Authentication without Identification

ANNA LYSYANSKAYA
Brown University

Let’s say our user, Alice, wants to read her favorite online magazine. The magazine only allows users who have valid subscriptions to access its Web site. One way to proceed would be for the magazine to first ask Alice who she is, have her prove it, and then check that she’s an authorized user. We call this approach authentication by identification, and it solves the basic problem of guaranteeing access only to authorized users. However, as far as protecting Alice’s privacy is concerned, this approach isn’t very good: every transaction requires Alice to reveal her identity.

Why is it a bad idea for Alice to give away her identity during every transaction? For one thing, she has absolutely no idea what the magazine will do with this information. Will it try to prove its popularity by publishing who read what article? Will it accidentally leak the transaction log? Suddenly, every person with a Web browser can discover that Alice likes George Clooney and is a Boston Red Sox fan. This might seem harmless, but what if she’s looking for a job and an avid New York Yankees fan happens to interview her? Alice would much rather read her magazine without leaving an electronic trail. Moreover, it isn’t in the magazine’s best interest to be liable if Alice doesn’t get the job with the Yankees fan. Because the magazine can’t reveal what it doesn’t know, it’s much better off if it isn’t aware of Alice’s reading habits.

What if Alice uses an anonymized username rather than her real name? In some situations, it might be good enough, but in general it isn’t. Even if we don’t know a person’s real name—just a history of their past transactions—this information could be sufficient to identify the person. Alice might disclose her zip code to get a weather report for her region and her date of birth to read her horoscope. Her other habits could reveal her gender. If the same username links all these transactions together, they’re sufficient to identify Alice.

What we need is a method for Alice to convince the magazine that she has a subscription without disclosing who she is: authentication without identification. Before we can examine it in full detail, though, we must look more closely at how to implement authentication by identification.

Authentication by identification

Recall the fundamental, and by now classical, notion of a digital signature scheme. A signature scheme consists of three algorithms: setup, sign, and verify. First, Alice runs the setup algorithm to generate a pair of keys, her public key and her secret key. She publishes the public key, and whenever she wants to sign a message, she runs the sign algorithm using her secret key. Anybody can check whether Alice signed a message (or a person who knows the secret key corresponding to Alice’s public key) by running the verify algorithm. A digital signature scheme is secure if no one other than the signer herself can compute a signature on a new document that will verify under her public key.

Suppose Alice gives the magazine her public key, PK, when she starts her subscription. The magazine stores (Alice, PK) in its list of subscribers, so every time Alice attempts to access the magazine, it will check that she’s on the list and then have her prove that she’s the owner of the PK. Can we eliminate the need for the magazine to store a (potentially very large) list of its subscribers? Yes—if the magazine also has a signing key pair, then it doesn’t have to store anything. When Alice subscribes, the magazine will sign her PK, resulting in a certificate, Cert. When Alice wants to access the magazine, she submits (PK, Cert) and then proves that she owns the PK. We thus get authentication by identification.

Alice has many options to prove to the magazine that she owns the PK. The magazine can challenge Alice to sign a random message, for example. (There is a subtlety: how can we ensure that Alice hasn’t forwarded the challenge to Bob, asked Bob to answer it, and then claim she knows Bob’s secret key? I leave this issue for the reader to ponder.)

Zero-knowledge proofs

We can modify the approach I described earlier to help Alice convince the magazine that she is indeed a valid subscriber without giving away any information about her identity. In particular, Alice shouldn’t reveal her public key, PK, or her certificate, Cert. However, she needs to prove that she
PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/07/$25.00 © 2007 IEEE ■ IEEE SECURITY & PRIVACY 69
Crypto Corner
our application, it would take Alice a very long time to convince the magazine that she’s a subscriber. Reducing the instance at hand to an instance of three-colorability isn’t recommended in practice. Instead, we need a digital signature scheme designed with our specific application in mind. It must support efficient zero-knowledge proofs of knowledge of a secret key, a public key, and a certificate such that, one, the secret key corresponds to the public key, and two, the certificate is the magazine’s signature on the public key.

Fortunately, the cryptographic research community has solved this problem and more. Not only can Alice gain access to the magazine without revealing her public key, she can even obtain a certificate on her public key without revealing that key, or indeed anything about her identity! Alice can present the magazine with a blinded version of her public key by using a zero-knowledge proof to convince the magazine that she knows the corresponding secret key. Satisfied, the magazine gives Alice a Cert for her PK. During this process, the magazine learns neither the PK nor the Cert it made for Alice. She can anonymously obtain credentials from various organizations, and, when needed, prove that she possesses them, without revealing any other information. Using state-of-the-art techniques, the running time for these protocols is comparable to performing 10 to 20 RSA decryptions.

Additionally, anonymous credentials can contain attributes (such as expiration dates), similar to standard certificates. Alice can thus efficiently demonstrate possession of a set of credentials whose attributes satisfy broad classes of relations—for example, she can prove that her credentials haven’t expired yet. Efficient techniques limit the number of times Alice can show her credential or how often she can show it within a certain time period—should she exceed the allotted limit, she gets “caught.” This strikes a balance between privacy and accountability: once a user breaks the rules, she can be identified, but if she behaves properly, her privacy is protected.

Many authentication transactions performed today require us to disclose more information than is strictly needed, just for verification purposes. Fortunately, modern cryptography provides us with a way to solve the verification problem without leaking unnecessary personal information. These techniques are fast, secure, and preserve privacy, so let’s use them!

Anna Lysyanskaya is an assistant professor of computer science at Brown University. Her research interests include cryptography, theoretical computer science, and computer security. Lysyanskaya has a PhD in computer science and electrical engineering from MIT. Contact her at [email protected].
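
The certificate-based authentication by identification described in the article, as an added sketch that is not from the article: the magazine signs Alice's PK to form Cert, keeps no subscriber list, and admits whoever presents (PK, Cert) and signs a fresh random challenge. The Schnorr signature scheme, the toy group parameters and all names (Magazine, admit, CERT_TAG, LOGIN_TAG, demo) are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy Schnorr signatures in Z_p* (assumed illustrative parameters, not for production).
P = 2**255 - 19            # prime modulus
N = P - 1                  # exponents are reduced mod P - 1
G = 2
CERT_TAG, LOGIN_TAG = b"subscriber:", b"login:"   # domain separation

def _h(r, msg):
    digest = hashlib.sha256(r.to_bytes(32, "big") + msg).digest()
    return int.from_bytes(digest, "big") % N

def setup():
    sk = secrets.randbelow(N - 1) + 1
    return sk, pow(G, sk, P)

def sign(sk, msg):
    k = secrets.randbelow(N - 1) + 1          # fresh nonce per signature
    e = _h(pow(G, k, P), msg)
    return e, (k + e * sk) % N

def verify(pk, msg, sig):
    e, s = sig
    if not 0 < pk < P:                        # reject degenerate keys such as 0
        return False
    r = pow(G, s, P) * pow(pk, -e, P) % P     # g^s * pk^-e equals g^k if valid
    return e == _h(r, msg)

class Magazine:
    def __init__(self):
        self.sk, self.pk = setup()            # its key pair; no subscriber list
    def subscribe(self, user_pk):             # Cert = magazine's signature on PK
        return sign(self.sk, CERT_TAG + user_pk.to_bytes(32, "big"))
    def admit(self, pk, cert, nonce, response):
        # Possession of sk is checked first; that call also range-checks pk.
        return (verify(pk, LOGIN_TAG + nonce, response)
                and verify(self.pk, CERT_TAG + pk.to_bytes(32, "big"), cert))

def demo():
    mag = Magazine()
    a_sk, a_pk = setup()                      # Alice
    cert = mag.subscribe(a_pk)
    m_sk, m_pk = setup()                      # Mallory, who copied (PK, Cert)
    n1, n2 = secrets.token_bytes(32), secrets.token_bytes(32)  # fresh challenges
    ok = mag.admit(a_pk, cert, n1, sign(a_sk, LOGIN_TAG + n1))
    stolen = mag.admit(a_pk, cert, n2, sign(m_sk, LOGIN_TAG + n2))
    uncertified = mag.admit(m_pk, cert, n2, sign(m_sk, LOGIN_TAG + n2))
    return ok, stolen, uncertified
```

Because Alice presents the same PK on every visit, the magazine can link all of her sessions, which is the privacy cost that the article's zero-knowledge approach removes.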