Hal Finney wrote:
> Ben Laurie writes:
>> It is possible to use blind signatures to produce anonymity-preserving
>> credentials....
>>
>> It seems to me quite obvious that someone must have thought of this
>> before - the question is who? Is it IP free?
>
> David Chaum did a great deal of work in this area in the 80s and 90s.
> He pretty much invented the idea of anonymous credentials. Stefan Brands
> used slightly different techniques a few years later to create improved
> versions. More recently, Camenisch and Lysyanskaya have created a number
> of anonymous credential systems based (roughly) on group signatures.
> Some work was obstructed by the patent on the Chaum blind signature
> technique, but that expired last year. I think your basic concept is IP
> free, but you should review the patents by these researchers to be sure.
>
>
>> Obviously this kind of credential could be quite useful in identity
>> management. Note, though, that this scheme doesn't give me unlinkability
>> unless I only show each public/private key pair once. What I really need
>> is a family of unlinkable public/private key pairs that I can somehow
>> get signed with a single "family" signature (obviously this would need
>> to be unlinkably transformed for each member of the key family).
>
> There is an operational difficulty with this goal as stated.
> To demonstrate it, consider a trivial way of achieving the goal.
> The credential issuer creates a special public/private key pair that is
> associated with the credential. To everyone who earns the credential,
> he reveals the private key (which is the same for everyone who has the
> credential). To show that he holds the credential, the key holder issues
> a signature using the private key corresponding to the publicly-known
> credential public key. Now he can show credential ownership as often
> as desired, without linkability, because all such demonstrations look
> the same, for all members.
>
> This illustrates a problem with multi-show credentials, that the holder
> could share his credential freely, and in some cases even publish it,
> and this would allow non-authorized parties to use it. To avoid this,
> more complicated techniques are needed that provide for the ability
> to revoke a credential or blacklist a credential holder, even in an
> environment of unlinkability. Camenisch and Lysyanskaya have done quite
> a bit of work along these lines, for example in
> http://www.zurich.ibm.com/%7Ejca/papers/camlys02b.pdf .
So, for the record, has Brands. I agree that, in general, this is a problem with multi-show credentials (though I have to say that using a completely different system to illustrate it seems to me to be cheating somewhat). Brands actually has a neat solution to this where the credential is unlinkable for n shows, but on the (n+1)th show reveals some secret information (n is usually set to 1 but doesn't have to be). This obviously gives a disincentive against sharing if the secret information is well chosen (such as "here's where to go to arrest the guy"). Hohenberger presented a system (at Eurocrypt 2004? 2005?) where the (n+1)th show makes all the shows linkable, which is even neater, IMO, but is based on rocket science :-)

All this goes way beyond the scope of my original question, but I have to confess is necessary to make what I outlined useful.

Cheers,

Ben.

-- 
http://www.links.org/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
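The "unlinkable for n shows, leaks a secret on the (n+1)th" property that Ben attributes to Brands is, at its core, a threshold secret-sharing trick: the holder carries a hidden degree-n polynomial f whose constant term f(0) is the escrowed secret, and every show answers one verifier challenge c with f(c). Any n transcripts are consistent with every possible secret; n+1 transcripts under distinct challenges determine f and therefore f(0). The block below is an added toy model of that property written for this page; it is not code from the thread or from Brands' papers, it does not implement his actual credential protocol, and it assumes a Mersenne prime field, constructed challenge values and the function names shown. It deliberately omits the binding that makes the real scheme sound (the holder's responses are tied to the issuer's signature on a commitment to the coefficients, so the holder cannot answer with some other polynomial); here an honest holder is assumed.

```python
"""Toy model of an n-show credential whose escrowed secret leaks on the
(n+1)-th show.  Added illustration, not code from the thread or from
Brands' papers: it models only the threshold-reveal piece, using
polynomial secret sharing over a prime field, and assumes an honest holder."""
import secrets

# Assumption: a Mersenne prime keeps the arithmetic readable.  A real scheme
# works in a group of cryptographic size and binds each response to the
# issuer's signature, so the holder cannot answer with a different polynomial.
P = 2**61 - 1


def make_credential(identity_secret, n):
    """Holder's hidden polynomial f(x) = s + a_1 x + ... + a_n x^n over GF(P).

    f(0) = s is the escrowed secret (e.g. the holder's identity).  The n random
    coefficients mean n evaluations at distinct nonzero points are consistent
    with every possible s, so n shows reveal nothing about it."""
    return [identity_secret % P] + [secrets.randbelow(P) for _ in range(n)]


def evaluate(coeffs, x):
    """Horner evaluation of the polynomial (coefficients low to high) at x."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def show(coeffs, challenge):
    """One show: the verifier picks a fresh nonzero challenge, the holder
    answers with f(challenge).  The transcript is the pair (challenge, answer)."""
    challenge %= P
    if challenge == 0:
        raise ValueError("challenge 0 would hand over f(0) = s in a single show")
    return (challenge, evaluate(coeffs, challenge))


def polynomial_through(points):
    """Coefficients (low to high) of the unique polynomial of degree < len(points)
    passing through the given points, by Lagrange interpolation over GF(P)."""
    k = len(points)
    result = [0] * k
    for i, (xi, yi) in enumerate(points):
        basis = [1]          # running product prod_{j != i} (x - x_j)
        denom = 1            # running product prod_{j != i} (x_i - x_j)
        for j, (xj, _) in enumerate(points):
            if i == j:
                continue
            nxt = [0] * (len(basis) + 1)
            for d, c in enumerate(basis):
                nxt[d] = (nxt[d] - c * xj) % P
                nxt[d + 1] = (nxt[d + 1] + c) % P
            basis = nxt
            denom = denom * (xi - xj) % P
        scale = yi * pow(denom, P - 2, P) % P   # y_i / denom in GF(P)
        for d, c in enumerate(basis):
            result[d] = (result[d] + c * scale) % P
    return result


def recover_secret(transcripts, n):
    """What the (n+1)-th show costs the holder: n+1 transcripts under distinct
    challenges determine f, and f(0) is the escrowed secret.  Returns None
    while the holder is still within the n-show budget."""
    distinct = dict(transcripts)          # challenge -> answer
    if len(distinct) < n + 1:
        return None
    pts = list(distinct.items())[:n + 1]
    return polynomial_through(pts)[0]


def consistent_credential(transcripts, candidate_secret):
    """Why n shows are unlinkable to an identity: for *any* candidate secret
    there is a degree-n credential with f(0) = candidate that would have
    produced exactly these n transcripts, so they cannot single out the holder."""
    pts = [(0, candidate_secret % P)] + list(transcripts)
    return polynomial_through(pts)


if __name__ == "__main__":
    s, n = 0xDEADBEEF, 2
    cred = make_credential(s, n)
    transcripts = [show(cred, c) for c in (3, 17, 101)]   # constructed challenges
    print("after n shows:   ", recover_secret(transcripts[:n], n))
    print("after n+1 shows: ", hex(recover_secret(transcripts, n)))
    alt = consistent_credential(transcripts[:n], 0xCAFE)
    print("another identity fits the same n transcripts:",
          alt[0] == 0xCAFE and all(evaluate(alt, x) == y for x, y in transcripts[:n]))
```

With n = 1 this is the same mechanism offline e-cash schemes use to expose a double-spender: two responses to two different challenges are two linear equations in the identity. The model also shows why the secret has to be "well chosen", as Ben puts it: the (n+1)-th show only hands the verifiers f(0), and the disincentive comes entirely from what f(0) is. Note that this toy does nothing to stop a holder who lends the credential to someone who simply never exceeds n shows; the threshold punishes over-use, not sharing as such.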