In a conventional accreditation system, a trusted organization issues certified accreditations for certain users, concerning one or more attributes of the user.
Such an organization may be, for example, city offices issuing certified accreditations in the form of identity cards which present certain attributes associated with the user such as the last name, first name, date of birth, address, etc. This organization can also be a university issuing certified accreditations in the form of student cards which present certain attributes associated with a student such as the last name, first name, student id number, fields of study, etc.
When wanting to access a service offered by a third party acting as a service provider, the user may then wish to use such certified accreditations anonymously, meaning while minimizing the information he provides to the service provider to obtain the desired service.
For example, access to certain specific services may be limited to city residents. In such cases, the user must then prove in a city-certified manner that he is indeed a resident of the city, but he may not want to reveal other attributes on his identity card, such as his name or exact address.
Similarly, a student may want to receive a discount on a service offered by the third party. The student must then prove that he possesses an accreditation issued by a university, but may not want to reveal other attributes concerning him on his student id card, such as his name or the courses he is taking.
To address this need for anonymity, it is possible to set up accreditation systems that use cryptographic techniques similar to group signatures or blind signatures.
For group signatures, during the accreditation creation phase the certifying organization signs the set of attributes associated with the user, producing only one signature. This signature must be such that the certifying organization cannot use this accreditation to pass itself off as the user, which is possible for example with techniques tied to group signature schemes. The trusted entity is the organization which issues the accreditations. In the examples presented above, the trusted entity is the city or the university.
Once the user possesses such an accreditation, he can reveal one or more of the attributers associated with him, depending on what is needed by the third party acting as service provider from which he is requesting a service, by generating, similarly to group signature techniques, proof on knowledge of unrevealed attributes and a signature for all attributes, whether revealed or not, without disclosing either the unrevealed attributes or the signature of the certifying organization. The user thus preserves his anonymity with the outside world.
In this case, it is necessary to use a signature scheme which allows signing multiple messages/attributes with a single signature and in which the person possessing the signature is able to prove that he knows the signature and the signed messages, without revealing either the signature or the set of these messages/attributes he wants to hide, while retaining the ability to provide in unencrypted form the attribute or attributes requested of him by the third party.
Such a signature scheme consumes computation time because it requires explicitly hiding non-revealed attributes. The size of the proof therefore depends on the number of attributes initially certified by the issuing entity. Also, its implementation requires using cryptographic data of significant size, such as the Idemix technology proposed by IBM.
In the case of blind signatures, the concept consists of having the certifying organization blindly sign the attributes. The use of such blind signatures makes the accreditation system more effective, at the cost, however, of increased user traceability. An example of this type of technique is applied in the UProve technology proposed by Microsoft.
The present invention has the object of overcoming the above disadvantages of prior art solutions, and proposing an alternative technique for anonymous accreditation which is potentially more efficient and less demanding of computation time and bandwidth, and which simplifies the procedures when a user needs to rely upon accreditations originating from different organizations.