A Simple Traceable Pseudonym Certificate System for RSA-based PKI
SCGroup, Jinhae Kim
Introduction
Digital certificate
– An authorized assertion about a public key
– The holder can prove ownership by using the corresponding private key
– The current PKI is privacy-intrusive
  • Certificates can be linked and traced
Pseudonym certificate
– Identifiable by a pseudonym only
– The digital certificate contains the pseudonym as the subject identifier
– Can be used in anonymous transactions
Building Blocks
PKI
RSA
Pseudonym
Blind signature
Threshold cryptography
X.509 certificate
Basic Model
[Figure: Basic Model. Entities: User, CA, Site 1 … Site n (service providers), and the pseudonym certificate issuer PI, which consists of the Anonymous Issuer (AI) and the Blind Issuer (BI). Arrows are labelled 1–6 (the protocol messages) and i–iv (the model steps on the next slide).]
Basic Model – cont’d
I. User U holds a digital certificate issued by CA
   – Using a real identity
II. User can access service providers (SPs)
III. SP asks PI to revoke a certificate
   – PI: pseudonym certificate issuer (AI and BI)
IV. AI and BI collaborate to link IDU and PNU
   – IDU: real identity of user U
   – PNU: pseudonym of user U
Traceable Pseudonym Certificates
[Figure: three certificate layouts, field by field]
(a) X.509 v3 Certificate: Version | Serial Number | Signature Algorithm ID | Issuer Name | Validity Period | Subject Name | Subject Public Key Info. | Extensions
(b) Pseudonym Certificate Skeleton: Version 3 | SN | RSA | PI | * | * | * | Extensions – Critical: (Ci), *
(c) Traceable Pseudonym Certificate: Version 3 | SN | RSA | PI | Validity Period | PN | ppkU, SIGPN | Extensions – Critical: (C1, C2, … , Cm)
(* = field left blank in the skeleton)
Basic Protocol - I
Basic Assumptions
– CA’s and PI’s authentic public keys are respectively available
– User U holds a real identity certificate denoted by {IDU, pkU}SIGCA
– The RSA private exponent d of PI is split into d2 for AI and d1 for BI (in case of a single BI)
  • AI can control and verify the contents of a pseudonym certificate
  • BI can verify the user’s real identity
Basic Protocol - II
1. U → AI: Skeleton Request
   – Option: U can submit her basic information so that AI can choose an appropriate BI
   – AI stores the certificate skeleton with index SN
2. AI → U: Certificate Skeleton
   – b ← <PNU, ppkU, SIGU>
   – M ← <b, (ci)>, h = H(M), u = h · r^e mod N, r: random number (blinding factor)
3. U → BI: {IDU, pkU}SIGCA, {{u}SIGU, ρ}ENCBI
   1. BI verifies {IDU, pkU}SIGCA under pkCA
   2. Decrypts {{u}SIGU, ρ}ENCBI and verifies u under pkU
   3. Records < {u}ENCBI : IDU >
   4. Computes w = u^d1 mod N
Basic Protocol - III
4. BI → U: {w}ENCAI, encrypted under ρ
   – U decrypts {w}ENCAI under ρ
   – Computes {{M}SIGPN, r, {w}ENCAI}ENCAI
5. U → AI: {{M}SIGPN, r, {w}ENCAI}ENCAI
   – AI verifies {M}SIGPN under ppkU and compares it with the record stored under SN
   – Computes z = w^d2 mod N
   – Checks z · r^-1 mod N under <M, e, N>
   – Records <PNU : {z}ENCAI>
   – Sends z
6. AI → U: z
   4. U computes z · r^-1 mod N to recover h^d mod N
   5. Verifies h^d mod N under <M, e, N>
   6. Traceable pseudonym certificate: <M, h^d mod N>
Pseudonym Revocation and Trace
SP asks AI to revoke a certain pseudonym
– Submits the PNU to AI
AI retrieves <PNU : {z}ENCAI>
– Recovers z and sends it to BI
BI obtains the real identity IDU
– u = z^e mod N
– From < {u}ENCBI : IDU > BI can find IDU
Revoke all pseudonyms of a user U’
– BI retrieves all records < {u}ENCBI : IDU’ >
– Sends u^d1 mod N to AI securely
– AI raises it to d2 to get z and retrieves all pseudonyms of U’
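The issuance steps 2–6 of the basic protocol and the trace step of the revocation slide, as an added Python example that is not part of the slides or the paper; the toy primes, the share d1 = 3, SHA-256 as H, and the sample skeleton bytes are constructed assumptions.

```python
# Added example (not the slides' code): toy RSA run of the split-exponent blind
# issuance (Basic Protocol II/III) and the trace step; all values are constructed.
import hashlib
from math import gcd

P, Q = 1000000007, 998244353            # constructed toy primes, far too small for real use
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
D = pow(E, -1, PHI)                      # PI's full private exponent d

def split_exponent(d, phi, d1):
    """Multiplicative split d = d1 * d2 (mod phi): BI holds d1, AI holds d2."""
    assert gcd(d1, phi) == 1
    return d1, d * pow(d1, -1, phi) % phi

D1, D2 = split_exponent(D, PHI, 3)       # d1 = 3 is an arbitrary constructed share

def hash_to_int(m: bytes) -> int:
    """h = H(M) reduced into Z_N (SHA-256 stands in for the slides' unspecified H)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def user_blind(h, r):
    """Step 2 at U: u = h * r^e mod N; r is the user's secret blinding factor."""
    assert gcd(r, N) == 1
    return h * pow(r, E, N) % N

def bi_sign(u):
    """Step 3 at BI: w = u^d1 mod N (after checking the real-identity certificate)."""
    return pow(u, D1, N)
def ai_sign(w, r, h):
    """Step 5 at AI: z = w^d2 mod N, then check z * r^-1 is a valid signature on h."""
    z = pow(w, D2, N)
    assert pow(z * pow(r, -1, N) % N, E, N) == h
    return z

def user_unblind(z, r):
    """Step 6 at U: z = (h * r^e)^d = h^d * r, so z * r^-1 = h^d mod N."""
    return z * pow(r, -1, N) % N
def verify(h, s):
    """Anyone: s^e == h mod N under PI's public key <e, N>."""
    return pow(s, E, N) == h
def trace(z):
    """Revocation: BI recovers u = z^e mod N and looks it up in < {u}ENCBI : IDU >."""
    return pow(z, E, N)

def run_protocol(m: bytes, r: int):
    """U / BI / AI steps for skeleton bytes m and blinding factor r; returns (h, u, z, s)."""
    h = hash_to_int(m)
    u = user_blind(h, r)
    z = ai_sign(bi_sign(u), r, h)
    return h, u, z, user_unblind(z, r)
```

Note that BI only ever sees the blinded value u, yet the trace step recovers exactly that u from the z that AI stored, which is what links PNU back to IDU.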
Extended Protocols
Threshold Schemes
– In case of multiple BI’s
– Apply an RSA (L, k)-threshold signature scheme
Re-blinding Variants
– Disable the tracing ability (e.g., e-voting)
Selective Credential Show
– User’s digital credential: <flag, ci, h(ci)>
  • Flag: 0 – mandatory, 1 – selective
  • h(ci): hash value of credential ci
– PI should certify all semi-records whose flag is 0, but only a hashed value for those whose flag is 1
Conclusion
Can be used on existing PKIs without requiring additional crypto modules
Fully compatible with X.509 certificates
Simple and efficient with versatile privacy-enhancing features
Choice between traceability and absolute anonymity
Threshold variants for more secure applications
References
Yongdae Kim, et al. “A Simple Traceable Pseudonym Certificate System for RSA-based PKI”
D. Chaum, “Security without identification: Transactions systems to make big brother obsolete,” Communications of the ACM, vol. 28, no. 10, pp. 1035-1044
X.509, “Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks,” ITU-T Recommendation X.509