Summer School on Real-World Crypto and Privacy - IRMA ...“[By 2025 f]ew individuals will have the...
IRMA: Attribute-Based Identity Management Using Smart Cards
Summer School on Real-World Crypto and Privacy
Gergely Alpár
June 4, 2015
Page 1 of 46 http://www.cs.ru.nl/~gergely/ June 4 IRMA
Currently we are here...
Security and Privacy Today
Attribute-based identity management
Crypto of ABCs
Smart-card implementation
IRMA: the best of ABCs
“[By 2025 f]ew individuals will have the energy,
interest, or resources to protect themselves from
dataveillance; privacy will become a luxury.”
[Pew Research Center, December 2014]
Security and Privacy Today
Authentication
- Passwords
  • “38% of adults sometimes think it would be easier to solve world peace than attempt to remember all their passwords” [Harris Interactive, 2012]
- Many accounts at service providers
- Identity management
  • Users
  • Identity provider(s) = Issuer
  • Service providers = Relying party = Verifier
Problems with Identity Management
- Security
  • Single point of failure
  • Valuable target
- Privacy
  • Can log in (?)
  • Linking all user activities
  • Profiling
Authorisation is necessarily identifying
Outline
Security and Privacy Today
Attribute-based identity management
Crypto of ABCs
Smart-card implementation
IRMA: the best of ABCs
Currently we are here...
Security and Privacy Today
Attribute-based identity management
Crypto of ABCs
Smart-card implementation
IRMA: the best of ABCs
Identity and Attributes
[FIDIS 2005]
Attribute-based identity management
Digital Identity
- Attributes
- Partial identities
- Identifying and non-identifying attributes
- Username + authentication + lookup
- Authorisation based on attributes
  • Directly looking up relevant attributes
  • Identifying and non-identifying authorisation (DEMO: ≥ 18)
Identity Management
Attribute-Based Identity Management
Attribute-Based Credential
Issuing and Showing
Currently we are here...
Security and Privacy Today
Attribute-based identity management
Crypto of ABCs
Smart-card implementation
IRMA: the best of ABCs
Plan for Crypto
- Commitment
- Zero-knowledge proof
- Attribute-based credential (ABC)
- Selective disclosure
Crypto of ABCs
Commitment
- (Temporary) secret in a box with a padlock
- . . . and a key.
- Phases:
  • Commit
  • Opening
- Examples (related to the DL problem):
  • $h = g^{x} \pmod p$. Commit: $h, g, p$; Opening: $x$.
  • $h = g^{r} \cdot g_1^{x} \pmod p$. Commit: $h, g, g_1, p$; Opening: $r, x$.
- Computational hiding and perfect binding.
  OR
- Perfect hiding and computational binding. [Damgård 99]
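The second example above, $h = g^r \cdot g_1^x$, as an added Python example that is not part of the original slides: it commits and opens, checks that one commitment can be explained by every possible value (perfect hiding), and shows that two different openings of the same $h$ reveal $\log_g g_1$ (why binding is only computational). The toy group (p = 2039, q = 1019, g = 4), the known `TRAPDOOR` exponent and all function names are assumptions made for the demonstration.

```python
import secrets

# Toy parameters constructed for this example (far too small for real use):
# P = 2*Q + 1 is a safe prime; G and G1 generate the subgroup of prime order Q.
P, Q = 2039, 1019
G = 4
TRAPDOOR = 777                 # log_G(G1); in a real setup nobody may know this
G1 = pow(G, TRAPDOOR, P)


def commit(x, r=None):
    """Commit phase: return (h, r) with h = g^r * g1^x mod p."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, r, P) * pow(G1, x, P) % P, r


def open_ok(h, r, x):
    """Opening phase: the verifier recomputes the commitment from (r, x)."""
    return h == pow(G, r, P) * pow(G1, x, P) % P


def matching_randomness(r, x, x_other):
    """The r' for which (r', x_other) opens the same h: r' = r + t*(x - x_other) mod q."""
    return (r + TRAPDOOR * (x - x_other)) % Q


def hiding_holds(h, r, x):
    """Perfect hiding: every candidate value has an r' that explains h equally well."""
    return all(open_ok(h, matching_randomness(r, x, x2), x2) for x2 in range(Q))


def dlog_from_two_openings(r1, x1, r2, x2):
    """Computational binding: two different openings of one h give log_g(g1)."""
    return (r1 - r2) * pow((x2 - x1) % Q, -1, Q) % Q
```

Equivocating with `matching_randomness` is possible here only because the example knows `TRAPDOOR`; binding rests on that discrete logarithm being unknown to the committer.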
Where’s Waldo?—Zero-Knowledge Proof
Where’s Waldo?—Zero-Knowledge Proof
[Naor et al. 99]
Where’s Waldo?
Schnorr’s Proof of Knowledge [Schnorr 91]
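- Let us work in $G$ of order $q$
- Discrete logarithm: “I know the discrete logarithm $\log_g h$.”
- $PK\{\chi \mid h = g^{\chi}\}$: Proof of Knowledge
- Interactive

Common input: $G, g, q, h = g^{x}$. Prover's secret: $x$.

(1) Prover: $w \in_R \mathbb{Z}_q$, $a := g^{w}$; sends $a$ to the Verifier.
(2) Verifier: $c \in_R \mathbb{Z}_q$; sends $c$ to the Prover.
(3) Prover: $r := c \cdot x + w \pmod q$; sends $r$ to the Verifier, who checks $a \stackrel{?}{=} g^{r} \cdot h^{-c}$.

(1) Commitment (2) Challenge (3) Response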
How to Design ABCs? – In Three Simple Steps
Step 1 Take a commitment scheme
Step 2 Generalise it to multiple values
Step 3 Sign the extended commitment
Step +1 Apply here and there zero-knowledge proofs
IBM’s Idemix Based on CL
- Camenisch–Lysyanskaya (CL) signature [CL 01, CL 02]
- Strong RSA assumption [BP 97, FO 97]
  • RSA ($n = pq$) $\Rightarrow$ Taking the $e$th root is hard
  • Strong $\Rightarrow$ DL is hard
  • Group $QR_n$:
    - $p, q$ are safe primes
    - Quadratic residues in $\mathbb{Z}_n^*$
    - $QR_n$ is a subgroup of order $\varphi(n)/4$
  • Some group elements that you’ll see: $A, Z, S, R, R_1, R_2, R_3, \ldots$
  • Some further integers (exponents): $e, v, a, \ldots$
- Let’s “design” Idemix’s ABCs
Step 1: Commitment
Take a commitment scheme – Pedersen on $a_1$:

$$R^{a} \cdot R_1^{a_1}$$

where $a$ is random.
Step 2: Generalisation
Extend it to multiple values – generalise Pedersen on $(a_1, \ldots, a_L)$:

$$R^{a} \cdot \underbrace{R_1^{a_1} \cdot \ldots \cdot R_L^{a_L}}_{\prod_{i=1}^{L} R_i^{a_i}}$$

where $a$ is random.
Step 3: Signature
Sign the extended commitment – CL on attributes: $a_1, \ldots, a_L$

$$A := \left( \frac{Z}{S^{v} \cdot R^{a} \cdot \prod_{i=1}^{L} R_i^{a_i}} \right)^{1/e} \pmod n$$

where $(a)$, $v$, $e$ are random.
CL Signature: Idemix ABCs
$$(A, e, v) \text{ where } A \equiv \left( \frac{Z}{S^{v} \cdot R^{a} \cdot \prod_{i=1}^{L} R_i^{a_i}} \right)^{1/e} \pmod n$$

- Commitment
  • Binding: computational (representation problem)
  • Hiding: perfect (randomised)
- CL Signature
  • Private key: $p, q$; Public key: $n = pq$, $Z$, $S$, “all $R$s”
  • A bit like RSA: $(\,\cdot\,)^{1/e} \pmod n$
  • More complicated: advanced functions
- Issuing: blind signature (zero-knowledge proof)
Issuing and Showing
CL Signature: Verification
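Signature:

$$(A, e, v) \text{ where } A \equiv \left( \frac{Z}{S^{v} \cdot R^{a} \cdot \prod_{i=1}^{L} R_i^{a_i}} \right)^{1/e} \pmod n$$

- Public key: $n, Z, S, R, R_1, \ldots, R_L$
- Attributes (block of messages): $(a), a_1, \ldots, a_L$
- Verification:

$$Z \stackrel{?}{\equiv} A^{e} \cdot S^{v} \cdot \underbrace{R^{a} \cdot \prod_{i=1}^{L} R_i^{a_i}}_{R'} \pmod n$$

- IdP $\longrightarrow$ U; U $\longrightarrow$ V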
CL Signature Randomisation
Signature:

$$(A, e, v) \text{ where } A \equiv \left( \frac{Z}{S^{v} \cdot R'} \right)^{1/e} \pmod n$$

- Select random $r$
- $A := A \cdot S^{-r} \pmod n$, $v := v + er$
- Indeed, $(A, e, v)$ is valid:

$$A^{e} S^{v} R' \equiv A^{e} S^{-er} S^{v} S^{er} R' \equiv A^{e} S^{v} R' \equiv Z \pmod n.$$

- Can we achieve untraceability with randomisation?
What about $e$?
What about e? – i.e. How to hide e?
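- Randomised signature: $(A, e, v)$

$$A^{e} S^{v} \cdot R^{a} \cdot \prod_{i=1}^{L} R_i^{a_i} \equiv Z \pmod n.$$

- Representation problem is hard:

$$n;\ Z;\ (A, S, R, R_1, \ldots, R_L) \stackrel{?}{\longrightarrow} \text{“}(e, v, a, a_1, \ldots, a_L)\text{”}$$

- So, U proves that she knows:

$$PK\{(\varepsilon, \nu, \alpha, \alpha_1, \ldots, \alpha_L) : Z \equiv A^{\varepsilon} S^{\nu} R^{\alpha} \prod_{i=1}^{L} R_i^{\alpha_i} \pmod n\}.$$

But then selective disclosure is easy!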
Selective disclosure
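- Zero-knowledge proof about all exponents:

$$PK\{(\varepsilon, \nu, \alpha, \alpha_1, \ldots, \alpha_L) : Z \equiv A^{\varepsilon} S^{\nu} R^{\alpha} \prod_{i=1}^{L} R_i^{\alpha_i} \pmod n\}.$$

- Disclose some and prove the rest: U $\longrightarrow$ V disclose: $a_1, a_2$ and prove:

$$PK\{(\varepsilon, \nu, \alpha, \alpha_3, \ldots, \alpha_L) : Z \cdot R_1^{-a_1} \cdot R_2^{-a_2} \equiv A^{\varepsilon} S^{\nu} R^{\alpha} \prod_{i=3}^{L} R_i^{\alpha_i} \pmod n\}.$$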
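An added Python example, not code from the slides or from Idemix, that carries the verification, randomisation and selective-disclosure formulas above through on a toy key. Assumptions: tiny safe primes (1019 and 2039), the issuer signs directly instead of running the blind issuing protocol, the challenge is SHA-256 over a verifier nonce, and the size checks a real implementation needs are omitted; all names are hypothetical.

```python
import hashlib, secrets

# Toy issuer key constructed for this example; real keys use large safe primes.
P_, Q_ = 1019, 2039                        # private key: safe primes 2*509+1, 2*1019+1
N = P_ * Q_                                # public modulus n = pq
ORDER = ((P_ - 1) // 2) * ((Q_ - 1) // 2)  # |QR_n| = phi(n)/4, known to the issuer only
S = 4                                      # generates QR_n for this n
Z = pow(S, secrets.randbelow(ORDER - 1) + 1, N)
BASES = [pow(S, secrets.randbelow(ORDER - 1) + 1, N) for _ in range(5)]  # R, R_1..R_4
E_CHOICES = [10007, 10009, 10037, 10039, 10061]   # toy primes for e

def rep(pairs):
    """Product of base^exp mod n over (base, exp) pairs; exponents may be negative."""
    out = 1
    for base, exp in pairs:
        out = out * pow(base, exp, N) % N
    return out

def issue(attrs):
    """Issuer: A := (Z / (S^v * R^a * prod R_i^a_i))^(1/e) mod n, attrs = [a, a_1..a_L]."""
    e, v = secrets.choice(E_CHOICES), secrets.randbelow(ORDER)
    denom = rep([(S, v)] + list(zip(BASES, attrs)))
    root = pow(e, -1, ORDER)               # computing 1/e needs the group order (p, q)
    return pow(Z * pow(denom, -1, N) % N, root, N), e, v

def verify_sig(A, e, v, attrs):
    """Z ?= A^e * S^v * R^a * prod R_i^a_i (mod n)."""
    return Z == rep([(A, e), (S, v)] + list(zip(BASES, attrs)))

def randomise(A, e, v):
    """A := A * S^(-r), v := v + e*r; note that e itself does not change."""
    r = secrets.randbelow(ORDER)
    return A * pow(S, -r, N) % N, e, v + e * r

def challenge(A, T, nonce, disclosed):
    """Fiat-Shamir challenge bound to the verifier's nonce and the disclosed values."""
    data = repr((N, Z, A, T, nonce, sorted(disclosed.items()))).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def show(sig, attrs, disclose, nonce):
    """User: randomise, reveal attrs[i] for i in disclose, prove e, v and the rest."""
    A, e, v = randomise(*sig)
    hidden = [i for i in range(len(attrs)) if i not in disclose]
    known = [(A, e), (S, v)] + [(BASES[i], attrs[i]) for i in hidden]
    tildes = [secrets.randbits(160) for _ in known]
    T = rep([(base, t) for (base, _), t in zip(known, tildes)])
    disclosed = {i: attrs[i] for i in disclose}
    c = challenge(A, T, nonce, disclosed)
    responses = [c * x + t for (_, x), t in zip(known, tildes)]  # over the integers
    return {"A": A, "c": c, "responses": responses, "disclosed": disclosed}

def verify_show(proof, nonce, n_attrs):
    """Verifier: rebuild T using (Z * prod R_i^(-a_i))^(-c), then recompute c."""
    A, c, disclosed = proof["A"], proof["c"], proof["disclosed"]
    hidden = [i for i in range(n_attrs) if i not in disclosed]
    bases = [A, S] + [BASES[i] for i in hidden]
    if len(bases) != len(proof["responses"]):
        return False
    lhs = rep([(Z, 1)] + [(BASES[i], -a) for i, a in disclosed.items()])
    T = rep(list(zip(bases, proof["responses"])) + [(lhs, -c)])
    return c == challenge(A, T, nonce, disclosed)
```

The proof object contains the randomised $A$ but neither $e$ nor $v$, which is the point of the "What about e?" slide: $e$ survives randomisation unchanged and would otherwise link every showing of the credential.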
In Sum: ABCs are Powerful!
- Security
  • Authenticity
  • Integrity
  • Non-transferability
- Privacy
  • Issuer unlinkability
  • Multi-show unlinkability
  • Selective disclosure (data minimisation)
- Technics
  • IBM’s idemix [CL 01, CL 02]
  • Microsoft’s U-Prove [Brands 99]
Currently we are here...
Security and Privacy Today
Attribute-based identity management
Crypto of ABCs
Smart-card implementation
IRMA: the best of ABCs
Why Smart Cards?
- Secure
- User-friendly
- Feels private
- Looks private
- Restrictions
  • No user interface (DEMO: Card management)
  • JavaCard? No (too restricted API)
  • MULTOS (Infineon SLE78 chip)
  • Small RAM
  • Slow EEPROM
Smart-card implementation
Performance: Issuing [VA 13]
Performance: Showing [VA 13]
Currently we are here...
Security and Privacy Today
Attribute-based identity management
Crypto of ABCs
Smart-card implementation
IRMA: the best of ABCs
IRMA Team
“I Reveal My Attributes”
IRMA: the best of ABCs
The IRMA Card
ABC Examples
- Address: country, city, street & number, postcode
- Junior Age: ≥ 12, ≥ 16, ≥ 18, ≥ 21
- Student: university, field of study, student number, enrollment year
- Medical Basics: blood type, allergies, chronic diseases, . . .
Challenges: ABCs on Smart Cards
- Card anonymity
- Card life cycle
- Credential design
- Online and offline use cases (DEMO: IRMA Tube)
- User authentication (PIN)
- Certification of issuers and verifiers
- Secure channel between card and verifier
- User interfaces (consent!)
- Card management
- Card revocation
- Preventing abuse of anonymity
Summary
- “Attributes rather than identifiers”
- Attribute-based identity management is becoming practical
- Privacy and user control (without losing functionality)
- Nice crypto
- Lots of further questions
  • Deployment
  • Socio-technical aspects
  • Combat suspicion against anonymity
  • To make other attribute-based technologies practical

Questions?
IRMA-related References 1
- https://www.irmacard.org
- Gergely Alpár, Lejla Batina, Roel Verdult. Using NFC Phones for Proving Credentials, PILATES 2012, LNCS 7201, Kaiserslautern, Germany, 2012.
- Gergely Alpár, Lejla Batina, Wouter Lueks. Designated Attribute-Based Proofs for RFID Applications, In Jaap-Henk Hoepman and Ingrid Verbauwhede, editors, RFID Security and Privacy (RFIDsec), LNCS 7739, Nijmegen, The Netherlands, pages 59–75. Springer, 2012.
- Pim Vullers and Gergely Alpár. Efficient Selective Disclosure on Smart Cards Using Idemix. In Simone Fischer-Hübner, Elisabeth de Leeuw, and Chris Mitchell editors, Policies and Research in Identity Management (IDMAN), 3rd IFIP WG 11.6 Working Conference, London, UK, IFIP AICT 396, pages 53–67. Springer, 2013.
- Gergely Alpár and Bart Jacobs. Credential Design in Attribute-Based Identity Management. In Ronald Leenes and Eleni Kosta, editors, Bridging distances in technology and regulation, pages 189–204, 3rd TILTing Perspectives Conference, Tilburg, NL, April 25-26, 2013.
IRMA-related References 2
- Gergely Alpár and Jaap-Henk Hoepman. A Secure Channel for Attribute-based Credentials [Short paper]. In Proceedings of the 2013 ACM Workshop on Digital Identity Management (DIM 2013), pages 13–18, Berlin, November 8, 2013.
- Merel Koning, Paulan Korenhof, Gergely Alpár and Jaap-Henk Hoepman. The ABC of ABC: an analysis of attribute-based credentials in the light of data protection, privacy and identity. In Proceedings of the 10th International Conference on Internet, Law & Politics (IDP 2014): A decade of transformations, pages 357–374, Barcelona, July 3-4, 2014.
- Antonio de la Piedra, Jaap-Henk Hoepman, and Pim Vullers, Towards a Full-Featured Implementation of Attribute Based Credentials on Smart Card. In A. Kiayias and D. Gritzali, editors, 13th Int. Conf. on Cryptology and Network Security (CANS 2014), Heraklion, Crete, Greece, October 22-24 2014.
- Wouter Lueks, Gergely Alpár, Jaap-Henk Hoepman, and Pim Vullers. Fast Revocation of Attribute-Based Credentials for Both Users and Verifiers. In Proceedings of the IFIP International Information Security and Privacy Conference (IFIP SEC 2015), Hamburg, May 26-28, 2015.
References 1
- [BP 97] N. Barić and B. Pfitzmann. Collision-free accumulators and fail-stop signature schemes without trees. In Advances in Cryptology–EUROCRYPT’97, pages 480–494. Springer, 1997.
- [Brands 99] S. A. Brands. Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy. MIT Press, Cambridge, MA, USA, 2000.
- [CL 01] J. Camenisch and A. Lysyanskaya. An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation. In B. Pfitzmann, editor, Advances in Cryptology–EUROCRYPT 2001, volume 2045 of LNCS, pages 93–118. Springer Berlin / Heidelberg, 2001.
- [CL 02] J. Camenisch and A. Lysyanskaya. A Signature Scheme with Efficient Protocols. In S. Cimato, G. Persiano, and C. Galdi, editors, Security in Communication Networks, volume 2576 of LNCS, pages 268–289. Springer Berlin / Heidelberg, 2002.
- [Damgård 99] I. Damgård. Commitment schemes and zero-knowledge protocols. In Lectures on Data Security, pages 63–86. Springer, 1999.
- [FIDIS 2005] J. Backhouse. D4. 1: Structured account of approaches on interoperability. FIDIS Deliverables, 2005.
References 2
- [FO 97] E. Fujisaki and T. Okamoto. Statistical zero knowledge protocols to prove modular polynomial relations. In Advances in Cryptology–CRYPTO’97, pages 16–30. Springer, 1997.
- [FS 86] A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. Odlyzko, editor, Advances in Cryptology–CRYPTO ’86, volume 263 of LNCS, pages 186–194. Springer, 1987.
- [Naor et al. 99] M. Naor, Y. Naor, and O. Reingold. Applied Kid Cryptography or How to convince your children you are not cheating. Journal of Craptology, 0 (1) (1999).
- [Schnorr 91] C.-P. Schnorr. Efficient signature generation by smart cards. Journal of cryptology, 4(3):161–174, 1991.
- [VA 13] Pim Vullers and Gergely Alpár. Efficient Selective Disclosure on Smart Cards Using Idemix. In Simone Fischer-Hübner, Elisabeth de Leeuw, and Chris Mitchell editors, Policies and Research in Identity Management (IDMAN), 3rd IFIP WG 11.6 Working Conference, London, UK, IFIP AICT 396, pages 53–67. Springer, 2013.
Credential “Tree”
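Schnorr Signature, i.e. Schnorr with Fiat–Shamir [FS 86]
- Discrete logarithm: “I know the discrete logarithm $\log_g h$.”
- Non-interactive: $SPK\{\chi \mid h = g^{\chi}\}(n)$

Common input: $G, g, q, h = g^{x}, H$. Prover's secret: $x$.

Verifier: $n \in_R \mathbb{Z}_q$; sends $n$ to the Prover.
Prover: $w \in_R \mathbb{Z}_q$, $a := g^{w}$, $c := H(a, n)$, $r := c \cdot x + w \pmod q$; sends $a, r$ to the Verifier, who checks $a \stackrel{?}{=} g^{r} \cdot h^{-H(a,n)}$.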
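The non-interactive variant above as an added Python example (not from the original slides): the challenge is $c := H(a, n)$ for a verifier-chosen nonce $n$, and the hypothetical `Verifier` class accepts each nonce only once, so a recorded pair $(a, r)$ cannot be replayed. The toy group, SHA-256 reduced mod $q$ as $H$, and all names are assumptions.

```python
import hashlib, secrets

# Toy group constructed for this example: P = 2*Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4


def H(a, n):
    """Hash the commitment a and the verifier's nonce n into Z_q."""
    digest = hashlib.sha256(f"{a}|{n}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def spk_prove(x, n):
    """Prover: a := g^w, c := H(a, n), r := c*x + w mod q; sends (a, r)."""
    w = secrets.randbelow(Q)
    a = pow(G, w, P)
    return a, (H(a, n) * x + w) % Q


def spk_verify(h, n, a, r):
    """Verifier's check a ?= g^r * h^(-H(a, n)) (mod p)."""
    return a == pow(G, r, P) * pow(h, -H(a, n), P) % P


class Verifier:
    """Hands out fresh nonces and accepts a proof for each nonce at most once."""

    def __init__(self, h):
        self.h = h
        self.outstanding = set()

    def new_nonce(self):
        n = secrets.randbelow(Q)
        self.outstanding.add(n)
        return n

    def accept(self, n, a, r):
        if n not in self.outstanding:    # unknown or already used nonce
            return False
        self.outstanding.discard(n)
        return spk_verify(self.h, n, a, r)
```

A proof made for nonce $n$ verifies under another nonce $n'$ only when $H(a, n) = H(a, n')$, which in a group this small happens by chance; real parameters make that negligible.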