The 3rd IEEE International Workshop on Big Data and IoT Security in Smart Computing (BITS 2019)

co-held with The 5th IEEE International Conference on Smart Computing (SMARTCOMP 2019)

12 June 2019, Washington D.C., USA

Decentralized Multi-authority Anonymous Authentication

for Global Identities with Non-interactive Proofs

Hiroaki ANADA*1

*1: Dept. Information Security, University of Nagasaki, JAPAN

Table of ContentPart I. Introduction

1. Motivation2. Challenging Problem

Part II. Construction1. Approach2. Building blocks3. How to compose them (& our Ideas)4. Security Analysis on Collusion attacks5. Security Analysis on Anonymity

Conclusion

2

Part I: Motivation

IoT with Cloud• Access to Internet• Delegation of

computation• Collaborative Service

• Key Technology of

SMART CITY

3

INTERNETOF THINGS

Motivation:

Collaborative Service: Example1

Authenticate her single digital IDto generate additional value

4

Motivation

Collaborative Service: Example2 Authenticate her single digital ID

to generate additional value

29 Oct 2018 5

MotivationWhat’s a problem?• Privacy Issue

No ID information should be leaked!

29 Oct 2018 6

MotivationWhat’s a problem? • Privacy Issue

No ID information should be leaked!

29 Oct 2018 7

?

??

Motivation

Decentralized Multi-authority Anonymous Authentication(DMA-A-AUTH)

• Anonymous protocol Not by pseudonym, but by unlinkable processes

8

?

?

Ano.Prot.

Ano.Prot. ?

MotivationWhat’s a problem? • The very anonymity causes potential drawback:Collusion Attack

9

?

?

Ano.Prot.

Ano.Prot.

?

MotivationSo, our challenging problem is:

• Construct DMA-A-AUTH

• For global digital ID So that authorities only have to generate a digital

signature on them

• Capable of preventing collusion attacks

10

?

? ?

Previous Work1. DMA-ABS• Decentralized Multi-authority

Attribute-Based Signature Scheme

• State-of-the-art work; for example;[1] “Decentralized Attribute-Based Signatures” Okamoto and Takashima, PKC 2013

But not for direct signing onglobal digital identifiers

11

Previous Work2. DMA-A-AUTH w. Interactive Protocol

• Some papers: [2] “Anonymous Authentication Scheme with Decentralized Multi-Authorities” Anada and Arita, BITS 2017[3] “Witness-Indistinguishable Arguments with ∑-Protocols for Bundled Witness Spaces and Its Application to Global Identities” Anada and Arita, ICICS 2018

• Three-move protocol

Needs on-line interaction 12

Msg 1

Msg 2

Msg 3

MotivationSo, our challenging problem is:

• Construct DMA-A-AUTH

• For global digital ID So that authorities only have to generate a digital

signature on them

• Non-interactive• Capable of preventing collusion attacks

13

?

? ?

=( , )CertificateAuthority

Part II. Construction

14

Approach Language

What is a language?• Language = a set of “statements”

• For ex., statement • For ex., statement • For ex., statement •

• Relation•• Finding of should be hard, but verifying membership:

“ ” should be easy• is called a “witness” of

15

: “public parameter”

NP language

Approach Language to capture our problem• “Bundled product” of a language

• Why can “Bundled product” capture our problem?• Because if we prove knowledge of such in WI way

statement means:“I’m not colluding cheaters, but a single legitimate person”

16

Approach Proof System for Language• What is a proof system for ?

•• P: a prover, V: a verifier• Under a statement , P tries to convince a verifier V that P

knows a witness of

• What are requirements for ?1. Completeness2. Soundness, or more strongly, Knowledge Soundness3. Zero-Knowledge, or more weakly,

Witness-Indistinguishability (WI):If has plural witnesses: , then V cannot decide the one used by P

17

Building blocks 1. Proof System for Our language

• Groth-Sahai Proof System [4]• Non-interactive• Perfectly witness-indistinguishable (GS-NIWI)• Using “bilinear groups”:

: cyclic groups, order

Bilinearity:

18

[4] “Efficient Non-interactive Proof Systems for Bilinear Groups”, Groth andSahai, Eurocrypt 2008

Building blocks2. Digital Signature Scheme

• For an authority to generate a signature on a global digital identity string of a user

gid, signature

19

= ( , )CertificateAuthority

= ( , )CertificateAuthority

= ( , )CertificateAuthority

Building blocksSignature Scheme for Our Case

• Structure-preserving signature scheme (SPS) [5]• A message is in one of the source groups ( )• A signature is also in the same

source groups ( )

• Suitable for GS-NIWI• Because can be a witness to be proved

20

[5] “Structure-Preserving Signatures and Commitments to Group Elements”, Abe, Fuchsbauer, Groth, Haralambiev and Ohkubo, Crypto 2010

=( , )CertificateAuthority

How to Compose Them (& our Ideas)Language

• A statement is the equation:(Symbols in the boxes are unknown variables)

• Intuitively;: “I know one of the solutions which satisfy the equations for all simultaneously”

21=( , )CertificateAuthority

How to Compose ThemSetup

• Setting-up Public Parameter Algorithm• Executed only once by a tentative central authority

• For example, by NIST

22

How to Compose ThemAuthKG

• Authority-Key Generator• Executed by an authority with an index

23

How to Compose ThemSKG

• Secret-Key Generator for a user w. global digital id• Executed by an authority with an index

to issue a private secret-key for the user

24

How to Compose Them (& our Ideas)Prover• Prover Algorithm• Executed by a user with secret keys for

25

How to Compose Them (& our Ideas)Verifier

• Verify Algorithm• Executed by authorities

26

Security AnalysisCollusion Attacks?

27

• From knowledge-soundness and• Binding Property of Commitment to

Security AnalysisAnonymity?

28

• From hiding property & WI under the mode

Conclusion

We proposed; • DMA-A-AUTH

• Decentralized Multi-authorityAnonymous Authentication Scheme

Our contribution is; • Authorities only have to generate digital signatures on

global digital ID• Non-interactive• Capable of preventing collusion attacks

29

?

? ?

=( , )CertificateAuthority

Thank you for your attention

Hiroaki Anada30

?

? ?

=( , )CertificateAuthority

Security AnalysisCollusion Attacks?

31

• Experiment captures;• Concurrent provers invoked by an adversarial A• Secret-Key Oracle (i.e. Collusion)

Security AnalysisAnonymity?

32

• Experiment captures;• Indistinguishability between two secret keys Indistinguishability between two identifiers