Master’s Thesis / Internship Luuk Danes
University of Groningen - Mathematics department
TNO ICT Security group
Master’s Thesis / Internship Luuk Danes
Smart card integration in the pseudonym system idemix
Introduction
• Master’s Thesis for Mathematics
• Internship at TNO ICT
• Presentation for the TNO ICT Security Group (May 2007):
  • The properties of idemix
  • Aspects on privacy and identity theft
  • Ideas for implementation
• This presentation:
  • Less about the properties of idemix
  • More about protocols and mathematics
  • Integration of a smart card in idemix
Overview
• Context
• idemix
• Use case
• Smart card integration
• Building blocks of idemix
• Zero-knowledge proofs
• Complications on smart card integration
• Solutions for smart card integration
Context / pseudonymity
• A new approach: Do not ask for an identity, ask for what you need.
• Using pseudonyms: It does not matter which identity someone has, but which credentials he owns.
• If an organisation does not have your identity information, it cannot leak or link it.
• Unlinkability
idemix
• IdeMix: identity mixer
• A pseudonym system, developed by IBM
• It consists of mathematical protocols
• Pseudonyms
  • A user communicates under pseudonyms with organisations
  • A pseudonym is bound to an identity
• Credentials
  • Organisations sign combinations of a pseudonym and a statement concerning the user
Use case: Car Rental
Rent-a-car
Use case: Car Rental
My name is Alex
Authorisation
Name, Date of Birth, Place of Birth, Address, Social Security Number
Use case: Car Rental using
Authorisation
I am Alex
Alex owns a driver’s license
I am Bob
Bob owns a driver’s license
Can we integrate a smart card in idemix ?
Building blocks of idemix
• User’s master key $x_U$
• Public key of an organisation $(n_O, a_O, b_O, d_O, g_O, h_O)$
  • $n_O$ special RSA modulus, $n_O = pq = (2p'+1)(2q'+1)$
  • $a_O, b_O, d_O, g_O, h_O$ in the group of quadratic residues $QR_{n_O}$
• Pseudonyms of a user with an organisation $P_{UO}$
  • Binding to $x_U$
  • Hiding $x_U$
  • $P_{UO} = a_O^{x_U}\, b_O^{s_{UO}} \bmod n_O$
• Credential triples $(c, e, r)$
  • ‘An RSA signature on the combination of a pseudonym and a credential identifier’
  • $c^e = P_{UO}\, b^r\, d_O \bmod n_O$
  • $c = (P_{UO}\, b^r\, d_O)^d$ with $d$ such that $de = 1 \bmod \Phi(n_O)$
Protocols: Setup, FormNym, GrantCred
Building blocks of idemix
VerifyCred
• Verify that the user owns a triple $(c, e, r)$ such that $c^e = P_{UO}\, b^r\, d_O \bmod n_O$ for a specific credential value $d_O$
• Check that it is bound to a user’s master key $x_U$
• The values $c$, $e$, $r$, $x_U$, $s_{UO}$ must remain secret to avoid linkability
VerifyCredOnNym
• Verify that the user owns a triple $(c, e, r)$ obtained from the Issuer, and that the pseudonyms at the Issuer and the Verifier are bound to the same user.
• As in VerifyCred
• But also check whether $P_{UI}$ and $P_{UV}$ are bound to the same $x_U$
Use case: Car Rental using
Authorisation
I am Bob
Bob owns a driver’s license
Zero-knowledge proof
I am Alex
Alex owns a driver’s license
Zero-knowledge proof: Ali-Baba
Peggy Victor
Zero-knowledge proof: Schnorr
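$X = g^x \bmod p$; the Prover (P) holds $X, x$; the Verifier (V) holds $X$.
• Commitment (P sends $R$ to V): choose $r$ at random in $[0, p-1]$, calculate $R = g^r \bmod p$
• Challenge (V sends $c$ to P): choose $c = 0$ or $1$
• Response (P sends $s$ to V): calculate $s = r + cx \bmod p-1$
• Verification (V): check whether $g^s = g^r g^{cx} = R X^c \bmod p$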
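The Schnorr exchange on this slide, as an added Python example (not code from the thesis): with a one-bit challenge, a party that does not know $x$ can fix $s$ first and derive $R$ for a guessed $c$, so a single round proves little and the verifier repeats it until the error $2^{-k}$ is small enough. The toy prime, the base and all function names are assumptions made for illustration.

```python
import secrets

# Toy parameters constructed for this example; real systems use a far larger prime.
P = 2039          # prime modulus p
G = 4             # base g

def public_key(x):
    return pow(G, x, P)                           # X = g^x mod p

def commit():
    r = secrets.randbelow(P)                      # r in [0, p-1]
    return r, pow(G, r, P)                        # R = g^r mod p

def respond(r, c, x):
    return (r + c * x) % (P - 1)                  # s = r + c x mod p-1

def check(X, R, c, s):
    return pow(G, s, P) == R * pow(X, c, P) % P   # g^s = R X^c mod p

def honest_proof(x, rounds):
    """Prover knows x: every round verifies, whatever the challenge bit."""
    X = public_key(x)
    for _ in range(rounds):
        r, R = commit()
        c = secrets.randbelow(2)                  # verifier picks c = 0 or 1
        if not check(X, R, c, respond(r, c, x)):
            return False
    return True

def guessed_round(X, c_guess, c_real):
    """No knowledge of x: s is fixed first and R = g^s * X^(-c_guess) derived
    from it, so the check holds only when the real challenge equals the guess."""
    s = secrets.randbelow(P - 1)
    R = pow(G, s, P) * pow(X, P - 1 - c_guess, P) % P
    return check(X, R, c_real, s)

def soundness_error(rounds):
    """Probability that guessing survives every one of `rounds` rounds."""
    return 0.5 ** rounds
```

The same construction is what makes the protocol zero-knowledge: a transcript $(R, c, s)$ built this way is distributed like a real one, so it reveals nothing about $x$.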
Proof of knowledge of commitment opening
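$X = g^x h^r \bmod n$; the Prover (P) holds $X, x, r$; the Verifier (V) holds $X$.
• Commitment (P sends $R$ to V): choose $r_1, r_2$ at random in $[0, 2^{L_r})$, calculate $R = g^{r_1} h^{r_2} \bmod n$
• Challenge (V sends $c$ to P): choose $c$ at random in $[0, 2^{L_c})$
• Response (P sends $s_1, s_2$ to V): calculate $s_1 = r_1 + cx$ in $\mathbb{Z}$, $s_2 = r_2 + cr$ in $\mathbb{Z}$
• Verification (V): check whether $R X^c = g^{s_1} h^{s_2} \bmod n$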
Zero-knowledge proofs for VerifyCred and VerifyCredOnNym
• VerifyCred
• VerifyCredOnNym
A complication: the smart card
• A smart card contains a microprocessor
  • …but cannot be compared to a desktop PC!
• idemix uses heavy calculations: exponentiations with large numbers
• An example: [slide figure: an exponentiation modulo a number of about 300 decimal digits, set beside $5^3 = 125$; timings shown: ≈ 60 ms and ≈ 1.5 sec]
Solution 1: Optimising the interval proofs
• Exact interval proofs (Boudot 2000) cost about 22 exponentiations per interval.
• We can use expanded interval proofs instead.
The Prover starts with $X = g^x h^r \bmod n$ with $x \in [a, b]$.
The Verifier checks whether the response $s_1$ ($= r_1 + cx$) lies in the correct interval. Then he is convinced that $x \in [a - m(b-a),\ b + m(b-a)]$.
[Figure: number line for $x_U$ labelled “secure master key interval”, marking $a$, $b$ and the expanded endpoints $a - m(b-a)$ and $b + m(b-a)$]
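The proof of knowledge of a commitment opening from the earlier slide, combined with the range check on $s_1$ that turns it into an expanded interval proof, as an added Python example (not code from the thesis). The toy modulus, the bit lengths, the mask size `mask_bound` and the accept interval are assumptions chosen for illustration with $0 \le a < b$; the page does not give the thesis's parameters or its value of $m$.

```python
import secrets

# Toy parameters constructed for this example (far too small for real use):
# n = p*q with safe primes p = 2*509 + 1 and q = 2*593 + 1; g, h squares mod n.
N = 1019 * 1187
G, H = pow(3, 2, N), pow(5, 2, N)
L_C, L_R, L_Z = 16, 64, 40   # challenge, r2-mask and hiding lengths (assumed)

def commit(x, r):
    return pow(G, x, N) * pow(H, r, N) % N          # g^x h^r mod n

def mask_bound(a, b):
    """Assumed size M of the r1 mask; it sets how far the interval expands."""
    return (1 << (L_C + L_Z)) * (b - a)

def prover_commit(a, b):
    r1 = secrets.randbelow(mask_bound(a, b))
    r2 = secrets.randbelow(1 << L_R)
    return (r1, r2), commit(r1, r2)                 # R = g^r1 h^r2 mod n

def prover_respond(state, c, x, r):
    r1, r2 = state
    return r1 + c * x, r2 + c * r                   # in Z: no modular reduction

def verify(X, R, c, s1, s2, a, b):
    """Slide check R X^c = g^s1 h^s2 mod n, plus the range check on s1."""
    algebra_ok = R * pow(X, c, N) % N == commit(s1, s2)
    range_ok = c * a <= s1 <= c * b + mask_bound(a, b) - 1
    return algebra_ok and range_ok

def run(x, r, a, b, c=None):
    """One exchange for a prover following the protocol with secret (x, r)."""
    X = commit(x, r)
    state, R = prover_commit(a, b)
    if c is None:
        c = secrets.randbelow(1 << L_C)             # verifier's challenge
    s1, s2 = prover_respond(state, c, x, r)
    return verify(X, R, c, s1, s2, a, b)
```

A value of $x$ above $b + M$ is rejected for every challenge $c \ge 1$ but accepted for $c = 0$, so the verifier's conviction holds except with probability about $2^{-L_c}$; the only extra cost over the plain opening proof is one integer comparison, with no additional exponentiations.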
Solution 2: Distribution of computation load
• Untrusted terminal (pay terminal)
  • We may give no information to the terminal, because pseudonyms and credentials are ‘linking information’
• Trusted terminal (phone, digital wallet)
  • Distribution of computation load
  • We can keep the user’s master key on the smart card and give the pseudonyms and credentials to the terminal.
Conclusions
• For security: integration of a smart card in idemix has to be done with a lot of care (not mentioned earlier in this talk).
• No exact interval proofs are needed; use expanded interval proofs instead.
• With an untrusted terminal all user-side calculations have to be done on the smart card → VerifyCredOnNym takes +/- 17 seconds.
• With a trusted terminal the calculations can be distributed over the smart card and terminal → VerifyCredOnNym takes +/- 6 seconds.
• It is possible to integrate a smart card in idemix (in such a manner that users do not have to wait too long).
More information…
• Website about this thesis: http://www.luukluuk.nl/idemix
Questions?
www.luukluuk.nl/idemix
Thank you for your attention