A Simple Traceable Pseudonym Certificate System for RSA- based PKI SCGroup Jinhae Kim

Post on 29-Jan-2016


Page 1: A Simple Traceable Pseudonym Certificate System for RSA-based PKI SCGroup Jinhae Kim

A Simple Traceable Pseudonym Certificate System for RSA-based PKI

SCGroup, Jinhae Kim

Page 2

Introduction

Digital certificate
– an authorized assertion about a public key
– Holder can prove the related ownership by using a corresponding private key
– The current PKI: privacy-intrusive
  • Can be linked and traced

Pseudonym certificate
– Identifiable by a pseudonym only
– Digital certificate contains the pseudonym as a subject identifier
– Can be used in anonymous transactions

Page 3

Building Blocks

– PKI
– RSA
– Pseudonym
– Blind signature
– Threshold cryptography
– X.509 certificate

Page 4

Basic Model

[Figure: Basic Model. Entities: User, CA, the pseudonym certificate issuer (PI) made up of an Anonymous Issuer (AI) and a Blind Issuer (BI), and service sites Site 1 … Site n. Numbered arrows 1–6 show the issuance message flow and arrows i–iv the certificate use, revocation and tracing flow described on the next page.]

Page 5

Basic Model – cont’d

I. User U holds a digital certificate issued by CA
   – Using a real identity
II. User can access service providers SPs
III. SP asks revocation of a certificate to PI
   – PI: pseudonym certificate issuer (AI and BI)
IV. AI and BI collaborate to link IDU and PNU
   – IDU: real identity of user U
   – PNU: pseudonym of user U

Page 6

Traceable Pseudonym Certificates

[Figure: field-by-field comparison of (a) an X.509 v3 certificate, (b) the pseudonym certificate skeleton issued by AI, and (c) the final traceable pseudonym certificate. A "*" marks a field left blank in the skeleton.]

Field                    | (a) X.509 v3 Certificate | (b) Pseudonym Certificate Skeleton | (c) Traceable Pseudonym Certificate
Version                  | Version                  | Version 3                          | Version 3
Serial Number            | Serial Number            | SN                                 | SN
Signature Algorithm ID   | Signature Algorithm ID   | RSA                                | RSA
Issuer Name              | Issuer Name              | PI                                 | PI
Validity Period          | Validity Period          | *                                  | Validity Period
Subject Name             | Subject Name             | *                                  | PN
Subject Public Key Info  | Subject Public Key Info  | *                                  | ppkU, SIGPN
Extensions               | Extensions               | Critical: (Ci), *                  | Critical: (C1, C2, …, Cm)

Page 7

Basic Protocol - I

Basic Assumption
– CA’s and PS’s authentic public keys are respectively available.
– User U holds a real identity certificate denoted by {IDU, pkU}SIGCA
– RSA private exponent d of PI is split into d1 for BI and d2 for AI (in case of a single BI)
  • AI can control and verify the contents of a pseudonym certificate
  • BI can verify the user’s real identity

Page 8

Basic Protocol - II

1. U → AI: Skeleton Request
   – Option: U can submit her basic information, so that AI can choose an appropriate BI
   – AI stores the certificate skeleton with index SN

2. AI → U: Certificate Skeleton
   – b ← <PNU, ppkU, SIGU>
   – M ← <b, (ci)>
   – h = H(M)
   – u = h · r^e mod N, r: random number (blinding factor)

3. U → BI: {IDU, pkU}SIGCA, {{u}SIGU, ρ}ENCBI
   BI:
   1. Verifies {IDU, pkU}SIGCA under pkCA
   2. Decrypts {{u}SIGU, ρ}ENCBI and verifies u under pkU
   3. Records <{u}ENCBI : IDU>
   4. Computes w = u^d1 mod N

Page 9

Basic Protocol - III

4. BI → U: {w}ENCAI, encrypted under ρ
   U:
   – Decrypts {w}ENCAI under ρ
   – Computes {{M}SIGPN, r, {w}ENCAI}ENCAI

5. U → AI: {{M}SIGPN, r, {w}ENCAI}ENCAI
   AI:
   1. Verifies {M}SIGPN under ppkU and compares it with the record stored under SN
   2. Computes z = w^d2 mod N
   3. Checks z · r^-1 mod N under <M, e, N>
   4. Records <PNU : {z}ENCAI>
   5. Sends z

6. AI → U: z
   U:
   4. Computes z · r^-1 mod N to recover h^d mod N
   5. Verifies h^d mod N under <M, e, N>
   6. Traceable pseudonym certificate: <M, h^d mod N>

Page 10

Pseudonym Revocation and Trace

SP asks revocation of a certain pseudonym to AI
– Submit the PNU to AI

AI retrieves <PNU : {z}ENCAI>
– Recover z and send it to BI

BI obtains the real identity IDU
– u = z^e mod N
– From <{u}ENCBI : IDU>, find IDU

Revoke all pseudonyms of a user U’
– BI retrieves all records <{u}ENCBI : IDU’>
– Sends u^d1 mod N to AI securely
– AI raises to d2 to get z and retrieves all pseudonyms of U’
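The issuance steps of Basic Protocol I–III and the trace of this page, as an added worked example that is not the slides' or the paper's code: a Python model of the blind RSA signature with the multiplicative split d = d1·d2 mod φ(N) implied by w = u^d1 and z = w^d2, using constructed toy primes and SHA-256 as H. The encryption layers (ENCBI, ENCAI, ρ), the certificate signatures SIGCA/SIGU/SIGPN and the SN index are assumed away; only the modular arithmetic that makes tracing work (z^e = u) is modelled.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key of the pseudonym issuer PI (NOT a secure size).
P, Q = 104729, 1299709
N, E = P * Q, 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)

def split_exponent(d, phi):
    """Split d multiplicatively, d = d1*d2 mod phi: BI holds d1, AI holds d2."""
    while True:
        d1 = secrets.randbelow(phi - 2) + 2
        if gcd(d1, phi) == 1:
            return d1, (d * pow(d1, -1, phi)) % phi

def H(M):
    """h = H(M): hash the certificate body into Z_N (textbook RSA, no padding)."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % N

def user_blind(M):
    """Step 2: U picks a random r and forms u = h * r^e mod N."""
    r = secrets.randbelow(N - 2) + 2
    return r, (H(M) * pow(r, E, N)) % N

def partial_sign(x, d_share):
    """BI computes w = u^d1 mod N (step 3), then AI computes z = w^d2 mod N (step 5)."""
    return pow(x, d_share, N)

def user_unblind(z, r):
    """Step 6 at U: z * r^-1 = h^d mod N is the PI signature on M."""
    return (z * pow(r, -1, N)) % N

def verify(M, sig):
    """Verify a signature under <M, e, N>; AI runs this check before sending z."""
    return pow(sig, E, N) == H(M)

def bi_trace(z, bi_records):
    """Trace: BI recomputes u = z^e mod N and looks up its <u : IDU> record."""
    return bi_records.get(pow(z, E, N))

def run_protocol(M, real_id="ID_U (constructed)"):
    """Issue a traceable pseudonym certificate on M, then trace it back to IDU."""
    d1, d2 = split_exponent(D, PHI)
    r, u = user_blind(M)
    bi_records = {u: real_id}                  # BI's record <{u}ENCBI : IDU>
    z = partial_sign(partial_sign(u, d1), d2)  # AI records <PNU : {z}ENCAI>
    sig = user_unblind(z, r)
    return verify(M, sig), bi_trace(z, bi_records)
```

Note that AI never sees u and BI never sees M, which is what keeps IDU and PNU unlinkable unless both collaborate; the lookup succeeds because z^e = h·r^e = u even though the user's r was never revealed to BI.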

Page 11

Extended Protocols

Threshold Schemes
– In case of multiple BI’s
– Apply an RSA (L, k)-threshold signature scheme

Re-blinding Variants
– Disable the tracing ability (e.g., e-voting)

Selective Credential Show
– User’s digital credential: <flag, ci, h(ci)>
  • Flag: 0 – mandatory, 1 – selective
  • h(ci): hash value of credential ci
– PI certifies every semi-record whose flag is 0 in full, but only the hashed value h(ci) for records whose flag is 1

Page 12

Conclusion

Can be used on existing PKIs without requiring additional crypto modules

Fully compatible with X.509 certificates

Simple and efficient with versatile privacy-enhancing features

Choice between traceability and absolute anonymity

Threshold variants for more secure applications

Page 13

References

Yongdae Kim, et al. “A Simple Traceable Pseudonym Certificate System for RSA-based PKI”

D. Chaum, “Security without identification: Transaction systems to make big brother obsolete,” Communications of the ACM, vol. 28, no. 10, pp. 1030–1044, Oct. 1985

X.509, “Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks,” ITU-T Recommendation X.509