Cryptography 4 Privacy 2016 IBM Corporation Cryptography 4 Privacy Jan Camenisch Principle RSM; Member, IBM Academy of Technology IBM Research – Zurich @JanCamenisch ibm.biz/jancamenisch

copy 2016 IBM Corporation

Cryptography 4 Privacy

Jan CamenischPrinciple RSM Member IBM Academy of TechnologyIBM Research ndash Zurich

JanCamenischibmbizjancamenisch

SuRI School of Computer and Communication Sciences EPFL

copy 2016 IBM Corporation2 Jan Camenisch - Cryptography 4 Privacy - Summer Research Institute - EPFL

We all increasingly conduct our daily tasks electronically

are becoming increasingly vulnerable to cybercrimes

33 of cyber crimes including identity theft take less time than to make a cup of tea

10 Years ago your identity information on the black market was worth $150 Todayhellip

$4500000000 cost of identity theft worldwide

Houston we have a problem

ldquoBuzz Aldrins footprints are still up thererdquo(Robin Wilton)

Computers dont forget

Apps built to use amp generate (too much) data

Data is stored by default

Data mining gets ever better

New (ways of) businesses using personal data

Humans forget most things too quickly

Paper collects dust in drawers

Wheres all my data

The ways of data are hard to understand

Devices operating systems amp apps are getting more complex and intertwined

ndash Mashups Ad networksndash Machines virtual and realtime configuredndash Not visible to users and expertsndash Data processing changes constantly

rarr No control over data and far too easy to loose them

The real problem

Applications are designed with the sandy beach in mind but are then built on the moon

ndash Feature creep security comes last if at allndash Everyone can do apps and sell them ndash Networks and systems hard not (well) protected

We need paradigm shift ampbuild stuff for the moon

rather than the sandy beach

Security amp Privacy is not a lost cause

That means Reveal only minimal data necessary Encrypt every bit Attach usage policies to each bit

Cryptography can do that

copy 2016 IBM Corporation13 2015 Information Security Summer School - Bilbao

Cryptography to the Aid

copy 2016 IBM Corporation14 October 15 2015 - Press Day

Today two solutions

Identity mixer privacy protecting authentication

Password-based security from humans to cryptographic keys

Identity Mixer

Alice wants to watch a movie at Movie Streaming Service

Movie Streaming Service

I wish to see Alice in Wonderland

You need- subscription- be older than 12

Watching the movie with the traditional solution

ok heres - my eID - my subscription

Using digital equivalent of paper world eg with X509 Certificates

Aha you are- Alice Doe- born on Dec 12 1975- 7 Waterdrive- CH 8003 Zurich - Married- Expires Aug 4 2018

Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016

with X509 Certificates

This is a privacy and security problem - identity theft - discrimination - profiling possibly in connection with other services

With OpenID (similar protocols) eg log-in with Facebook

With OpenID and similar solution eg log-in with Facebook

Aha Alice is watching a 12+ movie

Aha you are- Alicefacebookcom- 12+Mplex Customer - 1029347 - Premium Subscription - Expires Jan 13 2016

Proper cryptography solves this Identity Mixer

When Alice authenticates to the Movie StreamingService with Identity Mixer all the services learns isthat Alice

has a subscriptionis older than 12

and no more

Users Keys One secret Identity (secret key) Many Public Pseudonyms (public keys)

Privacy-protecting authentication with Privacy ABCs

rarr use a different identity for each communication partner or even transaction

Certified attributes from Identity provider Issuing a credential

Name = Alice DoeBirth date = April 3 1997

Certified attributes from purchasing department Issuing a credential

Proving identity claims but does not send credentials only minimal disclosure

- valid subscription - eID with age ge 12

Proving Identity Claims Minimal Disclosure

Alice DoeDec 12 1998Hauptstr 7 ZurichCHsingleExp Aug 4 2018 ve

rified

Alice DoeAge 12+Hauptstr 7 ZurichCHsingleExp Valid ve

rified

Aha you are- older than 12- have a subscription

Proving identity claims but does not send credential only minimal disclosure (Public Verification Key

of issuer)

Transaction is not linkable to any other of Alices transactions

Try Identity Mixer for yourself

Try yourself idemixdemomybluemixnetrarrBuild your app githubcomIBM-Bluemixidemix-issuer-verifierrarrSource code githubcomgithubcomp2abcenginep2abcenginerarrInfo ibmbizidentity_mixerrarr

You might already have Identity Mixer on your devices

Identity Mixer (and related protocols) in standards TPM V12 (2004) and V20 (2015) call it ndash Direct Anonymous Attestation FIDO Alliance authentication is standardizing this as well (w and wout chip)

TPMs allow one to store secret key in a secure place

Other examples secure and privacy access to databases

DNA databases NewsJournalsMagazines Patent database

Cryptography access protocol st database provider has no information about which user accesses which data

Who accesses which data at which time can reveal sensitive information about the users (their research strategy location habits etc)

A glimpse at the underlying cryptography

A Glimpse at the technical realization

Zero knowledge proof of knowledge

Signature schemecompatible with ZKP

Commitment schemecompatible with ZKP amp sig scheme

Given group ltggt and element y Є ltggt Prover wants to convince verifier that she knows x = log g y such that verifier only learns y and g

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Zero Knowledge Proofs of Knowledge of Discrete Logarithms

Logical combinations

PK(αβ) y = gα and z = gβ and u = gβhα PK(αβ) y = gα or z = gβ

Non-interactive (Fiat-Shamir heuristic Schnorr Signatures) PK(α) y = gα (m)

Many Exponents

PK(αβγδ) y = gα hβzγkδuβ

Intervals and groups of different order (under SRSA)PK(α) y = gα and α Є [AB]

PK(α) y = gα and z = gα and α Є [0minord(g)ord(g)]

RSA Signature Scheme

Rivest Shamir and Adlemann 1978

Secret Key two random primes p and qPublic Key n = pq prime e

and collision-free hash function H 01 -gt 01ℓ

Computing signature on a message m Є 01 d = 1e mod (p-1)(q-1)

s = H(m) d mod n

Verification of signature s on a message m Є 01

se = H(m) (mod n)

Correctness se = (H(m)d)e = H(m)dmiddote = H(m) (mod n)

Verification signature on a message m Є 01 se = H(m) (mod n)

Wanna do proof of knowledge of signature on a message eg PK (ms) se = H(m) (mod n)

But this is not a valid proof expression -(

Public key of signer RSA modulus n and ai b d Є QRn

Secret key factors of n

To sign k messages m1 mk Є 01ℓ choose random prime 2ℓ+2 gt e gt 2ℓ+1 and integer s asymp n compute c

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

To verify a signature (ces) on messages m1 mk m1 mk Є 01ℓ e gt 2ℓ+1

d = ce a1m1 ak

mk bs mod n

Theorem Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption

CL-Signature Scheme

Observendash d = ce am bs mod nndash Let c = c btmod n with randomly chosen t

then d = ce a1m1a2m2 bs-et (mod n) ie(ce s = s-et) is also signature on m1 and m2

To prove knowledge of signature (ce s) on m2 and some m1 provide c PK(ε micro1 σ) da2m2 = cε a1micro1 b σ and micro Є 01ℓ and ε gt 2ℓ+1

Proving Knowledge of a CL-signature

Password-based Security

Password are insecure arent they

Passwords inherently insecureNo Wersquore just using them incorrectly

username-password the most prominent form of user authentication

The problem with passwords

password salted PW hash

correctcorrectcorrectcorrectcorrecthellipcorrect

Passwords are symmetric secrets need protection on server amp userrarr Password (hashes) useless against offline attacks

ndash Human-memorizable passwords are inherently weakndash NIST 16-character passwords have 30 bits of entropy asymp 1 billion possibilitiesndash Rig of 25 GPUs tests 350 billion possibilities second so asymp 3ms for 16 charsndash 60 of LinkedIn passwords cracked within 24h

More expensive hash functions provide very little help onlyndash increases verification time as wellndash does not work for short passwords such as pins etc

Single-server solutions inherently vulnerable to offline attacksndash Server administrator hacker can always guess amp test

The solution distributed password verification

Setup Open account w password p

p2p1 p2

Login to account with password p

no server alone can test password passwords safe as long as not all servers are hacked

ndash off-line attacks no longer possiblendash on-line attacks can be throttled

pro-active re-sharing possible First server

ndash web-server replaces hash-data filesrarrndash users computer secure against loss or theft of user devicerarr

p1 p2=

How it works in a nutshell [CLN12CEN15]

E = (EncX(1p) ⟐ E)r

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

Servers share encryption secret key x1 and x2 for PK X of a homomorphic scheme At setup user encrypts p under X E= EncX(p) Password verification check for encryption of 1

Servers do not learn anythingndash 1 if passwords match random number otherwise

User could even be talking to the wrong servers

From password to cryptographic keys [CLN12CLLN14CEN15]

One of the servers could be your smart phone laptop hellip Get key share from if password check succeeded Decrypt all your files on phone (or stored in the cloud etc)

p p1 p2=

Further Research Needed

Securing the infrastructure amp IoTndash ldquoad-hocrdquo establishment of secure authentication and communication ndash audit-ability amp privacy (where is my information crime traces)ndash security services eg better CA oblivious TTPs anon routing hellip

Usability

ndash HCIndash Infrastructure (setup use changes by end users)

Provably secure protocolsndash Properly modeling protocols (UC realistic attacks models )ndash Verifiable security proofsndash Retaining efficiency

Quantum ComputersndashLots of new crypto needed stillndashBuild apps algorithm agnostic

Towards a secure information societyndashSociety gets shaped by quickly changing technologyndashConsequences are hard to grasp yetndashWe must inform and engage in a dialog

Conclusion

Let engage in some rocket science Much of the needed technology exists hellip need to use them amp build apps ldquofor the moonrdquo hellip and make apps usable amp secure for end users

Thank youJoint work w Maria Dubovitskaya Anja Lehmann Anna Lysyanskaya Gregory Neven and many many more

jcazurichibmcom JanCamenisch ibmbizjancamenisch

IBM Presentation Template Full Version

We all increasingly conduct our daily tasks electronically

are becoming increasingly vulnerable to cybercrimes

Wheres all my data

The real problem

Today two solutions

Identity Mixer

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

Wheres all my data

The real problem

Today two solutions

Identity Mixer

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

Wheres all my data

The real problem

Today two solutions

Identity Mixer

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

Wheres all my data

The real problem

Today two solutions

Identity Mixer

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

Wheres all my data

The real problem

Today two solutions

Identity Mixer

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

Wheres all my data

The real problem

Today two solutions

Identity Mixer

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

Wheres all my data

The real problem

Today two solutions

Identity Mixer

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

Wheres all my data

The real problem

Today two solutions

Identity Mixer

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

The real problem

Today two solutions

Identity Mixer

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

Today two solutions

Identity Mixer

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

Today two solutions

Identity Mixer

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

Today two solutions

Identity Mixer

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

Today two solutions

Identity Mixer

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

Identity Mixer

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

and no more

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

rified

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

of issuer)

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

t = gs yc

Prover

random r t = gr

Verifier

random c

s = r - cx

PK(α) y = gα

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

Many Exponents

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

s = H(m) d mod n

se = H(m) (mod n)

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

c = (d (a1m1 ak

mk bs ))1e mod n

signature is (ces)

CL-Signature Scheme

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

d = ce a1m1 ak

mk bs mod n

CL-Signature Scheme

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

p2p1 p2

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

p1 p2=

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

= EncX( (pp)r)

E= EncX(p)x1

p = p harr

DecX(E) = 1

E=EncX(p)x2

p p1 p2=

Usability

Conclusion

p p1 p2=

Usability

Conclusion

p p1 p2=

Usability

Conclusion

Usability

Conclusion

Documents

Cryptography 4 Privacy 2016 IBM Corporation Cryptography 4 Privacy Jan Camenisch Principle RSM; Member, IBM Academy of Technology IBM Research – Zurich @JanCamenisch ibm.biz/jancamenisch