September 29, 2009


Posted in Publications at 17:19 by Thomas Groß

Based on the Identity Mixer technology, one industry standard has evolved: Direct Anonymous Attestation (DAA).

DAA allows a user to convince a verifier that she uses a platform with an embedded, certified hardware module (a TPM). The protocol protects the user's privacy: if she talks to the same verifier twice, the verifier cannot tell whether it is communicating with the same user as before or with a different one.

This scenario arose in the context of the Trusted Computing Group (TCG). TCG is an industry standardization body that aims to develop and promote an open industry standard for trusted computing hardware and software building blocks to enable more secure data storage, online business practices, and online commerce transactions while protecting privacy and individual rights.

We have worked with the TCG and various privacy groups on the requirements for such a scheme and have developed an efficient protocol, the direct anonymous attestation protocol. The scenario is reminiscent of group signature schemes, and our protocol is in fact based on the state-of-the-art group signature schemes of the time. However, a number of research questions still had to be solved for the protocol to be applicable in practice. Direct anonymous attestation relies on the Decisional Diffie-Hellman assumption for the user's privacy and on the Strong RSA assumption for unforgeability. The protocol has been standardized in the TCG's TPM version 1.2 specification.

Defining a Framework for Anonymous Authentication

Posted in Publications at 17:17 by Thomas Groß

The team has also published a number of papers that describe how the different cryptographic protocols can be used to realize privacy-enhancing identity management in practice. While still research papers, these do not primarily solve long-standing open problems but rather show how different usage scenarios can be addressed.

  1. Endre Bangerter, Jan Camenisch, Anna Lysyanskaya: A Cryptographic Framework for the Controlled Release of Certified Data. Security Protocols Workshop 2004
  2. Abhilasha Bhargav-Spantzel, Jan Camenisch, Thomas Groß, Dieter Sommer: User centricity: A taxonomy and open issues. Journal of Computer Security 15(5) 2007
  3. Marit Hansen, Peter Berlich, Jan Camenisch, Sebastian Clauß, Andreas Pfitzmann, Michael Waidner: Privacy-enhancing identity management
  4. Jan Camenisch, Abhi Shelat, Dieter Sommer, Simone Fischer-Hübner, Marit Hansen, Henry Krasemann, Gérard Lacoste, Ronald Leenes, Jimmy C. Tseng: Privacy and identity management for everyone. Digital Identity Management 2005
  5. Jan Camenisch, Dieter Sommer, Roger Zimmermann: A General Certification Framework with Applications to Privacy-Enhancing Certificate Infrastructures. 2006
  6. Michael Backes, Jan Camenisch, Dieter Sommer: Anonymous yet accountable access control. WPES 2005: 40-46
  7. Jan Camenisch, Thomas Groß, Dieter Sommer: Enhancing privacy of federated identity management protocols: anonymous credentials in WS-security. WPES 2006: 67-72
  8. Jan Camenisch, Abhi Shelat, Dieter Sommer, Roger Zimmermann: Securing user inputs for the web. Digital Identity Management 2006: 33-44
  9. Jan Camenisch, Thomas Groß, Thomas S. Heydt-Benjamin: Rethinking accountable privacy supporting services: extended abstract. Digital Identity Management 2008: 1-8

Extensions – Building Blocks for an Identity Management Framework

Posted in Publications at 17:13 by Thomas Groß

Anonymous authentication is just the basic feature provided by our technologies. Indeed, it is often not enough to learn that a person has the right to access a certain resource or service, as anonymity can be abused. Therefore, the research challenge here is to design methods that limit the abuse dishonest parties can commit and/or allow cases of abuse to be investigated after the fact. We were able to design a number of ways to do this (A to C below). Apart from these extensions, the team has also been investigating better proof protocols for anonymous authentication, i.e., protocols that allow one to prove possession of a certificate and properties of the certificate (D below).

A) Controlling information release

We invented the primitive of verifiable encryption, which allows one to encrypt additional information under a third party's public key, to prove to the recipient of the ciphertext that it contains the claimed information, and to define the condition under which the third party is allowed to decrypt it. The third party is only involved at the time of decryption. This primitive could be used as follows: to access a document I prove that I was authorized by my company to do so (i.e., I own a certificate issued by my company that states this) and in addition provide an encryption of my identity under the key of a trusted third party. Thus, the document provider does not learn who I am, but in case of misuse it can ask the trusted third party for help with the investigation.

  1. Jan Camenisch, Victor Shoup: Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003
  2. Jan Camenisch, Ivan Damgård: Verifiable Encryption, Group Encryption, and Their Applications to Separable Group Signatures and Signature Sharing Schemes. ASIACRYPT 2000

B) Limiting the use of anonymous credentials

While some certificates or credentials, such as a driver's license, have no limit on how many times they can be used, others, such as electronic money, must not be usable more than once. Likewise, to prevent misuse of, e.g., a subscription credential, one might want to limit the number of times a credential can be used per time period. With non-anonymous certificates, enforcing such limits is trivial: one keeps track of how each individual certificate is used and rejects requests with certificates that have been over-used. With anonymous certificates this is not possible, as no individual use shall be linkable to any other use. Nevertheless, we were able to design cryptographic protocols that implement such controls. Paradoxical as it sounds, the cryptography ensures that transactions are completely anonymous as long as the credential is not over-used, and as soon as the credential is used once too often the identity of the abuser is revealed, from the transcripts alone and without involving a trusted third party. The papers listed below present different ways of defining what "over-use" means: in Compact E-Cash a credential can be used up to n times, while other papers consider more general rules that take different time periods or different communication partners into account (e.g., a credential can be used n times per hour with this group of service providers and k times with that group).

  1. Jan Camenisch, Susan Hohenberger, Anna Lysyanskaya: Compact E-Cash. EUROCRYPT 2005
  2. Jan Camenisch, Susan Hohenberger, Markulf Kohlweiss, Anna Lysyanskaya, Mira Meyerovich: How to win the clonewars: efficient periodic n-times anonymous authentication. ACM Conference on Computer and Communications Security 2006
  3. Jan Camenisch, Susan Hohenberger, Anna Lysyanskaya: Balancing Accountability and Privacy Using E-Cash (Extended Abstract). SCN 2006
  4. Jan Camenisch, Anna Lysyanskaya, Mira Meyerovich: Endorsed E-Cash. IEEE Symposium on Security and Privacy 2007

C) Securing Certificates with Hardware

Being digital objects, certificates can easily be shared among different users. With non-anonymous certificates, such sharing might be detected if a certificate gets used too frequently, and the certificate can then be revoked. The approach described under point B) implements the same control for anonymous certificates. Another possibility is to use secure hardware devices such as Java Cards to store the certificates and to execute the proof protocols. We invented a method that binds an anonymous certificate to a TPM chip, such that the certificate can only be used together with that TPM. This not only prevents users from sharing their certificates but also protects the certificates against malware and phishing attacks, as by themselves they are useless. Another means to protect certificates is a Java Card, as in the smarter identity project.

  1. Jan Camenisch: Protecting (Anonymous) Credentials with the Trusted Computing Group’s TPM V1.2. SEC 2006: 135-147
  2. Patrik Bichsel, Jan Camenisch, Thomas Gross, Victor Shoup: Anonymous Credentials on a Standard Java Card. ACM Conference on Computer and Communications Security 2009

D) Proof Protocols

As described above, efficient zero-knowledge proofs of knowledge are the main building block of anonymous credentials, and making them as efficient as possible is key for practical solutions. In this area the team has made significant contributions as well.

  1. Endre Bangerter, Jan Camenisch, Ueli M. Maurer: Efficient Proofs of Knowledge of Discrete Logarithms and Representations in Groups with Hidden Order. Public Key Cryptography 2005
  2. Jan Camenisch, Aggelos Kiayias, Moti Yung: On the Portability of Generalized Schnorr Proofs. EUROCRYPT 2009

In another line of work, the team developed protocols that allow one to set up the infrastructure of an anonymous credential system in a secure way, for instance by proving that an RSA modulus is the product of two safe primes, or by generating such a modulus jointly so that no single party learns its factorization.

  1. Jan Camenisch, Markus Michels: Proving in Zero-Knowledge that a Number Is the Product of Two Safe Primes. EUROCRYPT 1999
  2. Joy Algesheimer, Jan Camenisch, Victor Shoup: Efficient Computation Modulo a Shared Secret with Application to the Generation of Shared Safe-Prime Products. CRYPTO 2002

Prototypes and Demonstrators

Posted in Publications at 17:07 by Thomas Groß

We are committed to proving that the cryptographic protocols developed are indeed practical. The team has thus implemented the anonymous credential system and made the implementation available to interested parties, typically universities interested in building applications that require anonymous authentication. Everyone is now able to download the implementation freely via the PRIME project. Furthermore, the team has also shown that the technology can indeed be used to realize privacy-protecting electronic identity cards, by implementing the protocols on a standard Java Card. For the latter work, the team was awarded the 2009 prize of the German Informatics Society (Gesellschaft für Informatik, GI).

  1. Jan Camenisch, Els Van Herreweghen: Design and implementation of the idemix anonymous credential system. ACM Conference on Computer and Communications Security 2000
  2. Patrik Bichsel, Jan Camenisch, Thomas Gross, Victor Shoup: Anonymous Credentials on a Standard Java Card. ACM Conference on Computer and Communications Security 2009

From Basic Research to Standards to Chips into Everyone’s Computer (DAA)

Posted in Publications at 17:02 by Thomas Groß

While there is a large body of cryptographic research, only a few cryptographic algorithms are used in practice, and indeed almost all cryptographic research results have no impact in practice. One exception is the so-called Direct Anonymous Attestation (DAA) protocol that the team developed together with Intel and HP in the context of the Trusted Computing Group. That group was faced with the problem that the so-called Trusted Platform Module (TPM), which is embedded in many PCs, needs to authenticate itself to third parties as a genuine chip. The reason is that the chip, which records measurements of the software running on the computer, can attest whether the OS is in a pristine state or has been compromised by viruses. Thus, if a third party wants to know whether its communication partner is in a good state, it can ask that party's TPM. If one used ordinary, non-anonymous authentication of the chip for this, all transactions made with our computers could be linked together. The Direct Anonymous Attestation protocol is basically a light-weight version of the Identity Mixer anonymous credential protocol, adapted to the requirements of the Trusted Computing Group. All chips produced according to the TPM V1.2 specification implement the protocol and are used in today's PCs.

    1. Ernest F. Brickell, Jan Camenisch, Liqun Chen: Direct anonymous attestation. ACM Conference on Computer and Communications Security 2004
    2. TCG TPM V1.2 specification
    3. Jan Camenisch: Better Privacy for Trusted Computing Platforms: (Extended Abstract). ESORICS 2004: 73-88

Efficient Attributes

Posted in Publications at 16:55 by Thomas Groß

Considering the use of anonymous credentials for government-issued identities, one finds that the number of certified attributes is quite large. The original scheme, however, loses efficiency as the number of attributes grows, since each additional attribute adds to the cost of every proof. Also consider a certificate stating a date of birth: if one wants to prove that one is between 12 and 16 years old, the known method for such range proofs is not practical on computationally challenged devices such as smart cards, which would be the target platform for electronic identity cards.

  1. Jan Camenisch, Thomas Groß: Efficient attributes for anonymous credentials. ACM CCS 2008; invited to the TISSEC journal as a selected paper.
  2. Jan Camenisch, Rafik Chaabouni, Abhi Shelat: Efficient Protocols for Set Membership and Range Proofs. ASIACRYPT 2008

The Problem of Revocation

Posted in Publications at 16:52 by Thomas Groß

When using anonymous authentication in the real world, additional requirements have to be met. One of them is the ability to revoke certificates. The typical approach of publishing a list of serial numbers of revoked certificates unfortunately does not work, as revealing a certificate's serial number would make all its uses linkable and thus compromise privacy. In 2002 Camenisch and Lysyanskaya solved the problem of revocation for anonymous credentials for the first time, although the concept of anonymous credentials had been proposed well over a decade earlier (Chaum, 1985).

  1. Jan Camenisch, Anna Lysyanskaya: Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials. CRYPTO 2002. [PDF]
  2. Jan Camenisch, Markulf Kohlweiss, Claudio Soriente: An Accumulator Based on Bilinear Maps and Efficient Revocation for Anonymous Credentials. PKC 2009
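How revocation works without a serial-number list is easiest to see with the accumulator itself. The following is an added example in the style of the CRYPTO 2002 dynamic accumulator; it is not the paper's code. It uses a constructed toy RSA modulus (the product of two Mersenne primes; a deployment uses a product of two safe primes of about 2048 bits whose factorization is the issuer's trapdoor or is destroyed), and it omits the zero-knowledge proof with which a credential holder shows, alongside the credential proof, that its hidden prime e is accumulated. The function names are this example's own. Every credential carries a distinct prime e; the public accumulator value is acc = G^(product of all non-revoked e); a holder's witness w satisfies w^e = acc, and after an addition or a revocation every non-revoked holder can update its own witness from public values alone, while the revoked holder cannot.

```python
"""Revocation via a dynamic accumulator, in the style of Camenisch-Lysyanskaya
(CRYPTO 2002). Added example; not the paper's code. Toy, constructed RSA modulus.
Requires Python 3.8+ (pow with a negative exponent)."""

N = ((1 << 61) - 1) * ((1 << 89) - 1)   # toy RSA modulus, about 150 bits
G = 4                                   # a quadratic residue mod N


def egcd(a: int, b: int):
    """Extended Euclid: returns (d, x, y) with a*x + b*y = d = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    d, x, y = egcd(b, a % b)
    return d, y, x - (a // b) * y


def accumulate(elements):
    """acc = G^{prod e_i} mod N; each e_i is a distinct prime carried in one credential."""
    acc = G
    for e in elements:
        acc = pow(acc, e, N)
    return acc


def witness(elements, e):
    """w = G^{prod of the other elements}, so that w^e == acc."""
    return accumulate([x for x in elements if x != e])


def verify(acc, e, w) -> bool:
    """Membership check; in the real protocol (e, w) are shown in zero knowledge."""
    return pow(w, e, N) == acc


def manager_add(acc, elements, e_new):
    """Issuer adds e_new: acc' = acc^{e_new}. No trapdoor needed."""
    return elements + [e_new], pow(acc, e_new, N)


def manager_delete(elements, e_del):
    """Issuer revokes e_del: acc' = acc^{1/e_del}. With the factorisation as
    trapdoor this is one exponentiation; without it (as here) acc' is simply
    the witness of e_del, recomputed from the remaining elements."""
    remaining = [x for x in elements if x != e_del]
    return remaining, accumulate(remaining)


def holder_update_add(w, e_new):
    """Holder's local update after an addition: w' = w^{e_new}."""
    return pow(w, e_new, N)


def holder_update_delete(w, e_own, acc_new, e_del):
    """Holder's local update after revocation of e_del, from public values only.
    With a*e_own + b*e_del = 1:  w' = w^b * acc_new^a, and then w'^{e_own} == acc_new.
    The revoked holder cannot do this, since gcd(e, e) = e != 1."""
    d, a, b = egcd(e_own, e_del)
    if d != 1:
        raise ValueError("no Bezout coefficients: this element is revoked")
    return pow(w, b, N) * pow(acc_new, a, N) % N


def demo():
    elems = [1009, 1013, 1019, 1021]                  # constructed credential primes
    acc = accumulate(elems)
    w = {e: witness(elems, e) for e in elems}
    all_valid = all(verify(acc, e, w[e]) for e in elems)

    elems2, acc2 = manager_delete(elems, 1013)        # revoke credential 1013
    w2 = {e: holder_update_delete(w[e], e, acc2, 1013) for e in elems2}
    others_valid = all(verify(acc2, e, w2[e]) for e in elems2)
    revoked_valid = verify(acc2, 1013, w[1013])       # stale witness no longer verifies

    elems3, acc3 = manager_add(acc2, elems2, 1031)    # issue a new credential
    w3 = {e: holder_update_add(w2[e], 1031) for e in elems2}
    w3[1031] = witness(elems3, 1031)
    new_valid = all(verify(acc3, e, w3[e]) for e in elems3)
    return all_valid, others_valid, revoked_valid, new_valid
```

The verifier never learns which e it is checking (that is what the omitted zero-knowledge proof hides), so the accumulator replaces the serial-number list without the linkability the list would introduce; the price is that every holder must refresh its witness whenever the accumulator changes, which the two `holder_update_*` functions do with only the published values.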

Anonymous Credentials

Posted in Publications at 16:50 by Thomas Groß

The core research challenge for privacy-preserving authentication is to find a signature scheme for issuing certificates such that one can later efficiently prove, by some sort of zero-knowledge protocol, that one has been issued a signature by some party on a message which, e.g., contains a birth date showing that one is indeed between 12 and 16 years old. In theory this can be done with any signature scheme, as any (mathematical) statement can be proven in zero-knowledge. If, however, one is looking for a practical system, standard digital signatures cannot be used, as the proof would be far too inefficient.

A core innovation was a new signature scheme together with zero-knowledge protocols that allow one to do this very efficiently. The first seed of this technology was laid in 1998, and over the years the schemes were improved until they became really practical (2001). Later the team also came up with alternatives based on different cryptographic assumptions and settings (2004: bilinear maps on elliptic curves). Depending on the implementation requirements, these alternatives are preferable to the earlier proposals.

  1. Jan Camenisch, Markus Stadler: Efficient Group Signature Schemes for Large Groups. CRYPTO 1997. [PDF]
  2. Jan Camenisch, Markus Michels: Separability and Efficiency for Generic Group Signature Schemes. CRYPTO 1999. [PDF]
  3. Giuseppe Ateniese, Jan Camenisch, Marc Joye, Gene Tsudik: A Practical and Provably Secure Coalition-Resistant Group Signature Scheme. CRYPTO 2000. [PDF]
  4. Jan Camenisch, Anna Lysyanskaya: An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation. EUROCRYPT 2001. [Full Paper]
  5. Jan Camenisch, Anna Lysyanskaya: A Signature Scheme with Efficient Protocols. SCN 2002. [PDF]
  6. Jan Camenisch, Jens Groth: Group Signatures: Better Efficiency and New Theoretical Aspects. SCN 2004. [PDF]
  7. Jan Camenisch, Anna Lysyanskaya: Signature Schemes and Anonymous Credentials from Bilinear Maps. CRYPTO 2004. [PDF]
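What "a signature scheme with efficient protocols" buys in practice is a proof of possession that hides the signature and the signed attribute and is unlinkable across showings. The following is an added example in the style of the SCN 2002 RSA-based scheme; it is not the authors' code. It uses constructed toy parameters: the modulus is the product of two Mersenne primes, so the issuer's trapdoor phi(N) is in plain sight (a deployment uses a product of two safe primes of about 2048 bits, much larger e and v, and a statistically hiding choice of all randomizer lengths), and the proof is a Fiat-Shamir'd Schnorr-type proof with integer responses in which the range checks on the responses are omitted. The names `issue`, `prove` and `verify_proof` are this example's own. A disclosed attribute would simply move its factor R^m to the verifier's side of the equation; here the attribute stays hidden.

```python
"""CL-RSA signature with a zero-knowledge proof of possession over a hidden
attribute, in the style of Camenisch-Lysyanskaya (SCN 2002). Added example,
not the authors' code. Constructed toy parameters; requires Python 3.8+
(pow with a negative exponent)."""
import hashlib
import secrets

P, Q = (1 << 61) - 1, (1 << 89) - 1   # Mersenne primes: toy issuer secret
N, PHI = P * Q, (P - 1) * (Q - 1)
S, R, Z = 4, 9, 25          # public bases, quadratic residues mod N (constructed)
E = 1009                    # prime signature exponent; must be coprime to PHI
D = pow(E, -1, PHI)         # issuer's trapdoor E^-1 mod phi(N); fails if not coprime
RAND_BITS = 700             # > |challenge| + |secret| + 80 for every secret below


def issue(m: int):
    """Issuer signs attribute m: choose v, output A with A^E * R^m * S^v == Z (mod N)."""
    v = secrets.randbits(200)
    base = Z * pow(pow(R, m, N) * pow(S, v, N), -1, N) % N
    return pow(base, D, N), E, v


def verify_sig(sig, m: int) -> bool:
    """Plain signature check (needs m; used only by someone who may see m)."""
    A, e, v = sig
    return pow(A, e, N) * pow(R, m, N) * pow(S, v, N) % N == Z


def challenge(A1: int, t: int, nonce: bytes) -> int:
    """Fiat-Shamir challenge bound to the verifier's nonce."""
    h = hashlib.sha256(f"{N}|{A1}|{t}|".encode() + nonce).digest()
    return int.from_bytes(h, "big")


def prove(sig, m: int, nonce: bytes):
    """Prove knowledge of (A, e, v, m) with A^e R^m S^v = Z, revealing none of them.
    A is re-randomised (A' = A * S^r, v' = v - e*r) so two proofs are unlinkable."""
    A, e, v = sig
    r = secrets.randbits(128)
    A1 = A * pow(S, r, N) % N
    v1 = v - e * r
    re_, rm, rv = (secrets.randbits(RAND_BITS) for _ in range(3))
    t = pow(A1, re_, N) * pow(R, rm, N) * pow(S, rv, N) % N
    c = challenge(A1, t, nonce)
    return A1, t, (re_ + c * e, rm + c * m, rv + c * v1)   # integer responses


def verify_proof(proof, nonce: bytes) -> bool:
    """Verifier check: A'^{s_e} R^{s_m} S^{s_v} == t * Z^c (mod N).
    The verifier learns neither the attribute m nor the signature (A, e, v)."""
    A1, t, (se, sm, sv) = proof
    c = challenge(A1, t, nonce)
    lhs = pow(A1, se, N) * pow(R, sm, N) * pow(S, sv, N) % N
    return lhs == t * pow(Z, c, N) % N


def demo():
    m = 1994                                  # hidden attribute, e.g. a birth year
    sig = issue(m)
    nonce = b"verifier-session-nonce"         # constructed
    proof_a = prove(sig, m, nonce)
    proof_b = prove(sig, m, nonce)            # same credential, fresh randomness
    return (verify_sig(sig, m), verify_proof(proof_a, nonce),
            verify_proof(proof_b, nonce), proof_a[0] != proof_b[0])
```

The last value returned by `demo` is the unlinkability check: two showings of the same credential present different randomised values A', so a verifier that sees both cannot tell they come from one certificate, which is what distinguishes this construction from showing an ordinary signature twice.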