Sunday, October 05, 2003

State of the Art in Credential Systems

[Note - this is an archived version of the original posting from 10:15 PM EDT, Oct 05 2003]

Here is another message which was censored by the cryptography list moderator because it was posted anonymously. Surely it should be obvious that this kind of posting is exactly what the cryptography list was designed to supply to its subscribers. The moderator's action in unfairly and arbitrarily excluding postings from anonymous contributors is misguided and wrong. Subscribers to the cryptography list should demand an explanation of the moderator's policy with regard to anonymous messages.

===

"bear" writes:

> On Fri, 3 Oct 2003, John S. Denker wrote:
> >We need a practical system for anonymous/pseudonymous
> >credentials.  Can somebody tell us, what's the state of
> >the art?  What's currently deployed?  What's on the
> >drawing boards?
>
> The state of the art, AFAIK, is Chaum's credential system.

Nonsense! What an absurd statement. Nothing could be further from the truth. You, "bear", need to check your facts before posting. You have a habit of making superficial and incorrect comments.

Chaum's credentials are described in his paper with Evertse from Crypto 86, "A secure and privacy-protecting protocol for transmitting personal information between organizations". Contrary to "bear", there has indeed been some progress in the 17 years since.

There have been two main lines of improvement since then. One is the work of Brands, best described in his book (and PhD thesis), "Rethinking Public Key Infrastructures and Digital Certificates". A few chapters are available on his web site at http://www.credentica.com/technology/book.html, and a summary of the technology is at http://www.credentica.com/technology/overview.pdf. Brands' credentials are highly efficient and compact, with many variations possible in terms of the protocols and mathematical representations. They support revealing boolean and some mathematical functions of credential values.

The other is the work of Camenisch and Lysyanskaya, based on group signatures. See http://www.zurich.ibm.com/~jca/publications.html, especially the papers from Eurocrypt 2001 and Crypto 2002. These credentials are quite flexible and work well in a decentralized, multi-issuer environment. They allow for both optional piercing of anonymity and for anonymity-preserving credential revocation, and can provide protection against credential sharing.

Unfortunately, the Chaum and Brands credentials are heavily patented, and Camenisch & Lysyanskaya have said (personal communication) that they will be seeking patents as well. Searching uspto.gov reveals one patent application by the pair, dated two weeks ago, and specific to some of the novel revocation features of their system.
