[Taler] Blind rerandomizable credentials
From: Jeff Burdges
Subject: [Taler] Blind rerandomizable credentials
Date: Sun, 16 Sep 2018 13:41:33 +0200
There is a threshold credential scheme called Coconut by a number of people at
UCL:
https://arxiv.org/pdf/1802.07344.pdf
It’s built on the short rerandomizable signatures by Pointcheval and Sanders,
so basically a pairing based ElGamal signature
https://eprint.iacr.org/2015/525.pdf which you’ll find discussed in numerous
papers like http://www.manulis.eu/papers/KuMa_InTrust14.pdf
There is a NIZK for blind withdrawing that already existed in Pointcheval and
Sanders. It adds complexity, which is why nobody ever used these for blind
signatures before, but not too much complexity since it’s just a DLEQ proof,
assuming you do not add a predicate in there like Coconut does.
I think the new cryptographic piece in Coconut is a second NIZK in the
proving/spending credentials (ProveCred) which lets you hide the actual
message, so say prove you’re over 18 without showing your age or prove the
credential is recent enough, without revealing its age. You’d have trouble
adding this NIZK to BLS signatures where you must handle hashing to the curve or
in RSA where you must handle the FDH.
Just to be clear, this second NIZK achieves nothing if you reveal the message
for double spending protection, and then BLS or RSA sounds best, but if you do
want a blind credential scheme, then this sounds very useful.
Jeff
p.s. Boneh-Boyen signatures handle the message similarly but in a reciprocal,
not ElGamal style.
https://crypto.stanford.edu/~dabo/pubs/papers/bbsigs.pdf
I think these require weaker assumptions, verify in one pairing instead of two,
and provide some similar properties, like folks wanting them for credentials,
but aggregation might be at best sequential and they do not support blinding or
rerandomizing. I doubt they’re useful for anything since Schnorr signing a
Merkle tree gives the same thing.
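
The message above describes the blind-withdrawal NIZK as "just a DLEQ proof". As an added illustration (not code from the post, Coconut, or Taler), here is a Chaum-Pedersen DLEQ proof made non-interactive with Fiat-Shamir. Assumptions: it runs in the prime-order subgroup of the 768-bit RFC 2409 MODP group instead of a pairing group, and the names `prove`, `verify` and `challenge` are hypothetical.

```python
import hashlib
import secrets

# 768-bit safe prime from RFC 2409 (Oakley group 1); illustrative size only.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2   # prime order of the subgroup of squares mod P
G, H = 4, 9        # two squares (assumed bases), each of order Q


def challenge(*elems):
    """Fiat-Shamir challenge: hash the full statement and both commitments."""
    data = b"".join(e.to_bytes(96, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(x, g=G, h=H):
    """Return A = g^x, B = h^x and a proof that log_g(A) == log_h(B)."""
    A, B = pow(g, x, P), pow(h, x, P)
    k = secrets.randbelow(Q - 1) + 1          # fresh nonce for every proof
    t1, t2 = pow(g, k, P), pow(h, k, P)       # commitments under both bases
    c = challenge(g, h, A, B, t1, t2)
    s = (k + c * x) % Q                       # response binds nonce and secret
    return A, B, (c, s)


def verify(g, h, A, B, proof):
    """Recompute the commitments from (c, s) and check the challenge."""
    c, s = proof
    # Reject values outside the order-Q subgroup before using them.
    for e in (A, B):
        if not (1 < e < P and pow(e, Q, P) == 1):
            return False
    # A has order Q, so A^(Q - c) equals A^(-c); likewise for B.
    t1 = pow(g, s, P) * pow(A, Q - c, P) % P
    t2 = pow(h, s, P) * pow(B, Q - c, P) % P
    return c == challenge(g, h, A, B, t1, t2)


if __name__ == "__main__":
    A, B, proof = prove(secrets.randbelow(Q - 1) + 1)
    print("valid proof accepted:", verify(G, H, A, B, proof))
    print("mismatched B accepted:", verify(G, H, A, B * 9 % P, proof))
```

The verifier learns only that A and B share one exponent; hashing the bases and both public values into the challenge ties the proof to that exact statement.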