Upload
cloris
View
48
Download
1
Embed Size (px)
DESCRIPTION
Self-Blindable Credential Certificates from the Weil Pairing Eric R. Verheul. April 9, 2004 SCLab Jinhae Kim. Introduction I. What is pseudonym ? A unique identifier by which a user is known by a certain party. Same user, different pseudonym. - PowerPoint PPT Presentation
Citation preview
Self-Blindable Credential Certificates from the Weil Pairing
Eric R. Verheul
April 9, 2004SCLab Jinhae Kim
Introduction I
• What is pseudonym?– A unique identifier by which a user is known by a
certain party. Same user, different pseudonym.• A pseudonymous certificate binds a user’s
pseudonym to his public key.• A credential is a trust provider’s statement
about the user.– Example: “lives in MN”, “has a PhD in CS”– single-use/multiple-use
Introduction II• Credential pseudonymous certificates (CPCs)
– Digital certificates that bind credentials to users.• In Chaum’s1 model
– Pseudonyms are unlinkable.• parties that know a user by different pseudonyms must not have
the ability to combine their logs.
– CPCs must be translatable.• CPC A: “p1 is in good health.”• A is issued by Dr. Yongdae under p1.• Jinhae (owner of p1) presents A to insurance company under p2.
1. D. Chaum, Security Without Identification: Transaction Systems to Make Big Brother Obsolete, Communications of the ACM, 1985
Security Requirement
• Protection against pseudonym/credential forgery.
• Protection against pseudonym/credential sharing.– smartcard based passports– better solution: all-or-nothing– Problems?
• Revocation of pseudonymous certificates and credentials.
Building Blocks I
• Diffie-Hellman (DH) problem– generator g of a group G of (prime) order q.– DHg(gx, gy) = gxy
• Decision Diffie-Hellman (DDH) problem– given a, b, c G decide whether c = DHg(a, b) – An alternative formulation of DDH:
• given g, gx, h, hy in group G decide whether x = y.• hy = DHg(gx, h) (suppose h = ga, then gay = gax)
• Group in which the DDH problem is simple and DH, DL are hard.
Building Blocks II
• Elliptic Curve Cryptography1 (ECC)– EC can provide versions of PK methods – In some case, EC is faster and use smaller key.– Addition in EC is same as multiplication in Zp
*
Zp* Multiplication (ab = c (mod p)) Exponentiation (ab = c (mod p))
EC Addition (X + Y = Z) Multiplication (αX = Y)
ref) a, b, c Zp*
X, Y are points on an elliptic curve and α is constant.
1. David Jablon, Elliptic Curve Cryptography, http://world.std.com/dpj/elliptic.html
Building Block III
• DDH in ECC– <P> is a group of (prime) order q on the curve.– A, B, C is an instance of the DDH problem with
respect to P.– C = DHP(A, B) iff eq(A, D(B)) = eq(P, D(C))– D(.) is the distortion map, and eq(., .) is the Weil
pairing.• Bilinear Map
– B(gx, gy) = B(g, g)xy (= B(g, gxy)) (DDH is solved!)– In ECC: B(aP, bP) = ab B(P, P) (= B(P, abP))
The ‘Proofless’ Variant of the Chaum-Pedersen Scheme1
• A group, G, of prime order q, with generator g.– the DDH problem is simple, while the DL and the
DH problems are practically intractable.• the Chaum-Pedersen scheme
– The public key is y = gx, where 0 ≤ x < q.– A signature on a message m ∈ G
• z = mx (plus a proof that logg(y) = logm(z)).
• Can verify logg(y) = logm(z) iff z = DHg(m, y).
1. D. Chaum, T.P. Pedersen, Wallet Databases with Observers, Proceedings ofCrypto’92
The variant of C-P scheme II
• Signature z = mx is self-blindable.– Without knowing of the signing key x, one can
make another signature zk = (mk)x.• Easy blinding property.
– Message (typically a hash), M– public key of signing party gx – Ask to sign Mr, for 0 ≤ r < q, resulting in Mrx.
Self-blindable Certificates
• Terminology for Self-blindable certificates– U : collection of all possible public keys.– T : collection of all verification public keys of TP.– C : collection of all possible certificates.– Credential on a user public key PU U∈
• {PU, Sig(PU, ST)}, ST is private signing key of TP.• Accompanied by a higher-level certificate
– Cert(PU, “Trust statement”)
• Standard X.509 certificate with the “Trust statement” in one of its extension field.
Self-blindable Certificates II• The certificates are called self-blindable, if:
– There exists a set transformation factor space F.– An efficiently computable transformation map
• D: C ×F → CProperties1. For any certificate C ∈ C and f ∈ F the certificate D(C, f) is signed with the same trust provider public key as C.2. Let C1, C2 be certificates and f ∈ F known. If C2 = D(C1, f) then one can efficiently compute a transformation factor f΄ ∈ F such that C1 = D(C2, f΄).3. If C1, C2 ∈ C are two different certificates on the same user public key, then so are D(C1, f) and D(C2, f).4. Let PU is user public key, f ∈ F is known. Then, a user possesses the private key of PU iff it possesses the private key of D(PU, f).5. If the user’s public key PU ∈ U is fixed and if f ∈ F is a uniformly random element in F, then D(PU, f) is a uniformly random element in U.
CPC System
• pseudonymous credential– {PU, [Sig(PU, SN), Cert(PN, “PP statement”)]}
• PU : the public key of the user.
• Sig(PU, SN) : a signature of the pseudonym provider (PP).
• Cert(PN, “PP statement”) : a (conventional) certificate on the public verification key of the PP.
– With a statement on its applicability included among the usual fields (e.g., expiration date).
– The pseudonym of a user is in fact the user’s public key in its certificate.
CPC System II
• Generation of a new Pseudonymous certificate.– By choosing a (random) factor and transforming an
initially issued pseudonymous certificate.– Credential Pseudonymous Certificate
• Based on Pseudonymous Credential• {PU, [Sig(PU, SN), Cert(PN, “PP statement”)],
[Sig(PU, SC), Cert(PC, “CP statement”)]+}.• 2nd line: credential field.
– Sig(PU, SC) : A signature of the credential provider (CP).– In CP statement: a statement on its credential applicability
(e.g., “is over 18 years old”).
Overview of System Description
High-level System Description
• Initial Registration.– The user registers, typically in a non-anonymous
fashion, with a pseudonym provider. – After registration a First Pseudonymous Certificate
(FPC) is issued. – The pseudonym provider puts the FPC in a
public directory. – When unique pseudonyms are required, the
provider has the option to maintain a private list of physical persons that were issued a pseudonymous certificate.
System Description II• Credential Issuance.
– Transforms its FPC into a random pseudonymous certificates (RPC) by using a random transformation factor.
– Registers with a CP using this RPC which includes a proof of possession of the private key.
– This registration need not be anonymous. The user does what is required to obtain a credential (e.g., takes a driver’s exam, shows other credentials).
– Up-on succeeding, the user is issued a credential on the RPC, that is the CPC.
– The pseudonym provider has the option to put the CPC in a public directory.
System Description III
• Credential Use. – The user registers (typically anonymously) with a service
provider using a new RPC.• If I can make an RPC with my FPC, how about others?
– The user combines all of the CPCs relating to credentials required by the SP into one CPC under the registered pseudonym.
• The second invert transformation property on the transformation factors related with the individual, original CPCs.
• A CPC is first translated to the First Pseudonym and then translated to the registered pseudonym.
• This certificate is presented to the SP, together with a proof of possession of the private key referenced in this CPC.
System Description IV
• Credential Use II– Double spend checking
• SP has the option to require that the user contact a specific trust provider (unicity provider).
• The user sends this trust provider the transformation factor(s), transforming the new RPC to the FPC.
• The trust provider validates that these factor(s) transform the RPC into a FPC on the PP’s directory, and that this FPC was not registered before. - problems?
• Note 1: PP directory does not specify user identities, only FPCs, • Note 2: the specific trust provider need not be the user’s
pseudonym provider.
System Description V
• TP can link two different pseudonyms of a user.– During registration, PP and the user (U)
exchange a secret, S. – If a trust provider (T) wants to provide assurance
on unique pseudonyms, then PP is provided a list consisting of transformed FPCs, in such a way that:
• U’s FPC is transformed using a transformation factor f:– f = H (T, S) (H: secure hash function)
• the order of the FPCs is randomly permuted.
Revocation of Certificate Bases
• 1st Method: Pro-active– Let the trust providers employ signing keys with
a short expiration time (e.g., a week). – If a pseudonymous certificate/credential has not
been revoked, then the trust provider automatically updates the certificates/credentials in its directory with newly signed ones.
– A user can collect the updated pseudonymous certificates/credentials, preferably via an anonymous channel.
Revocation II• 2nd Method: using the flexible secret sharing
technique– To trust provider, send along specific transformation
factors with a (credential) pseudonymous certificate.– TP can retrieve the original issued (credential)
pseudonymous certificates and find out if they have been revoked.
– The trust provider then provides a statement on the status of the (credential) pseudonymous certificate to the service provider.
– The service provider still needs to verify that the user is in possession of the private key referenced in the used randomized CPC.
A Simple Construction for CPCs• G = <g> be a group of prime order q• The set T of all trust provider’s public keys takes
the form j, js (0 ≤ s < q; private key).• U consists of elements of the form gx. (0 < x < q;
user’s private keys).• A certificate issued by a trust provider with public
key h, hz on a user public key gx :– {gx, gxz}.
• The transformation D: C ×F → C– ({X, Y }, f) → {Xf , Yf}
• the certificate {gx, gxz} is transformed to the certificate {gxf, gxfz} under factor f.
A Simple Construction II
1. The user registers, typically in a non-anonymous fashion, with a pseudonym provider.
2. The PP generates a random 0 < x < q– forms the user public key gx and the certificate {gx, gxz}. – All information is put on a tamper resistant signing
device.– Private key information of (transformed) certificates can
be used but not retrieved.
3. The secure signing device is handed over to the user in a secure fashion.
A more robust construction
• G = <g> be a group of prime order q• There exists embedding E(.) from G into a group G΄
where all three problems are practically intractable.• The set T of all trust provider’s public keys takes the
form j, js (0 ≤ s < q; private key).• PP publishes a certified pair (r , s) = (r , rf )
– r , s G∈ , 0 < f < q unknown by all parties.
• U consists of elements of the form g1, g2, g1x1 , g2
x2. – 0 < x1, x2 < q,
– g1 is random generator and logg1(g2) = f
A more robust construction II
• The certificate with public key h, hz on a user’s public key g1, g2, g1
x1g2x2 :
– {g1, g2, g1x1g2
x2, (g1x1g2
x2)z}.
• The transformation D: C ×F → C– ({X, Y, W, Z }, (k, l)) → {Xl, Yl , Wkl, Zkl}
• the certificate {g1, g2, g1x1g2
x2, (g1x1g2
x2)z} is transformed to the certificate {g1
l, g2l, g1
x1klg2x2kl,
(g1x1klg2
x2kl)z} under factor (k, l).
A more robust construction III1. The user registers, typically in a non-anonymous fashion, with a PP.2. PP generates a random pair (g1, g2)
– g2 = g1f (random power of the elements r , s).
– The pair (g1, g2) is sent to the user or a smart card issuer.3. The user generates a random private key 0 ≤ x < q and forms g2
x . – Sends g2
x and proves possession of the private key x 4. PP forms the public key g1, g2, g1g2
x – Places a Chaum-Pedersen signature on it, i.e., (g1g2
x)z. – Employs the embedding E : G → G΄ – Determines the elements E(g2), E(g2
x) of the group G΄.– Determines a random power r of these elements, i.e., E(g2)r, E(g2
x)r.– Forms a conventional non-repudiation certificate on (E(g2)r, E(g2
x)r). – The first pseudonymous certificate and the non-repudiation certificate are
issued to the user. Both are also stored in separate directories.
A more robust construction IV
• The characteristic of embedding E(.)– Homomorphism: The signing key of E(g2
x )r is x.
– One-way function: Hard to get g2r, g2
xr from E(g2)r, E(g2
x)r.
• It would be impossible to relate E(g2), E(g2x)
(deducible from FPC) to E(g2)r, E(g2x)r
(deducible from the non-repudiation certificate). (DDH is hard in G΄)
Protection against Pseudonym/credential forgery
• Based on an all-or-nothing concept.• The private key in a transformed credential
takes the form (k, k · x mod q) for some 0 < k < q.
• Dividing the second part by the first part yields the user’s non-repudiation key x.
• If the user transfers a credential, then it also transfers a copy of its non-repudiation signing key.
Conclusion
• Anonymity without the need for a trusted third party.
• This system is based on a new paradigm, self-blindable certificates
• Certificates were constructed using the Weil pairing in supersingular elliptic curves
• A robust system provides cryptographic protection against the forgery and transfer of credentials