Digital credential
Digital credentials are meant to be the digital equivalent of paper-based credentials. Examples of paper-based credentials are a passport, a driver's license, a membership certificate, or some kind of ticket that grants access to a service, such as a cinema ticket or a public transport ticket. A credential is a proof of qualification, competence, or clearance that is attached to a person. Similarly, digital credentials prove something about their owner.
Because of the still evolving and sometimes conflicting terminologies used in the fields of computer science, computer security, and cryptography, the term credential is used quite confusingly in these fields. Sometimes passwords or other means of authentication are referred to as credentials. In operating system design, credentials are the properties of a process (such as its effective UID) that are used to determine its access rights. On other occasions, certificates and associated key material such as those stored in PKCS#12 and PKCS#15 containers are referred to as credentials.
Often, however, the term digital credential is, like digital cash, associated only with anonymous digital credentials. Such credentials, while still making an assertion about some property, status, or right of their owner, do not reveal the owner's identity.
Real world, digital world analogy
Real-world credentials are a diverse social phenomenon, and as such are difficult to define. As with digital signatures, it is misleading to assume a direct correspondence between the real-world concept and the digital one. This holds even if defining criteria for credentials in the digital world could be agreed on.
Consider the fate of digital signatures. On the one hand, the success of digital signatures as a replacement for paper-based signatures has lagged behind expectations. On the other hand, many unexpected uses of digital signatures have been discovered by recent cryptographic research. A related insight that can be learned from digital signatures is that the cryptographic mechanism must not be confused with the overall process that turns a digital signature into something with more or less the same properties as a paper-based signature. Electronic signatures such as paper signatures sent by fax may have legal meaning, while secure cryptographic signatures may serve completely different purposes. We need to distinguish the algorithm from the process.
Digital cash and digital credentials
Why is digital cash associated with digital credentials, while paper or metal coins are usually not considered genuine real-world credentials? Money is usually not seen as a qualification attached to a specific person; token money is taken to have a value of its own. Now consider a specific property of digital assets: they are easily copied. Consequently, digital cash protocols have to make an extra effort to prevent the double spending of coins. Recall that credentials are a proof of qualification attached to a person. Digital cash uses the following technique. E-coins are given to individuals, who cannot pass them on to others but can only spend them with merchants. As long as they spend a coin only once they remain anonymous, but should they spend a coin twice they become identifiable, and the bank can take appropriate action. This binding to an individual is why digital cash and digital credentials share many properties. In fact, most implementations of anonymous digital credentials also realize digital cash.
Anonymous digital credentials
The main idea behind anonymous digital credentials is that giving users cryptographic credentials which allow them to anonymously prove statements about their relationships with public and private organizations is a more privacy-friendly alternative to keeping large centralized user records. Paper-world analogues of such credentials are passports, driving licenses, and money. Further examples include credit cards, health insurance cards, cinema and public transport tickets, club membership cards, and game-arcade tokens. Credentials are issued by organizations that ascertain the authenticity of the information, and can be presented to verifying entities on demand.
In order to investigate certain privacy-specific properties of credentials, we take a more detailed look at two kinds of 'credentials': physical money and credit cards. Without doubt both of them provide adequate information to conduct payment transactions, but the amount and quality of the information disclosed varies. Money is protected from forgery by its physical properties. Beyond that, only very little information is revealed: coins feature an engraved value and the year of minting; in addition, bank notes carry a unique serial number in order to provide the traceability required by law enforcement.
On the other hand, the use of a credit card, whose main purpose is similar to that of money, allows for the creation of highly detailed records about the card owner. The main advantage of money is that its users can remain anonymous.
Credentials used in a national identification system are also especially privacy-relevant. Such an ID, be it a passport, a driver's license, or some other type of card, usually contains essential personal information. In certain situations it may be advantageous to reveal only part of the information contained on the ID, e.g., a lower bound on the person's age or the fact that the person is licensed to drive a car.
Anonymous digital credentials and pseudonyms
The original anonymous credential system proposed by Chaum [1] is sometimes also referred to as a pseudonym system [2]. This stems from the fact that the credentials of such a system are obtained from and shown to organizations using different pseudonyms which cannot be linked.
The introduction of pseudonyms [1] is a useful extension of anonymity. Pseudonyms allow users to choose a different name with each organization. While pseudonyms allow organizations to associate users with accounts, organizations cannot determine the real identities of their customers. Nevertheless, using an anonymous credential, certain statements about the relationship of a user with one organization, under one pseudonym, can be proven to another organization that knows the user only under a different pseudonym.
History of anonymous digital credentials
As already mentioned, anonymous credential systems are related to the concept of untraceable or anonymous payments as introduced by Chaum in [3]. In this important work, Chaum presents a new cryptographic primitive, the blind signature protocol. In such a scheme the signer learns neither the message he signs nor the signature the recipient obtains for his message. Blind signatures are an important building block of many privacy-sensitive applications, such as anonymous payments, voting, and credentials. The original idea for an anonymous credential system [1] was derived from blind signatures, but relied on a trusted party for credential transfer, that is, the translation from one pseudonym to another.
The blind signature scheme introduced by Chaum was based on RSA signatures. Blind signature schemes based on the discrete logarithm problem can also be used for constructing anonymous credential systems. Stefan Brands is an important researcher of this type of credential [4].
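The RSA-based blind signature described above, as an added worked example (this code is not from the article or from any of the cited papers): the user multiplies the message by a random blinding factor raised to the public exponent, the signer applies an ordinary RSA signature to the blinded value, and the user divides the blinding factor out again. The signer never sees the message or the final signature, which is exactly the property that makes the primitive useful for anonymous payments and credentials. The primes, exponent and message are constructed and far too small for real use; a real deployment would also hash and pad the message before blinding, which is omitted here to keep the arithmetic visible.

```python
import secrets
from math import gcd

def make_keypair():
    """Toy RSA key. The primes are constructed for readability, not security."""
    p, q = 1000003, 1000033          # constructed toy primes
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)              # private exponent
    return (n, e), d

def blind(msg, pub):
    """User side: hide msg behind a random factor r before handing it to the signer."""
    n, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:           # r must be invertible mod n for unblinding
            break
    blinded = (msg * pow(r, e, n)) % n
    return blinded, r

def sign(blinded, pub, d):
    """Signer side: a plain RSA signature on a value it cannot interpret."""
    n, _ = pub
    return pow(blinded, d, n)

def unblind(blinded_sig, r, pub):
    """User side: remove r to obtain an ordinary RSA signature on msg.
    (msg * r^e)^d = msg^d * r, so dividing by r leaves msg^d."""
    n, _ = pub
    return (blinded_sig * pow(r, -1, n)) % n

def verify(msg, sig, pub):
    """Anyone holding the public key can check the unblinded signature."""
    n, e = pub
    return pow(sig, e, n) == msg % n

def demo(msg=123456789):
    """Run one full blind-signing round and return whether the result verifies."""
    pub, d = make_keypair()
    blinded, r = blind(msg, pub)
    sig = unblind(sign(blinded, pub, d), r, pub)
    return verify(msg, sig, pub)

if __name__ == "__main__":
    print("blind signature verifies:", demo())
```

The design point worth noticing is that the signer's step is unchanged from textbook RSA; all the privacy comes from the user's blinding and unblinding. This is also why the signer must treat every signing request as a commitment of value (in digital cash, a coin): it cannot inspect what it signs, so a bank would sign only under a key dedicated to one denomination.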
While blind signatures are highly relevant for electronic cash and one-show credentials, a new cryptographic primitive, called group signature, opened new possibilities for the construction of privacy enhancing protocols. Group signatures were introduced by David Chaum and Eugène van Heyst in [5]. As is observed in their article, group signatures bear a resemblance to Chaum's concept of credential systems [1].
Using a group signature scheme, the members of a group can sign a message with their respective secret keys. The resulting signature can be verified by everyone who knows the common public key, but the signature does not reveal any information about the signer except that she is a member of the group. Usually there exists another entity called the group manager, who can reveal the exact identity of the signer and handles the adding of users to and the removal of users from the group, usually by issuing or revoking group membership certificates.
The anonymity, unlinkability, and anonymity revocation provided by group signatures lend themselves to a variety of privacy-sensitive applications like voting, bidding, anonymous payment, and anonymous credentials.
In fact, the most efficient constructions known for group signatures [6] and anonymous credential systems [7] (the latter is essentially a low-profile version of idemix) are based on similar ideas [8]. This is particularly true for credential systems that provide efficient means for implementing anonymous multi-show credentials with credential revocation [9].
Both schemes are based on new techniques for doing proofs of knowledge [10] [11]. Proofs of knowledge relying on the discrete logarithm problem in groups of known order and on the strong RSA problem in groups of hidden order form the basis for most of today's group signature and anonymous credential systems [4] [12] [6] [7]. Moreover, direct anonymous attestation, a protocol for authenticating trusted platform modules, is based on the same techniques. Direct anonymous attestation can be seen as the first commercial application of anonymous digital credentials, even though in this case credentials are not attached to persons but to chips and consequently to computer platforms.
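The discrete-logarithm proof of knowledge that the preceding paragraph refers to is Schnorr's protocol [11]. The following is an added worked example (not code from the article or the cited papers) in a constructed toy group of prime order: the prover shows that she knows x with y = g^x without revealing x, and the knowledge extractor at the end shows why this is a proof of knowledge in the sense of [10] rather than merely a proof that y lies in the group: two accepting transcripts that share a commitment but differ in the challenge let anyone compute x. The group parameters P, Q and G are constructed and far too small for real use.

```python
import secrets

P = 2039   # constructed safe prime, P = 2*Q + 1 (toy-sized)
Q = 1019   # prime order of the subgroup we work in
G = 4      # generator of the order-Q subgroup (a quadratic residue mod P)

def keygen():
    """Prover's secret x and the public value y = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def prover_commit():
    """Round 1: prover picks a fresh random k and sends t = G^k."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)

def verifier_challenge():
    """Round 2: verifier sends a random challenge c in Z_Q."""
    return secrets.randbelow(Q)

def prover_respond(x, k, c):
    """Round 3: prover answers s = k + c*x mod Q; k masks x as a one-time pad."""
    return (k + c * x) % Q

def verify(y, t, c, s):
    """Verifier accepts iff G^s == t * y^c, which holds exactly when s = k + c*x."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_protocol(x, y):
    """One honest interactive run; returns the verifier's decision."""
    k, t = prover_commit()
    c = verifier_challenge()
    return verify(y, t, c, prover_respond(x, k, c))

def extract(c1, s1, c2, s2):
    """Knowledge extractor: from two accepting transcripts with the same
    commitment t and challenges c1 != c2, recover x = (s1 - s2)/(c1 - c2) mod Q.
    A prover who can answer two different challenges on one commitment must
    therefore 'know' x, which is what makes this a proof of knowledge."""
    if c1 == c2:
        raise ValueError("extraction needs two different challenges")
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q

if __name__ == "__main__":
    x, y = keygen()
    print("honest run accepted:", run_protocol(x, y))
```

The same reason the extractor works is the reason a real prover must never reuse k: reusing the commitment across two challenges leaks the secret, which is the failure mode the extractor deliberately exploits. Making the challenge a hash of t and the statement (the Fiat-Shamir transformation) turns this interactive protocol into the non-interactive proofs and signatures that the credential systems cited above are built from.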
References
- [1] David Chaum, Security without identification: transaction systems to make big brother obsolete, Communications of the ACM 28 (1985), no. 10
- [2] Anna Lysyanskaya, Ronald L. Rivest, Amit Sahai, and Stefan Wolf, Pseudonym systems, Selected Areas in Cryptography (Howard M. Heys and Carlisle M. Adams, eds.), Lecture Notes in Computer Science, vol. 1758, Springer, 2000
- [3] David Chaum, Blind signatures for untraceable payments, Advances in Cryptology, Proceedings of CRYPTO '82 (David Chaum, Ronald L. Rivest, and Alan T. Sherman, eds.), Plenum Press, 1983
- [4] Stefan A. Brands, Rethinking public key infrastructures and digital certificates, MIT Press, 2000
- [5] David Chaum and Eugène van Heyst, Group signatures, EUROCRYPT (Donald W. Davies, ed.), Lecture Notes in Computer Science, vol. 547, Springer, 1991
- [6] Giuseppe Ateniese, Jan Camenisch, Marc Joye, and Gene Tsudik, A practical and provably secure coalition-resistant group signature scheme, Advances in Cryptology, CRYPTO 2000 (Mihir Bellare, ed.), Lecture Notes in Computer Science, vol. 1880, Springer, 2000
- [7] Jan Camenisch and Anna Lysyanskaya, An efficient system for non-transferable anonymous credentials with optional anonymity revocation, EUROCRYPT (Birgit Pfitzmann, ed.), Lecture Notes in Computer Science, vol. 2045, Springer, 2001
- [8] Jan Camenisch and Anna Lysyanskaya, A signature scheme with efficient protocols, SCN (Stelvio Cimato, Clemente Galdi, and Giuseppe Persiano, eds.), Lecture Notes in Computer Science, vol. 2576, Springer, 2003
- [9] Jan Camenisch and Anna Lysyanskaya, Dynamic accumulators and application to efficient revocation of anonymous credentials, CRYPTO (Moti Yung, ed.), Lecture Notes in Computer Science, vol. 2442, Springer, 2002
- [10] Mihir Bellare and Oded Goldreich, On defining proofs of knowledge, CRYPTO (Ernest F. Brickell, ed.), Lecture Notes in Computer Science, vol. 740, Springer, 1993
- [11] C.-P. Schnorr, Efficient signature generation by smart cards, Journal of Cryptology 4 (1991), no. 3
- [12] Jan Camenisch and Markus Michels, A group signature scheme with improved efficiency, ASIACRYPT (Kazuo Ohta and Dingyi Pei, eds.), Lecture Notes in Computer Science, vol. 1514, Springer, 1998