anonymous identification in ad hoc groups new york, ny, usaapril 6 th, 2004 yevgeniy dodis, antonio...
Post on 30-Dec-2015
223 Views
Preview:
TRANSCRIPT
Anonymous Identification in Ad Hoc Groups
New York, NY, USAApril 6th, 2004
Yevgeniy Dodis, Antonio Nicolosi, Victor Shoup{dodis,nicolosi,shoup}@cs.nyu.edu
New York University
Aggelos Kiayiasaggelos@cse.uconn.edu
University of Connecticut
April 6, 2004 Antonio Nicolosi — NYU 2
Enabling Privacy-Aware Access Control
• Want to control access to many objects– Each with its own set of authorized users
• For privacy concerns, users won’t reveal their identity when accessing an object
• Solution: – Have one ad hoc group for each object– To access an object, users anonymously
identify as members of corresponding group
April 6, 2004 Antonio Nicolosi — NYU 3
Example: Access-controlled Blog
• Alice is keeping a cool blog about her poems• Since she’s shy, she only wants her friends to
access it• But her friends are shy, too: • Maybe one of them is making too much
reading …
Solution: Ad Hoc Anonymous Identification scheme
April 6, 2004 Antonio Nicolosi — NYU 6
Anonymous Identification (cont’d)
• Alice cannot tell whom she is talking to– Even in the case of two sessions with
the same user (unlinkability)
April 6, 2004 Antonio Nicolosi — NYU 7
Ad Hoc Groups
“Structured” Groups vs.
• E.g. organizations
• Group Manager
• Users need a different key per group
Ad Hoc Groups
• E.g. poetry clubs
• No central authority
• Can use same key for multiple groups
April 6, 2004 Antonio Nicolosi — NYU 8
Ad Hoc Anonymous ID: Syntax
• Setup: system-wide initialization phase
• Register: per-user initialization– Each user picks a secret key/public key pair– Run only once, regardless of # groups user joins
• Make-GPK: combines a set of PKs into one GPK
• Make-GSK: combines a user’s SK with a set of PKs, yielding a single GSK
• Anon-ID: protocol between a group member (holding GSK) and a verifier (holding GPK)
April 6, 2004 Antonio Nicolosi — NYU 9
Ad Hoc Anonymous ID: Syntax (cont’d)
• Make-GPK (running time / to group size)
• Make-GSK (running time / to group size)
• Anon-ID (constant running time)
April 6, 2004 Antonio Nicolosi — NYU 10
Background: One-Way Functions
• At the core of all modern Cryptography– Several instances are widely accepted …– … but nobody knows if they exist (in
particular, cannot exist if P = NP)
• Family of functions easy to compute, but very hard to invert at a random point
x f(x)
easy
HARD
April 6, 2004 Antonio Nicolosi — NYU 11
Background: Accumulators
• Intuition: Secure Dictionary ADT– Element Insertion/Membership Testing
• Element Insertion– Adding to a set yields a different, larger set
– Adding to an accumulator yields a different value of the same size + a witness
April 6, 2004 Antonio Nicolosi — NYU 12
Background: Accumulators (cont’d)
• Membership Testing– Sets are transparent: anybody can
inspect their content
• … unless the proper witness is known
– Accumulators are opaque:• Infeasible to check for membership …
• Hard to compute “fake witness’’
April 6, 2004 Antonio Nicolosi — NYU 13
Constructing Ad Hoc Anonymous ID
• Make-GPK combines PKs by inserting them all into the accumulator
• Make-GSK runs as Make-GPK, but also keeps track of SK and of the witness for PK • In the Anon-ID protocol, the user proves that1. he knows the SK corresponding to
some PK2. PK has been added in the accumulator
• Register sets SK=random, PK=f( SK )
April 6, 2004 Antonio Nicolosi — NYU 14
Ad Hoc Anonymous ID: Variations
• Identity Escrow– To prevent abuse of anonymity,
possible to amend the scheme so that user identity can be recovered by a trusted party
• Supporting large ad hoc groups– If group changes, need to build new
value of GPK from scratch with Make-GPK
– But if changes are just user additions, can compute new GPK (and GSK) efficiently
April 6, 2004 Antonio Nicolosi — NYU 15
Summary• We propose a novel
cryptographic functionality (Ad Hoc Anonymous ID) enabling flexible, privacy-aware access control
• We discuss possible variations to handle identity escrow and growing ad hoc groups
• We design an instance based on a new tool (One-Way Accumulators), efficiently constructible based on standard assumptions
top related