Brands' private credentials

Adam Back adam at cypherspace.org
Sun May 9 06:04:31 EDT 2004


[copied to cpunks as cryptography seems to have a multi-week lag these
days].

OK, now having read:

> http://isrl.cs.byu.edu/HiddenCredentials.html
> http://isrl.cs.byu.edu/pubs/wpes03.pdf

and seeing that it is a completely different proposal essentially
being an application of IBE, and extension of the idea that one has
multiple "identities" encoding attributes.  (The usual attribute this
approach is used for is time-period of receipt .. eg month of receipt
so the sender knows which key to encrypt with).

On Wed, Apr 28, 2004 at 07:54:50PM +0000, Jason Holt wrote:
> properties to Brands', and even does some things that his doesn't.

so here is one major problem with using IBE: everyone in the system
has to trust the IBE server!

> I feel a little presumptuous mentioning it in the context of the
> other systems, which have a much more esteemed set of authors and
> are much more developed, but I'm also pretty confident in its
> simplicity.

One claim is that the system should hide sensitive attributes from
disclosure during a showing protocol.  So the example given an AIDs
patient could authenticate to an AIDS db server without revealing to
an outside observer whether he is an AIDs patient or an authorised
doctor.

However can't one achieve the same thing with encryption: eg an SSL
connection and conventional authentication?  

Outside of this, the usual approach to this is to authenticate the
server first, then authenticate the client so the client's privacy is
preserved.


Further more there seems to be no blinding at issue time.  So to
obtain a credential you would have to identify yourself to the CA /
IBE identity server, show paper credentials, typically involving True
Name credentials, and come away with a private key.  So it is proposed
in the paper the credential would be issued with a pseudonym.  However
the CA can maintain a mapping between True Name and pseudonym.

However whenever you show the credential the event is traceable back
to you by collision with the CA.

> Note that most anonymous credential systems are encumbered by
> patents.

I would not say your Hidden Credential system _is_ an anonymous
credential system.  There is no blinding in the system period.  All is
gated via a "trust-me" CA that in this case happens to be an IBE
server, so providing the communication pattern advantages of an IBE
system.

What it enables is essentially an offline server assisted oblivious
encryption where you can send someone a message they can only decrypt
if they happen to have an attribute.  You could call this a credential
system kind of where the showing protcool is the verifier sends you a
challenge, and the shower decrypts the challenge and sends the result
back.

In particular I don't see any way to implement an anonymous epayment
system using Hidden Credentials.  As I understand it is simply not
possible as the system has no inherent cryptographic anonymity?

Adam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list