Efficient Selective Disclosure on Smart Cards using Idemixpim/talks/20130408_idman.pdf · Smart...

$: Efficient Selective Disclosure on Smart Cards using Idemixpim/talks/20130408_idman.pdf · Smart cards are \Big Brother’s little helper" (Stefan Brands) With Oyster / OV-chipcard$
IntroductionIdemix Credentials

Smart Card ImplementationPerformance Results

SummaryRadboud University Nijmegen

Efficient Selective Disclosure on Smart Cardsusing Idemix

Pim Vullers Gergely Alpar

Institute for Computing and Information Sciences – Digital SecurityRadboud University Nijmegen

Conference on Policies & Research in Identity Management8th April 2013

Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 1 / 18




Attributes on Smart Cards

Privacy issues

• Smart cards are “Big Brother’s little helper” (Stefan Brands)

• With Oyster / OV-chipcard / Charlie / . . . , you tell who youare when you get on a bus, metro, train, . . .

• Identity-based solutions violate their users’ privacy(and increase identity-fraud risk)

Attribute-based credentials

• Attribute-based authorisation:only provide the information which the system needs

• Example of attribute-based credentials (electronic wietpas):

• card only says “I’m a Dutch citizen, and my age is over 18”





Outline

Introduction

Idemix Credentials

Smart Card Implementation

Performance Results

Summary





Credential-based System

The ideas

• Attributes: grouped in credentials

• Data minimisation: selective disclosure

• Unlinkability: randomisation & zero-knowledge

A credential

• Attributes

• Secret key

• Issuer’s signature





Protocols

1 Credential issuance• Blind signature generated by the issuer over the secret key of

the card and the attributes to be issued.• Issuer unlinkability

2 Attribute verification

I Proof generation / presentation• Selective disclosure of the credential’s attributes• Randomisation of the issuer’s signature

II Proof verification / authentication• Verify the zero-knowledge proof using the issuer’s public key• Multi-show unlinkability





Idemix specifics

Camenisch-Lysyanskaya signature scheme

• Keys: (n,S ,Z ,R0...l), (p′, q′) where n = (2p′ + 1)(2q′ + 1)

• Signature: (A, e, v) where A =

(Z

Sv∏l

i=0 Rimi

)e−1 mod p′q′

mod n

Credentials

• Secret key: m0

• Attributes: m1 . . .ml

Verification

• Randomisation (with r): A′ = A · S r mod n, v ′ = v − e · r

• Zero-knowledge proof of e and undisclosed mi





Outline

Introduction

Idemix Credentials


Performance Results

Summary





Smart Card Platforms

Java Card

+ High-level (object-oriented) programming language

+ Widely spread / high availability

− Limited cryptographic API / no mathematical API

MULTOS

+ Low-level access to the cryptographic co-processor

+ Proper cryptographic/mathematical API

+ Very flexible memory management

− Low-level language causes a steep learning curve.

− Limited amount of RAM available





Design of the System

Java

platform

Idemix

application Terminal

service

Idemix

library

(a) Terminal

MULTOS

platform

Idemix

applicationAPDU

handling

Recipient/Prover

cryptography

(b) Card

Figure : System architecture for Idemix on a smart card.

• Terminal service translates IBM’s Idemix commands and datatypes into APDU commands for smart card communication

• MULTOS implementation, limited by smart cardcharacteristics, is 95% compatible with Idemix Library





Outline

Introduction

Idemix Credentials


Performance Results

Summary





Related Work on Smart Cards

Related work

• Bichsel et al. (IBM Research, 2009), ± 7.5 secCamenisch & Lysyanskaya anonymous credential system

• Sterckx et al. (KU Leuven, 2009), ± 3 secDirect anonymous attestation

Our previous results


• Batina et al. (RU Nijmegen, 2010), ± 1.5 secHoepman et al. (RU Nijmegen, 2010), ± 0.6 sec

Self-blindable certificates of Verheul

• Mostowski and Vullers (RU, 2011), ± 0.5 - 0.9 secU-Prove selective disclosure (2-5 attributes)




Issuance Performance

2.2622.379

2.4542.522

2.605

1.6961.758 1.781 1.796 1.809

1 2 3 4 5

#attributes

0

1.5s

2.5s

time

Figure : Credential issuance times ( : computation, : overhead).





Presentation Performance

1.099

0.997

0.895

0.969

0.869

0.768

0 1 2

#disclosed

0

0.75s

1.5stime

(a) 2 stored attributes

1.454

1.352

1.226

1.149

1.025

0.947

1.287

1.185

1.063

0.985

0.864

0.784

0 1 2 3 4 5

#disclosed

0

0.75s

1.5stime

(b) 5 stored attributes

Figure : Attribute verification times ( : computation, : overhead).





U-Prove Comparison

1.454

1.352

1.226

1.149

1.025

0.947

1.287

1.185

1.063

0.985

0.864

0.784

0 1 2 3 4 5

#disclosed

0

0.75s

1.5stime

(a) Idemix

869814

764708

651594

648586

530469

406343

0 1 2 3 4 5

#disclosed

0

1000

time (ms)

(b) U-Prove

Figure : Attribute verification times ( : computation, : overhead).





Summary

• Efficient MULTOS implementation of the Idemix technology

• Multi-show unlinkability of the credentials on the smart card

• Attribute-based credentials on smart cards are possible

• Major improvement over IBM’s DAA implementation

Next steps:

• Studying other technologies

• Practicing with other platforms

• Making anonymous credentials usable: IRMA





IRMA – I Reveal My Attributes

Tuesday 9th April 201309:15 – 10:15 Second keynote session: Bart Jacobs

Towards Practical Attribute-Based Identity Management:the IRMA Trajectory.

https://www.irmacard.org/Pim Vullers IFIP IDMAN 2013 Efficient Selective Disclosure using Idemix 16 / 18

https://www.irmacard.org/




Demo





Questions


Efficient Selective Disclosure on Smart Cards using Idemixpim/talks/20130408_idman.pdf · Smart...

Documents

Transcript of Efficient Selective Disclosure on Smart Cards using Idemixpim/talks/20130408_idman.pdf · Smart...