Zero- Knowledge Proofs in Anonymous Creden6al Systems. Gergely Alpár October 21, 2011

Size: px

Start display at page:

Download "Zero- Knowledge Proofs in Anonymous Creden6al Systems. Gergely Alpár October 21, 2011"

Hugo Hall
5 years ago
Views:

1 Zero- Knowledge Proofs in Anonymous Creden6al Systems Gergely Alpár October 21, 2011

2 Waldo

3 Source: findwaldo.com // Department Store Idea: Moni Naor et al. How to Convince your children you are not chea6ng, 1999

5 ?

6 Overview Zero- knowledge proof of knowledge Signatures from ZK PK U- Prove Idemix Comparison

7 Schnorr iden6fica6on System parameters: (p, q, g) Public key: h g x (mod p) Prover Secret: x w 2 R Z q a := g w mod p r := c x + w mod q Complete Sound a c r Verifier! Commitment c 2 R {0, 1} Challenge! Verification: Response a =? g r h c (mod p)

8 From outside? (a, c, r)

9 Simula6on à Zero- knowledgeness Real communica6on Input: private key x Output: conversation (a, c, r) 1. w2 R Z q 2. a:= g w (mod p) a c2 R {0,1}! V 5. r:= w + cx (mod q) 6. Output: (a, c, r) Simulated communica6on Input: public key h Output: conversation (a, c, r) 1. c2 R {0, 1}; r 2 R Z q 2. a:= g r h c (mod p) a ĉ2 R {0,1}! V 5. If c 6= ĉ: RewindV Go to step Output: (a, c, r)

10 Schnorr iden6fica6on System parameters: (p, q, g) Public key: h g x (mod p) Prover Secret: x w 2 R Z q a := g w mod p r := c x + w mod q a c r Verifier! Commitment c 2 R Z q Challenge! Verification: Response a =? g r h c (mod p)

11 Schnorr iden6fica6on System parameters: (p, q, g) Public key: h g x (mod p) Prover Secret: x w 2 R Z q a := g w mod p r := c x + w mod q a c r Verifier! Commitment c 2 R Z q Challenge! Verification: Response a? = g r h c (mod p)

12 Schnorr iden6fica6on System parameters: (p, q, g) Public key: h g x (mod p) Prover Secret: x w 2 R Z q a := g w mod p r := c x + w mod q a c r Verifier! Commitment c 2 R Z q Challenge! Verification: Response a =? g r h c (mod p) PK{( ) :h g (mod p)}

13 Non- interac6ve Schnorr (Fiat- Shamir) System parameters: (p, q, g) Public key: h g x (mod p) Prover Secret: x Verifier w 2 R Z q a := g w mod p Commitment c := H(a) Challenge r := c x + w mod q a,r! Verification: Response c 0 := H(a) a? = g r h c0 (mod p) PK{( ) :h g (mod p)}

14 Schnorr signature (freshness) System parameters: (p, q, g) Public key: h g x (mod p) Prover Secret: x n Verifier w 2 R Z q n 2 R Z q a := g w mod p Commitment c := H(akn) Challenge r := c x + w mod q a,r! Verification: Response c 0 := H(akn) a? g r h c0 (mod p) SPK{( ) :h g (mod p)}(n)

15 Schnorr signature System parameters: (p, q, g) Public key: h g x (mod p) Message: m 2 Z q Prover Secret: x Verifier w 2 R Z q a := g w mod p Commitment c := H(akm) Challenge r := c x + w mod q a,r! Verification: Response c 0 := H(akm) a? = g r h c0 (mod p) SPK{ : h g (mod p)}(m)

16 Schnorr blind signature System parameters: (p, q, g) Public key: h g x (mod p) Signer Secret: x w 2 R Z q a := g w (mod p) r := c x + w (mod q) a c r Receipient!, 2 R Z q Commitment a 0 := a g h (mod p) c 0 := H(a 0 km) c := c 0 + (mod q) Challenge! a? g r h c (mod p) Response r 0 := r + (mod q) Signature: (c 0,r 0 ) Verification: c 0? = H(g r 0 h c0 km)

17 Schnorr blind signature System parameters: (p, q, g) Public key: h g x (mod p) Signer Secret: x w 2 R Z q a := g w (mod p) r := c x + w (mod q) a c r Receipient!, 2 R Z q Commitment a 0 := a g h (mod p) c 0 := H(a 0 km) c := c 0 + (mod q) Challenge! a? g r h c (mod p) Response r 0 := r + (mod q) Signature: (c 0,r 0 ) SPK{( ) :h g (mod p)}(m)

18 Brands issuing protocol (U- Prove) System parameters: (p, q, g, g 1 p g y 1,...,g l p g y l ) Issuer Secret: x, y 1,...,y l w 2 R Z q a := g w (mod p) r := c Public key: h g x (mod p) Attributes: x 1,...,x l x + P l 1 x iy i + w (mod q) Verification: c 0 a c r? = H h 0 kg r0 (h h 0 ) c0! h U := Y g x i i (mod p) User!,, 2 R Z q Commitment h 0 := g h U (mod p) c 0 := H(h 0 kg (h h U ) a) c := c 0 + (mod q) Challenge! a? g r (h h U ) c (mod p) Response r 0 := r + + c 0 (mod q) Signature: (c 0,r 0 ) on h 0

19 Brands issuing protocol (U- Prove) System parameters: (p, q, g, g 1 p g y 1,...,g l p g y l ) Issuer Secret: x, y 1,...,y l Public key: h g x (mod p) Attributes: x 1,...,x l! h U := Y g x i i (mod p) User w 2 R Z q a := g w (mod p) r := c x + P l 1 x iy i + w (mod q) a c r!,, 2 R Z q Commitment h 0 := g h U (mod p) c 0 := H(h 0 kg (h h U ) a) c := c 0 + (mod q) Challenge! a? g r (h h U ) c (mod p) Response r 0 := r + + c 0 (mod q) Signature: (c 0,r 0 ) on h 0 SPK{( ) :h g (mod p)}(,x 1,...,x l )

20 Brands showing protocol (U- Prove) System parameters: (p, q, g, g 1,...,g l ) Public key: h g x (mod p) Credential: (h 0, (c 0,r 0 )) User Secret:,x 1,...,x l Verifier 2 R Z q i 2 {1,...,l} : w i 2 R Z q a := g Q g w i i (mod p) r 0 := c + (mod q) r i := c x i + w i (mod q) PK{(,µ 1,...,µ l ):h 0 g a! Commitment c c 2 R Z q Challenge r 0,r 1,...,r l! Verification: Response a? g r0 Q g r i i h 0 c (mod p) ly 1 g µ i i (mod p)}

21 Brands showing: selec6ve disclosure System parameters: (p, q, g, g 1,...,g l ) Public key: h g x (mod p) Some attributes: x 1,x 2 Credential: (h 0, (c 0,r 0 )) User Secret:,x 3,...,x l Verifier 2 R Z q i 2 {1,...,l} : w i 2 R Z q a := g Ql 3 gw i i (mod p) r 0 := c + (mod q) r i := c x i + w i (mod q) PK{(,µ 3,...,µ l ): a! Commitment c c 2 R Z q Challenge r 0,r 3,...,r l! Verification: Response a? g r0 Ql 3 gr i i h 0 c (mod p) h 0 ly g x g g µ i 1 1 gx 2 i (mod p)} 2 3

22 CL issuing protocol (Idemix) * Issuer System parameters: (n, R 0,...,R l,s,z) Attributes: x 1,...,x l! R := ly 1 User Secret: p, q Secret: x 0 Random v 0 Random v 00 and prime e 1/e Z A := US Q v00 l 1 Rx i (mod n) i PK{( ):A ± Z US v00 Q l 1 Rx i i (mod n)} U, P K R x i i (mod n) U := S v0 R x 0 0 (mod n) PK{( 0,µ 0 ):U ±S 0 R µ 0 0 (mod n)} (A,e,v 00 ),P K! v := v 0 + v 00! (A, e, v) Z? A e S v Q l 0 Rx i i Plus: freshness with nonces! à SPKs * without intervals

23 Randomized CL- signature (A, e, v)! Z? A e S v ly Randomization: A 0 := A S r (mod n) 0 R x i i (mod n) v 0 := v + er ly ly A 0e S v0 R x i i A e S er S v S er R x i i 0 0 ly A e S v R x i i 0 Z (mod n)

24 CL showing protocol (Idemix) * System parameters: (n, R 0,...,R l,s,z) Attributes: x 1,...,x l! R := ly 1 R x i i (mod n) User Secret: x 0, (A, e, v) Random r! (A 0,e,v 0 ) PK{(", ˆ,µ 0 ):Z Q l 1 R x i i ±A 0" S ˆ R µ 0 0 (mod n)} A 0,PK! Verifier Verif. Plus: freshness with a nonce! à SPK * without intervals

25 CL showing: selec6ve disclosure * System parameters: (n, R 0,...,R l,s,z) Some attributes: x 1,x 2! R := R x 1 1 Rx 2 2 (mod n) User Secret: x 0,x 3,...x l, (A, e, v) Random r! (A 0,e,v 0 ) PK{(", ˆ,µ 0,µ 3,...,µ l ): Verifier Z R x 1 1 R x 2 2 ±A 0" S ˆ R µ 0 0 Q l 3 Rµ i i (mod n)} A 0,PK! Verif. Plus: freshness with a nonce! à SPK * without intervals

26 Similari6es Representa6on problem for signing mul6ple a_ributes Protec6ng anonymity Selec6ve disclosure Comparable efficiency l: # attributes d: # revealed attributes Step U-Prove Idemix Issuing credential # exponentation l +5 l +7 Selective disclosure # exponentations l d +1 l d +3

27 Differences Basic assump6on: DL vs. (strong) RSA Blind signature: only the secret key vs. a_ributes can be hidden from the issuer User s secret key used only once vs. always One- 6me showing vs. randomizable signature

Self-Scrambling Anonymizer. Overview

Self-Scrambling Anonymizer. Overview Financial Cryptography 2000 21-25 february 2000 - Anguilla Self-Scrambling Anonymizers Département d Informatique ENS - CNRS David.Pointcheval@ens.fr http://www.di.ens.fr/~pointche Overview Introduction