List:       cryptography
Subject:    Re: Stefan Brands' secret-key certificates
From:       Anonymous <nobody () replay ! com>
Date:       1999-10-29 18:33:26

Anonymous writes:

> A secret key certificate appears to be conceptually similar to a blind
> signature (aka blind certificate).  It seems possible that the distinction
> is motivated by patent issues as much as by technological ones.

This is not quite right, although the concepts are related.

A secret key certificate is a cryptographic signature on a public key
which can only be verified by the use of the corresponding secret key
(it also requires the use of the signer's public key, of course).

Alice certifies Bob's public key using a secret key certificate.  The
resulting CERT value can only be verified with Bob's cooperation.
Bob has to use his secret key, and then a third party can verify that
CERT was in fact issued by Alice.

This is unlike public key certificates, where a third party can verify
the certification using only the public key value.

By themselves, secret key certificates offer only modest benefits over
public key certificates, the main one being that they are existentially
forgeable, that is, that given a public key anyone can construct a CERT
which is indistinguishable from a valid one.  Hence knowing a list of
public keys and corresponding CERT values gives no advantages in trying
to break the underlying cryptosystem.

Where they really shine is when you deal with blind issuing of secret key
certificates.  Brands develops efficient cash and credential systems using
restrictive blinding of secret key certificates.  The signer does not know
the secret or public keys that he is signing, but he can be assured that
certain predicates are true relating to them.

The patent issue comes into play because a secret-key certificate,
whether issued blindly or not, is arguably not a digital signature.
The reason is that there is no verification relation that can be run
by a third party.  Only if the signature holder cooperates can the CERT
be verified.  This is unlike regular digital signatures, and hence secret
key certificates can be distinguished from digital signatures.

If secret key certs are not digital signatures, then a blind issuing
algorithm is not a blind signature algorithm.  Hence systems built on
this technology do not use blind signatures as defined in Chaum's patent
#4947430 on the subject.
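
Added example (not part of the original message, and not code from Brands): a toy Schnorr-style discrete-log construction, assumed here for illustration, in which the CERT equation can be satisfied without the issuer's secret, so a CERT only carries weight once the holder also proves knowledge of the certified secret key. In this assumed construction the simulator produces the public key together with its CERT; the group parameters and all function names are constructed for the example.

```python
import hashlib, secrets

# Constructed toy group (a 36-bit subgroup: illustration only, not secure).
P = 2**127 - 1                   # Mersenne prime
Q = 77158673929                  # prime factor of P - 1
G = pow(3, (P - 1) // Q, P)      # generator of the order-Q subgroup

def H(*vals):
    data = b"|".join(str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def issue(x0, x, h):
    # Both roles in one function for brevity; in a real protocol the
    # issuer sends (c, r0) and the holder adds c*x locally.
    w = secrets.randbelow(Q)
    c = H(h, pow(G, w, P))
    r0 = (c * x0 + w) % Q            # issuer's step, needs x0
    return c, (r0 + c * x) % Q       # holder's step, needs x

def cert_equation_holds(h0, h, cert):
    # Checks c == H(h, g^r * (h0*h)^-c); the inverse is taken via order Q.
    c, r = cert
    a = pow(G, r, P) * pow(h0 * h % P, Q - c, P) % P
    return c == H(h, a)

def simulate(h0):
    # No x0 needed: pick t, set h = g^t / h0 so that h0*h = g^t, then
    # sign with t. The simulator never learns log_g(h) = t - x0.
    t = secrets.randbelow(Q - 1) + 1
    h = pow(G, t, P) * pow(h0, Q - 1, P) % P
    w = secrets.randbelow(Q)
    c = H(h, pow(G, w, P))
    return h, (c, (c * t + w) % Q)

def prove_key(x, nonce):
    # Schnorr proof of knowledge of log_g(h), bound to the verifier's nonce.
    k = secrets.randbelow(Q)
    e = H(nonce, pow(G, k, P))
    return e, (k + e * x) % Q

def verify_with_holder(h0, h, cert, nonce, proof):
    # The CERT equation alone proves nothing; the holder's proof is required.
    e, s = proof
    a = pow(G, s, P) * pow(h, (Q - e) % Q, P) % P
    return cert_equation_holds(h0, h, cert) and e == H(nonce, a)
```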
