Virtual ID Cryptography

weyrharrasΤεχνίτη Νοημοσύνη και Ρομποτική

21 Νοε 2013 (πριν από 3 χρόνια και 9 μήνες)

69 εμφανίσεις

Virtual ID
Cryptography
Kaspar Etter
ETH Zurich
1.0
etterka@ethz.ch August 2012
Table of Contents
1.
Preface
3
1.1.
Abstract
3
1.2.
About this Document
3
1.3.
Acknowledgments
3
2.
Introduction
4
2.1.
Terminology
4

Cryptography

Encryption and Decryption

Authentication and Authorization

Secure Communication

Hash Function
2.1.
Symmetric-Key Cryptography
4

Setting

Notation

One-Time Pad

Block Ciphers
2.1.
Public-Key Cryptography
5

Motivation and Setup

Digital Signatures

Public Key Infrastructure
2.1.
Group Theory
5

Algebraic Structure

Group Axioms

Order and Subgroup

Lagrange’s Theorem

Modular Arithmetic

Euler’s Totient Function

Euler’s Theorem
2.1.
RSA Algorithm
6

Cryptosystems

Key Generation

Encryption/Verification

Decryption/Signing
2.1.
Anonymous Credential System
6

Motivation and Setup

Requirements

Commitment Schemes

Zero-Knowledge Proofs

Schnorr Signature

Camenisch and Lysyanskaya Credential

Verifiable Encryption
3.
Security
7
3.1.
Overview
7

Environment

Objectives

Communication
3.1.
Notation
7
3.2.
Parameters
7
4.
Keys
8
4.1.
Host
8

Private Key

Public Key

Liability

Certification

Key Rotation
4.1.
Client
8

Secret Key

Commitments

Liability

Key Rotation
5.
Encryption
9
5.1.
Procedure
9
5.2.
Implementation
9
5.3.
Forward Secrecy
9
6.
Signatures
10
6.1.
Format
10
6.2.
Host
10

Format

Signing

Verification
6.1.
Client
10

Format

Signing

Verification
7.
Credentials
11
7.1.
Content
11
7.2.
Issuance
11
7.3.
Usage
11

Unlinkable

Accountable

Signing

Verification
7.1.
Shortening
12

Roles

Certificates

2

Virtual ID
Chapter 0

C r y p t o g r a p h y
T a b l e o f C o n t e n t s
1.
Preface
1.1.
Abstract
Virtual ID
is a protocol that constitutes an open
identity layer
for the Internet and a
semantic alternative
to the World Wide Web.
It allows you to prove your
identity
towards others and to look up
attributes
of others in a decentralized manner. Being freely
extensible with
services
,
Virtual ID
aims to supersede proprietary platforms by establishing a framework of open standards.
1.2.
About this Document
This document specifies the cryptography of
Virtual ID
, whereas a separate document introduces its concepts – the italic terms.
1.3.
Acknowledgments
A special thank goes to
Jan Camenisch
, scientist at the IBM Zurich Research Laboratory, for his support in the adaptation of his
anonymous credential system (see
idemix.wordpress.com
) to the particular requirements of
Virtual ID
(see
www.virtualid.ch
).
Chapter 1
Virtual ID

3
Preface Cryptography
2.
Introduction
2.1.
Terminology
Cryptography
The original goal of cryptography (from the Ancient Greek
κρυπτός (“secret”) and γράφειν (“writing”)) is to accomplish
secure communication
in the presence of malicious parties.
Encryption has a long history, dating back to ancient times.
For a long time, however, it was rather an art than a science.
Modern cryptography is based on assumptions about the
computational hardness
of problems like the factorization
of integers or the discrete logarithm. A distinction is made
between computationally secure techniques, which are hard
to break, and information-theoretically secure ones, which
cannot be broken even with infinite computing power.
Encryption and Decryption
Encryption
denotes the process of converting plaintext into
unintelligible ciphertext.
Decryption
reverts this process by
recovering the plaintext from the ciphertext with the special
knowledge of some secret information called a
key
.
Authentication and Authorization
Authentication
is the process of confirming the identity of
an entity, whereas the
authorization
specifies its rights.
Secure Communication
The communication between two parties is called
secure
if
both the
confidentiality
and the
integrity
of their messages
is guaranteed, which is only meaningful with authentication.
Hash Function
A cryptographic
hash function
is a one-way function that
maps an arbitrary block of data to a fixed-sized
bit string
.
Such a function has to fulfill the following three properties:

Preimage resistance
: It is difficult to invert the function.

Second-preimage resistance
: It is difficult to find another
input that is mapped to the same value by the function.

Collision resistance
: It is difficult to find any two distinct
inputs that are mapped to the same hash by the function.
2.2.
Symmetric-Key Cryptography
Setting
In symmetric-key cryptography, the communicating parties
share
the same key
for encryption and decryption. This was
the only encryption method publicly known before the year
1976, when Whitfield Diffie and Martin Hellman proposed to
use different but mathematically related keys for encryption
and decryption (see section
2.3.
Public-Key Cryptography).
Notation
Symmetric encryption/decryption is usually written with the
key k as a
subscript
such that, for any given message m, the
following equation holds: Decryption
k
(Encryption
k
(m)) = m.
One-Time Pad
The so-called one-time pad is an encryption method that is
perfectly secure
but not practical in most cases since the
key needs to be as long as the message and may be used
only once. A message is encrypted by taking the bitwise
xor
operation

with

the

key,

which

flips

the

bits

in

those

positions
where the key is 1. Decryption works the same way by just
reapplying the key. Since the key is chosen at random, the
ciphertext is also random and contains no information at all
about the message. Thus, the one-time pad is unbreakable.
Block Ciphers
A

cipher

is

a

pair

of encryption and decryption algorithms. In
case of
block ciphers
, they take as input a block of plaintext
and a key, and output a block of ciphertext of the same size.
There are various possibilities for how to combine successive
blocks in a way that no patterns emerge. Examples of block
ciphers are the Data Encryption Standard (
DES
, 1977) and
the more secure Advanced Encryption Standard (
AES
, 2001).

4

Virtual ID
Chapter 2

C r y p t o g r a p h y
I n t r o d u c t i o n
2.3.
Public-Key Cryptography
Motivation and Setup
The main problem with symmetric-key cryptography is the
management of keys
since each pair of parties must share a
different key or rely on a trusted third party to distribute one
on demand. By using
a pair of related but distinct keys
, it is
possible to share the one for encryption while keeping the
one for decryption secret. The former is known as the
public
key
, the latter as the
private key
. In order to preserve the
confidentiality of messages, it has to be hard to compute the
private key from the public key (see the RSA method in
2.5.
).
Digital Signatures
The essential feature of signatures is that they are easy for
the author to produce but hard for others to forge. This is
achieved by using the private key for
signing
and the public
key for the
verification
of a signature, which anyone can do.
Public Key Infrastructure
Since it is not possible to authenticate someone you have
never met before, you need to trust a third party to confirm
their identity. This service is usually provided by
certificate
authorities (CAs)
that issue certificates on the public key of
registered users and thereby making them accountable.
2.4.
Group Theory
Algebraic Structure
A group is a structure that consists of a
set
and an
operation

which combines any two of its elements to form a third one.
The goal of algebra is to understand the properties of such
structures at the highest level of
generality
and
abstraction
.
Group Axioms
To qualify as a group, the set G and the operation ∙ must
satisfy the following conditions called
group axioms
:

Closure
:

a, b

G: a ∙ b

G (

means “for all”).

Associativity
:

a, b, c

G: (a ∙ b) ∙ c = a ∙ (b ∙ c).

Identity
:

e

G

a

G: e ∙ a = a ∙ e = a (

says “it exists”).

Invertibility
:

a

G

b

G: a ∙ b = b ∙ a = e.
Due to associativity,
parentheses
are usually omitted. There
exists only one identity element since
e

=

e



e’

=

e’. Moreover,
we write the
inverse
of an element a as
a
–1
and the repeated
application of the operation as
exponentiation
. Thus, the
following equations hold: a
m
∙ a
n
= a
m + n
, (a
m
)
n
= a
m ∙ n
, a
0
= e.
Order and Subgroup
The number of elements in a group is called its order. On the
other hand, the
order
of an element
a
is the least n ≥ 1 with
a
n
= e. In finite groups, every element a has a finite order
|a|
.
A
subgroup
is a group H contained within a bigger one G
so that the neutral element of G is contained in H, and if h
1

and h
2
are in H, then so are h
1
∙ h
2
and h
1
−1
.
Lagrange’s Theorem
Lagrange’s Theorem
states that for any finite group G, the
order of every subgroup H of G divides the order of G. This
can be shown according to the following
proof sketch
:

H ∙ a = {h ∙ a | h

H} for a

G is called the right coset of H.

The cosets of H form a partition of G: The union of cosets
is equal to G and two cosets are either equal or disjoint.

Two cosets H ∙ a and H ∙ b are equal iff

h

H: b = h ∙ a.

Define bijective mapping f: H ∙ a

H ∙ b as f(x) = x ∙ a
–1
∙ b.

Thus all cosets have the same order, namely |H| elements.
Modular Arithmetic
For a positive integer n, two integers a and b are said to be
congruent
modulo
n (written a


n

b) if a



b is a multiple of n.
If a

n
b and a, b ≥ 0, a/n and b/n have the same remainder.
This relation partitions integers into
congruence classes
:
a
1


n
b
1
and a
2


n
b
2


a
1
+ a
2


n
b
1
+ b
2
and a
1


a
2


n
b
1


b
2
.
Integers modulo a prime number n with multiplication as
the operation form a group if all multiples of n are excluded.
In such groups, it is assumed to be hard to compute x as the
discrete logarithm
of y (solving the equation y

n
g
x
for x).
Euler’s Totient Function
In case of multiplicative groups modulo n, only integers that
are
coprime
to n (i.e. their greatest common divisor with n is
1) have an inverse element and can therefore be an element.
The
totient function φ
of a positive integer n is the number
of positive integers less than n that are coprime to n, which
gives us the order of the multiplicative group modulo n.
Overall, cryptography is only interested in
two cases
:

Prime p:
φ(p)
= p – 1 (all positive integers smaller than p).

Product of primes p and q:
φ(p ∙ q)
= (p – 1) (q – 1) (count).
Euler’s Theorem
Euler’s Theorem
is widely used in cryptography and states
that
a
φ(n)


n
1
for any coprime integers n and a. It is proven
by applying the group theory that we have covered so far:

See a as an element of the multiplicative group modulo n.

The subgroup
x
a
y
= {e, a, a
2
, …, a
|a| – 1
} of G has order |a|.

By Lagrange’s Theorem: |a| divides |G| for every a

G.

Consequently, a
|G|
= e for every a

G and finite group G.

The order of the multiplicative group G is given by φ(n).
Chapter 2
Virtual ID

5
Introduction Cryptography
2.5.
RSA Algorithm
Cryptosystems
A
cryptosystem
refers to a suite of three algorithms:

Key Generation
: Generates a random pair of keys.

Encryption
: Transforms the plaintext into ciphertext.

Decryption
: Recovers the plaintext from the ciphertext.
These algorithms have to be
efficient
(requiring polynomial
time in terms of the key size) except for decryption, which
has to be
hard
(requiring exponential time in terms of the
key size) for all parties that do not possess the appropriate
private key. Given this
asymmetry
, we can compensate for
any performance improvements of modern computers by
increasing the key size. The most famous cryptosystem is
RSA
, published in 1977 by Rivest, Shamir and Adleman.
Key Generation

Choose two random primes
p
and
q
, compute
n
= p ∙ q.

Compute
φ(n)
= (p - 1) (q - 1), choose
e
w. gcd(e, φ(n)) = 1.

Determine the multiplicative inverse of e:
d


φ(n)
e
-1
, which
is done efficiently with the Extended Euclidean Algorithm.

Publish modulus n and exponent e, retain d as private key.
Encryption/Verification
Compute the ciphertext
c

n
m
e
(m being a group element).
Decryption/Signing
Compute
m

n
c
d


n
(m
e
)
d


n
m
1 + k ∙ φ(n)


n
m (m
φ(n)
)
k


n
m ∙ 1
k
,
using Euler’s Theorem and that d ∙ e – 1 = k ∙ φ(n) for some k.
2.6.
Anonymous Credential System
Motivation and Setup
As we have seen with RSA, classical public-key cryptography
requires the complete message for the verification of digital
signatures. In order to protect one’s
privacy
, it is desirable to
reveal the content of a certificate more selectively and
prove

nevertheless certain facts about
hidden
statements. This can
be used to show

certificates

anonymously

as

credentials

and
still provide evidence that they were issued to the same

user.
Requirements
An

anonymous

credential

system

has

the

following

features:

Anonymity
: Show credentials without telling the identity.

Unlinkability
:

Use

credentials

without

getting

traceable.

Unforgeability
: Only authorities can issue credentials.

Consistency
: Different credentials cannot be pooled.

Anonymity Revocation
: Users can still be held liable.
Commitment Schemes
The purpose of a
commitment scheme
is to bind a party to
a certain value that can be hidden from others and revealed
later on but no longer be changed. A commitment scheme
is either
perfectly

hiding
or
perfectly

binding
but not both.
The other property is thus only computationally secure.
Given a
group
G =
x
g
y
=
x
h
y
with prime order q, the first
scheme is perfectly hiding and the second perfectly binding:

Pedersen
: Choose r

{0, …, q – 1} and compute c = g
x

h
r
.

ElGamal
:
Choose r

{0, …, q – 1}, compute c = (g
x

h
r
, g
r
).
Zero-Knowledge Proofs
The goal of
zero-knowledge proofs
is to convince another
party of one’s knowledge without revealing any information.
Such proofs require a protocol between the
prover
and the
verifier
and is said to be zero-knowledge only if the verifier
can produce equivalent
transcripts
without any interaction
with the prover. Furthermore, it is only a proof of knowledge
if the secret information can be
extracted
from the prover
when given as a rewindable black box (see to the right).
In order to convince a verifier that you know the discrete
logarithm of some value y to base g denoted as x (i.e. y = g
x
),
you choose a random value
r
, compute
t
= g
r
and pass it to
the verifier. The verifier returns a random
c
(the challenge),
whereon you submit the value
s
= r – c

x. Finally, the verifier
accepts the proof iff t = g
s

y
c
(since g
r
= g
r – c ∙ x


(g
x
)
c
).
It is easy to see that this proof satisfy the two properties:

Zero-knowledge
: By first choosing random values c and s,
then computing
t = g
s

y
c
, the interaction is simulatable.
(To be precise, it is only honest-verifier zero-knowledge.)

Proof of knowledge
: By sending two distinct challenges c
and c’ on the same t (
g
s
y
c
=
g
s ‘
y
c’
), x is extractable:
s – s’
/
c’ – c
.
Several statements can be
combined
by choosing a random
value r per hidden value and computing t for each equation.
Schnorr Signature
To be a proof of knowledge, it is crucial that the challenge c
is chosen only after the value t is fixed. This dependency can
be established by a verifier but also by a cryptographic hash
function. This results in a
non-interactive version
of the just
mentioned proof, which can also be used to sign messages.
Camenisch and Lysyanskaya Credential
In order to obtain a certificate on its secret value that can be
shown unlinkably, the client commits to it in the
RSA group

of the authority:
c


n
g
x
h
r
. Subsequently, the authority signs
the commitment by choosing a random exponent
e
that is
coprime to the group order and by computing
b
 

n
 
(f
–s
 
c)
–1/e
,
where
s
is the hash of the statement being certified and the
values
n
,
f
,
g
and
h
constitute the authority’s public key. Due
to the fact that only the authority knows the group order, no
one else can compute the e
th
root to find b. The
credential
is
shown by proving f
s
 

n
 
b’
e
 
g
x
 
h
r – e ∙ r’
with b’
 

n
 
b
 

 
h
r’

(see
7.3.
).
Verifiable Encryption
In order to revoke the anonymity of a user, its identity can be
verifiably

encrypted

for

the

issuing

authority

(see

chapter

7
).

6

Virtual ID
Chapter 2

C r y p t o g r a p h y
I n t r o d u c t i o n
3.
Security
3.1.
Overview
Environment
The
actors



hosts
and
clients



communicate in the presence
of

an

active

attacker

as

given

by

the

Dolev-Yao

model
. Such
an attacker can overhear, intercept and insert any messages
on the network but has only limited computing power.
Objectives
Virtual ID
is designed to achieve
authentic
and
confidential

communication between uncorrupted actors. However, due
to the nature of the Internet and the above attacker model,
the
availability
of
services
cannot be guaranteed.
Since
clients
cannot be
framed
by
hosts
and actors cannot
repudiate
their actions (except in well-defined cases), they
can generally be hold
liable
. The protocol provides neither
forward secrecy
(see
5.3.
) nor
anonymity
on the network
layer, although the latter could still be added separately.
Communication
Connections are always established to
hosts
, which process
requests
and return
responses
. The data is sent as
packets

(see the description of the type
packet@virtualid.ch
), which
are usually
encrypted
(see
5.
) and can be
signed
(see
6.
).
3.2.
Notation
Each letter has a specific meaning for the rest of this paper:

a
(with subscripts): The bases for a
credential’s
arguments.

b
: A random value to blind the arguments of a
credential
.

c
: The certifying base of a
credential
(with e as exponent).

d
: RSA’s private exponent used for decryption/signing.

e
: RSA’s public exponent used for encryption/verification.

f
: The
client’s
commitment, which is fixed at the native
VID
.

g
: The generator of the group for verifiable encryption.

h
: The hash function, taking as argument a tuple or a list.

i
: The serial number of a
credential
, identifying it per
host
.

j
: The commitment to a serial number chosen by a
client
.

k
: The key used for the symmetric encryption of a packet.

l
(with subscripts): The bit-length of variables for security.

m
: The message (or its hash) to be encrypted and signed.

n
: The RSA modulus, defined as the product of p and q.

o
: The argument of a credential that is always exposed.

p
: The first (safe) prime factor of the RSA modulus n.

q
: The second (safe) prime factor of the RSA modulus n.

r
: A randomly chosen value for proofs and commitments.

s
: The solution to the challenge in zero-knowledge proofs.

t
: The hash of temporary values in zero-knowledge proofs.

u
: The
client’s
secret key (the “private key” of user agents).

v
: The hash of
restrictions
or the hash of the
VID

identifier
.

w
(with subscripts): The verifiable encryption of a value.

x
: The private key of the verifiable encryption scheme.

y
: The public key of the verifiable encryption scheme.

z
: The square root of the verifiable encryption modulus.
As in
XDF
,
tuples
are denoted as (…, …, …) and
lists
as […].
3.3.
Parameters
The

following

security

parameters

indicate

the

bit-lengths

of
the respective variables and are part of the protocol version:

l
p
,
l
q

=

1024,

l
n

=

2048: The bit-length of the RSA modulus.

l
h
,
l
u
,
l
i
,
l
v
,
l
o

=

256: Size of hash and all arguments except b.

l
r
,

l
s

=

512: Size of r (always positive) and s (also negative).

l
e
= 512: The length of a
credential’s
certifying exponent.

l
b
= 768: Length of the blinding value b, which is positive.

l
r
b
,
l
s
b
= 1024: Size of the values to prove knowledge of b.

l
z
= 1024: Length of the verifiable encryption modulus / 2.

l
k
= 256: Length of the hashed symmetric encryption key.
Chapter 3
Virtual ID

7
Security Cryptography
4.
Keys
4.1.
Host
Private Key
The
private key
of a
host
consists of

two safe primes
p
and
q
of lengths l
p
and l
q
, |p – q| > 2
3l
n
/8
,

a random value
d
with 2
l
n
/4
< d < φ(n) and gcd(d, φ(n)) = 1,

temporary values
u
,
i
,
v
and
o
being coprime to φ(n),

temporary values
r
u
,
r
i
,
r
v
and
r
o
between 1 and φ(n),

and a randomly chosen value
x
with 1 < x < (z – 1)
2
.
Public Key
The
public key
of a
host
consists of

the RSA modulus
n
= p ∙ q of length l
n
(or length l
n
– 1)
,

the encryption exponent
e
computed as e

φ(n)
d
–1
,

a
b
with 1 < a
b
< n, each a
b
2 (p – 1)
, a
b
2 (q – 1)
, a
b
(p – 1) (q – 1) / 2


n
1,

the values
a
u


n
a
b
u
,
a
i


n
a
b
i
,
a
v


n
a
b
v
and
a
o


n
a
b
o
,

the value
t
computed as t = h(a
b
r
u
, a
b
r
i
, a
b
r
v
, a
b
r
o
),

s
u
= r
u
– t
∙ u,
s
i
= r
i
– t
∙ i,
s
v
= r
v
– t
∙ v and
s
o
= r
o
– t
∙ o,

a random safe prime number
z
with a bit-length of l
z
,

a value
g
≠ z with 1 < g < z
2
, g
2 (z – 1)


z
2

1, g
(z



1) (z – 1) / 2


z
2

1,

and the verifiable encryption value
y
computed as y


z
2

g
x
.
When
retrieving
a public key, a client
verifies
that the bases
a
u
,

a
i
,

a
v

and

a
o

are

all

in

the

subgroup

generated

by

a
b
,

which
is the case if t

=

h(a
b
s
u

a
u
t
,

a
b
s
i

a
i
t
,

a
b
s
v

a
v
t
,

a
b
s
o

a
o
t
). This property
ensures

that

commitments

in

this

group

are

perfectly

hiding
.
The values’
correctness
can be verified after their expiration.
Liability
Hosts
respectively their
providers
are
liable
for messages
signed with their private keys
for two years
after signing.
They are also liable for the correct creation of their keys.
Certification
In order to know for sure that a public key belongs to a
host
,
a
public key infrastructure
is established on the
host
-level.
Since a public key is an
attribute
of a
host
, it can be
certified

in the same way as ordinary
attributes
. The hierarchy’s
root
is
the
type
itself, namely
public.key.host@virtualid.ch
. Thus, all
clients

need

to

be

delivered

with

the

public

key

of

virtualid.ch
.
Key Rotation
Cryptographic keys need to be replaced from time to time. It
is important, however, to ensure that all
clients
learn the new
public key of the root in advance because otherwise they

are
no longer able to verify any public keys. With the rules that a
public key can be
cached
for one year and that a
client
needs
to be started just once a year, the root’s public key has to be
announced
two years before becoming
valid
. At this point,
the next key is announced and the current one becomes in-
valid

after

another

two

years

but

stays

effective

for

two

more
years

due

to

its

liability.

Thus,

always

three

keys

are

published.
4.2.
Client
Secret Key
The
secret key
of a
client
is a randomly chosen value
u
with

a
bit-length of at most l
u
that is used in proofs of knowledge.
Commitments
At its native
VID
, the
client

commits
to the value
f
 

n
 a
u
u
and
authenticates
itself by proving knowledge of the value u (see
the Schnorr signature in
2.6.
) (this is not a real commitment).
Liability
The
liability
of a
client’s
secret key is limited to
one year
.
Key Rotation
A
client
changes its secret key by sending a corresponding
request
to its native
VID
. Due to the
relocation
of
VIDs
and
the rotation of
host
keys,
clients
need to indicate the
group

of their commitment in their signatures (see
6.3.
).

8

Virtual ID
Chapter 4
Cryptography Keys
5.
Encryption
5.1.
Procedure
Since requests are always sent to
hosts
, the randomly chosen
symmetric key
that is used to encrypt the message can itself
be encrypted with the
public key
of the receiving
host
. The
response is encrypted with the same symmetric key. Using
encryption is
mandatory
– only the
attributes
of
hosts
may
be requested in plain text (to retrieve the public key).
AES
is

used

for

symmetric and

RSA

for

asymmetric

encryption.
For better efficiency, symmetric keys and their encryption
with RSA can be
cached
and
reused
in successive requests
to the same
host
. The
replay of messages
can be prevented
by rejecting all requests that were not signed within the last
24 h and by requiring unique signature times per symmetric
key, which can only be checked once an upload is complete.
5.2.
Implementation
The
syntactic type
for encryption (
encryption@xdf.ch
) has the
following
format
: (host, time, key, text). The elements mean:

Host
: The
identifier
of the receiving
host
in plaintext, since
a server can run many
hosts
at the same network address.

Time
: Either the time of encryption to specify the applied
public key or empty if the message is not encrypted at all.

Key
: A random group element k encrypted with the
host’s

public exponent e as k
e
in requests, empty in

responses.

Text
: The ciphertext of the message m computed as m
h(k)

or the plaintext if no encryption is used (‘Time’ is empty).
5.3.
Forward Secrecy
In a key-agreement protocol,
forward secrecy
describes the
property that the key used to encrypt

a

session

between

two
parties will not be compromised if the attacker learns one of
their private keys in the future. Even though this property is
desirable, it is not supported for the following three reasons:

Key negotiation requires at least
one additional round
of
communication, adding more complexity to the protocol.

By not requiring any interaction to determine the session
key, messages can also be
encryped

offline
for later use.

Since
hosts
have to
log
all
requests
with an effect on the

state of a
VID
, forward secrecy is of little benefit anyway.
Chapter 5
Virtual ID

9
Encryption Cryptography
6.
Signatures
6.1.
Format
The
syntactic type
for signatures (
signature@xdf.ch
) has the
format
(content, host, client, credentials), where the content
is

either

signed

by

a

host
,

a

client
,

with

credentials

or

not

at

all:

Content
= (identifier, time, message): The content consists
of the
identifier
of the
VID
, about which a statement (often
a request or a response) is made, the time of signing (even
if no signature is attached) and the message itself.

Host
: The signature generated by a
host
(see
6.2.
).

Client
: The signature generated by a
client
(see
6.3.
).

Credentials
: The signature made with
credentials
(see
7.
).
6.2.
Host
Format
The signature of a
host
has the
format
(identifier,

value) with:

Identifier
: The
identifier
of the signing
VID
– being the
host

itself in case of responses and the authority for
certificates
.

Value
: The signing value computed as h(content)
d
.
Signing
In order to
sign
a message, the
host
raises the
hash
of the
content (
6.1.
) to its private exponent
d
(
4.1.
) with
RSA
(
2.5.
).
Verification
A signature can be
verified
by raising the
value
to the public
exponent
e
of the
identifier’s

host
and computing the hash.
6.3.
Client
Format
The signature of a
client
has the
format
(host, time, f, t, s):

Host
and
time
: Indicate the group of the commitment f.

f
: The commitment to the secret key computed as f 

n
 a
u
u
.

t
: The hash of the temporary value computed as t = h(a
u
r
).

s
: The solution to the challenge, s = r – (t 

 h(content)) 

 u.
Signing
Clients
only
sign

requests
to their native
VID
in this way, by

choosing randomly a positive value
r
with at most l
r
bits,

computing the value
t
in the group of their
accreditation
,

and computing the value
s
with the bitwise xor operation.
Verification
The receiving
host

authenticates
the
client
by
verifying
that

the equation t = h(a
u
s
 
∙ f


 h(content)
) holds (and that |s| ≤ l
s
).

10

Virtual ID
Chapter 6
Cryptography Signatures
7.
Credentials
7.1.
Content
Each
credential
includes the following values as
arguments
:

b
: A random value to blind a
credential’s
other arguments.

u
:
Client’s

secret

key,

which

is

never

revealed

or

escrowed.

i
: The serial number i is usually chosen by the issuing
host
.

v
: Either the hash of
restrictions
or the hash of an
identifier.

o
= h(issuer, time, authorization, role, attribute): Hash of:

Issuer
: The
identifier
of the

VID

that

issued

the

credential
.

Time
: The issuance time rounded to the last half-hour.

Authorization
: A randomized hash of the
authorization
.

Role
: The
role
for which the
client
has

the

authorization
.

Attribute
: The
attribute
for anonymous access control.
7.2.
Issuance
A
client
can
request
a
credential
for a certain
authorization
in
a certain
role
from its native
VID
by signing this request with
its secret key (see
6.3.
). The
host
checks whether this request
is valid, chooses a random exponent
e
of bit-length l
e
that is
coprime to the order

φ(n)

and

computes

c’
 

n
 
(f
 
a
i
i
 
a
v
v
 
a
o
–o
)
–1/e
.
It
returns
the values c’ and e together with an arbitrary serial
number i to the
client
,

which

knows

then

all

the

values,

as

v

is
the hash of its
restrictions
and the
attribute
in o is still empty.
The

secret

key

u

is

included

through

the

commitment

f
 

n
 
a
u
u
,
which requires that the
client

renews
it to the current group.
7.3.
Usage
Unlinkable
In

order

to

sign

with

a

credential
,

the

client

proves

knowledge
of

values

e,

u,

i

and

v

such

that

a
o
o
 

n
 
c’
e
 
a
u
u
 
a
i
i
 
a
v
v
.

The

problem
is that the base c’ has to be
revealed
(see
2.6.
), which

renders
the
credential

linkable
(o is exposed anyway). By choosing a
random value r of at most l
b
 – l
e
bits, c’ can be randomized to
c
 

n
 c’ 
∙ a
b
r
to prove
a
o
o
 

n
 
c
e
 a
b
b
 
a
u
u
 
a
i
i
 
a
v
v
with
b = b’ – r ∙ e
,
where b’ was now 0 (because
hosts
do not blind
credentials
).
The
issuance time
is rounded down to the last half-hour in
order that honest
hosts
accept requests for only two values
at any time, preventing them from becoming linkable on o.
Accountable
In

order

to

prevent

misuse,

it

is

important

that

the

anonymity
of a
client
respectively its user can be
revoked
under certain
conditions for certain requests. The mechanism required for
this purpose is called
verifiable encryption
, which allows to
escrow

one’s

identity

by

encrypting

a

value

for

a

third

party

in
such a way that a recipient can verify its
correctness
without
being able to decipher it. In
Virtual ID
, it is always the issuing
host
that takes the function of this third party.
Such

a

scheme

can

be

implemented

by

using

the

following
property
: For any number z,
(1 + z)
m
 

z
2
 1 + m ∙ z
, which can
be derived with the binomial formula.

A message m can thus
be encrypted for a
host
as
w
m
 

z
2
 
(y
r
 

 
(1
 
+
 
z)
m
,
 
g
r
)
with z, g and
y being part of its public key (
4.1.
) and r chosen randomly. In
order to
decrypt
w
m
 
=
 
(w
1
,
 
w
2
), the
host
computes the value
m
 

z
2
 
(w
1
 
/
 
w
2
x
 

 
1)
 
/
 
z
 

z
2
 
((g
x
)
r
 

 
(1
 
+
 
z)
m
 
/
 
(g
r
)
x
 

 
1)
 
/
 
z with y
 

z
2
 
g
x
.

(The
host
can even prove the correctness of this decryption.)
Accountability
can be achieved by requiring the
client
to
verifiably encrypt the values i and b for the
host
that issued
the
credential
. The serial number allows the
host
to link each
credential
to the other values and the
client
that requested it.
For holding a
client

liable
, it also needs to be ensured that
the
host
cannot act on its behalf by issuing
faked

credentials
.
Since
clients
never reveal their secret key,
hosts
cannot sign
with a
credential
unless they issue it on a different secret key.
If a
client

repudiates
a signature, the
host
needs to provide
the values o, e, b, i and v, and by computing a
u
r
u
 

n
 a
u
s
u
f
t
, it is
easy to check whether the value t has been derived correctly
(see the next section) or whether the
client
has been

framed
.
Chapter 7
Virtual ID

11
Credentials Cryptography
Signing
Due to the flexibility and the combination of
credentials
, the
format
of
credential
-based signatures is relatively complex:
(t, s
u
, v, s
v
, [(o, c, s
e
, s
b
, i, s
i
,
(
w
i
, s
wi
, w
b
, s
wb
)
)], f’, certificates).
After

randomizing

each

credential

(see

7.3.
)

and

computing
the encryptions
w
i
and

w
b

with

random

values

wi

and

wb

of
length

l
r
b
 

 
l
h
,

the

client

chooses randomly the values
r
u
and
r
v

of length l
r
, and per
credential
the values
r
e
and
r
i
of length l
r

and
r
b
,
r
wi
and
r
wb
of length l
r
b

(see

3.3.
).

Afterwards,

the

value
t
 = h
[(c
r
e
 a
b
r
b
 a
u
r
u
 a
i
r
i
 a
v
r
v

(
y
r
wi
 (1+
 
z)
r
i
, g
r
wi
, y
r
wb
 (1+
 
z)
r
b
, g
r
wb
)
)]
 

 

h(content), where the tuple in the list is computed for every
credential
. If
no verifiable encryption
is required, the part in
the bold parentheses can be omitted for all
credentials
. The
s-values are finally computed as
s
u
 
=
 
r
u
 

 
t
 

 
u and
s
v
 
=
 
r
v
 

 
t
 

 
v,
and for each credential
s
e
 
=
 
r
e
 

 
t
 

 
e,
s
b
 
=
 
r
b
 

 
t
 

 
b,
s
i
 
=
 
r
i
 

 
t
 

 
i,

s
wi
 
=
 
r
wi
 

 
t
 

 
wi and
s
wb
 
=
 
r
wb
 

 
t
 

 
wb.
The value
o
is added to the signature in its unhashed form
(
7.1.
). The same applies to
v
if the
restrictions
are
revealed
.

In
this case, s
v
is left empty and a
v
rv
is not a factor in

t

but

a
o
o

on
the left side of each
credential’s
equation is divided by a
v
v
.
In order to give
services
more possibilities, also the value
i

can be disclosed (with the same consequences as in case of
v). The idea is that clients can commit to a random value i as
j
 

n
 a
i
i
 a
b
b’
inside a request for a specific
credential
, which the
host then includes in the computation of c’ (see
7.2.
) without
learning i. Such
credentials
are useful in situations in which it
is desired that
clients
can make
anonymous
submissions but
only
once
(e.g. digital money and online surveys).
Last but not least, the value
f’
is needed in the
shortening

of
credentials
(see
7.4.
) and
certificates
can be appended for
combining
identity
- and
attribute
-based
authentication
.
Verification
The receiving
host

verifies
that the following equation

holds:
t = 
h(
[(c
s
e
 a
b
s
b
 a
u
s
u
 a
i
s
i
 a
v
s
v
 (a
o
o
)
t

(
y
s
wi
 (1+
 
z)
s
i
 w
i1
t
, g
s
wi
 w
i2
t
, y
s
wb
 (1+
 
z)
s
b
 w
b1
t
, g
r
wb
 w
b2
t
)
)])
 

 
h(content), with w
i1
and w
i2
being the
first and second element of w
i
(and for w
b
accordingly).
Additionally, the
host
needs to make sure that all s-values
except s
b
, s
wi
and s
wb
are
at most l
s
bits long (the others may
be up to l
s
b
bits long). The reason for this is that the

exponent
e of length l
e
may not fit into any other exponent but b, such
that the value c’ can only be blinded with the base a
b
.
As a final remark,
hosts
have to choose the exponent
e
at
random
in order to prevent the multiplication of
credentials
.
7.4.
Shortening
Roles
Before being able to make requests on behalf

of

another

VID

for which the native
VID
is
authorized
in a certain
role
, a
client

needs to obtain a
credential
from this other

VID

by

signing

an
appropriate

request

with

a

credential

from

the

native

VID
.

The
current
restrictions
have to be exposed in this process that is
called
shortening
such that the issuing
host
can check their
conformity
. The
client’s

authorization
is also checked and the
role
stated in the value o is reduced by one entry. Since
roles

can be
chained
,
credentials
have to be shortened recursively.
To

guarantee

that

the

validity

period

of

a

credential

cannot

be
extended

by

shortening,

the

same

time

value

has

to

be

used.
Such requests require that i and b are
verifiably encrypted
.
Certificates
The shortening of
certificates
works similarly, except that the
restrictions
are
replaced
with a randomized hash of the
VID’s

identifier
at the
authority
that issued the
certificate
. This step
is required to ensure that

clients

cannot

pool

credentials

from
various

VIDs

for

attribute
-based

access

control.

Furthermore,
the main
role
is dropped from the
credential
and the
certified

attribute
is added instead.
While shortening, the secret key
u
and the value
v
, which
is no longer disclosed further up the
certification
hierarchy,
need to be
transferred
to a new group (also in case of
roles
).
This is achieved by
committing
to them with
f’
 

n
 a
u
u
 a
v
v
 a
b
b’

and proving that the same values
and a random b’ are used.

12

Virtual ID
Chapter 7
Cryptography Credentials