Restricted Identification Secure in the Extended Canetti-Krawczyk Model

In this paper we consider restricted identification (RI) protocols which enable strong authentication and privacy protection for access control in an unlimited number of domains. A single secret key per user is used to authenticate and derive his identity within any domain, while the number of domains is unlimited and the scheme guarantees unlinkability between identities of the same user in different domains. RI can be understood as an universal solution that may replace unreliable login and password mechanisms. It has to secure against adversaries that gather personal data by working on a global scale, e.g. by breaking into one service for getting passwords that a user frequently re-uses at different places. We consider security of an extended version of the Chip Authentication Restricted Identification (ChARI) protocol presented at the 11th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2012). We preserve the features of ChARI (avoiding the critical security problems of group keys in the RI solution deployed in the German personal identity cards), but provide security proof in the well-studied Canetti-Krawczyk model (such a proof has not been provided for ChARI). Our extension has similar computational complexity as the original ChARI protocol in terms of the number of modular exponentiations.