Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures
Blind signatures Untraceable Electronic Cash Oblivious communities A survey on how to obtain more privacy on Internet
Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Angelo Spognardi Department of Computer Science University of Rome “La Sapienza”
[email protected]
March 20 2006
Conclusions 1 / 52
Electronic payments system Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA
Variety of electronic banking services may have substantial impact on personal privacy on the nature and extent of criminal use of payments A payment system should address both of these seemingly conflicting sets of concerns.
Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions 4 / 52
Electronic payments system (cont’d) Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities
Knowledge by a third party of information like payee, amount and time of payment can reveal a great deal about the individual’s whereabouts, associations and lifestyle. On the other hand, an anonymous payments system like bank notes and coins suffers from lack of controls and security. Lack of proof of payments, theft of payments media, black payments for bribes, tax evasion and black markets.
Introduction Oblivious Communities
Conclusions 5 / 52
Blind signature Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi
It is a kind of cryptography which allows an automated payment system with these proprieties: 1
Inability of third parties to determine payee, time or amount of payments made by an individual
2
Ability of individuals to provide proof of payment, or to determine the identity of the payee under exceptional circumstances
3
Ability to stop use of payments media reported stolen.
Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions 6 / 52
Basic Idea An analogy Blind signatures Untraceable Electronic Cash Oblivious communities
A blind signature from the world of paper documents.
A. Spognardi
Take an envelope carbon paper lined.
Outline
Insert a slip of paper and close the envelope.
Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Send the envelope to a third party that signs the envelope from the outside and sends it back. Extract the signed slip from the envelope. Give the signed slip to someone. The third party will recognize its signature.
Oblivious communities Introduction Oblivious Communities
Conclusions 7 / 52
Basic Idea Elections by secret ballot Blind signatures Untraceable Electronic Cash Oblivious communities
Ballot Slips + Carbon paper lined envelopes 1
Every elector sends to the trustee a special envelope inside a normal envelope, with the return address. Inside the special envelope there is the ballot slip for the vote.
2
The trustee signs the special envelopes without look the ballot slip inside and sends it back to the elector.
3
The elector extracts the signed ballot slip and write down its preference.
4
The elector anonymously sends its signed/with preference ballot slip in a normal envelope.
5
The trustee receives the ballots and can put them on public display.
A. Spognardi Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions
8 / 52
Basic Idea Elections by secret ballot (cont’d) Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures
The trustee signs only the envelopes of authorized electors. Every elector must check the trustee signature on the slip. Anyone can count the displayed ballots and check the signatures on them.
Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities
If electors remember some identifying aspect of their ballot, they can check that their ballot is on display. The trustee never actually saw the ballot slip while signing them.
Introduction Oblivious Communities
Every trustee signature must be identical.
Conclusions 9 / 52
Basic Idea Elections by secret ballot (cont’d) Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi
Unlinkability
Outline
The trustee can not know anything about the correspondence between the ballot containing envelopes signed and the ballots made public. Thus, the trustee can not determine how anyone voted.
Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions 10 / 52
Functions Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction Framework
Electronic Cash
Signing function s 0 and its inverse s s 0 is known only to the signer. s is publicly known. s(s 0 (x)) = x. Commutating function c and its inverse c 0 Both are known only to the provider. c 0 (s 0 (c(x))) = s 0 (x), and c(x) and s 0 give no clue about x.
Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Redundancy checking predicate r It checks for sufficient redundancy to make search for valid signatures impractical.
Conclusions 12 / 52
Protocol Blind signatures Untraceable Electronic Cash Oblivious communities
1
Provider chooses x at random such that r(x), forms c(x) and supplies c(x) to the signer.
2
Signer signs c(x) by applying s 0 and returns the signed matter s 0 (c(x)) to provider.
3
Provider strips signed matter by application of c 0 , yielding c 0 (s 0 (c(x))) = s 0 (x).
4
Anyone can check that the stripped matter s 0 was formed by the signer, by applying the signer’s public key s and checking that r(s(s 0 (x))).
A. Spognardi Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions 13 / 52
Properties Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction Framework
Electronic Cash
Digital signature Anyone can check that a stripped signature s 0 (x) was formed using signer’s private key s 0 Blind signature Signer knows nothing about the correspondence between the elements of the set of stripped signed matter s 0 (xi ) and the element of the set of unstripped signed matter s 0 (c(xi )).
Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions
Conservation of signatures Provider can create at most one stripped signature for each thing signed by signer. That is: even with s 0 (c(x1 )) . . . s 0 (c(xn )) and choice of c, c 0 and xi , it is impractical to produce s 0 (y) such that r(y) and y 6= xi .
14 / 52
Paper cash vs Electronic Cash Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Paper cash has the advantage over credit cards to respect to privacy (although the serial numbers on cash make it traceable in principle). Blind signature make possible the use of unconditionally untraceable electronic money. But anyone can make several copies of an electronic coin and use them at different shops. Paper cash don’t have this problem, since making exact copies of them is thought to be infeasible.
Oblivious communities Introduction Oblivious Communities
Conclusions 15 / 52
Untraceable coins with RSA Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction
Setup The bank publishes an RSA modulus n, whose factorization is kept secret. The bank chooses its secret exponent d, such that it is able to compute x 1/3 mod n.
Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
f is a suitable one way function. Alice has an account u with the bank. The bank stores a list of all the deposited coins.
Oblivious communities Introduction Oblivious Communities
Conclusions 17 / 52
Untraceable coins with RSA (cont’d) Blind signatures Untraceable Electronic Cash Oblivious communities
The protocol 1
A (Alice) choose random x and r. A −→ Bank: B = r 3 · f (x)(mod n).
2
Bank −→ A: r · f (x)1/3 (mod n), and withdraws one dollar from Alice’s account.
3
Alice extracts C = f (x)1/3 (mod n) from B.
4
To pay Bob one dollar: A −→ Bob: (x, f (x)1/3 )
A. Spognardi Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities
5
(all mod n).
Bob calls the bank and verifies that the coin has not already been deposited.
Introduction Oblivious Communities
Conclusions 18 / 52
The protocol Why does it work? Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction
(x, f (x)1/3 ) (mod n) Alice uses (x, f (x)1/3 ). Why not simply (x, x 1/3 )? Because it’s easy to forge this by first choosing a random y and taking the pair (y 3 , y). To forge (x, f (x)1/3 ) (mod n) without taking the cube root, Alice should produce (f −1 (y 3 ), y).
Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction Oblivious Communities
B = r 3 · f (x)(mod n) Alice uses r 3 · f (x). Why not simply f (x)? Because it would not be blind!! The product r 3 · f (x) “blinds” the factors.
Conclusions 19 / 52
About the protocol Blind signatures Untraceable Electronic Cash Oblivious communities
Everyone can easily verify that the coin has the right structure and that has been signed by the bank.
A. Spognardi
The bank cannot link a specific coin to Alice account.
Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities
But... 1
The protocol is an on-line protocol.
2
Alice privacy is protected unconditionally (also in case of double spending).
Introduction Oblivious Communities
Conclusions 20 / 52
The protocol Setup Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities
The bank publishes an RSA modulus n, whose factorization is kept secret and for which φ(n) has no small factors. The bank also sets come security parameter k. Let f and g be two-argument collision-free functions. g also has the property that fixing the first argument gives a 1-to-1 (or c-to-1) map from the second argument onto the range. Alice has an account u with the bank and v is a counter associated with it.
Introduction Oblivious Communities
Conclusions 22 / 52
The protocol Withdraw a coin Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi
Step 1: Alice withdraws the coin 1
Alice chooses ai , ci , di , ri , 1 ≤ i ≤ k, independently and uniformly at random from the residues (mod n).
2
Alice forms k blinded candidates of the form
Outline Blind Signatures Introduction Framework
Bi = ri3 · f (xi , yi ) mod n for 1 ≤ i ≤ k
Electronic Cash Untraceable coins with RSA
where xi = g(ai , ci )
Avoid double-spending
Oblivious communities
3
yi = g(ai ⊕ (u k (v + i)), di )
A −→ Bank: B = B1 , B2 , . . . , Bk
Introduction Oblivious Communities
Conclusions 23 / 52
The protocol Withdraw a coin Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline
Step 2: The bank asks for candidates 1
The bank chooses a random subset of k/2 blinded candidate indices R = {ij }, 1 ≤ ij ≤ k for 1 ≤ j ≤ k/2.
2
Bank −→ A: R
Blind Signatures Introduction Framework
Electronic Cash
Assume that R = {k/2 + 1, k/2 + 2, . . . , k}
Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions 24 / 52
The protocol Withdraw a coin Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline
Step 3: Alice reveals its parameters 1
Blind Signatures
For each i ∈ R A −→ Bank : ri , ai , ci , di
Introduction Framework
Electronic Cash Untraceable coins with RSA
2
The bank (that knows u k (v + i)) can check the values (cut-and-choose methodology).
Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions 25 / 52
The protocol Withdraw a coin Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline
Step 4: The Bank gives the coin 1
Bank −→ A :
Blind Signatures
Y i ∈R /
Introduction
1/3
Bi
=
Y
1/3
Bi
mod n
1≤i≤k/2
Framework
Electronic Cash Untraceable coins with RSA
2
The bank charges Alice’s account one dollar and increments the counter v of u by k.
Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions 26 / 52
The protocol Withdraw a coin Blind signatures Untraceable Electronic Cash Oblivious communities
Step 5: Alice extracts the coin
A. Spognardi
Alice extracts Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA
C=
Y
f (xi , yi )1/3 mod n
i ∈R /
and can verify that (r · C)3 =
Q
1/3 3
i ∈R /
Bi
.
Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions 27 / 52
The protocol Spend a coin Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi
Alice pays Bob a coin 1
A −→ Bob : C
2
Bob −→ A: z1 , . . . , zk/2 (a random binary string) ( ai , ci , yi if zi = 1 −→ Bob : xi , ai ⊕ (u k (v + i)), di if zi = 0
Outline Blind Signatures
3
Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction
4
Bob verifies that C is of the proper form and that Alice’s responses fit C.
5
Later, Bob sends C and Alice’s responses to the bank, which verifies their correctness and credits his account.
Oblivious Communities
Conclusions 28 / 52
The protocol Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities
Preventing double spending For every coin, the bank must store C the string z1 , . . . , zk the values ai (for zi = 0) the values ai ⊕ (u k (v + i)) (for zi = 1)
If Alice uses the same coin C twice, then she has a high probability of being traced. In fact, with high probability the bank has both ai and ai ⊕ (u k (v + i)).
Introduction Oblivious Communities
Conclusions 29 / 52
Further features Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi
Add legal significance Alice has to use a digital signature scheme and a certified copy of her public key. Alice can use different account number.
Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA
Untraceable checks Instead of coins of a single amount, use checks of a certain value. Using minor and major candidates.
Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Blacklisting Withdrawals To blacklist all the coins withdrawn.
Conclusions 30 / 52
Standard cryptographic techniques Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA
The PKI based techniques reveal the credential of the CA that signed a certificate For example, in RSA the value of n is public, but the signature over the certificate is sensitive This results in a lack of information when two people want to mutually authenticate
Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions 32 / 52
Standard cryptographic techniques Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction Oblivious Communities
A scenario Alice has a certificate showing that she has top-secret clearance Alice, to protect herself, will only present the certificate to other parties with a top-secret Clarence Similarly Bob Can they establish a secure session? Using automated trust negotiation techniques, neither one is willing to present their certificate first There is a cyclic interdependency between the two negotiators
Conclusions 33 / 52
Oblivious cryptographic techniques Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA
A new tool Despite the existence of secret handshakes, it is not trivial to have secrecy of the membership To achieve this properties we need new cryptographic protocols We can use the Oblivious tools
Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions 34 / 52
Oblivious cryptographic techniques What they do Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Instead of use cryptography to prove attribute values, they make the attribute values themselves the key They allow to solve policy deadlocks about which party must be the first to disclose attributes They allow to encrypt messages against a signature of a certificate The obliviousness property Ensures that at the end of an execution of the protocol, unqualified recipients cannot learn information about the other party
Conclusions 35 / 52
Oblivious cryptographic techniques What they do Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA
A short classification 1
CA-oblivious encryption
2
Oblivious signature based envelopes
3
Secret handshakes
They differ from the information that are hidden during the protocol
Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions 36 / 52
Oblivious cryptographic techniques What they do Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline
CA-oblivious encryption 1
Sender obliviousness
2
Receiver obliviousness
Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
OSBE 1
Sender obliviousness
2
Semantically secure against the receiver
Oblivious communities Introduction Oblivious Communities
Conclusions 37 / 52
Oblivious cryptographic techniques How they do it? Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline
Main idea In many cases, the secret information in a certificate is the signature of the CA The signature must be never disclosed
Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities
They use such signature as a key for an encryption process If one of the party is cheating, the interaction with the other party will not help him in guessing his affiliation
Introduction Oblivious Communities
Conclusions 38 / 52
Oblivious cryptographic techniques What they need Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction
CA (aka Group Authority) A private key x and a private key y (Schnorr protocol) Able to sign certificates for members Notice: certificates do not reveal information about the signing CA
Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Members They use such signature as a key for an encryption process If one of the party is cheating, the interaction with the other party will not help him in guessing his affiliation
Conclusions 39 / 52
Oblivious cryptographic techniques A CA-Oblivious Encryption scheme Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi
Initialize Pick p, q primes and g as a generator of a subgroup in Z∗p of order q Define a hash function H : {0, 1}∗ → Zq
Outline Blind Signatures Introduction Framework
CAInit Private key x ∈ Z∗q and public key y = g x mod p
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Certify member ID Give to ID the pair (ω, t) ∈ (Z∗p , Zq ), where ω = gr t = r + xH(ω, ID) mod q
(r is random)
Conclusions 40 / 52
Oblivious cryptographic techniques A CA-Oblivious Encryption scheme (cont’d) Blind signatures Untraceable Electronic Cash Oblivious communities
Recover(y, ID, ω) Output PK = ωy H(ω,ID) mod p
A. Spognardi Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction
Encryption process: EncPK (m) Output ciphertext C = [c1 , c2 ] where 0
c1 = g r 0 c2 = m ⊕ H(PK r mod p)
(r 0 is random)
Decryption process of C = [c1 , c2 ] m = c2 ⊕ H(c1t mod p)
Skip details Skip Handshake
Oblivious Communities
Conclusions 41 / 52
Oblivious cryptographic techniques A CA-Oblivious Encryption scheme (cont’d) Blind signatures Untraceable Electronic Cash Oblivious communities
Decryption process 0
0
c1t = (g r )t = (g t )r =
A. Spognardi
0
Outline
= (g r+xH(ω,ID) )r =
Blind Signatures
= (g r g xH(ω,ID) )r =
0
0
Introduction
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction
0
= (ω y H(ω,ID) )r = PK r mod p
Framework
And then 0
c2 ⊕ H(c1t ) = m ⊕ H(PK r ) ⊕ H(c1t ) = 0
0
= m ⊕ H(PK r ) ⊕ H(PK r ) = m
Oblivious Communities
Conclusions 42 / 52
Oblivious cryptographic techniques A CA-Oblivious Encryption scheme (cont’d) Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction
Observations The receiver ID can decrypt C only if he has the trapdoor t computed by the CA for ω ω = g r does not reveal any information about the CA
Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
C = [c1 , c2 ] does not reveal any information about the CA Skip Handshake
Oblivious communities Introduction Oblivious Communities
Conclusions 43 / 52
Oblivious cryptographic techniques Secret Handshakes from CA-Oblivious Encryption Blind signatures Untraceable Electronic Cash Oblivious communities
Handshake 1
A. Spognardi
A obtains PKb = Recover(G, IDb , ωb ) A picks ra ← M and cha ← {0, 1}k A computes Ca = EncPKb (ra )
Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities
(B −→ A): IDb , ωb
2
(A −→ B): IDa , ωb , Ca , cha B B B B B
obtains PKa = Recover(G, IDa , ωa ) obtains ra = Dectb (Ca ) picks rb ← M and chb ← {0, 1}k computes Cb = EncPKa (rb ) computes respb = H(ra , rb , cha )
Introduction Oblivious Communities
Conclusions 44 / 52
Oblivious cryptographic techniques Secret Handshakes from CA-Oblivious Encryption (cont’d) Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi
Handshake 3
Outline
A obtains rb = Decta (Cb ) if respb 6= H(ra , rb , cha ), A outputs FAIL, o.w. ACCEPT A computes respa = H(ra , rb , chb )
Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA
(B −→ A): Cb , respb , chb
4
(A −→ B): respa if respa 6= H(ra , rb , chb ), B outputs FAIL, o.w. ACCEPT
Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions 45 / 52
Oblivious communities Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction
A family of peer-to-peer oblivious community P2P-Oblivious community A family of peer-to-peer community that uses oblivious techniques
Framework
Electronic Cash Untraceable coins with RSA
Members of the community (peers) can establish secure and oblivious channels
Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions 47 / 52
Oblivious communities P2P-Oblivious community Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA
Properties From the execution of sessions with any honest peer, a cheating member does not acquire any information about the community of that peer An eavesdropper that obtains a message does not acquire any information about the community
Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions 48 / 52
Oblivious communities Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline
The Community Authority It delivers certificates to qualified members It is actually a server that can act as a peer (can establish secure and oblivious channels with others peers of the community)
Blind Signatures Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction Oblivious Communities
The peer It can use the CA to find resources in the community and directly contact other peers Alternatively, using a DHT as sub-layer for the community, it can find resources in a completely distributed fashion
Conclusions 49 / 52
Oblivious communities Summary Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi
Properties High privacy of communitie’s members Obliviousness of communications
Outline Blind Signatures
(Using DHT) Independence from the CA
Introduction Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities
Ongoing-work Add lookup privacy Implement a prototype Add anonymity and/or unlinkability
Introduction Oblivious Communities
Conclusions 50 / 52
Conclusions Blind signatures Untraceable Electronic Cash Oblivious communities A. Spognardi Outline Blind Signatures Introduction
Thanks
Framework
Electronic Cash Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions 51 / 52
Conclusions References Blind signatures Untraceable Electronic Cash Oblivious communities
1
A. Spognardi
3
Outline Blind Signatures
2
4
Introduction Framework
Electronic Cash
5
Untraceable coins with RSA Avoid double-spending
Oblivious communities Introduction Oblivious Communities
Conclusions
6
D. Chaum - Blind Signatures for Untraceable Payments @ CRYPTO ’82 D. Chaum, A. Fiat, M. Naor - Untraceable Electronic Cash @ CRYPTO ’88 D. Pointcheval, J. Stern - Provably Secure Blind Signature Schemes @ ASIACRYPT ’96 C. Castelluccia, S. Jarecki, G. Tsudik - Secret Handshakes from CA-Oblivious Encryption, Advances in Cryptology @ ASIACRYPT 2004 N. Li, W. Du, D. Boneh - Oblivious signature-based envelope, ACM Symposium on Principles of Distributed Computing @ PODC2003 D. Balfanz, G. Dufree, N. Shankar, D.K. Smetters, J. Staddon, H.C. Wong - Secret handshakes from pairing-based key agreements @ IEEE Symposium on Security and Privacy 2003 52 / 52