In this paper we consider restricted identification (RI) protocols which enable strongauthentication and privacy protection for access control in an unlimited number of domains. A single secret key per user is used to authenticate and derive his identity within any domain,while the number of domains is unlimited and the scheme guarantees unlinkability between identities of the same user in different domains. RI can be understood as an universal solution thatmay replace unreliable login and password mechanisms. It has to secure against adversaries that gather personal data by working on a global scale, e.g. by breaking into one service for gettingpasswords that a user frequently re-uses at different places. We consider security of an extended version of the Chip Authentication Restricted Identification(ChARI) protocol presented at the 11th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2012). We preserve the features of ChARI (avoidingthe critical security problems of group keys in the RI solution deployed in the German personal identity cards), but provide security proof in the well-studied Canetti-Krawczyk model (sucha proof has not been provided for ChARI). Our extension has similar computational complexity as the original ChARI protocol in terms of the number of modular exponentiations.

restricted identification, chip authentication, ChARI, Diffie-Hellman key agreement, sector identity, unlinkability, eCK model, personal identity card