George Danezis Microsoft Research, Cambridge, UK

Similar documents
Dr George Danezis University College London, UK

ECash and Anonymous Credentials

Cryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies

March 19: Zero-Knowledge (cont.) and Signatures

Anonymous Credentials Light

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Cryptographic Protocols Notes 2

Anonymous Credential Schemes with Encrypted Attributes

Practical Verifiable Encryption and Decryption of Discrete Logarithms

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

Anonymous Credentials Light

Pseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016

Lecture 10: Zero-Knowledge Proofs

An Anonymous Authentication Scheme for Trusted Computing Platform

Katz, Lindell Introduction to Modern Cryptrography

Improved Algebraic MACs and Practical Keyed-Verification Anonymous Credentials

Entity Authentication

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Group Undeniable Signatures

Introduction to Cryptography Lecture 13

CPSC 467b: Cryptography and Computer Security

Efficient Group Signatures without Trapdoors

Group Undeniable Signatures

A METHOD FOR REVOCATION IN GROUP SIGNATURE SCHEMES

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

A Fully-Functional group signature scheme over only known-order group

Convertible Group Undeniable Signatures

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Lecture 15 - Zero Knowledge Proofs

Accumulators and U-Prove Revocation

Cryptology. Vilius Stakėnas autumn

Group Blind Digital Signatures: A Scalable Solution to Electronic Cash

Winter 2011 Josh Benaloh Brian LaMacchia

Non-Interactive Zero-Knowledge Proofs of Non-Membership

III. Authentication - identification protocols

Blind Collective Signature Protocol

Direct Anonymous Attestation

A Fair and Efficient Solution to the Socialist Millionaires Problem

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

A Direct Anonymous Attestation Scheme for Embedded Devices

Essam Ghadafi CT-RSA 2016

An Identification Scheme Based on KEA1 Assumption

Unlinkable Divisible Electronic Cash

Notes on Zero Knowledge

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

RZ 3730 (# 99740) 03/19/2009 Revised version: 04/29/2010 Computer Science 48 pages. Specification of the Identity Mixer Cryptographic Library

A Note on the Cramer-Damgård Identification Scheme

Pairing-Based Identification Schemes

Some ZK security proofs for Belenios

Theory of Computation Chapter 12: Cryptography

Homework 3 Solutions

Schnorr Signature. Schnorr Signature. October 31, 2012

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

PAIRING-BASED IDENTIFICATION SCHEMES

CPSC 467: Cryptography and Computer Security

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Chapter 8 Public-key Cryptography and Digital Signatures

A Practical and Provably Secure Coalition-Resistant Group Signature Scheme

The Cramer-Shoup Strong-RSA Signature Scheme Revisited

Introduction to Modern Cryptography Lecture 11

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

Week : Public Key Cryptosystem and Digital Signatures

Threshold Undeniable RSA Signature Scheme

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

Non-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)

From Secure MPC to Efficient Zero-Knowledge

Borromean Ring Signatures

GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks

Tightly-Secure Signatures From Lossy Identification Schemes

Universal Accumulators with Efficient Nonmembership Proofs

Interactive protocols & zero-knowledge

Additive Combinatorics and Discrete Logarithm Based Range Protocols

Cryptographic Protocols FS2011 1

Colluding Attacks to a Payment Protocol and Two Signature Exchange Schemes

Digital Signature Scheme Based on a New Hard Problem

Interactive protocols & zero-knowledge

Private Intersection of Certified Sets

Montgomery-Suitable Cryptosystems

Security Arguments for Digital Signatures and Blind Signatures

Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Efficient Zero-Knowledge Range Proofs in Ethereum

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

Lecture 3: Interactive Proofs and Zero-Knowledge

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

MATH 158 FINAL EXAM 20 DECEMBER 2016

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

CPSC 467: Cryptography and Computer Security

On Two Round Rerunnable MPC Protocols

A Small Subgroup Attack on Arazi s Key Agreement Protocol

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

CPSC 467b: Cryptography and Computer Security

Systèmes de preuve Groth-Sahai et applications

A handy multi-coupon system

DATA PRIVACY AND SECURITY

Zero-Knowledge Proofs and Protocols

Transcription:

George Danezis Microsoft Research, Cambridge, UK

Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets allow you to use cinema / train Bars require customers to be older than 18 But do you want the barman to know your address?

Usual way: Identity provider certifies attributes of a subject. Identity consumer checks those attributes Match credential with live person (biometric) Examples: E-passport: signed attributes, with lightweight access control. Attributes: nationality, names, number, pictures,... Identity Cards: signatures over attributes Attributes: names, date of birth, picture, address,...

The players: Issuer (I) = Identity provider Prover (P) = subject Verifier (V) = identity consumer Properties: The prover convinces the verifier that he holds a credential with attributes that satisfy some boolean formula: Simple example age=18 AND city=cambridge Prover cannot lie Verifier cannot infer anything else aside the formula Anonymity maintained despite collusion of V & I

1. Issuing protocol: Prover gets a certified credential. Issuer Passport Issuing Authority Name=Peggy, age=25, address=cambridge, Status=single Cannot learn anything beyond age Prover Peggy 2. Showing Protocol: Prover makes assertions about some attributes age=25 Verifier Victor (Bar staff Checking age)

Single-show credential (Brands & Chaum) Blind the issuing protocol Show the credential in clear Multiple shows are linkable BAD Protocols are simpler GOOD We will Focus on these Multi-show (Camenisch & Lysyanskaya) Random oracle free signatures for issuing (CL) Blinded showing Prover shows that they know a signature over a particular ciphertext. Cannot link multiple shows of the credential More complex no implementations

Cryptographic preliminaries The discrete logarithm problem Schnorr s Identification protocol Unforgeability, simulator, Fiat-Shamir Heuristic Generalization to representation Showing protocol Linear relations of attributes AND-connective Issuing protocol Blinded issuing

Assume p a large prime (>1024 bits 2048 bits) Detail: p = qr+1 where q also large prime Denote the field of integers modulo p as Z p Example with p=5 Addition works fine: 1+2 = 3, 3+3 = 1,... Multiplication too: 2*2 = 4, 2*3 = 1,... Exponentiation is as expected: 2 2 = 4 4 3 0 2 1 Choose g in the multiplicative group of Z p Such that g is a generator Example: g=2 1 2 4 3

Exponentiation is computationally easy: Given g and x, easy to compute g x But logarithm is computationally hard: Given g and g x, difficult to find x = log g g x If p is large it is practically impossible Related DH problem Given (g, g x, g y ) difficult to find g xy Stronger assumption than DL problem

Efficient to find inverses Given c easy to calculate g -c mod p (p-1) c mod p-1 Efficient to find roots Given c easy to find g 1/c mod p c (1/c) = 1 mod (p-1) Note the case N=pq (RSA security) No need to be scared of this field.

Exemplary of the zero-knowledge protocols credentials are based on. Players Public g a generator of Z p Prover knows x (secret key) Verifier knows y = g x (public key) Aim: the prover convinces the verifier that she knows an x such that g x = y Zero-knowledge verifier does not learn x! Why identification? Given a certificate containing y

Knows: x Public: g, p Knows: y=g x P->V: g w = a (witness) Peggy (Prover) Random: w V->P: c P->V: cx+w = r (challenge) (response) Victor (Verifier) Check: g r = y c a g cx+w = (g x ) c g w

Assume that Peggy (Prover) does not know x? If, for the same witness, Peggy forges two valid responses to two of Victor s challenges r 1 = c 1 x + w r 2 = c 2 x + w Then Peggy must know x 2 equations, 2 unknowns (x,w) can find x

The verifier learns nothing new about x. How do we go about proving this? Verifier can simulate protocol executions On his own! Without any help from Peggy (Prover) This means that the transcript gives no information about x How does Victor simulate a transcript? (Witness, challenge, response)

Need to fake a transcript (g w, c, r ) Simulator: Trick: do not follow the protocol order! First pick the challenge c Then pick a random response r Then note that the response must satisfy: g r = (g x ) c g w -> g w = g r / (g x ) c Solve for g w Proof technique for ZK but also important in constructions (OR)

Schnorr s protocol Requires interaction between Peggy and Victor Victor cannot transfer proof to convince Charlie (In fact we saw he can completely fake a transcript) Fiat-Shamir Heuristic H[ ] is a cryptographic hash function Peggy sets c = H[g w ] Note that the simulator cannot work any more g w has to be set first to derive c Signature scheme Peggy sets c = H[g w, M]

Traditional Schnorr For fixed g, p and public key h = g x Peggy proves she knows x such that h = g x General problem Fix prime p, generators g 1,..., g l Public key h =g 1 x 1g2 x 2... gl x l Peggy proves she knows x 1,..., x l such that h =g 1 x 1 g 2 x 2... g l x l

Knows: x 1,..., x l Public: g, p Knows: h = g 1 X1 g 2 X2... g l Xl Peggy (Prover) l random: w i P->V: 0<i<l g w i = a (witness) V->P: c (challenge) Victor (Verifier) r i = cx i +w i P->V: r 1,..., r l Check: ( 0<i<l g i r i) = hc a (response) Let s convince ourselves: ( 0<i<l g i r i ) = ( 0<i<l g i x i ) c ( 0<i<l g w i) = h c a

Knows: x 1,..., x l Public: g, p Knows: h = g 1 X1 g 2 X2... g l Xl Peggy (Prover) l random: w i P->V: 0<i<l g w i = a (witness) V->P: c (challenge) Victor (Verifier) r i = cx i +w i P->V: r 1,..., r l Check: ( 0<i<l g i r i) = hc a (response) Lets convince ourselves: ( 0<i<l g i r i ) = ( 0<i<l g i x i ) c ( 0<i<l g w i) = h c a

Relation to DL representation Credential representation: Attributes x i Credential h =g 1 X1 g 2 X2... g l Xl, Sig Issuer (h) Credential showing protocol Peggy gives the credential to Victor Peggy proves a statement on values x i X age = 28 AND x city = H[Cambridge] Merely DL rep. proves she knows x i

Remember: Attributes x i, i = 1,...,4 Credential h =g 1 x 1g2 x 2 g3 x 3 g 4 x 4, Sig Issuer (h) Example relation of attributes: (x 1 + 2x 2 10x 3 = 13) AND (x 2 4x 3 = 5) Implies: (x 1 = 2x 3 +3) AND (x 2 = 4x 3 +5) Substitute into h h = g 1 2x 3 +3 g 2 4x 3 +5 g 3 x 3 g4 x 4= (g13 g 25 )(g 12 g 24 g 3 ) x 3 g4 x 4 Implies: h / (g 13 g 25 ) = (g 12 g 24 g 3 ) x 3 g4 x 4

Example (continued) (x 1 + 2x 2 10x 3 = 13) AND (x 2 4x 3 = 5) Implies: h / (g 13 g 25 ) = (g 12 g 24 g 3 ) x 3 g4 x 4 How do we prove that in ZK? DL representation proof! h = h / (g 13 g 25 ) g 1 = g 12 g 24 g 3 g 2 = g 4 Prove that you know x 3 and x 4 such that h = (g 1 ) x 3 (g2 ) x 4

Knows: x 1, x 2, x 3, x 4 Public: g, p Knows: h = g 1 X1 g 2 X2 g 3 X3 g 4 X4 random: w 1, w 2 Peggy (Prover) P->V: g 1 w 1 g2 w 2 = a V->P: c (witness) (challenge) Victor (Verifier) r 1 = cx 3 +w 1 r 2 = cx 4 +w 2 P->V: r 1, r 2 Check: (g 1 ) r 1 (g2 ) r 2 = (h )c a (response)

Reminder h = g 1 X1 g 2 X2 g 3 X3 g 4 X4 h = h / (g 13 g 25 ) g 1 = g 12 g 24 g 3 g 2 = g 4 a = g 1 w 1 g2 w 2 r 1 = cx 3 +w 1 r 2 = cx 4 +w 1 Check: (g 1 ) r 1 (g2 ) r 2 = (h )c a => (g 1 ) (cx 3+w 1) (g 2 ) (cx 4+w 1) = (h / (g 13 g 25 )) c g 1 w 1 g 2 w 2 => (g 1 2x 3 +3 g 2 4x 3 +5 g 3 x 3g4 x 4) = h x 1 x 2

Showing any relation implies knowing all attributes. Can make non-interactive (message m) c = H[h, m, a ] Other proofs: (OR) connector (simple concept) (x age =18 AND x city =H[Cambridge]) OR (x age =15) (NOT) connector Inequality (x age > 18) (Yao s millionaire protocol)

Standard tools Schnorr ZK proof of knowledge of discrete log. DL rep. ZK proof of knowledge of representation. Credential showing representation + certificate ZK proof of linear relations on attributes (AND) More reading: (OR), (NOT), Inequality

1. Issuing protocol: Prover gets a certified credential. Issuer Cannot learn anything Prover Credential h =g 1 X1 g 2 X2... g l Xl Sig Issuer (h) 2. Showing Protocol: Prover makes assertions about some attributes Verifier

Prover cannot falsify a credential Unlinkability Issuer cannot link a showing transcript to an instance of issuing h, Sig issuer (h) have to be unlinkable to issuing Achieving unlinkability Issuer s view: h = g 1 X1 g 2 X2...g l Xl Prover uses: h = g 1 X1 g 2 X2...g l Xl g 0 a 1

Knows: x 1, x 2,..., x l Public: g, p Knows: x 1, x 2,..., x l Private: x 0, (y 1,..., y l ) Public: h 0 = g x 0, g i = g y i Rand: w 0 I->P: g w 0 = a0 (witness) Prover Issuer P->I: c 0 (challenge) Rand: a 1, a 2, a 3 h = h g a 1 c 0 = H[h, g a 2(h 0 h) a 3a 0 ] c 0 = c 0 + a 3 r 0 = c 0 (x 0 + i x i y i ) +w 0 I->P: r 0 (response) Credential: h = g a 1 g i x i Signature: (c 0, r 0 ) Check: c 0 = H[h, g r 0(h 0 h ) -c 0] Check: g r o = (h 0 h) c 0a 0 r 0 = r 0 + a 2 + c 0 a 1

Knows: x 1, x 2,..., x l Public: g, p Knows: x 1, x 2,..., x l Private: x 0, (y 1,..., y l ) Public: h 0 = g x 0, g i = g y i Rand: w 0 I->P: g w 0 = a0 (witness) Prover Issuer Non interactive signature: c 0 = H[h, a 0 ] P->I: c 0 (challenge) Rand: a 1, a 2, a 3 h = h g a 1 c 0 = H[h, g a 2(h 0 h) a 3a 0 ] c 0 = c 0 + a 3 r 0 = c 0 (x 0 + i x i y i ) +w 0 I->P: r 0 (response) ZK knowledge proof of the representation of h 0 h = g x 0 gi x i Check: g r o = (h 0 h) c 0a 0 r 0 = r 0 + a 2 + c 0 a 1 = g (x 0 + i x i y i ) : just Schnorr!

Public: g, p, h 0 = g x 0, g i = g y i Knows: x 1, x 2,..., x l I->P: g w 0 = a0 (witness) P->I: c 0 (challenge) I->P: r 0 (response) Prover Rand: a 1, a 2, a 3 h = h g a 1 c 0 = H[h, g a 2(h 0 h) a 3a 0 ] c 0 = c 0 + a 3 Check: g r o = (h 0 h) c 0a 0 r 0 = r 0 + a 2 + c 0 a 1 Schnorr Verification: Issuer knows the representation of (h 0 h)! Credential: h = g a 1 g i x i Signature: (c 0, r 0 ) Check: c 0 = H[h, g r 0(h 0 h ) -c 0]

Public: g, p, h 0 = g x 0, g i = g y i Knows: x 1, x 2,..., x l I->P: g w 0 = a0 (witness) Prover P->I: c 0 (challenge) I->P: r 0 (response) Unlinkable Rand: a 1, a 2, a 3 h = h g a 1 c 0 = H[h, g a 2(h 0 h) a 3a 0 ] c 0 = c 0 + a 3 Check: g r o = (h 0 h) c 0a 0 r 0 = r 0 + a 2 + c 0 a 1 1) Set c 0 2) Get r 0 such that... Credential: h = g a 1 g i x i Signature: (c 0, r 0 ) Check: c 0 = H[h, g r 0(h 0 h ) -c 0] My Goal

Public: g, p, h 0 = g x 0, g i = g y i Knows: x 1, x 2,..., x l I->P: g w 0 = a0 (witness) Prover Rand: a 1, a 2, a 3 h = h g a 1 c 0 = H[h, g a 2(h 0 h) a 3a 0 ] c 0 = c 0 + a 3? (response) Check: g r o = (h 0 h) c 0a 0 r 0 = r 0 + a 2 + c 0 a 1 Credential: h = g a 1 g x i i Signature: (c 0, r 0 ) Check: c 0 = H[h, g r 0(h 0 h ) -c 0] P->I: c 0 (challenge) I->P: r 0

Goal: c 0 = H[h, g a 2 (h0 h) a 3 a0 ] = H[h, g r 0 (h0 h ) -c 0 ] So g a 2(h 0 h) a 3a 0 = g r 0(h 0 h ) -c 0 must be true Lets follow: g r 0(h 0 h ) -c 0 = g a 2(h 0 h) a 3a 0 g (r 0 + a 2 + c 0 a 1) (h 0 h) -(c 0+a 3) g -c 0a 1 = g a 2 (h 0 h) a 3 a 0 (g r 0 (h0 h) -c 0) (g a 2(h 0 h) a 3 ) = (g a 2(h 0 h) a 3 ) a 0 Substitute r 0 and c 0 TRUE

Issuer sees: c o, r 0, h Such that g r o = (h0 h) c 0 a0 Verifier sees: c 0, r 0, h Relation: Random: a 1, a 2, a 3 h = h g a 1 c 0 = c 0 + a 3 r 0 = r 0 + a 2 + c 0 a 1 Even if they collude they cannot link the credential issuing and showing

Authentication between Issuer and Peggy Need to check that Peggy has the attributes requested Issuing protocol should not be run in parallel! (simple modifications are required)

Putting it all together: Issuer and Peggy run the issuing protocol. Peggy gets: Credential: h = g a 1 g i x i Signature: (c 0, r 0 ) Check: c 0 = H[h, g r 0(h 0 h ) -c 0] Peggy and Victor run the showing protocol Victor checks the validity of the credential first Peggy shows some relation on the attributes (Using DL-rep proof on h )

Credential issuing Proof of knowledge of DL-rep & x 0 of issuer Peggy assists & blinds proof to avoid linking Further topics Transferability of credential Double spending

Attribute based access control Federated identity management Electronic cash (double spending) Privacy friendly e-identity Id-cards & e-passports Multi-show credentials!

Core: Claus P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4:161 174, 1991. Stefan Brands. Rethinking public key infrastructures and digital certificates building in privacy. MIT Press. More: Jan Camenisch and Markus Stadler. Proof systems for general statements about discrete logarithms. Technical report TR 260, Institute for Theoretical Computer Science, ETH, Zurich, March 1997. Jan Camenisch and Anna Lysianskaya. A signature scheme with efficient proofs. (CL signatures)

Peggy wants to prove (A OR B) Say A is true and B is false Simple modification of Schnorr Peggy sends witness Victor sends commitment c Peggy uses simulator for producing a response r B for B (That sets a particular c B ) Peggy chooses c A such that c = c A + c B Then she produces the response r A for A Key concept: simulators are useful, not just proof tools!

Designated verifier proof A OR knowledge of verifier s key Simulate the second part Third parties do nor know if A is true or the statement has been built by the designated verifier! Non-interactive proof not transferable!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback