Unforgeable Blinded Credentials
Adam Back
adam at cypherspace.org
Wed Apr 19 15:23:36 EDT 2006
On Wed, Apr 19, 2006 at 11:53:18AM -0700, bear wrote:
> On Sat, 8 Apr 2006, Ben Laurie wrote:
> >Adam Back wrote:
> >> My suggestion was to use a large denomination ecash coin to have
> >> anonymous disincentives :) ie you get fined, but you are not
> >> identified.
> >
> >The problem with that disincentive is that I need to sink the money for
> >each certificate I have. Clearly this doesn't scale at all well.
>
> Um, if it's anonymous and unlinkable, how many certificates do you
> need? I should think the answer would be "one."
Agreed, it's very nice if we could do this. However, all of the
practical schemes are show-linkable.
I looked at the paper that was referenced earlier in the thread about
the Chameleon [1] credentials which are an attempt to add unlinkable
multi-show to Brands credentials.
So aside from the fact that it uses a non-standard assumption that it
is hard to find e^v = a^x + c mod n (for RSA e,n). Apparently
Camenisch's other assumption that it is hard to find e^v = a^x + 1 was
broken... so that's not very comforting to start. (They offer no proof
of this assumption).
Then they use an interactive ZKP in the show which I think will
require say 80 rounds for reasonable security, each round involving
some non-trivial computation.
So it's not that practical compared to Chaum, Brands etc -- it's not
very efficient in time nor communication required for the showing of
the chameleon certs.
Adam
[1] "An Anonymous Credential System and a Privacy-Aware PKI" by Pino
Persiano and Ivan Visconti
I put a copy online here temporarily:
http://www.cypherspace.org/adam/papers/chameleon.pdf
---------------------------------------------------------------------
The Cryptography Mailing List