How credible is the U-Prove technology?
The cryptographic protocols underlying the U-Prove technology
are being or have been taught in academic courses given at MIT, Harvard
Law School, Carnegie Mellon University, University of San
Diego, Johns Hopkins University, École Normale
Supérieure (ENS Paris), Swiss Federal Institute of
Technology (ETH in Zürich), Helsinki University of
Technology (Finland), Leuven University (Belgium), Aarhus
University (Denmark), and leading technical universities in
Germany. Papers on the cryptographic protocols of the
U-Prove technology have appeared in many
leading cryptography and IT security publications.
Furthermore, The MIT Press has published a book on the mathematical underpinnings of the U-Prove technology.

Do alternative technologies exist with similar features?
The design of practical authentication technologies that preserve
privacy is a challenging research problem that has preoccupied
cryptographers for decades. During the eighties, Dr. David Chaum
published a series of influential papers on security without
identification. While Chaum's work on blind signatures provided
strong privacy, it offered little in the way of security. Following
this seminal work, many professional cryptographers
have broken their teeth on the problem of achieving secure
authentication without sacrificing privacy and efficiency.
The U-Prove technology is widely recognized as the most
powerful and practical solution around. The best alternatives
are mainly of academic interest: they are orders of
magnitude less efficient, offer low degrees of modularity,
and lack many of the security features of the U-Prove technology.
Even if a new technology were invented with comparable benefits,
it would take many years for experts to verify its strength and
practicality. For the U-Prove technology this phase
has already taken place over the past fifteen years.

How long has the U-Prove technology been around?
The U-Prove technology has a long history.
Throughout the nineties the underlying cryptographic protocols were
scrutinized by numerous experts. In addition, well over a dozen
industry leaders have performed due diligence on the technology.
In the past fifteen years, large organizations have also
implemented and tested the cryptographic protocols underlying the
U-Prove technology; notably, from 1993 until
1999 two European industry consortiums (including
Siemens, Gemplus, the Dutch Telecom, the Commercial
Bank of Greece, and the National Bank of Greece)
implemented and piloted a smart card cash system based
on the cryptographic protocols underlying the U-Prove technology.

How does one balance privacy and security?
It is a widespread misconception that privacy and
security are opposite interests that need to be balanced.
Security and privacy are not opposites; they are mutually
reinforcing if implemented properly. Information
privacy can in fact be viewed as a more holistic
approach towards information security. For example,
in a small-scale single-domain access management
context there is no need to protect against insiders;
the insider is the very party that owns and operates
the protected resources. This is no longer true when
you increase the number of resources and the number
of resource users, let alone once you start hooking
up autonomous organizational domains. When you deal
with access control in a multi-domain setting, your
outsiders now all of a sudden include the insiders
of other organizational domains. In this context,
security towards traditional outsiders (i.e., non-participants)
is not enough to adequately protect sensitive information;
security safeguards also need to address corrupted
insiders. The best way to accomplish this is to limit
what insiders can see and do to what is strictly
needed.

What is meant by “unconditional” privacy, and why is it important?
All privacy guarantees of the U-Prove
technology hold in the following sense: they
cannot be violated even if insiders were to
(1) arbitrarily deviate from the protocols, (2) build
backdoors into the system parameters and public keys
of issuing authorities, and (3)
have unlimited computing power at their disposal
to prepare, concert, and execute their protocol attacks
and analyze the resulting data flows. All that each
party needs to trust is that its own client software
(1) follows its part of the protocol specifications,
(2) does not covertly send out additional information,
and (3) uses a source of true randomness whenever
random numbers must be generated. In other words,
each party can locally verify its own privacy rather
than having to trust software or hardware that is
under the control of other parties.
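
The sketch below is an added illustration, not part of the original FAQ and not U-Prove code: it uses Chaum-style RSA blind signing (the scheme mentioned earlier) with a constructed toy key to show what a privacy guarantee against unlimited computing power means. Exhaustive search stands in for that power, and all function names are assumptions made for this example.

```python
import math
import secrets

# Toy RSA issuer key (constructed; far too small for real use).
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def random_unit():
    """Uniform blinding factor from Z_N^*, drawn from the OS CSPRNG."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r

def issue(m):
    """Run one blind issuance; return (issuer_view, token)."""
    r = random_unit()
    blinded = (m * pow(r, E, N)) % N        # user -> issuer
    blind_sig = pow(blinded, D, N)          # issuer -> user
    sig = (blind_sig * pow(r, -1, N)) % N   # user unblinds locally
    assert pow(sig, E, N) == m % N          # token verifies under issuer key
    return (blinded, blind_sig), (m, sig)

def consistent_factors(view, token):
    """Exhaustively count blinding factors that map this token to this view."""
    (blinded, blind_sig), (m, sig) = view, token
    count = 0
    for r in range(1, N):
        if math.gcd(r, N) != 1:
            continue
        same_request = (m * pow(r, E, N)) % N == blinded
        same_result = (blind_sig * pow(r, -1, N)) % N == sig
        if same_request and same_result:
            count += 1
    return count

def linkage_table(messages):
    """For every (issuance session, shown token) pair, count explanations."""
    views, tokens = zip(*(issue(m) for m in messages))
    return [[consistent_factors(v, t) for t in tokens] for v in views]

if __name__ == "__main__":
    # Constructed sample messages, each coprime to N.
    for row in linkage_table([42, 1337, 2024]):
        print(row)
```

Every entry in the table is 1: each issuance session explains each token through exactly one blinding factor, so as long as the factors are uniformly random the issuer's records point to no token more than any other.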
