1 / 71

Cryptographic Privacy Protocols

Microsoft Research, May 2010. Markulf Kohlweiss, Microsoft Research markulf@microsoft.com . Cryptographic Privacy Protocols. User. Privacy Friendly Services and Identity Management. Political orientation. Hobbies / obsessions. Behavioral data. Favorite news site. Book purchases.

eilis
Download Presentation

Cryptographic Privacy Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Microsoft Research, May 2010 Markulf Kohlweiss, Microsoft Research markulf@microsoft.com Cryptographic Privacy Protocols

  2. User

  3. Privacy Friendly Services and Identity Management Political orientation Hobbies / obsessions Behavioral data Favorite news site Book purchases Location data Anonymous Credentials User Service Providers age Personal data Access credentials alice@email.com 3445 7455 4397 3534 • Laws of Identity • User Control and Consent • Minimal Disclosure for a Constrained Use • Kim Cameron

  4. Anonymous Service Access I need to know something right? Have you subscribed? Are you old enough? unidentified location data I want to be anonymous. Anonymous data Behavioral data Someones e-book purchases Anonymous credentials Interactions using unlinkable pseudonyms Alice Bob Personal data age>18 Anonymous data Anonymous e-coins

  5. name surname age ... Anonymous Credentials I issue a digital identity card • [Chaum85, Brands99, CL01] I want to selectively reveal data. I don’t want my actions to be linked. Identity Provider User unlinkable real human, subscription, age > 18, pseudonym, encrypted identity Service Providers 5 Camenisch, Lysyanskaya, 2001

  6. Private Service Computation I don’t want Bob to know what I am doing. Hello Alice. Use my service. I promise I won’t watch. Really! Behavioral data Access credentials IP address: 207.46.197.32 Alice Bob Personal data CC number: 3465 7568 9867 3254

  7. Private Information Retrieval • [Rabin, Chor et al.] • Learns nothing about Alice’s query, • except maybe that authorized(may include private payment) I want to selectively and privately learn information IP address: 207.46.197.32 User Service Provider CC number: 3465 7568 9867 354 Benny Chor, EyalKushilevitz, OdedGoldreich, Madhu Sudan

  8. Secure Protocol Design • Anonymity and Private Access needs to be balanced. • many extensions to basic system [CL02, CCS06, PKC09, JCS10,AIR01]. • Will privacy protocols be less prone to errors than conventional protocols (e.g. key agreement)? • What about other privacy enhancing protocols?(RFID Authentication [LBV09], Oblivious Transfer [AIR01) Lee, Batina,.Verbauwhede 2009 CamenischLysyanskaya2002 Aiello, Ishai, Reingold, 2001

  9. Until 1980s: Cryptography as a “craft” design, bug, design ... when to stop? More recently: Cryptography as a “science” formalized goals:attacker model, security definitions explicit assumptions: security of (ideal) building blocks, mathematical assumptions, construction and rigorous analysis Modern Protocol Design

  10. Outline • Cryptographic Definitions • Ideal functionality based definitions • Anonymous Credentials • U-Prove • Delegatable Anonymous Credentials • Private Computation • Location-based Services • Priced Oblivious Transfer • Privacy Preserving Smart Metering • Conclusions • Two approaches to data minimization

  11. I. Cryptographic Definitions Description of building blocks, and specification of desired result

  12. Classical Cryptography Probabilistic Public-key Encryption Alice & Others Bob

  13. Exclude Unwanted Adversarial Behavior • Define security negatively: • Secure if no realistic attacker has advantage > ε . • Game between attacker and challenger • IND-CPA and IND-CCA games pk m0, m1 Enc(pk, mb) b* = b

  14. Define Desired Ideal Behavior • Define security positively:Behaves as ideal protocol, except with probability ≤ ε . • Defined using ideal functionality , and proven by simulation • Adversary plays standardized game:goal is to make simulation fail with probability > ε

  15. Define Desired Ideal Behavior Environment Interface Network Interface Alice & Others Bob

  16. Define Desired Ideal Behavior Environment Interface Network Interface Alice & Others Bob Init: Dec: Enc:

  17. More Schematically Environment Interface Network Interface

  18. Zero-knowledge Proofs Language: • Zero-knowledge • Soundness Environment Interface Network Interface Prover Verifier in Relation R?

  19. Interactive Zero-knowledge Proofs Language: Environment Interface Network Interface Zero-knowledge proof protocol Prover Verifier in Relation

  20. Proof π Non-interactive Zero-knowledge Language: Environment Interface Network Interface Prover Verifier / common reference string random oracle

  21. Oblivious Transfer Environment Interface Network Interface i Receiver Sender mi select ith message

  22. Compute any Function Secure Two-Party Computation of Environment Interface Network Interface Alice Bob compute:

  23. II. Anonymous Service Access Gaining access to services without revealing ones identity

  24. Outline • Cryptographic Definitions • Ideal functionality based definitions • Anonymous Credentials • U-Prove • Delegatable Anonymous Credentials • Private Computation • Location-based Services • Priced Oblivious Transfer • Privacy Preserving Smart Metering • Conclusions • Two approaches to data minimization

  25. Anonymous Service Access I need to know something right? Have you subscribed? Are you old enough? unidentified location data I want to be anonymous. Anonymous data Behavioral data Someones e-book purchases Anonymous credentials Interactions using unlinkable pseudonyms Alice Bob Personal data age>18 Anonymous data Anonymous e-coins

  26. A critique of identity • Identity as a proxy to check credentials • Username decides access in Access Control Matrix • Sometime it leaks too much information • Real world examples • Tickets allow you to use cinema / train • Bars require customers to be older than 18 • But do you want the barman to know your address?

  27. name surname age ... Anonymous Credentials Based on zero-knowledge proofs I issue a digital identity card I want to selectively reveal data. I don’t want my actions to be linked. x = Identity Provider unlinkable (x, y) such that x contains age > 18? Alice y = [ age > 18 ] (real human subscription pseudonym encrypted identity) Cannot learn anything beyond age Service Providers

  28. Two flavours of credentials • Multi-show (Camenisch & Lysyanskaya) • Random oracle free signatures for issuing (CL) • Blinded showing • Prover shows that he knows signature on attributes with some property. • Cannot link multiple shows of the credential • More complex • Single-show credential (Brands & Chaum) • Blind the issuing protocol (blindly sign a commitment • Show the signature on commitment in clear • Prover shows that commitment contains attributes with some property. • Multiple shows are linkable – BAD • Protocols are simpler – GOOD

  29. Technical Outline • Cryptographic preliminaries • The discrete logarithm problem • Schnorr’s Identification protocol • Unforgeability, simulator, Fiat-Shamir Heuristic • Generalization to representation • Showing protocol • Linear relations of attributes • Issuing protocol • Blinded issuing

  30. Modular arithmetics • Assume p a large prime • (>1024 bits—2048 bits) • Detail: p = qr+1 where q also large prime • Denote the field of integers modulo p as Zp • Example with p=7 • Addition works fine: 1+2 = 3, 3+5 = 1, ... • Multiplication too: 2*2 = 4, 2*4 = 1, ... • Exponentiation is as expected: 22 = 4 • Choose g in the multiplicative group of Zp • Such that g is a generator • Example: g=3 (3∗3 = 9-7 = 2) • Subgroup: g=2 (2*2*2=1)

  31. Discrete logarithms • Exponentiation is computationally easy: • Given g and x, easy to compute gx • But logarithm is computationally hard: • Given g and gx, difficult to find x = logggx • If p is large it is practically impossible • Related DH problem • Given (g, gx, gy) difficult to find gxy • Stronger assumption than DL problem

  32. More on Zp • Efficient to find inverses • Given c easy to calculate g-c mod p • (p-1) – c mod p-1 • Efficient to find roots • Given c easy to find g1/c mod p • c (1/c) = 1 mod (p-1) • Not the case N=pq (RSA security) • No need to be scared of this field.

  33. Schnorr’s protocol Public: g, p Knows: x Knows: y=gx P->V: gw= a (first message) V->P: c (challenge) Alice (Prover) Bob (Verifier) P->V: cx+w= r (response) Random: w Check: gr = yca g cx+w = (gx)cgw

  34. No Schnorr Forgery (intuition) • Assume that Alice (Prover) does not know ? • If, for the same first message, Alice forges two valid responses to two of Bob’s challenges • Then Alice must know • 2 equations, 2 unknowns – can find

  35. Zero-knowledge (intuition) • The verifier learns nothing new about . • How do we go about proving this? • Verifier can simulate protocol executions • On his own! • Without any help from Alice (Prover) • This means that the transcript gives no information about • How does Bob simulate a transcript? • (First message, challenge, response)

  36. Simulator • Need to fake a transcript • Simulator: • Trick: do not follow the protocol order! • First pick the challenge • Then pick a random response • Then note that the response must satisfy: • Solve for • Proof technique for ZK

  37. Non-interactive proof? • Schnorr’s protocol • Requires interaction between Alice and Bob • Bob cannot transfer proof to convince Charlie • (In fact we saw he can completely fake a transcript) • Fiat-Shamir Heuristic • H[∙] is a cryptographic hash function • Alice sets c = H[gw] • Note that the simulator cannot work any more • gw has to be set first to derive c • Signature scheme • Alice sets c = H[gw, M]

  38. Generalise to DL representations • Traditional Schnorr • For fixed and public key • Alice proves she knows such that • General problem • Fix prime , generators • Public key • Alice proves she knows such that

  39. DL represenation – protocol Public: g, p Knows: h = g1X1g2X2 ... glXl Knows: x1, ..., xl l random: wi P->V: ∏0<i<l gwi= a (first message) Alice (Prover) Bob (Verifier) V->P: c (challenge) ri =cxi+wi P->V: r1, ..., rl (response) Check: (∏0<i<lgiri) = hca Let’s convince ourselves: (∏0<i<lgiri)= (∏0<i<lgixi)c(∏0<i<lgwi) = hca

  40. DL represenation vs. Schnorr Public: g, p Knows: h = g1X1g2X2 ... glXl Knows: x1, ..., xl l random: wi P->V: ∏0<i<l gwi= a (first message) Alice (Prover) Bob (Verifier) V->P: c (challenge) ri =cxi+wi P->V: r1, ..., rl (response) Check: (∏0<i<lgiri) = hca Let’s convince ourselves: (∏0<i<lgiri)= (∏0<i<lgixi)c(∏0<i<lgwi) = hca

  41. DL represenation vs. Schnorr Public: g, p Knows: h = g1X1g2X2 ... glXl Knows: x1, ..., xl l random: wi P->V: ∏0<i<l gwi= a (first message) Alice (Prover) Bob (Verifier) V->P: c (challenge) ri =cxi+wi P->V: r1, ..., rl (response) Check: (∏0<i<lgiri) = hca Let’s convince ourselves: (∏0<i<lgiri)= (∏0<i<lgixi)c(∏0<i<lgwi) = hca

  42. Credentials – showing • Credential representation: • Attributes • Credential , • Credential showing protocol • Alice gives the credential to Bob • Alice proves a statement on values • e.g. • Merely DL rep. proof that she knows remaining ,i.e.

  43. Com(name, surname age ...) Issuing Protocol Based on blind signatures I half-blindly issue a digital identity card I want to selectively reveal data. I don’t want my actions to be linked. = Identity Provider unlinkable (x, h)such that x contains age > 18? Alice x = attributes and opening for h Cannot learn anything beyond age Service Providers

  44. 2 2 1 name surname age ... Delegatable Anonymous Credentials I issue a digital identity card Alice Identity Provider unlinkable unlinkable Carol Service Providers

  45. pkA pkA pkA pkC pkC fresh nonce skB skB skS skA skA skC Non-Anonymous Delegation using signatures: Alice Service Providers Carol

  46. Randomize Proofs Size of randomized proofs stays constant, no blowup

  47. Randomizable Proofs • Completeness, Soundness, Zero-knowledge • New property: Randomizability • Randomized proof looks like freshly generated proof • Construction for NP [GOS06] and efficient applications [GS08] randomize Groth, Ostrovsky, Sahai Groth, Sahai

  48. Randomizability and Malleability • Malleability as a bug [DDN91] • Malleability as a feature • Homomorphic encryption [ElGamal, Paillier, Gentry] • Translation between pseudonyms: about , about maul randomize Dolev, Dwork, Naor

  49. : proof that , and correct 1 Delegatable Anonymous Credentials Alice Carol Service Providers

  50. : and correct : and correct maul & randomize 2 2 : proof that , and correct 1 1 1 : proof that and correct Delegatable Anonymous Credentials Alice Carol maul & randomize Service Providers

More Related