Unforgeable Blinded Credentials

Ben Laurie ben at algroup.co.uk
Sun Apr 9 16:55:44 EDT 2006


Adam Back wrote:
> On Sat, Apr 08, 2006 at 07:53:37PM +0100, Ben Laurie wrote:
>> Adam Back wrote:
>>> [about Brands credentials]
>>> I think the shows are linkable, but if you show more than allowed
>>> times, all of the attributes are leaked, including the credential
>>> secret key and potentially some identifying information like your
>>> credit card number, your address etc.
>> I could be wrong, but I'm pretty sure they're unlinkable - that's part
>> of the point of Brands' certificates.
> 
> No they are definitely mutually linkable (pseudonymous), though obviously
> not linkable to the real identity at the issuer.
> 
>> Christian Paquin wrote:
>>> In Brands' system, multiple uses of an n-show credential are not linkable
>>> to the issuing (i.e. they are untraceable), but they are indeed linkable
>>> if presented to the same party: the verifier will recognize the
>>> credential when re-used. This is useful for limited pseudonymous access
>>> to accounts or resources. If you want showing unlinkability, better get
>>> n one-show credentials (simpler and more efficient).
>> That's only true if the credential contains any unblinded unique data,
>> surely?
> 
> No.  It arises because the credential public key is necessarily shown
> during a show.  (The credential public key is blinded during
> credential issue so it's not linkable to issue).  So you can link
> across shows simply by comparing the credential public key.
> 
> It's hard to blind the public key also.  I thought that's what you were
> talking about in a previous mail where you were saying about what
> could be done to make things unlinkable.  (Or maybe trying to find the
> same property you thought Brands had i.e. unlinkable multi-show, for
> Chaum's credentials.)

This is what I was talking about.

> Note with Brands credentials you can choose: unlimited show, 1-show or
> n-show.  To do 1-show or n-show you make some formula for initial
> witness that is fair and verifiable by the verifier, so there are only
> n allowed IWs, and consequently if you reuse one it leaks two shows
> with the same IW which allows the credential private key to be
> recovered.  i.e. it's just a trick to define a limited number of allowed
> (and verifier verified) IWs -- IW is a sort of commitment by the
> credential owner in the show protocol.
> 
> So there is something compact that the verifier can send
> somewhere and it can then collate them and notice when a show is > n
> shows (presuming there are multiple verifiers and you want to impose n
> shows across all of them).
> 
> 
>> Adam Back wrote:
>>> Well the other kind of disincentive was a credit card number.  My
>>> suggestion was to use a large denomination ecash coin to have
>>> anonymous disincentives :) ie you get fined, but you are not
>>> identified.
>> The problem with that disincentive is that I need to sink the money for
>> each certificate I have. Clearly this doesn't scale at all well.
> 
> No I mean put the same high value ecash coin in all of your offline
> limited show credentials / offline ecash coins.
> 
> e.g. say you can choose to hand over $100 and retain your anonymity even
> in event of double-spending offline ecash coins, or over-using
> limited-show credentials.

If you use the same coin then at some point it becomes worth losing it
so you can then double-spend everything secured with it.

> I was curious about the Chameleon credential as they claim to work
> with Brands credentials, I wrote to one of the authors to see if I
> could get an electronic copy, but no reply so far.
> 
> 
> Note also about your earlier comments on lending deterrence,
> ultimately I think you can always do online lending.

Yes, I think this is true, the question is how unattractive it can be
made...

Cheers,

Ben.

-- 
http://www.links.org/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
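
Added illustration, not part of the original messages: a simplified Schnorr-style show (not Brands' actual protocol) demonstrating the two properties discussed in the thread, namely that shows are linkable through the credential public key, and that reusing one of the n allowed initial witnesses lets a collator recover the credential private key. The toy group parameters, the function names and the idea of listing the allowed witnesses in the credential are assumptions made for this example.

```python
import secrets

# Toy Schnorr group, constructed for this example and far too small for real use.
P, Q, G = 2039, 1019, 4  # P = 2Q + 1; G generates the subgroup of prime order Q

def issue(n):
    """Hypothetical credential: secret x, public key h, n allowed initial witnesses."""
    rng = secrets.SystemRandom()
    x = rng.randrange(1, Q)
    ws = rng.sample(range(1, Q), n)  # distinct secret exponents, one per show
    return {"x": x, "h": pow(G, x, P), "ws": ws, "iws": [pow(G, w, P) for w in ws]}

def show(cred, slot, c):
    """One show against verifier challenge c: transcript (h, a, c, r)."""
    c %= Q
    r = (cred["ws"][slot] + c * cred["x"]) % Q
    return cred["h"], cred["iws"][slot], c, r

def verify(transcript, allowed_iws):
    """Verifier check: a is an allowed IW and g^r == a * h^c (mod P)."""
    h, a, c, r = transcript
    return a in allowed_iws and pow(G, r, P) == a * pow(h, c, P) % P

def collate(transcripts):
    """Count shows per public key; recover x where one IW answered two challenges."""
    first, shows, leaked = {}, {}, {}
    for h, a, c, r in transcripts:
        shows[h] = shows.get(h, 0) + 1  # same h in two shows means they are linked
        c0, r0 = first.setdefault((h, a), (c, r))
        if c0 != c:
            # r - r0 = (c - c0) * x mod Q, so divide out the challenge difference.
            leaked[h] = (r - r0) * pow((c - c0) % Q, -1, Q) % Q
    return shows, leaked

def demo():
    cred = issue(2)  # a 2-show credential
    # Constructed challenges 17, 401, 900; the third show reuses slot 0.
    t = [show(cred, 0, 17), show(cred, 1, 401), show(cred, 0, 900)]
    return cred, t, collate(t[:2]), collate(t)

if __name__ == "__main__":
    cred, t, within_limit, over_limit = demo()
    print("within limit:", within_limit)
    print("over limit:  ", over_limit, "secret was", cred["x"])
```

Every transcript verifies on its own, so the over-use is only visible to whoever collates transcripts from all verifiers.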


