Concurrently-secure credential ownership proofs
We address the case in credential systems where a credential owner wants to show her credential to a verifier without taking the risk that the ability to prove ownership of the same (and any other) credential is transferred to the verifier. We define credential ownership proof protocols for credentials signed by standard signature schemes. We also propose proper security definitions for the protocol, aiming to protect the security of both the credential issuer and the credential owner against concurrent attacks. We give two generic constructions of credential ownership proofs based on identity-based encryption and identity-based identification schemes. Furthermore, we show that signatures with credential ownership proofs are equivalent to identity-based identification schemes, in the sense that any secure construction of each implies a secure construction of the other. Finally, we show that the GQ identification protocol yields an efficient credential ownership proof for credentials signed by the RSA-FDH signature scheme of Bellare and Rogaway and prove the protocol concurrently-secure.
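As an added illustration (not code from the paper), the sketch below runs the textbook GQ three-move protocol with an RSA-FDH signature as the prover's secret, so the owner shows she holds sigma = H(m)^d mod N without sending sigma. The toy key, the `fdh` construction and all function names are assumptions made for this example; the paper's own protocol details and its concurrent-security proof are not reproduced here.

```python
import hashlib
import secrets

# Constructed toy RSA key (two Mersenne primes); far too small and structured for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # E is prime, as GQ requires
D = pow(E, -1, (P - 1) * (Q - 1))        # issuer's private exponent

def fdh(msg: bytes) -> int:
    """Full-domain-hash sketch (assumed): counter-expanded SHA-256 reduced mod N."""
    stream = b"".join(hashlib.sha256(bytes([i]) + msg).digest() for i in range(2))
    return int.from_bytes(stream, "big") % N

def issue(msg: bytes) -> int:
    """Issuer: RSA-FDH signature sigma = H(m)^d mod N, i.e. the credential."""
    return pow(fdh(msg), D, N)

class Owner:
    """Prover: holds sigma and never transmits it."""
    def __init__(self, sigma: int):
        self.sigma = sigma

    def commit(self) -> int:
        self.r = secrets.randbelow(N - 2) + 2    # fresh randomness for every run
        return pow(self.r, E, N)                 # R = r^e mod N

    def respond(self, c: int) -> int:
        return (self.r * pow(self.sigma, c, N)) % N   # z = r * sigma^c mod N

def verify(msg: bytes, commitment: int, c: int, z: int) -> bool:
    """Verifier: accept iff z^e == R * H(m)^c (mod N)."""
    return pow(z, E, N) == (commitment * pow(fdh(msg), c, N)) % N

def run_proof(msg: bytes, sigma: int) -> bool:
    """One honest-verifier run: commit, random challenge in [0, e), respond, check."""
    owner = Owner(sigma)
    commitment = owner.commit()
    c = secrets.randbelow(E)
    return verify(msg, commitment, c, owner.respond(c))

if __name__ == "__main__":
    cred = b"alice: member since 2007"           # constructed credential text
    sigma = issue(cred)
    print("owner accepted:", run_proof(cred, sigma))
    print("wrong secret accepted:", run_proof(cred, (sigma + 1) % N))
```

A prover without sigma can still pass a single run by guessing the challenge in advance, which happens with probability 1/e; reusing `r` across two runs with different challenges reveals sigma.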