taler
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Taler] BBS+ blind signatures relevant?

From: Jeff Burdges
Subject: Re: [Taler] BBS+ blind signatures relevant?
Date: Wed, 29 Sep 2021 14:48:54 +0200 
Any group signature like BBS, and surely BBS+ too, permits the master secret 
key to deanonymize the derived keys’ signatures.

There do exist messaging applications for group signatures.  As an example, 
Pond identified accounts by a BBS master public key, with master secret key 
held by the account’s owner, who gave BBS derived keys to their contacts.  In 
this way, the account owner knows who submitted every message, but the server 
knows nothing. We only assure the server knows nothing because the users hold 
the master keys.

Any ecash system like Taler has issuing keys and then secrets used by the 
client.  It’s now clear Taler issuing key cannot be BBS master keys because 
then Taler looses anonymity.  ;)  

In principle, BBS might be relevant among the client secrets, so you’re Taler 
would benefit from using a divisible eCash system somehow involving BBS.  We 
looked into divisible eCash systems early on, but rejected them partially for 
performance reasons, but mostly because our real cost is double spending 
protections, which they do not help.  

I think Fuchsbauer has newer divisible-ish ecash proposals, but likely this 
moved on beyond ideas based on BBS.  I’ve not read paper yet, but likely less 
efficient than Taler’s current system.

Jeff

p.s.  I’m superficially suspicious that identity working groups push group 
signatures like BBS in part because behind the scenes certain figures want this 
deanonymization by master key feature.




> On 29 Sep 2021, at 12:27, Schanzenbach, Martin <mschanzenbach@posteo.de> 
> wrote:
> in our DISSENS project [1] we investigated BBS+ signatures on BLS12-381 as a 
> state of the art method for privacy credentials (specifically selective 
> disclosure).
> We therefore built a C/C++ implementation for such a scheme.
> For some time now there has been an effort to standardise the signatures [2] 
> and maybe this is relevant to Taler as well?
> I know that you are looking into blind Schnorr signatures, which are likely 
> to be more efficient than BBS+ as those are pairing-based.
> I also do not know if BBS+ signatures can actually be used in the way Taler 
> needs blind signatures.
> 
> Anyway, may be worth checking out; I am following the standardisation efforts 
> in case we want to follow the standards for our library and, eventually, 
> reclaimID.
> 
> BR
> Martin
> 
> 
> [1] https://gnunet.org/en/news/2021-05-DISSENS.html
> [2] https://identity.foundation/bbs-signature
reply via email to
[Prev in Thread] Current Thread [Next in Thread]