A Security Model for Anonymous Credential Systems [chapter]

Andreas Pashalidis, Chris J. Mitchell
Information Security Management, Education and Privacy  
This paper proposes a formal model of the Bellare-Rogaway type [1] that enables one to prove the security of an anonymous credential system in a complexity theoretic framework. The model abstracts away from how a specific instance of anonymous credential system achieves its goals; instead it defines what these goals are. The notions of credential unforgeability, non-transferability, pseudonym unlinkability and pseudonym owner protection are formally defined and the relationships between them explored. The model is a step towards a formal treatment of the level of privacy protection that anonymous credential systems can and should achieve, both in terms of pseudonym unlinkability and user anonymity.

The author is sponsored by the State Scholarship Foundation of Greece.

metrics. It abstracts away from the particulars of how specific pseudonym system instances achieve their goals; instead it focuses on what these goals are. The model captures security properties for both organisations (credential unforgeability and non-transferability) and users, both in terms of 'traditional' security (pseudonym owner protection) and privacy (pseudonym unlinkability and user anonymity). The model makes a clear distinction between the different notions and allows the relationships between them to be analysed.

Related work

Pseudonym systems were first introduced by Chaum in the 1980s [4]. Since then, numerous pseudonym systems have been proposed, each with its own particular set of entities, underlying problems, assumptions and properties. Examples of such systems are given in [2, 3, 5, 6]. The most relevant work to this paper is probably the formal treatment of the anonymous credential system in [3]. There, security is defined based on the indistinguishability between the transcripts of protocols that occur in an 'ideal' world (where a universally trusted party guarantees security) and the 'real world' (where such a party does not exist). In that model, transactions between users and organisations correspond to well-defined events, and the adversary acts like an event scheduler; he can arbitrarily trigger events of his choice. In the model of [3], however, the relationship between the different security notions that a pseudonym system should satisfy is somewhat hidden by the fact that the universally trusted party takes care of them. Also, in that model, the adversary is not allowed to corrupt players in an adaptive fashion.
While our model retains the property that the adversary gets to specify the order of events in the system, he can also adaptively corrupt players. Further, the model allows a relatively easy analysis of the relationships between different notions. This is due to the fact that we abstract away from properties that do not lie at the same level of abstraction as that at which a pseudonym system operates.
doi:10.1007/1-4020-8145-6_16 dblp:conf/ifip11/PashalidisM04 fatcat:tqjikt32pncmfgokgqqyb6mq44