2019
DOI: 10.1007/978-3-030-12612-4_27
|View full text |Cite
|
Sign up to set email alerts
|

Delegatable Anonymous Credentials from Mercurial Signatures

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
3
2

Citation Types

0
56
0

Year Published

2019
2019
2022
2022

Publication Types

Select...
5
1

Relationship

1
5

Authors

Journals

citations
Cited by 34 publications
(56 citation statements)
references
References 17 publications
0
56
0
Order By: Relevance
“…In previous instantiations [BCC + 09, Fuc11] of the latter, the showing of a credential is anonymous to anyone, in particular to a user that has delegated said credential to the one showing it. However, in the construction from the ECS variant mercurial signatures [CL19], if Alice delegates a credential to Bob, she can identify Bob whenever he uses the credential to authenticate, which represents a serious infringement to Bob's privacy. In fact, anonymity towards the authority issuing (or delegating) credentials has been considered a fundamental property of anonymous credential schemes.…”
Section: Shortcomings Of Ecsmentioning
confidence: 99%
See 2 more Smart Citations
“…In previous instantiations [BCC + 09, Fuc11] of the latter, the showing of a credential is anonymous to anyone, in particular to a user that has delegated said credential to the one showing it. However, in the construction from the ECS variant mercurial signatures [CL19], if Alice delegates a credential to Bob, she can identify Bob whenever he uses the credential to authenticate, which represents a serious infringement to Bob's privacy. In fact, anonymity towards the authority issuing (or delegating) credentials has been considered a fundamental property of anonymous credential schemes.…”
Section: Shortcomings Of Ecsmentioning
confidence: 99%
“…In [CL19], when Alice delegates a credential to Bob, she uses her secret key (x 0 , x 1 ) ∈ (Z |G| * ) 2 to sign Bob's pseudonym under her own pseudonym (P 0 , P 1 ) = (rx 0 G, rx 1 G) for a random r, which becomes part of Bobs credential. When Bob shows it, he randomizes Alice's pseudonym to (P 0 , P 1 ) := (r P 0 , r P 1 ) for a random r , which Alice can recognize by checking whether x 1 P 0 = x 0 P 1 .…”
Section: Shortcomings Of Ecsmentioning
confidence: 99%
See 1 more Smart Citation
“…Mercurial signatures were introduced in a recent paper by Crites and Lysyanskaya [15]. The construction consists of messages and public keys that are vectors of group elements of a certain fixed length.…”
Section: Introductionmentioning
confidence: 99%
“…In particular, suppose Alice issues a level-2 credential to Bob that grants him access to the same buildings or a subset of the buildings to which she has access, potentially limiting the hours during which Bob is authorized. Under the mercurial signature scheme of [15], if Alices's public key is of length and her attributes are of length k, the CA's public key must be of length + k. This, in turn, severely limits the kinds of keyattribute pairs that Alice can sign with a public key of length and Bob can sign with a public key of length − |attr Bob | (and so on down the chain). Furthermore, while the construction of [15] permits this kind of delegation, the proofs of security do not.…”
Section: Introductionmentioning
confidence: 99%