[Taler] Blind rerandomizable credentials

[Jeff Burdges]

There is a threshold credential scheme called Coconut by a number of people at 
UCL:
https://arxiv.org/pdf/1802.07344.pdf

It’s built on the short rerandomizable signatures by Pointcheval and Sanders, 
so basically a pairing based ElGammal signature  
https://eprint.iacr.org/2015/525.pdf  which you’ll find discussed in numerous 
papers like. http://www.manulis.eu/papers/KuMa_InTrust14.pdf

There is a NIZK for blind withdrawing that already existed in Pointcheval and 
Sanders.  It adds complexity, which is why nobody ever used these for blind 
signatures before, but not too complexity much since it’s just a DLEQ proof, 
assuming you do not add a predicate in there like Coconut does.

I think the new cryptographic piece in Coconut is a second NIZK in the 
proving/spending credentials (ProveCred) which lets you hide the actual 
message, so say prove you’re over 18 without showing your age or prove the 
credential is recent enough, without revealing its age.  You’d have trouble 
adding this IZK to BLS signatures where you must handle hashing to the curve or 
in RSA where you must handle the FDH.

Just to be clear, this second NIZK achieves nothing if you reveal the message 
for double spending protection, and then BLS or RSA sounds best, but if you do 
want a blind credential scheme, then this sounds very useful.

Jeff

p.s.  Boneh-Boyen signatures handle the message similarly but in a reciprocal, 
not ElGammal style.
https://crypto.stanford.edu/~dabo/pubs/papers/bbsigs.pdf
I think these require weaker assumptions, verify in one pairing instead of two, 
and provide some similar properties, like folks wanting them for credentials, 
but aggregation might be at best sequential and they do not support blinding or 
rerandomizing.  I doubt they’re useful for anything since Schnorr signing a 
Merkle tree gives the same thing.

signature.asc
Description: Message signed with OpenPGP