Self-Blindable Credential Certificates from the Weil Pairing Eric R. Verheul April 9, 2004 SCLab Jinhae Kim


Page 1

Self-Blindable Credential Certificates from the Weil Pairing

Eric R. Verheul

April 9, 2004, SCLab, Jinhae Kim

Page 2

Introduction I

• What is a pseudonym?
  – A unique identifier by which a user is known by a certain party. Same user, different pseudonym.
• A pseudonymous certificate binds a user’s pseudonym to his public key.
• A credential is a trust provider’s statement about the user.
  – Example: “lives in MN”, “has a PhD in CS”
  – single-use / multiple-use

Page 3

Introduction II

• Credential pseudonymous certificates (CPCs)
  – Digital certificates that bind credentials to users.
• In Chaum’s [1] model
  – Pseudonyms are unlinkable.
    • Parties that know a user by different pseudonyms must not have the ability to combine their logs.
  – CPCs must be translatable.
    • CPC A: “p1 is in good health.”
    • A is issued by Dr. Yongdae under p1.
    • Jinhae (owner of p1) presents A to an insurance company under p2.

1. D. Chaum, Security Without Identification: Transaction Systems to Make Big Brother Obsolete, Communications of the ACM, 1985

Page 4

Security Requirement

• Protection against pseudonym/credential forgery.
• Protection against pseudonym/credential sharing.
  – smartcard based passports
  – better solution: all-or-nothing
  – Problems?
• Revocation of pseudonymous certificates and credentials.

Page 5

Building Blocks I

• Diffie-Hellman (DH) problem
  – generator g of a group G of (prime) order q.
  – DH_g(g^x, g^y) = g^(xy)
• Decision Diffie-Hellman (DDH) problem
  – given a, b, c ∈ G decide whether c = DH_g(a, b)
  – An alternative formulation of DDH:
    • given g, g^x, h, h^y in group G decide whether x = y.
    • h^y = DH_g(g^x, h) (suppose h = g^a; then h^y = g^(ay) and DH_g(g^x, h) = g^(ax))
• A group in which the DDH problem is simple while DH and DL are hard.

Page 6

Building Blocks II

• Elliptic Curve Cryptography [1] (ECC)
  – EC can provide versions of PK methods.
  – In some cases EC is faster and uses smaller keys.
  – Addition in EC plays the role of multiplication in Z_p^*.

  Z_p^*   Multiplication (ab = c (mod p))    Exponentiation (a^b = c (mod p))
  EC      Addition (X + Y = Z)               Multiplication (αX = Y)

ref) a, b, c ∈ Z_p^*; X, Y are points on an elliptic curve and α is a constant.

1. David Jablon, Elliptic Curve Cryptography, http://world.std.com/dpj/elliptic.html

Page 7

Building Block III

• DDH in ECC
  – <P> is a group of (prime) order q on the curve.
  – A, B, C is an instance of the DDH problem with respect to P.
  – C = DH_P(A, B) iff e_q(A, D(B)) = e_q(P, D(C))
  – D(.) is the distortion map, and e_q(., .) is the Weil pairing.
• Bilinear map
  – B(g^x, g^y) = B(g, g)^(xy) (= B(g, g^(xy))) (DDH is solved!)
  – In ECC: B(aP, bP) = ab · B(P, P) (= B(P, abP))

Page 8

The ‘Proofless’ Variant of the Chaum-Pedersen Scheme [1]

• A group G of prime order q, with generator g.
  – The DDH problem is simple, while the DL and DH problems are practically intractable.
• The Chaum-Pedersen scheme
  – The public key is y = g^x, where 0 ≤ x < q.
  – A signature on a message m ∈ G
    • z = m^x (plus a proof that log_g(y) = log_m(z)).
    • Can verify log_g(y) = log_m(z) iff z = DH_g(m, y).

1. D. Chaum, T.P. Pedersen, Wallet Databases with Observers, Proceedings of Crypto ’92

Page 9

The Variant of the C-P Scheme II

• The signature z = m^x is self-blindable.
  – Without knowledge of the signing key x, one can make another signature z^k = (m^k)^x.
• Easy blinding property.
  – Message (typically a hash) M; public key of the signing party g^x.
  – Ask to sign M^r, for 0 ≤ r < q, resulting in M^(rx).

Page 10

Self-blindable Certificates

• Terminology for self-blindable certificates
  – U : collection of all possible public keys.
  – T : collection of all verification public keys of TPs.
  – C : collection of all possible certificates.
  – Credential on a user public key P_U ∈ U
    • {P_U, Sig(P_U, S_T)}, where S_T is the private signing key of the TP.
    • Accompanied by a higher-level certificate
      – Cert(P_U, “Trust statement”)
      • Standard X.509 certificate with the “Trust statement” in one of its extension fields.

Page 11

Self-blindable Certificates II

• The certificates are called self-blindable if:
  – There exists a set F, the transformation factor space.
  – There is an efficiently computable transformation map
    • D: C × F → C
• Properties
  1. For any certificate C ∈ C and f ∈ F, the certificate D(C, f) is signed with the same trust provider public key as C.
  2. Let C1, C2 be certificates and f ∈ F be known. If C2 = D(C1, f), then one can efficiently compute a transformation factor f΄ ∈ F such that C1 = D(C2, f΄).
  3. If C1, C2 ∈ C are two different certificates on the same user public key, then so are D(C1, f) and D(C2, f).
  4. Let P_U be a user public key and f ∈ F be known. Then a user possesses the private key of P_U iff it possesses the private key of D(P_U, f).
  5. If the user’s public key P_U ∈ U is fixed and f ∈ F is a uniformly random element of F, then D(P_U, f) is a uniformly random element of U.

Page 12

CPC System

• Pseudonymous credential
  – {P_U, [Sig(P_U, S_N), Cert(P_N, “PP statement”)]}
    • P_U : the public key of the user.
    • Sig(P_U, S_N) : a signature of the pseudonym provider (PP).
    • Cert(P_N, “PP statement”) : a (conventional) certificate on the public verification key of the PP.
      – With a statement on its applicability included among the usual fields (e.g., expiration date).
      – The pseudonym of a user is in fact the user’s public key in its certificate.

Page 13

CPC System II

• Generation of a new pseudonymous certificate.
  – By choosing a (random) factor and transforming an initially issued pseudonymous certificate.
  – Credential Pseudonymous Certificate
    • Based on a pseudonymous credential
    • {P_U, [Sig(P_U, S_N), Cert(P_N, “PP statement”)],
            [Sig(P_U, S_C), Cert(P_C, “CP statement”)]+}.
    • 2nd line: credential field.
      – Sig(P_U, S_C) : a signature of the credential provider (CP).
      – In the CP statement: a statement on its credential applicability (e.g., “is over 18 years old”).

Page 14

Overview of System Description

Page 15

High-level System Description

• Initial Registration.
  – The user registers, typically in a non-anonymous fashion, with a pseudonym provider.
  – After registration a First Pseudonymous Certificate (FPC) is issued.
  – The pseudonym provider puts the FPC in a public directory.
  – When unique pseudonyms are required, the provider has the option to maintain a private list of physical persons that were issued a pseudonymous certificate.

Page 16

System Description II

• Credential Issuance.
  – The user transforms its FPC into a random pseudonymous certificate (RPC) by using a random transformation factor.
  – Registers with a CP using this RPC, which includes a proof of possession of the private key.
  – This registration need not be anonymous. The user does what is required to obtain a credential (e.g., takes a driver’s exam, shows other credentials).
  – Upon succeeding, the user is issued a credential on the RPC, that is, the CPC.
  – The pseudonym provider has the option to put the CPC in a public directory.

Page 17

System Description III

• Credential Use.
  – The user registers (typically anonymously) with a service provider using a new RPC.
    • If I can make an RPC with my FPC, how about others?
  – The user combines all of the CPCs relating to credentials required by the SP into one CPC under the registered pseudonym.
    • Uses the second (inverse) transformation property on the transformation factors related to the individual, original CPCs.
    • A CPC is first translated to the First Pseudonym and then translated to the registered pseudonym.
    • This certificate is presented to the SP, together with a proof of possession of the private key referenced in this CPC.

Page 18

System Description IV

• Credential Use II
  – Double spend checking
    • The SP has the option to require that the user contact a specific trust provider (unicity provider).
    • The user sends this trust provider the transformation factor(s) transforming the new RPC to the FPC.
    • The trust provider validates that these factor(s) transform the RPC into an FPC in the PP’s directory, and that this FPC was not registered before. – Problems?
    • Note 1: the PP directory does not specify user identities, only FPCs.
    • Note 2: the specific trust provider need not be the user’s pseudonym provider.
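The double-spend check described on this slide, as an added Python example that is not code from the paper or the slides. It runs on the simple construction {g^x, g^(xz)} of page 22 in a prime-order subgroup of Z_p^*; the group parameters, the key values, the `UnicityProvider` class and the `transform`/`invert_factor` helpers are this example’s own assumptions, and the group is far too small to be secure.

```python
# Added example, not code from the paper or the slides: the unicity provider's double-spend
# check, run on the simple construction {g^x, g^(xz)} in a prime-order subgroup of Z_p^*.
# p, q, g, the keys and the UnicityProvider class are constructed assumptions, and the
# group is far too small to be secure.
import secrets

p, q, g = 2039, 1019, 4           # p = 2q + 1; g = 2^2 generates the order-q subgroup

def transform(cert, f):
    """D({X, Y}, f) = {X^f, Y^f}: the self-blinding transformation of the simple construction."""
    X, Y = cert
    return (pow(X, f, p), pow(Y, f, p))

def invert_factor(f):
    """Property 2 of self-blindable certificates: D(D(C, f), f^-1 mod q) = C."""
    return pow(f, -1, q)

class UnicityProvider:
    """Trust provider that maps a randomised pseudonymous certificate (RPC) back to the
    first pseudonymous certificate (FPC) in the pseudonym provider's public directory and
    refuses an FPC that was already registered here. The directory holds FPCs only, no
    identities (Note 1), so the provider learns which FPC was used, not who the user is."""
    def __init__(self, pp_directory):
        self.directory = set(pp_directory)
        self.seen = set()

    def check(self, rpc, factor):
        """Return (accepted, reason); factor is the user's f with RPC = D(FPC, f)."""
        fpc = transform(rpc, invert_factor(factor))
        if fpc not in self.directory:
            return False, "no FPC in the PP directory maps to this RPC"
        if fpc in self.seen:
            return False, "FPC already registered here: double use"
        self.seen.add(fpc)
        return True, "fresh"

def demo():
    z, x = 77, 345                                 # PP signing key and user key (constructed)
    fpc = (pow(g, x, p), pow(g, x * z, p))         # the user's FPC {g^x, g^(xz)}
    other = (pow(g, 500, p), pow(g, 500 * z, p))   # an unrelated user's FPC
    provider = UnicityProvider([fpc, other])

    f1 = secrets.randbelow(q - 2) + 2              # two independent random factors in [2, q-1]
    f2 = secrets.randbelow(q - 2) + 2
    while f2 == f1:
        f2 = secrets.randbelow(q - 2) + 2
    rpc1, rpc2 = transform(fpc, f1), transform(fpc, f2)

    return {
        "first": provider.check(rpc1, f1),                  # accepted
        "second": provider.check(rpc2, f2),                 # same FPC under another pseudonym: refused
        "wrong_factor": provider.check(rpc2, f2 * 2 % q),   # factor does not lead to a directory entry
        "unlinkable": rpc1 != rpc2 and rpc1[0] != fpc[0],   # both RPCs differ from the FPC and from each other
    }
```

`demo()` shows the three outcomes the slide implies: a fresh RPC whose factor leads back to a directory FPC is accepted, a second RPC of the same user under a different pseudonym is refused because the same FPC is reached, and a factor that does not lead to any directory entry is rejected. The provider never sees the user’s identity, only the FPC; the “Problems?” question on the slide is left as the slide poses it.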

Page 19

System Description V

• A TP can link two different pseudonyms of a user.
  – During registration, the PP and the user (U) exchange a secret, S.
  – If a trust provider (T) wants to provide assurance on unique pseudonyms, then the PP is provided a list consisting of transformed FPCs, in such a way that:
    • U’s FPC is transformed using a transformation factor f:
      – f = H(T, S) (H: secure hash function)
    • the order of the FPCs is randomly permuted.

Page 20

Revocation of Certificate Bases

• 1st Method: Pro-active
  – Let the trust providers employ signing keys with a short expiration time (e.g., a week).
  – If a pseudonymous certificate/credential has not been revoked, then the trust provider automatically updates the certificates/credentials in its directory with newly signed ones.
  – A user can collect the updated pseudonymous certificates/credentials, preferably via an anonymous channel.

Page 21

Revocation II

• 2nd Method: using the flexible secret sharing technique
  – Send specific transformation factors to the trust provider along with a (credential) pseudonymous certificate.
  – The TP can retrieve the originally issued (credential) pseudonymous certificates and find out whether they have been revoked.
  – The trust provider then provides a statement on the status of the (credential) pseudonymous certificate to the service provider.
  – The service provider still needs to verify that the user is in possession of the private key referenced in the used randomized CPC.

Page 22

A Simple Construction for CPCs

• Let G = <g> be a group of prime order q.
• The set T of all trust providers’ public keys takes the form (j, j^s) (0 ≤ s < q; s is the private key).
• U consists of elements of the form g^x (0 < x < q; x is the user’s private key).
• A certificate issued by a trust provider with public key (h, h^z) on a user public key g^x:
  – {g^x, g^(xz)}.
• The transformation D: C × F → C
  – ({X, Y}, f) → {X^f, Y^f}
  • The certificate {g^x, g^(xz)} is transformed to the certificate {g^(xf), g^(xfz)} under factor f.
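The following is an added worked example and not code from Verheul’s paper or from these slides. It instantiates the DDH check of Building Block III, the proofless Chaum-Pedersen signature of pages 8 and 9 and the simple construction above on a constructed toy curve y^2 = x^3 + x over F_2003 (supersingular, subgroup order 167), using the reduced Tate pairing with the distortion map (x, y) → (-x, i·y) where the slides use the Weil pairing. Everything here is the example’s own assumption: the curve parameters, the key values 101, 57 and 123 and the function names, and the parameters are far too small to be secure. The group is written additively, so the slides’ g^x is x·P.

```python
# Added example (not code from the paper or the slides): the proofless Chaum-Pedersen
# signature and the simple self-blindable certificate {g^x, g^(xz)} on a constructed toy
# pairing-friendly curve. p = 2003 is illustrative only and far too small to be secure.
# E: y^2 = x^3 + x over F_p, p = 3 (mod 4), supersingular, #E(F_p) = p + 1 = 12 * 167.
# Additive notation: the slides' g^x is x*P; the reduced Tate pairing combined with the
# distortion map D(x, y) = (-x, i*y) plays the role of e_q(A, D(B)) = e_q(P, D(C)).
p, q = 2003, 167
COFACTOR = (p + 1) // q

# F_{p^2} = F_p[i]/(i^2 + 1); a + b*i is the tuple (a, b).
def f2_mul(u, v):
    (a, b), (c, d) = u, v
    return ((a * c - b * d) % p, (a * d + b * c) % p)

def f2_pow(u, e):
    r = (1, 0)
    while e:
        if e & 1:
            r = f2_mul(r, u)
        u, e = f2_mul(u, u), e >> 1
    return r

# Affine points of E(F_p); None is the point at infinity.
def slope(T, R):
    """Slope of the chord through T and R, or of the tangent at T when T == R."""
    (x1, y1), (x2, y2) = T, R
    if T == R:
        return (3 * x1 * x1 + 1) * pow(2 * y1, -1, p) % p
    return (y2 - y1) * pow(x2 - x1, -1, p) % p

def ec_add(A, B):
    if A is None or B is None:
        return B if A is None else A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0:
        return None                                  # A == -B
    lam = slope(A, B)
    x3 = (lam * lam - A[0] - B[0]) % p
    return (x3, (lam * (A[0] - x3) - A[1]) % p)

def ec_mul(k, A):
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def line_at(T, R, Qx, Qy):
    """Line through T and R (tangent if T == R) evaluated at Q = (Qx in F_p, Qy in F_{p^2}).
    Vertical lines are skipped: their values lie in F_p and vanish in the final exponentiation."""
    if T[0] == R[0] and (T[1] + R[1]) % p == 0:
        return (1, 0)
    lam = slope(T, R)
    return ((Qy[0] - T[1] - lam * (Qx - T[0])) % p, Qy[1])

def pairing(A, B):
    """e(A, D(B)) = f_{q,A}(D(B))^((p^2 - 1)/q) by Miller's algorithm; D(B) lies outside E(F_p)."""
    Qx, Qy = (-B[0]) % p, (0, B[1])
    f, T = (1, 0), A
    for bit in bin(q)[3:]:
        f, T = f2_mul(f2_mul(f, f), line_at(T, T, Qx, Qy)), ec_add(T, T)
        if bit == "1":
            f, T = f2_mul(f, line_at(T, A, Qx, Qy)), ec_add(T, A)
    return f2_pow(f, (p * p - 1) // q)

def find_generator():
    """First point of exact order q, found by scanning x and clearing the cofactor."""
    for x in range(1, p):
        rhs = (x ** 3 + x) % p
        if pow(rhs, (p - 1) // 2, p) == 1:           # rhs is a square mod p
            A = ec_mul(COFACTOR, (x, pow(rhs, (p + 1) // 4, p)))
            if A is not None:
                return A

P = find_generator()

# Proofless Chaum-Pedersen: public key (P, Z = z*P), signature on a message point M is z*M.
# Verification is the DDH check log_P(Z) == log_M(S), decided by the pairing, with no DL proof.
def sign(z, M):
    return ec_mul(z, M)

def verify(Z, M, S):
    return pairing(P, S) == pairing(Z, M)

def self_blind(M, S, f):
    """Without z, turn (M, S) into the signature on f*M: (f*M, f*S) (page 9)."""
    return ec_mul(f, M), ec_mul(f, S)

def demo():
    """Simple construction: certificate {U, z*U} on user key U = x*P and D({X, Y}, f) = {f*X, f*Y}.
    z, x and f are constructed sample values."""
    z, x, f = 101, 57, 123            # trust provider key, user key, transformation factor
    Z, U = ec_mul(z, P), ec_mul(x, P)
    cert = (U, sign(z, U))
    blinded = self_blind(*cert, f)
    forged = (U, ec_mul(z + 1, U))   # "signed" under a key that is not z
    return {
        "cert_ok": verify(Z, *cert),
        "blinded_ok": verify(Z, *blinded),
        "forged_ok": verify(Z, *forged),
        "blinded_key_differs": blinded[0] != U,
        # the blinded certificate's private key is (f, f*x mod q); division recovers x (page 28)
        "recovered_x": (f * x % q) * pow(f, -1, q) % q,
    }
```

`demo()` returns a dictionary showing the properties the slides state: the issued certificate {U, zU} verifies against the trust provider key (P, zP); its transform {fU, fzU} verifies under the same key although z was never used to produce it (property 1 of page 11); a pair signed under a different key is rejected; the transformed public key differs from U, which is what makes the pseudonyms unlinkable to an observer; and the transformed private key (f, f·x mod q) gives back x by division, which is the all-or-nothing argument of page 28. Vertical lines are dropped in Miller’s algorithm because the x-coordinate of D(B) lies in F_p, so their values are killed by the final exponentiation (p^2 - 1)/q, a multiple of p - 1.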

Page 23

A Simple Construction II

1. The user registers, typically in a non-anonymous fashion, with a pseudonym provider.
2. The PP generates a random 0 < x < q
   – forms the user public key g^x and the certificate {g^x, g^(xz)}.
   – All information is put on a tamper-resistant signing device.
   – Private key information of (transformed) certificates can be used but not retrieved.
3. The secure signing device is handed over to the user in a secure fashion.

Page 24

A More Robust Construction

• Let G = <g> be a group of prime order q.
• There exists an embedding E(.) from G into a group G΄ where all three problems are practically intractable.
• The set T of all trust providers’ public keys takes the form (j, j^s) (0 ≤ s < q; s is the private key).
• The PP publishes a certified pair (r, s) = (r, r^f)
  – r, s ∈ G, 0 < f < q unknown to all parties.
• U consists of elements of the form (g1, g2, g1^x1 · g2^x2)
  – 0 < x1, x2 < q,
  – g1 is a random generator and log_g1(g2) = f

Page 25

A More Robust Construction II

• The certificate with public key (h, h^z) on a user’s public key (g1, g2, g1^x1 · g2^x2):
  – {g1, g2, g1^x1 · g2^x2, (g1^x1 · g2^x2)^z}.
• The transformation D: C × F → C
  – ({X, Y, W, Z}, (k, l)) → {X^l, Y^l, W^(kl), Z^(kl)}
  • The certificate {g1, g2, g1^x1 · g2^x2, (g1^x1 · g2^x2)^z} is transformed to the certificate {g1^l, g2^l, g1^(x1·kl) · g2^(x2·kl), (g1^(x1·kl) · g2^(x2·kl))^z} under factor (k, l).

Page 26

A More Robust Construction III

1. The user registers, typically in a non-anonymous fashion, with a PP.
2. The PP generates a random pair (g1, g2)
   – g2 = g1^f (a random power of the elements r, s).
   – The pair (g1, g2) is sent to the user or a smart card issuer.
3. The user generates a random private key 0 ≤ x < q and forms g2^x.
   – Sends g2^x and proves possession of the private key x.
4. The PP forms the public key (g1, g2, g1 · g2^x)
   – Places a Chaum-Pedersen signature on it, i.e., (g1 · g2^x)^z.
   – Employs the embedding E : G → G΄.
   – Determines the elements E(g2), E(g2^x) of the group G΄.
   – Determines a random power r of these elements, i.e., E(g2)^r, E(g2^x)^r.
   – Forms a conventional non-repudiation certificate on (E(g2)^r, E(g2^x)^r).
   – The first pseudonymous certificate and the non-repudiation certificate are issued to the user. Both are also stored in separate directories.

Page 27

A More Robust Construction IV

• The characteristics of the embedding E(.)
  – Homomorphism: the signing key of E(g2^x)^r is x.
  – One-way function: hard to get g2^r, g2^(xr) from E(g2)^r, E(g2^x)^r.
• It would be impossible to relate E(g2), E(g2^x) (deducible from the FPC) to E(g2)^r, E(g2^x)^r (deducible from the non-repudiation certificate). (DDH is hard in G΄)

Page 28

Protection against Pseudonym/Credential Forgery

• Based on an all-or-nothing concept.
• The private key in a transformed credential takes the form (k, k · x mod q) for some 0 < k < q.
• Dividing the second part by the first part yields the user’s non-repudiation key x.
• If the user transfers a credential, then it also transfers a copy of its non-repudiation signing key.

Page 29

Conclusion

• Anonymity without the need for a trusted third party.
• This system is based on a new paradigm, self-blindable certificates.
• Certificates were constructed using the Weil pairing on supersingular elliptic curves.
• A robust system provides cryptographic protection against the forgery and transfer of credentials.