Adam Back wrote: > On Tue, Apr 04, 2006 at 06:15:48AM +0100, Ben Laurie wrote: >>> This illustrates a problem with multi-show credentials, that the holder >>> could share his credential freely, and in some cases even publish it, >>> and this would allow non-authorized parties to use it. To avoid this, >>> more complicated techniques are needed that provide for the ability >>> to revoke a credential or blacklist a credential holder, even in an >>> environment of unlinkability. Camenisch and Lysyanskaya have done quite >>> a bit of work along these lines, for example in >>> http://www.zurich.ibm.com/%7Ejca/papers/camlys02b.pdf . >> So, for the record, has Brands. >> >> I agree that, in general, this is a problem with multi-show credentials >> (though I have to say that using a completely different system to >> illustrate it seems to me to be cheating somewhat). >> >> Brands actually has a neat solution to this where the credential is >> unlinkable for n shows, but on the (n+1)th show reveals some secret >> information (n is usually set to 1 but doesn't have to be). > > I think they shows are linkable, but if you show more than allowed > times, all of the attributes are leaked, including the credential > secret key and potentially some identifying information like your > credit card number, your address etc.
I could be wrong, but I'm pretty sure they're unlinkable - that's part of the point of Brands' certificates. > The main use I think is to have 1-show, where if you show more than 1 > time your identity is leaked -- for offline electronic cash with fraud > tracing. But as you say the mechanism generalizes to multiple show. > >> This obviously gives a disincentive against sharing if the secret >> information is well chosen (such as "here's where to go to arrest >> the guy"). > > Well the other kind of disincentive was a credit card number. My > suggestion was to use a large denomination ecash coin to have > anonymous disincentives :) ie you get fined, but you are not > identified. The problem with that disincentive is that I need to sink the money for each certificate I have. Clearly this doesn't scale at all well. Cheers, Ben. -- http://www.links.org/ --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
