Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity - - PowerPoint PPT Presentation

Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic Point of View

• F. Prost

Frederic.Prost@ens-lyon.fr

Ecole Normale Sup´ erieure de Lyon

July 2015

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 1 / 48

Introduction

Plan

1

Introduction

2

Data Integrity, Secure Hash

3

Proving Oneself’s Identity

4

Anonymous communications Sender Anonymity Sender and Receiver Anonymity

5

Electronic Cash

6

Conclusion

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 2 / 48

Introduction

Anonymity/Identity in a virtual world

0s and 1s are very much alike one another in a computer...

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 3 / 48

Introduction

Anonymity/Identity in a virtual world

0s and 1s are very much alike one another in a computer... Dual problems:

Anonymity: One should receive data in the end... Identity: how to prove oneself a virtual world

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 3 / 48

Introduction

Anonymity/Identity in a virtual world

0s and 1s are very much alike one another in a computer... Dual problems:

Anonymity: One should receive data in the end... Identity: how to prove oneself a virtual world

Integrity issue: how to insure that

Message is untampered. Person/system identified is the “good” one.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 3 / 48

Introduction

Anonymity/Identity in a virtual world

0s and 1s are very much alike one another in a computer... Dual problems:

Anonymity: One should receive data in the end... Identity: how to prove oneself a virtual world

Integrity issue: how to insure that

Message is untampered. Person/system identified is the “good” one.

Replay attack: identity does not change, but proof of identity should change.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 3 / 48

Introduction

How to prove yourself ?

The problem of proving oneself is particularly challenging when there is no cooperation. One wants to make it impossible for B to misrepresent himself as A even after he witnessed and verifyed many proofs of identity generated by A.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 4 / 48

Introduction

How to prove yourself ?

The problem of proving oneself is particularly challenging when there is no cooperation. One wants to make it impossible for B to misrepresent himself as A even after he witnessed and verifyed many proofs of identity generated by A. Three levels of protection:

1

Authentication schemes: A can prove to B that he is A, but someone else cannot prove to B that he is A.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 4 / 48

Introduction

How to prove yourself ?

The problem of proving oneself is particularly challenging when there is no cooperation. One wants to make it impossible for B to misrepresent himself as A even after he witnessed and verifyed many proofs of identity generated by A. Three levels of protection:

1

Authentication schemes: A can prove to B that he is A, but someone else cannot prove to B that he is A.

2

Identification schemes: A can prove to B that he is A, but B cannot prove someone else that he is A.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 4 / 48

Introduction

How to prove yourself ?

The problem of proving oneself is particularly challenging when there is no cooperation. One wants to make it impossible for B to misrepresent himself as A even after he witnessed and verifyed many proofs of identity generated by A. Three levels of protection:

1

Authentication schemes: A can prove to B that he is A, but someone else cannot prove to B that he is A.

2

Identification schemes: A can prove to B that he is A, but B cannot prove someone else that he is A.

3

Signature schemes: A can prove to B that he is A, but B cannot event prove to himself that he is A.

Difference between 2 and 3 is when one wants to prove to a judge that the identification was legit (2). 3 is based on ZKP and only direct interaction can prove the identity of A.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 4 / 48

Introduction

Traditional Cryptographic Approach to Privacy

Privacy is more complex than just using a cryptographic function.

= ⇒ Very often it even requires a priori contradictory features: (e.g. electronic vote, electronic cash, authentication and replay attacks...)

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 5 / 48

Introduction

Traditional Cryptographic Approach to Privacy

Privacy is more complex than just using a cryptographic function.

= ⇒ Very often it even requires a priori contradictory features: (e.g. electronic vote, electronic cash, authentication and replay attacks...)

It consists into elaborated protocols which uses several cryptographic primitives entangled together to achieve a specific goal:

Secure hash functions, Asymetric encryption, Secret sharing schemes, Bit commitment, Etc.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 5 / 48

Introduction

Traditional Cryptographic Approach to Privacy

Privacy is more complex than just using a cryptographic function.

= ⇒ Very often it even requires a priori contradictory features: (e.g. electronic vote, electronic cash, authentication and replay attacks...)

It consists into elaborated protocols which uses several cryptographic primitives entangled together to achieve a specific goal:

Secure hash functions, Asymetric encryption, Secret sharing schemes, Bit commitment, Etc.

Together with those primitives, standard techniques to compose them are used:

Challenge/response schemes.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 5 / 48

Introduction

Traditional Cryptographic Approach to Privacy

Privacy is more complex than just using a cryptographic function.

= ⇒ Very often it even requires a priori contradictory features: (e.g. electronic vote, electronic cash, authentication and replay attacks...)

It consists into elaborated protocols which uses several cryptographic primitives entangled together to achieve a specific goal:

Secure hash functions, Asymetric encryption, Secret sharing schemes, Bit commitment, Etc.

Together with those primitives, standard techniques to compose them are used:

Challenge/response schemes. Use of nounces and randomness in general.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 5 / 48

Introduction

Traditional Cryptographic Approach to Privacy

Privacy is more complex than just using a cryptographic function.

= ⇒ Very often it even requires a priori contradictory features: (e.g. electronic vote, electronic cash, authentication and replay attacks...)

It consists into elaborated protocols which uses several cryptographic primitives entangled together to achieve a specific goal:

Secure hash functions, Asymetric encryption, Secret sharing schemes, Bit commitment, Etc.

Together with those primitives, standard techniques to compose them are used:

Challenge/response schemes. Use of nounces and randomness in general. Cut and choose.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 5 / 48

Introduction

Traditional Cryptographic Approach to Privacy

Privacy is more complex than just using a cryptographic function.

= ⇒ Very often it even requires a priori contradictory features: (e.g. electronic vote, electronic cash, authentication and replay attacks...)

It consists into elaborated protocols which uses several cryptographic primitives entangled together to achieve a specific goal:

Secure hash functions, Asymetric encryption, Secret sharing schemes, Bit commitment, Etc.

Together with those primitives, standard techniques to compose them are used:

Challenge/response schemes. Use of nounces and randomness in general. Cut and choose. Etc.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 5 / 48

Data Integrity, Secure Hash

Plan

1

Introduction

2

Data Integrity, Secure Hash

3

Proving Oneself’s Identity

4

Anonymous communications Sender Anonymity Sender and Receiver Anonymity

5

Electronic Cash

6

Conclusion

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 6 / 48

Data Integrity, Secure Hash

Cryptographic Hash Functions

Trying to make the equivalent of fingerprints for data. Hash functions should be like a salami machine: impossible to inverse but such that if feeding material is changed, then the salami is changed as well.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 7 / 48

Data Integrity, Secure Hash

Cryptographic Hash Functions

Trying to make the equivalent of fingerprints for data. Hash functions should be like a salami machine: impossible to inverse but such that if feeding material is changed, then the salami is changed as well. The idea is that if h(x) = y and y is securily stored. Then if x is changed into x′, h(x′) = y′ = y.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 7 / 48

Data Integrity, Secure Hash

Cryptographic Hash Functions

Trying to make the equivalent of fingerprints for data. Hash functions should be like a salami machine: impossible to inverse but such that if feeding material is changed, then the salami is changed as well. The idea is that if h(x) = y and y is securily stored. Then if x is changed into x′, h(x′) = y′ = y. Actually families of keyed hash functions are used. The simplest way to make a MAC: A and B share k, A sends (x, y = hk(x)) to B. A third party C cannot alter x into x′ and sends (x′, hk(x′)) without knowing k.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 7 / 48

Data Integrity, Secure Hash

Cryptographic Hash Functions

Definition (hash-family) A hash-family is (X, Y, K, H) X: set of messages Y: set of digests of authentication tags K: set of keys H: for each k ∈ K, there is hk ∈ H : X → Y

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 8 / 48

Data Integrity, Secure Hash

Cryptographic Hash Functions

Definition (hash-family) A hash-family is (X, Y, K, H) X: set of messages Y: set of digests of authentication tags K: set of keys H: for each k ∈ K, there is hk ∈ H : X → Y

1 Preimage:

In h : X → Y, and y ∈ Y Out x ∈ X s.t. h(x) = y

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 8 / 48

Data Integrity, Secure Hash

Cryptographic Hash Functions

Definition (hash-family) A hash-family is (X, Y, K, H) X: set of messages Y: set of digests of authentication tags K: set of keys H: for each k ∈ K, there is hk ∈ H : X → Y

1 Preimage:

In h : X → Y, and y ∈ Y Out x ∈ X s.t. h(x) = y

2 Second Preimage:

In h : X → Y, and x ∈ § Out x′ ∈ X s.t. h(x) = h(x′) and x = x′

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 8 / 48

Data Integrity, Secure Hash

Cryptographic Hash Functions

Definition (hash-family) A hash-family is (X, Y, K, H) X: set of messages Y: set of digests of authentication tags K: set of keys H: for each k ∈ K, there is hk ∈ H : X → Y

1 Preimage:

In h : X → Y, and y ∈ Y Out x ∈ X s.t. h(x) = y

2 Second Preimage:

In h : X → Y, and x ∈ § Out x′ ∈ X s.t. h(x) = h(x′) and x = x′

3 Collision:

In h : X → Y Out x, x′ ∈ X s.t. h(x) = h(x′) and x = x′

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 8 / 48

Data Integrity, Secure Hash

The properties of Hash functions: Random Oracle Model

Introduced by Bellare and Rogaway in 1995 [Bellare and Rogaway, 1995]. Try to capture the essence of an “ideal” hash function:

h : X → Y is chosen randomly. h is seen as a black box: querry through an Oracle.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 9 / 48

Data Integrity, Secure Hash

The properties of Hash functions: Random Oracle Model

Introduced by Bellare and Rogaway in 1995 [Bellare and Rogaway, 1995]. Try to capture the essence of an “ideal” hash function:

h : X → Y is chosen randomly. h is seen as a black box: querry through an Oracle.

We can try to analyze hash functions independently from the particularities of the hash function considered. Algorithms are randomized algorithms.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 9 / 48

Data Integrity, Secure Hash

The properties of Hash functions: Random Oracle Model

Introduced by Bellare and Rogaway in 1995 [Bellare and Rogaway, 1995]. Try to capture the essence of an “ideal” hash function:

h : X → Y is chosen randomly. h is seen as a black box: querry through an Oracle.

We can try to analyze hash functions independently from the particularities of the hash function considered. Algorithms are randomized algorithms. Notion of ǫ average-case success probability relatively to the number Q of queries to the oracle: (ǫ, Q).

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 9 / 48

Data Integrity, Secure Hash

Pre-image

Find_PreImage(h,y,Q): choose X0 subset of X, |X0|=Q for all x in X0 do if h(x)=y then return (x) return (fail)

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 10 / 48

Data Integrity, Secure Hash

Pre-image

Find_PreImage(h,y,Q): choose X0 subset of X, |X0|=Q for all x in X0 do if h(x)=y then return (x) return (fail) Theorem If |X| = M the average-case success of Find Preimage is: ǫ = 1 − (1 − 1/M)Q

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 10 / 48

Data Integrity, Secure Hash

Second Pre-image

Find_Second_PreImage(h,x,Q): y := h(x) choose X0 subset of X\{x}, |X0|=Q-1 for all x0 in X0 do if h(x0)=y then return (x0) return (fail)

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 11 / 48

Data Integrity, Secure Hash

Second Pre-image

Find_Second_PreImage(h,x,Q): y := h(x) choose X0 subset of X\{x}, |X0|=Q-1 for all x0 in X0 do if h(x0)=y then return (x0) return (fail) Theorem If |X| = M average-case success of Find Second Preimage is: ǫ = 1 − (1 − 1/M)Q−1

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 11 / 48

Data Integrity, Secure Hash

Collision

Find_Collision(h,x,Q): Choose X0 subset of X\{x}, |X0|=Q-1 for all x in X0 do y[x] := h(x) if y[x]=y[x’] for some x <> x’ then return (x,x’) else return (fail)

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 12 / 48

Data Integrity, Secure Hash

Collision

Find_Collision(h,x,Q): Choose X0 subset of X\{x}, |X0|=Q-1 for all x in X0 do y[x] := h(x) if y[x]=y[x’] for some x <> x’ then return (x,x’) else return (fail) Theorem The average-case success probability of Find Collision is, supposing that |X| = M ǫ = 1 − (M − 1 M )(M − 2 M ) . . . (M − Q + 1 M )

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 12 / 48

Data Integrity, Secure Hash

Some numbers

Birthday paradox and Find Second Preimage. In a group of 23 there is probability 1/2 that two persons have the same age: Q = 23 and M = 365.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 13 / 48

Data Integrity, Secure Hash

Some numbers

Birthday paradox and Find Second Preimage. In a group of 23 there is probability 1/2 that two persons have the same age: Q = 23 and M = 365. Analysis of Find Collision. Theorem 4 gives the probability of no collisions: ΠQ−1

i=1 (1 − i

M ) when x → 0 1 − x ≃ exp−x, thus ΠQ−1

i=1 (1 − i M )

≃ ΠQ−1

i=1 exp

−i M

= exp−ΣQ−1

i=1 i M

= exp

−Q(Q−1) 2M

We can express Q in terms of ǫ (probability to find a collision) and M. Q ≃

• 2M log(

1 1 − ǫ) Thus for ǫ = 1/2 we have Q ≃ 1.17 √ M.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 13 / 48

Data Integrity, Secure Hash

Collision using Second Preimage

It is easy to find collision using the second preimage algorithm: choose random x in X if Find_Second_Preimage h(x)=x’ then return (x,x’) else return failure Hence because of the birthday paradox we have to take care of the size of the digest ! With probability 1/2 a 40-bits message digest only needs 220 random hashes.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 14 / 48

Proving Oneself’s Identity

Plan

1

Introduction

2

Data Integrity, Secure Hash

3

Proving Oneself’s Identity

4

Anonymous communications Sender Anonymity Sender and Receiver Anonymity

5

Electronic Cash

6

Conclusion

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 15 / 48

Proving Oneself’s Identity

Philosophy of Identity

Philosophical problem hard to grasp: social vs. inner identity (Plato : life is an image on the wall of a cave).

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 16 / 48

Proving Oneself’s Identity

Philosophy of Identity

Philosophical problem hard to grasp: social vs. inner identity (Plato : life is an image on the wall of a cave). More prosaically, three ways to proves identity:

Something you know: password, proof of a theorem, etc.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 16 / 48

Proving Oneself’s Identity

Philosophy of Identity

Philosophical problem hard to grasp: social vs. inner identity (Plato : life is an image on the wall of a cave). More prosaically, three ways to proves identity:

Something you know: password, proof of a theorem, etc. Something you have: key, card, cellphone (via text message), email

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 16 / 48

Proving Oneself’s Identity

Philosophy of Identity

Philosophical problem hard to grasp: social vs. inner identity (Plato : life is an image on the wall of a cave). More prosaically, three ways to proves identity:

Something you know: password, proof of a theorem, etc. Something you have: key, card, cellphone (via text message), email Something you are: biometrics.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 16 / 48

Proving Oneself’s Identity

Philosophy of Identity

Philosophical problem hard to grasp: social vs. inner identity (Plato : life is an image on the wall of a cave). More prosaically, three ways to proves identity:

Something you know: password, proof of a theorem, etc. Something you have: key, card, cellphone (via text message), email Something you are: biometrics.

Each of these three ways have advantages/drawbacks.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 16 / 48

Proving Oneself’s Identity

Challenge-Response and Randomization

To identify oneself: very common every-day life process. Something that is going to be repeated over and over. Insecure Scheme: suppose Alice and Bob shares secret k

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 17 / 48

Proving Oneself’s Identity

Challenge-Response and Randomization

To identify oneself: very common every-day life process. Something that is going to be repeated over and over. Insecure Scheme: suppose Alice and Bob shares secret k

1

Bob chooses a random challenge r, sends it to Alice.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 17 / 48

Proving Oneself’s Identity

Challenge-Response and Randomization

To identify oneself: very common every-day life process. Something that is going to be repeated over and over. Insecure Scheme: suppose Alice and Bob shares secret k

1

Bob chooses a random challenge r, sends it to Alice.

2

Alice computes y = hK(r) and sends y to Bob.

3

Bob computes y ′ = hK(r). If y = y ′ Bob accepts, otherwise rejects.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 17 / 48

Proving Oneself’s Identity

Challenge-Response and Randomization

To identify oneself: very common every-day life process. Something that is going to be repeated over and over. Insecure Scheme: suppose Alice and Bob shares secret k

1

Bob chooses a random challenge r, sends it to Alice.

2

Alice computes y = hK(r) and sends y to Bob.

3

Bob computes y ′ = hK(r). If y = y ′ Bob accepts, otherwise rejects.

Attack (parallel session) of the insecure scheme:

1

Bob chooses a random challenge r, sends it to Alice.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 17 / 48

Proving Oneself’s Identity

Challenge-Response and Randomization

To identify oneself: very common every-day life process. Something that is going to be repeated over and over. Insecure Scheme: suppose Alice and Bob shares secret k

1

Bob chooses a random challenge r, sends it to Alice.

2

Alice computes y = hK(r) and sends y to Bob.

3

Bob computes y ′ = hK(r). If y = y ′ Bob accepts, otherwise rejects.

Attack (parallel session) of the insecure scheme:

1

Bob chooses a random challenge r, sends it to Alice.

2

Oscar intercepts r and sends it to Bob

3

Bob thinking it has received an id request from Alice computes y = hK(r) and sends y back.

4

Oscar can impersonate Alice by sending back the y he received from Bob.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 17 / 48

Proving Oneself’s Identity

Naive Challenge Response Fixed

Secure version:

1

Bob chooses a random challenge r, sends it to Alice.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 18 / 48

Proving Oneself’s Identity

Naive Challenge Response Fixed

Secure version:

1

Bob chooses a random challenge r, sends it to Alice.

2

Alice computes y = hK(ID(Alice), r) and sends y to Bob.

3

Bob computes y ′ = hK(ID(Alice), r). If y = y ′ Bob accepts, otherwise rejects.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 18 / 48

Proving Oneself’s Identity

Naive Challenge Response Fixed

Secure version:

1

Bob chooses a random challenge r, sends it to Alice.

2

Alice computes y = hK(ID(Alice), r) and sends y to Bob.

3

Bob computes y ′ = hK(ID(Alice), r). If y = y ′ Bob accepts, otherwise rejects.

If Oscar tries to launch a parallel session he will do it with the wrong ID: knowing hK(ID(Bob), r) does not help to compute hk(ID(Alice), r).

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 18 / 48

Proving Oneself’s Identity

Naive Challenge Response Fixed

Secure version:

1

Bob chooses a random challenge r, sends it to Alice.

2

Alice computes y = hK(ID(Alice), r) and sends y to Bob.

3

Bob computes y ′ = hK(ID(Alice), r). If y = y ′ Bob accepts, otherwise rejects.

If Oscar tries to launch a parallel session he will do it with the wrong ID: knowing hK(ID(Bob), r) does not help to compute hk(ID(Alice), r). What about other attacks ??

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 18 / 48

Proving Oneself’s Identity

Naive Challenge Response Fixed

Secure version:

1

Bob chooses a random challenge r, sends it to Alice.

2

Alice computes y = hK(ID(Alice), r) and sends y to Bob.

3

Bob computes y ′ = hK(ID(Alice), r). If y = y ′ Bob accepts, otherwise rejects.

If Oscar tries to launch a parallel session he will do it with the wrong ID: knowing hK(ID(Bob), r) does not help to compute hk(ID(Alice), r). What about other attacks ?? = ⇒ What are the assumptions made ?

Secret Key. Random Challenges. MAC Security.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 18 / 48

Proving Oneself’s Identity

Conclusion

There are full books of MAC/identification/signature schemes/protocols. Different protocols for different usage:

One time passwords. Tickets with limited time limit. With or without central authority. etc.

It is very hard to have “convincing proofs” of their correctness.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 19 / 48

Anonymous communications

Plan

1

Introduction

2

Data Integrity, Secure Hash

3

Proving Oneself’s Identity

4

Anonymous communications Sender Anonymity Sender and Receiver Anonymity

5

Electronic Cash

6

Conclusion

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 20 / 48

Anonymous communications

Communicating without Revealing one’s Identity

Everyday life concern:

Confession at church, Anonymous disease testing, Anonymous medical consultation, Etc.

Seems paradoxical at first: it appears that one should know where to send the data and where to return the answer.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 21 / 48

Anonymous communications

Communicating without Revealing one’s Identity

Everyday life concern:

Confession at church, Anonymous disease testing, Anonymous medical consultation, Etc.

Seems paradoxical at first: it appears that one should know where to send the data and where to return the answer. Many point of views:

Sender anonymity. Receiver anonymity. External vs Internal observer.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 21 / 48

Anonymous communications Sender Anonymity

Plan

1

Introduction

2

Data Integrity, Secure Hash

3

Proving Oneself’s Identity

4

Anonymous communications Sender Anonymity Sender and Receiver Anonymity

5

Electronic Cash

6

Conclusion

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 22 / 48

Anonymous communications Sender Anonymity

Sender Anonymity

How to achieve sender’s anonymity allowing return adresses for the answer ?

Useful in anonymous referee process. Web surfing under political watch. Etc.

Seems paradoxical since the return adress should reveal the senders identity. Uses asymetric encryptions in layers for which encryption and decrytion commutes: K(K(M)) = K(K(M)) = M

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 23 / 48

Anonymous communications Sender Anonymity

Chaum’s mix nets [Chaum, 1981], the Idea

The idea is to put many envelopes around the message in order for each intermediary to know only two links of the message path.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 24 / 48

Anonymous communications Sender Anonymity

Chaum’s mix nets [Chaum, 1981], the Specifications

Let us name the public key of actor A with its name, and the private key with A. Relays are called “mixes” they receive many messages and shuffle them before sending them back. The structure of a message sent to a mix K is K(R, Knext(Rnext, M), Knext) The mix K can decypher it and sends the second part of the message (Knext(Rnext, M)) to Knext

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 25 / 48

Anonymous communications Sender Anonymity

Chaum’s mix nets [Chaum, 1981], the Specifications

Let us name the public key of actor A with its name, and the private key with A. Relays are called “mixes” they receive many messages and shuffle them before sending them back. The structure of a message sent to a mix K is K(R, Knext(Rnext, M), Knext) The mix K can decypher it and sends the second part of the message (Knext(Rnext, M)) to Knext The procedure can be repeteadly nested: Kn(Rn, Kn−1(Rn−1, . . . K2(R2, K1(R1, B(R0, M), B), K1) . . .), Kn−1)

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 25 / 48

Anonymous communications Sender Anonymity

Chaum’s mix nets [Chaum, 1981], Return Adress

The anonymous return adress can be added to the message: K1(R1, A), KA where KA is a session key, A is Alice’s adress. Bob sends: K1(R1, A), KA(R0, M) and the mix K1 decrypts the first part of the message and sends: R1(KA(R0, M)) to A using R1 as an encryption key. This construction can be nested as well: K1(R1, K2(R2, . . . Kn(Rn, A) . . .)), KA(R0, M) In the end Alice receives: Rn(Rn−1(. . . R2(R1(KA(R0, M)) . . .)))

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 26 / 48

Anonymous communications Sender Anonymity

Mix Nets in Real Life

Attacking mix nets:

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 27 / 48

Anonymous communications Sender Anonymity

Mix Nets in Real Life

Attacking mix nets:

Flooding the net with fake messages.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 27 / 48

Anonymous communications Sender Anonymity

Mix Nets in Real Life

Attacking mix nets:

Flooding the net with fake messages. Timing attacks between entry and output nodes.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 27 / 48

Anonymous communications Sender Anonymity

Mix Nets in Real Life

Attacking mix nets:

Flooding the net with fake messages. Timing attacks between entry and output nodes. Earning a lot of relays.

• etc. ref http://freehaven.net/anonbib/
• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 27 / 48

Anonymous communications Sender Anonymity

Mix Nets in Real Life

Attacking mix nets:

Flooding the net with fake messages. Timing attacks between entry and output nodes. Earning a lot of relays.

• etc. ref http://freehaven.net/anonbib/

Mix nets in practice: The Onion routing, aka Tor.

Not exactly mix nets but same ideas. NSAproof (they try other attacks). More than 2 Million Users and 6,500 relays: https://metrics.torproject.org/

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 27 / 48

Anonymous communications Sender and Receiver Anonymity

Plan

1

Introduction

2

Data Integrity, Secure Hash

3

Proving Oneself’s Identity

4

Anonymous communications Sender Anonymity Sender and Receiver Anonymity

5

Electronic Cash

6

Conclusion

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 28 / 48

Anonymous communications Sender and Receiver Anonymity

Sender and Receiver Anonymity [Golle and Juels, 2004]

Dining Cryptographers networks (DC-Networks) [Chaum, 1988] In a DC-net the anonymous message transmission may be accomplished by players in a non-interactive manner, i.e., in a single broadcast round.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 29 / 48

Anonymous communications Sender and Receiver Anonymity

Sender and Receiver Anonymity [Golle and Juels, 2004]

Dining Cryptographers networks (DC-Networks) [Chaum, 1988] In a DC-net the anonymous message transmission may be accomplished by players in a non-interactive manner, i.e., in a single broadcast round. Problem: DC-nets are easily breakable with non cooperative players (honnest but curious is the limit). The problem is to be able to publish a message without knowing who has sent the message.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 29 / 48

Anonymous communications Sender and Receiver Anonymity

Basic Protocol

A and B possesses k-bits messages mA, mB. A and B shares two keys of length k : kAB(0), kAB(1) and a random bit b.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 30 / 48

Anonymous communications Sender and Receiver Anonymity

Basic Protocol

A and B possesses k-bits messages mA, mB. A and B shares two keys of length k : kAB(0), kAB(1) and a random bit b. A and B publishes pairs of messages as follows: if b=0 then Alice: MA,0 = kAB(0) ⊕ mA, MA,1 = kAB(1) Bob: MB,0 = kAB(0), MB,1 = kAB(1) ⊕ mB if b=1 then Alice: MA,1 = kAB(0), MA,1 = kAB(1) ⊕ mA Bob: MB,0 = kAB(0) ⊕ mB, MB,1 = kAB(1) An observer can compute MA,0 ⊕ Mb,0 and MA,1 ⊕ Mb,1 yielding the unordered pair (mA, mB).

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 30 / 48

Anonymous communications Sender and Receiver Anonymity

Extension to multiple players

Suppose there are n players P1, P2, . . . , Pn. Each pair (Pi, Pj) shares a set of keys ki,j(w) for i, j, w ∈ {1, 2, . . . , n} where Ki,j(w) = kj,i(w). Each players Pi computes a vector: Wi = {Wi(1) = ⊕n

j=1ki,j(1), . . . , Wi(n) = ⊕n j=1ki,j(n)}

Notice that ⊕n

j=1Wi(w) = 0

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 31 / 48

Anonymous communications Sender and Receiver Anonymity

Extension to multiple players

Suppose there are n players P1, P2, . . . , Pn. Each pair (Pi, Pj) shares a set of keys ki,j(w) for i, j, w ∈ {1, 2, . . . , n} where Ki,j(w) = kj,i(w). Each players Pi computes a vector: Wi = {Wi(1) = ⊕n

j=1ki,j(1), . . . , Wi(n) = ⊕n j=1ki,j(n)}

Notice that ⊕n

j=1Wi(w) = 0

To broadcast a message each players Pi chosses a random position ci and XORs the message mi with Wi(ci) obtaining Vi = {Vi(1), . . . , Vi(n)} that differ in position ci. If all players select a different ci the vector V = ⊕n

j=1Vj will consists

in the set of messages posted by all players.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 31 / 48

Anonymous communications Sender and Receiver Anonymity

Extension to multiple players

Suppose there are n players P1, P2, . . . , Pn. Each pair (Pi, Pj) shares a set of keys ki,j(w) for i, j, w ∈ {1, 2, . . . , n} where Ki,j(w) = kj,i(w). Each players Pi computes a vector: Wi = {Wi(1) = ⊕n

j=1ki,j(1), . . . , Wi(n) = ⊕n j=1ki,j(n)}

Notice that ⊕n

j=1Wi(w) = 0

To broadcast a message each players Pi chosses a random position ci and XORs the message mi with Wi(ci) obtaining Vi = {Vi(1), . . . , Vi(n)} that differ in position ci. If all players select a different ci the vector V = ⊕n

j=1Vj will consists

in the set of messages posted by all players. Receiver anonymity can be achieved through public key encryption of messages.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 31 / 48

Electronic Cash

Plan

1

Introduction

2

Data Integrity, Secure Hash

3

Proving Oneself’s Identity

4

Anonymous communications Sender Anonymity Sender and Receiver Anonymity

5

Electronic Cash

6

Conclusion

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 32 / 48

Electronic Cash

Anonymous Money

Payment mechanism without audit trail (typically the opposite of BitCoin) ...

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 33 / 48

Electronic Cash

Anonymous Money

Payment mechanism without audit trail (typically the opposite of BitCoin) ... Raw issues to solve:

false money. double spending.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 33 / 48

Electronic Cash

Anonymous Money

Payment mechanism without audit trail (typically the opposite of BitCoin) ... Raw issues to solve:

false money. double spending.

Political issue as well: governments are reluctant. Complicated protocols using many cryptographic ingredients: bit commitment, secret sharing and Blind signatures.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 33 / 48

Electronic Cash

Blind Signature

Normally the signer knows what he is signing...

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 34 / 48

Electronic Cash

Blind Signature

Normally the signer knows what he is signing... In order to respect privacy it could be a good idea that it is not the case !

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 34 / 48

Electronic Cash

Blind Signature

Normally the signer knows what he is signing... In order to respect privacy it could be a good idea that it is not the case ! Completely blind signature:

1

Alice takes the message to be signed and multiply it by a random value (blinding factor).

2

Alice sends the blinded document to Bob.

3

Bob signs the blinded document.

4

Alice divides by the blinding factor.

= ⇒ The signature function and multiplication must be commutative (eg RSA).

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 34 / 48

Electronic Cash

Bit Commitment

Raw problem: commit a prediction without revealing it. The checker wants to make sure that the prediction is not changed once it has been formulated.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 35 / 48

Electronic Cash

Bit Commitment

Raw problem: commit a prediction without revealing it. The checker wants to make sure that the prediction is not changed once it has been formulated. Solution with symmetric cryptography:

1

Bob generates R, sends it to Alice

2

Alice makes her prediction (one bit) b and sends K(R, b)

3

When the time has come to make the prediction public Alice sends Bob K.

4

Bob decrypts it to reveal her bit and checks the random string.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 35 / 48

Electronic Cash

Bit Commitment

Raw problem: commit a prediction without revealing it. The checker wants to make sure that the prediction is not changed once it has been formulated. Solution with symmetric cryptography:

1

Bob generates R, sends it to Alice

2

Alice makes her prediction (one bit) b and sends K(R, b)

3

When the time has come to make the prediction public Alice sends Bob K.

4

Bob decrypts it to reveal her bit and checks the random string.

Solution with secure hash functions:

1

Alice generates R1, R2 and sends H(R1, R2, b), R1 to Bob.

2

When time has come to reveal the prediction Alice sends Bob (R1, R2, b)

3

Bob computes the Hash and compares it and R1

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 35 / 48

Electronic Cash

Secret Sharing

Cryptographic version of what is implemented in highly secured environments: banks, nuclear missile silos etc. One needs several people to agree in order to perform some action.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 36 / 48

Electronic Cash

Secret Sharing

Cryptographic version of what is implemented in highly secured environments: banks, nuclear missile silos etc. One needs several people to agree in order to perform some action. Definition Let t, w be positive integers, t ≤ w. A (t, w)-threshold scheme is a method of sharing a key K among w participants in such a way that any subset of size t can compute K but no group of a lesser size can.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 36 / 48

Electronic Cash

Secret Sharing

Cryptographic version of what is implemented in highly secured environments: banks, nuclear missile silos etc. One needs several people to agree in order to perform some action. Definition Let t, w be positive integers, t ≤ w. A (t, w)-threshold scheme is a method of sharing a key K among w participants in such a way that any subset of size t can compute K but no group of a lesser size can. The Shamir scheme is unconditionnaly secure (no limit on the amount

• f computation that can be performed by any subset of participants).

Many cryptographic applications.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 36 / 48

Electronic Cash

Secret Sharing [Shamir, 1979], definition

D is the dealer. Pi, 1 ≤ i ≤ w are the participants. K ∈ Zp is the secret to be shared (p > w).

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 37 / 48

Electronic Cash

Secret Sharing [Shamir, 1979], definition

D is the dealer. Pi, 1 ≤ i ≤ w are the participants. K ∈ Zp is the secret to be shared (p > w). Definition (Shamir (t, w)-Threshold Scheme)

1 Initialization Phase: D chooses w distinct, non-zero elements of Zp

: xi, 1 ≤ i ≤ w. For i ∈ {1, . . . , w), D gives xi to Pi. xi are public values.

2 Share Distribution: D secretely and randomly choose t − 1 elements

• f Zp : a1, . . . , at−1.

3 For 1 ≤ w ≤ w, D computes

yi = a(xi) = K +

t−1

• j=1

ajxj

i

mod p

4 For 1 ≤ i ≤ w, D gives the share yi to Pi

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 37 / 48

Electronic Cash

Secret Sharing [Shamir, 1979], geometric interpretation

The scheme relies on the Lagragian polynomial interpolation: there is

• nly one polynomial curve of degree t − 1 groing through t different

points !

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 38 / 48

Electronic Cash

Secret Sharing [Shamir, 1979], recovering the secret

Suppose Pi1, . . . , Pit want to recover the secret. They know yij = a(xij) Since a(x) ahs degree at most t − 1: a(x) = a0 + a1x + . . . + at−1

t−1

There are t linear equations in the t unknowns a0 + . . . + at−1, there is a unique solution and a0 is the key !

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 39 / 48

Electronic Cash

Secret Sharing [Shamir, 1979], recovering the secret

Suppose Pi1, . . . , Pit want to recover the secret. They know yij = a(xij) Since a(x) ahs degree at most t − 1: a(x) = a0 + a1x + . . . + at−1

t−1

There are t linear equations in the t unknowns a0 + . . . + at−1, there is a unique solution and a0 is the key ! Easier way to compute is to use the formula of Lagrangian interpolation (we just need to compute a(0)): K =

t

• j=1

 yij

• 1≤k≤t,k=j

xik xik − xij  

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 39 / 48

Electronic Cash

E-cash First Protocol (from [Chaum, 1982])

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 40 / 48

Electronic Cash

E-cash First Protocol (from [Chaum, 1982])

1 Alice prepares 100 anonymous bills for 1000 $.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 40 / 48

Electronic Cash

E-cash First Protocol (from [Chaum, 1982])

1 Alice prepares 100 anonymous bills for 1000 $. 2 Alice blinds the 100 bills and sends them to the Bank.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 40 / 48

Electronic Cash

E-cash First Protocol (from [Chaum, 1982])

1 Alice prepares 100 anonymous bills for 1000 $. 2 Alice blinds the 100 bills and sends them to the Bank. 3 The Bank opens (by asking Alice) 99 envelopes and confirms they are

all 1000 $ notes.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 40 / 48

Electronic Cash

E-cash First Protocol (from [Chaum, 1982])

1 Alice prepares 100 anonymous bills for 1000 $. 2 Alice blinds the 100 bills and sends them to the Bank. 3 The Bank opens (by asking Alice) 99 envelopes and confirms they are

all 1000 $ notes.

4 The Bank blindly signs the last envelope and sends it back to Alice.

The Bank deducts 1000$ from Alice’s account.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 40 / 48

Electronic Cash

E-cash First Protocol (from [Chaum, 1982])

1 Alice prepares 100 anonymous bills for 1000 $. 2 Alice blinds the 100 bills and sends them to the Bank. 3 The Bank opens (by asking Alice) 99 envelopes and confirms they are

all 1000 $ notes.

4 The Bank blindly signs the last envelope and sends it back to Alice.

The Bank deducts 1000$ from Alice’s account.

5 Alice opens the envelope and spends it with a Merchant.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 40 / 48

Electronic Cash

E-cash First Protocol (from [Chaum, 1982])

1 Alice prepares 100 anonymous bills for 1000 $. 2 Alice blinds the 100 bills and sends them to the Bank. 3 The Bank opens (by asking Alice) 99 envelopes and confirms they are

all 1000 $ notes.

4 The Bank blindly signs the last envelope and sends it back to Alice.

The Bank deducts 1000$ from Alice’s account.

5 Alice opens the envelope and spends it with a Merchant. 6 Merchant takes the money, checks the Bank signature is correct and

takes it to the Bank.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 40 / 48

Electronic Cash

E-cash First Protocol (from [Chaum, 1982])

1 Alice prepares 100 anonymous bills for 1000 $. 2 Alice blinds the 100 bills and sends them to the Bank. 3 The Bank opens (by asking Alice) 99 envelopes and confirms they are

all 1000 $ notes.

4 The Bank blindly signs the last envelope and sends it back to Alice.

The Bank deducts 1000$ from Alice’s account.

5 Alice opens the envelope and spends it with a Merchant. 6 Merchant takes the money, checks the Bank signature is correct and

takes it to the Bank.

7 Bank checks the signature and credits 1000 $ to the Merchant

account.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 40 / 48

Electronic Cash

E-cash Second Protocol (from [Chaum, 1982])

1 Alice prepares 100 anonymous bills for 1000 $ and adds in each bill a

random number.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 41 / 48

Electronic Cash

E-cash Second Protocol (from [Chaum, 1982])

1 Alice prepares 100 anonymous bills for 1000 $ and adds in each bill a

random number.

2 Alice blinds the 100 bills and sends them to the Bank. 3 The Bank opens (by asking Alice) 99 envelopes and confirms they are

all 1000 $ notes with genuine uniqueness random numbers.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 41 / 48

Electronic Cash

E-cash Second Protocol (from [Chaum, 1982])

1 Alice prepares 100 anonymous bills for 1000 $ and adds in each bill a

random number.

2 Alice blinds the 100 bills and sends them to the Bank. 3 The Bank opens (by asking Alice) 99 envelopes and confirms they are

all 1000 $ notes with genuine uniqueness random numbers.

4 The Bank signs the last envelope and sends back it to Alice. The

Bank deducts 1000$ from Alice’s account.

5 Alice open the envelope and spends it with a Merchant. 6 Merchant takes the money, checks the Bank signature is correct and

takes it to the Bank.

7 Bank checks the signature and checks that the random number has

never been used. It then credits 1000 $ to the Merchant account and record the random number.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 41 / 48

Electronic Cash

Anonymous E-cash [Chaum, 1982]

1 Alice prepares n anonymous bills of the form

A, X, I1, . . . , In such that A is an amount in $, X is a big random number and each Ij = (IjL, IjR) are a pair of identity bit strings splitted (along Shamir’s secret sharing) in 2. Moreover Alice commits on each part.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 42 / 48

Electronic Cash

Anonymous E-cash [Chaum, 1982]

1 Alice prepares n anonymous bills of the form

A, X, I1, . . . , In such that A is an amount in $, X is a big random number and each Ij = (IjL, IjR) are a pair of identity bit strings splitted (along Shamir’s secret sharing) in 2. Moreover Alice commits on each part.

2 Alice blinds the n bills and sends them to the Bank. 3 The Bank opens (by asking Alice) n − 1 envelopes and confirms they

are all A$ notes with genuine uniqueness random numbers and correct identity information.

4 The Bank signs the last envelope and sends back it to Alice. The

Bank deducts A$ from Alice’s account.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 42 / 48

Electronic Cash

Anonymous E-cash [Chaum, 1982]

5 Alice opens the envelope and spends it with a Merchant. 6 Merchant takes the money, checks the Bank signature. The merchant

asks Alice reveal either left half or right half of each Ij’s (it is a n bits vector).

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 43 / 48

Electronic Cash

Anonymous E-cash [Chaum, 1982]

5 Alice opens the envelope and spends it with a Merchant. 6 Merchant takes the money, checks the Bank signature. The merchant

asks Alice reveal either left half or right half of each Ij’s (it is a n bits vector).

7 Alice complies. The Merchant takes the money to the Bank. 8 Bank checks the signature and checks that the random number has

never been used. It then credits A$ to the Merchant account, records the random numberand all the identity informations.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 43 / 48

Electronic Cash

Anonymous E-cash [Chaum, 1982]

5 Alice opens the envelope and spends it with a Merchant. 6 Merchant takes the money, checks the Bank signature. The merchant

asks Alice reveal either left half or right half of each Ij’s (it is a n bits vector).

7 Alice complies. The Merchant takes the money to the Bank. 8 Bank checks the signature and checks that the random number has

never been used. It then credits A$ to the Merchant account, records the random numberand all the identity informations.

9 If the uniqueness number is in the base, the Bank can compare the

identity string on the money order with the one stored.

= ⇒ If it is the same, the Merchant cheated

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 43 / 48

Electronic Cash

Anonymous E-cash [Chaum, 1982]

5 Alice opens the envelope and spends it with a Merchant. 6 Merchant takes the money, checks the Bank signature. The merchant

asks Alice reveal either left half or right half of each Ij’s (it is a n bits vector).

7 Alice complies. The Merchant takes the money to the Bank. 8 Bank checks the signature and checks that the random number has

never been used. It then credits A$ to the Merchant account, records the random numberand all the identity informations.

9 If the uniqueness number is in the base, the Bank can compare the

identity string on the money order with the one stored.

= ⇒ If it is the same, the Merchant cheated = ⇒ If not the same, then the second Merchant certainly selected another n bits vector. The Bank thus have both left and right half of some Ii and can find out the identity of Alice.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 43 / 48

Conclusion

Plan

1

Introduction

2

Data Integrity, Secure Hash

3

Proving Oneself’s Identity

4

Anonymous communications Sender Anonymity Sender and Receiver Anonymity

5

Electronic Cash

6

Conclusion

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 44 / 48

Conclusion

Conclusion

Traditionnal cryptographic approach to privacy is very much like algorithmic: there are basic notions and general schemes, but in the end you have to be smart.

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 45 / 48

Conclusion

Conclusion

Traditionnal cryptographic approach to privacy is very much like algorithmic: there are basic notions and general schemes, but in the end you have to be smart. Proving the security of such elaborated protocols is not trivial:

1

What security ? How is the opponnent modeled ? etc.

2

What proof techniques can be used ?

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 45 / 48

Conclusion

Conclusion

Traditionnal cryptographic approach to privacy is very much like algorithmic: there are basic notions and general schemes, but in the end you have to be smart. Proving the security of such elaborated protocols is not trivial:

1

What security ? How is the opponnent modeled ? etc.

2

What proof techniques can be used ?

= ⇒ Several attacks were discovered years after the release of cryptographic schemes, the opponent can be smarter than you, e.g.:

Needham-Schroeder protocol 1978 → Denning-Sacco attack 1981. Agora 1996 → Multiple session attack 1997 ... [Panti et al., 2002]

• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 45 / 48

Conclusion

Bibliography I

Bellare, M., Pointcheval, D., and Rogaway, P. (2000). Authenticated key exchange secure against dictionary attacks. In Advances in Cryptology - EUROCRYPT 2000, International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000, Proceeding, pages 139–155. Bellare, M. and Rogaway, P. (1995). Provably secure session key distribution: the three party case. In Proceedings of the Twenty-Seventh Annual ACM Symposium on Theory of Computing, 29 May-1 June 1995, Las Vegas, Nevada, USA, pages 57–66. Chaum, D. (1981). Untraceable electronic mail, return addresses, and digital pseudonyms.

• Commun. ACM, 24(2):84–88.
• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 46 / 48

Conclusion

Bibliography II

Chaum, D. (1982). Blind signatures for untraceable payments. In Chaum, D., Rivest, R. L., and Sherman, A. T., editors, Advances in Cryptology: Proceedings of CRYPTO ’82, Santa Barbara, California, USA, August 23-25, 1982., pages 199–203. Chaum, D. (1988). The dining cryptographers problem: Unconditional sender and recipient untraceability.

• J. Cryptology, 1(1):65–75.

Feige, U., Fiat, A., and Shamir, A. (1988). Zero-knowledge proofs of identity.

• J. Cryptology, 1(2):77–94.
• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 47 / 48

Conclusion

Bibliography III

Golle, P. and Juels, A. (2004). Dining cryptographers revisited. In Advances in Cryptology - EUROCRYPT 2004, International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 2-6, 2004, Proceedings, pages 456–473. Panti, M., Spalazzi, L., and Tacconi, S. (2002). Attacks on cryptographic protocols: A survey. Technical report, Instituto di Infomartica, Universtity of Ancona. Shamir, A. (1979). How to share a secret.

• Commun. ACM, 22(11):612–613.
• F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic July 2015 48 / 48