Cryptographic privacy protection in TCPA

Adam Back adam at
Sat Aug 24 09:11:42 PDT 2002

On Wed, Aug 21, 2002 at 03:24:21AM +0100, Adam Back wrote:
> Because Camenisch credentials are unlinkable multi-show it makes it
> harder to recognize sharing, so the user could undetectably share
> credentials with a small group that he trusts.  
> [...]
> However if the Camenisch (unlinkable multi-show) credential were
> shared too widely the issuer may also learn the secret key and hence
> be able to link and so revoke the overly-shared credentials.  This
> combats sharing though to a limited extent.

Since writing this I realised that there is a problem revoking
unlinkable multi-show credentials:

- I was presuming that revealing the credential and its secret key is
sufficient to allow someone to link shows of that credential.

- but to link you'd have to try each revoked credential in turn.

Therefore the verifier would have to perform work linear in the number
of revoked credentials at each show, for the duration of the epoch.

Anonymous suggests one way out is to just define the issuing CA
and the refreshing CA to be the same entity.  Then you already have to
trust the hardware manufacturer not to issue certs whose secrets are
outside of a TPM.  In this case Brands or Chaum credentials work.

The remaining desiderata are:

- it is not ideal from a risk management perspective to have to have
the hardware manufacturer's endorsement private key online to refresh
certificates (or in general for there to be any private key online
that allows issuing of credentials whose private keys lie outside a

- not ideal to have to have an online protocol with an otherwise
non-existent third party (credential refresh CA) in order to avoid

Other ideas I gave in an earlier post towards fixing these remaining
issues now that it seems unlinkable multi-show credentials won't work:

| Perhaps there would be some way to have the privacy CA be a different
| CA to the endorsement CA and for the privacy CA to only be able to
| refresh existing credentials issued by the endorsement CA, but not to
| create fresh ones.
| Or perhaps some restriction could be placed on what the privacy CA
| could do of the form if the privacy CA issued new certificates it
| would reveal its private key.
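
The linear revocation cost described above, as an added toy example that is not part of the original post and is not the Camenisch scheme. It assumes each show carries a tag (h, h^x mod p) under a fresh random base h; the tiny prime and the names `show` and `check_revoked` are constructed for illustration.

```python
# Toy model of revoking unlinkable multi-show credentials (added example).
# Assumption: a show exposes (h, h^x mod p) for a fresh base h, so shows of
# the same secret x look unrelated unless the verifier already knows x.
import secrets

P, Q = 2039, 1019  # constructed toy safe prime p = 2q + 1; far too small for real use


def show(x):
    """Holder side: produce one show of the credential with secret x."""
    r = secrets.randbelow(P - 3) + 2   # r in [2, p-2], so r is never +1 or -1
    h = pow(r, 2, P)                   # a square != 1, hence of prime order q
    return h, pow(h, x, P)


def check_revoked(tag, revoked):
    """Verifier side: test the show against every revoked secret in turn.

    Returns (index of the matching revoked secret or None, exponentiations done).
    """
    h, t = tag
    work = 0
    for i, x in enumerate(revoked):
        work += 1
        if pow(h, x, P) == t:          # only someone holding x can make this link
            return i, work
    return None, work


if __name__ == "__main__":
    revoked = list(range(1, 501))      # constructed list of 500 revealed secrets
    honest = 777                       # constructed secret that was never revealed

    # Two shows of the same credential use different bases and do not match up.
    print("two shows of one credential:", show(honest), show(honest))

    # An honest show is cleared only after the whole list has been tried.
    print("honest show :", check_revoked(show(honest), revoked))

    # A revoked credential is caught, but only by trying secrets one by one.
    print("revoked show:", check_revoked(show(500), revoked))
```

Every accepted show costs the verifier one exponentiation per revoked credential, which is the per-show linear work the post identifies.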
