Re: Unforgeable Blinded Credentials

2006-04-04 Thread Ben Laurie
Hal Finney wrote:
 Ben Laurie writes:
 It is possible to use blind signatures to produce anonymity-preserving
 credentials

 It seems to me quite obvious that someone must have thought of this
 before - the question is who? Is it IP free?
 
 David Chaum did a great deal of work in this area in the 80s and 90s.
 He pretty much invented the idea of anonymous credentials.  Stefan Brands
 used slightly different techniques a few years later to create improved
 versions.  More recently, Camenisch and Lysyanskaya have created a number
 of anonymous credential systems based (roughly) on group signatures.
 Some work was obstructed by the patent on the Chaum blind signature
 technique, but that expired last year.  I think your basic concept is IP
 free, but you should review the patents by these researchers to be sure.
 
 
 Obviously this kind of credential could be quite useful in identity
 management. Note, though, that this scheme doesn't give me unlinkability
 unless I only show each public/private key pair once. What I really need
 is a family of unlinkable public/private key pairs that I can somehow
 get signed with a single family signature (obviously this would need
 to be unlinkably transformed for each member of the key family).
 
 There is an operational difficulty with this goal as stated.
 To demonstrate it, consider a trivial way of achieving the goal.
 The credential issuer creates a special public/private key pair that is
 associated with the credential.  To everyone who earns the credential,
 he reveals the private key (which is the same for everyone who has the
 credential).  To show that he holds the credential, the key holder issues
 a signature using the private key corresponding to the publicly-known
 credential public key.  Now he can show credential ownership as often
 as desired, without linkability, because all such demonstrations look
 the same, for all members.
 
 This illustrates a problem with multi-show credentials, that the holder
 could share his credential freely, and in some cases even publish it,
 and this would allow non-authorized parties to use it.  To avoid this,
 more complicated techniques are needed that provide for the ability
 to revoke a credential or blacklist a credential holder, even in an
 environment of unlinkability.  Camenisch and Lysyanskaya have done quite
 a bit of work along these lines, for example in
 http://www.zurich.ibm.com/%7Ejca/papers/camlys02b.pdf .

So, for the record, has Brands.

I agree that, in general, this is a problem with multi-show credentials
(though I have to say that using a completely different system to
illustrate it seems to me to be cheating somewhat).

Brands actually has a neat solution to this where the credential is
unlinkable for n shows, but on the (n+1)th show reveals some secret
information (n is usually set to 1 but doesn't have to be). This
obviously gives a disincentive against sharing if the secret information
is well chosen (such as here's where to go to arrest the guy).

Hohenberger presented a system (at Eurocrypt 2004? 2005?) where the
(n+1)th show makes all the shows linkable, which is even neater, IMO,
but is based on rocket science :-)

All this goes way beyond the scope of my original question, but I have
to confess is necessary to make what I outlined useful.

Cheers,

Ben.

-- 
http://www.links.org/

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Unforgeable Blinded Credentials

2006-04-04 Thread Ben Laurie
Apu Kapadia wrote:
 
 I came across the same problem a couple of years ago (and indeed
 iterated through private/public key solutions with a colleague). The
 problem is that you can still give your private key to somebody else.
 There's no real deterrent unless that private key is used for many other
 purposes, thereby discouraging sharing. But if that's the case, there's
 no real anonymity anymore, since the private key is tied to the person's
 identity.
 
 I found that Chameleon Certificates had nice properties. You have a
 master certificate that lists all your attributes. For authentication,
 you generate an unlinkable slave certificate with any subset of
 attributes. You have to possess the master certificate at time of use to
 generate the slave certificate, so you can't pass a slave certificate to
 a friend for later use. Then you just need to ensure that the master
 certificate includes personal details like credit card number, SSN, etc.
 to deter sharing of master certificates. Note that the slave
 certificates won't have this information, so this personal information
 is safe as long as the master certificate is not leaked. Since sharing
 an attribute amounts to sharing all your attributes, including personal
 information, this property serves as a good deterrent. Maybe somebody
 else can comment on the technical viability + crypto details of the paper.
 
 P. Persiano and I. Visconti. An Anonymous Credential System and a
 Privacy-Aware PKI. In Information Security
 and Privacy, 8th Australasian Conference, ACISP 2003, volume 2727 of
 Lecture Notes in Computer Science. Springer Verlag, 2003.
 http://springerlink.metapress.com/openurl.asp?genre=article&issn=0302-9743&volume=2727&spage=27
 
 
 Here's the abstract:
  In this paper we present a non-transferable anonymous credential system
 that is based on the concept of a chameleon certificate. A chameleon
 certificate is a special certificate that enjoys two interesting
 properties. Firstly, the owner can choose which attributes of the
 certificate to disclose. Moreover, a chameleon certificate is multi-show
 in the sense that several uses of the same chameleon certificate by the
 same user cannot be linked together.
 
 We adopt the framework of Brands [2] and our construction improves the
 results of Camenisch et al. [5] and Verheul [16] since it allows the
 owner of a certificate to prove general statements on the attributes
 encoded in the certificate and our certificates enjoy the multi-show
 property.

If I have understood your description correctly it seems to me that this
is defeated if, rather than sharing the master certificate, the bad guy
allows their friend to proxy to them for whatever proofs are required.
That way they never have to give up the precious master cert, but the
friend's slave certs still work.

Cheers,

Ben.

-- 
http://www.links.org/



Using Bluetooth to locate stealable items

2006-04-04 Thread Peter Gutmann
It's a bit like the idea of putting RFID tags in cash to let muggers know who
to target:

  
http://www.cambridge-news.co.uk/news/region_wide/2005/08/17/06967453-8002-45f8-b520-66b9bed6f29f.lpf

  MOBILE phone technology is being used by thieves to seek out and steal
  laptops locked in cars in Cambridgeshire.

  [..]
  
  But thieves in Cambridge have cottoned on to an alternative use for the
  function, using it as a scanner which will let them know if another
  Bluetooth device is locked in a car boot.

  Det Sgt Al Funge, from Cambridge's crime investigation unit, said: "There
  have been a number of instances of this new technology being used to
  identify cars which have valuable electronics, including laptops, inside."

  [...]

Peter.



Black Hole Encryption

2006-04-04 Thread Steve Schear
What happens to the quantum information ingested by a black hole? In 1997, 
Thorne and Hawking argued that information swallowed by a black hole is 
forever hidden, despite the fact that these dense objects do emit a 
peculiar kind of radiation and eventually evaporate. Preskill countered 
that for quantum mechanics to remain valid, the theory mandates that the 
information has to be released from the evaporating black hole in some 
fashion. Although Hawking conceded in 2004, the disagreement between 
Preskill and Thorne still stands.


Smolin and Oppenheim now find that one of the main assertions made about 
black holes may be flawed. It is often assumed that as the black hole 
evaporates, all of the information gets stored in the remnant until the 
very end, at which point the information is either released or else 
disappears forever. Instead, Smolin and Oppenheim suggest that the 
information is distributed among the quanta that escape during evaporation, 
but is encrypted and thus effectively locked away.


The catch is that it can only be accessed with the help of the quanta 
released when the black hole disappears, in much the same way as a 
cryptographic key unlocks a coded message. The result offers a link between 
general relativity and quantum cryptography. — DV


Phys. Rev. Lett. 96, 081302 (2006).




Re: Unforgeable Blinded Credentials

2006-04-04 Thread Adam Back
On Tue, Apr 04, 2006 at 06:15:48AM +0100, Ben Laurie wrote:
  This illustrates a problem with multi-show credentials, that the holder
  could share his credential freely, and in some cases even publish it,
  and this would allow non-authorized parties to use it.  To avoid this,
  more complicated techniques are needed that provide for the ability
  to revoke a credential or blacklist a credential holder, even in an
  environment of unlinkability.  Camenisch and Lysyanskaya have done quite
  a bit of work along these lines, for example in
  http://www.zurich.ibm.com/%7Ejca/papers/camlys02b.pdf .
 
 So, for the record, has Brands.
 
 I agree that, in general, this is a problem with multi-show credentials
 (though I have to say that using a completely different system to
 illustrate it seems to me to be cheating somewhat).
 
 Brands actually has a neat solution to this where the credential is
 unlinkable for n shows, but on the (n+1)th show reveals some secret
 information (n is usually set to 1 but doesn't have to be). 

I think the shows are linkable, but if you show more than allowed
times, all of the attributes are leaked, including the credential
secret key and potentially some identifying information like your
credit card number, your address etc.

The main use I think is to have 1-show, where if you show more than 1
time your identity is leaked -- for offline electronic cash with fraud
tracing.  But as you say the mechanism generalizes to multiple show.

 This obviously gives a disincentive against sharing if the secret
 information is well chosen (such as here's where to go to arrest
 the guy).

Well the other kind of disincentive was a credit card number.  My
suggestion was to use a large denomination ecash coin to have
anonymous disincentives :) ie you get fined, but you are not
identified.

Adam
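
The n-show mechanism Ben describes (unlinkable for n shows, the (n+1)th show leaks a chosen secret) and the 1-show offline e-cash case Adam mentions share one core: each show is the evaluation of a secret degree-n polynomial whose constant term is the deterrent secret, so n evaluations are consistent with every possible secret while n+1 pin it down. The following is an illustrative example added to this thread, not code from Brands' papers. It keeps only that information-theoretic core and omits the issuer signature and zero-knowledge proof that, in a real scheme, bind the polynomial to the credential so the holder cannot answer with a different polynomial each time; the field modulus and the class and function names are my own choices.

```python
"""
Toy n-show credential.  The holder answers n verifier challenges without
leaking the committed secret s (an identity number, or a large ecash coin
in Adam's anonymous-fine variant); any n+1 transcripts, pooled by whoever
collects them, recover s by Lagrange interpolation.

Illustrative code, not Brands' scheme: there is no issuer signature and no
proof that the responses come from one fixed polynomial.
"""
import secrets

Q = 2**255 - 19  # prime field modulus; assumption: any large prime would do


class Credential:
    def __init__(self, secret: int, n: int):
        if not 0 <= secret < Q:
            raise ValueError("secret must be a field element")
        self.n = n
        # f(x) = s + a_1 x + ... + a_n x^n, so f(0) = s.  The a_i are the
        # per-credential randomness fixed at issuing time.
        self.coeffs = [secret] + [secrets.randbelow(Q) for _ in range(n)]

    def respond(self, challenge: int) -> int:
        """One show: return f(challenge), computed by Horner's rule mod Q."""
        c = challenge % Q
        if c == 0:
            raise ValueError("challenge 0 would reveal s directly")
        acc = 0
        for a in reversed(self.coeffs):
            acc = (acc * c + a) % Q
        return acc


def interpolate_at_zero(points) -> int:
    """Lagrange interpolation over GF(Q), evaluated at x = 0."""
    s = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num = num * xk % Q
                den = den * (xk - xj) % Q
        s = (s + yj * num * pow(den, Q - 2, Q)) % Q
    return s


def extract(transcripts: dict, n: int):
    """Given {challenge: response} pairs, return s once more than n distinct
    challenges were answered, else None: n answers fit every candidate s."""
    if len(transcripts) <= n:
        return None
    return interpolate_at_zero(list(transcripts.items())[: n + 1])


class Verifier:
    """Keeps every transcript it sees; in offline e-cash these are the
    deposits the bank compares later."""

    def __init__(self, n: int):
        self.n = n
        self.transcripts = {}

    def show(self, cred: Credential):
        c = 1 + secrets.randbelow(Q - 1)  # fresh random non-zero challenge
        self.transcripts[c] = cred.respond(c)
        return extract(self.transcripts, self.n)


def merge(*verifiers: Verifier) -> dict:
    """What a bank sees when several verifiers (or friends who borrowed the
    credential) pool their transcripts."""
    pooled = {}
    for v in verifiers:
        pooled.update(v.transcripts)
    return pooled


if __name__ == "__main__":
    IDENTITY = 4242424242          # stands in for the deterrent secret
    coin = Credential(IDENTITY, n=1)   # 1-show: an offline ecash coin
    shop_a, shop_b = Verifier(1), Verifier(1)
    print(shop_a.show(coin))       # first spend: nothing learned
    print(shop_b.show(coin))       # second spend elsewhere: still nothing locally
    print(extract(merge(shop_a, shop_b), 1) == IDENTITY)  # bank pools deposits
```

Note that lending the credential to a friend, or proxying the friend's challenges through to it, consumes the same budget: every response comes from the same polynomial, so the sharing Ben and Adam discuss is exactly what produces the (n+1)th transcript. What the leaked constant term buys you is a policy choice: an identifier gives the "here's where to go to arrest the guy" deterrent, a large coin gives Adam's anonymous fine.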



Re: Unforgeable Blinded Credentials

2006-04-04 Thread Hal Finney
Ben Laurie writes:
 If I have understood your description correctly it seems to me that this
 is defeated if, rather than sharing the master certificate, the bad guy
 allows their friend to proxy to them for whatever proofs are required.
 That way they never have to give up the precious master cert, but the
 friend's slave certs still work.

That's a good point, proxies are another way to get around limitations on
credential sharing.  Attempts to embed sensitive secrets in credentials
don't work because there are no sensitive secrets today.  You could
use credit card numbers or government ID numbers (like US SSN) but in
practice such numbers are widely available to the black hat community.
Someone getting a credential using a stolen identifier won't be deterred
from sharing it, if the only deterrence is fear of the identifier
becoming public.

Blacklisting seems to me to be the only good solution, and in fact it
is the one proposed for the only proposed deployment of this technology
I am aware of, Direct Anonymous Attestation proposed for the Trusted
Computing Group, http://www.zurich.ibm.com/security/daa/ .  This is
based on the CL signatures I referenced earlier.

Trusted Computing systems have a credential which they are supposed
to show to prove they are legit.  But if these showing instances
are linkable it is a privacy violation.  (In practice IP address is
normally going to provide just as much linkability, so for the most
part this is all political posturing IMO, but in principle this would
let you authenticate over TOR and retain your privacy.)  DAA provides
optionally unlinkable credential showing and relies on blacklisting to
counter credential sharing.  Actually the credentialed keys are supposed
to be protected by hardware, so this is a second layer of defense in
case someone figures out how to extract them from the chips.

I'm skeptical that this will actually go forward; we are all familiar
with the arguments against Trusted Computing proposals.  But it is still
of theoretical interest as a case study for unlinkable credentials which
might actually be fielded in the near future.

Hal Finney
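
The "blacklisting in an environment of unlinkability" Hal points to rests on the pseudonym tag in DAA (Brickell, Camenisch and Chen, 2004): the verifier names a basename, the platform returns a tag computed from its secret f and that basename, and a verifier holding extracted secrets can recompute what their tags would be without learning anything about honest platforms. The sketch below is an illustrative example added to this thread, not the DAA protocol itself: the CL signature on f and the zero-knowledge proof that the tag was formed from a certified f are omitted, and the group (quadratic residues mod 2^255 - 19) and all names are my own stand-ins for the prime-order group a real deployment would use.

```python
"""
Rogue-tagging sketch.  A platform holds a secret f; for each show the
verifier chooses a basename bsn, zeta = hash_to_group(bsn), and the
platform answers with the tag N_V = zeta^f.
  - same bsn twice  -> same tag: those shows are linkable by design;
  - fresh random bsn -> tags unrelated under DDH: unlinkable shows;
  - a verifier with extracted secrets f_i computes zeta^f_i for its own
    zeta and rejects a matching tag, in either mode.  Publishing a shared
    credential therefore kills it at every verifier that learns f.

Illustrative code, not DAA: no CL signature and no proof of knowledge of f.
"""
import hashlib
import secrets

P = 2**255 - 19  # toy modulus (assumption); a real scheme uses a prime-order group


def hash_to_group(bsn: bytes) -> int:
    """Map a basename to a quadratic residue mod P.  Squaring keeps zeta in
    the index-2 subgroup so tags do not leak the parity of f via the
    Legendre symbol."""
    h = int.from_bytes(hashlib.sha256(bsn).digest(), "big") % P
    return pow(h, 2, P)


class Platform:
    def __init__(self):
        # credential secret; in DAA it is meant never to leave the TPM
        self.f = 1 + secrets.randbelow(P - 2)

    def tag(self, bsn: bytes) -> int:
        return pow(hash_to_group(bsn), self.f, P)


class Verifier:
    def __init__(self):
        self.rogue_secrets = []  # f values known to have been extracted

    def blacklist(self, f: int) -> None:
        self.rogue_secrets.append(f)

    def check(self, plat: Platform, bsn: bytes = None):
        """Run one show; returns (accepted, tag).  bsn=None selects the
        unlinkable mode with a random per-show basename."""
        if bsn is None:
            bsn = secrets.token_bytes(16)
        zeta = hash_to_group(bsn)
        n_v = plat.tag(bsn)
        for f in self.rogue_secrets:        # one exponentiation per listed rogue
            if pow(zeta, f, P) == n_v:
                return False, n_v
        return True, n_v


def linkable(tag_a: int, tag_b: int) -> bool:
    """For tags made under the same basename: equal iff the same f made them."""
    return tag_a == tag_b


if __name__ == "__main__":
    v = Verifier()
    honest, leaked = Platform(), Platform()
    print(linkable(v.check(honest, b"site.example")[1],
                   v.check(honest, b"site.example")[1]))   # True: named basename
    print(linkable(v.check(honest)[1], v.check(honest)[1]))  # False: random basenames
    v.blacklist(leaked.f)                  # someone extracted and published leaked.f
    print(v.check(leaked)[0], v.check(honest)[0])            # False True
```

The cost of this design is visible in `check`: every show costs the verifier one exponentiation per blacklisted secret, so the rogue list must stay short, and a blacklisted f is rejected even by verifiers using the random-basename mode, which is what makes the list useful as the second layer of defence Hal describes when the hardware protection on f fails.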
