
Privacy-Preserving Authentication: A Tutorial


Presentation Transcript


  1. Privacy-Preserving Authentication: A Tutorial Anna Lysyanskaya Brown University

  2. What is Authentication? Today’s news? projo.com Who are you? Do you have a subscription? It’s Bond. James Bond. Here’s my subscription.

  3. What is Authentication? Today’s news? projo.com Who are you? Do you have a subscription? It’s Bond. James Bond. Here’s my subscription. Identification Digital signature

  4. Signature Schemes

  5. Signature Schemes
     • Setup: I run a setup algorithm to obtain my public key PK and secret key SK

  6. Signature Schemes
     • Setup: I run a setup algorithm to obtain my public key PK and secret key SK
     • Now I can sign (using SK): Sign(SK,m) → σ (denoted σPK(m))
     • And you can verify it (using PK): Verify(PK,m,σ) → Yes/No

  7. Signature Schemes
     • Security: no adversary can forge a signature even after seeing sigs on messages of his choice
     [Figure: given PK, the adversary submits m1, m2, ... and receives σPK(m1), σPK(m2), ...; it then outputs m, σPK(m). Secure if this is unlikely.]

  8. History of Signature Schemes
     • 1970s: invention of PK crypto, DH, RSA, Lamport, Merkle
     • Definition & first provably secure construction: GMR84
     • Random-oracle-based constructions: Fiat-Shamir, Schnorr, GQ, Bellare-Rogaway, ...
     • Lattice-based [GGH97], NTRU
     • Minimal assumptions: Naor-Yung, Rompel (OWF)
     • Stateless and provably secure
       • under SRSA: Gennaro-Halevi-Rabin’99, Cramer-Shoup’99
       • under BDH: Boneh-Boyen [Eurocrypt 2004]
     • Other flavors: group sigs, blind sigs [Chaum]
     • This talk: signatures that allow you to prove that you have a signed document, efficiently, without revealing (too much) about the contents of the document [...,L02,CL04,CL05,...,BL12].

  9. Using Signature Schemes I am James Bond. Please give me a cert that I have a ProJo subscription. projo.com σ=σProJo(James Bond) PKProJo Certification authority (CA) Today’s news? Digital signature projo.com Let me check that you have a valid subscription. Who are you? Identification James Bond. My σ.

  10. Using Signature Schemes I am James Bond. Please give me a cert that I have a ProJo subscription. projo.com PKJB σ=σProJo(James Bond) PKProJo Certification authority (CA) Today’s news? Digital signature projo.com Let me check that you have a valid subscription. Who are you? PKJB Identification PKJB. My σ.

  11. That’s how authentication with identification is done. Why do you want to do it without? How do you do it without?

  12. Anonymous Access Today’s news? projo.com Who are you? Do you have a subscription? It’s Bond. James Bond. I can tell you, but then I’ll have to kill you...

  13. Anonymous Access Today’s news? projo.com Show me your subscription. Subscription #76590

  14. Anonymous Access Today’s news? projo.com Prove that you are authorized. Here is a zero-knowledge proof

  15. Zero-Knowledge Proof [GMR] Let L be a language. A zero-knowledge (ZK) proof system for L is a protocol between a prover P (can be computationally unbounded) and a verifier V (poly-time TM) such that:
     • (Completeness) For an x in L, P convinces V
     • (Soundness 1-ε) For any x not in L, no malicious P’ can cause V to accept with more than ε probability
     • (Zero-knowledge - informal) Everything V learns as a result of talking to P, he can learn without talking to P.

  16. Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges

  17. Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges

  18. Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges

  19. Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges

  20. Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges

  21. Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges

  22. Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges

  23. Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges

  24. Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges

  25. Example: The Set of 3-Colorable Graphs 1. Each vertex colored red, green or blue 2. No monochromatic edges

  26. Is every graph 3-colorable?

  27. Is every graph 3-colorable?

  28. Is every graph 3-colorable?

  29. Is every graph 3-colorable? No...

  30. ZK Proof of 3-Colorability

  31. ZK Proof of 3-Colorability You are just trying to trick me! This graph is not 3-colorable!

  32. ZK Proof of 3-Colorability You are just trying to trick me! This graph is not 3-colorable!

  33. ZK Proof of 3-Colorability You are just trying to trick me! This graph is not 3-colorable!

  34. ZK Proof of 3-Colorability

  35. ZK Proof of 3-Colorability

  36. ZK Proof of 3-Colorability

  37. ZK Proof of 3-Colorability

  38. ZK Proof of 3-Colorability If you’re cheating, I have 1 in 11 chance to catch you.

  39. ZK Proof of 3-Colorability I want better odds!

  40. ZK Proof of 3-Colorability

  41. ZK Proof of 3-Colorability

  42. ZK Proof of 3-Colorability

  43. ZK Proof of 3-Colorability

  44. ZK Proof of 3-Colorability

  45. ZK Proof of 3-Colorability

  46. ZK Proof of 3-Colorability

  47. ZK Proof of 3-Colorability If we repeat 100 times and you are lying, I’ll surely catch you! [GMW86]

  48. Zero-Knowledge: A Crash Course Theorem [GMW87]: every L in NP has a zero-knowledge proof system. Proof. Reduce the language at hand to graph 3-colorability (recall that 3-col is NP-complete). Use: Lemma: 3-colorability has a zero-knowledge proof system.

  49. Zero-Knowledge: A Crash Course Theorem [GMW]: every language in NP has a zero-knowledge proof system. Theorem [FLS]: every language in NP has a non-interactive ZK proof system (NIZK). ZK POK: a ZK proof of knowledge, i.e., V accepts if the prover knows a value that satisfies an NP relation, e.g. a valid 3-coloring of a graph.

  50. I need access to SIAM J on Computing, 17:2 Prove to me that you have a valid subscription! Sure! Here’s a zero-knowledge proof: ... Online library User Accessing a Resource PKJS
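The 3-colorability proof on slides 30–47 survives here only as slide titles, so the following is an added Python sketch of the standard commit-and-challenge round, not code from the presentation. The SHA-256 hash commitment, the 11-edge sample graph (chosen to match the "1 in 11" slide) and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

rng = secrets.SystemRandom()

# Constructed sample: an 11-edge graph (so one challenge catches a single bad
# edge with probability 1/11, as on the slide) and two colorings over {0,1,2}.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 0),
         (0, 2), (2, 4), (4, 0), (1, 3), (3, 5)]
GOOD = [0, 2, 1, 0, 2, 1]   # valid 3-coloring
BAD = [0, 2, 1, 0, 2, 2]    # exactly one monochromatic edge: (4, 5)

def digest(color, nonce):
    # Hash commitment (an assumption; the slides do not name a scheme).
    return hashlib.sha256(nonce + bytes([color])).digest()

def prover_commit(coloring):
    """Relabel colors with a fresh random permutation, then commit per vertex."""
    perm = rng.sample(range(3), 3)   # new relabeling every round hides the coloring
    openings = [(perm[c], secrets.token_bytes(16)) for c in coloring]
    commitments = [digest(c, n) for c, n in openings]
    return commitments, openings

def verifier_check(commitments, edge, open_u, open_v):
    """Accept iff both openings match their commitments and the colors differ."""
    for vertex, (color, nonce) in zip(edge, (open_u, open_v)):
        if color not in (0, 1, 2) or digest(color, nonce) != commitments[vertex]:
            return False
    return open_u[0] != open_v[0]

def run_round(edges, coloring):
    commitments, openings = prover_commit(coloring)   # prover moves first
    u, v = edge = rng.choice(edges)                   # then the verifier picks an edge
    return verifier_check(commitments, edge, openings[u], openings[v])

def run_protocol(edges, coloring, rounds):
    """True only if the prover passes every round."""
    return all(run_round(edges, coloring) for _ in range(rounds))

def cheat_survival_bound(num_edges, rounds):
    """Upper bound on a cheater passing every round: (1 - 1/|E|)^rounds."""
    return (1 - 1 / num_edges) ** rounds
```

With 11 edges and 100 rounds the bound is about 7 in 100,000, which is the quantitative content of the "repeat 100 times" slide. Only two vertices are opened per round and the colors are relabeled each time, so the verifier sees nothing beyond two distinct random colors.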
