Brands' private credentials

Adam Back adam at
Sun May 9 05:08:09 EDT 2004

On Wed, Apr 28, 2004 at 07:54:50PM +0000, Jason Holt wrote:
> Last I heard, Brands started a company called Credentica, which
> seems to only have a placeholder page (although it does have an
> info@ address).
> I also heard that his credential system was never implemented, 

It was implemented at least twice: once by ECAFE ESPRIT project years
ago, more recently by ZKS before they stopped licensing the patents.

> Anna Lysyanskaya and Jan Camenisch came up with a credential system
> that I hear is based on Brands'. Anna's dissertation is online and
> might give you some clues.  They might also have been working on an
> implementation.

I looked at Camenisch protocol briefly a couple of years ago and it is
not based Brands.  It is less efficient computationally, and more
rounds of communication are required if I recall.

But one feature that it does have that Brands doesn't have directly is
self-reblindability.  In their protocol it is the credential holder
who does the blinding, rather than the issuer / holder, and the issuer
can also re-blind to get a 2nd unlinkable show.  The way you do this
with Brands is to have the CA issue you a new credential in a
re-issuing protocol; Brands re-issuing protocol has the property that
you do not even have to reveal to the CA what attributes are in the
re-issued cert.

On re-showable/re-blindable approach, as with Ernie Brikell's
re-showable credential proposal for Palladium the converse side of
unlinkable re-showing is that there is no efficient way to revoke
credentials.  (If eg the private key is compromised, or the credential
owner violates some associated policy in the Palladium/DRM case).
(Caveat of course I think DRM is an unenforceable idea and the
schelling point ought to be not to even pretend to do it in software
or hardware, rip-once copy-everywhere *always* wins).

> I came up with a much simpler system that has many similar
> properties to Brands', and even does some things that his doesn't.
> It's much less developed than the other systems, but we did write a
> Java implementation and published a paper at WPES last year about
> it.

Is this the same as described in with
interactive cut-and-choose and large credenitals?  There was some
discussion of that protocol in: 

Not read the new paper you cite yet.

> Note that most anonymous credential systems are encumbered by
> patents.  The implementation for my system is based on the
> Franklin/Boneh IBE which they recently patented, although there's
> another IBE system which may not be encumbered and which should also
> work as a basis for Hidden Credentials.

The problem with the Yacobi's scheme (which is based on a composite
modulus variant of DH where you choose n=p.q such that p and q are
relatively smooth so you can do discrete log to setup the public key
for an identity) is that to get desirable security parameters for n
(eg 1024 bits) you have to expend huge amounts of resources per
identity public key.  So I would say it is not really practical.  It
is the only other semi-practical IBE scheme that I am aware of which
is why Boneh and Franklins IBE based on weil pairing was considered
such a break through.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list