Title: SYSTEM

Based of the presented basis system, IBM idemix supports a disclosure of selected personal data or their attributes, anonymous one-show credentials that are precisely valid for a one-show verification, the revocation of the pseudonymity or anonymity of the customer under certain conditions and the revocation of anonymous credentials.

Verification of Selected Personal Data 

A customer can determine himself which data of a credential is disclosed for the authentication with a credential towards a service provider. The disclosure of a certain assertion is also possible for him depending on the attested date. If a credential is, for example, a confirmation of the date of birth and the current age of the customer, e.g. date of birth = 19.02.1973 and age = 33, then the customer can decide whether he wishes to prove the assertion of age > 21. 

Anonymous One-Show Credentials 

IBM idemix supports the use of anonymous one-show credentials. An anonymous one-show credential is only valid for precisely one verification. If a anonymous one-show credential is used for the second time, this multiple use can be detected. For the detection of a multiple usage, IBM idemix uses an off-line test analogous to the tests for electronic coins (Chaum, Fiat and Naor, 1990), i.e. there is no communication between the service provider and the issuing certification authority on the verification of a multiple issuance. If a one-show credential is used for the second time, this results implicitly in a protocol note with which a de-anonymisation provider can disclose the pseudonym of the customer or the issue of this credential or his identity. A multiple usage is thus not prevented but subsequently detected and the customer concerned can be identified.

Revoking Anonymity of a Customer in Case of Fraud 

IBM idemix supports two mechanisms for revoking anonymity. Either the identity of a customer or his pseudonym he used for the issue of a credential can therefore be disclosed. The first case concerns all the customer’s transactions and reaches their accountability to the identity of the customer. It involves a global de-anonymisation. The second case refers to the use of a certain credential and the related transactions where this credential was used. Revoking the anonymity is locally related to these transactions.

Revoking a customer’s anonymity requires a further service provider, namely a de-anonymisation service provider DA. In order that the anonymity of customer U can be locally detected, the protocol on the verification of a credential credential(attributes, pseudonym(U,CA),CA) is changed as follows (see Figure 5.18): Customer U encrypts his pseudonym pseudonym(U,CA), which he has used for the issue of the credential, with the public key pkDA of the de-anonymisation service provider DA. This encryption is verifiable, i.e. the service provider SP receives proof through the encryption that the de-anonymisation service provider can decrypt and disclose encrypted pseudonym pseudonym(U,CA) with the notes of the protocol sequence between the customer U and the service provider SP.

Figure 5.18 Basic sequence of revoking customer’s anonymity.

Before the verification of an anonymous credential, customer U and the respective service provider agree on the conditions under which his anonymity is going to be disclosed. Should the anonymity be revoked, the respective service provider sends this agreement together with his notes of the protocol sequence to the de-anonymisation provider. The latter can decide on the basis of the protocol notes whether the conditions agreed between the customer and the service provider have been observed. If this is not the case, then the de-anonymisation provider reveals the pseudonym pseudonym(U,CA) of the customer and sends it to the service provider.

The global revocation of anonymity uses the same protocol variants. The idemix-PKI is extended by a certification authority that only issues credentials for a pseudonym for a person if it knows his identity. This certification authority for identities thus issues a type of digital personal identity card with an anonymous credential. The customer can also use this anonymous credential under various pseudonyms in order to receive further anonymous credentials.

Revoking an Anonymous Credential 

The revocation of an anonymous credential takes place in the idemix-PKI through the certification authority that issued this credential (Kohlweiss, 2003). Dynamic accumulators are used for the revocation of anonymous credentials (Camenisch and Lysyanskaya, 2002). A dynamic accumulator is a value that is sequentially calculated by all non-revoked anonymous credentials. The respective prime number e(U,CA) (Camenisch and Lysyanskaya, 2001) is used representative of the anonymous credential as exponent for the calculation of the accumulator according to the RSA procedure [Riv1978]. For the verification that an anonymous credential was not revoked and therefore entered into the calculation of the related accumulator, a witness value (witness) is used. A dynamic accumulator and the operations of add and delete are specified in (Camenisch and Lysyanskaya, 2002).

Applying