Attribute-based credentials are a privacy-enhancing technology that allow users to prove things about themselves in a privacy-friendly manner: they allow a user to only reveal the minimal amount of information necessary. To make these credentials easy to use, we recently proposed to place them in a smart phone application. But, what if such a smart-phone is lost or hacked? All of a sudden an attacker may be able to use these credentials to impersonate the user.

Threshold cryptography is often touted as a mechanism to protect keys by sharing the key among different parties. It seems then that threshold cryptography is an excellent candidate to secure the keys of sensitive attribute-based credentials. The challenge, however, is finding trusted parties to distribute keys to. Not everyone has a second device readily available. A central server seems a convenient highly-available second party, however, as I’ll show this talk, the use of a central server is often subject to timing attacks, undermining the user’s privacy.

In the second part of my talk I’ll sketch a solution that makes using threshold cryptographic variants of attribute-based credentials with a phone and a central server privacy-friendly. This new approach protects the privacy of the user against malicious central servers, even if they collude with service providers. At the same time, this approach retain the benefits of threshold cryptography with a central server: it is possible to block keys, stopping attackers from impersonating users.

For non-cryptographers: while this talk does feature a small amount of cryptography, the ideas should be understandable without a lot of experience with cryptography. For the cryptographers: while the ideas presented are simple, proving security and privacy thereof is quite challenging, feel free to ask difficult questions.