The 3rd IEEE International Workshop on Big Data and IoT Security in Smart Computing (BITS 2019)
co-held with The 5th IEEE International Conference on Smart Computing (SMARTCOMP 2019)
12 June 2019, Washington D.C., USA
Decentralized Multi-authority Anonymous Authentication
for Global Identities with Non-interactive Proofs
Hiroaki ANADA*1
*1: Dept. Information Security, University of Nagasaki, JAPAN
Table of Contents
Part I. Introduction
1. Motivation
2. Challenging Problem
Part II. Construction
1. Approach
2. Building blocks
3. How to compose them (& our Ideas)
4. Security Analysis on Collusion attacks
5. Security Analysis on Anonymity
Conclusion
Part I: Motivation
IoT with Cloud
• Access to Internet
• Delegation of computation
• Collaborative Service
• Key Technology of SMART CITY
INTERNET OF THINGS
Motivation
Collaborative Service: Example 1
Authenticate her single digital ID to generate additional value
Motivation
Collaborative Service: Example 2
Authenticate her single digital ID to generate additional value
29 Oct 2018
Motivation
What’s a problem?
• Privacy Issue
No ID information should be leaked!
Motivation
Decentralized Multi-authority Anonymous Authentication (DMA-A-AUTH)
• Anonymous protocol: not by pseudonym, but by unlinkable processes
Motivation
What’s a problem?
• The very anonymity causes a potential drawback: Collusion Attack
Motivation
So, our challenging problem is:
• Construct DMA-A-AUTH
• For global digital ID
  So that authorities only have to generate a digital signature on them
• Capable of preventing collusion attacks
Previous Work
1. DMA-ABS
• Decentralized Multi-authority Attribute-Based Signature Scheme
• State-of-the-art work; for example:
  [1] “Decentralized Attribute-Based Signatures”, Okamoto and Takashima, PKC 2013
But not for direct signing on global digital identifiers
Previous Work
2. DMA-A-AUTH w. Interactive Protocol
• Some papers:
  [2] “Anonymous Authentication Scheme with Decentralized Multi-Authorities”, Anada and Arita, BITS 2017
  [3] “Witness-Indistinguishable Arguments with ∑-Protocols for Bundled Witness Spaces and Its Application to Global Identities”, Anada and Arita, ICICS 2018
• Three-move protocol
Needs on-line interaction
Figure labels: Msg 1, Msg 2, Msg 3
Motivation
So, our challenging problem is:
• Construct DMA-A-AUTH
• For global digital ID
  So that authorities only have to generate a digital signature on them
• Non-interactive
• Capable of preventing collusion attacks
Part II. Construction
Approach
Language
What is a language?
• Language = a set of “statements”
• For ex., statement
• For ex., statement
• For ex., statement
•
• Relation
•
• Finding of should be hard, but verifying membership: “ ” should be easy
• is called a “witness” of
: “public parameter”
NP language
Approach
Language to capture our problem
• “Bundled product” of a language
• Why can “Bundled product” capture our problem?
• Because if we prove knowledge of such in WI way
  statement means: “I’m not colluding cheaters, but a single legitimate person”
Approach
Proof System for Language
• What is a proof system for ?
•
• P: a prover, V: a verifier
• Under a statement , P tries to convince a verifier V that P knows a witness of
• What are requirements for ?
  1. Completeness
  2. Soundness, or more strongly, Knowledge Soundness
  3. Zero-Knowledge, or more weakly, Witness-Indistinguishability (WI):
     If has plural witnesses: , then V cannot decide the one used by P
Building blocks
1. Proof System for Our language
• Groth-Sahai Proof System [4]
• Non-interactive
• Perfectly witness-indistinguishable (GS-NIWI)
• Using “bilinear groups”:
: cyclic groups, order
Bilinearity:
[4] “Efficient Non-interactive Proof Systems for Bilinear Groups”, Groth and Sahai, Eurocrypt 2008
Building blocks
2. Digital Signature Scheme
• For an authority to generate a signature on a global digital identity string of a user
Figure labels: gid, signature
Building blocks
Signature Scheme for Our Case
• Structure-preserving signature scheme (SPS) [5]
• A message is in one of the source groups ( )
• A signature is also in the same source groups ( )
• Suitable for GS-NIWI
• Because can be a witness to be proved
[5] “Structure-Preserving Signatures and Commitments to Group Elements”, Abe, Fuchsbauer, Groth, Haralambiev and Ohkubo, Crypto 2010
How to Compose Them (& our Ideas)
Language
• A statement is the equation:
  (Symbols in the boxes are unknown variables)
• Intuitively;
  : “I know one of the solutions which satisfy the equations for all simultaneously”
How to Compose Them
Setup
• Setting-up Public Parameter Algorithm
• Executed only once by a tentative central authority
• For example, by NIST
How to Compose Them
AuthKG
• Authority-Key Generator
• Executed by an authority with an index
How to Compose Them
SKG
• Secret-Key Generator for a user w. global digital id
• Executed by an authority with an index to issue a private secret-key for the user
How to Compose Them (& our Ideas)
Prover
• Prover Algorithm
• Executed by a user with secret keys for
How to Compose Them (& our Ideas)
Verifier
• Verify Algorithm
• Executed by authorities
Security Analysis
Collusion Attacks?
• From knowledge-soundness and
• Binding Property of Commitment to
Security Analysis
Anonymity?
• From hiding property & WI under the mode
Conclusion
We proposed:
• DMA-A-AUTH
  • Decentralized Multi-authority Anonymous Authentication Scheme
Our contribution is:
• Authorities only have to generate digital signatures on global digital ID
• Non-interactive
• Capable of preventing collusion attacks
Thank you for your attention
Hiroaki Anada
Security Analysis
Collusion Attacks?
• Experiment captures;
• Concurrent provers invoked by an adversarial A
• Secret-Key Oracle (i.e. Collusion)
Security Analysis
Anonymity?
• Experiment captures;
• Indistinguishability between two secret keys
  Indistinguishability between two identifiers