Paper 2018/1148

Towards Practical Security of Pseudonymous Signature on the BSI eIDAS Token

Mirosław Kutyłowski, Lucjan Hanzlik, and Kamil Kluczniak


In this paper we present an extension of the Pseudonymous Signature scheme introduced by the German Federal BSI authority as a part of technical recommendations for electronic identity documents. Without switching to pairing-friendly groups we enhance the scheme so that: (a) the issuer does not know the private keys of the citizen (so it cannot impersonate the citizen); (b) a powerful adversary that breaks any number of ID cards created by the Issuer cannot forge new cards that could be proven as fake ones; (c) deanonymization of the pseudonyms used by a citizen is a multi-party protocol, where the consent of each authority is necessary to reveal the identity of a user; (d) we propose extended features concerning fully anonymous signatures and a pragmatic revocation approach; (e) we present an argument for unlinkability (cross-domain anonymity) of the presented schemes. In this way we make a step forward in overcoming the substantial weaknesses of the Pseudonymous Signature scheme. Moreover, the extension is built on top of the original scheme with a relatively small number of changes, following the strategy of reusing the previous schemes -- thereby reducing the costs of a potential technology update.

Category
Cryptographic protocols
Publication info
Published elsewhere. Major revision. Pseudonymous Signature on eIDAS Token - Implementation Based Privacy Threats, Proc. ACISP 2016
Keywords
anonymity, digital signatures, pseudonym, domain specific signatures, eIDAS token
Contact author(s)
miroslaw kutylowski @ pwr edu pl
History
2018-12-03: received
License
Creative Commons Attribution


      author = {Mirosław Kutyłowski and Lucjan Hanzlik and Kamil Kluczniak},
      title = {Towards Practical Security of Pseudonymous Signature on the {BSI} {eIDAS} Token},
      howpublished = {Cryptology ePrint Archive, Paper 2018/1148},
      year = {2018},
      doi = {10.1007/978-3-319-40367-0_31},
      note = {\url{}},
      url = {}