Re: Unforgeable Blinded Credentials
On Sat, Apr 08, 2006 at 07:53:37PM +0100, Ben Laurie wrote: > Adam Back wrote: > > [about Brands credentials] > > I think they shows are linkable, but if you show more than allowed > > times, all of the attributes are leaked, including the credential > > secret key and potentially some identifying information like your > > credit card number, your address etc. > > I could be wrong, but I'm pretty sure they're unlinkable - that's part > of the point of Brands' certificates. No they are definitely mutually linkable (pseudonymous), tho obviously not linkable to the real identity at the issuer. > Christian Paquin wrote: > > In Brands' system, multiple uses of a n-show credential are not linkable > > to the issuing (i.e. they are untraceable), but they are indeed linkable > > if presented to the same party: the verifier will recognize the > > credential when re-used. This is useful for limited pseudonymous access > > to accounts or resources. If you want showing unlinkability, better get > > n one-show credentials (simpler and more efficient). > > That's only true if the credential contains any unblinded unique data, > surely? No. It arises because the credential public key is necessarily shown during a show. (The credential public key is blinded during credential issue so its not linkable to issue). So you can link across shows simply by comparing the credential public key. Its hard to blind the public key also. I thought thats what you were talking about in a previous mail where you were saying about what could be done to make things unlinkable. (Or maybe trying to find the same property you thought Brands had ie unlinkable multi-show, for Chaums credentials.) Note with Brands credentials you can choose: unlimited show, 1-show or n-show. To do 1-show or n-show you make some formula for initial witness that is fair and verifiable by the verifier, so there are only n allowed IWs, and consequently if you reuse one it leaks two shows with the same IW which allows the credential private key to be recovered. ie its just a trick to define a limited number of allowed (and verifier verified) IWs -- IW is a sort of commitment by the credential owner in the show protocol. So there is something compact that the verifier can send somewhere and it can then collate them and notice when a show is > n shows (presuming there are multiple verifiers and you want to impose n shows across all of them). > Adam Back wrote: > > Well the other kind of disincentive was a credit card number. My > > suggestion was to use a large denomination ecash coin to have > > anonymous disincentives :) ie you get fined, but you are not > > identified. > > The problem with that disincentive is that I need to sink the money for > each certificate I have. Clearly this doesn't scale at all well. No I mean put the same high value ecash coin in all of your offline limited show credentials / offline ecash coins. eg say you can choose to hand over $100 and retain your anonymity even in event of double-spending offline ecash coins, or over-using limited-show credentials. I was curious about the Chameleon credential as they claim to work with Brands credentials, I wrote to one of the authors to see if I could get an electronic copy, but no reply so far. Note also about your earlier comments on lending deterrence, ultimately I think you can always do online lending. Adam - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Unforgeable Blinded Credentials
Christian Paquin wrote: > Adam Back wrote: >> On Tue, Apr 04, 2006 at 06:15:48AM +0100, Ben Laurie wrote: >>> Brands actually has a neat solution to this where the credential is >>> unlinkable for n shows, but on the (n+1)th show reveals some secret >>> information (n is usually set to 1 but doesn't have to be). >> >> I think they shows are linkable, but if you show more than allowed >> times, all of the attributes are leaked, including the credential >> secret key and potentially some identifying information like your >> credit card number, your address etc. > > In Brands' system, multiple uses of a n-show credential are not linkable > to the issuing (i.e. they are untraceable), but they are indeed linkable > if presented to the same party: the verifier will recognize the > credential when re-used. This is useful for limited pseudonymous access > to accounts or resources. If you want showing unlinkability, better get > n one-show credentials (simpler and more efficient). That's only true if the credential contains any unblinded unique data, surely? Cheers, Ben. -- http://www.links.org/ - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Unforgeable Blinded Credentials
Adam Back wrote: > On Tue, Apr 04, 2006 at 06:15:48AM +0100, Ben Laurie wrote: >>> This illustrates a problem with multi-show credentials, that the holder >>> could share his credential freely, and in some cases even publish it, >>> and this would allow non-authorized parties to use it. To avoid this, >>> more complicated techniques are needed that provide for the ability >>> to revoke a credential or blacklist a credential holder, even in an >>> environment of unlinkability. Camenisch and Lysyanskaya have done quite >>> a bit of work along these lines, for example in >>> http://www.zurich.ibm.com/%7Ejca/papers/camlys02b.pdf . >> So, for the record, has Brands. >> >> I agree that, in general, this is a problem with multi-show credentials >> (though I have to say that using a completely different system to >> illustrate it seems to me to be cheating somewhat). >> >> Brands actually has a neat solution to this where the credential is >> unlinkable for n shows, but on the (n+1)th show reveals some secret >> information (n is usually set to 1 but doesn't have to be). > > I think they shows are linkable, but if you show more than allowed > times, all of the attributes are leaked, including the credential > secret key and potentially some identifying information like your > credit card number, your address etc. I could be wrong, but I'm pretty sure they're unlinkable - that's part of the point of Brands' certificates. > The main use I think is to have 1-show, where if you show more than 1 > time your identity is leaked -- for offline electronic cash with fraud > tracing. But as you say the mechanism generalizes to multiple show. > >> This obviously gives a disincentive against sharing if the secret >> information is well chosen (such as "here's where to go to arrest >> the guy"). > > Well the other kind of disincentive was a credit card number. My > suggestion was to use a large denomination ecash coin to have > anonymous disincentives :) ie you get fined, but you are not > identified. The problem with that disincentive is that I need to sink the money for each certificate I have. Clearly this doesn't scale at all well. Cheers, Ben. -- http://www.links.org/ - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
wiretapping in Europe
There's a long AP wire story on wiretapping in Europe; see http://www.washingtonpost.com/wp-dyn/content/article/2006/04/08/AR2006040800529.html There are a number of intriguing statements in the article. For example, in Italy 106,000 wiretaps were approved last year. By contrast, in the US there were only about about 1,700 wiretaps in 2004. (That number does not include Foreign Intelligence Surveillance Act wiretaps. It is also unclear to me if the Italian number represents calls tapped, as opposed to "court orders issued", which is what the US number represents.) Italian prosecutors strongly defend the need for wiretaps, but called the recent warrantless NSA wiretaps "illegal under our judicial traditions". A study at the Max Planck Institute said that Italy, followed by the Netherlands, does the most wiretapping. One of the authors said: wiretaps are much more common on the European continent than in Britain or the United States, where he said there is a more "institutionalized mistrust in the relationship between civil society and a state-organized judiciary." He said research showed that wiretaps are often used to support weak cases and seldom help to achieve a guilty verdict. "The more wiretaps are used, the lower the conviction rates," he said. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Creativity and security
Anne & Lynn Wheeler wrote: the trivial case from nearly 10 years ago was the waiter in nyc restaurant (something sticks in my mind it was the Brazilian restaurant just off times sq) that had pda and small magstripe reader pined to the inside of their jacket. At some opportunity, they would causally pass the card down the inside of their lapel (doesn't even really have to disappear anyplace). This was before wireless and 801.11 ... so the magstripe images would accumulate in the pda until the waiter took a break ... and then they would be uploaded to a PC and then to the internet (hong kong was used as example) ... counterfeit cards would be on the street (opposite side of the world), still within a few hours at most. supposedly new? iPod used to store data in identity theft http://news.com.com/2061-10789_3-6059128.html from above .. April 7, 2006 4:55 PM PDT A 35-year-old identity theft suspect may have taken Apple Computer's mandate, "Think Different," a little too far. ... snip ... above article references: Beware the 'pod slurping' employee http://news.com.com/Beware+the+pod+slurping+employee/2100-1029_3-6039926.html?tag=nl ... from above Published: February 15, 2006, 10:29 AM PST A U.S. security expert who devised an application that can fill an iPod with business-critical data in a matter of minutes is urging companies to address the very real threat of data theft. ... snip and some conjecture about a possible MITM-attack ... using counterfeit card in conjunction with PDA wireless internet connection to a lost/stolen valid card at some remote location. http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - Chip&Pin http://www.garlic.com/~lynn/aadsm22.htm#29 Mecccano Trojans coming to a desktop near you This is scenario where a card may be authenticated separately from its actual operation. The hypothetical MITM-attack is against a terminal's willingness to agree with the business rules in a valid card used for offline transactions. Since the attack is against the offline transaction business rules in a valid card, it may not even be necessary to obtain a lost/stolen valid card ... it may just be just necessary to obtain any valid card (say thru valid application using false information) ... the MITM counterfeit card uses any valid card for the authentication exchange ... and then proceeds with the rest of the transaction using its own business rules. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: is breaking RSA at least as hard as factoring or vice-versa?
Yet another paper on the topic: Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring by Jean-Sebastien Coron and Alexander May http://eprint.iacr.org/2004/208 Max - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
