
Data minimisation in communication protocols: a formal analysis framework and application to identity management

Regular Contribution. Published in the International Journal of Information Security.

Abstract

With the growing amount of personal information exchanged over the Internet, privacy is becoming more and more a concern for users. One of the key principles in protecting privacy is data minimisation. This principle requires that only the minimum amount of information necessary to accomplish a certain goal is collected and processed. “Privacy-enhancing” communication protocols have been proposed to guarantee data minimisation in a wide range of applications. However, currently, there is no satisfactory way to assess and compare the privacy they offer in a precise way: existing analyses are either too informal and high level or specific for one particular system. In this work, we propose a general formal framework to analyse and compare communication protocols with respect to privacy by data minimisation. Privacy requirements are formalised independent of a particular protocol in terms of the knowledge of (coalitions of) actors in a three-layer model of personal information. These requirements are then verified automatically for particular protocols by computing this knowledge from a description of their communication. We validate our framework in an identity management (IdM) case study. As IdM systems are used more and more to satisfy the increasing need for reliable online identification and authentication, privacy is becoming an increasingly critical issue. We use our framework to analyse and compare four identity management systems. Finally, we discuss the completeness and (re)usability of the proposed framework.



Notes

  1. The tool and formal model of our case study are available at www.mobiman.me/downloads/.

  2. The implementation, along with its documentation, can be downloaded at http://www.mobiman.me/publications/downloads/.


Acknowledgments

We thank the anonymous reviewers for their useful comments. We thank Berry Schoenmakers for useful technical feedback. This work is partially supported by STW through project “Identity Management on Mobile Devices” (10522).

Author information

Correspondence to Meilof Veeningen.

Appendices

Appendix A: Trace validity

In this appendix, we introduce “trace validity” as a way of verifying that all knowledge required for a trace has been modelled. Our framework takes as input a trace, together with the initial knowledge of the actors. However, there is no guarantee that the trace and initial knowledge provided by the analyst are correctly specified. This is fundamental for the analysis, because the initial knowledge also determines whether an actor can link the information he has observed to information he already has. The concept of “trace validity” checks whether the initial knowledge and trace correspond to a valid scenario (i.e. a scenario that can actually occur) and hence serves as a “sanity check” for the model.

To define trace validity, we need to model whether a context item has occurred in communication before. When an actor \(a\) initiates a protocol instance \(\pi \) in state \(\{\mathcal {C}_x\}_{x\in \mathcal {A}}\), no communication in the protocol instance has taken place yet, so the state does not contain context items with domain \(\pi \). Hence, to check whether \(a\) can send message \(\mathsf {m}|^{\pi }_{}\), we cannot just verify whether \(\mathcal {C}_a\vdash \mathsf {m}|^{\pi }_{}\). Instead, we need to model that the actor “instantiates” the context items in \(\mathsf {m}|^{\pi }_{}\) by items from other domains. On the other hand, if actor \(b\) wants to reply to message \(\mathsf {m}|^{\pi }_{}\), then he no longer has this freedom to instantiate context items, because the contents of the context items from \(\mathsf {m}|^{\pi }_{}\) he uses in his reply should correspond to their contents in \(\mathsf {m}|^{\pi }_{}\) itself. In the former case, we call the context items undetermined; in the latter case, we call them determined:

Definition 13

Let \(\{\mathcal {C}_x\}_{x\in \mathcal {A}}\) be a state. We say that \(\mathsf {p}\in \mathsf {P}^c\) is determined in \(\{\mathcal {C}_x\}_{x\in \mathcal {A}}\) if, for some \(a\in \mathcal {A}\) and \(\mathsf {m}\in \mathcal {C}_a\), \(\mathsf {p}\) occurs in \(\mathsf {m}\); or if \(\mathsf {p}\) is a property \(\psi _i(\mathsf {q})\) of some \(\mathsf {q}\) occurring in \(\mathsf {m}\). Otherwise, \(\mathsf {p}\) is undetermined.

We now formalise when an actor has sufficient knowledge in a certain state to send a certain message \(\mathsf {m}|^{\pi }_{}\). The actor can instantiate any undetermined items in \(\mathsf {m}|^{\pi }_{}\), but needs to respect the existing instantiation of determined items in \(\mathsf {m}|^{\pi }_{}\). We capture this by requiring that the actor can derive a message \(\mathsf {n}\) that is equal to \(\mathsf {m}\), except that undetermined items are replaced by items of his choice. Intuitively, the actor having sufficient knowledge to send \(\mathsf {m}|^{\pi }_{}\) means that, when the message \(\mathsf {m}\) is added to his knowledge base, he does not gain any new knowledge from this. For instance, if the actor can associate personal information from message \(\mathsf {m}|^{\pi }_{}\) to information in his knowledge base, then he should be able to make the same associations using the corresponding item in \(\mathsf {n}\). The restrictions on \(\mathsf {n}\) in the definition below guarantee that this is indeed the case:

Definition 14

Let \(\{\mathcal {C}_x\}_{x\in \mathcal {A}}\) be a state, and \(a\in \mathcal {A}\) an actor. Context message \(\mathsf {m}\) is determinable by \(a\) in \(\{\mathcal {C}_x\}_{x\in \mathcal {A}}\) if there exists a context message \(\mathsf {n}\equiv \mathsf {m}\) such that \(\mathcal {C}_a\vdash \mathsf {n}\), and the following conditions hold:

  1. Whenever \(\mathsf {m}@z\) is determined, then \(\mathsf {m}@z=\mathsf {n}@z\);

  2. Whenever \(\mathsf {m}@z_1=\mathsf {m}@z_2\), then \(\mathsf {n}@z_1=\mathsf {n}@z_2\);

  3. If \(\mathsf {m}@z=d|^{\kappa }_{k}\) (\(k\ne \cdot \)) and some \(e|^{\eta }_{k}\in \mathsf {I}^c\cup \mathsf {D}^c\) is determined, then \(\mathsf {n}@z \leftrightarrow _{a} e|^{\eta }_{k}\);

  4. If \(\mathsf {m}@z_1=d|^{\kappa }_{k}\), \(\mathsf {m}@z_2=d'|^{\kappa }_{k}\) (\(k\ne \cdot \)), and no \(e|^{\eta }_{k}\in \mathsf {I}^c\cup \mathsf {D}^c\) is determined, then \(\mathsf {n}@z_1 \leftrightarrow _{a} \mathsf {n}@z_2\).

Condition 1 states that the actor cannot replace determined items; condition 2 states that he should replace items consistently. Conditions 3 and 4 make sure that actors cannot learn new associations by using \(\mathsf {n}\) as \(\mathsf {m}\): condition 3 applies to contexts already used in previous communication, and condition 4 applies to previously unused contexts. For determined messages, determinability and detectability coincide.

The following example demonstrates determinability:

Example 11

Consider the state \(\{\mathcal {C}^0_x\}_{x\in \mathcal {A}}\) from Example 10. The client’s message \(\mathsf {m}=E'_{shkey|^{}_{\cdot }}(id|^{}_{su})|^{\pi }_{}\) is determinable by \(cli\) in this state. Namely, take \(\mathsf {n}=E'_{skey|^{\cdot }_{\cdot }}(id|^{ab}_{4})\). Then \(\mathsf {m}\equiv \mathsf {n}\), and this message trivially satisfies conditions 1–4 of the definition.

Also, the server’s reply to this message is determinable. Namely, consider the state \(\{\mathcal {C}^1_x\}_{x\in \mathcal {A}}\) that \(\{\mathcal {C}^0_x\}_{x\in \mathcal {A}}\) evolves into. The server’s knowledge base is

$$\begin{aligned} \mathcal {C}^1_{srv}=\mathcal {C}^0_{srv}\cup \{ip|^{\cdot }_{cli}, ip|^{\cdot }_{srv},E'_{shkey|^{}_{\cdot }}(id|^{}_{su})|^{\pi }_{}\}, \end{aligned}$$

and the server’s reply is

$$\begin{aligned} \mathsf {m}=E'_{shkey|^{}_{\cdot }}(\{age|^{}_{su},n|^{}_{\cdot },S_{k^-|^{}_{srv}}(\{age|^{}_{su},n|^{}_{\cdot }\})\})|^{\pi }_{}. \end{aligned}$$

Indeed, one can verify that

$$\begin{aligned} \mathsf {n}=E'_{shkey|^{\pi }_{\cdot }}(\{col1|^{db}_{1},n|^{\cdot }_{\cdot },S_{k^-|^{\pi }_{srv}}(\{col1|^{db}_{1},n|^{\cdot }_{\cdot }\})\}) \end{aligned}$$

satisfies the conditions from the above definition. Namely, no determined items from \(\mathsf {m}\) have been replaced in \(\mathsf {n}\) (condition 1); both occurrences of \(age|^{\pi }_{su}\) have been replaced by the same item and similarly for \(n|^{\pi }_{\cdot }\) (condition 2); and \(col1|^{db}_{1}\leftrightarrow _{srv}id|^{\pi }_{su}\), i.e. the message contains only associations known by \(srv\) (condition 3). Condition 4 holds trivially because there are no two context items satisfying the given condition.

Trace validity is defined step-by-step from the validity of its message transmissions. A message transmission consists of identifiers \(\mathsf {a},\mathsf {b}\) of the communication parties and communicated message \(\mathsf {m}\). For validity, we require determinability both of the message and of the communication identifiers. This way, we check that both the knowledge required to send the message, and the knowledge of where to send the message to, have been modelled. Formally, for a basic message transmission \(\mathsf {a}\rightarrow \mathsf {b}:\mathsf {m}\), this means determinability by the sender of the context message \(\{\mathsf {m},\mathsf {a},\mathsf {b}\}\). For the other two types of the form \({\mathsf {a}}\mapsto {\mathsf {b}}:{\mathsf {m}}\) modelling cryptographic protocols, both actors contribute information: the initiator of the protocol should determine the sender and receiver addresses \(\mathsf {a}\), \(\mathsf {b}\), and both parties contribute parts of \(\mathsf {m}\):

Definition 15

Let \(\{\mathcal {C}_x\}_{x\in \mathcal {A}}\) be a state, and \(\mathfrak {t}\) a message transmission. Let \(\mathfrak {t}=\mathsf {a}\rightarrow \mathsf {b}:\mathsf {m}\) or \({\mathsf {a}}\mapsto {\mathsf {b}}:{\mathsf {m}}\), and let \(a,b\in \mathcal {A}\) be the actors such that \(a\leftrightarrow \sigma (\mathsf {a})\), \(b\leftrightarrow \sigma (\mathsf {b})\). We say that \(\mathfrak {t}\) is valid in \(\{\mathcal {C}_x\}_{x\in \mathcal {A}}\) if the messages indicated in Table 7 are determinable by \(a\) and \(b\), respectively. Trace \(\mathfrak {t}_1;\cdots ;\mathfrak {t}_k\) is valid in state \(\{\mathcal {C}^0_x\}_{x\in \mathcal {A}}\) if, in the evolution

$$\begin{aligned} \{\mathcal {C}^0_x\}_{x\in \mathcal {A}} \mathop {\rightarrow }\limits ^{\mathfrak {t}_1} \{\mathcal {C}^1_x\}_{x\in \mathcal {A}} \mathop {\rightarrow }\limits ^{\mathfrak {t}_2} \cdots \mathop {\rightarrow }\limits ^{\mathfrak {t}_n} \{\mathcal {C}^n_x\}_{x\in \mathcal {A}}, \end{aligned}$$

each message transmission \(\mathfrak {t}_i\) is valid in respective state \(\{\mathcal {C}^{i-1}_x\}_{x\in \mathcal {A}}\).

Table 7 Determinability requirements for the different types of message transmissions

For ZK proofs, the prover needs to know the private information for the proof and both parties contribute randomness. Note that to participate in the protocol, the verifier does not need to know the public information or the properties to be proven; however, he does need to know this information to be able to interpret the proof (i.e. to apply the testing rule). For credential issuing, the user needs to know her secret identifier \(\mathsf {m}_1\), randomness, and the issuer’s public key; the issuer needs to know his private/public key pair, the attributes to be signed, and additional randomness.

The following example highlights validity of message transmissions and traces.

Example 12

Consider the trace given in Example 10. In Example 11, we showed determinability of the two messages transmitted in the trace; this argument can be easily extended to conclude determinability of the messages \(\{\mathsf {a},\mathsf {b},\mathsf {m}\}\) from Definition 15, and hence validity of the two message transmissions. We conclude that the trace is valid.

Trace validity is implemented in the tool supporting our framework. We briefly discuss the implementation. The main task in implementing trace validity is to check for determinability of a message \(\mathsf {m}\); that is, to find a derivable message \(\mathsf {n}\) that is equivalent to \(\mathsf {m}\) and satisfies properties (1)–(4) from Definition 14. Properties (1) and (2) place restrictions on the form of the message, which can be expressed in terms of free variables in a Prolog query to the deductive system. For properties (3) and (4), we check associability as in Sect. 3.3.
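As an added illustration of Definition 15 and of the implementation sketch above (this is not the paper's Prolog tool), the following Python models a state as one set of context messages per actor, saturates each set under the ZK elimination rules described in Appendix B.1, and checks every transmission against the determinability requirements stated in the text: for a basic transmission \(\mathsf {a}\rightarrow \mathsf {b}:\mathsf {m}\) the sender needs \(\{\mathsf {m},\mathsf {a},\mathsf {b}\}\); for a ZK proof the prover needs \(\{\mathsf {a},\mathsf {b},\mathsf {m}_1,\mathsf {n}_p\}\) and the verifier needs \(\mathsf {n}_v\). Assumptions: determinability is approximated by derivability (properties (1)–(4) of Definition 14 and associability are not checked), a public key \(\mathsf {pk}(\mathsf {k}^-)\) is constructible from \(\mathsf {k}^-\), and the actor names, key and nonces in the demo are constructed.

```python
"""Step-by-step trace validity over a small symbolic message algebra.

Added example, not the paper's tool. Assumptions: determinability is
approximated by derivability; rules are the ZK elimination rules EZ_1'..EZ_5'
of Appendix B.1, construction of pk(k) from k, and construction of a ZK
transcript from {m1, n_p, n_v} (CZ'). Names in demo() are constructed.
"""


def pk(k):
    """Public key pk(k^-) as a term."""
    return ('pk', k)


def zk(m1, m2, m3, n_p, n_v):
    """Transcript ZK(m1; m2; m3; {n_p, n_v}) as a term."""
    return ('zk', m1, m2, m3, n_p, n_v)


def close(knowledge):
    """Saturate a set of context messages under the elimination rules:
    EZ_1' (properties m3), EZ_2' (verifier randomness n_v), EZ_3' (public
    information m2, an over-approximation), EZ_4' (secret m1 given n_p),
    EZ_5' (prover randomness n_p given m1)."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if isinstance(t, tuple) and t[0] == 'zk':
                _, m1, m2, m3, n_p, n_v = t
                derived = {m3, n_v, m2}
                if n_p in known:
                    derived.add(m1)
                if m1 in known:
                    derived.add(n_p)
                if not derived <= known:
                    known |= derived
                    changed = True
    return known


def derivable(m, knowledge):
    """Goal-directed check (the role of the Prolog query): m is in the
    closure of the knowledge, or is constructible from derivable parts."""
    if m in close(knowledge):
        return True
    if isinstance(m, tuple):
        if m[0] == 'pk':                      # pk(k) from k
            return derivable(m[1], knowledge)
        if m[0] == 'zk':                      # CZ': needs m1, n_p and n_v
            _, m1, _m2, _m3, n_p, n_v = m
            return all(derivable(x, knowledge) for x in (m1, n_p, n_v))
    return False


def requirements(t):
    """Determinability requirements per transmission type, as stated in the
    text for Table 7: ('send', a, b, m) and ('zk', a, b, transcript)."""
    kind, a, b, m = t
    if kind == 'send':
        return {a: {m, a, b}}
    if kind == 'zk':
        _, m1, _m2, _m3, n_p, n_v = m
        return {a: {a, b, m1, n_p}, b: {n_v}}
    raise ValueError("unknown transmission type: %r" % kind)


def check_trace(state, trace):
    """Definition 15: check each transmission in the state reached so far.
    Returns (valid, failures, final_state); failures are (step, actor,
    message) triples for messages the actor cannot determine. After a valid
    transmission both parties observe the message (the state evolution)."""
    state = {x: set(k) for x, k in state.items()}
    failures = []
    for i, t in enumerate(trace, 1):
        for actor, needs in requirements(t).items():
            failures += [(i, actor, m) for m in needs
                         if not derivable(m, state[actor])]
        if failures:
            return False, failures, state
        _kind, a, b, m = t
        state[a].add(m)
        state[b].add(m)
    return True, failures, state


def demo():
    """a sends its public key, then proves knowledge of the private key."""
    k, n_p, n_v = 'k_a', 'n_p', 'n_v'             # constructed names
    initial = {'a': {'a', 'b', k, n_p}, 'b': {'a', 'b', n_v}}
    proof = zk(k, pk(k), 'no_properties', n_p, n_v)
    trace = [('send', 'a', 'b', pk(k)),            # a -> b : pk(k^-)
             ('zk', 'a', 'b', proof)]              # a |-> b : ZK(k^-; pk(k^-); {}; {n_p, n_v})
    return check_trace(initial, trace)


if __name__ == "__main__":
    valid, failures, final = demo()
    print("valid:", valid, "failures:", failures)
    print("verifier learns k_a:", 'k_a' in close(final['b']))
```

The final state shows the privacy point of the appendix: the verifier's closure contains \(\mathsf {n}_v\), the public key and the (empty) properties, but not the private key; only a coalition that also holds \(\mathsf {n}_p\) derives it via \((\vdash \!\!\mathbf{EZ}_4')\).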

Appendix B: Inference rules for zero-knowledge proofs and credential issuing

In this appendix, we show how our models of ZK proofs and the credential issuing protocol are derived.

1.1 B.1 Zero-knowledge proofs

ZK proofs allow a prover to prove to a verifier that he knows some secret information satisfying certain properties with respect to some public information, without revealing any information about the secret. For instance, consider a large group of prime order \(n\) generated by a group element \(g\). Given a group element \(h\), it is infeasible (under the discrete logarithm assumption) to determine the discrete logarithm \(x=\log _{g}\!h\); this property can be exploited to build a public key cryptosystem in which values of \(h\) are public keys, and the corresponding values of \(x\) are private keys. A prover who knows \(x\) as well as \(n\), \(g\), and \(h\) can engage in a ZK proof protocol with a verifier who just knows \(n\), \(g\), and \(h\); when the protocol has finished successfully, the verifier is convinced that the prover knows the value of \(x\), without learning anything about its value.

The general definition of ZK proofs leaves open different kinds of implementations; we model a particular kind of ZK proof called \(\Sigma \)-protocols [41]. \(\Sigma \)-protocols are three-move protocols in which the prover first sends a commitment; the verifier responds with a randomly generated challenge; and finally the prover sends a response. The ZK proofs used in the systems analysed [8, 24, 25, 51] are of this kind.

An example \(\Sigma \)-protocol is the protocol proposed by Schnorr to prove knowledge of \(x=\log _{g}\!h\) in the setting given above (Fig. 19a). The prover chooses a random \(u\) and sends the commitment \(a=g^u\) to the verifier. The verifier responds with a random challenge \(c\). The prover calculates the response \(r=u+cx \pmod n\). The verifier convinces himself that the prover indeed knows the secret \(x\) by checking that \(g^r = ah^c\) using the response, commitment, and public information. A prover who does not know \(x\) cannot answer more than one challenge for the same commitment (special soundness, discussed below), and the response reveals no information about \(x\) [85].

Fig. 19

Schnorr proof of knowledge and its formal model. a Schnorr proof of knowledge. b Formal model of Schnorr proof

We formally model ZK proofs at a high level using the primitive \(\text {ZK}(\mathsf {m}_1;\mathsf {m}_2;\mathsf {m}_3;\mathsf {n})\). The secret information \(\mathsf {m}_1\) and public information \(\mathsf {m}_2\) are described in terms of messages; the ZK proof proves that the public information has a certain message structure with respect to the secret information. In addition, the proof can show that context data items \(\mathsf {d}\) occurring in \(\mathsf {m}_1\) satisfy properties \(\psi _k(\mathsf {d})\), listed in \(\mathsf {m}_3\). Finally, \(\mathsf {n}\) represents randomness; in \(\Sigma \)-protocols, \(\mathsf {n}=\{\mathsf {n}_p,\mathsf {n}_v\}\), representing the prover's randomness \(\mathsf {n}_p\) for the commitment and the verifier's randomness \(\mathsf {n}_v\) for the challenge. For instance, \(\mathsf {ZK}(\mathsf {k}^-;\mathsf {pk}(\mathsf {k}^-);\varnothing ;\{\mathsf {n}_p,\mathsf {n}_v\})\) is a proof of knowledge of the private key \(\mathsf {k}^-\) corresponding to public key \(\mathsf {pk}(\mathsf {k}^-)\) with no properties and contributed randomness \(\mathsf {n}_p,\mathsf {n}_v\). From this high-level description in terms of structure of messages, the low-level description follows implicitly. For instance, in a setting where public/private key pairs are of the form \((h,x=\log _g h)\), the proof \(\mathsf {ZK}(\mathsf {k}^-;\mathsf {pk}(\mathsf {k}^-);\) \(\varnothing ;\{\mathsf {n}_p,\mathsf {n}_v\})\) corresponds to a proof of knowledge of the discrete logarithm \(x=\log _g h\) of \(h\), such as the Schnorr protocol. Figure 19 shows the Schnorr protocol and its formal model in this setting.

In Fig. 20, we present a set of inference rules for the ZK primitive. We first explain them and then argue that for privacy purposes and under certain assumptions, it suffices to consider the smaller set of rules presented in Fig. 4. We first discuss what messages can be derived from a ZK transcript \(\text {ZK}(\mathsf {m}_1;\mathsf {m}_2;\mathsf {m}_3;\{\mathsf {n}_p,\mathsf {n}_v\})\) using elimination and testing rules. The property proven by a ZK proof determines the format of the messages in the ZK proof protocol. Hence, we allow any actor to derive the properties \(\mathsf {m}_3\) from the transcript \((\vdash \!\!\mathbf{EZ}_1')\). (Because different properties may have identically looking ZK proof protocols, this is an over-approximation of knowledge.) The verifier randomness \(\mathsf {n}_v\) is transmitted as challenge and so can be derived from the transcript \((\vdash \!\!\mathbf{EZ}_2')\). Because both parties are assumed to know \(\mathsf {m}_2\) before the start of a ZK proof, it does not need to follow from the transcript. However, depending on the protocol, it may be possible to derive \(\mathsf {m}_2\). For example, in the Schnorr protocol the verification equation \(g^r=ah^c\) gives \(h^c=g^r a^{-1}\), so for \(c\ne 0\) the public key is \(h=(g^r a^{-1})^{c^{-1}\bmod n}\). Hence, as a possible over-approximation, we allow any observer to derive the public information \(\mathsf {m}_2\) \((\vdash \!\!\mathbf{EZ}_3')\).

Fig. 20

Complete set of inference rules for ZK (\(\mathcal {C}_a\) a set of context messages; \(\mathsf {m}_*\), \(\mathsf {n}_*\) context messages; \(\mathsf {p}_i\) properties of \(\mathsf {m}_k\), i.e. every \(\mathsf {p}_i=\psi _j(\mathsf {m}_k)\in \mathsf {D}^c\) for some \(j\), \(k\))

The fact that the protocol is zero-knowledge means that a verifier (who knows \(\mathsf {m}_2\), \(\mathsf {m}_3\) and \(\mathsf {n}_v\)) should not be able to learn anything about \(\mathsf {m}_1\). In fact, if there are several possible secrets \(\mathsf {m}_1\) corresponding to public information \(\mathsf {m}_2\), then the probability distribution for protocol transcripts is required to be independent from \(\mathsf {m}_1\). Thus, it is impossible to test \(\mathsf {m}_1\) from the transcript. (Of course, if \(\mathsf {m}_2\) determines \(\mathsf {m}_1\), e.g. if they are a public/private key pair, then \(\mathsf {m}_1\) can be derived using \(\mathsf {m}_2\), but this is not due to the ZK proof.) Because the verifier, who knows all components of the ZK proof except \(\mathsf {m}_1\) and \(\mathsf {n}_p\), cannot deduce anything about the secret \(\mathsf {m}_1\), any inference rule to derive it needs to have \(\mathsf {n}_p\) as a prerequisite. By a similar line of reasoning, if \(\mathsf {m}_1\) can be derived from \(\mathsf {n}_p\), then an inference rule for \(\mathsf {n}_p\) needs \(\mathsf {m}_1\) or it needs to be a testing rule. In the Schnorr proof, and in \(\Sigma \)-protocols in general, all these inferences can in fact be made: \(\mathsf {m}_1\) can be derived directly from the transcript and \(\mathsf {n}_p\) \((\vdash \!\!\mathbf{EZ}_4')\) (for Schnorr, \(x=(r-u)c^{-1} \bmod n\)) and vice versa \((\vdash \!\!\mathbf{EZ}_5')\) (\(u=r-cx \bmod n\)), and a candidate \(\mathsf {n}_p\) can be tested against the commitment \((\vdash \!\!\mathbf{TZ}_2')\) (\(g^u=a\)).

To generate a transcript \(\text {ZK}(\mathsf {m}_1;\mathsf {m}_2;\mathsf {m}_3;\{\mathsf {n}_p,\mathsf {n}_v\})\) of a \(\Sigma \)-protocol, an actor needs \(\mathsf {n}_p\) for the commitment; \(\mathsf {n}_v\) for the challenge; and both pieces of randomness and the private information \(\mathsf {m}_1\) for the response \((\vdash \mathbf{\!\!CZ' })\). (Technically, the public information is not needed.) Similarly, for determinability of the message transmission \({\mathsf {a}}\mapsto {\mathsf {b}}:{\text{ ZK }(\mathsf {m}_1{;}\mathsf {m}_2{;}\mathsf {m}_3{;}}\) \(\{\mathsf {n}_p{,}\mathsf {n}_v\})\), the prover needs \(\{\mathsf {m}_1,\mathsf {n}_p\}\) in addition to the communication addresses \(\{\mathsf {a},\mathsf {b}\}\); the verifier needs \(\mathsf {n}_v\).

There are two aspects the above model does not take into account. First, from two ZK proofs using the same prover randomness, the secret can be derived: in case of the Schnorr proof, by computing \(x=(r-r')/(c-c') \bmod n\) from transcripts \((a,c,r)\) and \((a,c',r')\) with \(c\ne c'\). This is a general property of \(\Sigma \)-protocols called special soundness. However, if the prover always honestly generates fresh randomness, a repeated commitment occurs only with negligible probability and we can safely ignore it. Second, an actor can also "simulate" a ZK proof transcript without knowing the secret information by first generating the challenge and response and from those determining the commitment (for Schnorr, \(a=g^r h^{-c}\)). Such a simulation has the exact same form as a ZK proof, but because the randomness in the commitment is unknown, it cannot be used to derive a secret corresponding to the public information. Such simulations are very unlikely to correspond to ZK proofs that really took place, so they are not relevant for knowledge analysis.

To express privacy requirements, the knowledge of randomness is not directly relevant. In addition, assuming that the randomness of the ZK proof is freshly generated and not reused elsewhere, it is clear that it cannot help to derive information indirectly: \((\vdash \!\!\mathbf{EZ}_4')\) is the only rule to derive personal information (namely, \(\mathsf {m}_1\)) using randomness, and it has knowledge of \(\mathsf {n}_p\) as prerequisite, which can only be derived when \(\mathsf {m}_1\) is already known. Ignoring rules \((\vdash \!\!\mathbf{EZ}_2')\), \((\vdash \!\!\mathbf{EZ}_5')\), we obtain the inference rules given in Fig. 4 and determinability requirements in Table 7.

1.2 B.2 Anonymous credentials and issuing

In an anonymous credential system, credentials \(\text {cred}^{M_1}_{\mathsf {k}^-}(M_2;M_3)\) assert the link between a user’s identifier \(M_1\) and her attributes \(M_2\) using secret key \(\mathsf {k}^-\), and such credentials are issued and shown anonymously [24]. Anonymous issuing means the issuer of the credential does not learn the user’s identifier \(M_1\) (in particular, this means he cannot issue credentials containing the identifier without the user’s involvement). We model the issuing protocol by the \(\text {ICred}^{M_1}_{\mathsf {k}^-}(M_2;M'_3)\) primitive. The randomness \(M'_3\) used in the issuing protocol determines the randomness \(M_3\) in the credential. Anonymous showing means that it is possible to perform ZK proofs of ownership of a credential proving certain properties. This is captured by our \(\text {ZK}\) primitive.

We model anonymous credential systems constructed from signature schemes [24, 25] as used in the Identity Mixer system [8]. In general, this construction is possible if the signature scheme allows for issuing of signatures on committed values (Fig. 21). That is, a commitment \(S^0_{\mathsf {k}^-}(\mathsf {m}_1,\mathsf {n}_a)\) to message \(\mathsf {m}_1\) using randomness \(\mathsf {n}_a\) is constructed using public key \(\mathsf {pk}(\mathsf {k}^-)\) \((\vdash \!\!\mathbf{CS}^0)\); this commitment is turned into signature \(S_{\mathsf {k}^-}(\mathsf {m}_1,\mathsf {m}_2,\mathsf {n}_a,\mathsf {n}_b)\) using private key \(\mathsf {k}^-\), message \(\mathsf {m}_2\) and randomness \(\mathsf {n}_b\), \((\vdash \!\!\mathbf{CS}^{0'})\). Based on such a scheme, an anonymous credential \(\text {cred}^{\mathsf {m}_1}_{\mathsf {k}^-}(\mathsf {m}_2;\{\mathsf {n}_a,\mathsf {n}_b\})\) is simply a randomised signature (containing secret identifier \(\mathsf {m}_1\) and attributes \(\mathsf {m}_2\)) along with its used randomness. In the Identity Mixer system, two such signature schemes can be used: SRSA-CL signatures [24] and BM-CL signatures [25]. There are slight technical differences between the two; we discuss SRSA-CL signatures and briefly outline the differences later.

Fig. 21

Inference rules for signature scheme with signatures on committed values (\(\mathcal {C}_a\) a set of context messages; \(\mathsf {k}^-\), \(\mathsf {m}_*\), \(\mathsf {n}_*\) context messages)

The anonymous credential issuing protocol can be modelled as a trace in terms of the signature scheme (Fig. 22a). It involves a user \(\mathsf {a}\) and an issuer \(\mathsf {b}\). As before, \(\mathsf {a}\) is assumed to have sent a commitment \(\mathcal {H}(\mathsf {m}_1,\mathsf {n}_1)\) to her secret identifier to \(\mathsf {b}\) prior to initiating the protocol (Unlike the commitment \(S^0_{\mathsf {k}^-}(\mathsf {m}_1,\mathsf {n}_2)\) for the signature, \(\mathcal {H}(\mathsf {m}_1,\mathsf {n}_1)\) does not depend on \(\mathsf {k}^-\) and can thus be shared with other issuing or showing protocols for credentials having a different key). In the first two messages, actor \(\mathsf {a}\) provides her commitment for the signature and then proves that it is formed correctly; that is, it indeed contains the identifier corresponding to the one in \(\mathcal {H}(\mathsf {m}_1,\mathsf {n}_1)\). Actor \(\mathsf {b}\) uses the commitment to construct a signature on \(\{\mathsf {m}_1,\mathsf {m}_2,\mathsf {n}_2,\mathsf {n}_5\}\) and sends the signature along with his randomness to \(\mathsf {a}\). At this point, \(\mathsf {a}\) knows the signature and the two pieces of randomness used in it: these three components together form the anonymous credential, as shown in the figure (Note that \(\mathsf {b}\) does not know \(\mathsf {n}_2\), so he does not have the complete credential). In the last step, the signer \(\mathsf {b}\) proves that \(S_{\mathsf {k}^-}(\mathsf {m}_1,\mathsf {m}_2,\mathsf {n}_2,\mathsf {n}_5)\) is valid; when using the SRSA-CL signature scheme, this step is technically needed to ensure the security of the signature [8]. Figure 22b displays our high-level model of the issuing protocol and the credential obtained from it.

Fig. 22

Anonymous credentials from signature scheme with signatures on committed values. a Issuing protocol for anonymous credentials. b Formal model of anonymous credential issuing protocol

The high-level inference rules (Fig. 4) and determinability relation (Table 7) for \(\text {cred}\) and \(\text {ICred}\) follow from the lower-level model in Fig. 22a. The credential’s signature can be verified using messages \(\{\mathsf {pk}(\mathsf {k}^-),\mathsf {m}_1,\mathsf {m}_2\}\), and a credential can be constructed from its components \((\vdash \mathbf{\!\!CR })\). Although randomness can be inferred from the credential, we do not model these inferences in the high-level model because they are not relevant for knowledge of personal information.

From the issuing protocol, the user can infer the credential using the randomness from the credential \((\vdash \!\!\mathbf{EI}_1)\). We check the messages of the trace for further possible inferences. For the two ZK proofs, \((\vdash \!\!\mathbf{EZ}_1)\) does not apply because there are no proofs of properties. The \((\vdash \!\!\mathbf{EZ}_2)\) rule can be applied to both ZK proofs occurring in the issuing protocol; this translates to rules \((\vdash \!\!\mathbf{EI}_2)\) and \((\vdash \!\!\mathbf{EI}_3)\). We also consider the derivation of the nonces \(\mathsf {n}_1\), \(\mathsf {n}_2\) \((\vdash \!\!\mathbf{EI}_2)\): \(\mathsf {n}_1\) is generated outside of the issuing protocol, so its derivation may be of interest; \(\mathsf {n}_2\) is a prerequisite for \((\vdash \!\!\mathbf{EZ}_2)\). Rule \((\vdash \!\!\mathbf{EZ}_3)\) gives \((\vdash \!\!\mathbf{EI}_4)\). We do not add a rule to derive \(S^0_{\mathsf {k}^-}(\mathsf {m}_1,\mathsf {n}_2)\) from the transcript because its knowledge is not relevant from a privacy point of view. Also, this message does not allow the derivation of any information that was not already derivable from the zero-knowledge proofs. However, it does give testing rule \((\vdash \!\!\mathbf{TI}_2)\). Testing rules \((\vdash \!\!\mathbf{TI}_1)\) and \((\vdash \!\!\mathbf{TI}_3)\) follow from the first message transmission. The other testing rules \((\vdash \!\!\mathbf{TI}_4)\), \((\vdash \!\!\mathbf{TI}_5)\) follow from the corresponding testing rule \((\vdash \!\!\mathbf{TZ}_1)\) for zero-knowledge proofs.

Finally, consider \(\text{ ICred }_{\mathsf {k}^-}^{\mathsf {m}_1}(\mathsf {m}_2;\{\mathsf {n}_i\}_{i=1}^7)\)’s determinability requirements. Assuming fresh nonces, determinability of \(\{\mathsf {a},\mathsf {b},\mathsf {pk}(\mathsf {k}^-),\mathsf {m}_1,\mathsf {n}_2\}\) by \(\mathsf {a}\) is required for the first message transmission. For the first ZK proof, determinability by \(\mathsf {a}\) of \(\mathsf {n}_1\) and \(\mathsf {n}_3\) is required; and determinability by \(\mathsf {b}\) of \(\mathsf {n}_4\). The next message means determinability of \(\{\mathsf {k}^-,\mathsf {m}_2,\mathsf {n}_5\}\) by \(\mathsf {b}\). The last ZK proof additionally means determinability of \(\{\mathsf {pk}(\mathsf {k}^-),\mathsf {n}_6\}\) by \(\mathsf {b}\), and \(\mathsf {n}_7\) by \(\mathsf {a}\). We get the determinability requirements given in Table 7. Note that technically, \(\mathsf {a}\) does not need \(\mathsf {m}_2\) to run the protocol, and \(\mathsf {b}\) does not need \(\mathcal {H}(\mathsf {m}_1,\mathsf {n}_1)\); however, in practice, they will check whether the data supplied matches their expectations using the checks expressed by the testing rules.

We mention two modelling details regarding the use of SRSA-CL signatures for anonymous credentials. First, the last ZK proof in the issuing trace is technically not a proof of knowledge of the private key, but of the RSA inverse of part of the issuer’s randomness. However, in terms of knowledge, this proof is equivalent because the private key can be determined from the RSA inverse and vice versa [18]. Second, due to the structure of the signature, different choices for \(\mathsf {n}_a\) and \(\mathsf {n}_b\) can lead to content equivalent signatures. However, assuming \(\mathsf {n}_a\) and \(\mathsf {n}_b\) are chosen at random, this happens with negligible probability.

Finally, an alternative signature scheme supporting signatures on committed values is the BM-CL scheme [25]. There are two technical differences with the SRSA-CL-based system presented above. First, BM-CL signatures have the additional property that they allow “blinding”: a user can turn a valid credential \(\text {cred}^{\mathsf {m}_1}_{\mathsf {k}^-}(\mathsf {m}_2;\{\mathsf {n}_a,\mathsf {n}_b\})\) into a different credential \(\text {cred}^{\mathsf {m}_1}_{\mathsf {k}^-}(\mathsf {m}_2;\{\mathsf {n}'_a,\mathsf {n}_b\})\) (however, she is not able to change randomness \(\mathsf {n}_b\)). Second, the final ZK proof in the issuing protocol of Fig. 22 is not necessary for a BM-CL-based scheme. We chose the SRSA-CL-based signature scheme because the high-level model is simpler; however, in terms of privacy, the choice of signature scheme does not matter.

Cite this article

Veeningen, M., de Weger, B. & Zannone, N. Data minimisation in communication protocols: a formal analysis framework and application to identity management. Int. J. Inf. Secur. 13, 529–569 (2014). https://doi.org/10.1007/s10207-014-0235-z
