Créer une présentation
Télécharger la présentation

Télécharger la présentation
## Cryptographic Privacy Protocols

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**Microsoft Research, May 2010**Markulf Kohlweiss, Microsoft Research markulf@microsoft.com Cryptographic Privacy Protocols**Privacy Friendly Services and Identity Management**Political orientation Hobbies / obsessions Behavioral data Favorite news site Book purchases Location data Anonymous Credentials User Service Providers age Personal data Access credentials alice@email.com 3445 7455 4397 3534 • Laws of Identity • User Control and Consent • Minimal Disclosure for a Constrained Use • Kim Cameron**Anonymous Service Access**I need to know something right? Have you subscribed? Are you old enough? unidentified location data I want to be anonymous. Anonymous data Behavioral data Someones e-book purchases Anonymous credentials Interactions using unlinkable pseudonyms Alice Bob Personal data age>18 Anonymous data Anonymous e-coins**name**surname age ... Anonymous Credentials I issue a digital identity card • [Chaum85, Brands99, CL01] I want to selectively reveal data. I don’t want my actions to be linked. Identity Provider User unlinkable real human, subscription, age > 18, pseudonym, encrypted identity Service Providers 5 Camenisch, Lysyanskaya, 2001**Private Service Computation**I don’t want Bob to know what I am doing. Hello Alice. Use my service. I promise I won’t watch. Really! Behavioral data Access credentials IP address: 207.46.197.32 Alice Bob Personal data CC number: 3465 7568 9867 3254**Private Information Retrieval**• [Rabin, Chor et al.] • Learns nothing about Alice’s query, • except maybe that authorized(may include private payment) I want to selectively and privately learn information IP address: 207.46.197.32 User Service Provider CC number: 3465 7568 9867 354 Benny Chor, EyalKushilevitz, OdedGoldreich, Madhu Sudan**Secure Protocol Design**• Anonymity and Private Access needs to be balanced. • many extensions to basic system [CL02, CCS06, PKC09, JCS10,AIR01]. • Will privacy protocols be less prone to errors than conventional protocols (e.g. key agreement)? • What about other privacy enhancing protocols?(RFID Authentication [LBV09], Oblivious Transfer [AIR01) Lee, Batina,.Verbauwhede 2009 CamenischLysyanskaya2002 Aiello, Ishai, Reingold, 2001**Until 1980s: Cryptography as a “craft”**design, bug, design ... when to stop? More recently: Cryptography as a “science” formalized goals:attacker model, security definitions explicit assumptions: security of (ideal) building blocks, mathematical assumptions, construction and rigorous analysis Modern Protocol Design**Outline**• Cryptographic Definitions • Ideal functionality based definitions • Anonymous Credentials • U-Prove • Delegatable Anonymous Credentials • Private Computation • Location-based Services • Priced Oblivious Transfer • Privacy Preserving Smart Metering • Conclusions • Two approaches to data minimization**I. Cryptographic Definitions**Description of building blocks, and specification of desired result**Classical Cryptography**Probabilistic Public-key Encryption Alice & Others Bob**Exclude Unwanted Adversarial Behavior**• Define security negatively: • Secure if no realistic attacker has advantage > ε . • Game between attacker and challenger • IND-CPA and IND-CCA games pk m0, m1 Enc(pk, mb) b* = b**Define Desired Ideal Behavior**• Define security positively:Behaves as ideal protocol, except with probability ≤ ε . • Defined using ideal functionality , and proven by simulation • Adversary plays standardized game:goal is to make simulation fail with probability > ε**Define Desired Ideal Behavior**Environment Interface Network Interface Alice & Others Bob**Define Desired Ideal Behavior**Environment Interface Network Interface Alice & Others Bob Init: Dec: Enc:**More Schematically**Environment Interface Network Interface**Zero-knowledge Proofs**Language: • Zero-knowledge • Soundness Environment Interface Network Interface Prover Verifier in Relation R?**Interactive Zero-knowledge Proofs**Language: Environment Interface Network Interface Zero-knowledge proof protocol Prover Verifier in Relation**Proof π**Non-interactive Zero-knowledge Language: Environment Interface Network Interface Prover Verifier / common reference string random oracle**Oblivious Transfer**Environment Interface Network Interface i Receiver Sender mi select ith message**Compute any Function**Secure Two-Party Computation of Environment Interface Network Interface Alice Bob compute:**II. Anonymous Service Access**Gaining access to services without revealing ones identity**Outline**• Cryptographic Definitions • Ideal functionality based definitions • Anonymous Credentials • U-Prove • Delegatable Anonymous Credentials • Private Computation • Location-based Services • Priced Oblivious Transfer • Privacy Preserving Smart Metering • Conclusions • Two approaches to data minimization**Anonymous Service Access**I need to know something right? Have you subscribed? Are you old enough? unidentified location data I want to be anonymous. Anonymous data Behavioral data Someones e-book purchases Anonymous credentials Interactions using unlinkable pseudonyms Alice Bob Personal data age>18 Anonymous data Anonymous e-coins**A critique of identity**• Identity as a proxy to check credentials • Username decides access in Access Control Matrix • Sometime it leaks too much information • Real world examples • Tickets allow you to use cinema / train • Bars require customers to be older than 18 • But do you want the barman to know your address?**name**surname age ... Anonymous Credentials Based on zero-knowledge proofs I issue a digital identity card I want to selectively reveal data. I don’t want my actions to be linked. x = Identity Provider unlinkable (x, y) such that x contains age > 18? Alice y = [ age > 18 ] (real human subscription pseudonym encrypted identity) Cannot learn anything beyond age Service Providers**Two flavours of credentials**• Multi-show (Camenisch & Lysyanskaya) • Random oracle free signatures for issuing (CL) • Blinded showing • Prover shows that he knows signature on attributes with some property. • Cannot link multiple shows of the credential • More complex • Single-show credential (Brands & Chaum) • Blind the issuing protocol (blindly sign a commitment • Show the signature on commitment in clear • Prover shows that commitment contains attributes with some property. • Multiple shows are linkable – BAD • Protocols are simpler – GOOD**Technical Outline**• Cryptographic preliminaries • The discrete logarithm problem • Schnorr’s Identification protocol • Unforgeability, simulator, Fiat-Shamir Heuristic • Generalization to representation • Showing protocol • Linear relations of attributes • Issuing protocol • Blinded issuing**Modular arithmetics**• Assume p a large prime • (>1024 bits—2048 bits) • Detail: p = qr+1 where q also large prime • Denote the field of integers modulo p as Zp • Example with p=7 • Addition works fine: 1+2 = 3, 3+5 = 1, ... • Multiplication too: 2*2 = 4, 2*4 = 1, ... • Exponentiation is as expected: 22 = 4 • Choose g in the multiplicative group of Zp • Such that g is a generator • Example: g=3 (3∗3 = 9-7 = 2) • Subgroup: g=2 (2*2*2=1)**Discrete logarithms**• Exponentiation is computationally easy: • Given g and x, easy to compute gx • But logarithm is computationally hard: • Given g and gx, difficult to find x = logggx • If p is large it is practically impossible • Related DH problem • Given (g, gx, gy) difficult to find gxy • Stronger assumption than DL problem**More on Zp**• Efficient to find inverses • Given c easy to calculate g-c mod p • (p-1) – c mod p-1 • Efficient to find roots • Given c easy to find g1/c mod p • c (1/c) = 1 mod (p-1) • Not the case N=pq (RSA security) • No need to be scared of this field.**Schnorr’s protocol**Public: g, p Knows: x Knows: y=gx P->V: gw= a (first message) V->P: c (challenge) Alice (Prover) Bob (Verifier) P->V: cx+w= r (response) Random: w Check: gr = yca g cx+w = (gx)cgw**No Schnorr Forgery (intuition)**• Assume that Alice (Prover) does not know ? • If, for the same first message, Alice forges two valid responses to two of Bob’s challenges • Then Alice must know • 2 equations, 2 unknowns – can find**Zero-knowledge (intuition)**• The verifier learns nothing new about . • How do we go about proving this? • Verifier can simulate protocol executions • On his own! • Without any help from Alice (Prover) • This means that the transcript gives no information about • How does Bob simulate a transcript? • (First message, challenge, response)**Simulator**• Need to fake a transcript • Simulator: • Trick: do not follow the protocol order! • First pick the challenge • Then pick a random response • Then note that the response must satisfy: • Solve for • Proof technique for ZK**Non-interactive proof?**• Schnorr’s protocol • Requires interaction between Alice and Bob • Bob cannot transfer proof to convince Charlie • (In fact we saw he can completely fake a transcript) • Fiat-Shamir Heuristic • H[∙] is a cryptographic hash function • Alice sets c = H[gw] • Note that the simulator cannot work any more • gw has to be set first to derive c • Signature scheme • Alice sets c = H[gw, M]**Generalise to DL representations**• Traditional Schnorr • For fixed and public key • Alice proves she knows such that • General problem • Fix prime , generators • Public key • Alice proves she knows such that**DL represenation – protocol**Public: g, p Knows: h = g1X1g2X2 ... glXl Knows: x1, ..., xl l random: wi P->V: ∏0<i<l gwi= a (first message) Alice (Prover) Bob (Verifier) V->P: c (challenge) ri =cxi+wi P->V: r1, ..., rl (response) Check: (∏0<i<lgiri) = hca Let’s convince ourselves: (∏0<i<lgiri)= (∏0<i<lgixi)c(∏0<i<lgwi) = hca**DL represenation vs. Schnorr**Public: g, p Knows: h = g1X1g2X2 ... glXl Knows: x1, ..., xl l random: wi P->V: ∏0<i<l gwi= a (first message) Alice (Prover) Bob (Verifier) V->P: c (challenge) ri =cxi+wi P->V: r1, ..., rl (response) Check: (∏0<i<lgiri) = hca Let’s convince ourselves: (∏0<i<lgiri)= (∏0<i<lgixi)c(∏0<i<lgwi) = hca**DL represenation vs. Schnorr**Public: g, p Knows: h = g1X1g2X2 ... glXl Knows: x1, ..., xl l random: wi P->V: ∏0<i<l gwi= a (first message) Alice (Prover) Bob (Verifier) V->P: c (challenge) ri =cxi+wi P->V: r1, ..., rl (response) Check: (∏0<i<lgiri) = hca Let’s convince ourselves: (∏0<i<lgiri)= (∏0<i<lgixi)c(∏0<i<lgwi) = hca**Credentials – showing**• Credential representation: • Attributes • Credential , • Credential showing protocol • Alice gives the credential to Bob • Alice proves a statement on values • e.g. • Merely DL rep. proof that she knows remaining ,i.e.**Com(name,**surname age ...) Issuing Protocol Based on blind signatures I half-blindly issue a digital identity card I want to selectively reveal data. I don’t want my actions to be linked. = Identity Provider unlinkable (x, h)such that x contains age > 18? Alice x = attributes and opening for h Cannot learn anything beyond age Service Providers**2**2 1 name surname age ... Delegatable Anonymous Credentials I issue a digital identity card Alice Identity Provider unlinkable unlinkable Carol Service Providers**pkA**pkA pkA pkC pkC fresh nonce skB skB skS skA skA skC Non-Anonymous Delegation using signatures: Alice Service Providers Carol**Randomize Proofs**Size of randomized proofs stays constant, no blowup**Randomizable Proofs**• Completeness, Soundness, Zero-knowledge • New property: Randomizability • Randomized proof looks like freshly generated proof • Construction for NP [GOS06] and efficient applications [GS08] randomize Groth, Ostrovsky, Sahai Groth, Sahai**Randomizability and Malleability**• Malleability as a bug [DDN91] • Malleability as a feature • Homomorphic encryption [ElGamal, Paillier, Gentry] • Translation between pseudonyms: about , about maul randomize Dolev, Dwork, Naor**: proof that , and correct**1 Delegatable Anonymous Credentials Alice Carol Service Providers**: and correct**: and correct maul & randomize 2 2 : proof that , and correct 1 1 1 : proof that and correct Delegatable Anonymous Credentials Alice Carol maul & randomize Service Providers