Anonymous identification in ad hoc groups
1 / 16

Anonymous Identification in Ad Hoc Groups - PowerPoint PPT Presentation

  • Uploaded on

Anonymous Identification in Ad Hoc Groups. Yevgeniy Dodis, Antonio Nicolosi , Victor Shoup {dodis, nicolosi ,[email protected] New York University. Aggelos Kiayias [email protected] University of Connecticut. April 6 th , 2004. New York, NY, USA.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Anonymous Identification in Ad Hoc Groups' - zephr-cochran

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Anonymous identification in ad hoc groups

Anonymous Identification in Ad Hoc Groups

Yevgeniy Dodis, Antonio Nicolosi, Victor Shoup

{dodis,nicolosi,[email protected]

New York University

Aggelos Kiayias

[email protected]

University of Connecticut

April 6th, 2004

New York, NY, USA

Enabling privacy aware access control
Enabling Privacy-Aware Access Control

  • Want to control access to many objects

    • Each with its own set of authorized users

  • For privacy concerns, users won’t reveal their identity when accessing an object

  • Solution:

    • Have one ad hoc group for each object

    • To access an object, users anonymously identify as members of corresponding group

Antonio Nicolosi — NYU

Example access controlled blog
Example: Access-controlled Blog

  • Alice is keeping a cool blog about her poems

  • Since she’s shy, she only wants her friends to access it

  • But her friends are shy, too:

    • Maybe one of them is making too much reading …

 Solution: Ad Hoc Anonymous Identification scheme

Antonio Nicolosi — NYU

Identification schemes
Identification Schemes

Antonio Nicolosi — NYU

Anonymous identification
Anonymous Identification

Antonio Nicolosi — NYU

Anonymous identification cont d
Anonymous Identification (cont’d)

  • Alice cannot tell whom she is talking to

    • Even in the case of two sessions with the same user (unlinkability)

Antonio Nicolosi — NYU

Ad hoc groups

“Structured” Groupsvs.

E.g. organizations

Group Manager

Users need a different key per group

Ad Hoc Groups

  • Ad Hoc Groups

  • E.g. poetry clubs

  • No central authority

  • Can use same key for multiple groups

Antonio Nicolosi — NYU

Ad hoc anonymous id syntax
Ad Hoc Anonymous ID: Syntax

  • Setup: system-wide initialization phase

  • Register: per-user initialization

    • Each user picks a secret key/public key pair

    • Run only once, regardless of # groups user joins

  • Make-GPK: combines a set of PKs into one GPK

  • Make-GSK: combines a user’s SK with a set of PKs, yielding a single GSK

  • Anon-ID: protocol between a group member (holding GSK) and a verifier (holding GPK)

Antonio Nicolosi — NYU

Ad hoc anonymous id syntax cont d
Ad Hoc Anonymous ID: Syntax (cont’d)

  • Make-GPK (running time / to group size)

  • Make-GSK (running time / to group size)

  • Anon-ID (constant running time)

Antonio Nicolosi — NYU

Background one way functions
Background: One-Way Functions

  • At the core of all modern Cryptography

    • Several instances are widely accepted …

    • … but nobody knows if they exist (in particular, cannot exist if P = NP)

  • Family of functions easy to compute, but very hard to invert at a random point





Antonio Nicolosi — NYU

Background accumulators
Background: Accumulators

  • Intuition: Secure Dictionary ADT

    • Element Insertion/Membership Testing

  • Element Insertion

    • Adding to a set yields a different, larger set

  • Adding to an accumulator yields a different value of the same size + a witness

Antonio Nicolosi — NYU

Background accumulators cont d
Background: Accumulators (cont’d)

  • Membership Testing

    • Sets are transparent: anybody can inspect their content

  • Accumulators are opaque:

    • Infeasible to check for membership …

  • … unless the proper witness is known

  • Hard to compute “fake witness’’

Antonio Nicolosi — NYU

Constructing ad hoc anonymous id
Constructing Ad Hoc Anonymous ID

  • Register sets SK=random, PK=f( SK )

  • Make-GPK combines PKs by inserting them all into the accumulator

  • Make-GSK runs as Make-GPK, but also keeps track of SK and of the witness for PK

  • In the Anon-ID protocol, the user proves that

    • he knows the SK corresponding to some PK

    • PK has been added in the accumulator

Antonio Nicolosi — NYU

Ad hoc anonymous id variations
Ad Hoc Anonymous ID: Variations

  • Identity Escrow

    • To prevent abuse of anonymity, possible to amend the scheme so that user identity can be recovered by a trusted party

  • Supporting large ad hoc groups

    • If group changes, need to build new value of GPK from scratch with Make-GPK

    • But if changes are just user additions, can compute new GPK (and GSK) efficiently

Antonio Nicolosi — NYU


  • We design an instance based on a new tool (One-Way Accumulators), efficiently constructible based on standard assumptions

  • We discuss possible variations to handle identity escrow and growingad hoc groups


Antonio Nicolosi — NYU

Any questions?

Thank you!

Antonio Nicolosi — NYU