ABCs in Theory and Practice
RFIDsec 2015, TUTORIAL Gergely Alpár
Radboud, ICIS DS June 23, 2015
Page 1 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Currently we are here...
- Motivating Attributes
- Attribute-based identity management
- Crypto of ABCs
[Pew Research Center, December 2014]
Authentication
- Passwords
  peace than attempt to remember all their passwords” [Harris Interactive, 2012]
- Many accounts at service providers
- Identity management
Problems with Identity Management
- Security
- Privacy
Outline
- Motivating Attributes
- Attribute-based identity management
- Crypto of ABCs
Currently we are here...
- Motivating Attributes
- Attribute-based identity management
- Crypto of ABCs
Identity and Attributes
[FIDIS 2005]
Digital Identity
- Attributes
- Partial identities
- Identifying and non-identifying attributes
- Typical authorisation: Username + authentication + lookup
- Authorisation based on attributes
Identity Management
Attribute-Based Identity Management
Attribute-Based Credential
Issuing and Showing
Currently we are here...
- Motivating Attributes
- Attribute-based identity management
- Crypto of ABCs
Plan for Crypto
- Commitment
- Zero-knowledge proof
- Attribute-based credential (ABC)
- Selective disclosure
Commitment
- (Temporary) secret in a box with a padlock
- ... and a key.
- Phases:
- Examples (related to the DL problem) – secret value $x$:
  1 (mod p). Commit: $h, g, g_1, p$; Opening: $r, x$.
- Computational hiding and perfect binding. OR
- Perfect hiding and computational binding. [Damgård 99]

Problem 3
The exponents of 23 modulo 29 (the order is q = 7):

  i:             0   1   2   3   4   5   6   7  ...
  23^i mod 29:   1  23   7  16  20  25  24   1  ...
Where’s Waldo? – Zero-Knowledge Proof
Where’s Waldo? – Zero-Knowledge Proof
[Naor et al. 99]
Where’s Waldo?
Ali Baba – Zero-Knowledge Proof
[Quisquater et al. 89]
Ali Baba – Zero-Knowledge Proof
Commitment and Challenge
Ali Baba – Zero-Knowledge Proof
Response and Verification
Problems 1, 2
A “Too Simple” Proof
- Let us work in $G$ of order $q$
- Discrete logarithm: “I know the discrete logarithm $x = \log_g h$.”

Public: $G, g, q, h = g^x$. Prover's secret: $x$.
Prover → Verifier: $x$
Verifier checks: $h \stackrel{?}{=} g^x$

- “Now you also know the discrete logarithm $\log_g h$.”
Schnorr’s Proof of Knowledge [Schnorr 91]
- Let us work in $G$ of order $q$
- Discrete logarithm: “I know the discrete logarithm $x = \log_g h$.”
- $PK\{\chi \mid h = g^{\chi}\}$—Proof of Knowledge
- Interactive

Public: $G, g, q, h = g^x$. Prover's secret: $x$.
(1) Commitment. Prover: $w \in_R \mathbb{Z}_q$, $a := g^w$. Prover → Verifier: $a$
(2) Challenge. Verifier: $c \in_R \{0, 1\}$. Verifier → Prover: $c$
(3) Response. Prover: $r := c \cdot x + w \pmod q$. Prover → Verifier: $r$
Verifier checks: $a \stackrel{?}{=} g^r \cdot h^{-c}$
Simulated Communication
- Let us work in $G$ of order $q$
- “I seem to know the discrete logarithm $\log_g h$.”
- Simulated conversation: transcript
- Choose $c \in_R \{0, 1\}$, $r \in_R \mathbb{Z}_q^*$ and set $a := g^r \cdot h^{-c}$

Transcript and verification: $(a, c, r)$, $a \stackrel{?}{=} g^r \cdot h^{-c}$
Schnorr’s Proof of Knowledge [Schnorr 91]
- Let us work in $G$ of order $q$
- Discrete logarithm: “I know the discrete logarithm $\log_g h$.”
- $PK\{\chi \mid h = g^{\chi}\}$—Proof of Knowledge
- Interactive

Public: $G, g, q, h = g^x$. Prover's secret: $x$.
(1) Commitment. Prover: $w \in_R \mathbb{Z}_q$, $a := g^w$. Prover → Verifier: $a$
(2) Challenge. Verifier: $c \in_R [0, 2^{128} - 1]$. Verifier → Prover: $c$
(3) Response. Prover: $r := c \cdot x + w \pmod q$. Prover → Verifier: $r$
Verifier checks: $a \stackrel{?}{=} g^r \cdot h^{-c}$
Schnorr Signature, i.e. Schnorr with Fiat–Shamir [FS 86]
- Discrete logarithm: “I know the discrete logarithm $\log_g h$.”
- Non-interactive: $SPK\{\chi \mid h = g^{\chi}\}(n)$

Public: $G, g, q, h = g^x, H$. Prover's secret: $x$.
Verifier: $n \in_R \mathbb{Z}_q$. Verifier → Prover: $n$
Prover: $w \in_R \mathbb{Z}_q$, $a := g^w$, $c := H(a, n)$, $r := c \cdot x + w \pmod q$. Prover → Verifier: $a, r$
Verifier checks: $a \stackrel{?}{=} g^r \cdot h^{-H(a,n)}$
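The Schnorr variants above (interactive proof, simulated transcript, Fiat–Shamir signature) in one added example that is not part of the original slides. It uses the toy group from Problem 3 (g = 23 of order q = 7 modulo p = 29); the function names and the SHA-256 encoding of H(a, n) are assumptions. `extract` shows why two accepted responses to one commitment reveal x, which is what makes it a proof of knowledge and why w must never be reused.

```python
import hashlib
import secrets

# Toy group from the tutorial's Problem 3: g = 23 has order q = 7 modulo p = 29.
P, Q, G = 29, 7, 23

def commit(w=None):
    """Step (1): prover picks w in Z_q and sends a = g^w."""
    w = secrets.randbelow(Q) if w is None else w
    return w, pow(G, w, P)

def respond(x, w, c):
    """Step (3): r = c*x + w (mod q)."""
    return (c * x + w) % Q

def verify(h, a, c, r):
    """Verifier's check a == g^r * h^(-c) (mod p)."""
    return a == pow(G, r, P) * pow(h, -c, P) % P

def simulate(h, c=None, r=None):
    """Transcript (a, c, r) built backwards from (c, r), without knowing x."""
    c = secrets.randbelow(Q) if c is None else c
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, r, P) * pow(h, -c, P) % P, c, r

def fs_challenge(a, n):
    """Fiat-Shamir: c = H(a, n), reduced into Z_q (encoding is an assumption)."""
    digest = hashlib.sha256(f"{a}|{n}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def sign(x, n, w=None):
    """Non-interactive proof on nonce n: returns (a, r)."""
    w, a = commit(w)
    return a, respond(x, w, fs_challenge(a, n))

def verify_signature(h, n, a, r):
    return verify(h, a, fs_challenge(a, n), r)

def extract(c1, r1, c2, r2):
    """Two responses to the same a give x = (r1 - r2) / (c1 - c2) mod q."""
    return (r1 - r2) * pow((c1 - c2) % Q, -1, Q) % Q
```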
How to Design ABCs? – In Three Simple Steps
Step 1: Take a commitment scheme
Step 2: Generalise it to multiple values
Step 3: Sign the extended commitment
Step +1: Apply zero-knowledge proofs here and there
Hard Problems
- Discrete logarithm
- RSA
- Strong RSA
Idemix ABC – Based on CL Signature
- Camenisch–Lysyanskaya (CL) signature [CL 01, CL 02]
- Strong RSA assumption [BP 97, FO 97]
  ⇒ Taking the $e$th root is hard
  ⇒ DL is hard
- Group $QR_n$:
  n
- Notation:
- Let’s “design” Idemix’s ABCs
Step 1: Commitment
Take a commitment scheme – Pedersen on $a_1$:
$$R^{a} \cdot R_1^{a_1}$$
where $a$ is random.
Step 2: Generalisation
Extend it to multiple values – generalise Pedersen on $(a_1, \ldots, a_L)$:
$$R^{a} \cdot \underbrace{R_1^{a_1} \cdot \ldots \cdot R_L^{a_L}}_{\prod_{i=1}^{L} R_i^{a_i}}$$
where $a$ is random.
Step 3: Signature
Sign the extended commitment – CL on attributes $a_1, \ldots, a_L$:
$$A := \left( \frac{Z}{S^{v} \cdot R^{a} \cdot \prod_{i=1}^{L} R_i^{a_i}} \right)^{1/e} \pmod n$$
where $(a)$, $v$, $e$ are random.
CL Signature: Idemix ABCs
$(A, e, v)$ where
$$A \equiv \left( \frac{Z}{S^{v} \cdot R^{a} \cdot \prod_{i=1}^{L} R_i^{a_i}} \right)^{1/e} \pmod n$$
- Commitment
- CL Signature
- Issuing: blind signature (zero-knowledge proof)
Issuing and Showing
CL Signature: Verification
Signature: $(A, e, v)$ where
$$A \equiv \left( \frac{Z}{S^{v} \cdot R^{a} \cdot \prod_{i=1}^{L} R_i^{a_i}} \right)^{1/e} \pmod n$$
- Public key: $n, Z, S, R, R_1, \ldots, R_L$
- Attributes (block of messages): $(a), a_1, \ldots, a_L$
- Verification:
$$Z \stackrel{?}{\equiv} A^{e} \cdot S^{v} \cdot \underbrace{R^{a} \cdot \prod_{i=1}^{L} R_i^{a_i}}_{R'} \pmod n$$
- IdP → U; U → V
CL Signature Randomisation
Signature: $(A, e, v)$ where
$$A \equiv \left( \frac{Z}{S^{v} \cdot R'} \right)^{1/e} \pmod n$$
- Select random $r$
- $\bar{A} := A \cdot S^{-r} \pmod n$, $\bar{v} := v + e r$
  Problem 6 (Hint: The verification is $Z \stackrel{?}{\equiv} A^{e} \cdot S^{v} \cdot R' \pmod n$)
- Indeed, $(\bar{A}, e, \bar{v})$ is valid:
$$\bar{A}^{e} S^{\bar{v}} R' \equiv A^{e} S^{-er} S^{v} S^{er} R' \equiv A^{e} S^{v} R' \equiv Z \pmod n.$$
- Can we achieve untraceability with randomisation?
How to hide e? – i.e. Multi-show Unlinkability
- Randomised signature: $(\bar{A}, e, \bar{v})$
$$\bar{A}^{e} S^{\bar{v}} \cdot R^{a} \cdot \prod_{i=1}^{L} R_i^{a_i} \equiv Z \pmod n.$$
- Representation problem is hard: $n$; $Z$; $(\bar{A}, S, R, R_1, \ldots, R_L)$ $\stackrel{?}{\longrightarrow}$ “$(e, \bar{v}, a, a_1, \ldots, a_L)$”
- So, to prove that she has a signature:
$$PK\{(\varepsilon, \nu, \alpha, \alpha_1, \ldots, \alpha_L) : Z \equiv \bar{A}^{\varepsilon} S^{\nu} R^{\alpha} \prod_{i=1}^{L} R_i^{\alpha_i} \pmod n\}.$$
Selective disclosure
- Zero-knowledge proof about all exponents:
$$PK\{(\varepsilon, \nu, \alpha, \alpha_1, \ldots, \alpha_L) : Z \equiv \bar{A}^{\varepsilon} S^{\nu} R^{\alpha} \prod_{i=1}^{L} R_i^{\alpha_i} \pmod n\}.$$
- Disclose some and prove the rest; e.g.: U → V, disclose $a_1, a_2$ and prove:
$$PK\{(\varepsilon, \nu, \alpha, \alpha_3, \ldots, \alpha_L) : Z \cdot R_1^{-a_1} \cdot R_2^{-a_2} \equiv \bar{A}^{\varepsilon} S^{\nu} R^{\alpha} \prod_{i=3}^{L} R_i^{\alpha_i} \pmod n\}.$$
Generalise: Problem 7
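Issuing, verification, randomisation and selective disclosure from the slides above, put together as an added example for L = 3 attributes (not from the original slides, and not Idemix code). The tiny safe primes, the fixed exponents behind Z, R, R1..R3, the function names and the SHA-256 challenge are constructed assumptions; the proof discloses a1, a2 and hides e, v, a, a3.

```python
import hashlib
import secrets
from math import prod

# Constructed toy key: n = (2p'+1)(2q'+1) with safe primes, far too small for real use.
PP, QP = 1019, 1031
N = (2 * PP + 1) * (2 * QP + 1)
S = 4                                    # a square, so it lies in QR_n
Z, R, R1, R2, R3 = (pow(S, k, N) for k in (101, 211, 307, 401, 503))
E = 65537                                # prime e, coprime to p'q'

def rep(bases, exps):
    """Product of bases[i]^exps[i] mod n."""
    return prod(pow(b, x, N) for b, x in zip(bases, exps)) % N

def issue(a, attrs, v):
    """Issuer (knows p', q'): A = (Z / (S^v R^a prod R_i^a_i))^(1/e) mod n."""
    d = pow(E, -1, PP * QP)              # 1/e modulo the order of QR_n
    return pow(Z * pow(rep([S, R, R1, R2, R3], [v, a, *attrs]), -1, N), d, N)

def verify(A, e, v, a, attrs):
    """Z == A^e S^v R^a prod R_i^a_i (mod n)."""
    return Z == rep([A, S, R, R1, R2, R3], [e, v, a, *attrs])

def randomise(A, v, r):
    """A' = A * S^(-r), v' = v + e*r: same attributes, different-looking (A', v')."""
    return A * pow(S, -r, N) % N, v + E * r

def challenge(*vals):
    return int.from_bytes(hashlib.sha256(repr(vals).encode()).digest()[:8], "big")

def show(A, v, a, attrs, nonce):
    """Disclose a1, a2; prove knowledge of (e, v, a, a3) with integer responses."""
    secret, bases = [E, v, a, attrs[2]], [A, S, R, R3]
    t = [secrets.randbits(256) for _ in secret]      # random masks
    T = rep(bases, t)                                # commitment
    c = challenge(T, A, *attrs[:2], nonce)
    return list(attrs[:2]), T, [ti + c * si for ti, si in zip(t, secret)]

def check(A, disclosed, T, resp, nonce):
    """Verifier: T == A^s_e S^s_v R^s_a R3^s_a3 * (Z R1^-a1 R2^-a2)^(-c) (mod n)."""
    lhs = Z * pow(R1, -disclosed[0], N) * pow(R2, -disclosed[1], N) % N
    c = challenge(T, A, *disclosed, nonce)
    return T == rep([A, S, R, R3], resp) * pow(lhs, -c, N) % N
```

The responses are computed over the integers because the prover does not know the order of $QR_n$; the size checks a real verifier applies to the responses are left out here.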
In Sum: ABCs are Powerful!
- Security
- Privacy
- Techniques and their smart-card implementations