Jan Camenisch and Gregory Neven, IBM Research – Zurich, Switzerland
Workshop on Postquantum Cryptography, Darmstadt, May 25-28, 2010
The road to post-quantum privacy
© 2010 IBM Corporation
“Neil Armstrong’s footsteps are still there” (Robin Wilton, futureidentity)
And we leave traces, lots of traces!
Computers don’t forget!
Data storage becomes ever cheaper
– store by default
– e.g., surveillance cameras, wireless router traffic picked up by Google Street View car
Data mining techniques ever better
– self-training algorithms become more intelligent than their designers
– not just trend detection, even prediction
– e.g., flu pandemics, ad clicks, purchases, …
– what about mortgage defaults, criminal behavior?
– correlation with illegal criteria, e.g., race, religion?
What are the risks?
Embarrassment
Discredit
Financial fraud
Blackmailing
Identity theft
None of these risks is new, but they are higher due to the online availability of personal data.
Everyday privacy threats
Sacked because of Facebook or Twitter posts
Burglars using Facebook and Twitter to find targets
Electronic toll collection data used in divorce cases
Abuse of stored or transmitted data by malicious employees
e.g., Telecom Italia wiretapping scandal
Mother’s maiden name, birth date,… often used as backup secret
Facebook’s evolving default privacy policy
http://mattmckeon.com/facebook-privacy
Google Street View storing payload data from wireless networks
Privacy breaches happen almost daily
Date | Organisation | Incident | Records affected
14.05.2010 | Bayerisches Landesamt für Steuern | Hard disks with tax data on flea market | hundreds
14.05.2010 | Rote Hilfe e.V. | Hard disk with member data stolen | thousands
12.05.2010 | Vodafone | Glitch leaks customers' MobileMails | few
04.05.2010 | SchülerVZ | Large-scale phishing of members' data | 1.6 million
03.05.2010 | Jugendamt des Lahn-Dill-Kreises | Sensitive documents used as drawing paper for children | multiple
28.04.2010 | Klinikum Kassel | Patient list found on street | 22
28.04.2010 | Stadtverwaltung | Glitch makes confidential information visible online | countless
08.04.2010 | Metaltix | Hackers steal credit card data | thousands
24.03.2010 | Telekommunikations- und Kabel-TV-Anbieter | Truck loses notes with personal data | thousands
24.03.2010 | Klinikum Kassel | Psychiatric patient data found on street | 21
22.03.2010 | Verteidiger des Aufsichtsrates des Wohn- und Stadtbaus | Confidential documents lost from bike basket | multiple
15.03.2010 | Vodafone | Sensitive customer data on black market | thousands
09.03.2010 | Münster-Marathon e.V. | Participants' personal data sent by DVD | 3500
18.02.2010 | Struktur- und Wirtschaftsförderungsgesellschaft (SWFG) | Internal data of enterprises accessible on Internet | 40
11.02.2010 | BKK Gesundheit | Privacy breach: health insurance being blackmailed | 1.5 million
08.02.2010 | AWD | Sensitive customer data leaked | 12000
05.02.2010 | Gemeinde Senden | Data of welfare beneficiaries sent to private person | 400
26.01.2010 | Sheraton-Hotel | Credit card glitch | multiple
25.01.2010 | Ihr Platz | Spying on own employees | thousands
25.01.2010 | Taschen GmbH | Live video images from shops on Internet | countless
Source: www.projekt-datenschutz.de
David, please help?!?
Mix Networks, Oblivious Transfer, Searchable Encryption, Onion Routing, e-cash, Confirmer signatures, Anonymous Credentials, Group signatures, Pseudonym Systems, e-voting, Blind signatures, OT with Access Control, Priced OT, Private information retrieval, Secret Handshakes, Homomorphic Encryption
Postquantum community, please help?!?
(Your picture here)
Mix Networks, Searchable Encryption, Onion Routing, Confirmer signatures, Group signatures, Anonymous Credentials, Pseudonym Systems, e-voting, Blind signatures, e-cash, Oblivious Transfer, OT with Access Control, Priced OT, Private information retrieval, Secret Handshakes, Homomorphic Encryption
Goal of this talk
Give you work – and make you famous!
Have: pre-quantum PETs, in particular
– anonymous credentials
– zero-knowledge proofs
– verifiable encryption
Need: postquantum PETs!
– take inspiration from pre-quantum PETs
Privacy-friendly identification
Our Vision
In the Information Society, users can act and interact in a safe and secure way while retaining control of their private spheres.
Classical public-key identification
Standard public-key certificates (e.g., X.509 certificates)
In the beginning…
Standard public-key certificates (e.g., X.509 certificates)
Obtaining a certificate… the certificate contains: name = “Alice Doe”, birth date = “1973/10/24”, pk = [public key]
Standard public-key certificates (e.g., X.509 certificates)
Using a certificate… the verifier sees: name = “Alice Doe”, birth date = “1973/10/24”, pk = [public key]
→ full attribute disclosure
Standard public-key certificates (e.g., X.509 certificates)
Using a certificate again… the same name = “Alice Doe”, birth date = “1973/10/24”, pk = [public key] is shown to the next verifier
→ linkable by pk
Anonymous identification
Anonymous credentials (e.g., Identity Mixer, U-Prove)
In the beginning…
Anonymous credentials (e.g., Identity Mixer, U-Prove)
Obtaining a credential… the credential contains: name = “Alice Doe”, birth date = “1973/10/24”, nym = [pseudonym]
Anonymous credentials (e.g., Identity Mixer, U-Prove)
Using a credential… the verifier sees: name = “Alice Doe”, birth date = “1973/10/24”
→ unlinkable by pseudonym
Anonymous credentials (e.g., Identity Mixer, U-Prove)
Using a credential… the verifier sees: name = ?, birth date = “1973/10/24”
→ selective attribute disclosure
Anonymous credentials (e.g., Identity Mixer, U-Prove)
Using a credential… the verifier sees: name = ?, birth date > 1992/05/27
→ attribute predicate disclosure
Anonymous credentials (e.g., Identity Mixer, U-Prove)
Using a credential… one verifier sees: name = ?, birth date > 1992/05/27; another verifier sees: name = “Alice Doe”, birth date = ?
→ unlinkable by pseudonym
Anonymous credentials (e.g., Identity Mixer, U-Prove)
Using multiple credentials… passport: birth date > 1992/05/27; driver’s license: vehicle cat B
Attribute escrow through verifiable encryption (e.g., Identity Mixer)
The verifier sees name = ****** (a verifiable encryption of the attribute); the escrow party can recover name = “Alice Doe”.
How does it work?
Two approaches
Zero-knowledge proofs | Blind signatures
multi-use | one-time use
Damgård, Camenisch-Lysyanskaya (Identity Mixer) | Chaum, Brands et al. (U-Prove)
strong RSA, pairings (LRSW, q-SDH) | discrete logs, RSA, …
Building blocks: Signatures, Encryption, Efficient zero-knowledge proofs, Commitments
Building blocks: Signatures, Encryption, Efficient zero-knowledge proofs, Commitments
Schnorr proofs
Given a group $\langle g \rangle$ of prime order $q$ and an element $y \in \langle g \rangle$.
Prover wants to convince verifier that she knows $x = \log_g y$, such that verifier only learns $y$ and $g$:
$PK\{(x) : y = g^x\}$
Prover: random $r \in \mathbb{Z}_q$, $t := g^r$; sends $t$.
Verifier: random $c \in \{0,1\}^l$; sends $c$.
Prover: $s := r - c\,x \pmod q$; sends $s$.
Verifier: accepts iff $t = g^s y^c$.
Knowledge extraction: given $(t,c_1,s_1)$ and $(t,c_2,s_2)$ such that $t = g^{s_1} y^{c_1} = g^{s_2} y^{c_2}$, compute $x := (s_2 - s_1)(c_1 - c_2)^{-1} \pmod q$.
Generalized Schnorr in groups of unknown order
Jumping ahead: no suitable signatures from (non-pairing) dlog.
Solution: RSA with $N := pq$, $g \in QR_N$.
$PK\{(x) : y = g^x\}$
Prover: random $r \in \mathbb{Z}$, $t := g^r \pmod N$; sends $t$.
Verifier: random $c \in \{0,1\}^l$; sends $c$.
Prover: $s := r - c\,x$ (in $\mathbb{Z}$); sends $s$.
Verifier: accepts iff $t = g^s y^c \pmod N$.
Knowledge extraction no longer works!
Given $(t,c_1,s_1)$ and $(t,c_2,s_2)$ such that $t = g^{s_1} y^{c_1} = g^{s_2} y^{c_2}$, one would compute $x := (s_2 - s_1)(c_1 - c_2)^{-1} \pmod{\varphi(N)}$, but $\varphi(N)$ is unknown → can’t invert!
Strong RSA to the rescue
RSA Problem: given $N = pq$, $e$, and random $z \in \mathbb{Z}_N^*$, find $u$ such that $u^e = z \pmod N$.
Flexible RSA Problem: given $N = pq$ and random $z \in QR_N$, find $e \neq 1$ and $u$ such that $u^e = z \pmod N$.
Strong RSA assumption: flexible RSA is hard.
Useful lemma: given $g,h \in QR_N$, finding $a,b,c,u$ such that $u^c = g^a h^b \pmod N$ and ($c \nmid a$ or $c \nmid b$) is hard under the strong RSA assumption.
Generalized Schnorr in groups of unknown order
Problem: no suitable standard-model signatures from (non-pairing) dlog.
Solution: RSA with $N := pq$, $g \in QR_N$.
$PK\{(x) : y = g^x\}$
Prover: random $r \in \mathbb{Z}$, $t := g^r \pmod N$; sends $t$.
Verifier: random $c \in \{0,1\}^l$; sends $c$.
Prover: $s := r - c\,x$ (in $\mathbb{Z}$); sends $s$.
Verifier: accepts iff $t = g^s y^c \pmod N$.
Knowledge extraction works!
Given $(t,c_1,s_1)$ and $(t,c_2,s_2)$ such that $y^{c_1 - c_2} = g^{s_2 - s_1}$.
Using the lemma: under strong RSA, $c_1 - c_2$ must divide $s_2 - s_1$,
i.e., $s_2 - s_1 = x(c_1 - c_2)$ → $y^{c_1 - c_2} = g^{x(c_1 - c_2)}$ → $y = g^x$.
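To make the two extraction arguments of the preceding slides concrete, here is an added Python example (not code from the slides) that runs the same Schnorr protocol in both settings: a prime-order subgroup of $\mathbb{Z}_p^*$, where the extractor inverts $c_1 - c_2$ modulo the known order $q$, and $QR_N$ for an RSA modulus, where no party outside the key owner knows the order and the extractor instead divides over the integers, relying on the divisibility the strong-RSA lemma guarantees. The class and function names, the challenge lengths and the toy primes 2039, 1019 and 2063 are my own choices; real deployments use moduli of 2048 bits or more.

```python
"""Schnorr proof of knowledge with its rewinding extractor, in two groups.

Added example, not code from the slides. Parameters are toy sized so the
arithmetic stays readable; the structure is the one the slides describe.
"""
import math
import secrets


class PrimeOrderGroup:
    """<g> of prime order q inside Z_p^*, p = 2q + 1 (constructed toy safe prime)."""

    def __init__(self, p=2039, q=1019):
        self.p, self.q, self.g = p, q, 4     # 4 = 2^2 lies in the order-q subgroup
        self.challenge_bits = 9              # l with 2^l < q, so c1 - c2 != 0 (mod q)

    def exp(self, base, x):
        return pow(base, x, self.p)

    def mul(self, a, b):
        return a * b % self.p

    def rand_exponent(self):
        return secrets.randbelow(self.q)

    def response(self, r, c, x):
        return (r - c * x) % self.q          # s := r - c x (mod q)

    def extract(self, c1, s1, c2, s2):
        # x := (s2 - s1)(c1 - c2)^{-1} (mod q): the inversion needs the known order q
        return (s2 - s1) * pow((c1 - c2) % self.q, -1, self.q) % self.q


class UnknownOrderGroup:
    """g in QR_N, N = p*q; the protocol never reduces exponents modulo the order."""

    def __init__(self, p=2039, q=2063):      # constructed toy safe primes
        self.n = p * q
        while True:
            h = secrets.randbelow(self.n - 2) + 2
            if math.gcd(h, self.n) == 1:
                break
        self.g = pow(h, 2, self.n)           # squaring a unit lands in QR_N
        self.challenge_bits = 16

    def exp(self, base, x):
        return pow(base, x, self.n)          # negative x is fine on Python 3.8+

    def mul(self, a, b):
        return a * b % self.n

    def rand_exponent(self):
        # r must statistically hide c*x over the integers: |x| < N, c < 2^l, 80 bits slack
        return secrets.randbits(self.n.bit_length() + self.challenge_bits + 80)

    def response(self, r, c, x):
        return r - c * x                     # s := r - c x, computed in Z

    def extract(self, c1, s1, c2, s2):
        # phi(N) is unavailable, so c1 - c2 cannot be inverted. Under strong RSA
        # the lemma forces (c1 - c2) | (s2 - s1); the exact quotient is the witness.
        num, den = s2 - s1, c1 - c2
        if num % den != 0:
            raise ValueError("c1 - c2 does not divide s2 - s1: extraction fails")
        return num // den


def prove_commit(group):
    """Prover's first move: random r and t := g^r."""
    r = group.rand_exponent()
    return r, group.exp(group.g, r)


def verify(group, y, t, c, s):
    """Verifier's check: t == g^s * y^c."""
    return group.mul(group.exp(group.g, s), group.exp(y, c)) == t


def run_and_extract(group, x):
    """One honest run, then a rewind to the same t with a second challenge.

    Returns the witness recovered purely from the two accepting transcripts."""
    y = group.exp(group.g, x)
    r, t = prove_commit(group)
    c1 = secrets.randbits(group.challenge_bits)
    s1 = group.response(r, c1, x)
    if not verify(group, y, t, c1, s1):
        raise RuntimeError("honest transcript rejected")
    # rewind: same r (hence same t), but a different challenge c2 != c1
    space = 1 << group.challenge_bits
    c2 = (c1 + 1 + secrets.randbelow(space - 1)) % space
    s2 = group.response(r, c2, x)
    if not verify(group, y, t, c2, s2):
        raise RuntimeError("honest transcript rejected")
    return group.extract(c1, s1, c2, s2)


if __name__ == "__main__":
    print(run_and_extract(PrimeOrderGroup(), 777))        # 777
    print(run_and_extract(UnknownOrderGroup(), 123456))   # 123456
```

The two `extract` methods are the whole difference: in the prime-order group the verifier-side extractor can divide modulo $q$, whereas in $QR_N$ it can only divide in $\mathbb{Z}$, and the slide's lemma is what turns "the quotient exists" into "the quotient is the prover's $x$". The example rewinds an honest prover; the lemma matters precisely for a cheating prover, whose transcripts would otherwise let the extractor produce a strong-RSA solution instead of a witness.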
Building blocks: Signatures, Encryption, Efficient zero-knowledge proofs, Commitments
Signatures with protocols
Main requirement: efficient proofs of knowledge of a signature
Design guidelines:
– (Some degree of) re-randomizability
– No random oracles
• no hashing of message/attribute through random oracles
• no output of RO in signature
– Message(s) appear where efficient ZK proofs can be performed
• discrete log, RSA: in exponents (for generalized Schnorr proofs)
Camenisch-Lysyanskaya signatures [CL01]
Public key: RSA modulus $N$, random $a,b,d \in QR_N$
Secret key: $p,q$ such that $N = pq$
To sign message $m \in \{0,1\}^l$:
– choose random prime $e > 2^l$
– choose random integer $s \approx N$
– compute $c$ such that $d = a^m b^s c^e \pmod N$
– signature is $(c,e,s)$
Verification: check that $m \in \{0,1\}^l \wedge e > 2^l \wedge d = a^m b^s c^e \pmod N$
Security: unforgeable under the strong RSA assumption
Observations about CL signatures
Somewhat re-randomizable: if $(c,e,s)$ is a valid signature, $d = a^m b^s c^e \pmod N$, then $(c^* = c\,b^r,\ e,\ s^* = s - e\,r)$ is also a valid signature:
$d = a^m b^{s - er} (c\,b^r)^e = a^m b^{s^*} (c^*)^e \pmod N$
Generalized Schnorr proofs: can prove any statement of the form
$PK\{ (x_1,\dots,x_n) : \bigwedge_i \big( C_i = \prod_j A_{i,j}^{x_j} \pmod{N_i} \big) \}$
Can prove knowledge of a CL signature: reveal the re-randomized value $c^*$ and keep the non-re-randomizable values $e$ and $s^*$ in the exponents.
Prove knowledge of signature on revealed $m$
Prover holds $(c,e,s)$ and re-randomizes it to $(c^*,e,s^*)$.
Prover sends $c^*$, $m$, and $PK\{(e,s^*) : d\,a^{-m} = b^{s^*} (c^*)^e\}$.
Verifier obtains no information on the underlying $(c,e,s)$, so prover remains anonymous.
Prove knowledge of signature on hidden $m$
Prover holds $(c,e,s)$ and re-randomizes it to $(c^*,e,s^*)$.
Prover sends $c^*$ and $PK\{(e,s^*,m) : d = a^m b^{s^*} (c^*)^e\}$.
Verifier obtains no information on the underlying $(c,e,s)$ or on $m$, so prover remains anonymous.
Building blocks: Signatures, Encryption, Efficient zero-knowledge proofs, Commitments
Commitment schemes
Composite-order Pedersen commitments: choose random $s$, commitment $C := a^m b^s \pmod N$.
Nicely fits generalized Schnorr proofs:
$PK\{ (x_1,\dots,x_n) : \bigwedge_i \big( C_i = \prod_j A_{i,j}^{x_j} \pmod{N_i} \big) \}$
Obtaining signature on committed value
User (holding $msk$) computes $C := a^{msk} b^{s'}$ and sends $C$ together with $PK\{(msk,s') : C = a^{msk} b^{s'}\}$ to the issuer (public key $N, a, b, d$).
Issuer computes $(c,e,s'')$ such that $d = C\,b^{s''} c^e \pmod N$ and returns it.
User’s signature on $msk$ is $(c,e,s = s' + s'')$.
Issuer obtains no information on $msk$, so prover remains anonymous (cf. blind signatures).
Prove knowledge of signature on committed value
User (holding $msk$ and the re-randomized $(c^*,e,s^*)$) computes $C^* := a^{msk} b^r$ and sends $C^*$, $c^*$, and
$PK\{(msk,r,e,s^*) : C^* = a^{msk} b^r \wedge d = a^{msk} b^{s^*} (c^*)^e\}$ to the verifier (public key $N, a, b, d$).
CL signatures on multiple messages
Public key: RSA modulus $N$, random $a_1,\dots,a_n,b,d \in QR_N$
Secret key: $p,q$ such that $N = pq$
To sign messages $m_1,\dots,m_n \in \{0,1\}^l$:
– choose random prime $e > 2^l$
– choose random integer $s \approx N$
– compute $c$ such that $d = a_1^{m_1} \cdots a_n^{m_n} b^s c^e \pmod N$
– signature is $(c,e,s)$
Now can embed multiple attributes in a single credential!
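The slides from "Camenisch-Lysyanskaya signatures" through "CL signatures on multiple messages" fit in one small program, so here is an added Python example (not code from the slides, Identity Mixer or U-Prove) that implements them on a toy modulus: CL signing and verification on several attributes, the $(c\,b^r, e, s - er)$ re-randomization, a generalized Schnorr prover and verifier for any conjunction $C_i = \prod_j A_{i,j}^{x_j} \pmod N$ with witnesses shared across equations, issuance of a signature on a Pedersen commitment to a master secret the issuer never sees, and a proof of knowledge of the resulting credential that reveals one attribute and hides the other. Every name (`keygen`, `sign_base`, `gs_prove`, …), the toy primes 2039 and 2063 and the attribute length 16 are my assumptions. The proofs are made non-interactive with a SHA-256 Fiat-Shamir challenge; the "no random oracles" guideline on the earlier slide concerns the signature scheme itself, which here uses none.

```python
"""Toy Camenisch-Lysyanskaya (CL01) signatures with generalized Schnorr proofs.

Added example, not code from the slides, Identity Mixer or U-Prove. Toy sizes:
real systems use 2048-bit moduli and far larger randomness. Needs Python 3.8+
for pow() with negative exponents.
"""
import hashlib
import math
import secrets

L = 16                                 # attribute length l in bits (toy)
P, Q = 2039, 2063                      # constructed toy safe primes
N, PHI = P * Q, (P - 1) * (Q - 1)      # PHI = phi(N) is the issuer's secret

def random_prime_above(bits):
    """Random prime e with 2^bits < e < 2^(bits+1); trial division suffices here."""
    while True:
        e = secrets.randbits(bits) | (1 << bits) | 1
        if all(e % i for i in range(2, int(e ** 0.5) + 1)):
            return e

def random_qr():                       # random element of QR_N: square of a unit
    while True:
        h = secrets.randbelow(N - 2) + 2
        if math.gcd(h, N) == 1:
            return pow(h, 2, N)

def mexp(base, x):                     # base^x mod N, negative x allowed
    return pow(base, x, N)

def prod_bases(bases, exps):           # prod_i bases[i]^exps[i] mod N
    out = 1
    for base, x in zip(bases, exps):
        out = out * mexp(base, x) % N
    return out

def keygen(n_attrs):
    """Public key a_1..a_n, b, d in QR_N; the secret key is the factorisation."""
    return {"a": [random_qr() for _ in range(n_attrs)], "b": random_qr(), "d": random_qr()}

def sign_base(pk, base):
    """Issuer: (c, e, s'') with d = base * b^s'' * c^e (mod N). base is either
    prod a_i^{m_i} or a user commitment a^msk b^s' the issuer cannot open."""
    e = random_prime_above(L)
    s2 = secrets.randbelow(N)                                   # s ~ N
    target = pk["d"] * mexp(base * mexp(pk["b"], s2) % N, -1) % N
    return pow(target, pow(e, -1, PHI), N), e, s2               # e-th root needs PHI

def sign(pk, msgs):
    return sign_base(pk, prod_bases(pk["a"], msgs))

def verify(pk, msgs, sig):
    """m_i in {0,1}^l, e > 2^l, and d = prod a_i^{m_i} b^s c^e (mod N)."""
    c, e, s = sig
    return (all(0 <= m < (1 << L) for m in msgs) and e > (1 << L)
            and prod_bases(pk["a"] + [pk["b"], c], msgs + [s, e]) == pk["d"])

def rerandomize(pk, sig):
    """(c b^r, e, s - e r) is another valid signature on the same messages."""
    c, e, s = sig
    r = secrets.randbelow(N)
    return c * mexp(pk["b"], r) % N, e, s - e * r

def _challenge(eqs, ts):               # Fiat-Shamir challenge over statement and t_i
    return int.from_bytes(hashlib.sha256(repr((eqs, ts)).encode()).digest(), "big")

def gs_prove(eqs, witnesses):
    """PK{ (x_j) : AND_i target_i = prod base_ij^{x_j} }. eqs is a list of
    (target, [(base, j), ...]); witnesses are the integers x_j, shared by index."""
    r = [secrets.randbits(N.bit_length() + L + 256 + 80) for _ in witnesses]
    ts = [prod_bases([b for b, j in terms], [r[j] for b, j in terms]) for _, terms in eqs]
    c = _challenge(eqs, ts)
    return ts, [rj - c * xj for rj, xj in zip(r, witnesses)]    # s_j := r_j - c x_j in Z

def gs_verify(eqs, proof):
    """Accept iff t_i = target_i^c * prod base_ij^{s_j} for every equation i."""
    ts, z = proof
    c = _challenge(eqs, ts)
    return all(t == mexp(target, c) * prod_bases([b for b, j in terms], [z[j] for b, j in terms]) % N
               for (target, terms), t in zip(eqs, ts))

def demo_blind_issuance_and_show():
    # credential on (birth year, msk): issuer never sees msk; user later shows only the year
    pk = keygen(2)
    a_year, a_msk, b, d = pk["a"][0], pk["a"][1], pk["b"], pk["d"]
    year, msk = 1973, secrets.randbelow(1 << L)                 # constructed attributes
    s1 = secrets.randbelow(N)
    C = prod_bases([a_msk, b], [msk, s1])                       # Pedersen commitment to msk
    open_eq = [(C, [(a_msk, 0), (b, 1)])]                       # PK{(msk,s'): C = a^msk b^s'}
    if not gs_verify(open_eq, gs_prove(open_eq, [msk, s1])):
        return False
    c, e, s2 = sign_base(pk, mexp(a_year, year) * C % N)        # d = a_year^year C b^s'' c^e
    sig = (c, e, s1 + s2)                                       # user sets s = s' + s''
    c_star, e, s_star = rerandomize(pk, sig)                    # reveal fresh c*, hide e and s*
    show_eq = [(d * mexp(a_year, -year) % N, [(a_msk, 0), (b, 1), (c_star, 2)])]
    return verify(pk, [year, msk], sig) and gs_verify(show_eq, gs_prove(show_eq, [msk, s_star, e]))
```

The showing equation is the slide's $d\,a^{-m} = b^{s^*} (c^*)^e$ with the hidden attribute moved back into the product, and the issuance step is the "signature on committed value" slide: the issuer only ever handles $C$, and the user's final $s = s' + s''$ makes the ordinary `verify` succeed. The random exponents $r_j$ in `gs_prove` are deliberately much longer than $c \cdot x_j$, which is what keeps the integer responses from leaking the witnesses.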
And it gets even better…
Zero-knowledge proofs of CL signatures
Prove knowledge of valid signature on revealed $m$
Prove knowledge of valid signature on hidden $m$
Prove knowledge of valid signature on committed $m$
Prove knowledge of valid signature on $m_i$, $i \in S \subseteq \{1,\dots,n\}$
Prove knowledge of valid signature on $m \in [a,b]$
Prove knowledge of multiple signatures with relations among messages
Credential revocation
Limited spending
…
→ Identity Mixer anonymous credential system
Anonymous credential revocation
Pseudonyms → standard CRL doesn’t work
Limited validity: need periodic updating
Multiple use cases and solutions
– Dynamic accumulators
– Signing entries and proofs
Limited spending
Pseudonyms → standard counting doesn’t work
Set limits to credential usage
– Restrict total #logins (information-theoretic for small #)
– Restrict simultaneous #logins (need verifiable random functions)
Alternatively, usage can be bound to a secure hardware token
Oblivious transfer with anonymous access control
Oblivious transfer
– User obtains at most one record per query
– Database does not learn which record was selected
– (Database does not learn identity of user)
(Example: DNA database)
Oblivious transfer with (anonymous) access control
– Separate access control list per record
– User obtains at most one record to which she has access
– Database does not learn which record was selected
– Database does not learn identity of user
Priced oblivious transfer
– Different price per record
– User cannot obtain more records than credit allows
Anonymous secret handshakes
Alice and Bob define predicates $P_A$, $P_B$ on each other’s credentials.
Alice learns whether Bob satisfies $P_A$ iff Alice satisfies $P_B$ (and vice versa).
Conclusion
WE WANT YOU TO DEVELOP PQ-PETS