Practical Anonymous Subscriptions
Alan Dunn, Jonathan Katz, Sangman Kim, Michael Lee, Lara Schmidt, Brent Waters, Emmett Witchel

Anonymous subscriptions
- Provide registered/paid users with the ability to log in and access a service…
- …while remaining anonymous…
- …yet still allowing the server to enforce admission control
  - I.e., users cannot share their login with friends
- Music/video streaming, reading news articles, transit pass

System model
- Time broken into a series of well-defined epochs

Anonymity/unlinkability
- Cannot link a user login to a user registration
- Cannot link logins by the same user (in different epochs) to each other

Anonymity/unlinkability
[Figure]

Admission control (“soundness”)
- Each registered user can only have one active login per epoch
  - I.e., a user cannot freely share their login information with their friends
  - (Formal definition later)

Soundness
[Figure: the same key sk1 used for two logins; one marked X]

How long is an epoch?
- Shorter epochs ⇒ better anonymity
- Longer epochs ⇒ less computation

How long is an epoch?
- Here: conditional linkability
  - Logged-in user can choose to “re-up” his login for the next epoch
  - Re-up is cheaper than a login
  - Allows server to link user across epochs
    - User decides when this is acceptable
    - User can do a full login if unlinkability is desired

Related (but different)
- Anonymous credentials, DAA, group signatures
  - Anonymity, but no admission control
- Anonymous blacklisting systems
  - Anonymity, revocation, but no notion of per-epoch admission control
- E-cash
  - Anonymity, double spending detected, but no notion of unlimited re-use

Related work
- Unclonable authentication [Damgård, Dupont, Østergaard]
- n-time anonymous authentication [Camenisch et al.]
  - Uses prior ideas from e-cash [Camenisch, Hohenberger, Lysyanskaya]
  - Different model – multiple verifiers, traceability after the fact

Our contributions
- More efficient, simpler construction
- “Weaker” cryptographic assumptions
- Cleaner definitions
- Conditional linkability for improved efficiency
- Implementation and system evaluation

What we do not prevent
- Users sharing login information to use at different times
- Other ways of breaking anonymity
  - Traffic analysis, IP addresses
  - User behavior
  - History of accessed content
- Address using complementary techniques

Functional definition I
- Setup – server generates public/private keys; initializes state including cur/next
- Registration – user/server interact; user obtains secret key sk (or error)

Functional definition II
- Login – Using sk and the current epoch number, user logs in to server
  - Server increments cur
- Link (“re-up”) – User currently logged in during epoch t can log in for epoch t+1
  - Server increments next

Functional definition III
- EndEpoch – server refreshes state; updates cur/next
  - cur = next; next = 0

Security definitions
- (Honest) user is logged in at some point in time if (1) that user previously ran Login in that epoch, or (2) at some point in the previous epoch, the user was logged in and ran Link
- (Honest) user i is linked at some point in time if at some previous point during that epoch, the user was logged in and ran Link

Soundness (informal)
- Attacker registers any number N of users; honest users also register
- Attacker interacts with server arbitrarily
- Honest users login/link (so affect server state), but attacker cannot observe
- Attacker controls when epochs end

Attacker succeeds if, at any point in time, cur > N + #honest users logged in

Anonymity (informal)
- Phase 0
  - Attacker outputs arbitrary public key
  - Two honest users register (and get secret keys)
- Phase I
  - Attacker induces honest users to Login/Link
- Phase II – neither user logged in
  - Users either permuted or not
  - Attacker induces honest users to Login/Link
- Phase III – neither user logged in
  - As in Phase I

Attacker succeeds if it can guess whether users were permuted in Phase II (with significantly better than ½ probability)

Construction (intuition)
- Registration: user gets “anonymous credential” $C$ (i.e., a re-randomizable blind signature) on PRF key $k$
- Login in epoch $t$: user sends $C'$ + $F_k(t)$ + ZK proof of correctness
  - Server verifies signature and proof; checks that $F_k(t)$ not in table; stores $F_k(t)$ in table
- Link in epoch $t$: user sends $F_k(t)$ + $F_k(t+1)$ + ZK proof of correctness
  - Look up $F_k(t)$ in table; verify proof; add $F_k(t+1)$

Construction (further detail)
- Anonymous credential is based on variant of Camenisch-Lysyanskaya signatures
  - Public key = $(g^x, g^y, g^z)$
  - Signature on $(d, r)$ is $(g^a, g^{ay}, g^{ayz}, g^{ax}(g^d Z^r)^{axy})$
  - Re-randomizable, blindable, efficient ZK proofs
- Dodis-Yampolskiy PRF
  - $F_k(t) = g^{1/(k+t)}$
  - Compatible with various efficient ZK proofs

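Construction (further detail)
- Registration
  - User: $d, r \leftarrow \mathbb{Z}_q$; $M = g^d Z^r$
  - User → Server: $M$, PoK $(d, r)$
  - Server: $a \leftarrow \mathbb{Z}_q$
  - Server → User: $g^a, g^{ay}, g^{ayz}, g^{ax}M^{axy}$
  - User: Verify…
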
Construction (further detail)
- Login (epoch $t$)
  - User holds sk = $(A, B, Z_B, C, d, r)$
  - User: $r, s \leftarrow \mathbb{Z}_q$
  - User → Server: $A^r, B^r, Z_B^r, C^{rs}$; $Y = g^{1/(d+t)}$; PoK ($d$ in signature matches $d$ in $Y$)
  - Server: Verify…; $Y$ not in table

Construction (further detail)
- Link (epoch $t$)
  - User holds sk = $(A, B, Z_B, C, d, r)$
  - User → Server: $Y = g^{1/(d+t)}$, $Y' = g^{1/(d+t+1)}$; PoK ($Y$ and $Y'$ have correct form, and $d$ in $Y$ matches $d$ in $Y'$)
  - Server: $Y$ in table?

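The server-side bookkeeping behind Login, Link and EndEpoch, with Dodis-Yampolskiy tokens, as an added example that is not the authors' implementation. The toy group, the keys 123 and 456, and all names are assumptions; the credential and ZK-proof checks are taken as already passed.

```python
# Toy group (constructed, far too small for real use): p = 2q + 1, g has prime order q.
P, Q, G = 2039, 1019, 4

def prf(k, t):
    """Dodis-Yampolskiy PRF F_k(t) = g^(1/(k+t)); the inverse is taken mod q."""
    e = (k + t) % Q
    if e == 0:
        raise ValueError("k + t = 0 mod q: F_k(t) is undefined")
    return pow(G, pow(e, -1, Q), P)

class Server:
    """Admission-control state only. Assumes the credential and ZK proof
    accompanying each token were already verified."""
    def __init__(self):
        self.epoch = 0
        self.cur_tokens, self.next_tokens = set(), set()

    @property
    def cur(self):                      # logins active in the current epoch
        return len(self.cur_tokens)

    def login(self, y):
        if y in self.cur_tokens:        # same key already active this epoch
            return False
        self.cur_tokens.add(y)
        return True

    def link(self, y, y_next):
        if y not in self.cur_tokens:    # only a logged-in user may re-up
            return False
        self.next_tokens.add(y_next)
        return True

    def end_epoch(self):                # cur = next; next = 0
        self.epoch += 1
        self.cur_tokens, self.next_tokens = self.next_tokens, set()

def demo():
    srv, alice, bob = Server(), 123, 456          # constructed PRF keys
    t = srv.epoch
    out = [srv.login(prf(alice, t)),              # first login accepted
           srv.login(prf(alice, t)),              # shared key: rejected
           srv.login(prf(bob, t)),
           srv.link(prf(alice, t), prf(alice, t + 1))]
    srv.end_epoch()
    t = srv.epoch
    out += [srv.cur, srv.login(prf(alice, t)),    # linked slot already taken
            srv.login(prf(bob, t))]               # bob does a fresh full login
    return out
```
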
Construction (further detail)
- ZK proofs (of knowledge) fairly standard
- Made non-interactive using Fiat-Shamir

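One standard way to realize the registration step's PoK $(d, r)$ for $M = g^d Z^r$ as a Fiat-Shamir proof (a Schnorr-style representation proof), added here as an example and not the authors' implementation. The toy group, the value z = 77 and the function names are assumptions.

```python
import hashlib
import secrets

# Toy group (constructed, far too small for real use): p = 2q + 1, g has prime order q.
P, Q, G = 2039, 1019, 4
Z = pow(G, 77, P)    # Z = g^z from the server public key; z = 77 is a constructed value

def challenge(*vals):
    """Fiat-Shamir challenge: hash the generators, the statement M and the commitment T."""
    data = b"|".join(str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(d, r):
    """Return M = g^d Z^r and a non-interactive proof of knowledge of (d, r)."""
    M = pow(G, d, P) * pow(Z, r, P) % P
    u, v = secrets.randbelow(Q), secrets.randbelow(Q)     # fresh per-proof nonces
    T = pow(G, u, P) * pow(Z, v, P) % P                   # commitment
    c = challenge(G, Z, M, T)
    return M, (T, (u + c * d) % Q, (v + c * r) % Q)

def verify(M, proof):
    T, s1, s2 = proof
    # Reject values outside the order-q subgroup before doing any algebra on them.
    if not all(0 < x < P and pow(x, Q, P) == 1 for x in (M, T)):
        return False
    c = challenge(G, Z, M, T)      # recomputed by the verifier, never taken from the prover
    return pow(G, s1, P) * pow(Z, s2, P) % P == T * pow(M, c, P) % P
```
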
Security guarantees
- Soundness holds under LRSW assumption (essentially, unforgeability of CL signatures)
- Anonymity holds under DDHI assumption
  - $g^{1/x}$ “looks random” even given $g^x, \ldots, g^{x^n}$
- Note: in our security proofs, we assume extraction from all ZKPoKs is possible
  - Can be enforced if interactive proofs are used and sequentiality is enforced
  - Heuristic security if Fiat-Shamir proofs are used

System architecture

Notes
- Only loose synchronization needed
- Server sends timestamp when connection is established
- User caches previous timestamp to prevent rollback attacks on anonymity
- Login + (multiple) link(s) are done more efficiently than running Login, Link, …

Implementation
- Using PBC library [Lynn] and PolarSSL
- Symmetric pairing; 160-bit elliptic-curve group over 512-bit field
- 1400 LOC
- Pre-processing used when possible

Raw performance

|       | User    | Server  |
|-------|---------|---------|
| Login | 13.5 ms | 7.9 ms  |
| Link  | 1.3 ms  | 0.72 ms |

(quad-core 2.66 GHz Intel Core 2 CPU, 8GB RAM)

Evaluation I
- Integrated our system into a streaming-music service
  - 7500 users
  - Epoch length = 15 seconds
  - Acceptable performance in terms of playback delay/latency; details in paper

Evaluation II
- Anonymous public-transit passes
  - Epoch length = 5 minutes
  - Estimate <10 servers could handle BART peak-traffic volumes
- Implemented user agent as Android app
  - Login message displayed as QR code for physical scanner to read
  - No network connectivity required
  - Login time: 220 ms (HTC Evo 3D)

Conclusions
- Design, implementation, and evaluation of a system providing anonymous subscriptions
- Formal definitions, cryptographic proofs
- Performance acceptable for practical applications