Off-line Digital Cash Schemes Providing Unlinkability, Anonymity and Change

Several ecash systems have been proposed in the last twenty years or so, each offering features similar to real cash. One feature which to date has not been provided is that of a payee giving change to a payer for an e-coin in an off-line setting. In this paper, we indicate how an off-line ecash system can solve the change-giving problem. In addition, our protocol provides the usual expected features of anonymity and unlinkability of the payer, but can reveal the identity of an individual who illegally tries to spend ecash twice

Authentication Protocols and Privacy Protection

Tato dizertační práce se zabývá kryptografickými prostředky pro autentizaci. Hlavním tématem však nejsou klasické autentizační protokoly, které nabízejí pouze ověření identity, ale tzv. atributové autentizační systémy, pomocí kterých mohou uživatelé prokazovat svoje osobní atributy. Tyto atributy pak mohou představovat jakékoliv osobní informace, např. věk, národnost či místo narození. Atributy mohou být prokazovány anonymně a s podporou mnoha funkcí na ochranu digitální identity. Mezi takové funkce patří např. nespojitelnost autentizačních relací, nesledovatelnost, možnost výběru prokazovaných atributů či efektivní revokace. Atributové autentizační systémy jsou již nyní považovány za nástupce současných systémů v oficiálních strategických plánech USA (NSTIC) či EU (ENISA). Část požadovaných funkcí je již podporována existujícími kryptografickými koncepty jako jsou U-Prove či idemix. V současné době však není známý systém, který by poskytoval všechny potřebné funkce na ochranu digitální identity a zároveň byl prakticky implementovatelný na zařízeních, jako jsou čipové karty. Mezi klíčové slabiny současných systémů patří především chybějící nespojitelnost relací a absence revokace. Není tak možné efektivně zneplatnit zaniklé uživatele, ztracené či ukradené autentizační karty či karty škodlivých uživatelů. Z těchto důvodů je v této práci navrženo kryptografické schéma, které řeší slabiny nalezené při analýze existujících řešení. Výsledné schéma, jehož návrh je založen na ověřených primitivech, jako jsou $\Sigma$-protokoly pro důkazy znalostí, kryptografické závazky či ověřitelné šifrování, pak podporuje všechny požadované vlastnosti pro ochranu soukromí a digitální identity. Zároveň je však návrh snadno implementovatelný v prostředí smart-karet. Tato práce obsahuje plný kryptografický návrh systému, formální ověření klíčových vlastností, matematický model schématu v programu Mathematica pro ověření funkčnosti a výsledky experimentální implementace v prostředí .NET smart-karet. I přesto, že navrhovaný systém obsahuje podporu všech funkcí na ochranu soukromí, včetně těch, které chybí u existujících systémů, jeho výpočetní složitost zůstává stejná či nižší, doba ověření uživatele je tedy kratší než u existujících systémů. Výsledkem je schéma, které může velmi znatelně zvýšit ochranu soukromí uživatelů při jejich ověřování, především při využití v elektronických dokladech, přístupových systémech či Internetových službách.This dissertation thesis deals with the cryptographic constructions for user authentication. Rather than classical authentication protocols which allow only the identity verification, the attribute authentication systems are the main topic of this thesis. The attribute authentication systems allow users to give proofs about the possession of personal attributes. These attributes can represent any personal information, for example age, nationality or birthplace. The attribute ownership can be proven anonymously and with the support of many features for digital identity protection. These features include, e.g., the unlinkability of verification sessions, untraceability, selective disclosure of attributes or efficient revocation. Currently, the attribute authentication systems are considered to be the successors of existing authentication systems by the official strategies of USA (NSTIC) and EU (ENISA). The necessary features are partially provided by existing cryptographic concepts like U-Prove and idemix. But at this moment, there is no system providing all privacy-enhancing features which is implementable on computationally restricted devices like smart-cards. Among all weaknesses of existing systems, the missing unlinkability of verification sessions and the absence of practical revocation are the most critical ones. Without these features, it is currently impossible to invalidate expired users, lost or stolen authentication cards and cards of malicious users. Therefore, a new cryptographic scheme is proposed in this thesis to fix the weaknesses of existing schemes. The resulting scheme, which is based on established primitives like $\Sigma$-protocols for proofs of knowledge, cryptographic commitments and verifiable encryption, supports all privacy-enhancing features. At the same time, the scheme is easily implementable on smart-cards. This thesis includes the full cryptographic specification, the formal verification of key properties, the mathematical model for functional verification in Mathematica software and the experimental implementation on .NET smart-cards. Although the scheme supports all privacy-enhancing features which are missing in related work, the computational complexity is the same or lower, thus the time of verification is shorter than in existing systems. With all these features and properties, the resulting scheme can significantly improve the privacy of users during their verification, especially when used in electronic ID systems, access systems or Internet services.

Nirvana: Instant and Anonymous Payment-Guarantees

Given the high transaction confirmation latencies in public blockchains, cryptocurrencies such as Bitcoin, Ethereum, etc. are not yet suitable to support real-time services such as transactions on retail markets. There are several solutions to address this latency problem, with layer-2 solutions being the most promising ones. Existing layer-2 solutions, however, suffer from privacy and/or collateral issues when applied to retail environments where customer-merchant relationships are usually ephemeral. In this paper, we propose Nirvana, that can be combined with existing cryptocurrencies to provide instant, anonymous and unlinkable payment guarantees. Nirvana does not require any trusted third party. It conceals the identities of honest participants, thus ensuring customer anonymity within the system while only relying on efficient Groth-Sahai proof systems. We introduce a novel randomness-reusable threshold encryption that mitigates double-spending by revealing the identities of malicious users. We formally prove how our scheme provides customer anonymity, unlinkability of transactions and payment guarantees to merchants. Our experiments demonstrate that Nirvana allows for fast (zero-confirmation) global payments in a retail setting with a delay of less than $1.7$ seconds

Unlinkable content playbacks in a multiparty DRM system

We present a solution to the problem of privacy invasion in a multiparty digital rights management scheme. (Roaming) users buy content licenses from a content provider and execute it at any nearby content distributor. Our approach, which does not need any trusted third party--in contrast to most related work on privacy-preserving DRM--is based on a re-encryption scheme that runs on any mobile Android device. Only a minor security-critical part needs to be performed on the device's smartcard which could, for instance, be a SIM card

A Practical Set-Membership Proof for Privacy-Preserving NFC Mobile Ticketing

To ensure the privacy of users in transport systems, researchers are working on new protocols providing the best security guarantees while respecting functional requirements of transport operators. In this paper, we design a secure NFC m-ticketing protocol for public transport that preserves users' anonymity and prevents transport operators from tracing their customers' trips. To this end, we introduce a new practical set-membership proof that does not require provers nor verifiers (but in a specific scenario for verifiers) to perform pairing computations. It is therefore particularly suitable for our (ticketing) setting where provers hold SIM/UICC cards that do not support such costly computations. We also propose several optimizations of Boneh-Boyen type signature schemes, which are of independent interest, increasing their performance and efficiency during NFC transactions. Our m-ticketing protocol offers greater flexibility compared to previous solutions as it enables the post-payment and the off-line validation of m-tickets. By implementing a prototype using a standard NFC SIM card, we show that it fulfils the stringent functional requirement imposed by transport operators whilst using strong security parameters. In particular, a validation can be completed in 184.25 ms when the mobile is switched on, and in 266.52 ms when the mobile is switched off or its battery is flat

Data Minimisation in Communication Protocols: A Formal Analysis Framework and Application to Identity Management

With the growing amount of personal information exchanged over the Internet, privacy is becoming more and more a concern for users. One of the key principles in protecting privacy is data minimisation. This principle requires that only the minimum amount of information necessary to accomplish a certain goal is collected and processed. "Privacy-enhancing" communication protocols have been proposed to guarantee data minimisation in a wide range of applications. However, currently there is no satisfactory way to assess and compare the privacy they offer in a precise way: existing analyses are either too informal and high-level, or specific for one particular system. In this work, we propose a general formal framework to analyse and compare communication protocols with respect to privacy by data minimisation. Privacy requirements are formalised independent of a particular protocol in terms of the knowledge of (coalitions of) actors in a three-layer model of personal information. These requirements are then verified automatically for particular protocols by computing this knowledge from a description of their communication. We validate our framework in an identity management (IdM) case study. As IdM systems are used more and more to satisfy the increasing need for reliable on-line identification and authentication, privacy is becoming an increasingly critical issue. We use our framework to analyse and compare four identity management systems. Finally, we discuss the completeness and (re)usability of the proposed framework

A formal analysis of the mimblewimble cryptocurrency protocol with a security approach

A cryptocurrency is a digital currency that can be exchanged online for goods and services. Cryptocurrencies are deployed over public blockchains which have the transactions duplicated and distributed across the nodes of a computer network. This decentralized mechanism is devised in order to achieve reliability in a network consisting of unreliable nodes. Privacy, anonymity and security have become crucial in this context. For that reason, formal and mathematical approaches are gaining popularity in order to guarantee the correctness of the cryptocurrency implementations. Mimblewimble is a privacy-oriented cryptocurrency technology which provides security and scalability properties that distinguish it from other protocols of its kind. It was proposed by an anonymous developer, who posted a link to a text file on the IRC channel by the name Tom Elvis Jedusor (french name for Voldemort) in mid-2016. Mimblewimble’s cryptographic approach is based on Elliptic Curve Cryptography which allows to verify a transaction without revealing any information about the transactional amount or the parties involved. Mimblewimble combines Confidential transactions, CoinJoin and cut-through to achieve a higher level of privacy and security, as well as, scalability. In this thesis, we present and discuss these security properties and outline the basis of a model-driven verification approach to address the certification of the correctness of the protocol implementations. In particular, we propose an idealized model that is key in the described verification process. The main components of our idealized model are transactions, blocks and chain. Then, we identify and precisely state the conditions for our model to ensure the verification of relevant security properties of Mimblewimble. In addition, we analyze the Grin and Beam implementations of Mimblewimble in their current state of development. We present detailed connections between our model and their implementations regarding the Mimblewimble structure and its security properties

Reusable, Instant and Private Payment Guarantees for Cryptocurrencies

Despite offering numerous advantages, public decentralized cryptocurrencies such as Bitcoin suffer from scalability issues such as high transaction latency and low throughput. The vast array of so-called Layer-2 solutions tackling the scalability problem focus on throughput, and consider latency as a secondary objective. However, in the context of retail payments, instant finality of transactions is arguably a more pressing concern, besides the overarching concern for privacy. In this paper, we provide an overlay network that allows privacy-friendly low latency payments in a retail market. Our approach follows that of a recent work called Snappy, which achieved low latency but exposed identities of customers and their transaction histories. Our construction ensures this data is kept private, while providing merchants with protection against double-spending attacks. Although our system is still based upon customers registering with a collateral, crucially this collateral is reusable over time. The technical novelty of our work comes from randomness-reusable threshold encryption (RRTE), a cryptographic primitive we designed specifically for the following features: our construction provably guarantees payments to merchants, preserves the secret identity of honest customers and prevents their transactions from being linked. We also present an implementation of our construction, showing its capacity for fast global payments in a retail setting with a delay of less than 1 second

Unlinkable Divisible Digital Cash without Trusted Third Party

We present an efficient divisible digital cash scheme which is unlinkable and does not require Trusted Third Party. The size of the coin is proportional to the size of the primes we use, i.e., hundreds of bytes. The computational and communication complexity of the protocol is proportional to a polynomial of the size of the primes and polylogarithm of the maximum number of pieces to which a coin can be subdivided