[copied to cpunks as cryptography seems to have a multi-week lag these days].

OK, now having read:

http://isrl.cs.byu.edu/HiddenCredentials.html
http://isrl.cs.byu.edu/pubs/wpes03.pdf

and seeing that it is a completely different proposal, essentially being an application of IBE, and an extension of the idea that one has multiple "identities" encoding attributes. (The usual attribute this approach is used for is time-period of receipt, e.g. month of receipt, so the sender knows which key to encrypt with.)

On Wed, Apr 28, 2004 at 07:54:50PM +0000, Jason Holt wrote:
> properties to Brands', and even does some things that his doesn't.
so here is one major problem with using IBE: everyone in the system has to trust the IBE server!
> I feel a little presumptuous mentioning it in the context of the other systems, which have a much more esteemed set of authors and are much more developed, but I'm also pretty confident in its simplicity.
One claim is that the system should hide sensitive attributes from disclosure during a showing protocol. So in the example given, an AIDS patient could authenticate to an AIDS db server without revealing to an outside observer whether he is an AIDS patient or an authorised doctor.

However, can't one achieve the same thing with encryption: e.g. an SSL connection and conventional authentication? Outside of this, the usual approach to this is to authenticate the server first, then authenticate the client, so the client's privacy is preserved.

Furthermore, there seems to be no blinding at issue time. So to obtain a credential you would have to identify yourself to the CA / IBE identity server, show paper credentials, typically involving True Name credentials, and come away with a private key. So it is proposed in the paper the credential would be issued with a pseudonym. However the CA can maintain a mapping between True Name and pseudonym. However whenever you show the credential the event is traceable back to you by collusion with the CA.
> Note that most anonymous credential systems are encumbered by patents.
I would not say your Hidden Credential system _is_ an anonymous credential system. There is no blinding in the system, period. All is gated via a "trust-me" CA that in this case happens to be an IBE server, so providing the communication pattern advantages of an IBE system.

What it enables is essentially an offline server assisted oblivious encryption where you can send someone a message they can only decrypt if they happen to have an attribute. You could call this a credential system, kind of, where the showing protocol is the verifier sends you a challenge, and the shower decrypts the challenge and sends the result back.

In particular I don't see any way to implement an anonymous epayment system using Hidden Credentials. As I understand, it is simply not possible as the system has no inherent cryptographic anonymity?

Adam