## A general certification framework with applications to privacy-enhancing certificate infrastructures (2006)

Venue: International Information Security Conference, IFIP

Citations: 15 (1 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Camenisch06ageneral,
  author    = {Jan Camenisch and Dieter Sommer and Roger Zimmermann},
  title     = {A general certification framework with applications to privacy-enhancing certificate infrastructures},
  booktitle = {International Information Security Conference, IFIP},
  year      = {2006},
  publisher = {Springer-Verlag}
}
```


### Abstract

Interactions in electronic media require mutual trust to be established, preferably through the release of certified information. Disclosing certificates to provide the required information often reveals additional information that is not needed for the purpose of the interaction; for instance, ordinary certificates unnecessarily reveal their binary representation. We propose a certificate-based framework comprising protocol definitions and API specifications for the controlled, i.e., well-specified, release of data. This includes controlled release during the certification of data and controlled release of certified data. The protocols are based on proofs of knowledge of certificates and of relations over the attributes, ensuring that no side information but only the specified data is revealed. Furthermore, the protocols allow certified data to be released in plain or encrypted form and allow one to prove general expressions over the data items. Our framework can be seen as a generalization of anonymous credential systems, group signature, traceable signature, and e-cash schemes. The framework encompasses a specification language that allows one to precisely specify what data to release and how to release them in the protocols. We show how our framework can be implemented cryptographically and how a privacy-enhanced PKI that integrates into today's PKI on the Internet can be built using the framework. We consider our framework a central building block to achieve privacy on the Internet.
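The mechanism at the heart of the abstract, proving a relation over certified attributes while revealing nothing else, rests on the building blocks named in the citation contexts below: Pedersen commitments [39], Schnorr-style proofs of knowledge of a discrete logarithm [44] and of equality of representation [22], and the Fiat-Shamir heuristic [28] that turns the interactive proof into a non-interactive one. The Python program below is an added example written for this page; it is not code from the paper or from any implementation of the framework. It commits to attributes with Pedersen commitments and proves that hidden committed values satisfy a linear relation of the shape of the paper's predicate (12), cert1[1] + cert1[2] = cert1[3] + c1[1]. Plain commitments stand in for the CL-signature-based certificates the paper actually uses, which additionally bind the attributes to an issuer's signature. The group parameters (a self-generated 160-bit demo safe prime), the sample attribute values, the function names and the hash-to-challenge encoding are all constructed for the example.

```python
import functools
import hashlib
import random
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin with bases drawn from rng (demo quality, not constant time)."""
    if n < 2 or n % 2 == 0:
        return n == 2
    if any(n % sp == 0 for sp in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits, rng):
    """Return (p, q) with p = 2q + 1 both prime; the squares mod p then form a group of prime order q."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if all(q % sp and (2 * q + 1) % sp for sp in SMALL_PRIMES) and is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q


def prod_mod(xs, p):
    """Product of the integers xs modulo p."""
    return functools.reduce(lambda a, b: a * b % p, xs, 1)


class Group:
    """Prime-order subgroup of Z_p^* with generators g, h.  Nobody may know log_g(h); here h is
    simply a second random square (demo assumption; a real system derives it verifiably)."""

    def __init__(self, bits=160, seed=2006):
        rng = random.Random(seed)  # seeded PRNG for reproducible *parameters* only
        self.p, self.q = generate_safe_prime(bits, rng)
        self.g = pow(rng.randrange(2, self.p - 1), 2, self.p)  # a square of x != +-1 has order q
        self.h = pow(rng.randrange(2, self.p - 1), 2, self.p)

    def commit(self, m, r=None):
        """Pedersen commitment C = g^m h^r mod p; the blinding r comes from the OS CSPRNG."""
        r = secrets.randbelow(self.q) if r is None else r
        return pow(self.g, m % self.q, self.p) * pow(self.h, r, self.p) % self.p, r

    def opens_to(self, C, m, r):
        """Release in the clear: the verifier recomputes the commitment from (m, r)."""
        return self.commit(m, r)[0] == C

    def challenge(self, *elements):
        """Fiat-Shamir challenge bound to the group, the statement and the first message."""
        data = b"|".join(str(x).encode() for x in (self.p, self.g, self.h) + elements)
        return int.from_bytes(hashlib.sha256(data).digest(), "big") % self.q

    def prove_sum_relation(self, lhs, rhs):
        """lhs, rhs: lists of (C, m, r).  Proves sum(lhs m) == sum(rhs m) mod q without revealing any m:
        prod(lhs C)/prod(rhs C) = h^rho, rho = sum(lhs r) - sum(rhs r); (t, s) is a Schnorr proof of rho."""
        rho = (sum(r for _, _, r in lhs) - sum(r for _, _, r in rhs)) % self.q
        w = secrets.randbelow(self.q)
        t = pow(self.h, w, self.p)
        c = self.challenge(*[C for C, _, _ in lhs], *[C for C, _, _ in rhs], t)
        return t, (w + c * rho) % self.q

    def verify_sum_relation(self, lhs_C, rhs_C, proof):
        """The verifier sees only commitments and (t, s) and checks h^s == t * D^c mod p."""
        t, s = proof
        D = prod_mod(lhs_C, self.p) * pow(prod_mod(rhs_C, self.p), -1, self.p) % self.p
        c = self.challenge(*lhs_C, *rhs_C, t)
        return pow(self.h, s, self.p) == t * pow(D, c, self.p) % self.p


def demo(grp=None):
    """Constructed attributes: certified a1, a2, a3 and a fresh committed c1 with a1 + a2 = a3 + c1."""
    grp = grp or Group()
    a1, a2, a3, c1 = 30, 12, 25, 17  # sample values constructed for the example
    def committed(m):
        C, r = grp.commit(m)
        return C, m, r
    lhs, rhs = [committed(a1), committed(a2)], [committed(a3), committed(c1)]
    lhs_C, rhs_C = [C for C, _, _ in lhs], [C for C, _, _ in rhs]
    relation_ok = grp.verify_sum_relation(lhs_C, rhs_C, grp.prove_sum_relation(lhs, rhs))
    disclosed_ok = grp.opens_to(lhs[0][0], a1, lhs[0][2])  # a1 released in plain; a2, a3, c1 stay hidden
    # Values that violate the relation leave a g-component in D, so the honest proof algorithm fails to verify.
    bad = [committed(a3), committed(c1 + 1)]
    forged_ok = grp.verify_sum_relation(lhs_C, [C for C, _, _ in bad], grp.prove_sum_relation(lhs, bad))
    return relation_ok, disclosed_ok, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Running the file prints (True, True, False): the relation proof over hidden values verifies, the attribute released in the clear opens correctly, and a prover whose values violate the relation produces a proof that fails. The verifier only ever sees commitments, t and s, which is the "no side information" property the abstract claims; soundness rests on nobody knowing log_g(h), since a convincing proof for a false relation would reveal that logarithm, which is why a deployment must generate h verifiably rather than by the seeded PRNG used for this demo.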

### Citations

2939 | A method for obtaining digital signatures and public-key cryptosystems
- Rivest, Shamir, et al.
- 1978
Citation Context: ...and encryptions. In addition to the privacy-enhancing signature protocols where the signer learns only a subset of the messages, our framework also supports conventional signature schemes such as RSA [43], Schnorr [44], or DSA [37]. For these schemes the protocols become trivial in that they resemble classical signature creation and verification. However, they do not allow one to hide messages from th...

1206 | Untraceable electronic mail, return addresses, and digital pseudonyms
- Chaum
- 1981
Citation Context: ... make use of the full capabilities of our certification framework. Related Work. The research area our framework is positioned in was pioneered by Chaum who defined the concepts of credential systems [18, 20, 21], group signature schemes [23], and electronic cash systems [19]. Our framework can be seen as a generalization of these systems, as well as anonymous attestation schemes [7], traceable signature sche...

838 | How to prove yourself: practical solutions to identification and signature problems
- Fiat, Shamir
- 1987
Citation Context: ...em on top of it. We do this in Section 4. Also a group signature scheme can be easily constructed out of it by turning a proof protocol into a signature protocol by applying the Fiat-Shamir heuristic [28, 40]. The certificates issued by an issuer are the signature keys, the group of parties holding a certificate from the issuer are the group. The group manager is a dedicated party that provides an encrypt...

585 | Efficient Signature Generation by Smart Cards
- Schnorr
- 1991
Citation Context: ...s. In addition to the privacy-enhancing signature protocols where the signer learns only a subset of the messages, our framework also supports conventional signature schemes such as RSA [43], Schnorr [44], or DSA [37]. For these schemes the protocols become trivial in that they resemble classical signature creation and verification. However, they do not allow one to hide messages from the issuer or th...

494 | Group signatures
- Chaum, van Heyst
- 1991
Citation Context: ...our certification framework. Related Work. The research area our framework is positioned in was pioneered by Chaum who defined the concepts of credential systems [18, 20, 21], group signature schemes [23], and electronic cash systems [19]. Our framework can be seen as a generalization of these systems, as well as anonymous attestation schemes [7], traceable signature schemes [32] and identity escrow s...

422 | Security without identification: transaction systems to make big brother obsolete
- Chaum
- 1985
Citation Context: ... make use of the full capabilities of our certification framework. Related Work. The research area our framework is positioned in was pioneered by Chaum who defined the concepts of credential systems [18, 20, 21], group signature schemes [23], and electronic cash systems [19]. Our framework can be seen as a generalization of these systems, as well as anonymous attestation schemes [7], traceable signature sche...

377 | Non-interactive and information-theoretic secure verifiable secret sharing
- Pedersen
- 1991
Citation Context: ...onjunction of any two of the previous [24]. That is, we can use these protocol to efficiently prove the statements we defined among messages that are 1) committed using the Pedersen commitment scheme [39, 26], 2) encrypted using the Camenisch-Shoup encryption scheme, or 3) signed using the Camenisch-Lysyanskaya signature schemes [11, 12] without revealing the messages themselves. For obtaining concurrent ...

301 | Wallet Databases with Observers
- Chaum, Pedersen
- 1993
Citation Context: ...arithms, such as (1) proof of knowledge of a discrete logarithm modulo a prime [44] or a composite [29, 26], (2) proof of knowledge of equality of representation modulo two (possibly different) prime [22] or composite [14] moduli, (3) proof that a commitment opens to the product of two other committed values [13, 16, 5], (4) proof that a committed value lies in a given integer interval [17, 13, 13, ...

270 | Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols
- Cramer, Damgård, et al.
- 1994
Citation Context: ... other committed values [13, 16, 5], (4) proof that a committed value lies in a given integer interval [17, 13, 13, 4], and also (5) proof of the disjunction or conjunction of any two of the previous [24]. That is, we can use these protocol to efficiently prove the statements we defined among messages that are 1) committed using the Pedersen commitment scheme [39, 26], 2) encrypted using the Camenisch...

216 | Rethinking public key infrastructures and digital certificates (MIT Press)
- Brands
- 2000
Citation Context: ...ndeed, our framework can be instantiated to obtain a generalized anonymous credential system, a group signature scheme, traceable signature scheme, or an e-cash scheme. The pseudonym system of Brands [6] also provides efficient techniques for proving relations among committed values, but his overall construction fell short of supporting multi-show unlinkability thus restricting its applicability. A c...

209 | Security Proofs for Signature Schemes
- Pointcheval, Stern
- 1996
Citation Context: ...em on top of it. We do this in Section 4. Also a group signature scheme can be easily constructed out of it by turning a proof protocol into a signature protocol by applying the Fiat-Shamir heuristic [28, 40]. The certificates issued by an issuer are the signature keys, the group of parties holding a certificate from the issuer are the group. The group manager is a dedicated party that provides an encrypt...

187 | An internet attribute certificate profile for authorization
- Farrell, Housley
- 2002
Citation Context: ...nature schemes [3], protocols for certificate management [1], and definition of certificate structures for public key certificates and certificate revocation lists [30] and for attribute certificates [27]. However, privacy is not considered here. Paper Outline. We first present our generalized framework for controlled data release in Section 2 including an interface specification for the protocols and...

186 | Signature schemes and anonymous credentials from bilinear maps
- Camenisch, Lysyanskaya
Citation Context: ...signature scheme, but these constructions would not be practical due to the required computational effort. Two signature schemes with practical protocols, the SRSA-CL scheme [11] and the BL-CL scheme [12] are schemes that we use within our framework. These schemes allow proofs to be performed on the messages mi being signed. Furthermore, the schemes indeed allow that a signature be issued on messages ...

169 | Dynamic accumulators and application to efficient revocation of anonymous credentials
- Camenisch, Lysyanskaya
Citation Context: ...er would provide some piece of information that the verifier can look-up in the CRL. Luckily, the literature proposes ways to overcome this. The first one applies so-called cryptographic accumulators [10] that compress all valid certificates into a single value v and then allows a user to efficiently prove that her certificate is contained in that value. However, this approach also requires the user t...

158 | A signature scheme with efficient protocols
- Camenisch, Lysyanskaya
- 2003
Citation Context: ...s can be obtained for any signature scheme, but these constructions would not be practical due to the required computational effort. Two signature schemes with practical protocols, the SRSA-CL scheme [11] and the BL-CL scheme [12] are schemes that we use within our framework. These schemes allow proofs to be performed on the messages mi being signed. Furthermore, the schemes indeed allow that a signat...

153 | Efficient Proofs That a Committed Number Lies in an Interval
- Boudot
Citation Context: ...data item depending on whether the second element specifies known, commitment, random, or unknown, respectively. χ = {(cert[1], known, d1), (cert[2], committed, c1[1]), (cert[3], random, c2[1]), (cert[4], unknown, d2)} The specification in Example (2) is for issuing a certificate on (d1, . . . , d4) where Dknown = {1}, Dcommitted = {2}, Drandom = {3}, and Dunknown = {4}. After successful protocol exe...

142 | Direct anonymous attestation
- Brickell, Camenisch, et al.
- 2004
Citation Context: ...edential systems [18, 20, 21], group signature schemes [23], and electronic cash systems [19]. Our framework can be seen as a generalization of these systems, as well as anonymous attestation schemes [7], traceable signature schemes [32] and identity escrow schemes [33]. Indeed, our framework can be instantiated to obtain a generalized anonymous credential system, a group signature scheme, traceable ...

138 | Practical verifiable encryption and decryption of discrete logarithms
- Camenisch, Shoup
- 2003
Citation Context: ...roved, in particular polynomial relations to data items of certificates, commitments, and other encryptions. The verifiable encryption schemes of Camenisch and Damgård [9] and of Camenisch and Shoup [15] are applicable to our framework. The latter are particularly suitable as they integrate smoothly into the discrete logarithm based zero-knowledge proof protocols. Zero-knowledge Proofs of Knowledge. ...

132 | Statistical Zero Knowledge Protocols to Prove Modular
- Fujisaki, Okamoto
- 1997
Citation Context: ...mon parameters model, we build upon several known protocols for proving statements about discrete logarithms, such as (1) proof of knowledge of a discrete logarithm modulo a prime [44] or a composite [29, 26], (2) proof of knowledge of equality of representation modulo two (possibly different) prime [22] or composite [14] moduli, (3) proof that a commitment opens to the product of two other committed va...

123 | Proving in Zero-Knowledge that a Number is the
- Camenisch, Michels
Citation Context: ... proof of knowledge of equality of representation modulo two (possibly different) prime [22] or composite [14] moduli, (3) proof that a commitment opens to the product of two other committed values [13, 16, 5], (4) proof that a committed value lies in a given integer interval [17, 13, 13, 4], and also (5) proof of the disjunction or conjunction of any two of the previous [24]. That is, we can use these pro...

119 | Pseudonym systems
- Lysyanskaya, Rivest, et al.
- 2000
Citation Context: ...llow for certificate sharing. This master private key could, for example, be the user's signature key. This approach for preventing certificate sharing follows the one put forth by Lysyanskaya et al. [35] for pseudonym systems. In addition to preventing certificate sharing, the master key is used in certificate proofs to link together PKCs and attribute certificates. Example (17) describes a master PK...

102 | Returned-Value Blind Signature Systems
- Chaum
Citation Context: ...ed Work. The research area our framework is positioned in was pioneered by Chaum who defined the concepts of credential systems [18, 20, 21], group signature schemes [23], and electronic cash systems [19]. Our framework can be seen as a generalization of these systems, as well as anonymous attestation schemes [7], traceable signature schemes [32] and identity escrow schemes [33]. Indeed, our framework...

84 | More flexible exponentiation with precomputation
- Lim, Lee
- 1994
Citation Context: ...l effort is distributed between a prover and a verifier. These performance figures have been obtained by using methods using similar ideas to the ones put forth by Brickell et al. [8] and Lim and Lee [34] requiring reasonable memory for maintaining precomputations for speeding up exponentiation. 4 Constructing a Privacy-Enhancing Certificate Infrastructure This section introduces a construction of a p...

75 | Separability and efficiency for generic group signature schemes
- Camenisch, Michels
- 1999
Citation Context: ...1) proof of knowledge of a discrete logarithm modulo a prime [44] or a composite [29, 26], (2) proof of knowledge of equality of representation modulo two (possibly different) prime [22] or composite [14] moduli, (3) proof that a commitment opens to the product of two other committed values [13, 16, 5], (4) proof that a committed value lies in a given integer interval [17, 13, 13, 4], and also (5) p...

71 | Easy come - easy go divisible cash
- Chan, Frankel, et al.
- 1998
Citation Context: ...t) prime [22] or composite [14] moduli, (3) proof that a commitment opens to the product of two other committed values [13, 16, 5], (4) proof that a committed value lies in a given integer interval [17, 13, 13, 4], and also (5) proof of the disjunction or conjunction of any two of the previous [24]. That is, we can use these protocol to efficiently prove the statements we defined among messages that are 1) com...

58 | Group signature schemes and payment systems based on the discrete logarithm problem
- Camenisch
- 1998
Citation Context: ... proof of knowledge of equality of representation modulo two (possibly different) prime [22] or composite [14] moduli, (3) proof that a commitment opens to the product of two other committed values [13, 16, 5], (4) proof that a committed value lies in a given integer interval [17, 13, 13, 4], and also (5) proof of the disjunction or conjunction of any two of the previous [24]. That is, we can use these pro...

52 | Verifiable encryption, group encryption, and their applications to separable group signatures and signature sharing schemes
- Camenisch, Damgård
- 2000
Citation Context: ...that has been computed can be proved, in particular polynomial relations to data items of certificates, commitments, and other encryptions. The verifiable encryption schemes of Camenisch and Damgård [9] and of Camenisch and Shoup [15] are applicable to our framework. The latter are particularly suitable as they integrate smoothly into the discrete logarithm based zero-knowledge proof protocols. Zero...

51 | A secure and privacy-protecting protocol for transmitting personal information between organizations
- Chaum, Evertse
- 1986
Citation Context: ... make use of the full capabilities of our certification framework. Related Work. The research area our framework is positioned in was pioneered by Chaum who defined the concepts of credential systems [18, 20, 21], group signature schemes [23], and electronic cash systems [19]. Our framework can be seen as a generalization of these systems, as well as anonymous attestation schemes [7], traceable signature sche...

51 | Traceable signatures
- Kiayias, Tsiounis, et al.
- 2004
Citation Context: ...oup signature schemes [23], and electronic cash systems [19]. Our framework can be seen as a generalization of these systems, as well as anonymous attestation schemes [7], traceable signature schemes [32] and identity escrow schemes [33]. Indeed, our framework can be instantiated to obtain a generalized anonymous credential system, a group signature scheme, traceable signature scheme, or an e-cash sch...

41 | Group signatures
- Chaum, van Heyst
- 1991
Citation Context: ...his release of data. Related Work. The research area our framework is positioned in was pioneered by Chaum who defined the concepts of credential systems, see for example [5], group signature schemes [7], and electronic cash systems [6]. Our framework can be seen as a generalization of these systems, as well as anonymous attestation schemes [3], traceable signature schemes [8] and identity escrow sch...

40 | Algorithms and Identifiers for the Internet X.509
- Bassham, Polk, et al.
- 2002

37 | Rapid demonstration of linear relations connected by boolean operators
- Brands
- 1997
Citation Context: ... proof of knowledge of equality of representation modulo two (possibly different) prime [22] or composite [14] moduli, (3) proof that a commitment opens to the product of two other committed values [13, 16, 5], (4) proof that a committed value lies in a given integer interval [17, 13, 13, 4], and also (5) proof of the disjunction or conjunction of any two of the previous [24]. That is, we can use these pro...

27 | A cryptographic framework for the controlled release of certified data
- Bangerter, Camenisch
- 2004
Citation Context: ...he prover by the 〈 〉 language element. Thus one can think of it being correctly instantiated when referring to it in predicates. c1[1] = cert1[1] + cert2[1]^2 (9), e1[1] = cert1[1] + cert2[1]^2 (10), c1[2] = e1[1] + c1[4] (11), cert1[1] + cert1[2] = cert1[3] + c1[1] (12). Assume that in the example predicates (9) to (12) variables c1[1], e1[1], c1[2], and c1[1] are uninstantiated. In (9) c1[1] gets assig...

21 | Fast Exponentiation with Precomputation (Extended Abstract)
- Brickell, Gordon, et al.
- 1993
Citation Context: ... 4. The computational effort is distributed between a prover and a verifier. These performance figures have been obtained by using methods using similar ideas to the ones put forth by Brickell et al. [8] and Lim and Lee [34] requiring reasonable memory for maintaining precomputations for speeding up exponentiation. 4 Constructing a Privacy-Enhancing Certificate Infrastructure This section introduces ...

18 | Cryptographic protocol generation from CAPSL
- Millen, Muller
- 2001
Citation Context: ...in the field of compiler generated protocols includes the work of Tsoukalidis and Weis [45] for applying compilers to protocol generation for cryptographic protocols and the work of Millen and Muller [36] focusing on the automatic generation of authentication protocols from high-level protocol specifications. The current X.509-based Internet certificate infrastructure as defined by the IETF is mainly ...

9 | Traceable signatures
- Kiayias, Tsiounis, Yung
Citation Context: ...group signature schemes [7], and electronic cash systems [6]. Our framework can be seen as a generalization of these systems, as well as anonymous attestation schemes [3], traceable signature schemes [8] and identity escrow schemes [9]. Indeed, our framework can be instantiated to obtain a generalized anonymous credential system, a group signature scheme, traceable signature scheme, or an e-cash sche...

5 | Efficient Concurrent Zero-Knowledge in the Auxiliary String Model
- Damgård
- 2000
Citation Context: ...tion scheme, or 3) signed using the Camenisch-Lysyanskaya signature schemes [11, 12] without revealing the messages themselves. For obtaining concurrent zero-knowledge proofs, Damgård's construction [25] is applied. Non-interactive zero-knowledge proofs are obtained by using the Fiat-Shamir heuristic [28]. The latter in addition allows to create a group signature scheme of the protocol for proving ce...

3 | An integer commitment scheme based on groups with hidden order
- Damgård, et al.
- 2002
Citation Context: ...mon parameters model, we build upon several known protocols for proving statements about discrete logarithms, such as (1) proof of knowledge of a discrete logarithm modulo a prime [44] or a composite [29, 26], (2) proof of knowledge of equality of representation modulo two (possibly different) prime [22] or composite [14] moduli, (3) proof that a commitment opens to the product of two other committed va...

3 | Identity Escrow (Theory of Cryptography Library)
- Kilian, Petrank
- 1997
Citation Context: ...lectronic cash systems [19]. Our framework can be seen as a generalization of these systems, as well as anonymous attestation schemes [7], traceable signature schemes [32] and identity escrow schemes [33]. Indeed, our framework can be instantiated to obtain a generalized anonymous credential system, a group signature scheme, traceable signature scheme, or an e-cash scheme. The pseudonym system of Bran...

1 | Recommendation X.690: Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)
- ITU-T
- 1997
Citation Context: ...signature schemes, or electronic cash systems. Mapping of Attributes. A property of X.509 certificates is that they consist of a hierarchic structure of typed fields, the types being defined in ASN.1 [31]. Through object identifiers further (arbitrary) attribute types can be defined. A certificate is represented using a tag-length-value structure. The X.509 profile definitions define names for the fie...

1 | Cryptographic protocol language. http://theory.lcs.mit.edu/~cis/cpl/index.html
- Tsoukalidis, Weis
- 2004
Citation Context: ... compiler for generating zero-knowledge proof protocols from a given protocol specification input. Previous work in the field of compiler generated protocols includes the work of Tsoukalidis and Weis [45] for applying compilers to protocol generation for cryptographic protocols and the work of Millen and Muller [36] focusing on the automatic generation of authentication protocols from high-level proto...