On Mon, May 10, 2004 at 03:03:56AM +0000, Jason Holt wrote:
> [...] Actually, now that you mention Chaum, I'll have to look into blind signatures with the B&F IBE (issuing is just a scalar*point multiply on a curve).
I think you mean so that the CA/IBE server, even though he learns the pseudonym's private key, does not learn the linkage between true name and pseudonym. (At any time during a show protocol, whether the private key issuing protocol is blinded or not, the IBE server can compute the pseudonym's private key.) Seems like an incremental improvement, yes.
> That could be a way to get CA anonymity for hidden credentials - just do vanilla cut and choose on blinded pseudonymous credential strings, then use a client/server protocol with perfect forward secrecy so he can't listen in.
Note PFS does not make it end-2-end secure against an adversary who can compute the correspondents' private keys, as it is vulnerable to MITM. Could say invulnerable to a passive eavesdropper. However you might have an opening here for a new security model combining features of Hidden Credentials with a kind of MITM resistance via anonymity. What I mean is HC allows 2 parties to communicate, and they know who they are communicating with. The CA-colluding MITM, however, we'll say does not a priori, so he has to brute-force try all pseudonym/attribute combinations until he gets the right one. Well, still not a desirable security margin, but some extra difficulty for the MITM.

Adam
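As an added example that is not part of the exchange, here is the blinded key issuing Jason mentions and the caveat Adam raises, in Python. It assumes secp256k1 as a stand-in for the Boneh-Franklin pairing curve (extraction needs only a scalar*point multiply, no pairing), a constructed master secret, and hypothetical identities.

```python
import hashlib, secrets
# Added example, not from the thread: Chaum-style blinding of Boneh-Franklin
# key extraction d_ID = s * H1(ID). secp256k1 stands in for B&F's pairing
# curve because extraction itself is only a scalar*point multiply.
P = 2**256 - 2**32 - 977  # secp256k1 field prime, P % 4 == 3
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order

def add(p1, p2):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def hash_to_point(ident: bytes):
    """Try-and-increment map of an identity to a curve point (B&F's H1)."""
    x = int.from_bytes(hashlib.sha256(ident).digest(), "big") % P
    while True:
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # sqrt works because P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        x = (x + 1) % P

def blind_extract(ident: bytes, master_s: int):
    """Client blinds H1(ID) by r, server multiplies by s, client unblinds."""
    r = secrets.randbelow(N - 1) + 1
    blinded = mul(r, hash_to_point(ident))  # the only value the server sees
    d_id = mul(pow(r, -1, N), mul(master_s, blinded))
    return d_id, blinded

def server_can_recompute(ident: bytes, master_s: int, d_id) -> bool:
    """Adam's caveat: the server can compute s*H1(ID) for any guessed ID."""
    return mul(master_s, hash_to_point(ident)) == d_id
```

The server only ever sees `blinded`, so it cannot tie the request to an identity, yet `server_can_recompute` shows it still recovers the pseudonym's key once it guesses the pseudonym.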