Anonymous Credential Schemes with Encrypted Attributes

Transcription

1 Anonymous Credential Schemes with Encrypted Attributes Bart Mennink (K.U.Leuven) joint work with Jorge Guajardo (Philips Research) Berry Schoenmakers (TU Eindhoven) Conference on Cryptology And Network Security Kuala Lumpur, Malaysia 14 December / 21

2 Outline 1 Motivation 2 ElGamal Cryptosystem 3 Anonymous Credentials with Encrypted Attributes 4 Conclusions 2 / 21

3 Motivation Anonymous Credential Schemes Anonymous Credential Schemes 3 types of parties: issuers, users, relying parties (veriers) 3 / 21

4 Motivation Anonymous Credential Schemes Anonymous Credential Schemes 3 types of parties: issuers, users, relying parties (veriers) Issuer issues credential (on some attributes) to user 3 / 21

5 Motivation Anonymous Credential Schemes Anonymous Credential Schemes 3 types of parties: issuers, users, relying parties (veriers) Issuer issues credential (on some attributes) to user User shows credential to a relying party 3 / 21

6 Motivation Anonymous Credential Schemes Anonymous Credential Schemes 3 types of parties: issuers, users, relying parties (veriers) Issuer issues credential (on some attributes) to user User shows credential to a relying party Required security properties: unforgeability and unlinkability Examples: digital passports, identity management,... 3 / 21

7 Motivation Anonymous Credential Schemes Anonymous Credential Schemes Theory: Introduced by Chaum in Several ecient constructions, most prominently by Brands [Bra93, Bra95, Bra99] Camenisch-Lysyanskaya [CL01, CL02, CL04] Plus variations and extensions Practice: ecash, DigiCash (Chaum) CAFE project Idemix (IBM, Camenisch-Lysyanskaya credentials) U-Prove (Microsoft, Brands credentials) 4 / 21

8 Motivation Secure Function Evaluation (SFE) Secure Function Evaluation (SFE) A number of parties jointly and securely compute a function f secret data on f multiparty computation E(f (x 1,..., x L )) E(x 1 ),..., E(x L ) servers 5 / 21

9 Motivation Secure Function Evaluation (SFE) Secure Function Evaluation (SFE) A number of parties jointly and securely compute a function f secret data on f multiparty computation E(f (x 1,..., x L )) E(x 1 ),..., E(x L ) servers Yao's millionaires protocol (1982) Alice and Bob want to compare their wealth 5 / 21

10 Motivation Secure Function Evaluation (SFE) Secure Function Evaluation (SFE) A number of parties jointly and securely compute a function f secret data on f multiparty computation E(f (x 1,..., x L )) E(x 1 ),..., E(x L ) servers Yao's millionaires protocol (1982) Alice and Bob want to compare their wealth Both encrypt their fortunes: E(x A ), E(x B ) 5 / 21

11 Motivation Secure Function Evaluation (SFE) Secure Function Evaluation (SFE) A number of parties jointly and securely compute a function f secret data on f multiparty computation E(f (x 1,..., x L )) E(x 1 ),..., E(x L ) servers Yao's millionaires protocol (1982) Alice and Bob want to compare their wealth Both encrypt their fortunes: E(x A ), E(x B ) Jointly execute SFE protocol to compute x A < x B Security: the protocol should not leak any other info about x A, x B 5 / 21

12 Motivation Secure Function Evaluation (SFE) Secure Function Evaluation (SFE) Theory: Introduced by Yao in Main approaches to multiparty computation by Ben-Or et al. [BGW87] Goldreich et al. [GMW87] Cramer et al. [CDN01] Practice: E-voting, e-auctions,... Fairplay (2004), VIFF (2007), Sharemind (2008), and more Commercial activity: new company Partisia 6 / 21

13 Motivation Combining Credential Schemes and SFE Combining Credential Schemes and SFE Problem: Input to SFE should be correct or meaningful One can employ credentials to guarantee this But SFE servers are not allowed to learn the attributes, while standard credential schemes require the user to know these 7 / 21

14 Motivation Combining Credential Schemes and SFE Combining Credential Schemes and SFE Problem: Input to SFE should be correct or meaningful One can employ credentials to guarantee this But SFE servers are not allowed to learn the attributes, while standard credential schemes require the user to know these Solution: Anonymous Credentials on Encrypted Attributes 7 / 21

15 Motivation Combining Credential Schemes and SFE Combining Credential Schemes and SFE Lead to networks of SFEs with anonymous links connecting inputs and outputs 8 / 21

16 Motivation Combining Credential Schemes and SFE Combining Credential Schemes and SFE Lead to networks of SFEs with anonymous links connecting inputs and outputs In general, anonymous credentials with encrypted attributes can be used if the user is not allowed or does not want to know the attributes 8 / 21

17 Motivation Examples Medical Data of Employees HRM (human resource management) needs to mine privacy sensitive medical data from employees 9 / 21

18 Motivation Examples Medical Data of Employees HRM (human resource management) needs to mine privacy sensitive medical data from employees 9 / 21

19 Motivation Examples Medical Data of Employees HRM (human resource management) needs to mine privacy sensitive medical data from employees HRM can send these encrypted credentials to SFE servers for analysis... encrypted DNA, encrypted parts of EPD (electronic patient dossier) 9 / 21

20 Motivation Examples Boy or Girl? Alice and Bob want to buy/receive clothes and toys for unborn baby 10 / 21

21 Motivation Examples Boy or Girl? Alice and Bob want to buy/receive clothes and toys for unborn baby They do not want to know the gender yet 10 / 21

22 Motivation Examples Boy or Girl? Alice and Bob want to buy/receive clothes and toys for unborn baby They do not want to know the gender yet 10 / 21

23 Motivation Examples Boy or Girl? Alice and Bob want to buy/receive clothes and toys for unborn baby They do not want to know the gender yet 10 / 21

24 Motivation Examples Boy or Girl? Alice and Bob want to buy/receive clothes and toys for unborn baby They do not want to know the gender yet They unwrap the presents as soon as the baby is born! 10 / 21

25 Motivation Examples Boy or Girl? Alice and Bob want to buy/receive clothes and toys for unborn baby They do not want to know the gender yet They unwrap the presents as soon as the baby is born!... get yard signs in advance 10 / 21

26 ElGamal Cryptosystem Outline 1 Motivation 2 ElGamal Cryptosystem 3 Anonymous Credentials with Encrypted Attributes 4 Conclusions 11 / 21

27 ElGamal Cryptosystem ElGamal Cryptosystem We use the ElGamal cryptosystem: Group g of prime order q Secret key λ R Z q, public key f = g λ Encryption of x Z q : x = (g r, g x f r ) for r R Z q 12 / 21

28 ElGamal Cryptosystem ElGamal Cryptosystem We use the ElGamal cryptosystem: Group g of prime order q Secret key λ R Z q, public key f = g λ Encryption of x Z q : x = (g r, g x f r ) for r R Z q Homomorphic properties: Addition: x y = x + y Multiplication by constant: x c = xc Re-randomization: x 0 = x 12 / 21

29 Anonymous Credentials with Encrypted Attributes Outline 1 Motivation 2 ElGamal Cryptosystem 3 Anonymous Credentials with Encrypted Attributes 4 Conclusions 13 / 21

30 Anonymous Credentials with Encrypted Attributes Anonymous Credential Schemes Anonymous Credential Schemes Three components: Key generation: algorithm for I Issuance: protocol for (I, U) Verication: protocol for (U, V) Credentials are tuples (p, s, σ), where: p public part, and σ signature on p s secret part corresponding to p s contains the attributes on which the credential is issued In this presentation: 2 attributes (x 1, x 2 ) 14 / 21

31 Anonymous Credentials with Encrypted Attributes Brands' Anonymous Credential Scheme Brands' Anonymous Credential Scheme Brands' credential schemes: single-use credentials We use the Brands' credential scheme based on the blind Chaum-Pedersen (CP) signature scheme Issuance possible without I learning attributes This variant is also used in U-Prove 15 / 21

32 Anonymous Credentials with Encrypted Attributes Brands' Anonymous Credential Scheme Brands' Anonymous Credential Scheme Brands' credential schemes: single-use credentials We use the Brands' credential scheme based on the blind Chaum-Pedersen (CP) signature scheme Issuance possible without I learning attributes This variant is also used in U-Prove Key generation: group g of prime order q Secret key x 0, y 1, y 2 R Z q, public h 0 = g x 0, g 1 = g y 1, g 2 = g y 2 15 / 21

33 Anonymous Credentials with Encrypted Attributes Brands' Anonymous Credential Scheme Brands' Anonymous Credential Scheme Brands' credential schemes: single-use credentials We use the Brands' credential scheme based on the blind Chaum-Pedersen (CP) signature scheme Issuance possible without I learning attributes This variant is also used in U-Prove Key generation: group g of prime order q Secret key x 0, y 1, y 2 R Z q, public h 0 = g x 0, g 1 = g y 1, g 2 = g y 2 Credential on (x 1, x 2 ) is a tuple ( h, x }{{} 1, x 2, α, σ) s.t.: }{{} a) σ is CP-signature on h p s b) (g x1 1 g x2 2 h 0) α = h 15 / 21

34 Anonymous Credentials with Encrypted Attributes Brands' Anonymous Credential Scheme Brands' Anonymous Credential Scheme Credential on (x 1, x 2 ) is a tuple ( h, x }{{} 1, x 2, α, σ) s.t.: }{{} a) σ is CP-signature on h p s b) (g x1 1 g x2 2 h 0) α = h 16 / 21

35 Anonymous Credentials with Encrypted Attributes Brands' Anonymous Credential Scheme Brands' Anonymous Credential Scheme Credential on (x 1, x 2 ) is a tuple ( h, x }{{} 1, x 2, α, σ) s.t.: }{{} a) σ is CP-signature on h p s b) (g x1 1 g x2 2 h 0) α = h Issuance: I issues blind CP-signature σ on h = (h ) 1/α U (knows: x1, x2, α; h, h ) (knows: x0; h) z=h x 0 ; a,b c r I / 21

36 Anonymous Credentials with Encrypted Attributes Brands' Anonymous Credential Scheme Brands' Anonymous Credential Scheme Credential on (x 1, x 2 ) is a tuple ( h, x }{{} 1, x 2, α, σ) s.t.: }{{} a) σ is CP-signature on h p s b) (g x1 1 g x2 2 h 0) α = h Issuance: I issues blind CP-signature σ on h = (h ) 1/α U (knows: x1, x2, α; h, h ) (knows: x0; h) z=h x 0 ; a,b c r Verication: U proves knowledge of x 1, x 2, α s.t. (g x 1 1 g x 2 2 h 0) α = h I / 21

37 Anonymous Credentials with Encrypted Attributes Extension to Encrypted Attributes Extension to Encrypted Attributes We extend Brands' credential scheme with encrypted attributes Several variations discussed in the paper, where none of the participants learns the attributes all parties learn a specic (possibly dierent) set of attributes I learns the attributes, but U, V do not learn these Now: simplied version of the encrypted credential scheme 17 / 21

38 Anonymous Credentials with Encrypted Attributes Extension to Encrypted Attributes Extension to Encrypted Attributes Brands' credential on (x 1, x 2 ) is a tuple ( h, x }{{} 1, x 2, α, σ) s.t.: }{{} a) σ is CP-signature on h p s b) (g x1 1 g x2 2 h 0) α = h 18 / 21

39 Anonymous Credentials with Encrypted Attributes Extension to Encrypted Attributes Extension to Encrypted Attributes Brands' credential on (x 1, x 2 ) is a tuple ( h, x }{{} 1, x 2, α, σ) s.t.: }{{} a) σ is CP-signature on h p s b) (g x1 1 g x2 2 h 0) α = h Encrypted credential on (c 1, c 2 ) is a tuple (h, c 1, c 2, α, σ) s.t.: }{{}}{{} a) p s b) Now, encryptions c 1 = x 1, c 2 = x 2 belong to public part 18 / 21

40 Anonymous Credentials with Encrypted Attributes Extension to Encrypted Attributes Extension to Encrypted Attributes Brands' credential on (x 1, x 2 ) is a tuple ( h, x }{{} 1, x 2, α, σ) s.t.: }{{} a) σ is CP-signature on h p s b) (g x1 1 g x2 2 h 0) α = h Encrypted credential on (c 1, c 2 ) is a tuple (h, c 1, c 2, α, σ) s.t.: }{{}}{{} a) σ is CP-signature on (h, c, p s 1 c ) 2 b) Now, encryptions c 1 = x 1, c 2 = x 2 belong to public part U has to re-randomize c 1, c 2 in issuance 18 / 21

41 Anonymous Credentials with Encrypted Attributes Extension to Encrypted Attributes Extension to Encrypted Attributes Brands' credential on (x 1, x 2 ) is a tuple ( h, x }{{} 1, x 2, α, σ) s.t.: }{{} a) σ is CP-signature on h p s b) (g x1 1 g x2 2 h 0) α = h Encrypted credential on (c 1, c 2 ) is a tuple (h, c 1, c 2, α, σ) s.t.: }{{}}{{} a) σ is CP-signature on (h, c, p s 1 c ) 2 b) (D((c 1 )y1 (c 2 )y2 )h 0 ) α = h Now, encryptions c 1 = x 1, c 2 = x 2 belong to public part U has to re-randomize c 1, c 2 in issuance U cannot prove knowledge of x 1, x 2 in verication 18 / 21

42 Anonymous Credentials with Encrypted Attributes Extension to Encrypted Attributes Technical Issues U has to re-randomize c 1 = x 1, c 2 = x 2 in issuance U cannot prove knowledge of x 1, x 2 in verication 19 / 21

43 Anonymous Credentials with Encrypted Attributes Extension to Encrypted Attributes Technical Issues U has to re-randomize c 1 = x 1, c 2 = x 2 in issuance Problem: user can replace c 1 by 0 and obtain oracle for x 1 = 0? U cannot prove knowledge of x 1, x 2 in verication 19 / 21

44 Anonymous Credentials with Encrypted Attributes Extension to Encrypted Attributes Technical Issues U has to re-randomize c 1 = x 1, c 2 = x 2 in issuance Problem: user can replace c 1 by 0 and obtain oracle for x 1 = 0? Solution: credential will actually be issued on x i + φ i, for φ i R Z q g φ i can be made public x i can be obtained from x i + φ i and g φ i U cannot prove knowledge of x 1, x 2 in verication 19 / 21

45 Anonymous Credentials with Encrypted Attributes Extension to Encrypted Attributes Technical Issues U has to re-randomize c 1 = x 1, c 2 = x 2 in issuance Problem: user can replace c 1 by 0 and obtain oracle for x 1 = 0? Solution: credential will actually be issued on x i + φ i, for φ i R Z q g φ i can be made public x i can be obtained from x i + φ i and g φ i U cannot prove knowledge of x 1, x 2 in verication Verication: U proves knowledge of α s.t. (D((c 1 )y 1 (c 2 )y 2 )h 0 ) α = h Verier needs secret data, namely y 1, y 2, and λ (for decryption) Verier is required to be semi-honest (threshold cryptography) 19 / 21

46 Anonymous Credentials with Encrypted Attributes Security Analysis Security Analysis Proven secure, against: Malicious I and U Semi-honest V (threshold cryptography) Security based on: DDH assumption Random Oracle Model Security of blind Chaum-Pedersen scheme A new assumption Same level of security as original Brands' scheme 20 / 21

47 Conclusions Conclusions We introduced anonymous credential schemes with encrypted attributes, and presented and analyzed various ecient constructions based on a credential scheme by Brands Wide range of applications: Missing link between credential schemes and SFE Medical data of employees, boy or girl?,... Letters of recommendation, medical data of illnesses,... Further research: Encrypted credential schemes with multi-use credentials Public veriability of encrypted credentials Thank you for your attention! 21 / 21

48 Supporting Slides SUPPORTING SLIDES!!! 22 / 21

49 Supporting Slides Preliminaries Σ-protocols Simplest example: Schnorr's identication protocol We consider a group g, and public h g Prover wants to prove that he knows x = log g h 23 / 21

50 Supporting Slides Preliminaries Σ-protocols Simplest example: Schnorr's identication protocol We consider a group g, and public h g Prover wants to prove that he knows x = log g h Prover Verier (knows: h; x) (knows: h) u R Z q, a g u a r u + cx mod q c c R Z q r r g? = c ah 23 / 21

51 Supporting Slides Preliminaries Σ-protocols Simplest example: Schnorr's identication protocol We consider a group g, and public h g Prover wants to prove that he knows x = log g h Prover Verier (knows: h; x) (knows: h) u R Z q, a g u a r u + cx mod q c c R Z q r r g? = c ah This is Σ-protocol for relation {(h; x) h = g x } Σ-protocol: completeness, special-soundness, honest-verier zero-knowledge 23 / 21

52 Supporting Slides Brands' Credential Scheme Key Generation for I Public: group g of prime order q; h 0 g, g 1, g 2 R g Secret: x 0 R Z q such that h 0 = g x 0 A credential on (x 1, x 2 ) is a tuple ( h, x }{{} 1, x 2, α, z, c, r ) s.t.: }{{}}{{} p s σ c = H(h, z, g r h c 0, (h ) r (z ) c ) and (g x 1 1 g x 2 2 h 0) α = h 24 / 21

53 Supporting Slides Brands' Credential Scheme Issuance for (I, U) For (x 1, x 2 ), U and I compute h = g x 1 1 g x 2 2 h 0 α R Z q, h h α, U β, γ R Z q z z α a h β 0 g γ a b (z ) β (h ) γ b α c H(h, z, a, b ) c c + β mod q a? = g r h c 0, b? = h r z c r r + γ mod q z;a,b c r I z h x 0, a g w, w R Z q b h w r cx 0 + w mod q Note: c = H(h, z, g r h c 0, (h ) r (z ) c ) and (g x 1 1 g x 2 2 h 0) α = h 25 / 21

54 Supporting Slides Brands' Credential Scheme Verication for (U, V) Brands' credential is (h, x 1, x 2, α, z, c, r ) such that: c = H(h, z, g r h c 0, (h ) r (z ) c ) and (g x 1 1 g x 2 2 h 0) α = h (knows: h, z, c, r ; x1, x2, α) U V u1, u2, uα R Z q a (h ) uα g u 1 1 g u l l a;h,z,c,r c (r i u i + cx i mod q) 2 i=1 c R Z q rα uα + cα 1 mod q r1,r2,rα c? = H(h, z, g r h c 0, (h ) r (z ) c ) (h ) rα g r 1 1 g r l l? = ah c 0 Σ-protocol for {(h ; x 1, x 2, α) h 0 = (h ) α 1 g x 1 1 g x 2 2 α 0} 26 / 21

55 Supporting Slides Encrypted Credential Scheme Key Generation for (I, V) Public: group g of prime order q; h 0, g 1, g 2, f, ˆf, f 1 g Secret: x 0, φ 1 R Z q for I and y 1, y 2, λ R Z q for V such that h 0 = g x 0 g 1 = g y 1 g 2 = g y 2 f = g λ ˆf = f x 0 = h λ 0 f 1 = g φ 1 A credential on x 1 is a tuple (h, c 1, c 2, α, z, z }{{}}{{} 1, z 2, c, r ), where }{{} c = p s σ 1 x + φ 1 1, such that: c = H([c i, z i, (c i ) r (z i ) c ] 2 i=1;h, z, g r h c 0, (h ) r (z ) c ) and (D((c 1) y 1 (c 2) y 2 )h 0 ) α = h Note the transformation from x 1 to x + φ 1 1 Otherwise, a malicious U can replace c by 0 1 Verication succeeds if and only if x = 0 1 this gives U an oracle for `x = 0?' 1 27 / 21

56 Supporting Slides Encrypted Credential Scheme Issuance for (I, U) Credential issuance on x 1 U {0, 1} I r1, r2, x l R Z q c1 (g r 1, g x 1 f1f r 1 ) c2 (g r 2, g x2 f r 2 ) h g x 1 +φ 1 1 g x 2 2 h 0 ( ) z h x 0, z i c x 0 2 i i=1 w R Z q, a g w, b h w h,z,(c i,z i ) 2 i =1 ; f f w, (e i c w i ) 2 i=1... a,b, f,(e i ) 2 i =1 Notice that also z i = c x 0 1 and e i0 = c w 0 i are computed 28 / 21

57 Supporting Slides Encrypted Credential Scheme Issuance for (I, U) U and I know h, z, c 1, c 2, z 1, z 2, a 0, b 0, f, (e i0 ) 2 i=1 α R Z q, h h α, β, γ R Z q z z α a h β 0 g γ a, b (z ) β (h ) γ b α δ i R Z q, c c i i (g, f ) δ 2 i z z i i (h0, ˆf ) δ i e (z i i )β (c i )γ e i (a, f ) δ i i=1 c H([c, i z, i e i ]2 i=1 ; h, z, a, b ) f c c + β mod q a? = g r h c 0, b? = h r z c? = f r ˆf c, (e i? = c r i z c i ) 2 i=1 r r + γ mod q c r r cx 0 + w mod q 29 / 21

58 Supporting Slides Encrypted Credential Scheme Verication for (U, V) U proves knowledge of α such that (D((c 1 )y 1 (c 2 )y 2 )h 0 ) α = h U (knows: h, c 1, c 2 ; α) (knows: h, c 1, c 2 ; y 1, y2, λ) u R Z q, a (h ) u a c c R Z q r u + cα 1 mod q r ] b [(h ) r? = a(d((c 1 ) y 1 (c 2 2 )y )h0) c b Protocol is a zero-knowledge proof of knowledge for α such that (D((c 1 )y 1 (c 2 )y 2 )h 0 ) α = h V is required to be semi-honest (threshold cryptography) V 30 / 21

59 Supporting Slides Encrypted Credential Scheme Verication for (U, V) U proves knowledge of α such that (D((c 1 )y 1 (c 2 )y 2 )h 0 ) α = h U (knows: h, c 1, c 2 ; α) (knows: h, c 1, c 2 ; y 1, y2, λ) u R Z q, a (h ) u a c c R Z q r u + cα 1 mod q r ] b [(h ) r? = a(d((c 1 ) y 1 (c 2 2 )y )h0) c b Protocol is a zero-knowledge proof of knowledge for α such that (D((c 1 )y 1 (c 2 )y 2 )h 0 ) α = h V is required to be semi-honest (threshold cryptography) V can obtain x 1 by computing c 1 V (1, f 1 1 ): c 1 (1, f 1 1 ) = (g r, g x 1 +φ1 f r ) (1, g φ 1 ) = (g r, g x 1 f r ) = x 1 30 / 21

60 Supporting Slides Security Analysis Assumption U is issued K credentials on x j (j = 1,..., K ), and learned (c ji ) 2 i=1 Then he outputs a tuple (h, c 1, c 2, α, z, z 1, z 2, c, r ). Now, either This tuple is not a valid credential There exists a j such that U knows values β 1, β 2 such that (c i ) 2 i=1 = (c ji (g, f ) β i )2 i=1 31 / 21

61 Supporting Slides Security Analysis One-more Unforgeability `Hard to obtain K + 1 credentials after K issuing executions' Credential scheme is based on blind Chaum-Pedersen signature scheme Reducing one-more forgeries: [ U F S CP issues credential issues CP-signature ] K times forgery: K+1 credentials forgery: K+1 CP-signatures Our scheme is at least as secure against one-more forgeries 32 / 21

62 Supporting Slides Security Analysis Verication Protocol Recall the verication protocol U (knows: h, c 1, c 2 ; α) (knows: h, c 1, c 2 ; y 1, y2, λ) u R Z q, a (h ) u a c c R Z q r u + cα 1 mod q r ] b [(h ) r? = a(d((c 1 ) y 1 (c 2 2 )y )h0) c b Protocol should be a secure proof of knowledge V Proof of knowledge: complete and special sound Secure: views on protocol simulateable for passive V and active U Simulation of view of active U : after sending r, U already knows b 33 / 21