A Privacy-Preserving 3rd-Party Proxy for Transactions that Use Digital Credentials

In this paper we propose modifications and extensions to the digital credentials issuing and showing protocols to make them appropriate for an e-commerce environment in which the user has only a hand-held constrained device (such as a PDA or a cell phone), with limited memory and processing power. In particular, this device does not hold the digital credentials or conduct the corresponding protocols; this is done by a 3rd party (a proxy) on behalf of the user, who simply needs to authorize the transaction once it is complete. Our proposal frees the user from having to carry the digital credentials and protocol engine with him/her at all times (which may be unrealistic in some environments), while retaining the desired privacy properties (e.g., the 3rd party proxy performs computations on the user´s behalf and participates in the required protocols without learning any of the user´s private information). The complete architecture that we describe also includes mechanisms to prevent the following three forms of attack: password cracking, betrayal, and collusion.