Pros and Cons of U-Prove, Idemix and Other Privacy-Enhancing Technologies

Francisco Corella, Karen Lewison
Pomcor
7/11/2011

Outline

- Levels of privacy (LOPs) of third-party credentials
  - LOP 0: OpenID, OAuth
  - LOP 1: PKI certificates
  - LOP 2: U-Prove
  - LOP 3: Idemix, etc.
- Selective disclosure
- The revocation problem
- Performance
- Smart-card support

Levels of Privacy (LOPs) of Third-Party Credentials: LOP 0

Online identity provider

- Protocols: OpenID, OAuth
- Providers: Facebook, Google, Yahoo, etc.
- No privacy: the identity provider is told how you use your credential, because it redirects the user to the relying party
- No anonymity if using Facebook or Google

Levels of Privacy (LOPs) of Third-Party Credentials: LOP 1

Traditional PKI certificate

- Certificate issuer is not told how you use it
- Certificate issuer can find out how you use it by sharing information with relying parties
  - Based on an assertion made to relying parties that uniquely identifies you (THIS IS UNAVOIDABLE)
  - OR based on the certificate serial number, public key or issuer's signature, even if the assertion made to relying parties does not uniquely identify you (AVOIDABLE WITH PRIVACY-ENHANCING TECHNOLOGIES)

Levels of Privacy (LOPs) of Third-Party Credentials: LOP 2

Credential issuer cannot find out how you use your credential

- …even if relying parties let the issuer see their authentication logs
- …unless the assertion made to relying parties uniquely identifies you
- Both U-Prove [1,2] and Idemix [3] provide this feature

Levels of Privacy (LOPs) of Third-Party Credentials: LOP 3

Relying parties cannot link multiple presentations of the same credential

- …even if they share their authentication logs
- …unless the assertion made to relying parties uniquely identifies you
- U-Prove does not provide this feature [1, §4.2]
  - Same token public key and signature seen by all relying parties
- Idemix and more recent cryptosystems do provide this feature

Selective Disclosure

- User discloses to relying party only a subset of the attributes in a credential
  - Feature provided by U-Prove, Idemix, etc.
- User proves an inequality relation involving a numeric attribute without disclosing the attribute, e.g. birthdate < today - 21 years
  - Feature provided by Idemix

The Revocation Problem

- If issuance and presentation cannot be linked, the issuer cannot revoke the credential by publishing a credential identifier in a revocation list
- Neither U-Prove nor Idemix credentials currently provide revocation by issuer
  - Alternatives: on-demand or short-term credentials
- Several revocation techniques have been proposed; some of them are promising

Performance

- Privacy-enhancing technologies are computationally intensive
- Few performance figures available
- U-Prove seems to be one order of magnitude faster than Idemix
  - Based on smart card implementations

Smart Card Implementations

- Idemix Java card
  - 10.5 seconds with 1536-bit modulus
- Non-Microsoft U-Prove MULTOS card
  - 0.55 seconds with 1024-bit modulus
- Microsoft U-Prove card
  - Card must be tamperproof against user
  - Enables presentation
  - Most computations done by user's computer
  - Revocable by downloading CRL increment to card
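
The LOP 2 versus LOP 3 distinction from the slides above, as an added example that is not part of the original deck. It uses Chaum's RSA blind signature as a stand-in for U-Prove issuance (an assumption; U-Prove's own protocol is different), with a toy key and constructed token names. Every issuance transcript fits every token, so the issuer's log cannot link them, yet two relying parties see the same (public key, signature) pair.

```python
import hashlib, secrets
from math import gcd

# Toy issuer RSA key from two Mersenne primes (assumption; far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def h(token_pk: bytes) -> int:
    return int.from_bytes(hashlib.sha256(token_pk).digest(), "big") % N

def issue(token_pk: bytes):
    """One blind issuance. Returns (what the issuer saw, the user's token)."""
    r = 0
    while r < 2 or gcd(r, N) != 1:
        r = secrets.randbelow(N)
    blinded = h(token_pk) * pow(r, E, N) % N   # user -> issuer
    blinded_sig = pow(blinded, D, N)           # issuer -> user
    sig = blinded_sig * pow(r, -1, N) % N      # user removes the blinding
    return (blinded, blinded_sig), (token_pk, sig)

def verify(token) -> bool:
    token_pk, sig = token
    return pow(sig, E, N) == h(token_pk)

def consistent(issuer_view, token) -> bool:
    """Is there a blinding factor that maps this issuance onto this token?"""
    blinded, blinded_sig = issuer_view
    token_pk, sig = token
    r = blinded_sig * pow(sig, -1, N) % N
    return blinded == h(token_pk) * pow(r, E, N) % N

def relying_parties_link(log_a, log_b) -> set:
    """Tokens that appear in both relying parties' authentication logs."""
    return set(log_a) & set(log_b)

def demo():
    view_a, token_a = issue(b"alice-token-pk")   # constructed sample values
    view_b, token_b = issue(b"bob-token-pk")
    # LOP 2: every issuance fits every token, so the issuer's log singles out neither.
    issuer_pairs = [consistent(v, t) for v in (view_a, view_b) for t in (token_a, token_b)]
    # No LOP 3: Alice shows the same (public key, signature) pair to two relying parties.
    rp1_log, rp2_log = [token_a], [token_a, token_b]
    return issuer_pairs, relying_parties_link(rp1_log, rp2_log) == {token_a}
```
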