Adam Back wrote:
> On Tue, Apr 04, 2006 at 06:15:48AM +0100, Ben Laurie wrote:
>> Brands actually has a neat solution to this where the credential is
>> unlinkable for n shows, but on the (n+1)th show reveals some secret
>> information (n is usually set to 1 but doesn't have to be).
>
> I think the shows are linkable, but if you show more than allowed
> times, all of the attributes are leaked, including the credential
> secret key and potentially some identifying information like your
> credit card number, your address etc.

In Brands' system, multiple uses of an n-show credential are not linkable to the issuing (i.e. they are untraceable), but they are indeed linkable if presented to the same party: the verifier will recognize the credential when re-used. This is useful for limited pseudonymous access to accounts or resources. If you want showing unlinkability, better get n one-show credentials (simpler and more efficient).

The protection you get, as pointed out by Adam, is that when an n-show credential is presented n+1 times (to the same or different verifiers, as long as the audit data is collected centrally) all attributes drop out (*). In cases where you had to authenticate to get those credentials (paid by credit card to get e-coins, had a "gold" account to get discount coupons, etc.), the issuer usually embeds an invisible and always hidden identifier into the credential so it can recognize you and take application-specific measures against the fraud (revoke your account (**), charge money on your credit card, etc.)

Cheers,

 - Christian

(*) For those who wonder how this works, imagine the credential private key and attributes being the (secret) slope of a line. At every showing, the verifier challenges the user to disclose one (random) point on the line. For a one-use credential, re-using it reveals two points, which is all you need to compute the slope. If it's only used once, it's infeasible for the verifier (even in collusion with the issuer) to figure out which line the point belongs to (and therefore break the untraceability property).

(**) Note that there is also a nice revocation technique where an issuer publishes a blacklist containing the revoked users' "secret" identifiers. When a multi-use fraud is detected and the malicious user's identity drops out, it can be added to the blacklist. Users can prove that the identifier in their credential is not equal to any blacklisted values without revealing it. This can be used, e.g., to effectively revoke a bunch of anonymous and unlinkable e-coins (containing the same secret id) if the owner double-spends any one of them.
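
The line analogy in footnote (*), as an added Python example that is not part of the original message: a toy model in which each secret attribute is the slope of its own line over a prime field, leaving out the commitments and signatures a real credential scheme needs. The modulus, the class and function names, and the sample attribute values are assumptions made up for illustration.

```python
import secrets

# Assumption: a Mersenne prime field stands in for the scheme's group order.
Q = 2**127 - 1


class OneShowCredential:
    """Toy model: attribute i is the slope of the line r = x_i*c + w_i (mod Q)."""

    def __init__(self, attributes):
        self.slopes = [a % Q for a in attributes]
        # Intercepts are fixed once, at issuance; that is what makes a
        # second show land on the same lines as the first.
        self.intercepts = [secrets.randbelow(Q) for _ in attributes]

    def show(self, challenge):
        """Answer a verifier challenge with one point per attribute line."""
        c = challenge % Q
        return c, [(x * c + w) % Q for x, w in zip(self.slopes, self.intercepts)]


def recover_attributes(t1, t2):
    """Two transcripts with different challenges give two points per line."""
    (c1, r1), (c2, r2) = t1, t2
    dc = (c1 - c2) % Q
    if dc == 0:
        return None  # same challenge twice: still only one point per line
    inv = pow(dc, -1, Q)  # modular inverse (Python 3.8+)
    return [((a - b) * inv) % Q for a, b in zip(r1, r2)]


def consistent_intercepts(transcript, guessed_slopes):
    """For one transcript, every guessed slope has a matching intercept,
    so a single point does not single out any line."""
    c, r = transcript
    return [(ri - g * c) % Q for ri, g in zip(r, guessed_slopes)]


if __name__ == "__main__":
    # Constructed sample attributes: a credential key and a hidden identifier.
    cred = OneShowCredential([123456789, 4111111111111111])
    first = cred.show(secrets.randbelow(Q))
    second = cred.show(secrets.randbelow(Q))
    print("one show, guess [42, 7] fits with intercepts:",
          consistent_intercepts(first, [42, 7]))
    print("two shows reveal:", recover_attributes(first, second))
```
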

---------------------------------------------------------------------
The Cryptography Mailing List