Hi I implemented Chaumian and Brands credentials in a credential library (C code, using openSSL). I implemented some of the pre-computation steps. Have not made any attempt so far to benchmark it. But thought I could take this opportunity to make it public. I did not try to optimize so far. One optimization opportunity at algorithm level, is you dont need witness indistinguishability on a single attribute credential, which saves some of the computations.
http://www.cypherspace.org/credlib/ Ben, if you have a partial implementation of Camenisch credentials, you could maybe do some comparisons of that against this C implementation. (I previous shared a copy with a few list participants). The Brands credential paper I used as reference (simpler precis than the thesis as a source): A Technical Overview of Digital Credentials, Technical Report, February 2002. http://www.cypherspace.org/credlib/brands-technical.pdf could be useful as a source of quick reference of whats modexp, modinv steps would be involved in issuing, showing etc, for comparison with Camenisch. About flexibility and generality I mean Brands has a huge list of features, like a very efficient observer setting, with cheap operations suitable for an 8 bit smartcard, limited multi-show (though linkable, there is an online credential refresh phase if unlinkable is desired), single show, ability to show formulae, ability to show and bombine formulae across credentials from different issuers etc. And also prove negatives involving attributes, and related technique for testing a black list of revoked credentials blindly. I am a bit rusty about Camenisch, as its been a few years, but from my recollection it doesnt do most of these things. Also Brands in the ecash setting there is a neat technique for making offline respendable coins with double-spend protection. (I thought I discovered it, but I asked Stefan, and its a foot note in the thesis book that I missed, and turns out it was topic of someone's MSc thesis). The credlib library so far does unlimited show linkable credentials (issuing, showing etc) for 0 or more attributes. The u-prove library does a lot more things, I think, but its java and I'm more of a C person, though java is interesting in some java device and j2ee server settings, and for app portability. I guess I just like C efficiency. Adam On Thu, Feb 15, 2007 at 06:24:11PM +0000, Ben Laurie wrote: > > I believe Brands credentials are considerably more computationally > > efficient and more general/flexible than Camenisch credentials. > > Not sure about more general. Brands does claim they are more efficient, > though - however, Camenisch/Lysyanskya credentials have been improved > since they were first thought of, and are also a lot faster if you don't > insist on academic rigour. I have not yet put them side-by-side, but I > do have a partial implementation of C/L credentials for OpenSSL and am > planning a Brands implementation, too. > > > (Re Hal's comment on the patent status of Camenisch credentials, as > > far as I know patents apply to both systems). > > > > Looks like you can obtain an evaluation copy of U-prove also. > > > > Adam > > > > On Sun, Feb 04, 2007 at 10:34:33AM -0800, "Hal Finney" wrote: > >> John Gilmore forwards: > >>> http://news.com.com/IBM+donates+new+privacy+tool+to+open-source/2100-1029_3-6153625.html > >>> > >>> IBM donates new privacy tool to open-source > >>> By Joris Evers > >>> Staff Writer, CNET News.com > >>> Published: January 25, 2007, 9:00 PM PST > >>> > >>> IBM has developed software designed to let people keep personal > >>> information secret when doing business online and donated it to the > >>> Higgins open-source project. > >>> > >>> The software, called "Identity Mixer," was developed by IBM > >>> researchers. The idea is that people provide encrypted digital > >>> credentials issued by trusted parties like a bank or government agency > >>> when transacting online, instead of sharing credit card or other > >>> details in plain text, Anthony Nadalin, IBM's chief security architect, > >>> said in an interview. > >>> ... > >> I just wanted to note that the idemix software implements what we > >> sometimes call Camenisch credentials. This is a very advanced credential > >> system based on zero knowledge and group signatures. The basic idea is > >> that you get a credential on one pseudonym and can show it on another > >> pseudonym, unlinkably. More advanced formulations also allow for > >> credential revocation. I don't know the specifics of what this software > >> implements, and I'm also unclear about the patent status of some of the > >> more sophisticated aspects, but I'm looking forward to being able to > >> experiment with this technology. > >> > >> Hal Finney > >> > >> --------------------------------------------------------------------- > >> The Cryptography Mailing List > >> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED] > > > > --------------------------------------------------------------------- > > The Cryptography Mailing List > > Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED] > > > > > > > -- > http://www.apache-ssl.org/ben.html http://www.links.org/ > > "There is no limit to what a man can do or how far he can go if he > doesn't mind who gets the credit." - Robert Woodruff > > --------------------------------------------------------------------- > The Cryptography Mailing List > Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED] --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]