announce: credlib library with brands and chaum credentials (Re: see also credentica announcement about U-prove)

Adam Back adam at
Fri Feb 16 11:14:39 EST 2007


I implemented Chaumian and Brands credentials in a credential library
(C code, using openSSL).  I implemented some of the pre-computation
steps.  Have not made any attempt so far to benchmark it.  But thought
I could take this opportunity to make it public.  I did not try to
optimize so far.  One optimization opportunity at algorithm level, is
you dont need witness indistinguishability on a single attribute
credential, which saves some of the computations.

Ben, if you have a partial implementation of Camenisch credentials,
you could maybe do some comparisons of that against this C

(I previous shared a copy with a few list participants).

The Brands credential paper I used as reference (simpler precis than
the thesis as a source):

A Technical Overview of Digital Credentials, Technical Report, February 2002.

could be useful as a source of quick reference of whats modexp, modinv
steps would be involved in issuing, showing etc, for comparison with

About flexibility and generality I mean Brands has a huge list of
features, like a very efficient observer setting, with cheap
operations suitable for an 8 bit smartcard, limited multi-show (though
linkable, there is an online credential refresh phase if unlinkable is
desired), single show, ability to show formulae, ability to show and
bombine formulae across credentials from different issuers etc.  And
also prove negatives involving attributes, and related technique for
testing a black list of revoked credentials blindly.  I am a bit rusty
about Camenisch, as its been a few years, but from my recollection it
doesnt do most of these things.  Also Brands in the ecash setting
there is a neat technique for making offline respendable coins with
double-spend protection.  (I thought I discovered it, but I asked
Stefan, and its a foot note in the thesis book that I missed, and
turns out it was topic of someone's MSc thesis).

The credlib library so far does unlimited show linkable credentials
(issuing, showing etc) for 0 or more attributes.

The u-prove library does a lot more things, I think, but its java and
I'm more of a C person, though java is interesting in some java device
and j2ee server settings, and for app portability.  I guess I just
like C efficiency.


On Thu, Feb 15, 2007 at 06:24:11PM +0000, Ben Laurie wrote:
> > I believe Brands credentials are considerably more computationally
> > efficient and more general/flexible than Camenisch credentials.
> Not sure about more general. Brands does claim they are more efficient,
> though - however, Camenisch/Lysyanskya credentials have been improved
> since they were first thought of, and are also a lot faster if you don't
> insist on academic rigour. I have not yet put them side-by-side, but I
> do have a partial implementation of C/L credentials for OpenSSL and am
> planning a Brands implementation, too.
> > (Re Hal's comment on the patent status of Camenisch credentials, as
> > far as I know patents apply to both systems).
> > 
> > Looks like you can obtain an evaluation copy of U-prove also.
> > 
> > Adam
> > 
> > On Sun, Feb 04, 2007 at 10:34:33AM -0800, "Hal Finney" wrote:
> >> John Gilmore forwards:
> >>>
> >>>
> >>> IBM donates new privacy tool to open-source
> >>>   By  Joris Evers
> >>>   Staff Writer, CNET
> >>>   Published: January 25, 2007, 9:00 PM PST
> >>>
> >>> IBM has developed software designed to let people keep personal  
> >>> information secret when doing business online and donated it to the  
> >>> Higgins open-source project.
> >>>
> >>>   The software, called "Identity Mixer," was developed by IBM  
> >>> researchers. The idea is that people provide encrypted digital  
> >>> credentials issued by trusted parties like a bank or government agency  
> >>> when transacting online, instead of sharing credit card or other  
> >>> details in plain text, Anthony Nadalin, IBM's chief security architect,  
> >>> said in an interview.
> >>> ...
> >> I just wanted to note that the idemix software implements what we
> >> sometimes call Camenisch credentials.  This is a very advanced credential
> >> system based on zero knowledge and group signatures.  The basic idea is
> >> that you get a credential on one pseudonym and can show it on another
> >> pseudonym, unlinkably.  More advanced formulations also allow for
> >> credential revocation.  I don't know the specifics of what this software
> >> implements, and I'm also unclear about the patent status of some of the
> >> more sophisticated aspects, but I'm looking forward to being able to
> >> experiment with this technology.
> >>
> >> Hal Finney
> >>
> >> ---------------------------------------------------------------------
> >> The Cryptography Mailing List
> >> Unsubscribe by sending "unsubscribe cryptography" to majordomo at
> > 
> > ---------------------------------------------------------------------
> > The Cryptography Mailing List
> > Unsubscribe by sending "unsubscribe cryptography" to majordomo at
> > 
> > 
> -- 
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list