Blind signatures - Semantic Scholar

Mar 20, 2006 - A. Spognardi. Outline. Blind. Signatures. Introduction. Framework. Electronic ... It is a kind of cryptography which allows an automated payment ...
Blind signatures, Untraceable Electronic Cash, Oblivious communities
A survey on how to obtain more privacy on Internet

Angelo Spognardi
Department of Computer Science, University of Rome “La Sapienza”

March 20 2006

Outline

Blind Signatures
    Introduction
    Framework
Electronic Cash
    Untraceable coins with RSA
    Avoid double-spending
Oblivious communities
    Introduction
    Oblivious Communities
Conclusions

Electronic payments system

The variety of electronic banking services may have a substantial impact on personal privacy and on the nature and extent of criminal use of payments. A payment system should address both of these seemingly conflicting sets of concerns.

Electronic payments system (cont’d)

Knowledge by a third party of information like payee, amount and time of payment can reveal a great deal about the individual’s whereabouts, associations and lifestyle. On the other hand, an anonymous payments system like bank notes and coins suffers from lack of controls and security: lack of proof of payments, theft of payments media, black payments for bribes, tax evasion and black markets.

Blind signature

It is a kind of cryptography which allows an automated payment system with these properties:

1. Inability of third parties to determine payee, time or amount of payments made by an individual.
2. Ability of individuals to provide proof of payment, or to determine the identity of the payee under exceptional circumstances.
3. Ability to stop use of payments media reported stolen.

Basic Idea: An analogy

A blind signature from the world of paper documents.

Take an envelope lined with carbon paper.
Insert a slip of paper and close the envelope.
Send the envelope to a third party that signs the envelope from the outside and sends it back.
Extract the signed slip from the envelope.
Give the signed slip to someone.
The third party will recognize its signature.

Basic Idea: Elections by secret ballot

Ballot slips + carbon-paper-lined envelopes

1. Every elector sends to the trustee a special envelope inside a normal envelope, with the return address. Inside the special envelope there is the ballot slip for the vote.
2. The trustee signs the special envelope without looking at the ballot slip inside and sends it back to the elector.
3. The elector extracts the signed ballot slip and writes down its preference.
4. The elector anonymously sends its signed ballot slip, with the preference, in a normal envelope.
5. The trustee receives the ballots and can put them on public display.

Basic Idea: Elections by secret ballot (cont’d)

The trustee signs only the envelopes of authorized electors.
Every elector must check the trustee signature on the slip.
Anyone can count the displayed ballots and check the signatures on them.
If electors remember some identifying aspect of their ballot, they can check that their ballot is on display.
The trustee never actually saw the ballot slips while signing them.
Every trustee signature must be identical.

Basic Idea: Elections by secret ballot (cont’d)

Unlinkability

The trustee cannot know anything about the correspondence between the ballot-containing envelopes it signed and the ballots made public. Thus, the trustee cannot determine how anyone voted.

Functions

Signing function $s'$ and its inverse $s$
$s'$ is known only to the signer. $s$ is publicly known. $s(s'(x)) = x$.

Commuting function $c$ and its inverse $c'$
Both are known only to the provider. $c'(s'(c(x))) = s'(x)$, and $c(x)$ and $s'$ give no clue about $x$.

Redundancy checking predicate $r$
It checks for sufficient redundancy to make search for valid signatures impractical.

Protocol

1. Provider chooses $x$ at random such that $r(x)$, forms $c(x)$ and supplies $c(x)$ to the signer.
2. Signer signs $c(x)$ by applying $s'$ and returns the signed matter $s'(c(x))$ to provider.
3. Provider strips signed matter by application of $c'$, yielding $c'(s'(c(x))) = s'(x)$.
4. Anyone can check that the stripped matter $s'(x)$ was formed by the signer, by applying the signer’s public key $s$ and checking that $r(s(s'(x)))$.

Properties

Digital signature
Anyone can check that a stripped signature $s'(x)$ was formed using signer’s private key $s'$.

Blind signature
Signer knows nothing about the correspondence between the elements of the set of stripped signed matter $s'(x_i)$ and the elements of the set of unstripped signed matter $s'(c(x_i))$.

Conservation of signatures
Provider can create at most one stripped signature for each thing signed by signer. That is: even with $s'(c(x_1)), \ldots, s'(c(x_n))$ and choice of $c$, $c'$ and $x_i$, it is impractical to produce $s'(y)$ such that $r(y)$ and $y \neq x_i$.

Paper cash vs Electronic Cash

Paper cash has the advantage over credit cards with respect to privacy (although the serial numbers on cash make it traceable in principle). Blind signatures make possible the use of unconditionally untraceable electronic money. But anyone can make several copies of an electronic coin and use them at different shops. Paper cash doesn’t have this problem, since making exact copies of it is thought to be infeasible.

Untraceable coins with RSA

Setup
The bank publishes an RSA modulus $n$, whose factorization is kept secret.
The bank chooses its secret exponent $d$, such that it is able to compute $x^{1/3} \bmod n$.
$f$ is a suitable one-way function.
Alice has an account $u$ with the bank.
The bank stores a list of all the deposited coins.

Untraceable coins with RSA (cont’d)

The protocol (all mod $n$)

1. Alice (A) chooses random $x$ and $r$. A → Bank: $B = r^3 \cdot f(x) \pmod n$.
2. Bank → A: $r \cdot f(x)^{1/3} \pmod n$, and withdraws one dollar from Alice’s account.
3. Alice extracts $C = f(x)^{1/3} \pmod n$ from $B$.
4. To pay Bob one dollar: A → Bob: $(x, f(x)^{1/3})$
5. Bob calls the bank and verifies that the coin has not already been deposited.

The protocol: Why does it work?

$(x, f(x)^{1/3}) \pmod n$
Alice uses $(x, f(x)^{1/3})$. Why not simply $(x, x^{1/3})$? Because it’s easy to forge this by first choosing a random $y$ and taking the pair $(y^3, y)$. To forge $(x, f(x)^{1/3}) \pmod n$ without taking the cube root, Alice should produce $(f^{-1}(y^3), y)$.

$B = r^3 \cdot f(x) \pmod n$
Alice uses $r^3 \cdot f(x)$. Why not simply $f(x)$? Because it would not be blind! The product $r^3 \cdot f(x)$ “blinds” the factors.

About the protocol

Everyone can easily verify that the coin has the right structure and that it has been signed by the bank.
The bank cannot link a specific coin to Alice’s account.

But...

1. The protocol is an on-line protocol.
2. Alice’s privacy is protected unconditionally (also in case of double spending).
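The on-line coin protocol from the "Untraceable coins with RSA" slides, together with the (y^3, y) forgery that motivates f, as a runnable sketch; this is an added example, not code from the slides. The primes are constructed toy values, SHA-256 stands in for the one-way function f, and the names Bank, withdraw, verify, forge_without_f and naive_verify are hypothetical.

```python
# Added example, not from the slides: on-line RSA coin with public exponent 3.
import hashlib
import secrets
from math import gcd

# Constructed toy primes (far too small for real use); both are 2 mod 3,
# so 3 is invertible mod phi(n) and cube roots mod n are unique.
P, Q = 1_000_000_007, 998_244_353


def f(x: bytes, n: int) -> int:
    """One-way function f, assumed here to be SHA-256 reduced mod n."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") % n


def verify(n: int, x: bytes, C: int) -> bool:
    """Anyone can check the coin (x, f(x)^(1/3)): cube it and compare with f(x)."""
    return pow(C, 3, n) == f(x, n)


class Bank:
    def __init__(self):
        self.n = P * Q                               # published modulus
        self._d = pow(3, -1, (P - 1) * (Q - 1))      # secret: y^d = y^(1/3) mod n
        self.balance = {"alice": 2}
        self.deposited = set()                       # list of all deposited coins

    def sign_blinded(self, account: str, B: int) -> int:
        """Step 2: return B^(1/3) = r * f(x)^(1/3) and withdraw one dollar."""
        if self.balance[account] < 1:
            raise ValueError("insufficient funds")
        self.balance[account] -= 1
        return pow(B, self._d, self.n)

    def deposit(self, x: bytes, C: int) -> str:
        """Step 5: the on-line check that stops a copied coin."""
        if not verify(self.n, x, C):
            return "invalid"
        if x in self.deposited:
            return "double-spend"
        self.deposited.add(x)
        return "ok"


def withdraw(bank: Bank, account: str):
    """Steps 1-3 on Alice's side. Returns the coin and B, the only value the bank saw."""
    n = bank.n
    x = secrets.token_bytes(16)
    r = 0
    while r < 2 or gcd(r, n) != 1:                   # blinding factor must be invertible
        r = secrets.randbelow(n)
    B = pow(r, 3, n) * f(x, n) % n                   # blinded candidate
    signed = bank.sign_blinded(account, B)
    C = signed * pow(r, -1, n) % n                   # strip the blinding: f(x)^(1/3)
    return (x, C), B


def forge_without_f(n: int):
    """Why (x, x^(1/3)) is not enough: pick y first, then (y^3, y) needs no bank."""
    y = secrets.randbelow(n - 2) + 2
    return pow(y, 3, n), y


def naive_verify(n: int, x: int, C: int) -> bool:
    """The check a coin of the form (x, x^(1/3)) would use."""
    return pow(C, 3, n) == x % n
```

The bank only ever sees B, which differs from f(x) for every admissible r, so the deposited coin cannot be matched to the withdrawal; the copy is caught only because the bank is asked at payment time.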

The protocol: Setup

The bank publishes an RSA modulus $n$, whose factorization is kept secret and for which $\varphi(n)$ has no small factors.
The bank also sets some security parameter $k$.
Let $f$ and $g$ be two-argument collision-free functions. $g$ also has the property that fixing the first argument gives a 1-to-1 (or c-to-1) map from the second argument onto the range.
Alice has an account $u$ with the bank and $v$ is a counter associated with it.

The protocol: Withdraw a coin

Step 1: Alice withdraws the coin

1. Alice chooses $a_i, c_i, d_i, r_i$, $1 \le i \le k$, independently and uniformly at random from the residues (mod $n$).
2. Alice forms $k$ blinded candidates of the form
   $B_i = r_i^3 \cdot f(x_i, y_i) \bmod n$ for $1 \le i \le k$
   where $x_i = g(a_i, c_i)$ and $y_i = g(a_i \oplus (u \,\|\, (v + i)), d_i)$.
3. A → Bank: $B = B_1, B_2, \ldots, B_k$

The protocol: Withdraw a coin

Step 2: The bank asks for candidates

1. The bank chooses a random subset of $k/2$ blinded candidate indices $R = \{i_j\}$, $1 \le i_j \le k$ for $1 \le j \le k/2$.
2. Bank → A: $R$

Assume that $R = \{k/2 + 1, k/2 + 2, \ldots, k\}$.

The protocol: Withdraw a coin

Step 3: Alice reveals her parameters

1. For each $i \in R$, A → Bank: $r_i, a_i, c_i, d_i$
2. The bank (that knows $u \,\|\, (v + i)$) can check the values (cut-and-choose methodology).

The protocol: Withdraw a coin

Step 4: The bank gives the coin

1. Bank → A: $\prod_{i \notin R} B_i^{1/3} = \prod_{1 \le i \le k/2} B_i^{1/3} \bmod n$
2. The bank charges Alice’s account one dollar and increments the counter $v$ of $u$ by $k$.

The protocol: Withdraw a coin

Step 5: Alice extracts the coin

Alice extracts
$C = \prod_{i \notin R} f(x_i, y_i)^{1/3} \bmod n$
and can verify that $(r \cdot C)^3 = \left( \prod_{i \notin R} B_i^{1/3} \right)^3$.

The protocol: Spend a coin

Alice pays Bob a coin

1. A → Bob: $C$
2. Bob → A: $z_1, \ldots, z_{k/2}$ (a random binary string)
3. A → Bob: $a_i, c_i, y_i$ if $z_i = 1$; $x_i, a_i \oplus (u \,\|\, (v + i)), d_i$ if $z_i = 0$
4. Bob verifies that $C$ is of the proper form and that Alice’s responses fit $C$.
5. Later, Bob sends $C$ and Alice’s responses to the bank, which verifies their correctness and credits his account.

The protocol

Preventing double spending
For every coin, the bank must store
$C$
the string $z_1, \ldots, z_k$
the values $a_i$ (for $z_i = 0$)
the values $a_i \oplus (u \,\|\, (v + i))$ (for $z_i = 1$)

If Alice uses the same coin $C$ twice, then she has a high probability of being traced. In fact, with high probability the bank has both $a_i$ and $a_i \oplus (u \,\|\, (v + i))$.
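The cut-and-choose withdrawal and the tracing of a double spender, as an added sketch that is not code from the slides; it answers challenges as on the "Alice pays Bob a coin" slide ($z_i = 1$ reveals $a_i$). Assumptions: constructed toy primes, k = 8, SHA-256 stand-ins for f and g (which only approximate the 1-to-1 property asked of g), a fixed-width byte encoding of $u \,\|\, (v + i)$, and hypothetical function names.

```python
# Added example, not from the slides: cut-and-choose withdrawal and double-spender tracing.
import hashlib
import secrets
from math import gcd

P, Q = 1_000_000_007, 998_244_353      # constructed toy primes; 3 is invertible mod phi(n)
N = P * Q
D = pow(3, -1, (P - 1) * (Q - 1))      # bank's secret cube-root exponent
K, W = 8, 16                           # security parameter k; byte width of a_i and u||(v+i)

def g(a, b):                           # SHA-256 stand-in for g (assumption)
    return hashlib.sha256(b"g" + a + b).digest()[:W]

def f(x, y):                           # SHA-256 stand-in for f, reduced mod n (assumption)
    return int.from_bytes(hashlib.sha256(b"f" + x + y).digest(), "big") % N

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def ident(u, v, i):
    """u || (v + i): account id padded to W-4 bytes, then a 4-byte counter."""
    return u.ljust(W - 4, b"\0") + (v + i).to_bytes(4, "big")

def candidate(u, v, i):
    """Alice, step 1: one blinded candidate B_i = r_i^3 * f(x_i, y_i) mod n."""
    a, c, d = (secrets.token_bytes(W) for _ in range(3))
    r = 0
    while r < 2 or gcd(r, N) != 1:
        r = secrets.randbelow(N)
    w = xor(a, ident(u, v, i))
    x, y = g(a, c), g(w, d)
    return {"i": i, "a": a, "c": c, "d": d, "r": r, "w": w, "x": x, "y": y,
            "B": pow(r, 3, N) * f(x, y) % N}

def withdraw(u, v):
    """Steps 1-5: returns the coin C and Alice's k/2 unopened candidates."""
    cands = [candidate(u, v, i) for i in range(1, K + 1)]
    opened = set(secrets.SystemRandom().sample(range(K), K // 2))   # bank's subset R
    for j in opened:                   # bank recomputes each opened B_i from r, a, c, d
        t = cands[j]
        y = g(xor(t["a"], ident(u, v, t["i"])), t["d"])
        if pow(t["r"], 3, N) * f(g(t["a"], t["c"]), y) % N != t["B"]:
            raise ValueError("cut-and-choose check failed")
    kept = [t for j, t in enumerate(cands) if j not in opened]
    signed, r_all = 1, 1
    for t in kept:
        signed = signed * pow(t["B"], D, N) % N      # bank: product of B_i^(1/3)
        r_all = r_all * t["r"] % N
    return signed * pow(r_all, -1, N) % N, kept      # Alice divides out the r_i

def respond(kept, z):
    """Alice's answers: z_i = 1 -> (a, c, y); z_i = 0 -> (x, a XOR u||(v+i), d)."""
    return [(t["a"], t["c"], t["y"]) if bit else (t["x"], t["w"], t["d"])
            for t, bit in zip(kept, z)]

def check(C, z, resp):
    """Bob and the bank: rebuild every f(x_i, y_i) and compare the product with C^3."""
    prod = 1
    for bit, (p1, p2, p3) in zip(z, resp):
        x, y = (g(p1, p2), p3) if bit else (p1, g(p2, p3))
        prod = prod * f(x, y) % N
    return pow(C, 3, N) == prod

def trace(z1, resp1, z2, resp2):
    """Bank: two deposits of one coin that differ in some z_i expose u || (v + i)."""
    for b1, r1, b2, r2 in zip(z1, resp1, z2, resp2):
        if b1 != b2:
            a, w = (r1[0], r2[1]) if b1 else (r2[0], r1[1])
            return xor(a, w)
    return None
```

A single spend reveals either $a_i$ or $a_i \oplus (u \,\|\, (v + i))$ per candidate, never both, so the account stays hidden; two spends with independent challenges agree in every position only with probability $2^{-k/2}$.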

Further features

Add legal significance
Alice has to use a digital signature scheme and a certified copy of her public key. Alice can use a different account number.

Untraceable checks
Instead of coins of a single amount, use checks of a certain value. Using minor and major candidates.

Blacklisting withdrawals
To blacklist all the coins withdrawn.

Standard cryptographic techniques

The PKI-based techniques reveal the credential of the CA that signed a certificate.
For example, in RSA the value of $n$ is public, but the signature over the certificate is sensitive.
This results in a lack of information when two people want to mutually authenticate.

Standard cryptographic techniques

A scenario
Alice has a certificate showing that she has top-secret clearance.
Alice, to protect herself, will only present the certificate to other parties with a top-secret clearance.
Similarly Bob.
Can they establish a secure session?
Using automated trust negotiation techniques, neither one is willing to present their certificate first.
There is a cyclic interdependency between the two negotiators.

Oblivious cryptographic techniques

A new tool
Despite the existence of secret handshakes, it is not trivial to have secrecy of the membership.
To achieve these properties we need new cryptographic protocols.
We can use the oblivious tools.

Oblivious cryptographic techniques: What they do

Instead of using cryptography to prove attribute values, they make the attribute values themselves the key.
They allow solving policy deadlocks about which party must be the first to disclose attributes.
They allow encrypting messages against a signature of a certificate.

The obliviousness property
Ensures that at the end of an execution of the protocol, unqualified recipients cannot learn information about the other party.

Oblivious cryptographic techniques: What they do

A short classification

1. CA-oblivious encryption
2. Oblivious signature based envelopes
3. Secret handshakes

They differ in the information that is hidden during the protocol.

Oblivious cryptographic techniques: What they do

CA-oblivious encryption
1. Sender obliviousness
2. Receiver obliviousness

OSBE
1. Sender obliviousness
2. Semantically secure against the receiver

Oblivious cryptographic techniques: How they do it?

Main idea
In many cases, the secret information in a certificate is the signature of the CA.
The signature must never be disclosed.
They use such signature as a key for an encryption process.
If one of the parties is cheating, the interaction with the other party will not help him in guessing his affiliation.

Oblivious cryptographic techniques: What they need

CA (aka Group Authority)
A private key $x$ and a private key $y$ (Schnorr protocol).
Able to sign certificates for members.
Notice: certificates do not reveal information about the signing CA.

Members
They use such signature as a key for an encryption process.
If one of the parties is cheating, the interaction with the other party will not help him in guessing his affiliation.

Oblivious cryptographic techniques: A CA-Oblivious Encryption scheme

Initialize
Pick $p$, $q$ primes and $g$ as a generator of a subgroup in $\mathbb{Z}_p^*$ of order $q$.
Define a hash function $H : \{0, 1\}^* \to \mathbb{Z}_q$.

CAInit
Private key $x \in \mathbb{Z}_q^*$ and public key $y = g^x \bmod p$.

Certify member ID
Give to ID the pair $(\omega, t) \in (\mathbb{Z}_p^*, \mathbb{Z}_q)$, where
$\omega = g^r$ ($r$ is random)
$t = r + x H(\omega, ID) \bmod q$

Oblivious cryptographic techniques: A CA-Oblivious Encryption scheme (cont’d)

Recover($y$, ID, $\omega$)
Output $PK = \omega \, y^{H(\omega, ID)} \bmod p$.

Encryption process: $\mathrm{Enc}_{PK}(m)$
Output ciphertext $C = [c_1, c_2]$ where
$c_1 = g^{r'}$ ($r'$ is random)
$c_2 = m \oplus H(PK^{r'} \bmod p)$

Decryption process of $C = [c_1, c_2]$
$m = c_2 \oplus H(c_1^t \bmod p)$

Oblivious cryptographic techniques: A CA-Oblivious Encryption scheme (cont’d)

Decryption process
$c_1^t = (g^{r'})^t = (g^t)^{r'} = (g^{r + xH(\omega, ID)})^{r'} = (g^r g^{xH(\omega, ID)})^{r'} = (\omega \, y^{H(\omega, ID)})^{r'} = PK^{r'} \bmod p$

And then
$c_2 \oplus H(c_1^t) = m \oplus H(PK^{r'}) \oplus H(c_1^t) = m \oplus H(PK^{r'}) \oplus H(PK^{r'}) = m$

Oblivious cryptographic techniques: A CA-Oblivious Encryption scheme (cont’d)

Observations
The receiver ID can decrypt $C$ only if he has the trapdoor $t$ computed by the CA for $\omega$.
$\omega = g^r$ does not reveal any information about the CA.
$C = [c_1, c_2]$ does not reveal any information about the CA.

Oblivious cryptographic techniques: Secret Handshakes from CA-Oblivious Encryption

Handshake

1. (B → A): $ID_b, \omega_b$
   A obtains $PK_b = \mathrm{Recover}(G, ID_b, \omega_b)$
   A picks $r_a \leftarrow M$ and $ch_a \leftarrow \{0, 1\}^k$
   A computes $C_a = \mathrm{Enc}_{PK_b}(r_a)$
2. (A → B): $ID_a, \omega_b, C_a, ch_a$
   B obtains $PK_a = \mathrm{Recover}(G, ID_a, \omega_a)$
   B obtains $r_a = \mathrm{Dec}_{t_b}(C_a)$
   B picks $r_b \leftarrow M$ and $ch_b \leftarrow \{0, 1\}^k$
   B computes $C_b = \mathrm{Enc}_{PK_a}(r_b)$
   B computes $resp_b = H(r_a, r_b, ch_a)$

Oblivious cryptographic techniques: Secret Handshakes from CA-Oblivious Encryption (cont’d)

Handshake

3. (B → A): $C_b, resp_b, ch_b$
   A obtains $r_b = \mathrm{Dec}_{t_a}(C_b)$
   If $resp_b \neq H(r_a, r_b, ch_a)$, A outputs FAIL, otherwise ACCEPT
   A computes $resp_a = H(r_a, r_b, ch_b)$
4. (A → B): $resp_a$
   If $resp_a \neq H(r_a, r_b, ch_b)$, B outputs FAIL, otherwise ACCEPT
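The CA-oblivious encryption scheme and the four-message handshake built on it, as an added sketch that is not code from the slides or from the cited paper. Assumptions: a constructed toy Schnorr group found by search, SHA-256 stand-ins for H, 16-byte nonces and challenges, and hypothetical function names; each party runs Recover with the public key of its own CA.

```python
# Added example, not from the slides: CA-oblivious encryption and the secret handshake.
import hashlib
import secrets
from itertools import count
from math import isqrt

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

# Constructed toy Schnorr group: Q is the Mersenne prime 2^31 - 1, P = k*Q + 1 by search.
Q = 2**31 - 1
P = next(k * Q + 1 for k in count(2, 2) if is_prime(k * Q + 1))
G = next(e for e in (pow(b, (P - 1) // Q, P) for b in count(2)) if e != 1)  # order Q

def hq(w, ident):
    """H : {0,1}* -> Z_q, assumed here to be SHA-256 reduced mod q."""
    return int.from_bytes(hashlib.sha256(b"%d|" % w + ident).digest(), "big") % Q

def mask(elem, size):
    """H applied to a group element, used as the XOR pad (messages up to 32 bytes)."""
    return hashlib.sha256(b"pad|%d" % elem).digest()[:size]

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def ca_init():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                       # private x, public y = g^x

def certify(x, ident):
    r = secrets.randbelow(Q - 1) + 1
    w = pow(G, r, P)                             # omega = g^r
    return w, (r + x * hq(w, ident)) % Q         # trapdoor t = r + x*H(omega, ID)

def recover(y, ident, w):
    return w * pow(y, hq(w, ident), P) % P       # PK = omega * y^H(omega, ID)

def enc(pk, m):
    r2 = secrets.randbelow(Q - 1) + 1            # r'
    return pow(G, r2, P), xor(m, mask(pow(pk, r2, P), len(m)))

def dec(t, c):
    return xor(c[1], mask(pow(c[0], t, P), len(c[1])))

def resp(ra, rb, ch):
    return hashlib.sha256(ra + rb + ch).digest()

def member(x, y, ident):
    w, t = certify(x, ident)
    return {"id": ident, "w": w, "t": t, "y": y}  # y: public key of the member's own CA

def handshake(a, b):
    """Returns (A's output, B's output) for the four-message exchange."""
    pk_b = recover(a["y"], b["id"], b["w"])       # 1. B -> A: ID_b, omega_b
    ra, cha = secrets.token_bytes(16), secrets.token_bytes(16)
    ca = enc(pk_b, ra)
    pk_a = recover(b["y"], a["id"], a["w"])       # 2. A -> B: ID_a, omega_a, C_a, ch_a
    ra_seen = dec(b["t"], ca)
    rb, chb = secrets.token_bytes(16), secrets.token_bytes(16)
    cb = enc(pk_a, rb)
    resp_b = resp(ra_seen, rb, cha)
    rb_seen = dec(a["t"], cb)                     # 3. B -> A: C_b, resp_b, ch_b
    a_out = "ACCEPT" if resp_b == resp(ra, rb_seen, cha) else "FAIL"
    resp_a = resp(ra, rb_seen, chb)               # 4. A -> B: resp_a
    b_out = "ACCEPT" if resp_a == resp(ra_seen, rb, chb) else "FAIL"
    return a_out, b_out
```

When the two parties were certified by different CAs, each trapdoor $t$ fails to match the key recovered under the other CA's $y$, both decryptions yield garbage, and both sides output FAIL without learning which CA the peer belongs to.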

Oblivious communities

A family of peer-to-peer oblivious communities

P2P-Oblivious community
A family of peer-to-peer communities that uses oblivious techniques.
Members of the community (peers) can establish secure and oblivious channels.

Oblivious communities: P2P-Oblivious community

Properties
From the execution of sessions with any honest peer, a cheating member does not acquire any information about the community of that peer.
An eavesdropper that obtains a message does not acquire any information about the community.

Oblivious communities

The Community Authority
It delivers certificates to qualified members.
It is actually a server that can act as a peer (can establish secure and oblivious channels with other peers of the community).

The peer
It can use the CA to find resources in the community and directly contact other peers.
Alternatively, using a DHT as sub-layer for the community, it can find resources in a completely distributed fashion.

Oblivious communities: Summary

Properties
High privacy of the community’s members
Obliviousness of communications
(Using DHT) Independence from the CA

Ongoing work
Add lookup privacy
Implement a prototype
Add anonymity and/or unlinkability

Conclusions

Thanks

Conclusions: References

1. D. Chaum - Blind Signatures for Untraceable Payments @ CRYPTO ’82
2. D. Chaum, A. Fiat, M. Naor - Untraceable Electronic Cash @ CRYPTO ’88
3. D. Pointcheval, J. Stern - Provably Secure Blind Signature Schemes @ ASIACRYPT ’96
4. C. Castelluccia, S. Jarecki, G. Tsudik - Secret Handshakes from CA-Oblivious Encryption, Advances in Cryptology @ ASIACRYPT 2004
5. N. Li, W. Du, D. Boneh - Oblivious signature-based envelope, ACM Symposium on Principles of Distributed Computing @ PODC2003
6. D. Balfanz, G. Durfee, N. Shankar, D.K. Smetters, J. Staddon, H.C. Wong - Secret handshakes from pairing-based key agreements @ IEEE Symposium on Security and Privacy 2003