ICS Theory Group

ICS 269, Winter 2004: Theory Seminar

23 Jan 2004:
Anonymous Credentials with Biometrically-Enforced Non-Transferability
Sara Miner More, UCSD

Often, to gain access to a resource, an individual must present some sort of credential. If the credential includes identifying information about the individual, the organization controlling the resource can collect information about his actions. In the digital world in particular, this collection requires very little effort. The compiled information can then be shared with or even sold to another organization, without the individual's knowledge or consent.

To protect an individual's privacy in the digital world, cryptographers have suggested anonymous credentials, which allow an individual to prove that he possesses a particular right without revealing his identity. However, anonymous credentials based on cryptography alone are inherently transferable -- an individual can simply give a copy of his cryptographic key to a friend. In applications where non-transferability is important, biometric data, such as a fingerprint or retina scan, can be used to link a credential with a particular individual, but often at the cost of anonymity. For example, if the individual's fingerprint is included as part of his credential, the organization controlling a resource may identify him when he requests access.

Perhaps surprisingly, it is possible to design non-transferable credentials which retain anonymity. In this talk, we describe a model and protocol for secure digital credentials which have both of these properties. Our model uses tamper-resistant hardware to combine cryptographic techniques with biometric-based credentials. Specifically, a user can prove that he is in fact an individual to whom a credential was issued, without revealing any additional information. Furthermore, two instances of credential displays by the same individual are unlinkable. Additionally, we will describe a mechanism which allows such credentials to be revoked by the issuing party, and discuss potential extensions to the system.

This talk describes joint work with Russell Impagliazzo (UCSD) which appeared in the 2003 ACM Workshop on Privacy in the Electronic Society.