[23190] in cryptography@c2.net mail archive
Re: Unforgeable Blinded Credentials
daemon@ATHENA.MIT.EDU (Adam Back)
Wed Apr 19 16:11:27 2006
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Wed, 19 Apr 2006 15:23:36 -0400
From: Adam Back <adam@cypherspace.org>
To: bear <bear@sonic.net>
Cc: Ben Laurie <ben@algroup.co.uk>, Hal Finney <hal@finney.org>,
cryptography@metzdowd.com, Adam Back <adam@cypherspace.org>
In-Reply-To: <Pine.LNX.4.58.0604191152150.4219@bolt.sonic.net>
On Wed, Apr 19, 2006 at 11:53:18AM -0700, bear wrote:
> On Sat, 8 Apr 2006, Ben Laurie wrote:
> >Adam Back wrote:
> >> My suggestion was to use a large denomination ecash coin to have
> >> anonymous disincentives :) ie you get fined, but you are not
> >> identified.
> >
> >The problem with that disincentive is that I need to sink the money for
> >each certificate I have. Clearly this doesn't scale at all well.
>
> Um, if it's anonymous and unlinkable, how many certificates do you
> need? I should think the answer would be "one."
Agreed, its very nice if we could do this. However all of the
practical schemes are show-linkable.
I looked at the paper that was referenced earlier in the thread about
the Chameleon [1] credentials which are an attempt to add unlinkable
multi-show to Brands credentials.
So aside from the fact that it uses a non-standard assumption that it
is hard to find e^v = a^x + c mod n (for RSA e,n). Apparently
Camenisch's other assumption that it is hard to find e^v = a^x +1 was
broken... so thats not very comforting to start. (They offer no proof
of this assumption).
Then they use an interactive ZKP in the show which I think will
require say 80 rounds for reasonable security, each round involving
some non-trivial computation.
So its not that practical compared to Chaum, Brands etc -- its not
very efficient in time nor communication required for the showing of
the chameleon certs.
Adam
[1] "An Anonymous Credential System and a Privacy-Aware PKI" by Pino
Persiano and Ivan Visconti
I put a copy online here temporarily:
http://www.cypherspace.org/adam/papers/chameleon.pdf
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
