Tracing Attacks on U-Prove with Revocation Mechanism: Tracing Attacks for U-Prove.

IACR Cryptology ePrint Archive (2015)

Abstract

Anonymous credential systems have to provide strong privacy protection: a user may prove his (chosen) attributes without leaking either his identity or other attributes. In this paper we consider U-Prove, one of the major commercial anonymous credential systems. We show that the revocation mechanism designed for U-Prove enables a system provider to efficiently trace the users' activities. Namely, the Revocation Authority run by the system provider may execute the U-Prove protocol in a malicious way so that: (a) the deviations from the protocol remain undetected, (b) the Revocation Authority becomes aware of each single authentication of a user in the whole system and can link them (regardless of which attributes are disclosed by the user against the verifiers), (c) it can link presentation tokens with the corresponding token issuing procedure (under some conditions). Thereby, the system described in the technical drafts of U-Prove does not guarantee privacy protection unless the system provider can be trusted unconditionally. In fact, a malicious provider may convert the Revocation Authority into a "Big Brother" installation.