ibm brand template … · © 2016 ibm corporation cryptographic e-cash jan camenisch ibm research...
TRANSCRIPT
copy 2016 IBM Corporation
Cryptographic e-Cash
Jan Camenisch
IBM Research ndash ZurichJanCamenischibmbizjancamenisch
IACR Summerschool ndash Blockchain Technologies
copy 2016 IBM Corporation2 June 1 2016
eCash scenario amp requirements
User
Bank
Merchant
Deposit
Withdrawal
Spend
Requirements Anonymity Withdrawal and Deposit must be unlinkable No Double Spending Coin is bit-strings can be spend twice
copy 2016 IBM Corporation3 June 1 2016
Towards a Solution do it like paper money
User
Bank
Merchant
Deposit
Withdrawal
Spend
Sign notes with digital signature scheme ndash Note = (serial number value)ndash Secure because
bull signature scheme can not be forgedbull bank will accepts some serial number only once on-line e-cashrarr
ndash Not anonymous because (cf paper solution)bull bit-string of signature is uniquebull serial number is unique
100
100 100
copy 2016 IBM Corporation4 June 1 2016
Towards a Solution
User
Bank
Merchant
Deposit
Withdrawal
Spend
Use (more) cryptographyndash Hide serial number from bank when issuing
bull eg sign commitment of serial numberndash Reveal serial number and proof
bull knowledge of signature on bull commitment to serial number
ndash Anonymous because of commitments scheme and zero-knowledge proof
100
100100
100 100
copy 2016 IBM Corporation5 June 1 2016
How to implement this
EncryptionSchemes
SignatureSchemes
CommitmentSchemes
Zero-Knowledge Proofs
challenge is to do all this efficiently
copy 2016 IBM Corporation6 June 1 2016
mathematical setting
copy 2016 IBM Corporation June 1 2016
Abelian Groups
A set G with operation is called a group ifndash closure
for all ab in G a rarr b in Gndash commutativity
for all ab in G a rarr b = b a ndash associativity
for all abc in G (a rarr b) c = a (b c)ndash identity
there exist some e in G st for all a a e = a ndash invertibility
for all a in G there exist a-1 in G a a-1 = e
Exampleintegers under addition (Z+)=-2-1012 or (Zn+) = 012n-1identity e = 0 inverse a-1 = - a
copy 2016 IBM Corporation June 1 2016
Cyclic Groups
exponentiation = repeated application of ∙ eg a3 = a ∙ a ∙ a
a group is cyclic if every element is power of some fixed elementndash ie for each a in G there is unique i such that gi = andash g = generator of the groupndash define g0= 1 = identity element
G = ltggt = 1=g0 g1 g2 gq-1ndash q = |G|= order of group
if q is a prime number then G is cyclic rarr computation in exponents can be done modulo q
gi= gi mod q
computing with exponents
gi+j = gi ∙ gj gi-j = gi gj = gi ∙ (gj )-1
gij = (gi)j g-i = (g-1)i = (gi)-1
copy 2016 IBM Corporation June 1 2016
The Discrete Logarithm Problem
given g and x it is easy to compute gx g1x
given gx and gy it is easy to compute gx gy = gx+y
Discrete Log Assumption
given gx it is hard to compute x
Diffie-Hellman Assumption
given gx and gy it is hard to compute gxy
Decisional Diffie-Hellman Assumption
given gx gy and gz it is hard to decide if gz = gxy
copy 2016 IBM Corporation10 June 1 2016
commitment scheme
copy 2016 IBM Corporation June 1 2016
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2016 IBM Corporation June 1 2016
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hidingLet c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation2 June 1 2016
eCash scenario amp requirements
User
Bank
Merchant
Deposit
Withdrawal
Spend
Requirements Anonymity Withdrawal and Deposit must be unlinkable No Double Spending Coin is bit-strings can be spend twice
copy 2016 IBM Corporation3 June 1 2016
Towards a Solution do it like paper money
User
Bank
Merchant
Deposit
Withdrawal
Spend
Sign notes with digital signature scheme ndash Note = (serial number value)ndash Secure because
bull signature scheme can not be forgedbull bank will accepts some serial number only once on-line e-cashrarr
ndash Not anonymous because (cf paper solution)bull bit-string of signature is uniquebull serial number is unique
100
100 100
copy 2016 IBM Corporation4 June 1 2016
Towards a Solution
User
Bank
Merchant
Deposit
Withdrawal
Spend
Use (more) cryptographyndash Hide serial number from bank when issuing
bull eg sign commitment of serial numberndash Reveal serial number and proof
bull knowledge of signature on bull commitment to serial number
ndash Anonymous because of commitments scheme and zero-knowledge proof
100
100100
100 100
copy 2016 IBM Corporation5 June 1 2016
How to implement this
EncryptionSchemes
SignatureSchemes
CommitmentSchemes
Zero-Knowledge Proofs
challenge is to do all this efficiently
copy 2016 IBM Corporation6 June 1 2016
mathematical setting
copy 2016 IBM Corporation June 1 2016
Abelian Groups
A set G with operation is called a group ifndash closure
for all ab in G a rarr b in Gndash commutativity
for all ab in G a rarr b = b a ndash associativity
for all abc in G (a rarr b) c = a (b c)ndash identity
there exist some e in G st for all a a e = a ndash invertibility
for all a in G there exist a-1 in G a a-1 = e
Exampleintegers under addition (Z+)=-2-1012 or (Zn+) = 012n-1identity e = 0 inverse a-1 = - a
copy 2016 IBM Corporation June 1 2016
Cyclic Groups
exponentiation = repeated application of ∙ eg a3 = a ∙ a ∙ a
a group is cyclic if every element is power of some fixed elementndash ie for each a in G there is unique i such that gi = andash g = generator of the groupndash define g0= 1 = identity element
G = ltggt = 1=g0 g1 g2 gq-1ndash q = |G|= order of group
if q is a prime number then G is cyclic rarr computation in exponents can be done modulo q
gi= gi mod q
computing with exponents
gi+j = gi ∙ gj gi-j = gi gj = gi ∙ (gj )-1
gij = (gi)j g-i = (g-1)i = (gi)-1
copy 2016 IBM Corporation June 1 2016
The Discrete Logarithm Problem
given g and x it is easy to compute gx g1x
given gx and gy it is easy to compute gx gy = gx+y
Discrete Log Assumption
given gx it is hard to compute x
Diffie-Hellman Assumption
given gx and gy it is hard to compute gxy
Decisional Diffie-Hellman Assumption
given gx gy and gz it is hard to decide if gz = gxy
copy 2016 IBM Corporation10 June 1 2016
commitment scheme
copy 2016 IBM Corporation June 1 2016
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2016 IBM Corporation June 1 2016
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hidingLet c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation3 June 1 2016
Towards a Solution do it like paper money
User
Bank
Merchant
Deposit
Withdrawal
Spend
Sign notes with digital signature scheme ndash Note = (serial number value)ndash Secure because
bull signature scheme can not be forgedbull bank will accepts some serial number only once on-line e-cashrarr
ndash Not anonymous because (cf paper solution)bull bit-string of signature is uniquebull serial number is unique
100
100 100
copy 2016 IBM Corporation4 June 1 2016
Towards a Solution
User
Bank
Merchant
Deposit
Withdrawal
Spend
Use (more) cryptographyndash Hide serial number from bank when issuing
bull eg sign commitment of serial numberndash Reveal serial number and proof
bull knowledge of signature on bull commitment to serial number
ndash Anonymous because of commitments scheme and zero-knowledge proof
100
100100
100 100
copy 2016 IBM Corporation5 June 1 2016
How to implement this
EncryptionSchemes
SignatureSchemes
CommitmentSchemes
Zero-Knowledge Proofs
challenge is to do all this efficiently
copy 2016 IBM Corporation6 June 1 2016
mathematical setting
copy 2016 IBM Corporation June 1 2016
Abelian Groups
A set G with operation is called a group ifndash closure
for all ab in G a rarr b in Gndash commutativity
for all ab in G a rarr b = b a ndash associativity
for all abc in G (a rarr b) c = a (b c)ndash identity
there exist some e in G st for all a a e = a ndash invertibility
for all a in G there exist a-1 in G a a-1 = e
Exampleintegers under addition (Z+)=-2-1012 or (Zn+) = 012n-1identity e = 0 inverse a-1 = - a
copy 2016 IBM Corporation June 1 2016
Cyclic Groups
exponentiation = repeated application of ∙ eg a3 = a ∙ a ∙ a
a group is cyclic if every element is power of some fixed elementndash ie for each a in G there is unique i such that gi = andash g = generator of the groupndash define g0= 1 = identity element
G = ltggt = 1=g0 g1 g2 gq-1ndash q = |G|= order of group
if q is a prime number then G is cyclic rarr computation in exponents can be done modulo q
gi= gi mod q
computing with exponents
gi+j = gi ∙ gj gi-j = gi gj = gi ∙ (gj )-1
gij = (gi)j g-i = (g-1)i = (gi)-1
copy 2016 IBM Corporation June 1 2016
The Discrete Logarithm Problem
given g and x it is easy to compute gx g1x
given gx and gy it is easy to compute gx gy = gx+y
Discrete Log Assumption
given gx it is hard to compute x
Diffie-Hellman Assumption
given gx and gy it is hard to compute gxy
Decisional Diffie-Hellman Assumption
given gx gy and gz it is hard to decide if gz = gxy
copy 2016 IBM Corporation10 June 1 2016
commitment scheme
copy 2016 IBM Corporation June 1 2016
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2016 IBM Corporation June 1 2016
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hidingLet c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation4 June 1 2016
Towards a Solution
User
Bank
Merchant
Deposit
Withdrawal
Spend
Use (more) cryptographyndash Hide serial number from bank when issuing
bull eg sign commitment of serial numberndash Reveal serial number and proof
bull knowledge of signature on bull commitment to serial number
ndash Anonymous because of commitments scheme and zero-knowledge proof
100
100100
100 100
copy 2016 IBM Corporation5 June 1 2016
How to implement this
EncryptionSchemes
SignatureSchemes
CommitmentSchemes
Zero-Knowledge Proofs
challenge is to do all this efficiently
copy 2016 IBM Corporation6 June 1 2016
mathematical setting
copy 2016 IBM Corporation June 1 2016
Abelian Groups
A set G with operation is called a group ifndash closure
for all ab in G a rarr b in Gndash commutativity
for all ab in G a rarr b = b a ndash associativity
for all abc in G (a rarr b) c = a (b c)ndash identity
there exist some e in G st for all a a e = a ndash invertibility
for all a in G there exist a-1 in G a a-1 = e
Exampleintegers under addition (Z+)=-2-1012 or (Zn+) = 012n-1identity e = 0 inverse a-1 = - a
copy 2016 IBM Corporation June 1 2016
Cyclic Groups
exponentiation = repeated application of ∙ eg a3 = a ∙ a ∙ a
a group is cyclic if every element is power of some fixed elementndash ie for each a in G there is unique i such that gi = andash g = generator of the groupndash define g0= 1 = identity element
G = ltggt = 1=g0 g1 g2 gq-1ndash q = |G|= order of group
if q is a prime number then G is cyclic rarr computation in exponents can be done modulo q
gi= gi mod q
computing with exponents
gi+j = gi ∙ gj gi-j = gi gj = gi ∙ (gj )-1
gij = (gi)j g-i = (g-1)i = (gi)-1
copy 2016 IBM Corporation June 1 2016
The Discrete Logarithm Problem
given g and x it is easy to compute gx g1x
given gx and gy it is easy to compute gx gy = gx+y
Discrete Log Assumption
given gx it is hard to compute x
Diffie-Hellman Assumption
given gx and gy it is hard to compute gxy
Decisional Diffie-Hellman Assumption
given gx gy and gz it is hard to decide if gz = gxy
copy 2016 IBM Corporation10 June 1 2016
commitment scheme
copy 2016 IBM Corporation June 1 2016
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2016 IBM Corporation June 1 2016
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hidingLet c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation5 June 1 2016
How to implement this
EncryptionSchemes
SignatureSchemes
CommitmentSchemes
Zero-Knowledge Proofs
challenge is to do all this efficiently
copy 2016 IBM Corporation6 June 1 2016
mathematical setting
copy 2016 IBM Corporation June 1 2016
Abelian Groups
A set G with operation is called a group ifndash closure
for all ab in G a rarr b in Gndash commutativity
for all ab in G a rarr b = b a ndash associativity
for all abc in G (a rarr b) c = a (b c)ndash identity
there exist some e in G st for all a a e = a ndash invertibility
for all a in G there exist a-1 in G a a-1 = e
Exampleintegers under addition (Z+)=-2-1012 or (Zn+) = 012n-1identity e = 0 inverse a-1 = - a
copy 2016 IBM Corporation June 1 2016
Cyclic Groups
exponentiation = repeated application of ∙ eg a3 = a ∙ a ∙ a
a group is cyclic if every element is power of some fixed elementndash ie for each a in G there is unique i such that gi = andash g = generator of the groupndash define g0= 1 = identity element
G = ltggt = 1=g0 g1 g2 gq-1ndash q = |G|= order of group
if q is a prime number then G is cyclic rarr computation in exponents can be done modulo q
gi= gi mod q
computing with exponents
gi+j = gi ∙ gj gi-j = gi gj = gi ∙ (gj )-1
gij = (gi)j g-i = (g-1)i = (gi)-1
copy 2016 IBM Corporation June 1 2016
The Discrete Logarithm Problem
given g and x it is easy to compute gx g1x
given gx and gy it is easy to compute gx gy = gx+y
Discrete Log Assumption
given gx it is hard to compute x
Diffie-Hellman Assumption
given gx and gy it is hard to compute gxy
Decisional Diffie-Hellman Assumption
given gx gy and gz it is hard to decide if gz = gxy
copy 2016 IBM Corporation10 June 1 2016
commitment scheme
copy 2016 IBM Corporation June 1 2016
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2016 IBM Corporation June 1 2016
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hidingLet c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation6 June 1 2016
mathematical setting
copy 2016 IBM Corporation June 1 2016
Abelian Groups
A set G with operation is called a group ifndash closure
for all ab in G a rarr b in Gndash commutativity
for all ab in G a rarr b = b a ndash associativity
for all abc in G (a rarr b) c = a (b c)ndash identity
there exist some e in G st for all a a e = a ndash invertibility
for all a in G there exist a-1 in G a a-1 = e
Exampleintegers under addition (Z+)=-2-1012 or (Zn+) = 012n-1identity e = 0 inverse a-1 = - a
copy 2016 IBM Corporation June 1 2016
Cyclic Groups
exponentiation = repeated application of ∙ eg a3 = a ∙ a ∙ a
a group is cyclic if every element is power of some fixed elementndash ie for each a in G there is unique i such that gi = andash g = generator of the groupndash define g0= 1 = identity element
G = ltggt = 1=g0 g1 g2 gq-1ndash q = |G|= order of group
if q is a prime number then G is cyclic rarr computation in exponents can be done modulo q
gi= gi mod q
computing with exponents
gi+j = gi ∙ gj gi-j = gi gj = gi ∙ (gj )-1
gij = (gi)j g-i = (g-1)i = (gi)-1
copy 2016 IBM Corporation June 1 2016
The Discrete Logarithm Problem
given g and x it is easy to compute gx g1x
given gx and gy it is easy to compute gx gy = gx+y
Discrete Log Assumption
given gx it is hard to compute x
Diffie-Hellman Assumption
given gx and gy it is hard to compute gxy
Decisional Diffie-Hellman Assumption
given gx gy and gz it is hard to decide if gz = gxy
copy 2016 IBM Corporation10 June 1 2016
commitment scheme
copy 2016 IBM Corporation June 1 2016
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2016 IBM Corporation June 1 2016
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hidingLet c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Abelian Groups
A set G with operation is called a group ifndash closure
for all ab in G a rarr b in Gndash commutativity
for all ab in G a rarr b = b a ndash associativity
for all abc in G (a rarr b) c = a (b c)ndash identity
there exist some e in G st for all a a e = a ndash invertibility
for all a in G there exist a-1 in G a a-1 = e
Exampleintegers under addition (Z+)=-2-1012 or (Zn+) = 012n-1identity e = 0 inverse a-1 = - a
copy 2016 IBM Corporation June 1 2016
Cyclic Groups
exponentiation = repeated application of ∙ eg a3 = a ∙ a ∙ a
a group is cyclic if every element is power of some fixed elementndash ie for each a in G there is unique i such that gi = andash g = generator of the groupndash define g0= 1 = identity element
G = ltggt = 1=g0 g1 g2 gq-1ndash q = |G|= order of group
if q is a prime number then G is cyclic rarr computation in exponents can be done modulo q
gi= gi mod q
computing with exponents
gi+j = gi ∙ gj gi-j = gi gj = gi ∙ (gj )-1
gij = (gi)j g-i = (g-1)i = (gi)-1
copy 2016 IBM Corporation June 1 2016
The Discrete Logarithm Problem
given g and x it is easy to compute gx g1x
given gx and gy it is easy to compute gx gy = gx+y
Discrete Log Assumption
given gx it is hard to compute x
Diffie-Hellman Assumption
given gx and gy it is hard to compute gxy
Decisional Diffie-Hellman Assumption
given gx gy and gz it is hard to decide if gz = gxy
copy 2016 IBM Corporation10 June 1 2016
commitment scheme
copy 2016 IBM Corporation June 1 2016
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2016 IBM Corporation June 1 2016
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hidingLet c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Cyclic Groups
exponentiation = repeated application of ∙ eg a3 = a ∙ a ∙ a
a group is cyclic if every element is power of some fixed elementndash ie for each a in G there is unique i such that gi = andash g = generator of the groupndash define g0= 1 = identity element
G = ltggt = 1=g0 g1 g2 gq-1ndash q = |G|= order of group
if q is a prime number then G is cyclic rarr computation in exponents can be done modulo q
gi= gi mod q
computing with exponents
gi+j = gi ∙ gj gi-j = gi gj = gi ∙ (gj )-1
gij = (gi)j g-i = (g-1)i = (gi)-1
copy 2016 IBM Corporation June 1 2016
The Discrete Logarithm Problem
given g and x it is easy to compute gx g1x
given gx and gy it is easy to compute gx gy = gx+y
Discrete Log Assumption
given gx it is hard to compute x
Diffie-Hellman Assumption
given gx and gy it is hard to compute gxy
Decisional Diffie-Hellman Assumption
given gx gy and gz it is hard to decide if gz = gxy
copy 2016 IBM Corporation10 June 1 2016
commitment scheme
copy 2016 IBM Corporation June 1 2016
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2016 IBM Corporation June 1 2016
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hidingLet c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
The Discrete Logarithm Problem
given g and x it is easy to compute gx g1x
given gx and gy it is easy to compute gx gy = gx+y
Discrete Log Assumption
given gx it is hard to compute x
Diffie-Hellman Assumption
given gx and gy it is hard to compute gxy
Decisional Diffie-Hellman Assumption
given gx gy and gz it is hard to decide if gz = gxy
copy 2016 IBM Corporation10 June 1 2016
commitment scheme
copy 2016 IBM Corporation June 1 2016
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2016 IBM Corporation June 1 2016
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hidingLet c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation10 June 1 2016
commitment scheme
copy 2016 IBM Corporation June 1 2016
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2016 IBM Corporation June 1 2016
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hidingLet c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
m
m 2-36-17 m є
mmm
mmm
Commitment Scheme Functionality
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2016 IBM Corporation June 1 2016
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hidingLet c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2016 IBM Corporation June 1 2016
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hidingLet c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
m 2-36-17
m 3-21-11m є
mmm
m є
mmm
Binding
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2016 IBM Corporation June 1 2016
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hidingLet c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2016 IBM Corporation June 1 2016
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hidingLet c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Hiding for all message m m
mm
mmm
mmm
mmm
mmm
m
m
Commitment Scheme Security
copy 2016 IBM Corporation June 1 2016
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2016 IBM Corporation June 1 2016
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hidingLet c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Commitment Schemes
Group G = ltggt = lthgt of order q
To commit to element x Є Zq
bull Pedersen perfectly hiding computationally binding choose r Є Zq and compute c = gxhr
bull ElGamal computationally hiding perfectly bindingchoose r Є Zq and compute c = (gxhr gr)
To open commitmentbull reveal x and r to verifierbull verifier checks if c = gxhr
copy 2016 IBM Corporation June 1 2016
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hidingLet c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Pedersens Scheme
Choose r Є Zq and compute c = gxhr
Perfectly hidingLet c be a commitment and u= logg h
Thus c = gxhr = gx+ur = g(x+ur)+u(r-r)
= gx+urhr-r for any r
Ie given c and x here exist r such that c = gxhr
Computationally bindingLet c (x r) and (x r) st c = gxhr = gxhr
Then gx-x = hr-r and u = logg h = (x-x)(r-r) mod q
Pedersens Commitment Scheme
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Proof of Knowledge of Contents
Proof of Relations among Contents
Commitment Scheme Extended Features
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Proof m
true
m
Proof m = 2 bullm
m m
true
m m
Commitment Scheme Extended Features
Let C1 = gmhr and C = gmhr then
PK(αβ) C = gβhα
PK(αβγ) C = gβhα ⋀ C = (g2)βhγ
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation20 June 1 2016
zero-knowledge proofs
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation21 June 1 2016
Zero-Knowledge Proofs
interactive proof between a prover and a verifier about the provers knowledge
properties zero-knowledge
verifier learns nothing about the provers secret proof of knowledge (soundness)
prover can convince verifier only if she knows the secret completeness
if prover knows the secret she can always convince the verifier
Commitment
ChallengeResponse
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation22 June 1 2016
Given group ltggt and element y Є ltggt
Prover wants to convince verifier that she knows x st y = gx
such that verifier only learns y and g
t = gs yc
Prover
random r t = gr
Verifier
random c
s = r - cx
t
s
c
notation PK(α) y = gα
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Proof of Knowledge PropertyIf prover is successful with non-negl probability then she ldquoknowsrdquo x = log g y
ie ones can extract x from her
Assume c isin 01k and consider execution tree
c = 0 c = 2k-1 x x x x
If success probability for any prover (including malicious ones)
is gt2-k
then there are two accepting tuples (tc1s1) and (tc2s2) for the same t
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Prover might do protocol computation in any way it wants amp we cannot analyse codeThought experiment Assume we have prover as a black box we can reset and rerun proverrarr
Need to show how secret can be extracted via protocol interface
t
sc
t
sc
t = gs yc = gs yc rarr yc-c = gs-s
rarr y = g(s-s)(c-c)
rarr x = (s-s)(c-c) mod q
x x
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
Zero-knowledge propertyIf verifier does not learn anything (except the fact that Alice knows x = log g y )
Idea One can simulate whatever Bob ldquoseesrdquo
t
sc
Choose random c s compute t = gs yc
if c = c send s = s otherwise restart
Problem if domain of c too large success probability becomes too small
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation26 June 1 2016
One way to modify protocol to get large domain c
t = gs yc
Prover
random r t = gr
Verifier
random cv h = H(cv)
h = H(cv) s = r - cx
t
s
h
cv
notation PK(α) y = gα
Zero Knowledge Proofs Security
y gx
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Zero Knowledge Proofs Security
One way to modify protocol to get large domain c
t
h
Choose random c s compute t = gs yc
after having received c ldquorebootrdquo verifier
Choose random scompute t = gs yc
send s
s
t
h
cv
cv
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation28 June 1 2016
From Protocols To Signatures
Signing a message m- chose random r Є Zq and - compute c = H(gr||m) = H(t||m)
s = r - cx mod (q) - output (cs)
Verifying a signature (cs) on a message m- check c = H(gs yc||m) harr t = gs yc
Security- underlying protocol is zero-knowledge proof of knowledge- hash function H() behaves as a ldquorandom oraclerdquo
Signature SPK(α) y = gα (m)
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation29 June 1 2016
Zero Knowledge Proofs of Knowledge of Discrete Logarithms
Logical combinations
PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ
Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)
Many Exponents
PK(αβγδ) y = gα hβzγkδuβ
Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]
PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation30 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β1α2β2 α3 β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3and C3 = gα1gα2hβ3
mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3
α3 = a1 + a2 (mod q)
And what aboutPK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 C3and = gα1 (g5)α2hβ3
rarr C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3
α3 = a1 + 5 a2 (mod q)
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation31 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β3) C1= gα1hβ1 and C2= gα2hβ2 and C3 =gα3hβ3 and C3 = C2α1hβ3 mean
rarr Prover knows values α1 β1 α2 β2 β3 such that
C1= gα1hβ1 C2= gα2hβ2 and
C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2middotα1hβ3+β2middotα1
C3 = gα2middotα1 hβ3+β2middotα1 = gα3 hβ3
a3 = a1 middot a2 (mod q)
And what aboutPK(α1β1 β2) C1= gα1hβ1 and C2= gα2hβ2 and C2 = C1α1hβ2
rarr a2 = a12 (mod q)
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation32 June 1 2016
Some Example Proofs and Their Analysis
Let g h C1 C2 C3 be group elements
Now what does PK(α1β2) C1= gα1hβ1 and C2= gα2hβ2 and g = (C2C1)α1hβ2 mean
rarr Prover knows values α β1 β2 such that
C1= gα1hβ1
g = (C2C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2
rarr g1α1 = C2 g-α1h-β1 hβ2α1
C2 = gα1 hβ1 h-β2α1 g1α1 = gα1 + 1α1 hβ1-β2α1
C2 = gα2 hβ2
α2 = α1 + a1-1 (mod q)
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation33 June 1 2016
signature schemes
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
Key Generation
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Signing
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Signature Scheme Functionality
(m1 mk)
σ = sig((m1 mk) )
Verification
σ
ver(σ(m1 mk) ) = true
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Signature Scheme Security
m1σ1
mlσl
σ and mne mi st ver(σ m ) = true
Unforgeability under AdaptiveChosen Message Attack
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation41 June 1 2016
signature schemes with protocols
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
( mj+1 mk)
σ
ver(σ(m1 mk) ) = true
σ = sig((( mj+1 mk) )
Verification remains unchangedSecurity requirements basically the same but
bull Signer should not learn any information about m1 mjbull Forgery wrt message clear parts and opening of commitments
mmmjmmm1
mmm1 mmmj
Signature Scheme Signing Hidden Messages
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
mi | i є S
σ on (m1 mk)
Proving Possession of a Signature
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
mi | i є S Proof
protocol
σ mi | i є S
true
Proving Possession of a Signature
Variation Send also mi to verifier and Prove that committed messages are signed Prove properties about hiddencommitted mi
mi | i є S
σ on (m1 mk)
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Blind Signatures vs Signatures with Protocols
can be used multiple times
DamgaardCamenischampLysyanskaya
Strong RSA DL-ECC
can be used only once
Chaum Brands et al
Discrete Logs RSA
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation47 June 1 2016
Some signature schemes
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation48 June 1 2016
RSA Signature Scheme ndash For Reference
Rivest Shamir and Adlemann 1978
Secret Key two random primes p and qPublic Key n = pq prime e
and collision-free hash function H 01 -gt 01ℓ
Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)
s = H(m) d mod n
Verification of signature s on a message m Є 01
se = H(m) (mod n)
Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation49 June 1 2016
RSA Signature Scheme ndash for reference
Verification signature on a message m Є 01 se = H(m) (mod n)
Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)
But this is not a valid proof expression -(
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation50 June 1 2016
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c
c = (d (a1m1 ak
mk bs ))1e mod n
signature is (ces)
CL-Signature Scheme
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation51 June 1 2016
To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1
d = ce a1m1 ak
mk bs mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption
CL-Signature Scheme
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation52 June 1 2016
Sign blindly with CL signatures
( mj+1 mk)mmmjmmm1
σ
σ = sig((( mj+1 mk) ) mmm1 mmmj
Choose esrdquo
c = (d(C a3m3 bsrdquo))1e mod n
C = a1m1a2
m2 bsrsquoC + PK(m1m2srsquo) C = a1
m1a2m2 bsrsquo
(cesrsquorsquo)
d = ce a1m1a2
m2a3m3 bsrsquo+srsquorsquo mod n
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation53 June 1 2016
Recall d = ce a1m1a2m2 bs mod n
ObserveLet c = c btmod n with randomly chosen t Then d = ce a1m1a2m2 bs-et (mod n) ie
(ce s = s-et) is also signature on m1 and m2
To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1
rarr proves d = cε a1micro1 a2m2b σ
Proving Knowledge of a CL-signature
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation54 June 1 2016
Realizing On-Line eCash
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation55 June 1 2016
Recall basic idea
User
Bank
Merchant
Deposit
Withdrawal
Spend
Issue coin Hide serial number from bank when issuing ndash sign commitment of random serial number
Spend coin reveal serial number and proof ndash knowledge of signature on ndash commitment to serial number
100
100100
100 100
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
On-line E-cash Withdrawal
choose random s
and compute
C = a1 bs
C + proo
f
Choose esrdquo
c = (d(C bsrdquo))1e mod n
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
c proofcompute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
On-line E-cash Payment
(cesrdquo+s) st
d = ce a1 bsrdquo + s (mod n)
compute c = c bsmod nproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
c proof
c
pr
oof Є L
OK not OK
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Security
Anonymityndash Bank does not learn during withdrawalndash Bank amp Shop do not learn c e when spending
c proof
c
proo
f Є L
OK not OK
C + proo
f
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Security
Double Spending
Spending = Compute ndashc = c bsmod nndashproof = PK(ε micro ρ σ) d a1
= cε b σ (mod n)
Can use the same only oncendash If more s are presented than withdrawals
bull Proofs would not soundbull Signature scheme would not secure
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation61 June 1 2016
Realizing Off-Line eCash
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Recall On-Line E-Cash
On-Line Solution1 Coin = random serial (chosen by user) signed by Bank 2 Banks signs blindly3 Spending by sending and prove knowledge of signature to Merchant4 Merchant checks validy w Bank5 Bank accepts each serial only once
Off-Line- Can check serial only after the fact- hellip but at that point user will have been disappeared
100
100100
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation63 June 1 2016
Towards off-line signatures
100
100
100
Not Linkable
Link
able
Seems like a paradox but crypto is all about solving paradoxical problems -)
Goalndashspending coin once OKndashspending coin twice anonymity revoked
Not Linkable
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Off-line E-cash
Main Idea ndashInclude id rndashUpon spending
reveal and t = id + r u with c randomly chosen by merchant
ndash t wont reveal anything about idndashHowever given two equations (for the same id r)
t1 = id + r u1 t2 = id + r u2one can solve for id
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Withdrawal
choose random r s
and compute
C = a1a2
r bs
C + proo
f d = ce C a3
nym bsrdquo mod n
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
(cesrdquo)
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
(cesrdquo+s) st
d = ce a1a2
r a3nym bsrdquo + s (mod n)
choose random u
u
compute t = r + u nym mod qc = c bsmod nproof = PK(ε micro ρ σ)
d a1= cε a2
ρa3micro b σ (mod n) ⋀ gt = gρ (gu)micro
t c proof
Let G=ltggt be a group of order q
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Payment
PK(ε micro ρ σ) d a1
= cε a2ρa3
micro b σ (mod n) ⋀ gt = gρ (gu)micro
1 d = cε a1 a2
ρa3micro b σ (mod n)
=gt (c ε σ) is a signature on ( micro ρ)
2 gt = gρ+umicro
=gt t = ρ + u micro mod q ie t was computed correctly
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Deposit
u t proof
Є L If so 1 t = ρ + u micro (mod q)
2 t = ρ + u micro (mod q)
solve for ρ and micro=gt micro = nym because of proof
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Off-line E-cash Security
Unforgeable ndashno more coins than s
bull otherwise one can forge signatures bull or proofs are not sound
ndashif coins with same appears with different us =gt reveals nym
Anonymityndash and r are hidden from signer upon withdrawalndasht does not reveal anything about nym (is blinded by r)ndashproof proof does not reveal anything
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
Extensions and more
e-Cash K-spendable cash
ndash Multiple serial numbers and randomizers per coinndash Use PRF to generate serial number and randomizers from seed in coin
Money laundering preventionsndash Must not spend more that $10000 dollars with same partyndash Essentially use additional coin defined per merchant that controls this
Other protocols from these building blocks essentially anything with authentication and privacy Anonymous credentials eVoting
Alternative building blocks A number of signatures scheme that fit the same bill (Verifiable) encryption schemes that work along as well Alternative framework Groth-Sahai proofs plus ldquostructure-preservingrdquo schemes
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation71 June 1 2016
Thank youeMail identityzurichibmcomLinks
ndash wwwabc4trusteundash wwwfutureIDeundash wwwau2eueundash wwwPrimeLifeeu ndash wwwzurichibmcomidemixndash idemixdemozurichibmcom
Codendash githubcomp2abcengine amp abc4trusteuidemix
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
References
D Chaum J-H Evertse and J van de Graaf An improved protocol for demonstrating possession of discrete logarithms and some generalizations In EUROCRYPT rsquo87 vol 304 of LNCS pp 127ndash141 Springer-Verlag 1988
S Brands Rapid demonstration of linear relations connected by boolean operatorsIn EUROCRYPT rsquo97 vol 1233 of LNCS pp 318ndash333 Springer Verlag 1997
Mihir Bellare Computational Number Theory httpwww-cseucsdedu~mihircse207w-cntpdf
Camenisch Lysanskaya Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials Crypto 2002 Lecture Notes in Computer Science Springer Verlag
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
Jan Camenisch Natalie Casati Thomas Gross Victor Shoup Credential Authenticated Identification and Key Exchange CRYPTO 2010255-276
Jan Camenisch Maria Dubovitskaya Gregory Neven Oblivious transfer with access control ACM Conference on Computer and Communications Security 2009 131-140
Ateniese Song Tsudik Quasi-Efficient Revocation of Group Signatures In Financial Cryptography 2002 Lecture Notes in Computer Science Springer Verlag
M Bellare C Namprempre D Pointcheval and M Semanko The One-More-RSA-Inversion Problems and the Security of Chaums Blind Signature Scheme Journal of Cryptology Volume 16 Number 3 Pages 185 -215 Springer-Verlag 2003
E Bangerter J Camenisch and A Lyskanskaya A Cryptographic Framework for the Controlled Release Of Certified Data In Twelfth International Workshop on Security Protocols 2004 wwwzurichibmcom~jcapublications
Stefan Brands Untraceable Off-line Cash in Wallets With Observers In Advances in Cryptology ndash CRYPTO 93 Springer Verlag 1993
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-
copy 2016 IBM Corporation June 1 2016
References
J Camenisch and A Lyskanskaya Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation wwwzurichibmcom~jcapublications
David Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM Vol 24 No 2 pp 84mdash88 1981
David Chaum Blind Signatures for Untraceable Payments In Advances in Cryptology ndash Proceedings of CRYPTO 82 1983
David Chaum Security Without Identification Transaction Systems to Make Big Brother obsolete in Communications of the ACM Vol 28 No 10 1985
Camenisch Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms CRYPTO 2003 126-144
Victor Shoup A computational introduction to Number Theory and Algebra Available from httpwwwshoupnetntb
D Chaum Untraceable Electronic Mail Return Addresses and Digital Pseudonyms In Communications of the ACM
D Chaum The Dining Cryptographers Problem Unconditional Sender and Recipient Untraceability Journal of Cryptology 1988
J Camenisch and V Shoup Practical Verifiable Encryption and Decryption of Discrete Logarithms In Advances in Cryptology - CRYPTO 2003
T ElGamal A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology - CRYPTO 84
- IBM Presentation Template Full Version
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Slide 8
- Slide 9
- Slide 10
- Slide 11
- Slide 12
- Slide 13
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Slide 18
- Slide 19
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Slide 24
- Slide 25
- Slide 26
- Slide 27
- Slide 28
- Slide 29
- Slide 30
- Slide 31
- Slide 32
- Slide 33
- Slide 34
- Slide 35
- Slide 36
- Slide 37
- Slide 38
- Slide 39
- Slide 40
- Slide 41
- Slide 42
- Slide 43
- Slide 44
- Slide 45
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- Slide 50
- Slide 51
- Slide 52
- Slide 53
- Slide 54
- Slide 55
- Slide 56
- Slide 57
- Slide 58
- Slide 59
- Slide 60
- Slide 61
- Slide 62
- Slide 63
- Slide 64
- Slide 65
- Slide 66
- Slide 67
- Slide 68
- Slide 69
- Slide 70
- Slide 71
- Slide 72
- Slide 73
-