Hasso-Plattner-Institut
Prof. Dr. Anja Lehmann
 

Cybersecurity – Identity Management

The research group Cybersecurity – Identity Management, led by Prof. Dr. Anja Lehmann, develops and analyzes cryptographic protocols with provable security guarantees. A focus is on privacy-preserving technologies, especially for identity management, where users must be authenticated and their data handled securely without sacrificing their privacy.

Provable security is the methodological core of modern cryptography: guarantees rest on formal models that make precise what security and privacy a protocol is meant to provide, and on rigorous proofs that reduce the security of a complex protocol to well-established assumptions about the simpler primitives it is built from. The group both applies these techniques to concrete systems and studies the underlying models and primitives, working from cryptographic foundations to applied protocols for real-world problems. A current example of the latter are the group's contributions to the European Digital Identity (EUDI) Wallet towards enabling the use of privacy-preserving credentials.

    team 2026

     

    Ressearch Profile

    Provable security is the methodological core of modern cryptography: guarantees rest on formal models that make precise what security and privacy a protocol is meant to provide, and on rigorous proofs that reduce the security of a complex protocol to well-established assumptions about the simpler primitives it is built from. Our research both applies these techniques to concrete systems and studies the underlying models and primitives, working from cryptographic foundations to applied protocols for real-world problems. Our current focus areas are as follows:

    1. Privacy-Preserving Authentication: Cryptography provides well-understood tools for authentication, most notably digital signatures. In user-centric settings, however, these tools fall short of two distinct privacy goals. Authentication should be selective, letting users reveal only the attributes a service genuinely requires; and the cryptographic evidence that establishes security must not itself become a means of tracking. We design and analyze protocols that reconcile strong authentication with these privacy requirements. This work centers around anonymous credentials and group signatures, as well as privacy-preserving single sign-on. 
    2. Foundations of Real-World Cryptography: Formalizing the guarantees of complex cryptographic protocols is inherently challenging, and as a result such protocols still get deployed without rigorous analysis of their security and privacy properties. We develop formal models that capture the guarantees real-world protocols are intended to achieve and study whether deployed systems satisfy these formalized properties.  Our study extends to the primitives and idealized models underlying applied protocols, such as oblivious pseudorandom functions (OPRFs) and the random oracle model. For these building blocks, we aim to sharpen the understanding of the exact security their formal models guarantee, and how those guarantees are preserved under composition. 
    3. Human-Centric Key Management: The security of cryptographic systems depends on the secrecy of their keys. Maintaining that secrecy is particularly challenging in user-centric settings, where keys must stay protected despite humans' inability to memorize high-entropy secrets and the absence of secure hardware on the user side. Password-based protocols tackle the first problem, deriving keys from a memorizable password while still aiming for strong guarantees despite its low entropy. Distributed cryptography tackles the second, spreading keys and operations across multiple parties so that compromising individual ones does not break the system's security.