Brands' private credentials

[Ben Laurie]

Adam Back wrote:
> On Mon, May 10, 2004 at 02:42:04AM +0000, Jason Holt wrote:
> Another approach to hiding membership is one of the techniques
> proposed for non-transferable signatures, where you use construct:
> 
> RSA-sig_A(x),RSA-sig_B(y) and verification is x xor y = hash(message).
> 
> Where the sender is proving he is one of A and B without revealing
> which one.  (One of the values is an existential forgery, where you
> choose a z value first, raise it to the power e, and claim z is a
> signature on x= z^e mod n; then you use private key for B (or A) to
> compute the real signature on the xor of that and the hash of the
> message).  You can extend it to moer than two potential signers if
> desired.

There is code for this in openssl (not sure if its the same technique, 
its described as a ring signature). One of the more amusing aspects is 
it was posted anonymously and signed by a group of likely-looking 
candidates.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff