[21756] in cryptography@c2.net mail archive


Re: Unforgeable Blinded Credentials

daemon@ATHENA.MIT.EDU (Ben Laurie)
Tue Apr 4 13:48:08 2006

X-Original-To: cryptography@metzdowd.com
Date: Tue, 04 Apr 2006 06:15:48 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Hal Finney <hal@finney.org>
Cc: cryptography@metzdowd.com
In-Reply-To: <20060402003216.2E97757FAE@finney.org>

Hal Finney wrote:
> Ben Laurie writes:
>> It is possible to use blind signatures to produce anonymity-preserving
>> credentials....
>>
>> It seems to me quite obvious that someone must have thought of this
>> before - the question is who? Is it IP free?
> 
> David Chaum did a great deal of work in this area in the 80s and 90s.
> He pretty much invented the idea of anonymous credentials.  Stefan Brands
> used slightly different techniques a few years later to create improved
> versions.  More recently, Camenisch and Lysyanskaya have created a number
> of anonymous credential systems based (roughly) on group signatures.
> Some work was obstructed by the patent on the Chaum blind signature
> technique, but that expired last year.  I think your basic concept is IP
> free, but you should review the patents by these researchers to be sure.
> 
> 
>> Obviously this kind of credential could be quite useful in identity
>> management. Note, though, that this scheme doesn't give me unlinkability
>> unless I only show each public/private key pair once. What I really need
>> is a family of unlinkable public/private key pairs that I can somehow
>> get signed with a single "family" signature (obviously this would need
>> to be unlinkably transformed for each member of the key family).
> 
> There is an operational difficulty with this goal as stated.
> To demonstrate it, consider a trivial way of achieving the goal.
> The credential issuer creates a special public/private key pair that is
> associated with the credential.  To everyone who earns the credential,
> he reveals the private key (which is the same for everyone who has the
> credential).  To show that he holds the credential, the key holder issues
> a signature using the private key corresponding to the publicly-known
> credential public key.  Now he can show credential ownership as often
> as desired, without linkability, because all such demonstrations look
> the same, for all members.
> 
> This illustrates a problem with multi-show credentials, that the holder
> could share his credential freely, and in some cases even publish it,
> and this would allow non-authorized parties to use it.  To avoid this,
> more complicated techniques are needed that provide for the ability
> to revoke a credential or blacklist a credential holder, even in an
> environment of unlinkability.  Camenisch and Lysyanskaya have done quite
> a bit of work along these lines, for example in
> http://www.zurich.ibm.com/%7Ejca/papers/camlys02b.pdf .

So, for the record, has Brands.

I agree that, in general, this is a problem with multi-show credentials
(though I have to say that using a completely different system to
illustrate it seems to me to be cheating somewhat).

Brands actually has a neat solution to this where the credential is
unlinkable for n shows, but on the (n+1)th show reveals some secret
information (n is usually set to 1 but doesn't have to be). This
obviously gives a disincentive against sharing if the secret information
is well chosen (such as "here's where to go to arrest the guy").

Hohenberger presented a system (at Eurocrypt 2004? 2005?) where the
(n+1)th show makes all the shows linkable, which is even neater, IMO,
but is based on rocket science :-)

All this goes way beyond the scope of my original question, but I have
to confess it is necessary to make what I outlined useful.

Cheers,

Ben.

-- 
http://www.links.org/
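
Added example, not part of the original message and not Brands' actual construction: a simplified Schnorr-style sketch of the limited-show idea described above for n = 1, where a second show of the same credential reveals the holder's secret. The group parameters, class and function names are assumptions made for illustration, and the issuer's blind signature over the credential is omitted.

```python
import secrets

# Toy Schnorr group, constructed for illustration and far too small for real use:
# P = 2*Q + 1 with P and Q prime; G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4


class OneShowCredential:
    """Holder side (hypothetical): a secret x and one commitment fixed at issuing."""

    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1  # secret revealed if shown twice
        self.w = secrets.randbelow(Q - 1) + 1  # nonce fixed when the credential is issued
        self.h = pow(G, self.x, P)             # public value carried in the credential
        self.a = pow(G, self.w, P)             # commitment carried in the credential

    def show(self, challenge):
        # Response to the verifier's challenge: r = w + c*x mod Q.
        # Because w is baked into the credential, every show reuses it.
        return (self.w + challenge * self.x) % Q


def verify(h, a, challenge, response):
    """Verifier check for one show: G^r == a * h^c (mod P)."""
    return pow(G, response, P) == (a * pow(h, challenge, P)) % P


def extract_secret(c1, r1, c2, r2):
    """Given two valid shows of the SAME credential, solve for x.

    r1 - r2 = (c1 - c2) * x  (mod Q), so x = (r1 - r2) / (c1 - c2) mod Q.
    A single show gives one equation in two unknowns (w, x) and reveals nothing.
    """
    dc = (c1 - c2) % Q
    if dc == 0:
        raise ValueError("challenges must differ modulo Q")
    return ((r1 - r2) % Q) * pow(dc, -1, Q) % Q


if __name__ == "__main__":
    cred = OneShowCredential()
    c1, c2 = 17, 400                       # constructed challenges from two verifiers
    r1, r2 = cred.show(c1), cred.show(c2)  # the second show is the (n+1)th
    assert verify(cred.h, cred.a, c1, r1) and verify(cred.h, cred.a, c2, r2)
    print("secret recovered after second show:", extract_secret(c1, r1, c2, r2) == cred.x)
```
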

---------------------------------------------------------------------
The Cryptography Mailing List