Unforgeable Blinded Credentials

Hal Finney hal at finney.org
Sat Apr 1 19:32:16 EST 2006


Ben Laurie writes:
> It is possible to use blind signatures to produce anonymity-preserving
> credentials....
>
> It seems to me quite obvious that someone must have thought of this
> before - the question is who? Is it IP free?

David Chaum did a great deal of work in this area in the 80s and 90s.
He pretty much invented the idea of anonymous credentials.  Stefan Brands
used slightly different techniques a few years later to create improved
versions.  More recently, Camenisch and Lysyanskaya have created a number
of anonymous credential systems based (roughly) on group signatures.
Some work was obstructed by the patent on the Chaum blind signature
technique, but that expired last year.  I think your basic concept is IP
free, but you should review the patents by these researchers to be sure.


> Obviously this kind of credential could be quite useful in identity
> management. Note, though, that this scheme doesn't give me unlinkability
> unless I only show each public/private key pair once. What I really need
> is a family of unlinkable public/private key pairs that I can somehow
> get signed with a single "family" signature (obviously this would need
> to be unlinkably transformed for each member of the key family).

There is an operational difficulty with this goal as stated.
To demonstrate it, consider a trivial way of achieving the goal.
The credential issuer creates a special public/private key pair that is
associated with the credential.  To everyone who earns the credential,
he reveals the private key (which is the same for everyone who has the
credential).  To show that he holds the credential, the key holder issues
a signature using the private key corresponding to the publicly-known
credential public key.  Now he can show credential ownership as often
as desired, without linkability, because all such demonstrations look
the same, for all members.

This illustrates a problem with multi-show credentials, that the holder
could share his credential freely, and in some cases even publish it,
and this would allow non-authorized parties to use it.  To avoid this,
more complicated techniques are needed that provide for the ability
to revoke a credential or blacklist a credential holder, even in an
environment of unlinkability.  Camenisch and Lysyanskaya have done quite
a bit of work along these lines, for example in
http://www.zurich.ibm.com/%7Ejca/papers/camlys02b.pdf .

Hal Finney
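The two constructions the reply contrasts, as an added example (not code from Hal Finney, Ben Laurie, or any of the cited papers): first a Chaum-style blind RSA signature, where the issuer's transcript cannot be matched to the credential shown later, and second the "trivial" multi-show scheme above, where the issuer hands every holder the same private key, so every showing looks identical but a holder can pass the key to anyone. Textbook RSA with small keys and no padding is assumed purely for illustration; the key sizes, the serials, the challenge string and the names Alice, Bob and Eve are constructed for the example.

```python
import hashlib
import random
from math import gcd

# Textbook RSA, 512-bit keys, no padding: an illustration, not for real use.
def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=512, seed=None):
    """Return ((n, e), (n, d)); a seed makes the example reproducible."""
    rng, e = random.Random(seed), 65537
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def h(msg, n):
    """Hash a message to an integer below n (SHA-256, so < 2^256 < n)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

# --- Part 1: Chaum blind signature (single-show, issuer cannot link) ---
def blind(pub, serial, rng):
    """Holder hides its credential serial behind a random factor r coprime to n."""
    n, e = pub
    while True:
        r = rng.randrange(2, n)
        if gcd(r, n) == 1:
            return (pow(r, e, n) * h(serial, n)) % n, r

def issuer_sign(priv, value):
    n, d = priv
    return pow(value, d, n)          # issuer signs whatever it is handed

def unblind(pub, blinded_sig, r):
    n, _ = pub
    return (blinded_sig * pow(r, -1, n)) % n

def verify(pub, serial, sig):
    n, e = pub
    return pow(sig, e, n) == h(serial, n)

def consistent_blinding(priv, blinded_value, serial):
    """Even holding d, the issuer can find an r mapping ANY shown serial to ANY
    transcript value, so the transcript carries no linking information."""
    n, d = priv
    return pow(blinded_value * pow(h(serial, n), -1, n), d, n)

def blind_issuance_demo(seed=1):
    """Two holders obtain credentials; the issuer later tries to link them."""
    pub, priv = rsa_keygen(512, seed)
    rng = random.Random(seed + 1)
    transcript, shown = [], []       # constructed serials for the example
    for serial in (b"serial-A", b"serial-B"):
        blinded, r = blind(pub, serial, rng)
        transcript.append(blinded)   # all the issuer ever sees
        shown.append((serial, unblind(pub, issuer_sign(priv, blinded), r)))
    n, e = pub
    return {
        "valid": all(verify(pub, s, sig) for s, sig in shown),
        "cross_valid": verify(pub, shown[0][0], shown[1][1]),
        "explainable": all((pow(consistent_blinding(priv, t, s), e, n) * h(s, n)) % n == t
                           for t in transcript for s, _ in shown),
    }

# --- Part 2: the trivial multi-show scheme: everyone gets the same private key ---
def show(shared_priv, challenge):
    """Holder proves possession by signing the verifier's challenge with the shared key."""
    n, d = shared_priv
    return pow(h(challenge, n), d, n)

def check(cred_pub, challenge, sig):
    n, e = cred_pub
    return pow(sig, e, n) == h(challenge, n)

def shared_key_demo(seed=2):
    cred_pub, shared_priv = rsa_keygen(512, seed)
    alice_key = bob_key = shared_priv          # issuer reveals d to every holder
    challenge = b"verifier nonce 0x1234"       # constructed challenge
    alice_sig, bob_sig = show(alice_key, challenge), show(bob_key, challenge)
    eve_key = alice_key                        # Alice forwards her copy; nothing stops her
    return {
        "alice_ok": check(cred_pub, challenge, alice_sig),
        "bob_ok": check(cred_pub, challenge, bob_sig),
        "indistinguishable": alice_sig == bob_sig,   # same key, same challenge, same bytes
        "eve_ok": check(cred_pub, challenge, show(eve_key, challenge)),
    }
```

In Part 1, `explainable` is the unlinkability argument made concrete: for every pairing of an issuance transcript with a shown credential there is a blinding factor that would have produced it, so even an issuer who keeps every transcript learns nothing about which showing came from which issuance. In Part 2, `indistinguishable` is exactly the unlinkability Hal describes, and `eve_ok` is the cost: a showing proves only knowledge of the shared key, which anyone who was given a copy can demonstrate, and there is no per-holder value left to revoke.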

---------------------------------------------------------------------
The Cryptography Mailing List