Ben Laurie writes: > It is possible to use blind signatures to produce anonymity-preserving > credentials.... > > It seems to me quite obvious that someone must have thought of this > before - the question is who? Is it IP free?
David Chaum did a great deal of work in this area in the 80s and 90s. He pretty much invented the idea of anonymous credentials. Stefan Brands used slightly different techniques a few years later to create improved versions. More recently, Camenisch and Lysyanskaya have created a number of anonymous credential systems based (roughly) on group signatures. Some work was obstructed by the patent on the Chaum blind signature technique, but that expired last year. I think your basic concept is IP free, but you should review the patents by these researchers to be sure. > Obviously this kind of credential could be quite useful in identity > management. Note, though, that this scheme doesn't give me unlinkability > unless I only show each public/private key pair once. What I really need > is a family of unlinkable public/private key pairs that I can somehow > get signed with a single "family" signature (obviously this would need > to be unlinkably transformed for each member of the key family). There is an operational difficulty with this goal as stated. To demonstrate it, consider a trivial way of achieving the goal. The credential issuer creates a special public/private key pair that is associated with the credential. To everyone who earns the credential, he reveals the private key (which is the same for everyone who has the credential). To show that he holds the credential, the key holder issues a signature using the private key corresponding to the publicly-known credential public key. Now he can show credential ownership as often as desired, without linkability, because all such demonstrations look the same, for all members. This illustrates a problem with multi-show credentials, that the holder could share his credential freely, and in some cases even publish it, and this would allow non-authorized parties to use it. To avoid this, more complicated techniques are needed that provide for the ability to revoke a credential or blacklist a credential holder, even in an environment of unlinkability. Camenisch and Lysyanskaya have done quite a bit of work along these lines, for example in http://www.zurich.ibm.com/%7Ejca/papers/camlys02b.pdf . Hal Finney --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
