E-cash Anonymous Credentials Compact E-cash

ECash and Anonymous Credentials
CS/ECE 598MAN: Applied Cryptography
Nikita Borisov
November 9, 2009
Outline

1. E-cash
   - Chaum's E-cash
   - Offline E-cash
2. Anonymous Credentials
   - e-cash-based Credentials
   - Brands' Credentials
   - CL Signatures
   - Camenisch Anonymous Credentials
3. Compact E-cash
E-cash properties

How is cash different from credit card transactions?
- Untraceable
- Verifiable offline
Chaum's E-cash: First Attempt at e-cash

A message with a digital signature:

  Example (eBill): "This bill is legal tender for exactly US$1.00" – US Mint

How well does this work for our purposes?
- Traceable: the Mint will recognize the randomized signature
- Needs online verification to prevent double spending
Chaum's E-cash: Blind Signatures [Chaum, Crypto'82]

Recall the RSA homomorphism:

  RSA Signature Homomorphism: $(m_1)^d \cdot (m_2)^d \equiv (m_1 m_2)^d \pmod n$

We can use this to construct a blind signature:

Definition (Blind signature)
1. Alice picks $r \in_R \mathbb{Z}_n^*$
2. Alice generates the blinded message $m' = m \cdot r^e \pmod n$ and asks the mint to sign it
3. The mint produces a signature on $m'$: $\sigma' = (m')^d \equiv m^d r^{ed} \equiv m^d r \pmod n$
4. Alice uses $\sigma = \sigma' / r$ to obtain a signature on $m$
Chaum's E-cash: Blind signature protocol

Withdrawal Protocol
1. Alice produces a message: $m = H(\text{"This bill is legal tender for exactly US\$1,000.00"})$
2. Alice obtains a blind signature on $m$ from the mint.
3. The mint deducts \$1 from Alice's account.

Properties
- Unlinkable: the mint cannot link the signature on $m$ to the signature on $m'$ (information-theoretic security)
- Needs online verification to prevent double spending
- Alice can change the amount
Chaum's E-cash: Single-denomination keys

The mint's public key $(n, e)$ is used only to issue \$1.00 e-coins.

Withdrawal Protocol
1. Alice produces a serial number $s$ and the message $m = H(s)$
2. Alice obtains a blind signature on $m$ from the mint.
3. The mint deducts \$1 from Alice's account.

Why $m = H(s)$? It prevents existential forgery. The payment protocol requires Alice to produce $s$ and a signature on $H(s)$.

How do we support multiple denominations? Multiple public keys: $(n_{\$1}, e_{\$1}), (n_{\$5}, e_{\$5}), \ldots$
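The single-denomination withdrawal above, as an added example (not code from the lecture): a toy RSA key for the mint, blinding of $m = H(s)$, signing, unblinding, and the merchant's acceptance check. The key size, the 16-byte serial number and all function names are assumptions of this example. The last function checks the RSA homomorphism the Blind Signatures slide starts from, which is exactly why the coin carries $H(s)$ rather than $s$: without the hash, two valid signatures could be multiplied into a third.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key for the mint (constructed for this example; real keys are 2048+ bits).
P, Q = 1009, 1013
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def H(serial: bytes) -> int:
    """m = H(s): the coin is a signature on the hash of the serial number, not on s itself."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(m: int):
    """Alice: pick r in Z_n^* and return m' = m * r^e mod n together with r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return m * pow(r, E, N) % N, r


def mint_sign(m_blind: int) -> int:
    """Mint: signs the blinded value it is given (it never sees m) and debits $1."""
    return pow(m_blind, D, N)


def unblind(sigma_blind: int, r: int) -> int:
    """Alice: sigma = sigma' / r = m^d * r / r = m^d mod n."""
    return sigma_blind * pow(r, -1, N) % N


def verify(m: int, sigma: int) -> bool:
    return pow(sigma, E, N) == m


def withdraw_coin():
    """Full withdrawal from Alice's side; the coin is the pair (s, sigma)."""
    s = secrets.token_bytes(16)          # serial number (length is an assumption)
    m_blind, r = blind(H(s))
    sigma = unblind(mint_sign(m_blind), r)
    return s, sigma


def accept_coin(s: bytes, sigma: int) -> bool:
    """Merchant: a coin is valid iff sigma is the mint's signature on H(s)."""
    return verify(H(s), sigma)


def homomorphism_holds(m1: int, m2: int) -> bool:
    """The slide's RSA property: sig(m1) * sig(m2) == sig(m1 * m2) mod n."""
    return pow(m1, D, N) * pow(m2, D, N) % N == pow(m1 * m2 % N, D, N)
```

The mint only ever sees $m'$ and $\sigma'$, while the merchant only sees $(s, \sigma)$; the blinding factor $r$ that connects the two never leaves Alice.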
Offline E-cash [Chaum, Fiat, & Naor, Crypto'90]

Basic ideas:
- Encode the payer's identity in the coin
- The payment protocol reveals some function of the user's identity
- Two payments will reveal the full identity
- Zero-knowledge proofs show that the protocol is being followed
Offline E-cash: Setup

- Bank's RSA public key: $(n, e)$ as before; every coin is worth \$1.
- Each user has an account number $u$ and a counter $v$.
- Two collision-resistant hash functions are used:
  - $f(x, y)$ is modeled as a random oracle
  - $g(x, y)$ has the property that $g(x, \cdot)$ is a permutation
    Note: this guarantees that $g(x, \cdot)$ is collision free
Offline E-cash: Withdrawal Protocol

Withdrawal
1. Alice chooses $a, c, d, r \in_R \mathbb{Z}_n^*$
2. Alice forms a coin: $C = f(g(a, c),\ g(a \oplus (u \| (v+1)), d))$
3. Alice sends $r^e \cdot C$ to the bank
4. The bank produces a signature $\sigma' = r \cdot C^d$
5. The bank increments $v$ by 1 and debits Alice's account \$1

Note: Alice's identity is encoded in the coin (in a complex way).
The bank needs to verify that Alice is constructing the coin correctly.
Offline E-cash: Cut-and-choose

Withdrawal
1. Alice chooses $a_i, c_i, d_i, r_i \in_R \mathbb{Z}_n^*$, for $i = 1, \ldots, k$
2. Alice forms the coins: $C_i = f(g(a_i, c_i),\ g(a_i \oplus (u \| (v+i)), d_i))$
3. Alice sends $r_i^e \cdot C_i$ to the bank
4. The bank picks a set $R$ of $k/2$ indices and sends them to Alice
5. Alice sends $a_i, c_i, d_i$, and $r_i$ for $i \in R$ to the bank
6. The bank produces a signature on the remaining $C_i$'s: $\sigma' = \prod_{i \notin R} r_i \cdot C_i^d$
7. Alice generates the final coin: $C = \sigma' / \prod_{i \notin R} r_i = \prod_{i \notin R} C_i^d$
8. The bank increments $v$ by 1 and debits Alice's account \$1
Offline E-cash: Payment Protocol

Assume without loss of generality that $R = \{k/2 + 1, \ldots, k\}$, thus:

Payment
1. Alice sends $C$ to Bob.
2. Bob chooses $k/2$ random bits, $z_1, \ldots, z_{k/2} \in_R \{0, 1\}$
3. For each $i$, Alice sends:
   - If $z_i = 1$, she sends $a_i,\ c_i,\ g(a_i \oplus (u \| (v+i)), d_i)$
   - If $z_i = 0$, she sends $g(a_i, c_i),\ a_i \oplus (u \| (v+i)),\ d_i$
4. Bob recomputes each $C_i$ and verifies that the signature is correct
5. Later, Bob sends $C$ and Alice's responses to the bank
6. The bank verifies the responses and credits Bob's account
Offline E-cash: Double Spending

If the bank receives two copies of the same coin $C$, it can recover Alice's identity from her responses to two merchants' challenges, $z$ and $z'$:
- With probability $1 - 2^{-k/2}$, $\exists i$ such that $z_i \neq z'_i$
- The bank then has both $a_i$ and $a_i \oplus (u \| (v+i))$

Note: if Alice and Charlie collude, Charlie can issue the same challenge as Bob.
Fix: make Bob's challenge depend on his identity.

Note: to prevent framing by the bank, Alice can use the account number $u \| w_i$ for random $w_i$ and provide a signature on the $H(w_i)$'s to the bank (which the bank checks during cut-and-choose).
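The cut-and-choose withdrawal, the payment protocol and the bank's double-spend recovery from the last three slides, as one added example that is not part of the lecture. Its assumptions: $f$ and $g$ are modelled with SHA-256 (the toy $g$ is a plain hash, not the per-$x$ permutation the Setup slide requires), the identity $u \| (v+i)$ is packed into a 32-bit integer with $u$ in the high half, $k = 8$, and the bank's RSA key is a tiny constructed one. The last function is the bank-side detection logic: given two transcripts for the same $C$, it finds an index answered under $z_i = 1$ in one and $z_i = 0$ in the other and XORs $a_i$ with $a_i \oplus (u \| (v+i))$.

```python
import hashlib
import secrets
from math import gcd, prod

# Toy RSA key for the bank (constructed for this example; far too small for real use).
P, Q = 61, 53
N = P * Q                            # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))    # 2753

K = 8        # candidate coins per withdrawal (k on the slides); must be even
BITS = 32    # width of a_i and of the packed identity u || (v + i)  (assumption)


def H(*parts):
    h = hashlib.sha256()
    for p in parts:
        h.update(repr(p).encode() + b"|")
    return int.from_bytes(h.digest(), "big")


def f(x, y):                 # f modelled as a random oracle into Z_n
    return H("f", x, y) % N


def g(x, y):                 # toy g: a hash; the slides need g(x, .) to be a permutation
    return H("g", x, y) % (1 << BITS)


def pack(u, v_plus_i):       # u || (v + i): u in the high 16 bits, v + i in the low 16
    return (u << 16) | v_plus_i


def unpack(w):
    return w >> 16, w & 0xFFFF


def rand_unit():             # r in Z_n^*
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r


def candidate_coin(a, c, d, u, v, i):
    return f(g(a, c), g(a ^ pack(u, v + i), d))


def withdraw(u, v):
    """Cut-and-choose withdrawal: returns Alice's coin C and her unopened candidates."""
    cands = {i: dict(a=secrets.randbits(BITS), c=secrets.randbits(BITS),
                     d=secrets.randbits(BITS), r=rand_unit()) for i in range(1, K + 1)}
    for i, x in cands.items():
        x["C"] = candidate_coin(x["a"], x["c"], x["d"], u, v, i)
    blinded = {i: pow(x["r"], E, N) * x["C"] % N for i, x in cands.items()}
    # Bank: pick R (half the indices) and check each opened candidate was built honestly.
    R = set(secrets.SystemRandom().sample(sorted(cands), K // 2))
    for i in R:
        x = cands[i]
        C_i = candidate_coin(x["a"], x["c"], x["d"], u, v, i)
        assert pow(x["r"], E, N) * C_i % N == blinded[i], "cut-and-choose check failed"
    keep = sorted(set(cands) - R)
    sigma_blind = prod(pow(blinded[i], D, N) for i in keep) % N   # prod r_i * C_i^d
    # Alice: divide out prod r_i to get C = prod C_i^d.
    coin = sigma_blind * pow(prod(cands[i]["r"] for i in keep), -1, N) % N
    return coin, {i: cands[i] for i in keep}


def pay(u, v, coin, unopened, challenge):
    """Alice answers Bob's challenge bits; the result is what Bob later forwards to the bank."""
    responses = {}
    for i, z in zip(sorted(unopened), challenge):
        x = unopened[i]
        masked = x["a"] ^ pack(u, v + i)
        if z == 1:
            responses[i] = (1, x["a"], x["c"], g(masked, x["d"]))
        else:
            responses[i] = (0, g(x["a"], x["c"]), masked, x["d"])
    return dict(coin=coin, responses=responses)


def verify_payment(t):
    """Bob (and later the bank): rebuild every C_i from the responses, check the signature."""
    Cs = []
    for resp in t["responses"].values():
        if resp[0] == 1:
            _, a, c, y = resp
            Cs.append(f(g(a, c), y))
        else:
            _, x, masked, d = resp
            Cs.append(f(x, g(masked, d)))
    return pow(t["coin"], E, N) == prod(Cs) % N


def detect_double_spend(t1, t2):
    """Bank: two transcripts of the same coin; an index answered with z != z' unmasks u."""
    if t1["coin"] != t2["coin"]:
        return None
    for i in t1["responses"]:
        r1, r2 = t1["responses"][i], t2["responses"][i]
        if r1[0] != r2[0]:
            one, zero = (r1, r2) if r1[0] == 1 else (r2, r1)
            u, _ = unpack(one[1] ^ zero[2])      # a_i XOR (a_i XOR u||(v+i))
            return u
    return None    # identical challenges: happens with probability 2^(-k/2)
```

A single honest payment reveals, for each index, either $a_i$ or its masked form but never both, so one transcript leaks nothing about $u$; only the second spend of the same $C$ does.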
Credential Systems

Credential: a certified list of attributes.

  Example (Driver's License)
    Name         John Smith
    D.O.B.       01/01/1970
    Address      123 Main St.
    Zipcode      61820
    Eye color    Blue
    Hair color   Brown

Digital credentials: an attribute list signed by some authority (e.g., IL Secretary of State)
Privacy issues: reveal all information to demonstrate one attribute.
Anonymous Credentials (aka Private Credentials)

Properties
- Selective Disclosure: can reveal only the attributes necessary. E.g.:
  - Over 21
  - Resident of Illinois
  - Licensed to drive
  - Needs glasses
- Unlinkability: issuing and showing credentials should not be linkable, even with the cooperation of the CA.
Constructions

- e-cash based
- Brands' private credentials
- Camenisch et al.'s anonymous credentials
- Noninteractive Anonymous Credentials
e-cash-based Credentials: Digital Coin as Credential

- Credential issue: Withdraw
- Credential show: Payment
- No double-spending protection
- Credential attribute: denomination

Problems
- Credential showings are linkable to each other
- Effectively, credential = pseudonym
- Limited policy expressivity: conjunction of boolean attributes
- No protection against credential sharing, combining
Brands' Credentials: Private Credentials [Brands, MIT Press, 1990]

- Stefan Brands' Ph.D. thesis
- Constructs a credential with a collection of attributes
- Blinded credential signed by the issuing authority
- Can selectively disclose a subset of (or a formula over) credentials
Brands' Credentials: DLREP

Definition
Create generators $g_1, \ldots, g_l$ for a group of order $q$ in $\mathbb{Z}_p^*$:
  $f(x_1, \ldots, x_l) := g_1^{x_1} \cdots g_l^{x_l} \pmod p$

Proof of Knowledge of a DLREP for $h$
1. Alice creates $w_1, \ldots, w_l \in_R \mathbb{Z}_q^*$ and sends $a = H(g_1^{w_1} \cdots g_l^{w_l})$
2. Bob sends challenge $c$
3. Alice computes $r_i = c \cdot x_i + w_i$
4. Bob checks that $a = H(g_1^{r_1} \cdots g_l^{r_l} h^{-c})$
Brands' Credentials: Fiat-Shamir Heuristic [Fiat, Shamir, Crypto'86]

Given a 3-move ZK protocol:
- Prover: commit to $a$
- Verifier: send challenge $c$
- Prover: reveal $r$ to prove the commitment

Set $c = H(a)$; then $(a, r)$ is a non-interactive ZK proof.
- Needs the random oracle model
- Can be extended to a signature proof of knowledge with $c = H(a, M)$
Brands' Credentials: Approach

Issue Protocol
- Let $g_i = g^{y_i} \bmod p$ and $h_0 = g^{y_0} \bmod p$
- Use a modified DLREP function: $f(\alpha, x_1, \ldots, x_l) = (g_1^{x_1} \cdots g_l^{x_l} h_0)^{\alpha} \bmod p$
- Obtain a restricted blind signature on $h$

Showing Protocol
- Reveal the value of selected attributes
- Prove knowledge of the DLREP for the remaining attributes
- Never reveal $\alpha$
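The DLREP proof of knowledge, its Fiat-Shamir transform with $c = H(a, M)$, and the selective disclosure of the Showing Protocol, as one added example covering the last three slides (not the lecture's or Brands' own code). It goes beyond the slides' single case: the prover may reveal any subset of attributes and proves knowledge of the rest, and the verifier divides the revealed $g_i^{x_i}$ out of $h$ before running the slide's check $a = H(g_1^{r_1} \cdots g_l^{r_l} h^{-c})$. Assumptions: the group is a constructed 63-bit safe-prime group found by a Miller-Rabin search, the generators are hashed-to-squares, all names are this example's own, and the blinding exponent $\alpha$ and the restricted blind signature of the Issue Protocol are left out.

```python
import hashlib
import secrets

L = 3      # number of attributes, l on the slides


def _is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in small:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime(start: int):
    """Smallest q >= start with q and p = 2q + 1 both prime; the squares mod p have order q."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = _safe_prime(1 << 62)      # 63-bit toy group (constructed); real systems use far larger p


def _generator(seed: bytes) -> int:
    """Hash the seed into Z_p^* and square it to land in the order-q subgroup."""
    while True:
        h = int.from_bytes(hashlib.sha256(seed).digest(), "big") % P
        g = pow(h, 2, P)
        if g != 1:
            return g
        seed += b"+"


G = [_generator(b"g%d" % i) for i in range(1, L + 1)]    # g_1 ... g_l


def H(*vals) -> int:
    data = "|".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def dlrep(xs):
    """f(x_1, ..., x_l) = g_1^{x_1} ... g_l^{x_l} mod p"""
    h = 1
    for g, x in zip(G, xs):
        h = h * pow(g, x, P) % P
    return h


def prove(xs, disclose=(), msg=b""):
    """Prover: reveal x_i for i in `disclose`, prove knowledge of the others (Fiat-Shamir)."""
    hidden = [i for i in range(L) if i not in disclose]
    ws = {i: secrets.randbelow(Q - 1) + 1 for i in hidden}    # w_i in Z_q^*
    commit = 1
    for i in hidden:
        commit = commit * pow(G[i], ws[i], P) % P
    a = H(commit)                                   # a = H(prod g_i^{w_i})
    revealed = {i: xs[i] for i in disclose}
    c = H(a, sorted(revealed.items()), msg) % Q     # c = H(a, M): the non-interactive challenge
    rs = {i: (c * xs[i] + ws[i]) % Q for i in hidden}
    return dict(a=a, revealed=revealed, rs=rs)


def verify(h, proof, msg=b""):
    """Verifier: divide the disclosed attributes out of h, then run the DLREP check."""
    a, revealed, rs = proof["a"], proof["revealed"], proof["rs"]
    if set(revealed) | set(rs) != set(range(L)) or set(revealed) & set(rs):
        return False                                # every attribute is either shown or proven
    c = H(a, sorted(revealed.items()), msg) % Q
    h_hidden = h
    for i, x in revealed.items():
        h_hidden = h_hidden * pow(G[i], -x, P) % P  # h / prod_{disclosed} g_i^{x_i}
    lhs = 1
    for i, r in rs.items():
        lhs = lhs * pow(G[i], r, P) % P
    lhs = lhs * pow(h_hidden, -c, P) % P            # prod g_i^{r_i} * h_hidden^{-c}
    return a == H(lhs)
```

Binding the challenge to the revealed values and to $M$ is what turns the proof into a signature proof of knowledge: a transcript produced for one verifier or one message fails verification under any other, and changing a disclosed attribute after the fact changes $c$ and breaks the check.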
Brands' Credentials: Sharing Protection

- Need to know all attributes to prove the DLREP
- Make one attribute something sensitive (e.g., SSN, bank account password)
Brands' Credentials: Issue Protocol

Alice, 1. Pre-compute:
  $\alpha \in_R \mathbb{Z}_q^*$, $\alpha_2, \alpha_3 \in_R \mathbb{Z}_q$
  $h \leftarrow g_1^{x_1} \cdots g_l^{x_l} \bmod p$
  $h' \leftarrow (h_0 h)^{\alpha} \bmod p$
  $\beta \leftarrow g^{\alpha_2} (h_0 h)^{\alpha_3} \bmod p$
CA, 1. Pre-compute:
  $k \in_R \mathbb{Z}_q$, $s \leftarrow g^k \bmod p$
Alice, 2. Send $x_1, \ldots, x_l$ to the CA
CA, 2. Validate attributes
CA, 3. Send $s$ to Alice; the CA also computes $t \leftarrow (y_0 + x_1 y_1 + \cdots + x_l y_l)^{-1} \bmod q$
Alice, 3. Compute $\gamma \leftarrow \beta s \bmod p$
Alice, 4. Compute $u' \leftarrow H(h', \gamma) \bmod q$ and $u \leftarrow u' - \alpha_2 \bmod q$