ECash and Anonymous Credentials

Transcription

1 ECash and Anonymous Credentials CS/ECE 598MAN: Applied Cryptography Nikita Borisov November 9, 2009

2 1 E-cash Chaum s E-cash Offline E-cash 2 Anonymous Credentials e-cash-based Credentials Brands Credentials CL Signatures Camenisch Anonymous Credentials 3 Compact E-cash

3 E-cash properties How is cash different from credit card transactions? Untraceable Verifiable offline

4 Chaum s E-cash First Attempt at e-cash A message with a digital signature: Example (ebill) This bill is legal tender for exactly US$1.00 US Mint How well does this work for our purposes? Traceable: Mint will recognize randomized signature Needs online verification to prevent double spending

5 Chaum s E-cash Blind Signatures [Chaum, Crypto 82] Recall RSA homomorphism: RSA Signature Homomorphism ( (m1 ) d (mod n) ) ( (m 2 ) d (mod n) ) (m 1 m 2 ) d (mod n) We can use this to construct a blind signature: Definition Blind signature 1 Alice picks r R Z n 2 Alice generates blinded message: m = m r e (mod n) and asks the mint to sign it 3 Mint produces signature on m : σ = (m ) d m d r ed m d r (mod n) 4 Alice uses σ = σ /r to obtain a signature on m

6 Chaum s E-cash Blind signature protocol Withdrawal Protocol 1 Alice produces a message: m = H( This bill is legal tender for exactly US$1, ) 2 Alice obtains a blind signature on m from the mint. 3 Mint deducts $1 from Alice s account. Properties Unlinkable: mint cannot link signature on m to signature on m (information-theoretic security) Needs online verification to prevent double spending Alice can change amount

7 Chaum s E-cash Single-denomination keys Mint s public key (n, e) used to only issue $1.00 e-coins. Withdrawal Protocol 1 Alice produces a serial number s, and message m = H(s) 2 Alice obtains a blind signature on m from the mint. 3 Mint deducts $1 from Alice s account. Why does m = H(s)? Prevents existential forgery. Payment protocol requires Alice to produce s and a signature on H(s) How do we support multiple denominations? Multiple public keys: (n $1, e $1 ), (n $5, e $5 ),...

8 Offline E-cash Offline E-cash [Chaum,Fiat, & Naor, Crypto 90] Basic ideas: Encode payer s identity in the coin Payment protocol reveals some function of user s identity Two payments will reveal full identity Zero-knowledge proofs to show that protocol is being followed

9 Offline E-cash Setup Bank s RSA public key: (n, e) as before, every coin worth $1. Each user has an account number u and a counter v. Two collision-resistant hash functions are used: f (x, y) is modeled as a random oracle g(x, y) has the property that g(x, ) is a permutation Note: this guarantees that g(x, ) is collision free

10 Offline E-cash Withdrawal Protocol Withdrawal 1 Alice chooses a, c, d, r R Z n 2 Alice forms a coin: C = f (g(a i, c i ), g(a (u (v + 1)), d)) 3 Alice sends r e C to the bank 4 The bank produces a signature σ = r C d 5 The bank increments v by 1, debits Alice s account $1 Note: Alice s identity is encoded in the coin (in a complex way) Bank needs to verify that Alice is constructing the coin correctly

11 Offline E-cash Cut-and-choose Withdrawal 1 Alice chooses a i, c i, d i, r i R Z n, for i = 1,..., k 2 Alice forms a coin: C i = f (g(a i, c i ), g(a i (u (v + i)), d i )) 3 Alice sends r e i C i to the bank 4 The bank picks a set of k/2 indices, R, and sends them to Alice 5 Alice sends a i, c i, d i, and r i for i R to the bank 6 The bank produces a signature on the remaining C i s: σ = i / R r i C d i 7 Alice generates the final coin: C = σ / i / R r i = i / R C d i 8 The bank increments v by 1, debits Alice s account $1

12 Offline E-cash Payment Protocol Assume without loss of generality that R = {k/2 + 1,..., k}, thus: Payment 1 Alice sends C to Bob. 2 Bob chooses k/2 random bits, z 1,..., z k/2 R {0, 1} 3 For each i, Alice sends: 1 If z i = 1, she sends a i, c i, g(a i (u (v + i)), d i ) 2 If z i = 0, she sends g(a i, c i ), a i (u (v + i)), d i 4 Bob recomputes each C i and verifies that the signature is correct 5 Later, Bob sends C and Alice s responses to the bank 6 Bank verifies the responses and credits Bob s account

13 Offline E-cash Double Spending If the bank receives two copies of the same coin C, it can recover Alice s identity from her responses to two merchant s challenges: z and z With probability 1 2 k/2, i such that z i z i The bank has a i and a i (u (v + i)) Note: if Alice and Charlie collude, Charlie can issue the same challenge as Bob. Fix: make Bob s challenge depend on his identity. Note: To prevent framing by the bank, Alice can use account number u w i for random w i and provide a signature on H(w i ) s to the bank (that the bank checks during cut-and-choose).

14 Credential Systems Credential: a certified list of attributes. Example (Driver s License) Name John Smith D.O.B. 01/01/1970 Address 123 Main St. Zipcode Eye color Blue Hair color Brown Digital credentials: attribute list signed by some authority (e.g., IL Secretary of State) Privacy issues: reveal all information to demonstrate one attribute.

15 Anonymous Credentials (aka Private Credentials) Properties Selective Disclosure: can reveal only the attributes necessary. E.g.: Over 21 Resident of Illinois Licensed to drive Needs glasses Unlinkability: Issuing and showing credentials should not be linkable, even with cooperation of the CA.

16 Constructions e-cash based Brands private credentials Camenisch et al. s anonymous credentials Noninteractive Anonymous Credentials

17 e-cash-based Credentials Digital Coin as Credential Credential issue: Withdraw Credential show: Payment No double-spending protection Credential attribute: denomination Problems Credential showing are linkable to each other Effectively, credential = pseudonym Limited policy expressivity: conjunction of boolean attributes No protection against credential sharing, combining

18 Brands Credentials Private Credentials [Brands, MIT Press, 1990] Stefan Brand s Ph.D. thesis Constructs a credential with a collection of attributes Blinded credential signed by issuing authority Can selectively disclose a subset of (or a formula over) credentials

19 Brands Credentials DLREP Definition Create generators g 1,..., g l for group of order q in Z p f (x 1,..., x l ) := g x 1 1 g x l l (mod p) Proof of Knowledge of a DLREP for h 1 Alice creates w 1,..., w l R Z q, sends a = H(g w 1 1 g w l l ) 2 Bob sends challenge c 3 Alice computes r i = c x i + w i 4 Bob checks that a = H(g r 1 1 g r l l h c )

20 Brands Credentials Fiat-Shamir Heuristic [Fiat, Shamir, Crypto 86] Given a 3-move ZK protocol: Prover: commit to a Verifier: send challenge c Prover: reveal r to prove commitment Set c = H(a); then (a, r) is a non-interactive ZK proof. Needs random oracle model Can be extended to signature proof of knowledge with c = H(a, M)

21 Brands Credentials Approach Issue Protocol Let g i = g y i mod p, h 0 = g y 0 mod p Use a modified DLREP function: f (α, x 1,..., x l ) = (g x 1 1 g x l l h 0 ) α mod p Obtain a restricted blind signature on h Showing Protocol Reveal value of selected attributes Prove knowledge of DLREP for remaining attributes Never reveal α

22 Brands Credentials Sharing Protection Need to know all attributes to prove DLREP Make one attribute be something sensitive (e.g., SSN, bank account password)

23 Brands Credentials Issue Protocol Alice CA 1. Pre-compute: 1. Pre-compute: α R Z q k R Z q α 2, α 3 R Z q s g k mod p h g x 1 1 g x l l mod p h (h 0 h) α mod p β g α 2 (h 0 h) α 3 mod p 2. Send x 1,...,x l 2. Validate attributes 3. Compute: s 3. Send: s γ βs mod p 4. Compute: u H(h, γ) mod q t (y 0 + x 1 y x l y l ) 1 u u α 2 mod q mod q

24 Brands Credentials Issue Protocol Alice 4. Send: u 5. Compute: v (v + α 3 )α 1 mod q 6. Verify: u? = H(h, (g u (h ) v mod p)) mod q u v CA 5. Compute: v (k u)t mod q 6: Send: v

25 Brands Credentials Issue Protocol Explained Final signature: u = H(h, γ = (g u (h ) v Let γ = g α 2 (h 0 h) α 3 g k Let v = (k (u α 2 ))(log g (h 0 h)) 1 v = (v + α 3 )α 1 mod p)) mod q (h ) v = ((h 0 h) α ) v = (h 0 h) v+α 3 = g k g u g α 2 (h 0 h) α 3 = γg u

26 CL Signatures Background: Pedersen Commitments Commit to an integer Z q Uses g, h Z p (generators of group of order q) Prover does not know log g h (e.g., verifier chooses h = g a ) Commit to x: send c = g x h r Reveal: show (x, r)

27 CL Signatures Fujisaki-Okamoto Pick RSA modulus n Let h QR n, g h Commit: g x h r mod n Reveal: send (x, r) Secure if prover does not know factorization of n

28 CL Signatures Camenisch-Lysyanskaya Signatures (SCN 2002) A signature scheme designed to be used with anonymous protocols Protocol to generate a signature on a committed value Protocol to prove knowledge of signature on committed value Building block of protocols, along with proofs regarding committed values

29 CL Signatures Signature Scheme Setup RSA modulus n = pq, with p = 2p + 1, q = 2q + 1, p, q, p, q prime Choose a 1,..., a l, b, c QR n PK = (n, a 1,..., a l, b, c), SK = p Signature Message: m 1,..., m l Pick random prime e, random number s v = (a m 1 1 a m l l b s c) 1/e mod n Output (e, s, v)

30 CL Signatures Camenisch-Stadler Notation Example Generic notation for zero-knowledge proofs PK{(vars) : conditions} By convention, Greek letters represent values known to the prover only, other letters represent public values Proof of knowledge of a DLREP for h according to bases g 1,..., g l : PK{(ξ 1,..., ξ l ) : h g ξ 1 1 g ξ l l mod p}

31 CL Signatures Commitment Proofs Proof of a DLREP modulo a composite: { m PK (α 1,..., α m ) : C = i=1 i=1 g α i i mod n Proof of knowledge of equivalent representations: { } m m PK (α 1,..., α i ) : C 1 = g α i i mod n 1 C 2 = h α i i mod n 2 i=1 Proof that a committed value is the product of two other committed values: PK{(α, β, ρ 1, ρ 2, ρ 3 ) : Proof that a value lies within a given range: C a = g α h ρ 1 mod n C b = g β h ρ 2 mod n } C ab = g αβ h ρ 3 mod n} PK {(α, ρ) : C = g α h ρ mod n a α b}

32 CL Signatures Signing a Committed Value Setup Public key: (n, a, b, c), commitment public key (n C, g C, h C ) User: commitment C = g x C hr C C mod n C Protocol 1 Form commitment C x = a x b r mod n 2 Prove C x is equivalent to C 3 Prove knowledge of x, r 4 Signer: pick random r, prime e, let v = (C x b r c) 1/e. 5 Send (r, e, v) to user 6 User: Let s = r + r ; check v e a x b s c mod n

33 Camenisch Anonymous Credentials Anonymous Credentials Similar to private credentials Can be shown arbitrary number of times General Approach Attributes: (x 1,..., x l ) Commit to a DLREP of attributes, prove that attributes are correct Obtain signature on DLREP To show credential, commit to the DLREP (new commitment) Prove commitment has required attributes Prove knowledge of signature over DLREP

34 Camenisch Anonymous Credentials Efficient Anonymous Credentials [Camenisch & Groß, CCS 08] Proofs of attributes are linear in number of attributes Public key needs to pre-specify attribute list Idea: create a single attribute e that encodes all of the credential Let each (binary) attribute be represented by a prime e i e = User has attr i e i k-valued attributes can be supported, too (How?)

35 Camenisch Anonymous Credentials Showing Possession of Attribute Proof of Knowledge of Signature PK{(σ, ɛ, ν, µ) : ν ɛ = a µ b σ c mod n} For attribute set E, show signature on E/e i using base a e i Proof of Possession of Attribute e i PK{(σ, ɛ, ν, µ) : ν ɛ = (a e i ) µ b σ c mod n} Note: can prove combination of attributes by using (a e i e j e k )

36 Camenisch Anonymous Credentials Showing Absence of Attribute e j Find two numbers a, b such that ae + be j = 1 by extended Euclidian algorithm. Let D = g E h r mod n Proof PK{(σ, ɛ, µ, ρ 1, ρ 2, α, β) : ν ɛ = a µ b σ c mod n D = g µ h ρ 1 mod n g = D α (g e j ) β h ρ 2 mod n}

37 Camenisch Anonymous Credentials Showing an OR relation Show that one of attributes {e 1,..., e m } is present. Note: can be done generically (How?) Approach: commit to e j (D = g e j h r ) show that e j l i=1 e i and e j E. Proof D = g e j h r PK{(σ, ɛ, µ, ρ 1, ρ 2, ρ 3, α, β, δ) : ν ɛ = a µ b σ c mod n D = g δ h ρ 1 g Q m i=1 e i = D α h ρ 2 1 = D β g µ h ρ 3 }

38 Compact E-cash Camenisch, Hohenberger, Lysanskaya, 2005 Generate a compact wallet Wallet contains 2 l coins Wallet length, withdrawal protocol: O(l) Two constructions Definition of Security

39 Syntax KeyGen: generate keys for user and bank Withdraw: obtain a coin from the bank Spend: spend a coin at a merchant Deposit: deposit a coin at a bank Identify: used by bank to identify double-spender VerifyGuilt: verifies that double-spending occurred

40 Security Properties Correctness: protocols with honest parties work as expected Balance: any collection of users and merchants cannot successfully deposit more coins than have been withdrawn Double-spending identification: double-spenders will be identified and a proof that fits VerifyGuilt will be generated Anonymity: users cannot be identified (simulator-based definition) Exculpability: bank cannot frame a user