Secure offline legitimation systems

rganizing the interdependencies within and between communities is one of the ongoing challenges of mankind. Once organizations are formed, companies run their businesses, and a legal system is in place, there is an urgent need for procedures to perform legally binding transactions. This in turn brings up the need for unforgeable documents or tokens of legitimation. Traditional examples are letters and cheques with handwritten signatures or seals, hard-to-counterfeit bills, drivers licences and passports with hardly removable pictures imprinted, etc. The implementations of legitimations change as the technological paradigms change, but the need for legitimations persists. In information societies, many of the traditional implementations are obsolete because they are no longer efficient and often too costly. In addition, information technology often provides better approximations to the ideal properties of legitimations, e.g. unforgeability. Electronic commerce is one if not the pioneering area where the new implementations of legitimations are developed, tested and put into everyday’s practice. Examples are electronic wallets, phone cards, e-cash, e-tickets, etc. While an amount of money can be regarded as a legitimation to consume a corresponding portion of the national gross product, there are also other kinds of legitimations. This work starts by categorizing them and identifying important examples in real life. Namely, we distinguish personal and coin legitimations. The former cannot be transferred between holders and the latter cannot be used more often than a pre-specified limit. Orthogonal to these categories then are privacy requirements. This is where electronic implementations are really superior to traditional implementations: Not only are they more efficient, but they can achieve more privacy for holders of legitimations than the conventional paper based implementations can. Such electronic implementations have been introduced in 1985 by Chaum [60] as credentials. Holders can get a credential from an issuer and later show it to a verifier without letting the issuer and verifiers recognize that they have issued and verified a credential of the same holder (unlinkability). Although several cryptographic mechanisms for credentials have been suggested since, formal definitions have been given only for the special case of electronic cash. We propose a formal modular framework to define the different categories of credentials sketched above (including electronic cash). Furthermore, we suggest the first mechanism for personal credentials that can be shown many times in an unlinkable way. In order to achieve non-transferability, we suggest the use of O