Smart card integration in the pseudonym system idemix
Master's Thesis / Internship, Luuk Danes
University of Groningen - Mathematics department
TNO ICT Security group
Introduction • Master’s Thesis for Mathematics • Internship at TNO ICT • Presentation for the TNO ICT Security Group (May 2007): • The properties of idemix • Aspects on privacy and identity theft • Ideas for implementation • This presentation: • Less about the properties of idemix • More about protocols and mathematics • Integration of a smart card in idemix
Overview • Context • idemix • Use case • Smart card integration • Building blocks of idemix • Zero-knowledge proofs • Complications on smart card integration • Solutions for smart card integration
Context / pseudonymity • A new approach: do not ask for an identity, ask for what you need. • Using pseudonyms: it does not matter which identity someone has, but which credentials he owns. • If an organisation does not have your identity information, it cannot leak or link it. • Unlinkability
idemix • IdeMix: identity mixer • A pseudonym system, developed by IBM • It consists of mathematical protocols • Pseudonyms: a user communicates under pseudonyms with organisations; each pseudonym is bound to the user's master key $x_U$ • Credentials: organisations sign combinations of a pseudonym and a statement concerning the user
Use case: Car Rental
Use case: Car Rental (diagram: the customer states "My name is Alex" and hands over Name, Date of Birth, Place of Birth, Address and Social Security Number in exchange for authorisation)
Use case: Car Rental using idemix (diagram: the customer appears under a pseudonym, "I am Alex" or "I am Bob", and shows only the credential "Alex owns a driver's license" / "Bob owns a driver's license" in exchange for authorisation)
Building blocks of idemix: Setup, FormNym, GrantCred
• User's master key $x_U$
• Public key of an organisation $(n_O, a_O, b_O, d_O, g_O, h_O)$
  • $n_O$ a special RSA modulus: $n_O = pq = (2p'+1)(2q'+1)$ with $p, q, p', q'$ prime
  • $a_O, b_O, d_O, g_O, h_O$ in the group of quadratic residues $QR_{n_O}$
• Pseudonym of a user with an organisation: $P_{UO}$
  • binding to $x_U$, hiding $x_U$
  • $P_{UO} = a_O^{x_U}\, b_O^{s_{UO}} \bmod n_O$
• Credential triples $(c, e, r)$: "an RSA signature on the combination of a pseudonym and a credential identifier"
  • $c^e = P_{UO}\, b_O^{r}\, d_O \bmod n_O$
  • $c = (P_{UO}\, b_O^{r}\, d_O)^{e'} \bmod n_O$ with $e' e \equiv 1 \pmod{\varphi(n_O)}$; only the organisation, which knows $p$ and $q$, can compute $e'$
Building blocks of idemix: VerifyCred, VerifyCredOnNym
• VerifyCred
  • Verify that the user owns a triple $(c, e, r)$ such that $c^e = P_{UO}\, b_O^{r}\, d_O \bmod n_O$ for a specific credential value $d_O$
  • Check that it is bound to a user's master key $x_U$
  • The values $c, e, r, x_U, s_{UO}$ must remain secret to avoid linkability
• VerifyCredOnNym
  • Verify that the user owns a triple $(c, e, r)$ obtained from the Issuer, and that the pseudonym at the Issuer and the pseudonym at the Verifier are bound to the same user
  • As in VerifyCred, but also check whether $P_{UI}$ and $P_{UV}$ are bound to the same $x_U$
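The Setup, FormNym and GrantCred steps of the two slides above, as a small Python re-implementation added to this page (it is not the thesis' or IBM's code). Assumptions of the example: tiny parameters (40-bit safe primes, a 32-bit $x_U$, a 24-bit prime $e$) so that it runs in well under a second, the user alone chooses $s_{UO}$ (in idemix it is generated jointly with the organisation), and the equation behind VerifyCred is checked in the clear instead of in zero knowledge.

```python
"""Toy re-implementation of the idemix building blocks from the slides:
special RSA modulus, FormNym, GrantCred and the signature equation behind
VerifyCred. Illustration only: parameters are tiny and there is no
zero-knowledge layer, so nothing here hides c, e, r or the pseudonym."""
import math
import secrets

L_X = 32  # bit length of the master key x_U (toy choice of this example)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_safe_prime(bits):
    """p = 2p'+1 with both p and p' prime, p exactly `bits` bits long."""
    while True:
        pp = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(pp) and is_probable_prime(2 * pp + 1):
            return 2 * pp + 1

def random_qr(n):
    """A random element of QR_n other than 1: the square of a random unit."""
    while True:
        u = secrets.randbelow(n - 2) + 2
        if math.gcd(u, n) == 1:
            v = pow(u, 2, n)
            if v != 1:
                return v

class Organisation:
    """Setup: keeps the factorisation secret, publishes (n, a, b, d, g, h)."""
    def __init__(self, bits=40):
        p = random_safe_prime(bits)
        q = random_safe_prime(bits)
        while q == p:
            q = random_safe_prime(bits)
        self.n = p * q
        self.phi = (p - 1) * (q - 1)   # = 4 p' q'
        self.a, self.b, self.d, self.g, self.h = (random_qr(self.n) for _ in range(5))

    def public_key(self):
        return (self.n, self.a, self.b, self.d, self.g, self.h)

    def grant_cred(self, P, e_bits=24):
        """GrantCred: (c, e, r) with c^e = P b^r d mod n. The organisation can
        take e-th roots because it knows phi(n); e must be coprime to phi(n),
        hence a prime e (pow(e, -1, m) needs Python 3.8+)."""
        while True:
            e = secrets.randbits(e_bits) | (1 << (e_bits - 1)) | 1
            if is_probable_prime(e) and math.gcd(e, self.phi) == 1:
                break
        r = secrets.randbelow(self.n)
        e_inv = pow(e, -1, self.phi)
        c = pow(P * pow(self.b, r, self.n) * self.d % self.n, e_inv, self.n)
        return (c, e, r)

def master_key():
    """The user's master key x_U."""
    return secrets.randbits(L_X)

def form_nym(pk, x_u):
    """FormNym: P_UO = a^x_U b^s_UO mod n (simplification: the user picks s_UO alone)."""
    n, a, b, *_ = pk
    s = secrets.randbelow(n)
    return pow(a, x_u, n) * pow(b, s, n) % n, s

def verify_cred(pk, P, cred):
    """The equation VerifyCred convinces a verifier of: c^e == P b^r d mod n.
    Here it is evaluated in the clear; idemix proves it in zero knowledge."""
    n, _, b, d, *_ = pk
    c, e, r = cred
    return pow(c, e, n) == P * pow(b, r, n) * d % n
```

Every failure case a verifier can detect (a tampered $r$, a pseudonym that was never signed, another organisation's key) falls out of the single equation $c^e = P_{UO}\, b_O^{r}\, d_O \bmod n_O$; the slides' zero-knowledge protocols exist only so that this equation can be checked without handing over $c$, $e$, $r$ or $P_{UO}$.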
Use case: Car Rental using idemix (diagram as before; the credential "Alex owns a driver's license" / "Bob owns a driver's license" is now shown with a zero-knowledge proof, after which authorisation follows)
Zero-knowledge proof: the Ali Baba cave illustration (prover Peggy, verifier Victor)
Zero-knowledge proof: Schnorr
The Prover P knows $x$; both P and V know $X = g^x \bmod p$.
• Commitment: P chooses $r$ at random in $[0, p-1]$, computes $R = g^r \bmod p$ and sends $R$.
• Challenge: V chooses $c = 0$ or $1$ and sends $c$.
• Response: P computes $s = r + c\,x \bmod (p-1)$ and sends $s$.
• Verification: V checks whether $g^s = g^r g^{cx} = R\, X^c \bmod p$.
With a one-bit challenge a prover who does not know $x$ still passes a single round with probability 1/2, so the round is repeated (or a longer challenge is used, as on the next slide).
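The Schnorr exchange of this slide written out as the messages each side computes, added here as an example (it is not the thesis' code). Assumptions: toy parameters $p = 1019 = 2 \cdot 509 + 1$ and $g = 4$ (a quadratic residue, so its order is 509); the example also shows the two facts behind the one-bit challenge: a prover without $x$ who guesses the challenge passes exactly when the guess is right, and a prover who can answer both challenges for one commitment reveals $x$.

```python
"""Schnorr's protocol with a one-bit challenge, as on the slide, plus the
guessing attack and the extractor that explain why rounds are repeated.
Toy parameters: nothing here resists brute force."""
import secrets

P = 1019   # safe prime, P = 2*509 + 1 (toy size; assumption of this example)
G = 4      # quadratic residue mod P, hence of prime order 509

def keygen():
    """Secret x and public X = G^x mod P; x in [1, 508] so that X != 1."""
    x = secrets.randbelow(508) + 1
    return x, pow(G, x, P)

def commit():
    """Prover: random r and commitment R = G^r mod P."""
    r = secrets.randbelow(P - 1)
    return r, pow(G, r, P)

def challenge():
    """Verifier: the one-bit challenge of the slide."""
    return secrets.randbelow(2)

def respond(x, r, c):
    """Prover: s = r + c*x mod (P-1)."""
    return (r + c * x) % (P - 1)

def verify(X, R, c, s):
    """Verifier: G^s == R * X^c mod P."""
    return pow(G, s, P) == R * pow(X, c, P) % P

def honest_round(x, X, c=None):
    r, R = commit()
    c = challenge() if c is None else c
    return verify(X, R, c, respond(x, r, c))

def cheat_commit(X, guess):
    """Prover WITHOUT x: bet that the challenge will be `guess`, pick s first and
    set R = G^s * X^(-guess), so the check passes iff the verifier sends c == guess."""
    s = secrets.randbelow(P - 1)
    R = pow(G, s, P) * pow(X, -guess, P) % P   # negative exponent: modular inverse (Python 3.8+)
    return s, R

def cheating_round(X, guess=None, c=None):
    guess = secrets.randbelow(2) if guess is None else guess
    s, R = cheat_commit(X, guess)
    c = challenge() if c is None else c
    return verify(X, R, c, s)

def extract(s0, s1):
    """Special soundness: valid responses to c=0 and c=1 for the SAME commitment
    give x = s1 - s0 mod (P-1). A prover who can answer both challenges knows x."""
    return (s1 - s0) % (P - 1)

def run(rounds, cheat=False):
    """`rounds` independent rounds; a cheater survives all of them with probability 2**-rounds."""
    x, X = keygen()
    for _ in range(rounds):
        if not (cheating_round(X) if cheat else honest_round(x, X)):
            return False
    return True
```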
Proof of knowledge of commitment opening
The Prover P knows $x, r$; both P and V know $X = g^x h^r \bmod n$.
• Commitment: P chooses $r_1, r_2$ at random in $[0, 2^{L_r})$, computes $R = g^{r_1} h^{r_2} \bmod n$ and sends $R$.
• Challenge: V chooses $c$ at random in $[0, 2^{L_c})$ and sends $c$.
• Response: P computes $s_1 = r_1 + c\,x$ and $s_2 = r_2 + c\,r$ in $\mathbb{Z}$ (no modular reduction, since the group order is unknown to P) and sends $s_1, s_2$.
• Verification: V checks whether $R\, X^c = g^{s_1} h^{s_2} \bmod n$.
Zero-knowledge proofs for VerifyCred and VerifyCredOnNym • VerifyCred • VerifyCredOnNym
A complication: the smart card
• A smart card contains a micro processor
• …but cannot be compared to a desktop pc!
• idemix uses heavy calculations: exponentiations with large numbers
• An example (worked out on the slide with 1024-bit operands): one modular exponentiation $x^e \bmod n$ takes ≈ 60 ms versus ≈ 1,5 sec (desktop pc versus smart card)
Solution 1: Optimising the interval proofs
• Exact interval proofs (Boudot 2000) cost about 22 exponentiations per interval.
• We can use expanded interval proofs instead.
• The Prover starts with $X = g^x h^r \bmod n$ with $x \in [a, b]$.
• The Verifier checks whether the response $s_1 (= r_1 + c\,x)$ lies in the correct interval. Then he is convinced that $x \in [a - m(b-a),\ b + m(b-a)]$, where the expansion factor $m$ is determined by the challenge length $L_c$ and the length of the masking value $r_1$.
(Figure: the number line with $x_U$, the interval $[a, b]$ and the expanded interval $[a - m(b-a),\ b + m(b-a)]$, labelled "secure master key interval".)
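The proof of knowledge of a commitment opening from the earlier slide together with the expanded interval check of this slide, as an added Python example (not the thesis' code). Assumptions: a toy modulus $n = 1019 \cdot 1187$ (both safe primes), bases $g = 3^2$ and $h = 7^2$ in $QR_n$, and lengths $L_x = 32$ for $x$, $L_c = 80$ for the challenge and a statistical slack $L_s = 80$ for the masking values, so $L_r = L_x + L_c + L_s$; the interval $[a, b]$ is $[0, 2^{L_x})$. The example shows what the range check on $s_1$ does and does not guarantee.

```python
"""Proof of knowledge of an opening of X = g^x h^rho mod n with integer
responses, and the cheap 'expanded interval' check of the slide.
Toy modulus: real idemix uses >= 1024-bit n with unknown factorisation."""
import secrets

N = 1019 * 1187       # both factors are safe primes (2*509+1, 2*593+1); assumption of this example
G = pow(3, 2, N)      # squares, so G and H lie in QR_n
H = pow(7, 2, N)

L_X = 32              # x is claimed to lie in [a, b] = [0, 2**L_X)
L_RHO = 40            # length of the commitment randomness rho (toy choice)
L_C = 80              # challenge length
L_S = 80              # statistical zero-knowledge slack
L_R = L_X + L_C + L_S  # length of the masking value r1; r2 is L_RHO + L_C + L_S long

def pedersen_commit(x):
    """X = g^x h^rho mod n for a fresh rho."""
    rho = secrets.randbits(L_RHO)
    return pow(G, x, N) * pow(H, rho, N) % N, rho

def prove_step1():
    """Prover's commitment: R = g^r1 h^r2 mod n with r1, r2 long enough to mask c*x and c*rho."""
    r1 = secrets.randbits(L_R)
    r2 = secrets.randbits(L_RHO + L_C + L_S)
    return (r1, r2), pow(G, r1, N) * pow(H, r2, N) % N

def challenge():
    return secrets.randbits(L_C)

def prove_step2(x, rho, r1, r2, c):
    """Responses over the integers: s1 = r1 + c*x, s2 = r2 + c*rho."""
    return r1 + c * x, r2 + c * rho

def verify(X, R, c, s1, s2):
    """Accept iff R X^c == g^s1 h^s2 mod n AND s1 lies in [0, 2**(L_R+1)).
    The range check is the whole interval proof: from two accepting transcripts
    (c != c') one gets |x| = |s1 - s1'| / |c - c'| < 2**(L_R+1), i.e. x lies in
    the EXPANDED interval, not necessarily in [0, 2**L_X)."""
    equation_ok = R * pow(X, c, N) % N == pow(G, s1, N) * pow(H, s2, N) % N
    return equation_ok and 0 <= s1 < 2 ** (L_R + 1)

def expanded_interval(a=0, b=2 ** L_X):
    """The slide's guarantee [a - m(b-a), b + m(b-a)] with m = 2**(L_C + L_S + 1),
    which contains the bound (-2**(L_R+1), 2**(L_R+1)) derived above."""
    m = 2 ** (L_C + L_S + 1)
    return a - m * (b - a), b + m * (b - a)

def run_proof(x, c=None):
    """Whole exchange for a prover who committed to x; returns the verifier's verdict."""
    X, rho = pedersen_commit(x)
    (r1, r2), R = prove_step1()
    c = challenge() if c is None else c
    s1, s2 = prove_step2(x, rho, r1, r2, c)
    return verify(X, R, c, s1, s2)
```

The honest prover always stays inside the response interval (even with the largest $x$ and the largest challenge, $s_1 < 2^{L_r} + 2^{L_r - L_s}$), a value far outside the expanded interval is rejected by the range check alone, and a value just above $2^{L_x}$ is still accepted: that is the slack the "secure master key interval" has to be chosen for.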
Solution 2: Distribution of computation load • Untrusted terminal (pay terminal): we must not give any information to the terminal, because pseudonyms and credentials are 'linking information' • Trusted terminal (phone, digital wallet): distribution of computation load; we can keep the user's master key on the smart card and give the pseudonyms and credentials to the terminal.
Conclusions • For security: integration of a smart card in idemix has to be done with a lot of care (not mentioned earlier in this talk). • No exact interval proofs are needed; use expanded interval proofs instead. • With an untrusted terminal all user-side calculations have to be done on the smart card → VerifyCredOnNym takes +/- 17 seconds. • With a trusted terminal the calculations can be distributed over the smart card and the terminal → VerifyCredOnNym takes +/- 6 seconds. • It is possible to integrate a smart card in idemix (in such a manner that users do not have to wait too long).
More information… • Website about this thesis: http://www.luukluuk.nl/idemix
www.luukluuk.nl/idemix Thank you for your attention