[cryptography] A question regarding (relatively recent) ASM-based blindable credential research

Jane third at angels.la
Thu Oct 2 16:23:13 EDT 2014

Good time-of-day, respected cryptographically gifted individuals.

My friends and I have been reading up on anonymous authentication schemes,
and we've run into a very interesting paper:

Self-blindable Credential: Towards Lightweight Anonymous Entity
Authentication (by Yanjiang Yang, Xuhua Ding, Haibing Lu, Jian Weng)

It's available at IACR:

And basically, there's some disagreement over the interpretation of a
particular part of the text (do note that despite a certain interest in the
field, none of us are particularly mathematically gifted, to put it kindly).

The part in question is (quote follows; the notation was busted in the
extraction, so it is restored here as best we can):

Suppose that user u's long term signing key is an ElGamal-type key pair
(m, y = g^m), where y is the public key certified by a CA and m is the
private key. To get a credential from the credential issuer, the user
submits a^m and PoK{(m) : A = a^m ∧ y = g^m}. Then, the credential issuer
computes an ASM signature on m (instead of on user identity u). Our scheme
ensures that the user must know m in order to construct the proof of
knowledge for A' = a^{m·f} b^{s·f} d^f in running the Blind algorithm. As
a result, user u is enforced to share her private key m in order to share
her credential with another user.

Does the "credential issuer" gain possession of the "naked" private key m,
and thus the abusive abilities usually associated with such possession
(like impersonating the user on a whim)?

A pointy-haired-boss explanation would be very appreciated.

Thank you very much for your time.

Warm regards,
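Added illustration (not from the paper, the poster, or the list): the step the quote describes, where the user submits a^m together with PoK{(m) : A = a^m ∧ y = g^m}, is a Chaum-Pedersen style sigma protocol for equality of discrete logarithms. The toy Python below runs it over a constructed small prime-order group (p = 2039, q = 1019; the bases g and a are assumptions, as is the Fiat-Shamir wrapper) so you can see exactly what the issuer receives: A = a^m, y, and a transcript (t1, t2, c, s) in which s = r + c*m is masked by the fresh random r. The issuer can check the proof, but m itself is never transmitted.

```python
import hashlib
import secrets

# Toy group for illustration: p = 2q + 1 with q prime, so the squares mod p
# form a subgroup of prime order q. (Constructed parameters; a real system
# would use a 256-bit-order elliptic-curve group or a >= 2048-bit modulus.)
P = 2039
Q = 1019
G = pow(2, 2, P)       # generator g of the order-q subgroup (user's y = g^m)
A_BASE = pow(3, 2, P)  # second base "a" (the user submits a^m); assumed to be
                       # a public parameter whose log base g nobody knows


def keygen():
    """User's long-term ElGamal-type key pair (m, y = g^m)."""
    m = secrets.randbelow(Q - 1) + 1
    return m, pow(G, m, P)


def commitment(m):
    """What the user actually hands the issuer: a^m, never m itself."""
    return pow(A_BASE, m, P)


# --- sigma protocol for PoK{(m): A = a^m AND y = g^m} (Chaum-Pedersen style) ---

def prover_commit(r):
    """First move: announcements t1 = a^r, t2 = g^r for a fresh random r."""
    return pow(A_BASE, r, P), pow(G, r, P)


def prover_respond(m, r, c):
    """Third move: s = r + c*m mod q. The random r masks m, so s leaks nothing."""
    return (r + c * m) % Q


def verifier_check(A, y, t1, t2, c, s):
    """Accept iff a^s = t1 * A^c and g^s = t2 * y^c (same m under both bases)."""
    ok_a = pow(A_BASE, s, P) == t1 * pow(A, c, P) % P
    ok_g = pow(G, s, P) == t2 * pow(y, c, P) % P
    return ok_a and ok_g


# --- non-interactive form (Fiat-Shamir): the challenge is a hash of the transcript ---

def _challenge(A, y, t1, t2):
    data = ",".join(map(str, (A_BASE, G, A, y, t1, t2))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(m, A, y):
    """Prover side: only the holder of m can produce a valid (t1, t2, c, s)."""
    r = secrets.randbelow(Q)
    t1, t2 = prover_commit(r)
    c = _challenge(A, y, t1, t2)
    return t1, t2, c, prover_respond(m, r, c)


def verify(A, y, proof):
    """Issuer side: recompute the challenge and run the two equality checks."""
    t1, t2, c, s = proof
    return c == _challenge(A, y, t1, t2) and verifier_check(A, y, t1, t2, c, s)


def issuer_view(m):
    """Everything the issuer receives from an honest user: A, y and the proof.
    The private key m is not part of this message."""
    y = pow(G, m, P)
    A = commitment(m)
    return {"A": A, "y": y, "proof": prove(m, A, y)}


if __name__ == "__main__":
    m, y = keygen()
    view = issuer_view(m)
    print("issuer accepts the proof:", verify(view["A"], view["y"], view["proof"]))
```

The interactive functions (`prover_commit`, `prover_respond`, `verifier_check`) are the core; `prove`/`verify` just derive the challenge from a hash so the user can send one message. The issuer ends up holding a^m and a transcript that is computationally indistinguishable from one a simulator could produce without m, which is the sense in which it does not "get" the private key.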