
Master’s Thesis / Internship Luuk Danes

Smart card integration in the pseudonym system idemix. Master’s Thesis / Internship Luuk Danes. Introduction. Master’s Thesis for Mathematics Internship at TNO ICT Presentation for the TNO ICT Security Group (May 2007): The properties of idemix Aspects on privacy and identity theft


Presentation Transcript


  1. Smart card integration in the pseudonym system idemix
     Master’s Thesis / Internship Luuk Danes
     University of Groningen - Mathematics department
     TNO ICT Security group

  2. Introduction
     • Master’s Thesis for Mathematics
     • Internship at TNO ICT
     • Presentation for the TNO ICT Security Group (May 2007):
       • The properties of idemix
       • Aspects on privacy and identity theft
       • Ideas for implementation
     • This presentation:
       • Less about the properties of idemix
       • More about protocols and mathematics
       • Integration of a smart card in idemix

  3. Overview
     • Context
     • idemix
     • Use case
     • Smart card integration
     • Building blocks of idemix
     • Zero-knowledge proofs
     • Complications on smart card integration
     • Solutions for smart card integration

  4. Context / pseudonymity
     • A new approach: do not ask for an identity, ask for what you need.
     • Using pseudonyms: it does not matter which identity someone has, but which credentials he owns.
     • If an organisation does not have your identity information, it cannot leak or link it.
     • Unlinkability

  5. idemix
     • IdeMix: identity mixer
     • A pseudonym system, developed by IBM
     • It consists of mathematical protocols
     • Pseudonyms
       • A user communicates under pseudonyms with organisations
       • A pseudonym is bound to an identity
     • Credentials
       • Organisations sign combinations of a pseudonym and a statement concerning the user

  6. Use case: Car Rental
     [Figure: Rent-a-car]

  7. Use case: Car Rental
     [Figure labels: “My name is Alex”; Name, Date of Birth, Place of Birth, Address, Social Security Number; Authorisation]

  8. Use case: Car Rental using
     [Figure labels: “I am Alex”, “Alex owns a driver’s license”; “I am Bob”, “Bob owns a driver’s license”; Authorisation]

  9. Can we integrate a smart card in idemix ?

  10. Building blocks of idemix
     Protocols: Setup, FormNym, GrantCred
     • User’s master key $x_U$
     • Public key of an organisation $(n_O, a_O, b_O, d_O, g_O, h_O)$
       • $n_O$ special RSA modulus, $n_O = pq = (2p'+1)(2q'+1)$
       • $a_O, b_O, d_O, g_O, h_O$ in the group of quadratic residues $QR_{n_O}$
     • Pseudonyms of a user with an organisation, $P_{UO}$
       • Binding to $x_U$
       • Hiding $x_U$
       • $P_{UO} = a_O^{x_U}\, b_O^{s_{UO}} \bmod n_O$
     • Credential triples $(c, e, r)$
       • ‘An RSA signature on the combination of a pseudonym and a credential identifier’
       • $c^e = P_{UO}\, b^r\, d_O \bmod n_O$
       • $c = (P_{UO}\, b^r\, d_O)^d$ with $d$ such that $de = 1 \bmod \Phi(n_O)$

  11. Building blocks of idemix
     VerifyCred
     • Verify that the user owns a triple $(c, e, r)$ such that $c^e = P_{UO}\, b^r\, d_O \bmod n_O$ for a specific credential value $d_O$
     • Check that it is bound to a user’s master key $x_U$
     • The values $c, e, r, x_U, s_{UO}$ must remain secret to avoid linkability
     VerifyCredOnNym
     • Verify that the user owns a triple $(c, e, r)$ obtained from the Issuer, and that the pseudonyms at the Issuer and the Verifier are bound to the same user.
     • As in VerifyCred
     • But also check whether $P_{UI}$ and $P_{UV}$ are bound to the same $x_U$
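The FormNym and GrantCred equations from slides 10 and 11, carried through as an added example (not code from the thesis or from IBM's idemix). The toy safe primes, the exponent e = 65537, the range of r and every function name are assumptions, and b in the credential equation is taken to be b_O.

```python
# Added example: toy parameters, not secure and not taken from the thesis.
import secrets
from math import gcd

P_SAFE, Q_SAFE = 2039, 2063          # toy safe primes: 2*1019+1 and 2*1031+1
N = P_SAFE * Q_SAFE                  # special RSA modulus n_O
PHI = (P_SAFE - 1) * (Q_SAFE - 1)    # Phi(n_O), known only to the organisation

def random_qr(n):
    """Random quadratic residue mod n other than 1 (square of a random unit)."""
    while True:
        t = secrets.randbelow(n - 2) + 2
        q = pow(t, 2, n)
        if gcd(t, n) == 1 and q != 1:
            return q

def setup():
    """Organisation's public bases a_O, b_O, d_O in QR_n."""
    return {k: random_qr(N) for k in ("a", "b", "d")}

def form_nym(pk, x_u, s_uo):
    """P_UO = a^x_U * b^s_UO mod n: bound to x_U, with s_UO hiding it."""
    return pow(pk["a"], x_u, N) * pow(pk["b"], s_uo, N) % N

def grant_cred(pk, nym, e=65537):
    """Organisation side: c = (P_UO * b^r * d_O)^d with d*e = 1 mod Phi(n)."""
    r = secrets.randbelow(2 ** 16)   # assumed range for r
    d = pow(e, -1, PHI)              # needs the factorisation of n
    c = pow(nym * pow(pk["b"], r, N) * pk["d"] % N, d, N)
    return c, e, r

def check_cred(pk, nym, cred):
    """Plain, non-zero-knowledge check of c^e = P_UO * b^r * d_O mod n."""
    c, e, r = cred
    return pow(c, e, N) == nym * pow(pk["b"], r, N) * pk["d"] % N
```

This check reveals c, e, r and the pseudonym to the verifier, which is exactly the linkability the slide says VerifyCred must avoid by proving the same equation in zero knowledge.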

  12. Use case: Car Rental using
     [Figure labels: “I am Alex”, “Alex owns a driver’s license”; “I am Bob”, “Bob owns a driver’s license”; Zero-knowledge proof; Authorisation]

  13. Zero-knowledge proof: Ali-Baba
     [Figure labels: Peggy, Victor]

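  14. Zero-knowledge proof: Schnorr
     Prover P holds $X, x$ with $X = g^x \bmod p$; Verifier V holds $X$.
     • Commitment: P chooses $r$ at random in $[0, p-1]$, calculates $R = g^r \bmod p$ and sends $R$
     • Challenge: V chooses $c = 0$ or $1$ and sends $c$
     • Response: P calculates $s = r + cx \bmod p-1$ and sends $s$
     • Verification: V checks whether $g^s = g^r g^{cx} = R X^c \bmod p$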

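  15. Proof of knowledge of commitment opening
     Prover P holds $X, x, r$ with $X = g^x h^r \bmod n$; Verifier V holds $X$.
     • Commitment: P chooses $r_1, r_2$ at random in $[0, 2^{L_r})$, calculates $R = g^{r_1} h^{r_2} \bmod n$ and sends $R$
     • Challenge: V chooses $c$ at random in $[0, 2^{L_c})$ and sends $c$
     • Response: P calculates $s_1 = r_1 + cx$ in $\mathbb{Z}$ and $s_2 = r_2 + cr$ in $\mathbb{Z}$, and sends $s_1, s_2$
     • Verification: V checks whether $R X^c = g^{s_1} h^{s_2} \bmod n$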

  16. Zero-knowledge proofs for VerifyCred and VerifyCredOnNym
     • VerifyCred
     • VerifyCredOnNym

  17. A complication: the smart card
     • A smart card contains a micro processor
     • …but cannot be compared to a desktop pc!
     • idemix uses heavy calculations: exponentiations with large numbers
     • An example: a modular exponentiation with large numbers (operands not reproduced here); timings shown on the slide: ≈ 60 ms, ≈ 1,5 sec

  18. Solution 1: Optimising the interval proofs
     • Exact interval proofs (Boudot 2000) cost about 22 exponentiations per interval.
     • We can use expanded interval proofs instead.
     • The Prover starts with $X = g^x h^r \bmod n$ with $x$ in $[a, b]$
     • The Verifier checks whether the response $s_1$ ($= r_1 + cx$) lies in the correct interval. Then he is convinced that $x$ is in $[\,a - m(b-a),\ b + m(b-a)\,]$
     [Figure: number line marking $a - m(b-a)$, $a$, $b$, $b + m(b-a)$; labels: $x_U$, secure master key interval]
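The commitment-opening proof of slide 15 combined with the verifier's interval check of slide 18, as an added example that is not code from the thesis. The toy modulus and bases, the interval [a, b], the bit lengths LC and LZ, the range r1 is drawn from and the bound S1_MAX are all assumptions chosen for illustration.

```python
# Added example: toy parameters, not secure and not taken from the thesis.
import secrets

N = 2039 * 2063                      # toy special RSA modulus (two safe primes)
G, H = pow(3, 2, N), pow(7, 2, N)    # toy bases in QR_n
A, B = 1000, 2000                    # claimed interval [a, b] for the secret x
LC, LZ = 8, 16                       # challenge bits and extra hiding bits (assumed)
C = 2 ** LC
T = C * (B - A) * 2 ** LZ            # r1 is drawn from [0, T)
S1_MAX = T + (C - 1) * (B - A)       # largest honest value of s1 - c*a

def commit(x, r):
    """X = g^x h^r mod n."""
    return pow(G, x, N) * pow(H, r, N) % N

def prover_commitment():
    """First message R = g^r1 h^r2 mod n; (r1, r2) stay with the prover."""
    r1, r2 = secrets.randbelow(T), secrets.randbelow(N * 2 ** LZ)
    return commit(r1, r2), (r1, r2)

def prover_response(x, r, rand, c):
    """Responses are computed in Z: the prover does not know the group order."""
    r1, r2 = rand
    return r1 + c * x, r2 + c * r

def verify(X, R, c, s1, s2):
    """Return (equation holds, s1 - c*a lies in [0, S1_MAX])."""
    equation_ok = R * pow(X, c, N) % N == commit(s1, s2)
    interval_ok = 0 <= s1 - c * A <= S1_MAX
    return equation_ok, interval_ok

def run(x, c=None):
    """One protocol run for secret x; c can be fixed for reproducibility."""
    r = secrets.randbelow(N)
    X = commit(x, r)
    R, rand = prover_commitment()
    c = secrets.randbelow(C) if c is None else c
    return verify(X, R, c, *prover_response(x, r, rand, c))
```

A secret just outside [a, b], such as x = b + 1, still passes the interval check: the verifier is only convinced of membership in the expanded interval, and only a secret far outside it is rejected.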

  19. Solution 2: Distribution of computation load
     • Untrusted terminal (pay terminal)
       • We may give no information to the terminal, because pseudonyms and credentials are ‘linking information’
     • Trusted terminal (phone, digital wallet)
       • Distribution of computation load
       • We can keep the user’s master key on the smart card and give the pseudonyms and credentials to the terminal.

  20. Solution 2: Distribution of computation load

  21. Conclusions
     • For security: integration of a smart card in idemix has to be done with a lot of care. (not mentioned earlier in this talk)
     • No exact interval proofs are needed; use expanded interval proofs instead.
     • With an untrusted terminal all user-side calculations have to be done on the smart card → VerifyCredOnNym takes +/- 17 seconds.
     • With a trusted terminal the calculations can be distributed over the smart card and terminal → VerifyCredOnNym takes +/- 6 seconds.
     • It is possible to integrate a smart card in idemix (in such a manner that users do not have to wait too long)

  22. More information… • Website about this thesis: http://www.luukluuk.nl/idemix

  23. Questions?

  24. www.luukluuk.nl/idemix Thank you for your attention
