Unforgeable Blinded Credentials

Ben Laurie ben at algroup.co.uk
Tue Apr 4 01:20:31 EDT 2006 

Apu Kapadia wrote:
> 
> I came across the same problem a couple of years ago (and indeed
> iterated through private/public key solutions with a colleague). The
> problem is that you can still give your private key to somebody else.
> There's no real deterrent unless that private key is used for many other
> purposes, thereby discouraging sharing. But if that's the case, there's
> no real anonymity anymore, since the private key is tied to the person's
> identity.
> 
> I found that Chameleon Certificates had nice properties. You have a
> "master certificate" that lists all your attributes. For authentication,
> you generate an unlinkable slave certificate with any subset of
> attributes. You have to possess the master certificate at time of use to
> generate the slave certificate, so you can't pass a slave certificate to
> a friend for later use. Then you just need to ensure that the master
> certificate includes personal details like credit card number, SSN, etc.
> to deter sharing of master certificates. Note that the slave
> certificates won't have this information, so this personal information
> is safe as long as the master certificate is not leaked. Since sharing
> an attribute amounts to sharing all your attributes, including personal
> information, this property serves as a good deterrent. Maybe somebody
> else can comment on the technical viability + crypto details of the paper.
> 
> P. Persiano and I. Visconti. An Anonymous Credential System and a
> Privacy-Aware PKI. In Information Security
> and Privacy, 8th Australasian Conference, ACISP 2003, volume 2727 of
> Lecture Notes in Computer Science. Springer Verlag, 2003.
> http://springerlink.metapress.com/openurl.asp?genre=article&issn=0302-9743&volume=2727&spage=27
> 
> 
> Here's the abstract:
>  In this paper we present a non-transferable anonymous credential system
> that is based on the concept of a chameleon certificate. A chameleon
> certificate is a special certificate that enjoys two interesting
> properties. Firstly, the owner can choose which attributes of the
> certificate to disclose. Moreover, a chameleon certificate is multi-show
> in the sense that several uses of the same chameleon certificate by the
> same user cannot be linked together.
> 
> We adopt the framework of Brands [2] and our construction improves the
> results of Camenisch et al. [5] and Verheul [16] since it allows the
> owner of a certificate to prove general statements on the attributes
> encoded in the certificate and our certificates enjoy the multi-show
> property.

If I have understood your description correctly it seems to me that this
is defeated if, rather than sharing the master certificate, the bad guy
allows their friend to proxy to them for whatever proofs are required.
That way they never have to give up the precious master cert, but the
friend's slave cert's still work.

Cheers,

Ben.

-- 
http://www.links.org/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list