Identity Mixer

A cryptographic algorithm to protect your privacy

Primary tab navigation

Extended features

Identity Mixer is a full-fledged privacy-preserving attribute-based credential (Privacy-ABC) system that offers many features beyond data-minimizing authentication. We summarize the most important features below; a more extensive overview can be found in the documentation.

  • Attribute predicates: Rather than revealing the full value of an attribute, the derived token can merely show that the attribute is within a certain range. For example, if the attribute encodes the user's birth date, then the token can show that the user is over eighteen, without disclosing the exact birth date.
  • Multi-credential tokens: A single token can disclose information from multiple credentials at the same time. Beyond revealing attributes from those credentials, it can show that different attributes have the same value, without disclosing the exact value, or it can provide guarantees that all credentials were issued to the same user.
  • Revocation: When attribute values change, or when a credential has been compromised, the credential can be revoked so that it can no longer be used to create tokens. Note that revocation is slightly more complicated than in a traditional PKI, because Privacy-ABC tokens do not reveal a unique credential identifier such as a serial number. Rather, the token shows that the underlying credential has not been revoked, without revealing its identifier.
  • Inspection: In some situations, absolute anonymity can lead to abuses for which nobody can be held accountable. In such cases, it can be useful to introduce a separate trusted entity called an inspector who can lift the anonymity of tokens if needed. At the moment that a token is created, the user is informed of who the inspector is, which information the inspector can recover, and under which circumstances the token will be inspected. The verifier cannot inspect tokens by himself. Tokens remain anonymous to the verifier until he can convince the inspector that the agreed-upon circumstances have been met.
  • Scope-exclusive pseudonyms: Some applications, for example online opinion polls, do not require users to be identifiable, but do need to make sure that each user can create only a single account, or can use the service only once. Scope-exclusive pseudonyms are a special kind of pseudonyms that are uniquely determined by the user's secret key and a given scope, e.g., the URL of the service. Pseudonyms for different scopes remain unlinkable.
  • Advanced issuance: It is possible to issue credentials on attribute values that remain hidden from the issuer. These attributes can be chosen freely by the user, can be assigned a random value that the user cannot control, or can be carried over from existing credentials. In the latter case, the user shows during issuance that he possesses a valid credential, possibly from a different issuer, that includes the same attribute value as will be embedded in the new credential, but without revealing that value to the issuer.