Thread: Re: News.com: IBM donates new privacy tool to open-source Higgins
|
|
| Re: News.com: IBM donates new privacy tool to open-source Higgins | United States | 2007-02-04 12:34:33 |
John Gilmore forwards:
> http://news.com.com/IBM+donates+new+privacy+tool+to+open-source/2100-1029_3-6153625.html
>
> IBM donates new privacy tool to open-source
> By Joris Evers
> Staff Writer, CNET News.com
> Published: January 25, 2007, 9:00 PM PST
>
> IBM has developed software designed to let people keep personal
> information secret when doing business online and donated it to the
> Higgins open-source project.
>
> The software, called "Identity Mixer," was developed by IBM
> researchers. The idea is that people provide encrypted digital
> credentials issued by trusted parties like a bank or government agency
> when transacting online, instead of sharing credit card or other
> details in plain text, Anthony Nadalin, IBM's chief security architect,
> said in an interview.
> ...

I just wanted to note that the idemix software implements what we
sometimes call Camenisch credentials. This is a very advanced credential
system based on zero knowledge and group signatures. The basic idea is
that you get a credential on one pseudonym and can show it on another
pseudonym, unlinkably. More advanced formulations also allow for
credential revocation. I don't know the specifics of what this software
implements, and I'm also unclear about the patent status of some of the
more sophisticated aspects, but I'm looking forward to being able to
experiment with this technology.

Hal Finney
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo metzdowd.com
|
|
| see also credentica announcement about U-prove (Re: IBM donates new privacy tool to open-source) | Canada | 2007-02-14 17:35:53 |
Related to this announcement, credentica.com (Stefan Brands' company)
has released "U-Prove", their toolkit & SDK for doing limited-show,
selective disclosure and other aspects of the Brands credentials.

http://www.credentica.com/uprove_sdk.html

(Also on Stefan's blog http://www.idcorner.org/?p=144).

I believe Brands credentials are considerably more computationally
efficient and more general/flexible than Camenisch credentials.

(Re Hal's comment on the patent status of Camenisch credentials, as
far as I know patents apply to both systems).

Looks like you can obtain an evaluation copy of U-prove also.

Adam
|
|
| Re: see also credentica announcement about U-prove (Re: IBM donates new privacy tool to open-source) | United Kingdom | 2007-02-15 12:24:11 |
Adam Back wrote:
> Related to this announcement, credentica.com (Stefan Brands' company)
> has released "U-Prove", their toolkit & SDK for doing limited-show,
> selective disclosure and other aspects of the Brands credentials.
>
> http://www.credentica.com/uprove_sdk.html
>
> (Also on Stefan's blog http://www.idcorner.org/?p=144).
>
> I believe Brands credentials are considerably more computationally
> efficient and more general/flexible than Camenisch credentials.

Not sure about more general. Brands does claim they are more efficient,
though - however, Camenisch/Lysyanskaya credentials have been improved
since they were first thought of, and are also a lot faster if you don't
insist on academic rigour. I have not yet put them side-by-side, but I
do have a partial implementation of C/L credentials for OpenSSL and am
planning a Brands implementation, too.

--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
|
|
| announce: credlib library with brands and chaum credentials (Re: see also credentica announcement ab | Canada | 2007-02-16 10:14:39 |
Hi

I implemented Chaumian and Brands credentials in a credential library
(C code, using OpenSSL). I implemented some of the pre-computation
steps. Have not made any attempt so far to benchmark it. But thought
I could take this opportunity to make it public. I did not try to
optimize so far. One optimization opportunity at algorithm level is
you don't need witness indistinguishability on a single attribute
credential, which saves some of the computations.

http://www.cypherspace.org/credlib/

Ben, if you have a partial implementation of Camenisch credentials,
you could maybe do some comparisons of that against this C
implementation.

(I previously shared a copy with a few list participants).

The Brands credential paper I used as reference (simpler precis than
the thesis as a source):

A Technical Overview of Digital Credentials, Technical Report, February 2002.
http://www.cypherspace.org/credlib/brands-technical.pdf

could be useful as a source of quick reference of what modexp, modinv
steps would be involved in issuing, showing etc, for comparison with
Camenisch.

About flexibility and generality I mean Brands has a huge list of
features, like a very efficient observer setting, with cheap
operations suitable for an 8 bit smartcard, limited multi-show (though
linkable, there is an online credential refresh phase if unlinkable is
desired), single show, ability to show formulae, ability to show and
combine formulae across credentials from different issuers etc. And
also prove negatives involving attributes, and related technique for
testing a black list of revoked credentials blindly. I am a bit rusty
about Camenisch, as it's been a few years, but from my recollection it
doesn't do most of these things. Also Brands in the ecash setting
there is a neat technique for making offline respendable coins with
double-spend protection. (I thought I discovered it, but I asked
Stefan, and it's a footnote in the thesis book that I missed, and
turns out it was topic of someone's MSc thesis).

The credlib library so far does unlimited show linkable credentials
(issuing, showing etc) for 0 or more attributes.

The u-prove library does a lot more things, I think, but it's Java and
I'm more of a C person, though Java is interesting in some Java device
and J2EE server settings, and for app portability. I guess I just
like C efficiency.

Adam
|
|
| private credential/ecash thread on slashdot (Re: announce: credlib library with brands and chaum cre | Canada | 2007-02-20 18:40:29 |
Credentica (Stefan Brands ecash/credentials) U-prove library and
open source credlib library implementing the same are on slashdot:

http://yro.slashdot.org/yro/07/02/20/2158240.shtml

Maybe some list readers would like to inject some crypto knowledge
into the discussion.

There is quite some underinformed speculation as critique on the
thread... It's interesting to see people who probably understand SSL,
SMIME and stuff at least at a power user if not programmer level, try
to make logical leaps about what must be wrong or limited about
unlinkable credential schemes. Shows the challenges faced in
deploying this stuff. Can't deploy what people don't understand!

Adam
--
http://www.cypherspace.org/credlib/
|
|
| New digital bearer cash site launched | United States | 2007-02-21 11:28:03 |
With the expiration of Chaum's key patents it was assumed that someone
would step up and try their hand at launching a DBC-based financial
service. Some time has passed and I'm happy to announce that this has
finally happened. Taking a cue from the lively Digital Gold Currencies,
eCache's first denomination is gold backed. Unlike Digicash's instruments,
eCache is using a mixing technique, rather than blinding, to help preserve
unlinkability. Its mint is located on a hidden server in TOR-land. More
information at: https://ffij33ewbnoeqnup.onion.meshmx.com/doc.php

Comments are invited about the technology and governance aspects that such
financial services invoke.

Steve
|
|
| Re: New digital bearer cash site launched | Canada | 2007-02-24 07:58:03 |
I read some of the docs and ecache appears to be based on HMAC
tickets, plus mixes. The problem I see is that you have to trust the
mix. Now the documentation does mention that they anticipate 3rd
party mixes, but still you have to trust those mixes also.

And as we know from mixmaster etc., there are attacks on mixes such as
flooding.

So it seems to me they would achieve much stronger anonymity, using a
blinding based ecash system such as Chaum (patent expired) or Brands.

In this way the anonymity set would be with all of the coins issued
since coin-epoch start, rather than with the mixes used. And there
would be no trust concerns as the blinding protocols don't require
trust in any servers (even the bank and merchant in collusion can't
identify a coin with its withdrawer).

Adam
|
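The blinding argument in the message above can be checked mechanically. The following is an added example, not part of the thread and not code from credlib or eCache: a textbook Chaum RSA blind signature with a constructed toy key and unpadded SHA-256 hashing (both assumptions), showing that every withdrawal the mint logged is consistent with any coin later deposited.

```python
"""Chaum-style RSA blind signatures: what the mint sees vs. what is spent.
Toy key, constructed for illustration; hashing is unpadded SHA-256."""
import hashlib
import secrets
from math import gcd

# Constructed toy mint key built from two Mersenne primes (not a secure size).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # mint's private exponent


def h(serial: bytes) -> int:
    """Hash a coin serial number into Z_N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(serial: bytes):
    """User side: hide h(serial) under a random factor r^E before withdrawal."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return h(serial) * pow(r, E, N) % N, r


def mint_sign(blinded: int) -> int:
    """Mint side: sign whatever it is shown; it never sees the serial."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """User side: strip r to obtain an ordinary signature on h(serial)."""
    return blind_sig * pow(r, -1, N) % N


def verify(serial: bytes, sig: int) -> bool:
    """Merchant or mint: check the coin at deposit time."""
    return pow(sig, E, N) == h(serial)


def explaining_factor(blinded: int, serial: bytes) -> int:
    """Find r such that blinded == h(serial) * r^E (mod N).

    Such an r exists for every (withdrawal, coin) pair, so the withdrawal
    log gives the mint no way to tell which withdrawal produced a coin.
    """
    return pow(blinded * pow(h(serial), -1, N) % N, D, N)


def anonymity_set(withdrawal_log, serial: bytes) -> int:
    """Count logged withdrawals that are consistent with a deposited coin."""
    hits = 0
    for blinded in withdrawal_log:
        r = explaining_factor(blinded, serial)
        hits += (h(serial) * pow(r, E, N) % N == blinded)
    return hits


def withdraw_many(count: int):
    """Run `count` withdrawals; return the coins and the mint's log."""
    coins, log = [], []
    for _ in range(count):
        serial = secrets.token_bytes(16)
        blinded, r = blind(serial)
        log.append(blinded)                       # all the mint records
        coins.append((serial, unblind(mint_sign(blinded), r)))
    return coins, log


if __name__ == "__main__":
    coins, log = withdraw_many(5)
    serial, sig = coins[2]
    print("coin verifies:", verify(serial, sig))
    print("withdrawals consistent with it:", anonymity_set(log, serial), "of", len(log))
```

The count always equals the size of the log, which is the "anonymity set is all coins issued" property; a mix-based design has no equivalent check because linkage depends on what the mix operator retained.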
|
| Re: private credential/ecash thread on slashdot (Re: announce: credlib library with brands and chaum | United States | 2007-02-26 16:25:12 |
At 04:40 PM 2/20/2007, Adam Back wrote:
>There is quite some underinformed speculation as critique on the
>thread... It's interesting to see people who probably understand SSL,
>SMIME and stuff at least at a power user if not programmer level, try
>to make logical leaps about what must be wrong or limited about
>unlinkable credential schemes. Shows the challenges faced in
>deploying this stuff. Can't deploy what people don't understand!

I certainly relate with that. Much of what is widely deployed fits that
category with me. But then, look at how successful fiat money, paper money,
is. That is certainly not understood by most, but it does not have the
problem of lack of deployment. So maybe trust and understanding are not
related with each other and we need to understand this point better.

In actuality, most stuff is not understood. Who understands how their cars
work, or their airplane rides across the country, or their computers,
banks, medical systems and on and on?

I say Adam has a good point, but maybe it's the wrong one.

Steve
|
|
| U-Prove features (Re: announce: credlib library with brands and chaum credentials | Canada | 2007-02-27 10:22:22 |
Adam Back wrote:
> About flexibility and generality I mean Brands has a huge list of
> features, like a very efficient observer setting, with cheap
> operations suitable for an 8 bit smartcard, limited multi-show (though
> linkable, there is an online credential refresh phase if unlinkable is
> desired), single show, ability to show formulae, ability to show and
> combine formulae across credentials from different issuers etc. And
> also prove negatives involving attributes, and related technique for
> testing a black list of revoked credentials blindly.
> [...]
> The u-prove library does a lot more things, I think

It may be difficult to understand what's implemented in U-Prove by
reading the press release and data sheet, so here it is in more
technical terms.

U-Prove implements what we call ID Tokens: a credential with three
attributes. The goal of these credentials is to act, as the name
implies, as identity tokens.

ID Tokens have three fields. The first field contains public token
attributes, which are always disclosed (e.g., an expiry date, token
usage info, semantics of the other fields, etc.). The second field can
contain any data and can be selectively disclosed; not disclosing the
field gives _no_ information about its value to a verifier. The third
field contains data committed by the user at issuance time but unseen by
the issuer (e.g., contact information, an encryption key).

ID Tokens are untraceable and unlinkable among themselves. Care must of
course be taken when encoding data into them. Traceability of the tokens
depends only on the encoded data. Reuse of the same token allows you to
build a pseudonymous relation with a verifier (like a random
username/password).

Presentation of an ID Token results in a user-authenticated transcript
suitable for audit logs. Furthermore, verifiers can censor the
information relative to the disclosure of the selectively-disclosable
token field; auditors do not learn if the user disclosed the second
field and if so, its value.

Each ID Token specifies a unique identifier (hash of the token contents
+ other protocol data). This identifier is not under the control of any
party and is therefore suitable to index user accounts (a rogue issuer
could not generate an ID Token with the same identifier as another token
issued by another issuer).

ID Tokens can be revoked individually by their identifiers (à la X.509).
The SDK offers a more powerful revocation technique. A user can prove
that the value of the second field is not on a blacklist without
disclosing the field's value. By encoding a user identifier in this
field, an issuer could revoke all of a user's unlinkable tokens.

ID Tokens can be issued as one-use. Reuse of such tokens allows an
auditor to compute the token's private key including the attributes. If
identifying data (e.g. an account number) is encoded in the
never-disclosed field, the auditor learning this value can trace the
malicious user. This value can then be blacklisted to prevent the user
from using any of her tokens.

ID Tokens may be protected by a "device" (a smart card, a Trusted
Computing chip, a remote server, etc.) Devices hold part of the token's
private key and must collaborate with the user in the presentation
protocol in order for the token to be usable. The secret in the device
can be shared by an unlimited number of tokens. The device's computation
is very efficient (no modexp at presentation time). Useful to protect
the user against local malware or to enforce the issuer's security policies.

As you mentioned, Brands's credential system has a lot of features. We
did not implement everything for one good reason. This stuff is still
quite esoteric, even for the crypto community, and we wanted the SDK to
be identity-centric, with clear use cases. The SDK abstracts all the
crypto so it should be simple for security developers to use it.

Some use cases documented in the SDK include:
* strong user authentication (privacy-friendly PKI)
* digital signatures
* protecting attribute assertions (e.g., I'm over 18, I live in
  Quebec). Could be integrated in frameworks such as SAML, WS-Trust,
  Liberty ID-WSF
* one-use e-tickets, these may contain attributes (similar to e-coins)

Regards,

- Christian

--
Christian Paquin
Chief Security Engineer Credentica
1010 Sherbrooke West Suite 1800
Montreal, QC, Canada H3A 2R7
Tel: +1 (514) 866.6000
www.credentica.com
|
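The one-use property described in the message above (reuse lets an auditor compute the token's private key, including an account number in the never-disclosed field) follows from the algebra of the showing protocol. The sketch below is an added example, not code from the U-Prove SDK or credlib: a simplified two-generator proof of knowledge in the Brands style, with the issuer's signature and blinding left out and a constructed toy group, so all names and parameters are assumptions.

```python
"""One-use token: two showings with the same commitment leak the private key.
Simplified Brands-style representation proof; toy group, constructed values."""
import hashlib
import secrets

# Constructed toy Schnorr group: P = 2*Q + 1, both prime; G1, G2 have order Q.
# In a real scheme the discrete log between G1 and G2 must be unknown.
P, Q = 2039, 1019
G1, G2 = 4, 9


def commit(e1: int, e2: int) -> int:
    """Return G1^e1 * G2^e2 mod P."""
    return pow(G1, e1, P) * pow(G2, e2, P) % P


def challenge(h: int, a: int, nonce: bytes) -> int:
    """Verifier-specific challenge bound to the token and a fresh nonce."""
    data = f"{h}|{a}|".encode() + nonce
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


class OneUseToken:
    """Token whose private key is (account_id, x2); `a` is fixed at issuance."""

    def __init__(self, account_id: int):
        self.x = (account_id % Q, secrets.randbelow(Q))   # never disclosed
        self.w = (secrets.randbelow(Q), secrets.randbelow(Q))
        self.h = commit(*self.x)     # token public key
        self.a = commit(*self.w)     # one-time commitment baked into the token

    def show(self, nonce: bytes) -> dict:
        """Produce the presentation transcript a verifier would log."""
        c = challenge(self.h, self.a, nonce)
        r = tuple((w + c * x) % Q for w, x in zip(self.w, self.x))
        return {"h": self.h, "a": self.a, "nonce": nonce, "r": r}


def verify(t: dict) -> bool:
    """Check G1^r1 * G2^r2 == a * h^c, i.e. the holder knows the private key."""
    c = challenge(t["h"], t["a"], t["nonce"])
    return commit(*t["r"]) == t["a"] * pow(t["h"], c, P) % P


def audit(t1: dict, t2: dict):
    """Return the private key (x1, x2) if two transcripts reuse one token.

    From r = w + c*x and r' = w + c'*x: x = (r - r') / (c - c') mod Q.
    Returns None for different tokens or for a repeated identical showing.
    """
    if (t1["h"], t1["a"]) != (t2["h"], t2["a"]):
        return None
    c1 = challenge(t1["h"], t1["a"], t1["nonce"])
    c2 = challenge(t2["h"], t2["a"], t2["nonce"])
    if c1 == c2:
        return None
    inv = pow((c1 - c2) % Q, -1, Q)
    return tuple((r1 - r2) * inv % Q for r1, r2 in zip(t1["r"], t2["r"]))


if __name__ == "__main__":
    token = OneUseToken(account_id=777)
    first = token.show(b"verifier-A/session-1")
    second = token.show(b"verifier-B/session-9")
    print("both showings verify:", verify(first), verify(second))
    print("auditor recovers:", audit(first, second))
```

A single transcript gives the auditor one equation in two unknowns per coordinate, so an honest single showing reveals nothing about the account number.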
|