You're omitting the part where you have to disclose who you are to the party issuing the credential. If they issue you a unique credential while knowing your identity then they can trace back all your uses of it to your identity. When that party is the government or within the government's jurisdiction, the government has the capacity to do that even if the services where you use the credential are operated by a third party, so you very much haven't solved the privacy problem.
The only way to actually solve it is to make the credential non-unique, i.e. issue the same one to everybody so they're fully indistinguishable. That does solve the privacy problem, but then you have the "who is telling the kids the secret password" problem.
The party that you must disclose your identity to doesn’t necessarily need to see the credential you will present to the party you wish to demonstrate your age to.
A blind signature could be used to have the ID checking party sign the credential without seeing it.
That's just introducing a complex new vector for compromise without getting out of the dichotomy.
Option 1: Bob gets a credential that can be traced back to Bob; privacy fail.
Option 2: Bob gets a credential that cannot be traced back to Bob, shares it with everyone; defeats the system.
Notice also the tradeoff you're forcing for no benefit. If Bob has a unique blinded signature, even if the signer doesn't know the unblinded value, the verifier would and so Bob has to get a new signature for each use or the verifiers could correlate one use with another. But needing a new signature for each use creates a timing attack because now you can see that every time "someone" presents a signature to use a particular service, Bob had just requested a new signature.
In this context blinded signatures have only costs and no benefits over universal shared passwords.
Let W be a website that wants you to give evidence you are an adult.
Let C be an age check service.
A first stab at this would be something like this:
1. W gives you a token T
2. You show T and proof of identity/age to C
3. C signs T
4. You return the signed T to W
5. W checks the signature and sees it is from C
The problem with that is what you noted. W and C could get together and then W could learn your full identity and C could learn that you use W.
C had to see the token to sign it, so at that point C and W both know T, and so that enables that matching up.
A blind signature addresses that by allowing C to sign without C needing to receive a copy of the token.
The way a blind signature works is that when you get the token, T, from W you apply a transformation to it which produces T'. It is T' that you send to C to sign for you. That gives you T' and a signature for T'. The signature algorithm and the blinding transformation are chosen so that they have this property:
• Given a document D, a blinded document D' produced by applying a blinding transformation to D, and a signature S' of the blinded document D', if you know the blinding transformation you can compute from D' and S' a signature S for D that will verify with the same key that produced S'.
The blinding transformation involves a random number that you pick. Even if C and W get together and compare lists of tokens they have seen they won't see any matches because W only saw unblinded tokens and C only saw blinded tokens and without knowing the random number used for that particular blinding they can't tell which unblinded token matches which blinded token.
They might try to match based on timing. If there isn't enough volume of people verifying they might be able to figure something out so care would definitely be needed especially at the start.
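Steps 1 through 5 above, carried out with a textbook RSA blind signature, as an added example that is not part of the original comment. The key sizes, the hash-to-integer mapping and the `w_`/`c_`/`user_` function names are assumptions for the demo; the ID/age check C performs in step 2 is simulated by a boolean argument.

```python
# Added example (not from the thread): textbook RSA blind signature walking
# through steps 1-5.  W issues a token, the user blinds it, the hypothetical
# age-check service C signs the blinded value after an out-of-band ID check,
# the user unblinds, and W verifies.  Key size and the hash-to-integer mapping
# are demo assumptions, not a standard.
import hashlib
import secrets
from math import gcd

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; enough for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_rsa_key(bits: int = 1024):
    """C's signing key, returned as ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))

def _hash_to_int(token: bytes, n: int) -> int:
    """Map the token to an element of Z_n by expanding SHA-256 output."""
    out, counter = b"", 0
    while len(out) * 8 < n.bit_length() + 64:
        out += hashlib.sha256(counter.to_bytes(4, "big") + token).digest()
        counter += 1
    return int.from_bytes(out, "big") % n

def w_issue_token() -> bytes:
    """Step 1: W hands the user a random token T."""
    return secrets.token_bytes(32)

def user_blind(token: bytes, pub):
    """Step 2 (user side): pick random r, send T' = H(T) * r^e mod n to C."""
    n, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    return (_hash_to_int(token, n) * pow(r, e, n)) % n, r

def c_sign_blinded(blinded: int, priv, id_check_passed: bool) -> int:
    """Step 3: C signs T' after the ID/age check; it never sees T or H(T)."""
    if not id_check_passed:
        raise PermissionError("age check failed; nothing signed")
    n, d = priv
    return pow(blinded, d, n)

def user_unblind(blinded_sig: int, r: int, pub) -> int:
    """Step 4 (user side): S = S' * r^-1 mod n is a valid signature on H(T)."""
    n, _ = pub
    return (blinded_sig * pow(r, -1, n)) % n

def w_verify(token: bytes, sig: int, pub) -> bool:
    """Step 5: W checks S^e == H(T) mod n under C's public key."""
    n, e = pub
    return pow(sig, e, n) == _hash_to_int(token, n)

def run_protocol(pub, priv):
    """Full exchange; returns what W saw (T, S) and what C saw (T')."""
    token = w_issue_token()
    blinded, r = user_blind(token, pub)
    sig = user_unblind(c_sign_blinded(blinded, priv, True), r, pub)
    return token, sig, blinded

def collusion_match(tokens_seen_by_w, blinded_seen_by_c, pub):
    """What W and C get by comparing their lists without the users' r values:
    hashing W's tokens and looking for them among C's blinded values, which
    only hits if some r^e happened to equal 1 mod n."""
    n, _ = pub
    hashes = {_hash_to_int(t, n) for t in tokens_seen_by_w}
    return [b for b in blinded_seen_by_c if b in hashes]

if __name__ == "__main__":
    pub, priv = generate_rsa_key(1024)
    token, sig, blinded = run_protocol(pub, priv)
    print("W accepts signature:", w_verify(token, sig, pub))
    print("colluding match attempts:", collusion_match([token], [blinded], pub))
```

The point of `collusion_match` is the one made in the comment: W's list holds unblinded tokens, C's list holds values multiplied by a random `r^e`, so without `r` the two lists do not line up. The same key signs every user's credential, which is what makes the signatures reusable and brings back the sharing problem discussed elsewhere in the thread.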
> They might try to match based on timing. If there isn't enough volume of people verifying they might be able to figure something out so care would definitely be needed especially at the start.
The timing attack is worse than that.
Suppose Bob has a pseudonymous account with the service. So he signs into his account, NotBob99, which is not supposed to be associated with Bob. Or even just uses a device with the same cookie or device fingerprint. On a dozen separate occasions.
Is he unmasked the first time? Maybe not, there could have been thousands of people requesting a signature at that time, although you have immediately narrowed it down by 99.999% from hundreds of millions. Is he unmasked the second time? Pretty good chance of that, because you can exclude anyone who didn't request a signature the first time. Even if it isn't fully unique yet, the number of candidates can now be counted on one hand. Has he been unmasked by the twelfth time? Almost certainly.
It's also not clear what the fancy cryptography is supposed to be buying you over the alternative. If you use blinded signatures, you have a timing attack, but Bob can still share the signatures unless the timing attack is being actively exploited, which it obviously isn't supposed to be, as if it was, it would only prove the signature scheme ineffective.
Now suppose you just have secret "is over 18" and "is over 21" passwords, changed on the same interval as the signatures would expire. The passwords aren't unique, everyone in the eligible age group gets the same one (and services that are 18+ request the 18+ password even from people over 21), so you can't correlate them with an individual and each person only has to request the password once per change interval (e.g. 30 days) rather than once per use. What advantage do blinded signatures have over this?
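The intersection attack described in this reply, run over constructed request logs, as an added example that is not part of the original comment. The population size, window size, user IDs and the "NotBob99" login occasions are all synthetic assumptions; the second function models the shared-password alternative for comparison.

```python
# Added example (not from the thread): simulating the per-use signature timing
# attack on constructed logs, beside the shared-password alternative.
import random

def per_use_signature_windows(population, occasions, requests_per_window,
                              bob, seed=7):
    """One set per NotBob99 login: the user IDs that fetched a fresh signature
    from C in the surrounding window.  Bob is always present because the
    per-use scheme makes him request a signature right before each use.
    Constructed data, seeded so the run is reproducible."""
    rng = random.Random(seed)
    windows = []
    for _ in range(occasions):
        window = set(rng.sample(range(population), requests_per_window))
        window.add(bob)
        windows.append(window)
    return windows

def shared_password_windows(population, occasions):
    """Same observation under the shared-password scheme: everyone fetched the
    password once this interval, so every window is the whole population."""
    everyone = set(range(population))
    return [everyone for _ in range(occasions)]

def intersection_attack(windows):
    """Colluding W+C keep only users present in every window.  Returns the
    final candidate set and how many survived after each occasion."""
    candidates = None
    history = []
    for window in windows:
        candidates = set(window) if candidates is None else candidates & window
        history.append(len(candidates))
    return candidates, history

if __name__ == "__main__":
    windows = per_use_signature_windows(100_000, 12, 1_000, bob=42)
    cands, hist = intersection_attack(windows)
    print("per-use signatures, survivors per occasion:", hist, "->", cands)
    _, hist2 = intersection_attack(shared_password_windows(100_000, 12))
    print("shared password, survivors per occasion:", hist2)
```

With 100,000 users and 1,000 signature requests per window, the first login leaves about a thousand candidates, the second about ten, and by the third or fourth only Bob remains; under the shared-password model the candidate set never shrinks below the whole population because the fetch is not tied to a use.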
Thanks so much for that explanation. You even addressed timing attacks, which is what I was about to ask as a follow-up until I scrolled down and saw the final paragraph. I appreciate the write up!