Anonymous Identification in Ad Hoc Groups

New York, NY, USAApril 6th, 2004

Yevgeniy Dodis, Antonio Nicolosi, Victor Shoup{dodis,nicolosi,shoup}@cs.nyu.edu

New York University

Aggelos Kiayiasaggelos@cse.uconn.edu

University of Connecticut

April 6, 2004 Antonio Nicolosi — NYU 2

Enabling Privacy-Aware Access Control

• Want to control access to many objects– Each with its own set of authorized users

• For privacy concerns, users won’t reveal their identity when accessing an object

• Solution: – Have one ad hoc group for each object– To access an object, users anonymously

identify as members of corresponding group

April 6, 2004 Antonio Nicolosi — NYU 3

Example: Access-controlled Blog

• Alice is keeping a cool blog about her poems• Since she’s shy, she only wants her friends to

access it• But her friends are shy, too: • Maybe one of them is making too much

reading …

Solution: Ad Hoc Anonymous Identification scheme

April 6, 2004 Antonio Nicolosi — NYU 4

Identification Schemes

April 6, 2004 Antonio Nicolosi — NYU 5

Anonymous Identification

April 6, 2004 Antonio Nicolosi — NYU 6

Anonymous Identification (cont’d)

• Alice cannot tell whom she is talking to– Even in the case of two sessions with

the same user (unlinkability)

April 6, 2004 Antonio Nicolosi — NYU 7

Ad Hoc Groups

“Structured” Groups vs.

• E.g. organizations

• Group Manager

• Users need a different key per group

Ad Hoc Groups

• E.g. poetry clubs

• No central authority

• Can use same key for multiple groups

April 6, 2004 Antonio Nicolosi — NYU 8

Ad Hoc Anonymous ID: Syntax

• Setup: system-wide initialization phase

• Register: per-user initialization– Each user picks a secret key/public key pair– Run only once, regardless of # groups user joins

• Make-GPK: combines a set of PKs into one GPK

• Make-GSK: combines a user’s SK with a set of PKs, yielding a single GSK

• Anon-ID: protocol between a group member (holding GSK) and a verifier (holding GPK)

April 6, 2004 Antonio Nicolosi — NYU 9

Ad Hoc Anonymous ID: Syntax (cont’d)

• Make-GPK (running time / to group size)

• Make-GSK (running time / to group size)

• Anon-ID (constant running time)

April 6, 2004 Antonio Nicolosi — NYU 10

Background: One-Way Functions

• At the core of all modern Cryptography– Several instances are widely accepted …– … but nobody knows if they exist (in

particular, cannot exist if P = NP)

• Family of functions easy to compute, but very hard to invert at a random point

x f(x)

easy

HARD

April 6, 2004 Antonio Nicolosi — NYU 11

Background: Accumulators

• Intuition: Secure Dictionary ADT– Element Insertion/Membership Testing

• Element Insertion– Adding to a set yields a different, larger set

– Adding to an accumulator yields a different value of the same size + a witness

April 6, 2004 Antonio Nicolosi — NYU 12

Background: Accumulators (cont’d)

• Membership Testing– Sets are transparent: anybody can

inspect their content

• … unless the proper witness is known

– Accumulators are opaque:• Infeasible to check for membership …

• Hard to compute “fake witness’’

April 6, 2004 Antonio Nicolosi — NYU 13

Constructing Ad Hoc Anonymous ID

• Make-GPK combines PKs by inserting them all into the accumulator

• Make-GSK runs as Make-GPK, but also keeps track of SK and of the witness for PK • In the Anon-ID protocol, the user proves that1. he knows the SK corresponding to

some PK2. PK has been added in the accumulator

• Register sets SK=random, PK=f( SK )

April 6, 2004 Antonio Nicolosi — NYU 14

Ad Hoc Anonymous ID: Variations

• Identity Escrow– To prevent abuse of anonymity,

possible to amend the scheme so that user identity can be recovered by a trusted party

• Supporting large ad hoc groups– If group changes, need to build new

value of GPK from scratch with Make-GPK

– But if changes are just user additions, can compute new GPK (and GSK) efficiently

April 6, 2004 Antonio Nicolosi — NYU 15

Summary• We propose a novel

cryptographic functionality (Ad Hoc Anonymous ID) enabling flexible, privacy-aware access control

• We discuss possible variations to handle identity escrow and growing ad hoc groups

• We design an instance based on a new tool (One-Way Accumulators), efficiently constructible based on standard assumptions

April 6, 2004 Antonio Nicolosi — NYU 16

Any questions?

Thank you!