# September 29, 2009

## Extensions – Building Blocks for an Identity Management Framework

Anonymous authentication is only the basic feature provided by our technologies. Indeed, it is often not enough to learn that a person has the right to access a certain resource or service, as anonymity can be abused. The research challenge is therefore to design methods that limit the abuse dishonest parties can commit and/or that make it possible to investigate cases of abuse after the fact. We were able to design a number of ways to do this (A-C below). Apart from these extensions, the team also investigated better proof protocols for anonymous authentication, i.e., protocols that allow one to prove possession of a certificate and properties of the certificate (D below).

## A) Controlling information release

We invented the primitive of verifiable encryption, which allows one to encrypt additional information under a third party's public key and to define a condition under which that party is allowed to decrypt it. The third party is only involved at the time of decryption. For instance, this primitive could be used as follows: to access a document, I prove that I was authorized by my company to do so (i.e., I own a certificate issued by my company that states this) and in addition provide an encryption of my identity under the key of a trusted third party. Thus, the document provider does not learn who I am, but in case of misuse it can ask the trusted third party for help in the investigation.

- Jan Camenisch, Victor Shoup: Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003
- Jan Camenisch, Ivan Damgård: Verifiable Encryption, Group Encryption, and Their Applications to Separable Group Signatures and Signature Sharing Schemes. ASIACRYPT 2000

## B) Limiting the use of anonymous credentials

While some certificates or credentials, such as a driver's license, have no limitation on how many times they can be used, others, such as electronic money, should not be usable more than once. Also, in order to prevent misuse of, e.g., a subscription credential, one might want to limit the number of times a credential can be used in a given time period. With non-anonymous certificates or access-control mechanisms, enforcing such limitations is trivial: one just keeps track of the use of the individual certificates and then rejects requests with certificates that have been over-used. With anonymous certificates this is not possible, as each individual use must not be linkable to any other use. Nevertheless, we were able to design cryptographic protocols that implement such controls. Paradoxical as it sounds, the cryptography ensures that transactions are completely anonymous as long as the credential is not over-used, and as soon as the credential is used once too often, the identity of the abuser is revealed. The research papers listed below present different methods for different ways of defining what "over-use" means: e.g., in Compact E-Cash a credential can be used up to *n* times, while other papers consider more general rules that take into account different time periods or different communication partners (e.g., a credential can be used *n* times per hour with this group of service providers and *k* times with that group).

- Jan Camenisch, Susan Hohenberger, Anna Lysyanskaya: Compact E-Cash. EUROCRYPT 2005
- Jan Camenisch, Susan Hohenberger, Markulf Kohlweiss, Anna Lysyanskaya, Mira Meyerovich: How to win the clonewars: efficient periodic n-times anonymous authentication. ACM Conference on Computer and Communications Security 2006
- Jan Camenisch, Susan Hohenberger, Anna Lysyanskaya: Balancing Accountability and Privacy Using E-Cash (Extended Abstract). SCN 2006
- Jan Camenisch, Anna Lysyanskaya, Mira Meyerovich: Endorsed E-Cash. IEEE Symposium on Security and Privacy 2007
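As an added illustration (not code from the papers above), here is a toy version of the mechanism that exposes an over-user, in the spirit of Compact E-Cash: each of the *n* permitted uses carries a serial number and a tag derived from the user's secret; one tag hides the secret, but two tags for the same serial under different challenges let the verifier compute it. The group parameters, the HMAC-based PRF and all function names are assumptions for this example; the zero-knowledge proof that serial and tag were formed correctly, which the real protocols add, is omitted.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this example and far too small for real use:
# p = 2q + 1 with q prime; g generates the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4

def tag_key(t: bytes, j: int) -> int:
    """PRF F_t(j) into Z_q. HMAC stands in for the algebraic PRF of the papers,
    which is needed there so that its evaluation can be proven in zero knowledge."""
    mac = hmac.new(t, j.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % Q

def spend(u: int, s: bytes, t: bytes, j: int, r: int) -> tuple:
    """The j-th of the n permitted uses (0 <= j < n) against the verifier's challenge r.
    u is the user's secret (identity g^u); s and t are PRF seeds fixed when the
    credential was issued. Returns (serial S = F_s(j), tag T = g^u * g^{F_t(j) * r})."""
    serial = hmac.new(s, j.to_bytes(4, "big"), hashlib.sha256).hexdigest()
    tag = pow(G, (u + tag_key(t, j) * r) % Q, P)
    return serial, tag

def extract_identity(r1: int, t1: int, r2: int, t2: int) -> int:
    """Two tags for one serial under different challenges reveal g^u:
    t1^r2 / t2^r1 = g^{u (r2 - r1)}, then divide the exponent by (r2 - r1)."""
    if (r1 - r2) % Q == 0:
        raise ValueError("challenges coincide; identity cannot be separated")
    ratio = pow(t1, r2, P) * pow(pow(t2, r1, P), -1, P) % P
    return pow(ratio, pow((r2 - r1) % Q, -1, Q), P)

class Verifier:
    """Service provider: remembers every serial it has seen; a repeat is over-use."""
    def __init__(self):
        self.seen = {}   # serial -> (challenge, tag) of the first use

    def challenge(self) -> int:
        return secrets.randbelow(Q)

    def accept(self, serial: str, r: int, tag: int) -> tuple:
        """Returns (accepted, exposed identity); the identity stays None for honest use."""
        if serial in self.seen:
            r0, t0 = self.seen[serial]
            return False, extract_identity(r0, t0, r, tag)
        self.seen[serial] = (r, tag)
        return True, None
```

Distinct values of j (up to n) give unlinkable serials, so the verifier learns nothing about who is spending until a serial repeats.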

## C) Securing Certificates with Hardware

Being digital objects, certificates can easily be shared among different users. With non-anonymous certificates, such sharing might be detected if the certificate gets used too frequently, and the certificate can then be revoked on that basis. In fact, the approach we describe above under point B) implements the same control for anonymous certificates. Another possibility is to use secure hardware devices such as Java Cards to store the certificates and to execute the proof protocols. We invented a method that allows one to bind an anonymous certificate to a TPM chip such that the certificate can only be used together with the given TPM chip. This not only prevents users from sharing their certificates but also protects the certificates from viruses and phishing attacks, as by themselves they are useless. Another means to protect certificates is to use a Java Card, as in the smarter identity project.

- Jan Camenisch: Protecting (Anonymous) Credentials with the Trusted Computing Group's TPM V1.2. SEC 2006
- Patrik Bichsel, Jan Camenisch, Thomas Gross, Victor Shoup: Anonymous Credentials on a Standard Java Card. ACM Conference on Computer and Communications Security 2009

## D) Proof Protocols

As described above, efficient zero-knowledge proofs of knowledge are a main building block of anonymous credentials, and making them as efficient as possible is key for practical solutions. In this area the team has made significant contributions as well.

- Endre Bangerter, Jan Camenisch, Ueli M. Maurer: Efficient Proofs of Knowledge of Discrete Logarithms and Representations in Groups with Hidden Order. Public Key Cryptography 2005
- Jan Camenisch, Aggelos Kiayias, Moti Yung: On the Portability of Generalized Schnorr Proofs. EUROCRYPT 2009
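To make sections A and D concrete, here is an added example (not the papers' construction) of a verifiable encryption in simplified form: an ElGamal encryption of the user's identity g^u under a trusted third party's key, together with a Fiat-Shamir generalized Schnorr proof that the ciphertext contains the same u as a Pedersen commitment the verifier already holds, with a label naming the decryption condition bound into the challenge. The group parameters, the second generator h, the function names and the label are assumptions for this example; enforcing the condition is the TTP's policy, outside the code.

```python
import hashlib
import secrets

# Toy group, constructed for this example and far too small for real use:
# p = 2q + 1 with q prime; g and h generate the order-q subgroup of Z_p^*,
# with log_g(h) assumed unknown to the prover (a Pedersen commitment needs that).
P, Q, G, H = 2039, 1019, 4, 9

def challenge(*parts) -> int:
    """Fiat-Shamir challenge over the statement, the commitments and the label."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def ttp_keygen() -> tuple:
    """Trusted third party: secret x, public key y = g^x."""
    x = secrets.randbelow(Q)
    return x, pow(G, x, P)

def verifiable_encrypt(y: int, u: int, o: int, label: str) -> tuple:
    """Encrypt the identity g^u under the TTP key y and prove that the plaintext
    is the same u as in the Pedersen commitment C = g^u h^o (opening o), without
    revealing u. The label names the condition under which the TTP may decrypt."""
    com = pow(G, u, P) * pow(H, o, P) % P
    r = secrets.randbelow(Q)
    c1, c2 = pow(G, r, P), pow(y, r, P) * pow(G, u, P) % P      # ElGamal of g^u
    rr, uu, oo = (secrets.randbelow(Q) for _ in range(3))       # proof randomness
    a1 = pow(G, rr, P)
    a2 = pow(y, rr, P) * pow(G, uu, P) % P
    a3 = pow(G, uu, P) * pow(H, oo, P) % P
    e = challenge(y, com, c1, c2, a1, a2, a3, label)
    zr, zu, zo = (rr + e * r) % Q, (uu + e * u) % Q, (oo + e * o) % Q
    return com, (c1, c2), (a1, a2, a3, zr, zu, zo)

def verify(y: int, com: int, ct: tuple, proof: tuple, label: str) -> bool:
    """Checks the three Schnorr-style equations; no secret is needed."""
    c1, c2 = ct
    a1, a2, a3, zr, zu, zo = proof
    e = challenge(y, com, c1, c2, a1, a2, a3, label)
    return (pow(G, zr, P) == a1 * pow(c1, e, P) % P
            and pow(y, zr, P) * pow(G, zu, P) % P == a2 * pow(c2, e, P) % P
            and pow(G, zu, P) * pow(H, zo, P) % P == a3 * pow(com, e, P) % P)

def ttp_decrypt(x: int, ct: tuple) -> int:
    """Only the TTP can do this, and only once the label's condition is met."""
    c1, c2 = ct
    return c2 * pow(pow(c1, x, P), -1, P) % P
```

The document provider runs only verify and never learns u; the TTP never takes part until ttp_decrypt is needed, matching the description in section A.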

In another line of work, the team developed protocols that allow one to set up the infrastructure of anonymous credentials in a secure way.

- Jan Camenisch, Markus Michels: Proving in Zero-Knowledge that a Number Is the Product of Two Safe Primes. EUROCRYPT 1999
- Joy Algesheimer, Jan Camenisch, Victor Shoup: Efficient Computation Modulo a Shared Secret with Application to the Generation of Shared Safe-Prime Products. CRYPTO 2002