Mar 20, 2006 - A. Spognardi. Outline. Blind. Signatures. Introduction. Framework. Electronic ... It is a kind of cryptography which allows an automated payment ...
Blind signatures Untraceable Electronic Cash Oblivious communities

A survey on how to obtain more privacy on Internet

Angelo Spognardi
Department of Computer Science, University of Rome "La Sapienza"

March 20, 2006

Outline

- Blind Signatures: Introduction, Framework
- Electronic Cash: Untraceable coins with RSA, Avoid double-spending
- Oblivious communities: Introduction, Oblivious Communities

Electronic payments system

The variety of electronic banking services may have a substantial impact on personal privacy and on the nature and extent of criminal use of payments. A payment system should address both of these seemingly conflicting sets of concerns.

Electronic payments system (cont'd)

Knowledge by a third party of information such as payee, amount and time of payment can reveal a great deal about the individual's whereabouts, associations and lifestyle. On the other hand, an anonymous payment system like bank notes and coins suffers from a lack of controls and security: lack of proof of payment, theft of payment media, and black payments for bribes, tax evasion and black markets.

Blind signature

It is a kind of cryptography which allows an automated payment system with these properties:

1. Inability of third parties to determine payee, time or amount of payments made by an individual.
2. Ability of individuals to provide proof of payment, or to determine the identity of the payee under exceptional circumstances.
3. Ability to stop use of payments media reported stolen.

Basic Idea: An analogy

A blind signature from the world of paper documents.

- Take an envelope lined with carbon paper.
- Insert a slip of paper and close the envelope.
- Send the envelope to a third party that signs the envelope from the outside and sends it back.
- Extract the signed slip from the envelope.
- Give the signed slip to someone. The third party will recognize its signature.

Basic Idea: Elections by secret ballot

Ballot slips + envelopes lined with carbon paper

1. Every elector sends to the trustee a special envelope inside a normal envelope, with the return address. Inside the special envelope there is the ballot slip for the vote.
2. The trustee signs the special envelope without looking at the ballot slip inside and sends it back to the elector.
3. The elector extracts the signed ballot slip and writes down their preference.
4. The elector anonymously sends the signed ballot slip, with the preference, in a normal envelope.
5. The trustee receives the ballots and can put them on public display.


Basic Idea: Elections by secret ballot (cont'd)

- The trustee signs only the envelopes of authorized electors.
- Every elector must check the trustee's signature on the slip.
- Anyone can count the displayed ballots and check the signatures on them.
- If electors remember some identifying aspect of their ballot, they can check that their ballot is on display.
- The trustee never actually saw the ballot slips while signing them.
- Every trustee signature must be identical.

Basic Idea: Elections by secret ballot (cont'd)

The trustee cannot know anything about the correspondence between the ballot-containing envelopes it signed and the ballots made public. Thus, the trustee cannot determine how anyone voted.

Functions

- Signing function $s'$ and its inverse $s$: $s'$ is known only to the signer, $s$ is publicly known, and $s(s'(x)) = x$.
- Commuting function $c$ and its inverse $c'$: both are known only to the provider; $c'(s'(c(x))) = s'(x)$, and $c(x)$ and $s'$ give no clue about $x$.
- Redundancy checking predicate $r$: it checks for sufficient redundancy to make search for valid signatures impractical.

Protocol

1. Provider chooses $x$ at random such that $r(x)$, forms $c(x)$ and supplies $c(x)$ to the signer.
2. Signer signs $c(x)$ by applying $s'$ and returns the signed matter $s'(c(x))$ to the provider.
3. Provider strips the signed matter by application of $c'$, yielding $c'(s'(c(x))) = s'(x)$.
4. Anyone can check that the stripped matter $s'(x)$ was formed by the signer, by applying the signer's public key $s$ and checking that $r(s(s'(x)))$.

Properties

- Digital signature: anyone can check that a stripped signature $s'(x)$ was formed using the signer's private key $s'$.
- Blind signature: the signer knows nothing about the correspondence between the elements of the set of stripped signed matter $s'(x_i)$ and the elements of the set of unstripped signed matter $s'(c(x_i))$.
- Conservation of signatures: the provider can create at most one stripped signature for each thing signed by the signer. That is, even with $s'(c(x_1)), \ldots, s'(c(x_n))$ and choice of $c$, $c'$ and $x_i$, it is impractical to produce $s'(y)$ such that $r(y)$ and $y \neq x_i$.

Paper cash vs Electronic Cash

- Paper cash has an advantage over credit cards with respect to privacy (although the serial numbers on cash make it traceable in principle).
- Blind signatures make possible the use of unconditionally untraceable electronic money.
- But anyone can make several copies of an electronic coin and use them at different shops.
- Paper cash doesn't have this problem, since making exact copies of it is thought to be infeasible.

Untraceable coins with RSA

Setup

- The bank publishes an RSA modulus $n$, whose factorization is kept secret.
- The bank chooses its secret exponent $d$, such that it is able to compute $x^{1/3} \bmod n$.
- $f$ is a suitable one-way function.
- Alice has an account $u$ with the bank.
- The bank stores a list of all the deposited coins.

Untraceable coins with RSA (cont'd)

The protocol

1. A (Alice) chooses random $x$ and $r$. A → Bank: $B = r^3 \cdot f(x) \pmod n$.
2. Bank → A: $r \cdot f(x)^{1/3} \pmod n$, and withdraws one dollar from Alice's account.
3. Alice extracts $C = f(x)^{1/3} \pmod n$ from $B$.
4. To pay Bob one dollar: A → Bob: $(x, f(x)^{1/3})$ (all mod $n$).
5. Bob calls the bank and verifies that the coin has not already been deposited.

The protocol: Why does it work?

$(x, f(x)^{1/3}) \pmod n$

- Alice uses $(x, f(x)^{1/3})$. Why not simply $(x, x^{1/3})$?
- Because it's easy to forge this by first choosing a random $y$ and taking the pair $(y^3, y)$.
- To forge $(x, f(x)^{1/3}) \pmod n$ without taking the cube root, Alice should produce $(f^{-1}(y^3), y)$.

$B = r^3 \cdot f(x) \pmod n$

- Alice uses $r^3 \cdot f(x)$. Why not simply $f(x)$?
- Because it would not be blind!! The product $r^3 \cdot f(x)$ "blinds" the factors.
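The withdrawal, payment and deposit steps above, together with the two "why" arguments, as an added Python example that is not part of the original slides. The toy primes, the choice of SHA-256 reduced mod $n$ for $f$, and all function and class names are assumptions of this example.

```python
import hashlib
import secrets
from math import gcd

# Toy parameters constructed for this example; far too small for real use.
P, Q = 1_000_000_007, 998_244_353      # primes with gcd(3, (P-1)(Q-1)) = 1
N = P * Q                              # the bank's public modulus n
D = pow(3, -1, (P - 1) * (Q - 1))      # secret exponent: t^D is the cube root of t

def f(x: int) -> int:
    """One-way function f; SHA-256 reduced mod n is an assumption of this example."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(32, "big")).digest(), "big") % N

def blind(x: int):
    """Alice: pick r coprime to n and form B = r^3 * f(x) mod n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r, pow(r, 3, N) * f(x) % N

def bank_sign(B: int) -> int:
    """Bank: return B^(1/3) = r * f(x)^(1/3) mod n without learning x."""
    return pow(B, D, N)

def unblind(signed: int, r: int) -> int:
    """Alice: divide by r to obtain C = f(x)^(1/3) mod n."""
    return signed * pow(r, -1, N) % N

def verify(x: int, C: int) -> bool:
    """Anyone: the coin (x, C) is well formed iff C^3 = f(x) mod n."""
    return pow(C, 3, N) == f(x)

def verify_without_f(x: int, C: int) -> bool:
    """The weaker (x, x^(1/3)) coin format that the slide argues against."""
    return pow(C, 3, N) == x % N

class Bank:
    """On-line check: the bank keeps the list of deposited coins."""
    def __init__(self):
        self.deposited = set()

    def deposit(self, x: int, C: int) -> bool:
        if not verify(x, C) or x in self.deposited:
            return False
        self.deposited.add(x)
        return True

def run_protocol(x: int) -> dict:
    r, B = blind(x)
    C = unblind(bank_sign(B), r)
    bank = Bank()
    y = secrets.randbelow(N - 2) + 2        # a forger's random y
    return {
        "coin_valid": verify(x, C),
        "bank_saw_f_of_x": B == f(x),       # blinding hides f(x) from the bank
        "first_deposit": bank.deposit(x, C),
        "second_deposit": bank.deposit(x, C),
        "forgery_without_f": verify_without_f(pow(y, 3, N), y),
        "forgery_with_f": verify(pow(y, 3, N), y),
    }

if __name__ == "__main__":
    print(run_protocol(secrets.randbits(128)))
```

The pair $(y^3, y)$ passes the check that omits $f$ and fails the one that includes it, and the second deposit of the same coin is refused only because the bank is consulted on-line.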

About the protocol

- Everyone can easily verify that the coin has the right structure and that it has been signed by the bank.
- The bank cannot link a specific coin to Alice's account.

But...

1. The protocol is an on-line protocol.
2. Alice's privacy is protected unconditionally (also in case of double spending).

The protocol: Setup

- The bank publishes an RSA modulus $n$, whose factorization is kept secret and for which $\phi(n)$ has no small factors.
- The bank also sets some security parameter $k$.
- Let $f$ and $g$ be two-argument collision-free functions. $g$ also has the property that fixing the first argument gives a 1-to-1 (or c-to-1) map from the second argument onto the range.
- Alice has an account $u$ with the bank and $v$ is a counter associated with it.

The protocol: Withdraw a coin

Step 1: Alice withdraws the coin

1. Alice chooses $a_i, c_i, d_i, r_i$, $1 \le i \le k$, independently and uniformly at random from the residues (mod $n$).
2. Alice forms $k$ blinded candidates of the form

   $B_i = r_i^3 \cdot f(x_i, y_i) \bmod n$ for $1 \le i \le k$

   where $x_i = g(a_i, c_i)$ and $y_i = g(a_i \oplus (u \,\|\, (v + i)), d_i)$.
3. A → Bank: $B = B_1, B_2, \ldots, B_k$

The protocol: Withdraw a coin

Step 2: The bank asks for candidates

1. The bank chooses a random subset of $k/2$ blinded candidate indices $R = \{i_j\}$, $1 \le i_j \le k$ for $1 \le j \le k/2$.
2. Bank → A: $R$

Assume that $R = \{k/2 + 1, k/2 + 2, \ldots, k\}$.

The protocol: Withdraw a coin

Step 3: Alice reveals its parameters

1. For each $i \in R$, A → Bank: $r_i, a_i, c_i, d_i$
2. The bank (that knows $u \,\|\, (v + i)$) can check the values (cut-and-choose methodology).

The protocol: Withdraw a coin

Step 4: The Bank gives the coin

1. Bank → A: $\prod_{i \notin R} \ldots \bmod n$
2. The bank charges Alice's account one dollar and increments the counter $v$ of $u$ by $k$.

The protocol: Withdraw a coin

Step 5: Alice extracts the coin

$\prod_{i \notin R} f(x_i, y_i)^{1/3} \bmod n$

and can verify that $(r \cdot C)^3 = \ldots$

The protocol: Spend a coin

Alice pays Bob a coin

1. A → Bob: $C$
2. Bob → A: $z_1, \ldots, z_{k/2}$ (a random binary string)
3. A → Bob: $a_i, c_i, y_i$ if $z_i = 1$; $x_i, a_i \oplus (u \,\|\, (v + i)), d_i$ if $z_i = 0$
4. Bob verifies that $C$ is of the proper form and that Alice's responses fit $C$.
5. Later, Bob sends $C$ and Alice's responses to the bank, which verifies their correctness and credits his account.

The protocol: Preventing double spending

For every coin, the bank must store:

- $C$
- the string $z_1, \ldots, z_k$
- the values $a_i$ (for $z_i = 0$)
- the values $a_i \oplus (u \,\|\, (v + i))$ (for $z_i = 1$)

If Alice uses the same coin $C$ twice, then she has a high probability of being traced. In fact, with high probability the bank has both $a_i$ and $a_i \oplus (u \,\|\, (v + i))$.
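How the stored responses identify a double spender, as an added Python example that is not part of the original slides. It models only the spend and deposit steps: the RSA blinding and the bank's signature are left out, the coin is represented by the list of values $f(x_i, y_i)$ of its unopened candidates, $f$ and $g$ are SHA-256 with a prefix byte, and $u \,\|\, (v+i)$ is encoded as two 4-byte integers (all assumptions of this example). The challenge convention follows the spend step ($z_i = 1$ reveals $a_i$).

```python
import hashlib
import secrets

def g(a: bytes, b: bytes) -> bytes:
    return hashlib.sha256(b"g" + a + b).digest()

def f(x: bytes, y: bytes) -> bytes:
    return hashlib.sha256(b"f" + x + y).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def ident(u: int, v: int, i: int) -> bytes:
    """u || (v + i): 4-byte account number followed by a 4-byte counter."""
    return u.to_bytes(4, "big") + (v + i).to_bytes(4, "big")

def make_coin(u: int, v: int, half_k: int):
    """Alice's secrets and the public values f(x_i, y_i) of the unopened candidates."""
    secret, public = [], []
    for i in range(1, half_k + 1):
        a, c, d = (secrets.token_bytes(8) for _ in range(3))
        masked = xor(a, ident(u, v, i))            # a_i XOR (u || (v + i))
        x, y = g(a, c), g(masked, d)
        secret.append((a, c, d, x, y, masked))
        public.append(f(x, y))
    return secret, public

def respond(secret, z):
    """z_i = 1 -> (a_i, c_i, y_i); z_i = 0 -> (x_i, a_i XOR (u || (v + i)), d_i)."""
    return [(a, c, y) if bit else (x, masked, d)
            for (a, c, d, x, y, masked), bit in zip(secret, z)]

def responses_fit(public, z, resp) -> bool:
    """Bob's (and the bank's) check that every response opens f(x_i, y_i)."""
    for fi, bit, (p, q, s) in zip(public, z, resp):
        x, y = (g(p, q), s) if bit else (p, g(q, s))
        if f(x, y) != fi:
            return False
    return True

class Bank:
    def __init__(self):
        self.spent = {}                            # coin -> (z, responses)

    def deposit(self, public, z, resp):
        if not responses_fit(public, z, resp):
            return ("rejected", None)
        coin = b"".join(public)
        if coin not in self.spent:
            self.spent[coin] = (z, resp)
            return ("credited", None)
        old_z, old_resp = self.spent[coin]
        for b0, b1, old, new in zip(old_z, z, old_resp, resp):
            if b0 != b1:       # one spend revealed a_i, the other the masked value
                a, masked = (old[0], new[1]) if b0 else (new[0], old[1])
                return ("double-spent", int.from_bytes(xor(a, masked)[:4], "big"))
        return ("double-spent", None)              # identical challenges: no trace
```

Two spends of one coin expose the account number as soon as the two challenge strings differ in a single position; with $k/2$ random bits they coincide with probability $2^{-k/2}$.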

Further features

- Add legal significance: Alice has to use a digital signature scheme and a certified copy of her public key. Alice can use different account numbers.
- Untraceable checks: instead of coins of a single amount, use checks of a certain value, using minor and major candidates.
- Blacklisting withdrawals: to blacklist all the coins withdrawn.

Standard cryptographic techniques

- PKI-based techniques reveal the credential of the CA that signed a certificate.
- For example, in RSA the value of $n$ is public, but the signature over the certificate is sensitive.
- This results in a lack of information when two people want to mutually authenticate.

Standard cryptographic techniques

A scenario

- Alice has a certificate showing that she has top-secret clearance.
- Alice, to protect herself, will only present the certificate to other parties with a top-secret clearance.
- Similarly Bob.
- Can they establish a secure session?
- Using automated trust negotiation techniques, neither one is willing to present their certificate first.
- There is a cyclic interdependency between the two negotiators.

Oblivious cryptographic techniques

A new tool

- Despite the existence of secret handshakes, it is not trivial to have secrecy of the membership.
- To achieve this property we need new cryptographic protocols.
- We can use the oblivious tools.

Oblivious cryptographic techniques: What they do

- Instead of using cryptography to prove attribute values, they make the attribute values themselves the key.
- They make it possible to solve policy deadlocks about which party must be the first to disclose attributes.
- They make it possible to encrypt messages against a signature of a certificate.

The obliviousness property

Ensures that at the end of an execution of the protocol, unqualified recipients cannot learn information about the other party.

Oblivious cryptographic techniques: What they do

A short classification

1. CA-oblivious encryption
2. Oblivious signature based envelopes
3. Secret handshakes

They differ in the information that is hidden during the protocol.

Oblivious cryptographic techniques: What they do

CA-oblivious encryption

- Sender obliviousness
- Receiver obliviousness

- Sender obliviousness
- Semantically secure against the receiver

Oblivious cryptographic techniques: How they do it?

Main idea

- They use such a signature as a key for an encryption process.
- If one of the parties is cheating, the interaction with the other party will not help him in guessing his affiliation.

Oblivious cryptographic techniques: What they need

- CA (aka Group Authority)
- Members

Oblivious cryptographic techniques: A CA-Oblivious Encryption scheme

Initialize
- Pick primes $p$, $q$ and $g$ as a generator of a subgroup of $\mathbb{Z}_p^*$ of order $q$.
- Define a hash function $H : \{0,1\}^* \to \mathbb{Z}_q$.

CAInit
- Private key $x \in \mathbb{Z}_q^*$ and public key $y = g^x \bmod p$.

Certify member ID
- Give to ID the pair $(\omega, t) \in (\mathbb{Z}_p^*, \mathbb{Z}_q)$, where $\omega = g^r$ and $t = r + xH(\omega, ID) \bmod q$ ($r$ is random).

Oblivious cryptographic techniques: A CA-Oblivious Encryption scheme (cont'd)

Recover($y$, $ID$, $\omega$)
- Output $PK = \omega\, y^{H(\omega, ID)} \bmod p$.

Encryption process: $Enc_{PK}(m)$
- Output ciphertext $C = [c_1, c_2]$ where $c_1 = g^{r'}$ and $c_2 = m \oplus H(PK^{r'} \bmod p)$ ($r'$ is random).

Decryption process of $C = [c_1, c_2]$
- $m = c_2 \oplus H(c_1^t \bmod p)$

Oblivious cryptographic techniques: A CA-Oblivious Encryption scheme (cont'd)

Decryption process

$c_1^t = (g^{r'})^t = (g^t)^{r'} = (g^{r + xH(\omega, ID)})^{r'} = (g^r g^{xH(\omega, ID)})^{r'} = (\omega\, y^{H(\omega, ID)})^{r'} = PK^{r'} \bmod p$

And then

$c_2 \oplus H(c_1^t) = m \oplus H(PK^{r'}) \oplus H(c_1^t) = m \oplus H(PK^{r'}) \oplus H(PK^{r'}) = m$

Oblivious cryptographic techniques: A CA-Oblivious Encryption scheme (cont'd)

Observations

- $C = [c_1, c_2]$ does not reveal any information about the CA.
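The Initialize, CAInit, Certify, Recover, encryption and decryption steps above, as an added Python example that is not part of the original slides. The toy group, the SHA-256-based $H$ with its string encoding, integer messages and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Toy group constructed for this example: P = 2Q + 1 and G = 4 generates the
# order-Q subgroup of Z_P*. Real deployments need far larger parameters.
P, Q, G = 1_000_000_007, 500_000_003, 4

def H(*parts) -> int:
    """Hash into Z_q (SHA-256 reduced mod q; the encoding is an assumption)."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def ca_init():
    """CAInit: private key x and public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def certify(x: int, ident: str):
    """Certify: omega = g^r and t = r + x * H(omega, ID) mod q."""
    r = secrets.randbelow(Q - 1) + 1
    omega = pow(G, r, P)
    return omega, (r + x * H(omega, ident)) % Q

def recover(y: int, ident: str, omega: int) -> int:
    """Recover: PK = omega * y^H(omega, ID) mod p, which equals g^t."""
    return omega * pow(y, H(omega, ident), P) % P

def enc(pk: int, m: int):
    """Enc: c1 = g^r', c2 = m XOR H(PK^r' mod p)."""
    r2 = secrets.randbelow(Q - 1) + 1
    return pow(G, r2, P), m ^ H(pow(pk, r2, P))

def dec(t: int, c) -> int:
    """Dec: m = c2 XOR H(c1^t mod p)."""
    c1, c2 = c
    return c2 ^ H(pow(c1, t, P))

def demo(m: int = 0xC0FFEE) -> dict:
    x1, y1 = ca_init()                     # the CA that certified Bob
    _, y2 = ca_init()                      # an unrelated CA
    omega, t = certify(x1, "bob")
    same_ca = dec(t, enc(recover(y1, "bob", omega), m))
    other_ca = dec(t, enc(recover(y2, "bob", omega), m))
    return {
        "pk_equals_g_to_t": recover(y1, "bob", omega) == pow(G, t, P),
        "same_ca_decrypts": same_ca == m,
        "other_ca_decrypts": other_ca == m,
    }

if __name__ == "__main__":
    print(demo())
```

A sender who uses a different CA's public key still produces a well-formed ciphertext, but Bob's $t$ no longer opens it, so neither side learns the other's CA from a failed exchange.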

Oblivious cryptographic techniques: Secret Handshakes from CA-Oblivious Encryption

Handshake

- (B → A): $ID_b, \omega_b$
- A obtains $PK_b = Recover(G, ID_b, \omega_b)$
- A picks $r_a \leftarrow M$ and $ch_a \leftarrow \{0,1\}^k$
- A computes $C_a = Enc_{PK_b}(r_a)$
- (A → B): $ID_a, \omega_b, C_a, ch_a$
- B obtains $PK_a = Recover(G, ID_a, \omega_a)$
- B obtains $r_a = Dec_{t_b}(C_a)$
- B picks $r_b \leftarrow M$ and $ch_b \leftarrow \{0,1\}^k$
- B computes $C_b = Enc_{PK_a}(r_b)$
- B computes $resp_b = H(r_a, r_b, ch_a)$

Oblivious cryptographic techniques: Secret Handshakes from CA-Oblivious Encryption (cont'd)

Handshake

- (B → A): $C_b, resp_b, ch_b$
- A obtains $r_b = Dec_{t_a}(C_b)$
- If $resp_b \neq H(r_a, r_b, ch_a)$, A outputs FAIL, otherwise ACCEPT
- A computes $resp_a = H(r_a, r_b, ch_b)$
- (A → B): $resp_a$
- If $resp_a \neq H(r_a, r_b, ch_b)$, B outputs FAIL, otherwise ACCEPT

Oblivious communities: A family of peer-to-peer oblivious communities

P2P-Oblivious community

- A family of peer-to-peer communities that uses oblivious techniques.
- Members of the community (peers) can establish secure and oblivious channels.

Oblivious communities: P2P-Oblivious community

Properties

- From the execution of sessions with any honest peer, a cheating member does not acquire any information about the community of that peer.
- An eavesdropper that obtains a message does not acquire any information about the community.

Oblivious communities

The Community Authority

- It delivers certificates to qualified members.
- It is actually a server that can act as a peer (it can establish secure and oblivious channels with other peers of the community).

The peer

- It can use the CA to find resources in the community and directly contact other peers.
- Alternatively, using a DHT as a sub-layer for the community, it can find resources in a completely distributed fashion.

Oblivious communities: Summary

Properties

- High privacy of the community's members
- Obliviousness of communications
- (Using DHT) Independence from the CA

Ongoing work

- Add lookup privacy
- Implement a prototype
- Add anonymity and/or unlinkability




