On Wed, Apr 19, 2006 at 11:53:18AM -0700, bear wrote:
> On Sat, 8 Apr 2006, Ben Laurie wrote:
> >Adam Back wrote:
> >> My suggestion was to use a large denomination ecash coin to have
> >> anonymous disincentives ie you get fined, but you are not
> >> identified.
> >
> >The problem with that disincentive is that I need to sink the money for
> >each certificate I have. Clearly this doesn't scale at all well.
>
> Um, if it's anonymous and unlinkable, how many certificates do you
> need? I should think the answer would be "one."

Agreed, it's very nice if we could do this. However all of the
practical schemes are show-linkable.

I looked at the paper that was referenced earlier in the thread about
the Chameleon [1] credentials which are an attempt to add unlinkable
multi-show to Brands credentials.

So aside from the fact that it uses a non-standard assumption that it
is hard to find e^v = a^x + c mod n (for RSA e,n). Apparently
Camenisch's other assumption that it is hard to find e^v = a^x +1 was
broken... so that's not very comforting to start. (They offer no proof
of this assumption).

Then they use an interactive ZKP in the show which I think will
require say 80 rounds for reasonable security, each round involving
some non-trivial computation.

So it's not that practical compared to Chaum, Brands etc -- it's not
very efficient in time nor communication required for the showing of
the chameleon certs.

Adam

[1] "An Anonymous Credential System and a Privacy-Aware PKI" by Pino
Persiano and Ivan Visconti

I put a copy online here temporarily:

http://www.cypherspace.org/adam/papers/chameleon.pdf