1 / 52

BLIND SIGNATURES FOR UNTRACEABLE PAYMENTS ~David Chaum

BLIND SIGNATURES FOR UNTRACEABLE PAYMENTS ~David Chaum. Presented By: Mershack Okoe. Blindly Signing a Signature. Invented By David Chaum . He also invented the first implementation with RSA. Electronic Payment Problem. Problem: The automated way we pay for goods and services…

marion
Download Presentation

BLIND SIGNATURES FOR UNTRACEABLE PAYMENTS ~David Chaum

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. BLIND SIGNATURES FOR UNTRACEABLE PAYMENTS ~David Chaum Presented By: MershackOkoe

  2. Blindly Signing a Signature • Invented By David Chaum. • He also invented the first implementation with RSA.

  3. Electronic Payment Problem • Problem: The automated way we pay for goods and services… • Has substantial impact on : • personal privacy • Criminal use of payments • User profiling by organizations • Big brother watching you

  4. Electronic payment Problem • Organizations link records from various sources • To protect themselves • Protect customers. • Same information in wrong hands • No protection for businesses or customers • E.g. tracking victims by consulting business-maintained address record. • Singling out taxpayers for audits based on estimates of income compiled by mailing-list companies

  5. Example • If for all your transactions, a third party knows • The payee • Goods and service bought • time of payment e.g. hotels, restaurants, movies, food, transportations pharmaceuticals, books, political contributions, etc. • What can he Learn? • Your lifestyle • Your political affiliation • Your whereabouts • Predict your exact location. • The list goes on and on…

  6. Alternative • Use anonymous payments systems like: • Bank notes • Coins • Problems? • Lack of proof of payment • Theft of the payment media • Tax evasion • Black markets • Black payments for bribes.

  7. Solution • The paper proposed an automated payment system with the following properties: • Inability of third parties to determine the payee, time or amount of payments made by an individual. • Ability of individuals to provide proof of payment, or determine the identity of the payee under exceptional circumstances. • Be able to stop use of the payment media if reported stolen.

  8. INTRODUCING…BLIND SIGNATURES • BASIC IDEA • Imagine a Trustee (Trent) wants to hold a secret ballot election. • The electors are not able to drop their votes in person. • Bob and Alice are part of the electors, but they have something to do on that day….

  9. Blind signatures • What the electors want? • Their votes to be secret from Trent. • And to verify that their vote is counted. • What Trent wants? • Each vote must come from a valid Elector. No Ghost voters • Solution… • Make use of a special carbon lined envelope.

  10. How it works • Alice places a ballot slip with her vote in a carbon lined envelope, • Places the carbon-lined envelope in an outer envelope addressed to Trent with a return address to Alice. • Trent knows the envelope comes from Alice, but does not know the ballot-slip in the inner envelope • Signs the inner envelope and returns it in a different envelope to Alice. • Alice verifies the signature of Trent and checks that the envelope has not been opened. • She removes the signed ballot and sends it to Trent without a return address. • Trent can put the ballots on public display, anyone can count the results, or check if his was part. • With the assumption that the signatures are identical, Trent cannot know any identifying aspect of the ballot slips. • Cannot know how anyone voted.

  11. the signature • The Vote

  12. The voting application Voter Voting Center Identification, Vcard Publishvoter’s cards Signed Voter’s Card ---S(Vcard) Sign Voters card S(Vcard) Voting: Put intent on S(Vcard) Verify & Publish: S(Vcard) + intent (S(Vcard) + intent)

  13. Properties • Correctness • Un-forgeable votes • Votes come from registered voters • Anonymity • Un-linkabilitybased on blind signatures • Anonymous channels

  14. The digital Signature Scheme  Message User Signer  Signature on Message Linkable Verifiable Signer The signer’s signature on “Message”

  15. Blind Signatures • SIMILAR TO DIGITAL SIGNATURES BUT…. • WE DON’T WANT SIGNER TO SEE THE MESSAGE… • WHY??? • WE DON’T WANT SIGNER/THIRD PARTY TO LINK IT TO US.

  16. Blind Signatures • For Blind Signatures to work: • Use in a special way with commutative style of Two key digital signature systems combined e Public key systems. i.e ( ( (M) )) = (M) ( ( (M) )) = (M)

  17. Functions of the blind signature • A signing function known only to the signer and an inverse such that • A commutative function and its inverse both only known by the provider. Such that • A redundancy checking predicaterwhich checks for sufficient redundancy to make search for valid signatures impractical.

  18. Protocol • Alice chooses at random such that, forms , and sends to the Signer. • Signer signs by applying and sends to Alice • Alice extracts the signed matter by applying • Anyone can verify that was signed by the Signer by applying his public key • ………………

  19. Security Properties • Digital Signature: • Anyone can check that was formed using the signer’s private key • Blind Signature?? • The signer knows nothing about the correspondence. • -i.e. cannot link the to • Conservation of Signatures • ---even with …. and choice of ,, and. It is impratical to produce such

  20. Alice pubKeyB = {e,n} privKeyB = {d,n} Bob RSA Review • where 1<e< ø(n), • gcd(e, ø(n))=1 • e * d= 1 mod ø(n) and 0≤d≤n Cannot Infer privKeyB from pubKeyB ! n = p x q Cannot get d given e and n Need p and q !

  21. C= Me mod n Alice Malory pubKeyB = {e,n} pubKeyB = {e,n} 2 privKeyB = {d,n} 1 Intercept C Bob RSA cont. n = p x q M = Cd mod n Cannot obtain M from Me mod n !

  22. Alice Bob The Blind Signature Protocol (RSA) = M M r …. gcd(r, n) = 1 Generates e, d, and n e , n — public d — secret n ----pq

  23. Alice Bob What is the problem with this? = M r…. gcd(r, n) = 1 Generates e, d, and n e,n — public d — secret n — pq

  24. Alice Bob What is the problem with this? = M r…. gcd(r, n) = 1 Generates e, d, and n e,n — public d — secret n----pq Solution: Never use a Signature key pair to encrypt messages

  25. Example : Untraceable Payment System • Single note is formed by the payer, • Signed by bank, • Stripped by the payer, • Provided to the payee and • Cleared by the bank. Payer Payee Banker

  26. Untraceable payment system • Bank is ready to signed anything from the payer. • But it is worth $1. ---fixed amount • Payer chooses x at random such that and forms , forwards to the bank • Bank signs and returns to payer. • Payer strips note to form .. By • Payer makes payment later by providing to payee. • Payee forwards to bank. Bank checks note, adds note to cleared list of notes (stop if already exist), credits account of payee. • When bank receives a note to be cleared from the payee, it doesn’t know which payer the note was originally issued to. • Counterfeiting is impossible by the conservation and digital signatures properties.

  27. Payer Payee Banker Verifier Traced Payer

  28. Auditability • Extendingit such that payers receive digital receipts from payees. • Receipts will include description of purchased goods, date and a copy of the note.. • To prevent Fraud • Note will allow the payer to identify payee’s account with the help of the Bank. • A dissatisfied customer of a black market could reveal note supplied to the black market which can be traced to the account it was deposited in. • Stolen notes can be included in a list and stopped from being cleared or traced if already cleared.

  29. Elaborations • Use of multiple denomination notes • banking and clearing house functions being separated. • Multiple banks and multiple clearing houses, serving overlapping banks • Periodic changes of the key used to signed notes in order to increase security • Different signatures for different amount to reduce uncertainty about the money supplied.

  30. Applications • E-voting • Untraceable Electronic cash

  31. Untraceable Electronic Cash • Veriable by everyone • Untraceable by bank • Untraceable coins • Possible to spend the same coin twice? • Online? No • Offline? Yes.

  32. How to prevent multiple spending of the same coin offline • Use Cut and choose technique • Encode the owner’s identity into the coin such that he remains anonymous after one payment but will be identified if he double-spends.

  33. Cut-and-choose technique • To get a coin • Alice performs the following protocol • Choose , , and , 1 i k uniformly at random from residues of • Send Bank = . f(, ) for 1i k Where = g(, ), = g((u|| v+ i)), ) • Bank chooses blinded candidates randomly, • Alice reveals them and bank checks. • For the unseen bank does the following multiplication, sends to Alice and charges 1 dollar • Alice can get C = and arranges them in lexicographic manner. Bank knows (u|| v+ i))

  34. How to pay Bob • Alice sends C to Bob • Bob chooses a random binary string , … • Alice responds as follows for all 1<=i<=k/2 • If = 1, then Alice sends Bob , , • If = 0, then Alice sends Bob , ((u|| v+ i)), and • Bob verifies, and later sends C and Alice’s responses to the bank, which verifies their correctness and credits his account. • Bank stores C, the binary string , … and ((u|| v+ i ). • If Alice uses the same coin C twice, then she can be traced because two different payees will send complementary binary values for at least one bit . • So the bank has both and ((u || v+ i )., so the bank can isolate u and trace it to Alice. • Problems with This??? • Alice can collude with the second payee, and give him the same order of keys she gave to the first. This way, it cannot be traced back to her. • Bank can also frame up Alice.

  35. An Example coin • , are random strings • The values and ⊕ USER_ID are hidden in the coin.

  36. How the payment protocol works • When the payee receives the coin, he gives a random K-bit vector to user • If user reveals • If , user reveals ⊕ USER_ID • How to catch a cheater?? ⊕ ⊕ USER_ID

  37. Other issues about blind signatures documents

  38. Signing documents with blind signatures • Very Tricky… • Alice can have Bob sign anything at all. “Bob owes Alice $5 billion and a Ferrari” “Bob agrees to marry Alice or pay $10 million” “Bob transfers all his real estate properties to Alice Alice” • Is blind signature useful with documents? • There should be a way Bob should know what he is signing….. • Cut and choose technique. • Works as The immigration Search selection (probabilistic solution)

  39. Blinding documents • Alice receives N documents, randomly opens N-1 and signs the Nth envelope. • Example: The counterintelligence agents problem • Protocol • Bob prepares n documents containing different cover names • Blinds each of the documents with different blinding factor • Bob sends the n blinded documents to Alice • Alice chooses n-1 documents randomly and asks Bob for their blinding factors • Alice checks those documents and realizes that no strange name has been selected • Alice signs the document • Bob’s chance of cheating?? • 1 out of N. (Alice is confident with his signature )

  40. Reducing Bob’s cheating chances • For Identical documents(assumption…document is not secret, but no tracing • Instead of Alice opening n-1 documents, she chooses to open n/2 documents. • Alice multiplies together all of the unchallenged documents and signs as one mega document. • Bob strips off all the blinding factors. Alice’s signature is acceptable only if it is a valid signature of the product of n/2 identical documents. • Can Bob Cheat? • Of course. • Smaller luck…..He has to guess which half of the documents Alice wouldn’t challenge. • Two different documents good and bad, find two different blinding factors that transforms each document into the same blinded document. • Possible but mathematically infeasible.

  41. Digital Signature Problems • Deprive individuals some type of protection though it protects them from the “big brother is watching” situation. • Provide potential problems for law enforcement in some types of crimes • Money Laundering • Untraceable “Ransoms”

  42. Example • Blind Signatures and Perfect Crimes • An example of how blind signatures can be used to commit untraceable crimes • The Kobayashi Credit Card case • Kidnap of a famous Japanese TV actor’s baby • requested for 5 million Yen be paid to account • Blind signature….. • Compute the set = 3 f() mod n. • Tell authorities to get it signed compute = mod n • And Publish the set in a newspaper. • Later get the notes.

  43. Alice To Safely Get a Ransom  Publish the blinded e-cash  Forward the blinded message  Withdraw the blinded e-cash Anonymous Channel Banker  Send a blinded message  Deposit the e-cash Criminal Unblinding

  44. Alice Bob Money Laundering  Withdraw a blinded e-cash Unblinding Banker  Forward the e-cash  Deposit the e-cash

  45. Other related solutions Fair Blind Signatures

  46. Concept of Fair Blind Signatures • A signing protocol involving the signer and a sender • A link-recovery protocol involving signer and the judge. • To cope with the misuse of untraceability….

  47. Alice Fair Blind Signatures (Registration) Judge Identification Protocol License = (SJ(B(K), iduser) Where K is EJ ( iduser,random)

  48. Alice Bob Signing Process B(M,r), user_id, License = (…,B(K)) Verify Licence S (B(M,r) # B(K)) U (S (B (m, r) # B(K)), r) = S(m # K) Signature-message triple: (S(m # K), m , K) V (S(m # K), (m # K)) = True

  49. Revealing stage • Judge can reveal the id of user when supplied K • K = EJ (iduser, random)

  50. Conclusion • Blind Signatures : • Makes untraceable payment systems possible. • Provides • improved auditability and control. • Unforgeability and unlinkability • And also provides Increased personal privacy. • Systems based on it are now being launched by Deutsche Bank and other major banks in European countries. We have it on chip cards and electronic wallets. • Applications • Untraceable Electronic Cash • Anonymous Electronic Voting

More Related