anonymous credentials
play

Anonymous Credentials: How to show credentials without compromising - PowerPoint PPT Presentation

Jul 23, 2023 •164 likes •659 views

Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research Credentials: Motivation ID cards Sometimes used for other uses E.g. prove youre over 21, or verify your address

  1. Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research

  2. Credentials: Motivation • ID cards – Sometimes used for other uses • E.g. prove you’re over 21, or verify your address – Don’t necessarily need to reveal all of your information – Don’t necessarily want issuer of ID to track all of it’s uses – How can we get the functionality/verifiability of an physical id in electronic form without extra privacy loss

  3. Credentials: Motivation • The goal – Users should be able to • obtain credentials • Show some properties – Without • Revealing additional information • Allowing tracking

  4. Credentials: Motivation • Other applications – Transit tokens/passes – Electronic currency – Online polling • Implementations – Idemix (IBM), UProve (Microsoft)

  5. Credentials Organization Service Org says Name Alice Alice Address Birthdate Org says Birthplace Name Alice Citizenship Address … Birthdate Birthplace Citizenship …

  6. Credentials Organization Service Org says Name Alice Alice Address Birthdate Org says Birthplace Name Alice Citizenship Address … Birthdate Birthplace Citizenship … Reveals a lot of info on Alice!

  7. A new model Anonymous Credentials/Minimal Disclosure Tokens *Chaum83, …+ Organization Service “I have a cred from Org saying Alice WA resident Age >21” Cred from Org Name Alice Address Reveals only what Alice Birthdate chooses to reveal Birthplace Citizenship Need not reveal her name … (Need Accountability)

  8. A new model Anonymous Credentials/Minimal Disclosure Tokens *Chaum83, …+ Organization Service “I have a cred from Org saying Alice WA resident • Cannot Age >18” Cred from Org • Identify Alice Name Alice (if her name is not provided) Address • Learn anything beyond Birthdate the info she gives Birthplace (and what can be inferred) Citizenship • Distinguish two users … with the same attributes • Link multiple uses of the same credentials

  9. How can we do this? • Signatures/Certs? – No privacy! • What about other crypto tools? • We will use – Zero Knowledge Proof of knowledge • (interactive or Fiat-Shamir) – Commitments – Blind signatures

  10. Roadmap • Review crypto tools • Construct basic credential systems • Additional issues – Revocation – Deciding who to revoke • Additional features – Non-interactive credentials/signatures – Delegation • Conclusion

  11. Zero Knowledge Proofs Statement X Alice Service Knows X is true X is true OR Alice is cheating Alice wants to convince service that statement X is true, Without revealing any other information

  12. Zero Knowledge Proofs “I have signature from Org on message m such that …. Alice Service X is true OR Alice is cheating Alice wants to convince service that she has such a signature Without revealing any other information Fiat Shamir: get challenge from hash function

  13. Commitments • Like locked box or safe • Hiding – hard to tell which message is committed to • Binding – there is a unique message corresponding to each commitment Msg Msg , Msg E.g. Pederson Commitment: C = g m h r

  14. Blind signatures Message: m Signing key: sk Verification key: pk Signature under pk on m Alice learns only signature on her message. Signer learns nothing.

  15. Blind signatures Msg Message: m Signing key: sk Verification key: pk Sign(sk, ) Msg Signature under pk on m Alice learns only signature on her message. Signer learns nothing.

  16. How it works (abstractly) Anonymous Credentials/Minimal Disclosure Tokens • Prevents impersonation • Tie multiple creds to one user secret Organization Service “I have a cred from Org saying Alice WA resident Age >21” Cred from Org Name Alice Address Birthdate Birthplace Citizenship …

  17. How it works Anonymous Credentials/Minimal Disclosure Tokens secret Organization Service Prove “I have a cred from Alice Org saying • Need to generate WA resident Signature from Org signature without Org Age >21” learning secret secret Name Alice Address Birthdate Birthplace Citizenship …

  18. How it works Anonymous Credentials/Minimal Disclosure Tokens secret Organization Service Prove “I have sig from Org Alice * @@@, WA Signature from Org #>21 secret Name Alice How can we Address “prove” this Birthdate without revealing Birthplace • secret Citizenship … • rest of message • signature

  19. How it works Anonymous Credentials/Minimal Disclosure Tokens secret Organization Service Zero Knowledge Proof “I have sig from Org Alice * @@@, WA Signature from Org #>21 secret Name Alice Proof does not Address reveal Birthdate • secret Birthplace • rest of message Citizenship • signature …

  20. Is this practical? • Depends on how we implement proofs and blind signatures • Two main approaches: – RSA type signatures [CL02] • Based on strong version of RSA assumption • Idemix (IBM) – DSA type signatures [Brands 99] • Based on discrete logarithm problem (more or less) • UProve (Microsoft) – Also third type based on elliptic curves with pairings [BCKL08] • Less efficient • Allows for extra features

  21. Is this practical? • Key tool: Proof of knowledge of discrete log – Given Y, g, prove “I know x such that Y = g x ” – Generalized: • Given Y, g, h, prove “I know x, z such that Y = g x h z ” • Given Y, W, g , h, prove “I know x such that Y = g x and Z = h x ” • Prove arithmetic relationships • Prove that values are not equal • ….. – Prove statements about commitments, signatures, encryptions, etc.

  22. Is this practical? I know x such that Y = g x A = g r Alice Service c Knows X is true z = r + cx Check if AY c = g z Alice wants to convince service that she knows x, Without revealing any other information

  23. Is this practical? • Key tool: Proof of knowledge of discrete log – Given Y, g, prove “I know x such that Y = g x ” – Generalized: • Given Y, g, h, prove “I know x, z such that Y = g x h z ” • Given Y, W, g , h, prove “I know x such that Y = g x and Z = h x ” • Prove arithmetic relationships • Prove that values are not equal • ….. – Prove statements about commitments, signatures, encryptions, etc.

  24. Roadmap • Review crypto tools • Construct basic credential systems • Additional issues – Revocation – Deciding who to revoke • Additional features – Non-interactive credentials/signatures – Delegation • Conclusion

  25. Credentials • Now we have an anonymous credential system. What other issues come up? • What about misuse of credentials? – If everyone is completely anonymous, how do we deal with misuse of privileges? – Can we revoke credentials? – Can we even tell whose credential to revoke?

  26. Credential Revocation • Expiration dates – Can be embedded in anonymous credentials – prove that expiration date > current date • CRL (Certificate Revocation List) – List of all revoked certificates – Verifier can check that presented cert is not on list – Anonymous CRLs? : How to check that the credential is not on the revoked list without compromising privacy?

  27. Anonymous CRLs • Option 1: – Verifier gives Alice CRL – Alice proves that her credential is not on the list (for each value on the list, prove that her value is different) • Option 2: – We can do this more concisely using accumulators – Issuer publishes accumulator – single value that encapsulates all revoked credentials (or all good credentials) – Users, given updates to CRL (or list of all good credentials), can give short proof they are not on CRL (or they are on whitelist).

  28. How do we deal with misuse of privileges? (How do we tell who to revoke?) • Depends how we define misuse: – Simple type: reused one-use token • Tried to vote twice in a poll • Tried to spend transit token twice – More complex scenarios • Trust a judge to determine misuse

  29. How do we deal with misuse of privileges? One-Time/Limited Use Credentials • Credentials meant to be used only once (or fixed number of times) – Subway tokens – Electronic currency (e-cash) – Movie tickets – Access passes for online service • Service records “serial number” on every token used • As long as each token is only used once – user is anonymous – multiple tokens used by the same user are unlinkable • If token is used twice, identity of user is revealed. • Previous work *Chaum83, CFN90,… CHL05,… BCKL09+

  30. How do we deal with misuse of privileges? One-Time/Limited Use Credentials • Anything digital can be copied! • Why can’t Alice just copy her credential, and give one copy to Bob and the other to Carol? – Efficient Solution: offline e-cash [CFN90] • Cred includes (T, Id) unknown to Org – Id: the identifying info for the user – T: the slope of a line with f(0)=Id (0,Id) • When cred is used it includes (R, D): – R: transaction information (station name, timestamp, etc) – D: Doublespending tag (f(R)). (R, D) » (R,D) and (R’,D’) gives Id

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Survey on Untransferable Anonymous Credentials 1 Sebastian Pape, Databases and Interactive

A Survey on Untransferable Anonymous Credentials 1 Sebastian Pape, Databases and Interactive

FIDIS / IFIP Summerschool Workshop 2: Privacy Issues Sebastian Pape A Survey on Untransferable Anonymous Credentials 1 Sebastian Pape, Databases and Interactive Systems Research Group Overview Anonymous Credentials Approaches to

382 views • 23 slides
Sebastian Pape Templateless Biometric-Enforced Non-Transferability of Anonymous Credentials 1

Sebastian Pape Templateless Biometric-Enforced Non-Transferability of Anonymous Credentials 1

Kryptowochenende 2008 Sebastian Pape Templateless Biometric-Enforced Non-Transferability of Anonymous Credentials 1 Sebastian Pape, Databases and Interactive Systems Research Group Overview Motivation Anonymous Credentials

268 views • 16 slides
ECash and Anonymous Credentials CS/ECE 598MAN: Applied Cryptography Nikita Borisov November 9,

ECash and Anonymous Credentials CS/ECE 598MAN: Applied Cryptography Nikita Borisov November 9,

E-cash Anonymous Credentials Compact E-cash ECash and Anonymous Credentials CS/ECE 598MAN: Applied Cryptography Nikita Borisov November 9, 2009 E-cash Anonymous Credentials Compact E-cash E-cash 1 Chaums E-cash Offline E-cash

539 views • 40 slides
Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work

Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work

Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work with Ben Kreuter, Tancrde Lepoint, Mariana Raykova ia.cr/2020/072 1 Definition Anonymous tokens are lightweight, single-use anonymous credentials.

657 views • 61 slides
Cinderella: Turning Shabby X.509 Certificates into Elegant Anonymous Credentials with the Magic

Cinderella: Turning Shabby X.509 Certificates into Elegant Anonymous Credentials with the Magic

Cinderella: Turning Shabby X.509 Certificates into Elegant Anonymous Credentials with the Magic of Verifiable Computation Antoine Delignat-Lavaud Cdric Fournet, Markulf Kohlweiss, Bryan Parno X.509 V.C. The X.509 Public Key Infrastructure

647 views • 27 slides
Efficient Redactable Signature and Application to Anonymous Credentials Olivier Sanders Orange

Efficient Redactable Signature and Application to Anonymous Credentials Olivier Sanders Orange

Efficient Redactable Signature and Application to Anonymous Credentials Olivier Sanders Orange Labs PKC 2020 Context PKC 2020 p 2 Digital Signature Digital signature can be used to authenticate digital data ... Name Birthdate Address

437 views • 33 slides
Pseudonym Systems Anja Lehmann IBM Research Zurich ROADMAP Anonymous onymous Credentia

Pseudonym Systems Anja Lehmann IBM Research Zurich ROADMAP Anonymous onymous Credentia

Privacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems Anja Lehmann IBM Research Zurich ROADMAP Anonymous onymous Credentia edentials ls privac ivacy-pres preservin rving (use ser) r) authe hentic

592 views • 32 slides
CREDENTIALS STUDENT RECORD SERVICES TUTORIAL WHAT ARE CREDENTIALS ? 01 credentials ( noun )

CREDENTIALS STUDENT RECORD SERVICES TUTORIAL WHAT ARE CREDENTIALS ? 01 credentials ( noun )

CREDENTIALS STUDENT RECORD SERVICES TUTORIAL WHAT ARE CREDENTIALS ? 01 credentials ( noun ) reference materials used to support applications for employment or graduate study BENEFITS OF CREATING A FILE Compile all of your resources in the Career

677 views • 21 slides
Richard Orsini Forensic Document Examiner For Credentials: www.richardorsini.com Services

Richard Orsini Forensic Document Examiner For Credentials: www.richardorsini.com Services

Richard Orsini Forensic Document Examiner For Credentials: www.richardorsini.com Services Forgery detection Anonymous writings Handwriting authentication Altered & obliterated documents Identity theft prevention

930 views • 65 slides
Anonymous classes Polymorphism Anonymous classes motivation You probably have many buttons

Anonymous classes Polymorphism Anonymous classes motivation You probably have many buttons

Two cool ideas: Anonymous classes Polymorphism Anonymous classes motivation You probably have many buttons and/or menu items in your VectorGraphics project Three approaches for responding to the events from selecting those buttons /

406 views • 6 slides
12-STEP PROGRAMS Alcoholics Anonymous The Preamble Alcoholics Anonymous is a fellowship

12-STEP PROGRAMS Alcoholics Anonymous The Preamble Alcoholics Anonymous is a fellowship

12-STEP PROGRAMS Alcoholics Anonymous The Preamble Alcoholics Anonymous is a fellowship of men and women who share their experience, strength and hope with each other that they may solve their common problem and help others to recover

1.11k views • 76 slides
CREDENTIALING AND PRIVILEGING CVOs Credentials Verification Organizations Organization may

CREDENTIALING AND PRIVILEGING CVOs Credentials Verification Organizations Organization may

CREDENTIALING AND PRIVILEGING CVOs Credentials Verification Organizations Organization may elect to rely on a Credentials Verification Organization (CVO) to conduct primary source verification of an applicants credentials. * Prior to

467 views • 21 slides
Cocaine Anonymous A Presentation to Professionals Presentation Contents Our Aims Today The

Cocaine Anonymous A Presentation to Professionals Presentation Contents Our Aims Today The

Cocaine Anonymous A Presentation to Professionals Presentation Contents Our Aims Today The CA Group Cocaine Anonymous Is The 12 Steps Cocaine Anonymous Is Not Spirituality History of Cocaine Anonymous Sponsorship

700 views • 37 slides
Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and

Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and

Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and Dan Boneh and Kenny Paterson USENIX Security Symposium Meet Alice the Anonymous Activist Blogger PK A anonymous 2 Alices Lack of Privacy Send

395 views • 21 slides
Task Computability in Unreliable Anonymous Networks Nayuta Yanagisawa DeNA Co., Ltd. Petr

Task Computability in Unreliable Anonymous Networks Nayuta Yanagisawa DeNA Co., Ltd. Petr

Task Computability in Unreliable Anonymous Networks Nayuta Yanagisawa DeNA Co., Ltd. Petr Kuznetsov Telecom ParisTech I am here to talk about ... the computability issues of failure-prone anonymous broadcast models. Anonymous Model

660 views • 21 slides
THE SECULAR COMING OF AGE INSIDE ALCOHOLICS ANONYMOUS In the 1939 book, Alcoholics Anonymous ,

THE SECULAR COMING OF AGE INSIDE ALCOHOLICS ANONYMOUS In the 1939 book, Alcoholics Anonymous ,

THE SECULAR COMING OF AGE INSIDE ALCOHOLICS ANONYMOUS In the 1939 book, Alcoholics Anonymous , the concept, God as you understand Him including everyone. In 2017 not so much How Many Atheists are there? (last updated May 31,

400 views • 21 slides
Signature-based algorithms for computing Grbner bases over Principal Ideal Domains Maria Francis

Signature-based algorithms for computing Grbner bases over Principal Ideal Domains Maria Francis

Signature-based algorithms for computing Grbner bases over Principal Ideal Domains Maria Francis 1 , Thibaut Verron 2 1. Indian Institute of Technology Hyderabad, Hyderabad, India 2. Institute for Algebra, Johannes Kepler University, Linz,

703 views • 48 slides
Improving Stateless Hash-Based Signatures CT-RSA 2018 Jean-Philippe Aumasson 1 , Guillaume

Improving Stateless Hash-Based Signatures CT-RSA 2018 Jean-Philippe Aumasson 1 , Guillaume

Improving Stateless Hash-Based Signatures CT-RSA 2018 Jean-Philippe Aumasson 1 , Guillaume Endignoux 2 Wednesday 18 th April, 2018 1 Kudelski Security 2 Work done while at Kudelski Security and EPFL 1 Hash-based signatures What are hash-based

370 views • 36 slides
THE MOD 8 SIGNATURE OF A SURFACE BUNDLE Andrew Ranicki Report on a joint project with Dave

THE MOD 8 SIGNATURE OF A SURFACE BUNDLE Andrew Ranicki Report on a joint project with Dave

1 THE MOD 8 SIGNATURE OF A SURFACE BUNDLE Andrew Ranicki Report on a joint project with Dave Benson, Caterina Campagnolo and Carmen Rovi http://www.maths.ed.ac.uk/aar/ University of Edinburgh Dedicated to the memory of Fritz Hirzebruch on

835 views • 19 slides
Announcements Homework 1 Due today 11:59pm Submit through GradeScope in PDF Midterm

Announcements Homework 1 Due today 11:59pm Submit through GradeScope in PDF Midterm

Announcements Homework 1 Due today 11:59pm Submit through GradeScope in PDF Midterm exam Next Thursday , in class (2-3:20pm) 1 Lecture 8 Public Key Cryptography II: Signatures (contd) + Identification [lecture slides are

405 views • 28 slides
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is unalterable. 5. Signature cannot be

478 views • 24 slides
Power Signatures of High- Performance Computing Workloads Jacob Combs Chung-Hsing Hsu Jolie

Power Signatures of High- Performance Computing Workloads Jacob Combs Chung-Hsing Hsu Jolie

Power Signatures of High- Performance Computing Workloads Jacob Combs Chung-Hsing Hsu Jolie Nazor Stephen W. Poole Rachelle Thysell Fabian Santiago Matthew Hardwick Lowell Olson Suzanne Rivoire Motivation Job scheduling as a Tetris

713 views • 27 slides
Bayesian Learning from Sequential Data using Gaussian Processes with Signature Covariances Csaba

Bayesian Learning from Sequential Data using Gaussian Processes with Signature Covariances Csaba

Bayesian Learning from Sequential Data using Gaussian Processes with Signature Covariances Csaba Toth Joint work with Harald Oberhauser Mathematical Institute, University of Oxford International Conference on Machine Learning, July 2020

292 views • 26 slides
Preview question Which of the following would have to be completely abandoned if scalable quantum

Preview question Which of the following would have to be completely abandoned if scalable quantum

Preview question Which of the following would have to be completely abandoned if scalable quantum computers become widely available? CSci 5271 A. one-time pads Introduction to Computer Security Crypto and protocols combined slides B. RSA

674 views • 9 slides

More recommend