The Alphabet of ABCs
OUrsi
Greg Alpár
[email protected]
Open Universiteit & Radboud University
April 4, 2017
1 / 22
Outline
Motivation: Identity in the digital world
Attribute-based credentials and tricks
Ongoing and future work
2 / 22
Attribute-based identity management
3 / 22
Motivation: Identity in the digital world
4 / 22
Users: security, privacy, usability
5 / 22
É
Password is often not secure
É
Authentication: always identifying
É
Many types of authentication
É
Mobile devices
Network-based and claim-based identity management
IRMA Demo (demo.irmacard.org):
6 / 22
É
IRMATube
É
≥ 18
É
name
Goals
É
Independence between issuing and showing: time and protocol
É
Privacy
É
Credential: security for the system
É
É
É
É
Credential: privacy for the user
É
É
É
7 / 22
Authenticity
Integrity
Non-transferability
Issuer unlinkability (blind signature, randomisation)
Multi-show unlinkability (randomisation, zero-knowledge
proofs)
Attribute-based credentials
Attribute-based credentials and tricks
8 / 22
Recap: public-key cryptography
É
É
Pair: public key, secret key
Applications:
É
Encryption: message encryption to the recipient
É
É
Signature: signature verification
É
É
e.g. RSA sig: s = m1/e mod n
Authentication: proof of secret key
É
Certificate on the public key (by CA/Issuer)
É
Public-key infrastructure (PKI)
É
Note: public key is an identifier
É
É
Attribute certificate:C≥18 = Sign(skAuth , “Over 18” )
BUT, general privacy problems:
É
É
9 / 22
e.g. RSA enc: c = me mod n, where n = p · q
Issuer (authority) linkability
Multiple showing linkability
Hard problems, i.e. Assumptions
Typically, computational problems are defined in a large finite
mathematical structure. (We omit the underlying structures here.)
g, y = g x
discrete logarithm
x
e, c = me
RSA
m
Strong RSA
m0 , e 0
c = me
m, n, c = me n f
10 / 22
Representation
e0 , f 0
Discrete logarithm – a toy example
g, y = g x
discrete logarithm
x
The exponents of 23 modulo 29 (the order is q = 7):
0
1
1
23
23, 25
Dlog23 25 = 5
11 / 22
2
7
3
16
4
20
5
25
6
24
discrete logarithm
7
1
...
...
5
A “too simple” proof of knowledge
How can public-key cryptography be used for authentication?
É
Discrete logarithm: “I know the discrete logarithm
x = Dlog g h.”
Prover
Secret: x
(G, q), g, h = g x
Verifier
x
−−−−−−−−→
?
h = gx
É
12 / 22
“Now you also know the discrete logarithm Dlog g h.” /
A zero-knowledge proof [Schnorr 91]
É
É
É
Discrete logarithm: “I know the discrete logarithm
x = Dlog g h.”
P K{x|h = g x }—Proof of Knowledge
Interactive
(1)
Prover
Secret: x
random w
a := g w
(1) Commitment
(2) Challenge
(3) Response
13 / 22
a
c
r := c · x + w
Verifier
−−−−−−−−→
←−−−−−−−−
(2)
(3)
g, h = g x
r
−−−−−−−−→
random c
?
a = g r · h−c
Attribute-based credential (ABC)
certificate (sig. on PK/SK)
signature
ABC
block of messages
h(PK)1/e
m1/e
h(m1 k . . . km` )1/e
h(PKkm1 k . . . km` )1/e
/
Problem: e.g. all message components have to be known to check
the signature!
14 / 22
Attribute-based credential (ABC) – Attempt 2
h(PK)1/e
h(PKkm1 k . . . km` )1/e
m1/e
/
h(m1 k . . . km` )1/e
Camenisch–Lysyanskaya signature: (A, e, v) on m : A =
Assumptions: Strong RSA, Representation
Z
1/e
Z
S v Rm
15 / 22
1/e
S v Rsk

Z
m
m
S v R1 1 ...R` `

1/e
Z
S v Rm
Z
m
‹1/e
‹1/e
m
S v Rsk R1 1 ...R` `
,
CL Signature Randomisation
m
m
Signature (the public key is Z, S ; “msg” is R0 = Rsk R1 1 . . . R` ` ):
(A, e, v) where A =

Z
S v · R0
‹1/e
?
Verification: Z = Ae · S v · R0
Randomisation:
É
Select random r
É
A := A · S −r , v := v + er =⇒ (A, e, v) is a randomised signature.
É
Indeed:
É
Can we achieve untraceability with randomisation?
e
A S v R0 = Ae S −er S v S er R0 = Ae S v R0 = Z.
What about e?
16 / 22
How to hide e? – i.e. Multi-show Unlinkability
É
Randomised signature: (A, e, v)
e
m
m
A S v Rsk R1 1 . . . R` ` = Z.
É
Representation problem is hard:
?
Z; (A, S, R, R1 , . . . , R` ) −→ “(e, v, sk, m1 , . . . , m` )”
É
So, to prove that she has a signature:
É
É
U gives A (i.e. a part of the randomised signature) and
U proves that she knows the exponents (i.e. a
representation)
e
m
m
P K{(e, v, sk, m1 , . . . , m` ) : Z = A S v Rsk R1 1 . . . R` ` }.
But then selective disclosure is easy!
17 / 22
Selective disclosure
É
Zero-knowledge proof about all exponents:
e
m
m
m
m
P K{(e, v, sk, m1 , m2 , m3 , . . . , m` ) : Z = A S v Rsk R1 1 R2 2 R3 3 . . . R` ` }.
É
Disclose some and prove the rest; e.g.:
U −→ V disclose m1 , m2 and prove:
−m1 −m2
R2 .
Having m1 , m2 , V can compute ZR1
−m1 −m2
R2
P K{(e, v, sk, m1 , . . . , m` ) : ZR1
18 / 22
e
U proves:
m
m
= A S v Rsk R3 3 . . . R` ` }.
Ongoing and future work
19 / 22
Recent research
1. Revocation: “How to revoke anonymous credentials?”
É
Epoch-based revocation (Lueks et al. Fast Revocation of
Attribute-Based Credentials for Both Users and Verifiers,
2016): U’s unique r value, g ev = H(epochkver i f ier)
É
É
g0 , h0 , x x x P K{r, . . . |h0 = g0r ∧ ABC . . .}
g1 , h1 , P K{r, . . . |h1 = g1r ∧ ABC . . .}
2. Phone vs smart card: “a phone is convenient but not secure”
É
É
É
Secret sharing of the secret key between cloud and phone
Computation of proofs without recovering secret key
Implemented; however, yet to be written
3. RSA is old and big: “use elliptic-curve crypto (ECC)”
É
É
20 / 22
New scheme: Ringers et al. An efficient self-blindable
attribute-based credential scheme, 2017
Implementation is on the way
Applications
1. Attribute-based signature (ABS): “An ABC proof as a
signature” (Hampiholi et al. Towards practical
Attribute-Based Signatures, 2015)
2. Airbnb: “A house also has an identity”
3. Internet of Things: “Control and minimise data collection
wherever possible” (Alpár et al. New Directions in IoT
Privacy Using Attribute-Based Authentication, 2016)
4. Webshop: “Why not minimise data at every transactions?”
Attribute-based identity management
−→ Attribute-based transactions
21 / 22
Thank you
22 / 22