abcs in theory and practicerfidsec2015.iaik.tugraz.at/wp-content/uploads/2015/... · abcs in theory...
TRANSCRIPT
ABCs in Theory and Practice
RFIDsec 2015, TUTORIAL
Gergely AlpárRadboud, ICIS DS
June 23, 2015
Page 1 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Currently we are here...
Motivating Attribtues
Attribute-based identity management
Crypto of ABCs
“[By 2025 f]ew individuals will have the energy,
interest, or resources to protect themselves from
dataveillance; privacy will become a luxury.”
[Pew Research Center, December 2014]
Page 2 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Motivating Attribtues
Authentication
I Passwords• “38% of adults sometimes think it would be easier to solve world
peace than attempt to remember all their passwords” [HarrisInteractive, 2012]
I Many accounts at service providers
I Identity management• Users• Identity provider(s) = Issuer• Service providers = Relying party = Verifier
Page 3 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Motivating Attribtues
Problems with Identity Management
I Security• Single point of failure• Valuable target
I Privacy• Can log in (often)• Linking all user activities• Profiling
Page 4 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Motivating Attribtues
Authorisation is necessarily identifying
Page 5 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Motivating Attribtues
Outline
Motivating Attribtues
Attribute-based identity management
Crypto of ABCs
Page 6 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Motivating Attribtues
Currently we are here...
Motivating Attribtues
Attribute-based identity management
Crypto of ABCs
Identity and Attributes
[FIDIS 2005]
Page 7 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Attribute-based identity management
Digital Identity
I AttributesI Partial identities
I Identifying and non-identifying attributes
I Typical authorisation: Username + authentication + lookup
I Authorisation based on attributes• Directly looking up relevant attributes• Identifying and non-identifying authorisation (DEMO: � 18)
Page 8 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Attribute-based identity management
Identity Management
Page 9 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Attribute-based identity management
Attribute-Based Identity Management
Page 10 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Attribute-based identity management
Attribute-Based Credential
Page 11 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Attribute-based identity management
Issuing and Showing
Page 12 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Attribute-based identity management
Currently we are here...
Motivating Attribtues
Attribute-based identity management
Crypto of ABCs
Plan for Crypto
I Commitment
I Zero-knowledge proof
I Attribute-based credential (ABC)
I Selective disclosure
Page 13 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Commitment
I (Temporary) secret in a box with a padlockI . . . and a key.I Phases:
• Commit• Opening
I Examples (related to the DL problem) – secret value x :• h = g
x (mod p). Commit: h, g , p; Opening: x .• h = g
r · g x
1
(mod p). Commit: h, g , g1
, p; Opening: r , x .I Computational hiding and perfect binding.
ORI Perfect hiding and computational binding. [Damgård 99]
Problem 3 The exponents of 23 modulo 29 (the order is q = 7):0 1 2 3 4 5 6 7 ...1 23 7 16 20 25 24 1 ...
Page 14 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Where’s Waldo? – Zero-Knowledge Proof
Page 15 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Where’s Waldo? – Zero-Knowledge Proof
[Naor et al. 99]
Page 16 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Where’s Waldo?
Page 17 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Ali Baba – Zero-Knowledge Proof
[Quisquater et al. 89]
Page 18 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Ali Baba – Zero-Knowledge Proof
Commitment and Challenge
Page 19 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Ali Baba – Zero-Knowledge Proof
Response and Verification Problems 1, 2
Page 20 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
A “Too Simple” Proof
I Let us work in G of order qI Discrete logarithm: “I know the discrete logarithm x = log
g
h.”
Prover G, g , q, h = g
x
Verifier
Secret: x
x��������!h
?= g
x
I “Now you also know the discrete logarithm logg
h.” /
Page 21 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Schnorr’s Proof of Knowledge [Schnorr 91]
I Let us work in G of order qI Discrete logarithm: “I know the discrete logarithm x = log
g
h.”I PK{�|h = g
�}—Proof of KnowledgeI Interactive
Prover G, g , q, h = g
x
Verifier
Secret: x
(1) w 2R
Zq
a := g
w
a��������!(2) c �������� c 2
R
{0, 1}(3) r := c · x + w (mod q)
r��������! a
?= g
r · h�c
(1) Commitment(2) Challenge(3) Response
Page 22 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Simulated Communication
I Let us work in G of order qI “I seem to know the discrete logarithm log
g
h.” ,I Simulated conversation: transcriptI Choose c 2
R
{0, 1}, r 2R
Z⇤q
a := g
r · h�c
Transcript and verification:
(a, c , r) a
?= g
r · h�c
Page 23 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Schnorr’s Proof of Knowledge [Schnorr 91]
I Let us work in G of order qI Discrete logarithm: “I know the discrete logarithm log
g
h.”I PK{�|h = g
�}—Proof of KnowledgeI Interactive
Prover G, g , q, h = g
x
Verifier
Secret: x
(1) w 2R
Zq
a := g
w
a��������!(2) c �������� c 2
R
[0, 2128 � 1](3) r := c · x + w (mod q)
r��������! a
?= g
r · h�c
(1) Commitment(2) Challenge(3) Response
Page 24 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Schnorr Signature, i.e. Schnorr with Fiat–Shamir[FS 86]
I Discrete logarithm: “I know the discrete logarithm logg
h.”I Non-interactive: SPK{�|h = g
�}(n)• Challenge c is generated by a hash H• H : {0, 1}⇤ ! [0, 2128 � 1] (128-bit output)
Prover G, g , q, h = g
x ,H Verifier
Secret: x
n �������� n 2R
Zq
w 2R
Zq
a := g
w
c := H(a, n)
r := c · x + w (mod q)a,r���������! a
?= g
r · h�H(a,n)
Page 25 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
How to Design ABCs? – In Three Simple Steps
Step 1 Take a commitment scheme
Step 2 Generalise it to multiple values
Step 3 Sign the extended commitment
Step +1 Apply here and there zero-knowledge proofs
Page 26 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Example: Idemix
Page 27 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Hard Problems
Discrete logarithm RSA Strong RSA
Page 28 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Idemix ABC – Based on CL Signature
I Camenisch–Lysyanskaya (CL) signature [CL 01, CL 02]I Strong RSA assumption [BP 97, FO 97]
• RSA (n = pq) =) Taking the eth root is hard• Strong =) DL is hard
I Group QRn
:• p, q are safe primes (p = 2p0 + 1, q = 2q0 + 1 s.t. p
0, q0 primes)• Quadratic residues in Z⇤
n
• QRn
is a subgroup of order '(n)/4I Notation:
• Some group elements that you’ll see: A,Z , S ,R ,R1
,R2
,R3
, . . .• Some further integers (exponents): e, v , a, . . .
I Let’s “design” Idemix’s ABCs
Page 29 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Step 1: Commitment
Take a commitment scheme – Pedersen on a
1
R
a · Ra
1
1
where a is random.
Page 30 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Step 2: Generalisation
Extend it to multiple values – generalise Pedersen on (a1
, . . . , aL
)
R
a · Ra
1
1
· . . . · Ra
L
L| {z }Q
L
i=1
R
a
i
i
where a is random.
Page 31 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Step 3: Signature
Sign the extended commitment – CL on attributes: a
1
, . . . , aL
A :=
Z
S
v · Ra ·QL
i=1
R
a
i
i
!1/e
(mod n)
where (a), v , e are random.
Page 32 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Step 3: Signature
Sign the extended commitment – CL on attributes: a
1
, . . . , aL
A :=
Z
S
v · Ra ·QL
i=1
R
a
i
i
!1/e
(mod n)
where (a), v , e are random.
Page 33 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
CL Signature: Idemix ABCs
(A, e, v) where A ⌘
Z
S
v · Ra ·QL
i=1
R
a
i
i
!1/e
(mod n)
I Commitment• Binding: computational (representation problem)• Hiding: perfect (randomised)
I CL Signature• Private key: p, q; Public key: n = pq, Z , S , “all Rs”• A bit like RSA: ( · )1/e (mod n)• More complicated: advanced functions
I Issuing: blind signature (zero-knowledge proof)
Page 34 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Issuing and Showing
Page 35 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
CL Signature: Verification
Signature:
(A, e, v) where A ⌘
Z
S
v · Ra ·QL
i=1
R
a
i
i
!1/e
(mod n)
I Public key: n,Z , S ,R ,R1
, . . . ,RL
I Attributes (block of messages): (a), a1
, . . . , aL
I Verification:
Z
?⌘ A
e · Sv · Ra ·LY
i=1
R
a
i
i
| {z }R
0
(mod n)
I IdP �! U; U �! V
Page 36 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
CL Signature Randomisation
Signature:
(A, e, v) where A ⌘✓
Z
S
v · R 0
◆1/e
(mod n)
I Select random r
I A := A · S�r (mod n), v := v + er
Problem 6 (Hint: The verification is Z
?⌘ A
e · Sv · R 0 (mod n))
I Indeed, (A, e, v) is valid:A
e
S
v
R
0 ⌘ A
e
S
�er
S
v
S
er
R
0 ⌘ A
e
S
v
R
0 ⌘ Z (mod n).
I Can we achieve untraceability with randomisation?
What about e?
Page 37 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
How to hide e? – i.e. Multi-show Unlinkability
I Randomised signature: (A, e, v)
A
e
S
v · Ra ·LY
i=1
R
a
i
i
⌘ Z (mod n).
I Representation problem is hard:
n; Z ; (A, S ,R ,R1
, . . . ,RL
)?�! “(e, v , a, a
1
, . . . , aL
)00
I So, to prove that she has a signature:• U gives A (i.e. a part of the randomised signature) and• U proves that she knows the exponents (i.e. a representation)
PK{(", ⌫,↵,↵1
, . . . ,↵L
) : Z ⌘ A
"S
⌫R
↵LY
i=1
R
↵i
i
(mod n)}.
But then selective disclosure is easy!
Page 38 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
Selective disclosure
I Zero-knowledge proof about all exponents:
PK{(", ⌫,↵,↵1
, . . . ,↵L
) : Z ⌘ A
"S
⌫R
↵LY
i=1
R
↵i
i
(mod n)}.
I Disclose some and prove the rest; e.g.:U �! V disclose a
1
, a2
and prove:
PK{(", ⌫,↵,↵3
, . . . ,↵L
) : Z · R�a
1
1
· R�a
2
2
⌘ A
"S
⌫R
↵LY
i=3
R
↵i
i
(mod n)}.
Generalise: Problem 7
Page 39 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs
In Sum: ABCs are Powerful!
I Security• Authenticity• Integrity• Non-transferability
I Privacy• Issuer unlinkability• Multi-show unlinkability• Selective disclosure (data minimisation)
I Techniques and their smart-card implementations• IBM’s Idemix [CL 01, CL 02] ! [VA 13]• Microsoft’s U-Prove [Brands 99] ! [MV 12]• Anonymous Credentials Light [BL 13] ! [HRP 15] (tomorrow)
Page 40 of 40 http://www.cs.ru.nl/~gergely June 23 ABC Tutorial
Crypto of ABCs