Unforgeable Blinded Credentials
It is possible to use blind signatures to produce anonymity-preserving credentials. The general idea is that, say, British Airways want to testify that I am a silver BA Executive Club cardholder. First I create a random number (a nonce), I blind it, then send it to BA. They sign it with their “this guy is a silver member” signing key, I unblind the signature and then I can show the signed nonce to anyone who wants to verify that I am silver. All they need to do is check the signature against BA’s published silver member key. BA cannot link this nonce back to me because they have never seen it, so they cannot distinguish me from any other member.

However, anyone I show this proof to can then masquerade as a silver member, using my signed nonce. So, it occurred to me that an easy way to prevent this is to create a private/public key pair and instead of the nonce use the hash of the public key. Then to prove my silver status I have to show both that the hash is signed by BA and that I possess the corresponding private key (by signing a nonce, say).

It seems to me quite obvious that someone must have thought of this before - the question is who? Is it IP free?

Obviously this kind of credential could be quite useful in identity management. Note, though, that this scheme doesn’t give me unlinkability unless I only show each public/private key pair once. What I really need is a family of unlinkable public/private key pairs that I can somehow get signed with a single “family” signature (obviously this would need to be unlinkably transformed for each member of the key family).

Permalink: http://www.links.org/?p=88

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.links.org/

There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
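The protocol sketched in the post above, as an added example that is not part of the original message and not code by Ben Laurie: an RSA blind signature over the hash of a holder-generated public key, followed by proof of possession by signing the verifier's nonce. Textbook RSA with no padding and SHA-256 in place of a full-domain hash keep it short; the class and function names (Issuer, Holder, verify_show, run_protocol) and the 512-bit demo key size are this example's own choices. The example also exercises both points the post raises: a captured presentation does not let a third party answer a fresh nonce, and two showings of the same key pair are trivially linkable.

```python
# Added example (not from the thread): a blind-signed credential bound to a holder key.
# Textbook RSA, no padding, SHA-256 in place of a full-domain hash: enough to show the
# protocol flow, not for production use. All names here are this example's own.
import hashlib
import math
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length and odd
        if _is_probable_prime(p):
            return p


def rsa_keygen(bits: int = 512):
    """Return (n, e, d). Small modulus so the demo runs in well under a second."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def hash_to_int(data: bytes, n: int) -> int:
    """SHA-256 as a (non-full-domain) hash into Z_n; every modulus here exceeds 2^256."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def encode_pub(n: int, e: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")


class Issuer:
    """BA's 'silver member' key. It signs whatever blinded value it is handed."""

    def __init__(self):
        self.n, self.e, self._d = rsa_keygen()
        self.seen = []                      # the issuer's complete view of the protocol

    def public_key(self):
        return self.n, self.e

    def blind_sign(self, blinded: int) -> int:
        self.seen.append(blinded)
        return pow(blinded, self._d, self.n)


class Holder:
    """Makes a credential key pair, gets H(pk) blind-signed, then proves possession of sk."""

    def __init__(self, issuer_pub):
        self.n_i, self.e_i = issuer_pub
        self.n, self.e, self._d = rsa_keygen()
        self.cred_sig = None

    def request(self) -> int:
        """Send m * r^e mod n_i for random r coprime to n_i; m = H(pk) stays hidden."""
        m = hash_to_int(encode_pub(self.n, self.e), self.n_i)
        self._r = secrets.randbelow(self.n_i - 2) + 2
        while math.gcd(self._r, self.n_i) != 1:
            self._r = secrets.randbelow(self.n_i - 2) + 2
        return m * pow(self._r, self.e_i, self.n_i) % self.n_i

    def finish(self, blinded_sig: int) -> None:
        """(m r^e)^d = m^d r, so multiplying by r^-1 leaves BA's plain signature on m."""
        self.cred_sig = blinded_sig * pow(self._r, -1, self.n_i) % self.n_i

    def show(self, nonce: bytes):
        """Presentation: pk, BA's signature over H(pk), and my signature over the nonce."""
        return (self.n, self.e), self.cred_sig, pow(hash_to_int(nonce, self.n), self._d, self.n)


def verify_show(issuer_pub, presentation, nonce: bytes) -> bool:
    """Verifier: BA must have signed H(pk), and the presenter must hold sk for pk."""
    n_i, e_i = issuer_pub
    (n_h, e_h), cred_sig, proof = presentation
    cred_ok = pow(cred_sig, e_i, n_i) == hash_to_int(encode_pub(n_h, e_h), n_i)
    possession_ok = pow(proof, e_h, n_h) == hash_to_int(nonce, n_h)
    return cred_ok and possession_ok


def run_protocol() -> dict:
    ba = Issuer()
    holder = Holder(ba.public_key())
    holder.finish(ba.blind_sign(holder.request()))
    nonce1, nonce2 = secrets.token_bytes(16), secrets.token_bytes(16)
    show1, show2 = holder.show(nonce1), holder.show(nonce2)
    pk, cred_sig, _ = show1
    return {
        # an honest showing verifies
        "accepted": verify_show(ba.public_key(), show1, nonce1),
        # BA's transcript contains neither H(pk) nor the signature it will later be shown
        "issuer_blind": hash_to_int(encode_pub(*pk), ba.n) not in ba.seen and cred_sig not in ba.seen,
        # a party that captured show1 (pk and BA's signature, no sk) cannot answer a fresh nonce
        "replay_rejected": not verify_show(ba.public_key(), show1, nonce2),
        # the same pk appears in both showings, so a verifier can link them (the post's caveat)
        "shows_linkable": show1[0] == show2[0],
    }
```

run_protocol() returns four booleans, all expected to be True; the last one is the linkability problem the post ends on, and the only cure within this scheme is a fresh key pair per showing.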
SHA1 coll
Hi All,

The following two byte-strings (differing in a few bits only):

59 6F 75 20 61 72 65 20 41 70 72 69 6C 20 46 6F 6F 6C 20 6E 6F 2E 20 30 30 36 39 30 30 32 35 31 33 31 00

and

59 6F 75 20 61 72 65 20 41 70 72 69 6C 20 46 6F 6F 6C 20 6E 6F 2E 20 31 37 38 36 37 33 32 39 32 31 39 00

both have SHA-1 20060401

For more explanation, visit http://deweger.xs4all.nl/20060401.html

Grtz,
Benne de Weger
Re: [Cfrg] HMAC-MD5
> From: [EMAIL PROTECTED]
> Sent: Mar 30, 2006 3:38 PM
> To: cryptography@metzdowd.com
> Subject: Re: [Cfrg] HMAC-MD5
>
> I think that we have the evidence. The security of MD5 depends heavily on a lot of nonlinearities in functions F, G, I and on carries in arithmetic additions. Nonlinearities in F, G, I are bitwise and very weak. Carries are much stronger, but the collision attacks showed that it is possible to control them also.

The question is, can these still be controlled when the attacker doesn't know the internal state of the chaining variables? If not, we may end up with second preimage attacks (which would finish off MD5 for most hashing applications!), but still not know how to attack HMAC. The attack model is really different!

For what it's worth, though, I agree that we need to get rid of MD5 anywhere it's still in place, since the only thing we know about its security is that it's a lot less than anyone expected it to be even a year ago. In fact, we should have started this when Dobbertin had his free-start collision result. If we had, we'd be able to regard the devastating MD5 collisions we're seeing now in the same way we regard devastating attacks on FEAL. (If someone extends the best attack on FEAL to 64 rounds, that will be cool, but nobody will be scrambling to replace FEAL in their products and protocols.)

> Vlastimil Klima

--John Kelsey, NIST
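The attack-model point in the reply above, as an added example that is not code from the thread nor from NIST or Vlastimil Klima: a from-scratch MD5 whose chaining value is exposed, with HMAC-MD5 built on top of it as RFC 2104 specifies. The function names (md5_compress, md5_chain, inner_chaining_value, matches_stdlib) are this example's own. The compression function makes the F/G/H/I bitwise steps and the modular additions (the carries) explicit; a plain hash processes the attacker's blocks from the fixed IV, whereas inner_chaining_value shows that in HMAC the message blocks are processed from a state that depends on the key, which the attacker does not have. matches_stdlib cross-checks the whole construction against hashlib and hmac.

```python
# Added example (not from the thread): MD5 with its chaining state exposed, and
# HMAC-MD5 (RFC 2104) built on it. Python stdlib only.
import hashlib
import hmac
import math
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)   # MD5 initial chaining value
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]


def _rotl(x: int, c: int) -> int:
    return ((x << c) | (x >> (32 - c))) & MASK


def md5_compress(state, block: bytes):
    """One MD5 compression: 64 steps of bitwise F/G/H/I plus the mod-2^32 additions."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & MASK & d), i                  # F
        elif i < 32:
            f, g = (d & b) | (~d & MASK & c), (5 * i + 1) % 16   # G
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16                   # H
        else:
            f, g = c ^ (b | (~d & MASK)), (7 * i) % 16           # I
        f = (f + a + K[i] + m[g]) & MASK                         # carries live here
        a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & MASK
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d)))


def md5_chain(state, data: bytes):
    """Absorb whole 64-byte blocks starting from `state`; return the chaining value."""
    for off in range(0, len(data), 64):
        state = md5_compress(state, data[off:off + 64])
    return state


def md5(data: bytes) -> bytes:
    """Plain MD5: pad, then chain from the public IV."""
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    return struct.pack("<4I", *md5_chain(IV, padded))


def _block_key(key: bytes) -> bytes:
    return (md5(key) if len(key) > 64 else key).ljust(64, b"\x00")


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """RFC 2104: H((K xor opad) || H((K xor ipad) || msg))."""
    key = _block_key(key)
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return md5(opad + md5(ipad + msg))


def inner_chaining_value(key: bytes):
    """The state the inner hash has after the (K xor ipad) block, i.e. the 'IV' the
    message blocks are actually hashed from. A collision search needs this value,
    and without the key the attacker does not have it."""
    return md5_chain(IV, bytes(k ^ 0x36 for k in _block_key(key)))


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check both primitives against the standard library."""
    return (md5(msg) == hashlib.md5(msg).digest()
            and hmac_md5(key, msg) == hmac.new(key, msg, "md5").digest())
```

Compare inner_chaining_value(key) for two keys, or against IV: the values differ, which is what separates Kelsey's "attacker doesn't know the internal state of the chaining variables" from the known-IV setting in which the published collisions were found.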
Re: Unforgeable Blinded Credentials
Ben Laurie writes:

> It is possible to use blind signatures to produce anonymity-preserving credentials
> It seems to me quite obvious that someone must have thought of this before - the question is who? Is it IP free?

David Chaum did a great deal of work in this area in the 80s and 90s. He pretty much invented the idea of anonymous credentials. Stefan Brands used slightly different techniques a few years later to create improved versions. More recently, Camenisch and Lysyanskaya have created a number of anonymous credential systems based (roughly) on group signatures. Some work was obstructed by the patent on the Chaum blind signature technique, but that expired last year. I think your basic concept is IP free, but you should review the patents by these researchers to be sure.

> Obviously this kind of credential could be quite useful in identity management. Note, though, that this scheme doesn't give me unlinkability unless I only show each public/private key pair once. What I really need is a family of unlinkable public/private key pairs that I can somehow get signed with a single "family" signature (obviously this would need to be unlinkably transformed for each member of the key family).

There is an operational difficulty with this goal as stated. To demonstrate it, consider a trivial way of achieving the goal. The credential issuer creates a special public/private key pair that is associated with the credential. To everyone who earns the credential, he reveals the private key (which is the same for everyone who has the credential). To show that he holds the credential, the key holder issues a signature using the private key corresponding to the publicly-known credential public key. Now he can show credential ownership as often as desired, without linkability, because all such demonstrations look the same, for all members.

This illustrates a problem with multi-show credentials, that the holder could share his credential freely, and in some cases even publish it, and this would allow non-authorized parties to use it. To avoid this, more complicated techniques are needed that provide for the ability to revoke a credential or blacklist a credential holder, even in an environment of unlinkability. Camenisch and Lysyanskaya have done quite a bit of work along these lines, for example in http://www.zurich.ibm.com/%7Ejca/papers/camlys02b.pdf .

Hal Finney