U-Prove ID escrow extension

This document extends the U-Prove Cryptographic Specification by specifying an identity escrow mechanism.

The U-Prove identity escrow feature allows a U-Prove token to be presented anonymously to a Verifier, but the presentation contains the token holder’s identity in an encrypted form. This allows the presentation proof to be de-anonymized if needed by a designated entity called the Auditor.

To prevent users from encrypting junk data instead of their identity, the presentation proof with ID escrow includes an additional proof that the encryption of the identity is valid. In this context, valid means i) the ciphertext was computed correctly, following the encryption algorithm, and ii) the plaintext is an attribute from the U-Prove token.