Unforgeable Blinded Credentials

Ben Laurie ben at algroup.co.uk
Sat Apr 8 14:53:37 EDT 2006


Adam Back wrote:
> On Tue, Apr 04, 2006 at 06:15:48AM +0100, Ben Laurie wrote:
>>> This illustrates a problem with multi-show credentials, that the holder
>>> could share his credential freely, and in some cases even publish it,
>>> and this would allow non-authorized parties to use it.  To avoid this,
>>> more complicated techniques are needed that provide for the ability
>>> to revoke a credential or blacklist a credential holder, even in an
>>> environment of unlinkability.  Camenisch and Lysyanskaya have done quite
>>> a bit of work along these lines, for example in
>>> http://www.zurich.ibm.com/%7Ejca/papers/camlys02b.pdf .
>> So, for the record, has Brands.
>>
>> I agree that, in general, this is a problem with multi-show credentials
>> (though I have to say that using a completely different system to
>> illustrate it seems to me to be cheating somewhat).
>>
>> Brands actually has a neat solution to this where the credential is
>> unlinkable for n shows, but on the (n+1)th show reveals some secret
>> information (n is usually set to 1 but doesn't have to be). 
> 
> I think the shows are linkable, but if you show more than allowed
> times, all of the attributes are leaked, including the credential
> secret key and potentially some identifying information like your
> credit card number, your address etc.

I could be wrong, but I'm pretty sure they're unlinkable - that's part
of the point of Brands' certificates.

> The main use I think is to have 1-show, where if you show more than 1
> time your identity is leaked -- for offline electronic cash with fraud
> tracing.  But as you say the mechanism generalizes to multiple show.
> 
>> This obviously gives a disincentive against sharing if the secret
>> information is well chosen (such as "here's where to go to arrest
>> the guy").
> 
> Well the other kind of disincentive was a credit card number.  My
> suggestion was to use a large denomination ecash coin to have
> anonymous disincentives :) ie you get fined, but you are not
> identified.

The problem with that disincentive is that I need to sink the money for
each certificate I have. Clearly this doesn't scale at all well.

Cheers,

Ben.

-- 
http://www.links.org/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
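
The (n+1)th-show leak discussed in this message, reduced to its algebra, as an added example that is not part of the original post and is not Brands' actual protocol (no commitments, issuer signature or verification). It assumes a simplified model in which each show reveals one point on a degree-n polynomial fixed at issuance whose constant term is the secret; the names `issue`, `show`, `recover` and the modulus `Q` are hypothetical.

```python
import secrets

# Constructed parameter for the toy field: the Mersenne prime 2**127 - 1.
Q = 2**127 - 1

def issue(secret, n):
    """Fix the holder's polynomial at issuance: f(0) = secret, degree n."""
    return [secret % Q] + [secrets.randbelow(Q) for _ in range(n)]

def show(coeffs, challenge):
    """One show: answer the verifier's challenge c with the point (c, f(c))."""
    if challenge % Q == 0:
        # f(0) is the secret itself, so a zero challenge must be refused.
        raise ValueError("challenge must be non-zero mod Q")
    acc = 0
    for a in reversed(coeffs):              # Horner evaluation mod Q
        acc = (acc * challenge + a) % Q
    return challenge % Q, acc

def recover(transcripts):
    """Lagrange-interpolate f(0) from shows made with distinct challenges."""
    if len({c for c, _ in transcripts}) != len(transcripts):
        raise ValueError("challenges must be distinct")
    total = 0
    for i, (ci, ri) in enumerate(transcripts):
        num, den = 1, 1
        for j, (cj, _) in enumerate(transcripts):
            if i != j:
                num = num * (-cj) % Q
                den = den * (ci - cj) % Q
        total = (total + ri * num * pow(den, -1, Q)) % Q
    return total

def demo(n=2, secret=0xC0FFEE):
    """Return (guess from n shows, value recovered from n + 1 shows)."""
    coeffs = issue(secret, n)
    shows = [show(coeffs, c) for c in range(1, n + 2)]
    return recover(shows[:n]), recover(shows)

if __name__ == "__main__":
    within_limit, over_limit = demo()
    print("from n shows:    ", hex(within_limit))   # unrelated to the secret
    print("from n + 1 shows:", hex(over_limit))     # the embedded secret
```

With n = 1 this is the one-show case: two answers to different challenges are two points on a line, and the intercept is the secret.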


