Good time-of-day, respected cryptographically gifted individuals. My friends and I have been reading up on anonymous authentication schemes, and we've run into a very interesting paper:
Self-blindable Credential: Towards Lightweight Anonymous Entity Authentication (by Yanjiang Yang, Xuhua Ding, Haibing Lu, Jian Weng). It's available at iacr: https://eprint.iacr.org/2013/207.pdf

And basically, there's some disagreement over the interpretation of a particular part of the text (do note that despite certain interest in the field, none of us are particularly mathematically gifted, to put it kindly). The part in question is (quote follows, with busted notation, alas):

----
Suppose that user u's long term signing key is an ElGamal-type key pair (m, y = g^m), where y is the public key certified by a CA and m is the private key. To get a credential from the credential issuer, the user submits a^m and PoK{(m) : A = a^m ∧ y = g^m}. Then, the credential issuer computes an ASM signature on m (instead of on user identity u). Our scheme ensures that the user must know m in order to construct the proof of knowledge for A' = a^{m·f} b^{s·f} d^f in running the Blind algorithm. As a result, user u is enforced to share her private key m in order to share her credential with another user.
----

Question: does the "credential issuer" gain possession of the "naked" private key m, and thus the abusive abilities usually associated with such possession (like impersonating the user on a whim)?

A pointy-haired-boss explanation would be very appreciated. Thank you very much for your time.

Warm regards,
J
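The proof-of-knowledge step in the quoted passage, as an added illustration that is not from the paper or from the poster: a Chaum-Pedersen style proof that A = a^m and y = g^m share the same exponent m, where the verifier (the issuer's role) checks a transcript that contains y, A, two commitments and one response, but never m itself. The toy group, the hash-derived challenge and the choice of Chaum-Pedersen as the instantiation are my assumptions; the paper's PoK may be built differently.

```python
# Added example (not from the paper or the poster): Chaum-Pedersen style
# proof of knowledge that A = a^m and y = g^m share the same exponent m.
# Group, bases and Fiat-Shamir challenge are assumptions about how
# PoK{(m) : A = a^m AND y = g^m} might be instantiated; the paper may differ.
import hashlib
import secrets

# Toy parameters (constructed): p = 2q + 1 with q prime, so the quadratic
# residues mod p form a subgroup of prime order q. Real use needs ~256-bit q.
P = 2 * 1019 + 1        # 2039, prime
Q = 1019                # prime order of the subgroup
G = pow(3, 2, P)        # generator g of the order-q subgroup (constructed)
A_BASE = pow(5, 2, P)   # the second base "a" from the quoted text (constructed)

def challenge(*parts):
    """Fiat-Shamir challenge in [1, q-1], derived from the whole transcript."""
    h = hashlib.sha256(",".join(str(x) for x in parts).encode()).digest()
    return 1 + int.from_bytes(h, "big") % (Q - 1)

def prove(m):
    """Prover (the user) knows m. Returns the public values plus the proof;
    only y, A, t1, t2 and s leave the prover, m is never transmitted."""
    y = pow(G, m, P)
    A = pow(A_BASE, m, P)
    r = secrets.randbelow(Q)                      # fresh randomness per proof
    t1, t2 = pow(G, r, P), pow(A_BASE, r, P)      # commitments to r
    c = challenge(G, A_BASE, y, A, t1, t2)
    s = (r + c * m) % Q                           # response hides m via r
    return {"y": y, "A": A, "t1": t1, "t2": t2, "s": s}

def verify(proof):
    """Verifier (the credential issuer) checks the transcript without m."""
    y, A, t1, t2, s = (proof[k] for k in ("y", "A", "t1", "t2", "s"))
    c = challenge(G, A_BASE, y, A, t1, t2)
    ok_g = pow(G, s, P) == (t1 * pow(y, c, P)) % P        # g^s == t1 * y^c
    ok_a = pow(A_BASE, s, P) == (t2 * pow(A, c, P)) % P   # a^s == t2 * A^c
    return ok_g and ok_a

if __name__ == "__main__":
    m = secrets.randbelow(Q)
    proof = prove(m)
    print("issuer accepts proof:", verify(proof))
    print("transcript contains m:", "m" in proof)   # False
```

A proof whose A was computed with a different exponent than y fails both equations for every challenge, which is what binds the credential to the same m that sits behind the certified public key.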
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography