Jan Camenisch and Gregory Neven, IBM Research – Zurich, Switzerland
Workshop on Postquantum Cryptography, Darmstadt, May 25-28, 2010
The road to post-quantum privacy
© 2010 IBM Corporation

Slide 2: "Neil Armstrong's footsteps are still there" (Robin Wilton, futureidentity)

Slide 3: And we leave traces, lots of traces!

Slide 4: Computers don't forget!
- Data storage becomes ever cheaper, so data is stored by default, e.g., surveillance cameras, or wireless-router traffic picked up by the Google Street View car.
- Data mining techniques get ever better: self-training algorithms become more intelligent than their designers; not just trend detection but prediction, e.g., flu pandemics, ad clicks, purchases, ... What about mortgage defaults or criminal behavior? Correlation with illegal criteria, e.g., race or religion?

Slide 5: What are the risks?
- Embarrassment
- Discredit
- Financial fraud
- Blackmail
- Identity theft
None of these risks is new, but they are higher due to the online availability of personal data.
Slide 6: Everyday privacy threats
- Sacked because of Facebook or Twitter posts
- Burglars using Facebook and Twitter to find targets
- Electronic toll collection data used in divorce cases
- Abuse of stored or transmitted data by malicious employees, e.g., the Telecom Italia wiretapping scandal
- Mother's maiden name, birth date, ... often used as a backup secret
- Facebook's evolving default privacy policy, http://mattmckeon.com/facebook-privacy
- Google Street View storing payload data from wireless networks
(cartoon: Brian Fairrington, Cagle Cartoons)

Slide 7: Privacy breaches happen almost daily
Date        Organisation                                                 Incident                                                  Records/persons affected
14.05.2010  Bayerisches Landesamt für Steuern                            Hard disks with tax data on flea market                   hundreds
14.05.2010  Rote Hilfe e.V.                                              Hard disk with member data stolen                         thousands
12.05.2010  Vodafone                                                     Glitch leaks customers' MobileMails                       few
04.05.2010  SchülerVZ                                                    Large-scale phishing of members' data                     1.6 million
03.05.2010  Jugendamt des Lahn-Dill-Kreises                              Sensitive documents used as drawing paper for children    multiple
28.04.2010  Klinikum Kassel                                              Patient list found on street                              22
28.04.2010  Stadtverwaltung                                              Glitch makes confidential information visible online      countless
08.04.2010  Metaltix                                                     Hackers steal credit card data                            thousands
24.03.2010  Telekommunikations- und Kabel-TV-Anbieter                    Truck loses notes with personal data                      thousands
24.03.2010  Klinikum Kassel                                              Psychiatric patient data found on street                  21
22.03.2010  Verteidiger des Aufsichtsrates des Wohn- und Stadtbaus       Confidential documents lost from bike basket              multiple
15.03.2010  Vodafone                                                     Sensitive customer data on black market                   thousands
09.03.2010  Münster-Marathon e.V.                                        Participants' personal data sent by DVD                   3500
18.02.2010  Struktur- und Wirtschaftsförderungsgesellschaft (SWFG)       Internal data of enterprises accessible on Internet       40
11.02.2010  BKK Gesundheit                                               Privacy breach: health insurance being blackmailed        1.5 million
08.02.2010  AWD                                                          Sensitive customer data leaked                            12000
05.02.2010  Gemeinde Senden                                              Data of welfare beneficiaries sent to private person      400
26.01.2010  Sheraton-Hotel                                               Credit card glitch                                        multiple
25.01.2010  Ihr Platz                                                    Spying on own employees                                   thousands
25.01.2010  Taschen GmbH                                                 Live video images from shops on Internet                  countless
Source: www.projekt-datenschutz.de

Slide 8: David, please help?!?
A cloud of pre-quantum privacy-enhancing technologies: mix networks, oblivious transfer, searchable encryption, onion routing, e-cash, confirmer signatures, anonymous credentials, group signatures, pseudonym systems, e-voting, blind signatures, OT with access control, priced OT, private information retrieval, secret handshakes, homomorphic encryption.

Slide 9: Postquantum community, please help?!?
The same cloud, now with a question mark and "your picture here": mix networks, searchable encryption, onion routing, confirmer signatures, group signatures, anonymous credentials, pseudonym systems, e-voting, blind signatures, e-cash, oblivious transfer, OT with access control, priced OT, private information retrieval, secret handshakes, homomorphic encryption.

Slide 10: Goal of this talk
Give you work – and make you famous!
Have: pre-quantum PETs, in particular
- anonymous credentials
- zero-knowledge proofs
- verifiable encryption
Need: postquantum PETs!
Approach: take inspiration from pre-quantum PETs.

Slide 11: Privacy-friendly identification

Slide 12: Our vision
In the Information Society, users can act and interact in a safe and secure way while retaining control of their private spheres.

Slide 13: Classical public-key identification

Slide 14: Standard public-key certificates, e.g., X.509 certificates: in the beginning...

Slide 15: Obtaining a certificate... the certification authority signs the user's attributes together with her public key: name = "Alice Doe", birth date = "1973/10/24", pk = [Alice's public key].

Slide 16: Using a certificate... Alice presents the whole certificate (name = "Alice Doe", birth date = "1973/10/24", pk = ...) and proves possession of the matching secret key: full attribute disclosure.

Slide 17: Using a certificate again... a second relying party receives the very same certificate (name = "Alice Doe", birth date = "1973/10/24", pk = ...): the two transactions are linkable by pk.

Slide 18: Anonymous identification

Slide 19: Anonymous credentials, e.g., Identity Mixer, U-Prove: in the beginning...

Slide 20: Obtaining a credential... the issuer signs the attributes together with a pseudonym of the user: name = "Alice Doe", birth date = "1973/10/24", nym = [pseudonym].

Slide 21: Using a credential... Alice shows name = "Alice Doe", birth date = "1973/10/24" under a fresh pseudonym: unlinkable by pseudonym.

Slide 22: Using a credential... name = ?, birth date = "1973/10/24": selective attribute disclosure.

Slide 23: Using a credential... name = ?, birth date < 1992/05/27 (i.e., Alice is at least 18 years old on the day of the talk): attribute predicate disclosure.

Slide 24: Using a credential twice... once as (name = ?, birth date < 1992/05/27) and once as (name = "Alice Doe", birth date = ?): the two showings are unlinkable by pseudonym.

Slide 25: Using multiple credentials... passport: birth date < 1992/05/27; driver's license: vehicle category B; both shown in a single transaction.

Slide 26: Attribute escrow through verifiable encryption, e.g., Identity Mixer: the verifier sees only name = ****** (a verifiable encryption of the certified name under the key of an escrow party) and can check that the ciphertext really contains the attribute from the credential; the escrow party can decrypt it to name = "Alice Doe".
Slide 27: How does it work?

Slide 28: Two approaches
                Zero-knowledge proofs                               Blind signatures
Usage           multi-use                                           one-time use
Schemes         Damgård, Camenisch-Lysyanskaya (Identity Mixer)     Chaum, Brands et al. (U-Prove)
Assumptions     strong RSA, pairings (LRSW, q-SDH)                  discrete logs, RSA, ...

Slide 29: Building blocks
- Signatures
- Encryption
- Efficient zero-knowledge proofs
- Commitments

Slide 30: Building blocks: efficient zero-knowledge proofs

Slide 31: Schnorr proofs
Given a group <g> of known prime order q and an element y ∈ <g>. The prover wants to convince the verifier that she knows x = log_g y, such that the verifier learns nothing beyond y and g: PK{(x): y = g^x}.
Prover: random r ∈ Z_q, t := g^r; sends t.
Verifier: random c ∈ {0,1}^l; sends c.
Prover: s := r − c·x (mod q); sends s.
Verifier: accepts iff t = g^s · y^c.
Knowledge extraction: given two accepting transcripts (t, c1, s1) and (t, c2, s2) with the same t and c1 ≠ c2, i.e., t = g^{s1} y^{c1} = g^{s2} y^{c2}, compute x := (s2 − s1)·(c1 − c2)^{−1} (mod q).

Slide 32: Generalized Schnorr in groups of unknown order
Jumping ahead: there are no suitable signatures from (non-pairing) discrete logarithms. Solution: work in an RSA group, N := pq, g ∈ QR_N.
PK{(x): y = g^x}
Prover: random r ∈ Z (from a range much larger than c·x), t := g^r (mod N); sends t.
Verifier: random c ∈ {0,1}^l; sends c.
Prover: s := r − c·x (in Z, not reduced); sends s.
Verifier: accepts iff t = g^s · y^c (mod N).
Knowledge extraction no longer works as before: given (t, c1, s1) and (t, c2, s2) with t = g^{s1} y^{c1} = g^{s2} y^{c2}, one would compute x := (s2 − s1)·(c1 − c2)^{−1} (mod φ(N)), but φ(N) is unknown, so (c1 − c2) cannot be inverted!
Slide 33: Strong RSA to the rescue
RSA problem: given N = pq, e, and random z ∈ Z*_N, find u such that u^e = z (mod N).
Flexible RSA problem: given N = pq and random z ∈ QR_N, find e ≠ 1 and u such that u^e = z (mod N).
Strong RSA assumption: the flexible RSA problem is hard.
Useful lemma: given random g, h ∈ QR_N, finding a, b, c, u such that u^c = g^a · h^b (mod N) and (c ∤ a or c ∤ b) is hard under the strong RSA assumption.

Slide 34: Generalized Schnorr in groups of unknown order (continued)
Problem: no suitable standard-model signatures from (non-pairing) discrete logarithms. Solution: RSA modulus N := pq, g ∈ QR_N.
PK{(x): y = g^x}
Prover: random r ∈ Z, t := g^r (mod N); sends t.
Verifier: random c ∈ {0,1}^l; sends c.
Prover: s := r − c·x (in Z); sends s.
Verifier: accepts iff t = g^s · y^c (mod N).
Knowledge extraction works after all! Given (t, c1, s1) and (t, c2, s2) with t = g^{s1} y^{c1} = g^{s2} y^{c2}, we have y^{c1−c2} = g^{s2−s1}. By the lemma, under strong RSA c1 − c2 must divide s2 − s1 (otherwise the two transcripts would yield a solution to the flexible RSA problem), i.e., s2 − s1 = x·(c1 − c2) for an integer x, so y^{c1−c2} = g^{x(c1−c2)} and hence y = g^x.

Slide 35: Building blocks: signatures

Slide 36: Signatures with protocols
Main requirement: efficient proofs of knowledge of a signature.
Design guidelines:
- (some degree of) re-randomizability
- no random oracles: no hashing of the message/attribute through a random oracle, and no random-oracle output in the signature
- the message(s) appear where efficient ZK proofs can be performed; in the discrete-log and RSA settings that means in the exponents (for generalized Schnorr proofs)

Slide 37: Camenisch-Lysyanskaya signatures [CL01]
Public key: RSA modulus N, random a, b, d ∈ QR_N. Secret key: p, q such that N = pq.
To sign a message m ∈ {0,1}^l:
- choose a random prime e > 2^l
- choose a random integer s ≈ N (i.e., of about the bit length of N)
- compute c such that d = a^m · b^s · c^e (mod N); the signer can take this e-th root because it knows φ(N) = (p−1)(q−1) and hence e^{−1} mod φ(N)
The signature is (c, e, s).
Verification: check that m ∈ {0,1}^l, e > 2^l, and d = a^m · b^s · c^e (mod N).
Security: unforgeable under the strong RSA assumption.

Slide 38: Observations about CL signatures
Somewhat re-randomizable: if (c, e, s) is a valid signature, d = a^m · b^s · c^e (mod N), then (c* = c·b^r, e, s* = s − e·r) is also a valid signature:
d = a^m · b^{s−er} · (c·b^r)^e = a^m · b^{s*} · c*^e (mod N).
Generalized Schnorr proofs: one can prove any statement of the form
PK{(x1, ..., xn): ∧_i (C_i = ∏_j A_{i,j}^{x_j} (mod N_i))}.
Hence one can prove knowledge of a CL signature: the re-randomized c* is sent in the clear, and the non-re-randomizable signature values e and s* appear only as exponents.

Slide 39: Prove knowledge of a signature on a revealed m
The prover holds (c, e, s), re-randomizes it to (c*, e, s*), and sends c* and m together with PK{(e, s*): d · a^{−m} = b^{s*} · c*^e}. Since c* is independent of c, it carries no information on the original signature, so the prover remains anonymous.

Slide 40: Prove knowledge of a signature on a hidden m
The prover re-randomizes (c, e, s) to (c*, e, s*) and sends c* together with PK{(e, s*, m): d = a^m · b^{s*} · c*^e}. Again c* carries no information on the original signature, and nothing about m is revealed, so the prover remains anonymous.

Slide 41: Building blocks: commitments

Slide 42: Commitment schemes
Composite-order Pedersen commitments: choose random s, commitment C := a^m · b^s (mod N).
These nicely fit generalized Schnorr proofs: PK{(x1, ..., xn): ∧_i (C_i = ∏_j A_{i,j}^{x_j} (mod N_i))}.

Slide 43: Obtaining a signature on a committed value
The user (holding master secret msk) computes C := a^{msk} · b^{s'} and sends C together with PK{(msk, s'): C = a^{msk} · b^{s'}} to the issuer (holding N, a, b, d and the factorization of N). The issuer computes (c, e, s'') such that d = C · b^{s''} · c^e (mod N) and returns it. The user's signature on msk is (c, e, s = s' + s''). The issuer obtains no information on msk, so the user remains anonymous; cf. blind signatures.

Slide 44: Prove knowledge of a signature on a committed value
The user (holding msk and (c, e, s)) commits C* := a^{msk} · b^r, re-randomizes the signature to (c*, e, s*), and sends C* and c* together with PK{(msk, r, e, s*): C* = a^{msk} · b^r ∧ d = a^{msk} · b^{s*} · c*^e} to the verifier (holding N, a, b, d).

Slide 45: CL signatures on multiple messages
Public key: RSA modulus N, random a1, ..., an, b, d ∈ QR_N. Secret key: p, q such that N = pq.
To sign messages m1, ..., mn ∈ {0,1}^l:
- choose a random prime e > 2^l
- choose a random integer s ≈ N
- compute c such that d = a1^{m1} · ... · an^{mn} · b^s · c^e (mod N)
The signature is (c, e, s). Now multiple attributes can be embedded in a single credential!

Slide 46: And it gets even better...

Slide 47: Zero-knowledge proofs of CL signatures
- Prove knowledge of a valid signature on a revealed m
- Prove knowledge of a valid signature on a hidden m
- Prove knowledge of a valid signature on a committed m
- Prove knowledge of a valid signature on m1, ..., mn, disclosing only the m_i with i ∈ S ⊆ {1, ..., n}
- Prove knowledge of a valid signature on m ∈ [a, b] (range proof)
- Prove knowledge of multiple signatures with relations among their messages
- Credential revocation
- Limited spending
- ...
Together these make up the Identity Mixer anonymous credential system.

Slide 48: Anonymous credential revocation
Pseudonyms → a standard CRL doesn't work (there is no fixed identifier to list).
Limited validity: needs periodic updating of credentials.
Multiple use cases and solutions:
- dynamic accumulators
- signing entries and proofs

Slide 49: Limited spending
Pseudonyms → standard counting doesn't work (the verifier cannot tell two uses of the same credential apart).
Set limits on credential usage:
- restrict the total number of logins (information-theoretic for a small number)
- restrict the number of simultaneous logins (needs verifiable random functions)
Alternatively, usage can be bound to a secure hardware token.

Slide 50: Oblivious transfer with anonymous access control (example: a DNA database)
Oblivious transfer:
- the user obtains at most one record per query
- the database does not learn which record was selected
- (the database does not learn the identity of the user)
Oblivious transfer with (anonymous) access control:
- a separate access control list per record
- the user obtains at most one record to which she has access
- the database does not learn which record was selected
- the database does not learn the identity of the user
Priced oblivious transfer:
- a different price per record
- the user cannot obtain more records than her credit allows

Slide 51: Anonymous secret handshakes
Alice and Bob define predicates P_A, P_B on each other's credentials. Alice learns whether Bob satisfies P_A iff Alice satisfies P_B (and vice versa).

Slide 52: Conclusion

Slide 53: Conclusion
YOU / WE WANT TO DEVELOP PQ-PETS
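As an added worked example for slides 37 to 47 (written for this edited page; it is not code from the slides, from Identity Mixer or from U-Prove), the following Python toy implements the CL signature on several messages, its re-randomization, and a generalized Schnorr proof of knowledge of a signature that reveals some attributes and hides the others. Everything not on the slides is an assumption of the example: a 63-bit N from two fixed primes instead of ~1024-bit safe primes, 16-bit messages, a 17-bit prime e found by trial division, a seeded RNG and an interactive challenge chosen by the demo instead of Fiat-Shamir; the range proofs on e and on the hidden m_i that the real protocols include are omitted.

```python
"""Added example: toy Camenisch-Lysyanskaya (strong-RSA) signatures on several messages,
their re-randomization, and a generalized Schnorr proof of knowledge of a signature that
reveals some messages and hides the others. Assumptions not from the slides: a 63-bit N
from two fixed primes instead of ~1024-bit safe primes, 16-bit messages, a 17-bit prime e
found by trial division, a seeded RNG and an interactive challenge instead of Fiat-Shamir;
the range proofs on e and on hidden m_i are omitted. Not secure, demo only."""
import random
from math import gcd, isqrt

P, Q = 2147483647, 4294967291          # 2^31-1 and 2^32-5, both prime (toy modulus)
N, PHI = P * Q, (P - 1) * (Q - 1)
L = 16                                  # messages are in {0,1}^L
CH_BITS = 8                             # challenge length of the proof
rng = random.Random(2010)               # seeded so the demo is reproducible

def random_prime(lo, hi):
    """Random prime in [lo, hi) by trial division, fine for the 17-bit e used here."""
    while True:
        e = rng.randrange(lo | 1, hi, 2)
        if all(e % d for d in range(3, isqrt(e) + 1, 2)) and gcd(e, PHI) == 1:
            return e

def keygen(n_msgs):
    """Public key (N, a_1..a_n, b, d) in QR_N; the secret key is the factorization, i.e. PHI."""
    sq = lambda: pow(rng.randrange(2, N), 2, N)   # random quadratic residue
    return {"a": [sq() for _ in range(n_msgs)], "b": sq(), "d": sq()}

def product(pk, msgs):
    """prod_i a_i^{m_i} (mod N)."""
    acc = 1
    for a, m in zip(pk["a"], msgs):
        acc = acc * pow(a, m, N) % N
    return acc

def sign(pk, msgs):
    """(c, e, s): prime e > 2^L, s ~ N, d = prod a_i^{m_i} * b^s * c^e (mod N). Only the
    signer can take the e-th root, because it knows e^{-1} mod phi(N)."""
    assert all(0 <= m < 2 ** L for m in msgs)
    e = random_prime(2 ** L, 2 ** (L + 1))
    s = rng.randrange(N // 2, N)
    base = product(pk, msgs) * pow(pk["b"], s, N) % N
    c = pow(pk["d"] * pow(base, -1, N) % N, pow(e, -1, PHI), N)
    return c, e, s

def verify(pk, msgs, sig):
    """Check m_i in {0,1}^L, e > 2^L and the verification equation."""
    c, e, s = sig
    if not (all(0 <= m < 2 ** L for m in msgs) and e > 2 ** L):
        return False
    return product(pk, msgs) * pow(pk["b"], s, N) * pow(c, e, N) % N == pk["d"]

def rerandomize(pk, sig):
    """(c*, e, s*) = (c * b^r, e, s - e*r) is again valid, and c* is independent of c."""
    c, e, s = sig
    r = rng.randrange(N)
    return c * pow(pk["b"], r, N) % N, e, s - e * r

def prove(pk, msgs, sig, reveal):
    """PK{(e, s*, hidden m_i): d * prod_rev a_i^{-m_i} = c*^e * b^{s*} * prod_hid a_i^{m_i}};
    responses z = r - ch*x are integers, never reduced (unknown group order)."""
    c_star, e, s_star = rerandomize(pk, sig)
    hidden = [i for i in range(len(msgs)) if i not in reveal]
    secrets = [e, s_star] + [msgs[i] for i in hidden]
    bases = [c_star, pk["b"]] + [pk["a"][i] for i in hidden]
    rands = [rng.randrange(2 ** (x.bit_length() + CH_BITS + 80)) for x in secrets]
    t = 1
    for g, r in zip(bases, rands):
        t = t * pow(g, r, N) % N
    ch = rng.randrange(2 ** CH_BITS)           # the verifier's challenge (interactive demo)
    return {"c_star": c_star, "t": t, "ch": ch, "revealed": {i: msgs[i] for i in reveal},
            "resp": [r - ch * x for r, x in zip(rands, secrets)]}

def check_proof(pk, proof):
    """Verifier: t == target^ch * prod bases^z (mod N) with target = d / prod_rev a_i^{m_i}."""
    revealed = proof["revealed"]
    if not all(0 <= m < 2 ** L for m in revealed.values()):
        return False
    hidden = [i for i in range(len(pk["a"])) if i not in revealed]
    target = pk["d"]
    for i, m in revealed.items():
        target = target * pow(pk["a"][i], -m, N) % N
    bases = [proof["c_star"], pk["b"]] + [pk["a"][i] for i in hidden]
    lhs = pow(target, proof["ch"], N)
    for g, z in zip(bases, proof["resp"]):
        lhs = lhs * pow(g, z, N) % N
    return lhs == proof["t"]

def demo():
    """Credential on (birth year, licence category); show it revealing only the category."""
    pk = keygen(2)
    msgs = [1973, 2]                           # constructed attributes
    sig = sign(pk, msgs)
    sig2 = rerandomize(pk, sig)
    proof = prove(pk, msgs, sig, reveal={1})
    return (verify(pk, msgs, sig), verify(pk, msgs, sig2), sig2[0] != sig[0],
            check_proof(pk, proof), proof["revealed"] == {1: 2})
```

The verifier only ever sees c*, the revealed attributes and integer responses; e, s* and the hidden attributes live in exponents, exactly the "signature values in the exponent" of slide 38. A deployable version must additionally prove that e and each hidden m_i lie in their prescribed ranges, since the verification equation alone accepts any integers that satisfy it.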