blinding & BF IBE CA assisted credential system (Re: chaum's patent expiry?)

Adam Back adam at
Mon May 10 03:02:51 PDT 2004

On Mon, May 10, 2004 at 03:03:56AM +0000, Jason Holt wrote:
> [...] Actually, now that you mention Chaum, I'll have to look into
> blind signatures with the B&F IBE (issuing is just a scalar*point
> multiply on a curve).  

I think you mean so that the CA/IBE server, even though he learns the
pseudonym's private key, does not learn the linkage between true name
and pseudonym.  (At any time during a show protocol, whether the
private key issuing protocol is blinded or not, the IBE server can
compute the pseudonym's private key.)

Seems like an incremental improvement yes.

> That could be a way to get CA anonymity for hidden credentials -
> just do vanilla cut and choose on blinded pseudonymous credential
> strings, then use a client/server protocol with perfect forward
> secrecy so he can't listen in.  

Note PFS does not make end-2-end secure against an adversary who can
compute the correspondents' private keys, as vulnerable to MITM.  Could
say invulnerable to passive eavesdropper.  However you might have an
opening here for a new security model combining features of Hidden
Credentials with a kind of MITM resistance via anonymity.  What I mean
is HC allows 2 parties to communicate, and they know who they are
communicating with.  The CA-colluding MITM, however, we'll say does not
a priori, so he has to brute force try all pseudonym, attribute
combinations until he gets the right one.  Well, still not a desirable
security margin, but some extra difficulty for the MITM.
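
Added example, not part of the original message or of any Hidden Credentials code: a sketch of the blinded scalar*point issuance discussed above, and of the point that the issuer can still derive the pseudonym's key once it sees the pseudonym. Assumptions: multiplicative blinding, secp256k1 as a stand-in group (not pairing-friendly, so only the issuing step is modelled), a try-and-increment hash to the curve, no cut and choose, and all function names are hypothetical.

```python
import hashlib, secrets

# Assumption: secp256k1 (y^2 = x^3 + 7 over F_P, prime order N) stands in
# for the IBE group. No pairing is computed; only issuance is modelled.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = None
    while k:
        if k & 1: R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R

def hash_to_point(ident):
    """Try-and-increment map from a credential string to a curve point."""
    ctr = 0
    while True:
        h = hashlib.sha256(f"{ident}|{ctr}".encode()).digest()
        x = int.from_bytes(h, "big") % P
        y = pow(x**3 + 7, (P + 1) // 4, P)   # square root, valid as P % 4 == 3
        if (y * y - x**3 - 7) % P == 0:
            return (x, y)
        ctr += 1

def blind(ident):
    # User side: the issuer sees r*H(ident), a uniformly random group element.
    r = secrets.randbelow(N - 1) + 1
    return r, mul(r, hash_to_point(ident))

def issue(s, blinded):
    # Issuer side: one scalar*point multiply with master secret s.
    return mul(s, blinded)

def unblind(r, issued):
    # User side: r^-1 * (s*r*H(ident)) = s*H(ident), the private key.
    return mul(pow(r, -1, N), issued)
```

The issuer never sees the credential string during issuance, but `mul(s, hash_to_point(ident))` gives it the same key as soon as the string is revealed or guessed, which is the caveat raised in the reply.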