University of Groningen - Mathematics department TNO ICT Security group

Master’s Thesis / Internship Luuk Danes

Smart card integration in the pseudonym system idemix

2

Introduction

• Master’s Thesis for Mathematics• Internship at TNO ICT

• Presentation for the TNO ICT Security Group (May 2007):• The properties of idemix• Aspects on privacy and identity theft• Ideas for implementation

• This presentation:• Less about the properties of idemix• More about protocols and mathematics• Integration of a smart card in idemix

3

Overview

• Context

• idemix

• Use case

• Smart card integration

• Building blocks of idemix

• Zero-knowledge proofs

• Complications on smart card integration

• Solutions for smart card integration

4

Context / pseudonymity

• A new approach:Don not ask for an identity, ask for what you need.

• Using pseudonyms:It does not matter which identity someone has, but which credentials he owns.

• If an organisation does not have your identity information,it can not leak or link it.

• Unlinkability

5

idemix

• IdeMix: identity mixer

• A pseudonym system, developed by IBM

• It consists of mathematical protocols

• Pseudonyms• A user communicates under pseudonyms with organisations• A pseudonym is bound to an identity

• Credentials• Organisations sign combinations of a pseudonym

and a statement concerning the user

6

Use case

Rent-a-car

: Car Rental

7

Use case: Car Rental

My name is Alex

Authorisation

Name, Date of Birth, Place of Birth, Address, Social Security Number

8

Authorisation

Use case: Car Rental using

I am Alex

Alex owns a driver’s license

I am BobBob owns a driver’s license

9

Can we integrate a smart card in idemix ?

10

Building blocks of idemix

• User’s master key xU

• Public Key of an organisation (nO,aO,bO,dO,gO,hO)• nO special RSA modulus, nO = pq = (2p’+1)(2q’+1)• aO, bO,dO,gO,hO in the group of Quadratic Residues QRnO

• Pseudonyms of a user with an organisation PUO• Binding to xU• Hiding xU• PUO = aO

Xu bOSuo mod nO

• Credential triples (c,e,r)• ‘A RSA-signature on the combination of

a pseudonym and a credential identifier’• ce = PUO br dO mod nO • c = (PUO br dO)d with d such that de = 1 mod Φ(nO)

Setup

FormNym

GrantCred

11

Building blocks of idemix

• Verify that the user owns a triple (c,e,r) such that ce = PUO br dO mod nO for a specific credential value dO

• Check that it is bound to a user’s master key xU

• The values c, e, r, xU, sUO must remain secretto avoid linkability

• Verify that the user owns a triple (c,e,r) obtained from the Issuer. And the pseudonym at the Issuer and the Verifier are bound to the same user.

• As in VerifyCred• But also check whether PUI and PUV are bound to the same xU

VerifyCred

VerifyCredOnNym

12

Authorisation

Use case: Car Rental using

I am BobBob owns a driver’s licenseZero-knowledge proof

I am Alex

Alex owns a driver’s license

13

Zero-knowledge proof: Ali-Baba

Peggy Victor

14

Zero-knowledge proof: Schnorr

CommitmentChoose r at random [0,p-1]Calculate R = gr mod p Challenge

Choose c = 0 or 1ResponseCalculate s = r + c x mod p-1 Verification

Check whethergs = gr gcx = R Xc mod p

R

c

s

X = gx mod pX, x X

P V

15

Proof of knowledge of commitment opening

X = gx hr mod nX, x, r X

CommitmentChoose r1, r2 at random [0,2Lr)Calculate R = gr1 hr2 mod n Challenge

Choose c at random [0,2Lc)Response

Calculate s1 = r1 + c x in Z s2 = r2 + c r in Z

VerificationCheck whetherRXc = gs1 hs2 mod n

R

c

s1,s2

P V

16

Zero-knowledge proofs for VerifyCred and VerifyCredOnNym

• VerifyCred

• VerifyCredOnNym

17

A complication: the smart card

• A smart card contains a micro processor• …but cannot be compared to a desktop pc!

• idemix uses heavy calculations:exponentiations with large numbers

• An example:

7013000258548773281133802936979029275099074080163480608318827013660038389437689460544053073329681466827545934060726847978297341102074276355801925688083211771943935266718197425726773408111960575720453978337676152347563715881277780861723460280649870108203093127958014879038780492417171168767551456133842819854

76152975134493896342316580079988669967664159646389215023630080838741997955792050706289259074782565561093737224996682680072825033231130971000565613558230979346118664186677897213109730811414004300898673243381813034322659709590300235658417873375122887185724692840829802563143700262103910200639706081203658025999

135066410865995223349603216278805969938881475605667027524485143851526510604859533833940287150571909441798207282164471551373680419703964191743046496589274256239341020864383202110372958725762358509643110564073501508187510676594629205563685529475213500852879416377328533906109750544334999811150056977236890927563

32395047257389933651665486724416025722572979703763044539188730413808452785341898771314904444469602336922226959799217892915638692602869771931032375134406804291168265137164720027740223721996018236503537923186072058477350438818347594952548224194423911032628667272843550471671496192090336051552058830620843966126

= mod 1253

5 125=≈ 60 ms ≈ 1,5 sec

18

Solution 1: Optimising the interval proofs

• Exact interval proofs (Boudot 2000) cost about 22 exponentiations per interval.

• We can use expanded interval proofs instead.

xU

secure master key interval

The Prover starts with X = gx hr mod n with x in [a,b]

The Verifier checks whether the response s1 (= r1 + cx) lies in the correct interval.Then he is convinced that x in [ a – m(b-a), b + m(b-a) ]

a b

a – m(b-a) b + m(b-a)

19

Solution 2: Distribution of computation load

• Untrusted terminal (pay terminal)• We may give no information to the terminal, because

pseudonyms and credentials are ‘linking information’

• Trusted terminal (phone, digital wallet)• Distribution of computation load• We can keep the user’s master key on the smart card

and give the pseudonyms and credentials to the terminal.

20

Solution 2: Distribution of computation load

21

Conclusions

• For security: integration of a smart card in idemix has to be done with a lot of care. (not mentioned earlier in this talk)

• No exact interval proofs are needed;use expanded interval proofs instead.

• With an untrusted terminal all user-side calculations has to be done on the smart card → VerifyCredOnNym takes +/- 17 seconds.

• With a trusted terminal the calculations can be distributed over the smart card and terminal → VerifyCredOnNym takes +/- 6 seconds.

• It is possible to integrate a smart card in idemix (in such manner that users do not have to wait too long)

22

More information…

• Website about this thesis: http://www.luukluuk.nl/idemix

23

Questions?

24www.luukluuk.nl/idemix

Thank you for your attention

25