Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens - PowerPoint PPT Presentation

Anonymous Tokens Michele Orrù ia.cr/2020/072 1

Anonymous Tokens Michele Orrù joint work with Ben Kreuter, Tancrède Lepoint, Mariana Raykova ia.cr/2020/072 1

Definition Anonymous tokens are lightweight, single-use anonymous credentials. 2

Definition Anonymous tokens are lightweight, single-use anonymous credentials. … we focus on secret-key tokens with a private metadata bit. 2

The Problem 3

CloudFlare's story Website protection. [Tor User] [CloudFlare [CDN] ] request request U I W response response / no 4 Privacy Pass: Bypassing Internet Challenges Anonymously. [PETS'18]

CloudFlare's story Website protection. [Tor User] [CloudFlare [CDN] ] request request challenge U I W solution? response response / no 4 Privacy Pass: Bypassing Internet Challenges Anonymously. [PETS'18]

CloudFlare's story Website protection. [Tor User] [CloudFlare [CDN] ] request request CAPTCHA, CAPTCHA, CAPTCHA U I W solution? response response / no 5 Privacy Pass: Bypassing Internet Challenges Anonymously. [PETS'18]

6 Art credits: Marie Gutbub. [source]

CloudFlare's story Website protection. [Tor User] [CloudFlare [CDN] ] request request challenge challenge U I W solution? response + tokens / no response 7 Privacy Pass: Bypassing Internet Challenges Anonymously. [PETS'18]

CloudFlare's story Website protection. [Tor User] [CloudFlare [CDN] ] request, token request U I W response / no response 8 Privacy Pass: Bypassing Internet Challenges Anonymously. [PETS'18]

Other stories Micro payments. 9 Challenge bypass on the Ristretto group [Github]

Other stories Fraud prevention. 10 Fighting fraud using partially blind signatures. [Facebook Engeneering Blog]

Other stories Deprecating 3rd party cookies. 11 Building a more private web: A path towards making third party cookies obsolete . [ Chromium Blog ]

Private medatada token? I 𝒝 ✗ 12

Private medatada token? σ ( b ) I … request, σ ( b ) 𝒝 b 13

The (formal) problem Issuance protocol: σ ← ⟨ U ( pp , t ), I ( sk , b )⟩ Redemption algorithm: {0, 1, ⊥} ← V ( sk , t , σ ) 14

Security notions Unlinkability U 1 U 2 𝒝 ⋮ U n 15

Security notions Unlinkability U 1 ( t , σ ) i i U 2 𝒝 i ⋮ U n 15

Security notions Unlinkability One-more unforgeability I ℓ+1 ( t , σ ) i i =1 i 𝒝 16

Security notions Unlinkability One-more unforgeability I (1) ⋮ (ℓ) ℓ+1 ( t , σ ) i i =1 i 𝒝 16

Security Notions Unnlinkability One-more unforgeability Privacy of the metadata bit I ( sk , b =0) I ( sk , b =1) ind. ≡ 17

Standardization W3C: Trust Token API 1 fetch('https://iacr.org/.well-known/trust-token', { 2 trustToken: { 3 type: 'token-request', 4 issuer: 'ens.fr' 5 } 6 }); [Example derived from the original proposal .] 18

Standardization W3C: Trust Token API 1 fetch('https://iacr.org/.well-known/trust-token', { 2 trustToken: { 3 type: 'token-request', 4 issuer: 'ens.fr' 5 } 6 }); 1 fetch('https://eprint.iacr.org/2020/072.pdf', { 2 trustToken: { 3 type: 'raw-token-redemption', 4 issuer: 'ens.fr' 5 } 6 }); [Example derived from the original proposal .] 18

Standardization W3C: Trust Token API IETF: Privacy Pass draft 1 fetch('https://iacr.org/.well-known/trust-token', { 2 trustToken: { 1. Introduction 3 type: 'token-request', In some situations, it may only be necessary to check that a clien 4 issuer: 'ens.fr' has been previously authorized by a service; without learning any 5 } other information. Such lightweight authorization mechanisms can 6 }); useful in quickly assessing the reputation of a client in latency- sensitive communication. 1 fetch('https://eprint.iacr.org/2020/072.pdf', { 2 trustToken: { 3 type: 'raw-token-redemption', 4 issuer: 'ens.fr' 5 } 6 }); [Example derived from the original proposal .] [Draft version 00 ] 18

Our contribution 19

Our contribution Formalization of Anonymous Tokens; 19

Our contribution Formalization of Anonymous Tokens; Private Medatada extension; 19

Our contribution Formalization of Anonymous Tokens; Private Medatada extension; New techniques for removal of zk proofs. 19

Our contribution Formalization of Anonymous Tokens; Private Medatada extension; New techniques for removal of zk proofs. 19

Our contribution Formalization of Anonymous Tokens; Private Medatada extension; New techniques for removal of zk proofs. 19

Related works 20

Related works Anonymous Credentials 20

Related works Anonymous Credentials Algebraic MACs 20

Related works Anonymous Credentials Algebraic MACs Blind Singatures 20

Privacy Pass Issuer User 21

Privacy Pass Issuer User Γ := ( p , G , G ) X = xG 21

Privacy Pass Issuer User Γ := ( p , G , G ) X = xG r ← Z p ∗ T ′ ′ = r −1 T : H ( t ) 21

Privacy Pass Issuer User Γ := ( p , G , G ) X = xG r ← Z p ∗ T ′ ′ = r −1 T : H ( t ) ′ = xT ′ W : W ′ W := rW ′ 21

Privacy Pass Issuer User Γ := ( p , G , G ) X = xG r ← Z p ∗ T ′ ′ = r −1 T : H ( t ) ′ = xT ′ W : W ′ W := rW ′ ⋯ redemption ⋯ t , W 1. check x H ( t ) = W 2. add to spent tokens. t 21

Privacy Pass Issuer User Γ := ( p , G , G ) X = xG r ← Z p ∗ T ′ ′ = r −1 T : H ( t ) ′ = xT ′ W : { [ G T ′ ] [ X W ′ ]} W ′ , π π := zkp = x check π W := rW ′ ⋯ redemption ⋯ t , W 1. check x H ( t ) = W 2. add to spent tokens. t 22

Private metadata? Issuer User Γ := ( p , G , G ) X = x G , b ∈ {0, 1} b r ← Z p ∗ T ′ ′ = r −1 T : H ( t ) ′ = x T ′ W : b { b [ G T ′ ] [ X b W ′ ]} W ′ , π π := zkp = x check π W := rW ′ ⋯ redemption ⋯ t , W 1. check s.t. x H ( t ) = b W b 2. add to spent tokens. t 23

Attack Adversary Issuer Γ := ( p , G , G ) X = x G , b ∈ {0, 1} b b r , s ← Z p ∗ ′ = r −1 T : H ( t ) ′ = s −1 S : H ( t ) T ′ S ′ ′ = x T ′ W : 0 ′ = x S ′ V : 1 24

Attack Adversary Issuer Γ := ( p , G , G ) X = x G , b ∈ {0, 1} b b r , s ← Z p ∗ ′ = r −1 T : H ( t ) ′ = s −1 S : H ( t ) T ′ S ′ ′ = x T ′ W : 0 ′ = x S ′ V : 1 W ′ V ′ rW ′ = ? sV ′ 24

Privacy Pass variant Issuer User Γ := ( p , G , G , H ) X = xG + yH r ← Z p ∗ ′ = r T ′ −1 T : H ( t ) ′ = H ( T , s ) ′ s ← {0, 1} ; S : λ ′ yS ′ W := xT + 25

Privacy Pass variant Issuer User Γ := ( p , G , G , H ) X = xG + yH r ← Z p ∗ ′ = r T ′ −1 T : H ( t ) ′ = H ( T , s ) ′ s ← {0, 1} ; S : λ ′ yS ′ W := xT + s , W ′ , π W := rW ′ ′ S := r H ( T , s ) ⋯ redemption ⋯ t , S , W 1. check x H ( t ) + yS = W 2. add to spent tokens. t 25

Privacy Pass variant Issuer User Γ := ( p , G , G , H ) X = xG + yH r ← Z p ∗ ′ = r T ′ −1 T : H ( t ) ′ = H ( T , s ) ′ s ← {0, 1} ; S : λ ′ yS ′ W := xT + π := s , W ′ , π { [ G T ′ ] [ H S ′ ] [ X W ′ ]} check π + y = zkp x W := rW ′ ′ S := r H ( T , s ) ⋯ redemption ⋯ t , S , W 1. check x H ( t ) + yS = W 2. add to spent tokens. t 25

Private metadata Issuer User Γ := ( p , G , G , H ) X = x G + y H , b ∈ {0, 1} b b b r ← Z p ∗ ′ = r T ′ −1 T : H ( t ) ′ = H ( T , s ) ′ s ← {0, 1} ; S : λ ′ ′ W := x T + y S b b π := s , W ′ , π { b [ G T ′ ] b [ H S ′ ] [ X b W ′ ]} check π + y = zkp x W := rW ′ ′ S := r H ( T , s ) ⋯ redemption ⋯ t , S , W 1. check s.t. x H ( t ) + y S = b W b b 2. add to spent tokens. t 26

Removing the zk proof Issuer User Γ := ( p , G , G ) X = xG r , ρ ← Z p ∗ T ′ ′ = r ( H ( t ) − ρG ) T : ′ = xT ′ W : W ′ , π −1 ′ W := r W + ρX ⋯ redemption ⋯ t , W 1. check x H ( t ) = W 2. add to spent tokens. t 27

Concrete security 28

Concrete security One-more Diffie-Hellman is not extensively studied; 28

Concrete security One-more Diffie-Hellman is not extensively studied; Token Hijacking; 28

Concrete security One-more Diffie-Hellman is not extensively studied; Token Hijacking; Engeneering issues. 28

Implementation In Rust, using curve25519-dalek::Ristretto. #[test] fn it_works() { let mut csrng = rand::rngs::OsRng; // generate a keypair let keypair = KeyPair::generate(&mut csrng); // get the public parameters let pp = PublicParams::from(&keypair); // client's first message (the blinded token) let blinded_token = pp.generate_token(&mut csrng); // server's reponse (the signed token) with hidden metadata bit 0 let signed_token = keypair.sign(&mut csrng, &blinded_token.to_bytes(), 0); // clien'ts unbliding (the final token) let token = blinded_token.unblind(signed_token); assert!(token.is_ok()); // verification of the token assert!(keypair.verify(&token.unwrap()).is_ok()); } 29 Check out [benchmarks report] for fancy stats.

Future directions 30

Future directions public metadata 30