D. Chaum and J.-H. Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In CRYPTO '88, volume 263 of LNCS, pages 118--167. Springer-Verlag, 1988.
....this paper, we propose a new efficient anonymous credential system, considerably superior to previously proposed ones. The communication and computation costs of our solution are small, thus introducing almost no overhead to realizing privacy in a credential system. An anonymous credential system [Cha85, CE87, Che95, Dam90, LRSW99] consists of users and organizations. Organizations know the users only by pseudonyms. Different pseudonyms of the same user cannot be linked. [Footnote: Extended version of what is to appear in: Advances in Cryptology EUROCRYPT 2001.] Yet, an organization can issue a credential to a pseudonym, and the ....
....The scheme should also provide user privacy. An organization cannot find out anything about a user, apart from the fact of the user's ownership of some set of credentials, even if it cooperates with other organizations. In particular, two pseudonyms belonging to the same user cannot be linked [Bra99, Cha85, CE87, Che95, Dam90, LRSW99]. Finally, it is desirable that the system be efficient. Besides requiring that it be based on efficient protocols, we also require that each interaction involve as few entities as possible, and the rounds and amount of communication be minimal. In particular, if a user has a multiple show credential ....
[Article contains additional citation context not shown here]
David Chaum and Jan-Hendrik Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In M. Odlyzko, editor, Advances in Cryptology --- CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 118--167. Springer-Verlag, 1987. 22
.... and Implementation of the idemix Anonymous Credential System Jan Camenisch and Els Van Herreweghen IBM Research, Zurich Research Laboratory 8803 Rüschlikon Switzerland jca,evh zurich.ibm.com ABSTRACT Anonymous credential systems [8, 9, 12, 24] allow anonymous yet authenticated and accountable transactions between users and service providers. As such, they represent a powerful technique for protecting users' privacy when conducting Internet transactions. In this paper, we describe the design and implementation of an anonymous credential ....
....the transaction in which the certificate was issued can be linked to the transaction where it is used and thus, if the issuer and the verifier collude, the user can be identified directly. These linkabilities can be avoided by using an anonymous credential system (also called pseudonym system) [8, 9, 12, 24]. In such a system, the organizations (service providers and credential issuers) know the users only by pseudonyms. Different pseudonyms of the same user cannot be linked. Yet, an organization can issue a credential to a pseudonym, and the corresponding user can prove possession of this credential ....
D. Chaum and J.-H. Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In CRYPTO '86, vol. 263 of LNCS, pp. 118--167. Springer-Verlag, 1987.
....published by the Scientific American [53] the impact of his cryptographic inventions, blind signatures especially, on the pursuit of achieving electronic privacy. We present here the fundamental properties of the new notion of credential system, for which David Chaum and Jan Hendrik Evertse [54] proposed the first practical solution in 1987. Credential systems Chaum introduced the matter of credential systems as follows [52] There are legitimate needs for individuals to show credentials in relationships with many organizations. Problems arise when unnecessary data are revealed in ....
....proposed in 1994 an efficient solution to the revocation of anonymity in the case of double spending, which allows in addition the prevention of double spending if the spender uses a tamper resistant device from the bank. 6.3.4 Pseudonym systems The practical solution proposed by Chaum and Evertse [54] to Chaum's credential system [52] as well as some later schemes [73, 57] effectively preserves the individual's privacy against colluding organizations, but does not protect the organizations against colluding individuals to share their credentials. The pseudonym system introduced by Anna ....
David Chaum and Jan-Hendrik Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In A. M. Odlyzko, editor, Science No. 263. 146
....n is orders of magnitude smaller than the bit length of keys used in public key cryptography. Our scheme is useful when several distinct groups or organizations must interact and exchange information about individuals while protecting the individuals' privacy. Credential transfer systems (CTS) [14, 15, 19, 17, 23, 9] are examples of such environments that can be built via group signature schemes [9, 3]. Real world scenarios for the use of CTS include the health care industry, electronic voting, and transportation systems. In such cases, the added manageability and improved optimization opportunities permitted ....
D. Chaum and J. Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In Advances in Cryptology--CRYPTO'86, pp. 118-167. Springer-Verlag, 1986.
....can infer nothing about who the user is other than that the user has the right credential. Additionally, an anonymous credential system allows the user to obtain a credential anonymously. Such systems were first envisioned by David Chaum [Cha85] and have been further studied by Chaum and Evertse [CE87] Brands [Bra99] and Lysyanskaya, Rivest, Sahai, and Wolf [LRSW99] 14 Using general techniques of zero knowledge proofs and zero knowledge proofs of knowledge [GMR85, GMR89, GMW86, GMW87b, BG92] it is possible to prove statements such as I have a signature, without saying anything more than ....
....organizations that require that their customers have some credentials. An anonymous credential system is also necessary in such a case. Anonymous credential systems were suggested by David Chaum [Cha85] The first proposed solution was a proof of concept and involved a semi trusted third party [CE87] Later, Damgård [Dam90] and Chen [Che95] worked on the problem. Their solutions did not have a trusted third party, but the notion of user's identity was not well developed, and therefore it was not clear how their systems could function in case malicious users shared their credentials with ....
[Article contains additional citation context not shown here]
David Chaum and Jan-Hendrik Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In M. Odlyzko, editor, Advances in Cryptology --- CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 118-167. Springer-Verlag, 1987.
....privacy guarantee is not a new concept: today, when you spend a coin, cast a vote, or use a cinema ticket, you are anonymous. Conceptually, Digital Credentials borrow heavily from seminal work on electronic privacy by Chaum [21, 22, 23, 27, 29, 31] in the period 1982-1992. In particular, Chaum [19, 20, 24, 34] advocated the use of credentials, which he defined [24] as statements concerning an individual that are issued by organizations, and are in general shown to other organizations. Enabling individuals to build pseudonymous relations with organizations is just one specific application of Digital ....
David Chaum and Jan-Hendrik Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In A.M. Odlyzko, editor, Advances in
....identity, providing unobservability against traffic analysis via anonymous communication network techniques. Other privacy enhancing techniques include: information protection within agents, protection of agent code from intentional or accidental damage, secure distributed logs, among others. In [4, 11, 20, 21, 29] several pseudonym techniques are proposed and developed. The primary goal of pseudonym techniques is to hide the user's identity using a pseudonym. Of course, pseudonym techniques have other advantages, e.g. authentication, abuse control, accountability, etc. Pseudonym techniques can be ....
....cannot combine their database to build up a dossier on the user. A user can obtain a credential from one organization using one of his pseudonyms, and demonstrate possession of the credential to another organization, without revealing his first pseudonym to the second organization. In [4, 11, 20, 21, 29] some models for pseudonym systems are developed. In these models, a certification authority (CA) is needed only to enable a user to prove to an organization that his pseudonym actually corresponds to a public key of a real user. As well, there must be some stake in the secrecy of the ....
D.Chaum and J.Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In Advances in Cryptology CRYPTO 86, pages 118-167, Springer-Verlag, 1986.
....against traffic analysis using anonymous communication network techniques. Other privacy enhancing techniques include: information protection within agents, protection of agent code from intentional or accidental damage, secure distributed logs, among others. Pseudonym Techniques In [4, 11, 20, 21, 29] several pseudonym techniques are proposed and developed. The primary goal of pseudonym techniques is for the hiding of the user's identity in the application data, i.e. using pseudonym instead of identity. Of course, pseudonym techniques have other advantages, e.g. authentication, abuse control, ....
D.Chaum and J.Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In Advances in Cryptology CRYPTO 86, pages 118-167, Springer-Verlag, 1986.
....to previously proposed ones. The communication and computation costs of our solution are small, thus introducing almost no overhead to realizing privacy in a credential system. Extended version of what is to appear in: Advances in Cryptology EUROCRYPT 2001. 1 An anonymous credential system [Cha85, CE87, Che95, Dam90, LRSW99] consists of users and organizations. Organizations know the users only by pseudonyms. Different pseudonyms of the same user cannot be linked. Yet, an organization can issue a credential to a pseudonym, and the corresponding user can prove possession of this credential to another organization (who ....
....The scheme should also provide user privacy. An organization cannot find out anything about a user, apart from the fact of the user's ownership of some set of credentials, even if it cooperates with other organizations. In particular, two pseudonyms belonging to the same user cannot be linked [Bra99, Cha85, CE87, Che95, Dam90, LRSW99]. Finally, it is desirable that the system be efficient. Besides requiring that it be based on efficient protocols, we also require that each interaction involve as few entities as possible, and the rounds and amount of communication be minimal. In particular, if a user has a multiple show credential ....
[Article contains additional citation context not shown here]
David Chaum and Jan-Hendrik Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In M. Odlyzko, editor, Advances in Cryptology --- CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 118-167. Springer-Verlag, 1987.
....to the second organization. A certification authority (CA) plays the important role of guaranteeing that the users in the system can be trusted to behave responsibly and that the credentials are transferred properly. Shortly after the notion of pseudonym systems was introduced, Chaum and Evertse [11] developed a model for pseudonym systems, and presented an RSA based implementation. The scenario they propose models the one in our motivating example, with one important difference. In their scenario, a trusted center conducts the operation of transferring a user's credential from one ....
....model, as well as its numerous extensions, are realizable. On the other hand, we present a practical and easily implementable construction of the basic model under 3 reasonable number theoretic assumptions. 1.3.1 Discussion of the model The main distinction of our model from its predecessors [11, 13, 15] is that the notion of a user is well defined. We base our proposed scheme on the presumption that each user has a master public key whose corresponding master secret key the user is highly motivated to keep secret. This master public key might be registered as his legal digital signature key, so ....
[Article contains additional citation context not shown here]
David Chaum and Jan-Hendrik Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In Advances in Cryptology --- CRYPTO '86, pages 118-167. Springer-Verlag, 1986.
....cryptographic keys by an individual reflects the individual's position in a military style lattice of privilege groups, rather than an identity associated with the individual. Closer yet, a credentialing scheme with many of the properties that we desire has been proposed by Chaum and associates [CE86, Cha90] (distinct from their proposals for digital cash) The most interesting feature of these credentials is that they allow complete anonymity on the part of the presenter. For example, suppose the client has one Chaum style credential issued by the state driver's license facility, and a Chaum style ....
D. Chaum and J.-H. Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In Advances in Cryptology--- CRYPTO '86 Proceedings, pages 118--167, Berlin, 1986. Springer-Verlag.
....inversions of messages can be forged whenever the signatures of the individual messages are known. However, if a good one way hash function is used to scramble each message before raising to the RSA decryption key, then these types of forgeries are foiled; this idea is used by Chaum and Evertse [4] and discussed in detail by Damgard [6] In particular, the function h given by the Assumption affects the message space to prevent forgery based on the multiplicative homomorphism, while preserving the RSA homomorphism to allow blinded signatures 4 . Several secure hash functions have been ....
D. Chaum and J. Evertse, "A secure and privacy-protecting protocol for transmitting personal information between organizations," Crypto 86, pp. 118-167.
....gain authorization. We see the thrust of their work as complementary to ours: they have made policies easier to write and we have made the client's credential submission choices manageable. A credentialing scheme with many of the properties that we desire has been proposed by Chaum and associates [2,3] (distinct from their proposals for digital cash) The most interesting feature of these credentials is that they allow complete anonymity on the part of the presenter. For example, suppose the client has one Chaum style credential issued by the state driver's license facility, and a Chaum style ....
D. Chaum and J.-H. Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In Advances in Cryptology--CRYPTO '86 Proceedings, pages 118-167, Berlin, 1986. Springer-Verlag.
No context found.
D. Chaum and J.-H. Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In CRYPTO '88, volume 263 of LNCS, pages 118--167. Springer-Verlag, 1988.
No context found.
D. Chaum and J. Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In Advances in Cryptology-- CRYPTO'86, pp. 118-167. Springer-Verlag, 1986.
No context found.
D. Chaum and J. Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In Advances in Cryptology--CRYPTO'86, pp. 118-167. Springer-Verlag, 1986.
No context found.
D. Chaum and J. Evertse. A Secure and Privacy-Protecting Protocol for Transmitting Personal Information Between Organizations. In CRYPTO'86, volume 263 of Lecture Notes in Computer Science. Springer, 1987.
No context found.
D. Chaum and J. Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In Advances in Cryptology--CRYPTO'86, pp. 118-167. Springer-Verlag, 1986.
No context found.
D. Chaum and J. Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In Advances in Cryptology: Proceedings of CRYPTO'86, volume 263 of Lecture Notes in Computer Science, pages 118--167. Springer-Verlag, 1987.
No context found.
Chaum, D., and Evertse, J.-H. A secure and privacy-protecting protocol for transmitting personal information between organizations. In CRYPTO - '86 (1985), pp. 118--167.
No context found.
D. Chaum and J.-H. Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In A. M. Odlyzko, editor, Advances in Cryptology --- CRYPTO '86, Santa Barbara, California, USA, 1986.
No context found.
D. Chaum and J.-H. Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In A. M. Odlyzko, editor, Advances in Cryptology --- CRYPTO '86, Santa Barbara, California, USA, 1986, Proceedings, number 263 in Lecture Notes in Computer Science, pages 118--167. Springer Verlag, Berlin, 1987.
No context found.
D. Chaum and J. Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In Advances in Cryptology: Proceedings of CRYPTO'86, volume 263 of Lecture Notes in Computer Science, pages 118--167. Springer-Verlag, 1987.
No context found.
D. Chaum and J. Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In Advances in Cryptology--CRYPTO'86, pp. 118-167. Springer-Verlag, 1986.
No context found.
D. Chaum and J.-H. Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In M. Odlyzko, editor, Advances in Cryptology --- CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 118--167. Springer-Verlag, 1987.
No context found.
D.Chaum and J.Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In Advances in Cryptology---CRYPTO '86, pages 118-167, Springer-Verlag, 1986.
No context found.
D.Chaum and J.Evertse. A secure and privacy-protecting protocol for transmitting personal information between organizations. In Advances in Cryptology---CRYPTO '86, pages 118-167, Springer-Verlag, 1986.
No context found.
David Chaum, "A secure and privacy-protecting protocol for transmitting personal information between organizations", Advances in Cryptology - CRYPTO '86. Springer Verlag, 1987.
No context found.
David Chaum, "A secure and privacy-protecting protocol for transmitting personal information between organizations", Advances in Cryptology - CRYPTO '86. Springer Verlag, 1987.