2022-05-31 Conversation on IRMA Idemix


IRMA/Idemix for Privacy-Preserving Vaccine Passports
Jonathan Levin

2022–05–31

What would we like to do?

▶ Require Proof of Ownership of some credential (e.g., vaccination record) for entry into certain venues.
▶ Ensure that credentials are authentic and belong to the person presenting them.
▶ Bonus: Protect individuals’ privacy


Problem: Yellow cards present a forgery risk [1]

[1] https://www.taiwannews.com.tw/en/news/4517982


IRMA/Idemix – High level

IRMA [2] is a smartphone app and online service based on the Idemix protocol and developed by the Privacy By Design Foundation in Nijmegen, the Netherlands.

▶ Users obtain a signed credential from an issuer (e.g., Taiwan CDC, City government, etc.)
▶ Credential is a set of attributes (e.g., vaccination date, age ≥ 18, address, academic degree)
▶ Verifiers need to know certain attributes to provide service, but not others. Example: A night club bouncer should know that my age and vaccine status suffice for entry, but not my name.
▶ User shows only the required attributes, and cryptographically proves possession of their authentic parent credential(s).
▶ Verifier learns only the revealed attributes but nothing about unrevealed ones. Additionally, sessions are anonymous, so verifiers and issuers cannot track users.

[2] “I Reveal My Attributes” – https://irma.app


Demo 1/2 — Obtaining and verifying a valid vaccine record

Demo website: https://irma-tw.jlev.in
IRMA APK: https://irma-tw.jlev.in/app.apk
(Source available at https://github.com/ondesmartenot/irmamobile)


Vaccination status verification w/IRMA [3]

[3] Modified from https://irma.app/docs/what.is-irma


Demo 2/2 — Failed verification due to insufficient attributes

Demo website: https://irma-tw.jlev.in
IRMA APK: https://irma-tw.jlev.in/app.apk
(Source available at https://github.com/ondesmartenot/irmamobile)

IRMA/Idemix - Security Properties [4]

▶ Authenticity – Credentials are cryptographically signed, so verifier knows credential is valid if verification succeeds.
▶ Privacy – Verifiers and IRMA servers learn nothing about unrevealed attributes.
▶ Unlinkability – Signatures are blinded and zero-knowledge proofs are randomized, so verifiers and issuers cannot collude to track or identify users from their sessions.
▶ Non-transferability – All credentials contain a user’s secret key as first attribute. This key is split between user’s device and a key-share server, and is bound to the device during issuance, so credentials cannot be transferred to other devices. The secret key cannot be revealed either.

[4] See full list at https://irma.app/docs/overview/#irma-security-properties


Technical requirements

Infrastructure:
▶ IRMA server with issuing permissions for vaccine records (run by TW-CDC) + website for credential issuance.
▶ Additional IRMA server(s) for verification
▶ Key-share server

Software:
▶ Smartphone app (IRMA fork) (https://github.com/privacybydesign/irmamobile)
▶ IRMA server, Key-share server, front-end, and back-end libraries available as out-of-the-box libraries. (https://github.com/privacybydesign/irmago)
▶ Frontend websites/apps for issuance and verification.


Thank you


Bonus: Cryptographic background

Blind signatures [5]

A blind signature is a cryptographic signature on data that has been randomized, or blinded, before being signed. This prevents the signer from knowing what it is signing, but the owner of the signature can recover a valid signature on the original, unblinded message from the blind signature.

Example: Schoolbook RSA

Blind message $m$ with random blinding factor $r$ and obtain a valid signature $\sigma$ on $m$.

Blinding the message $m$: $m' \equiv m \cdot r^{e} \bmod n$
Other party signs $m'$: $\sigma' \equiv (m')^{1/e} \bmod n$
Unblinding: $\sigma \equiv \sigma' \cdot r^{-1} \equiv (m')^{1/e} \cdot r^{-1} \equiv m^{1/e} \cdot r \cdot r^{-1} \equiv m^{1/e} \bmod n$

[5] https://en.wikipedia.org/wiki/Blind_signature
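
Added example (not from the slides): the three schoolbook RSA steps above as Python, with the user and signer roles separated so it is visible that the signer only ever handles m'. The key (constructed toy primes, e = 65537), the message and all function names are assumptions; like the slide, it uses no padding.

```python
import math
import secrets

# Constructed toy RSA key (schoolbook, no padding; far too small for real use).
P, Q, E = 1019, 1187, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # signer's private exponent, the slide's "1/e"

def blind(m):
    """User: pick r coprime to n, return (m', r) with m' = m * r^e mod n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return m * pow(r, E, N) % N, r

def sign(m_blinded):
    """Signer: sigma' = m'^(1/e) mod n. The signer never sees m or r."""
    return pow(m_blinded, D, N)

def unblind(sig_blinded, r):
    """User: sigma = sigma' * r^-1 mod n, a plain RSA signature on m."""
    return sig_blinded * pow(r, -1, N) % N

def verify(m, sig):
    """Anyone: check sigma^e == m mod n with the public key (n, e)."""
    return pow(sig, E, N) == m % N

if __name__ == "__main__":
    message = 424242                  # constructed sample message, must be < N
    blinded, r = blind(message)
    signature = unblind(sign(blinded), r)
    print("signer saw:", blinded, "signature on m valid:", verify(message, signature))
```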


Bonus: Cryptographic background

Zero-Knowledge Proof

A zero-knowledge proof is a protocol in which a proving party proves to a verifying party that some statement is true, without revealing any other information to the verifier.

Example: Interactive proof of knowledge of a discrete logarithm (Schnorr [6])

Let $g$ generate the group $\mathbb{Z}_q^*$ for prime $q$. Given an element $y = g^x$, a prover $P$ can prove knowledge of $x$ to verifier $V$ without revealing $x$ as follows.

1. $P$ picks random $r \in \mathbb{Z}_q^*$ and computes $s = g^r$. $P$ sends $s$ to $V$.
2. $V$ picks random challenge $c \in \mathbb{Z}_q^*$ and sends $c$ to $P$.
3. $P$ computes $t \equiv r - cx \bmod (q - 1)$ and sends $t$ to $V$.
4. $V$ checks if $s = g^t y^c$.

The equivalence holds because $g^t y^c = g^{(r - cx)} y^c = g^{(r - cx)} g^{cx} = g^r = s$.

[6] https://en.wikipedia.org/wiki/Proof_of_knowledge#Schnorr_protocol
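
Added example (not from the slides): the four protocol steps above in Python, using the slide's convention t = r - cx mod (q - 1). It also includes a simulator that builds an accepting transcript without x when the challenge is known in advance, which is why transcripts reveal nothing about x and why the verifier must pick c only after receiving s. The parameters q = 1019, g = 2 and all function names are assumptions.

```python
import secrets

# Constructed toy parameters: q is prime and g = 2 generates Z_q^* (far too small for real use).
Q, G = 1019, 2

def keygen():
    x = secrets.randbelow(Q - 2) + 1              # prover's secret exponent
    return x, pow(G, x, Q)                        # (x, y = g^x)

def commit():
    r = secrets.randbelow(Q - 1) + 1              # step 1: random r, s = g^r
    return r, pow(G, r, Q)

def new_challenge():
    return secrets.randbelow(Q - 1) + 1           # step 2: verifier's random c

def respond(r, c, x):
    return (r - c * x) % (Q - 1)                  # step 3: t = r - cx mod (q - 1)

def check(y, s, c, t):
    return s == pow(G, t, Q) * pow(y, c, Q) % Q   # step 4: s == g^t * y^c

def run_protocol(x, y):
    """One honest session: returns the transcript (s, c, t) and the verifier's verdict."""
    r, s = commit()
    c = new_challenge()
    t = respond(r, c, x)
    return (s, c, t), check(y, s, c, t)

def simulate(y, c):
    """Accepting transcript for a challenge fixed in advance, built without knowing x."""
    t = secrets.randbelow(Q - 1)
    return pow(G, t, Q) * pow(y, c, Q) % Q, c, t

if __name__ == "__main__":
    x, y = keygen()
    print("honest prover accepted:", run_protocol(x, y)[1])
    print("simulated transcript accepted:", check(y, *simulate(y, 7)))
```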

Bonus: Idemix [7] – Credentials and Revealing Attributes

▶ Setup is similar to RSA: Issuer generates two large primes $p$ and $q$ and computes their product $n$.
▶ For a credential with $k + 1$ attributes $\alpha_0, \ldots, \alpha_k$, the issuer generates random values $Z, S, R_0, \ldots, R_k \in QR_n$: the group of quadratic residues modulo $n$
▶ A credential is actually a signature on $\alpha_1, \ldots, \alpha_k$ of the form $(A, e, v)$, with $e, v$ random, and

$A \equiv \left( \frac{Z}{S^{v} R_0^{\alpha_0} \cdots R_k^{\alpha_k}} \right)^{1/e} \bmod n.$

▶ Verification is similar to verifying RSA signatures:

$Z \stackrel{?}{\equiv} A^{e} S^{v} \prod_{i=0}^{k} R_i^{\alpha_i} \bmod n$

▶ User can generate a ZK-proof of knowledge of all attributes for credential $(A, e, v)$, denoted

$PK\left\{ (e, v, \alpha_0, \ldots, \alpha_k) : Z \equiv A^{e} S^{v} \prod_{i=0}^{k} R_i^{\alpha_i} \pmod{n} \right\},$

▶ or a set $D$ of disclosed attributes of $(A, e, v)$:

$PK\left\{ (e, v, (\alpha_i)_{i \notin D}) : Z \cdot \prod_{i \in D} R_i^{-\alpha_i} \equiv A^{e} S^{v} \prod_{i \notin D} R_i^{\alpha_i} \pmod{n} \right\}$

[7] https://irma-tw.jlev.in/levin_irma_report_2020.pdf
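
Added example (not from the slides or the IRMA code base): a toy Python version of the credential equations above, covering issuance, verification, and a non-interactive proof that discloses only the attributes in D. Assumptions: constructed toy safe primes, attributes indexed from 0, a hash-derived challenge bound to a verifier nonce, and the signature randomization A' = A·S^r, v' = v - e·r, which the slide does not spell out; range checks and blind issuance of the secret-key attribute are omitted.

```python
import hashlib, math, secrets

# Constructed toy issuer key: n = p*q with safe primes p = 2p'+1, q = 2q'+1.
P1, Q1 = 509, 593                                   # p', q' (far too small for real use)
N, ORDER = (2 * P1 + 1) * (2 * Q1 + 1), P1 * Q1     # ORDER = |QR_n|, issuer's secret

def rand_qr():
    while True:                                     # square of a random unit, never 1
        y = pow(secrets.randbelow(N - 2) + 2, 2, N)
        if math.gcd(y, N) == 1 and y != 1:
            return y

def keygen(k):
    return {"Z": rand_qr(), "S": rand_qr(), "R": [rand_qr() for _ in range(k)]}

def rhs(pk, A, x):
    """A^x['e'] * S^x['v'] * prod_i R_i^x[i] mod n, over the integer keys i of x."""
    out = pow(A, x["e"], N) * pow(pk["S"], x["v"], N) % N
    for i in (key for key in x if isinstance(key, int)):
        out = out * pow(pk["R"][i], x[i], N) % N
    return out

def issue(pk, attrs, e=65537):
    v = secrets.randbelow(ORDER)
    denom = rhs(pk, 1, {"e": 0, "v": v, **dict(enumerate(attrs))})
    return pow(pk["Z"] * pow(denom, -1, N) % N, pow(e, -1, ORDER), N), e, v

def verify(pk, attrs, cred):
    A, e, v = cred
    return pk["Z"] == rhs(pk, A, {"e": e, "v": v, **dict(enumerate(attrs))})

def challenge(*parts):
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest()[:8], "big")

def disclose(pk, attrs, cred, D, nonce):
    A, e, v = cred
    r = secrets.randbits(64)                        # fresh per session: unlinkability
    A2, v2 = A * pow(pk["S"], r, N) % N, v - e * r  # randomized signature (A', e, v')
    secret = {"e": e, "v": v2, **{i: a for i, a in enumerate(attrs) if i not in D}}
    tilde = {key: secrets.randbits(256) for key in secret}
    shown = {i: attrs[i] for i in sorted(D)}
    c = challenge(A2, rhs(pk, A2, tilde), nonce, shown)
    return A2, c, {key: tilde[key] + c * secret[key] for key in secret}, shown

def check_disclosure(pk, proof, nonce):
    A2, c, resp, shown = proof                      # lhs = Z * prod_{i in D} R_i^-alpha_i
    lhs = rhs(pk, pk["Z"], {"e": 1, "v": 0, **{i: -a for i, a in shown.items()}})
    return c == challenge(A2, rhs(pk, A2, resp) * pow(lhs, -c, N) % N, nonce, shown)
```

The verifier receives only A', the challenge, the responses and the disclosed attributes; changing a disclosed value or replaying the proof under a different nonce makes `check_disclosure` return False.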

