Virtual ID

Cryptography

Kaspar Etter

ETH Zurich

1.0

etterka@ethz.ch August 2012

Table of Contents

1.

Preface

3

1.1.

Abstract

3

1.2.

About this Document

3

1.3.

Acknowledgments

3

2.

Introduction

4

2.1.

Terminology

4

–

Cryptography

–

Encryption and Decryption

–

Authentication and Authorization

–

Secure Communication

–

Hash Function

2.1.

Symmetric-Key Cryptography

4

–

Setting

–

Notation

–

One-Time Pad

–

Block Ciphers

2.1.

Public-Key Cryptography

5

–

Motivation and Setup

–

Digital Signatures

–

Public Key Infrastructure

2.1.

Group Theory

5

–

Algebraic Structure

–

Group Axioms

–

Order and Subgroup

–

Lagrange’s Theorem

–

Modular Arithmetic

–

Euler’s Totient Function

–

Euler’s Theorem

2.1.

RSA Algorithm

6

–

Cryptosystems

–

Key Generation

–

Encryption/Veriﬁcation

–

Decryption/Signing

2.1.

Anonymous Credential System

6

–

Motivation and Setup

–

Requirements

–

Commitment Schemes

–

Zero-Knowledge Proofs

–

Schnorr Signature

–

Camenisch and Lysyanskaya Credential

–

Veriﬁable Encryption

3.

Security

7

3.1.

Overview

7

–

Environment

–

Objectives

–

Communication

3.1.

Notation

7

3.2.

Parameters

7

4.

Keys

8

4.1.

Host

8

–

Private Key

–

Public Key

–

Liability

–

Certiﬁcation

–

Key Rotation

4.1.

Client

8

–

Secret Key

–

Commitments

–

Liability

–

Key Rotation

5.

Encryption

9

5.1.

Procedure

9

5.2.

Implementation

9

5.3.

Forward Secrecy

9

6.

Signatures

10

6.1.

Format

10

6.2.

Host

10

–

Format

–

Signing

–

Veriﬁcation

6.1.

Client

10

–

Format

–

Signing

–

Veriﬁcation

7.

Credentials

11

7.1.

Content

11

7.2.

Issuance

11

7.3.

Usage

11

–

Unlinkable

–

Accountable

–

Signing

–

Veriﬁcation

7.1.

Shortening

12

–

Roles

–

Certiﬁcates

2

Virtual ID

Chapter 0

C r y p t o g r a p h y

T a b l e o f C o n t e n t s

1.

Preface

1.1.

Abstract

Virtual ID

is a protocol that constitutes an open

identity layer

for the Internet and a

semantic alternative

to the World Wide Web.

It allows you to prove your

identity

towards others and to look up

attributes

of others in a decentralized manner. Being freely

extensible with

services

,

Virtual ID

aims to supersede proprietary platforms by establishing a framework of open standards.

1.2.

About this Document

This document speciﬁes the cryptography of

Virtual ID

, whereas a separate document introduces its concepts – the italic terms.

1.3.

Acknowledgments

A special thank goes to

Jan Camenisch

, scientist at the IBM Zurich Research Laboratory, for his support in the adaptation of his

anonymous credential system (see

idemix.wordpress.com

) to the particular requirements of

Virtual ID

(see

www.virtualid.ch

).

Chapter 1

Virtual ID

3

Preface Cryptography

2.

Introduction

2.1.

Terminology

Cryptography

The original goal of cryptography (from the Ancient Greek

κρυπτός (“secret”) and γράφειν (“writing”)) is to accomplish

secure communication

in the presence of malicious parties.

Encryption has a long history, dating back to ancient times.

For a long time, however, it was rather an art than a science.

Modern cryptography is based on assumptions about the

computational hardness

of problems like the factorization

of integers or the discrete logarithm. A distinction is made

between computationally secure techniques, which are hard

to break, and information-theoretically secure ones, which

cannot be broken even with inﬁnite computing power.

Encryption and Decryption

Encryption

denotes the process of converting plaintext into

unintelligible ciphertext.

Decryption

reverts this process by

recovering the plaintext from the ciphertext with the special

knowledge of some secret information called a

key

.

Authentication and Authorization

Authentication

is the process of conﬁrming the identity of

an entity, whereas the

authorization

speciﬁes its rights.

Secure Communication

The communication between two parties is called

secure

if

both the

conﬁdentiality

and the

integrity

of their messages

is guaranteed, which is only meaningful with authentication.

Hash Function

A cryptographic

hash function

is a one-way function that

maps an arbitrary block of data to a ﬁxed-sized

bit string

.

Such a function has to fulﬁll the following three properties:

–

Preimage resistance

: It is diﬃcult to invert the function.

–

Second-preimage resistance

: It is diﬃcult to ﬁnd another

input that is mapped to the same value by the function.

–

Collision resistance

: It is diﬃcult to ﬁnd any two distinct

inputs that are mapped to the same hash by the function.

2.2.

Symmetric-Key Cryptography

Setting

In symmetric-key cryptography, the communicating parties

share

the same key

for encryption and decryption. This was

the only encryption method publicly known before the year

1976, when Whitﬁeld Diﬃe and Martin Hellman proposed to

use diﬀerent but mathematically related keys for encryption

and decryption (see section

2.3.

Public-Key Cryptography).

Notation

Symmetric encryption/decryption is usually written with the

key k as a

subscript

such that, for any given message m, the

following equation holds: Decryption

k

(Encryption

k

(m)) = m.

One-Time Pad

The so-called one-time pad is an encryption method that is

perfectly secure

but not practical in most cases since the

key needs to be as long as the message and may be used

only once. A message is encrypted by taking the bitwise

xor

operation

with

the

key,

which

ﬂips

the

bits

in

those

positions

where the key is 1. Decryption works the same way by just

reapplying the key. Since the key is chosen at random, the

ciphertext is also random and contains no information at all

about the message. Thus, the one-time pad is unbreakable.

Block Ciphers

A

cipher

is

a

pair

of encryption and decryption algorithms. In

case of

block ciphers

, they take as input a block of plaintext

and a key, and output a block of ciphertext of the same size.

There are various possibilities for how to combine successive

blocks in a way that no patterns emerge. Examples of block

ciphers are the Data Encryption Standard (

DES

, 1977) and

the more secure Advanced Encryption Standard (

AES

, 2001).

4

Virtual ID

Chapter 2

C r y p t o g r a p h y

I n t r o d u c t i o n

2.3.

Public-Key Cryptography

Motivation and Setup

The main problem with symmetric-key cryptography is the

management of keys

since each pair of parties must share a

diﬀerent key or rely on a trusted third party to distribute one

on demand. By using

a pair of related but distinct keys

, it is

possible to share the one for encryption while keeping the

one for decryption secret. The former is known as the

public

key

, the latter as the

private key

. In order to preserve the

conﬁdentiality of messages, it has to be hard to compute the

private key from the public key (see the RSA method in

2.5.

).

Digital Signatures

The essential feature of signatures is that they are easy for

the author to produce but hard for others to forge. This is

achieved by using the private key for

signing

and the public

key for the

veriﬁcation

of a signature, which anyone can do.

Public Key Infrastructure

Since it is not possible to authenticate someone you have

never met before, you need to trust a third party to conﬁrm

their identity. This service is usually provided by

certiﬁcate

authorities (CAs)

that issue certiﬁcates on the public key of

registered users and thereby making them accountable.

2.4.

Group Theory

Algebraic Structure

A group is a structure that consists of a

set

and an

operation

which combines any two of its elements to form a third one.

The goal of algebra is to understand the properties of such

structures at the highest level of

generality

and

abstraction

.

Group Axioms

To qualify as a group, the set G and the operation ∙ must

satisfy the following conditions called

group axioms

:

–

Closure

:

∀

a, b

∈

G: a ∙ b

∈

G (

∀

means “for all”).

–

Associativity

:

∀

a, b, c

∈

G: (a ∙ b) ∙ c = a ∙ (b ∙ c).

–

Identity

:

∃

e

∈

G

∀

a

∈

G: e ∙ a = a ∙ e = a (

∃

says “it exists”).

–

Invertibility

:

∀

a

∈

G

∃

b

∈

G: a ∙ b = b ∙ a = e.

Due to associativity,

parentheses

are usually omitted. There

exists only one identity element since

e

=

e

∙

e’

=

e’. Moreover,

we write the

inverse

of an element a as

a

–1

and the repeated

application of the operation as

exponentiation

. Thus, the

following equations hold: a

m

∙ a

n

= a

m + n

, (a

m

)

n

= a

m ∙ n

, a

0

= e.

Order and Subgroup

The number of elements in a group is called its order. On the

other hand, the

order

of an element

a

is the least n ≥ 1 with

a

n

= e. In ﬁnite groups, every element a has a ﬁnite order

|a|

.

A

subgroup

is a group H contained within a bigger one G

so that the neutral element of G is contained in H, and if h

1

and h

2

are in H, then so are h

1

∙ h

2

and h

1

−1

.

Lagrange’s Theorem

Lagrange’s Theorem

states that for any ﬁnite group G, the

order of every subgroup H of G divides the order of G. This

can be shown according to the following

proof sketch

:

–

H ∙ a = {h ∙ a | h

∈

H} for a

∈

G is called the right coset of H.

–

The cosets of H form a partition of G: The union of cosets

is equal to G and two cosets are either equal or disjoint.

–

Two cosets H ∙ a and H ∙ b are equal iﬀ

∃

h

∈

H: b = h ∙ a.

–

Deﬁne bijective mapping f: H ∙ a

→

H ∙ b as f(x) = x ∙ a

–1

∙ b.

–

Thus all cosets have the same order, namely |H| elements.

Modular Arithmetic

For a positive integer n, two integers a and b are said to be

congruent

modulo

n (written a

≡

n

b) if a

–

b is a multiple of n.

If a

≡

n

b and a, b ≥ 0, a/n and b/n have the same remainder.

This relation partitions integers into

congruence classes

:

a

1

≡

n

b

1

and a

2

≡

n

b

2

ﱺ

a

1

+ a

2

≡

n

b

1

+ b

2

and a

1

∙

a

2

≡

n

b

1

∙

b

2

.

Integers modulo a prime number n with multiplication as

the operation form a group if all multiples of n are excluded.

In such groups, it is assumed to be hard to compute x as the

discrete logarithm

of y (solving the equation y

≡

n

g

x

for x).

Euler’s Totient Function

In case of multiplicative groups modulo n, only integers that

are

coprime

to n (i.e. their greatest common divisor with n is

1) have an inverse element and can therefore be an element.

The

totient function φ

of a positive integer n is the number

of positive integers less than n that are coprime to n, which

gives us the order of the multiplicative group modulo n.

Overall, cryptography is only interested in

two cases

:

–

Prime p:

φ(p)

= p – 1 (all positive integers smaller than p).

–

Product of primes p and q:

φ(p ∙ q)

= (p – 1) (q – 1) (count).

Euler’s Theorem

Euler’s Theorem

is widely used in cryptography and states

that

a

φ(n)

≡

n

1

for any coprime integers n and a. It is proven

by applying the group theory that we have covered so far:

–

See a as an element of the multiplicative group modulo n.

–

The subgroup

x

a

y

= {e, a, a

2

, …, a

|a| – 1

} of G has order |a|.

–

By Lagrange’s Theorem: |a| divides |G| for every a

∈

G.

–

Consequently, a

|G|

= e for every a

∈

G and ﬁnite group G.

–

The order of the multiplicative group G is given by φ(n).

Chapter 2

Virtual ID

5

Introduction Cryptography

2.5.

RSA Algorithm

Cryptosystems

A

cryptosystem

refers to a suite of three algorithms:

–

Key Generation

: Generates a random pair of keys.

–

Encryption

: Transforms the plaintext into ciphertext.

–

Decryption

: Recovers the plaintext from the ciphertext.

These algorithms have to be

eﬃcient

(requiring polynomial

time in terms of the key size) except for decryption, which

has to be

hard

(requiring exponential time in terms of the

key size) for all parties that do not possess the appropriate

private key. Given this

asymmetry

, we can compensate for

any performance improvements of modern computers by

increasing the key size. The most famous cryptosystem is

RSA

, published in 1977 by Rivest, Shamir and Adleman.

Key Generation

–

Choose two random primes

p

and

q

, compute

n

= p ∙ q.

–

Compute

φ(n)

= (p - 1) (q - 1), choose

e

w. gcd(e, φ(n)) = 1.

–

Determine the multiplicative inverse of e:

d

≡

φ(n)

e

-1

, which

is done eﬃciently with the Extended Euclidean Algorithm.

–

Publish modulus n and exponent e, retain d as private key.

Encryption/Veriﬁcation

Compute the ciphertext

c

≡

n

m

e

(m being a group element).

Decryption/Signing

Compute

m

≡

n

c

d

≡

n

(m

e

)

d

≡

n

m

1 + k ∙ φ(n)

≡

n

m (m

φ(n)

)

k

≡

n

m ∙ 1

k

,

using Euler’s Theorem and that d ∙ e – 1 = k ∙ φ(n) for some k.

2.6.

Anonymous Credential System

Motivation and Setup

As we have seen with RSA, classical public-key cryptography

requires the complete message for the veriﬁcation of digital

signatures. In order to protect one’s

privacy

, it is desirable to

reveal the content of a certiﬁcate more selectively and

prove

nevertheless certain facts about

hidden

statements. This can

be used to show

certiﬁcates

anonymously

as

credentials

and

still provide evidence that they were issued to the same

user.

Requirements

An

anonymous

credential

system

has

the

following

features:

–

Anonymity

: Show credentials without telling the identity.

–

Unlinkability

:

Use

credentials

without

getting

traceable.

–

Unforgeability

: Only authorities can issue credentials.

–

Consistency

: Diﬀerent credentials cannot be pooled.

–

Anonymity Revocation

: Users can still be held liable.

Commitment Schemes

The purpose of a

commitment scheme

is to bind a party to

a certain value that can be hidden from others and revealed

later on but no longer be changed. A commitment scheme

is either

perfectly

hiding

or

perfectly

binding

but not both.

The other property is thus only computationally secure.

Given a

group

G =

x

g

y

=

x

h

y

with prime order q, the ﬁrst

scheme is perfectly hiding and the second perfectly binding:

–

Pedersen

: Choose r

∈

{0, …, q – 1} and compute c = g

x

h

r

.

–

ElGamal

:

Choose r

∈

{0, …, q – 1}, compute c = (g

x

h

r

, g

r

).

Zero-Knowledge Proofs

The goal of

zero-knowledge proofs

is to convince another

party of one’s knowledge without revealing any information.

Such proofs require a protocol between the

prover

and the

veriﬁer

and is said to be zero-knowledge only if the veriﬁer

can produce equivalent

transcripts

without any interaction

with the prover. Furthermore, it is only a proof of knowledge

if the secret information can be

extracted

from the prover

when given as a rewindable black box (see to the right).

In order to convince a veriﬁer that you know the discrete

logarithm of some value y to base g denoted as x (i.e. y = g

x

),

you choose a random value

r

, compute

t

= g

r

and pass it to

the veriﬁer. The veriﬁer returns a random

c

(the challenge),

whereon you submit the value

s

= r – c

∙

x. Finally, the veriﬁer

accepts the proof iﬀ t = g

s

y

c

(since g

r

= g

r – c ∙ x

∙

(g

x

)

c

).

It is easy to see that this proof satisfy the two properties:

–

Zero-knowledge

: By ﬁrst choosing random values c and s,

then computing

t = g

s

y

c

, the interaction is simulatable.

(To be precise, it is only honest-veriﬁer zero-knowledge.)

–

Proof of knowledge

: By sending two distinct challenges c

and c’ on the same t (

g

s

y

c

=

g

s ‘

y

c’

), x is extractable:

s – s’

/

c’ – c

.

Several statements can be

combined

by choosing a random

value r per hidden value and computing t for each equation.

Schnorr Signature

To be a proof of knowledge, it is crucial that the challenge c

is chosen only after the value t is ﬁxed. This dependency can

be established by a veriﬁer but also by a cryptographic hash

function. This results in a

non-interactive version

of the just

mentioned proof, which can also be used to sign messages.

Camenisch and Lysyanskaya Credential

In order to obtain a certiﬁcate on its secret value that can be

shown unlinkably, the client commits to it in the

RSA group

of the authority:

c

≡

n

g

x

h

r

. Subsequently, the authority signs

the commitment by choosing a random exponent

e

that is

coprime to the group order and by computing

b

≡

n

(f

–s

c)

–1/e

,

where

s

is the hash of the statement being certiﬁed and the

values

n

,

f

,

g

and

h

constitute the authority’s public key. Due

to the fact that only the authority knows the group order, no

one else can compute the e

th

root to ﬁnd b. The

credential

is

shown by proving f

s

≡

n

b’

e

g

x

h

r – e ∙ r’

with b’

≡

n

b

∙

h

r’

(see

7.3.

).

Veriﬁable Encryption

In order to revoke the anonymity of a user, its identity can be

veriﬁably

encrypted

for

the

issuing

authority

(see

chapter

7

).

6

Virtual ID

Chapter 2

C r y p t o g r a p h y

I n t r o d u c t i o n

3.

Security

3.1.

Overview

Environment

The

actors

–

hosts

and

clients

–

communicate in the presence

of

an

active

attacker

as

given

by

the

Dolev-Yao

model

. Such

an attacker can overhear, intercept and insert any messages

on the network but has only limited computing power.

Objectives

Virtual ID

is designed to achieve

authentic

and

conﬁdential

communication between uncorrupted actors. However, due

to the nature of the Internet and the above attacker model,

the

availability

of

services

cannot be guaranteed.

Since

clients

cannot be

framed

by

hosts

and actors cannot

repudiate

their actions (except in well-deﬁned cases), they

can generally be hold

liable

. The protocol provides neither

forward secrecy

(see

5.3.

) nor

anonymity

on the network

layer, although the latter could still be added separately.

Communication

Connections are always established to

hosts

, which process

requests

and return

responses

. The data is sent as

packets

(see the description of the type

packet@virtualid.ch

), which

are usually

encrypted

(see

5.

) and can be

signed

(see

6.

).

3.2.

Notation

Each letter has a speciﬁc meaning for the rest of this paper:

–

a

(with subscripts): The bases for a

credential’s

arguments.

–

b

: A random value to blind the arguments of a

credential

.

–

c

: The certifying base of a

credential

(with e as exponent).

–

d

: RSA’s private exponent used for decryption/signing.

–

e

: RSA’s public exponent used for encryption/veriﬁcation.

–

f

: The

client’s

commitment, which is ﬁxed at the native

VID

.

–

g

: The generator of the group for veriﬁable encryption.

–

h

: The hash function, taking as argument a tuple or a list.

–

i

: The serial number of a

credential

, identifying it per

host

.

–

j

: The commitment to a serial number chosen by a

client

.

–

k

: The key used for the symmetric encryption of a packet.

–

l

(with subscripts): The bit-length of variables for security.

–

m

: The message (or its hash) to be encrypted and signed.

–

n

: The RSA modulus, deﬁned as the product of p and q.

–

o

: The argument of a credential that is always exposed.

–

p

: The ﬁrst (safe) prime factor of the RSA modulus n.

–

q

: The second (safe) prime factor of the RSA modulus n.

–

r

: A randomly chosen value for proofs and commitments.

–

s

: The solution to the challenge in zero-knowledge proofs.

–

t

: The hash of temporary values in zero-knowledge proofs.

–

u

: The

client’s

secret key (the “private key” of user agents).

–

v

: The hash of

restrictions

or the hash of the

VID

identiﬁer

.

–

w

(with subscripts): The veriﬁable encryption of a value.

–

x

: The private key of the veriﬁable encryption scheme.

–

y

: The public key of the veriﬁable encryption scheme.

–

z

: The square root of the veriﬁable encryption modulus.

As in

XDF

,

tuples

are denoted as (…, …, …) and

lists

as […].

3.3.

Parameters

The

following

security

parameters

indicate

the

bit-lengths

of

the respective variables and are part of the protocol version:

–

l

p

,

l

q

=

1024,

l

n

=

2048: The bit-length of the RSA modulus.

–

l

h

,

l

u

,

l

i

,

l

v

,

l

o

=

256: Size of hash and all arguments except b.

–

l

r

,

l

s

=

512: Size of r (always positive) and s (also negative).

–

l

e

= 512: The length of a

credential’s

certifying exponent.

–

l

b

= 768: Length of the blinding value b, which is positive.

–

l

r

b

,

l

s

b

= 1024: Size of the values to prove knowledge of b.

–

l

z

= 1024: Length of the veriﬁable encryption modulus / 2.

–

l

k

= 256: Length of the hashed symmetric encryption key.

Chapter 3

Virtual ID

7

Security Cryptography

4.

Keys

4.1.

Host

Private Key

The

private key

of a

host

consists of

–

two safe primes

p

and

q

of lengths l

p

and l

q

, |p – q| > 2

3l

n

/8

,

–

a random value

d

with 2

l

n

/4

< d < φ(n) and gcd(d, φ(n)) = 1,

–

temporary values

u

,

i

,

v

and

o

being coprime to φ(n),

–

temporary values

r

u

,

r

i

,

r

v

and

r

o

between 1 and φ(n),

–

and a randomly chosen value

x

with 1 < x < (z – 1)

2

.

Public Key

The

public key

of a

host

consists of

–

the RSA modulus

n

= p ∙ q of length l

n

(or length l

n

– 1)

,

–

the encryption exponent

e

computed as e

≡

φ(n)

d

–1

,

–

a

b

with 1 < a

b

< n, each a

b

2 (p – 1)

, a

b

2 (q – 1)

, a

b

(p – 1) (q – 1) / 2

≢

n

1,

–

the values

a

u

≡

n

a

b

u

,

a

i

≡

n

a

b

i

,

a

v

≡

n

a

b

v

and

a

o

≡

n

a

b

o

,

–

the value

t

computed as t = h(a

b

r

u

, a

b

r

i

, a

b

r

v

, a

b

r

o

),

–

s

u

= r

u

– t

∙ u,

s

i

= r

i

– t

∙ i,

s

v

= r

v

– t

∙ v and

s

o

= r

o

– t

∙ o,

–

a random safe prime number

z

with a bit-length of l

z

,

–

a value

g

≠ z with 1 < g < z

2

, g

2 (z – 1)

≢

z

2

1, g

(z

–

1) (z – 1) / 2

≢

z

2

1,

–

and the veriﬁable encryption value

y

computed as y

≡

z

2

g

x

.

When

retrieving

a public key, a client

veriﬁes

that the bases

a

u

,

a

i

,

a

v

and

a

o

are

all

in

the

subgroup

generated

by

a

b

,

which

is the case if t

=

h(a

b

s

u

a

u

t

,

a

b

s

i

a

i

t

,

a

b

s

v

a

v

t

,

a

b

s

o

a

o

t

). This property

ensures

that

commitments

in

this

group

are

perfectly

hiding

.

The values’

correctness

can be veriﬁed after their expiration.

Liability

Hosts

respectively their

providers

are

liable

for messages

signed with their private keys

for two years

after signing.

They are also liable for the correct creation of their keys.

Certiﬁcation

In order to know for sure that a public key belongs to a

host

,

a

public key infrastructure

is established on the

host

-level.

Since a public key is an

attribute

of a

host

, it can be

certiﬁed

in the same way as ordinary

attributes

. The hierarchy’s

root

is

the

type

itself, namely

public.key.host@virtualid.ch

. Thus, all

clients

need

to

be

delivered

with

the

public

key

of

virtualid.ch

.

Key Rotation

Cryptographic keys need to be replaced from time to time. It

is important, however, to ensure that all

clients

learn the new

public key of the root in advance because otherwise they

are

no longer able to verify any public keys. With the rules that a

public key can be

cached

for one year and that a

client

needs

to be started just once a year, the root’s public key has to be

announced

two years before becoming

valid

. At this point,

the next key is announced and the current one becomes in-

valid

after

another

two

years

but

stays

eﬀective

for

two

more

years

due

to

its

liability.

Thus,

always

three

keys

are

published.

4.2.

Client

Secret Key

The

secret key

of a

client

is a randomly chosen value

u

with

a

bit-length of at most l

u

that is used in proofs of knowledge.

Commitments

At its native

VID

, the

client

commits

to the value

f

≡

n

a

u

u

and

authenticates

itself by proving knowledge of the value u (see

the Schnorr signature in

2.6.

) (this is not a real commitment).

Liability

The

liability

of a

client’s

secret key is limited to

one year

.

Key Rotation

A

client

changes its secret key by sending a corresponding

request

to its native

VID

. Due to the

relocation

of

VIDs

and

the rotation of

host

keys,

clients

need to indicate the

group

of their commitment in their signatures (see

6.3.

).

8

Virtual ID

Chapter 4

Cryptography Keys

5.

Encryption

5.1.

Procedure

Since requests are always sent to

hosts

, the randomly chosen

symmetric key

that is used to encrypt the message can itself

be encrypted with the

public key

of the receiving

host

. The

response is encrypted with the same symmetric key. Using

encryption is

mandatory

– only the

attributes

of

hosts

may

be requested in plain text (to retrieve the public key).

AES

is

used

for

symmetric and

RSA

for

asymmetric

encryption.

For better eﬃciency, symmetric keys and their encryption

with RSA can be

cached

and

reused

in successive requests

to the same

host

. The

replay of messages

can be prevented

by rejecting all requests that were not signed within the last

24 h and by requiring unique signature times per symmetric

key, which can only be checked once an upload is complete.

5.2.

Implementation

The

syntactic type

for encryption (

encryption@xdf.ch

) has the

following

format

: (host, time, key, text). The elements mean:

–

Host

: The

identiﬁer

of the receiving

host

in plaintext, since

a server can run many

hosts

at the same network address.

–

Time

: Either the time of encryption to specify the applied

public key or empty if the message is not encrypted at all.

–

Key

: A random group element k encrypted with the

host’s

public exponent e as k

e

in requests, empty in

responses.

–

Text

: The ciphertext of the message m computed as m

h(k)

or the plaintext if no encryption is used (‘Time’ is empty).

5.3.

Forward Secrecy

In a key-agreement protocol,

forward secrecy

describes the

property that the key used to encrypt

a

session

between

two

parties will not be compromised if the attacker learns one of

their private keys in the future. Even though this property is

desirable, it is not supported for the following three reasons:

–

Key negotiation requires at least

one additional round

of

communication, adding more complexity to the protocol.

–

By not requiring any interaction to determine the session

key, messages can also be

encryped

oﬄine

for later use.

–

Since

hosts

have to

log

all

requests

with an eﬀect on the

state of a

VID

, forward secrecy is of little beneﬁt anyway.

Chapter 5

Virtual ID

9

Encryption Cryptography

6.

Signatures

6.1.

Format

The

syntactic type

for signatures (

signature@xdf.ch

) has the

format

(content, host, client, credentials), where the content

is

either

signed

by

a

host

,

a

client

,

with

credentials

or

not

at

all:

–

Content

= (identiﬁer, time, message): The content consists

of the

identiﬁer

of the

VID

, about which a statement (often

a request or a response) is made, the time of signing (even

if no signature is attached) and the message itself.

–

Host

: The signature generated by a

host

(see

6.2.

).

–

Client

: The signature generated by a

client

(see

6.3.

).

–

Credentials

: The signature made with

credentials

(see

7.

).

6.2.

Host

Format

The signature of a

host

has the

format

(identiﬁer,

value) with:

–

Identiﬁer

: The

identiﬁer

of the signing

VID

– being the

host

itself in case of responses and the authority for

certiﬁcates

.

–

Value

: The signing value computed as h(content)

d

.

Signing

In order to

sign

a message, the

host

raises the

hash

of the

content (

6.1.

) to its private exponent

d

(

4.1.

) with

RSA

(

2.5.

).

Veriﬁcation

A signature can be

veriﬁed

by raising the

value

to the public

exponent

e

of the

identiﬁer’s

host

and computing the hash.

6.3.

Client

Format

The signature of a

client

has the

format

(host, time, f, t, s):

–

Host

and

time

: Indicate the group of the commitment f.

–

f

: The commitment to the secret key computed as f

≡

n

a

u

u

.

–

t

: The hash of the temporary value computed as t = h(a

u

r

).

–

s

: The solution to the challenge, s = r – (t

⊕

h(content))

∙

u.

Signing

Clients

only

sign

requests

to their native

VID

in this way, by

–

choosing randomly a positive value

r

with at most l

r

bits,

–

computing the value

t

in the group of their

accreditation

,

–

and computing the value

s

with the bitwise xor operation.

Veriﬁcation

The receiving

host

authenticates

the

client

by

verifying

that

–

the equation t = h(a

u

s

∙ f

t

⊕

h(content)

) holds (and that |s| ≤ l

s

).

10

Virtual ID

Chapter 6

Cryptography Signatures

7.

Credentials

7.1.

Content

Each

credential

includes the following values as

arguments

:

–

b

: A random value to blind a

credential’s

other arguments.

–

u

:

Client’s

secret

key,

which

is

never

revealed

or

escrowed.

–

i

: The serial number i is usually chosen by the issuing

host

.

–

v

: Either the hash of

restrictions

or the hash of an

identiﬁer.

–

o

= h(issuer, time, authorization, role, attribute): Hash of:

–

Issuer

: The

identiﬁer

of the

VID

that

issued

the

credential

.

–

Time

: The issuance time rounded to the last half-hour.

–

Authorization

: A randomized hash of the

authorization

.

–

Role

: The

role

for which the

client

has

the

authorization

.

–

Attribute

: The

attribute

for anonymous access control.

7.2.

Issuance

A

client

can

request

a

credential

for a certain

authorization

in

a certain

role

from its native

VID

by signing this request with

its secret key (see

6.3.

). The

host

checks whether this request

is valid, chooses a random exponent

e

of bit-length l

e

that is

coprime to the order

φ(n)

and

computes

c’

≡

n

(f

a

i

i

a

v

v

a

o

–o

)

–1/e

.

It

returns

the values c’ and e together with an arbitrary serial

number i to the

client

,

which

knows

then

all

the

values,

as

v

is

the hash of its

restrictions

and the

attribute

in o is still empty.

The

secret

key

u

is

included

through

the

commitment

f

≡

n

a

u

u

,

which requires that the

client

renews

it to the current group.

7.3.

Usage

Unlinkable

In

order

to

sign

with

a

credential

,

the

client

proves

knowledge

of

values

e,

u,

i

and

v

such

that

a

o

o

≡

n

c’

e

a

u

u

a

i

i

a

v

v

.

The

problem

is that the base c’ has to be

revealed

(see

2.6.

), which

renders

the

credential

linkable

(o is exposed anyway). By choosing a

random value r of at most l

b

– l

e

bits, c’ can be randomized to

c

≡

n

c’

∙ a

b

r

to prove

a

o

o

≡

n

c

e

a

b

b

a

u

u

a

i

i

a

v

v

with

b = b’ – r ∙ e

,

where b’ was now 0 (because

hosts

do not blind

credentials

).

The

issuance time

is rounded down to the last half-hour in

order that honest

hosts

accept requests for only two values

at any time, preventing them from becoming linkable on o.

Accountable

In

order

to

prevent

misuse,

it

is

important

that

the

anonymity

of a

client

respectively its user can be

revoked

under certain

conditions for certain requests. The mechanism required for

this purpose is called

veriﬁable encryption

, which allows to

escrow

one’s

identity

by

encrypting

a

value

for

a

third

party

in

such a way that a recipient can verify its

correctness

without

being able to decipher it. In

Virtual ID

, it is always the issuing

host

that takes the function of this third party.

Such

a

scheme

can

be

implemented

by

using

the

following

property

: For any number z,

(1 + z)

m

≡

z

2

1 + m ∙ z

, which can

be derived with the binomial formula.

A message m can thus

be encrypted for a

host

as

w

m

≡

z

2

(y

r

∙

(1

+

z)

m

,

g

r

)

with z, g and

y being part of its public key (

4.1.

) and r chosen randomly. In

order to

decrypt

w

m

=

(w

1

,

w

2

), the

host

computes the value

m

≡

z

2

(w

1

/

w

2

x

–

1)

/

z

≡

z

2

((g

x

)

r

∙

(1

+

z)

m

/

(g

r

)

x

–

1)

/

z with y

≡

z

2

g

x

.

(The

host

can even prove the correctness of this decryption.)

Accountability

can be achieved by requiring the

client

to

veriﬁably encrypt the values i and b for the

host

that issued

the

credential

. The serial number allows the

host

to link each

credential

to the other values and the

client

that requested it.

For holding a

client

liable

, it also needs to be ensured that

the

host

cannot act on its behalf by issuing

faked

credentials

.

Since

clients

never reveal their secret key,

hosts

cannot sign

with a

credential

unless they issue it on a diﬀerent secret key.

If a

client

repudiates

a signature, the

host

needs to provide

the values o, e, b, i and v, and by computing a

u

r

u

≡

n

a

u

s

u

f

t

, it is

easy to check whether the value t has been derived correctly

(see the next section) or whether the

client

has been

framed

.

Chapter 7

Virtual ID

11

Credentials Cryptography

Signing

Due to the ﬂexibility and the combination of

credentials

, the

format

of

credential

-based signatures is relatively complex:

(t, s

u

, v, s

v

, [(o, c, s

e

, s

b

, i, s

i

,

(

w

i

, s

wi

, w

b

, s

wb

)

)], f’, certiﬁcates).

After

randomizing

each

credential

(see

7.3.

)

and

computing

the encryptions

w

i

and

w

b

with

random

values

wi

and

wb

of

length

l

r

b

–

l

h

,

the

client

chooses randomly the values

r

u

and

r

v

of length l

r

, and per

credential

the values

r

e

and

r

i

of length l

r

and

r

b

,

r

wi

and

r

wb

of length l

r

b

(see

3.3.

).

Afterwards,

the

value

t

= h

[(c

r

e

a

b

r

b

a

u

r

u

a

i

r

i

a

v

r

v

,

(

y

r

wi

(1+

z)

r

i

, g

r

wi

, y

r

wb

(1+

z)

r

b

, g

r

wb

)

)]

⊕

…

h(content), where the tuple in the list is computed for every

credential

. If

no veriﬁable encryption

is required, the part in

the bold parentheses can be omitted for all

credentials

. The

s-values are ﬁnally computed as

s

u

=

r

u

–

t

∙

u and

s

v

=

r

v

–

t

∙

v,

and for each credential

s

e

=

r

e

–

t

∙

e,

s

b

=

r

b

–

t

∙

b,

s

i

=

r

i

–

t

∙

i,

s

wi

=

r

wi

–

t

∙

wi and

s

wb

=

r

wb

–

t

∙

wb.

The value

o

is added to the signature in its unhashed form

(

7.1.

). The same applies to

v

if the

restrictions

are

revealed

.

In

this case, s

v

is left empty and a

v

rv

is not a factor in

t

but

a

o

o

on

the left side of each

credential’s

equation is divided by a

v

v

.

In order to give

services

more possibilities, also the value

i

can be disclosed (with the same consequences as in case of

v). The idea is that clients can commit to a random value i as

j

≡

n

a

i

i

a

b

b’

inside a request for a speciﬁc

credential

, which the

host then includes in the computation of c’ (see

7.2.

) without

learning i. Such

credentials

are useful in situations in which it

is desired that

clients

can make

anonymous

submissions but

only

once

(e.g. digital money and online surveys).

Last but not least, the value

f’

is needed in the

shortening

of

credentials

(see

7.4.

) and

certiﬁcates

can be appended for

combining

identity

- and

attribute

-based

authentication

.

Veriﬁcation

The receiving

host

veriﬁes

that the following equation

holds:

t =

h(

[(c

s

e

a

b

s

b

a

u

s

u

a

i

s

i

a

v

s

v

(a

o

o

)

t

,

(

y

s

wi

(1+

z)

s

i

w

i1

t

, g

s

wi

w

i2

t

, y

s

wb

(1+

z)

s

b

w

b1

t

, g

r

wb

w

b2

t

)

)])

⊕

h(content), with w

i1

and w

i2

being the

ﬁrst and second element of w

i

(and for w

b

accordingly).

Additionally, the

host

needs to make sure that all s-values

except s

b

, s

wi

and s

wb

are

at most l

s

bits long (the others may

be up to l

s

b

bits long). The reason for this is that the

exponent

e of length l

e

may not ﬁt into any other exponent but b, such

that the value c’ can only be blinded with the base a

b

.

As a ﬁnal remark,

hosts

have to choose the exponent

e

at

random

in order to prevent the multiplication of

credentials

.

7.4.

Shortening

Roles

Before being able to make requests on behalf

of

another

VID

for which the native

VID

is

authorized

in a certain

role

, a

client

needs to obtain a

credential

from this other

VID

by

signing

an

appropriate

request

with

a

credential

from

the

native

VID

.

The

current

restrictions

have to be exposed in this process that is

called

shortening

such that the issuing

host

can check their

conformity

. The

client’s

authorization

is also checked and the

role

stated in the value o is reduced by one entry. Since

roles

can be

chained

,

credentials

have to be shortened recursively.

To

guarantee

that

the

validity

period

of

a

credential

cannot

be

extended

by

shortening,

the

same

time

value

has

to

be

used.

Such requests require that i and b are

veriﬁably encrypted

.

Certiﬁcates

The shortening of

certiﬁcates

works similarly, except that the

restrictions

are

replaced

with a randomized hash of the

VID’s

identiﬁer

at the

authority

that issued the

certiﬁcate

. This step

is required to ensure that

clients

cannot

pool

credentials

from

various

VIDs

for

attribute

-based

access

control.

Furthermore,

the main

role

is dropped from the

credential

and the

certiﬁed

attribute

is added instead.

While shortening, the secret key

u

and the value

v

, which

is no longer disclosed further up the

certiﬁcation

hierarchy,

need to be

transferred

to a new group (also in case of

roles

).

This is achieved by

committing

to them with

f’

≡

n

a

u

u

a

v

v

a

b

b’

and proving that the same values

and a random b’ are used.

12

Virtual ID

Chapter 7

Cryptography Credentials

## Comments 0

Log in to post a comment