privacy enhancing technologiesjhh/secsem/2015/pets-introduction.pdf · jaap-henk hoepman // radboud...
TRANSCRIPT
![Page 1: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/1.jpg)
Jaap-Henk Hoepman
Digital Security (DS)Radboud University Nijmegen, the Netherlands
@xotoxot // [email protected] // www.cs.ru.nl/~jhh
Privacy Enhancing TechnologiesAn Introduction
![Page 2: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/2.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Schedule
14-2-2014 // Privacy: an overview 2
![Page 3: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/3.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Agenda
Properties
● Anonymity
● Untraceability
● Unlinkability
Strategies & patterns
PETs
● Remailers
● Blind signatures
● Group signatures
● Zero knowledge protocols
● Credentials/pseudonyms
28-02-2014 // Privacy Enhancing Technologies 3
![Page 4: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/4.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Properties
Anonimity (vs pseudonymity)
● K-anonimity
Untraceability
Unlinkability
28-02-2014 // Privacy Enhancing Technologies 4
![Page 5: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/5.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Privacy design strategies
28-02-2014 // Privacy Enhancing Technologies 5
![Page 6: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/6.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Software development cycle
28-02-2014 // Privacy Enhancing Technologies 6
ConceptDevelopment
Implemen-tation
Privacy enhancing technologies
![Page 7: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/7.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Levels of abstraction
Design strategy
● “A basic method to achieve a particular design
goal” – that has certain properties that allow it to
be distinguished from other basic design strategies
Design pattern
● “Commonly recurring structure to solve a general
design problem within a particular context”
(Privacy enhancing) technology
● “A coherent set of ICT measures that protects
privacy” – implemented using concrete technology
28-02-2014 // Privacy Enhancing Technologies 7
![Page 8: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/8.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Data protection law
Core principles
● Data minimisation
● Purpose limitation
● Proportionality
● Subsidiarity
● Data subject rights: consent, (re)view
● Adequate protection
● (Provable) Compliance
28-02-2014 // Privacy Enhancing Technologies 8
![Page 9: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/9.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
ag
gre
gate
minimise
se
para
te
hide
inform control
enforcedemonstrate
28-02-2014 // Privacy Enhancing Technologies 9
![Page 10: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/10.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
8 privacy design strategies
Minimise
● The amount of PII should be minimal
Separate
● Process PII in a distributed fashion
Aggregate
● Process PII in the least possible detail
Hide
● PII should not be stored in plain view
Enforce
● A privacy policy should be in place and be enforced
Inform
● Subjects should be informed when PII is processed
Control
● Subjects should have control over when/how PII is processed
Demonstrate
● Compliance to policies and legal requirements must be demonstrated
28-02-2014 // Privacy Enhancing Technologies 10
![Page 11: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/11.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
What about design patterns?
28-02-2014 // Privacy Enhancing Technologies 11
Strategy Patterns Coverage
Minimise Select before you collect,
anonymisation, ….
Separate Distribute, sector-specific pseudonyms
Aggregate Data fuzzing; coarse-grained location
Hide Encryption, onion routing, …..
Enforce Access control, privacy licenses
Inform P3P (?)
Control Informed consent (?)
Demonstrate Privacy management system, logging
![Page 12: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/12.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Preventing traffic analysis
28-02-2014 // Privacy Enhancing Technologies 12
![Page 13: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/13.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Traffic analysis
What does adversary control?
● Entry point
● Exit point
● Intermediate nodes
● Intermediate links
28-02-2014 // Privacy Enhancing Technologies 13
![Page 14: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/14.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Simple remailing
Type 0
● Anon.penet.fi
Type I (= encrypt mail; then type 0)
● Cypherpunks
Type II
● Mixmaster
28-02-2014 // Privacy Enhancing Technologies 14
![Page 15: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/15.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 15
![Page 16: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/16.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 16
![Page 17: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/17.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 17
![Page 18: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/18.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Attacks
28-02-2014 // Privacy Enhancing Technologies 18
![Page 19: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/19.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Attacks
Trace long messages
● Packet counting
Saturate network to detect messages
● Traffic shaping
Statistical attacks
● Latency attack
● Clogging attack:
is C on a route to E?
28-02-2014 // Privacy Enhancing Technologies 19
![Page 20: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/20.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Dining cryptographers
28-02-2014 // Privacy Enhancing Technologies 20
![Page 21: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/21.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Setup
28-02-2014 // Privacy Enhancing Technologies 21
0 1
1
![Page 22: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/22.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Sending a 1
28-02-2014 // Privacy Enhancing Technologies 22
0 1
1
1
𝑣𝑎𝑙𝑢𝑒 ⊕ (𝑙𝑒𝑓𝑡 ⊕ 𝑟𝑖𝑔ℎ𝑡)
1 = 1⊕ (1⊕ 1)1 = 0⊕ 1
1 = 0⊕ 1
𝑣𝑎𝑙𝑢𝑒 = ⨁𝑖𝑏𝑖𝑡𝑖 = 1⊕ 1⊕ 1 = 1
![Page 23: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/23.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Questions
Why does this work?
● Because each left or right bit happens twice in the
final sum and is cancelled out using the xor
What can go wrong?
● Collisions
● Last broadcaster can force value
28-02-2014 // Privacy Enhancing Technologies 23
![Page 24: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/24.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Blind signatures & anonymous e-cash
28-02-2014 // Privacy Enhancing Technologies 24
![Page 25: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/25.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 25
Blind signatures: Digicash
issuer acquirer
mo
ney
flo
at
clearing & settlement
![Page 26: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/26.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Blind signature
28-02-2014 // Privacy Enhancing Technologies 26
![Page 27: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/27.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 27
DigiCash offline coin
jan jansen
blind signature
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
coin number
1 $
jan jansen
jan jansen
01001001.. 10100011..
zdd 01001001.. + 10100011.. = Jan Jansen
![Page 28: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/28.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 28
Coin deposit
jan jansen
blind signature
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
coin number
1 $
jan jansen
jan jansen
random
L,R,R,R,L,L, ..
merchant bank
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
coin number
1 $
jan jansen
jan jansen
![Page 29: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/29.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 29
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
coin number
1 $
jan jansen
jan jansen
Same coin deposit
jan jansen
blind signature
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
coin number
1 $
jan jansen
jan jansen
random
L,R,L,R,L,L, ..
merchant bank
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
jan jansen
coin number
1 $
jan jansen
jan jansen
jan jansen
privacy revoked!
![Page 30: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/30.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Zero-knowledge protocols
28-02-2014 // Privacy Enhancing Technologies 30
![Page 31: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/31.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Zero knowledge
The cave of Ali Baba
28-02-2014 // Privacy Enhancing Technologies 31
![Page 32: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/32.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Proofs of knowledge
Completeness
● Verifier accepts the proof if the assertion is true
● Assumption: the parties follow the protocol
Soundness
● If the fact is false, the verifier rejects the proof
● Assumption: the parties follow the protocol
Zero knowledge
● No information about the prover’s private input is revealed to the verifier
● The verifier cannot convince a third party of the correctness of the assertion
28-02-2014 // Privacy Enhancing Technologies 32
![Page 33: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/33.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Schnorr protocol
Cyclic group G with generator g
28-02-2014 // Privacy Enhancing Technologies 33
![Page 34: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/34.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Completeness?
Soundness?
Zero knowledge?
28-02-2014 // Privacy Enhancing Technologies 34
![Page 35: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/35.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Questions?
28-02-2014 // Privacy Enhancing Technologies
[email protected], [email protected] , www.cs.ru.nl/~jhh
35
![Page 36: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/36.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Private handshaking
28-02-2014 // Privacy Enhancing Technologies 36
![Page 37: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/37.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 37
Spot the Fed
![Page 38: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/38.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 38
Private handshake
![Page 39: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/39.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Requirements
28-02-2014 // Privacy Enhancing Technologies 39
![Page 40: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/40.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Protocol
28-02-2014 // Privacy Enhancing Technologies 40
![Page 41: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/41.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Attribute based credentials
28-02-2014// Privacy Enhancing Technologies 41
![Page 42: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/42.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 42
![Page 43: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/43.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Typical system
28-02-2014 // Privacy Enhancing Technologies 43
Credential Issuers
User Relying Parties
Scheme Authority
Token Provider
Token
Unforgeability
Non transferability
Unlinkability
Revocatability
![Page 44: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/44.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
How to implement a credential?
Anonymous credentials: 3 techniques
● Use a different one each time
Uprove (Microsoft)
● Prove knowledge of credential
Idemix (IBM)
● Randomise credential each time
Self-blindable (RU)
28-02-2014 // Privacy Enhancing Technologies 44
![Page 45: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/45.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Self blindable credentials
28-02-2014 // Privacy Enhancing Technologies
Credential Authority (CA)
User (P) Merchant (V)
> 18
45
![Page 46: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/46.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Self blindable credentials
28-02-2014 // Privacy Enhancing Technologies
User (P) Merchant (V)
> 18> 18> 18
46
![Page 47: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/47.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Cryptographic implementation
Elliptic curve cryptography
● Points 𝑃 on a curve 𝐸.
● 𝑥𝑃 : multiplying point 𝑃 with scalar 𝑥 ∈ ℤ𝑝.
● CDH assumption: given 𝑥𝑃 and 𝑃 it is hard to compute
𝑥. (Note: division by 𝑥 is easy!).
Pairing / bilinear map e: 𝐺1 × 𝐺2 → 𝐺𝑇● 𝑒 𝑥𝑃, 𝑦𝑄 = 𝑒(𝑃, 𝑄)𝑥𝑦
● DDH now is easy: 𝑒 𝑥𝑃, 𝑦𝑃 = 𝑒 𝑃, 𝑧𝑃 ?
● Type 3: no computably homomorphism 𝜙:𝐺2 → 𝐺1
Public system parameters
● 𝑃 ∈ 𝐸[𝐹𝑝], 𝑄 ∈ 𝐸[𝐹𝑝𝑘], 𝑒
28-02-2014 // Privacy Enhancing Technologies 47
![Page 48: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/48.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Schnorr
Zero knowledge proof of DL of 𝑋 = 𝑥𝑃
● Prover commits to 𝑅 = 𝑟𝑃 for random 𝑟 ∈ 𝐹𝑝
● Verifier sends random challenge 𝑐 < 𝑝
● Prover sends 𝑠 = 𝑟 + 𝑥𝑐; Verifier checks 𝑅 = 𝑠𝑃 − 𝑐𝑋
Signature on message 𝑚
● Signer commits to 𝑅 = 𝑟𝑃 for random 𝑟 ∈ 𝐹𝑝
● Signer computes 𝑐 = 𝐻(𝑅|𝑚) and 𝑠 = 𝑟 + 𝑥𝑐
● Signature 𝜎 = 𝑅, 𝑐, 𝑠
● To verify, take 𝑅 and 𝑚 to compute 𝑐. Then check 𝑅 = 𝑠𝑃 − 𝑐𝑋
28-02-2014 // Privacy Enhancing Technologies 48
![Page 49: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/49.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Keys and certificates
28-02-2014 // Privacy Enhancing Technologies
Issuer Prover
Private key 𝒂 𝒌
Public key 𝐴 = 𝑎𝑄 𝐾 = 𝑘𝑃
Certificate 𝐶 = 𝑎𝐾
49
![Page 50: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/50.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Basic protocol
28-02-2014 // Privacy Enhancing Technologies 50
![Page 51: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/51.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Basic protocol
28-02-2014 // Privacy Enhancing Technologies 51
![Page 52: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/52.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen //
Problems with basic protocol
Smart card must be highly secure
● Compromise of a single card (or private key 𝑘𝑖)
allows one to create credentials for everyone
No known way to revoke cards
● Published protocols are insecure because they
make users traceable
28-02-2014 // Privacy Enhancing Technologies
𝐶𝑗 = 𝑘𝑗 (𝐶𝑖𝑘𝑖)
52
![Page 53: Privacy Enhancing Technologiesjhh/secsem/2015/PETs-introduction.pdf · Jaap-Henk Hoepman // Radboud University Nijmegen // 8 privacy design strategies Minimise The amount of PII should](https://reader034.vdocument.in/reader034/viewer/2022051511/6020b6fb01603554fd093ceb/html5/thumbnails/53.jpg)
Jaap-Henk Hoepman // Radboud University Nijmegen // 28-02-2014 // Privacy Enhancing Technologies 53
twitter: @xotoxot blog.xot.nl [email protected] www.cs.ru.nl/~jhh