Rethinking Identification Protocols from the Point of View of the GDPR

  • Mirosław Kutyłowski
  • Łukasz Krzywiecki
  • Xiaofeng Chen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11527)


An identification protocol has to deliver a proof that the protocol participants are who they claim to be. Depending on the circumstances, the proof must be sufficiently convincing for the addressee. On the other hand, as far as the data minimality principle is concerned, the proof should be useless for any party that is not the intended addressee. While the first goal has attracted a lot of attention, the second one has been rather neglected.

In this paper we discuss requirements for identification protocols from the point of view of the privacy protection requirements of the GDPR regulation introduced in Europe. We consider the problem of cryptographic data created by identification protocols being misused as evidence presented to third parties. In particular, we consider the case where a malicious participant appears to follow the protocol, yet the privacy protection guarantees supposedly provided by the scheme are effectively broken.

We show that, from the point of view of the GDPR, classical schemes such as static Diffie-Hellman, Schnorr, Wu, Stinson-Wu, and Di Raimondo-Gennaro fail to comply with the EU Regulation even if they are deniable.


Keywords: Identification scheme, Privacy protection, GDPR, Attack, Deniability, Simulatability



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Mirosław Kutyłowski (1, 2)
  • Łukasz Krzywiecki (1)
  • Xiaofeng Chen (2)

  1. Department of Computer Science, Faculty of Fundamental Problems of Technology, Wrocław University of Technology, Wrocław, Poland
  2. School of Cyber Engineering, Xidian University, Xi’an, People’s Republic of China
