Pseudonym and Anonymous Credential Systems
Transcript of Pseudonym and Anonymous Credential Systems
Pseudonym and Anonymous Credential Systems
Gihyuk Ko
Carnegie Mellon University
slides from Kyle Soska
Moving Past Encryption
β’ Encryption DOES:β’ Hide the contents of messages that are being communicated
β’ Provide tools for authenticating messages
β’ Encryption DOES NOT:β’ Hide who is communicating with who
β’ Hide an upper bound on how much they are communicating
β’ Hide timing information or other aspects of the communication
Sensitive Information
Alice Employer
(Name, Birthday, SSN, Employee Review)
(Name, Birthdate, SSN, Patient File, β¦)
(Name, Birthdate, SSN, Prescriptions, β¦)
(Name, Birthdate, SSN, DNA Fingerprint, β¦)
Hospital
Pharmacy
DNA ProfilingLaboratory
Information Sharing Concerns
(Alice, 1-1-1970, 123-45-6789, Patient File, β¦)
SELECT * FROM patients WHEREName = βAliceβ and SSN = 123-45-6789
β’ An employer and a hospital could share information to give the employer Aliceβs medical records
β’ The employer could learn that Alice is going to have a baby soon or that she has some illness and choose to fire her
Sensitive Information
β’ Problem: Alice uses her real identity (personally identifying information) to authenticate to different organizations
β’ These organizations can collude and share data to learn a lot about Alice that she does not want them to know
β’ Employer learns that she is going to have a baby
β’ Insurance company learns that she has a genetic pre-disposition for cancer
β’ Etc.
β’ Question: How do we resolve this problem?
β’ Idea: Donβt use real personal information to authenticate to these organizations
Sensitive Information
xXA1ic3Xx
(xXA1ic3Xx, Birthday, Employee Review)
(xXA1ic3Xx, Birthdate, Patient File, β¦)
(xXA1ic3Xx, Birthdate, Prescriptions, β¦)
(xXA1ic3Xx, Birthdate, DNA Fingerprint, β¦)
Employer
Hospital
Pharmacy
DNA ProfilingLaboratory
Sensitive Information
β’ Problem: Even if Alice uses a Nym not connected with her real identity, if she uses the same Nym with different organizations, then data-sharing attacks are still possible
β’ Data sharing attacks are leverage the fact that Aliceβs Nyms are linkable, information associated with one of her Nyms can be linked to her other Nyms
β’ Idea: Use a different Nym for each organization
Nym Linkability
ID DOB SSN
Alice 1-1-1970 123-45-6789
Bob 1-1-2000 111-11-1111
Charlie 12-31-1999 555-55-5555
David 7-7-1970 777-77-777
ID DOB SSN
April 4-20-1996 001-01-1101
Alyssa 1-1-1970 123-45-6789
Charlie 12-31-1999 555-55-5555
Don 8-8-1991 999-99-9999
Different name but same value for a unique field, and same birthday
employee-listpatient-list
Sensitive Information
{xXA1ic3Xx, aLiCe, yasuo_only, rengar_only}
(xXA1ic3Xx, Birthday, Employee Review)
(aLiCe, Birthdate, Patient File, β¦)
(yasuo_only, Birthdate, Prescriptions, β¦)
(rengar_only, Birthdate, DNA Fingerprint, β¦)
Employer
Hospital
Pharmacy
DNA ProfilingLaboratory
Sensitive Information
β’ Problem: What happens when different organizations do need to communicate?
β’ Ex. Hospital needs to transfer prescriptions to pharmacy
β’ We want selective information disclosure
β’ Problem: Users can share identities with each other
β’ Alice wants to share her medical insurance with all of her friends
How to share information?
{aLiCe, yasuo_only}
(aLiCe, Birthdate, Patient File, β¦) (yasuo_only, Birthdate, Prescriptions, β¦)
Prescription foraLiCe I donβt know who aLiCe is,
you are yasuo_only
If prescriptions written for aLiCe were able to be redeemed by yasuo_only, then Alice could sell her prescription to someone else, or her prescription could be stolen etc.
Hospital Pharmacy
Paradox of Information Sharing & Unlikability
β’ Organization 1 and Organization 2 want to exchange important information about Alice
β’ Ex. A Drug Prescription
β’ The organizations need to make sure they are referring to the same person, (the identities are linkable)
β’ The pharmacy needs to make sure that Alice is really the person that the prescription was written for
β’ Aliceβs identities need to be unlinkable so that nothing but the allowed informationcan be shared
Cryptography To The Rescue
β’ Alice will generate a single master key (public, private)
β’ Alice will register her key pair with a trusted CA, her key pair will be her nym with the CA
β’ Alice establishes a different nym with each organization such that her interactions with each organization are unlinkableβ’ Does not consider timing information or side channels
β’ An organization can grant Alice a credential that attests to some property
β’ Alice can convince another organization of some property by showing them a credential that was previously granted to Aliceβ’ This process is referred to as transferring a credential
Actors and Objects
β’ πͺπ¨: Unique certification authority, trusted by all actors in the system
β’ πΌ: A user (Possibly many users)
β’ π·πΌ, πΊπΌ: Master public key and secret key of π
β’ π(π, π): Set of nyms π has generated with π
β’ π(π): Set of nyms π has generated with anyone
β’ πΆ: An organization (Possibly many organizations)
β’ π·πΆ, πΊπΆ: Master public key and secret key of π
β’ π·πΆπͺ , πΊπΆ
πͺ : Public and secret key of π for credential πΆ
β’ π΅(πΆ): Set of nyms π has generated with any user
β’ ππ,π: User Uβ²s nym with organization π
β’ πΊπππ: Asymmetric key generation algorithm for generating master keypair
CA
π1, ππ1,πΆπ΄ π2, ππ2,πΆπ΄
π, (ππ, ππ)
1. Establish ππ,πΆπ΄
2. Establish ππ,π13. Establish ππ,π2
4. πͺπΌ,πΆπ 5. πͺπΌ,πΆπ
System Overview
Organization 1 Organization 2
credential
Intuitive Goals
1. We want a system where users can create pseudonyms with different organizations, possibly multiple pseudonyms with the same organization
2. No set of organizations can collaborate to link pseudonyms of a user, an organization cannot link the multiple pseudonyms from the same user
3. A user can prove a statement from one organization to another organization using credential transfer
β’ Ex. The hospital has granted a prescription for Alice to the pharmacy
4. No set of users or organizations can forge a credential
5. Users cannot share credentials with each other
β’ A user cannot give their health insurance to a friend
Generating Userβs Master Key
β’ User master key generation: User generates a master key pair derived from the computational discrete log problemβ’ π = 2π + 1 for π, π large π-bit prime numbers
β’ πΊπ = ππ β€π = π is the quadratic residue subgroup of β€π which has order π
β’ Let π β πΊπ be a public generator
β’ User selects π₯ βπ β€π and computes ππ₯ πππ π
β’ Userβs Private Key: π₯
β’ Userβs Public Key: ππ₯ πππ π
β’ The user shares this public key with the CA. The CA checks that Alice is a real person and that she has not already registered an account with the system
π1, ππ1,πΆπ΄ π2, ππ2,πΆπ΄
ππ΄, (ππ,π΄, ππ,π΄)
1. Establish ππ,π1 2. Establish ππ,π2
3. πͺπΌπ¨,πΆπ 5. πͺπΌπ¨,πΆπ
β’ We want a scheme that lets Alice can βredeemβ πΆππ΄,π1, but not Bob
β’ How can we achieve this? What is the difference between Alice and Bob?
ππ΅ , (ππ,π΅, ππ,π΅)
6. πͺπΌπ¨,πΆπ
4. πͺπΌπ¨,πΆπ
Transferring Credentials
Transferring Credentials
β’ ππ΄ and ππ΅ have different nyms at π1 and π2, namely πππ΄,π1 β πππ΅,π2, πππ΄,π2 β πππ΅,π2β’ What if the credential πΆππ΄,π1 carries information about πππ΄,π1?
β’ What if the credential πΆππ΄,π1 carries information about πππ΄,π2?
β’ Credentials are supposed to be unlinkable, so tying the credential to the userβs nyms is not good!
β’ ππ,π΄, ππ,π΄ β ππ,π΅, ππ,π΅β’ What if the credential πΆππ΄,π1 carries information about ππ,π΄?
β’ What if the credential πΆππ΄,π1 carries information about ππ,π΄?
β’ Secret keys must be kept secret and public keys can be forged by anyone since they are public!
Userβs Master Key
β’ All of the actions that a user performs are somehow tied to their master secret key
β’ A userβs nym with the CA is their public key
β’ A userβs nyms with other organizations are derived from their master secret key
β’ Transferring a credential requires computations with the master secret key
β’ Corollary: sharing a credential requires sharing the master secret key which is sufficient for identity theft
Generating Nyms
β’ Secure interactive protocol between two parties π: ππ , ππ , π: ππ, ππ
β’ Public Input: ππ, the public key of the organization
β’ Userβs Private Input: ππ , ππ
β’ Organizationβs Private Input: ππ
β’ Common Output: ππ,π
β’ Private User Output: ππΌπ,ππ
β’ Private Organization Output: ππΌπ,ππ
ππ, ππππ, ππ , ππ
I want to generate a nym with you
Interactive nym generation protocol
ππ, ππ , ππ, πΊπ°πΌ,πΆπΌ , π΅πΌ,πΆ ππ, ππ , ππ, πΊπ°π΅,πΆ
πΆ , π΅πΌ,πΆ
Generating Nyms
Zero Knowledge Proofs
β’ Interactive protocol between a prover π and a verifier π
β’ π wants to prove to π that he knows something, but without revealing any information other than that βhe knows somethingβ
β’ Soundness: π cannot prove false statements to the π
β’ Completeness: Proofs of true statements by π will be accepted by π
β’ Zero Knowledge: π will not learn anything other than the truth of the statement being proven
ZK Proof Example
β’ Alice (the prover π) wants to prove to Bob (the verifier π) that she knows how to unlock the door
β’ If she let him watch her open the door, it would convince him that she knows how, but he might learn something about how she does it
β’ Instead they devise the following game to convince Bob that Alice knows how to unlock the door
β’ Start with a locked door
ZK Proof Example
β’ Bob goes and hides and lets Alice pick one of the hallways to walk down
β’ Alice flips a coin and picks either left or right to walk down
β’ Heads = Leftβ’ Tails = Right
ZK Proof Example
β’ Bob flips a coinβ’ Heads = Leftβ’ Tails = Right
β’ Bob then yells down the hallway and demands that Alice appear from that side
β’ If Alice is already on the same side she simply walks out
ZK Proof Example
β’ Bob flips a coinβ’ Heads = Leftβ’ Tails = Right
β’ Bob then yells down the hallway and demands that Alice appear from that side
β’ If Alice is already on the same side she simply walks out
β’ If Alice is on the wrong side she needs to unlock the door
ZK Proof Example
β’ Is this sound? Can Alice prove false statements to Bob?
β’ Is this complete? Will Bob always accept true statements?
β’ Is this zero-knowledge? Does Bob learn anything other than the truth about whether or not Alice can unlock the door?
ZK Proof Example
β’ Can Bob convince Charlie that Alice knows how to unlock the door?
β’ If the proof fails, if Alice comes out from the wrong side, does this prove that Alice does not know how to unlock the door?
What does Zero Knowledge mean?
β’ What does it mean to say that π does not learn any knowledge other than the truth of the statement being proven?β’ What is knowledge? β Hard question, will not attempt to answer
β’ What does it mean to say that π gained no knowledge?
β’ What does it mean to say that π gained no knowledge?β’ π after executing the protocol cannot do anything that π½ cannot already do
β’ in particular πβ²π ability to compute statements
β’ Even the protocol generated by the proof interactions between π and π could have been generated by π
β’ To prove that π gained no knowledge from the interaction, we construct an algorithm called a βsimulatorβ where π generates a transcript of the protocol that is indistinguishable from a real interaction with π
ZKP of Equality of Discrete Logarithm
β’ π: Prover
β’ π: Verifier
β’ Common Input: π, πβ² βπ β€π Γ β€π generators, β, ββ² β β€π Γ β€π
β’ π wants to convince π that it knows an π₯ β β€π s. t. β = ππ₯, ββ² = πβ²π₯
β’ π does not want π to learn the value of π₯ or otherwise be able to compute it any easier because of their interaction
β’ We will use an interactive zero-knowledge protocol to prove this statement
ZKP of Equality of Discrete Logarithm
π β π: Choose π βπ β€π, Send π΄ = ππ, π΅ = πβ²π
π β π: Choose π βπ β€π, Send (π)
π β π: Send (π¦ = π + ππ₯ πππ π)
π: Check that ππ¦ = π΄βπ and πβ²π¦ = π΅ββ²π
Check:ππ¦ = ππ+ππ₯ = πππππ₯ = π΄πππ₯ = π΄βπ
πβ²π¦ = πβ²π+ππ₯ = πβ²ππβ²ππ₯ = π΅πβ²ππ₯ = π΅ββ²π
β’ Is this sound?
β’ Is this complete?
β’ Is this zero-knowledge?
β’ If the prover showed this protocol to the verifier a few days later, would the verifier recognize it?
β’ Produce a βblindedβ version of the protocol where it will not be recognized.
β’ Transcripts: {(A,B), (c), (y)}
β’ Can someone get any information on x from this?
ππ, ππππ, ππ , ππ
I want to generate a nym with you
Interactive nym generation protocol
ππ, ππ , ππ, πΊπ°πΌ,πΆπΌ , π΅πΌ,πΆ ππ, ππ , ππ, πΊπ°π΅,πΆ
πΆ , π΅πΌ,πΆ
Generating Nyms
Nym Generation Protocol
β’ π: ππ , ππ , ππ = ππ₯, π₯ , ππ¦
β’ π: ππ, ππ = (ππ¦ , π¦)
π: Choose πΎ βπ β€π, Set πβ² = ππΎ , πβ² = πβ²π₯
π β π: Send πβ², πβ²
π: Choose π βπ β€π, Set π = πβ²π
π β π: Send π
π: Compute π = ππ₯
π ββ π: Execute Ξ to show that logπ π = ππππβ² πβ²
π, π: Remember πβ²π nym as π = π, π
Issuing Credential
β’ π: ππ, ππ , ππ = ππ₯, π₯ , ππ¦, ππ,π = π, π = ππ₯ = ππΎπ , ππΎππ₯
β’ π: ππ, ππ = ππ¦, π¦ , ππ,π = (π, π)
β’ Public Credential Key: π, β1, = ππ 1 , β2 = ππ 2 , Secret Credential Key: π 1, π 2
π β π: Send π΄ = ππ 2 , π΅ = πππ 2 π 1
π: Choose πΎ βπ β€π
π ββ π: Run Ξ to show logπ π΄ = logπ β2 with verifier input πΎ, Obtain transcript π1
π ββ π: Run Ξ to show log(π,π΄) π΅ = logπ β1 with verifier input πΎ, Obtain transcript π2
π: Remember credential πΆπ,π = (ππΎ , ππΎ, π΄πΎ, π΅πΎ , π1, π2)
Transferring Credential
β’ πβ²π public credential keys: π, β1 = ππ 1 , β2 = ππ 2
β’ πβ²π nym with πβ²: (πβ²β², πβ²β²) where πβ²β² = πβ²β²π₯
β’ Userβs credential from π: πΆπ,π = πβ², πβ², π΄β², π΅β², π1, π2
πβ²: Verify correctness of π1 and π2 as transcripts for Ξ ππΌ
by showing logπβ² π΄β² = logπ β2 and logπβ²π΄β² π΅
β² = logπ β1
π ββ πβ²: Execute protocol Ξ to show logπβ² πβ² = logπ π
Single-Use / Multiple-Use Credentials
β’ Single-Use Credential: May safely be used once, but if used more than once, it would allow the userβs nyms to be linked together
β’ Multiple-Use Credential: May safely be used unlimited times without allowing the userβs nyms to be linked
β’ K-Use Credentials?β’ Can you create a credential that can be used a finite number of times before being able to link
together a userβs nyms?
β’ Yes, but its hard and very complicated
Expiration Date
β’ Add a date field into the non-interactive proof protocol such that the verifier only accepts if the current date is less than the expiration date
β’ Also needs to add corresponding fields into the credential and the corresponding machinery when verifying the credential
Revocation of Credential
β’ This is going to require a trusted third party like CA
β’ Revocations would have to be input with the CA
β’ When a credential is used, before it is verified, the organization will check with the CA to see if the credential has been revoked
Are there other problems here?
{aLiCe, yasuo_only}
(aLiCe, Birthdate, Patient File, β¦) (yasuo_only, Birthdate, Prescriptions, β¦)
Prescription foraLiCe I donβt know who aLiCe is,
you are yasuo_only
Credentials for a Review System?
{aLiCe} {b0B}
Interactive Point of Sale
Leave a ReviewQuery Reviews
Thanks!