ECash and Anonymous Credentials
CS/ECE 598MAN: Applied Cryptography
Nikita Borisov, November 9, 2009

Outline
1 E-cash: Chaum's E-cash; Offline E-cash
2 Anonymous Credentials: e-cash-based Credentials; Brands' Credentials; CL Signatures; Camenisch Anonymous Credentials
3 Compact E-cash

E-cash
E-cash properties
How is cash different from credit card transactions?
Untraceable
Verifiable offline
Chaum's E-cash
First Attempt at e-cash
A message with a digital signature:
Example (eBill): "This bill is legal tender for exactly US$1.00" – US Mint
How well does this work for our purposes?
Traceable: Mint will recognize randomized signature
Needs online verification to prevent double spending
Blind Signatures
[Chaum, Crypto’82]
Recall the RSA signature homomorphism:
(m_1)^d · (m_2)^d ≡ (m_1 m_2)^d (mod n)
We can use this to construct a blind signature:
Definition (Blind signature)
1 Alice picks r ∈_R Z_n^*
2 Alice generates the blinded message m' = m · r^e (mod n) and asks the mint to sign it
3 Mint produces a signature on m': σ' = (m')^d ≡ m^d r^{ed} ≡ m^d r (mod n)
4 Alice uses σ = σ'/r to obtain a signature on m
Blind signature protocol
Withdrawal Protocol
1 Alice produces a message: m = H("This bill is legal tender for exactly US$1,000.00")
2 Alice obtains a blind signature on m from the mint.
3 Mint deducts $1 from Alice's account.
Properties
Unlinkable: mint cannot link the signature on m to the signature on m' (information-theoretic security)
Needs online verification to prevent double spending
Alice can change the amount
Single-denomination keys
Mint's public key (n, e) is used only to issue $1.00 e-coins.
Withdrawal Protocol
1 Alice produces a serial number s, and message m = H(s)
2 Alice obtains a blind signature on m from the mint.
3 Mint deducts $1 from Alice's account.
Why does m = H(s)? Prevents existential forgery.
Payment protocol requires Alice to produce s and a signature σ ≡ H(s)^d (mod n), i.e. an e-th root of H(s) mod n
How do we support multiple denominations? Multiple public keys: (n_{$1}, e_{$1}), (n_{$5}, e_{$5}), . . .
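The blind-signature withdrawal above, as an added worked example (not code from the slides): a toy RSA mint key (p = 61, q = 53, e = 17, constructed for illustration and far too small for real use), the blind / sign / unblind steps of the definition, the merchant's check of a coin (s, σ), and a demonstration of the RSA homomorphism that hashing the serial number (m = H(s)) is there to defeat. Serial numbers and the seed are constructed.

```python
import hashlib
import math
import random

# Toy RSA mint key, constructed for illustration only (real keys are 2048+ bits).
P, Q = 61, 53
N = P * Q                                  # n = 3233
E = 17                                     # public exponent e
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent d = e^{-1} mod phi(n)


def hash_serial(serial: str) -> int:
    """m = H(s): map the coin's serial number into Z_n before it is signed."""
    digest = hashlib.sha256(serial.encode()).digest()
    return int.from_bytes(digest, "big") % N


def pick_blinding_factor(rng: random.Random) -> int:
    """r in Z_n^*: must be invertible mod n so Alice can divide it out again."""
    while True:
        r = rng.randrange(2, N)
        if math.gcd(r, N) == 1:
            return r


def blind(m: int, r: int) -> int:
    """Step 2: m' = m * r^e mod n; the mint only ever sees m'."""
    return m * pow(r, E, N) % N


def mint_sign(m_blinded: int) -> int:
    """Step 3 (mint side): sigma' = (m')^d = m^d * r mod n."""
    return pow(m_blinded, D, N)


def unblind(sigma_blinded: int, r: int) -> int:
    """Step 4: sigma = sigma' / r mod n is an ordinary RSA signature on m."""
    return sigma_blinded * pow(r, -1, N) % N


def verify(m: int, sigma: int) -> bool:
    """Anyone holding the public key checks sigma^e == m mod n."""
    return pow(sigma, E, N) == m % N


def withdraw(serial: str, seed: int = 1):
    """Alice's view of a withdrawal: returns the coin (s, sigma)."""
    rng = random.Random(seed)
    m = hash_serial(serial)
    r = pick_blinding_factor(rng)
    sigma_blinded = mint_sign(blind(m, r))   # the only values the mint sees are m' and sigma'
    return serial, unblind(sigma_blinded, r)


def accept_coin(serial: str, sigma: int) -> bool:
    """Payment: the merchant recomputes H(s) and verifies the signature."""
    return verify(hash_serial(serial), sigma)


def forge_without_hash(m1: int, s1: int, m2: int, s2: int):
    """Why m = H(s) matters: if raw messages were signed, two signed messages
    multiply into a valid signature on a third message (existential forgery)."""
    return (m1 * m2) % N, (s1 * s2) % N
```

With hashing in place, a forger would have to find a serial whose hash equals the product, which is exactly what a random-oracle hash prevents; the mint's single-denomination key means it never has to read an amount out of the message at all.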
Offline E-cash
Offline E-cash
[Chaum,Fiat, & Naor, Crypto’90]
Basic ideas:
Encode the payer's identity in the coin
Payment protocol reveals some function of the user's identity
Two payments will reveal the full identity
Zero-knowledge proofs to show that the protocol is being followed
Setup
Bank's RSA public key: (n, e) as before; every coin is worth $1.
Each user has an account number u and a counter v.
Two collision-resistant hash functions are used:
f(x, y) is modeled as a random oracle
g(x, y) has the property that g(x, ·) is a permutation
Note: this guarantees that g(x, ·) is collision free
Withdrawal Protocol
1 Alice chooses a, c, d, r ∈_R Z_n^*
2 Alice forms a coin: C = f(g(a, c), g(a ⊕ (u||(v + 1)), d))
3 Alice sends r^e · C to the bank
4 The bank produces a signature σ' = r · C^d
5 The bank increments v by 1 and debits Alice's account $1
Note: Alice's identity is encoded in the coin (in a complex way)
The bank needs to verify that Alice is constructing the coin correctly
Cut-and-choose
Withdrawal
1 Alice chooses a_i, c_i, d_i, r_i ∈_R Z_n^*, for i = 1, . . . , k
2 Alice forms a coin: C_i = f(g(a_i, c_i), g(a_i ⊕ (u||(v + i)), d_i))
3 Alice sends r_i^e · C_i to the bank
4 The bank picks a set of k/2 indices, R, and sends them to Alice
5 Alice sends a_i, c_i, d_i, and r_i for i ∈ R to the bank
6 The bank produces a signature on the remaining C_i's: σ' = ∏_{i∉R} r_i · C_i^d
7 Alice generates the final coin: C = σ' / ∏_{i∉R} r_i = ∏_{i∉R} C_i^d
8 The bank increments v by 1, debits Alice's account $1
Payment Protocol
Assume without loss of generality that R = {k/2 + 1, . . . , k}, thus:
Payment
1 Alice sends C to Bob.
2 Bob chooses k/2 random bits, z_1, . . . , z_{k/2} ∈_R {0, 1}
3 For each i, Alice sends:
  1 If z_i = 1, she sends a_i, c_i, g(a_i ⊕ (u||(v + i)), d_i)
  2 If z_i = 0, she sends g(a_i, c_i), a_i ⊕ (u||(v + i)), d_i
4 Bob recomputes each C_i and verifies that the signature is correct
5 Later, Bob sends C and Alice's responses to the bank
6 Bank verifies the responses and credits Bob's account
Double Spending
If the bank receives two copies of the same coin C, it can recover Alice's identity from her responses to two merchants' challenges z and z':
With probability 1 − 2^{−k/2}, ∃i such that z_i ≠ z'_i
The bank then has both a_i and a_i ⊕ (u||(v + i))
Note: if Alice and Charlie collude, Charlie can issue the same challenge as Bob. Fix: make Bob's challenge depend on his identity.
Note: to prevent framing by the bank, Alice can use account number u||w_i for random w_i and provide a signature on the H(w_i)'s to the bank (which the bank checks during cut-and-choose).
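The cut-and-choose withdrawal, the challenge/response payment and the bank's double-spender identification, as an added worked example (not code from the slides or from the Chaum-Fiat-Naor paper). It models f and g with SHA-256 (g here is a collision-resistant stand-in for the slides' "g(x, ·) is a permutation"), packs u||(v+i) into two 32-bit fields, and leaves out the RSA blind signature on the product of the C_i, so a coin is represented by the list of kept C_i values. k = 8, the account number and the seeds are constructed.

```python
import hashlib
import random

K = 8                 # candidates built per withdrawal; the bank opens K/2 of them
FIELD = 32            # u and v+i are packed as two 32-bit fields: ident = u || (v+i)


def f(x: int, y: int) -> int:
    """f(x, y): random-oracle stand-in."""
    return int.from_bytes(hashlib.sha256(f"f|{x}|{y}".encode()).digest(), "big")


def g(x: int, y: int) -> int:
    """g(x, y): collision-resistant stand-in for the slides' g (g(x, .) a permutation)."""
    return int.from_bytes(hashlib.sha256(f"g|{x}|{y}".encode()).digest(), "big")


def ident(u: int, v: int, i: int) -> int:
    """The identity field u || (v + i) that Alice XORs into candidate i."""
    return (u << FIELD) | (v + i)


def build_candidates(u, v, rng):
    """Alice, steps 1-2: k candidates C_i = f(g(a_i, c_i), g(a_i xor (u||v+i), d_i))."""
    secrets, cands = [], []
    for i in range(1, K + 1):
        a, c, d = (rng.getrandbits(2 * FIELD) for _ in range(3))
        secrets.append((a, c, d, ident(u, v, i)))
        cands.append(f(g(a, c), g(a ^ ident(u, v, i), d)))
    return cands, secrets


def bank_cut_and_choose(cands, secrets, u, v, rng):
    """Bank, steps 4-5: open K/2 random candidates and check each encodes Alice's u||v+i.
    Returns the indices the bank will sign, or None if an opened candidate is malformed."""
    opened = set(rng.sample(range(K), K // 2))
    for i in opened:
        a, c, d, enc = secrets[i]
        if enc != ident(u, v, i + 1) or cands[i] != f(g(a, c), g(a ^ enc, d)):
            return None
    return [i for i in range(K) if i not in opened]


def respond(secrets, kept, z):
    """Alice, payment step 3: one reply per kept candidate, selected by the challenge bit."""
    out = []
    for i, zi in zip(kept, z):
        a, c, d, enc = secrets[i]
        out.append((1, a, c, g(a ^ enc, d)) if zi else (0, g(a, c), a ^ enc, d))
    return out


def merchant_verify(cands, kept, resp):
    """Bob, payment step 4: recompute each C_i from the reply he received."""
    for i, r in zip(kept, resp):
        recomputed = f(g(r[1], r[2]), r[3]) if r[0] else f(r[1], g(r[2], r[3]))
        if recomputed != cands[i]:
            return False
    return True


def bank_identify(resp1, resp2):
    """Bank: two deposits of one coin whose challenges differ at some i give a_i from one
    reply and a_i xor (u||v+i) from the other; their xor is the identity. Returns (u, v+i)."""
    for r1, r2 in zip(resp1, resp2):
        if r1[0] == r2[0]:
            continue
        one, zero = (r1, r2) if r1[0] else (r2, r1)
        enc = one[1] ^ zero[2]
        return enc >> FIELD, enc & ((1 << FIELD) - 1)
    return None


def demo(u=0x0000ACC7, v=5, seed=3):
    """Withdraw once, spend the same coin at two merchants, let the bank identify Alice."""
    rng = random.Random(seed)
    cands, secrets = build_candidates(u, v, rng)
    kept = bank_cut_and_choose(cands, secrets, u, v, rng)
    z1 = [rng.getrandbits(1) for _ in kept]
    z2 = [1 - z1[0]] + z1[1:]          # second merchant's challenge differs in the first bit
    resp1, resp2 = respond(secrets, kept, z1), respond(secrets, kept, z2)
    ok = merchant_verify(cands, kept, resp1) and merchant_verify(cands, kept, resp2)
    return ok, bank_identify(resp1, resp2)
```

The slide's collusion note maps directly onto `demo`: if both merchants used the same z the loop in `bank_identify` would find no differing index, which is why a real deployment derives the challenge from the merchant's identity (and a transaction counter) rather than letting the merchant pick it freely.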
Credential Systems
Credential: a certified list of attributes.
Example (Driver's License)
Name: John Smith
D.O.B.: 01/01/1970
Address: 123 Main St.
Zipcode: 61820
Eye color: Blue
Hair color: Brown
Digital credentials: attribute list signed by some authority (e.g., IL Secretary of State)
Privacy issues: reveal all information to demonstrate one attribute.
Anonymous Credentials
(aka Private Credentials)
Properties
Selective Disclosure: can reveal only the attributes necessary. E.g.:
Over 21
Resident of Illinois
Licensed to drive
Needs glasses
Unlinkability: Issuing and showing credentials should not be linkable, even with cooperation of the CA.
Constructions
e-cash based
Brands' private credentials
Camenisch et al.'s anonymous credentials
Noninteractive Anonymous Credentials
e-cash-based Credentials
Digital Coin as Credential
Credential issue: Withdraw
Credential show: Payment
No double-spending protection
Credential attribute: denomination
Problems
Credential showings are linkable to each other
Effectively, credential = pseudonym
Limited policy expressivity: conjunction of boolean attributes
No protection against credential sharing, combining
Brands' Credentials
Private Credentials
[Brands, MIT Press, 1990]
Stefan Brands' Ph.D. thesis
Constructs a credential with a collection of attributes
Blinded credential signed by issuing authority
Can selectively disclose a subset of (or a formula over) credentials
DLREP
Definition: Create generators g_1, . . . , g_l for a group of order q in Z_p^*
f(x_1, . . . , x_l) := g_1^{x_1} · · · g_l^{x_l} (mod p)
Proof of Knowledge of a DLREP for h
1 Alice creates w_1, . . . , w_l ∈_R Z_q^*, sends a = H(g_1^{w_1} · · · g_l^{w_l})
2 Bob sends challenge c
3 Alice computes r_i = c · x_i + w_i
4 Bob checks that a = H(g_1^{r_1} · · · g_l^{r_l} h^{−c})
Fiat-Shamir Heuristic
[Fiat, Shamir, Crypto’86]
Given a 3-move ZK protocol:
Prover: commit to a
Verifier: send challenge c
Prover: reveal r to prove commitment
Set c = H(a); then (a, r) is a non-interactive ZK proof.
Needs random oracle model
Can be extended to a signature proof of knowledge with c = H(a, M)
Approach
Issue Protocol
Let g_i = g^{y_i} mod p, h_0 = g^{y_0} mod p
Use a modified DLREP function: f(α, x_1, . . . , x_l) = (g_1^{x_1} · · · g_l^{x_l} h_0)^α mod p
Obtain a restricted blind signature on h
Showing Protocol
Reveal the value of selected attributes
Prove knowledge of DLREP for the remaining attributes
Never reveal α
Sharing Protection
Need to know all attributes to prove DLREP
Make one attribute be something sensitive (e.g., SSN, bank account password)
Issue Protocol
Alice, 1. Pre-compute: α ∈_R Z_q^*; α_2, α_3 ∈_R Z_q; h ← g_1^{x_1} · · · g_l^{x_l} mod p; h' ← (h_0 h)^α mod p; β ← g^{α_2} (h_0 h)^{α_3} mod p
CA, 1. Pre-compute: k ∈_R Z_q; s ← g^k mod p
Alice, 2. Send x_1, . . . , x_l to the CA
CA, 2. Validate attributes
CA, 3. Send s to Alice
Alice, 3. Compute: γ ← β s mod p
Alice, 4. Compute: u' ← H(h', γ) mod q; u ← u' − α_2 mod q
CA, 4. Compute: t ← (y_0 + x_1 y_1 + · · · + x_l y_l)^{−1} mod q
Alice, 4. Send u to the CA
CA, 5. Compute: v ← (k − u) t mod q
CA, 6. Send v to Alice
Alice, 5. Compute: v' ← (v + α_3) α^{−1} mod q
Alice, 6. Verify: u' =? H(h', g^{u'} (h')^{v'} mod p) mod q
Issue Protocol Explained
Final signature: u' = H(h', γ) mod q, where γ = g^{u'} (h')^{v'} mod p
Let γ = g^{α_2} (h_0 h)^{α_3} g^k
Let v = (k − (u' − α_2)) (log_g(h_0 h))^{−1}
v' = (v + α_3) α^{−1}
(h')^{v'} = ((h_0 h)^α)^{v'} = (h_0 h)^{v + α_3} = g^k g^{−u'} g^{α_2} (h_0 h)^{α_3} = γ g^{−u'}
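The DLREP proof of knowledge with the Fiat-Shamir heuristic, and the Brands issue protocol with its final verification, as one added worked example (not code from the slides or from Brands' thesis). It builds its own safe-prime group p = 2q + 1 with a deterministic Miller-Rabin search (64-bit q, a constructed size chosen to keep the search fast), uses g = 4 as the order-q generator, SHA-256 reduced mod q as H, and c = H(a, h) for the non-interactive DLREP proof (h standing in for the message M); the CA's attribute validation in step 2 is assumed to pass. Both parties run in one process; the attribute values and seeds are constructed.

```python
import hashlib
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24, so fine for a 64-bit q."""
    if n < 2:
        return False
    for b in SMALL_PRIMES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=64, seed=7):
    """Find p = 2q + 1 with p, q prime; g = 4 = 2^2 is a quadratic residue, hence of order q."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def H(q, *vals):
    """Random oracle of the Fiat-Shamir heuristic: hash the transcript into Z_q."""
    data = "|".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def dlrep(p, gens, xs):
    """f(x_1..x_l) = g_1^{x_1} ... g_l^{x_l} mod p."""
    h = 1
    for gi, xi in zip(gens, xs):
        h = h * pow(gi, xi, p) % p
    return h

def prove_dlrep(p, q, gens, xs, rng):
    """Non-interactive PoK of a DLREP: commit a = H(prod g_i^{w_i}), c = H(a, h), r_i = c x_i + w_i."""
    ws = [rng.randrange(1, q) for _ in gens]
    h = dlrep(p, gens, xs)
    a = H(q, dlrep(p, gens, ws))
    c = H(q, a, h)
    return a, [(c * xi + wi) % q for xi, wi in zip(xs, ws)]

def verify_dlrep(p, q, gens, h, proof):
    """Bob's check: a == H(prod g_i^{r_i} * h^{-c})."""
    a, rs = proof
    c = H(q, a, h)
    return a == H(q, dlrep(p, gens, rs) * pow(h, -c, p) % p)

def brands_issue(p, q, g, ca_secret, attrs, rng):
    """Both sides of the issue protocol; returns Alice's credential (h', u', v')."""
    y0, ys = ca_secret[0], ca_secret[1:]
    h0, gens = pow(g, y0, p), [pow(g, yi, p) for yi in ys]      # CA public key h0, g_i
    # Alice 1: blinding values and the blinded DLREP h' = (h0 h)^alpha
    alpha, alpha2, alpha3 = rng.randrange(1, q), rng.randrange(q), rng.randrange(q)
    h0h = h0 * dlrep(p, gens, attrs) % p
    h_prime = pow(h0h, alpha, p)
    beta = pow(g, alpha2, p) * pow(h0h, alpha3, p) % p
    # CA 1: k and s = g^k; CA 2: validates attrs (assumed to pass); CA 3: sends s
    k = rng.randrange(q)
    s = pow(g, k, p)
    # Alice 3-4: gamma, the hash u', and the blinded challenge u sent to the CA
    gamma = beta * s % p
    u_prime = H(q, h_prime, gamma)
    u = (u_prime - alpha2) % q
    # CA 4-6: t = (y0 + sum x_i y_i)^{-1} mod q, v = (k - u) t, sends v
    t = pow((y0 + sum(x * y for x, y in zip(attrs, ys))) % q, -1, q)
    v = (k - u) * t % q
    # Alice 5: unblind the response
    v_prime = (v + alpha3) * pow(alpha, -1, q) % q
    return h_prime, u_prime, v_prime

def brands_verify(p, q, g, cred):
    """Alice 6 (and any later verifier): u' == H(h', g^{u'} h'^{v'} mod p) mod q."""
    h_prime, u_prime, v_prime = cred
    return u_prime == H(q, h_prime, pow(g, u_prime, p) * pow(h_prime, v_prime, p) % p)

def demo(seed=1):
    """One CA, one attribute list, two issuances: both verify and their h' values differ."""
    p, q, g = safe_prime_group()
    rng = random.Random(seed)
    ca_secret = [rng.randrange(1, q) for _ in range(4)]           # y0, y1, y2, y3
    gens = [pow(g, yi, p) for yi in ca_secret[1:]]
    attrs = [21, 1, 61820]                                         # age, licensed flag, zip code
    pok_ok = verify_dlrep(p, q, gens, dlrep(p, gens, attrs), prove_dlrep(p, q, gens, attrs, rng))
    cred_a = brands_issue(p, q, g, ca_secret, attrs, rng)
    cred_b = brands_issue(p, q, g, ca_secret, attrs, rng)
    return pok_ok, brands_verify(p, q, g, cred_a), brands_verify(p, q, g, cred_b), cred_a[0] != cred_b[0]
```

The last element returned by `demo` is the unlinkability property in miniature: the CA saw the same x_1, . . . , x_l both times, yet the credentials it signed carry different h' (and different u', v') because α, α_2, α_3 never leave Alice's side.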
CL Signatures
Background: Pedersen Commitments
Commit to an integer x ∈ Z_q
Uses g, h ∈ Z_p^* (generators of a group of order q)
Prover does not know log_g h (e.g., verifier chooses h = g^a)
Commit to x: send c = g^x h^r
Reveal: show (x, r)
Fujisaki-Okamoto
Pick RSA modulus n
Let h ∈ QR_n, g ∈ ⟨h⟩
Commit: g^x h^r mod n
Reveal: send (x, r)
Secure if the prover does not know the factorization of n
Camenisch-Lysyanskaya Signatures
(SCN 2002)
A signature scheme designed to be used with anonymous protocols
Protocol to generate a signature on a committed value
Protocol to prove knowledge of a signature on a committed value
Building block of protocols, along with proofs regarding committed values
Signature Scheme
Setup
RSA modulus n = pq, with p = 2p' + 1, q = 2q' + 1, and p, q, p', q' prime
Choose a_1, . . . , a_l, b, c ∈ QR_n
PK = (n, a_1, . . . , a_l, b, c), SK = p
Signature
Message: m_1, . . . , m_l
Pick a random prime e and a random number s
v = (a_1^{m_1} · · · a_l^{m_l} b^s c)^{1/e} mod n
Output (e, s, v)
Camenisch-Stadler Notation
Generic notation for zero-knowledge proofs: PK{(vars) : conditions}
By convention, Greek letters represent values known only to the prover; other letters represent public values
Example: proof of knowledge of a DLREP for h according to bases g_1, . . . , g_l: PK{(ξ_1, . . . , ξ_l) : h ≡ g_1^{ξ_1} · · · g_l^{ξ_l} mod p}
Commitment Proofs
Proof of a DLREP modulo a composite: PK{(α_1, . . . , α_m) : C = ∏_{i=1}^{m} g_i^{α_i} mod n}
Proof of knowledge of equivalent representations: PK{(α_1, . . . , α_m) : C_1 = ∏_{i=1}^{m} g_i^{α_i} mod n_1 ∧ C_2 = ∏_{i=1}^{m} h_i^{α_i} mod n_2}
Proof that a committed value is the product of two other committed values: PK{(α, β, ρ_1, ρ_2, ρ_3) : C_a = g^α h^{ρ_1} mod n ∧ C_b = g^β h^{ρ_2} mod n ∧ C_{ab} = g^{αβ} h^{ρ_3} mod n}
Proof that a value lies within a given range: PK{(α, ρ) : C = g^α h^ρ mod n ∧ a ≤ α ≤ b}
Signing a Committed Value
Setup
Public key: (n, a, b, c); commitment public key: (n_C, g_C, h_C)
User: commitment C = g_C^x h_C^{r_C} mod n_C
Protocol
1 Form commitment C_x = a^x b^r mod n
2 Prove C_x is equivalent to C
3 Prove knowledge of x, r
4 Signer: pick random r' and prime e; let v = (C_x b^{r'} c)^{1/e}
5 Send (r', e, v) to the user
6 User: let s = r + r'; check v^e ≡ a^x b^s c mod n
Camenisch Anonymous Credentials
Anonymous Credentials
Similar to private credentials
Can be shown an arbitrary number of times
General Approach
Attributes: (x_1, . . . , x_l)
Commit to a DLREP of the attributes, prove that the attributes are correct
Obtain a signature on the DLREP
To show the credential, commit to the DLREP (new commitment)
Prove the commitment has the required attributes
Prove knowledge of the signature over the DLREP
Efficient Anonymous Credentials
[Camenisch & Groß, CCS’08]
Proofs of attributes are linear in the number of attributes
Public key needs to pre-specify the attribute list
Idea: create a single attribute E that encodes all of the credential
Let each (binary) attribute be represented by a prime e_i
E = ∏_{user has attribute i} e_i
k-valued attributes can be supported, too (How?)
Showing Possession of Attribute
Proof of Knowledge of Signature: PK{(σ, ε, ν, μ) : ν^ε = a^μ b^σ c mod n}
For attribute set E, show a signature on E/e_i using base a^{e_i}
Proof of Possession of Attribute e_i: PK{(σ, ε, ν, μ) : ν^ε = (a^{e_i})^μ b^σ c mod n}
Note: can prove a combination of attributes by using (a^{e_i e_j e_k})
Showing Absence of Attribute ej
Find two numbers a, b such that aE + b e_j = 1 by the extended Euclidean algorithm.
Let D = g^E h^r mod n
Proof: PK{(σ, ε, ν, μ, ρ_1, ρ_2, α, β) : ν^ε = a^μ b^σ c mod n ∧ D = g^μ h^{ρ_1} mod n ∧ g = D^α (g^{e_j})^β h^{ρ_2} mod n}
Showing an OR relation
Show that one of the attributes {e_1, . . . , e_m} is present.
Note: can be done generically (How?)
Approach: commit to e_j (D = g^{e_j} h^r); show that e_j | ∏_{i=1}^{l} e_i and e_j | E.
Proof: D = g^{e_j} h^r, PK{(σ, ε, ν, μ, ρ_1, ρ_2, ρ_3, α, β, δ) : ν^ε = a^μ b^σ c mod n ∧ D = g^δ h^{ρ_1} ∧ g^{∏_{i=1}^{m} e_i} = D^α h^{ρ_2} ∧ 1 = D^β g^μ h^{ρ_3}}
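The prime-encoding arithmetic that the three proofs above (possession, absence, OR) are built on, as an added example that is not from the slides or from the Camenisch-Groß paper. It shows the number-theoretic facts each zero-knowledge proof commits to, using a constructed attribute-to-prime table; the CL signature and the PK statements themselves are left out.

```python
from math import gcd

# Constructed vocabulary: every binary attribute gets its own small prime e_i.
ATTRIBUTE_PRIMES = {
    "over_21": 2,
    "illinois_resident": 3,
    "licensed_driver": 5,
    "needs_glasses": 7,
    "organ_donor": 11,
}


def encode(attrs):
    """E = product of e_i over the attributes the user holds (the single signed attribute)."""
    E = 1
    for name in attrs:
        E *= ATTRIBUTE_PRIMES[name]
    return E


def has_attribute(E, name):
    """Possession of e_i: e_i divides E, so a signature on E is a signature on E/e_i over base a^{e_i}."""
    return E % ATTRIBUTE_PRIMES[name] == 0


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def absence_witness(E, name):
    """Absence of e_j: coefficients (a, b) with a*E + b*e_j = 1 exist exactly when e_j does not
    divide E; they are the exponents alpha, beta in the proof g = D^alpha (g^{e_j})^beta h^rho."""
    ej = ATTRIBUTE_PRIMES[name]
    g, a, b = egcd(E, ej)
    return None if g != 1 else (a, b)


def has_any(E, names):
    """OR over a set: some e_j in the set divides E iff gcd(E, prod e_j) > 1;
    that common factor is the e_j the prover commits to in D = g^{e_j} h^r."""
    product = 1
    for name in names:
        product *= ATTRIBUTE_PRIMES[name]
    return gcd(E, product) > 1
```

Because E is a product of distinct primes, every presence or absence question reduces to divisibility, which is why the whole credential fits in one signed attribute regardless of how many attributes the vocabulary defines.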
Compact E-cash
[Camenisch, Hohenberger, Lysyanskaya, 2005]
Generate a compact "wallet"
Wallet contains 2^l coins
Wallet length, withdrawal protocol: O(l)
Two constructions
Definition of Security
Syntax
KeyGen: generate keys for user and bank
Withdraw: obtain a coin from the bank
Spend: spend a coin at a merchant
Deposit: deposit a coin at a bank
Identify: used by the bank to identify a double-spender
VerifyGuilt: verifies that double-spending occurred