blinding & BF IBE CA assisted credential system (Re: chaum's patent expiry?)

Jason Holt jason at
Mon May 10 14:45:56 EDT 2004

On Mon, 10 May 2004, Adam Back wrote:

> On Mon, May 10, 2004 at 03:03:56AM +0000, Jason Holt wrote:
> > [...] Actually, now that you mention Chaum, I'll have to look into
> > blind signatures with the B&F IBE (issuing is just a scalar*point
> > multiply on a curve).  
> I think you mean so that the CA/IBE server even though he learns
> pseudonyms private key, does not learn the linkage between true name
> and pseudonym.  (At any time during a show protocol whether the
> private key issuing protocol is blinded or not the IBE server can
> compute the pseudonyms private key).

Well, he can always generate private keys for any pseudonym, just as in cash
systems where the bank can always issue bank notes.  Here's what I'm
suggesting, where "b" is a blinding function and n1... are random nyms:


Alice              FBI TTP

<---cut & choose: n1,n3



(Alice unblinds and now has a credential for nym n2)

So it's vanilla Chaum-style blinded credentials.  The FBI signs Alice's agent
cred without learning the nym.  Alice can use the nym, and the server can ask
the FBI the attributes (agent? chief? secretary?) of the person with the nym,
but the FBI won't know.  The FBI could eavesdrop on Alice's connection and
generate whatever creds are necessary to read the resource Bob sends her, but
that's why I was talking about building it in a protocol with PFS.

But now that I think of it, PFS isn't really necessary at all for Alice&Bob to
have a conversation where their policies are respected:

Alice                                         Bob

(Alice generates random nonce na)
HC_E(na, "Bob:agent", FBI)--->

                         (Bob generates random nb)
                 <---HC_E(nb, "Alice:member", NRA)

Both generate session keys from Hash(na,nb).

So, Alice wants to connect iff Bob's FBI, and Bob wants to talk iff Alice is
in the NRA, where "Alice" and "Bob" are random pseudonyms.  Thus they send
their random nonces na and nb encrypted against those creds (HC_E is a hidden
cred encrypt), then use those nonces for the session keys.

The FBI can *always* impersonate an agent, because, well, they're the CA and
they can make up pseudonymous agents all day long. But in this protocol, I
believe they wouldn't be able to be a MITM and/or just eavesdrop on Alice&Bob.  
That's because Bob only wants to talk to NRA members, and the FBI can't
impersonate that.

Now, this is for an interactive session, rather than just sending a single
request/response round like I discuss in the paper.  But even then, policies
are always respected.  Just change "na" to "request" and "nb" to "response".  
Alice's policy is respected whether she talks to FBI-authorized-Bob or
FBI-authorized-FBI, and the FBI doesn't get to read Bob's NRA-Alice-only


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list