In the IRMA (I Reveal My Attributes) project we are working to make attribute based credentials practical. IRMA provides very efficient implementations of such credentials on (contactless) smart cards. This allows us to use the smart card as a secure and portable container for these credentials. One of the things we have been looking at is possible use cases. Last week I discussed how the IRMA card can be used to stop the resale of event tickets. In this blog post I will discuss an almost trivial application: proving age bounds.
Proving your age, without revealing anything else, is the prototypical application of privacy friendly credentials. In this application, a credential could for instance contain the following attributes: your age in years, and whether you are at least 16, at most 16, at least 18, or at least 65 years of age. Typically, the government would issue such a credential to all its citizens on request. This credential allows you to prove a certain property about your age without revealing anything else.
Which attribute you choose to reveal depends on the application. To buy cigarettes or beer in the Netherlands, you need to prove you are at least 16 years old. To buy strong liquor, you need to prove you are at least 18 years old, and to get reduced fares in public transport you need to prove you are at least 65 years old. The fact that an IRMA card carries the picture of the holder allows the use of the IRMA card for such use cases offline.
Sometimes you need to prove you are below a certain age. For example to join an on-line chat forum for children. Absence of an “at least 16” attribute is no proof of being at most 15, as people may choose not to disclose that attribute. So you need a positive attribute that proves you are below 16. (This is a general principle: attributes that are disqualifying in a certain context may not be revealed by their owners. The negation of that attribute is then a qualifying attribute that must be explicitly verified to achieve the same effect.)
An infrastructure to prove age bounds on-line would also be very useful for other applications. For example, brick-and-mortar shops have to verify the age of people buying age restricted material (booze, but also video games and movies). On-line shops should have to do so too (for fair competition reasons), but are in practice unable to reliably verify the age of their customers. Government has only two options: either outlaw the sale of age restricted material on-line, or provide an infrastructure where people can prove they are a certain age. (In the latter case, it is sufficient if government stimulates the development by such infrastructure by the private sector, provided the necessary privacy safeguards are preserved.)Lack of such possibilities in one of the reasons why offering online gambling services is still not permitted in the Netherlands.
A few details have to be taken care of though. Clearly, the “age-in-years” attribute expires on your birthday. But including your exact birthday as expiry date in the credential is not good idea, because it is revealed whenever the credential is used, and exact birthdays are quite identifying pieces of information. The same holds for the “at most 16” attribute. We deal with this problem by only allowing expiry dates in month and year format (for any type of credential actually). It is up to the issuer to decide whether to be conservative (credential expires before the attribute becomes false) or liberal (credential is valid for at most one month after the attribute becomes false) in setting the expiry date. But even this strategy reveals your month of birth if applied strictly by an issuer that only issues such a credential once with the maximum expiry date. To destroy this correlation, age bounds credentials should have short validity periods, so that they are issued frequently. Unless the age of the bearer is close to the limit implied by the age bound, the expiry date can be chosen to be a random month in the next year.