Privacy-Enhancing Proxy Signatures from Non-Interactive Anonymous Credentials
David Derler, Christian Hanser, and Daniel Slamanig
{david.derler, christian.hanser, daniel.slamanig}@iaik.tugraz.at
Institute for Applied Information Processing and Communications, Graz University of Technology
July 14, 2014
David Derler, DBSec’2014

Outline

- Privacy-enhancing proxy signatures
- Blank Digital Signatures [HSa]
- Warrant-Hiding Proxy Signatures [HSb]
- Applications
- Building blocks
- Anonymous credentials
- Brands’ credentials [Bra00]
- CL credentials [CLa]
- Non-interactive anonymous credentials
- Our BDS/WHPS constructions
- Conclusion

Privacy-Enhancing Proxy Signatures

[Figure: Originator, Proxy and Verifier; steps 1. delegate, 2. choose M, 3. sign, 4. verify]

- Delegate signing rights for
  - Message space $\mathcal{M}$
- Choose message $M$ and sign
- Verify
  - Integrity
  - Authenticity
  - $M \overset{?}{\in} \mathcal{M}$
- New: Privacy property
  - Hides $\mathcal{M} \setminus M$

Blank Digital Signatures

- Message space defined by Template

[Figure: Originator and Proxy, four steps: Create Template, Issue Signature (T), Choose values, Issue signature (M). The demo template reads "This is a demo-[template ∨ instance] with a checkbox." and is made of fixed elements and exchangeable elements. The template carries a template signature; after the choice "instance" is made, the message "This is a demo-instance with a checkbox." carries an instance signature.]

BDS Template/Message Representation

- Template $T = (T_1, T_2, \ldots, T_n)$ with $T_i = \{M_{i_1}, M_{i_2}, \ldots, M_{i_k}\}$
- $|T_i| \begin{cases} > 1 & \text{for exchangeable elements} \\ = 1 & \text{for fixed elements} \end{cases}$
- Message $M = (M_i)_{i=1}^{n}$

BDS Security

- Correctness
- Unforgeability
  - Without the knowledge of the respective secret keys it is intractable to (existentially) forge template or message signatures
- Immutability
  - Similar to unforgeability
  - Additional access to proxy’s keys and a template with corresponding signature
- Privacy
  - Verifier does not learn unused choices in the template

Warrant-Hiding Proxy Signatures

- Message space defined by set of messages

[Figure: Originator and Proxy, four steps: Def. message space, Issue Signature, Choose message, Issue signature. The message space is the set "message 1", ..., "message n" and carries a message-space signature; after the choice "message 4" is made, that message carries an instance signature alongside the message-space signature.]

WHPS Message Space Representation

- Message space $\mathcal{M} = \{M_i\}_{i=1}^{n}$
- Message $M = M_i$, $1 \le i \le n$

WHPS Security

- Correctness
- Unforgeability
  - Without delegator’s secret key and the delegation key it is intractable to forge proxy signatures for messages inside/outside the warrant
- Privacy
  - Verifier does not learn unrevealed messages in the warrant.

Motivation

- Attorney makes business deal
  - ... on behalf of the client
  - Privacy property

  T = ({"I, hereby, declare to pay "}, {"100$", "120$", "150$"}, {"for this device."})

- Governmental organizations publish forms
  - ... to be signed by any citizen
- Medical files
  - Doctor creates template containing all data
  - Patient can black-out critical parts
- Warrant-Hiding Proxy Signatures
  - Subset of BDS use cases

Anonymous Credentials

- Parties: Organization $o$, Users $u_i$
- Organization issues credentials to users
  - w.r.t. set of attributes from a certain domain
- Users can then anonymously demonstrate possession
  - and, thereby, selectively disclose a subset of attributes

Security of AC

- Correctness
- Unforgeability: The showing of a credential w.r.t. a set of attributes only succeeds when such a credential was issued for the user
- Anonymity: No one should be able to find anything about the user
  - Except for the fact that she owns a valid credential
- Selective Disclosure
  - Verifier learns nothing about non-shown attributes
  - Informal requirement of all AC systems
  - All known AC systems employ proofs of knowledge
  - Nothing beyond the shown attributes revealed by definition

Brands’ Credentials

- Group $G$ of prime order $p$ (additive notation)
- Generators $(P_1, \ldots, P_n) \in G^n$
  - discrete logarithms between $P_i$ unknown to users
- Commit to attributes $(a_1, \ldots, a_n) \in \mathbb{Z}_p^n$ using
  - DLREP: $H \leftarrow \sum_{i=1}^{n} a_i P_i$
  - Generalized Pedersen commitment with additional blinding
- Issue a variant of a blind signature on $H$
  - Interpreted as credential
- Showing
  - Verify blind signature
  - Prove knowledge of DLREP
  - Multiple showings are linkable

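The DLREP commitment and the "prove knowledge of DLREP" step of a showing, as an added example that is not code from the talk or from Brands' scheme: it discloses a subset of attributes and proves knowledge of the rest with a Schnorr-style proof made non-interactive via Fiat-Shamir (this example's choice). Assumptions: a demo-sized multiplicative Schnorr group replaces the slide's additive group, the blind-signature issuing step is left out, and all function names and sample attributes are hypothetical.

```python
import hashlib
import secrets

# Assumption of this example: a demo-sized Schnorr group (order-p subgroup of
# Z_q^*, far too small for real use), written multiplicatively. The slide's
# additive a_i * P_i corresponds to pow(g_i, a_i, q) here.
p = 2**127 - 1  # prime group order (a Mersenne prime)

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases; adequate for picking a demo modulus."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

k = 2  # cofactor: smallest even k for which q = k*p + 1 is prime
while not is_probable_prime(k * p + 1):
    k += 2
q = k * p + 1

def to_scalar(data: bytes) -> int:
    """Encode an attribute value as an element of Z_p."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p

def generator(i: int) -> int:
    """Hash index i into the subgroup, so nobody knows discrete logs between generators."""
    ctr = 0
    while True:
        seed = hashlib.sha256(b"dlrep-gen|%d|%d" % (i, ctr)).digest()
        g = pow(int.from_bytes(seed, "big") % q, k, q)
        if g not in (0, 1):
            return g
        ctr += 1

def commit(attrs, gens):
    """DLREP commitment H = sum_i a_i * P_i (a product of powers in this notation)."""
    H = 1
    for a, g in zip(attrs, gens):
        H = H * pow(g, a, q) % q
    return H

def challenge(H, disclosed, T, context: bytes) -> int:
    """Fiat-Shamir challenge bound to the commitment, disclosed values and context."""
    data = repr((p, q, H, sorted(disclosed.items()), T, context)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p

def show(attrs, gens, reveal, context: bytes):
    """Disclose attrs[i] for i in reveal; prove knowledge of the remaining exponents."""
    H = commit(attrs, gens)
    disclosed = {i: attrs[i] for i in reveal}
    hidden = [i for i in range(len(attrs)) if i not in disclosed]
    r = {i: secrets.randbelow(p) for i in hidden}
    T = 1
    for i in hidden:
        T = T * pow(gens[i], r[i], q) % q
    c = challenge(H, disclosed, T, context)
    s = {i: (r[i] + c * attrs[i]) % p for i in hidden}
    return {"H": H, "disclosed": disclosed, "c": c, "s": s}

def verify(proof, gens, context: bytes) -> bool:
    """Check the disclosed attributes and the proof for the hidden ones against H."""
    H, disclosed, c, s = proof["H"], proof["disclosed"], proof["c"], proof["s"]
    indices = set(range(len(gens)))
    if set(disclosed) & set(s) or set(disclosed) | set(s) != indices:
        return False
    if not 0 < H < q or pow(H, p, q) != 1:  # H must lie in the order-p subgroup
        return False
    rest = H  # H with the disclosed attributes divided out
    for i, a in disclosed.items():
        rest = rest * pow(gens[i], (-a) % p, q) % q
    T = pow(rest, (-c) % p, q)  # recompute T = prod g_i^{s_i} * rest^{-c}
    for i, s_i in s.items():
        T = T * pow(gens[i], s_i, q) % q
    return c == challenge(H, disclosed, T, context)

def linkable(proof_a, proof_b) -> bool:
    """Two showings of the same credential reuse H, so anyone can link them."""
    return proof_a["H"] == proof_b["H"]

if __name__ == "__main__":
    gens = [generator(i) for i in range(4)]
    # Constructed sample attributes; index 0 is a random blinding value, never disclosed.
    attrs = [secrets.randbelow(p), to_scalar(b"name=alice"),
             to_scalar(b"role=attorney"), to_scalar(b"country=AT")]
    first = show(attrs, gens, reveal={2}, context=b"verifier-1|session-1")
    second = show(attrs, gens, reveal={3}, context=b"verifier-2|session-7")
    print(verify(first, gens, b"verifier-1|session-1"), linkable(first, second))
```

The random value at index 0 plays the role of the blinding in the commitment: without it, a verifier could test guesses for low-entropy hidden attributes against H and the disclosed values.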
CL Credentials

- Based on the CL Signature Scheme
  - Signatures are re-randomizable
- Instantiations in the known- and hidden-order group setting
- Group $G$ of prime order $p$ with a bilinear map $e : G \times G \to G_T$.
- A signature $\sigma = (R, A_i, B, B_i, C)$ is interpreted as credential:
  - $\sigma$ for a sequence of $n + 1$ attributes $(a_0, \ldots, a_n) \in \mathbb{Z}_p^{n+1}$,
  - w.r.t. the secret key $(x, y, z_1, \ldots, z_n) \in \mathbb{Z}_p^{n+2}$:
  - $R \xleftarrow{R} G$, $A_i \leftarrow z_i R$, $B \leftarrow yR$, $B_i \leftarrow yA_i$, $C \leftarrow (x + xya_0)R + \sum_{i=1}^{n} xya_iA_i$
- Showing
  - Verify re-randomized signature
  - Prove knowledge of attributes in $C$
  - Multiple showings unlinkable
    - Not needed in our context


Obtaining Non-interactive AC
• Honest-verifier zero-knowledge proofs used upon show
  • e.g., demonstrate knowledge of $x = \log_P Y$ to base $P$
  • ... only reveal that the prover knows $x$
• Non-interactive AC Versions
  • Apply Fiat-Shamir transform [FS] to proofs
  • Non-interactive Proof
  • ... together with proving knowledge of a secret key
  • Secure digital signature in the random oracle model [CLb]
  • Interpreted as the proxy’s signature

Bringing it Together
• Credentials encode a finite set of attributes
  • ... and allow to disclose a subset of the attributes upon showing
• Why not use this for BDS/WHPS?
  • Encode template elements/message space within attributes
  • Provide non-interactive showings
    • Reveal subset of the attributes
    • Prove knowledge of secret key and remaining attributes
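
The non-interactive showing outlined on the "Obtaining Non-interactive AC" and "Bringing it Together" slides, as an added Python example (not code from the talk or its authors): a DLREP commitment $C = sk \cdot P_0 + \sum_i a_i P_i$ is partially opened, and a Fiat-Shamir proof of knowledge of $sk$ and the hidden attributes is bound to a message, so it acts as the proxy's signature. Assumptions: secp256k1 and SHA-256 stand in for the group and the random oracle, all function names are illustrative, and the issuer's signature on $C$ is left out.

```python
import hashlib
import secrets

# Assumption: secp256k1 (y^2 = x^3 + 7 over F_p, prime group order N) stands in for G.
P_FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def add(A, B):
    """Add two affine points; None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def mul(k, A):
    """Double-and-add k*A (not constant time; illustration only)."""
    k, R = k % N, None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def H(*parts):
    """SHA-256 over length-prefixed parts, as an integer (random-oracle stand-in)."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else repr(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")

def generator(label):
    """Try-and-increment hash-to-curve, so nobody knows logs between the P_i."""
    ctr = 0
    while True:
        x = H(b"gen", label, ctr) % P_FIELD
        rhs = (pow(x, 3, P_FIELD) + 7) % P_FIELD
        y = pow(rhs, (P_FIELD + 1) // 4, P_FIELD)
        if y * y % P_FIELD == rhs:
            return (x, y)
        ctr += 1

GENS = [generator(f"P{i}") for i in range(5)]  # P_0 carries sk, P_1..P_4 the attributes

def commit(sk, attrs):
    """DLREP C = sk*P_0 + sum a_i*P_i; the issuer's signature on C is omitted."""
    C = mul(sk, GENS[0])
    for a, Pi in zip(attrs, GENS[1:]):
        C = add(C, mul(a, Pi))
    return C

def challenge(pk, C, disclosed, T1, T2, msg):
    return H(b"show", pk, C, sorted(disclosed.items()), T1, T2, msg) % N

def show(sk, attrs, reveal, msg):
    """Open attrs[i] for i in reveal; prove sk and the rest, bound to msg."""
    disclosed = {i: attrs[i] for i in reveal}
    hidden = [i for i in range(len(attrs)) if i not in disclosed]
    r_sk = secrets.randbelow(N)
    r = {i: secrets.randbelow(N) for i in hidden}
    T1 = mul(r_sk, GENS[0])                  # commitment for pk = sk*P_0
    T2 = T1                                  # commitment for C' (same r_sk)
    for i in hidden:
        T2 = add(T2, mul(r[i], GENS[i + 1]))
    c = challenge(mul(sk, GENS[0]), commit(sk, attrs), disclosed, T1, T2, msg)
    return {"disclosed": disclosed, "c": c, "s_sk": (r_sk + c * sk) % N,
            "s": {i: (r[i] + c * attrs[i]) % N for i in hidden}}

def verify(pk, C, n_attrs, proof, msg):
    """Check the showing against pk and the (issuer-signed) commitment C."""
    disclosed, c, s = proof["disclosed"], proof["c"], proof["s"]
    if sorted(list(disclosed) + list(s)) != list(range(n_attrs)):
        return False                         # every index is either opened or proven
    Cp = C                                   # C' = C - sum of opened a_i*P_i
    for i, a in disclosed.items():
        Cp = add(Cp, mul(-a, GENS[i + 1]))
    sP = mul(proof["s_sk"], GENS[0])
    T1 = add(sP, mul(-c, pk))
    T2 = add(sP, mul(-c, Cp))
    for i in sorted(s):
        T2 = add(T2, mul(s[i], GENS[i + 1]))
    return c == challenge(pk, C, disclosed, T1, T2, msg)

def demo():
    """Constructed data: four attributes, indices 1 and 2 opened."""
    sk, msg = secrets.randbelow(N - 1) + 1, b"message signed by the proxy"
    attrs = [H(b"attr", m) % N for m in (b"a0", b"a1", b"a2", b"a3")]
    pk, C = mul(sk, GENS[0]), commit(sk, attrs)
    proof = show(sk, attrs, [1, 2], msg)
    return (verify(pk, C, 4, proof, msg),
            verify(pk, C, 4, proof, b"a different message"))
```

Because the response `s_sk` is shared by both verification equations, the proof shows that the key behind `pk` is the same value committed under `P_0` in `C`.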

BDS Encoding
• Template uniquely defined by its elements
  • Fixed elements
    • Position $i$ in the template
    • Corresponding message $m_i$
  • Exchangeable elements
    • Position $i$ in the template
    • $j$ messages $m_{i_j}$
• Hashing them together
  • Collision resistant hash function
• Mapping to the attribute domain
  • Template element $\mapsto$ AC attribute

$T = (\{m_{1_1}\}, \{m_{2_1}, m_{2_2}, m_{2_3}\}) \mapsto T^{enc} = (H(m_{1_1} \| 1), H(m_{2_1} \| 2), H(m_{2_2} \| 2), H(m_{2_3} \| 2))$

BDS Encoding (2)
• Template instantiation
  • $M = (m_{1_1}, m_{2_1}) \mapsto (H(m_{1_1} \| 1), H(m_{2_1} \| 2), \square, \square) = M^{enc}$
• Most credential systems implicitly assign order to attributes
  • Template structure may leak
  • Last two attributes are not shown
  • $\Longrightarrow$ exchangeable element has cardinality 3
• Thus apply a secret random permutation $\phi$ to $T^{enc}$
  • $(H(m_{2_2} \| 2), H(m_{2_1} \| 2), H(m_{1_1} \| 1), H(m_{2_3} \| 2))$
• ... and the same permutation $\phi$ to $M^{enc}$
  • $(\square, H(m_{2_1} \| 2), H(m_{1_1} \| 1), \square)$
• Encode number of elements $l$ into first attribute
  • Always opened
  • Ensure that one attribute $m_{i_j}$ is shown for each $1 \le i \le l$
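
The template encoding from the two "BDS Encoding" slides, as an added Python example (not the authors' code): it builds the encoded template, applies the permutation $\phi$ to template and instance alike, and runs the verifier's "one opened attribute per position" check. Assumptions: SHA-256 with a length prefix realizes $H(m \| i)$, hidden slots are `None`, all function names are illustrative, and the credential proof that the opened attributes were actually signed is not shown.

```python
import hashlib
import secrets

def H(message, position):
    """H(m || i): SHA-256 over length-prefixed m and the position i (hex digest)."""
    m = message.encode()
    data = len(m).to_bytes(4, "big") + m + position.to_bytes(4, "big")
    return hashlib.sha256(data).hexdigest()

def encode_template(template, phi=None):
    """T -> (l, phi(T_enc), phi); template[i-1] lists the distinct messages allowed at i."""
    t_enc = [H(m, i) for i, msgs in enumerate(template, start=1) for m in msgs]
    if phi is None:                      # secret random permutation
        phi = list(range(len(t_enc)))
        secrets.SystemRandom().shuffle(phi)
    return len(template), [t_enc[j] for j in phi], phi

def instantiate(template, choice, phi):
    """M -> phi(M_enc): open the chosen message per position, hide the others (None)."""
    if len(choice) != len(template) or any(
            c not in msgs for c, msgs in zip(choice, template)):
        raise ValueError("choice is not an instance of the template")
    m_enc = [H(m, i) if m == choice[i - 1] else None
             for i, msgs in enumerate(template, start=1) for m in msgs]
    return [m_enc[j] for j in phi]

def hidden_slots(m_perm):
    """What any verifier can see: which attribute slots stayed closed."""
    return [k for k, a in enumerate(m_perm) if a is None]

def verify_instance(l, m_perm, message):
    """Exactly one opened attribute per position 1..l, each equal to H(m_i || i)."""
    opened = sorted(a for a in m_perm if a is not None)
    expected = sorted(H(m, i) for i, m in enumerate(message, start=1))
    return len(message) == l and opened == expected

# Constructed template from the slide: one fixed element, one exchangeable
# element with three admissible messages.
T = [["m11"], ["m21", "m22", "m23"]]

def demo():
    identity = [0, 1, 2, 3]              # no permutation: structure leaks
    leak = hidden_slots(instantiate(T, ["m11", "m21"], identity))
    l, _, phi = encode_template(T)       # with a fresh secret permutation
    m_perm = instantiate(T, ["m11", "m21"], phi)
    return leak, verify_instance(l, m_perm, ["m11", "m21"])
```

Without the permutation the closed slots are always the last two, which is exactly the cardinality leak the slide describes; with $\phi$ their positions are random.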

WHPS Encoding
• Message space $M$ defined by contained messages $m_i$
• Encoding a lot simpler
  • No order of messages in the message space
  • Random permutation not needed
  • ... no useful information leaks
• $M = \{m_1, \ldots, m_n\} \mapsto (H(m_1), \ldots, H(m_n))$
• Instantiation: $\{\square, \ldots, \square, \ldots, H(m_i), \ldots, \square\}$

Modeling the Delegation
• Keys compatible with system parameters of used ACs
  • Secret key $sk \in \mathbb{Z}_p^*$
  • Public key $pk = sk \cdot P$ ($P$ generates used group $G$)
• In addition to encoded attributes
  • Incorporate $sk$ as attribute without disclosing it
  • ... by using $pk$ as public commitment
  • Possible for Brands’ and CL credentials
• If not
  • Incorporate public key as attribute
  • Prove knowledge by providing a signature

Security
• Although similar goals
  • BDS and WHPS rely on different security models
  • Correctness notions are compatible
• BDS
  • AC.Unforgeability $\Longrightarrow$ BDS.Unforgeability
  • AC.Unforgeability $\Longrightarrow$ BDS.Immutability
  • AC.SelectiveDisclosure $\Longrightarrow$ BDS.Privacy
• WHPS
  • AC.Unforgeability $\Longrightarrow$ WHPS.Unforgeability
  • AC.SelectiveDisclosure $\Longrightarrow$ WHPS.Privacy

Conclusion
• Performance quite comparable
  • Linear signature sizes in our constructions
  • Templates quite small in most practical use cases
• Multiple implementations of Brands’ and CL credentials
  • e.g. EU Project ABC4Trust
  • Basis for practical implementations
  • Flexibility regarding underlying constructions
• First approach to build special signature schemes from AC
  • Inspiration for other constructions
  • Proposed encoding might also be useful for AC

Thank you.
Extended Version: http://eprint.iacr.org/2014/285

[Bra00] Stefan Brands. Rethinking Public-Key Infrastructures and Digital Certificates: Building in Privacy. MIT Press, 2000.
[CLa] Jan Camenisch and Anna Lysyanskaya. Signature Schemes and Anonymous Credentials from Bilinear Maps. In CRYPTO’04, volume 3152 of LNCS, pages 56–72.
[CLb] Melissa Chase and Anna Lysyanskaya. On Signatures of Knowledge. In CRYPTO’06, volume 4117 of LNCS, pages 78–96.
[FS] Amos Fiat and Adi Shamir. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In CRYPTO’87, volume 263 of LNCS, pages 186–194.
[HSa] Christian Hanser and Daniel Slamanig. Blank Digital Signatures. In ACM ASIACCS’13, pages 95–106. ACM. ext.: IACR ePrint 2013/130.
[HSb] Christian Hanser and Daniel Slamanig. Warrant-Hiding Delegation-by-Certificate Proxy Signature Schemes. In INDOCRYPT’13, volume 8250 of LNCS. ext.: IACR ePrint 2013/544.