1 / 29

Self-Blindable Credential Certificates from the Weil Pairing Eric R. Verheul

Self-Blindable Credential Certificates from the Weil Pairing Eric R. Verheul. April 9, 2004 SCLab Jinhae Kim. Introduction I. What is pseudonym ? A unique identifier by which a user is known by a certain party. Same user, different pseudonym.

cloris
Download Presentation

Self-Blindable Credential Certificates from the Weil Pairing Eric R. Verheul

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Self-Blindable Credential Certificates from the Weil PairingEric R. Verheul April 9, 2004 SCLab Jinhae Kim

  2. Introduction I • What is pseudonym? • A unique identifier by which a user is known by a certain party. Same user, different pseudonym. • A pseudonymous certificate binds a user’s pseudonym to his public key. • A credential is a trust provider’s statement about the user. • Example: “lives in MN”, “has a PhD in CS” • single-use/multiple-use

  3. Introduction II • Credential pseudonymous certificates (CPCs) • Digital certificates that bind credentials to users. • In Chaum’s1 model • Pseudonyms are unlinkable. • parties that know a user by different pseudonyms must not have the ability to combine their logs. • CPCs must be translatable. • CPC A: “p1 is in good health.” • A is issued by Dr. Yongdae under p1. • Jinhae (owner of p1) presents A to insurance company under p2. • D. Chaum, Security Without Identification: Transaction Systems to Make Big Brother Obsolete, Communications of the ACM, 1985

  4. Security Requirement • Protection against pseudonym/credential forgery. • Protection against pseudonym/credential sharing. • smartcard based passports • better solution: all-or-nothing • Problems? • Revocation of pseudonymous certificates and credentials.

  5. Building Blocks I • Diffie-Hellman (DH) problem • generator g of a group G of (prime) order q. • DHg(gx, gy) = gxy • Decision Diffie-Hellman (DDH) problem • given a, b, c G decide whether c =DHg(a, b) • An alternative formulation of DDH: • given g, gx, h, hy in group G decide whether x = y. • hy =DHg(gx, h) (suppose h = ga, then gay = gax) • Group in which the DDH problem is simple and DH, DL are hard.

  6. Building Blocks II • Elliptic Curve Cryptography1 (ECC) • EC can provide versions of PK methods • In some case, EC is faster and use smaller key. • Addition in EC is same as multiplication in Zp* ref) a, b, c  Zp* X, Y are points on an elliptic curve and αis constant. 1. David Jablon, Elliptic Curve Cryptography, http://world.std.com/dpj/elliptic.html

  7. Building Block III • DDH in ECC • <P> is a group of (prime) order q on the curve. • A, B, Cis an instance of the DDH problem with respect to P. • C = DHP(A,B) iff eq(A, D(B)) = eq(P, D(C)) • D(.) is the distortion map, and eq(., .) is the Weil pairing. • Bilinear Map • B(gx, gy) = B(g, g)xy (= B(g, gxy)) (DDH is solved!) • In ECC: B(aP, bP) = ab B(P, P) (= B(P, abP))

  8. The ‘Proofless’ Variant of the Chaum-Pedersen Scheme1 • A group, G, of prime order q, with generator g. • the DDH problem is simple, while the DL and the DH problems are practically intractable. • the Chaum-Pedersen scheme • The public key is y = gx, where 0 ≤ x < q. • A signature on a message m ∈ G • z = mx(plus a proof that logg(y) = logm(z)). • Can verify logg(y) = logm(z) iff z= DHg(m, y). • D. Chaum, T.P. Pedersen, Wallet Databases with Observers, Proceedings of • Crypto’92

  9. The variant of C-P scheme II • Signature z = mx is self-blindable. • Without knowing of the signing key x, one can make another signature zk= (mk)x. • Easy blinding property. • Message (typically a hash), M • public keyof signing party gx • Ask to sign Mr, for 0 ≤ r < q, resulting in Mrx.

  10. Self-blindable Certificates • Terminology for Self-blindablecertificates • U : collection of all possible public keys. • T: collection of all verification public keys of TP. • C : collection of all possible certificates. • Credential on a user public key PU ∈ U • {PU, Sig(PU, ST)}, STis private signing key of TP. • Accompanied by a higher-level certificate • Cert(PU,“Trust statement”) • Standard X.509 certificate with the “Trust statement” in one of its extension field.

  11. Self-blindable Certificates II • The certificates are called self-blindable, if: • There exists a set transformation factor space F. • An efficiently computable transformation map • D:C ×F → C • Properties • For any certificate C ∈ Cand f ∈ Fthe certificate D(C, f) is signed with • the same trust provider public key as C. • Let C1, C2 be certificates and f ∈ Fknown. If C2 = D(C1, f) then one can • efficiently compute a transformation factor f΄∈ Fsuch that C1 = D(C2, f΄). • If C1, C2 ∈ Care two different certificates on the same user public key, • then so are D(C1, f) and D(C2, f). • LetPUis user public key, f ∈ Fis known. Then, a user possesses the • private key of PUiff it possesses the private key of D(PU, f). • If the user’s public key PU ∈ Uis fixed and if f ∈ Fis a uniformly random • element in F, then D(PU, f) is a uniformly random element in U.

  12. CPC System • pseudonymous credential • {PU, [Sig(PU, SN), Cert(PN, “PP statement”)]} • PU : the public key of the user. • Sig(PU, SN) : a signature of the pseudonym provider(PP). • Cert(PN, “PP statement”) : a (conventional) certificate on the public verification key of the PP. • With a statement on its applicability included among the usual fields (e.g., expiration date). • The pseudonym of a user is in fact the user’s public key in its certificate.

  13. CPC System II • Generation of a new Pseudonymous certificate. • By choosing a (random) factor and transforming an initially issued pseudonymous certificate. • Credential Pseudonymous Certificate • Based on Pseudonymous Credential • {PU, [Sig(PU, SN), Cert(PN, “PP statement”)], [Sig(PU, SC), Cert(PC, “CP statement”)]+}. • 2nd line: credential field. • Sig(PU, SC) : A signature of the credential provider (CP). • In CP statement: a statement on its credential applicability (e.g., “is over 18 years old”).

  14. Overview of System Description

  15. High-level System Description • Initial Registration. • The user registers, typically in a non-anonymous fashion, with a pseudonym provider. • After registration a First Pseudonymous Certificate (FPC) is issued. • The pseudonym provider puts the FPC in a public directory. • When unique pseudonyms are required, the provider has the option to maintain a private list of physical persons that were issued a pseudonymous certificate.

  16. System Description II • Credential Issuance. • Transforms its FPC into a random pseudonymous certificates (RPC) by using a random transformation factor. • Registers with a CP using this RPC which includes a proof of possession of the private key. • This registration need not be anonymous. The user does what is required to obtain a credential (e.g., takes a driver’s exam, shows other credentials). • Up-on succeeding, the user is issued a credential on the RPC, that is the CPC. • The pseudonym provider has the option to put the CPC in a public directory.

  17. System Description III • Credential Use. • The user registers (typically anonymously) with a service provider using a new RPC. • If I can make an RPC with my FPC, how about others? • The user combines all of the CPCs relating to credentials required by the SP into one CPC under the registered pseudonym. • The second invert transformation property on the transformation factors related with the individual, original CPCs. • A CPC is first translated to the First Pseudonym and then translated to the registered pseudonym. • This certificate is presented to the SP, together with a proof of possession of the private key referenced in this CPC.

  18. System Description IV • Credential Use II • Double spend checking • SP has the option to require that the user contact a specific trust provider (unicity provider). • The user sends this trust provider the transformation factor(s), transforming the new RPC to the FPC. • The trust provider validates that these factor(s) transform the RPC into a FPC on the PP’s directory, and that this FPC was not registered before. - problems? • Note 1: PP directory does not specify user identities, only FPCs, • Note 2: the specific trust provider need not be the user’s pseudonym provider.

  19. System Description V • TP can link two different pseudonyms of a user. • During registration, PP and the user (U) exchange a secret, S. • If a trust provider (T) wants to provide assurance on unique pseudonyms, then PPis provided a list consisting of transformed FPCs, in such a way that: • U’s FPC is transformed using a transformation factor f: • f = H (T, S) (H: secure hash function) • the order of the FPCs is randomly permuted.

  20. Revocation of Certificate Bases • 1st Method: Pro-active • Let the trust providers employ signing keys with a short expiration time (e.g., a week). • If a pseudonymous certificate/credential has not been revoked, then the trust provider automatically updates the certificates/credentials in its directory with newly signed ones. • A user can collect the updated pseudonymous certificates/credentials, preferably via an anonymous channel.

  21. Revocation II • 2nd Method: using the flexible secret sharing technique • To trust provider, send along specific transformation factors with a (credential) pseudonymous certificate. • TP can retrieve the original issued (credential) pseudonymous certificates and find out if they have been revoked. • The trust provider then provides a statement on the status of the (credential) pseudonymous certificate to the service provider. • The service provider still needs to verify that the user is in possession of the private key referenced in the used randomized CPC.

  22. A Simple Construction for CPCs • G = <g>be a group of prime order q • The set Tof all trust provider’s public keys takes the form j, js(0 ≤ s < q; private key). • Uconsists of elements of the form gx. (0 < x < q; user’s private keys). • A certificate issued by a trust provider with public key h, hzon a user public key gx : • {gx, gxz}. • The transformation D:C ×F → C • ({X, Y }, f) → {Xf, Yf} • the certificate {gx, gxz}is transformed to the certificate {gxf, gxfz}under factor f.

  23. A Simple Construction II • The user registers, typically in a non-anonymous fashion, with a pseudonym provider. • The PP generates a random 0 < x < q • forms the user public key gxand the certificate {gx, gxz}. • All information is put on a tamper resistant signing device. • Private key information of (transformed) certificates can be used but not retrieved. • The secure signing device is handed over to the user in a secure fashion.

  24. A more robust construction • G = <g>be a group of prime order q • There exists embedding E(.) from Ginto a group G΄where all three problems are practically intractable. • The set Tof all trust provider’s public keys takes the form j, js(0 ≤ s < q; private key). • PP publishes a certified pair (r , s) = (r , rf) • r , s∈ G, 0 < f < qunknown by all parties. • Uconsists of elements of the form g1, g2, g1x1 , g2x2. • 0 < x1, x2 < q, • g1 is random generator and logg1(g2) = f

  25. A more robust construction II • The certificate with public key h, hzon a user’s public key g1, g2, g1x1g2x2 : • {g1, g2, g1x1g2x2,(g1x1g2x2)z}. • The transformation D:C ×F → C • ({X, Y, W, Z }, (k, l)) → {Xl, Yl , Wkl, Zkl} • the certificate {g1, g2, g1x1g2x2,(g1x1g2x2)z}is transformed to the certificate {g1l, g2l, g1x1klg2x2kl,(g1x1klg2x2kl)z}under factor (k, l).

  26. A more robust construction III • The user registers, typically in a non-anonymous fashion, with a PP. • PP generates a random pair (g1, g2) • g2 = g1f (random power of the elements r , s). • The pair (g1, g2) is sent to the user or a smart card issuer. • The user generates a random private key 0 ≤ x < qand forms g2x . • Sends g2x and proves possession of the private key x • PP forms the public key g1, g2, g1g2x • Places a Chaum-Pedersen signature on it, i.e., (g1g2x)z. • Employs the embedding E : G → G΄ • Determines the elements E(g2), E(g2x) of the group G΄. • Determines a random power rof these elements, i.e., E(g2)r, E(g2x)r. • Forms a conventional non-repudiation certificate on (E(g2)r, E(g2x)r). • The first pseudonymous certificate and the non-repudiation certificate are issued to the user. Both are also stored in separate directories.

  27. A more robust construction IV • The characteristic of embedding E(.) • Homomorphism: The signing key of E(g2x )r is x. • One-way function: Hard to get g2r, g2xr from E(g2)r, E(g2x)r. • It would be impossible to relate E(g2), E(g2x) (deducible from FPC) to E(g2)r, E(g2x)r (deducible from the non-repudiation certificate). (DDH is hard in G΄)

  28. Protection against Pseudonym/credential forgery • Based on an all-or-nothing concept. • The private key in a transformed credential takes the form (k, k · xmod q) for some 0 < k < q. • Dividing the second part by the first part yields the user’s non-repudiation key x. • If the user transfers a credential, then it also transfers a copy of its non-repudiation signing key.

  29. Conclusion • Anonymity without the need for a trusted third party. • This system is based on a new paradigm, self-blindable certificates • Certificates were constructed using the Weil pairing in supersingular elliptic curves • A robust system provides cryptographic protection against the forgery and transfer of credentials

More Related