1 / 62

Anonymous Credentials

Anonymous Credentials. Gergely Alpár Collis – November 24, 2011. Crypt assumptions. Crypt assumptions. My assumptions. Modular computation: addition, multiplication Public-key cryptography (PKI) Cryptographic hash function Concatenation. Overview. Zero-knowledge proof of knowledge

adanne
Download Presentation

Anonymous Credentials

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Anonymous Credentials Gergely Alpár Collis – November 24, 2011

  2. Crypt assumptions

  3. Crypt assumptions

  4. My assumptions • Modular computation: addition, multiplication • Public-key cryptography • (PKI) • Cryptographic hash function • Concatenation

  5. Overview • Zero-knowledge proof of knowledge • Credentials • Discrete logarithm preliminaries • U-Prove • RSA preliminaries • Idemix • Comparison

  6. Zero-knowledge proofs

  7. Current practice It’s wachtw0ord2011 I know the password! I don’t believe you. Yes, indeed.

  8. Zero-knowledge proof I can prove it. No, I don’t show it, but I’ll convince you that I know it. I know the secret! I don’t believe you. I'll believe it when I see it. A hard problem

  9. Waldo and ZK

  10. Where’s Waldo? Source: findwaldo.com // The Gobbling Gluttons Idea: Moni Naor et al. How to Convince Your Children You are not Cheating, 1999

  11. ZK – Ali baba’s cave

  12. Credentials

  13. Credential flow

  14. Anonymity requirements • Untraceability • Multi-show unlinkability • Selective disclosure • Attribute property proof • Revocation by user • Revocation by issuer Age > 18 Valid

  15. High-level approaches • Every time: issuing before showing (U-Prove, 1999) • Untraceability • Showing with zero-knowledge proof (Idemix, 2001) • Untraceability and unlinkability • Randomize (self-blindable, 2001) • Unlinkability and untraceability

  16. History of anonymous credentials 1986: Non-interactive ZK (Fiat & Shamir) 2002: Idemix JAVA implementation 2010-14: ABC4Trust (IBM & MS) 2001: Idemix crypto (Camenisch & Lysyanskaya) 1978: RSA 1990-91: Schnorr identification and signature 2010: Microsoft’s U-Prove impl. 1981: Digital pseudonym (Chaum) 1976: Public-key crypto (Diffie & Hellman) 1985: Zero-knowledge proof (GMR) 1999: U-Prove crypto (Brands) 2009: Light-weight Idemix impl. (IBM) 2000 2010 1970 1980 1990

  17. Discrete logarithm – preliminaries

  18. Modular computation mod n ax 73 = 343 = 7.47 + 14 = 14 mod 47 mod n log7 14 = 3 mod 47 logax

  19. Modular exponentiation 10x mod 53 102 103 104 101 1013 x

  20. Discrete logarithm (p = 53, q = 13) 10x mod 53 log10 24= ? mod 53 x

  21. Discrete logarithm (p = 389, q =97) log13 193= ? mod 389 13x mod 389 x

  22. p ~ 21024, q ~ 2160 gb = h(modp) where the order of g isq 120647512938908028867388901435622501660544582652084763778469179795603511596928068284302347645679661284502756586088182980185380205485840303823342758131447025760358124071773512320456087558761236652680084522358687865972828438154299478474984622198115039866220934797393671281602442459774704328099491586290681366721842531452715241719233458597619542522728958116591 = 54908600274008470198448664033645016278929009692729460183531661597245923990838629299281250570649704467074998536491481089013147840556922261199819117470352438726889035130940581816459311611337430791063760559062579953505419658290163926050903654308761279654642666891806788178269114799030238674475936287917164274641 (mod 147540829457233765072451123330814771849279870508740658191364766390571127595133276091294946062334381927384270351919254939797952329145575009188956176344993292905052474988906261438800251337646245695529118629813762877963253295780055957721171296243452181910303437299543284160580397044072404446659484077705433238843)

  23. Efficiently computable • Random numbers • 4, 1, 4, 2, 1, 3, 5, 6, 2, 3, 7, 3, 0, 9, 5, 0, 4, 8, 8, 0, 1, 6, 8, 8, 7, 2, 4, 2, 0, 9, 6, 9, 8, 0, 7, 8, 5, 6, 9 • Modular addition and multiplication • a.b + c (mod n) • Modular exponentiation • 326 = 3(11010) = 32.38.316 = 3 (mod 11) • 32 = 9 mod 11 • 38 = (((9)2)2 mod 11 = 5 mod 11 • 316 = 52 mod 11 = 3 mod 11

  24. ZK as a basic building block U-Prove showing Zero-knowledge (ZK) proof of knowledge Schnorr identification Blind signature Schnorr signature U-Prove issuance

  25. U-Prove

  26. Crypt assumptions Discrete logarithm assumption

  27. Schnorr identification • Complete (P: “If I know, I can convince you.”) • Sound (V: “If you don’t know, you cannot convince me.”) • Zero-knowledge

  28. From outside

  29. Simulation  Zero-knowledgeness Real communication Simulated communication

  30. Schnorr identification

  31. Schnorr identification

  32. Non-interactive Schnorr (Fiat—Shamir)

  33. Schnorr signature (freshness)

  34. Schnorr signature

  35. Schnorr blind signature

  36. Schnorr blind signature

  37. Credential flow Issuing Showing

  38. DL representation

  39. Brands’ issuing protocol (U-Prove)

  40. Brands’ showing protocol (U-Prove)

  41. Selective disclosure (U-Prove) • Certain attributes are revealed • Others are proven in the token but remaining hidden R

  42. Selective disclosure (U-Prove)

  43. RSA – preliminaries

  44. Crypt assumptions Integer factorization is hard

  45. RSA signature – recap

  46. Strong RSA assumption Integer factorization n p, q RSA problem c, e m c = me (mod n) Strong RSA problem c m, e

More Related