[21703] in cryptography@c2.net mail archive
Re: Unforgeable Blinded Credentials
daemon@ATHENA.MIT.EDU (Apu Kapadia)
Sun Apr 2 13:03:19 2006
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <442E6570.5060201@algroup.co.uk>
From: Apu Kapadia <akapadia@cs.dartmouth.edu>
Date: Sun, 2 Apr 2006 10:27:22 -0400
To: Cryptography Mailing List <cryptography@metzdowd.com>
I came across the same problem a couple of years ago (and indeed
iterated through private/public key solutions with a colleague). The
problem is that you can still give your private key to somebody else.
There's no real deterrent unless that private key is used for many
other purposes, thereby discouraging sharing. But if that's the case,
there's no real anonymity anymore, since the private key is tied to
the person's identity.
I found that Chameleon Certificates had nice properties. You have a
"master certificate" that lists all your attributes. For
authentication, you generate an unlinkable slave certificate with any
subset of attributes. You have to possess the master certificate at
time of use to generate the slave certificate, so you can't pass a
slave certificate to a friend for later use. Then you just need to
ensure that the master certificate includes personal details like
credit card number, SSN, etc. to deter sharing of master
certificates. Note that the slave certificates won't have this
information, so this personal information is safe as long as the
master certificate is not leaked. Since sharing an attribute amounts
to sharing all your attributes, including personal information, this
property serves as a good deterrent. Maybe somebody else can comment
on the technical viability + crypto details of the paper.
P. Persiano and I. Visconti. An Anonymous Credential System and a
Privacy-Aware PKI. In Information Security and Privacy, 8th
Australasian Conference, ACISP 2003, volume 2727 of Lecture Notes in
Computer Science. Springer Verlag, 2003.
http://springerlink.metapress.com/openurl.asp?genre=article&issn=0302-9743&volume=2727&spage=27
Here's the abstract:
In this paper we present a non-transferable anonymous credential
system that is based on the concept of a chameleon certificate. A
chameleon certificate is a special certificate that enjoys two
interesting properties. Firstly, the owner can choose which
attributes of the certificate to disclose. Moreover, a chameleon
certificate is multi-show in the sense that several uses of the same
chameleon certificate by the same user cannot be linked together.
We adopt the framework of Brands [2] and our construction improves
the results of Camenisch et al. [5] and Verheul [16] since it allows
the owner of a certificate to prove general statements on the
attributes encoded in the certificate and our certificates enjoy the
multi-show property.
Apu
-- 
Apu Kapadia, Ph.D.
Research Fellow, Institute for Security Technology Studies (ISTS)
Dartmouth College, Hanover NH 03755, USA
http://www.cs.dartmouth.edu/~akapadia/
On Apr 1, 2006, at 6:35 AM, Ben Laurie wrote:
> It is possible to use blind signatures to produce anonymity-preserving
> credentials. The general idea is that, say, British Airways want to
> testify that I am a silver BA Executive Club cardholder. First I create
> a random number (a nonce), I blind it, then send it to BA. They sign it
> with their “this guy is a silver member” signing key, I unblind the
> signature and then I can show the signed nonce to anyone who wants to
> verify that I am silver. All they need to do is check the signature
> against BA’s published silver member key. BA cannot link this nonce back
> to me because they have never seen it, so they cannot distinguish me
> from any other member.
>
> However, anyone I show this proof to can then masquerade as a silver
> member, using my signed nonce. So, it occurred to me that an easy way to
> prevent this is to create a private/public key pair and instead of the
> nonce use the hash of the public key. Then to prove my silver status I
> have to show that both the hash is signed by BA and that I possess the
> corresponding private key (by signing a nonce, say).
>
> It seems to me quite obvious that someone must have thought of this
> before - the question is who? Is it IP free?
>
> Obviously this kind of credential could be quite useful in identity
> management. Note, though, that this scheme doesn’t give me unlinkability
> unless I only show each public/private key pair once. What I really need
> is a family of unlinkable public/private key pairs that I can somehow
> get signed with a single “family” signature (obviously this would need
> to be unlinkably transformed for each member of the key family).
>
> Permalink: http://www.links.org/?p=88
>
> Cheers,
>
> Ben.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
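The scheme in the quoted message (a blind signature over the hash of the holder's public key, then proof of possession on a fresh nonce), as an added example that is not part of the original messages. It uses unpadded textbook RSA over known Mersenne primes, constructed for illustration and insecure; all function and variable names are hypothetical.

```python
import hashlib, secrets
from math import gcd

E = 65537

def keygen(p, q):
    # Toy textbook RSA from known Mersenne primes: constructed and insecure.
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), pow(E, -1, phi)

def h(data, n):
    # Unpadded hash-then-reduce, for illustration only.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def pub_bytes(pub):
    return f"{pub[0]}:{pub[1]}".encode()

def blind(m, issuer_pub):
    # User side: hide m from the issuer with a random factor r^e.
    n, e = issuer_pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return (m * pow(r, e, n)) % n, r

def issuer_sign(blinded, issuer_pub, issuer_priv):
    # Issuer side: signs the blinded value without ever seeing m.
    return pow(blinded, issuer_priv, issuer_pub[0])

def unblind(blind_sig, r, issuer_pub):
    n = issuer_pub[0]
    return (blind_sig * pow(r, -1, n)) % n

def prove(nonce, user_pub, user_priv):
    # Proof of possession: sign the verifier's fresh nonce.
    return pow(h(nonce, user_pub[0]), user_priv, user_pub[0])

def verify(issuer_pub, user_pub, cred, nonce, proof):
    n, e = issuer_pub
    un, ue = user_pub
    cred_ok = pow(cred, e, n) == h(pub_bytes(user_pub), n)  # issuer signed H(pubkey)
    pop_ok = pow(proof, ue, un) == h(nonce, un)             # holder signed this nonce
    return cred_ok and pop_ok

ISSUER_PUB, ISSUER_PRIV = keygen(2**127 - 1, 2**107 - 1)
USER_PUB, USER_PRIV = keygen(2**89 - 1, 2**61 - 1)

def issue():
    m = h(pub_bytes(USER_PUB), ISSUER_PUB[0])
    blinded, r = blind(m, ISSUER_PUB)
    cred = unblind(issuer_sign(blinded, ISSUER_PUB, ISSUER_PRIV), r, ISSUER_PUB)
    return m, blinded, cred
```

Anyone holding `USER_PRIV` passes `verify`, which is the key-sharing problem raised in the reply, and every show reveals the same `USER_PUB`, so shows are linkable as the quoted message notes.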