Cryptographic privacy protection in TCPA

Adam Back adam at cypherspace.org
Tue Aug 20 19:24:21 PDT 2002


On Sun, Aug 18, 2002 at 04:58:56PM +0100, Adam Back wrote:
> [...] Also relevant is "An Efficient System for Non-transferable
> Anonymous Credentials with Optional Anonymity Revocation", Jan
> Camenisch and Anna Lysyanskaya, Eurocrypt 01
> 
> 	http://eprint.iacr.org/2001/019/
> 
> These credentials allow the user to do unlinkable multi-show without
> involving a CA.  They are somewhat less efficient than Chaum or Brands
> credentials though.  But for this application this removes the
> need to trust a CA, or even have a CA: the endorsement key and
> credential can be inserted by the manufacturer, can be used
> indefinitely many times, and are not linkable.

There was some off-list discussion about the possibility of sharing these
credentials once a given credential is extracted from its TPM by a
user who broke the tamper resistance of his TPM.

I also said:

> [...] Credentials which are shared are easier to revoke -- knowledge
> of the private keys typically will render most schemes linkable and
> revocable.  This leaves only online lending which is anyway harder
> to prevent.

Because Camenisch credentials are unlinkable multi-show it makes it
harder to recognize sharing, so the user could undetectably share
credentials with a small group that he trusts.  

(By comparison with linkable pseudonymous credentials and a privacy CA
the issuer and/or verifier would see unusually high activity from a
given pseudonym or TPM endorsement key if the corresponding credential
were shared too widely.)

However if the Camenisch (unlinkable multi-show) credential were
shared too widely the issuer may also learn the secret key and hence
be able to link and so revoke the overly-shared credentials.  This
combats sharing, though to a limited extent.

Another idea to improve upon this inherent risk of sharing too widely
may be to use a protocol which it is not safe to do parallel shows
with.  (Some ZKPs are not secure when you engage in multiple show
protocols in parallel.  Usually this is considered a bad thing, and
steps are taken to allow safe parallel show.)  

For this application a show protocol with which it is not safe to engage in
parallel shows may frustrate sharing: someone who shared the
credential too widely would have difficulty coordinating amongst the
sharees not to show the same credential in parallel.  I notice
Camenisch et al. mention steps to avoid the parallel showing problem, so
perhaps that feature could be reintroduced.

In contrast, the TPM can easily ensure that the credential is not used
in parallel shows.

Adam
--
http://www.cypherspace.org/adam/

---------------------------------------------------------------------
The Cryptography Mailing List
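
The parallel-show idea in the message above can be made concrete with a Schnorr-style proof of knowledge standing in for the credential show. This is an added illustration, not part of the original post and not the Camenisch-Lysyanskaya protocol; the Credential class, the nonce derived from a stored counter, the fixed challenges and the toy group parameters are all assumptions of the example.

```python
import copy, hashlib, secrets

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

# Constructed demo group, far too small for real use: Q = 2^31 - 1 is prime,
# P is the first prime of the form k*Q + 1, G has order Q modulo P.
Q = 2**31 - 1
P = next(k * Q + 1 for k in range(2, 10**4, 2) if _is_prime(k * Q + 1))
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, 50)) if g != 1)

class Credential:
    """Copyable credential state: secret x and a per-show counter (hypothetical)."""
    def __init__(self, x):
        self.x, self.counter = x, 0
        self.y = pow(G, x, P)              # public value the verifier checks against

    def _nonce(self):
        # Assumption: the nonce is a function of stored state, so copies collide.
        h = hashlib.sha256(f"{self.x}:{self.counter}".encode()).digest()
        return int.from_bytes(h, "big") % Q

    def commit(self):
        return pow(G, self._nonce(), P)

    def respond(self, c):
        s = (self._nonce() + c * self.x) % Q
        self.counter += 1                  # a single holder never reuses a nonce
        return s

def verify(y, t, c, s):
    return pow(G, s, P) == t * pow(y, c, P) % P

def extract(show_a, show_b):
    """Recover x from two (t, c, s) transcripts that share a commitment."""
    (t1, c1, s1), (t2, c2, s2) = show_a, show_b
    if t1 != t2 or c1 == c2:
        return None
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q

def show(cred, c):                         # c is the verifier's challenge
    return (cred.commit(), c, cred.respond(c))

def demo():
    owner = Credential(secrets.randbelow(Q - 1) + 1)
    sharee = copy.deepcopy(owner)                          # extracted, shared copy
    leaked = extract(show(owner, 17), show(sharee, 400))   # uncoordinated shows
    serial = extract(show(owner, 17), show(owner, 400))    # one holder, in sequence
    return owner.x, leaked, serial
```

In `demo()`, the two uncoordinated copies reuse a commitment and the verifier recovers the secret, while the single holder that advances its state between shows gives the verifier nothing to extract.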