asonnino / coconut

Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers.
https://arxiv.org/abs/1802.07344
Apache License 2.0

[Question] Aggregation/Removal of Credential Issuers #10

Closed cbruguera closed 5 years ago

cbruguera commented 5 years ago

This is probably a basic question about the way Coconut works, and I'm guessing this is a proper channel to ask. If not, I'd appreciate any pointers to other means for discussion.

My understanding is that a Coconut system presents a set of advantages as long as the list of "authorities" is fixed. That is, if new entities are aggregated to (or existing ones are removed from) the issuers' list, all keys have to be re-calculated. My precise question is: what are the implications of this re-calculation? Does this mean that older proofs lose validity (cannot be verified anymore)? Could anyone explain the disadvantages of this "variability" with regard to the list of issuers? Also, are there known ways to mitigate these disadvantages? Are there considered cases where variability of the authority set is expected and Coconut can still work as a fitting crypto-system for that scenario?

I'm still trying to understand this scheme, so any pointers in favor of helping me comprehend it further in this regard are highly appreciated.

Thanks.

asonnino commented 5 years ago

It is not at all a basic question, and you are touching one of the limitations of the system.

If additional authorities join the system, you can either re-run the key generation algorithm or use some kind of proactive secret sharing technique to add them to the current set of authorities; if you need to remove authorities, then you have to re-run the key generation algorithm. I don't think there are currently any ways to mitigate the above, but please feel free to correct me if you have ideas (that would make me very happy).

Coconut credentials are publicly verifiable -- anyone in possession of the appropriate public keys can verify the credentials. This implies that if you change the set of authorities, old credentials are still valid as they can be verified using the public key of the old authorities (note however that frequent changes of authorities may reduce privacy, as different key sets are distinguishable).

The set of authorities is expected to be fixed for certain applications (e.g. the coin tumbler, at least the one we implemented), and it may vary for other applications (e.g. e-petitions). In the example of the e-petition, each petition creator chooses the set of authorities they trust upon creating the petition; thus, the authorities can change for each petition without any problem. This means that depending on your system, you may be able to architect it in such a way that it supports changes of authorities without compromising other properties; but ultimately this remains a limitation of Coconut which is inherited from the underlying secret sharing protocol.

A nice start to understand the system is the following blog post: https://www.benthamsgaze.org/2018/03/09/coconut-threshold-issuance-selective-disclosure-credentials-with-applications-to-distributed-ledgers/
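
A simplified model of the joining-versus-removal point in the comment above, added here as an illustration; it is not part of the original comment or of the Coconut code base. It assumes plain Shamir sharing with a trusted dealer over a toy prime field, and the names `keygen`, `add_authority` and `demo` are hypothetical.

```python
# Added illustration: Shamir t-of-n sharing over a prime field, with a trusted
# dealer standing in for Coconut's key generation (a simplifying assumption).
import secrets

P = 2**127 - 1  # Mersenne prime used as a toy field modulus (assumption)

def keygen(t, n):
    """Return (secret, coeffs, shares) for a fresh degree t-1 polynomial."""
    coeffs = [secrets.randbelow(P) for _ in range(t)]
    shares = {i: evaluate(coeffs, i) for i in range(1, n + 1)}
    return coeffs[0], coeffs, shares

def evaluate(coeffs, x):
    """Horner evaluation of the sharing polynomial at x."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def reconstruct(points):
    """Lagrange interpolation at 0 from a dict {index: share}."""
    total = 0
    for i, y in points.items():
        num, den = 1, 1
        for j in points:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + y * num * pow(den, -1, P)) % P
    return total

def add_authority(coeffs, shares, new_index):
    """Joining: one more point on the same polynomial, so the key is unchanged."""
    extended = dict(shares)
    extended[new_index] = evaluate(coeffs, new_index)
    return extended

def demo():
    t, n = 3, 5
    secret, coeffs, shares = keygen(t, n)
    shares = add_authority(coeffs, shares, 6)
    with_new = reconstruct({i: shares[i] for i in (1, 2, 6)})
    # Dropping authority 5 from a list changes nothing mathematically:
    # its share is still a valid point on the same polynomial.
    with_removed = reconstruct({i: shares[i] for i in (1, 2, 5)})
    # After a fresh key generation the old share no longer fits.
    new_secret, _, new_shares = keygen(t, 5)
    mixed = reconstruct({1: new_shares[1], 2: new_shares[2], 5: shares[5]})
    return secret, with_new, with_removed, new_secret, mixed
```

In this model the shared key before and after the fresh key generation differs, which corresponds to the two distinguishable key sets mentioned in the comment.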

cbruguera commented 5 years ago

Thanks a lot for the detailed answer. I'll definitely get back to you with any ideas that arise with regard to this limitation, since it seems to me that solving the problem of authority set variability would allow applicability for a wide spectrum of use cases. I'm still in the process of actually understanding the whole scheme, though.

Again, thanks for the reply and the blog post link. 👍