ABSTRACT
Secure identity tokens such as Electronic Identity (eID) cards are emerging everywhere. At the same time, user-centric identity management is gaining acceptance. Anonymous credential schemes are the optimal realization of user-centricity. However, on inexpensive hardware platforms, typically used for eID cards, these schemes could not be made to meet the necessary requirements such as future-proof key lengths and transaction times on the order of 10 seconds. The reason for this is the need for the hardware platform to be standardized and certified. Therefore, an implementation is only possible as a Java Card applet. This results in severe restrictions: little memory (transient and persistent), an 8-bit CPU, and access to hardware acceleration for cryptographic operations only through defined interfaces such as RSA encryption operations.
Still, we present the first practical implementation of an anonymous credential system on a Java Card 2.2.1. We achieve transaction times that are orders of magnitude faster than those of any prior attempt, while raising the bar in terms of key length and trust model. Our system is the first one to act completely autonomously on card and to maintain its properties in the face of an untrusted terminal. In addition, we provide a formal system specification and share our solution strategies and the experiences gained with the Java Card.