Anonymous Credentials Gergely Alpár Collis – November 24, 2011 Crypt assumptions November 24, 2011. (Collis) G. Alpár: Anonymous credentials 2 Crypt assumptions November 24, 2011. (Collis) G. Alpár: Anonymous credentials 3 My assumptions • • • • • Modular computation: addition, multiplication Public-key cryptography (PKI) Cryptographic hash function Concatenation November 24, 2011. (Collis) G. Alpár: Anonymous credentials 4 Overview • • • • • • • Zero-knowledge proof of knowledge Credentials Discrete logarithm preliminaries U-Prove RSA preliminaries Idemix Comparison November 24, 2011. (Collis) G. Alpár: Anonymous credentials 5 Zero-knowledge proofs November 24, 2011. (Collis) G. Alpár: Anonymous credentials 6 Current practice I know It’s the wachtw0ord2011 password! November 24, 2011. (Collis) I don’t Yes,believe indeed.you. G. Alpár: Anonymous credentials 7 Zero-knowledge proof No, I don’t show it, but I know I I’ll canconvince the prove secret! it.you that I know it. I'll believe it when I I don’t believe you. see it. A hard problem November 24, 2011. (Collis) G. Alpár: Anonymous credentials 8 Waldo and ZK November 24, 2011. (Collis) G. Alpár: Anonymous credentials 9 Where’s Waldo? Source: findwaldo.com // The Gobbling Gluttons Idea: Moni Naor et al. How to Convince Your Children You are not Cheating, 1999 November 24, 2011. (Collis) G. Alpár: Anonymous credentials 10 November 24, 2011. (Collis) G. Alpár: Anonymous credentials 11 November 24, 2011. (Collis) G. Alpár: Anonymous credentials 12 November 24, 2011. (Collis) G. Alpár: Anonymous credentials 13 November 24, 2011. (Collis) G. Alpár: Anonymous credentials 14 ZK – Ali baba’s cave November 24, 2011. (Collis) G. Alpár: Anonymous credentials 15 Credentials November 24, 2011. (Collis) G. Alpár: Anonymous credentials 16 Credential flow November 24, 2011. (Collis) G. Alpár: Anonymous credentials 17 Anonymity requirements • • • • • • Untraceability Multi-show unlinkability Selective disclosure Attribute property proof Revocation by user Revocation by issuer November 24, 2011. (Collis) G. Alpár: Anonymous credentials Age > 18 Valid 18 High-level approaches • Every time: issuing before showing (U-Prove, 1999) – Untraceability • Showing with zero-knowledge proof (Idemix, 2001) – Untraceability and unlinkability • Randomize (self-blindable, 2001) – Unlinkability and untraceability November 24, 2011. (Collis) G. Alpár: Anonymous credentials 19 History of anonymous credentials 1986: Non-interactive ZK (Fiat & Shamir) 1978: RSA 1981: Digital pseudonym (Chaum) 1976: Public-key crypto (Diffie & Hellman) 1970 1980 November 24, 2011. (Collis) 1990-91: Schnorr identification and signature 1985: Zeroknowledge proof (GMR) 2002: Idemix JAVA implementation 2001: Idemix crypto (Camenisch & Lysyanskaya) 1999: U-Prove crypto (Brands) 1990 G. Alpár: Anonymous credentials 2000 2010-14: ABC4Trust (IBM & MS) 2010: Microsoft’s U-Prove impl. 2009: Light-weight Idemix impl. (IBM) 2010 20 Discrete logarithm – preliminaries November 24, 2011. (Collis) G. Alpár: Anonymous credentials 21 Modular computation x a mod n 3 7 = . 7 47 343 = + 14 = 14 mod 47 logax mod n log7 14 = 3 mod 47 November 24, 2011. (Collis) G. Alpár: Anonymous credentials 22 Modular exponentiation 10x mod 53 60 50 49 47 102 40 46 44 103 42 36 104 30 28 24 20 101 10 16 15 13 10 1013 1 0 1 2 November 24, 2011. (Collis) 3 4 5 6 7 8 G. Alpár: Anonymous credentials 9 10 11 12 13 x 23 Discrete logarithm (p = 53, q = 13) 10x mod 53 60 log10 24 = ? mod 53 50 49 47 46 44 42 40 36 30 28 24 20 16 15 13 10 10 1 0 1 2 November 24, 2011. (Collis) 3 4 5 6 7 8 G. Alpár: Anonymous credentials 9 10 11 12 13 x 24 Discrete logarithm (p = 389, q =97) log13 193 = ? mod 389 13x mod 389 400 385 380 350 369 365 348 302 278 250 272 303 294 283 269 262 248 223 187 184 178 171 150 150 79 55 50 36 13 0 69 210 208 175 159 157 143 142 122 112 9794 73 176180 129 121 125 119 113 216 206 193 200 100 256 236 221 169164 290 289 275 249 245 337 335 327 325 330 321 300 252 345344 343 326 370 361 93 96 81 74 6 7 65 80 66 85 78 77 58 76 30 25 17 5 102 49 42 35 91 6 11 7 16 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45 47 49 51 53 55 57 59 61 63 65 67 69 71 73 75 77 79 81 83 85 87 89 91 93 95 97 November 24, 2011. (Collis) G. Alpár: Anonymous credentials 1 x 25 p ~ 21024, q ~ 2160 gb = h (mod p) where the order of g is q 120647512938908028867388901435622501660544582652084763778469179795603 511596928068284302347645679661284502756586088182980185380205485840303 823342758131447025760358124071773512320456087558761236652680084522358 687865972828438154299478474984622198115039866220934797393671281602442 459774704328099491586290681366721842531452715241719233458597619542522728958116591 = 549086002740084701984486640336450162789290096927294601835316615972459 239908386292992812505706497044670749985364914810890131478405569222611 998191174703524387268890351309405818164593116113374307910637605590625 799535054196582901639260509036543087612796546426668918067881782691147 99030238674475936287917164274641 (mod 147540829457233765072451123330814771849279870508740658191364766390571 127595133276091294946062334381927384270351919254939797952329145575009 188956176344993292905052474988906261438800251337646245695529118629813 762877963253295780055957721171296243452181910303437299543284160580397 044072404446659484077705433238843) November 24, 2011. (Collis) G. Alpár: Anonymous credentials 26 Efficiently computable • Random numbers – 4, 1, 4, 2, 1, 3, 5, 6, 2, 3, 7, 3, 0, 9, 5, 0, 4, 8, 8, 0, 1, 6, 8, 8, 7, 2, 4, 2, 0, 9, 6, 9, 8, 0, 7, 8, 5, 6, 9 • Modular addition and multiplication – a . b + c (mod n) • Modular exponentiation – 326 = 3(11010) = 32 .38 .316 = 3 (mod 11) • 32 = 9 mod 11 • 38 = (((9)2)2 mod 11 = 5 mod 11 • 316 = 52 mod 11 = 3 mod 11 November 24, 2011. (Collis) G. Alpár: Anonymous credentials 27 ZK as a basic building block Zero-knowledge (ZK) proof of knowledge Schnorr identification U-Prove showing Schnorr signature Blind signature U-Prove issuance November 24, 2011. (Collis) G. Alpár: Anonymous credentials 28 U-Prove November 24, 2011. (Collis) G. Alpár: Anonymous credentials 29 Crypt assumptions Discrete logarithm assumption November 24, 2011. (Collis) G. Alpár: Anonymous credentials 30 Schnorr identification • Complete (P: “If I know, I can convince you.”) • Sound (V: “If you don’t know, you cannot convince me.”) • Zero-knowledge November 24, 2011. (Collis) G. Alpár: Anonymous credentials 31 From outside November 24, 2011. (Collis) G. Alpár: Anonymous credentials 32 Simulation Zero-knowledgeness Real communication November 24, 2011. (Collis) Simulated communication G. Alpár: Anonymous credentials 33 Schnorr identification November 24, 2011. (Collis) G. Alpár: Anonymous credentials 34 Schnorr identification November 24, 2011. (Collis) G. Alpár: Anonymous credentials 35 Non-interactive Schnorr (Fiat—Shamir) November 24, 2011. (Collis) G. Alpár: Anonymous credentials 36 Schnorr signature (freshness) November 24, 2011. (Collis) G. Alpár: Anonymous credentials 37 Schnorr signature November 24, 2011. (Collis) G. Alpár: Anonymous credentials 38 Schnorr blind signature November 24, 2011. (Collis) G. Alpár: Anonymous credentials 39 Schnorr blind signature November 24, 2011. (Collis) G. Alpár: Anonymous credentials 40 Credential flow Issuing Showing November 24, 2011. (Collis) G. Alpár: Anonymous credentials 41 DL representation November 24, 2011. (Collis) G. Alpár: Anonymous credentials 42 Brands’ issuing protocol (U-Prove) November 24, 2011. (Collis) G. Alpár: Anonymous credentials 43 Brands’ showing protocol (U-Prove) November 24, 2011. (Collis) G. Alpár: Anonymous credentials 44 Selective disclosure (U-Prove) • Certain attributes are revealed • Others are proven in the token but remaining hidden R November 24, 2011. (Collis) G. Alpár: Anonymous credentials 45 Selective disclosure (U-Prove) November 24, 2011. (Collis) G. Alpár: Anonymous credentials 46 RSA – preliminaries November 24, 2011. (Collis) G. Alpár: Anonymous credentials 47 Crypt assumptions Integer factorization is hard November 24, 2011. (Collis) G. Alpár: Anonymous credentials 48 RSA signature – recap November 24, 2011. (Collis) G. Alpár: Anonymous credentials 49 Strong RSA assumption n Integer factorization p, q c, e RSA problem m c = me (mod n) c Strong RSA problem November 24, 2011. (Collis) G. Alpár: Anonymous credentials m, e 50 Idemix – selective disclosure November 24, 2011. (Collis) G. Alpár: Anonymous credentials 51 Camenisch—Lysyanskaya signature November 24, 2011. (Collis) G. Alpár: Anonymous credentials 52 Idemix issuing protocol (CL)* Plus: freshness with nonces! SPKs November 24, 2011. (Collis) G. Alpár: Anonymous credentials * without intervals 53 Randomized CL-signature November 24, 2011. (Collis) G. Alpár: Anonymous credentials 54 Idemix showing protocol* Plus: freshness with a nonce! SPK November 24, 2011. (Collis) G. Alpár: Anonymous credentials * without intervals 55 CL showing: selective disclosure* Plus: freshness with a nonce! SPK November 24, 2011. (Collis) G. Alpár: Anonymous credentials * without intervals 56 U-Prove vs. Idemix November 24, 2011. (Collis) G. Alpár: Anonymous credentials 57 Comparison of functionalities November 24, 2011. (Collis) G. Alpár: Anonymous credentials 58 Performance (client) November 24, 2011. (Collis) G. Alpár: Anonymous credentials 59 U-Prove selective disclosure W. Mostowski, P. Vullers: Efficient U-Prove Implementation for Anonymous Credentials on Smart Cards November 24, 2011. (Collis) G. Alpár: Anonymous credentials 60 Future of anonymous credentials… • ABC4Trust • NSTIC (discussion by Francisco Corella) • W3C Identity in the browser November 24, 2011. (Collis) G. Alpár: Anonymous credentials 61 Questions? Gergely Alpar gergely@cs.ru.nl www.cs.ru.nl/~gergely November 24, 2011. (Collis) G. Alpár: Anonymous credentials 62