Anonymous Credentials on a Standard Java Card

Presentation Transcript


  1. Anonymous Credentials on a Standard Java Card Thomas Gross Patrik Bichsel, Jan Camenisch, Victor Shoup IBM’s BlueZ Group for Strong Authentication joint work with supported by

  2. Overview • Introduction • Camenisch-Lysyanskaya Signatures • Problem Statement • Key Ideas • Results

  3. Example: Age Proof with Strong Privacy • Authorities • Identity Mixer Certificate: Address, DoB = 1980/12/01, Nr = 123456… • offline • Citizen • Service • Policy: Have an EID card AND Be older than 18. • Proof: “I’ve an EID card AND I’m older than 18.”

  4. Java Card* Limitations • 8-bit CPU (3.57 MHz) • Limited access to public key-CP (only standard RSA, DSA) • Limited RAM (2K) • *: JCOP 41/v2.2

  5. Basis: Camenisch-Lysyanskaya Signatures [Camenisch & Lysyanskaya ’01] • Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$ • Secret key: factors of $n$ • Signature of $L$ attributes $m_1, \ldots, m_L \in \{0,1\}^{\ell}$: $(c, e, s)$ • For random prime $e > 2^{\ell}$ and integer $s \approx n$, compute $c$ such that $d = a_1^{m_1} \cdots a_L^{m_L} b^{s} c^{e} \bmod n$ • Theorem: Signature scheme is secure against adaptively chosen message attacks under SRSA assumption. [SRSA: Barić & Pfitzmann '97 and Fujisaki & Okamoto '97]

  7. Basis: Camenisch-Lysyanskaya Signatures [Camenisch & Lysyanskaya ’01] • Signature of $L$ attributes $m_1, \ldots, m_L \in \{0,1\}^{\ell}$: $(c, e, s)$ • For random prime $e > 2^{\ell}$ and integer $s \approx n$, compute $c$ such that $d = a_1^{m_1} \cdots a_L^{m_L} b^{s} c^{e} \bmod n$ • Abstractly requires computation of: $A_1^{x_1} \cdots A_i^{x_i} \cdots A_L^{x_L} \bmod n$, where the $x_i$ correspond to attributes in the certificates and potentially $|x_i| > |n|$

  8. Problem Statement • Run anonymous credential system autonomously and securely on a standard off-the-shelf Java Card. • Autonomy: All data on card, Malicious terminal, Joint computation • Security: CL-Signatures, Realistic keys • Efficiency: Proof in seconds, Small keys, Wait minutes • [Independent result: Sterckx, Gierlichs, Preneel, Verbauwhede ’09] [Balasch ’02, Bichsel ’07, Danes ’07]

  9. Java Card Structure • IDMX Applet • Basic Ops • interface • Card Manager • Java Card API • Java Card VM • Card-Specific Operating System • 8-bit CPU • 3DES CP • Public Key CP • Source: Prof. Wolfgang Reif – chip cards

  10. Java Card Structure • modExp() → Adapt RSA key; RSAEnc() • IDMX Applet • Transient RSA • Basic Ops • RSA Enc • interface • Card Manager • Java Card API • Java Card VM • Card-Specific Operating System • 8-bit CPU • 3DES CP • Public Key CP • Source: Prof. Wolfgang Reif – chip cards

  11. (Ab-)Using Standard RSA Interface • Recall RSA Encryption: $m^e \bmod n$ (Limited size of $e$) • ModExp() with Big Exponents → Split exponents: $A_1^{x_1} A_2^{x_2} = A_1^{x_{11} + x_{12} \cdot 2^k} A_2^{x_{21} + x_{22} \cdot 2^k} \bmod n = A_1^{x_{11}} (A_1^{2^k})^{x_{12}} A_2^{x_{21}} (A_2^{2^k})^{x_{22}} \bmod n = A_1^{x_{11}} {A'_1}^{x_{12}} A_2^{x_{21}} {A'_2}^{x_{22}} \bmod n$ • ModMultiply(): RSA interface can only do exponentiation. Reduce multiply to modExp() by binomial formula: $A \cdot B = ((A+B)^2 - A^2 - B^2)/2 \bmod n$
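The two tricks on slide 11, as an added Python sketch that is not code from the presentation or the IDMX applet: `rsa_enc` stands in for the card's RSA encryption call, and the exponent limit `MAX_EXP_BITS`, the modulus `N_TOY` and all function names are assumptions made for illustration. It generalizes the slide's two-chunk split to exponents of any length.

```python
# Added illustration of slide 11; rsa_enc() simulates the only primitive
# the card exposes. MAX_EXP_BITS is an assumed limit, not a JCOP figure.
MAX_EXP_BITS = 16                    # assumed cap on the public exponent
K = MAX_EXP_BITS - 1                 # chunk width k, so that 2^k still fits
N_TOY = (2**61 - 1) * (2**89 - 1)    # constructed odd modulus (toy size)


def rsa_enc(m, e, n):
    """m^e mod n, refusing exponents the interface could not hold."""
    if not 0 < e < (1 << MAX_EXP_BITS):
        raise ValueError("exponent outside the range the interface accepts")
    return pow(m, e, n)


def mod_mul(a, b, n):
    """A*B mod n from three squarings: ((A+B)^2 - A^2 - B^2)/2 mod n."""
    t = (rsa_enc((a + b) % n, 2, n) - rsa_enc(a, 2, n) - rsa_enc(b, 2, n)) % n
    # t = 2AB mod n. n is odd, so an odd t becomes even after adding n,
    # and the halving is exact without computing a modular inverse.
    return (t + n) // 2 if t & 1 else t // 2


def mod_exp_big(base, x, n):
    """base^x mod n for x of any length, K exponent bits per rsa_enc call."""
    if x < 0:
        raise ValueError("negative exponents are not handled here")
    result, chunk_base = 1, base % n
    while x:
        chunk = x & ((1 << K) - 1)           # x_i1, x_i2, ... on the slide
        if chunk:
            result = mod_mul(result, rsa_enc(chunk_base, chunk, n), n)
        x >>= K
        if x:
            chunk_base = rsa_enc(chunk_base, 1 << K, n)   # A' = A^(2^k)
    return result


def multi_exp(bases, exponents, n):
    """A_1^x_1 * ... * A_L^x_L mod n, the product slide 7 asks for."""
    acc = 1
    for a, x in zip(bases, exponents):
        acc = mod_mul(acc, mod_exp_big(a, x, n), n)
    return acc
```

The exponents passed to `multi_exp` may be longer than the modulus, which is the case slide 7 flags with $|x_i| > |n|$.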

  12. Results • Anonymous credential system on standard Java Card • JCOP 41/v2.2 • Future: Java Card 3.0 standard • Attributes: Focus on proof of possession • rely on hardware tamper resistance for statement, and • detect / revoke broken cards. • Autonomous: secure in face of untrusted terminal • Efficient: 10 sec (at 1536 bits) • 7.5 sec pre-computation / 2.5 sec on-line

  13. BACKUP

  14. Detailed Performance Analysis: Modulus 1536 bit • Amortized Estimates over 1000 Ops, Upper Bound on Parameter Length, Percent Rounded Down

  15. Recall: The Strong RSA Assumption • Flexible RSA Problem: Given RSA modulus $n$ and $z \in QR_n$, find integers $e$ and $u$ such that $u^e = z \bmod n$ (Recall: $QR_n = \{x : \exists\, y \text{ s.t. } y^2 = x \bmod n\}$) • Introduced by Barić & Pfitzmann '97 and Fujisaki & Okamoto '97 • Hard in generic algorithm model [Damgård & Koprowski '01]

  16. Signature Scheme based on the SRSA I [Camenisch & Lysyanskaya ’02] • Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$ • Secret key: factors of $n$ • To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^{\ell}$: • choose random prime $e > 2^{\ell}$ and integer $s \approx n$ • compute $c$ such that $d = a_1^{m_1} \cdots a_k^{m_k} b^{s} c^{e} \bmod n$ • signature is $(c, e, s)$

  17. Signature Scheme based on the SRSA II • A signature $(c, e, s)$ on messages $m_1, \ldots, m_k$ is valid iff: • $m_1, \ldots, m_k \in \{0,1\}^{\ell}$ • $e > 2^{\ell}$ • $d = a_1^{m_1} \cdots a_k^{m_k} b^{s} c^{e} \bmod n$ • Theorem: Signature scheme is secure against adaptively chosen message attacks under SRSA assumption.

  18. Proof of Knowledge of a Signature • Observe: • Let $c' = c\, b^{s'} \bmod n$ with random $s'$ • then $d = {c'}^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s^*} \pmod n$, with $s^* = s - e s'$, i.e., $(c', e, s^*)$ is also a valid signature! • Therefore, to prove knowledge of signature on some $m$: • provide $c'$ • $PK\{(e, m_1, \ldots, m_k, s) : d := {c'}^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s} \wedge m_i \in \{0,1\}^{\ell} \wedge e \in 2^{\ell+1} \pm \{0,1\}^{\ell}\}$

  19. Proof of Knowledge of a Signature Using second Commitment • assume second group $n, a_i, b, n$ • 2nd commitment $C = a_1^{sk} b^{s^*}$ • To prove knowledge of signature on some $m$: • provide $c'$ • $PK\{(e, m_1, \ldots, m_k, s, s^*) : C = a_1^{m_1} b^{s^*} \wedge d := {c'}^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s}\}$
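Signing, verification and the randomization step from slides 16 to 18, as an added Python example that is not code from the presentation: the primes, bases, attribute length and function names are constructed toy values chosen for illustration and are far too small for real use. It needs Python 3.8 or later for modular inverses via `pow`.

```python
# Added illustration with constructed toy parameters (insecure sizes).
from math import gcd

P, Q = 23, 47                        # safe primes: 2*11+1 and 2*23+1
N, ORDER = P * Q, 11 * 23            # ORDER = |QR_N|, known only to the signer
ELL = 4                              # attribute bit length l
A = [pow(g, 2, N) for g in (2, 3)]   # a_1, a_2 in QR_N
B, D = pow(5, 2, N), pow(7, 2, N)    # b, d in QR_N


def commit(msgs, s):
    """a_1^m_1 * ... * a_k^m_k * b^s mod N; s may be negative."""
    acc = pow(B, s, N)
    for a, m in zip(A, msgs):
        acc = acc * pow(a, m, N) % N
    return acc


def sign(msgs, e, s):
    """Signer: c = (d / (a^m b^s))^(1/e) mod N, using the secret order."""
    if e <= 2 ** ELL or gcd(e, ORDER) != 1:
        raise ValueError("e must exceed 2^l and be invertible mod the order")
    target = D * pow(commit(msgs, s), -1, N) % N
    return pow(target, pow(e, -1, ORDER), N), e, s


def verify(msgs, sig):
    """The three validity conditions of slide 17."""
    c, e, s = sig
    return (all(0 <= m < 2 ** ELL for m in msgs) and e > 2 ** ELL
            and D == commit(msgs, s) * pow(c, e, N) % N)


def randomize(sig, s_prime):
    """Holder: c' = c * b^s' and s* = s - e*s', as observed on slide 18."""
    c, e, s = sig
    return c * pow(B, s_prime, N) % N, e, s - e * s_prime
```

The randomized triple verifies under the same public key because ${c'}^{e} = c^{e} b^{e s'}$, which the shift from $s$ to $s - e s'$ cancels.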