Efficient Selective Disclosure on Smart Cards using Idemix*

Pim Vullers1**, and Gergely Alpár1,2***
1 Institute for Computing and Information Sciences,
Digital Security group, Radboud University Nijmegen, The Netherlands.
2 TNO Information and Communication Technology, The Netherlands.
Abstract. In this paper we discuss an efficient implementation for selective disclosure of attribute-based credentials on smart cards. In this context we concentrate on the implementation of this core feature of IBM's Identity Mixer (Idemix) technology. Using the MULTOS platform we are the first to provide this feature on a smart card. We compare Idemix with Microsoft's U-Prove technology, as the latter also offers selective disclosure of attributes and has been implemented on a smart card [10].

Keywords: selective disclosure, attribute-based credentials, smart card, attributes, Idemix, U-Prove, MULTOS
* The work described in this paper has been supported in part by the European Commission through the ICT programme under contract ICT-2007-216676 ECRYPT II.
** Sponsored by Trans Link Systems/Open Ticketing.
*** Partly supported by the research program Sentinels as project `Mobile IDM' (10522). Sentinels is being financed by Technology Foundation STW, the Netherlands Organisation for Scientific Research (NWO), and the Dutch Ministry of Economic Affairs.

1   Introduction

The world is moving into a digital era. Many people spend time on the internet, not just for fun or gathering information, but also for shopping and banking. Not only do our activities happen in the digital world, existing systems are also moving to digital alternatives. Train tickets are being replaced by electronic public transport cards, and identity documents, such as passports, are equipped with chips to hold digital copies of the identity data printed on the document, and sometimes even additional information such as fingerprints or other biometric data.

Unfortunately, most such systems use a simple approach to identify entities; they just attach a unique number to them. While this is convenient for bookkeeping, it also has a big drawback with respect to privacy. Using these unique identifiers, it is easy to trace the user. For example, not only might it be possible to track user activities on the world wide web, but real world actions could be traced through the use of public transport cards or digital identity documents.

These unique identifiers are used to identify entities, but actually in most use cases only authentication and/or authorisation is required. For instance, when you want to buy liquor, a merchant only needs to verify that you are of a certain age. The same holds when boarding a train; the system only needs to know whether or not you are allowed to do so, and there is no direct need for the system to know exactly who you are.

A more privacy-friendly approach is possible by using attribute-based credentials. Instead of providing lots of identity information to the service provider, the user can now just provide the required attributes, such that the service can be accessed without the user revealing his identity.

In this paper we use the Identity Mixer (Idemix) technology [7,8,9] developed by IBM Research to implement attribute-based credentials. This system allows the user to receive a signed list of attributes from a trusted party which can then be used to convince a service provider. A core feature of this technology, selective disclosure, enables a user to control which attributes from this list get revealed to the service provider.

Having public transport cards and identity documents in mind, we focus on smart card implementations. We use cards running the MULTOS platform that offers an API suitable for implementing cryptographic protocols. Our prototype achieves the best performance for Idemix on a smart card thus far, with running times which are acceptable for on-line, and certain off-line, use scenarios.

While others have implemented Idemix on a smart card [5,12], we are the first to provide the selective disclosure functionality. We compare our implementation against an implementation [10] of Microsoft's U-Prove system [6,11] which offers similar functionality, and currently provides the best smart card performance. The benefit of using Idemix is its multi-show unlinkability property, which allows a single credential to be used multiple times, whereas U-Prove only provides single-show unlinkability and hence requires multiple credentials to provide anonymity instead of just pseudonymity.
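
As an added illustration (not code from the paper or from the Idemix library), the sketch below carries the selective disclosure and multi-show unlinkability described above through a toy Camenisch-Lysyanskaya signature [8]: the issuer signs a list of attributes, and at each show the card randomises the signature, reveals only the chosen attributes and proves knowledge of the rest. The function names, the tiny modulus, the truncated SHA-256 challenge and the attribute layout are assumptions made for the example, and the length checks a real verifier applies to the responses are omitted.

```python
# Added illustration: toy Camenisch-Lysyanskaya credential with selective disclosure.
# Names and sizes are assumptions; the modulus is tiny and insecure on purpose.
import hashlib, secrets
from math import prod

P1, Q1 = 509, 593                      # p', q' with p = 2p'+1, q = 2q'+1 (safe primes)
N, ORDER = (2*P1 + 1) * (2*Q1 + 1), P1 * Q1
E = 65537                              # prime signature exponent, coprime to ORDER

def keygen(n_attrs):
    S = 4                              # 2^2 generates the quadratic residues mod N
    Z = pow(S, 1 + secrets.randbelow(ORDER - 1), N)
    R = [pow(S, 1 + secrets.randbelow(ORDER - 1), N) for _ in range(n_attrs)]
    return S, Z, R

def issue(pk, attrs):
    """Issuer: find (A, e, v) with Z = A^e * S^v * prod(R_i^m_i) mod N."""
    S, Z, R = pk
    v = secrets.randbits(64)
    Q = Z * pow(pow(S, v, N) * prod(pow(r, m, N) for r, m in zip(R, attrs)), -1, N) % N
    return pow(Q, pow(E, -1, ORDER), N), E, v   # e-th root needs the secret group order

def challenge(A_, T, nonce):
    return int.from_bytes(hashlib.sha256(repr((A_, T, nonce)).encode()).digest()[:8], "big")

def show(pk, sig, attrs, disclose, nonce):
    """Card: randomise the signature, reveal attrs[i] for i in disclose, prove the rest."""
    S, Z, R = pk
    A, e, v = sig
    r = secrets.randbits(64)
    A_ = A * pow(S, -r, N) % N         # fresh A' on every show, so shows do not link
    v_ = v + e * r                     # keeps A'^e * S^v' equal to A^e * S^v
    hidden = [i for i in range(len(attrs)) if i not in disclose]
    te, tv = secrets.randbits(256), secrets.randbits(256)
    tm = {i: secrets.randbits(256) for i in hidden}
    T = pow(A_, te, N) * pow(S, tv, N) * prod(pow(R[i], tm[i], N) for i in hidden) % N
    c = challenge(A_, T, nonce)
    return {"A": A_, "c": c, "e": te + c*e, "v": tv + c*v_,
            "m": {i: tm[i] + c*attrs[i] for i in hidden},
            "disclosed": {i: attrs[i] for i in disclose}}

def verify(pk, proof, nonce):
    """Verifier: recompute the commitment from the responses and disclosed values only."""
    S, Z, R = pk
    known = prod(pow(R[i], m, N) for i, m in proof["disclosed"].items())
    lhs = Z * pow(known, -1, N) % N
    T = (pow(lhs, -proof["c"], N) * pow(proof["A"], proof["e"], N) * pow(S, proof["v"], N)
         * prod(pow(R[i], s, N) for i, s in proof["m"].items())) % N
    return proof["c"] == challenge(proof["A"], T, nonce)
```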

6   Final Remarks

In this paper we demonstrated that Idemix's selective disclosure can be efficiently implemented on a smart card. Although the running time of the issuing and verification protocols restricts the range of use cases, these results already give reason for optimism.

Our implementation only offers a 1024-bit security level. We have chosen this modulus size since it is the lowest acceptable level security-wise, whereas it is the highest acceptable level performance-wise. Mostowski and Vullers [10] already showed that using a 2048-bit modulus more than doubles the computation time for the primitive operations. This does not even take into account the shortage of RAM caused by the larger values.

To the best of our knowledge the only other smart card implementation of attribute-based credentials besides what was already mentioned is by Batina et al. [4] who implement Verheul's self-blindable credentials [15]. Their implementation is faster than our Idemix implementation and also offers multi-show unlinkability. However, their credentials only contain a single binary attribute as explained in Section 2.2, and hence do not provide selective disclosure similar to Idemix or U-Prove.

Due to the multi-show unlinkability feature of the Idemix protocol, this implementation has been selected for use in a pilot project. The goal of this project is to gain more experience in actually using these kinds of privacy-preserving technologies and in their usability on a smart card.

Acknowledgements

We are grateful to Patrik Bichsel, for making the necessary modifications to the Idemix library, to Wouter Lueks, for his help with the performance tests, and to Bart Jacobs, Jaap-Henk Hoepman and the anonymous reviewers for their valuable comments which helped to improve this work.

References

  1. ISO 7816-4 Identification cards -- Integrated circuit cards -- Part 4: Organization, security and commands for interchange. ISO, Geneva, Switzerland (2005)
  2. MULTOS implementation report. Tech. Rep. MAO-DOC-TEC-010 v2.4, MAOSCO Limited (2012)
  3. Baldimtsi, F., Lysyanskaya, A.: Anonymous credentials light. IACR Cryptology ePrint Archive 2012, 298 (2012)
  4. Batina, L., Hoepman, J.H., Jacobs, B., Mostowski, W., Vullers, P.: Developing efficient blinded attribute certificates on smart cards via pairings. In: Gollmann, D., Lanet, J.L. (eds.) CARDIS 2010. LNCS, vol. 6035, pp. 209-222. Springer-Verlag (April 2010)
  5. Bichsel, P., Camenisch, J., Groß, T., Shoup, V.: Anonymous credentials on a standard Java Card. In: CCS 2009. pp. 600-610. ACM (November 2009)
  6. Brands, S.A.: Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy. MIT Press, Cambridge, MA, USA (2000)
  7. Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93-118. Springer Berlin / Heidelberg (2001)
  8. Camenisch, J., Lysyanskaya, A.: A signature scheme with efficient protocols. In: Cimato, S., Persiano, G., Galdi, C. (eds.) Security in Communication Networks. LNCS, vol. 2576, pp. 268-289. Springer Berlin / Heidelberg (2003)
  9. IBM Research Zürich Security Team: Specification of the Identity Mixer cryptographic library, version 2.3.4. Tech. rep., IBM Research, Zürich (Feb 2012)
  10. Mostowski, W., Vullers, P.: Efficient U-Prove implementation for anonymous credentials on smart cards. In: Kesidis, G., Wang, H. (eds.) SecureComm 2011. LNICST, vol. 96, pp. 243-260. Springer-Verlag (2012)
  11. Paquin, C.: U-Prove cryptographic specification v1.1. Tech. rep., Microsoft Corporation (February 2011)
  12. Sterckx, M., Gierlichs, B., Preneel, B., Verbauwhede, I.: Efficient implementation of anonymous credentials on Java Card smart cards. In: WIFS 2009. pp. 106-110. IEEE (September 2009)
  13. Tews, H., Jacobs, B.: Performance issues of selective disclosure and blinded issuing protocols on Java Card. In: Markowitch, O., Bilas, A., Hoepman, J.H., Mitchell, C., Quisquater, J.J. (eds.) WISTP 2009. LNCS, vol. 5746, pp. 95-111. Springer-Verlag (September 2009)
  14. Verheul, E.R.: Self-blindable credential certificates from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 533-550. Springer-Verlag (December 2001)