Signing transactions anonymously with Identity Mixer in Hyperledger

Signing transactions anonymously with Identity Mixer in Hyperledger Idemix team: Jan Camenisch, Manu Drijvers, Maria Dubovitskaya Blockchain team: Elli Androulaki, Angelo De Caro, Andreas Kind, Alessandro Sorniotti IBM Research - Zurich

Identity Mixer for HL Fabric: Executive Summary • Identity Mixer is a Strong Privacy-Preserving Authentication solution – Better privacy than standard X. 509 or Open. ID – Protocols are verified by the scientific community • Perfect fit for the Blockchain scenario & requirements – Better scalability, simplicity, privacy, security, auditability – Use cases: privacy-preserving asset transfer, banking, trading shares, KYC. – GDPR compliance • A differentiator for HL Fabric (advanced privacy features) – Basis for Privacy-preserving asset transfer – Privacy-preserving & efficient hierarchical issuance of certificates is also possible (paper at CCS’ 17) • Status: Implemented in Go for HL Fabric – Merged: Crypto library, MSP implementation, tool to generate crypto material [1. 1 tech preview] – In Review: e 2 e demo [1. 1 tech preview] – In progress: Integration into java sdk (crypto library in review, integration in progress) [1. 1 tech preview] – Planned: fabric-ca, Node sdk integration, advanced functionalities, HSM support [see next slide] 2

Identity Mixer for HL roadmap (epics) • FAB-2005 Idemix MVP in Fabric [last CR in review][v 1. 1 Release (? )/Tech. Preview(? )] – Crypto library in Go [done] – MSP implementation, tool to generate crypto material [done] – e 2 e demo [CR in review] • FAB-6835 Idemix integration into Java SDK [target: Nov. 30] – Add amcl crypto lib to the central maven repo [working with Miracl (authors) on it] – Crypto library in java [done] – Integration with sdk [in progress] • FAB-6837 Idemix integration into Node. js SDK [target: Jan-Feb 2018] • FAB-6988 Idemix issuance via Fabric-CA and SDKs [target: Feb 2018][v 1. 2 Release] • FAB-5733 Idemix post MVP (advanced functionality) [target: Spring 2018][v 1. 2 Tech. Preview(? )] – Performance optimizations – Revocation – Auditing – Advanced Access Control policies • FAB-6989 HSM support for Identity Mixer MSP [target: Fall 2018 (? )][Future] 3

Identity Mixer • Attribute-based credentials • Strong authentication (signatures) • Privacy-preserving Access Control – Selective disclosure of attributes, predicates over attributes, full unlinkability • Auditability • Revocation – Preserving privacy and unlinkability Presentation Policy - Verification is done with the public key of the issuer only (prove Over 17 from ID issued by e. Gov) 4

Presentation Policy Fresh Nonce to prevent a replay attack Issuer’s public key reference Auditor’s public key reference and audit grounds Selective disclosure of attributes or predicates over attributes 5

Permissioned Blockchain Attr 1 Attr 2 Party A node Ledger Bank Ledger node Party C node Attr 1 Attr 2 node Ledger Party B Attr 1 Attr 2 6

Signing transactions with a single X. 509 TCertificate Authority (CA) X. 509 Attr 1 Attr 2 public key trust Attr 1 Attr 2 secret key Transaction B Transaction A Attr 1 Attr 2 - Full linkability - All attrs are disclosed CA’s public key Verifier 7

Multiple X. 509 Certs Certificate Authority (CA) X. 509 Attr 1 Attr 2 public key trust Attr 1 Attr 2 secret key Transaction B Attr 1 Attr 2 Transaction A Attr 1 Attr 2 ü CA’s public key Verifier 8

Membership management: privacy in v 0. 6 ECerts: (relatively) static enrollment certificates acquired via registration with an enrollment certificate authority (CA). TCerts: transaction certificates that faithfully but pseudonymously represent enrolled users, acquired via a transaction CA. Blockchain User B Certificate Authority (CA) Blockchain User A ü Ecert Tcert Membership U Tkey. B uses Requests invokes SC txn certificates (signed with Tkey. A, 1 x. Ecert, 1 x. Tcert (stored in wallet) encrypted with Tkey. A, Tkey. B…) shares public key U uses Application Tkey. A Tkey. B Application Accesses ledger Enrollment certificates (Ecerts) and Transaction certificates (Tcerts) can only be linked by CA and user sc Smart contract Tkey. B … deployed on every validating peer (signed with Ekey of origin, encrypted with validators’ key) Consensus Network 9

How Identity Mixer works Certificate Authority (CA) secret key public key Identity Mixer Attr 1 Attr 2 trust Presentation Policy 1 Attr 2 Presentation Policy 2 Attr 1 Attr 2 Transaction A Attr 1 Attr 2 CA’s public key Verifier ü Transaction B Attr 1 Attr 2 10

Identity Mixer vs. multiple X. 509 TCerts Certificate Authority (CA) X. 509 Attr 1 Attr 2 secret key public key Identity Mixer Attr 1 Attr 2 Attr 1 Attr 2 trust Attr 1 Attr 2 Transaction B Transaction C Transaction B ü CA’s public key Verifier ü Attr 1 Attr 2 Transaction A Presentation Policy 2 Presentation Policy 1 Transaction A Attr 1 Attr 2 Presentation Policy 1 Attr 2 Attr 1 Attr 2 11

Membership management with Identity Mixer ECerts: (relatively) static enrollment certificates acquired via registration with an enrollment certificate authority (CA). TCerts: Identity Mixer presentation proofs derived from ECert, without interaction with CA Blockchain User B Certificate Authority (CA) Blockchain User A ü Ecert Membership U Tkey. B uses Requests invokes SC txn certificates (signed with Tkey. A, 1 x. Ecert (stored in wallet) encrypted with Tkey. A, Tkey. B…) shares public key U uses Application Tkey. A Tkey. B Application Accesses ledger sc Smart contract Tkey. B … deployed on every validating peer (signed with Ekey of origin, encrypted with validators’ key) Consensus Network 12

Contribution Overview: MVP in Go (fabric only) Membership Service Provider [fabric/msp/idemixmsp. go] Sign (cli) Verify Transactions Peer Identity/Signing identity Produce MSP config files Sign/Verify (Generate/Verify Presentation Tokens) Key. Gen Presentation Issuance Verification Revocation Audit Identity Mixer crypto package [fabric/idemix] Generate CA keys Issue ECert Idemixgen tool [fabric/common/tools/idemixgen] 13

E 2 E demo: video/live 14

Identity Mixer for HL Fabric: Executive Summary • Identity Mixer is a Strong Privacy-Preserving Authentication solution – Better privacy than standard X. 509 or Open. ID – Protocols are verified by the scientific community • Perfect fit for the Blockchain scenario & requirements – Better scalability, simplicity, privacy, security, auditability – Use cases: privacy-preserving asset transfer, banking, trading shares, KYC. – GDPR compliance • A differentiator for HL Fabric (advanced privacy features) – Basis for Privacy-preserving asset transfer – Privacy-preserving & efficient hierarchical issuance of certificates is also possible (paper at CCS’ 17) • Status: Implemented in Go for HL Fabric – Merged: Crypto library, MSP implementation, tool to generate crypto material [1. 1 tech preview] – In Review: e 2 e demo [1. 1 tech preview] – In progress: Integration into java sdk (crypto library in review, integration in progress) [1. 1 tech preview] – Planned: fabric-ca, Node sdk integration, advanced functionalities, HSM support 15

Backup slides 16

Security & Privacy features Hyperledger v 1. 0 Hyperledger + TCerts Hyperledger + Idemix More Privacy, Simplicity and Efficiency with advanced cryptography ++ ++ User Anonymity Transaction Security ++ ++ ++ Transaction Confidentiality - ++ ++ Accountability ++ ++ ++ Access Control + + (only attribute disclosure) ++ (selective disclosure, predicates) Auditability ++ (but without privacy) + (TCA have to participate) ++ (TCA is not involved in the audit) Unlinkability - ++ (TCA cannot link transactions, only + (TCA can link all transactions) auditors) Simple Key Management ++ (but without privacy) - (key derivation is required) ++ (single secret key on the user side) TCA, Multiple TCAs N/A ++ (only one ECert, TCA cannot link - (TCA is a bottleneck to request fresh Tcerts, multiple TCAs is a problem) transactions, multiple TCAs is not a problem) Solution Simplicity ++ (but without privacy) - ++ Storage Efficiency ++ (but without privacy) - (TCerts and keys need to be ++ (only one ECert) stored) HSM & CSP support Revocation ++ (but without privacy) - (interface changes required to + + (only custom implementation of the signing implement key derivation) algorithms, no interface / flow changes) + (only ECert? Privacypreserving revocation of TCerts? ) ++ (privacy-preserving revocation of Ecerts) 17

Contribution Overview: MVP for Java SDK Sign Transactions User. java Identity/Signing. Identity. java Idemix. Sample. Store. java Sign/Verify (Generate/Verify Presentation Tokens) Key. Gen Presentation Issuance Verification Revocation Audit Identity Mixer crypto package Transaction. Context. java User Certificates Generate CA keys Issue ECert Idemixgen tool 18

Auditability (Inspection) Certificate Authority (CA) • Only Auditor can track the transactions • Auditor’s secret key can be shared between multiple parties to distribute the trust signing key public key Identity Mixer Attr 1 e. ID Auditor secret key public key Transaction A l ro en er Us Attr 1 Attr 2 D t I en lm Auditor’s CA’s public key Verifier ü 19

Revocation Certificate Authority (CA) • Certificates can be revoked at any time • Non-revocation proof is unlinkable: no loss of privacy for non-revoked users signing key public key Identity Mixer Attr 1 Rev. ID Revocation Authority (RA) Revocation Info signing key public key Transaction A Attr 1 Attr 2 Revocation Info CA’s public key Verifier ü 20