U-Prove crypto overview (September 20th, 2006). Copyright © 2006, 9112-1772 Quebec Inc. Proprietary and Confidential.


Slide 2: Digital Credentials: Crypto basics (1)
- Computation is done in two algebraic structures
  – Base elements live in a finite group $G_q$ of prime order $q$. Property of any group: for $g$ and $h$ in $G_q$, $g \cdot h$ is also in $G_q$
  – Exponents live in the finite field $\mathbb{Z}_q = \{0, 1, 2, \ldots, q-1\}$
- Properties of the $G_q$ structure that we exploit
  – Basic fact: the "order" of an element divides the order of the group. Since $q$ is prime, the only possible orders are 1 and $q$; the element 1 has order 1, and the rest obviously do not
  – Therefore all elements $g$ other than 1 are generators: $g^x$ cycles through all elements of $G_q$ for successive values of $x$
  – Exponents can be reduced mod $q$. Example: $g^{ax+b} = g^{(ax+b) \bmod q}$
- Underlying hard problem: the DL problem. Given $g \neq 1$ and a random $h := g^x$, it is infeasible to find $x$

Slide 3: Digital Credentials: Crypto basics (2)
- Technically, $f(x) := g^x$ is a one-way function: the average case takes super-polynomial time, measured in the size of the base elements ("key length")
- Two well-known constructions for $G_q$
  – $G_q$ is a subgroup of $\mathbb{Z}_p^* = \{1, \ldots, p-1\}$. Example: DSA, defined in FIPS 186-2. Group operation: multiplication mod $p$. Fastest known algorithms take sub-exponential time. Typical parameter sizes: $|p| = 1024$, $|q| = 160$
  – $G_q$ is an elliptic curve over a finite field. More complicated. Fastest known algorithms take exponential time. Benefit: base elements need only be 160 to 200 bits to achieve the same level of protection as the 1024-bit prime $p$ above
  – Caveat: those are 2006 figures. A 1024-bit $p$ with a 160-bit $q$ is no longer considered adequate; current guidance starts at a 2048-bit $p$ with a 256-bit $q$, or a 256-bit elliptic curve

Slide 4: Digital Credentials: Crypto basics (3)
- We rely on a generalized form, $h := g_1^{x_1} \cdots g_k^{x_k}$, for $k$ randomly chosen generators $g_i$ of $G_q$; $(x_1, \ldots, x_k)$ is a representation of $h$ w.r.t. $(g_1, \ldots, g_k)$
- Basic properties we exploit:
  – $h$ can be computed almost as fast as a single exponentiation
  – $f(x_1, \ldots, x_k) := g_1^{x_1} \cdots g_k^{x_k}$ is a one-way function; inverting it is provably as hard as breaking the DL problem
  – $f(x_1, \ldots, x_k) := g_1^{x_1} \cdots g_k^{x_k}$ is a collision-intractable function: you can only "know" one representation for a given $h$, and finding a collision provably means breaking the DL problem
  – If a single one of the exponents is chosen at random, all the others are unconditionally hidden, and so those $k-1$ exponents can represent arbitrary attribute data!

Slide 5: What a Digital Credential looks like
- Initial system set-up by the Issuer:
  – A group $G_q$ in which the DL problem is hard
  – $k$ randomly chosen generators $g_i$ of $G_q$ (plus the generator $h_0$ used below)
  – The Issuer's own signing key pair (issuing protocol and key pair not discussed in this presentation)
- A Digital Credential consists of:
  – Attributes $(x_1, \ldots, x_k)$ that can represent any data
  – A Digital Credential private key: $(x_1, \ldots, x_k, \alpha)$. $\alpha$ is chosen at random by the User from $\mathbb{Z}_q$ and kept secret; the User never discloses $\alpha$ $\Rightarrow$ the attributes remain unconditionally hidden
  – A Digital Credential public key: $h := g_1^{x_1} \cdots g_k^{x_k} h_0^{\alpha}$
  – The Issuer's digital signature $\sigma(h)$ on $h$; $\sigma(h)$ consists of a mere two or three 160-bit exponents

Slide 6: Showing a Digital Credential
- The User sends to the Verifier:
  – A property of the attributes $(x_1, \ldots, x_k)$; the User has fine-grained control over the property ("selective disclosure")
  – The Digital Credential public key, $h$
  – The Issuer's signature $\sigma(h)$ on $h$
  – The User's own signature on a "nonce" of the Verifier
- About the User's own signature to the Verifier
  – Made with the Digital Credential private key $(x_1, \ldots, x_k, \alpha)$
  – To replay it, a dishonest Verifier would need to sign another nonce, but $\alpha$ is never disclosed by the User
  – The User's signature also proves the disclosed property! It reveals nothing beyond the disclosed property, even if Issuer and Verifier collude and have infinite computing power!

Slide 7: How we accomplish this
- Core ingredient: proof of knowledge ("POK"), a well-known idea from modern cryptography, based on a challenge-response mechanism
  – (Naïve) example: the ability to decrypt any "challenge" message is a "proof" that you must know the secret decryption key
- We rely on provably secure POKs, in two flavors:
  – Zero-knowledge proofs of knowledge (the Verifier learns nothing)
  – Signed proofs of knowledge (for non-repudiation): the Verifier is left with evidence that the POK took place (but nothing more!)
- We do: a POK of a representation of $H$ with respect to generators $(G_1, \ldots, G_t)$, with a special twist!
  – $H$ and $G_1, \ldots, G_t$ are modified forms of $h, g_1, \ldots, g_k, h_0$, where the modifications depend on the property to be disclosed, so that the User can disclose properties of the secret as part of the POK

Slide 8: Example 1: User discloses attribute $x_1$
- The User sends to the Verifier:
  – Disclosed property: $x_1$. Note: $h = g_1^{x_1} \cdots g_k^{x_k} h_0^{\alpha} \Rightarrow h / g_1^{x_1} = g_2^{x_2} \cdots g_k^{x_k} h_0^{\alpha}$
  – As usual: $h$ and $\sigma(h)$
  – The User's signature: a (signed) POK of knowledge of a representation of $h / g_1^{x_1}$ with respect to $(g_2, \ldots, g_k, h_0)$. This is done using the "basic" POK of a representation, but switching to a "new" public key and a new tuple of base elements!
- The effect: the User discloses $x_1$ and proves knowledge of $x_2, \ldots, x_k$ without revealing anything about them (nor about $\alpha$)
- The User cannot lie about $x_1$: with a false $x_1'$ she would have to prove knowledge of a representation of $h / g_1^{x_1'}$, and knowing one would give her a second representation of $h$, which the collision-intractability of slide 4 rules out

Slide 9: Just how efficient is this?
- Note: the showing protocol is collapsed into a single move. (The nonce can be the concatenation of a Verifier "identifier" and a granular measurement of the time-of-day, say.)
  – Caveat: the Verifier must still guarantee that each nonce is fresh and never accepted twice; a nonce that repeats within its time granularity lets a captured signed POK be replayed
- Example: a Digital Credential with 3 attributes, the User discloses $x_2$
- [Figure: the single showing message, with the labels "Issuer's signature", "POK that proves $x_2$ is correct" and "No exponentiations!"; not transcribed]
- Note: almost all of the numbers sent are 20-byte numbers, and with elliptic curves all of them are

Slide 10: Example 2: User discloses linear relations
- Example scenario: a Digital Credential with 3 attributes: $h := g_1^{x_1} g_2^{x_2} g_3^{x_3} h_0^{\alpha}$
- The User wants to disclose the property $(x_1 = 2x_3 + 3 \bmod q)$ AND $(x_2 = 4x_3 + 5 \bmod q)$
- Note: $h = g_1^{x_1} g_2^{x_2} g_3^{x_3} h_0^{\alpha} \Rightarrow h = g_1^{2x_3+3} g_2^{4x_3+5} g_3^{x_3} h_0^{\alpha} \Rightarrow h / (g_1^3 g_2^5) = (g_1^2 g_2^4 g_3)^{x_3} h_0^{\alpha}$
- Therefore: the User proves knowledge of a representation of $h / (g_1^3 g_2^5)$ with respect to $(g_1^2 g_2^4 g_3, h_0)$, namely $(x_3, \alpha)$
- Remember: security is always computational, but privacy control is always unconditional!

Slide 11: Example 3: User discloses a "negation"
- Example scenario: a Digital Credential with 1 attribute: $h := g_1^{x_1} h_0^{\alpha}$
- The User wants to disclose the property $x_1 \neq 3 \bmod q$
- Note: $x_1 \neq 3 \Rightarrow x_1 = 3 - \delta \bmod q$ for some $\delta \neq 0 \bmod q$
- $h = g_1^{x_1} h_0^{\alpha} \Rightarrow h = g_1^{3-\delta} h_0^{\alpha} \Rightarrow h^{1/\delta} = g_1^{3/\delta} g_1^{-1} h_0^{\alpha/\delta} \Rightarrow g_1 = (g_1^3 / h)^{1/\delta} h_0^{\alpha/\delta}$
- Therefore: the User proves knowledge of a representation of $g_1$ with respect to $(g_1^3 / h, h_0)$, namely $(1/\delta, \alpha/\delta)$; a User with $x_1 = 3$ has $\delta = 0$, no inverse, and hence no representation to prove
- Useful in practice: the User can prove she is not listed on a blacklist without revealing her identity ($x_1$ represents a unique User identifier). Practical even for moderately long blacklists
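The showing protocol of slides 4 through 11 in working form, as an added example: this is not code from the deck or from the U-Prove SDK, and several choices the deck leaves open are assumptions made here. The group is a 64-bit toy safe-prime subgroup instead of the deck's 1024/160-bit DSA parameters; the "signed proof of knowledge" is a Schnorr/Okamoto-style proof of a representation made non-interactive with Fiat-Shamir over SHA-256 of the bases, the public key, the commitment and the Verifier's nonce; the Issuer's signature on $h$ is left out; the negation of slide 11 is generalised from one attribute to $k$ attributes with the others hidden; and the nonce, seeds and function names are constructed for the example.

```python
"""Toy U-Prove-style showing protocol for examples 1-3 of the deck.  Added example, not the
deck's or the U-Prove SDK's code.  Assumed: G_q is the order-q subgroup of Z_p^* with p = 2q+1
generated at 64 bits (far too small for real use); the "signed POK" is a Schnorr/Okamoto proof
of a representation with Fiat-Shamir over SHA-256 and the Verifier's nonce; no Issuer signature."""
import hashlib
import random

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic Miller-Rabin for n < 3.3e24

def is_prime(n):
    if n < 2 or any(n % b == 0 for b in MR_BASES):
        return n in MR_BASES
    s = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = d * 2^s with d odd
    d = (n - 1) >> s
    for a in MR_BASES:
        x = pow(a, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(s - 1)):
            return False  # no squaring reached -1, so `a` witnesses compositeness
    return True

class Params:  # Issuer set-up (slide 5): G_q plus generators g_1..g_k (attributes) and h_0 (User's alpha)
    def __init__(self, k, rng, bits=64):
        q = 0
        while not (is_prime(q) and is_prime(2 * q + 1)):
            q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        self.p, self.q = 2 * q + 1, q
        sq = lambda: pow(rng.randrange(2, self.p - 1), 2, self.p)  # a square other than 1 has order q: a generator
        self.g, self.h0 = [sq() for _ in range(k)], sq()

    def multiexp(self, bases, exps):  # prod b_i^e_i; exponents reduce mod q (slide 2)
        acc = 1
        for b, e in zip(bases, exps):
            acc = acc * pow(b, e % self.q, self.p) % self.p
        return acc

    def div(self, a, b):  # a / b in G_q
        return a * pow(b, self.p - 2, self.p) % self.p

def issue(P, attrs, rng):
    """Public key h = g_1^x_1 ... g_k^x_k h_0^alpha (slide 5); alpha is the User's secret and never disclosed."""
    alpha = rng.randrange(1, P.q)
    return P.multiexp(P.g + [P.h0], list(attrs) + [alpha]), alpha

def _challenge(P, bases, H, A, nonce):
    data = ",".join(map(str, [*bases, H, A])).encode() + b"|" + nonce
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P.q

def pok_prove(P, bases, exps, nonce, rng):
    """Signed POK (slide 7) that the User knows the representation `exps` of H = prod bases^exps."""
    w = [rng.randrange(P.q) for _ in bases]
    A = P.multiexp(bases, w)
    c = _challenge(P, bases, P.multiexp(bases, exps), A, nonce)
    return c, [(wi - c * xi) % P.q for wi, xi in zip(w, exps)]

def pok_verify(P, bases, H, nonce, proof):
    c, r = proof
    A = pow(H, c, P.p) * P.multiexp(bases, r) % P.p  # re-derives the prover's A iff `r` fits H
    return c == _challenge(P, bases, H, A, nonce)

def ex1_disclose(P, h, shown):
    """Reveal {i: x_i} (slide 8). Every statement below derives (H, bases) from public data only,
    so User and Verifier build the same instance; witness here = the hidden x_i's, then alpha."""
    hidden = [i for i in range(len(P.g)) if i not in shown]
    H = P.div(h, P.multiexp([P.g[i] for i in shown], list(shown.values())))
    return H, [P.g[i] for i in hidden] + [P.h0], hidden

def ex2_linear(P, h, rel):
    """rel[i] = (a_i, b_i) states x_i = a_i*x_t + b_i mod q, rel[t] = (1, 0) (slide 10); witness = (x_t, alpha)."""
    H = P.div(h, P.multiexp(P.g, [b for _, b in rel]))
    return H, [P.multiexp(P.g, [a for a, _ in rel]), P.h0]

def ex3_negation(P, h, i, v):
    """x_i != v with the other attributes hidden (slide 11, generalised to k attributes)."""
    rest = [g for j, g in enumerate(P.g) if j != i]
    return P.g[i], [P.div(pow(P.g[i], v, P.p), h)] + rest + [P.h0]

def ex3_witness(P, attrs, alpha, i, v):
    d_inv = pow((v - attrs[i]) % P.q, P.q - 2, P.q)  # 1/d for d = v - x_i; d = 0 (x_i == v) leaves no witness
    return [d_inv] + [x * d_inv for j, x in enumerate(attrs) if j != i] + [alpha * d_inv]

def show(P, stmt, witness, nonce, rng):  # one-move showing (slide 9): User proves, Verifier decides
    return pok_verify(P, stmt[1], stmt[0], nonce, pok_prove(P, stmt[1], witness, nonce, rng))

def demo(seed=2006):
    rng = random.Random(seed)
    P = Params(3, rng)
    x3 = rng.randrange(1, P.q)
    attrs = [(2 * x3 + 3) % P.q, (4 * x3 + 5) % P.q, x3]  # chosen to satisfy slide 10's relations
    h, alpha = issue(P, attrs, rng)
    nonce = b"verifier-17|2006-09-20T09:30:00Z"  # constructed: Verifier id + time, as slide 9 suggests
    H, bases, hidden = ex1_disclose(P, h, {1: attrs[1]})
    proof = pok_prove(P, bases, [attrs[i] for i in hidden] + [alpha], nonce, rng)
    lie = ex1_disclose(P, h, {1: attrs[1] + 1})  # the Verifier was handed a false x_2
    return {
        "disclose_x2": pok_verify(P, bases, H, nonce, proof),
        "lie_about_x2": pok_verify(P, lie[1], lie[0], nonce, proof),
        "replay_new_nonce": pok_verify(P, bases, H, b"verifier-17|later", proof),
        "linear": show(P, ex2_linear(P, h, [(2, 3), (4, 5), (1, 0)]), [x3, alpha], nonce, rng),
        "x1_not_3": show(P, ex3_negation(P, h, 0, 3), ex3_witness(P, attrs, alpha, 0, 3), nonce, rng),
        "x1_not_itself": show(P, ex3_negation(P, h, 0, attrs[0]), ex3_witness(P, attrs, alpha, 0, attrs[0]), nonce, rng),
    }
```

`demo()` issues a three-attribute credential, then runs the three showing examples plus three things that must fail: a Verifier handed a wrong $x_2$ derives a different $H$ and rejects the same proof (slide 8's "cannot lie"), the same proof presented under another nonce is rejected (slide 6's replay argument, which is why the challenge hash binds the nonce), and a User whose $x_1$ really is the blacklisted value gets $\delta = 0$ and no usable witness. The challenge also hashes the bases and $H$: leaving either out of a Fiat-Shamir transform lets a prover choose the statement after seeing the challenge, which is the classic weak-Fiat-Shamir mistake.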

Slide 12: Other showing techniques
- The disclosed property can combine any linear relations with AND, OR and NOT connectives
- The User can prove that an attribute lies in an interval. Example: suppose $x_1$ represents the User's age; to prove he is a minor, the User proves (discloses) $x_1 \le 17 \bmod q$
- The User can prove relations between attributes in multiple Digital Credentials, even if issued by different Issuers
- Multiple Users can prove relations between attributes in their Digital Credentials ("At least one of us is a citizen of the country of entry"); they don't need to open up their secret keys to each other!

Slide 13: A typical issuing protocol
- [Figure: message flow of the issuing protocol, with the labels "Public Key", "Issuer's signature" and "20-byte numbers"; not transcribed]

Slide 14: Additional techniques (1)
- Smartcard extension
  – The User cannot show a Digital Credential without the card's help
  – The card cannot leak any User information to the outside world: the User's own computer moderates all data exchanges on the fly, even if smartcard, Issuer, and Verifier collude with infinite power!
- The Issuer certifies attributes without seeing them: a "Registration Authority" or the User could provide them
- The Issuer can encode the secret key of a User smartcard: many Issuers can piggyback on the security of a single smartcard, and all application credentials remain "fire-walled"
- The Issuer can update attributes without seeing them, e.g., loyalty tokens, DRM
- Privacy for Verifiers

Slide 15: Additional techniques (2)
- Prevent lending, pooling, and discarding: all exploit the fact that the User must know all attributes in the Digital Credential to do the showing-protocol POK, even if some or all are not disclosed
- Limited-show Digital Credentials: prevent a Digital Credential from being shown too many times
  – Example: off-line e-cash. Each e-coin is a one-show Digital Credential with two attributes: the User identifier, encoded at issuing time by the Issuer (the bank), and the coin denomination plus optional data (e.g., a smartcard indicator bit)
  – Honest Users are untraceable; double-spending enables the Issuer to trace the double-spending User
  – Adding a User smartcard can serve as a second line of defense
  – Can be generalized to $t$-show (e.g., a 10-show e-ticket)

