On Sat, Apr 08, 2006 at 07:53:37PM +0100, Ben Laurie wrote:
> Adam Back wrote:
> > [about Brands credentials]
> > I think the shows are linkable, but if you show more than allowed
> > times, all of the attributes are leaked, including the credential
> > secret key and potentially some identifying information like your
> > credit card number, your address etc.
>
> I could be wrong, but I'm pretty sure they're unlinkable - that's part
> of the point of Brands' certificates.

No they are definitely mutually linkable (pseudonymous), tho obviously
not linkable to the real identity at the issuer.

> Christian Paquin wrote:
> > In Brands' system, multiple uses of an n-show credential are not linkable
> > to the issuing (i.e. they are untraceable), but they are indeed linkable
> > if presented to the same party: the verifier will recognize the
> > credential when re-used. This is useful for limited pseudonymous access
> > to accounts or resources. If you want showing unlinkability, better get
> > n one-show credentials (simpler and more efficient).
>
> That's only true if the credential contains any unblinded unique data,
> surely?

No. It arises because the credential public key is necessarily shown
during a show. (The credential public key is blinded during
credential issue so it's not linkable to issue). So you can link across
shows simply by comparing the credential public key.

It's hard to blind the public key also. I thought that's what you were
talking about in a previous mail where you were saying about what
could be done to make things unlinkable. (Or maybe trying to find the
same property you thought Brands had ie unlinkable multi-show, for
Chaum's credentials.)

Note with Brands credentials you can choose: unlimited show, 1-show or
n-show. To do 1-show or n-show you make some formula for initial
witness that is fair and verifiable by the verifier, so there are only
n allowed IWs, and consequently if you reuse one it leaks two shows
with the same IW which allows the credential private key to be
recovered.

ie it's just a trick to define a limited number of allowed (and
verifier verified) IWs -- IW is a sort of commitment by the credential
owner in the show protocol. So there is something compact that the
verifier can send somewhere and it can then collate them and notice
when a show is > n shows (presuming there are multiple verifiers and
you want to impose n shows across all of them).

> Adam Back wrote:
> > Well the other kind of disincentive was a credit card number. My
> > suggestion was to use a large denomination ecash coin to have
> > anonymous disincentives :) ie you get fined, but you are not
> > identified.
>
> The problem with that disincentive is that I need to sink the money for
> each certificate I have. Clearly this doesn't scale at all well.

No I mean put the same high value ecash coin in all of your offline
limited show credentials / offline ecash coins. eg say you can choose
to hand over $100 and retain your anonymity even in event of
double-spending offline ecash coins, or over-using limited-show
credentials.

I was curious about the Chameleon credential as they claim to work
with Brands credentials, I wrote to one of the authors to see if I
could get an electronic copy, but no reply so far.

Note also about your earlier comments on lending deterrence,
ultimately I think you can always do online lending.

Adam

---------------------------------------------------------------------
The Cryptography Mailing List
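
The key leak from a reused initial witness, as an added example that is not part of the original message: a toy two-base Schnorr/Okamoto-style proof of knowledge stands in for the Brands show protocol, which is a simplification. The group parameters, secrets, challenges and all function names are constructed for illustration.

```python
# Toy parameters (constructed for illustration; far too small for real use).
P, Q = 2039, 1019          # P = 2*Q + 1, both prime
G1, G2 = 4, 9              # squares mod P, so both have order Q

def public_key(x1, x2):
    """Credential public key h = G1^x1 * G2^x2 mod P."""
    return pow(G1, x1, P) * pow(G2, x2, P) % P

def show(secrets, witness, challenge):
    """One show: commitment a (the initial witness) and r_i = c*x_i + w_i mod Q."""
    (x1, x2), (w1, w2) = secrets, witness
    a = pow(G1, w1, P) * pow(G2, w2, P) % P
    r = ((challenge * x1 + w1) % Q, (challenge * x2 + w2) % Q)
    return a, r

def verify(h, a, challenge, r):
    """Verifier check: G1^r1 * G2^r2 == a * h^c (mod P)."""
    return pow(G1, r[0], P) * pow(G2, r[1], P) % P == a * pow(h, challenge, P) % P

def recover(c1, r1, c2, r2):
    """Collator: two transcripts with the same a but different challenges
    give x_i = (r1_i - r2_i) / (c1 - c2) mod Q."""
    inv = pow((c1 - c2) % Q, -1, Q)   # modular inverse, Python 3.8+
    return tuple((u - v) * inv % Q for u, v in zip(r1, r2))

def demo():
    secrets = (321, 77)     # constructed: x1 = credential secret, x2 = an attribute
    h = public_key(*secrets)
    witness = (500, 12)     # the single allowed IW of a 1-show credential
    a1, r1 = show(secrets, witness, 101)
    a2, r2 = show(secrets, witness, 640)   # over-show: same IW, new challenge
    assert verify(h, a1, 101, r1) and verify(h, a2, 640, r2)
    assert a1 == a2         # the repeated IW is what the collator matches on
    return recover(101, r1, 640, r2)

if __name__ == "__main__":
    print(demo())
```

Each show verifies on its own; only the pair of transcripts sharing one initial witness gives up the secrets, which is why the verifiers need to forward something compact to a collating party.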