ccs’09: smart identity card - thomas gross

IBM Research, Zurich 11/12/2009 | ACM CCS 2009 © 2009 IBM Corporation Anonymous Credentials on a Standard Java Card Thomas Gross Patrik Bichsel, Jan Camenisch, Victor Shoup IBM’s BlueZ Group for Strong Authentication joint work with supported by


DESCRIPTION

How to realize an anonymous credential system on a standard Java Card, with strong key sizes (e.g., 1536 RSA) and online transaction time < 3s.

TRANSCRIPT


Overview

Introduction

Camenisch-Lysyanskaya Signatures

Problem Statement

Key Ideas

Results

Example: Age Proof with Strong Privacy

Parties in the diagram: Authorities, Citizen, Service

Policy: Have an EID card AND be older than 18

Proof: "I've an EID card AND I'm older than 18"

Identity Mixer Certificate: Address, DoB = 19801201, Nr = 123456…

Diagram label: offline

Java Card Limitations

8-bit CPU (3.57 MHz)

Limited access to public key-CP (only standard RSA, DSA)

Limited RAM (2K)

JCOP 41 v2.2

Basis: Camenisch-Lysyanskaya Signatures

Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$

Secret key: factors of $n$

Signature of $L$ attributes $m_1, \ldots, m_L \in \{0,1\}^{\ell}$: $(c, e, s)$

For random prime $e > 2^{\ell}$ and integer $s \approx n$, compute $c$ such that

$d = a_1^{m_1} \cdots a_L^{m_L} \, b^{s} \, c^{e} \bmod n$

[Camenisch & Lysyanskaya '01]

Theorem: Signature scheme is secure against adaptively chosen message attacks under SRSA assumption

[SRSA: Barić & Pfitzmann 97 and Fujisaki & Okamoto 97]


Basis: Camenisch-Lysyanskaya Signatures

Abstractly, requires computation of

$A_1^{x_1} \cdots A_i^{x_i} \cdots A_L^{x_L} \bmod n$

where the $x_i$ correspond to attributes in the certificates, and potentially $|x_i| > |n|$

Problem Statement

Run anonymous credential system autonomously and securely on a standard off-the-shelf Java Card

Autonomy

All data on card

Malicious terminal

[Balasch '02, Bichsel '07, Danes '07]

[Independent result: Sterckx, Gierlichs, Preneel, Verbauwhede '09]

Java Card Structure (diagram; source: Prof. Wolfgang Reif - chip cards)

Diagram components: IDMX Applet, interface, Basic Ops, Card Manager, Java Card API, Java Card VM, Card-Specific Operating System, 8-bit CPU, 3DES CP, Public Key CP

Diagram annotations: Transient RSA; RSAEnc() and modExp(); Adapt key in RAM; RSAEnc() in EEPROM; RSAEnc() w/o padding: $m^e \bmod n$

(Ab-)Using Standard RSA Interface

Recall RSA Encryption: $m^e \bmod n$ (limited size of $e$)

ModExp() with big exponents: split exponents

$A_1^{x_1} A_2^{x_2} = A_1^{x_{11} + x_{12} 2^k} \, A_2^{x_{21} + x_{22} 2^k} \bmod n$

$= A_1^{x_{11}} \, (A_1^{2^k})^{x_{12}} \, A_2^{x_{21}} \, (A_2^{2^k})^{x_{22}} \bmod n$

$= A_1^{x_{11}} \, {A'_1}^{x_{12}} \, A_2^{x_{21}} \, {A'_2}^{x_{22}} \bmod n$

ModMultiply(): RSA interface can only do exponentiation

Reduce multiply to modExp() by binomial formula

$A \cdot B = ((A+B)^2 - A^2 - B^2)/2 \bmod n$
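The two tricks on this slide, as an added Python sketch that is not code from the talk or from the IDMX applet. `card_rsa_enc` is a hypothetical stand-in for the card's padding-free RSA encryption; the 16-bit exponent limit, the modulus and the bases are constructed demo values. It generalizes the two-chunk split shown above to exponents of any length.

```python
"""Constructed simulation: the only big-number primitive is raw RSA encryption."""

MAX_EXP_BITS = 16  # assumed exponent-size limit of the RSA interface (hypothetical)


def card_rsa_enc(m, e, n):
    """Stand-in for the coprocessor: m^e mod n, rejecting oversized exponents."""
    if e < 0 or e.bit_length() > MAX_EXP_BITS:
        raise ValueError("exponent exceeds the RSA interface limit")
    return pow(m, e, n)


def mod_square(a, n):
    return card_rsa_enc(a, 2, n)


def mod_multiply(a, b, n):
    """A*B = ((A+B)^2 - A^2 - B^2)/2 mod n, squarings only (n must be odd)."""
    t = (mod_square((a + b) % n, n) - mod_square(a, n) - mod_square(b, n)) % n
    if t & 1:       # t = 2AB mod n; adding the odd modulus makes it even
        t += n
    return t >> 1   # exact halving, result is in [0, n)


def raise_to_2k(a, n, k=MAX_EXP_BITS):
    """A' = A^(2^k). 2^k needs k+1 bits, so use 2^(k-1) followed by one squaring."""
    return mod_square(card_rsa_enc(a, 1 << (k - 1), n), n)


def mod_exp_big(a, x, n, k=MAX_EXP_BITS):
    """A^x mod n for x of any length, with x = x_0 + x_1*2^k + x_2*2^(2k) + ..."""
    if x < 0:
        raise ValueError("negative exponents are not handled in this sketch")
    result, base = 1, a % n
    while x:
        chunk = x & ((1 << k) - 1)
        if chunk:
            result = mod_multiply(result, card_rsa_enc(base, chunk, n), n)
        x >>= k
        if x:
            # The bases are public-key values, so these powers could be precomputed.
            base = raise_to_2k(base, n, k)
    return result


def multi_exp(bases, exponents, n):
    """A_1^{x_1} * ... * A_L^{x_L} mod n using only the restricted interface."""
    result = 1
    for a, x in zip(bases, exponents):
        result = mod_multiply(result, mod_exp_big(a, x, n), n)
    return result


# Constructed demo values: an odd modulus and exponents longer than the modulus.
N = (2**61 - 1) * (2**89 - 1)
A1, A2 = 0x1234567890ABCDEF, 0xFEDCBA0987654321
X1, X2 = 2**200 + 12345, 3**150 + 7

if __name__ == "__main__":
    print(multi_exp([A1, A2], [X1, X2], N) == pow(A1, X1, N) * pow(A2, X2, N) % N)
```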

Execution Times: Full Proof (Including Communication)

Modulus               1280 bit    1536 bit    1984 bit
Precomputation        5203 ms     7828 ms     13250 ms
  Compute A'          2125 ms     2906 ms     5000 ms
  Compute T1          3078 ms     4922 ms     8250 ms
Policy-dependent      2234 ms     2625 ms     3298 ms
  Compute 1 Response  562 ms      656 ms      828 ms
Total                 7437 ms     10453 ms    16548 ms

Results

Anonymous credential system on standard Java Card

• JCOP 41 v2.2

• Future: Java Card 3.0 standard

Attributes: Focus on proof of possession

• rely on hardware tamper resistance for statement and

• detect/revoke broken cards

Autonomous: secure in face of untrusted terminal

Efficient: 10 sec (at 1536 bits)

7.5 sec pre-computation, 2.5 sec on-line

I'm happy to answer questions…

Identity Mixer Community Site: idemix.wordpress.com

See what's going on…

Look at the spec…

Download the library…


BACKUP

Detailed Performance Analysis: Modulus 1536 bit

Amortized estimates over 1000 ops; upper bound on parameter length; percent rounded down

Function          Time         Ops       Percent
Multiplication    4'653 ms     9 Ops     39
  Addition        2988 ms      36 Ops    25
  ModSquare       243 ms       27 Ops    2
ModExp            4'308 ms     10 Ops    36
SRNG              1'088 ms     16 Ops    9
TRNG              815 ms       1 Op      6
Addition          581 ms       7 Ops     4
Digest            220 ms       10 Ops    1
Total             11'665 ms

Recall: The Strong RSA Assumption

Flexible RSA Problem: Given RSA modulus $n$ and $z \in QR_n$, find integers $e$ and $u$ such that

$u^e = z \bmod n$

(Recall: $QR_n = \{x \mid \exists\, y \text{ s.t. } y^2 = x \bmod n\}$)

Introduced by Barić & Pfitzmann 97 and Fujisaki & Okamoto 97

Hard in generic algorithm model [Damgård & Koprowski 01]

Signature Scheme based on the SRSA I

Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$

Secret key: factors of $n$

To sign $k$ messages $m_1, \ldots, m_k \in \{0,1\}^{\ell}$:

choose random prime $e > 2^{\ell}$ and integer $s \approx n$

compute $c$ such that

$d = a_1^{m_1} \cdots a_k^{m_k} \, b^{s} \, c^{e} \bmod n$

signature is $(c, e, s)$

[Camenisch & Lysyanskaya '02]

Signature Scheme based on the SRSA II

A signature $(c, e, s)$ on messages $m_1, \ldots, m_k$ is valid iff:

$m_1, \ldots, m_k \in \{0,1\}^{\ell}$

$e > 2^{\ell}$

$d = a_1^{m_1} \cdots a_k^{m_k} \, b^{s} \, c^{e} \bmod n$

Theorem: Signature scheme is secure against adaptively chosen message attacks under SRSA assumption

Proof of Knowledge of a Signature

Observe:

Let $c' = c \, b^{s'} \bmod n$ with random $s'$

then $d = {c'}^{e} \, a_1^{m_1} \cdots a_k^{m_k} \, b^{s^*} \pmod n$ with $s^* = s - e s'$

i.e., $(c', e, s^*)$ is also a valid signature

Therefore, to prove knowledge of signature on some $m$:

provide $c'$

$PK\{(e, m_1, \ldots, m_k, s^*) :$

$\quad d = {c'}^{e} \, a_1^{m_1} \cdots a_k^{m_k} \, b^{s^*}$

$\quad m_i \in \{0,1\}^{\ell}, \quad e \in 2^{\ell+1} \pm \{0,1\}^{\ell} \}$
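The signing equation, the validity check and the re-randomization observed above, as an added Python example that is not code from the talk or the Identity Mixer library. The key is a constructed toy (safe primes 2879 and 2903, bases 4, 9, 25, 49, 8-bit messages) and is far too small for real use; the zero-knowledge proof PK itself is not implemented.

```python
"""Toy Camenisch-Lysyanskaya signature with constructed, insecure parameters."""
import secrets

# Constructed toy key: safe primes p = 2p'+1 and q = 2q'+1.
P_PRIME, Q_PRIME = 1439, 1451
N = (2 * P_PRIME + 1) * (2 * Q_PRIME + 1)
ORDER = P_PRIME * Q_PRIME     # order of QR_n, derivable only from the factors of n
ELL = 8                       # message length in bits (the slides' l)
A = [4, 9]                    # a_1, a_2: squares, hence elements of QR_n
B, D = 25, 49                 # b and d, also squares


def is_prime(x):
    """Trial division, adequate for the toy exponent range used here."""
    if x < 2:
        return False
    f = 2
    while f * f <= x:
        if x % f == 0:
            return False
        f += 1
    return True


def commit(msgs, s):
    """a_1^{m_1} ... a_k^{m_k} b^s mod n; s may be negative because b is invertible."""
    acc = pow(B, s, N)
    for a, m in zip(A, msgs):
        acc = acc * pow(a, m, N) % N
    return acc


def sign(msgs):
    """Signer side: needs ORDER (the secret key) to take an e-th root."""
    while True:
        e = secrets.randbits(ELL) | (1 << ELL) | 1    # odd and larger than 2^l
        if is_prime(e):
            break
    s = secrets.randbelow(N)
    target = D * pow(commit(msgs, s), -1, N) % N      # d / (a_1^{m_1}...b^s)
    c = pow(target, pow(e, -1, ORDER), N)             # c with c^e = target
    return c, e, s


def verify(msgs, sig):
    """The validity conditions: message range, e > 2^l, and the d equation."""
    c, e, s = sig
    if len(msgs) != len(A) or any(not 0 <= m < 2**ELL for m in msgs):
        return False
    if e <= 2**ELL:
        return False
    return D == commit(msgs, s) * pow(c, e, N) % N


def randomize(sig, s_prime):
    """(c, e, s) -> (c', e, s*) with c' = c b^{s'} and s* = s - e s'."""
    c, e, s = sig
    return c * pow(B, s_prime, N) % N, e, s - e * s_prime


if __name__ == "__main__":
    attrs = [30, 77]          # constructed attribute values
    sig = sign(attrs)
    fresh = randomize(sig, secrets.randbelow(N))
    print(verify(attrs, sig), verify(attrs, fresh), fresh[0] != sig[0])
```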


Proof of Knowledge of a Signature

Using second Commitment

assume second group n ai b n

2nd commitment C = a1

sk b s

To prove knowledge of signature on some m provide c

PK(e m1 mk ss )

C = a1

m1b s d = clsquo e a1

m1 ak

mk b s

Page 2: CCS’09: Smart Identity Card - Thomas Gross

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation2

Overview

Introduction

Camenisch-Lysyanskaya Signatures

Problem Statement

Key Ideas

Results

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Policy

Have an EID card AND

Be older than 18

3

Example Age Proof with Strong Privacy

Authorities

Proof

ldquoI‟ve an EID card AND

I‟m older than 18rdquo

Citizen

Identity Mixer CertificateAddress

DoB = 19801201

Nr = 123456hellip offline

Service

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation4

Java CardLimitations

8-bit CPU (357 MHz)

Limited access to

public key-CP (only

standard RSA DSA)

Limited RAM (2K)

JCOP 41v22

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Public key of signer RSA modulus n and ai b d Є QRn

Secret key factors of n

Signature of L attributes m1 mL Є 01ℓ (ces)

For random prime e gt 2ℓand integer s asymp n compute c such that

d = a1

m1 aL

mL bs ce mod n

[Camenisch amp Lysyanskaya ‟01]

Theorem Signature scheme is secure against adaptively chosen

message attacks under SRSA assumption

Basis Camenisch-Lysyanskaya Signatures

[SRSA Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97]

5

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Public key of signer RSA modulus n and ai b d Є QRn

Secret key factors of n

Signature of L attributes m1 mL Є 01ℓ (ces)

For random prime e gt 2ℓand integer s asymp n compute c such that

d = a1

m1 aL

mL bs ce mod n

[Camenisch amp Lysyanskaya ‟01]

Theorem Signature scheme is secure against adaptively chosen

message attacks under SRSA assumption

Basis Camenisch-Lysyanskaya Signatures

[SRSA Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97]

6

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Signature of L attributes m1 mL Є 01ℓ (ces)

For random prime e gt 2ℓand integer s asymp n compute c such that

d = a1

m1 aL

mL bs ce mod n

[Camenisch amp Lysyanskaya ‟01]

Basis Camenisch-Lysyanskaya Signatures

Abstractly requires computation of

A1

x1 Ai

xi AL

xLmod n

where xi correspond to attributes in the certificatesand potentially |xi| gt |n|

7

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

[Independent result Sterckx Gierlichs Preneel Verbauwhede bdquo09]

9

Problem Statement

Run anonymous credential system autonomously and securely on a standard off-the-shelf Java Card

Autonomy

All data on card

Malicious terminal

[Balasch ‟02 Bichsel ‟07 Danes bdquo07]

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation10

Java CardStructure

Card-Specific Operating System

Card

Manager

Java Card API

Java Card VM

8-bit CPU 3DES CP Public Key CP

IDMX Applet

interfaceBasic Ops

Source Prof Wolfgang Reif ndash chip cards

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation11

Java CardStructure

Card-Specific Operating System

Card

Manager

Java Card API

Java Card VM

8-bit CPU 3DES CP Public Key CP

IDMX Applet

interfaceBasic Ops

Source Prof Wolfgang Reif ndash chip cards

Transient RSA

RSA Enc()

modExp()

Adapt key in RAM

RSAEnc()

modExp()

RSAEnc()

in EEPROM

RSAEnc()

wo padding

memod n

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation12

(Ab-)Using Standard RSA Interface

Recall RSA Encryption memod n (Limited size of e)

ModExp() with Big Exponents Split exponents

A1x1 A

2x2

= A1x11 + x122k A

2x21 + x222k

mod n

= A1x11

(A12k

) x12 A

2x21

(A2

2k)x22

mod n

= A1x11 Arsquo

1x12 A

2x21Arsquo

2x22

mod n

ModMultiply() RSA interface can only do exponentiation

Reduce multiply to modExp() by binomial formula

A B = ((A+B)2

- A2- B2

)2 mod n

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation13

Execution Times Full Proof (Including Communication)

Modulus 1280 bit 1536 bit 1984 bitPrecomputation 5203 ms 7828 ms 13250 ms

Compute A‟ 2125 ms 2906 ms 5000 ms

Compute T1 3078 ms 4922 ms 8250 ms

Policy-

dependent

2234 ms 2625 ms 3298 ms

Compute 1

Response

562 ms 656 ms 828 ms

Total 7437 ms 10453 ms 16548 ms

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Results

Anonymous credential system

on standard Java Card

bull JCOP 41v22

bull Future Java Card 30 standard

Attributes Focus on proof of possession

bull rely on hardware tamper resistance for statement and

bull detect revoke broken cards

Autonomous secure in face of untrusted terminal

Efficient 10 sec (at 1536 bits)

75 sec pre-computation 25 sec on-line

14

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

I‟m happy to answer questionshellip

Identity Mixer Community Site

idemixwordpresscom See what‟s going onhellip

Look at the spechellip

Download the libraryhellip

15

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation16

BACKUP

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation17

Detailed Performance Analysis Modulus 1536 bitAmortized Estimates over 1000 Ops Upper Bound on Parameter Length Percent Rounded Down

Function Time Ops PercentMultiplication 4rsquo653 ms 9 Ops 39

Addition 2988 ms 36 Ops 25

ModSquare 243 ms 27 Ops 2

ModExp 4rsquo308 ms 10 Ops 36

SRNG 1rsquo088 ms 16 Ops 9

TRNG 815 ms 1 Op 6

Addition 581 ms 7 Ops 4

Digest 220 ms 10 Ops 1

Total 11rsquo665 ms

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Recall The Strong RSA Assumption

Flexible RSA Problem Given RSA modulus n and z Є QRn

find

integers e and u such that

ue = z mod n

(Recall QRn = x exist y st y2 = x mod n )

Introduced by Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97

Hard in generic algorithm model [Damgaringrd amp Koprowski 01]

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Signature Scheme based on the SRSA I

Public key of signer RSA modulus n and ai b d Є QRn

Secret key factors of n

To sign k messages m1 mk Є 01ℓ

choose random prime e gt 2ℓand integer s asymp n

compute c such that

d = a1

m1 ak

mk bs ce mod n

signature is (ces)

[Camenisch amp Lysyanskaya bdquo02]

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Signature Scheme based on the SRSA II

A signature (ces) on messages m1 mk is valid iff

m1 mk Є 01ℓ

e gt 2ℓ

d = a1

m1 ak

mk bs ce mod n

Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Proof of Knowledge of a Signature

Observe

Let c = c bsmod n with random s

then d = clsquo e a1

m1 ak

mk bs (mod n) with s = s-esrsquo

ie (ce s) is a also a valid signature

Therefore to prove knowledge of signature on some m

provide c

PK(e m1 mk s) d = ce a1

m1 ak

mk b s

mi Є 01ℓ e Є 2ℓ+1

plusmn 01ℓ

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Proof of Knowledge of a Signature

Using second Commitment

assume second group n ai b n

2nd commitment C = a1

sk b s

To prove knowledge of signature on some mprovide c

PK(e m1 mk ss )

C = a1

m1b s d = clsquo e a1

m1 ak

mk b s

Page 3: CCS’09: Smart Identity Card - Thomas Gross

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Policy

Have an EID card AND

Be older than 18

3

Example Age Proof with Strong Privacy

Authorities

Proof

ldquoI‟ve an EID card AND

I‟m older than 18rdquo

Citizen

Identity Mixer CertificateAddress

DoB = 19801201

Nr = 123456hellip offline

Service

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation4

Java CardLimitations

8-bit CPU (357 MHz)

Limited access to

public key-CP (only

standard RSA DSA)

Limited RAM (2K)

JCOP 41v22

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Public key of signer RSA modulus n and ai b d Є QRn

Secret key factors of n

Signature of L attributes m1 mL Є 01ℓ (ces)

For random prime e gt 2ℓand integer s asymp n compute c such that

d = a1

m1 aL

mL bs ce mod n

[Camenisch amp Lysyanskaya ‟01]

Theorem Signature scheme is secure against adaptively chosen

message attacks under SRSA assumption

Basis Camenisch-Lysyanskaya Signatures

[SRSA Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97]

5

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Public key of signer RSA modulus n and ai b d Є QRn

Secret key factors of n

Signature of L attributes m1 mL Є 01ℓ (ces)

For random prime e gt 2ℓand integer s asymp n compute c such that

d = a1

m1 aL

mL bs ce mod n

[Camenisch amp Lysyanskaya ‟01]

Theorem Signature scheme is secure against adaptively chosen

message attacks under SRSA assumption

Basis Camenisch-Lysyanskaya Signatures

[SRSA Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97]

6

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Signature of L attributes m1 mL Є 01ℓ (ces)

For random prime e gt 2ℓand integer s asymp n compute c such that

d = a1

m1 aL

mL bs ce mod n

[Camenisch amp Lysyanskaya ‟01]

Basis Camenisch-Lysyanskaya Signatures

Abstractly requires computation of

A1

x1 Ai

xi AL

xLmod n

where xi correspond to attributes in the certificatesand potentially |xi| gt |n|

7

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

[Independent result Sterckx Gierlichs Preneel Verbauwhede bdquo09]

9

Problem Statement

Run anonymous credential system autonomously and securely on a standard off-the-shelf Java Card

Autonomy

All data on card

Malicious terminal

[Balasch ‟02 Bichsel ‟07 Danes bdquo07]

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation10

Java CardStructure

Card-Specific Operating System

Card

Manager

Java Card API

Java Card VM

8-bit CPU 3DES CP Public Key CP

IDMX Applet

interfaceBasic Ops

Source Prof Wolfgang Reif ndash chip cards

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation11

Java CardStructure

Card-Specific Operating System

Card

Manager

Java Card API

Java Card VM

8-bit CPU 3DES CP Public Key CP

IDMX Applet

interfaceBasic Ops

Source Prof Wolfgang Reif ndash chip cards

Transient RSA

RSA Enc()

modExp()

Adapt key in RAM

RSAEnc()

modExp()

RSAEnc()

in EEPROM

RSAEnc()

wo padding

memod n

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation12

(Ab-)Using Standard RSA Interface

Recall RSA Encryption memod n (Limited size of e)

ModExp() with Big Exponents Split exponents

A1x1 A

2x2

= A1x11 + x122k A

2x21 + x222k

mod n

= A1x11

(A12k

) x12 A

2x21

(A2

2k)x22

mod n

= A1x11 Arsquo

1x12 A

2x21Arsquo

2x22

mod n

ModMultiply() RSA interface can only do exponentiation

Reduce multiply to modExp() by binomial formula

A B = ((A+B)2

- A2- B2

)2 mod n

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation13

Execution Times Full Proof (Including Communication)

Modulus 1280 bit 1536 bit 1984 bitPrecomputation 5203 ms 7828 ms 13250 ms

Compute A‟ 2125 ms 2906 ms 5000 ms

Compute T1 3078 ms 4922 ms 8250 ms

Policy-

dependent

2234 ms 2625 ms 3298 ms

Compute 1

Response

562 ms 656 ms 828 ms

Total 7437 ms 10453 ms 16548 ms

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Results

Anonymous credential system

on standard Java Card

bull JCOP 41v22

bull Future Java Card 30 standard

Attributes Focus on proof of possession

bull rely on hardware tamper resistance for statement and

bull detect revoke broken cards

Autonomous secure in face of untrusted terminal

Efficient 10 sec (at 1536 bits)

75 sec pre-computation 25 sec on-line

14

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

I‟m happy to answer questionshellip

Identity Mixer Community Site

idemixwordpresscom See what‟s going onhellip

Look at the spechellip

Download the libraryhellip

15

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation16

BACKUP

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation17

Detailed Performance Analysis Modulus 1536 bitAmortized Estimates over 1000 Ops Upper Bound on Parameter Length Percent Rounded Down

Function Time Ops PercentMultiplication 4rsquo653 ms 9 Ops 39

Addition 2988 ms 36 Ops 25

ModSquare 243 ms 27 Ops 2

ModExp 4rsquo308 ms 10 Ops 36

SRNG 1rsquo088 ms 16 Ops 9

TRNG 815 ms 1 Op 6

Addition 581 ms 7 Ops 4

Digest 220 ms 10 Ops 1

Total 11rsquo665 ms

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Recall The Strong RSA Assumption

Flexible RSA Problem Given RSA modulus n and z Є QRn

find

integers e and u such that

ue = z mod n

(Recall QRn = x exist y st y2 = x mod n )

Introduced by Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97

Hard in generic algorithm model [Damgaringrd amp Koprowski 01]

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Signature Scheme based on the SRSA I

Public key of signer RSA modulus n and ai b d Є QRn

Secret key factors of n

To sign k messages m1 mk Є 01ℓ

choose random prime e gt 2ℓand integer s asymp n

compute c such that

d = a1

m1 ak

mk bs ce mod n

signature is (ces)

[Camenisch amp Lysyanskaya bdquo02]

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Signature Scheme based on the SRSA II

A signature (ces) on messages m1 mk is valid iff

m1 mk Є 01ℓ

e gt 2ℓ

d = a1

m1 ak

mk bs ce mod n

Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Proof of Knowledge of a Signature

Observe

Let c = c bsmod n with random s

then d = clsquo e a1

m1 ak

mk bs (mod n) with s = s-esrsquo

ie (ce s) is a also a valid signature

Therefore to prove knowledge of signature on some m

provide c

PK(e m1 mk s) d = ce a1

m1 ak

mk b s

mi Є 01ℓ e Є 2ℓ+1

plusmn 01ℓ

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Proof of Knowledge of a Signature

Using second Commitment

assume second group n ai b n

2nd commitment C = a1

sk b s

To prove knowledge of signature on some mprovide c

PK(e m1 mk ss )

C = a1

m1b s d = clsquo e a1

m1 ak

mk b s

Page 4: CCS’09: Smart Identity Card - Thomas Gross

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation4

Java CardLimitations

8-bit CPU (357 MHz)

Limited access to

public key-CP (only

standard RSA DSA)

Limited RAM (2K)

JCOP 41v22

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Public key of signer RSA modulus n and ai b d Є QRn

Secret key factors of n

Signature of L attributes m1 mL Є 01ℓ (ces)

For random prime e gt 2ℓand integer s asymp n compute c such that

d = a1

m1 aL

mL bs ce mod n

[Camenisch amp Lysyanskaya ‟01]

Theorem Signature scheme is secure against adaptively chosen

message attacks under SRSA assumption

Basis Camenisch-Lysyanskaya Signatures

[SRSA Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97]

5

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Public key of signer RSA modulus n and ai b d Є QRn

Secret key factors of n

Signature of L attributes m1 mL Є 01ℓ (ces)

For random prime e gt 2ℓand integer s asymp n compute c such that

d = a1

m1 aL

mL bs ce mod n

[Camenisch amp Lysyanskaya ‟01]

Theorem Signature scheme is secure against adaptively chosen

message attacks under SRSA assumption

Basis Camenisch-Lysyanskaya Signatures

[SRSA Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97]

6

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Signature of L attributes m1 mL Є 01ℓ (ces)

For random prime e gt 2ℓand integer s asymp n compute c such that

d = a1

m1 aL

mL bs ce mod n

[Camenisch amp Lysyanskaya ‟01]

Basis Camenisch-Lysyanskaya Signatures

Abstractly requires computation of

A1

x1 Ai

xi AL

xLmod n

where xi correspond to attributes in the certificatesand potentially |xi| gt |n|

7

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

[Independent result Sterckx Gierlichs Preneel Verbauwhede bdquo09]

9

Problem Statement

Run anonymous credential system autonomously and securely on a standard off-the-shelf Java Card

Autonomy

All data on card

Malicious terminal

[Balasch ‟02 Bichsel ‟07 Danes bdquo07]

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation10

Java CardStructure

Card-Specific Operating System

Card

Manager

Java Card API

Java Card VM

8-bit CPU 3DES CP Public Key CP

IDMX Applet

interfaceBasic Ops

Source Prof Wolfgang Reif ndash chip cards

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation11

Java CardStructure

Card-Specific Operating System

Card

Manager

Java Card API

Java Card VM

8-bit CPU 3DES CP Public Key CP

IDMX Applet

interfaceBasic Ops

Source Prof Wolfgang Reif ndash chip cards

Transient RSA

RSA Enc()

modExp()

Adapt key in RAM

RSAEnc()

modExp()

RSAEnc()

in EEPROM

RSAEnc()

wo padding

memod n

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation12

(Ab-)Using Standard RSA Interface

Recall RSA Encryption memod n (Limited size of e)

ModExp() with Big Exponents Split exponents

A1x1 A

2x2

= A1x11 + x122k A

2x21 + x222k

mod n

= A1x11

(A12k

) x12 A

2x21

(A2

2k)x22

mod n

= A1x11 Arsquo

1x12 A

2x21Arsquo

2x22

mod n

ModMultiply() RSA interface can only do exponentiation

Reduce multiply to modExp() by binomial formula

A B = ((A+B)2

- A2- B2

)2 mod n

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation13

Execution Times Full Proof (Including Communication)

Modulus 1280 bit 1536 bit 1984 bitPrecomputation 5203 ms 7828 ms 13250 ms

Compute A‟ 2125 ms 2906 ms 5000 ms

Compute T1 3078 ms 4922 ms 8250 ms

Policy-

dependent

2234 ms 2625 ms 3298 ms

Compute 1

Response

562 ms 656 ms 828 ms

Total 7437 ms 10453 ms 16548 ms

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Results

Anonymous credential system

on standard Java Card

bull JCOP 41v22

bull Future Java Card 30 standard

Attributes Focus on proof of possession

bull rely on hardware tamper resistance for statement and

bull detect revoke broken cards

Autonomous secure in face of untrusted terminal

Efficient 10 sec (at 1536 bits)

75 sec pre-computation 25 sec on-line

14

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

I‟m happy to answer questionshellip

Identity Mixer Community Site

idemixwordpresscom See what‟s going onhellip

Look at the spechellip

Download the libraryhellip

15

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation16

BACKUP

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation17

Detailed Performance Analysis Modulus 1536 bitAmortized Estimates over 1000 Ops Upper Bound on Parameter Length Percent Rounded Down

Function Time Ops PercentMultiplication 4rsquo653 ms 9 Ops 39

Addition 2988 ms 36 Ops 25

ModSquare 243 ms 27 Ops 2

ModExp 4rsquo308 ms 10 Ops 36

SRNG 1rsquo088 ms 16 Ops 9

TRNG 815 ms 1 Op 6

Addition 581 ms 7 Ops 4

Digest 220 ms 10 Ops 1

Total 11rsquo665 ms

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Recall The Strong RSA Assumption

Flexible RSA Problem Given RSA modulus n and z Є QRn

find

integers e and u such that

ue = z mod n

(Recall QRn = x exist y st y2 = x mod n )

Introduced by Barić amp Pfitzmann 97 and Fujisaki amp Okamoto 97

Hard in generic algorithm model [Damgaringrd amp Koprowski 01]

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Signature Scheme based on the SRSA I

Public key of signer RSA modulus n and ai b d Є QRn

Secret key factors of n

To sign k messages m1 mk Є 01ℓ

choose random prime e gt 2ℓand integer s asymp n

compute c such that

d = a1

m1 ak

mk bs ce mod n

signature is (ces)

[Camenisch amp Lysyanskaya bdquo02]

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation

Signature Scheme based on the SRSA II

A signature (ces) on messages m1 mk is valid iff

m1 mk Є 01ℓ

e gt 2ℓ

d = a1

m1 ak

mk bs ce mod n

Theorem Signature scheme is secure against adaptively chosen message attacks under SRSA assumption

Proof of Knowledge of a Signature

Observe:

Let $c' = c\, b^{s'} \bmod n$ with random $s'$

then $d = {c'}^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s^*} \pmod n$ with $s^* = s - e s'$

i.e., $(c', e, s^*)$ is also a valid signature

Therefore, to prove knowledge of signature on some $m$:

provide $c'$

$PK\{(e, m_1, \ldots, m_k, s^*) : d = {c'}^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s^*} \;\wedge\; m_i \in \{0,1\}^\ell \;\wedge\; e \in 2^{\ell+1} \pm \{0,1\}^\ell\}$

Proof of Knowledge of a Signature

Using second Commitment

assume second group $n, a_i, b, n$

2nd commitment $C = a_1^{sk} b^{s}$

To prove knowledge of signature on some $m$, provide $c'$

$PK\{(e, m_1, \ldots, m_k, s, s) : C = a_1^{m_1} b^{s} \;\wedge\; d = {c'}^{e} a_1^{m_1} \cdots a_k^{m_k} b^{s}\}$

Basis: Camenisch-Lysyanskaya Signatures

Public key of signer: RSA modulus $n$ and $a_i, b, d \in QR_n$

Secret key: factors of $n$

Signature of $L$ attributes $m_1, \ldots, m_L \in \{0,1\}^\ell$: $(c, e, s)$

For random prime $e > 2^\ell$ and integer $s \approx n$, compute $c$ such that

$d = a_1^{m_1} \cdots a_L^{m_L} b^s c^e \bmod n$

[Camenisch & Lysyanskaya '01]

Theorem: Signature scheme is secure against adaptively chosen message attacks under SRSA assumption

[SRSA: Barić & Pfitzmann 97 and Fujisaki & Okamoto 97]

Basis: Camenisch-Lysyanskaya Signatures

Signature of $L$ attributes $m_1, \ldots, m_L \in \{0,1\}^\ell$: $(c, e, s)$

For random prime $e > 2^\ell$ and integer $s \approx n$, compute $c$ such that

$d = a_1^{m_1} \cdots a_L^{m_L} b^s c^e \bmod n$

[Camenisch & Lysyanskaya '01]

Abstractly requires computation of

$A_1^{x_1} \cdots A_i^{x_i} \cdots A_L^{x_L} \bmod n$

where $x_i$ correspond to attributes in the certificates, and potentially $|x_i| > |n|$

Problem Statement

Run anonymous credential system autonomously and securely on a standard off-the-shelf Java Card

Autonomy

All data on card

Malicious terminal

[Balasch '02, Bichsel '07, Danes '07]

[Independent result: Sterckx, Gierlichs, Preneel, Verbauwhede '09]

Java Card Structure

[Figure: Java Card architecture. Labels: Card-Specific Operating System; Card Manager; Java Card API; Java Card VM; 8-bit CPU; 3DES CP; Public Key CP; IDMX Applet; interface; Basic Ops. Source: Prof. Wolfgang Reif – chip cards]

[Figure annotations: Transient RSA; RSAEnc(); modExp(); Adapt key in RAM; RSAEnc() in EEPROM; RSAEnc() w/o padding; $m^e \bmod n$]

(Ab-)Using Standard RSA Interface

Recall RSA Encryption: $m^e \bmod n$ (Limited size of $e$)

ModExp() with Big Exponents: Split exponents

$A_1^{x_1} A_2^{x_2} = A_1^{x_{11} + x_{12} 2^k} A_2^{x_{21} + x_{22} 2^k} \bmod n$

$= A_1^{x_{11}} (A_1^{2^k})^{x_{12}} A_2^{x_{21}} (A_2^{2^k})^{x_{22}} \bmod n$

$= A_1^{x_{11}} {A'_1}^{x_{12}} A_2^{x_{21}} {A'_2}^{x_{22}} \bmod n$

ModMultiply(): RSA interface can only do exponentiation

Reduce multiply to modExp() by binomial formula

$A \cdot B = ((A+B)^2 - A^2 - B^2)/2 \bmod n$
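
The two reductions on this slide, applied to the product $A_1^{x_1} \cdots A_L^{x_L} \bmod n$ from the "Abstractly requires computation of" slide, can be combined as in the sketch below. This is an added example, not code from the talk or from the Identity Mixer library; the ExpOnlyCoprocessor class, its 32-bit exponent limit and the demo values are assumptions made for illustration.

```python
"""Added example: multi-exponentiation through an exponentiation-only RSA interface.

The coprocessor class, the 32-bit exponent limit and all numeric values are
constructed for illustration; they do not describe a real card API.
"""


class ExpOnlyCoprocessor:
    """Stand-in for the card's public-key coprocessor: m^e mod n and nothing else."""

    def __init__(self, n, max_exp_bits):
        if n < 3 or n % 2 == 0:
            raise ValueError("modulus must be odd (halving mod n relies on it)")
        if max_exp_bits < 2:
            raise ValueError("the exponent 2 must fit for squaring")
        self.n = n
        self.max_exp_bits = max_exp_bits
        self.calls = 0  # number of raw RSA operations issued

    def rsa_enc(self, m, e):
        """Unpadded RSA 'encryption': the only arithmetic the interface offers."""
        if not 0 <= m < self.n:
            raise ValueError("input must be reduced mod n")
        if e < 1 or e.bit_length() > self.max_exp_bits:
            raise ValueError("exponent does not fit the interface")
        self.calls += 1
        return pow(m, e, self.n)


def mod_mul(cp, a, b):
    """A*B mod n via ((A+B)^2 - A^2 - B^2)/2, using three squarings."""
    n = cp.n
    a, b = a % n, b % n
    two_ab = (cp.rsa_enc((a + b) % n, 2) - cp.rsa_enc(a, 2) - cp.rsa_enc(b, 2)) % n
    # Division by 2 modulo an odd n: make the value even, then halve it.
    return (two_ab if two_ab % 2 == 0 else two_ab + n) // 2


def mod_exp_big(cp, a, x):
    """A^x mod n for x of any length: x = x_0 + x_1*2^k + x_2*2^(2k) + ..."""
    if x < 0:
        raise ValueError("negative exponents are out of scope here")
    k = cp.max_exp_bits
    result, base = 1 % cp.n, a % cp.n
    while x:
        chunk = x & ((1 << k) - 1)
        if chunk:
            result = mod_mul(cp, result, cp.rsa_enc(base, chunk))
        x >>= k
        if x:
            # A' = A^(2^k), reached as (A^(2^(k-1)))^2 so both exponents fit in k bits.
            base = cp.rsa_enc(cp.rsa_enc(base, 1 << (k - 1)), 2)
    return result


def multi_exp(cp, bases, exponents):
    """A_1^x_1 * ... * A_L^x_L mod n using only rsa_enc plus add/subtract/halve."""
    if len(bases) != len(exponents):
        raise ValueError("need one exponent per base")
    acc = 1 % cp.n
    for a, x in zip(bases, exponents):
        acc = mod_mul(cp, acc, mod_exp_big(cp, a, x))
    return acc


# Constructed demo values: an odd 150-bit modulus and exponents longer than it.
DEMO_N = (2**61 - 1) * (2**89 - 1)
DEMO_BASES = [4, 9, 25]                       # small squares, chosen arbitrarily
DEMO_EXPONENTS = [3**130, 2**200 + 12345, 7]  # the first two are longer than n


def demo():
    """Compare the coprocessor-only result with Python's built-in arithmetic."""
    cp = ExpOnlyCoprocessor(DEMO_N, max_exp_bits=32)
    got = multi_exp(cp, DEMO_BASES, DEMO_EXPONENTS)
    want = 1
    for a, x in zip(DEMO_BASES, DEMO_EXPONENTS):
        want = want * pow(a, x, DEMO_N) % DEMO_N
    return got, want, cp.calls


if __name__ == "__main__":
    got, want, calls = demo()
    print("match:", got == want, "raw RSA calls:", calls)
```

Each mod_mul costs three raw squarings plus software additions, so the call counter shows how quickly the cost of products adds up when exponentiation is the only primitive available.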

Execution Times: Full Proof (Including Communication)

Modulus              1280 bit    1536 bit    1984 bit
Precomputation       5203 ms     7828 ms     13250 ms
Compute A'           2125 ms     2906 ms     5000 ms
Compute T1           3078 ms     4922 ms     8250 ms
Policy-dependent     2234 ms     2625 ms     3298 ms
Compute 1 Response   562 ms      656 ms      828 ms
Total                7437 ms     10453 ms    16548 ms

Results

Anonymous credential system on standard Java Card

• JCOP 41 v2.2

• Future: Java Card 3.0 standard

Attributes: Focus on proof of possession

• rely on hardware tamper resistance for statement and

• detect/revoke broken cards

Autonomous: secure in face of untrusted terminal

Efficient: 10 sec (at 1536 bits)

7.5 sec pre-computation, 2.5 sec on-line

I'm happy to answer questions…

Identity Mixer Community Site: idemix.wordpress.com

See what's going on…

Look at the spec…

Download the library…

Page 10: CCS’09: Smart Identity Card - Thomas Gross

IBM Research Zurich

Anonymous Credentials on a Standard Java Card | 11122009 | ACM CCS 2009 copy 2009 IBM Corporation11

Java Card Structure

[Figure: Java Card architecture diagram. Labels: 8-bit CPU, 3DES CP, Public Key CP; Card-Specific Operating System; Java Card VM; Java Card API; Card Manager; IDMX Applet; Interface: Basic Ops. Annotations: Transient RSA; RSAEnc(); modExp(); Adapt key in RAM; in EEPROM; RSAEnc() w/o padding: $m^e \bmod n$. Source: Prof. Wolfgang Reif – chip cards]

(Ab-)Using Standard RSA Interface

Recall RSA Encryption: $m^e \bmod n$ (limited size of $e$)

ModExp() with big exponents: split exponents

$A_1^{x_1} A_2^{x_2} = A_1^{x_{11} + x_{12} 2^k} A_2^{x_{21} + x_{22} 2^k} \bmod n$

$= A_1^{x_{11}} (A_1^{2^k})^{x_{12}} A_2^{x_{21}} (A_2^{2^k})^{x_{22}} \bmod n$

$= A_1^{x_{11}} {A'_1}^{x_{12}} A_2^{x_{21}} {A'_2}^{x_{22}} \bmod n$

ModMultiply(): RSA interface can only do exponentiation

Reduce multiply to modExp() by binomial formula

$A \cdot B = ((A+B)^2 - A^2 - B^2)/2 \bmod n$
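
Both tricks from this slide, as an added example (a Python simulation, not the applet's Java Card code): a stand-in coprocessor that only offers unpadded RSA with a bounded exponent, and on top of it a modular multiply from three squarings and a modExp for arbitrarily long exponents. It generalises the slide's two-piece split to any number of pieces; the class and function names, the 64-bit exponent limit and the toy modulus are assumptions of the example.

```python
"""Big-exponent modExp and modular multiply built from raw RSA only."""


class RawRsaCoprocessor:
    """Hypothetical stand-in for the card's public-key coprocessor.

    It offers one operation, unpadded RSA encryption m^e mod n, and rejects
    exponents longer than max_exp_bits (the slide's "limited size of e").
    """

    def __init__(self, n, max_exp_bits):
        if n % 2 == 0 or max_exp_bits < 2:
            raise ValueError("need an odd modulus and room for e = 2")
        self.n = n
        self.max_exp_bits = max_exp_bits
        self.calls = 0                      # number of RSA operations used

    def rsa_enc(self, m, e):
        if not 0 <= m < self.n:
            raise ValueError("message out of range")
        if e < 1 or e.bit_length() > self.max_exp_bits:
            raise ValueError("exponent not supported by the RSA interface")
        self.calls += 1
        return pow(m, e, self.n)


def mod_mul(cp, a, b):
    """a*b mod n from three squarings: ((a+b)^2 - a^2 - b^2) / 2."""
    n = cp.n
    s = a + b
    if s >= n:                              # modular addition on the CPU
        s -= n
    t = (cp.rsa_enc(s, 2) - cp.rsa_enc(a, 2) - cp.rsa_enc(b, 2)) % n
    if t & 1:                               # t = 2ab mod n; n is odd, so
        t += n                              # t + n is even and halves cleanly
    return t >> 1


def mod_exp(cp, a, x):
    """a^x mod n for an exponent of any length, split into k-bit pieces."""
    k = cp.max_exp_bits - 1                 # 2^k itself must fit the interface
    mask = (1 << k) - 1
    result = None
    while x:
        piece = x & mask                    # x_j in x = sum of x_j * 2^(j*k)
        if piece:
            term = cp.rsa_enc(a, piece)
            result = term if result is None else mod_mul(cp, result, term)
        x >>= k
        if x:
            a = cp.rsa_enc(a, 1 << k)       # A' = A^(2^k) for the next piece
    return 1 % cp.n if result is None else result


def multi_exp(cp, bases, exps):
    """A_1^x_1 * A_2^x_2 * ... mod n, the product shown on the slide."""
    acc = None
    for a, x in zip(bases, exps):
        term = mod_exp(cp, a, x)
        acc = term if acc is None else mod_mul(cp, acc, term)
    return acc


if __name__ == "__main__":
    n = (2**127 - 1) * (2**89 - 1)          # constructed toy modulus
    cp = RawRsaCoprocessor(n, max_exp_bits=64)
    A1, A2 = 0x1234567890ABCDEF, 0xFEDCBA0987654321
    x1, x2 = 3**150, 7**90                  # both far longer than 64 bits
    got = multi_exp(cp, [A1, A2], [x1, x2])
    print(got == pow(A1, x1, n) * pow(A2, x2, n) % n, "RSA calls:", cp.calls)
```

The call counter shows why multiplication dominates the cost: every product of two residues costs three RSA operations on top of the exponentiations themselves.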

Execution Times: Full Proof (Including Communication)

Modulus              1280 bit    1536 bit    1984 bit
Precomputation       5203 ms     7828 ms     13250 ms
Compute A'           2125 ms     2906 ms     5000 ms
Compute T1           3078 ms     4922 ms     8250 ms
Policy-dependent     2234 ms     2625 ms     3298 ms
Compute 1 Response   562 ms      656 ms      828 ms
Total                7437 ms     10453 ms    16548 ms

Results

Anonymous credential system on standard Java Card

• JCOP 41v22

• Future: Java Card 3.0 standard

Attributes: focus on proof of possession

• rely on hardware tamper resistance for statement and

• detect revoke broken cards

Autonomous: secure in face of untrusted terminal

Efficient: 10 sec (at 1536 bits)

7.5 sec pre-computation, 2.5 sec on-line

I'm happy to answer questions…

Identity Mixer Community Site

idemix.wordpress.com: See what's going on…

Look at the spec…

Download the library…

BACKUP

Detailed Performance Analysis, Modulus 1536 bit

Amortized Estimates over 1000 Ops; Upper Bound on Parameter Length; Percent Rounded Down

Function         Time        Ops      Percent
Multiplication   4'653 ms    9 Ops    39
Addition         2988 ms     36 Ops   25
ModSquare        243 ms      27 Ops   2
ModExp           4'308 ms    10 Ops   36
SRNG             1'088 ms    16 Ops   9
TRNG             815 ms      1 Op     6
Addition         581 ms      7 Ops    4
Digest           220 ms      10 Ops   1
Total            11'665 ms

Recall: The Strong RSA Assumption

Flexible RSA Problem: Given RSA modulus $n$ and $z \in QR_n$, find integers $e$ and $u$ such that

$u^e = z \bmod n$

(Recall: $QR_n = \{x \mid \exists y \text{ s.t. } y^2 = x \bmod n\}$)

Introduced by Barić & Pfitzmann 97 and Fujisaki & Okamoto 97

Hard in generic algorithm model [Damgård & Koprowski 01]
