Crypto Corner

Editors: Peter Gutmann, pgut001@cs.auckland.ac.nz; David Naccache, david.naccache@ens.fr; Charles C. Palmer, ccpalmer@us.ibm.com

Authentication without Identification

Anna Lysyanskaya, Brown University

Published by the IEEE Computer Society ■ 1540-7993/07/$25.00 © 2007 IEEE ■ IEEE Security & Privacy, May/June 2007, pp. 69–71

Let's say our user, Alice, wants to read her favorite online magazine. The magazine only allows users who have valid subscriptions to access its Web site. One way to proceed would be for the magazine to first ask Alice who she is, have her prove it, and then check that she's an authorized user. We call this approach authentication by identification, and it solves the basic problem of guaranteeing access only to authorized users. However, as far as protecting Alice's privacy is concerned, this approach isn't very good: every transaction requires Alice to reveal her identity.

Why is it a bad idea for Alice to give away her identity during every transaction? For one thing, she has absolutely no idea what the magazine will do with this information. Will it try to prove its popularity by publishing who read what article? Will it accidentally leak the transaction log? Suddenly, every person with a Web browser can discover that Alice likes George Clooney and is a Boston Red Sox fan. This might seem harmless, but what if she's looking for a job and an avid New York Yankees fan happens to interview her? Alice would much rather read her magazine without leaving an electronic trail. Moreover, it isn't in the magazine's best interest to be liable if Alice doesn't get the job with the Yankees fan. Because the magazine can't reveal what it doesn't know, it's much better off if it isn't aware of Alice's reading habits.

What if Alice uses an anonymized username rather than her real name? In some situations, it might be good enough, but in general it isn't. Even if we don't know a person's real name, just a history of their past transactions, this information could be sufficient to identify the person. Alice might disclose her zip code to get a weather report for her region and her date of birth to read her horoscope. Her other habits could reveal her gender. If the same username links all these transactions together, they're sufficient to identify Alice.

What we need is a method for Alice to convince the magazine that she has a subscription without disclosing who she is: authentication without identification. Before we can examine it in full detail, though, we must look more closely at how to implement authentication by identification.

Authentication by identification

Recall the fundamental, and by now classical, notion of a digital signature scheme. A signature scheme consists of three algorithms: setup, sign, and verify. First, Alice runs the setup algorithm to generate a pair of keys, her public key and her secret key. She publishes the public key, and whenever she wants to sign a message, she runs the sign algorithm using her secret key. Anybody can check whether Alice (or a person who knows the secret key corresponding to Alice's public key) signed a message by running the verify algorithm. A digital signature scheme is secure if no one other than the signer herself can compute a signature on a new document that will verify under her public key.

Suppose Alice gives the magazine her public key, PK, when she starts her subscription. The magazine stores (Alice, PK) in its list of subscribers, so every time Alice attempts to access the magazine, it will check that she's on the list and then have her prove that she's the owner of the PK. Can we eliminate the need for the magazine to store a (potentially very large) list of its subscribers? Yes: if the magazine also has a signing key pair, then it doesn't have to store anything. When Alice subscribes, the magazine will sign her PK, resulting in a certificate, Cert. When Alice wants to access the magazine, she submits (PK, Cert) and then proves that she owns the PK. We thus get authentication by identification: the PK itself now serves as Alice's identity, and every visit under it is linkable to every other.

Alice has many options to prove to the magazine that she owns the PK. The magazine can challenge Alice to sign a random message, for example. (There is a subtlety: how can we ensure that Alice hasn't forwarded the challenge to Bob, asked Bob to answer it, and then claimed she knows Bob's secret key? I leave this issue for the reader to ponder.)

Zero-knowledge proofs

We can modify the approach I described earlier to help Alice convince the magazine that she is indeed a valid subscriber without giving away any information about her identity. In particular, Alice shouldn't reveal her public key, PK, or her certificate, Cert. However, she needs to prove that she knows a PK such that (1) the magazine has signed this PK, producing a Cert, and (2) she also knows the corresponding secret key. To do this, we use a powerful and beautiful cryptographic tool known as a zero-knowledge proof. It lets a prover convince a verifier that a statement is true, without revealing any information besides the fact that the statement is true.
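The setup/sign/verify interface, the magazine's certificate on Alice's PK, and the sign-a-random-challenge login described under "Authentication by identification", as an added example that is not part of the original column. The column names no particular signature scheme; this example uses Schnorr signatures over a toy-sized Schnorr group generated at import time (a deployment would use a standardized curve and a vetted library). The Magazine class, the login function, the domain-separation prefixes and the pending-challenge set are this example's own assumptions; the last of these is the practitioner's check the column leaves implicit, since a challenge that is not fresh and single-use lets a recorded answer be replayed. The example does not address the forwarding subtlety the column leaves to the reader: the protocol only shows that whoever answered holds the secret key.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases (probabilistic, adequate for a toy group)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=128):
    """Toy Schnorr group: safe prime p = 2q + 1; g = 4 is a square, so its order is q."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

P, Q, G = make_group()
PLEN = (P.bit_length() + 7) // 8

def _hash_to_q(r, msg):
    h = hashlib.sha256(r.to_bytes(PLEN, "big") + msg).digest()
    return int.from_bytes(h, "big") % Q

def setup():
    """Key generation: secret x, public y = g^x mod p."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

def sign(x, msg):
    """Schnorr signature (e, s) with e = H(g^k, msg) and s = k - x*e mod q."""
    k = 1 + secrets.randbelow(Q - 1)
    e = _hash_to_q(pow(G, k, P), msg)
    return e, (k - x * e) % Q

def verify(y, msg, sig):
    """Recompute g^s * y^e (= g^k for a valid signature) and check the hash."""
    e, s = sig
    if not (1 < y < P and pow(y, Q, P) == 1 and 0 <= e < Q and 0 <= s < Q):
        return False          # reject keys outside the group and out-of-range values
    r = pow(G, s, P) * pow(y, e, P) % P
    return _hash_to_q(r, msg) == e

def encode_pk(y):
    """Domain-separated encoding, so a Cert can never double as a challenge answer."""
    return b"subscriber-pk|" + y.to_bytes(PLEN, "big")

class Magazine:
    def __init__(self):
        self.sk, self.pk = setup()
        self.pending = set()  # challenges issued but not yet answered

    def subscribe(self, subscriber_pk):
        """Cert is the magazine's signature on the subscriber's PK; no list is kept."""
        return sign(self.sk, encode_pk(subscriber_pk))

    def challenge(self):
        c = b"login-challenge|" + secrets.token_bytes(32)
        self.pending.add(c)
        return c

    def grant_access(self, subscriber_pk, cert, chal, answer):
        """Accept iff chal is fresh, Cert is ours on PK, and answer is PK's signature on chal."""
        if chal not in self.pending:
            return False
        self.pending.discard(chal)  # single use: a recorded answer cannot be replayed
        return (verify(self.pk, encode_pk(subscriber_pk), cert)
                and verify(subscriber_pk, chal, answer))

def login(magazine, sk, pk, cert):
    """Alice submits (PK, Cert) and signs the random challenge the magazine sends."""
    chal = magazine.challenge()
    return magazine.grant_access(pk, cert, chal, sign(sk, chal))

if __name__ == "__main__":
    mag = Magazine()
    alice_sk, alice_pk = setup()
    cert = mag.subscribe(alice_pk)
    bob_sk, bob_pk = setup()
    print("Alice logs in:", login(mag, alice_sk, alice_pk, cert))                  # True
    print("Bob, never subscribed:", login(mag, bob_sk, bob_pk, cert))               # False
    print("Eve, holding Alice's PK and Cert:", login(mag, bob_sk, alice_pk, cert))  # False
```

The third run is the point of the challenge: Alice's PK and Cert are public data, and anyone who captured them still fails because the answer has to be a fresh signature under that PK.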
Background information

In a series of papers, David Chaum [1] initiated the study of anonymous credentials. Stefan Brands [2] gave a general suite of techniques for obtaining anonymous credentials with attributes and showing that attributes satisfy certain broad classes of relations. However, each credential could only be unlinkably shown once. Latanya Sweeney [3] demonstrated that 87 percent of the US population is likely to be uniquely identifiable by zip code, gender, and birth date, so being able to link transactions completely destroys anonymity. Even after the initial feasibility results were obtained by using the GMW protocol [4] along the lines described in the main text [5], efficient algorithms were still lacking. In a series of papers, Jan Camenisch and Anna Lysyanskaya [6, 7] gave an efficient solution to anonymous credentials; in particular, they exhibited a signature scheme with efficient protocols. These protocols have since been implemented by IBM Zurich; the resulting system, called Idemix [8], is slated for open source release.

References

1. D. Chaum, "Security without Identification: Transaction Systems to Make Big Brother Obsolete," Comm. ACM, vol. 28, no. 10, 1985, pp. 1030–1044.
2. S. Brands, Rethinking Public-Key Infrastructures and Digital Certificates: Building in Privacy, MIT Press, 2000.
3. L. Sweeney, "Uniqueness of Simple Demographics in the US Population," Carnegie Mellon Univ., School of Computer Science, Data Privacy Lab White Paper Series LIDAP-WP4, 2000.
4. O. Goldreich, S. Micali, and A. Wigderson, "Proofs that Yield Nothing but Their Validity and a Methodology of Cryptographic Protocol Design," Proc. IEEE Foundations of Computer Science, IEEE CS Press, 1986, pp. 174–187.
5. A. Lysyanskaya et al., "Pseudonym Systems," Proc. Selected Areas in Cryptography 1999, LNCS 1758, Springer-Verlag, 1999, pp. 184–199.
6. J. Camenisch and A. Lysyanskaya, "An Efficient System for Non-Transferable Anonymous Credentials," Proc. Eurocrypt 2001, LNCS 2045, Springer-Verlag, 2001, pp. 93–118.
7. J. Camenisch and A. Lysyanskaya, "A Signature Scheme with Efficient Protocols," Proc. Security in Comm. Networks 2002, LNCS 2576, Springer-Verlag, 2002, pp. 268–289.
8. J. Camenisch and E. van Herreweghen, "Design and Implementation of the Idemix Anonymous Credential System," Proc. ACM Conf. on Computer and Comm. Security, ACM Press, 2002, pp. 21–30.

Oded Goldreich, Silvio Micali, and Avi Wigderson proved that every NP statement can be proved in zero knowledge (see the "Background information" sidebar). If a prover knows a satisfying assignment to a Boolean formula, for example, then he or she can convince the verifier that the formula is satisfiable without revealing the input values on which it evaluates to TRUE. This is known as the GMW protocol. Applying this to our situation, Alice uses a zero-knowledge proof to convince the magazine that she knows a piece of data with certain properties (here, a PK, its corresponding secret key, and a certificate on the PK) without revealing any information about this data.

Let us go over the GMW protocol. Suppose a prover wants to convince a verifier that she knows how to three-color a particular graph; that is, that she can paint every vertex red, green, or blue so that no two adjacent vertices have the same color. In this version of the protocol, the prover uses physical materials: paper, colored pens, and paper cups. This is a simplification for the sake of exposition; the actual GMW protocol uses cryptographic commitments instead.

In private, the prover draws the graph on a piece of paper and colors all the vertices. The prover has six options for how to three-color the graph: one is the original three-coloring, and the other five are derived by permuting the colors. The prover chooses a random one of the six options, colors the graph accordingly, and then hides the vertices underneath paper cups. Now the verifier enters the room: he chooses any two adjacent vertices and removes the cups. If the vertices are the same color, then the verifier knows the prover is lying; otherwise, the verifier is satisfied.

If the prover knows a three-coloring of the graph, then the verifier will always be satisfied. But if the graph isn't three-colorable, every coloring the prover can put under the cups has at least one edge whose endpoints share a color, so a verifier who picks an edge at random catches the prover with probability at least 1/E, where E is the number of edges. The verifier and prover can repeat the protocol many times. In each repetition, the prover must first choose a random way to three-color the graph from the six known possibilities and hide it under fresh cups, so that what the verifier saw in earlier rounds tells him nothing about the current one. If the prover is lying, the verifier is extremely likely to catch her in one of the repetitions (a cheater survives k repetitions with probability at most (1 - 1/E)^k); thus this protocol is a convincing proof.

The reason why this protocol is a zero-knowledge proof is that the verifier learns no information about the graph's three-coloring. Because the prover has six permutations of colors to choose from every time, the two colors that the verifier sees are a uniformly random pair of distinct colors from {red, green, blue}. Once the verifier knows which vertices he wants to examine, he might as well have picked the colors himself.

Recall that determining whether a graph is three-colorable is an NP-complete problem, so any NP statement can be represented as an instance of graph three-colorability. Because we can prove graph three-colorability using a zero-knowledge proof, we can prove any statement in NP using a zero-knowledge proof. Specifically, we can prove statements about public keys and digital certificates.
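The cups-and-colors protocol above, as an added example that is not part of the original column, with SHA-256 commitments standing in for the paper cups. It goes a little beyond the text: besides an honest run, it shows a cheating prover on a graph that has no three-coloring being caught over repeated rounds, and a simulator that produces the verifier's view with no coloring at all, which is the precise sense in which the verifier "might as well have picked the colors himself". The two graphs are constructed for the example and every name in it is the example's own.

```python
import hashlib
import secrets

COLORS = (0, 1, 2)                                                          # red, green, blue
PERMS = [(0, 1, 2), (0, 2, 1), (1, 0, 2), (1, 2, 0), (2, 0, 1), (2, 1, 0)]  # the six options

def commit(color, nonce):
    """A paper cup: SHA-256 over a random nonce and the color is hiding (the nonce
    masks the color) and binding (opening it to another color needs a collision)."""
    return hashlib.sha256(b"3col|" + nonce + bytes([color])).digest()

class Prover:
    def __init__(self, coloring):
        self.coloring = coloring  # vertex -> color; need not be valid (a cheater)
        self.round_colors = self.nonces = None

    def commit_round(self):
        """Apply a random one of the six color permutations, then commit to every vertex."""
        perm = PERMS[secrets.randbelow(len(PERMS))]
        self.round_colors = {v: perm[c] for v, c in self.coloring.items()}
        self.nonces = {v: secrets.token_bytes(16) for v in self.coloring}
        return {v: commit(c, self.nonces[v]) for v, c in self.round_colors.items()}

    def reveal(self, u, v):
        """Lift exactly the two cups the verifier asked for."""
        return (self.round_colors[u], self.nonces[u]), (self.round_colors[v], self.nonces[v])

def verify_round(edges, prover):
    """One repetition; returns (accepted, the two colors the verifier saw)."""
    cups = prover.commit_round()
    u, v = edges[secrets.randbelow(len(edges))]
    (cu, nu), (cv, nv) = prover.reveal(u, v)
    ok = (cu in COLORS and cv in COLORS and cu != cv
          and commit(cu, nu) == cups[u] and commit(cv, nv) == cups[v])
    return ok, (cu, cv)

def run_protocol(edges, prover, rounds):
    """Repeat; a cheater survives each round with probability at most 1 - 1/len(edges)."""
    views = []
    for _ in range(rounds):
        ok, seen = verify_round(edges, prover)
        if not ok:
            return False, views
        views.append(seen)
    return True, views

def simulate_views(rounds):
    """The verifier's view produced with no prover and no coloring: an ordered pair of
    distinct colors, uniform over the six possibilities, exactly like the real view."""
    views = []
    for _ in range(rounds):
        cu = secrets.randbelow(3)
        views.append((cu, (cu + 1 + secrets.randbelow(2)) % 3))
    return views

# Constructed graphs for this example. GRAPH is a triangle 0-1-2 with vertices 3 and 4
# attached, and GRAPH_COLORING is a valid three-coloring of it. K4 (the complete graph
# on four vertices) has no three-coloring, so any assignment a cheater commits to leaves
# at least one edge monochromatic; in K4_BOGUS it is the edge (0, 3).
GRAPH = [(0, 1), (1, 2), (2, 0), (0, 3), (1, 3), (1, 4), (2, 4), (3, 4)]
GRAPH_COLORING = {0: 0, 1: 1, 2: 2, 3: 2, 4: 0}
K4 = [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3)]
K4_BOGUS = {0: 0, 1: 1, 2: 2, 3: 0}

if __name__ == "__main__":
    ok, views = run_protocol(GRAPH, Prover(GRAPH_COLORING), 60)
    print("honest prover accepted:", ok)                                         # True
    print("cheater on K4 accepted:", run_protocol(K4, Prover(K4_BOGUS), 200)[0])  # False
    print("real views:", sorted(set(views)), "simulated:", sorted(set(simulate_views(60))))
```

The cheater on K4 is caught in a given round only when the verifier happens to pick the one bad edge out of six, so a single round proves little; after 200 rounds the chance of slipping through is (5/6)^200, below 10^-15. The honest and simulated view sets coincide, which is what "zero knowledge" means operationally: nothing in the transcript depends on the coloring.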


From theory to practice

If we just plug the GMW result into our application, it would take Alice a very long time to convince the magazine that she's a subscriber. Reducing the instance at hand to an instance of three-colorability isn't recommended in practice. Instead, we need a digital signature scheme designed with our specific application in mind. It must support efficient zero-knowledge proofs of knowledge of a secret key, a public key, and a certificate such that (1) the secret key corresponds to the public key, and (2) the certificate is the magazine's signature on the public key.

Fortunately, the cryptographic research community has solved this problem and more. Not only can Alice gain access to the magazine without revealing her public key, she can even obtain a certificate on her public key without revealing that key, or indeed anything about her identity! Alice can present the magazine with a blinded version of her public key and use a zero-knowledge proof to convince the magazine that she knows the corresponding secret key. Satisfied, the magazine gives Alice a Cert for her PK. During this process, the magazine learns neither the PK nor the Cert it made for Alice. She can anonymously obtain credentials from various organizations and, when needed, prove that she possesses them without revealing any other information. Using state-of-the-art techniques, the running time for these protocols is comparable to performing 10 to 20 RSA decryptions.

Additionally, anonymous credentials can contain attributes (such as expiration dates), similar to standard certificates. Alice can thus efficiently demonstrate possession of a set of credentials whose attributes satisfy broad classes of relations; for example, she can prove that her credentials haven't expired yet. Efficient techniques can also limit the number of times Alice can show her credential, or how often she can show it within a certain time period: should she exceed the allotted limit, she gets "caught." This strikes a balance between privacy and accountability: once a user breaks the rules, she can be identified, but if she behaves properly, her privacy is protected.

Many authentication transactions performed today require us to disclose more information than is strictly needed, just for verification purposes. Fortunately, modern cryptography provides us with a way to solve the verification problem without leaking unnecessary personal information. These techniques are fast, secure, and preserve privacy, so let's use them!

Anna Lysyanskaya is an assistant professor of computer science at Brown University. Her research interests include cryptography, theoretical computer science, and computer security. Lysyanskaya has a PhD in computer science and electrical engineering from MIT. Contact her at anna@cs.brown.edu.