Unforgeable Blinded Credentials

Christian Paquin paquin at credentica.com
Wed Apr 5 13:06:18 EDT 2006


Adam Back wrote:
> On Tue, Apr 04, 2006 at 06:15:48AM +0100, Ben Laurie wrote:
>>Brands actually has a neat solution to this where the credential is
>>unlinkable for n shows, but on the (n+1)th show reveals some secret
>>information (n is usually set to 1 but doesn't have to be). 
> 
> I think the shows are linkable, but if you show more than allowed
> times, all of the attributes are leaked, including the credential
> secret key and potentially some identifying information like your
> credit card number, your address etc.

In Brands' system, multiple uses of an n-show credential are not linkable 
to the issuing (i.e. they are untraceable), but they are indeed linkable 
if presented to the same party: the verifier will recognize the 
credential when re-used. This is useful for limited pseudonymous access 
to accounts or resources. If you want showing unlinkability, better 
get n one-show credentials (simpler and more efficient).

The protection you get, as pointed out by Adam, is that when an n-show 
credential is presented n+1 times (to the same or different verifiers, 
as long as the audit data is collected centrally) all attributes drop 
out (*). In cases where you had to authenticate to get those credentials 
(paid by credit card to get e-coins, had a "gold" account to get 
discount coupons, etc.), the issuer usually embeds an invisible and 
always hidden identifier into the credential so it can recognize you and 
take application-specific measures against the fraud (revoke your 
account (**), charge money on your credit card, etc.)

Cheers,

  - Christian

(*) For those who wonder how this works, imagine the credential private 
key and attributes being the (secret) slope of a line. At every showing, 
the verifier challenges the user to disclose one (random) point on the 
line. For a one-use credential, re-using it reveals two points which is 
all you need to compute the slope. If it's only used once, it's 
infeasible for the verifier (even in collusion with the issuer) to 
figure out which line the point belongs to (and therefore break the 
untraceability property).

(**) Note that there is also a nice revocation technique where an issuer 
publishes a blacklist containing the revoked users' "secret" 
identifiers. When a multi-use fraud is detected and the malicious 
user's identity drops out, it can be added to the blacklist. Users can 
prove that the identifier in their credential is not equal to any 
blacklisted values without revealing it. This can be used, e.g., to 
effectively revoke a bunch of anonymous and unlinkable e-coins 
(containing the same secret id) if the owner double-spends any one of them.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
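
The line analogy in footnote (*) above, as an added Python example that is not part of the original post and is not Brands' actual protocol: a toy model over a prime field in which each showing discloses one point on a secret line, and a central audit log recovers the slope on the second showing. The modulus `P`, the class and function names, and the `cred_id` key are assumptions made for the illustration.

```python
import secrets

P = 2**127 - 1  # constructed toy modulus (a Mersenne prime), not a real system parameter


class OneShowCredential:
    """Toy model of the footnote: secret line y = slope*c + intercept (mod P)."""
    def __init__(self, slope=None):
        # slope stands in for the credential private key and attributes
        self.slope = secrets.randbelow(P) if slope is None else slope % P
        # intercept is fixed at issuance and never disclosed
        self.intercept = secrets.randbelow(P)

    def show(self, challenge):
        """Answer a verifier's challenge with one point on the line."""
        c = challenge % P
        return c, (self.slope * c + self.intercept) % P


def recover_slope(a, b):
    """Two distinct points from the same credential give up the slope."""
    (c1, r1), (c2, r2) = a, b
    if (c2 - c1) % P == 0:
        raise ValueError("same challenge yields the same point, nothing to solve")
    return (r2 - r1) * pow((c2 - c1) % P, -1, P) % P


def intercept_for(point, candidate_slope):
    """After one showing, any candidate slope fits with this intercept."""
    c, r = point
    return (r - candidate_slope * c) % P


class AuditLog:
    """Central store of showings, keyed by a hypothetical credential id."""
    def __init__(self):
        self.first_point = {}

    def record(self, cred_id, point):
        """Return None for a first (or replayed) showing, else the leaked slope."""
        prior = self.first_point.setdefault(cred_id, point)
        return None if prior == point else recover_slope(prior, point)


if __name__ == "__main__":
    cred, log = OneShowCredential(), AuditLog()
    log.record("cred-1", cred.show(1))
    print(log.record("cred-1", cred.show(2)) == cred.slope)
```

`intercept_for` shows why a single point leaks nothing about the slope: every candidate slope is consistent with some intercept, so the verifier cannot tell which line the point lies on.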


