Re: Unforgeable Blinded Credentials
Hal Finney wrote:
> Ben Laurie writes:
>> It is possible to use blind signatures to produce anonymity-preserving credentials. It seems to me quite obvious that someone must have thought of this before - the question is who? Is it IP free?
>
> David Chaum did a great deal of work in this area in the 80s and 90s. He pretty much invented the idea of anonymous credentials. Stefan Brands used slightly different techniques a few years later to create improved versions. More recently, Camenisch and Lysyanskaya have created a number of anonymous credential systems based (roughly) on group signatures. Some work was obstructed by the patent on the Chaum blind signature technique, but that expired last year. I think your basic concept is IP free, but you should review the patents by these researchers to be sure.
>
>> Obviously this kind of credential could be quite useful in identity management. Note, though, that this scheme doesn't give me unlinkability unless I only show each public/private key pair once. What I really need is a family of unlinkable public/private key pairs that I can somehow get signed with a single family signature (obviously this would need to be unlinkably transformed for each member of the key family).
>
> There is an operational difficulty with this goal as stated. To demonstrate it, consider a trivial way of achieving the goal. The credential issuer creates a special public/private key pair that is associated with the credential. To everyone who earns the credential, he reveals the private key (which is the same for everyone who has the credential). To show that he holds the credential, the key holder issues a signature using the private key corresponding to the publicly-known credential public key. Now he can show credential ownership as often as desired, without linkability, because all such demonstrations look the same, for all members.
>
> This illustrates a problem with multi-show credentials, that the holder could share his credential freely, and in some cases even publish it, and this would allow non-authorized parties to use it. To avoid this, more complicated techniques are needed that provide for the ability to revoke a credential or blacklist a credential holder, even in an environment of unlinkability. Camenisch and Lysyanskaya have done quite a bit of work along these lines, for example in http://www.zurich.ibm.com/%7Ejca/papers/camlys02b.pdf .

So, for the record, has Brands.

I agree that, in general, this is a problem with multi-show credentials (though I have to say that using a completely different system to illustrate it seems to me to be cheating somewhat).

Brands actually has a neat solution to this where the credential is unlinkable for n shows, but on the (n+1)th show reveals some secret information (n is usually set to 1 but doesn't have to be). This obviously gives a disincentive against sharing if the secret information is well chosen (such as "here's where to go to arrest the guy").

Hohenberger presented a system (at Eurocrypt 2004? 2005?) where the (n+1)th show makes all the shows linkable, which is even neater, IMO, but is based on rocket science :-)

All this goes way beyond the scope of my original question, but I have to confess is necessary to make what I outlined useful.

Cheers,

Ben.

-- 
http://www.links.org/

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Unforgeable Blinded Credentials
Apu Kapadia wrote:
> I came across the same problem a couple of years ago (and indeed iterated through private/public key solutions with a colleague). The problem is that you can still give your private key to somebody else. There's no real deterrent unless that private key is used for many other purposes, thereby discouraging sharing. But if that's the case, there's no real anonymity anymore, since the private key is tied to the person's identity.
>
> I found that Chameleon Certificates had nice properties. You have a master certificate that lists all your attributes. For authentication, you generate an unlinkable slave certificate with any subset of attributes. You have to possess the master certificate at time of use to generate the slave certificate, so you can't pass a slave certificate to a friend for later use. Then you just need to ensure that the master certificate includes personal details like credit card number, SSN, etc. to deter sharing of master certificates. Note that the slave certificates won't have this information, so this personal information is safe as long as the master certificate is not leaked. Since sharing an attribute amounts to sharing all your attributes, including personal information, this property serves as a good deterrent.
>
> Maybe somebody else can comment on the technical viability + crypto details of the paper.
>
> P. Persiano and I. Visconti. An Anonymous Credential System and a Privacy-Aware PKI. In Information Security and Privacy, 8th Australasian Conference, ACISP 2003, volume 2727 of Lecture Notes in Computer Science. Springer Verlag, 2003.
> http://springerlink.metapress.com/openurl.asp?genre=article&issn=0302-9743&volume=2727&spage=27
>
> Here's the abstract:
>
> In this paper we present a non-transferable anonymous credential system that is based on the concept of a chameleon certificate. A chameleon certificate is a special certificate that enjoys two interesting properties. Firstly, the owner can choose which attributes of the certificate to disclose. Moreover, a chameleon certificate is multi-show in the sense that several uses of the same chameleon certificate by the same user cannot be linked together. We adopt the framework of Brands [2] and our construction improves the results of Camenisch et al. [5] and Verheul [16] since it allows the owner of a certificate to prove general statements on the attributes encoded in the certificate and our certificates enjoy the multi-show property.

If I have understood your description correctly it seems to me that this is defeated if, rather than sharing the master certificate, the bad guy allows their friend to proxy to them for whatever proofs are required. That way they never have to give up the precious master cert, but the friend's slave certs still work.

Cheers,

Ben.

-- 
http://www.links.org/
Using Bluetooth to locate stealable items
It's a bit like the idea of putting RFID tags in cash to let muggers know who to target:

http://www.cambridge-news.co.uk/news/region_wide/2005/08/17/06967453-8002-45f8-b520-66b9bed6f29f.lpf

> MOBILE phone technology is being used by thieves to seek out and steal laptops locked in cars in Cambridgeshire.
>
> [..]
>
> But thieves in Cambridge have cottoned on to an alternative use for the function, using it as a scanner which will let them know if another Bluetooth device is locked in a car boot.
>
> Det Sgt Al Funge, from Cambridge's crime investigation unit, said: "There have been a number of instances of this new technology being used to identify cars which have valuable electronics, including laptops, inside."
>
> [...]

Peter.
Black Hole Encryption
> What happens to the quantum information ingested by a black hole? In 1997, Thorne and Hawking argued that information swallowed by a black hole is forever hidden, despite the fact that these dense objects do emit a peculiar kind of radiation and eventually evaporate. Preskill countered that for quantum mechanics to remain valid, the theory mandates that the information has to be released from the evaporating black hole in some fashion. Although Hawking conceded in 2004, the disagreement between Preskill and Thorne still stands.
>
> Smolin and Oppenheim now find that one of the main assertions made about black holes may be flawed. It is often assumed that as the black hole evaporates, all of the information gets stored in the remnant until the very end, at which point the information is either released or else disappears forever. Instead, Smolin and Oppenheim suggest that the information is distributed among the quanta that escape during evaporation, but is encrypted and thus effectively locked away. The catch is that it can only be accessed with the help of the quanta released when the black hole disappears, in much the same way as a cryptographic key unlocks a coded message. The result offers a link between general relativity and quantum cryptography. DV
>
> Phys. Rev. Lett. 96, 081302 (2006).
Re: Unforgeable Blinded Credentials
On Tue, Apr 04, 2006 at 06:15:48AM +0100, Ben Laurie wrote:
>> This illustrates a problem with multi-show credentials, that the holder could share his credential freely, and in some cases even publish it, and this would allow non-authorized parties to use it. To avoid this, more complicated techniques are needed that provide for the ability to revoke a credential or blacklist a credential holder, even in an environment of unlinkability. Camenisch and Lysyanskaya have done quite a bit of work along these lines, for example in http://www.zurich.ibm.com/%7Ejca/papers/camlys02b.pdf .
>
> So, for the record, has Brands.
>
> I agree that, in general, this is a problem with multi-show credentials (though I have to say that using a completely different system to illustrate it seems to me to be cheating somewhat).
>
> Brands actually has a neat solution to this where the credential is unlinkable for n shows, but on the (n+1)th show reveals some secret information (n is usually set to 1 but doesn't have to be).

I think the shows are linkable, but if you show more than allowed times, all of the attributes are leaked, including the credential secret key and potentially some identifying information like your credit card number, your address etc. The main use I think is to have 1-show, where if you show more than 1 time your identity is leaked -- for offline electronic cash with fraud tracing. But as you say the mechanism generalizes to multiple show.

> This obviously gives a disincentive against sharing if the secret information is well chosen (such as "here's where to go to arrest the guy").

Well the other kind of disincentive was a credit card number. My suggestion was to use a large denomination ecash coin to have anonymous disincentives :) ie you get fined, but you are not identified.

Adam
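Ben's summary of Brands' limited-show credentials (unlinkable for n shows, with the (n+1)th show leaking a chosen secret) and Adam's point that the leaked material can be identifying data or a large ecash coin both describe one underlying mechanism. The Python below is an added illustration of that mechanism, not code from this thread or from Brands' papers: the holder's secret is the constant term of a degree-n polynomial over a prime field, every show answers a verifier's random challenge with one point on the polynomial, n points are consistent with every possible secret, and n+1 distinct points determine it by interpolation. The certificate, blind-signature and proof-of-knowledge layers that bind the holder to honest evaluation in a real scheme are left out; the field modulus, class and function names and the sample secret are my own choices.

```python
"""Limited-show credential disincentive, illustrated with a hidden polynomial.

Constructed example.  A real limited-show scheme commits to the polynomial
inside a signed certificate and proves each response honest; this toy only
shows the arithmetic of why n shows reveal nothing and n+1 reveal the secret.
"""
import secrets

P = 2**127 - 1  # prime field modulus (a Mersenne prime); constructed choice


class LimitedShowCredential:
    """Holder-side state: a degree-n polynomial f with f(0) = embedded secret.

    Each show discloses one point (challenge, f(challenge)).  With n points
    every value of f(0) is equally consistent; n+1 points pin it down.
    """

    def __init__(self, secret: int, n: int):
        self.n = n
        # coeffs[0] is the material the holder does not want exposed (identity
        # data, or the value of a large ecash coin); the other n coefficients
        # are fresh random field elements that mask it for the first n shows.
        self.coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(n)]

    def show(self, challenge: int) -> int:
        """Answer one showing: return f(challenge) mod P."""
        if not 1 <= challenge < P:
            raise ValueError("challenge must be a non-zero field element")
        acc = 0
        for c in reversed(self.coeffs):  # Horner's rule
            acc = (acc * challenge + c) % P
        return acc


def verifier_challenge() -> int:
    """Fresh random non-zero challenge; a zero challenge would ask for f(0)."""
    return 1 + secrets.randbelow(P - 1)


def run_shows(cred: LimitedShowCredential, k: int):
    """Perform k showings and return the verifier-visible transcripts (x, f(x))."""
    transcripts = []
    for _ in range(k):
        x = verifier_challenge()
        transcripts.append((x, cred.show(x)))
    return transcripts


def recover_secret(transcripts, n: int):
    """Interpolate f(0) from transcripts of an n-show credential.

    Returns the embedded secret once n+1 distinct points are known, and None
    while fewer are known (the points then constrain f(0) not at all).
    """
    pts = dict(transcripts)  # repeated challenges carry no new information
    if len(pts) < n + 1:
        return None
    xs = list(pts)[: n + 1]
    secret = 0
    for i, xi in enumerate(xs):
        # Lagrange basis polynomial L_i evaluated at 0:
        #   prod_{j != i} (0 - x_j) / (x_i - x_j) = prod_{j != i} x_j / (x_j - x_i)
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * xj % P
                den = den * (xj - xi) % P
        secret = (secret + pts[xi] * num * pow(den, -1, P)) % P
    return secret


if __name__ == "__main__":
    SECRET = 1234567  # constructed stand-in for a coin value or identifier
    cred = LimitedShowCredential(SECRET, n=2)
    two = run_shows(cred, 2)
    print("after 2 shows:", recover_secret(two, 2))          # None
    three = run_shows(cred, 3)
    print("after 3 shows:", recover_secret(three, 2))        # 1234567
```

Because the challenges are chosen by the verifiers, the holder cannot steer which points are disclosed, and transcripts collected by different verifiers can be pooled: the tracing party only needs any n+1 of them. In a deployed scheme the verifier additionally checks each response against the signed commitment, which is what stops a dishonest holder from returning a point on some other polynomial.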
Re: Unforgeable Blinded Credentials
Ben Laurie writes:
> If I have understood your description correctly it seems to me that this is defeated if, rather than sharing the master certificate, the bad guy allows their friend to proxy to them for whatever proofs are required. That way they never have to give up the precious master cert, but the friend's slave certs still work.

That's a good point, proxies are another way to get around limitations on credential sharing.

Attempts to embed sensitive secrets in credentials don't work because there are no sensitive secrets today. You could use credit card numbers or government ID numbers (like US SSN) but in practice such numbers are widely available to the black hat community. Someone getting a credential using a stolen identifier won't be deterred from sharing it, if the only deterrence is fear of the identifier becoming public.

Blacklisting seems to me to be the only good solution, and in fact it is the one proposed for the only proposed deployment of this technology I am aware of, Direct Anonymous Attestation proposed for the Trusted Computing group, http://www.zurich.ibm.com/security/daa/ . This is based on the CL signatures I referenced earlier. Trusted Computing systems have a credential which they are supposed to show to prove they are legit. But if these showing instances are linkable it is a privacy violation. (In practice IP address is normally going to provide just as much linkability, so for the most part this is all political posturing IMO, but in principle this would let you authenticate over TOR and retain your privacy.) DAA provides optionally unlinkable credential showing and relies on blacklisting to counter credential sharing. Actually the credentialed keys are supposed to be protected by hardware, so this is a second layer of defense in case someone figures out how to extract them from the chips.

I'm skeptical that this will actually go forward; we are all familiar with the arguments against Trusted Computing proposals. But it is still of theoretical interest as a case study for unlinkable credentials which might actually be fielded in the near future.

Hal Finney