Anonymous Tokens
Michele Orrù
joint work with Ben Kreuter, Tancrède Lepoint, Mariana Raykova
ia.cr/2020/072
1
Definition
Anonymous tokens are lightweight, single-use anonymous credentials.
… we focus on secret-key tokens with a private metadata bit.
2
Website protection.
[Figure: parties U, I and W (labelled Tor User, CloudFlare, CDN); messages: request, challenge, solution?, response + tokens; then request, token; response / no.]
CAPTCHA, CAPTCHA, CAPTCHA
Privacy Pass: Bypassing Internet Challenges Anonymously. [PETS'18]
3–8
Micro payments.
9
Fraud prevention.
10
Deprecating 3rd party cookies.
11
Private metadata
token? ✗
12
Private metadata
token? … request, $\sigma(b)$: a token $\sigma$ carrying a hidden bit $b$
13
Issuance protocol: $\sigma \leftarrow \langle U(pp, t), I(sk, b) \rangle$
Redemption algorithm: $\{0, 1, \bot\} \leftarrow V(sk, t, \sigma)$
14
Unlinkability
Users $U_1, U_2, \ldots, U_n$ each run issuance and obtain a token $(t_i, \sigma_i)$; at redemption the issuer cannot tell which user a token came from.
15
One-more unforgeability
After $\ell$ issuances $(1), \ldots, (\ell)$, no adversary outputs $\ell + 1$ valid tokens $(t_i, \sigma_i)_{i=1}^{\ell+1}$.
16
Privacy of the metadata bit (ind.)
17
W3C: Trust Token API
fetch('https://iacr.org/.well-known/trust-token', {
  trustToken: { type: 'token-request', issuer: 'ens.fr' }
});
fetch('https://eprint.iacr.org/2020/072.pdf', {
  trustToken: { type: 'raw-token-redemption', issuer: 'ens.fr' }
});
[Example derived from the .]
IETF: Privacy Pass draft
"In some situations, it may only be necessary to check that a client has been previously authorized by a service; without learning any … useful in quickly assessing the reputation of a client in latency-sensitive communication."
[Draft] version 00
18
Formalization of Anonymous Tokens;
Private Metadata extension;
New techniques for removal of zk proofs.
19
Anonymous Credentials
Algebraic MACs
Blind Signatures
20
Privacy Pass
$\Gamma := (p, \mathbb{G}, G)$; issuer secret key $x$, public key $X = xG$
User: $r \leftarrow \mathbb{Z}_p^*$, $T' := r^{-1} H(t)$; sends $T'$
Issuer: $W' := xT'$, $\pi := \mathrm{zkp}\{x : x\,[G\ \ T'] = [X\ \ W']\}$; sends $W', \pi$
User: check $\pi$, $W := rW'$
Redemption: user sends $(t, W)$; issuer checks $xH(t) = W$
21–22
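The Privacy Pass issuance just described, written out end to end as an added example; this is not code from the talk or from the authors' Rust crate. It runs over a constructed toy group, the prime-order subgroup of $\mathbb{Z}_q^*$ for the safe prime $q = 10007$, in place of Ristretto; the function names, the Fiat-Shamir transcript layout and the hash-to-group map are my own assumptions. The proof $\pi$ is the Chaum-Pedersen DLEQ proof that the issuer used the $x$ behind $X$ for this $T'$; the second runner shows the key-substitution it catches.

```python
import hashlib
import secrets

# Constructed toy group, standing in for the Ristretto group of the talk's Rust code:
# the subgroup of prime order P_ORDER in Z_Q^*, with Q = 2 * P_ORDER + 1 a safe prime.
# The slides write the group additively: kP is pow(P, k, Q) here, P + R is P * R % Q.
Q, P_ORDER = 10007, 5003
G = 4  # a quadratic residue, hence a generator of the order-P_ORDER subgroup


def add(a: int, b: int) -> int:
    return a * b % Q


def mul(k: int, a: int) -> int:
    return pow(a, k % P_ORDER, Q)


def rand_scalar() -> int:
    return secrets.randbelow(P_ORDER - 1) + 1  # uniform in Z_p^*


def hash_to_group(t: bytes) -> int:
    # H(t): hash into [1, Q-1] and square, so the result lies in the prime-order subgroup
    h = int.from_bytes(hashlib.sha256(t).digest(), "big") % (Q - 1) + 1
    return h * h % Q


def hash_to_scalar(*parts: int) -> int:
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P_ORDER


def dleq_prove(x: int, X: int, T_blind: int, W_blind: int) -> tuple:
    # pi := zkp{x : x [G T'] = [X W']}: a Chaum-Pedersen proof that W' was computed with
    # the x behind X, made non-interactive with Fiat-Shamir over the whole transcript.
    k = rand_scalar()
    A, B = mul(k, G), mul(k, T_blind)
    c = hash_to_scalar(G, X, T_blind, W_blind, A, B)
    return c, (k - c * x) % P_ORDER


def dleq_verify(X: int, T_blind: int, W_blind: int, proof: tuple) -> bool:
    c, z = proof
    A = add(mul(z, G), mul(c, X))               # equals kG for an honest proof
    B = add(mul(z, T_blind), mul(c, W_blind))   # equals kT'
    return c == hash_to_scalar(G, X, T_blind, W_blind, A, B)


def keygen() -> tuple:
    x = rand_scalar()
    return x, mul(x, G)  # (x, X = xG)


def user_blind(t: bytes) -> tuple:
    r = rand_scalar()
    return r, mul(pow(r, -1, P_ORDER), hash_to_group(t))  # T' := r^{-1} H(t)


def issuer_sign(x: int, X: int, T_blind: int) -> tuple:
    W_blind = mul(x, T_blind)  # W' := xT'
    return W_blind, dleq_prove(x, X, T_blind, W_blind)


def user_unblind(X: int, r: int, T_blind: int, W_blind: int, proof: tuple) -> int:
    if not dleq_verify(X, T_blind, W_blind, proof):
        raise ValueError("DLEQ proof rejected: W' was not computed with the key behind X")
    return mul(r, W_blind)  # W := rW' = xH(t)


def redeem(x: int, t: bytes, W: int) -> bool:
    return mul(x, hash_to_group(t)) == W  # the issuer checks xH(t) = W


def run_honest(t: bytes = b"constructed-nonce") -> bool:
    x, X = keygen()
    r, T_blind = user_blind(t)
    W_blind, proof = issuer_sign(x, X, T_blind)
    return redeem(x, t, user_unblind(X, r, T_blind, W_blind, proof))


def run_key_substitution(t: bytes = b"constructed-nonce") -> bool:
    # An issuer that publishes X = xG but signs this one user with another key x2 (so as
    # to single out her tokens later) has to fake pi; the check fails. True if caught.
    x, X = keygen()
    x2 = x % (P_ORDER - 1) + 1  # some key other than x
    _, T_blind = user_blind(t)
    W_blind = mul(x2, T_blind)
    return not dleq_verify(X, T_blind, W_blind, dleq_prove(x2, X, T_blind, W_blind))


if __name__ == "__main__":
    print("honest issuance redeems:", run_honest())
    print("key substitution caught:", run_key_substitution())
```

Swapping the toy group for a real prime-order group only changes `add`, `mul` and `hash_to_group`; the proof and the blinding are unchanged, which is the point of abstracting $\Gamma = (p, \mathbb{G}, G)$.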
Private metadata?
$X_b = x_b G$, $b \in \{0, 1\}$
User: $r \leftarrow \mathbb{Z}_p^*$, $T' := r^{-1} H(t)$; sends $T'$
Issuer: $W' := x_b T'$, $\pi := \mathrm{zkp}\{x_b : x_b\,[G\ \ T'] = [X_b\ \ W']\}$; sends $W', \pi$
User: check $\pi$, $W := rW'$
Redemption: user sends $(t, W)$; issuer checks $x_b H(t) = W$
23
$\Gamma := (p, \mathbb{G}, G)$; $X_b = x_b G$, $b \in \{0, 1\}$
Adversary: $r, s \leftarrow \mathbb{Z}_p^*$, $T' := r^{-1} H(t)$, $S' := s^{-1} H(t)$; sends $T'$, $S'$
Issuer: $W' := x_b T'$, $V' := x_1 S'$
Adversary: checks $rW' \stackrel{?}{=} sV'$
Both unblind to tokens on the same $t$, so equality tells the adversary whether $b = 1$: the bit is not private.
24
Privacy Pass variant
$\Gamma := (p, \mathbb{G}, G, H)$; issuer secret key $(x, y)$, public key $X = xG + yH$
User: $r \leftarrow \mathbb{Z}_p^*$, $T' := r^{-1} H(t)$; sends $T'$
Issuer: $s \leftarrow \{0, 1\}^\lambda$, $S' := H(T', s)$, $W' := xT' + yS'$, $\pi := \mathrm{zkp}\{x, y : x\,[G\ \ T'] + y\,[H\ \ S'] = [X\ \ W']\}$; sends $s, W', \pi$
User: check $\pi$, $W := rW'$, $S := rH(T', s)$
Redemption: user sends $(t, S, W)$; issuer checks $xH(t) + yS = W$
25
Private metadata
$X_b = x_b G + y_b H$, $b \in \{0, 1\}$
User: $r \leftarrow \mathbb{Z}_p^*$, $T' := r^{-1} H(t)$; sends $T'$
Issuer: $s \leftarrow \{0, 1\}^\lambda$, $S' := H(T', s)$, $W' := x_b T' + y_b S'$, $\pi := \mathrm{zkp}\{x_b, y_b : x_b\,[G\ \ T'] + y_b\,[H\ \ S'] = [X_b\ \ W']\}$; sends $s, W', \pi$
User: check $\pi$, $W := rW'$, $S := rH(T', s)$
Redemption: user sends $(t, S, W)$; issuer checks $x_b H(t) + y_b S = W$ and outputs $b$
26
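An added example, mine rather than the authors' code, covering slides 23 to 26 together: the naive bit-keyed token $W = x_b H(t)$, the comparison of two tokens on the same $t$ that breaks it, and the variant with the second generator $H$ and a fresh $s$ per issuance, whose redemption returns the bit. It uses a constructed toy group (the prime-order subgroup of $\mathbb{Z}_q^*$ for the safe prime $q = 10007$, with $G = 4$ and $H = 9$ as stand-ins for independent generators) instead of Ristretto, and the OR-proof $\pi$ over $b$ is left out: the user is assumed to have checked it. Function names and the domain-separated hash are assumptions.

```python
import hashlib
import secrets

# Constructed toy group standing in for Ristretto: the subgroup of prime order P_ORDER
# in Z_Q^*, Q = 2 * P_ORDER + 1 a safe prime. Additive slide notation maps to
# kP = pow(P, k, Q) and P + R = P * R % Q. G and H are two quadratic residues playing
# the independent generators of Gamma = (p, G, G, H).
Q, P_ORDER = 10007, 5003
G, H = 4, 9


def add(a: int, b: int) -> int:
    return a * b % Q


def mul(k: int, a: int) -> int:
    return pow(a, k % P_ORDER, Q)


def rand_scalar() -> int:
    return secrets.randbelow(P_ORDER - 1) + 1


def hash_to_group(label: bytes, *parts) -> int:
    # one hash serves both H(t) and H(T', s); the label keeps the two uses apart
    data = label + b"|".join(v if isinstance(v, bytes) else str(v).encode() for v in parts)
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1
    return h * h % Q  # squaring lands in the prime-order subgroup


def keygen() -> tuple:
    # one pair (x_b, y_b) per metadata bit; X_b = x_b G + y_b H is what gets published
    sk = {b: (rand_scalar(), rand_scalar()) for b in (0, 1)}
    pk = {b: add(mul(x, G), mul(y, H)) for b, (x, y) in sk.items()}
    return sk, pk


def user_blind(t: bytes) -> tuple:
    r = rand_scalar()
    return r, mul(pow(r, -1, P_ORDER), hash_to_group(b"t", t))  # T' := r^{-1} H(t)


def issuer_sign(sk: dict, T_blind: int, b: int) -> tuple:
    # s is fresh per issuance, so S' = H(T', s), and with it W', never repeats even when
    # the same t is blinded twice; that is what defeats the comparison of slide 24
    x, y = sk[b]
    s = secrets.token_bytes(16)
    S_blind = hash_to_group(b"S", T_blind, s)
    return s, add(mul(x, T_blind), mul(y, S_blind))  # W' := x_b T' + y_b S'


def user_unblind(r: int, T_blind: int, s: bytes, W_blind: int) -> tuple:
    # the OR-proof pi over b in {0, 1} is assumed already checked (not implemented here)
    S = mul(r, hash_to_group(b"S", T_blind, s))  # S := rH(T', s)
    return S, mul(r, W_blind)                    # W := rW' = x_b H(t) + y_b S


def redeem(sk: dict, t: bytes, S: int, W: int):
    # {0, 1, bottom} <- V(sk, t, sigma): return the bit whose key gives x_b H(t) + y_b S = W
    for b, (x, y) in sk.items():
        if add(mul(x, hash_to_group(b"t", t)), mul(y, S)) == W:
            return b
    return None


def issue(sk: dict, t: bytes, b: int) -> tuple:
    r, T_blind = user_blind(t)
    s, W_blind = issuer_sign(sk, T_blind, b)
    return user_unblind(r, T_blind, s, W_blind)


def naive_token(sk: dict, t: bytes, b: int) -> int:
    # slide 23: W = x_b H(t), a deterministic function of (t, b)
    return mul(sk[b][0], hash_to_group(b"t", t))


def naive_compare(sk: dict, t: bytes, b: int) -> bool:
    # slide 24: blind the same t twice, obtain one token under the hidden bit b and one
    # under bit 1, unblind both and compare; equality holds exactly when b = 1
    return naive_token(sk, t, b) == naive_token(sk, t, 1)


def variant_compare(sk: dict, t: bytes, b: int) -> bool:
    # the same experiment against the variant: the two W values differ whatever b is
    return issue(sk, t, b)[1] == issue(sk, t, 1)[1]


if __name__ == "__main__":
    sk, _ = keygen()
    print([redeem(sk, b"nonce", *issue(sk, b"nonce", b)) for b in (0, 1)])
```

Note that `redeem` tries both keys, so the redemption algorithm itself never sees $b$ on the wire; the bit is recovered from which of $X_0, X_1$ the token verifies under, which is exactly what the $\{0, 1, \bot\}$ output of $V$ on slide 14 denotes.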
Removing the zk proof
$\Gamma := (p, \mathbb{G}, G)$; $X = xG$
User: $r, \rho \leftarrow \mathbb{Z}_p^*$, $T' := r\,(H(t) - \rho G)$; sends $T'$
Issuer: $W' := xT'$; sends $W'$
User: $W := r^{-1} W' + \rho X$
Redemption: user sends $(t, W)$; issuer checks $xH(t) = W$
27
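The proof-free issuance above as an added example (mine, not the authors' implementation), over the same kind of constructed toy group as before: the prime-order subgroup of $\mathbb{Z}_q^*$ for the safe prime $q = 10007$, standing in for Ristretto. It carries the unblinding algebra through for an honest issuer and for one that signs a single user under a second key, which is the case the DLEQ proof used to guard against. Function names are assumptions.

```python
import hashlib
import secrets

# Constructed toy group standing in for Ristretto: the subgroup of prime order P_ORDER
# in Z_Q^*, Q = 2 * P_ORDER + 1 a safe prime; kP is pow(P, k, Q), P + R is P * R % Q,
# and -P is mul(-1, P).
Q, P_ORDER = 10007, 5003
G = 4


def add(a: int, b: int) -> int:
    return a * b % Q


def mul(k: int, a: int) -> int:
    return pow(a, k % P_ORDER, Q)


def rand_scalar() -> int:
    return secrets.randbelow(P_ORDER - 1) + 1


def hash_to_group(t: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(t).digest(), "big") % (Q - 1) + 1
    return h * h % Q


def keygen() -> tuple:
    x = rand_scalar()
    return x, mul(x, G)


def user_blind(t: bytes) -> tuple:
    # T' := r (H(t) - rho G): on top of the multiplicative blind r, the request now
    # hides an additive offset rho G that only the user knows
    r, rho = rand_scalar(), rand_scalar()
    T_blind = mul(r, add(hash_to_group(t), mul(-1, mul(rho, G))))
    return r, rho, T_blind


def issuer_sign(x: int, T_blind: int) -> int:
    return mul(x, T_blind)  # W' := xT' and nothing else: no proof to build


def user_unblind(X: int, r: int, rho: int, W_blind: int) -> int:
    # W := r^{-1} W' + rho X; for an honest issuer
    #   r^{-1} x r (H(t) - rho G) + rho xG = xH(t),
    # the same token Privacy Pass issues, obtained without checking any pi
    return add(mul(pow(r, -1, P_ORDER), W_blind), mul(rho, X))


def redeem(x: int, t: bytes, W: int) -> bool:
    return mul(x, hash_to_group(t)) == W


def run_honest(t: bytes = b"constructed-nonce") -> bool:
    x, X = keygen()
    r, rho, T_blind = user_blind(t)
    return redeem(x, t, user_unblind(X, r, rho, issuer_sign(x, T_blind)))


def run_key_substitution(t: bytes = b"constructed-nonce") -> tuple:
    # An issuer that publishes X = xG but signs this user with a second key x2 hands
    # her W = x2 H(t) + rho (x - x2) G. rho is uniform and unknown to the issuer, so W
    # is a point it cannot predict, and it verifies under neither x nor x2: the
    # deviation buys the issuer no more than refusing to issue would have.
    x, X = keygen()
    x2 = x % (P_ORDER - 1) + 1
    r, rho, T_blind = user_blind(t)
    W = user_unblind(X, r, rho, issuer_sign(x2, T_blind))
    return redeem(x, t, W), redeem(x2, t, W)


if __name__ == "__main__":
    print("honest:", run_honest())
    print("key substitution, verifies under (x, x2):", run_key_substitution())
```

The cost of dropping $\pi$ is the one on slide 28: unforgeability now rests on a one-more Diffie-Hellman assumption rather than on the DLEQ-protected chosen-target one, and the issuer saves a proof per token.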
Concrete security
One-more Diffie-Hellman is not extensively studied;
Token Hijacking;
Engineering issues.
28
#[test]
fn it_works() {
    let mut csrng = rand::rngs::OsRng;
    // generate a keypair
    let keypair = KeyPair::generate(&mut csrng);
    // get the public parameters
    let pp = PublicParams::from(&keypair);
    // client's first message (the blinded token)
    let blinded_token = pp.generate_token(&mut csrng);
    // server's response (the signed token) with hidden metadata bit 0
    let signed_token = keypair.sign(&mut csrng, &blinded_token.to_bytes(), 0);
    // client's unblinding (the final token)
    let token = blinded_token.unblind(signed_token);
    assert!(token.is_ok());
    // verification of the token
    assert!(keypair.verify(&token.unwrap()).is_ok());
}
In Rust, using curve25519-dalek::Ristretto.
Check out the [benchmarks report] for fancy stats.
29
public metadata
public verifiability: blind BLS; blind Okamoto-Schnorr? :( broken
batching proofs
30