The Alphabet of ABCs - Greg Alpár (greg.alpar@ou.nl), Open Universiteit - PowerPoint PPT Presentation

  1. The Alphabet of ABCs OUrsi Greg Alpár greg.alpar@ou.nl Open Universiteit & Radboud University April 4, 2017 1 / 22

  2. Outline
  ◮ Motivation: Identity in the digital world
  ◮ Attribute-based credentials and tricks
  ◮ Ongoing and future work

  3. Attribute-based identity management

  4. Motivation: Identity in the digital world

  5. Users: security, privacy, usability
  ◮ Password is often not secure
  ◮ Authentication: always identifying
  ◮ Many types of authentication
  ◮ Mobile devices

  6. Network-based and claim-based identity management
  IRMA Demo (demo.irmacard.org):
  ◮ IRMATube
  ◮ ≥ 18
  ◮ name

  7. Goals
  ◮ Independence between issuing and showing: time and protocol
  ◮ Privacy
  ◮ Credential: security for the system
    ◮ Authenticity
    ◮ Integrity
    ◮ Non-transferability
  ◮ Credential: privacy for the user
    ◮ Issuer unlinkability (blind signature, randomisation)
    ◮ Multi-show unlinkability (randomisation, zero-knowledge proofs)
  ◮ Attribute-based credentials

  8. Attribute-based credentials and tricks

  9. Recap: public-key cryptography
  ◮ Pair: public key, secret key
  ◮ Applications:
    ◮ Encryption: message encryption to the recipient, e.g. RSA enc: $c = m^e \bmod n$, where $n = p \cdot q$
    ◮ Signature: signature verification, e.g. RSA sig: $s = m^{1/e} \bmod n$
    ◮ Authentication: proof of secret key
  ◮ Certificate on the public key (by CA/Issuer)
  ◮ Public-key infrastructure (PKI)
  ◮ Note: public key is an identifier
  ◮ Attribute certificate: $C_{\geq 18} = \mathrm{Sign}(sk_{\mathrm{Auth}}, \text{“Over 18”})$
  ◮ BUT, general privacy problems:
    ◮ Issuer (authority) linkability
    ◮ Multiple showing linkability

  10. Hard problems, i.e. assumptions
  Typically, computational problems are defined in a large finite mathematical structure. (We omit the underlying structures here.)
  ◮ Discrete logarithm: given $g,\ y = g^x$, find $x$
  ◮ RSA: given $e,\ c = m^e$, find $m$
  ◮ Strong RSA: given $c = m^e$, find $m',\ e'$ (with $c = m'^{e'}$)
  ◮ Representation: given $m,\ n,\ c = m^e n^f$, find $e',\ f'$ (with $c = m^{e'} n^{f'}$)

  11. Discrete logarithm – a toy example
  Discrete logarithm: given $g,\ y = g^x$, find $x$.
  The exponents of 23 modulo 29 (the order is $q = 7$):
      x:     0   1   2   3   4   5   6   7  ...
    23^x:    1  23   7  16  20  25  24   1  ...
  Given 23 and 25, the discrete logarithm is 5: $\mathrm{Dlog}_{23}\, 25 = 5$.

  12. A “too simple” proof of knowledge
  How can public-key cryptography be used for authentication?
  ◮ Discrete logarithm: “I know the discrete logarithm $x = \mathrm{Dlog}_g h$.”
    Public: $(\mathbb{G}, q),\ g,\ h = g^x$. Prover's secret: $x$.
    Prover → Verifier: $x$
    Verifier checks: $g^x \stackrel{?}{=} h$
  ◮ “Now you also know the discrete logarithm $\mathrm{Dlog}_g h$.”

  13. A zero-knowledge proof [Schnorr 91]
  ◮ Discrete logarithm: “I know the discrete logarithm $x = \mathrm{Dlog}_g h$.”
  ◮ $PK\{x \mid h = g^x\}$ — Proof of Knowledge
  ◮ Interactive. Public: $g,\ h = g^x$. Prover's secret: $x$.
    (1) Commitment: Prover picks random $w$ and sends $a := g^w$
    (2) Challenge: Verifier picks random $c$ and sends it
    (3) Response: Prover sends $r := c \cdot x + w$; Verifier checks $g^r \cdot h^{-c} \stackrel{?}{=} a$
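The three moves of slide 13 in the toy group of slide 11, as an added example (not the slides' own code). The `extract` function is also added to show the special-soundness property behind the proof: the commitment randomness $w$ must be fresh in every run, otherwise two transcripts reveal $x$.

```python
# Added example (not the slides' code): Schnorr's interactive PK{x | h = g^x} in the
# toy group of slide 11, g = 23 in Z_29^* of prime order q = 7.
import secrets

P, Q, G = 29, 7, 23       # modulus, group order, generator (toy values from the slides)

def dlog_table(g=G, p=P, q=Q):
    """g^0 .. g^q mod p, the exponent table of slide 11."""
    return [pow(g, i, p) for i in range(q + 1)]

def commit(p=P, q=Q, g=G):
    """(1) Prover picks random w and sends the commitment a = g^w."""
    w = secrets.randbelow(q)
    return w, pow(g, w, p)

def challenge(q=Q):
    """(2) Verifier picks and sends a random challenge c."""
    return secrets.randbelow(q)

def respond(x, w, c, q=Q):
    """(3) Prover sends r = c*x + w mod q; x itself never leaves the prover."""
    return (c * x + w) % q

def verify(h, a, c, r, p=P, g=G):
    """Verifier checks g^r * h^(-c) == a (slide 13), written here as g^r == a * h^c."""
    return pow(g, r, p) == a * pow(h, c, p) % p

def run_proof(x, p=P, g=G):
    """One full run of the three-move protocol for secret x; returns the verifier's verdict."""
    h = pow(g, x, p)
    w, a = commit()
    c = challenge()
    return verify(h, a, c, respond(x, w, c))

def extract(c1, r1, c2, r2, q=Q):
    """Special soundness: two accepting transcripts that share a commitment (same w)
    but have different challenges let anyone solve x = (r1 - r2) / (c1 - c2) mod q.
    This is why w must be fresh and random in every run."""
    return (r1 - r2) * pow(c1 - c2, -1, q) % q
```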

  14. Attribute-based credential (ABC)
  Certificate (signature on PK/SK) vs. ABC (signature on a block of messages):
    certificate: $h(PK)^{1/e}$; ABC: $h(PK \| m_1 \| \ldots \| m_\ell)^{1/e}$
    plain signature: $m^{1/e}$; on a block of messages: $h(m_1 \| \ldots \| m_\ell)^{1/e}$
  Problem: e.g. all message components have to be known to check the signature!

  15. Attribute-based credential (ABC) – Attempt 2
  From hashed message blocks, $h(PK)^{1/e}$, $h(PK \| m_1 \| \ldots \| m_\ell)^{1/e}$, $m^{1/e}$, $h(m_1 \| \ldots \| m_\ell)^{1/e}$, to a structured signature:
  Camenisch–Lysyanskaya signature $(A, e, v)$ on $m$: $A = \left(\frac{Z}{S^v R^m}\right)^{1/e}$
  Assumptions: Strong RSA, Representation
  With a user secret and several attributes:
    $A = \left(\frac{Z}{S^v R_{sk}^{sk}}\right)^{1/e}$, and in general $A = \left(\frac{Z}{S^v R_{sk}^{sk} R_1^{m_1} \cdots R_\ell^{m_\ell}}\right)^{1/e}$

  16. CL Signature Randomisation
  Signature (the public key is $Z, S$; “msg” is $R' = R_{sk}^{sk} R_1^{m_1} \cdots R_\ell^{m_\ell}$):
    $(A, e, v)$ where $A = \left(\frac{Z}{S^v \cdot R'}\right)^{1/e}$
  Verification: $Z \stackrel{?}{=} A^e \cdot S^v \cdot R'$
  Randomisation:
  ◮ Select random $r$
  ◮ $\bar{A} := A \cdot S^{-r}$, $\bar{v} := v + er$ ⟹ $(\bar{A}, e, \bar{v})$ is a randomised signature.
  ◮ Indeed: $\bar{A}^e S^{\bar{v}} R' = A^e S^{-er} S^v S^{er} R' = A^e S^v R' = Z$.
  ◮ Can we achieve untraceability with randomisation? What about $e$?

  17. How to hide $e$? – i.e. Multi-show Unlinkability
  ◮ Randomised signature: $(A, e, v)$ with $A^e S^v R_{sk}^{sk} R_1^{m_1} \cdots R_\ell^{m_\ell} = Z$.
  ◮ Representation problem is hard: $Z;\ (A, S, R, R_1, \ldots, R_\ell) \stackrel{?}{\longrightarrow} \text{“}(e, v, sk, m_1, \ldots, m_\ell)\text{”}$
  ◮ So, to prove that she has a signature:
    ◮ U gives $A$ (i.e. a part of the randomised signature) and
    ◮ U proves that she knows the exponents (i.e. a representation):
      $PK\{(e, v, sk, m_1, \ldots, m_\ell) : Z = A^e S^v R_{sk}^{sk} R_1^{m_1} \cdots R_\ell^{m_\ell}\}$.
  But then selective disclosure is easy!

  18. Selective disclosure
  ◮ Zero-knowledge proof about all exponents:
    $PK\{(e, v, sk, m_1, m_2, m_3, \ldots, m_\ell) : Z = A^e S^v R_{sk}^{sk} R_1^{m_1} R_2^{m_2} R_3^{m_3} \cdots R_\ell^{m_\ell}\}$.
  ◮ Disclose some and prove the rest; e.g. U → V: disclose $m_1, m_2$ and prove the remaining exponents.
    Having $m_1, m_2$, V can compute $Z R_1^{-m_1} R_2^{-m_2}$. U proves:
    $PK\{(e, v, sk, m_3, \ldots, m_\ell) : Z R_1^{-m_1} R_2^{-m_2} = A^e S^v R_{sk}^{sk} R_3^{m_3} \cdots R_\ell^{m_\ell}\}$.
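Slides 15 to 18 carried through in code, as an added example that is neither the slides' nor IRMA's code: a toy CL signature is issued, randomised as on slide 16, and then shown with $m_1, m_2$ disclosed and $(e, v, sk, m_3)$ proved as a representation of $Z R_1^{-m_1} R_2^{-m_2}$. The modulus, bases and the choice $e = 65537$ are constructed toy values; the representation proof is a Schnorr-style proof over the integers, which is the assumed technique here since the group order is unknown to the prover.

```python
# Added example (not the slides' or IRMA's code): toy Camenisch-Lysyanskaya credential as on
# slides 15-18. The RSA modulus and bases are small constructed values, far too small for real use.
import secrets

P_, Q_ = 1000003, 1000033                      # issuer's secret primes (constructed)
N, PHI = P_ * Q_, (P_ - 1) * (Q_ - 1)
S, Z = 4, 9                                    # public S, Z as on slide 16
R_SK, R1, R2, R3 = 25, 49, 121, 169            # bases for sk and attributes m1, m2, m3

def multi_exp(bases, exps):
    """prod bases[i]^exps[i] mod N for non-negative integer exponents."""
    out = 1
    for b, x in zip(bases, exps):
        out = out * pow(b, x, N) % N
    return out

def issue(sk, msgs):
    """Issuer: (A, e, v) with A^e S^v R_sk^sk R1^m1 R2^m2 R3^m3 = Z; the e-th root needs phi(N)."""
    e, v = 65537, secrets.randbelow(N)                 # e must be coprime with phi(N)
    rest = multi_exp([S, R_SK, R1, R2, R3], [v, sk, *msgs])
    A = pow(Z * pow(rest, -1, N) % N, pow(e, -1, PHI), N)
    return A, e, v

def verify_sig(sig, sk, msgs):
    A, e, v = sig
    return multi_exp([A, S, R_SK, R1, R2, R3], [e, v, sk, *msgs]) == Z

def randomise(sig):
    """Slide 16: A' = A * S^-r, v' = v + e*r is a fresh-looking signature on the same messages."""
    A, e, v = sig
    r = secrets.randbelow(N)
    return A * pow(S, -r, N) % N, e, v + e * r

def prove_disclosure(sig, sk, msgs):
    """Slide 18: reveal m1, m2; prove knowledge of (e, v, sk, m3) with Z R1^-m1 R2^-m2 =
    A^e S^v R_sk^sk R3^m3. Group order unknown, so w is wide and responses are not reduced."""
    A, e, v = sig
    bases, witness = [A, S, R_SK, R3], [e, v, sk, msgs[2]]
    ws = [secrets.randbelow(N * N) for _ in witness]
    a = multi_exp(bases, ws)                           # (1) commitment
    c = secrets.randbelow(2 ** 32)                     # (2) challenge (interactive toy)
    rs = [w + c * x for w, x in zip(ws, witness)]      # (3) responses over the integers
    return {"A": A, "disclosed": (msgs[0], msgs[1]), "a": a, "c": c, "r": rs}

def verify_disclosure(pf):
    """Verifier recomputes the target from the disclosed attributes and checks the proof."""
    m1, m2 = pf["disclosed"]
    target = Z * pow(R1, -m1, N) * pow(R2, -m2, N) % N
    lhs = multi_exp([pf["A"], S, R_SK, R3], pf["r"])
    return lhs == pf["a"] * pow(target, pf["c"], N) % N
```

Note that `e` is never sent: the verifier only sees the randomised `A` and the responses, which is the point of slide 17.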

  19. Ongoing and future work

  20. Recent research
  1. Revocation: “How to revoke anonymous credentials?”
    ◮ Epoch-based revocation (Lueks et al., Fast Revocation of Attribute-Based Credentials for Both Users and Verifiers, 2016): U's unique $r$ value, $g_{ev} = H(\text{epoch} \| \text{verifier})$
    ◮ $g_0, h_0$: $PK\{r, \ldots \mid h_0 = g_0^r \wedge ABC \ldots\}$
    ◮ $g_1, h_1$: $PK\{r, \ldots \mid h_1 = g_1^r \wedge ABC \ldots\}$
  2. Phone vs smart card: “a phone is convenient but not secure”
    ◮ Secret sharing of the secret key between cloud and phone
    ◮ Computation of proofs without recovering the secret key
    ◮ Implemented; however, yet to be written
  3. RSA is old and big: “use elliptic-curve crypto (ECC)”
    ◮ New scheme: Ringers et al., An efficient self-blindable attribute-based credential scheme, 2017
    ◮ Implementation is on the way

  21. Applications
  1. Attribute-based signature (ABS): “An ABC proof as a signature” (Hampiholi et al., Towards practical Attribute-Based Signatures, 2015)
  2. Airbnb: “A house also has an identity”
  3. Internet of Things: “Control and minimise data collection wherever possible” (Alpár et al., New Directions in IoT Privacy Using Attribute-Based Authentication, 2016)
  4. Webshop: “Why not minimise data at every transaction?”
  Attribute-based identity management → Attribute-based transactions

  22. Thank you
