Unforgeable Blinded Credentials

Ben Laurie ben at algroup.co.uk
Tue Apr 4 01:15:48 EDT 2006 

Hal Finney wrote:
> Ben Laurie writes:
>> It is possible to use blind signatures to produce anonymity-preserving
>> credentials....
>>
>> It seems to me quite obvious that someone must have thought of this
>> before - the question is who? Is it IP free?
> 
> David Chaum did a great deal of work in this area in the 80s and 90s.
> He pretty much invented the idea of anonymous credentials.  Stefan Brands
> used slightly different techniques a few years later to create improved
> versions.  More recently, Camenisch and Lysyanskaya have created a number
> of anonymous credential systems based (roughly) on group signatures.
> Some work was obstructed by the patent on the Chaum blind signature
> technique, but that expired last year.  I think your basic concept is IP
> free, but you should review the patents by these researchers to be sure.
> 
> 
>> Obviously this kind of credential could be quite useful in identity
>> management. Note, though, that this scheme doesn't give me unlinkability
>> unless I only show each public/private key pair once. What I really need
>> is a family of unlinkable public/private key pairs that I can somehow
>> get signed with a single "family" signature (obviously this would need
>> to be unlinkably transformed for each member of the key family).
> 
> There is an operational difficulty with this goal as stated.
> To demonstrate it, consider a trivial way of achieving the goal.
> The credential issuer creates a special public/private key pair that is
> associated with the credential.  To everyone who earns the credential,
> he reveals the private key (which is the same for everyone who has the
> credential).  To show that he holds the credential, the key holder issues
> a signature using the private key corresponding to the publicly-known
> credential public key.  Now he can show credential ownership as often
> as desired, without linkability, because all such demonstrations look
> the same, for all members.
> 
> This illustrates a problem with multi-show credentials, that the holder
> could share his credential freely, and in some cases even publish it,
> and this would allow non-authorized parties to use it.  To avoid this,
> more complicated techniques are needed that provide for the ability
> to revoke a credential or blacklist a credential holder, even in an
> environment of unlinkability.  Camenisch and Lysyanskaya have done quite
> a bit of work along these lines, for example in
> http://www.zurich.ibm.com/%7Ejca/papers/camlys02b.pdf .

So, for the record, has Brands.

I agree that, in general, this is a problem with multi-show credentials
(though I have to say that using a completely different system to
illustrate it seems to me to be cheating somewhat).

Brands actually has a neat solution to this where the credential is
unlinkable for n shows, but on the (n+1)th show reveals some secret
information (n is usually set to 1 but doesn't have to be). This
obviously gives a disincentive against sharing if the secret information
is well chosen (such as "here's where to go to arrest the guy").

Hohenberger presented a system (at Eurocrypt 2004? 2005?) where then
(n+1)th show makes all the shows linkable, which is even neater, IMO,
but is based on rocket science :-)

All this goes way beyond the scope of my original question, but I have
to confess is necessary to make what I outlined useful.

Cheers,

Ben.

-- 
http://www.links.org/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list