Abstract
As centralized identity management solutions amass identity data, they increasingly become attractive targets for cyber attacks, which entail consequences for users that range from service disruptions to exposure of sensitive user data. Self-sovereign identity (SSI) strives to return the control over identity data to the users by building on decentralized architectures. However, the adoption of SSI systems is currently hampered by a lack of qualified identity data that satisfies the services’ requirements. Additionally, there is a gap w.r.t. the user’s privacy: intermediate components (e.g., importers or SSI network nodes) learn the users’ sensitive attributes during the derivation of eID data.
In this work, we present a decentralized eID derivation concept that preserves the users’ privacy while maintaining the data’s trustworthiness without revealing the plain data to any component outside the users’ control. Our proposed system also enables users to selectively disclose only relevant parts of the imported identity assertion according to the service’s requirements. We also implement and evaluate a proof-of-concept to demonstrate the feasibility and performance of our concept.
S. Ramacher—Work done while the author was with Graz University of Technology.
Notes
- 1.
- 2. For example, \(\mathcal {E}\) would encode the attributes as SAML v2 identity assertion [27].
- 3.
- 4. With the choice of BLS as multi-signature scheme, we follow Abraham et al. [2]. Thus, the validator nodes do not need a secure random number generator for signing.
- 5. We slightly abuse notation and use \(A\) instead of always specifying the encoding \(\mathcal {E}\).
- 6. Any design for Type-1 can be transformed into a Type-3 one [1] for efficiency.
- 7. We slightly abuse notation and assume that \(\mathsf {Com} \) only returns the commitment.
References
Abe, M., Hoshino, F., Ohkubo, M.: Design in Type-I, run in Type-III: fast and scalable bilinear-type conversion using integer programming. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part III. LNCS, vol. 9816, pp. 387–415. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_14
Abraham, A., Theuermann, K., Kirchengast, E.: Qualified eID derivation into a distributed ledger based IdM system. In: TrustCom/BigDataSE, pp. 1406–1412. IEEE (2018)
Albrecht, M.R., et al.: Feistel structures for MPC, and more. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 151–171. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_8
Allen, C.: The Path to Self-Sovereign-Identity (2016). http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html. Accessed 15 Feb 2019
Aranha, D.F., Gouvêa, C.P.L.: RELIC is an Efficient LIbrary for Cryptography. https://github.com/relic-toolkit/relic
Aublin, P., Mokhtar, S.B., Quéma, V.: RBFT: redundant byzantine fault tolerance. In: ICDCS, pp. 297–306. IEEE Computer Society (2013)
Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: Non-interactive anonymous credentials. ePrint 2007, 384 (2007)
Bernabe, J.B., Skarmeta, A., Notario, N., Bringer, J., David, M.: Towards a privacy-preserving reliable European identity ecosystem. In: Schweighofer, E., Leitold, H., Mitrakas, A., Rannenberg, K. (eds.) APF 2017. LNCS, vol. 10518, pp. 19–33. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-67280-9_2
Bertino, E., Takahashi, K.: Identity Management: Concepts, Technologies, and Systems. Artech House, Norwood (2010)
Boldyreva, A.: Threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_3
Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_30
Camenisch, J., Herreweghen, E.V.: Design and implementation of the idemix anonymous credential system. In: ACM CCS, pp. 21–30. ACM (2002)
Caro, A.D.: JPBC. http://gas.dia.unisa.it/projects/jpbc/index.html
Castro, M., Liskov, B.: Practical Byzantine fault tolerance and proactive recovery. ACM Trans. Comput. Syst. 20(4), 398–461 (2002)
Chase, M., et al.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. In: ACM CCS, pp. 1825–1842. ACM (2017)
Chase, M., Kohlweiss, M.: A new hash-and-sign approach and structure-preserving signatures from DLIN. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 131–148. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32928-9_8
Drijvers, M., Gorbunov, S., Neven, G., Wee, H.: Pixel: multi-signatures for consensus. ePrint 2019, 514 (2019)
Fuchsbauer, G., Pointcheval, D.: Proofs on encrypted values in bilinear groups and an application to anonymity of signatures. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 132–149. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03298-1_10
Groth, J., Ostrovsky, R., Sahai, A.: Non-interactive zaps and new techniques for NIZK. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 97–111. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_6
Isaac, M., Frenkel, S.: Facebook security breach exposes accounts of 50 million users (2018). https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html. Accessed 04 June 2019
Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. In: ACM CCS, pp. 525–537. ACM (2018)
Lenz, T., Alber, L.: Towards cross-domain eID by using agile mobile authentication. In: TrustCom/BigDataSE/ICESS, pp. 570–577. IEEE Computer Society (2017)
Mathews, L.: Equifax data breach impacts 143 million Americans (2017). https://www.forbes.com/sites/leemathews/2017/09/07/equifax-data-breach-impacts-143-million-americans/. Accessed 04 June 2019
Menezes, A., Sarkar, P., Singh, S.: Challenges with assessing the impact of NFS advances on the security of pairing-based cryptography. In: Phan, R.C.-W., Yung, M. (eds.) Mycrypt 2016. LNCS, vol. 10311, pp. 83–108. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61273-7_5
Mühle, A., Grüner, A., Gayvoronskaya, T., Meinel, C.: A survey on essential components of a self-sovereign identity. Comput. Sci. Rev. 30, 80–86 (2018)
NIST: SP 800-157. Guidelines for Derived Personal Identity Verification (PIV) Credentials (2014)
OASIS: SAML (security assertion markup language) specifications. http://saml.xml.org/saml-specifications. Accessed 13 Apr 2019
Paquin, C., Zaverucha, G.: U-Prove cryptographic specification v1.1 (revision 3) (2013). https://www.microsoft.com/en-us/research/publication/u-prove-cryptographic-specification-v1-1-revision-3/
Reed, D., Sporny, M., Longley, D., Allen, C., Grant, R., Sabadello, M.: Decentralized Identifiers (DIDs) v0.9 (2018). https://w3c-ccg.github.io/did-spec/
Sovrin Foundation: Sovrin: A Protocol and Token for Self-Sovereign Identity and Decentralized Trust (2018). https://sovrin.org/wp-content/uploads/Sovrin-Protocol-and-Token-White-Paper.pdf
Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_7
Zwattendorfer, B., Zefferer, T., Stranacher, K.: An overview of cloud identity management-models. In: WEBIST (1), pp. 82–92. SciTePress (2014)
A Cryptographic Assumptions and Primitives
We recall the standard notion of digital signature schemes.
Definition 1 (Signature Scheme)
A signature scheme \(\varSigma \) is a triple \((\mathsf {KeyGen}, \mathsf {Sign}, \mathsf {Verify})\) of PPT algorithms, which are defined as follows:
- \(\mathsf {KeyGen} (1^\kappa ){:}\) This algorithm takes a security parameter \(\kappa \) as input and outputs a secret (signing) key \(\mathsf {sk}\) and a public (verification) key \(\mathsf {pk}\).
- \(\mathsf {Sign} (\mathsf {sk}, m){:}\) This algorithm takes a secret key \(\mathsf {sk}\) and a message \(m\) as input and outputs a signature \(\sigma \).
- \(\mathsf {Verify} (\mathsf {pk},m,\sigma ){:}\) This algorithm takes a public key \(\mathsf {pk}\), a message \(m\) and a signature \(\sigma \) as input and outputs a bit \(b \in \{0,1\}\).
We require a signature scheme to be correct and to provide existential unforgeability under adaptively chosen message attacks (EUF-CMA).
For the concrete instantiations we need bilinear groups, which are generated by \(\mathsf {BGGen}\): on input a security parameter \(1^\kappa \), it returns a bilinear group description consisting of groups \(\mathbb {G}\) and \(\mathbb {G}_T\) of prime order \(q\), a Type-1 pairing \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\) (see Note 6) and a generator \(g\) of \(\mathbb {G}\). Waters’ signature scheme [31], which is secure under the computational Diffie-Hellman (CDH) assumption, is depicted in Scheme 1.
Furthermore, we are interested in an extension of signature schemes to multi-signature schemes, where signatures on the same message under several public keys can be aggregated into one compact signature that is valid under an aggregated public key. We define such signatures following Drijvers et al. [17]:
Definition 2 (Multi-Signature Scheme)
A multi-signature scheme \(\varSigma _M \) extends a signature scheme with PPT algorithms \((\mathsf {APKs}, \mathsf {ASigs}, \mathsf {AVerify})\), which are defined as follows:
- \(\mathsf {APKs} (\mathsf {pk}_1, \ldots , \mathsf {pk}_n){:}\) This algorithm takes \(n\) public keys \((\mathsf {pk}_i)_{i=1}^n\) as input and outputs an aggregated public key \(\mathsf {pk}_{M}\).
- \(\mathsf {ASigs} ((\mathsf {pk}_1, \sigma _1), \ldots , (\mathsf {pk}_n, \sigma _n), m){:}\) This algorithm takes signatures \({(\sigma _{i})}_{i=1}^n\) on the message \(m\) and the corresponding public keys \({(\mathsf {pk}_{i})}_{i=1}^n\), and outputs an aggregated signature \(\sigma _M \) on the message \(m\) or \(\bot \) on error.
- \(\mathsf {AVerify} (\mathsf {pk}_{M},m,\sigma _M){:}\) This algorithm takes an aggregated public key \(\mathsf {pk}_{M}\), a message \(m \in \mathcal {M}\) and an aggregated signature \(\sigma _M \) as input and outputs a bit \(b \in \{0,1\}\).
The BLS signature scheme [11] is a prominent example of a signature scheme that can be extended to a multi-signature [10].
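As an added worked instance of Definition 2 (supplied here, not taken from the paper), consider BLS [11] over the Type-1 group \((q, \mathbb {G}, \mathbb {G}_T, e, g)\) output by \(\mathsf {BGGen}\), with a hash function \(H: \{0,1\}^* \rightarrow \mathbb {G}\); the aggregation algorithms are those of [10]:

\[
\begin{aligned}
\mathsf {KeyGen}(1^\kappa) &: \ \mathsf {sk} \leftarrow \mathbb {Z}_q,\quad \mathsf {pk} = g^{\mathsf {sk}} \\
\mathsf {Sign}(\mathsf {sk}, m) &: \ \sigma = H(m)^{\mathsf {sk}} \\
\mathsf {Verify}(\mathsf {pk}, m, \sigma) &: \ \text{output } 1 \text{ iff } e(\mathsf {pk}, H(m)) = e(g, \sigma) \\
\mathsf {APKs}(\mathsf {pk}_1, \ldots, \mathsf {pk}_n) &: \ \mathsf {pk}_M = \prod_{i=1}^n \mathsf {pk}_i \\
\mathsf {ASigs}((\mathsf {pk}_i, \sigma_i)_{i=1}^n, m) &: \ \text{output } \bot \text{ if } \mathsf {Verify}(\mathsf {pk}_i, m, \sigma_i) = 0 \text{ for some } i,\ \text{else } \sigma_M = \prod_{i=1}^n \sigma_i \\
\mathsf {AVerify}(\mathsf {pk}_M, m, \sigma_M) &: \ \text{output } 1 \text{ iff } e(\mathsf {pk}_M, H(m)) = e(g, \sigma_M)
\end{aligned}
\]

Correctness of \(\mathsf {AVerify}\) follows from bilinearity of \(e\), since \(\mathsf {pk}_M = g^{\sum_i \mathsf {sk}_i}\) and \(\sigma_M = H(m)^{\sum_i \mathsf {sk}_i}\):

\[
e(g, \sigma_M) = e\Big(g, H(m)^{\sum_{i=1}^n \mathsf {sk}_i}\Big) = e(g, H(m))^{\sum_{i=1}^n \mathsf {sk}_i} = e\Big(g^{\sum_{i=1}^n \mathsf {sk}_i}, H(m)\Big) = e(\mathsf {pk}_M, H(m)).
\]

Signing is deterministic, which is why the validator nodes need no secure random number generator (Note 4). Plain key aggregation as written is secure in the setting of [10], where signers have proven knowledge of their secret keys; a verifier must therefore only aggregate registered keys.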
Finally, we recall a standard definition of non-interactive zero-knowledge proof systems. Let \(L \subseteq \mathsf {X}\) be an \(\mathbf {NP}\)-language with associated witness relation \(R\) so that \(L = \{x ~|~ \exists w: R(x, w) = 1\}\).
Definition 3 (NIZK)
A non-interactive proof system \(\mathsf {\Pi }\) is a tuple of algorithms \((\mathsf {Setup}, \mathsf {Proof}, \mathsf {Verify})\), which are defined as follows:
- \(\mathsf {Setup}(1^\kappa ){:}\) This algorithm takes a security parameter \(\kappa \) as input, and outputs a common reference string \(\mathsf {crs}\).
- \(\mathsf {Proof}(\mathsf {crs}, x, w){:}\) This algorithm takes a common reference string \(\mathsf {crs}\), a statement \(x\), and a witness \(w\) as input, and outputs a proof \(\pi \).
- \(\mathsf {Verify}(\mathsf {crs}, x, \pi ){:}\) This algorithm takes a common reference string \(\mathsf {crs}\), a statement \(x\), and a proof \(\pi \) as input, and outputs a bit \(b \in \{0,1\}\).
We require such a proof system to be complete (all proofs for statements in the language verify), sound (a proof for a statement outside the language verifies only with negligible probability) and zero-knowledge (a proof reveals no information about the witness). We are especially interested in proof systems for statements of the form \( F = \mathcal {F}(m_1 \Vert \ldots \Vert m_n) \wedge \bigwedge _{i=1}^n c_i = \mathsf {Com} (m_i; r_i) \), where \(\mathcal {F}\) is derived from the hash function \(H\) used in Waters’ signature scheme, i.e., \(H(m) = u_0 \cdot \mathcal {F}(m)\). For the commitments \(\mathsf {Com} \) (see Note 7) we use Groth-Ostrovsky-Sahai commitments [19]. We can now define the relation \(R_{cF}\) as
and denote the corresponding proof system based on [18] as \(\mathsf {\Pi }_{cF}\), which is complete, sound and zero-knowledge.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Abraham, A., Hörandner, F., Omolola, O., Ramacher, S. (2020). Privacy-Preserving eID Derivation for Self-Sovereign Identity Systems. In: Zhou, J., Luo, X., Shen, Q., Xu, Z. (eds) Information and Communications Security. ICICS 2019. Lecture Notes in Computer Science(), vol 11999. Springer, Cham. https://doi.org/10.1007/978-3-030-41579-2_18
DOI: https://doi.org/10.1007/978-3-030-41579-2_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-41578-5
Online ISBN: 978-3-030-41579-2