IBM Research, Zurich 11/12/2009 | ACM CCS 2009
IBM Research, Zurich
11/12/2009 | ACM CCS 2009 | © 2009 IBM Corporation
Anonymous Credentials on a Standard Java Card
Thomas Gross
joint work with Patrik Bichsel, Jan Camenisch, Victor Shoup
supported by IBM's BlueZ Group for Strong Authentication
Overview
Introduction
Camenisch-Lysyanskaya Signatures
Problem Statement
Key Ideas
Results
Example: Age Proof with Strong Privacy
Policy: Have an EID card AND be older than 18
Proof: "I've an EID card AND I'm older than 18"
Identity Mixer Certificate: Address, DoB = 19801201, Nr = 123456, …
[Diagram labels: Authorities, Citizen, Service; "offline"]
Java Card Limitations
8-bit CPU (3.57 MHz)
Limited access to public-key CP (only standard RSA, DSA)
Limited RAM (2K)
JCOP 41 v2.2
Basis: Camenisch-Lysyanskaya Signatures
Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
Secret key: factors of $n$
Signature of $L$ attributes $m_1, \ldots, m_L \in \{0,1\}^\ell$: $(c, e, s)$
For random prime $e > 2^\ell$ and integer $s \approx n$, compute $c$ such that
$d = a_1^{m_1} \cdots a_L^{m_L} b^s c^e \bmod n$
[Camenisch & Lysyanskaya '01]
Theorem: Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
[SRSA: Barić & Pfitzmann '97 and Fujisaki & Okamoto '97]
Abstractly requires computation of
$A_1^{x_1} \cdots A_i^{x_i} \cdots A_L^{x_L} \bmod n$
where the $x_i$ correspond to attributes in the certificates and potentially $|x_i| > |n|$
Problem Statement
Run anonymous credential system autonomously and securely on a standard off-the-shelf Java Card
Efficiency
Proof in seconds
Small keys
Joint computation
Wait minutes
[Balasch '02, Bichsel '07, Danes '07]
[Independent result: Sterckx, Gierlichs, Preneel, Verbauwhede '09]
Java Card Structure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU | 3DES CP | Public Key CP
IDMX Applet
Interface | Basic Ops
Source: Prof. Wolfgang Reif – chip cards
Transient RSA
RSA Enc
modExp(): adapt RSA key, RSAEnc()
(Ab-)Using Standard RSA Interface
Recall RSA encryption: $m^e \bmod n$ (limited size of $e$)
ModExp() with big exponents: split exponents
$A_1^{x_1} A_2^{x_2} = A_1^{x_{11} + x_{12} 2^k} A_2^{x_{21} + x_{22} 2^k} \bmod n$
$= A_1^{x_{11}} (A_1^{2^k})^{x_{12}} A_2^{x_{21}} (A_2^{2^k})^{x_{22}} \bmod n$
$= A_1^{x_{11}} {A'_1}^{x_{12}} A_2^{x_{21}} {A'_2}^{x_{22}} \bmod n$
ModMultiply(): RSA interface can only do exponentiation. Reduce multiply to modExp() by binomial formula:
$A \cdot B = ((A+B)^2 - A^2 - B^2)/2 \bmod n$
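
The two reductions on this slide, as an added example (not code from the presentation or the IDMX applet): a simulated coprocessor that offers only m^e mod n with a bounded e, with modMultiply() and modExp() for big exponents built on top of it. It generalises the slide's two-part exponent split to any number of parts; the class RsaEncOnly, the 17-bit exponent limit and the toy modulus are assumptions made for the illustration.

```python
"""Added example: modExp with big exponents and modMultiply built only from an
RSA-encrypt-style primitive. All names and values here are constructed."""


class RsaEncOnly:
    """Hypothetical stand-in for the card's public-key coprocessor.

    The only operation is m^e mod n, and e is limited in size, mirroring
    "Recall RSA encryption: m^e mod n (limited size of e)".
    """

    def __init__(self, n, max_exp_bits):
        if n % 2 == 0 or max_exp_bits < 2:
            raise ValueError("need an odd modulus and room for exponent 2")
        self.n = n
        self.max_exp_bits = max_exp_bits
        self.calls = 0  # number of coprocessor invocations

    def rsa_enc(self, m, e):
        if not 0 <= m < self.n:
            raise ValueError("message must be reduced mod n")
        if e < 1 or e.bit_length() > self.max_exp_bits:
            raise ValueError("exponent not accepted by the interface")
        self.calls += 1
        return pow(m, e, self.n)


def mod_multiply(cp, a, b):
    """A*B = ((A+B)^2 - A^2 - B^2)/2 mod n, using three squarings."""
    n = cp.n
    t = (cp.rsa_enc((a + b) % n, 2) - cp.rsa_enc(a, 2) - cp.rsa_enc(b, 2)) % n
    # t == 2ab mod n. n is odd, so make t even (add n) and then halve it.
    if t & 1:
        t += n
    return t >> 1


def mod_exp_big(cp, base, x):
    """base^x mod n for an exponent x >= 0 of any length.

    x is cut into k-bit parts, x = sum_j x_j * 2^(j*k). With B_0 = base and
    B_(j+1) = B_j^(2^k), the result is the product of B_j^(x_j). The slide
    shows the two-part case x = x_11 + x_12 * 2^k with A' = A^(2^k).
    """
    k = cp.max_exp_bits - 1      # the exponent 2^k itself needs k+1 bits
    mask = (1 << k) - 1
    result = 1
    b_j = base % cp.n
    while x > 0:
        part = x & mask
        x >>= k
        # Exponent 0 is not a usable RSA exponent, so a zero part is skipped.
        # This branch is data-dependent; the sketch ignores side channels.
        if part:
            result = mod_multiply(cp, result, cp.rsa_enc(b_j, part))
        if x:
            b_j = cp.rsa_enc(b_j, 1 << k)   # B_(j+1) = B_j^(2^k)
    return result


def multi_exp(cp, bases, exps):
    """A_1^x_1 * ... * A_L^x_L mod n, the operation the credential needs."""
    acc = 1
    for a, x in zip(bases, exps):
        acc = mod_multiply(cp, acc, mod_exp_big(cp, a, x))
    return acc


# Constructed toy modulus (product of two small primes, 40 bits).
N_TOY = 1000003 * 999983


def demo():
    """Compare against Python's own pow(); exponents are longer than |n|."""
    cp = RsaEncOnly(N_TOY, max_exp_bits=17)
    bases = [123456789, 987654321, 42]
    exps = [(1 << 90) + 12345, 3 << 16, 0]
    got = multi_exp(cp, bases, exps)
    want = 1
    for a, x in zip(bases, exps):
        want = want * pow(a, x, N_TOY) % N_TOY
    return got, want, cp.calls


if __name__ == "__main__":
    got, want, calls = demo()
    print("match:", got == want, "coprocessor calls:", calls)
```
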
Results
Anonymous credential system on standard Java Card
• JCOP 41 v2.2
• Future: Java Card 3.0 standard
Attributes: Focus on proof of possession
• rely on hardware tamper resistance for statement and
• detect/revoke broken cards
Autonomous: secure in face of untrusted terminal
Efficient: 10 sec (at 1536 bits); 7.5 sec pre-computation, 2.5 sec on-line
BACKUP
Detailed Performance Analysis
Modulus: 1536 bit; amortized estimates over 1000 ops; upper bound on parameter length; percent rounded down
Function         Time        Ops      Percent
Multiplication   4'653 ms    9 Ops    39
Addition         2988 ms     36 Ops   25
ModSquare        243 ms      27 Ops   2
ModExp           4'308 ms    10 Ops   36
SRNG             1'088 ms    16 Ops   9
TRNG             815 ms      1 Op     6
Addition         581 ms      7 Ops    4
Digest           220 ms      10 Ops   1
Total            11'665 ms
Recall: The Strong RSA Assumption
Flexible RSA Problem: Given RSA modulus $n$ and $z \in QR_n$, find integers $e$ and $u$ such that
$u^e = z \bmod n$
(Recall: $QR_n = \{x \mid \exists y \text{ s.t. } y^2 = x \bmod n\}$)
Introduced by Barić & Pfitzmann '97 and Fujisaki & Okamoto '97
Hard in generic algorithm model [Damgård & Koprowski '01]
Signature Scheme based on the SRSA I
Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
Secret key: factors of $n$
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^\ell$:
choose random prime $e > 2^\ell$ and integer $s \approx n$
compute $c$ such that
$d = a_1^{m_1} \cdots a_k^{m_k} b^s c^e \bmod n$
signature is $(c, e, s)$
[Camenisch & Lysyanskaya '02]
Signature Scheme based on the SRSA II
A signature $(c, e, s)$ on messages $m_1, \ldots, m_k$ is valid iff:
$m_1, \ldots, m_k \in \{0,1\}^\ell$
$e > 2^\ell$
$d = a_1^{m_1} \cdots a_k^{m_k} b^s c^e \bmod n$
Theorem: Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
Proof of Knowledge of a Signature
Observe:
Let $c' = c\, b^{s'} \bmod n$ with random $s'$
then $d = c'^e a_1^{m_1} \cdots a_k^{m_k} b^{s^*} \pmod n$ with $s^* = s - e s'$
i.e., $(c', e, s^*)$ is also a valid signature
Therefore, to prove knowledge of signature on some $m$, provide $c'$ and
$PK\{(e, m_1, \ldots, m_k, s^*) : d = c'^e a_1^{m_1} \cdots a_k^{m_k} b^{s^*} \wedge m_i \in \{0,1\}^\ell \wedge e \in 2^{\ell+1} \pm \{0,1\}^\ell\}$
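
Signing, the validity check and the re-randomisation observation above, as an added example that is not part of the presentation. The key, the bases, ℓ = 8 and all function names are constructed toy values for illustration; the zero-knowledge proof PK itself is not implemented here.

```python
"""Added example: toy Camenisch-Lysyanskaya signature and the re-randomisation
step c' = c * b^s', s* = s - e*s'. Parameters are far too small for real use."""
from math import gcd

# Constructed toy key: p = 2*509 + 1, q = 2*593 + 1, n = p*q.
P, Q = 1019, 1187
N = P * Q
PHI = (P - 1) * (Q - 1)   # needs the factors of n, so only the signer has it
ELL = 8                   # attribute length in bits (the slides' l)

# Public bases a_1..a_3, b, d: squares mod n, hence quadratic residues.
A = [pow(g, 2, N) for g in (2, 3, 5)]
B = pow(7, 2, N)
D = pow(11, 2, N)


def attr_product(ms, s):
    """a_1^m_1 * ... * a_k^m_k * b^s mod n (s may be negative)."""
    acc = pow(B, s, N)
    for a, m in zip(A, ms):
        acc = acc * pow(a, m, N) % N
    return acc


def sign(ms, e, s):
    """Signer: find c with d = a_1^m_1 ... a_k^m_k * b^s * c^e mod n."""
    if e <= (1 << ELL) or gcd(e, PHI) != 1:
        raise ValueError("e must exceed 2^l and be invertible mod phi(n)")
    target = D * pow(attr_product(ms, s), -1, N) % N
    # Taking an e-th root requires 1/e mod phi(n), i.e. the secret key.
    c = pow(target, pow(e, -1, PHI), N)
    return c, e, s


def verify(ms, sig):
    """Validity conditions from the slide 'Signature Scheme ... II'."""
    c, e, s = sig
    if any(not 0 <= m < (1 << ELL) for m in ms):
        return False
    if e <= (1 << ELL):
        return False
    return D == attr_product(ms, s) * pow(c, e, N) % N


def randomize(sig, s_prime):
    """Holder: c' = c * b^s' mod n and s* = s - e*s'.

    c'^e * b^s* = c^e * b^(e*s') * b^(s - e*s') = c^e * b^s, so the new triple
    verifies for the same attributes while c' differs from c.
    """
    c, e, s = sig
    return c * pow(B, s_prime, N) % N, e, s - e * s_prime


if __name__ == "__main__":
    attrs = [18, 200, 7]                 # constructed attribute values
    sig = sign(attrs, e=257, s=1000003)  # 257 is prime and > 2^8
    shown = randomize(sig, 424242)
    print("original valid:  ", verify(attrs, sig))
    print("randomized valid:", verify(attrs, shown))
    print("c changed:       ", shown[0] != sig[0])
```
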
Proof of Knowledge of a Signature
Using second Commitment
assume second group n ai b n
2nd commitment C = a1
sk b s
To prove knowledge of signature on some m provide c
PK(e m1 mk ss )
C = a1
m1b s d = clsquo e a1
m1 ak
mk b s
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation2
Overview
Introduction
Camenisch-Lysyanskaya Signatures
Problem Statement
Key Ideas
Results
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Policy Have an EID card ANDBe older than 18
3
Example Age Proof with Strong Privacy
Authorities
Proof ldquoIrsquove an EID card ANDIrsquom older than 18rdquo
Citizen
Identity Mixer CertificateAddressDoB = 19801201Nr = 123456hellip offline
Service
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation4
Java CardLimitations
8-bit CPU (357 MHz)
Limited access to public key-CP (only standard RSA DSA)
Limited RAM (2K)
JCOP 41v22
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
Signature of L attributes m1 mL Є 01ℓ (ces)
For random prime e gt 2ℓ and integer s asymp n compute c such that
d = a1
m1 aL
mL bs ce mod n
[Camenisch amp Lysyanskaya rsquo01]
Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
Basis Camenisch-Lysyanskaya Signatures
[SRSA Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
Signature of L attributes m1 mL Є 01ℓ (ces)
For random prime e gt 2ℓ and integer s asymp n compute c such that
d = a1
m1 aL
mL bs ce mod n
[Camenisch amp Lysyanskaya rsquo01]
Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
Basis Camenisch-Lysyanskaya Signatures
[SRSA Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature of L attributes m1 mL Є 01ℓ (ces)
For random prime e gt 2ℓ and integer s asymp n compute c such that
d = a1
m1 aL
mL bs ce mod n
[Camenisch amp Lysyanskaya rsquo01]
Basis Camenisch-Lysyanskaya Signatures
Abstractly requires computation of
A1
x1 Ai
xi AL
xL mod n
where xi correspond to attributes in the certificatesand potentially |xi| gt |n|
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
[Independent result Sterckx Gierlichs Preneel Verbauwhede lsquo09]
8
Problem Statement
Run anonymous credential system autonomously and securely on a standard off-the-shelf Java Card
Efficiency
Proof in seconds
Small keys
Joint computatio
nWait
minutes
[Balasch rsquo02 Bichsel rsquo07 Danes lsquo07]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation9
Java CardStructure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU 3DES CP Public Key CP
IDMX Applet
interfaceBasic Ops
Source Prof Wolfgang Reif ndash chip cards
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation10
Java CardStructure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU 3DES CP Public Key CP
IDMX Applet
interfaceBasic Ops
Source Prof Wolfgang Reif ndash chip cards
Transient RSA
RSA Enc
modExp() Adapt RSA keyRSAEnc()
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation11
(Ab-)Using Standard RSA Interface
Recall RSA Encryption me mod n (Limited size of e)
ModExp() with Big Exponents Split exponents
A1
x1 A2
x2 = A1
x11 + x122k A2
x21 + x222k mod n
= A1
x11(A1
2k) x12 A2
x21(A2
2k)x22 mod n
= A1
x11 Arsquo1 x12 A
2
x21Arsquo2 x22 mod n
ModMultiply() RSA interface can only do exponentiation Reduce multiply to modExp() by binomial formula
A B = ((A+B)2 - A2 - B2)2 mod n
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Results
Anonymous credential system on standard Java Card
bull JCOP 41v22
bull Future Java Card 30 standard
Attributes Focus on proof of possessionbull rely on hardware tamper resistance for statement and
bull detect revoke broken cards
Autonomous secure in face of untrusted terminal
Efficient 10 sec (at 1536 bits)75 sec pre-computation 25 sec on-line
13
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation14
BACKUP
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation15
Detailed Performance Analysis Modulus 1536 bitAmortized Estimates over 1000 Ops Upper Bound on Parameter Length Percent Rounded Down
Function Time Ops PercentMultiplication 4rsquo653 ms 9 Ops 39
Addition 2988 ms 36 Ops 25
ModSquare 243 ms 27 Ops 2
ModExp 4rsquo308 ms 10 Ops 36
SRNG 1rsquo088 ms 16 Ops 9
TRNG 815 ms 1 Op 6
Addition 581 ms 7 Ops 4
Digest 220 ms 10 Ops 1
Total 11rsquo665 ms
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Recall The Strong RSA Assumption
Flexible RSA Problem Given RSA modulus n and z Є QRn find
integers e and u such that
ue = z mod n
(Recall QRn = x exist y st y2 = x mod n )
Introduced by Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97
Hard in generic algorithm model [Damgaringrd amp Koprowski 01]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA I
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime e gt 2ℓ and integer s asymp n
compute c such that
d = a1
m1 ak
mk bs ce mod n
signature is (ces)
[Camenisch amp Lysyanskaya lsquo02]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA II
A signature (ces) on messages m1 mk is valid iff
m1 mk Є 01ℓ
e gt 2ℓ
d = a1
m1 ak
mk bs ce mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Observe
Let c = c bsmod n with random s
then d = clsquo e a1
m1 ak
mk bs (mod n) with s = s-esrsquo
ie (ce s) is a also a valid signature
Therefore to prove knowledge of signature on some m provide c
PK(e m1 mk s) d = ce a1
m1 ak
mk b
s
mi Є 01ℓ e Є 2ℓ+1 plusmn 01ℓ
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Using second Commitment
assume second group n ai b n
2nd commitment C = a1
sk b s
To prove knowledge of signature on some mprovide c
PK(e m1 mk ss )
C = a1
m1b s d = clsquo e a1
m1 ak
mk b s
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Policy Have an EID card ANDBe older than 18
3
Example Age Proof with Strong Privacy
Authorities
Proof ldquoIrsquove an EID card ANDIrsquom older than 18rdquo
Citizen
Identity Mixer CertificateAddressDoB = 19801201Nr = 123456hellip offline
Service
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation4
Java CardLimitations
8-bit CPU (357 MHz)
Limited access to public key-CP (only standard RSA DSA)
Limited RAM (2K)
JCOP 41v22
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
Signature of L attributes m1 mL Є 01ℓ (ces)
For random prime e gt 2ℓ and integer s asymp n compute c such that
d = a1
m1 aL
mL bs ce mod n
[Camenisch amp Lysyanskaya rsquo01]
Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
Basis Camenisch-Lysyanskaya Signatures
[SRSA Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
Signature of L attributes m1 mL Є 01ℓ (ces)
For random prime e gt 2ℓ and integer s asymp n compute c such that
d = a1
m1 aL
mL bs ce mod n
[Camenisch amp Lysyanskaya rsquo01]
Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
Basis Camenisch-Lysyanskaya Signatures
[SRSA Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature of L attributes m1 mL Є 01ℓ (ces)
For random prime e gt 2ℓ and integer s asymp n compute c such that
d = a1
m1 aL
mL bs ce mod n
[Camenisch amp Lysyanskaya rsquo01]
Basis Camenisch-Lysyanskaya Signatures
Abstractly requires computation of
A1
x1 Ai
xi AL
xL mod n
where xi correspond to attributes in the certificatesand potentially |xi| gt |n|
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
[Independent result Sterckx Gierlichs Preneel Verbauwhede lsquo09]
8
Problem Statement
Run anonymous credential system autonomously and securely on a standard off-the-shelf Java Card
Efficiency
Proof in seconds
Small keys
Joint computatio
nWait
minutes
[Balasch rsquo02 Bichsel rsquo07 Danes lsquo07]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation9
Java CardStructure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU 3DES CP Public Key CP
IDMX Applet
interfaceBasic Ops
Source Prof Wolfgang Reif ndash chip cards
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation10
Java CardStructure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU 3DES CP Public Key CP
IDMX Applet
interfaceBasic Ops
Source Prof Wolfgang Reif ndash chip cards
Transient RSA
RSA Enc
modExp() Adapt RSA keyRSAEnc()
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation11
(Ab-)Using Standard RSA Interface
Recall RSA Encryption me mod n (Limited size of e)
ModExp() with Big Exponents Split exponents
A1
x1 A2
x2 = A1
x11 + x122k A2
x21 + x222k mod n
= A1
x11(A1
2k) x12 A2
x21(A2
2k)x22 mod n
= A1
x11 Arsquo1 x12 A
2
x21Arsquo2 x22 mod n
ModMultiply() RSA interface can only do exponentiation Reduce multiply to modExp() by binomial formula
A B = ((A+B)2 - A2 - B2)2 mod n
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Results
Anonymous credential system on standard Java Card
bull JCOP 41v22
bull Future Java Card 30 standard
Attributes Focus on proof of possessionbull rely on hardware tamper resistance for statement and
bull detect revoke broken cards
Autonomous secure in face of untrusted terminal
Efficient 10 sec (at 1536 bits)75 sec pre-computation 25 sec on-line
13
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation14
BACKUP
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation15
Detailed Performance Analysis Modulus 1536 bitAmortized Estimates over 1000 Ops Upper Bound on Parameter Length Percent Rounded Down
Function Time Ops PercentMultiplication 4rsquo653 ms 9 Ops 39
Addition 2988 ms 36 Ops 25
ModSquare 243 ms 27 Ops 2
ModExp 4rsquo308 ms 10 Ops 36
SRNG 1rsquo088 ms 16 Ops 9
TRNG 815 ms 1 Op 6
Addition 581 ms 7 Ops 4
Digest 220 ms 10 Ops 1
Total 11rsquo665 ms
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Recall The Strong RSA Assumption
Flexible RSA Problem Given RSA modulus n and z Є QRn find
integers e and u such that
ue = z mod n
(Recall QRn = x exist y st y2 = x mod n )
Introduced by Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97
Hard in generic algorithm model [Damgaringrd amp Koprowski 01]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA I
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime e gt 2ℓ and integer s asymp n
compute c such that
d = a1
m1 ak
mk bs ce mod n
signature is (ces)
[Camenisch amp Lysyanskaya lsquo02]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA II
A signature (ces) on messages m1 mk is valid iff
m1 mk Є 01ℓ
e gt 2ℓ
d = a1
m1 ak
mk bs ce mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Observe
Let c = c bsmod n with random s
then d = clsquo e a1
m1 ak
mk bs (mod n) with s = s-esrsquo
ie (ce s) is a also a valid signature
Therefore to prove knowledge of signature on some m provide c
PK(e m1 mk s) d = ce a1
m1 ak
mk b
s
mi Є 01ℓ e Є 2ℓ+1 plusmn 01ℓ
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Using second Commitment
assume second group n ai b n
2nd commitment C = a1
sk b s
To prove knowledge of signature on some mprovide c
PK(e m1 mk ss )
C = a1
m1b s d = clsquo e a1
m1 ak
mk b s
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation4
Java CardLimitations
8-bit CPU (357 MHz)
Limited access to public key-CP (only standard RSA DSA)
Limited RAM (2K)
JCOP 41v22
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
Signature of L attributes m1 mL Є 01ℓ (ces)
For random prime e gt 2ℓ and integer s asymp n compute c such that
d = a1
m1 aL
mL bs ce mod n
[Camenisch amp Lysyanskaya rsquo01]
Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
Basis Camenisch-Lysyanskaya Signatures
[SRSA Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
Signature of L attributes m1 mL Є 01ℓ (ces)
For random prime e gt 2ℓ and integer s asymp n compute c such that
d = a1
m1 aL
mL bs ce mod n
[Camenisch amp Lysyanskaya rsquo01]
Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
Basis Camenisch-Lysyanskaya Signatures
[SRSA Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature of L attributes m1 mL Є 01ℓ (ces)
For random prime e gt 2ℓ and integer s asymp n compute c such that
d = a1
m1 aL
mL bs ce mod n
[Camenisch amp Lysyanskaya rsquo01]
Basis Camenisch-Lysyanskaya Signatures
Abstractly requires computation of
A1
x1 Ai
xi AL
xL mod n
where xi correspond to attributes in the certificatesand potentially |xi| gt |n|
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
[Independent result Sterckx Gierlichs Preneel Verbauwhede lsquo09]
8
Problem Statement
Run anonymous credential system autonomously and securely on a standard off-the-shelf Java Card
Efficiency
Proof in seconds
Small keys
Joint computatio
nWait
minutes
[Balasch rsquo02 Bichsel rsquo07 Danes lsquo07]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation9
Java CardStructure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU 3DES CP Public Key CP
IDMX Applet
interfaceBasic Ops
Source Prof Wolfgang Reif ndash chip cards
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation10
Java CardStructure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU 3DES CP Public Key CP
IDMX Applet
interfaceBasic Ops
Source Prof Wolfgang Reif ndash chip cards
Transient RSA
RSA Enc
modExp() Adapt RSA keyRSAEnc()
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation11
(Ab-)Using Standard RSA Interface
Recall RSA Encryption me mod n (Limited size of e)
ModExp() with Big Exponents Split exponents
A1
x1 A2
x2 = A1
x11 + x122k A2
x21 + x222k mod n
= A1
x11(A1
2k) x12 A2
x21(A2
2k)x22 mod n
= A1
x11 Arsquo1 x12 A
2
x21Arsquo2 x22 mod n
ModMultiply() RSA interface can only do exponentiation Reduce multiply to modExp() by binomial formula
A B = ((A+B)2 - A2 - B2)2 mod n
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Results
Anonymous credential system on standard Java Card
bull JCOP 41v22
bull Future Java Card 30 standard
Attributes Focus on proof of possessionbull rely on hardware tamper resistance for statement and
bull detect revoke broken cards
Autonomous secure in face of untrusted terminal
Efficient 10 sec (at 1536 bits)75 sec pre-computation 25 sec on-line
13
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation14
BACKUP
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation15
Detailed Performance Analysis Modulus 1536 bitAmortized Estimates over 1000 Ops Upper Bound on Parameter Length Percent Rounded Down
Function Time Ops PercentMultiplication 4rsquo653 ms 9 Ops 39
Addition 2988 ms 36 Ops 25
ModSquare 243 ms 27 Ops 2
ModExp 4rsquo308 ms 10 Ops 36
SRNG 1rsquo088 ms 16 Ops 9
TRNG 815 ms 1 Op 6
Addition 581 ms 7 Ops 4
Digest 220 ms 10 Ops 1
Total 11rsquo665 ms
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Recall The Strong RSA Assumption
Flexible RSA Problem Given RSA modulus n and z Є QRn find
integers e and u such that
ue = z mod n
(Recall QRn = x exist y st y2 = x mod n )
Introduced by Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97
Hard in generic algorithm model [Damgaringrd amp Koprowski 01]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA I
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime e gt 2ℓ and integer s asymp n
compute c such that
d = a1
m1 ak
mk bs ce mod n
signature is (ces)
[Camenisch amp Lysyanskaya lsquo02]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA II
A signature (ces) on messages m1 mk is valid iff
m1 mk Є 01ℓ
e gt 2ℓ
d = a1
m1 ak
mk bs ce mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Observe
Let c = c bsmod n with random s
then d = clsquo e a1
m1 ak
mk bs (mod n) with s = s-esrsquo
ie (ce s) is a also a valid signature
Therefore to prove knowledge of signature on some m provide c
PK(e m1 mk s) d = ce a1
m1 ak
mk b
s
mi Є 01ℓ e Є 2ℓ+1 plusmn 01ℓ
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Using second Commitment
assume second group n ai b n
2nd commitment C = a1
sk b s
To prove knowledge of signature on some mprovide c
PK(e m1 mk ss )
C = a1
m1b s d = clsquo e a1
m1 ak
mk b s
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
Signature of L attributes m1 mL Є 01ℓ (ces)
For random prime e gt 2ℓ and integer s asymp n compute c such that
d = a1
m1 aL
mL bs ce mod n
[Camenisch amp Lysyanskaya rsquo01]
Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
Basis Camenisch-Lysyanskaya Signatures
[SRSA Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
Signature of L attributes m1 mL Є 01ℓ (ces)
For random prime e gt 2ℓ and integer s asymp n compute c such that
d = a1
m1 aL
mL bs ce mod n
[Camenisch amp Lysyanskaya rsquo01]
Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
Basis Camenisch-Lysyanskaya Signatures
[SRSA Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature of L attributes m1 mL Є 01ℓ (ces)
For random prime e gt 2ℓ and integer s asymp n compute c such that
d = a1
m1 aL
mL bs ce mod n
[Camenisch amp Lysyanskaya rsquo01]
Basis Camenisch-Lysyanskaya Signatures
Abstractly requires computation of
A1
x1 Ai
xi AL
xL mod n
where xi correspond to attributes in the certificatesand potentially |xi| gt |n|
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
[Independent result Sterckx Gierlichs Preneel Verbauwhede lsquo09]
8
Problem Statement
Run anonymous credential system autonomously and securely on a standard off-the-shelf Java Card
Efficiency
Proof in seconds
Small keys
Joint computatio
nWait
minutes
[Balasch rsquo02 Bichsel rsquo07 Danes lsquo07]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation9
Java CardStructure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU 3DES CP Public Key CP
IDMX Applet
interfaceBasic Ops
Source Prof Wolfgang Reif ndash chip cards
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation10
Java CardStructure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU 3DES CP Public Key CP
IDMX Applet
interfaceBasic Ops
Source Prof Wolfgang Reif ndash chip cards
Transient RSA
RSA Enc
modExp() Adapt RSA keyRSAEnc()
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation11
(Ab-)Using Standard RSA Interface
Recall RSA Encryption me mod n (Limited size of e)
ModExp() with Big Exponents Split exponents
A1
x1 A2
x2 = A1
x11 + x122k A2
x21 + x222k mod n
= A1
x11(A1
2k) x12 A2
x21(A2
2k)x22 mod n
= A1
x11 Arsquo1 x12 A
2
x21Arsquo2 x22 mod n
ModMultiply() RSA interface can only do exponentiation Reduce multiply to modExp() by binomial formula
A B = ((A+B)2 - A2 - B2)2 mod n
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Results
Anonymous credential system on standard Java Card
bull JCOP 41v22
bull Future Java Card 30 standard
Attributes Focus on proof of possessionbull rely on hardware tamper resistance for statement and
bull detect revoke broken cards
Autonomous secure in face of untrusted terminal
Efficient 10 sec (at 1536 bits)75 sec pre-computation 25 sec on-line
13
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation14
BACKUP
Detailed Performance Analysis
Modulus: 1536 bit. Amortized estimates over 1000 ops. Upper bound on parameter length. Percent rounded down.

Function          Time         Ops      Percent
Multiplication     4’653 ms     9 Ops   39
  Addition         2’988 ms    36 Ops   25
  ModSquare          243 ms    27 Ops    2
ModExp             4’308 ms    10 Ops   36
SRNG               1’088 ms    16 Ops    9
TRNG                 815 ms     1 Op     6
Addition             581 ms     7 Ops    4
Digest               220 ms    10 Ops    1
Total             11’665 ms
Recall: The Strong RSA Assumption
Flexible RSA Problem: Given RSA modulus $n$ and $z \in QR_n$, find integers $e$ and $u$ such that
$u^e = z \bmod n$
(Recall: $QR_n = \{x \mid \exists y \text{ s.t. } y^2 = x \bmod n\}$)
Introduced by Barić & Pfitzmann ’97 and Fujisaki & Okamoto ’97
Hard in generic algorithm model [Damgård & Koprowski ’01]
Signature Scheme based on the SRSA I
Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$
Secret key: factors of $n$
To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^{\ell}$:
choose random prime $e > 2^{\ell}$ and integer $s \approx n$
compute $c$ such that
$d = a_1^{m_1} \cdots a_k^{m_k} b^{s} c^{e} \bmod n$
signature is $(c, e, s)$
[Camenisch & Lysyanskaya ’02]
Signature Scheme based on the SRSA II
A signature $(c, e, s)$ on messages $m_1, \ldots, m_k$ is valid iff:
$m_1, \ldots, m_k \in \{0,1\}^{\ell}$
$e > 2^{\ell}$
$d = a_1^{m_1} \cdots a_k^{m_k} b^{s} c^{e} \bmod n$
Theorem: Signature scheme is secure against adaptively chosen message attacks under SRSA assumption.
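Proof of Knowledge of a Signature
Observe:
Let $c' = c\, b^{s'} \bmod n$ with random $s'$,
then $d = {c'}^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s^*} \pmod n$ with $s^* = s - e s'$,
i.e., $(c', e, s^*)$ is also a valid signature.
Therefore, to prove knowledge of a signature on some $m$, provide $c'$
$PK\{(e, m_1, \ldots, m_k, s^*) : d = {c'}^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s^*} \wedge m_i \in \{0,1\}^{\ell} \wedge e \in 2^{\ell+1} \pm \{0,1\}^{\ell}\}$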
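The signing, validity check and re-randomization from the last three slides, as an added worked example in Python (not code from the presentation). The toy safe primes, the attribute length ℓ = 8 and all function names are constructed for illustration; it checks that the re-randomized triple (c·b^s' mod n, e, s − e·s') still satisfies the validity equation.

```python
import secrets
from math import gcd

ELL = 8                              # attribute length in bits (toy value)
P, Q = 1019, 1187                    # constructed toy safe primes, far too small for real use
N, PHI = P * Q, (P - 1) * (Q - 1)    # PHI plays the role of "factors of n"


def is_prime(x):
    return x > 1 and all(x % f for f in range(2, int(x ** 0.5) + 1))


def random_qr():
    """Random non-trivial element of QR_n: square a random unit."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        sq = pow(r, 2, N)
        if gcd(r, N) == 1 and sq != 1:
            return sq


def keygen(k):
    """Public key: a_1..a_k, b, d in QR_n."""
    return {"a": [random_qr() for _ in range(k)], "b": random_qr(), "d": random_qr()}


def commit(pk, msgs, s):
    """a_1^m_1 ... a_k^m_k b^s mod n; s may be negative after randomization."""
    acc = pow(pk["b"], s, N)
    for a, m in zip(pk["a"], msgs):
        acc = acc * pow(a, m, N) % N
    return acc


def sign(pk, msgs):
    """Signer side: taking the e-th root requires the secret key."""
    while True:
        e = 2 ** ELL + 1 + secrets.randbelow(2 ** ELL)   # candidate e > 2^ELL
        if is_prime(e) and gcd(e, PHI) == 1:
            break
    s = secrets.randbelow(N)                             # integer s of about the size of n
    # Solve d = a_1^m_1 ... a_k^m_k b^s c^e for c.
    target = pk["d"] * pow(commit(pk, msgs, s), -1, N) % N
    c = pow(target, pow(e, -1, PHI), N)
    return c, e, s


def verify(pk, msgs, sig):
    """The three validity conditions from 'Signature Scheme based on the SRSA II'."""
    c, e, s = sig
    return (all(0 <= m < 2 ** ELL for m in msgs)
            and e > 2 ** ELL
            and pk["d"] == commit(pk, msgs, s) * pow(c, e, N) % N)


def randomize(pk, sig):
    """c' = c * b^s' mod n with random s', and new exponent s - e*s'."""
    c, e, s = sig
    s_prime = secrets.randbelow(N)
    return c * pow(pk["b"], s_prime, N) % N, e, s - e * s_prime


if __name__ == "__main__":
    pk = keygen(3)
    attrs = [42, 7, 200]             # constructed sample attributes
    sig = sign(pk, attrs)
    print(verify(pk, attrs, sig), verify(pk, attrs, randomize(pk, sig)))
```

The exponent e is unchanged by randomization, which is why the slide reveals only c' and keeps e, the attributes and the new s inside the proof of knowledge.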
Proof of Knowledge of a Signature
Using second Commitment
assume second group n ai b n
2nd commitment: $C = a_1^{sk} b^{s}$
To prove knowledge of signature on some $m$, provide $c'$
$PK\{(e, m_1, \ldots, m_k, s^*, s) : C = a_1^{m_1} b^{s} \wedge d = {c'}^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s^*}\}$
Basis: Camenisch-Lysyanskaya Signatures
Signature of $L$ attributes $m_1, \ldots, m_L \in \{0,1\}^{\ell}$: $(c, e, s)$
For random prime $e > 2^{\ell}$ and integer $s \approx n$, compute $c$ such that
$d = a_1^{m_1} \cdots a_L^{m_L} b^{s} c^{e} \bmod n$
[Camenisch & Lysyanskaya ’01]
Abstractly requires computation of
$A_1^{x_1} \cdots A_i^{x_i} \cdots A_L^{x_L} \bmod n$
where $x_i$ correspond to attributes in the certificates and potentially $|x_i| > |n|$
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
[Independent result Sterckx Gierlichs Preneel Verbauwhede lsquo09]
8
Problem Statement
Run anonymous credential system autonomously and securely on a standard off-the-shelf Java Card
Efficiency
Proof in seconds
Small keys
Joint computatio
nWait
minutes
[Balasch rsquo02 Bichsel rsquo07 Danes lsquo07]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation9
Java CardStructure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU 3DES CP Public Key CP
IDMX Applet
interfaceBasic Ops
Source Prof Wolfgang Reif ndash chip cards
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation10
Java CardStructure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU 3DES CP Public Key CP
IDMX Applet
interfaceBasic Ops
Source Prof Wolfgang Reif ndash chip cards
Transient RSA
RSA Enc
modExp() Adapt RSA keyRSAEnc()
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation11
(Ab-)Using Standard RSA Interface
Recall RSA Encryption me mod n (Limited size of e)
ModExp() with Big Exponents Split exponents
A1
x1 A2
x2 = A1
x11 + x122k A2
x21 + x222k mod n
= A1
x11(A1
2k) x12 A2
x21(A2
2k)x22 mod n
= A1
x11 Arsquo1 x12 A
2
x21Arsquo2 x22 mod n
ModMultiply() RSA interface can only do exponentiation Reduce multiply to modExp() by binomial formula
A B = ((A+B)2 - A2 - B2)2 mod n
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Results
Anonymous credential system on standard Java Card
bull JCOP 41v22
bull Future Java Card 30 standard
Attributes Focus on proof of possessionbull rely on hardware tamper resistance for statement and
bull detect revoke broken cards
Autonomous secure in face of untrusted terminal
Efficient 10 sec (at 1536 bits)75 sec pre-computation 25 sec on-line
13
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation14
BACKUP
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation15
Detailed Performance Analysis Modulus 1536 bitAmortized Estimates over 1000 Ops Upper Bound on Parameter Length Percent Rounded Down
Function Time Ops PercentMultiplication 4rsquo653 ms 9 Ops 39
Addition 2988 ms 36 Ops 25
ModSquare 243 ms 27 Ops 2
ModExp 4rsquo308 ms 10 Ops 36
SRNG 1rsquo088 ms 16 Ops 9
TRNG 815 ms 1 Op 6
Addition 581 ms 7 Ops 4
Digest 220 ms 10 Ops 1
Total 11rsquo665 ms
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Recall The Strong RSA Assumption
Flexible RSA Problem Given RSA modulus n and z Є QRn find
integers e and u such that
ue = z mod n
(Recall QRn = x exist y st y2 = x mod n )
Introduced by Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97
Hard in generic algorithm model [Damgaringrd amp Koprowski 01]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA I
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime e gt 2ℓ and integer s asymp n
compute c such that
d = a1
m1 ak
mk bs ce mod n
signature is (ces)
[Camenisch amp Lysyanskaya lsquo02]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA II
A signature (ces) on messages m1 mk is valid iff
m1 mk Є 01ℓ
e gt 2ℓ
d = a1
m1 ak
mk bs ce mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Observe
Let c = c bsmod n with random s
then d = clsquo e a1
m1 ak
mk bs (mod n) with s = s-esrsquo
ie (ce s) is a also a valid signature
Therefore to prove knowledge of signature on some m provide c
PK(e m1 mk s) d = ce a1
m1 ak
mk b
s
mi Є 01ℓ e Є 2ℓ+1 plusmn 01ℓ
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Using second Commitment
assume second group n ai b n
2nd commitment C = a1
sk b s
To prove knowledge of signature on some mprovide c
PK(e m1 mk ss )
C = a1
m1b s d = clsquo e a1
m1 ak
mk b s
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature of L attributes m1 mL Є 01ℓ (ces)
For random prime e gt 2ℓ and integer s asymp n compute c such that
d = a1
m1 aL
mL bs ce mod n
[Camenisch amp Lysyanskaya rsquo01]
Basis Camenisch-Lysyanskaya Signatures
Abstractly requires computation of
A1
x1 Ai
xi AL
xL mod n
where xi correspond to attributes in the certificatesand potentially |xi| gt |n|
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
[Independent result Sterckx Gierlichs Preneel Verbauwhede lsquo09]
8
Problem Statement
Run anonymous credential system autonomously and securely on a standard off-the-shelf Java Card
Efficiency
Proof in seconds
Small keys
Joint computatio
nWait
minutes
[Balasch rsquo02 Bichsel rsquo07 Danes lsquo07]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation9
Java CardStructure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU 3DES CP Public Key CP
IDMX Applet
interfaceBasic Ops
Source Prof Wolfgang Reif ndash chip cards
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation10
Java CardStructure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU 3DES CP Public Key CP
IDMX Applet
interfaceBasic Ops
Source Prof Wolfgang Reif ndash chip cards
Transient RSA
RSA Enc
modExp() Adapt RSA keyRSAEnc()
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation11
(Ab-)Using Standard RSA Interface
Recall RSA Encryption me mod n (Limited size of e)
ModExp() with Big Exponents Split exponents
A1
x1 A2
x2 = A1
x11 + x122k A2
x21 + x222k mod n
= A1
x11(A1
2k) x12 A2
x21(A2
2k)x22 mod n
= A1
x11 Arsquo1 x12 A
2
x21Arsquo2 x22 mod n
ModMultiply() RSA interface can only do exponentiation Reduce multiply to modExp() by binomial formula
A B = ((A+B)2 - A2 - B2)2 mod n
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Results
Anonymous credential system on standard Java Card
bull JCOP 41v22
bull Future Java Card 30 standard
Attributes Focus on proof of possessionbull rely on hardware tamper resistance for statement and
bull detect revoke broken cards
Autonomous secure in face of untrusted terminal
Efficient 10 sec (at 1536 bits)75 sec pre-computation 25 sec on-line
13
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation14
BACKUP
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation15
Detailed Performance Analysis Modulus 1536 bitAmortized Estimates over 1000 Ops Upper Bound on Parameter Length Percent Rounded Down
Function Time Ops PercentMultiplication 4rsquo653 ms 9 Ops 39
Addition 2988 ms 36 Ops 25
ModSquare 243 ms 27 Ops 2
ModExp 4rsquo308 ms 10 Ops 36
SRNG 1rsquo088 ms 16 Ops 9
TRNG 815 ms 1 Op 6
Addition 581 ms 7 Ops 4
Digest 220 ms 10 Ops 1
Total 11rsquo665 ms
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Recall The Strong RSA Assumption
Flexible RSA Problem Given RSA modulus n and z Є QRn find
integers e and u such that
ue = z mod n
(Recall QRn = x exist y st y2 = x mod n )
Introduced by Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97
Hard in generic algorithm model [Damgaringrd amp Koprowski 01]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA I
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime e gt 2ℓ and integer s asymp n
compute c such that
d = a1
m1 ak
mk bs ce mod n
signature is (ces)
[Camenisch amp Lysyanskaya lsquo02]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA II
A signature (ces) on messages m1 mk is valid iff
m1 mk Є 01ℓ
e gt 2ℓ
d = a1
m1 ak
mk bs ce mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Observe
Let c = c bsmod n with random s
then d = clsquo e a1
m1 ak
mk bs (mod n) with s = s-esrsquo
ie (ce s) is a also a valid signature
Therefore to prove knowledge of signature on some m provide c
PK(e m1 mk s) d = ce a1
m1 ak
mk b
s
mi Є 01ℓ e Є 2ℓ+1 plusmn 01ℓ
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Using second Commitment
assume second group n ai b n
2nd commitment C = a1
sk b s
To prove knowledge of signature on some mprovide c
PK(e m1 mk ss )
C = a1
m1b s d = clsquo e a1
m1 ak
mk b s
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
[Independent result Sterckx Gierlichs Preneel Verbauwhede lsquo09]
8
Problem Statement
Run anonymous credential system autonomously and securely on a standard off-the-shelf Java Card
Efficiency
Proof in seconds
Small keys
Joint computatio
nWait
minutes
[Balasch rsquo02 Bichsel rsquo07 Danes lsquo07]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation9
Java CardStructure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU 3DES CP Public Key CP
IDMX Applet
interfaceBasic Ops
Source Prof Wolfgang Reif ndash chip cards
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation10
Java CardStructure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU 3DES CP Public Key CP
IDMX Applet
interfaceBasic Ops
Source Prof Wolfgang Reif ndash chip cards
Transient RSA
RSA Enc
modExp() Adapt RSA keyRSAEnc()
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation11
(Ab-)Using Standard RSA Interface
Recall RSA Encryption me mod n (Limited size of e)
ModExp() with Big Exponents Split exponents
A1
x1 A2
x2 = A1
x11 + x122k A2
x21 + x222k mod n
= A1
x11(A1
2k) x12 A2
x21(A2
2k)x22 mod n
= A1
x11 Arsquo1 x12 A
2
x21Arsquo2 x22 mod n
ModMultiply() RSA interface can only do exponentiation Reduce multiply to modExp() by binomial formula
A B = ((A+B)2 - A2 - B2)2 mod n
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Results
Anonymous credential system on standard Java Card
bull JCOP 41v22
bull Future Java Card 30 standard
Attributes Focus on proof of possessionbull rely on hardware tamper resistance for statement and
bull detect revoke broken cards
Autonomous secure in face of untrusted terminal
Efficient 10 sec (at 1536 bits)75 sec pre-computation 25 sec on-line
13
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation14
BACKUP
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation15
Detailed Performance Analysis Modulus 1536 bitAmortized Estimates over 1000 Ops Upper Bound on Parameter Length Percent Rounded Down
Function Time Ops PercentMultiplication 4rsquo653 ms 9 Ops 39
Addition 2988 ms 36 Ops 25
ModSquare 243 ms 27 Ops 2
ModExp 4rsquo308 ms 10 Ops 36
SRNG 1rsquo088 ms 16 Ops 9
TRNG 815 ms 1 Op 6
Addition 581 ms 7 Ops 4
Digest 220 ms 10 Ops 1
Total 11rsquo665 ms
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Recall The Strong RSA Assumption
Flexible RSA Problem Given RSA modulus n and z Є QRn find
integers e and u such that
ue = z mod n
(Recall QRn = x exist y st y2 = x mod n )
Introduced by Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97
Hard in generic algorithm model [Damgaringrd amp Koprowski 01]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA I
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime e gt 2ℓ and integer s asymp n
compute c such that
d = a1
m1 ak
mk bs ce mod n
signature is (ces)
[Camenisch amp Lysyanskaya lsquo02]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA II
A signature (ces) on messages m1 mk is valid iff
m1 mk Є 01ℓ
e gt 2ℓ
d = a1
m1 ak
mk bs ce mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Observe
Let c = c bsmod n with random s
then d = clsquo e a1
m1 ak
mk bs (mod n) with s = s-esrsquo
ie (ce s) is a also a valid signature
Therefore to prove knowledge of signature on some m provide c
PK(e m1 mk s) d = ce a1
m1 ak
mk b
s
mi Є 01ℓ e Є 2ℓ+1 plusmn 01ℓ
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Using second Commitment
assume second group n ai b n
2nd commitment C = a1
sk b s
To prove knowledge of signature on some mprovide c
PK(e m1 mk ss )
C = a1
m1b s d = clsquo e a1
m1 ak
mk b s
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation9
Java CardStructure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU 3DES CP Public Key CP
IDMX Applet
interfaceBasic Ops
Source Prof Wolfgang Reif ndash chip cards
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation10
Java CardStructure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU 3DES CP Public Key CP
IDMX Applet
interfaceBasic Ops
Source Prof Wolfgang Reif ndash chip cards
Transient RSA
RSA Enc
modExp() Adapt RSA keyRSAEnc()
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation11
(Ab-)Using Standard RSA Interface
Recall RSA Encryption me mod n (Limited size of e)
ModExp() with Big Exponents Split exponents
A1
x1 A2
x2 = A1
x11 + x122k A2
x21 + x222k mod n
= A1
x11(A1
2k) x12 A2
x21(A2
2k)x22 mod n
= A1
x11 Arsquo1 x12 A
2
x21Arsquo2 x22 mod n
ModMultiply() RSA interface can only do exponentiation Reduce multiply to modExp() by binomial formula
A B = ((A+B)2 - A2 - B2)2 mod n
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Results
Anonymous credential system on standard Java Card
bull JCOP 41v22
bull Future Java Card 30 standard
Attributes Focus on proof of possessionbull rely on hardware tamper resistance for statement and
bull detect revoke broken cards
Autonomous secure in face of untrusted terminal
Efficient 10 sec (at 1536 bits)75 sec pre-computation 25 sec on-line
13
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation14
BACKUP
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation15
Detailed Performance Analysis Modulus 1536 bitAmortized Estimates over 1000 Ops Upper Bound on Parameter Length Percent Rounded Down
Function Time Ops PercentMultiplication 4rsquo653 ms 9 Ops 39
Addition 2988 ms 36 Ops 25
ModSquare 243 ms 27 Ops 2
ModExp 4rsquo308 ms 10 Ops 36
SRNG 1rsquo088 ms 16 Ops 9
TRNG 815 ms 1 Op 6
Addition 581 ms 7 Ops 4
Digest 220 ms 10 Ops 1
Total 11rsquo665 ms
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Recall The Strong RSA Assumption
Flexible RSA Problem Given RSA modulus n and z Є QRn find
integers e and u such that
ue = z mod n
(Recall QRn = x exist y st y2 = x mod n )
Introduced by Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97
Hard in generic algorithm model [Damgaringrd amp Koprowski 01]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA I
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime e gt 2ℓ and integer s asymp n
compute c such that
d = a1
m1 ak
mk bs ce mod n
signature is (ces)
[Camenisch amp Lysyanskaya lsquo02]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA II
A signature (ces) on messages m1 mk is valid iff
m1 mk Є 01ℓ
e gt 2ℓ
d = a1
m1 ak
mk bs ce mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Observe
Let c = c bsmod n with random s
then d = clsquo e a1
m1 ak
mk bs (mod n) with s = s-esrsquo
ie (ce s) is a also a valid signature
Therefore to prove knowledge of signature on some m provide c
PK(e m1 mk s) d = ce a1
m1 ak
mk b
s
mi Є 01ℓ e Є 2ℓ+1 plusmn 01ℓ
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Using second Commitment
assume second group n ai b n
2nd commitment C = a1
sk b s
To prove knowledge of signature on some mprovide c
PK(e m1 mk ss )
C = a1
m1b s d = clsquo e a1
m1 ak
mk b s
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation10
Java CardStructure
Card-Specific Operating System
Card Manager
Java Card API
Java Card VM
8-bit CPU 3DES CP Public Key CP
IDMX Applet
interfaceBasic Ops
Source Prof Wolfgang Reif ndash chip cards
Transient RSA
RSA Enc
modExp() Adapt RSA keyRSAEnc()
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation11
(Ab-)Using Standard RSA Interface
Recall RSA Encryption me mod n (Limited size of e)
ModExp() with Big Exponents Split exponents
A1
x1 A2
x2 = A1
x11 + x122k A2
x21 + x222k mod n
= A1
x11(A1
2k) x12 A2
x21(A2
2k)x22 mod n
= A1
x11 Arsquo1 x12 A
2
x21Arsquo2 x22 mod n
ModMultiply() RSA interface can only do exponentiation Reduce multiply to modExp() by binomial formula
A B = ((A+B)2 - A2 - B2)2 mod n
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Results
Anonymous credential system on standard Java Card
bull JCOP 41v22
bull Future Java Card 30 standard
Attributes Focus on proof of possessionbull rely on hardware tamper resistance for statement and
bull detect revoke broken cards
Autonomous secure in face of untrusted terminal
Efficient 10 sec (at 1536 bits)75 sec pre-computation 25 sec on-line
13
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation14
BACKUP
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation15
Detailed Performance Analysis Modulus 1536 bitAmortized Estimates over 1000 Ops Upper Bound on Parameter Length Percent Rounded Down
Function Time Ops PercentMultiplication 4rsquo653 ms 9 Ops 39
Addition 2988 ms 36 Ops 25
ModSquare 243 ms 27 Ops 2
ModExp 4rsquo308 ms 10 Ops 36
SRNG 1rsquo088 ms 16 Ops 9
TRNG 815 ms 1 Op 6
Addition 581 ms 7 Ops 4
Digest 220 ms 10 Ops 1
Total 11rsquo665 ms
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Recall The Strong RSA Assumption
Flexible RSA Problem Given RSA modulus n and z Є QRn find
integers e and u such that
ue = z mod n
(Recall QRn = x exist y st y2 = x mod n )
Introduced by Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97
Hard in generic algorithm model [Damgaringrd amp Koprowski 01]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA I
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime e gt 2ℓ and integer s asymp n
compute c such that
d = a1
m1 ak
mk bs ce mod n
signature is (ces)
[Camenisch amp Lysyanskaya lsquo02]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA II
A signature (ces) on messages m1 mk is valid iff
m1 mk Є 01ℓ
e gt 2ℓ
d = a1
m1 ak
mk bs ce mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Observe
Let c = c bsmod n with random s
then d = clsquo e a1
m1 ak
mk bs (mod n) with s = s-esrsquo
ie (ce s) is a also a valid signature
Therefore to prove knowledge of signature on some m provide c
PK(e m1 mk s) d = ce a1
m1 ak
mk b
s
mi Є 01ℓ e Є 2ℓ+1 plusmn 01ℓ
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Using second Commitment
assume second group n ai b n
2nd commitment C = a1
sk b s
To prove knowledge of signature on some mprovide c
PK(e m1 mk ss )
C = a1
m1b s d = clsquo e a1
m1 ak
mk b s
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation11
(Ab-)Using Standard RSA Interface
Recall RSA Encryption me mod n (Limited size of e)
ModExp() with Big Exponents Split exponents
A1
x1 A2
x2 = A1
x11 + x122k A2
x21 + x222k mod n
= A1
x11(A1
2k) x12 A2
x21(A2
2k)x22 mod n
= A1
x11 Arsquo1 x12 A
2
x21Arsquo2 x22 mod n
ModMultiply() RSA interface can only do exponentiation Reduce multiply to modExp() by binomial formula
A B = ((A+B)2 - A2 - B2)2 mod n
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Results
Anonymous credential system on standard Java Card
bull JCOP 41v22
bull Future Java Card 30 standard
Attributes Focus on proof of possessionbull rely on hardware tamper resistance for statement and
bull detect revoke broken cards
Autonomous secure in face of untrusted terminal
Efficient 10 sec (at 1536 bits)75 sec pre-computation 25 sec on-line
13
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation14
BACKUP
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation15
Detailed Performance Analysis Modulus 1536 bitAmortized Estimates over 1000 Ops Upper Bound on Parameter Length Percent Rounded Down
Function Time Ops PercentMultiplication 4rsquo653 ms 9 Ops 39
Addition 2988 ms 36 Ops 25
ModSquare 243 ms 27 Ops 2
ModExp 4rsquo308 ms 10 Ops 36
SRNG 1rsquo088 ms 16 Ops 9
TRNG 815 ms 1 Op 6
Addition 581 ms 7 Ops 4
Digest 220 ms 10 Ops 1
Total 11rsquo665 ms
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Recall The Strong RSA Assumption
Flexible RSA Problem Given RSA modulus n and z Є QRn find
integers e and u such that
ue = z mod n
(Recall QRn = x exist y st y2 = x mod n )
Introduced by Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97
Hard in generic algorithm model [Damgaringrd amp Koprowski 01]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA I
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime e gt 2ℓ and integer s asymp n
compute c such that
d = a1
m1 ak
mk bs ce mod n
signature is (ces)
[Camenisch amp Lysyanskaya lsquo02]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA II
A signature (ces) on messages m1 mk is valid iff
m1 mk Є 01ℓ
e gt 2ℓ
d = a1
m1 ak
mk bs ce mod n
Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Observe
Let c = c bsmod n with random s
then d = clsquo e a1
m1 ak
mk bs (mod n) with s = s-esrsquo
ie (ce s) is a also a valid signature
Therefore to prove knowledge of signature on some m provide c
PK(e m1 mk s) d = ce a1
m1 ak
mk b
s
mi Є 01ℓ e Є 2ℓ+1 plusmn 01ℓ
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Proof of Knowledge of a Signature
Using second Commitment
assume second group n ai b n
2nd commitment C = a1
sk b s
To prove knowledge of signature on some mprovide c
PK(e m1 mk ss )
C = a1
m1b s d = clsquo e a1
m1 ak
mk b s
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Results
Anonymous credential system on standard Java Card
bull JCOP 41v22
bull Future Java Card 30 standard
Attributes Focus on proof of possessionbull rely on hardware tamper resistance for statement and
bull detect revoke broken cards
Autonomous secure in face of untrusted terminal
Efficient 10 sec (at 1536 bits)75 sec pre-computation 25 sec on-line
13
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation14
BACKUP
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation15
Detailed Performance Analysis Modulus 1536 bitAmortized Estimates over 1000 Ops Upper Bound on Parameter Length Percent Rounded Down
Function Time Ops PercentMultiplication 4rsquo653 ms 9 Ops 39
Addition 2988 ms 36 Ops 25
ModSquare 243 ms 27 Ops 2
ModExp 4rsquo308 ms 10 Ops 36
SRNG 1rsquo088 ms 16 Ops 9
TRNG 815 ms 1 Op 6
Addition 581 ms 7 Ops 4
Digest 220 ms 10 Ops 1
Total 11rsquo665 ms
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Recall The Strong RSA Assumption
Flexible RSA Problem Given RSA modulus n and z Є QRn find
integers e and u such that
ue = z mod n
(Recall QRn = x exist y st y2 = x mod n )
Introduced by Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97
Hard in generic algorithm model [Damgaringrd amp Koprowski 01]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA I
Public key of signer RSA modulus n and ai b d Є QRn
Secret key factors of n
To sign k messages m1 mk Є 01ℓ
choose random prime e gt 2ℓ and integer s asymp n
compute c such that
d = a1
m1 ak
mk bs ce mod n
signature is (ces)
[Camenisch amp Lysyanskaya lsquo02]
IBM Research Zurich
Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation
Signature Scheme based on the SRSA II
A signature $(c, e, s)$ on messages $m_1, \ldots, m_k$ is valid iff:
$m_1, \ldots, m_k \in \{0,1\}^{\ell}$
$e > 2^{\ell}$
$d = a_1^{m_1} \cdots a_k^{m_k} b^{s} c^{e} \bmod n$
Theorem: Signature scheme is secure against adaptively chosen message attacks under SRSA assumption.
Proof of Knowledge of a Signature
Observe:
Let $c' = c\, b^{s'} \bmod n$ with random $s'$;
then $d = c'^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s - e s'} \pmod n$,
i.e., $(c', e, s - e s')$ is also a valid signature.
Therefore, to prove knowledge of signature on some $m$, provide $c'$ and
$PK\{(e, m_1, \ldots, m_k, s) : d = c'^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \;\land\; m_i \in \{0,1\}^{\ell} \;\land\; e \in 2^{\ell+1} \pm \{0,1\}^{\ell}\}$
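The signing, verification and re-randomization steps from the three slides above, as an added Python example (not code from the presentation or from IBM's implementation). The toy safe primes, the 8-bit attribute length and all function names are constructed for illustration; negative exponents in `pow` need Python 3.8 or later.

```python
import math, secrets
from functools import reduce

ELL = 8                # toy attribute length l in bits (constructed)
P, Q = 1019, 1187      # toy safe primes 2*509+1 and 2*593+1 (constructed, far too small for real use)

def is_prime(x):
    return x > 1 and all(x % f for f in range(2, math.isqrt(x) + 1))

def random_qr(n):
    """Random element of QR_n other than 1."""
    while True:
        x = secrets.randbelow(n - 2) + 2
        g = pow(x, 2, n)
        if math.gcd(x, n) == 1 and g != 1:
            return g

def keygen(k):
    n = P * Q
    pk = {"n": n, "a": [random_qr(n) for _ in range(k)],
          "b": random_qr(n), "d": random_qr(n)}
    # Secret: order of QR_n, which only someone knowing the factors of n can compute.
    return pk, ((P - 1) // 2) * ((Q - 1) // 2)

def commit(pk, msgs, s):
    """a_1^m_1 ... a_k^m_k b^s mod n; s may be negative."""
    n = pk["n"]
    prod = reduce(lambda acc, am: acc * pow(am[0], am[1], n) % n, zip(pk["a"], msgs), 1)
    return prod * pow(pk["b"], s, n) % n

def sign(pk, order, msgs):
    n = pk["n"]
    while True:        # random prime e > 2^l that is invertible modulo |QR_n|
        e = secrets.randbelow(2 ** (ELL + 2)) + 2 ** ELL + 1
        if is_prime(e) and math.gcd(e, order) == 1:
            break
    s = secrets.randbelow(n) + 1                  # integer s of about the size of n
    x = pk["d"] * pow(commit(pk, msgs, s), -1, n) % n
    return pow(x, pow(e, -1, order), n), e, s     # c is the e-th root of x

def verify(pk, msgs, sig):
    c, e, s = sig
    in_range = all(0 <= m < 2 ** ELL for m in msgs)
    return in_range and e > 2 ** ELL and pk["d"] == pow(c, e, pk["n"]) * commit(pk, msgs, s) % pk["n"]

def randomize(pk, sig, s_prime=None):
    """(c, e, s) -> (c * b^s', e, s - e*s'): still valid on the same messages."""
    c, e, s = sig
    if s_prime is None:
        s_prime = secrets.randbelow(pk["n"]) + 1
    return c * pow(pk["b"], s_prime, pk["n"]) % pk["n"], e, s - e * s_prime
```

Only `sign` uses the secret group order; `randomize` and `verify` work from the public key alone, which is why the card can blind `c` before each showing.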
Proof of Knowledge of a Signature
Using second Commitment
assume second group $n, a_i, b, n$
2nd commitment $C = a_1^{sk} b^{s}$
To prove knowledge of signature on some $m$, provide $c'$ and
$PK\{(e, m_1, \ldots, m_k, s, s) : C = a_1^{m_1} b^{s} \;\land\; d = c'^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s}\}$