Selective Disclosure Credential Sets Jason E. Holt ([email protected]) Kent E. Seamons ([email protected]) ¤ Internet Security Research Lab Brigham Young University http://isrl.byu.edu/ Abstract We describe a credential system similar to the electronic cash system described by Chaum, Fiat and Naor. Our system uses bit commitments to create selective disclosure credentials which limit what portions of a credential the holder must reveal. We show how credentials from separate issuers can be linked to the same person in order to prevent users from pooling credentials to obtain services no one user could obtain alone. We also describe how to use a blinding technique described by Laurie which may not violate the patents on blind signatures. Keywords: digital credentials, selective disclosure, credential pooling, blind signatures. 1 Overview signed by the same issuer, and the documents in each column all share a common credential ID which Alice Alice wishes to obtain a service from Steve, a server. will use to prove to Steve that the documents in the Steve will only provide the service if Alice can demon- matrix belong together. To prove that she's honest, strate certain attributes about herself as attested by Alice includes information about certain columns of credential issuing authorities. Alice is willing to prove the matrix and sends the Credential Set Request to these attributes, but doesn't want Steve to get any each of the issuers of her credentials. Each issuer in- additional information about her, even if Steve works spects the request then blindly signs the unrevealed together with the credential issuers. Steve wants to columns of his row in the matrix. Alice then removes make sure that the attributes Alice displays all be- the blinding factors, leaving her with a valid set of long to the same person, and weren't accumulated by credentials (where each row constitutes an individual Alice and Bob pooling their credentials. credential). To this end, Alice ¯rst creates a Credential Set Re- Credentials in credential sets are built from selective- quest, which contains a matrix of blinded documents. disclosure certi¯cates. These are certi¯cates in which Each row of the matrix contains documents to be the normal attribute values have been replaced with a bit commitment of the true value. If Alice doesn't ¤With thanks to Adam Back, Stefan Brands, Ben Lau- choose to reveal the value of a selective disclosure rie, Hilarie Orman, Rich Schroeppel, Robert Sherwood, Mike ¯eld, Steve doesn't learn anything about that value. Stay, Ting Yu, sci.crypt and the Cypherpunks. This research But if she does choose to reveal such a ¯eld, Steve was supported by DARPA through AFRL contract number F33615-01-C-0336 and through Space and Naval Warfare Sys- can verify that she isn't lying about its value. tems Center San Diego grant number N66001-01-18908. 1 When Alice shows some subset of the credentials to server and issuer, and can transfer credentials is- Steve, Steve checks that all the IDs match, ensuring sued under one pseudonym to other pseudonyms they that all the credentials were in fact issued to the same hold. In his system, the exponent used in signing a person. Alice also reveals the preimages of the selec- pseudonym de¯nes the type and value of the creden- tive disclosure attributes in each credential which she tial. His system allows demonstration of mathemat- wishes to show to Steve. ical relationships between attributes (such as AND, OR and GREATER THAN). One awkward require- If Alice later shows credentials from the same set to ment of Chaum's proposal is that a trusted author- someone else, that person could collude with Steve ity is needed to facilitate the relationship between and determine that they both were dealing with issuers, users and servers. A particular server and is- the same person. Thus for maximum privacy Alice suer would have to establish a relationship with this should obtain many instances of her credential set, authority before users could even obtain credentials and use each instance in only one transaction. from the issuer to show to the server. Revocable anonynimity can optionally be obtained Brands[1, 2] presented a system with a raft of fea- by including a uniquely identifying document in the tures. His book describes how to use his credentials certi¯cate which can only be decrypted by the coop- to satisfy boolean expressions as in Chaum's system, eration of a quorum of auditing authorities. discourage lending of credentials, limit the number of times a credential may be shown, renew creden- tial certi¯cation anonymously, implement revocable 2 Related work anonymity, etc. Pages 193 and 210 describe a feature of his credentials which might allow an implementa- tion of pooling prevention as we describe. Brands Several types of credential schemes have been de- obtained several patents on his system. scribed in the literature. Some of them are, like our system, designed as equivalents to traditional creden- Camenisch and Lysyanskaya[3] proposed a system al- tials like driver's licences. Some are designed to al- lowing a credential to be shown multiple times with- low users to develop digital pseudonyms online, while out allowing showing instances to be linked. Their many others are aimed at providing the digital equiv- system focuses on limiting the information revealed alent of cash. to servers during the showing protocol rather than restricting what information the issuer gets during In 1988, Chaum, Fiat and Naor[5] developed a digital the signing process. Revocable anonymity is possi- cash system which uses blind signatures and the cut ble along with several other desirable features. Their and choose protocol in almost exactly the way our system provides many of the features of previous sys- system does, and de¯nes a matrix of values almost tems without using blinding a la Chaum, but relies identical to the certi¯cate matrix described in section heavily on proofs of knowledge like Brands' system. 4.1. Our credential sets could be considered a vari- Credentials are issued to a user relative to their pub- ant of their system accomodating selective disclosure lic key, so their system could also be used to prevent credentials, associating them with a single identity, users from pooling credentials. and optionally using a di®erent blinding technique. Chaum's blind signature techniques[7, 8] made it pos- sible to obtain a certi¯ed value from an issuer and show it to a server without the possibility of the 3 Preliminaries server and issuer correlating the issuing and show- ing events. In 1985, Chaum presented a credential This section establishes the primitives necessary to system based on blind signatures[6] in which users implement our system. Blind signatures and cut and establish a di®erent pseudonym with each potential choose are well known techniques. Laurie's blinding 2 technique and the form of selective disclosure cre- to do this is with the help of collision-resistant one- dentials presented here are relatively obscure, while way functions. Alice's commitment c is the output of noninteractive cut and choose is completely new, as a one-way function oneway() operating on her secret far as the authors are aware. value s and a random string r: 3.1 Credentials and Certi¯cates c = commit(s) = oneway(s : r) Our de¯nition of a certi¯cate is a document contain- (: denotes concatenation). Alice ¯rst sends c to Vic- ing various attributes and their values. Certi¯cates tor the veri¯er. If she chooses not to reveal the value, are issued by issuers (often called certi¯cate author- Victor can't determine what the value was. If she ities) to users (often called subjects). X.509v3 cer- does choose to reveal her secret, she sends Victor s ti¯cates have a number of standard ¯elds such as the and r, who runs them through oneway() and checks issuer and subject names, and \extensions" which can that the result equals c. If oneway() is collision- specify arbitrary other kinds of information about the resistant, Alice can't easily ¯nd any other values for user. s and r which will produce c as output. Brands[2] A user typically creates a certi¯cate to be signed, mentions this technique on pages 27 and 184 of his called a certi¯cate request, and sends it to the issuer. book. The issuer signs the request by hashing the document A normal certi¯cate can easily be made into a se- with a collision-resistant one-way function and sign- lective disclosure certi¯cate by replacing actual at- ing the hash with his private key. Later the user can tribute values with commitments to those values. show the signed certi¯cate to a veri¯er, who veri¯es Victor can verify that the certi¯cate is valid in the that the certi¯cate is valid. In an \on-line" system, usual way, but gains no information about the selec- this veri¯cation takes place with the help of a cen- tive disclosure values unless Alice reveals the value tral authority. In an \o®-line" system, the server can and random string used in the commitment function. verify a certi¯cate (or more generally, a credential) Selective disclosure credentials are even more power- without outside help. ful when used in conjunction with blind signatures. We use the term \credential" when we wish to speak If Izzy (a credential issuer) blindly signs a creden- of attribute demonstrating information in general. A tial for Alice, she can show it to Steve (a server who credential is something which establishes one or more provides a service after verifying a credential) with- attributes of its owner.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages13 Page
-
File Size-