[00:00:01,280] [Music]

[00:00:14,960] Hello everyone, good to see you're all here. So today we'll talk about IRMA's Idemix core. So Idemix is a set of cryptographic protocols, and IRMA is an implementation of Idemix, of our Idemix I should say. And today we'll explain to you how Idemix works, what its goals are, and how it achieves those goals. In particular we'll focus on the selective and unlinkable attribute disclosure.

[00:00:46,640] So who are we to talk about that? Well, this is Maya Reisner, she's a software developer at SIDN, and I'm Sietse Ringers, I am the architect of IRMA, also at SIDN, and together we work on IRMA.

[00:01:05,920] Yeah, so IRMA is now developed at SIDN; previously it was developed at the Privacy by Design Foundation, but since the beginning of the previous year the development moved over to SIDN. So we do hope you have some familiarity with IRMA itself, perhaps you've already seen it, and some familiarity with basic cryptography would also help, but we'll see, we will guide you through everything.

[00:01:40,159] All right. So IRMA is an implementation of a self-sovereign identity system, right? So in a self-sovereign identity system such as IRMA, in the center there is the user. (This is not visible, right, the pointer? Sort of. Okay.) Right, so in the center of things there is the user, and the user wants to authenticate herself at some verifier. Perhaps it's a web shop, but it could be a physical one as well, like here; it could be basically anything. So the user wants to authenticate herself at the verifier, perhaps to convince the verifier that she has a diploma of sorts; it could be anything. So there's the user, there's the verifier, and then on the other hand there is the issuer. An issuer can be basically any trusted institute, such as a local government, who knows my name and age and my social security number, or it could be a university, say, that knows that I obtained a diploma of some sort. And they are trusted issuers because they are generally trusted by other parties within society.

[00:02:58,400] And what we want a system like this to do is that an issuer issues to you a credential, so a piece of data that you then have in your app, that you control. So you store it in your app, your IRMA app, and then at some later stage you can disclose that, you can use that credential to authenticate yourself towards such a verifier, probably a web shop or something, as I said. And within that verification transaction the issuer is not explicitly involved, so it gives you the credential but after that its role is done, so to say. Right, so you use that credential towards the verifier, and since there is a trust relationship between the verifier and the issuer (you know, the verifier is going to trust the Dutch government to say truthful things about me or you) it works, right? So then the verifier decides you're authenticated and that thing can go ahead.

[00:04:04,080] So there's the holder in the middle, there's the disclosure part, there's also issuance, but in this talk we're mainly going to focus on the verification part, because it's the most important part of Idemix and IRMA, and it's also the most interesting part. Okay.

[00:04:23,280] So let's see a little, just to get a feeling of things. Let's first see in this introduction how authentication might work offline, in the more traditional sense. So here's a sort of representation of a diploma that I obtained back in 2016 at the University of Groningen. Right, and now, so for now this represents an actual paper diploma; I have it at home, it's a huge thing, and it has this red signature stamp on it that's supposed to signify its authenticity. And suppose now that I would want to use this diploma to apply for a job someplace, perhaps it's a job that requires that I have a PhD. So this use case, by the way, we will use in various formats and ways throughout the talk, so we'll see this coming back as we go along through the talk.

[00:05:21,840] Right, so okay, if I have such a diploma, well, I guess the easiest thing that I could do would be I can just take it with me when I apply for that job, right, and I show it to my prospective employer, and then he is convinced that I have a PhD, and it's fine. So that works. We can go slightly further, we can do more things with such a paper diploma that might be cool, right? What we could do is we could make a paper copy of it, just using a copy machine, you know, the old-fashioned things, and then scratch out some of these things, right? Because perhaps for the job that I applied to it's not particularly important what my exact name is; it's just important that I have a PhD, right? So using a paper copy of an actual diploma allows you to do what we call selective disclosure of the attributes on your diploma. So the bold stuff here is here as it is, and here we call attributes basically small pieces of data about yourself. So on your copy you can scratch some of them out, and then the one that I show it to knows just the important parts for the particular thing I want to do. So that's a cool feature to have, right, in our credentials system.

[00:06:39,520] So I guess it works, but it also doesn't really, because if I make a paper copy of my own diploma and I scratch out some fields and I would give that to you as my prospective employer, then you have that copy, and then you could use it to try to convince others that you in fact have a PhD. So we have a problem of replay attacks here, right? So we don't want that in our system, so that's the issue we'll have to try and solve.

[00:07:11,039] Right, so we have a feature now that we want and a problem, and there is an additional feature that's kind of cool in this offline setting: there is sort of unlinkability. That means, in this case, if I make a second paper copy of my diploma and then again I scratch out some of those fields, but just in a different way, with different scratches and a different pen or whatever, so the new copy doesn't look anymore like the old copy; it looks different because I scratched it differently. So that means it's no longer visible that it's a copy of the same underlying actual diploma or credential. So the ones that I give these copies to, they cannot in fact see that those two copies both belonged to me. So this is a feature that we call unlinkability, and this too would be a very nice feature to have. Right, so these are some features that we might want to have in our credentials scheme.

[00:08:16,479] Okay, so now we want to do all of this, but in the digital domain. It's easy, right? So the goal of this talk is basically to be able to understand this piece of code. This code comes from a software repository called Gabi, which you can find on GitHub, and Gabi is our actual Idemix implementation. This particular piece of code verifies a signature on an IRMA credential.

[00:08:45,200] So actually what it verifies is that this particular equation holds. This is the verification equation of an IRMA or Idemix credential, so that means that we're going to explain all of the different ingredients of this formula later on. We'll see this formula throughout the talk, but what it means is that if your credential and the signature on it satisfy that formula, then it is valid. That is what this piece of code checks.

[00:09:17,440] So a small table of contents for the remainder of this talk. First we'll talk about the selective disclosure that I mentioned just now, and to see how you can achieve that we'll first look at how you can distinguish the various attributes within that formula and within the code from each other. Then we'll show you, once you have done that, how you can hide the attributes that are not relevant to a particular transaction, to actually achieve the selective disclosure. Next we'll talk about ownership of the credential, so how you can really bind it to the person about which it states things. Then we will talk about unlinkability, so how we can transfer that property that we saw earlier in the paper case to our digital setting. And finally we'll talk about how you can combine all of that to achieve disclosure of multiple credentials out of your IRMA wallet. And with that I give the word to Maya.

[00:10:31,120] Thank you for being here. Can you hear me now? Nice, thank you. I'm very happy that you're here, because this is such nice stuff, and I'm just also amazed that so many people want to know how it works. You have a little handout; it is meant to help you eventually. Don't worry about it yet if you don't understand it yet, that's why we have the session.

[00:10:53,279] So we will start very basic. We will start with just digital signatures and have a look at how they work. On the right hand side you will see our example that we will talk about all of the time; this time it's the diploma again, with a little bit less information than we saw before: it's the name and a bit of text and a PhD with a stamp. So how would this look digitally? Well, the complete data of the diploma would be represented by just a number m in this case, and the scientist at the university who will issue this diploma can then take this number m to the power of a secret value d, modulo n, and it will result in the signature A. This is textbook RSA and I will not cover this any further; you can just look it up, and if you don't know it in detail it's okay, you should still be able to follow the talk to some degree. The verifier can later on take the signature, take it to the power of the public value e, and it should result again in the number m, modulo n.

[00:12:06,880] So Sietse already talked about selective disclosure, and if we want to get there we want to hide data. This is currently not possible with this system, because if we change anything in the diploma data we will change the number m, and the signature will not hold the equation anymore. So we need to find a means to differentiate first between the different things that we may or may not want to show, and we can do this as follows. Please focus on the right hand side first. We can first split the diploma into different attributes, so it's not a blob of text anymore but it's different attributes, with attribute types, in this case name and title, and the values Ringers and PhD. Please don't panic about the formula, we will go into detail with all of the stuff here. Please now focus only on the little a's. The values on the right hand side, Sietse Ringers and the PhD, are represented as two numbers: a1, which is Sietse Ringers, and a2, which is the PhD. The attribute types, that is the name and the title, will be represented in this equation by R1 and R2. Z will be used for forgeability reasons, S will be used, by the power of this v, later on for unlinkability, but don't worry about it yet; just see that we now have a formula where we can differentiate between these values. All the capital letters are constants and public values, and now we just accept that it's there. Don't worry about it yet, and replace our m in the formula above. This will look as follows: we get A to the power of e, this will stay the same, replace m, and we have an equation. This equation is part of the so-called Camenisch-Lysyanskaya signature scheme, and this signature scheme is used in Idemix and also in IRMA, so we will focus on this for almost the whole talk.

[00:14:26,000] We will only do the verification, and the verification is this equation. I told you already that those capital letters are constants; there's an e and v that actually become part of the signature. You can already see that on the right hand side here, and we will go into details actually now. We will now have a little detour to our diploma example, and I'll just say a couple more words on the signature scheme so you have a bit more context on it. The Camenisch-Lysyanskaya signature scheme is quite a mouthful, that's why most people just abbreviate it to CL signature scheme, so you may have heard that before.

[00:15:12,160] If we now just have a bit of a look at issuance setup and issuance, then you have a bit more context, and we will see that it's somewhat RSA-like. Similar to RSA, we will begin by choosing the private key with two prime numbers p and q, which if you multiply them with each other will result in n, a public value. Then you will also choose a couple of constants that the issuer just uses as setup, so the university does this once, and they will all become part of the public key. For each attribute type you will choose a different constant R, so it's R1, R2, R3, R4, as many attribute types as you have. Then later on, when you actually issue the diploma, so it's really each time a credential is issued, the two numbers e and v are chosen, and then the issuer calculates the number A by actually doing the same as it would do with RSA, but then replacing the m again. It will result in a signature that is a triple, because each time the credential is issued a different e and v are chosen, so that's different from RSA too. For this whole signature scheme the strong RSA assumption holds.

[00:16:34,800] Okay, but we will focus on the right hand side, just on the verification equation. And what were we doing so far? We had a look at the diploma, we want to hide data, we can't hide data yet, we only can differentiate between data in the diploma, and we will now have a look at the hiding part. Going back to our example, we now want to hide the name, and if we have a look at this formula, because of the discrete logarithm problem, which states that the exponent is infeasible to find if you only know the result and the basis of an exponentiation, we can actually already hide this attribute value a1, just by not sharing a1 with the verifier but the result of the calculation, so just sharing h. All other things will stay the same, so hiding itself is quite easy, but we're not there yet. The signature scheme does more than that. If this would be the only thing, we would actually be vulnerable to forgeability attacks, and we will now have an example first to see how this would look like.

[00:17:49,520] Again lots of changes. We will focus on the left-hand side first, and the example of the diploma changed a bit, because I think it's easier to follow the example having a number and not a string in mind. So in my new example I still have a name that I will hide, but the second attribute will be age 17, and in my forgery example I could forge my age to 18 as follows. I could just claim that my age is 18, and then I would not share my name, but I would share a number again, because I am hiding my name in the number. If I would now not calculate this number as shown above, but just accept that I would calculate it by taking this number times R2 to the power of minus one, the claim would still hold in the verification equation that my age is 18, although the issuer never issued it. So the verifier would then check if the equation holds using the wrong number, but you can't differentiate it from the usual h, which makes the equation still hold, because h prime is the same as h times R2 to the power of minus 1, and if you rewrite it you get eventually R2 to the power of a2 minus 1, and our a2 was chosen as 18; minus 1 is 17, which holds in the equation because this was actually issued.

[00:19:28,799] This is not what happens, because the signature scheme takes care of that. How do we do that? We actually have to prove that we know the number a, that we know this attribute value, without disclosing it. And there's now some real crypto math coming, where I really can't imagine how people think of that, but it works and it's beautiful. The Camenisch-Lysyanskaya signature scheme uses a Schnorr zero-knowledge protocol. It's a protocol from the 90s, and it's a three-step protocol that we will now have a look at. For simplicity I removed all the indices; the indices are used for indicating which attribute we're talking about, but it becomes messy, so I skipped them.

[00:20:15,120] We start by the given thing that we have this h, which we publicly can share because it doesn't say anything about the value of a already, and it's defined by R to the power of a. Now on the left hand side we have the prover and on the right hand side we have the verifier. It starts by choosing a random value t which is really big; then we calculate u as R to the power of t modulo n and send u over to the verifier. This is called the commitment phase. Then in the next phase, the challenge phase, the verifier chooses a random value c, the challenge, and sends it over to us again. Now we calculate the response, which is this huge value t plus the challenge times the attribute value; t thereby masks the attribute value, because it's so big you can't really see a anymore, and sends across r. This is the response phase, and eventually the verifier just checks if this equation holds, and if this equation holds it's actually a proof that we know the number without having shared
the number 558 00:21:36,960 --> 00:21:38,799 so this is a bit of magic 559 00:21:38,799 --> 00:21:40,640 but it's actually the proof is not that 560 00:21:40,640 --> 00:21:43,440 difficult um once you see it it's 561 00:21:43,440 --> 00:21:44,880 difficult just to make it up but i 562 00:21:44,880 --> 00:21:46,559 didn't so that's fine 563 00:21:46,559 --> 00:21:48,799 um 564 00:21:50,320 --> 00:21:53,039 i will go through this very quickly 565 00:21:53,039 --> 00:21:55,600 it's just meant to show you that you can 566 00:21:55,600 --> 00:21:57,679 understand this and you can look it up 567 00:21:57,679 --> 00:22:00,480 and it's not rocket science 568 00:22:00,480 --> 00:22:02,640 so here on the left hand side we start 569 00:22:02,640 --> 00:22:04,240 um just what we have on the left hand 570 00:22:04,240 --> 00:22:06,960 side and we want to end up on 571 00:22:06,960 --> 00:22:08,880 u on the right hand side 572 00:22:08,880 --> 00:22:10,960 first we can write this 573 00:22:10,960 --> 00:22:13,840 this small letter r as what it is t plus 574 00:22:13,840 --> 00:22:16,480 c a then we can split those because it's 575 00:22:16,480 --> 00:22:18,640 a product of both this it's really just 576 00:22:18,640 --> 00:22:20,480 school math on the right hand side we 577 00:22:20,480 --> 00:22:23,039 can replace our h with r to the power of 578 00:22:23,039 --> 00:22:25,600 a because we defined that earlier 579 00:22:25,600 --> 00:22:27,679 exponentiation by exponentiation is the 580 00:22:27,679 --> 00:22:30,960 same as multiplying the exponents 581 00:22:30,960 --> 00:22:32,559 then we can see that they actually 582 00:22:32,559 --> 00:22:35,440 cancel out the to the power of c a and 583 00:22:35,440 --> 00:22:37,280 to the power of minus c a they just 584 00:22:37,280 --> 00:22:39,360 cancel each other out which leaves us 585 00:22:39,360 --> 00:22:41,760 with r to the power of t which is by 586 00:22:41,760 --> 00:22:46,480 definition here above the same as u 587 
[00:22:47] Again, this was a bit of a side thing in your mind, but what we now have is actually that we have our diploma, where we have different attributes, and we can hide an attribute by using this h, discrete logarithm thing, plus we prove that we know the value.

[00:23:10] There's actually a second feature that is interesting in the Schnorr protocol, and we'll have a look at that now. You may have already noticed that there's a challenge and a response in there, in the name, and Sietse already mentioned earlier with the paper diploma that, well, we may have replay attacks. Challenge-response mechanisms are used to prevent replay attacks, so let's have a look at whether this already works. Again, back to the example: Sietse would now share his data with me. He would do the challenge-response with me; I would not see the name, but he would just prove knowledge of it, and I would have the diploma. So I have all the data now; can I do a replay attack?

[00:23:52] Well, actually yes, I can, because if I now prove to any one of you that I have this diploma without the name in it, I could well do a commitment, you send me a challenge (he didn't send it to me, but I know Sietse's name, so at that moment I know it), I can still calculate r, the freshness proof is still valid, and I could send the response. So in order to prevent that, we cannot use any attribute type that you will ever share; it must be a secret one. So we can now add an extra attribute, which we give the index zero, and this is a secret value that Sietse will never share, so I can never do a replay attack on that.

[00:24:42] Okay, did I miss something? Oh yeah, a little remark: it's a signature scheme, and by using this secret value we can actually use it as a credential scheme, and that's what we're doing. Okay, let's go on.

[00:25:01] We now know how to hide data, we know ownership of a credential; do we have unlinkability yet? Well, if we look at the right-hand side it seems so, because, well, we have hidden data which just looks different every time, and we have this PhD which is not really relatable to the person. However, there's still a signature. The signature consists of those three numbers, and as we see them here they're currently still the same. This is not what happens in the signature scheme; let's have a look at how we can hide this data. Well, for e and v it's actually not that difficult to hide the data, because they're also used in the exponents in the equation, so we can use the same mechanism as we already used for hiding other data in our diploma. We can just use that for e and v too, and that would be fine.

[00:25:52] However, there is still A left. We can't just hide A with this discrete logarithm, because it's not in the exponent, and, well, if we now want to change that, we must change something on the left-hand side and on the right-hand side of the verification equation, otherwise it won't verify anymore.

[00:26:16] And this is possible, and it's possible as follows: we're making A unlinkable by choosing a random number r, and then we define something with which we will replace A. We will replace A by A tilde, which we define as A times S to the power of r modulo n, and on the right-hand side we replace v with v tilde, which is defined as v minus e r. So why does this work? Well, that's why: if we now replace it, A tilde is the same as what we just defined it as; then we have it to the power of e, so we can put that e into both of the bases. We can replace the complete A to the power of e with the right-hand side of the equation. Then we have twice this number S to the power of something, which we can put together, so we get S to the power of v minus e r in here, and v minus e r is our definition of v tilde. Again, don't worry if you don't really follow this now, because you can look it up, but it's correct, it works, it's mathematically... it works.

[00:27:29] What does this mean? Well, it means it technically works. And just when you imagine how this really works in practice: it would be as if you had this paper diploma, you have a signature, you hide lots of data, you hide even parts of the signature, and then before showing it, each time before showing it, you just change it a bit and then you show it, and it's still valid. So I think this is a really awesome mechanism, and it's really fun to work with it.

[00:28:01] We now have actually all those single features that we wanted to have, and Sietse will now continue in putting this into a complete picture, so more math. Go ahead.

[00:28:14] Thank you. All right, so let's first have a little short summary of what we've seen so far, because it was a lot, right? So we started with just RSA, where the letter m there contains the entire diploma, just as a big blob. Then in m we distinguished each of the attributes, resulting in the
formula there at the bottom, right. Next we obtained a way to hide irrelevant attributes using zero-knowledge proofs, where we prove that we know the attributes without actually showing them. We bound it to the user using the secret, the secret over there, which is a0 in the formula here. And finally we even gained unlinkability, by either hiding all of the exponents in the zero-knowledge proof or modifying the big letter A each time before you use it.

[00:29:15] Right, so having seen all that, let's now look at how all of that works together in an actual disclosure, in this following slide. So this slide shows you the disclosure protocol of Idemix for a single credential. All right, so let's suppose that we want to disclose attribute number two, the PhD attribute, the one on the bottom there, right? So that one we want to show, and then the other ones we will hide.

[00:29:47] Okay, so the first thing we do is what Maya just explained: we modify our A into an A tilde using the random number r, and similarly we randomize our v into a v tilde, using again the value r. And then for these ingredients, the verification equation that we've seen so far still holds, as Maya hopefully just convinced you. So for our A tilde and v tilde and all of the other ingredients this holds. And next, let me take the same equation but slightly rearranged, so it looks a bit different, but it's actually the same statement. What I'm going to do is I'm going to modify it into this. So now we have all of the exponents that we want to hide using the zero-knowledge proof, we have that on the right-hand side, and all of the known stuff, that's on the left-hand side. So you can get from the upper equation to the bottom equation by multiplying both sides by S to the v tilde and these parts, and then you get exactly this. So it's the same statement, it just looks a little different. And now let's call this thing h again, just to have a name to refer to in what follows.

[00:31:16] Okay, so for this thing, in particular for the exponents on the right-hand side, we now want to prove knowledge, right? So what we're going to do now is we are going to execute a single proof-of-knowledge protocol that simultaneously proves knowledge of all four of those exponents. So what does that look like? It looks basically the same as Maya showed you earlier, just some of the steps times four. So the first thing we do is we choose four random numbers, one for each of the numbers that we want to hide, so there's a t_e, a t_v-tilde, a t_0 and a t_1, big random numbers. And then we perform the following protocol with the verifier, this protocol here. So just as before we first compute our commitment, the u, which is this expression, basically the same equation as this but with the random numbers in it. And then we send our A tilde and u over to the verifier. The verifier then responds with a random number c called a challenge; it sends it back to us. And then using that challenge we compute our responses, the letters r, which are always of the form the big random number plus the challenge times the secret that we want to hide. So it's that for each of the numbers that we want to hide, and it looks like this. So these four responses we send over to the verifier. The verifier plugs them into that verification equation that we've also seen earlier, it's now just slightly bigger, and if that holds then the verifier is convinced that we know the attributes and that all of the attributes are validly signed by the issuer.

[00:32:59] So this is an Idemix disclosure in a single slide, out of a single credential. This is what happens when you disclose an attribute out of IRMA, under the water.

[00:33:13] But we don't want just one credential; we want to have a wallet of credentials, right? Because you can have lots of different credentials containing lots of different attributes from distinct issuers, and you want to have all of them within your one wallet, and then you want the ability to combine attributes out of all of your credentials as suits the purpose. So we're going to have to do one final step to go from the right-hand side to the left-hand side here. So this is a screenshot of the IRMA app showing a number of credentials. And I might want to add, by the way, that this particular look is subject to change, but you'll see that in the coming time.

[00:33:57] Right, so we have to do one final step to get to where we are. Okay, so, because there is a thing that we have to solve still: if we just naively combine the multiple credentials on top of each
00:34:18,000 other using the disclosure protocol that 899 00:34:18,000 --> 00:34:20,320 i showed you earlier we we introduce a 900 00:34:20,320 --> 00:34:22,480 problem that we have to solve 901 00:34:22,480 --> 00:34:24,320 because there the issue is 902 00:34:24,320 --> 00:34:26,320 suppose okay fine suppose i have my air 903 00:34:26,320 --> 00:34:28,879 my app and it contains a credential that 904 00:34:28,879 --> 00:34:30,960 states that i have a phd right but 905 00:34:30,960 --> 00:34:32,960 suppose i'm careless and i leave my 906 00:34:32,960 --> 00:34:35,119 phone just lying over there and maya 907 00:34:35,119 --> 00:34:37,440 picks it up you know 908 00:34:37,440 --> 00:34:39,679 if she has then control over her wallet 909 00:34:39,679 --> 00:34:42,159 as well as mine so she has control over 910 00:34:42,159 --> 00:34:44,560 my credentials as well as hers can she 911 00:34:44,560 --> 00:34:46,320 then combine the two 912 00:34:46,320 --> 00:34:48,239 for example to prove uh to 913 00:34:48,239 --> 00:34:50,480 simultaneously disclose her own email 914 00:34:50,480 --> 00:34:53,839 address and my phd attribute right so 915 00:34:53,839 --> 00:34:56,239 that would sort of imply that if if she 916 00:34:56,239 --> 00:34:58,160 would be able to disclose those two 917 00:34:58,160 --> 00:35:00,720 attributes simultaneously that would 918 00:35:00,720 --> 00:35:03,440 imply that she would have the phd 919 00:35:03,440 --> 00:35:06,000 while in fact she does not as far as i 920 00:35:06,000 --> 00:35:07,920 know anyway 921 00:35:07,920 --> 00:35:10,320 so we don't want our system to allow you 922 00:35:10,320 --> 00:35:11,839 to prove statements that are not 923 00:35:11,839 --> 00:35:14,400 factually true 924 00:35:14,400 --> 00:35:17,839 so we'll have to solve this issue 925 00:35:17,839 --> 00:35:20,480 and the way we do that is as follows 926 00:35:20,480 --> 00:35:23,200 we've already seen the secret um that 927 00:35:23,200 --> 00:35:25,680 this the 
secret attributes that each 928 00:35:25,680 --> 00:35:27,280 credential has 929 00:35:27,280 --> 00:35:29,440 and the thing that we do is we we make 930 00:35:29,440 --> 00:35:31,040 the issuance protocol of these 931 00:35:31,040 --> 00:35:34,560 credentials such that if i get issued a 932 00:35:34,560 --> 00:35:36,720 new credential to my wallet 933 00:35:36,720 --> 00:35:39,119 then the issuance protocol ensures that 934 00:35:39,119 --> 00:35:41,440 the secret of the new protocol 935 00:35:41,440 --> 00:35:44,880 gets the the same value as the seek 936 00:35:44,880 --> 00:35:47,520 as the secret of my other credentials 937 00:35:47,520 --> 00:35:49,359 so the issuance protocol is such that 938 00:35:49,359 --> 00:35:51,839 all of the credentials in my wallet they 939 00:35:51,839 --> 00:35:54,480 share the same secret value 940 00:35:54,480 --> 00:35:56,400 so there's one secret which is in all of 941 00:35:56,400 --> 00:35:59,200 my credentials 942 00:35:59,200 --> 00:36:02,240 that means that maya's wallet will uh 943 00:36:02,240 --> 00:36:04,480 who which also credence could contains 944 00:36:04,480 --> 00:36:07,440 credentials which also contain secrets 945 00:36:07,440 --> 00:36:09,200 though that secret will have a different 946 00:36:09,200 --> 00:36:12,560 value so my my secret may be one two 947 00:36:12,560 --> 00:36:14,160 three and then her secret is going to be 948 00:36:14,160 --> 00:36:16,720 four five six actually it's a lot bigger 949 00:36:16,720 --> 00:36:19,200 but you get the idea 950 00:36:19,200 --> 00:36:20,160 okay 951 00:36:20,160 --> 00:36:22,560 and then once we have that we modify the 952 00:36:22,560 --> 00:36:24,320 the disclosure protocol that we've seen 953 00:36:24,320 --> 00:36:27,359 earlier in in such a way that not only 954 00:36:27,359 --> 00:36:29,359 do i when i disclose my attributes 955 00:36:29,359 --> 00:36:31,760 coming out of multiple credentials 956 00:36:31,760 --> 00:36:34,320 not only do i prove that 957 
00:36:34,320 --> 00:36:36,240 i know the attributes that i don't 958 00:36:36,240 --> 00:36:37,359 disclose 959 00:36:37,359 --> 00:36:39,440 and all of the attributes are validly 960 00:36:39,440 --> 00:36:42,720 signed but i also prove that the secret 961 00:36:42,720 --> 00:36:44,400 out of which all of those attributes are 962 00:36:44,400 --> 00:36:46,880 coming that that secret has the same 963 00:36:46,880 --> 00:36:49,280 value across all of the credentials out 964 00:36:49,280 --> 00:36:51,040 of which i disclose 965 00:36:51,040 --> 00:36:53,359 attributes 966 00:36:53,359 --> 00:36:55,599 so i can do that because all of the 967 00:36:55,599 --> 00:36:58,000 credentials of my wallet actually do 968 00:36:58,000 --> 00:37:00,000 have the same secrets and that will 969 00:37:00,000 --> 00:37:01,760 prevent the the attack that i just 970 00:37:01,760 --> 00:37:04,720 mentioned because um the credentials in 971 00:37:04,720 --> 00:37:06,640 maya's wallet will not have the same 972 00:37:06,640 --> 00:37:08,079 secret value as those from my 973 00:37:08,079 --> 00:37:09,280 credentials 974 00:37:09,280 --> 00:37:11,359 so she cannot prove that that is so 975 00:37:11,359 --> 00:37:14,160 because it's not 976 00:37:14,400 --> 00:37:16,640 that's the idea 977 00:37:16,640 --> 00:37:18,079 so the final step is to go into a little 978 00:37:18,079 --> 00:37:20,079 more detail about how we actually do 979 00:37:20,079 --> 00:37:21,040 that 980 00:37:21,040 --> 00:37:22,720 so here again is the 981 00:37:22,720 --> 00:37:24,320 is the the proof of knowledge protocol 982 00:37:24,320 --> 00:37:26,640 that we've seen earlier for a single 983 00:37:26,640 --> 00:37:28,800 credential right 984 00:37:28,800 --> 00:37:31,280 so let's simplify that a bit to to show 985 00:37:31,280 --> 00:37:33,119 just the details that matter to us right 986 00:37:33,119 --> 00:37:34,400 now 987 00:37:34,400 --> 00:37:36,720 so we first compute some u and then we 988 00:37:36,720 --> 
00:37:39,599 we send over eight uh a tilde and u 989 00:37:39,599 --> 00:37:41,280 next we get a challenge 990 00:37:41,280 --> 00:37:43,040 and then we compute a bunch of responses 991 00:37:43,040 --> 00:37:44,960 of this form right and then we send that 992 00:37:44,960 --> 00:37:46,800 back over 993 00:37:46,800 --> 00:37:48,320 so that's what that looks like for a 994 00:37:48,320 --> 00:37:50,720 single credential 995 00:37:50,720 --> 00:37:51,440 so 996 00:37:51,440 --> 00:37:53,599 the naive combination to expand that to 997 00:37:53,599 --> 00:37:55,280 multiple credentials would be basically 998 00:37:55,280 --> 00:37:57,119 just like this 999 00:37:57,119 --> 00:37:58,960 we do the same thing but for more 1000 00:37:58,960 --> 00:38:00,400 credentials 1001 00:38:00,400 --> 00:38:02,480 where where now i use red and blue to 1002 00:38:02,480 --> 00:38:04,079 distinguish the ingredients of the 1003 00:38:04,079 --> 00:38:06,640 different credentials right so suppose 1004 00:38:06,640 --> 00:38:08,240 in this particular example that i want 1005 00:38:08,240 --> 00:38:09,599 to disclose 1006 00:38:09,599 --> 00:38:10,320 my 1007 00:38:10,320 --> 00:38:13,200 my own phd title and actually my own 1008 00:38:13,200 --> 00:38:14,640 email address right because it's my 1009 00:38:14,640 --> 00:38:16,839 email address so i should be able to do 1010 00:38:16,839 --> 00:38:20,560 that so how do we do it 1011 00:38:20,560 --> 00:38:22,960 in particular these responses here are 1012 00:38:22,960 --> 00:38:25,680 are what we're going to to use and for 1013 00:38:25,680 --> 00:38:27,520 for the secret that we've already seen 1014 00:38:27,520 --> 00:38:30,000 which was labeled by xero 1015 00:38:30,000 --> 00:38:31,599 that's this right 1016 00:38:31,599 --> 00:38:33,760 so these would be the responses for the 1017 00:38:33,760 --> 00:38:35,839 two secrets of the credentials out of 1018 00:38:35,839 --> 00:38:39,279 which i disclose attributes 1019 00:38:39,599 --> 
00:38:40,560 well 1020 00:38:40,560 --> 00:38:42,640 uh what we do is actually simple we make 1021 00:38:42,640 --> 00:38:44,240 we ensure that during the issuance 1022 00:38:44,240 --> 00:38:48,079 protocol that the the two a zeros that 1023 00:38:48,079 --> 00:38:50,400 they have the same value right i got 1024 00:38:50,400 --> 00:38:52,720 just called it one two three for example 1025 00:38:52,720 --> 00:38:55,119 so there's just one a zero 1026 00:38:55,119 --> 00:38:57,119 so let's make it black again because 1027 00:38:57,119 --> 00:38:58,960 there's just one 1028 00:38:58,960 --> 00:39:00,880 so there's um 1029 00:39:00,880 --> 00:39:02,480 one a zero 1030 00:39:02,480 --> 00:39:05,440 for both of my credentials there is one 1031 00:39:05,440 --> 00:39:07,440 challenge because there is just one 1032 00:39:07,440 --> 00:39:09,920 within the protocol that we've shown you 1033 00:39:09,920 --> 00:39:12,240 and the final step that we need is that 1034 00:39:12,240 --> 00:39:15,119 during the disclosure protocol um the 1035 00:39:15,119 --> 00:39:15,920 the 1036 00:39:15,920 --> 00:39:18,640 the holder the approver or the user um 1037 00:39:18,640 --> 00:39:21,839 it uses the say one t zero one random 1038 00:39:21,839 --> 00:39:24,720 value for all of these secrets 1039 00:39:24,720 --> 00:39:27,040 so it just chooses the one secret and 1040 00:39:27,040 --> 00:39:29,440 then the one random value is a t zero 1041 00:39:29,440 --> 00:39:31,760 and then it uses that one 1042 00:39:31,760 --> 00:39:33,760 t zero for all of the 1043 00:39:33,760 --> 00:39:36,560 uh for all of the credentials 1044 00:39:36,560 --> 00:39:39,599 for all of the secrets 1045 00:39:39,680 --> 00:39:41,680 so that means that since all of the 1046 00:39:41,680 --> 00:39:44,320 ingredients in this particular formula 1047 00:39:44,320 --> 00:39:45,920 are now the same for all of the my 1048 00:39:45,920 --> 00:39:48,320 credentials this response too is going 1049 00:39:48,320 --> 00:39:50,640 
to be have the same value for every 1050 00:39:50,640 --> 00:39:52,640 single credential out of which i 1051 00:39:52,640 --> 00:39:54,880 disclose my attributes so there may be 1052 00:39:54,880 --> 00:39:56,560 more multiple credentials 1053 00:39:56,560 --> 00:39:58,960 but there was the r0 the response for 1054 00:39:58,960 --> 00:40:00,640 the each of the secrets is going to have 1055 00:40:00,640 --> 00:40:02,480 the same value for all of those 1056 00:40:02,480 --> 00:40:04,160 credentials 1057 00:40:04,160 --> 00:40:06,480 and once we have that we can just make 1058 00:40:06,480 --> 00:40:07,839 the verifier 1059 00:40:07,839 --> 00:40:11,040 enforce that this value r0 always has 1060 00:40:11,040 --> 00:40:12,560 that one value 1061 00:40:12,560 --> 00:40:14,720 so the verifier henceforth disallows 1062 00:40:14,720 --> 00:40:16,480 the user to send 1063 00:40:16,480 --> 00:40:19,520 distinct values of r0 it enforces that 1064 00:40:19,520 --> 00:40:21,599 the user always 1065 00:40:21,599 --> 00:40:24,560 has one r0 for all of his credentials 1066 00:40:24,560 --> 00:40:27,359 and if the user does not then 1067 00:40:27,359 --> 00:40:31,598 the disclosure is rejected as invalid 1068 00:40:31,920 --> 00:40:34,560 well that solves the issue because as i 1069 00:40:34,560 --> 00:40:35,920 explained to you 1070 00:40:35,920 --> 00:40:37,839 my secret is going to have the same 1071 00:40:37,839 --> 00:40:40,240 value for all of my credentials 1072 00:40:40,240 --> 00:40:42,720 but hers will not 1073 00:40:42,720 --> 00:40:44,640 that means that these r0s 1074 00:40:44,640 --> 00:40:46,240 if she were to combine it to try the 1075 00:40:46,240 --> 00:40:48,240 attack that we just mentioned combining 1076 00:40:48,240 --> 00:40:49,359 multiple 1077 00:40:49,359 --> 00:40:52,000 credentials out of multiple wallets then 1078 00:40:52,000 --> 00:40:54,319 those r0 values in her case are 1079 00:40:54,319 --> 00:40:55,920 going to differ 1080 00:40:55,920
--> 00:40:58,560 because the the a0 values do 1081 00:40:58,560 --> 00:41:01,599 then the verifier will notice and abort 1082 00:41:01,599 --> 00:41:05,040 so in fact this this this secret a0 by 1083 00:41:05,040 --> 00:41:06,800 enforcing it to have the same value 1084 00:41:06,800 --> 00:41:08,560 across all of my credentials it sort of 1085 00:41:08,560 --> 00:41:10,640 acts as a key ring that really binds all 1086 00:41:10,640 --> 00:41:13,040 of my credentials together in one big 1087 00:41:13,040 --> 00:41:16,240 key ring or wallet 1088 00:41:16,319 --> 00:41:19,200 so that is our story that is 1089 00:41:19,200 --> 00:41:21,839 what the disclosure protocol of uh of 1090 00:41:21,839 --> 00:41:24,160 idemix looks like this is what happens 1091 00:41:24,160 --> 00:41:26,880 when you do an irma disclosure 1092 00:41:26,880 --> 00:41:29,200 so going back to our initial picture we 1093 00:41:29,200 --> 00:41:31,280 have now seen how the verification part 1094 00:41:31,280 --> 00:41:33,599 of this diagram works 1095 00:41:33,599 --> 00:41:35,359 right 1096 00:41:35,359 --> 00:41:38,000 um and by using all of this mechanism 1097 00:41:38,000 --> 00:41:39,920 idemix allows you to have a wallet 1098 00:41:39,920 --> 00:41:41,680 containing lots of credit 1099 00:41:41,680 --> 00:41:42,960 credentials 1100 00:41:42,960 --> 00:41:44,560 which may contain lots of attributes 1101 00:41:44,560 --> 00:41:47,040 that you can disclose 1102 00:41:47,040 --> 00:41:49,599 and you can even do so selectively and 1103 00:41:49,599 --> 00:41:51,839 unlinkably which is really awesome i 1104 00:41:51,839 --> 00:41:53,359 think 1105 00:41:53,359 --> 00:41:55,119 there's lots of more stuff going on here 1106 00:41:55,119 --> 00:41:57,760 because as i said we've just 1107 00:41:57,760 --> 00:41:59,599 discussed that verification arrow over 1108 00:41:59,599 --> 00:42:02,000 here we have not discussed irma schemes 1109 00:42:02,000 --> 00:42:04,160 which which facilitates the upper
arrow 1110 00:42:04,160 --> 00:42:06,160 the trust relationship we have not 1111 00:42:06,160 --> 00:42:08,480 discussed the the issuance part then 1112 00:42:08,480 --> 00:42:09,599 there are still more we have not 1113 00:42:09,599 --> 00:42:12,480 discussed the irma keyshare server or 1114 00:42:12,480 --> 00:42:14,960 or the revocation of attributes once 1115 00:42:14,960 --> 00:42:18,160 their value ceases to be true 1116 00:42:18,160 --> 00:42:20,240 um all of that irma implements as well 1117 00:42:20,240 --> 00:42:22,000 but you know we can't fit everything 1118 00:42:22,000 --> 00:42:23,520 into a single talk 1119 00:42:23,520 --> 00:42:25,760 uh so if you want to know details about 1120 00:42:25,760 --> 00:42:28,640 that come look us up this evening or in 1121 00:42:28,640 --> 00:42:30,480 the coming days 1122 00:42:30,480 --> 00:42:31,760 and with that 1123 00:42:31,760 --> 00:42:32,960 i think there's still a little more a 1124 00:42:32,960 --> 00:42:34,720 little more time for questions thank you 1125 00:42:34,720 --> 00:42:37,040 very much 1126 00:42:41,920 --> 00:42:43,280 thank you very much 1127 00:42:43,280 --> 00:42:45,280 uh sietse maya 1128 00:42:45,280 --> 00:42:47,119 we still have five minutes for questions 1129 00:42:47,119 --> 00:42:49,440 i see a lineup already 1130 00:42:49,440 --> 00:42:51,119 um 1131 00:42:51,119 --> 00:42:52,560 otherwise you could have explained the 1132 00:42:52,560 --> 00:42:54,319 rest also what we have first first 1133 00:42:54,319 --> 00:42:58,599 question over there yeah 1134 00:43:06,720 --> 00:43:08,079 is there any 1135 00:43:08,079 --> 00:43:10,960 thought in the system given to how 1136 00:43:10,960 --> 00:43:14,640 um to prevent attributes being sort of 1137 00:43:14,640 --> 00:43:17,119 used misused so for example 1138 00:43:17,119 --> 00:43:20,000 um okay going to if i'm actually getting 1139 00:43:20,000 --> 00:43:21,680 a job it's not much it's not too 1140 00:43:21,680 --> 00:43:23,200
difficult it's kind of annoying that i 1141 00:43:23,200 --> 00:43:25,200 have like emailed my phd to lots of 1142 00:43:25,200 --> 00:43:27,280 people but that you know everybody's 1143 00:43:27,280 --> 00:43:30,480 done this but um so okay it would be 1144 00:43:30,480 --> 00:43:32,160 kind of cool to be able to send 1145 00:43:32,160 --> 00:43:33,599 something you know 1146 00:43:33,599 --> 00:43:35,599 somewhat more redacted or whatever but 1147 00:43:35,599 --> 00:43:38,240 but anyway um is there is there a is 1148 00:43:38,240 --> 00:43:40,400 there any thought to like um so one of 1149 00:43:40,400 --> 00:43:42,400 the things that's in the the verified 1150 00:43:42,400 --> 00:43:44,720 like the verif the old verifiable claims 1151 00:43:44,720 --> 00:43:47,920 use cases document from the w3c is they 1152 00:43:47,920 --> 00:43:50,160 wanted that um 1153 00:43:50,160 --> 00:43:52,240 it to be used for 1154 00:43:52,240 --> 00:43:54,880 um like to prove you had a job to a bank 1155 00:43:54,880 --> 00:43:56,160 but of course you don't open a bank 1156 00:43:56,160 --> 00:43:57,760 account every day it wouldn't be that 1157 00:43:57,760 --> 00:43:59,359 much trouble to get a new letter from 1158 00:43:59,359 --> 00:44:02,400 your thing but what happens if um if if 1159 00:44:02,400 --> 00:44:04,720 i just have this wallet what happens if 1160 00:44:04,720 --> 00:44:07,599 now some other parties start asking 1161 00:44:07,599 --> 00:44:09,359 for this prove you have a job so for 1162 00:44:09,359 --> 00:44:12,720 example if uh hr departments want me to 1163 00:44:12,720 --> 00:44:14,880 prove that i have a job when i apply for 1164 00:44:14,880 --> 00:44:16,800 a job and then they can start binning 1165 00:44:16,800 --> 00:44:19,040 resumes and and for most of the 1166 00:44:19,040 --> 00:44:21,520 verifiable claims use cases there's 1167 00:44:21,520 --> 00:44:23,520 actually this malicious use it's very 1168 00:44:23,520 --> 00:44:26,160 easy to find these 
malicious uses yeah 1169 00:44:26,160 --> 00:44:29,040 that's a very good question thank you um 1170 00:44:29,040 --> 00:44:31,119 well the the first answer i think is 1171 00:44:31,119 --> 00:44:33,520 that um if you're asked to to to 1172 00:44:33,520 --> 00:44:35,680 disclose some attributes to whoever is 1173 00:44:35,680 --> 00:44:38,160 asking for them the irma app also always 1174 00:44:38,160 --> 00:44:40,160 gives you the ability to just refuse 1175 00:44:40,160 --> 00:44:42,160 there's a big no button right 1176 00:44:42,160 --> 00:44:44,000 um so there is that but i don't think 1177 00:44:44,000 --> 00:44:45,920 that answers your question not not not 1178 00:44:45,920 --> 00:44:48,640 entirely um i think 1179 00:44:48,640 --> 00:44:50,720 there is a definitely a risk that a 1180 00:44:50,720 --> 00:44:52,960 system like this makes it much too easy 1181 00:44:52,960 --> 00:44:55,280 for potential verifiers to enforce that 1182 00:44:55,280 --> 00:44:57,599 you authenticate with them right using 1183 00:44:57,599 --> 00:44:59,680 perhaps too many attributes 1184 00:44:59,680 --> 00:45:01,200 um 1185 00:45:01,200 --> 00:45:02,880 so that's something that we'll have to 1186 00:45:02,880 --> 00:45:05,440 be very careful about and we're aware of 1187 00:45:05,440 --> 00:45:07,280 it we have a couple of ideas that might 1188 00:45:07,280 --> 00:45:10,800 help there um for example 1189 00:45:10,800 --> 00:45:12,960 i think that we might still do is is 1190 00:45:12,960 --> 00:45:15,040 implement a button in the irma app that 1191 00:45:15,040 --> 00:45:16,640 when it's asking you 1192 00:45:16,640 --> 00:45:19,440 some attributes and and you think that 1193 00:45:19,440 --> 00:45:21,040 it's too many attributes or not 1194 00:45:21,040 --> 00:45:23,440 appropriate to the situation or that you 1195 00:45:23,440 --> 00:45:26,160 can then uh report it to the dutch 1196 00:45:26,160 --> 00:45:28,160 autoriteit persoonsgegevens the authority 1197 00:45:28,160 -->
00:45:30,319 personal data or to the police i don't 1198 00:45:30,319 --> 00:45:32,720 know or to us so that then something 1199 00:45:32,720 --> 00:45:34,480 might be done about it 1200 00:45:34,480 --> 00:45:36,560 um yeah so there's not i mean why 1201 00:45:36,560 --> 00:45:38,000 involve the user i would like to add 1202 00:45:38,000 --> 00:45:40,800 something first here uh very shortly we 1203 00:45:40,800 --> 00:45:42,640 were now only talking about the 1204 00:45:42,640 --> 00:45:45,280 technical stuff so it was really just 1205 00:45:45,280 --> 00:45:47,440 why it works so you get some insights 1206 00:45:47,440 --> 00:45:50,079 why we claim it is how it is so how so 1207 00:45:50,079 --> 00:45:51,839 you can see that there are lots of 1208 00:45:51,839 --> 00:45:54,640 advantages and lots of disadvantages for 1209 00:45:54,640 --> 00:45:57,040 the complete system to use 1210 00:45:57,040 --> 00:45:58,880 this was not what we were talking about 1211 00:45:58,880 --> 00:46:01,920 but it might be a nice future talk yeah 1212 00:46:01,920 --> 00:46:03,680 but my main question 1213 00:46:03,680 --> 00:46:05,680 the implication is was why involve the 1214 00:46:05,680 --> 00:46:08,000 user at all why not just have why not 1215 00:46:08,000 --> 00:46:09,359 just have this certificate for the 1216 00:46:09,359 --> 00:46:11,119 person they're identifying it for say 1217 00:46:11,119 --> 00:46:12,880 what they're allowed to ask can we take 1218 00:46:12,880 --> 00:46:15,440 this question offline uh discuss it 1219 00:46:15,440 --> 00:46:18,000 later with them give other people a 1220 00:46:18,000 --> 00:46:20,079 different question thank you thanks 1221 00:46:20,079 --> 00:46:21,520 okay cool talk 1222 00:46:21,520 --> 00:46:22,319 how 1223 00:46:22,319 --> 00:46:24,560 um or do you provide your secret key to 1224 00:46:24,560 --> 00:46:25,760 the issuer 1225 00:46:25,760 --> 00:46:28,400 and do you have different secrets for 1226 00:46:28,400 --> 00:46:29,839 
different issuers 1227 00:46:29,839 --> 00:46:31,280 otherwise can you combine your 1228 00:46:31,280 --> 00:46:32,720 attributes if they're from different 1229 00:46:32,720 --> 00:46:35,520 issuers no there's one secret 1230 00:46:35,520 --> 00:46:36,880 which is reused across all of your 1231 00:46:36,880 --> 00:46:38,800 credentials even if they are from 1232 00:46:38,800 --> 00:46:41,680 different issuers and that that means 1233 00:46:41,680 --> 00:46:44,480 that you do have the ability to combine 1234 00:46:44,480 --> 00:46:46,000 different attributes from different 1235 00:46:46,000 --> 00:46:48,480 issuers but that's a feature 1236 00:46:48,480 --> 00:46:50,880 so then the issuer knows your secret 1237 00:46:50,880 --> 00:46:52,480 no no the issuer does not get to the 1238 00:46:52,480 --> 00:46:53,760 issuance ah that's that's a good 1239 00:46:53,760 --> 00:46:55,680 question the issuance protocol which we 1240 00:46:55,680 --> 00:46:58,720 have not discussed is such that um the 1241 00:46:58,720 --> 00:47:00,880 issuer it does ensure that you get the 1242 00:47:00,880 --> 00:47:03,280 same secret as your earlier credentials 1243 00:47:03,280 --> 00:47:05,200 there too you have to prove knowledge of 1244 00:47:05,200 --> 00:47:07,440 it but it doesn't get to see the actual 1245 00:47:07,440 --> 00:47:08,800 value 1246 00:47:08,800 --> 00:47:10,480 of that secret 1247 00:47:10,480 --> 00:47:12,000 um and that too is achieved by zero 1248 00:47:12,000 --> 00:47:14,640 knowledge proofs okay awesome 1249 00:47:14,640 --> 00:47:16,240 so it's actually a double blind 1250 00:47:16,240 --> 00:47:18,000 signature scheme and we just really did 1251 00:47:18,000 --> 00:47:21,119 not talk about this at all um 1252 00:47:21,119 --> 00:47:24,640 the issuer themselves they have private 1253 00:47:24,640 --> 00:47:26,559 keys that they do not share they only 1254 00:47:26,559 --> 00:47:28,559 share the public keys and the secret 1255 00:47:28,559 --> 00:47:30,160
value from 1256 00:47:30,160 --> 00:47:32,960 the app user will never be shared 1257 00:47:32,960 --> 00:47:38,200 anywhere just proven that you know it 1258 00:47:39,520 --> 00:47:41,839 um i was just wondering how the 1259 00:47:41,839 --> 00:47:44,400 attribute values are encoded because i 1260 00:47:44,400 --> 00:47:46,559 can imagine it results in a bunch of 1261 00:47:46,559 --> 00:47:48,480 large numbers that you have to do maths 1262 00:47:48,480 --> 00:47:50,160 with so 1263 00:47:50,160 --> 00:47:51,680 can you repeat the question a little 1264 00:47:51,680 --> 00:47:53,119 louder there's 1265 00:47:53,119 --> 00:47:56,160 oh sorry um i was just wondering how the 1266 00:47:56,160 --> 00:47:58,880 attribute values are encoded because i 1267 00:47:58,880 --> 00:48:00,319 can imagine it 1268 00:48:00,319 --> 00:48:01,680 results in a 1269 00:48:01,680 --> 00:48:04,000 bunch of big numbers that you have to do 1270 00:48:04,000 --> 00:48:06,880 a lot of maths with so are 1271 00:48:06,880 --> 00:48:09,520 is the size limited or is it arbitrary 1272 00:48:09,520 --> 00:48:12,800 and are there any performance issues 1273 00:48:12,800 --> 00:48:15,359 it's basically arbitrary 1274 00:48:15,359 --> 00:48:18,000 currently the the you just use string 1275 00:48:18,000 --> 00:48:20,400 encoding so an attribute is some string 1276 00:48:20,400 --> 00:48:22,800 and you just take the utf-8 encoding of 1277 00:48:22,800 --> 00:48:25,280 that and then you could you 1278 00:48:25,280 --> 00:48:27,200 interpret that as a big number and 1279 00:48:27,200 --> 00:48:30,079 that's it and there is a boundary um the 1280 00:48:30,079 --> 00:48:32,000 attributes are by idemix they are not 1281 00:48:32,000 --> 00:48:33,839 allowed to exceed 1282 00:48:33,839 --> 00:48:36,160 bits but that we solve by just hashing 1283 00:48:36,160 --> 00:48:38,559 it using sha 256 if it does and then 1284 00:48:38,559 --> 00:48:40,319 you're below it again 1285 00:48:40,319 -->
00:48:42,319 so that means that attributes can have 1286 00:48:42,319 --> 00:48:44,400 basically any size or content you know 1287 00:48:44,400 --> 00:48:45,920 it's not necessarily practical if you 1288 00:48:45,920 --> 00:48:47,280 have this giant 1289 00:48:47,280 --> 00:48:50,079 protocol attributes because it would 1290 00:48:50,079 --> 00:48:52,160 um it would look weird in your app right 1291 00:48:52,160 --> 00:48:54,960 but that's another issue 1292 00:48:54,960 --> 00:48:57,359 okay we have time for one small question 1293 00:48:57,359 --> 00:48:58,319 with 1294 00:48:58,319 --> 00:49:00,079 okay keep it small it's going to be a 1295 00:49:00,079 --> 00:49:02,720 big question i'll try okay 1296 00:49:02,720 --> 00:49:04,880 okay okay 1297 00:49:04,880 --> 00:49:05,760 so 1298 00:49:05,760 --> 00:49:07,760 how are key revocations handled can you 1299 00:49:07,760 --> 00:49:10,240 get a bit closer how are the revocations 1300 00:49:10,240 --> 00:49:11,040 of 1301 00:49:11,040 --> 00:49:14,480 the keys of the issuers handled 1302 00:49:14,839 --> 00:49:16,480 revocation 1303 00:49:16,480 --> 00:49:18,800 so actually there are two papers on that 1304 00:49:18,800 --> 00:49:20,079 and you can all read it on the 1305 00:49:20,079 --> 00:49:22,800 documentation on irma.app 1306 00:49:22,800 --> 00:49:25,200 docs sietse wrote that down in great 1307 00:49:25,200 --> 00:49:27,920 detail so i could understand it so 1308 00:49:27,920 --> 00:49:28,839 you will 1309 00:49:28,839 --> 00:49:30,480 understand 1310 00:49:30,480 --> 00:49:32,480 but the two papers published also by 1311 00:49:32,480 --> 00:49:35,280 camenisch i guess and uh we have an 1312 00:49:35,280 --> 00:49:37,280 implementation of that 1313 00:49:37,280 --> 00:49:41,520 i will not go into detail sorry thanks 1314 00:49:42,319 --> 00:49:44,400 thank you very much i see the same uh 1315 00:49:44,400 --> 00:49:46,079 kuk dude 1316 00:49:46,079 --> 00:49:48,160 offline thank you very much uh on the 1317
00:49:48,160 --> 00:49:50,559 sides are qr codes to the github 1318 00:49:50,559 --> 00:49:53,520 repository of irma uh i would like to 1319 00:49:53,520 --> 00:49:56,160 actually the slides so if i'm sorry the 1320 00:49:56,160 --> 00:49:58,720 slides uh it's a it's a github 1321 00:49:58,720 --> 00:50:02,000 repository filled with slides uh no code 1322 00:50:02,000 --> 00:50:04,160 because it's open source 1323 00:50:04,160 --> 00:50:05,760 there's also code okay thank you very 1324 00:50:05,760 --> 00:50:07,920 much 1325 00:50:09,040 --> 00:50:10,880 okay thank you very much uh thank you 1326 00:50:10,880 --> 00:50:12,160 very much for your 1327 00:50:12,160 --> 00:50:14,640 enlightenment uh this evening uh 1328 00:50:14,640 --> 00:50:15,680 maya 1329 00:50:15,680 --> 00:50:17,920 one final big round of applause thank 1330 00:50:17,920 --> 00:50:18,920 you 1331 00:50:18,920 --> 00:50:28,409 [Applause] 1332 00:50:32,160 --> 00:50:34,240 you