[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Taler] BBS+ blind signatures relevant?

From: Schanzenbach, Martin
Subject: Re: [Taler] BBS+ blind signatures relevant?
Date: Wed, 29 Sep 2021 16:25:00 +0000


> On 29. Sep 2021, at 14:48, Jeff Burdges <burdges@gnunet.org> wrote:
> Any group signature like BBS, and surely BBS+ too, permits the master secret 
> key to deanonymize the derived keys’ signatures.
> There do exist messaging applications for group signatures.  As an example, 
> Pond identified accounts by a BBS master public key, with master secret key 
> held by the account’s owner, who gave BBS derived keys to their contacts.  In 
> this way, the account owner knows who submitted every message, but the server 
> knows nothing. We only assure the server knows nothing because the users hold 
> the master keys.

Hmm interesting, I thought usually in credential schemes using BBS+ users and 
issues have their own master keys: 

But I need to look at it again in that regard.

> Any ecash system like Taler has issuing keys and then secrets used by the 
> client.  It’s now clear Taler issuing key cannot be BBS master keys because 
> then Taler looses anonymity.  ;)
> In principle, BBS might be relevant among the client secrets, so you’re Taler 
> would benefit from using a divisible eCash system somehow involving BBS.  We 
> looked into divisible eCash systems early on, but rejected them partially for 
> performance reasons, but mostly because our real cost is double spending 
> protections, which they do not help.
> I think Fuchsbauer has newer divisible-ish ecash proposals, but likely this 
> moved on beyond ideas based on BBS.  I’ve not read paper yet, but likely less 
> efficient than Taler’s current system.
> Jeff
> p.s.  I’m superficially suspicious that identity working groups push group 
> signatures like BBS in part because behind the scenes certain figures want 
> this deanonymization by master key feature.

Well, for now let's stick to hanlons razor... ;)

>> On 29 Sep 2021, at 12:27, Schanzenbach, Martin <mschanzenbach@posteo.de> 
>> wrote:
>> in our DISSENS project [1] we investigated BBS+ signatures on BLS12-381 as a 
>> state of the art method for privacy credentials (specifically selective 
>> disclosure).
>> We therefore built a C/C++ implementation for such a scheme.
>> For some time now there has been an effort to standardise the signatures [2] 
>> and maybe this is relevant to Taler as well?
>> I know that you are looking into blind Schnorr signatures, which are likely 
>> to be more efficient than BBS+ as those are pairing-based.
>> I also do not know if BBS+ signatures can actually be used in the way Taler 
>> needs blind signatures.
>> Anyway, may be worth checking out; I am following the standardisation 
>> efforts in case we want to follow the standards for our library and, 
>> eventually, reclaimID.
>> BR
>> Martin
>> [1] https://gnunet.org/en/news/2021-05-DISSENS.html
>> [2] https://identity.foundation/bbs-signature

Attachment: signature.asc
Description: Message signed with OpenPGP

reply via email to

[Prev in Thread] Current Thread [Next in Thread]