Re: Attack on Brands blind signature
cypherpunk wrote:

> eprint.iacr.org/2005/186 is an attack by Xuesheng Zhong on several blind signature schemes, including one widely discussed on the Cypherpunks mailing list back in the 1990s by Stefan Brands. The paper seems to show that it is possible for the bank/mint to recognize blind signatures (i.e. untraceable electronic cash tokens) when they are re-submitted for deposit, which is exactly what the blind signature is supposed to prevent. The math looks right although I haven't tried to look back at Brands' old work to see if it is correctly described in the new paper.

The claim that Brands' signature scheme is linkable is incorrect (I haven't checked the other claims in the paper).

The attack checks that

  a^{c'c^{-1}} . g^{s' - c'c^{-1}s} = a'

for a signature {m', z', c', s'} and a view {m, r, z, a, b, c, s}. The above equation reduces to

  g^{s'} a^{c'c^{-1}} g^{-c'c^{-1}s}
  = g^{s'} (a g^{-s})^{c'c^{-1}}
  = g^{s'} (g^s y^{-c} g^{-s})^{c'c^{-1}}
  = g^{s'} y^{-c'}

which is the normal signature validation term. In fact, you can see that the attack will match _any_ signature with _any_ view. Therefore, it provides no information to the attacker.

Cheers,

- Christian

--
Christian Paquin
Security Architect
Credentica
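To make the algebra above concrete, here is an added example (not code from the thread, from Brands or from Credentica) that runs a Brands-style issuing protocol over a toy Schnorr group, keeps the signer's view, and applies the paper's linking test to every (view, signature) pair. The group parameters, seed, messages and function names are constructed for this illustration; the blinding form used (m' = m^t, a' = a^u g^v, b' = b^{ut} m'^v, c = c'/u, s' = us + v) is the Chaum-Pedersen based variant and the view's r component is omitted since the test does not use it.

```python
# Brands-style blind signature over a toy Schnorr group, plus the linking
# test from the paper. Added example for this thread, not Brands' own code.
import hashlib
import random
P, Q, G = 2039, 1019, 4            # constructed toy group: Q | P-1, G of order Q
rng = random.Random(2005)          # fixed seed: reproducible run

def H(*elems):
    """Fiat-Shamir challenge in [1, Q-1]; never 0, so c stays invertible."""
    data = ",".join(map(str, elems)).encode()
    return 1 + int(hashlib.sha256(data).hexdigest(), 16) % (Q - 1)

def keygen():
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)         # secret x, public y = g^x

def issue(x, y, m):
    """Issuing protocol: returns the signer's view and the user's blinded
    signature {m', z', c', s'} on m' = m^t."""
    w = rng.randrange(1, Q)                      # signer: z = m^x, a = g^w, b = m^w
    z, a, b = pow(m, x, P), pow(G, w, P), pow(m, w, P)
    t, u, v = (rng.randrange(1, Q) for _ in range(3))   # user's blinding factors
    m2, z2 = pow(m, t, P), pow(z, t, P)
    a2 = pow(a, u, P) * pow(G, v, P) % P
    b2 = pow(b, u * t, P) * pow(m2, v, P) % P
    c2 = H(m2, z2, a2, b2)
    c = c2 * pow(u, -1, Q) % Q                   # challenge the signer sees
    s = (w + c * x) % Q                          # signer's response
    view = {"m": m, "z": z, "a": a, "b": b, "c": c, "s": s}
    return view, {"m": m2, "z": z2, "c": c2, "s": (u * s + v) % Q}

def verify(y, sig):
    """Normal verification: a' = g^s' y^-c', b' = m'^s' z'^-c', rehash."""
    m2, z2, c2, s2 = sig["m"], sig["z"], sig["c"], sig["s"]
    a2 = pow(G, s2, P) * pow(y, -c2, P) % P
    b2 = pow(m2, s2, P) * pow(z2, -c2, P) % P
    return H(m2, z2, a2, b2) == c2

def link_check(y, view, sig):
    """The paper's test a^(c'/c) g^(s' - (c'/c)s) == a'. The left side
    collapses to g^s' y^-c' = a' whatever view is used."""
    e = sig["c"] * pow(view["c"], -1, Q) % Q
    lhs = pow(view["a"], e, P) * pow(G, (sig["s"] - e * view["s"]) % Q, P) % P
    return lhs == pow(G, sig["s"], P) * pow(y, -sig["c"], P) % P

def matches():
    """Two issuings, four (view, signature) pairs; count how many 'link'."""
    x, y = keygen()
    runs = [issue(x, y, pow(5, 2, P)), issue(x, y, pow(7, 2, P))]  # constructed msgs
    assert all(verify(y, sig) for _, sig in runs)
    return sum(link_check(y, v, s) for v, _ in runs for _, s in runs)
```

`matches()` returns 4: both signatures verify, and the linking test accepts the mismatched pairs just as readily as the genuine ones, so it tells the signer nothing.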
Credentica (Re: Is there a Brands certificate reference implementation?)
Hello Steve,

> From: Steve Furlong <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Fwd: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Date: 25 Apr 2004 12:14:30 -0400
>
> Does anyone know of a reference implementation for Stefan Brands's digital certificate scheme? Alternatively, does anyone have an email address for Brands so I can ask him myself? (I haven't gotten anything back from ZKS's "contact us" address. But I don't know if Brands is still at ZKS.)

I am one of the lead developers of Credentica, which is Stefan Brands' latest venture after his amicable departure from ZKS quite some time ago. We are exclusively focused on the development of identity and access management technology based on Stefan's Digital Credential work.

Following our closing of investment from Nokia earlier this year, we started with the design and implementation of a Software Development Toolkit for Digital Credentials. We are exploring the idea of releasing parts of it under an open-source license, and intend to post updates here from time to time on our progress. More information will be available on our upcoming Web site, which should be up soon.

Meanwhile, if you are interested in getting a glimpse of what we are doing, check out Stefan's keynote materials at a recent NIST PKI workshop, which you can find here: http://middleware.internet2.edu/pki04/proceedings/

Kind regards,

Christian Paquin
Cryptographic Developer
Credentica