Anonymous Identification in Ad Hoc Groups

1
Anonymous Identification in Ad Hoc Groups
Yevgeniy Dodis, Antonio Nicolosi, Victor
Shoup dodis,nicolosi,shoup_at_cs.nyu.edu New York
University
Aggelos Kiayias aggelos_at_cse.uconn.edu University
of Connecticut
New York, NY, USA
April 6th, 2004
2
Enabling Privacy-Aware Access Control

• Want to control access to many objects
• Each with its own set of authorized users
• For privacy concerns, users wont reveal their
  identity when accessing an object
• Solution
• Have one ad hoc group for each object
• To access an object, users anonymously identify
  as members of corresponding group

3
Example Access-controlled Blog

• Alice is keeping a cool blog about her poems

• Since shes shy, she only wants her friends to
  access it

• But her friends are shy, too
• Maybe one of them is making too much reading

? Solution Ad Hoc Anonymous Identification scheme
4
Identification Schemes
5
Anonymous Identification
6
Anonymous Identification (contd)

• Alice cannot tell whom she is talking to
• Even in the case of two sessions with the same
  user (unlinkability)

7
Ad Hoc Groups

• Structured Groups vs.
• E.g. organizations
• Group Manager
• Users need a different key per group

• Ad Hoc Groups
• E.g. poetry clubs
• No central authority
• Can use same key for multiple groups

8
Ad Hoc Anonymous ID Syntax

• Setup system-wide initialization phase
• Register per-user initialization
• Each user picks a secret key/public key pair
• Run only once, regardless of groups user joins
• Make-GPK combines a set of PKs into one GPK
• Make-GSK combines a users SK with a set of PKs,
  yielding a single GSK
• Anon-ID protocol between a group member (holding
  GSK) and a verifier (holding GPK)

9
Ad Hoc Anonymous ID Syntax (contd)

• Make-GPK (running time / to group size)

• Make-GSK (running time / to group size)

• Anon-ID (constant running time)

10
Background One-Way Functions

• Family of functions easy to compute, but very
  hard to invert at a random point

easy
x
f(x)
HARD

• At the core of all modern Cryptography
• Several instances are widely accepted
• but nobody knows if they exist (in particular,
  cannot exist if P NP)

11
Background Accumulators

• Intuition Secure Dictionary ADT
• Element Insertion/Membership Testing
• Element Insertion
• Adding to a set yields a different, larger set

• Adding to an accumulator yields a different value
  of the same size a witness

12
Background Accumulators (contd)

• Membership Testing
• Sets are transparent anybody can inspect their
  content

• Accumulators are opaque
• Infeasible to check for membership

• unless the proper witness is known

• Hard to compute fake witness

13
Constructing Ad Hoc Anonymous ID

• Register sets SKrandom, PKf( SK )

• Make-GPK combines PKs by inserting them all into
  the accumulator

• Make-GSK runs as Make-GPK, but also keeps track
  of SK and of the witness for PK

• In the Anon-ID protocol, the user proves that
• he knows the SK corresponding to some PK
• PK has been added in the accumulator

14
Ad Hoc Anonymous ID Variations

• Identity Escrow
• To prevent abuse of anonymity, possible to amend
  the scheme so that user identity can be recovered
  by a trusted party

• Supporting large ad hoc groups
• If group changes, need to build new value of GPK
  from scratch with Make-GPK
• But if changes are just user additions, can
  compute new GPK (and GSK) efficiently

15
Summary
16
Thank you!

• Any questions?