290 likes | 429 Views
Self-Blindable Credential Certificates from the Weil Pairing Eric R. Verheul. April 9, 2004 SCLab Jinhae Kim. Introduction I. What is pseudonym ? A unique identifier by which a user is known by a certain party. Same user, different pseudonym.
E N D
Self-Blindable Credential Certificates from the Weil PairingEric R. Verheul April 9, 2004 SCLab Jinhae Kim
Introduction I • What is pseudonym? • A unique identifier by which a user is known by a certain party. Same user, different pseudonym. • A pseudonymous certificate binds a user’s pseudonym to his public key. • A credential is a trust provider’s statement about the user. • Example: “lives in MN”, “has a PhD in CS” • single-use/multiple-use
Introduction II • Credential pseudonymous certificates (CPCs) • Digital certificates that bind credentials to users. • In Chaum’s1 model • Pseudonyms are unlinkable. • parties that know a user by different pseudonyms must not have the ability to combine their logs. • CPCs must be translatable. • CPC A: “p1 is in good health.” • A is issued by Dr. Yongdae under p1. • Jinhae (owner of p1) presents A to insurance company under p2. • D. Chaum, Security Without Identification: Transaction Systems to Make Big Brother Obsolete, Communications of the ACM, 1985
Security Requirement • Protection against pseudonym/credential forgery. • Protection against pseudonym/credential sharing. • smartcard based passports • better solution: all-or-nothing • Problems? • Revocation of pseudonymous certificates and credentials.
Building Blocks I • Diffie-Hellman (DH) problem • generator g of a group G of (prime) order q. • DHg(gx, gy) = gxy • Decision Diffie-Hellman (DDH) problem • given a, b, c G decide whether c =DHg(a, b) • An alternative formulation of DDH: • given g, gx, h, hy in group G decide whether x = y. • hy =DHg(gx, h) (suppose h = ga, then gay = gax) • Group in which the DDH problem is simple and DH, DL are hard.
Building Blocks II • Elliptic Curve Cryptography1 (ECC) • EC can provide versions of PK methods • In some case, EC is faster and use smaller key. • Addition in EC is same as multiplication in Zp* ref) a, b, c Zp* X, Y are points on an elliptic curve and αis constant. 1. David Jablon, Elliptic Curve Cryptography, http://world.std.com/dpj/elliptic.html
Building Block III • DDH in ECC • <P> is a group of (prime) order q on the curve. • A, B, Cis an instance of the DDH problem with respect to P. • C = DHP(A,B) iff eq(A, D(B)) = eq(P, D(C)) • D(.) is the distortion map, and eq(., .) is the Weil pairing. • Bilinear Map • B(gx, gy) = B(g, g)xy (= B(g, gxy)) (DDH is solved!) • In ECC: B(aP, bP) = ab B(P, P) (= B(P, abP))
The ‘Proofless’ Variant of the Chaum-Pedersen Scheme1 • A group, G, of prime order q, with generator g. • the DDH problem is simple, while the DL and the DH problems are practically intractable. • the Chaum-Pedersen scheme • The public key is y = gx, where 0 ≤ x < q. • A signature on a message m ∈ G • z = mx(plus a proof that logg(y) = logm(z)). • Can verify logg(y) = logm(z) iff z= DHg(m, y). • D. Chaum, T.P. Pedersen, Wallet Databases with Observers, Proceedings of • Crypto’92
The variant of C-P scheme II • Signature z = mx is self-blindable. • Without knowing of the signing key x, one can make another signature zk= (mk)x. • Easy blinding property. • Message (typically a hash), M • public keyof signing party gx • Ask to sign Mr, for 0 ≤ r < q, resulting in Mrx.
Self-blindable Certificates • Terminology for Self-blindablecertificates • U : collection of all possible public keys. • T: collection of all verification public keys of TP. • C : collection of all possible certificates. • Credential on a user public key PU ∈ U • {PU, Sig(PU, ST)}, STis private signing key of TP. • Accompanied by a higher-level certificate • Cert(PU,“Trust statement”) • Standard X.509 certificate with the “Trust statement” in one of its extension field.
Self-blindable Certificates II • The certificates are called self-blindable, if: • There exists a set transformation factor space F. • An efficiently computable transformation map • D:C ×F → C • Properties • For any certificate C ∈ Cand f ∈ Fthe certificate D(C, f) is signed with • the same trust provider public key as C. • Let C1, C2 be certificates and f ∈ Fknown. If C2 = D(C1, f) then one can • efficiently compute a transformation factor f΄∈ Fsuch that C1 = D(C2, f΄). • If C1, C2 ∈ Care two different certificates on the same user public key, • then so are D(C1, f) and D(C2, f). • LetPUis user public key, f ∈ Fis known. Then, a user possesses the • private key of PUiff it possesses the private key of D(PU, f). • If the user’s public key PU ∈ Uis fixed and if f ∈ Fis a uniformly random • element in F, then D(PU, f) is a uniformly random element in U.
CPC System • pseudonymous credential • {PU, [Sig(PU, SN), Cert(PN, “PP statement”)]} • PU : the public key of the user. • Sig(PU, SN) : a signature of the pseudonym provider(PP). • Cert(PN, “PP statement”) : a (conventional) certificate on the public verification key of the PP. • With a statement on its applicability included among the usual fields (e.g., expiration date). • The pseudonym of a user is in fact the user’s public key in its certificate.
CPC System II • Generation of a new Pseudonymous certificate. • By choosing a (random) factor and transforming an initially issued pseudonymous certificate. • Credential Pseudonymous Certificate • Based on Pseudonymous Credential • {PU, [Sig(PU, SN), Cert(PN, “PP statement”)], [Sig(PU, SC), Cert(PC, “CP statement”)]+}. • 2nd line: credential field. • Sig(PU, SC) : A signature of the credential provider (CP). • In CP statement: a statement on its credential applicability (e.g., “is over 18 years old”).
High-level System Description • Initial Registration. • The user registers, typically in a non-anonymous fashion, with a pseudonym provider. • After registration a First Pseudonymous Certificate (FPC) is issued. • The pseudonym provider puts the FPC in a public directory. • When unique pseudonyms are required, the provider has the option to maintain a private list of physical persons that were issued a pseudonymous certificate.
System Description II • Credential Issuance. • Transforms its FPC into a random pseudonymous certificates (RPC) by using a random transformation factor. • Registers with a CP using this RPC which includes a proof of possession of the private key. • This registration need not be anonymous. The user does what is required to obtain a credential (e.g., takes a driver’s exam, shows other credentials). • Up-on succeeding, the user is issued a credential on the RPC, that is the CPC. • The pseudonym provider has the option to put the CPC in a public directory.
System Description III • Credential Use. • The user registers (typically anonymously) with a service provider using a new RPC. • If I can make an RPC with my FPC, how about others? • The user combines all of the CPCs relating to credentials required by the SP into one CPC under the registered pseudonym. • The second invert transformation property on the transformation factors related with the individual, original CPCs. • A CPC is first translated to the First Pseudonym and then translated to the registered pseudonym. • This certificate is presented to the SP, together with a proof of possession of the private key referenced in this CPC.
System Description IV • Credential Use II • Double spend checking • SP has the option to require that the user contact a specific trust provider (unicity provider). • The user sends this trust provider the transformation factor(s), transforming the new RPC to the FPC. • The trust provider validates that these factor(s) transform the RPC into a FPC on the PP’s directory, and that this FPC was not registered before. - problems? • Note 1: PP directory does not specify user identities, only FPCs, • Note 2: the specific trust provider need not be the user’s pseudonym provider.
System Description V • TP can link two different pseudonyms of a user. • During registration, PP and the user (U) exchange a secret, S. • If a trust provider (T) wants to provide assurance on unique pseudonyms, then PPis provided a list consisting of transformed FPCs, in such a way that: • U’s FPC is transformed using a transformation factor f: • f = H (T, S) (H: secure hash function) • the order of the FPCs is randomly permuted.
Revocation of Certificate Bases • 1st Method: Pro-active • Let the trust providers employ signing keys with a short expiration time (e.g., a week). • If a pseudonymous certificate/credential has not been revoked, then the trust provider automatically updates the certificates/credentials in its directory with newly signed ones. • A user can collect the updated pseudonymous certificates/credentials, preferably via an anonymous channel.
Revocation II • 2nd Method: using the flexible secret sharing technique • To trust provider, send along specific transformation factors with a (credential) pseudonymous certificate. • TP can retrieve the original issued (credential) pseudonymous certificates and find out if they have been revoked. • The trust provider then provides a statement on the status of the (credential) pseudonymous certificate to the service provider. • The service provider still needs to verify that the user is in possession of the private key referenced in the used randomized CPC.
A Simple Construction for CPCs • G = <g>be a group of prime order q • The set Tof all trust provider’s public keys takes the form j, js(0 ≤ s < q; private key). • Uconsists of elements of the form gx. (0 < x < q; user’s private keys). • A certificate issued by a trust provider with public key h, hzon a user public key gx : • {gx, gxz}. • The transformation D:C ×F → C • ({X, Y }, f) → {Xf, Yf} • the certificate {gx, gxz}is transformed to the certificate {gxf, gxfz}under factor f.
A Simple Construction II • The user registers, typically in a non-anonymous fashion, with a pseudonym provider. • The PP generates a random 0 < x < q • forms the user public key gxand the certificate {gx, gxz}. • All information is put on a tamper resistant signing device. • Private key information of (transformed) certificates can be used but not retrieved. • The secure signing device is handed over to the user in a secure fashion.
A more robust construction • G = <g>be a group of prime order q • There exists embedding E(.) from Ginto a group G΄where all three problems are practically intractable. • The set Tof all trust provider’s public keys takes the form j, js(0 ≤ s < q; private key). • PP publishes a certified pair (r , s) = (r , rf) • r , s∈ G, 0 < f < qunknown by all parties. • Uconsists of elements of the form g1, g2, g1x1 , g2x2. • 0 < x1, x2 < q, • g1 is random generator and logg1(g2) = f
A more robust construction II • The certificate with public key h, hzon a user’s public key g1, g2, g1x1g2x2 : • {g1, g2, g1x1g2x2,(g1x1g2x2)z}. • The transformation D:C ×F → C • ({X, Y, W, Z }, (k, l)) → {Xl, Yl , Wkl, Zkl} • the certificate {g1, g2, g1x1g2x2,(g1x1g2x2)z}is transformed to the certificate {g1l, g2l, g1x1klg2x2kl,(g1x1klg2x2kl)z}under factor (k, l).
A more robust construction III • The user registers, typically in a non-anonymous fashion, with a PP. • PP generates a random pair (g1, g2) • g2 = g1f (random power of the elements r , s). • The pair (g1, g2) is sent to the user or a smart card issuer. • The user generates a random private key 0 ≤ x < qand forms g2x . • Sends g2x and proves possession of the private key x • PP forms the public key g1, g2, g1g2x • Places a Chaum-Pedersen signature on it, i.e., (g1g2x)z. • Employs the embedding E : G → G΄ • Determines the elements E(g2), E(g2x) of the group G΄. • Determines a random power rof these elements, i.e., E(g2)r, E(g2x)r. • Forms a conventional non-repudiation certificate on (E(g2)r, E(g2x)r). • The first pseudonymous certificate and the non-repudiation certificate are issued to the user. Both are also stored in separate directories.
A more robust construction IV • The characteristic of embedding E(.) • Homomorphism: The signing key of E(g2x )r is x. • One-way function: Hard to get g2r, g2xr from E(g2)r, E(g2x)r. • It would be impossible to relate E(g2), E(g2x) (deducible from FPC) to E(g2)r, E(g2x)r (deducible from the non-repudiation certificate). (DDH is hard in G΄)
Protection against Pseudonym/credential forgery • Based on an all-or-nothing concept. • The private key in a transformed credential takes the form (k, k · xmod q) for some 0 < k < q. • Dividing the second part by the first part yields the user’s non-repudiation key x. • If the user transfers a credential, then it also transfers a copy of its non-repudiation signing key.
Conclusion • Anonymity without the need for a trusted third party. • This system is based on a new paradigm, self-blindable certificates • Certificates were constructed using the Weil pairing in supersingular elliptic curves • A robust system provides cryptographic protection against the forgery and transfer of credentials