Brands' private credentials
adam at cypherspace.org
Sun May 9 05:08:09 EDT 2004
On Wed, Apr 28, 2004 at 07:54:50PM +0000, Jason Holt wrote:
> Last I heard, Brands started a company called Credentica, which
> seems to only have a placeholder page (although it does have an
> info@ address).
> I also heard that his credential system was never implemented,

It was implemented at least twice: once by the ECAFE ESPRIT project years
ago, more recently by ZKS before they stopped licensing the patents.

> Anna Lysyanskaya and Jan Camenisch came up with a credential system
> that I hear is based on Brands'. Anna's dissertation is online and
> might give you some clues. They might also have been working on an

I looked at the Camenisch protocol briefly a couple of years ago and it is
not based on Brands. It is less efficient computationally, and more
rounds of communication are required if I recall.

But one feature that it does have that Brands doesn't have directly is
self-reblindability. In their protocol it is the credential holder
who does the blinding, rather than the issuer / holder, and the issuer
can also re-blind to get a 2nd unlinkable show. The way you do this
with Brands is to have the CA issue you a new credential in a
re-issuing protocol; Brands' re-issuing protocol has the property that
you do not even have to reveal to the CA what attributes are in the

On the re-showable/re-blindable approach, as with Ernie Brickell's
re-showable credential proposal for Palladium, the converse side of
unlinkable re-showing is that there is no efficient way to revoke
credentials. (If e.g. the private key is compromised, or the credential
owner violates some associated policy in the Palladium/DRM case).

(Caveat of course I think DRM is an unenforceable idea and the
Schelling point ought to be not to even pretend to do it in software
or hardware, rip-once copy-everywhere *always* wins).

> I came up with a much simpler system that has many similar
> properties to Brands', and even does some things that his doesn't.
> It's much less developed than the other systems, but we did write a
> Java implementation and published a paper at WPES last year about

Is this the same as described in http://eprint.iacr.org/2002/151/ with
interactive cut-and-choose and large credentials? There was some
discussion of that protocol in:

Not read the new paper you cite yet.

> Note that most anonymous credential systems are encumbered by
> patents. The implementation for my system is based on the
> Franklin/Boneh IBE which they recently patented, although there's
> another IBE system which may not be encumbered and which should also
> work as a basis for Hidden Credentials.

The problem with Yacobi's scheme (which is based on a composite
modulus variant of DH where you choose n=p.q such that p and q are
relatively smooth so you can do discrete log to set up the public key
for an identity) is that to get desirable security parameters for n
(e.g. 1024 bits) you have to expend huge amounts of resources per
identity public key. So I would say it is not really practical. It
is the only other semi-practical IBE scheme that I am aware of, which
is why Boneh and Franklin's IBE based on the Weil pairing was considered
such a breakthrough.
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
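
The discrete-log step that the reply above attributes to Yacobi's scheme, as an added toy example (not part of the original post or of any implementation it mentions): an authority that knows the smooth factors of p-1 and q-1 recovers an identity's private exponent with Pohlig-Hellman and CRT. The tiny primes, the SHA-256 identity hash, the squaring step and all function names are assumptions of this sketch.

```python
import hashlib
from math import gcd

# Constructed toy parameters (not from the post): p-1 and q-1 are squarefree
# and smooth, and gcd(p-1, q-1) == 2. The post discusses n of about 1024 bits.
P, P_FACTORS = 2311, [2, 3, 5, 7, 11]
Q, Q_FACTORS = 443, [2, 13, 17]
N = P * Q

def is_generator(g, prime, factors):
    """True if g has full order prime-1 modulo prime."""
    return all(pow(g, (prime - 1) // f, prime) != 1 for f in factors)

# Public base: smallest g that generates both Z_p* and Z_q*.
G = next(g for g in range(2, N)
         if is_generator(g, P, P_FACTORS) and is_generator(g, Q, Q_FACTORS))

def identity_element(identity):
    """Hash an identity string to a square in Z_n* (assumed public-key map)."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{identity}|{counter}".encode()).digest()
        h = int.from_bytes(digest, "big") % N
        if gcd(h, N) == 1:
            return pow(h, 2, N)   # squaring makes the logs mod p and q agree mod 2
        counter += 1              # edge case: hash shares a factor with n

def log_residues(target, prime, factors):
    """Pohlig-Hellman: log_G(target) modulo each prime factor of prime-1."""
    residues = {}
    for f in factors:
        e = (prime - 1) // f
        g_f, t_f = pow(G, e, prime), pow(target, e, prime)
        residues[f] = next(x for x in range(f) if pow(g_f, x, prime) == t_f)
    return residues

def extract_private_key(identity):
    """Authority-side extraction; requires the secret factors of n."""
    target = identity_element(identity)
    residues = log_residues(target, P, P_FACTORS)
    for f, r in log_residues(target, Q, Q_FACTORS).items():
        if residues.setdefault(f, r) != r:      # shared factor 2 must agree
            raise ValueError("logs mod p and mod q are inconsistent")
    s, modulus = 0, 1
    for f, r in residues.items():               # CRT over distinct primes
        s += modulus * ((r - s) * pow(modulus, -1, f) % f)
        modulus *= f
    return s
```

The inner search in `log_residues` costs on the order of the largest prime factor of p-1 or q-1 per identity. That factor has to grow with the security level of n, which is the per-identity cost the reply objects to.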