On Wed, Apr 28, 2004 at 07:54:50PM +0000, Jason Holt wrote:
> Last I heard, Brands started a company called Credentica, which
> seems to only have a placeholder page (although it does have an
> info@ address).
>
> I also heard that his credential system was never implemented,

It was implemented at least twice: once by ECAFE ESPRIT project years
ago, more recently by ZKS before they stopped licensing the patents.

> Anna Lysyanskaya and Jan Camenisch came up with a credential system
> that I hear is based on Brands'. Anna's dissertation is online and
> might give you some clues. They might also have been working on an
> implementation.

I looked at Camenisch protocol briefly a couple of years ago and it is
not based on Brands. It is less efficient computationally, and more
rounds of communication are required if I recall. But one feature that
it does have that Brands doesn't have directly is self-reblindability.
In their protocol it is the credential holder who does the blinding,
rather than the issuer / holder, and the issuer can also re-blind to
get a 2nd unlinkable show.

The way you do this with Brands is to have the CA issue you a new
credential in a re-issuing protocol; Brands re-issuing protocol has the
property that you do not even have to reveal to the CA what attributes
are in the re-issued cert.

On re-showable/re-blindable approach, as with Ernie Brickell's
re-showable credential proposal for Palladium, the converse side of
unlinkable re-showing is that there is no efficient way to revoke
credentials. (If eg the private key is compromised, or the credential
owner violates some associated policy in the Palladium/DRM case).
(Caveat of course I think DRM is an unenforceable idea and the
Schelling point ought to be not to even pretend to do it in software or
hardware, rip-once copy-everywhere *always* wins).

> I came up with a much simpler system that has many similar
> properties to Brands', and even does some things that his doesn't.
> It's much less developed than the other systems, but we did write a
> Java implementation and published a paper at WPES last year about
> it.

Is this the same as described in http://eprint.iacr.org/2002/151/ with
interactive cut-and-choose and large credentials?

There was some discussion of that protocol in:

http://archives.abditum.com/cypherpunks/C-punks20021028/0076.html

Not read the new paper you cite yet.

> Note that most anonymous credential systems are encumbered by
> patents. The implementation for my system is based on the
> Franklin/Boneh IBE which they recently patented, although there's
> another IBE system which may not be encumbered and which should also
> work as a basis for Hidden Credentials.

The problem with Yacobi's scheme (which is based on a composite
modulus variant of DH where you choose n=p.q such that p and q are
relatively smooth so you can do discrete log to setup the public key
for an identity) is that to get desirable security parameters for n (eg
1024 bits) you have to expend huge amounts of resources per identity
public key. So I would say it is not really practical. It is the only
other semi-practical IBE scheme that I am aware of, which is why Boneh
and Franklin's IBE based on the Weil pairing was considered such a
breakthrough.

Adam
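
A toy sketch of the composite-modulus construction described in the last paragraph of the message above, added here as an illustration; it is not code from the thread or from any implementation mentioned in it. The primes, the SHA-256 identity mapping, the squaring step and all function names are assumptions of this sketch, and the parameters are far too small to be secure.

```python
import hashlib
from math import gcd

# Toy parameters constructed for this sketch: p-1 = 2*3*5*7, q-1 = 2*13*17.
P, Q = 211, 443
N = P * Q                              # public modulus n = p.q
SMALL_PRIMES = [2, 3, 5, 7, 13, 17]    # prime factors of lcm(p-1, q-1)
L = 2 * 3 * 5 * 7 * 13 * 17            # order of g mod n, known only to the authority

def is_primitive_root(g, p, factors):
    return all(pow(g, (p - 1) // r, p) != 1 for r in factors)

# Public base: smallest g that generates both Z_p* and Z_q*.
G = next(g for g in range(2, min(P, Q))
         if is_primitive_root(g, P, [2, 3, 5, 7])
         and is_primitive_root(g, Q, [2, 13, 17]))

def public_key(identity):
    """Anyone can compute this from the identity string alone."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % N
    while gcd(h, N) != 1:              # skip non-units (only likely in a toy modulus)
        h += 1
    return pow(h, 2, N)                # squaring places the value in the subgroup <g>

def extract_private_key(pub):
    """Authority only: discrete log of pub to base g via Pohlig-Hellman.

    Feasible because every prime factor of the group order L is small;
    this per-identity computation is the cost that grows with real-size n.
    """
    x, m = 0, 1
    for r in SMALL_PRIMES:
        gr, hr = pow(G, L // r, N), pow(pub, L // r, N)
        xr = next(k for k in range(r) if pow(gr, k, N) == hr)  # log in order-r subgroup
        x += m * ((xr - x) * pow(m, -1, r) % r)                # CRT lift to mod m*r
        m *= r
    return x

def shared_key(my_private, peer_identity):
    """Non-interactive DH: (peer public key)^(my private key) mod n."""
    return pow(public_key(peer_identity), my_private, N)
```
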