games). Revocation of users is an effective measure. However, basic revocation methods need identity proof, so it causes the risk of tracking (i.e., privacy concerns). Privacy-friendly cryptographic scheme enabling revoking users without identifiers. Whether we should apply the above privacy-enhanced revocation capability to the Web or not. Background Challenge EPID: Enhanced Privacy ID Discussion 2
significant problem, including in the context of Web applications. To solve these problems, revoking malicious users is an excellent function to reduce fraud [2]. User Service Revoking users who have abused the service in the past × × ✓ [3] Screenshot of revocation (pokemon go) 3
is to use the user identifier strongly coupled to users' identity. However, they have privacy concerns. E.g., user tracking by services (i.e., National ID, Phone number, Credit Card) user α's histories Malicous Service B user α's histories Malicous Service A Tracking Recieving service + Identity prooving User α 4
User Service Users can numerously repeat malicious activities Services can track users. Services can block users who have conducted malicious activities in the past. Users are anonymous. (Services cannot track them.) × × ✓ OR AND Before After 5
while not being able to track users. The essential concept of EPID is the signature-based revocation that allows services to revoke users using their signature (without using the user's information). EPID is mainly used for attestation in Intel SGX [5]. Intel SGX is a widely available Trusted Execution Environment (TEE). Intel core i(>= 5) series supports hardware protection for EPID key. EPID is a privacy-friendly cryptographic protocol with user revocation [4] 6
GM*1 Verifier (Service) ②Join ④Verify *1 GM: Group Manager Security Requirements Req A. Revocability The service can block the user who is revoked by the service. Req B. Unforgeability Users cannot make valid signatures without a legitimate secret key. Req C. Unlinkability Verifier and GM cannot track users from the signatures. (In other words, they cannot know whether an identical signer produced the signatures.) Assumption β. Users do not have many identifiers. Trust × Trust Threat 2. Rogue verifier&GM attempt to track users with signatures. Threat 1. Rogue signer attempts to forge a signature or avoid revocation. Assumption α. GM does not provide multiple secret keys to a user. 7 ⑤Revoke
users produce a signature with a key from GM. Unlinkability: Ensures that the service cannot track the user using the user's signature. All signatures are verified with the same public key EPID ensures Unforgeability and Unlinkability in a cryptographic manner. (unlike the basic signature scheme, where each user has different public keys). Public key secret key 1 secret key 2 secret key N … Signature Sign Message Verify accept OR reject All signatures are verified with the same public key. → No one can track users using signatures Choose a key N-1 relatio- nship 8
× Verifier Signer Proof of knowledge of valid secret key × signature Public key secret key … r1 r2 rR Revocation List … Proof that r2 was not made from the secret key Proof that rR was not made from the secret key = signature EPID feature: Revocability EPID uses signature-based revocation. Signature-based revocation: Revoking malicious users using only signatures (not using the users' identity) Proving that the secret key has not been used for all signatures in the revocation list. 9
applications? In the context of the web, some services struggle to prevent abusive users because of the un-revocability of current systems (e.g., cheating in games). Additional concerns: (1) Legitimate users suffer low-quality service due to malicious users. (2) Legitimate users are forced to provide identifying information to let services identify and ban malicious users. We can improve this by using privacy-enhanced revocation methods. 10
but has privacy concerns (i.e., tracking) Need for both revocability and untracability at the same time. A cryptographic protocol that allows user revocation while protecting their privacy Uses signature-based revocation Should we apply EPID to the Web? Applying EPID provides benefits for both entities (i.e., users and services) Background EPID: Enhanced Privacy ID Discussion 11
akakou
tnagao7
manfredsteyer
monochromegane
thehaigo
christianliebel
sucitw
falcon8823
javiergs
hal_spidernight
kennethanceyer
naokihaba
cer
holman
philhawksworth
gr2m
notwaldorf
afnizarnur
wjessup
bcantrill
aarron
addyosmani
tammielis
phodgson
garrettdimon
![Background Malicious actions (e.g., cheating in games [1]) are a](https://files.speakerdeck.com/presentations/5a2f164a86824bbfbd6f01e062a96a91/slide_2.jpg){kind=link}
![References [1] Report: Cheating Is Becoming A Big Problem In](https://files.speakerdeck.com/presentations/5a2f164a86824bbfbd6f01e062a96a91/slide_11.jpg){kind=link}