On Wed, Apr 19, 2006 at 11:53:18AM -0700, bear wrote:
> On Sat, 8 Apr 2006, Ben Laurie wrote:
> >Adam Back wrote:
> >> My suggestion was to use a large denomination ecash coin to have
> >> anonymous disincentives :) ie you get fined, but you are not
> >> identified.
> >
> >The problem with that disincentive is that I need to sink the money for
> >each certificate I have. Clearly this doesn't scale at all well.
>
> Um, if it's anonymous and unlinkable, how many certificates do you
> need? I should think the answer would be "one."

Agreed, it's very nice if we could do this. However all of the
practical schemes are show-linkable.

I looked at the paper that was referenced earlier in the thread about
the Chameleon [1] credentials which are an attempt to add unlinkable
multi-show to Brands credentials.

So aside from the fact that it uses a non-standard assumption that it
is hard to find e^v = a^x + c mod n (for RSA e,n). Apparently
Camenisch's other assumption that it is hard to find e^v = a^x + 1 was
broken... so that's not very comforting to start. (They offer no proof
of this assumption).

Then they use an interactive ZKP in the show which I think will
require say 80 rounds for reasonable security, each round involving
some non-trivial computation.

So it's not that practical compared to Chaum, Brands etc -- it's not very
efficient in time nor communication required for the showing of the
chameleon certs.

Adam

[1] "An Anonymous Credential System and a Privacy-Aware PKI" by Pino
Persiano and Ivan Visconti

I put a copy online here temporarily:

http://www.cypherspace.org/adam/papers/chameleon.pdf
