© 2016 IBM Corporation
Cryptography 4 People
Jan Camenisch, Principal RSM; Member, IBM Academy of Technology; IBM Research – Zurich
@JanCamenisch | ibm.biz/jancamenisch
International Workshop on Inference & Privacy in a Hyperconnected World 2016
© 2016 IBM Corporation | Infer 2016 - Jan Camenisch - IBM Research - Zurich
Facts
• We increasingly conduct our daily tasks electronically, in an increasingly electronic environment, and ... are becoming increasingly vulnerable to cybercrimes.
• 33% of cyber crimes, including identity theft, take less time than making a cup of tea.
• 10 years ago, your identity information on the black market was worth $150. Today….
• $4'500'000'000: cost of identity theft worldwide
Houston, we have a problem!
“Buzz Aldrin's footprints are still up there” (Robin Wilton)
Computers don't forget
• Apps built to use & generate (too much) data
• Data is stored by default
• Data mining gets ever better
• New (ways of) businesses using personal data
• Humans forget most things too quickly
• Paper collects dust in drawers
Where's all my data?
The ways of data are hard to understand
• Devices, operating systems, & apps are getting more complex and intertwined
  – Mashups, ad networks
  – Machines virtual and configured in real time
  – Not visible to users, nor to experts
  – Data processing changes constantly
• IoT makes things harder still
  – unprotected networks
  – devices with low footprint
  – different operators
  – no or small UI
→ No control over data, and far too easy to lose them
The real problem
Applications are designed with the sandy beach in mind but are then built on the moon.
– Feature creep; security comes last, if at all
– Everyone can do apps and sell them
– Networks and systems are not (well) protected
Security & Privacy is not a lost cause!
We need a paradigm shift: build stuff for the moon rather than the sandy beach!
That means:
• Reveal only the minimal data necessary
• Encrypt every bit
• Attach usage policies to each bit
Cryptography can do that!
Cryptography to the Aid
Vehicle-to-vehicle/infrastructure/cloud communication
Secure communication requirements:
• Security: authenticate real vehicles to prevent an attacker from disrupting traffic
• Privacy: impossible to track individual vehicles
• V2V/V2I: high message frequency, low communication bandwidth
• V2Cloud: less resource-critical
Anonymous authentication with classical crypto
• Same signing key built into all vehicles
  – perfect privacy
  – bad security: key compromised → revoke all vehicles
• Same key in batches of vehicles
  – poor privacy: only anonymous within batch
  – poor security: only anonymous
• Online pseudonym authority
  – authority becomes security/efficiency bottleneck
  – vehicles have to store/fetch fresh pseudonyms
• Different signing key in each vehicle
  – good security
  – no privacy: vehicles traceable by their public keys
[Figure: the four Car2Car approaches plotted on security vs. privacy axes]
Privacy ABCs in V2V: privacy and security can co-exist
• Different key (“credential”) in each vehicle, can be individually revoked
• Offline authority (or multiple) can de-anonymize signatures
• Vehicles can locally self-certify pseudonyms
  – no server interaction needed
  – optionally limit number of pseudonyms per vehicle/day/...
• Big challenge: efficiency (signature size + computation)
[Figure: Privacy ABCs placed at optimal privacy and optimal security]
Privacy-ABCs / Identity Mixer
Privacy-protecting authentication with Privacy ABCs
Users' keys:
• One secret identity (secret key)
• Many public pseudonyms (public keys)
• Variation: domain pseudonym – unique per domain
→ use a different identity for each communication partner or even transaction
Privacy-protecting authentication with Privacy ABCs
Certified attributes from identity provider
• Issuing a credential
  Name = Alice Doe
  Birth date = April 3, 1997
Privacy-protecting authentication with Privacy ABCs
Certified attributes from purchasing department
• Issuing a credential
Privacy-protecting authentication with Privacy ABCs
“I wish to see Alice in Wonderland”
“You need:
- subscription
- be older than 12”
Privacy-protecting authentication with Privacy ABCs
Proving identity claims
• but does not send credentials
• only minimal disclosure
Proof: valid subscription; eID with age ≥ 12
Proving Identity Claims: Minimal Disclosure
Full verified ID: Alice Doe; Dec 12, 1998; Hauptstr. 7, Zurich; CH; single; Exp. Aug 4, 2018
Verified ID with minimal disclosure: Alice Doe; Age: 12+; Hauptstr 7, Zurich; CH; single; Exp. Valid
Privacy-protecting authentication with Privacy ABCs
“Aha, you are
- older than 12
- have a subscription”
Proving identity claims
• but does not send credential
• only minimal disclosure (public verification key of issuer)
Transaction is not linkable to any other of Alice's transactions!
Healthcare Use Case
Anonymous consultations with specialists
– online chat with a physician / online consultation with IBM Watson to check eligibility
Alice gets a health insurance credential from the Insurance.
1. Alice proves (to the health portal) that she has insurance
2. Alice describes symptoms
3. Alice gets a credential that she is allowed to get treatment
4. Alice gets treatment from physician, hospital, etc.
5. Alice sends the bill to the insurance and proves that she had gotten the necessary permission for the treatment.
Concept: Inspection
• If the car is broken: the ID with insurance needs to be retrieved
• Can verifiably encrypt any certified attribute (optional) towards a TTP
• The TTP is off-line & can be distributed to lessen trust
You might already have Identity Mixer on your devices
Identity Mixer (and related protocols) in standards
• TPM V1.2 (2004) and V2.0 (2015) call it Direct Anonymous Attestation
• FIDO Alliance authentication is standardizing this as well (with and without chip)
TPMs allow one to store the secret key in a secure place!
Unlinkable Identifiers for Databases [Camenisch Lehmann CCS' 15]
How to maintain related yet distributed data?
Example use case: social security system
• Different entities maintain data of citizens (Health Insurance, Hospital, Doctor A, Doctor B, Welfare Center, Tax Authority, Pension Fund)
• Eventually data needs to be exchanged or correlated
Many other use cases: IoT, Industry 4.0, home appliances, metering, ...
Globally Unique Identifier
• user data is associated with a globally unique identifier
  – e.g., social security number, insurance ID
• different entities can easily share & link related data records
Hospital's records: ID (Bob.0411, Carol.2503, Dave.1906) | Data
Doctor A's records: ID (Alice.1210, Bob.0411, Carol.2503) | Data
Example request between the two: “Record of Bob.0411?”
+ simple data exchange
– no control over data exchange
– if records are lost, pieces can be linked together
– data has high value → requires strong protection
Using Privacy-ABCs to derive Identifiers
• Use domain pseudonym
• Needs credential to ensure consistency
  – can also transfer attributes
  – proof of ownership of pseudonym
• Approach also works for IoT-collected data
  – authenticate data with pseudonym & credentials
Doctor A's records: ID (fadl039nd, d028naid8, 10nziadod) | Data
Hospital's records: ID (o1anlpzAd, Landi1nad, p1msLzna) | Data
+ control over data exchange
+ lost records cannot be linked together
– data exchange needs to involve the user
Local Pseudonyms & Trusted “Converter”
• central converter derives independent server-local identifiers from the unique identifier
• user data is associated with (unlinkable) server-local identifiers aka “pseudonyms”
• only the converter can link & convert pseudonyms
→ central hub for data exchange
Converter's table:
Main ID    | ID-A  | ID-H
Alice.1210 | Hba02 | 7twnG
Bob.0411   | P89dy | ML3m5
Carol.2503 | 912uj | sD7Ab
Dave.1906  | 5G3wx | y2B4m
Doctor A's records: ID (Hba02, P89dy, 912uj) | Data
Hospital's records: ID (ML3m5, sD7Ab, y2B4m) | Data
Example: Doctor A asks the converter “Record of P89dy from Hospital?”; the converter asks the Hospital “Record of ML3m5?”
+ control over data exchange
+ if records are lost, pieces cannot be linked together
– converter learns all requests & knows all correlations
(Un)linkable Pseudonyms | Pseudonym Generation
• converter & servers jointly derive pseudonyms from unique identifiers
  – servers do not learn unique identifiers, converter does not learn the pseudonyms
Example: the converter holds the Main IDs (Alice.1210, Bob.0411, Carol.2503, Dave.1906); the pseudonym for Bob.0411 @ Doctor A is P89dy, stored in Doctor A's records: ID (Hba02, P89dy, 912uj) | Data.
(Un)linkable Pseudonyms | Pseudonym Conversion
• converter & servers jointly derive pseudonyms from unique identifiers
  – servers do not learn unique identifiers, converter does not learn the pseudonyms
• only the converter can link & convert pseudonyms
  → but does so in a blind way
Example: Doctor A wants the “Record of P89dy at Hospital”. It sends the converter a blind conversion request; the converter performs the blind conversion and forwards it to the Hospital, which unblinds the conversion response into “Record of ML3m5?” and answers. Doctor A's records: ID (Hba02, P89dy, 912uj) | Data; Hospital's records: ID (ML3m5, sD7Ab, y2B4m) | Data.
(Un)linkable Pseudonyms | Security
+ control over data exchange
+ if records are lost, pieces cannot be linked together
+ converter does not learn pseudonyms in requests → cannot even tell if requests are for the same pseudonym
+ converter cannot link data itself
(Un)linkable Pseudonyms | Consistency
• pseudonyms are unique & consistent
  – generation is deterministic, injective and consistent with blind conversion
  – conversions are consistent and transitive
Example: Bob.0411 is P89dy at Doctor A and ML3m5 at the Hospital; converting P89dy for the Hospital yields ML3m5. With a third server, the Insurance (records: 6Wz6P, fX4o7, RtE14), both the Hospital's “Invoice for ML3m5” and Doctor A's “Invoice for P89dy” convert to “Invoice for RtE14” at the Insurance, which pays both ($$, $).
(Un)linkable Pseudonyms | Construction
• security formally defined in the Universal Composability (UC) framework
  – ideal functionality describing the optimal behaviour of such a system
  – converter and servers can be fully corrupt
• provably secure construction based on
  – homomorphic encryption scheme (ElGamal encryption)
  – verifiable pseudorandom function (Dodis-Yampolskiy PRF)
  – pseudorandom permutation (“lazy sampling”)
  – dual-mode and standard signature schemes (AGOT+, Schnorr signatures)
  – zero-knowledge proofs (Fiat-Shamir NIZKs with trapdoored ElGamal)
High-level Idea | Pseudonym Generation
• Converter X and server $S_A$ jointly compute a pseudonym $nym_{i,A}$ for user $uid_i$
X's input: unique user-id $uid_i$ and server ID $S_A$
X's keys: $k, sk_X$ and, for each server, $x_A, x_B, x_C, \ldots$; Server A's keys: $k_A, sk_A$
1) X computes the global core identifier using secret key $k$: $z_i \leftarrow PRF(k, uid_i)$
2) X computes the server-local “inner” pseudonym using the server-specific secret key $x_A$: $xnym_{i,A} \leftarrow z_i^{x_A}$, and sends $xnym_{i,A}$ to Server A
3) Server A computes the final pseudonym using its secret key $k_A$: $nym_{i,A} \leftarrow PRP(k_A, xnym_{i,A})$
High-level Idea | Pseudonym Conversion
• Server $S_A$ wishes to convert a pseudonym $nym_{i,A}$ for server $S_B$
$S_A$'s input: $nym_{i,A}, S_B, qid$
Keys: Converter X holds $k, sk_X$ and, for each server, $x_A, x_B, x_C, \ldots$; Server A holds $k_A, sk_A$; Server B holds $k_B, sk_B$
Recall $xnym_{i,A} = z_i^{x_A}$ and $xnym_{i,B} = z_i^{x_B}$, hence $xnym_{i,B} = xnym_{i,A}^{x_B / x_A}$; $nym_{i,A} = PRP(k_A, xnym_{i,A})$ and $nym_{i,B} = PRP(k_B, xnym_{i,B})$
Server A:
1) re-obtain $xnym_{i,A} \leftarrow PRP^{-1}(k_A, nym_{i,A})$
2) encrypt $xnym_{i,A}$ under $S_B$'s and Converter X's keys: $C \leftarrow Enc(pk_X, Enc(pk_B, xnym_{i,A}))$; send $(C, S_B, qid)$ to X
Converter X:
3) decrypt the first layer: $C' \leftarrow Dec(sk_X, C)$
4) blindly transform the encrypted pseudonym: $C'' \leftarrow C'^{\Delta}$ with $\Delta = x_B / x_A$; send $(C'', S_A, qid)$ to $S_B$
   $C'' = Enc(pk_B, xnym_{i,A})^{x_B / x_A} = Enc(pk_B, PRF(k, uid_i)^{x_A})^{x_B / x_A} = Enc(pk_B, PRF(k, uid_i)^{x_B}) = Enc(pk_B, xnym_{i,B})$
Server B:
5) decrypt the inner pseudonym: $xnym_{i,B} \leftarrow Dec(sk_B, C'')$
6) compute the final pseudonym: $nym_{i,B} \leftarrow PRP(k_B, xnym_{i,B})$
High-level Idea | Active Corruptions
Generation (Converter X → Server A): X computes $xnym_{i,A} \leftarrow PRF(k, uid_i)^{x_A}$ and sends $xnym_{i,A}$; Server A computes $nym_{i,A} \leftarrow PRP(k_A, xnym_{i,A})$
Conversion (Server A → Converter X → Server B): A sends $(C, S_B, qid)$ with $C \leftarrow Enc(pk_X, Enc(pk_B, xnym_{i,A}))$; X computes $C'' \leftarrow Dec(sk_X, C)^{x_B / x_A}$ and sends $(C'', S_A, qid)$; B computes $nym_{i,B} \leftarrow PRP(k_B, Dec(sk_B, C''))$
High-level Idea | Active Corruptions (Server)
• Ensure that servers can convert only their own pseudonyms
  → generation: “bind” pseudonym $nym_{i,A}$ to server $S_A$ via a server-specific signature
  → conversion: $S_A$ proves that $C$ contains a correctly signed pseudonym; the request becomes $(C, S_B, qid, \pi_A)$
• Challenge: how to sign pseudonyms in a blind conversion?
  → “dual-mode” signatures: a signature on a ciphertext that can be “decrypted” to a signature on the plaintext
High-level Idea | Active Corruptions (Converter)
• Ensure consistency of pseudonyms and conversions even in the presence of a corrupt converter
  → let converter X prove the correctness of its computations via NIZKs: generation sends $(xnym_{i,A}, \pi_{nym})$ to $S_A$; conversion forwards $(C'', C, \pi_A, \pi_X, S_A, qid)$ to $S_B$
• Pseudonym generation can be anonymous or not
  → non-anonymous: X additionally sends $uid_i$, so server $S_A$ can verify that $xnym_{i,A}$ was correctly derived from $uid_i$; this option is important for bootstrapping / migration
(Un)linkable Pseudonyms | Efficiency & Summary
Efficiency
– security against corrupt converter and corrupt servers:
  • generation (X + $S_A$): 15 exponentiations + 8 pairings
  • conversion (X + $S_A$ + $S_B$): 84 exponentiations + 30 pairings
– more efficient variant if the converter is honest-but-curious (but servers fully corrupt):
  • generation (X + $S_A$): 7 exponentiations
  • conversion (X + $S_A$ + $S_B$): 40 exponentiations + 16 pairings
(most exponentiations can be merged into multi-exponentiations)
(Un)linkable pseudonyms without a trusted converter
– unlinkable data storage with controlled data exchange
  • servers maintain data w.r.t. local, random-looking pseudonyms
  • pseudonyms can only be linked via a central converter
– conversions are done in a blind way → the converter need not be a trusted entity
– efficient and provably secure protocol
→ paradigm shift: unlinkable as default, linkable only when necessary
Further Research Needed!
• Securing the infrastructure & IoT
  – “ad-hoc” establishment of secure authentication and communication
  – audit-ability & privacy (where is my information, crime traces)
  – security services, e.g., better CA, oblivious TTPs, anon. routing, …
• Usability
  – HCI
  – Infrastructure (setup, use, changes by end users)
• Provably secure protocols
  – Properly modeling protocols (UC, realistic attack models, ...)
  – Verifiable security proofs
  – Retaining efficiency
• Quantum computers
  – Lots of new crypto needed still
  – Build apps algorithm-agnostic
• Towards a secure information society
  – Society gets shaped by quickly changing technology
  – Consequences are hard to grasp yet
  – We must inform and engage in a dialog
Conclusion
Let's engage in some rocket science!
• Much of the needed technology exists
• … we need to use it & build apps “for the moon”
• … and make apps usable & secure for end users
Thank you! Joint work w/ Maria Dubovitskaya, Anja Lehmann, Anna Lysyanskaya, Gregory Neven, and many many more.
[email protected] @JanCamenisch ibm.biz/jancamenisch