[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Taler] BBS+ blind signatures relevant?
|
From: |
Schanzenbach, Martin |
|
Subject: |
Re: [Taler] BBS+ blind signatures relevant? |
|
Date: |
Wed, 29 Sep 2021 16:25:00 +0000 |
Hi,
> On 29. Sep 2021, at 14:48, Jeff Burdges <burdges@gnunet.org> wrote:
>
>
> Any group signature like BBS, and surely BBS+ too, permits the master secret
> key to deanonymize the derived keys’ signatures.
>
> There do exist messaging applications for group signatures. As an example,
> Pond identified accounts by a BBS master public key, with master secret key
> held by the account’s owner, who gave BBS derived keys to their contacts. In
> this way, the account owner knows who submitted every message, but the server
> knows nothing. We only assure the server knows nothing because the users hold
> the master keys.
>
Hmm interesting, I thought usually in credential schemes using BBS+ users and
issues have their own master keys:
https://github.com/ontio/ontology-crypto/wiki/Anonymous-Credential
But I need to look at it again in that regard.
> Any ecash system like Taler has issuing keys and then secrets used by the
> client. It’s now clear Taler issuing key cannot be BBS master keys because
> then Taler looses anonymity. ;)
>
> In principle, BBS might be relevant among the client secrets, so you’re Taler
> would benefit from using a divisible eCash system somehow involving BBS. We
> looked into divisible eCash systems early on, but rejected them partially for
> performance reasons, but mostly because our real cost is double spending
> protections, which they do not help.
>
> I think Fuchsbauer has newer divisible-ish ecash proposals, but likely this
> moved on beyond ideas based on BBS. I’ve not read paper yet, but likely less
> efficient than Taler’s current system.
>
> Jeff
>
> p.s. I’m superficially suspicious that identity working groups push group
> signatures like BBS in part because behind the scenes certain figures want
> this deanonymization by master key feature.
Well, for now let's stick to hanlons razor... ;)
>
>
>
>
>> On 29 Sep 2021, at 12:27, Schanzenbach, Martin <mschanzenbach@posteo.de>
>> wrote:
>> in our DISSENS project [1] we investigated BBS+ signatures on BLS12-381 as a
>> state of the art method for privacy credentials (specifically selective
>> disclosure).
>> We therefore built a C/C++ implementation for such a scheme.
>> For some time now there has been an effort to standardise the signatures [2]
>> and maybe this is relevant to Taler as well?
>> I know that you are looking into blind Schnorr signatures, which are likely
>> to be more efficient than BBS+ as those are pairing-based.
>> I also do not know if BBS+ signatures can actually be used in the way Taler
>> needs blind signatures.
>>
>> Anyway, may be worth checking out; I am following the standardisation
>> efforts in case we want to follow the standards for our library and,
>> eventually, reclaimID.
>>
>> BR
>> Martin
>>
>>
>> [1] https://gnunet.org/en/news/2021-05-DISSENS.html
>> [2] https://identity.foundation/bbs-signature
>
>
signature.asc
Description: Message signed with OpenPGP