Unforgeable Blinded Credentials

Adam Back adam at cypherspace.org
Sat Apr 8 16:16:03 EDT 2006


On Sat, Apr 08, 2006 at 07:53:37PM +0100, Ben Laurie wrote:
> Adam Back wrote:
> > [about Brands credentials]
> > I think the shows are linkable, but if you show more than allowed
> > times, all of the attributes are leaked, including the credential
> > secret key and potentially some identifying information like your
> > credit card number, your address etc.
> 
> I could be wrong, but I'm pretty sure they're unlinkable - that's part
> of the point of Brands' certificates.

No they are definitely mutually linkable (pseudonymous), tho obviously
not linkable to the real identity at the issuer.

> Christian Paquin wrote:
> > In Brands' system, multiple uses of an n-show credential are not linkable
> > to the issuing (i.e. they are untraceable), but they are indeed linkable
> > if presented to the same party: the verifier will recognize the
> > credential when re-used. This is useful for limited pseudonymous access
> > to accounts or resources. If you want showing unlinkability, better get
> > n one-show credentials (simpler and more efficient).
> 
> That's only true if the credential contains any unblinded unique data,
> surely?

No.  It arises because the credential public key is necessarily shown
during a show.  (The credential public key is blinded during
credential issue so it's not linkable to issue).  So you can link
across shows simply by comparing the credential public key.

It's hard to blind the public key also.  I thought that's what you were
talking about in a previous mail where you were saying about what
could be done to make things unlinkable.  (Or maybe trying to find the
same property you thought Brands had, i.e. unlinkable multi-show, for
Chaum's credentials.)


Note with Brands credentials you can choose: unlimited show, 1-show or
n-show.  To do 1-show or n-show you make some formula for initial
witness that is fair and verifiable by the verifier, so there are only
n allowed IWs, and consequently if you reuse one it leaks two shows
with the same IW which allows the credential private key to be
recovered.  i.e. it's just a trick to define a limited number of allowed
(and verifier verified) IWs -- IW is a sort of commitment by the
credential owner in the show protocol.

So there is something compact that the verifier can send
somewhere and it can then collate them and notice when a show is > n
shows (presuming there are multiple verifiers and you want to impose n
shows across all of them).


> Adam Back wrote:
> > Well the other kind of disincentive was a credit card number.  My
> > suggestion was to use a large denomination ecash coin to have
> > anonymous disincentives :) ie you get fined, but you are not
> > identified.
> 
> The problem with that disincentive is that I need to sink the money for
> each certificate I have. Clearly this doesn't scale at all well.

No I mean put the same high value ecash coin in all of your offline
limited show credentials / offline ecash coins.

e.g. say you can choose to hand over $100 and retain your anonymity even
in event of double-spending offline ecash coins, or over-using
limited-show credentials.


I was curious about the Chameleon credential as they claim to work
with Brands credentials; I wrote to one of the authors to see if I
could get an electronic copy, but no reply so far.


Note also about your earlier comments on lending deterrence,
ultimately I think you can always do online lending.

Adam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
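
The two properties discussed in the message above (shows are linkable through the credential public key, and reusing an initial witness lets a collator recover the credential private key) can be seen in a small added example that is not part of the original post. It assumes a single-exponent Schnorr-style show as a stand-in for Brands' full representation proof, a toy group, and a fixed list of n witnesses; how the verifier checks that an IW is one of the allowed n is not modelled.

```python
# Toy group (constructed, far too small for real use): G has prime order Q mod P.
P, Q, G = 2039, 1019, 4

def show(x, witnesses, slot, challenge):
    """Holder side of one show. `witnesses` is the credential's fixed list of
    n allowed initial-witness exponents (hypothetical stand-in for the IW formula)."""
    w = witnesses[slot]
    h = pow(G, x, P)                 # credential public key, revealed in every show
    a = pow(G, w, P)                 # initial witness (IW), a commitment
    r = (w + challenge * x) % Q      # response to the verifier's challenge
    return (h, a, challenge, r)      # compact transcript the verifier can forward

def verify(transcript):
    """Verifier check: G^r == a * h^c (mod P)."""
    h, a, c, r = transcript
    return pow(G, r, P) == (a * pow(h, c, P)) % P

def collate(transcripts):
    """Collator: group shows by (public key, IW). A repeated IW answered under
    two different challenges gives two equations in w and x, so x falls out."""
    seen, leaked = {}, {}
    for h, a, c, r in transcripts:
        c0, r0 = seen.setdefault((h, a), (c, r))
        if c0 != c:
            leaked[h] = (r - r0) * pow((c - c0) % Q, -1, Q) % Q
    return leaked

if __name__ == "__main__":
    x, ws = 777, [123, 456]          # constructed secret key and a 2-show witness list
    shows = [show(x, ws, 0, 11), show(x, ws, 1, 22), show(x, ws, 0, 33)]
    print("all verify:", all(verify(t) for t in shows))
    print("public keys seen:", {t[0] for t in shows})   # one value: shows are linkable
    print("within limit:", collate(shows[:2]))          # nothing leaks
    print("third show:", collate(shows))                # private key recovered
```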