On Sun, Aug 18, 2002 at 04:58:56PM +0100, Adam Back wrote:
[...] "Also relevant is An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation", Jan Camenisch and Anna Lysyanskaya, Eurocrypt 01
http://eprint.iacr.org/2001/019/
These credentials allow the user to do unlinkable multi-show without involving a CA. They are somewhat less efficient than Chaum or Brands credentials though. But for this application this removes the need to trust a CA, or even to have a CA: the endorsement key and credential can be inserted by the manufacturer, can be used indefinitely many times, and are not linkable.
There was some off-list discussion about the possibility of sharing these credentials once a given credential is extracted from its TPM by a user who broke the tamper resistance of his TPM. I also said:
[...] Credentials which are shared are easier to revoke -- knowledge of the private keys typically will render most schemes linkable and revocable. This leaves only online lending which is anyway harder to prevent.
Because Camenisch credentials are unlinkable multi-show, it is harder to recognize sharing, so the user could undetectably share credentials with a small group that he trusts. (By comparison, with linkable pseudonymous credentials and a privacy CA the issuer and/or verifier would see unusually high activity from a given pseudonym or TPM endorsement key if the corresponding credential were shared too widely.) However if the Camenisch (unlinkable multi-show) credential were shared too widely the issuer may also learn the secret key and hence be able to link and so revoke the overly-shared credentials. This combats sharing, though only to a limited extent.

Another idea to improve upon this inherent risk of sharing too widely may be to use a protocol with which it is not safe to do parallel shows. (Some ZKPs are not secure when you engage in multiple show protocols in parallel. Usually this is considered a bad thing, and steps are taken to allow safe parallel show.) For this application a show protocol with which it is not safe to engage in parallel shows may frustrate sharing: someone who shared the credential too widely would have difficulty coordinating amongst the sharees not to show the same credential in parallel. I notice Camenisch et al mention steps to avoid the parallel showing problem, so perhaps that feature could be reintroduced. In contrast, the TPM can easily ensure that the credential is not used in parallel shows.

Adam
--
http://www.cypherspace.org/adam/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
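The following is an added example, not code from Adam Back's post and not the Camenisch-Lysyanskaya protocol itself. It illustrates the two mechanisms the post relies on: that knowledge of the secret key makes a credential linkable and revocable, and that a show protocol which is unsafe to run from two copies of the same credential at once frustrates sharing. It uses a Schnorr-style proof of knowledge of x for y = g^x as a stand-in for the show protocol, and it assumes (an assumption for illustration only) that the prover derives its one-time nonce r from x and a monotonic counter held next to the secret, so a single TPM that serialises its shows never repeats r, while two extracted copies started from the same counter value do. Two accepting transcripts with the same commitment t and different challenges then reveal x by the standard special-soundness argument; the issuer computes g^x, matches it against a constructed registry of issued public values, and revokes. The 64-bit group parameters and the registry are generated inline for a fast, offline demonstration and are not suitable for real use.

```python
import hashlib
import secrets

# Miller-Rabin with fixed bases is deterministic for n < 3.3e24, which covers
# the 64-bit demo parameters generated below.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def group_params(bits=64):
    """First safe prime p = 2q + 1 with q just above 2^(bits-1); g = 4 is a
    quadratic residue, so it generates the order-q subgroup.  Demo size only."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = group_params()


def keygen():
    """Credential secret x and public y = g^x (constructed at random here; a
    real credential would be inserted by the manufacturer)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


class Credential:
    """Prover side of a Schnorr-style show protocol for y = g^x.  Assumed
    design: the nonce r is derived from (x, counter), so one device never
    repeats r, but two copies run from the same counter value do."""

    def __init__(self, x, counter=0):
        self.x, self.counter, self._r = x, counter, None

    def commit(self):
        seed = f"{self.x}:{self.counter}".encode()
        self._r = 1 + int.from_bytes(hashlib.sha256(seed).digest(), "big") % (Q - 1)
        return pow(G, self._r, P)                 # t = g^r

    def respond(self, c):
        s = (self._r + c * self.x) % Q             # s = r + c*x
        self.counter, self._r = self.counter + 1, None
        return s


def verify(y, t, c, s):
    return pow(G, s, P) == t * pow(y, c, P) % P    # g^s == t * y^c


def show(cred, y):
    """One complete show against a fresh random challenge; returns (t, c, s)."""
    t = cred.commit()
    c = secrets.randbelow(Q)
    s = cred.respond(c)
    assert verify(y, t, c, s)
    return t, c, s


def extract_secret(tr1, tr2):
    """Special soundness: two accepting transcripts with equal t and unequal c
    give x = (s1 - s2) / (c1 - c2) mod q; otherwise None."""
    (t1, c1, s1), (t2, c2, s2) = tr1, tr2
    if t1 != t2 or c1 == c2:
        return None
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q


def link_and_revoke(transcripts, registry):
    """Issuer side: try every pair of observed transcripts; an extracted x is
    linked to its registered y (registry maps y -> credential id) and revoked."""
    revoked = set()
    for i, a in enumerate(transcripts):
        for b in transcripts[i + 1:]:
            x = extract_secret(a, b)
            if x is not None and pow(G, x, P) in registry:
                revoked.add(registry[pow(G, x, P)])
    return revoked


def demo():
    """Returns (revoked after honest use, revoked after shared parallel use)."""
    x, y = keygen()
    registry = {y: "tpm-0001"}                     # constructed issuer registry
    tpm = Credential(x)
    honest = [show(tpm, y) for _ in range(3)]      # serialised shows: no leak
    # Extracted credential handed to two parties who start from the same
    # counter state and show concurrently: same r, different challenges.
    copies = [Credential(x, counter=tpm.counter) for _ in range(2)]
    shared = [show(cp, y) for _ in range(3) for cp in copies]
    return link_and_revoke(honest, registry), link_and_revoke(shared, registry)
```

Running `demo()` returns an empty set for the single TPM and `{"tpm-0001"}` for the shared copies. The honest device is protected by the counter it advances after every show, which is the "TPM can easily ensure that the credential is not used in parallel shows" point; the sharees would have to coordinate their counters out of band to avoid the collision, which is exactly the coordination burden the post suggests using against them.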