I need to implement algorithm to create authenticatable irreversible tokens from PAN, without using any secrets.
Is it possible? Is there any standards for that from associations?
I was thinking about HMAC but it needs to distribute secret symmetric key to all relevant parties. How to do it without distributing cryptographic key? Also it should prevent to create an oracle.
The Primary Account Number (which can e.g. be a credit card number) often is 16 decimal digits, with the first 6 (Issuer Identification Number) typically guessable, and the last a check digit a public function of the rest. That leaves 9 decimal digits (about 30 bit) of PAN entropy, under the (unwarranted) assumption the 9 digits are assigned randomly.
Thus if a million tokenized PANs for known IIN are known, then on average it's required only a thousand executions of a deterministic tokenization algorithm to untokenize a PAN.
Thus deterministic tokenization must use a secret key. And in addition, it must be made impossible to use by adversaries, at least at high rate. I don't see how alternatives (like using Argon2 or other entropy stretching, or randomizing, or public key) could solve the problem satisfactorily while making the tokenization useful. But then the question did not specify a functional requirement, so I can only guess.
If the PAN space is sufficiently large then you can use a SHA3-256(Keccak family) and use the required number of bits of the output. I guess in that case you may have to maintain a Card-Data vault for the lookup thing.
