###### Usages of Polymorphic structures

Activation

- Polymorphic Identity (PI) or Polymorphic Pseudonym (PP)
- Polymorphic Identity and Pseudonym (PIP)
- Verifiable Polymorphic Identity and Pseudonym (VPIP)

Users of Polymorphic structures are: AD, MU, EB and MR.

#### Format for Polymorphic Identity or Pseudonym

A Polymorphic Identity or Pseudonym is a combination of points on an elliptic curve. In order for the Identity or Pseudonym to be properly usable in the scheme, some additional information is needed. This information is necessary for practical management and secure implementation of Identity or Pseudonym in the Scheme and consists of elements like versioning (for key management) and recipient. The syntax for expressing an Identity or Pseudonym with this information is listed below.

Values of the notations below SHALL be represented as (the base64 encoding of) the DER-encoded structure in ASN.1 notation.

##### Polymorphic Identity or Pseudonym

A Polymorphic Identity or Pseudonym consists of 3 points on an elliptic curve. Polymorphic Identity or Pseudonym are provided via the Interface spec BSNk: activate. They are used via the interface Interface spec BSNk: transform. The notation for a complete Polymorphic Identity or Pseudonym is as follows:

**Polymorphic Identity or Pseudonym ASN.1 notation**

PolymorphicIdentity ::= SEQUENCE { notationIdentifier OBJECT IDENTIFIER (id-BSNk-polymorphic-identity), schemeVersion INTEGER, schemeKeySetVersion INTEGER, creator IA5String, recipient IA5String, recipientKeySetVersion INTEGER, points SEQUENCE (SIZE (3)) OF ECPoint } PolymorphicPseudonym ::= SEQUENCE { notationIdentifier OBJECT IDENTIFIER (id-BSNk-polymorphic-pseudonym), schemeVersion INTEGER, schemeKeySetVersion INTEGER, creator IA5String, recipient IA5String, recipientKeySetVersion INTEGER, type INTEGER, points SEQUENCE (SIZE (3)) OF ECPoint }

Herein the `schemeVersion`

indicates the version of the cryptographic scheme and this syntax and SHALL start at 1. The `schemeKeySetVersion`

is a version that SHALL start at 1 and represents the effective set of long term scheme master keys (PP-M, PD-M, etc...). The `schemeVersion`

defines the elliptic curve used in the scheme as well. The `creator`

SHALL contain the entityID (OIN) of the creator, and the `recipient`

SHALL contain the entityID (OIN) of the recipient. The `recipientKeySetVersion`

holds the version number for the set of recipient's keys for Polymorphic Identities and Pseudonyms (PA-Di). Note: In `schemeVersion`

1 the `recipientKeySetVersion`

for MUs, ADs, MRs and the EB is a sequence starting at 1. The `type`

defines the identity type the Pseudonym is derived of, e.g. from a BSN or an eIDAS Uniqueness Identifier. This field is not necessary in identity based forms as here the identity type will become clear as part of decryption of the final structure, i.e. the Encrypted Identity. The values currently defined are the ASCII value of '`B`

' (0x42) for BSN based and '`E`

' (0x45) when based on a eIDAS uniqueness identifier. ECPoint is identical to ECPoint as defined in BSI TR 03111 and ANSI X9.62 (2005). Here two encodings are specified, compressed and compressed. Both encodings are allowed, with a preference for uncompressed encoding.

A Polymorphic Identity of Polymorphic Pseudonym can be signed for integrity protection:

SignedPolymorphicIdentity ::= SEQUENCE { notationIdentifier OBJECT IDENTIFIER (id-BSNk-polymorphic-identity-signed), signedPI SEQUENCE { polymorphicIdentity PolymorphicIdentity, auditElement OCTET STRING, signingKeyVersion INTEGER }, signatureValue ECDSA-Signature } SignedPolymorphicPseudonym ::= SEQUENCE { notationIdentifier OBJECT IDENTIFIER (id-BSNk-polymorphic-pseudonym-signed), signedPP SEQUENCE { polymorphicPseudonym PolymorphicPseudonym, auditElement OCTET STRING, signingKeyVersion INTEGER }, signatureValue ECDSA-Signature }

An `auditElement`

holds an audit value consisting of an identifier for the creator, a timestamp and a sequence number from that creator. This `auditElement`

is 16 bytes in big-endian (32-bit origin, 32-bit timestamp and 64-bit sequence-number). The origin identifies the party providing the Polymorphic/Encrypted Identity or Pseudonym and the unique device used. The timestamp and sequence number can be used in case of a compromise or dispute, so that mitigating measure or resolution can be accomplished. Note: the timestamp is 32-bit in seconds since 1 jan 1970 UTC. The `auditElement`

is encrypted under a key only retrievable by the supervisor of the scheme, which is provided to the supervisior by the keymanagement role.

The `signatureValue`

can be used to assert the authenticity of the (polymorphic/encrypted) Identity or Pseudonym. The signature is applied to the byte sequence of the complete DER-encoded signed sequence (e.g. signedPP in a SignedPolymorphicPseudonym). The public key for verification can be retrieved from the Metadata using the creator from the structure covered under the signature and the `signingKeyVersion`

.

-- ECPoint is described in ANSI X9.62 (2005), annex E.6. -- In particular, encoding from point to octet string and -- from octet string to a point is defined in annex A.5.7 -- and A.5.8 of ANSI X9.62. ECPoint ::= OCTET STRING ECDSA-Signature ::= SEQUENCE { signatureType OBJECT IDENTIFIER (ecdsa-with-SHA384), signatureValue EC-Sig-Value } -- EC-Sig-Value is identitical to BSI TR 03111 ECDSA-Sig-Value. -- which is identical to ECDSA-Sig-Value defined in RFC5480 as well. EC-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 } id-BSNk-scheme-nl OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) nl(528) nederlandse-organisatie(1) nederlandse-overheid(1003) logius-beheer-usve(10) } id-BSNk-identifiers OBJECT IDENTIFIER ::= { id-BSNk-scheme-nl 1 } id-BSNk-polymorphics OBJECT IDENTIFIER ::= { id-BSNk-identifiers 1 } id-BSNk-polymorphic-identity OBJECT IDENTIFIER ::= { id-BSNk-polymorphics 1 } id-BSNk-polymorphic-pseudonym OBJECT IDENTIFIER ::= { id-BSNk-polymorphics 2 } id-BSNk-polymorphic-identity-signed OBJECT IDENTIFIER ::= { id-BSNk-polymorphics 3 } id-BSNk-polymorphic-pseudonym-signed OBJECT IDENTIFIER ::= { id-BSNk-polymorphics 4 }

##### PIP – PPCA optimized

For privacy enhanced implementation, Polymorphic Identities and Pseudonyms can be implemented on a smartcard. This is called a PP-card application, or PPCA. A Polymorphic Identity and a Polymorphic Pseudonym can be combined to 5 points on an elliptic curve rather than six, for optimization in a smartcard implementation. The PPCA-optimized PIP version of Polymorphic Identities or Pseudonyms are provided in Interface spec BSNk: activate.

The combined notation for an Polymorphic Identity and Pseudonym is as follows:

**Polymorphic Identity and Pseudonym (PIP) ASN.1 notation**

PIP ::= SEQUENCE { notationIdentifier OBJECT IDENTIFIER (id-BSNk-polymorphic-pip), schemeVersion INTEGER, schemeKeySetVersion INTEGER, creator IA5String, recipient IA5String, recipientKeySetVersion INTEGER, type INTEGER, points SEQUENCE (SIZE (5)) OF ECPoint }

The first, second and fourth ECPoint of the `points`

in a PIP correspond to those of a PI. Similarly, the first, third and fifth correspond to those of a PP. In this fashion one can extract a PI and PP from a PIP.

There also exists a signed version of a PIP:

SignedPIP ::= SEQUENCE { notationIdentifier OBJECT IDENTIFIER (id-BSNk-polymorphic-pip-signed), signedPIP SEQUENCE { pip PIP, auditElement OCTET STRING, signingKeyVersion INTEGER }, signatureValue ECDSA-Signature }

Which follows the same concepts as described for a Polymorphic Identity or Polymorphic Pseudonym.

id-BSNk-polymorphic-pip OBJECT IDENTIFIER ::= { id-BSNk-polymorphics 5 } id-BSNk-polymorphic-pip-signed OBJECT IDENTIFIER ::= { id-BSNk-polymorphics 6 } -- the following OID is reserved for usage in the specifications of the protocol for PP on smartcard (polymorphic card application) id-PCA OBJECT IDENTIFIER ::= { id-BSNk-scheme-nl 9 }

##### Verifiable PIP

When a PIP is personalized onto a smartcard, the issuer typically wants to perform some quality assurance prior to issuing the card. This is not straightforward due to the use of privacy enhancing technology. To allow quality assurance in combination with a PIP, a Verifiable PIP is described.

This Verifiable PIP is a PIP accompanied by a *Proof of Conformity*. Using this proof, a means issuer can verify a PIP is personalized correctly without the need to reveal the original stem (BSN) in the verifiable representation.

VerifiablePIP ::= SEQUENCE { notationIdentifier OBJECT IDENTIFIER (id-BSNk-polymorphic-pip-verifiable), signedPIP SignedPIP, proofOfConformity SEQUENCE { p1 ECPoint, t ECPoint, zp1 SEQUENCE { r1 INTEGER, s1 INTEGER }, zp2 SEQUENCE { r2 INTEGER, s2 INTEGER } } }

The `signedPIP`

is the signed PIP structure as defined above and allows for verification of authenticity. The `proofOfConformity`

can be used to verify the PIP is personalized correctly.

id-BSNk-polymorphic-pip-verifiable OBJECT IDENTIFIER ::= { id-BSNk-polymorphics 11 }