Unforgeable Blinded Credentials

Adam Back adam at cypherspace.org
Sun Apr 2 13:29:26 EDT 2006


On Sat, Apr 01, 2006 at 12:35:12PM +0100, Ben Laurie wrote:
> However, anyone I show this proof to can then masquerade as a silver
> member, using my signed nonce. So, it occurred to me that an easy
> way to prevent this is to create a private/public key pair and
> instead of the nonce use the hash of the public key. Then to prove
> my silver status I have to show that both the hash is signed by BA
> and that I possess the corresponding private key (by signing a
> nonce, say).  It seems to me quite obvious that someone must have
> thought of this before - the question is who? Is it IP free?

Well I thought of this a few years ago also.  However I suspect you'd
find the same idea earlier as a footnote in Stefan Brands' book.  (It's
amazing how much stuff is in there, I thought I found something else
interesting -- offline transferable cash, turns out that also was a
footnote referring to someone's MSc thesis.)

> Obviously this kind of credential could be quite useful in identity
> management. Note, though, that this scheme doesn’t give me
> unlinkability unless I only show each public/private key pair
> once. What I really need is a family of unlinkable public/private
> key pairs that I can somehow get signed with a single “family”
> signature (obviously this would need to be unlinkably transformed
> for each member of the key family).

This is harder, I thought about this a bit also.

I was thinking a way to do this would be to have a self-reblindable
signature.  I.e. you can re-blind the certificate signature such that
the signature remains, but it is unlinkable.  I didn't so far find a
way to do this with any of the schemes.

So it would for example be related to the more recent publicly
re-encryptable Elgamal based signatures.  (Third party can re-encrypt
the already encrypted message without themselves being able to
decrypt the message).


Brands also has a mechanism to simplify the use-each-cert-once method.
He can have the CA reissue you a new cert without having to go through
the attribute verification phase.  I.e. you present an old cert and get
it reblinded, and the CA does not even, if I recall, see what attributes
you have.  So you just periodically get yourself another batch.
Mostly does what you want just with some assistance from the CA.

Adam
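The credential Ben describes in the quoted paragraph, worked through as an added Go example that is not code from this thread or from either author: the CA signs a hash of the member's public key rather than a bare nonce, and a showing consists of that CA signature plus a signature by the member over the verifier's fresh nonce. The example also exercises the two properties discussed above: a captured showing replayed against a new nonce fails (the observer lacks the private key), and two honest showings with the same key pair expose the same public key, which is the linkability gap Ben notes. The "silver" status tag, the message layout signed by the CA, and all function names are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Status tag bound into the credential (constructed for this example).
const statusSilver = "silver"

// credentialMessage is what the CA signs: the status tag followed by the
// hash of the member's public key, not the key itself, as in the proposal.
func credentialMessage(status string, pub ed25519.PublicKey) []byte {
	h := sha256.Sum256(pub)
	return append([]byte(status+":"), h[:]...)
}

// Issue: the CA signs H(pk) tagged with the status; this is the credential.
func Issue(caPriv ed25519.PrivateKey, status string, pub ed25519.PublicKey) []byte {
	return ed25519.Sign(caPriv, credentialMessage(status, pub))
}

// Presentation is what the holder shows a verifier for one nonce.
type Presentation struct {
	Pub        ed25519.PublicKey
	Credential []byte // CA signature over status:H(pk)
	NonceSig   []byte // holder's signature over the verifier's nonce
}

// Present: exhibit the CA-signed hash and prove possession of the private
// key by signing the verifier's fresh nonce.
func Present(priv ed25519.PrivateKey, credential, nonce []byte) Presentation {
	pub := priv.Public().(ed25519.PublicKey)
	return Presentation{Pub: pub, Credential: credential, NonceSig: ed25519.Sign(priv, nonce)}
}

// Verify checks both halves: the CA vouched for this key hash with this
// status, and the presenter controls the matching private key.
func Verify(caPub ed25519.PublicKey, status string, nonce []byte, p Presentation) bool {
	if !ed25519.Verify(caPub, credentialMessage(status, p.Pub), p.Credential) {
		return false
	}
	return ed25519.Verify(p.Pub, nonce, p.NonceSig)
}

// Linkable reports whether two presentations expose the same public key:
// reusing one key pair lets verifiers correlate showings.
func Linkable(a, b Presentation) bool {
	return bytes.Equal(a.Pub, b.Pub)
}

// freshNonce returns 32 random bytes; the verifier picks a new one per showing.
func freshNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	memberPub, memberPriv, _ := ed25519.GenerateKey(rand.Reader)
	cred := Issue(caPriv, statusSilver, memberPub)

	// Honest showing against a fresh nonce.
	n1 := freshNonce()
	p1 := Present(memberPriv, cred, n1)
	fmt.Println("member verifies:", Verify(caPub, statusSilver, n1, p1))

	// An observer who captured p1 cannot reuse it: the new nonce needs sk.
	n2 := freshNonce()
	fmt.Println("replayed transcript verifies:", Verify(caPub, statusSilver, n2, p1))

	// Two honest showings with the same key pair are linkable by pk.
	p2 := Present(memberPriv, cred, n2)
	fmt.Println("linkable:", Linkable(p1, p2))
}
```

Binding the status tag into the signed message matters: if the CA signed only H(pk), a credential issued for one status could be presented as another. Unlinkability would need a fresh key pair (and a fresh credential) per showing, which is the batch-reissue workaround Adam describes.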

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com