Unforgeable Blinded Credentials

Adam Back adam at cypherspace.org
Tue Apr 4 14:24:38 EDT 2006 

On Tue, Apr 04, 2006 at 06:15:48AM +0100, Ben Laurie wrote:
> > This illustrates a problem with multi-show credentials, that the holder
> > could share his credential freely, and in some cases even publish it,
> > and this would allow non-authorized parties to use it.  To avoid this,
> > more complicated techniques are needed that provide for the ability
> > to revoke a credential or blacklist a credential holder, even in an
> > environment of unlinkability.  Camenisch and Lysyanskaya have done quite
> > a bit of work along these lines, for example in
> > http://www.zurich.ibm.com/%7Ejca/papers/camlys02b.pdf .
> 
> So, for the record, has Brands.
> 
> I agree that, in general, this is a problem with multi-show credentials
> (though I have to say that using a completely different system to
> illustrate it seems to me to be cheating somewhat).
> 
> Brands actually has a neat solution to this where the credential is
> unlinkable for n shows, but on the (n+1)th show reveals some secret
> information (n is usually set to 1 but doesn't have to be). 

I think they shows are linkable, but if you show more than allowed
times, all of the attributes are leaked, including the credential
secret key and potentially some identifying information like your
credit card number, your address etc.

The main use I think is to have 1-show, where if you show more than 1
time your identity is leaked -- for offline electronic cash with fraud
tracing.  But as you say the mechanism generalizes to multiple show.

> This obviously gives a disincentive against sharing if the secret
> information is well chosen (such as "here's where to go to arrest
> the guy").

Well the other kind of disincentive was a credit card number.  My
suggestion was to use a large denomination ecash coin to have
anonymous disincentives :) ie you get fined, but you are not
identified.

Adam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list