anonymity +- credentials

Anton Stiglic astiglic at okiok.com
Tue Oct 7 09:13:48 EDT 2003


----- Original Message ----- 
From: "Ian Grigg" <iang at systemics.com>

> [...]
> In terms of actual "practical" systems, ones
> that implement to Brands' level don't exist,
> as far as I know?  

There were however several projects that implemented 
and tested the credentials system.  There was CAFE, an 
ESPRIT project.

At Zeroknowledge there was a working implementation written 
in Java, with a client that ran on a BlackBerry.

There was also the implementation at ZKS of a library in C 
that implemented Brands's stuff, which I participated in.
The library implemented issuing and showing of credentials,
with a limit on the number of possible showings (if you passed
the limit, identity was revealed, thus allowing for off-line
verification of payments for example.  If you did not pass the
limit, no information about your identity was revealed).  
The underlying math was modular: you could work in a 
subgroup of Z*p for prime p, or use elliptic curves, or 
base it on the RSA problem.  We plugged in the OpenSSL 
library to test all of these cases.
Basically we implemented the protocols described in 
[1], with some of the extensions mentioned in the conclusion.

The library was presented by Ulf Moller at some coding
conference which I don't recall the name of...

It was to be used in Freedom, for payment of services, 
but you know what happened to that project.

> Also, the use of Brands work
> would need to consider that he holds a swag of
> patents over it all (as also applies to all of
> the Chaum concepts).

Yes, most of the stuff is patented, as is Chaum's stuff.
Somebody had suggested that to build an ecash system
for example, you could start out by implementing David
Wagner's suggestion as described in Lucre [2], and then
if you sell and want extra features and flexibility get the
patents and implement Brands's stuff.  Similar strategy 
would seem to apply for digital credentials in general.

> There is an alternate approach, the E/capabilities
> world.  Capabilities probably easily support the
> development of pseudonyms and credentials, probably
> more easily than any other system.   But, it would
> seem that the E development is still a research
> project, showing lots of promise, not yet breaking
> out into the wider applications space.
> 
> A further alternate is what could be called the
> hard-coded pseudonym approach as characterised
> by SOX.  (That's the protocol that my company
> wrote, so normal biases expected.)  This approach
> builds pseudonyms from the ground up, which results
> in a capabilities model like E, but every separate
> use of the capability must be then re-coded in hard
> lines by hardened coders.

Do you have any references on this?

Thanks.

--Anton

[1] http://crypto.cs.mcgill.ca/~stiglic/Papers/brands.pdf
[2] http://anoncvs.aldigital.co.uk/lucre/theory2.pdf

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
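
The limited-show property described in the message above, as an added example (not code from the ZKS library or from the post): a simplified one-show credential in a subgroup of Z*p, where one showing verifies but two showings of the same credential let anyone solve for the encoded identity. The toy group parameters, the function names and the omission of the blind issuing protocol are assumptions made for illustration.

```python
import secrets

# Toy parameters, constructed for illustration and far too small for real use:
# P = 2Q + 1 with P, Q prime; G1 and G2 generate the order-Q subgroup of Z*p.
P, Q = 2039, 1019
G1, G2 = 4, 9

def issue(identity):
    """Build a one-show credential encoding `identity` (blind issuing omitted)."""
    s = secrets.randbelow(Q)                          # blinding exponent
    w1, w2 = secrets.randbelow(Q), secrets.randbelow(Q)
    h = pow(G1, identity, P) * pow(G2, s, P) % P      # credential public key
    a = pow(G1, w1, P) * pow(G2, w2, P) % P           # commitment fixed at issuing
    return {"h": h, "a": a}, {"u": identity, "s": s, "w1": w1, "w2": w2}

def show(secret, c):
    """Holder's response to the verifier's challenge c."""
    return ((secret["w1"] + c * secret["u"]) % Q,
            (secret["w2"] + c * secret["s"]) % Q)

def verify(pub, c, resp):
    """Check G1^r1 * G2^r2 == a * h^c (mod P)."""
    r1, r2 = resp
    lhs = pow(G1, r1, P) * pow(G2, r2, P) % P
    return lhs == pub["a"] * pow(pub["h"], c, P) % P

def extract_identity(c_a, resp_a, c_b, resp_b):
    """Solve for the identity from two showings of the same credential."""
    inv = pow((c_a - c_b) % Q, -1, Q)                 # needs c_a != c_b mod Q
    return (resp_a[0] - resp_b[0]) * inv % Q

def demo():
    pub, sec = issue(identity=777)
    t1 = (123, show(sec, 123))                        # first showing
    t2 = (456, show(sec, 456))                        # second showing, over the limit
    both_valid = verify(pub, *t1) and verify(pub, *t2)
    return both_valid, extract_identity(t1[0], t1[1], t2[0], t2[1])

if __name__ == "__main__":
    print(demo())
```

A single transcript leaves the identity hidden because every candidate identity is consistent with it for some choice of the blinding values; the second transcript removes that freedom.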


