Download
markulf kohlweiss microsoft research markulf@microsoft com n.
Skip this Video
Loading SlideShow in 5 Seconds..
Cryptographic Privacy Protocols PowerPoint Presentation
Download Presentation
Cryptographic Privacy Protocols

Cryptographic Privacy Protocols

142 Vues Download Presentation
Télécharger la présentation

Cryptographic Privacy Protocols

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Microsoft Research, May 2010 Markulf Kohlweiss, Microsoft Research markulf@microsoft.com Cryptographic Privacy Protocols

  2. User

  3. Privacy Friendly Services and Identity Management Political orientation Hobbies / obsessions Behavioral data Favorite news site Book purchases Location data Anonymous Credentials User Service Providers age Personal data Access credentials alice@email.com 3445 7455 4397 3534 • Laws of Identity • User Control and Consent • Minimal Disclosure for a Constrained Use • Kim Cameron

  4. Anonymous Service Access I need to know something right? Have you subscribed? Are you old enough? unidentified location data I want to be anonymous. Anonymous data Behavioral data Someones e-book purchases Anonymous credentials Interactions using unlinkable pseudonyms Alice Bob Personal data age>18 Anonymous data Anonymous e-coins

  5. name surname age ... Anonymous Credentials I issue a digital identity card • [Chaum85, Brands99, CL01] I want to selectively reveal data. I don’t want my actions to be linked. Identity Provider User unlinkable real human, subscription, age > 18, pseudonym, encrypted identity Service Providers 5 Camenisch, Lysyanskaya, 2001

  6. Private Service Computation I don’t want Bob to know what I am doing. Hello Alice. Use my service. I promise I won’t watch. Really! Behavioral data Access credentials IP address: 207.46.197.32 Alice Bob Personal data CC number: 3465 7568 9867 3254

  7. Private Information Retrieval • [Rabin, Chor et al.] • Learns nothing about Alice’s query, • except maybe that authorized(may include private payment) I want to selectively and privately learn information IP address: 207.46.197.32 User Service Provider CC number: 3465 7568 9867 354 Benny Chor, EyalKushilevitz, OdedGoldreich, Madhu Sudan

  8. Secure Protocol Design • Anonymity and Private Access needs to be balanced. • many extensions to basic system [CL02, CCS06, PKC09, JCS10,AIR01]. • Will privacy protocols be less prone to errors than conventional protocols (e.g. key agreement)? • What about other privacy enhancing protocols?(RFID Authentication [LBV09], Oblivious Transfer [AIR01) Lee, Batina,.Verbauwhede 2009 CamenischLysyanskaya2002 Aiello, Ishai, Reingold, 2001

  9. Until 1980s: Cryptography as a “craft” design, bug, design ... when to stop? More recently: Cryptography as a “science” formalized goals:attacker model, security definitions explicit assumptions: security of (ideal) building blocks, mathematical assumptions, construction and rigorous analysis Modern Protocol Design

  10. Outline • Cryptographic Definitions • Ideal functionality based definitions • Anonymous Credentials • U-Prove • Delegatable Anonymous Credentials • Private Computation • Location-based Services • Priced Oblivious Transfer • Privacy Preserving Smart Metering • Conclusions • Two approaches to data minimization

  11. I. Cryptographic Definitions Description of building blocks, and specification of desired result

  12. Classical Cryptography Probabilistic Public-key Encryption Alice & Others Bob

  13. Exclude Unwanted Adversarial Behavior • Define security negatively: • Secure if no realistic attacker has advantage > ε . • Game between attacker and challenger • IND-CPA and IND-CCA games pk m0, m1 Enc(pk, mb) b* = b

  14. Define Desired Ideal Behavior • Define security positively:Behaves as ideal protocol, except with probability ≤ ε . • Defined using ideal functionality , and proven by simulation • Adversary plays standardized game:goal is to make simulation fail with probability > ε

  15. Define Desired Ideal Behavior Environment Interface Network Interface Alice & Others Bob

  16. Define Desired Ideal Behavior Environment Interface Network Interface Alice & Others Bob Init: Dec: Enc:

  17. More Schematically Environment Interface Network Interface

  18. Zero-knowledge Proofs Language: • Zero-knowledge • Soundness Environment Interface Network Interface Prover Verifier in Relation R?

  19. Interactive Zero-knowledge Proofs Language: Environment Interface Network Interface Zero-knowledge proof protocol Prover Verifier in Relation

  20. Proof π Non-interactive Zero-knowledge Language: Environment Interface Network Interface Prover Verifier / common reference string random oracle

  21. Oblivious Transfer Environment Interface Network Interface i Receiver Sender mi select ith message

  22. Compute any Function Secure Two-Party Computation of Environment Interface Network Interface Alice Bob compute:

  23. II. Anonymous Service Access Gaining access to services without revealing ones identity

  24. Outline • Cryptographic Definitions • Ideal functionality based definitions • Anonymous Credentials • U-Prove • Delegatable Anonymous Credentials • Private Computation • Location-based Services • Priced Oblivious Transfer • Privacy Preserving Smart Metering • Conclusions • Two approaches to data minimization

  25. Anonymous Service Access I need to know something right? Have you subscribed? Are you old enough? unidentified location data I want to be anonymous. Anonymous data Behavioral data Someones e-book purchases Anonymous credentials Interactions using unlinkable pseudonyms Alice Bob Personal data age>18 Anonymous data Anonymous e-coins

  26. A critique of identity • Identity as a proxy to check credentials • Username decides access in Access Control Matrix • Sometime it leaks too much information • Real world examples • Tickets allow you to use cinema / train • Bars require customers to be older than 18 • But do you want the barman to know your address?

  27. name surname age ... Anonymous Credentials Based on zero-knowledge proofs I issue a digital identity card I want to selectively reveal data. I don’t want my actions to be linked. x = Identity Provider unlinkable (x, y) such that x contains age > 18? Alice y = [ age > 18 ] (real human subscription pseudonym encrypted identity) Cannot learn anything beyond age Service Providers

  28. Two flavours of credentials • Multi-show (Camenisch & Lysyanskaya) • Random oracle free signatures for issuing (CL) • Blinded showing • Prover shows that he knows signature on attributes with some property. • Cannot link multiple shows of the credential • More complex • Single-show credential (Brands & Chaum) • Blind the issuing protocol (blindly sign a commitment • Show the signature on commitment in clear • Prover shows that commitment contains attributes with some property. • Multiple shows are linkable – BAD • Protocols are simpler – GOOD

  29. Technical Outline • Cryptographic preliminaries • The discrete logarithm problem • Schnorr’s Identification protocol • Unforgeability, simulator, Fiat-Shamir Heuristic • Generalization to representation • Showing protocol • Linear relations of attributes • Issuing protocol • Blinded issuing

  30. Modular arithmetics • Assume p a large prime • (>1024 bits—2048 bits) • Detail: p = qr+1 where q also large prime • Denote the field of integers modulo p as Zp • Example with p=7 • Addition works fine: 1+2 = 3, 3+5 = 1, ... • Multiplication too: 2*2 = 4, 2*4 = 1, ... • Exponentiation is as expected: 22 = 4 • Choose g in the multiplicative group of Zp • Such that g is a generator • Example: g=3 (3∗3 = 9-7 = 2) • Subgroup: g=2 (2*2*2=1)

  31. Discrete logarithms • Exponentiation is computationally easy: • Given g and x, easy to compute gx • But logarithm is computationally hard: • Given g and gx, difficult to find x = logggx • If p is large it is practically impossible • Related DH problem • Given (g, gx, gy) difficult to find gxy • Stronger assumption than DL problem

  32. More on Zp • Efficient to find inverses • Given c easy to calculate g-c mod p • (p-1) – c mod p-1 • Efficient to find roots • Given c easy to find g1/c mod p • c (1/c) = 1 mod (p-1) • Not the case N=pq (RSA security) • No need to be scared of this field.

  33. Schnorr’s protocol Public: g, p Knows: x Knows: y=gx P->V: gw= a (first message) V->P: c (challenge) Alice (Prover) Bob (Verifier) P->V: cx+w= r (response) Random: w Check: gr = yca g cx+w = (gx)cgw

  34. No Schnorr Forgery (intuition) • Assume that Alice (Prover) does not know ? • If, for the same first message, Alice forges two valid responses to two of Bob’s challenges • Then Alice must know • 2 equations, 2 unknowns – can find

  35. Zero-knowledge (intuition) • The verifier learns nothing new about . • How do we go about proving this? • Verifier can simulate protocol executions • On his own! • Without any help from Alice (Prover) • This means that the transcript gives no information about • How does Bob simulate a transcript? • (First message, challenge, response)

  36. Simulator • Need to fake a transcript • Simulator: • Trick: do not follow the protocol order! • First pick the challenge • Then pick a random response • Then note that the response must satisfy: • Solve for • Proof technique for ZK

  37. Non-interactive proof? • Schnorr’s protocol • Requires interaction between Alice and Bob • Bob cannot transfer proof to convince Charlie • (In fact we saw he can completely fake a transcript) • Fiat-Shamir Heuristic • H[∙] is a cryptographic hash function • Alice sets c = H[gw] • Note that the simulator cannot work any more • gw has to be set first to derive c • Signature scheme • Alice sets c = H[gw, M]

  38. Generalise to DL representations • Traditional Schnorr • For fixed and public key • Alice proves she knows such that • General problem • Fix prime , generators • Public key • Alice proves she knows such that

  39. DL represenation – protocol Public: g, p Knows: h = g1X1g2X2 ... glXl Knows: x1, ..., xl l random: wi P->V: ∏0<i<l gwi= a (first message) Alice (Prover) Bob (Verifier) V->P: c (challenge) ri =cxi+wi P->V: r1, ..., rl (response) Check: (∏0<i<lgiri) = hca Let’s convince ourselves: (∏0<i<lgiri)= (∏0<i<lgixi)c(∏0<i<lgwi) = hca

  40. DL represenation vs. Schnorr Public: g, p Knows: h = g1X1g2X2 ... glXl Knows: x1, ..., xl l random: wi P->V: ∏0<i<l gwi= a (first message) Alice (Prover) Bob (Verifier) V->P: c (challenge) ri =cxi+wi P->V: r1, ..., rl (response) Check: (∏0<i<lgiri) = hca Let’s convince ourselves: (∏0<i<lgiri)= (∏0<i<lgixi)c(∏0<i<lgwi) = hca

  41. DL represenation vs. Schnorr Public: g, p Knows: h = g1X1g2X2 ... glXl Knows: x1, ..., xl l random: wi P->V: ∏0<i<l gwi= a (first message) Alice (Prover) Bob (Verifier) V->P: c (challenge) ri =cxi+wi P->V: r1, ..., rl (response) Check: (∏0<i<lgiri) = hca Let’s convince ourselves: (∏0<i<lgiri)= (∏0<i<lgixi)c(∏0<i<lgwi) = hca

  42. Credentials – showing • Credential representation: • Attributes • Credential , • Credential showing protocol • Alice gives the credential to Bob • Alice proves a statement on values • e.g. • Merely DL rep. proof that she knows remaining ,i.e.

  43. Com(name, surname age ...) Issuing Protocol Based on blind signatures I half-blindly issue a digital identity card I want to selectively reveal data. I don’t want my actions to be linked. = Identity Provider unlinkable (x, h)such that x contains age > 18? Alice x = attributes and opening for h Cannot learn anything beyond age Service Providers

  44. 2 2 1 name surname age ... Delegatable Anonymous Credentials I issue a digital identity card Alice Identity Provider unlinkable unlinkable Carol Service Providers

  45. pkA pkA pkA pkC pkC fresh nonce skB skB skS skA skA skC Non-Anonymous Delegation using signatures: Alice Service Providers Carol

  46. Randomize Proofs Size of randomized proofs stays constant, no blowup

  47. Randomizable Proofs • Completeness, Soundness, Zero-knowledge • New property: Randomizability • Randomized proof looks like freshly generated proof • Construction for NP [GOS06] and efficient applications [GS08] randomize Groth, Ostrovsky, Sahai Groth, Sahai

  48. Randomizability and Malleability • Malleability as a bug [DDN91] • Malleability as a feature • Homomorphic encryption [ElGamal, Paillier, Gentry] • Translation between pseudonyms: about , about maul randomize Dolev, Dwork, Naor

  49. : proof that , and correct 1 Delegatable Anonymous Credentials Alice Carol Service Providers

  50. : and correct : and correct maul & randomize 2 2 : proof that , and correct 1 1 1 : proof that and correct Delegatable Anonymous Credentials Alice Carol maul & randomize Service Providers