anonymous credentials
DESCRIPTION
Anonymous Credentials. Gergely Alpár Collis – November 24, 2011. Crypt assumptions. Crypt assumptions. My assumptions. Modular computation: addition, multiplication Public-key cryptography (PKI) Cryptographic hash function Concatenation. Overview. Zero-knowledge proof of knowledge - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/1.jpg)
Anonymous Credentials
Gergely AlpárCollis – November 24, 2011
![Page 2: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/2.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 2
Crypt assumptions
![Page 3: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/3.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 3
Crypt assumptions
![Page 4: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/4.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 4
My assumptions
• Modular computation: addition, multiplication• Public-key cryptography• (PKI)• Cryptographic hash function• Concatenation
![Page 5: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/5.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 5
Overview
• Zero-knowledge proof of knowledge• Credentials• Discrete logarithm preliminaries• U-Prove• RSA preliminaries• Idemix• Comparison
![Page 6: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/6.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 6
Zero-knowledge proofs
![Page 7: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/7.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 7
Current practice
I know the password!I know the password! I don’t believe you.I don’t believe you.
It’s wachtw0ord201
1
It’s wachtw0ord201
1Yes, indeed.Yes, indeed.
![Page 8: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/8.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 8
Zero-knowledge proof
I know the secret!I know the secret! I don’t believe you.I don’t believe you.I can prove it.I can prove it. I'll believe it when I see it.
I'll believe it when I see it.
No, I don’t show it, but I’ll convince you
that I know it.
No, I don’t show it, but I’ll convince you
that I know it.
A hard problem
![Page 9: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/9.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 9
Waldo and ZK
![Page 10: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/10.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 10
Where’s Waldo?
Source: findwaldo.com // The Gobbling GluttonsIdea: Moni Naor et al. How to Convince Your Children You are not Cheating, 1999
![Page 11: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/11.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 11
![Page 12: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/12.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 12
![Page 13: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/13.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 13
![Page 14: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/14.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 14
![Page 15: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/15.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 15
ZK – Ali baba’s cave
![Page 16: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/16.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 16
Credentials
![Page 17: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/17.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 17
Credential flow
![Page 18: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/18.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 18
Anonymity requirements
• Untraceability• Multi-show unlinkability • Selective disclosure • Attribute property proof • Revocation by user • Revocation by issuer
Age > 18Valid
![Page 19: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/19.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 19
High-level approaches
• Every time: issuing before showing (U-Prove, 1999)– Untraceability
• Showing with zero-knowledge proof (Idemix, 2001)– Untraceability and unlinkability
• Randomize (self-blindable, 2001)– Unlinkability and untraceability
![Page 20: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/20.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 20
History of anonymous credentials
1970 1980 1990 2000 2010
1976: Public-key crypto (Diffie & Hellman)
1978: RSA
1981: Digital pseudonym (Chaum)
1985: Zero-knowledge proof
(GMR)
1986: Non-interactive ZK (Fiat & Shamir)
1990-91: Schnorr identification and
signature
1999: U-Prove crypto (Brands)
2001: Idemix crypto (Camenisch & Lysyanskaya)
2002: Idemix JAVA implementation
2009: Light-weight Idemix impl. (IBM)
2010: Microsoft’s U-Prove impl.
2010-14: ABC4Trust (IBM & MS)
![Page 21: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/21.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 21
Discrete logarithm – preliminaries
![Page 22: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/22.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 22
Modular computation
mod nax
mod nlogax
= 14 mod 4773 = 343 = 7.47 + 14
log7 14 = 3 mod 47
![Page 23: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/23.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 23
101
102 103
104
10x mod 53
x
Modular exponentiation
1013
![Page 24: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/24.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 24
log10 24 = ? mod 53log10 24 = ? mod 5310x mod 53
x
Discrete logarithm (p = 53, q = 13)
![Page 25: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/25.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 25
Discrete logarithm (p = 389, q =97)13x mod 389
x
log13 193 = ? mod 389log13 193 = ? mod 389
![Page 26: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/26.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 26
p ~ 21024, q ~ 2160
120647512938908028867388901435622501660544582652084763778469179795603511596928068284302347645679661284502756586088182980185380205485840303823342758131447025760358124071773512320456087558761236652680084522358687865972828438154299478474984622198115039866220934797393671281602442459774704328099491586290681366721842531452715241719233458597619542522728958116591 = 54908600274008470198448664033645016278929009692729460183531661597245923990838629299281250570649704467074998536491481089013147840556922261199819117470352438726889035130940581816459311611337430791063760559062579953505419658290163926050903654308761279654642666891806788178269114799030238674475936287917164274641 (mod 147540829457233765072451123330814771849279870508740658191364766390571127595133276091294946062334381927384270351919254939797952329145575009188956176344993292905052474988906261438800251337646245695529118629813762877963253295780055957721171296243452181910303437299543284160580397044072404446659484077705433238843)
gb = h (mod p) where the order of g is q
![Page 27: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/27.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 27
Efficiently computable• Random numbers– 4, 1, 4, 2, 1, 3, 5, 6, 2, 3, 7, 3, 0, 9, 5, 0, 4, 8, 8, 0, 1, 6, 8,
8, 7, 2, 4, 2, 0, 9, 6, 9, 8, 0, 7, 8, 5, 6, 9
• Modular addition and multiplication– a . b + c (mod n)
• Modular exponentiation– 326 = 3(11010) = 32 .38 .316 = 3 (mod 11)
• 32 = 9 mod 11• 38 = (((9)2)2 mod 11 = 5 mod 11• 316 = 52 mod 11 = 3 mod 11
![Page 28: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/28.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 28
ZK as a basic building blockZero-knowledge (ZK) proof of knowledgeZero-knowledge (ZK) proof of knowledge Schnorr identificationSchnorr identification
Schnorr signatureSchnorr signature
U-Prove issuanceU-Prove issuance
Blind signatureBlind signature
U-Prove showingU-Prove showing
![Page 29: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/29.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 29
U-Prove
![Page 30: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/30.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 30
Crypt assumptionsDiscrete logarithm assumptionDiscrete logarithm assumption
![Page 31: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/31.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 31
Schnorr identification
• Complete (P: “If I know, I can convince you.”)• Sound (V: “If you don’t know, you cannot convince me.”)• Zero-knowledge
![Page 32: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/32.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 32
From outside
![Page 33: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/33.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 33
Simulation Zero-knowledgeness
Real communication Simulated communication
![Page 34: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/34.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 34
Schnorr identification
![Page 35: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/35.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 35
Schnorr identification
![Page 36: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/36.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 36
Non-interactive Schnorr (Fiat—Shamir)
![Page 37: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/37.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 37
Schnorr signature (freshness)
![Page 38: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/38.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 38
Schnorr signature
![Page 39: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/39.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 39
Schnorr blind signature
![Page 40: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/40.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 40
Schnorr blind signature
![Page 41: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/41.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 41
Credential flow
Issuing
Showing
![Page 42: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/42.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 42
DL representation
![Page 43: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/43.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 43
Brands’ issuing protocol (U-Prove)
![Page 44: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/44.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 44
Brands’ showing protocol (U-Prove)
![Page 45: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/45.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 45
• Certain attributes are revealed• Others are proven in the token but remaining
hidden
R
Selective disclosure (U-Prove)
![Page 46: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/46.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 46
Selective disclosure (U-Prove)
![Page 47: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/47.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 47
RSA – preliminaries
![Page 48: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/48.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 48
Crypt assumptionsInteger factorization is hardInteger factorization is hard
![Page 49: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/49.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 49
RSA signature – recap
![Page 50: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/50.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 50
Strong RSA assumption
Integer factorization
Integer factorization
n p, q
RSA problemRSA problemc, e m
Strong RSA problemStrong RSA problemc m, e
c = me (mod n)
![Page 51: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/51.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 51
Idemix – selective disclosure
![Page 52: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/52.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 52
Camenisch—Lysyanskaya signature
![Page 53: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/53.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 53
Idemix issuing protocol (CL)*
* without intervalsPlus: freshness with nonces! SPKs
![Page 54: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/54.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 54
Randomized CL-signature
![Page 55: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/55.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 55
Idemix showing protocol*
* without intervalsPlus: freshness with a nonce! SPK
![Page 56: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/56.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 56
CL showing: selective disclosure*
* without intervalsPlus: freshness with a nonce! SPK
![Page 57: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/57.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 57
U-Prove vs. Idemix
![Page 58: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/58.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 58
Comparison of functionalities
![Page 59: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/59.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 59
Performance (client)
![Page 60: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/60.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 60
U-Prove selective disclosure
W. Mostowski, P. Vullers: Efficient U-Prove Implementation for Anonymous Credentials on Smart Cards
![Page 61: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/61.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 61
Future of anonymous credentials…
• ABC4Trust• NSTIC (discussion by Francisco Corella)• W3C Identity in the browser
![Page 62: Anonymous Credentials](https://reader036.vdocuments.site/reader036/viewer/2022062315/568159a5550346895dc702b5/html5/thumbnails/62.jpg)
November 24, 2011. (Collis) G. Alpár: Anonymous credentials 62
Questions?
Gergely [email protected]
www.cs.ru.nl/~gergely