Fast Keyed-Verification Anonymous Credentials on Standard Smart Cards

Cryptographic anonymous credential schemes allow users to prove their personal attributes, such as age, nationality, or the validity of a ticket or a pre-paid pass, while preserving their privacy, as such proofs are unlinkable and attributes can be selectively disclosed. Recently, Chase et al. (CCS 2014) observe that in such systems, a typical setup is that the credential issuer also serves as the verifier. They introduce keyed-verification credentials that are tailored to this setting. In this paper, we present a novel keyed-verification credential system designed for lightweight devices (primarily smart cards) and prove its security. By using a novel algebraic MAC based on Boneh-Boyen signatures, we achieve the most efficient proving protocol compared to existing schemes. To demonstrate the practicality of our scheme in real applications, including large-scale services such as public transportation or e-government, we present an implementation on a standard, off-the-shelf, Multos smart card. While using significantly higher security parameters than most existing implementations, we achieve performance that is more than 44 % better than the current state-of-the-art implementation

Orca: Blocklisting in Sender-Anonymous Messaging

Sender-anonymous end-to-end encrypted messaging allows sending messages to a recipient without revealing the sender’s identity to the messaging platform. Signal recently introduced a sender anonymity feature that includes an abuse mitigation mechanism meant to allow the platform to block malicious senders on behalf of a recipient. We explore the tension between sender anonymity and abuse mitigation. We start by showing limitations of Signal’s deployed mechanism, observing that it results in relatively weak anonymity properties and showing a new griefing attack that allows a malicious sender to drain a victim’s battery. We therefore design a new protocol, called Orca, that allows recipients to register a privacy-preserving blocklist with the platform. Without learning the sender’s identity, the platform can check that the sender is not on the blocklist and that the sender can be identified by the recipient. We construct Orca using a new type of group signature scheme, for which we give formal security notions. Our prototype implementation showcases Orca’s practicality

Cryptographic Protection of Digital Identity

Dizertační práce se zabývá kryptografickými schématy zvyšující ochranu soukromí uživatelů v systémech řízení přístupu a sběru dat. V současnosti jsou systémy fyzického řízení přístupu na bázi čipových karet využívány téměř dennodenně většinou z nás, například v zaměstnání, ve veřejné dopravě a v hotelech. Tyto systémy však stále neposkytují dostatečnou kryptografickou ochranu a tedy bezpečnost. Uživatelské identifikátory a klíče lze snadno odposlechnout a padělat. Funkce, které by zajišťovaly ochranu soukromí uživatele, téměř vždy chybí. Proto je zde reálné riziko možného sledovaní lidí, jejich pohybu a chovaní. Poskytovatelé služeb nebo případní útočníci, kteří odposlouchávají komunikaci, mohou vytvářet profily uživatelů, ví, co dělají, kde se pohybují a o co se zajímají. Za účelem zlepšení tohoto stavu jsme navrhli čtyři nová kryptografická schémata založená na efektivních důkazech s nulovou znalostí a kryptografii eliptických křivek. Konkrétně dizertační práce prezentuje tři nová autentizační schémata pro využití v systémech řízení přístupu a jedno nové schéma pro využití v systémech sběru dat. První schéma využívá distribuovaný autentizační přístup vyžadující spolupráci více RFID prvků v autentizačním procesu. Tato vlastnost je výhodná zvláště v případech řízení přístupu do nebezpečných prostor, kdy pro povolení přístupu uživatele je nezbytné, aby byl uživatel vybaven ochrannými pomůckami (se zabudovanými RFID prvky). Další dvě schémata jsou založena na atributovém způsobu ověření, tj. schémata umožňují anonymně prokázat vlastnictví atributů uživatele, jako je věk, občanství a pohlaví. Zatím co jedno schéma implementuje efektivní revokační a identifikační mechanismy, druhé schéma poskytuje nejrychlejší verifikaci držení uživatelských atributů ze všech současných řešení. Poslední, čtvrté schéma reprezentuje schéma krátkého skupinového podpisu pro scénář sběru dat. Schémata sběru dat se používají pro bezpečný a spolehlivý přenos dat ze vzdálených uzlů do řídící jednotky. S rostoucím významem chytrých měřičů v energetice, inteligentních zařízení v domácnostech a rozličných senzorových sítí, se potřeba bezpečných systémů sběru dat stává velmi naléhavou. Tato schémata musí podporovat nejen standardní bezpečnostní funkce, jako je důvěrnost a autentičnost přenášených dat, ale také funkce nové, jako je silná ochrana soukromí a identity uživatele či identifikace škodlivých uživatelů. Navržená schémata jsou prokazatelně bezpečná a nabízí celou řadu funkcí rozšiřující ochranu soukromí a identity uživatele, jmenovitě se pak jedná o zajištění anonymity, nesledovatelnosti a nespojitelnosti jednotlivých relací uživatele. Kromě úplné kryptografické specifikace a bezpečnostní analýzy navržených schémat, obsahuje tato práce také výsledky měření implementací jednotlivých schémat na v současnosti nejpoužívanějších zařízeních v oblasti řízení přístupu a sběru dat.The doctoral thesis deals with privacy-preserving cryptographic schemes in access control and data collection areas. Currently, card-based physical access control systems are used by most people on a daily basis, for example, at work, in public transportation and at hotels. However, these systems have often very poor cryptographic protection. For instance, user identifiers and keys can be easily eavesdropped and counterfeited. Furthermore, privacy-preserving features are almost missing and, therefore, user’s movement and behavior can by easily tracked. Service providers (and even eavesdroppers) can profile users, know what they do, where they go, and what they are interested in. In order to improve this state, we propose four novel cryptographic schemes based on efficient zero-knowledge proofs and elliptic curve cryptography. In particular, the thesis presents three novel privacy-friendly authentication schemes for access control and one for data collection application scenarios. The first scheme supports distributed multi-device authentication with multiple Radio-Frequency IDentification (RFID) user’s devices. This feature is particularly important in applications for controlling access to dangerous areas where the presence of protective equipment is checked during each access control session. The other two presented schemes use attribute-based approach to protect user’s privacy, i.e. these schemes allow users to anonymously prove the ownership of their attributes, such as age, citizenship, and gender. While one of our scheme brings efficient revocation and identification mechanisms, the other one provides the fastest authentication phase among the current state of the art solutions. The last (fourth) proposed scheme is a novel short group signature scheme for data collection scenarios. Data collection schemes are used for secure and reliable data transfer from multiple remote nodes to a central unit. With the increasing importance of smart meters in energy distribution, smart house installations and various sensor networks, the need for secure data collection schemes becomes very urgent. Such schemes must provide standard security features, such as confidentiality and authenticity of transferred data, as well as novel features, such as strong protection of user’s privacy and identification of malicious users. The proposed schemes are provably secure and provide the full set of privacy-enhancing features, namely anonymity, untraceability and unlinkability of users. Besides the full cryptographic specification and security analysis, we also show the results of our implementations on devices commonly used in access control and data collection applications.

Anonymous Attribute-Based Credentials in Collaborative Indoor Positioning Systems

Collaborative Indoor Positioning Systems have recently received considerable attention, mainly because they address some of the existing limitations of traditional Indoor Positioning System. In Collaborative Indoor Positioning Systems, Bluetooth Low Energy can be used to exchange positioning data and provide information (the Received Signal Strength Indicator) to establish the relative distance between the actors. The collaborative models exploit the position of actors and the relative position among them to allow positioning to external actors or improve the accuracy of the existing actors. However, the traditional protocols (e.g. iBeacon) are not yet ready for providing sufficient privacy protection. Therefore, this paper deals with privacy-enhancing technologies and their application in Collaborative Indoor Positioning System. In particular, we focus on cryptographic schemes which allow the verification of users without their identification, so-called Anonymous Attribute-Based Credentials schemes. As the main contribution, we present a cryptographic scheme that allows security and privacy-friendly sharing of location information sent through Bluetooth Low Energy advertising packets. In order to demonstrate the practicality of our scheme, we also present the results from our implementation and benchmarks on different devices

Proofs of discrete logarithm equality across groups

We provide a $\Sigma$-protocol for proving that two values committed in different groups are equal. We study our protocol in Lyubashevsky\u27s framework Fiat-Shamir with aborts (Asiacrypt’09) and offer concrete parameters for instantiating it. We explain how to use it to compose SNARKs with $\Sigma$-protocols, create efficient proofs of solvency on cryptocurrencies, and join of attributes across different anonymous credentials

WabiSabi: Centrally Coordinated CoinJoins with Variable Amounts

Bitcoin transfers value on a public ledger of transactions anyone can verify. Coin ownership is defined in terms of public keys. Despite potential use for private transfers, research has shown that users’ activity can often be traced in practice. Businesses have been built on dragnet surveillance of Bitcoin users because of this lack of strong privacy, which harms its fungibility, a basic property of functional money. Although the public nature of this design lacks strong guarantees for privacy, it does not rule it out. A number of methods have been proposed to strengthen privacy. Among these is CoinJoin, an approach based on multiparty transactions that can introduce ambiguity and break common assumptions that underlie heuristics used for deanonymization. Existing implementations of CoinJoin have several limitations which may partly explain the lack of their widespread adoption. This work introduces WabiSabi, a new protocol for centrally coordinated CoinJoin implementations utilizing keyed verification anonymous credentials and homomorphic value commitments. This improves earlier approaches which utilize blind signatures in both privacy and flexibility, enabling novel use cases and reduced overhead

Efficient Zero-Knowledge Proof of Algebraic and Non-Algebraic Statements with Applications to Privacy Preserving Credentials

Practical anonymous credential systems are generally built around sigma-protocol ZK proofs. This requires that credentials be based on specially formed signatures. Here we ask whether we can instead use a standard (say, RSA, or (EC)DSA) signature that includes formatting and hashing messages, as a credential, and still provide privacy. Existing techniques do not provide efficient solutions for proving knowledge of such a signature: On the one hand, ZK proofs based on garbled circuits (Jawurek et al. 2013) give efficient proofs for checking formatting of messages and evaluating hash functions. On the other hand they are expensive for checking algebraic relations such as RSA or discrete-log, which can be done efficiently with sigma protocols. We design new constructions obtaining the best of both worlds: combining the efficiency of the garbled circuit approach for non-algebraic statements and that of sigma protocols for algebraic ones. We then discuss how to use these as building-blocks to construct privacy-preserving credential systems based on standard RSA and (EC)DSA signatures. Other applications of our techniques include anonymous credentials with more complex policies, the ability to efficiently switch between commitments (and signatures) in different groups, and secure two-party computation on committed/signed inputs

Lox: Protecting the Social Graph in Bridge Distribution

Access to the open Internet, free from surveillance and censorship, is an important part of fulfilling the right to privacy. Despite this, in many regions of the world, censorship of the Internet is used to limit access to information, monitor the activity of Internet users and quash dissent. Where access to the Internet is heavily censored, anti-censorship proxies, or bridges, can offer a connection to journalists, dissidents and members of oppressed groups who seek access to the Internet beyond a censor's area of influence. Bridges are an anti-censorship tool that can provide users inside censored regions with a link to the open Internet. Using bridges as an anti-censorship tool is fraught with risks for users inside the censored region who may face persecution if they are discovered using or requesting bridges. Bridge distribution systems that are built for widespread public distribution of bridges face the inherently conflicting issues of extending bridges to unknown users when some of them may be malicious. If not designed with care, bridge distribution systems can be quickly compromised or overwhelmed by attacks from censors and their automated agents and leak user and usage data, undermining the integrity of the system and the safety of users. It is therefore crucial to prioritize protecting users when developing such systems. In this work, we take a holistic and realistic view of the bridge distribution problem. We analyze known threats to deployed bridge distribution systems, (i.e., The Tor Project's BridgeDB), and combine insights from prior work to create a new bridge distribution system. To this end, we propose Lox, a bridge distribution system that is open to anyone while also leveraging users' trust networks to distribute bridges. Lox protects the privacy of users and their social graphs and limits the malicious behaviour of censors. We use an updated unlinkable multi-show anonymous credential scheme, suitable for a single credential issuer and verifier, to protect bridge users and their social networks from being identified by malicious actors. We formalize a trust level scheme that is compatible with anonymous credentials and effectively limits malicious behaviour while maintaining user anonymity. Our work includes a full system design of Lox, as well as an implementation of each of Lox's protocols. We evaluate the efficiency of our Lox protocols and show that they have reasonable performance and latency for the expected user base of our system, thus demonstrating Lox as a practical bridge distribution system