1 / 22

Anonymous Identification in Ad Hoc Groups

Anonymous Identification in Ad Hoc Groups. Yevgeniy Dodis, Antonio Nicolosi , Victor Shoup {dodis, nicolosi ,shoup}@cs.nyu.edu New York University. Aggelos Kiayias aggelos@cse.uconn.edu University of Connecticut. EuroCrypt 2004 Interlaken, Switzerland. May 6 th , 2004.

ria-mullen
Download Presentation

Anonymous Identification in Ad Hoc Groups

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Anonymous Identification in Ad Hoc Groups Yevgeniy Dodis, Antonio Nicolosi, Victor Shoup {dodis,nicolosi,shoup}@cs.nyu.edu New York University Aggelos Kiayias aggelos@cse.uconn.edu University of Connecticut EuroCrypt 2004 Interlaken, Switzerland May 6 th, 2004

  2. Toy Example: Access-controlled Blog • Alice is keeping a blog about her poems … • … and she only wants her friends to read them • But if one of them is doing all the reading, he may not want Alice to notice …  Solution: Ad Hoc Anonymous Identification schemes (AHAIs) Eurocrypt 2004—Antonio Nicolosi—NYU

  3. Identification Schemes [FS86] Eurocrypt 2004—Antonio Nicolosi—NYU

  4. Anonymous Identification [CvH91,KP98] Eurocrypt 2004—Antonio Nicolosi—NYU

  5. Anonymous Identification (cont’d) • Alice cannot tell whom she is talking to  Eurocrypt 2004—Antonio Nicolosi—NYU

  6. Ad Hoc Groups (a.k.a. Rings) • Universe of users under a common PKI • Ad Hoc group formation: Do not need user’s cooperation to include him into a group • Useful for leaking secrets [RST01] • Ethical implications [Na02]? • Proactive group creation: A group can be formed before all its members acted to join it Eurocrypt 2004—Antonio Nicolosi—NYU

  7. Our Contributions • New Cryptographic Functionality/Formal Model • Generic Construction • Accumulators with One-Way Domain • Efficient Instantiation (Based on Strong-RSA) • AHAIs: Variations • Identity Escrow • Dynamic Joins • Applications: • Constant-Size Ring Signatures • Group Signatures via Fiat-ShamirHeuristic Eurocrypt 2004—Antonio Nicolosi—NYU

  8. AHAI Syntax • Setup: system-wide initialization phase • Register: per-user initialization • Each user picks a secret key/public key pair • Run only once, regardless of # groups user joins • Make-GPK: combines a set of PKs into one GPK • Make-GSK: combines a user’s SK with a set of PKs to yield a GSK • Anon-ID: protocol between a group member (holding GSK) and a verifier (holding GPK) Eurocrypt 2004—Antonio Nicolosi—NYU

  9. AHAI Syntax revisited • Make-GPK (running time / to group size) • Make-GSK (running time / to group size) • Anon-ID (constant running time) Eurocrypt 2004—Antonio Nicolosi—NYU

  10. Roadmap • New Cryptographic Functionality/Formal Model • Generic Construction • Accumulators with One-Way Domain • Efficient Instantiation (Based on Strong-RSA) • AHAIs: Variations • Identity Escrow • Dynamic Joins • Applications: • Constant-Size Ring Signatures • Group Signatures Eurocrypt 2004—Antonio Nicolosi—NYU

  11. Accumulators: Review • Intuition: Sets that don’t grow in size • Insertion into a set yields a larger set • Insertion into an accumulator yields a new accumulator of the same size + a witness Eurocrypt 2004—Antonio Nicolosi—NYU

  12. If accumulators don’t grow in size, how to tell what’s inside them? ?  Accumulators: Witnesses • Answer: the witness of a value “proves” its membership • However, cannot prove non-membership • Collision-Resistance: Hard to “fake” witnesses for elements not in the accumulator Eurocrypt 2004—Antonio Nicolosi—NYU

  13. Domain One-wayness: Elements of the accumulator belongs to the range of a one-way function f f Accumulators with One-Way Domain • Efficient instance based on the Strong-RSA Assumption[BdM93,BP97,CL02] Eurocrypt 2004—Antonio Nicolosi—NYU

  14. SKB PKB f … =: GPK A Generic Construction of AHAI • Register: • Make-GPK: Eurocrypt 2004—Antonio Nicolosi—NYU

  15. GSKB := f • Anon-ID: ZK-PoK{ , | ^ } =: GPK GSKB := A Generic Construction of AHAI (cont’d) • Make-GSK: as Make-GPK, but also keeps track of SK and of the witness for PK Eurocrypt 2004—Antonio Nicolosi—NYU

  16. Roadmap • New Cryptographic Functionality/Formal Model • Generic Construction • Accumulators with One-Way Domain • Efficient Instantiation (Based on Strong-RSA) • AHAIs: Variations • Identity Escrow • Dynamic Joins • Applications: • Constant-Size Ring Signatures • Group Signatures Eurocrypt 2004—Antonio Nicolosi—NYU

  17. AHAI Variations: • ID Escrow: To prevent abuse of anonymity, can amend the scheme so that user identity can be recovered by a trusted party • Use efficient verifiable encryption/decryption [CS03] • Soundness of the Anon-ID protocol also holds against Identity Escrow Authority • Dynamic Joins • If group changes, need to build a new GPK from scratch (time / to group size) • But if changes are just user additions, can update GPK (and GSK) in time / to changes Eurocrypt 2004—Antonio Nicolosi—NYU

  18. Roadmap • New Cryptographic Functionality/Formal Model • Generic Construction • Accumulators with One-Way Domain • Efficient Instantiation (Based on Strong-RSA) • AHAIs: Variations • Identity Escrow • Dynamic Joins • Applications: • Constant-Size Ring Signatures • Group Signatures via Fiat-ShamirHeuristic Eurocrypt 2004—Antonio Nicolosi—NYU

  19. Application: Constant-Size Ring Sigs • What’s the size of a ring signature? • Should only measure the piece of info that the verifier needs besidedescription of the ring… • … bothfor theoretical and for practical reasons • Since Anon-ID uses only O(1) communication, Anon-Sign yields signatures of constant size • Anon-Sign also gives “off-line” ring signatures: • After linear-time pre-processing, can sign and verify arbitrarily many messages in constant time Eurocrypt 2004—Antonio Nicolosi—NYU

  20. SKB := =: PKB Join: =: {GPK}SKGM =: GSKB f Application: Group Signatures • “Passive” Group Manager: just certifies GPK • Since GPK is provided by GM, producing and verifying group signatures takes O(1) • Storage Efficiency: Member ofk groups (run by different GMs) only needs O(1) secret storage + O(k)world-readable storage Eurocrypt 2004—Antonio Nicolosi—NYU

  21. We proposed a novel cryptographic functionality (AHAI) enabling flexible, privacy-aware access control • We designed an instance based on a new tool, efficiently constructible based on standard assumptions • We discussed possible variations and applications (Ring Signatures with O(1) overhead) Summary Eurocrypt 2004—Antonio Nicolosi—NYU

  22. Thank you! Eurocrypt 2004—Antonio Nicolosi—NYU

More Related