Anonymous Money Orders and Blind Signatures: Ensuring Privacy in Digital Transactions, Study notes of Advanced Computer Architecture

Various protocols for anonymous money orders and blind signatures, which are essential for maintaining privacy in digital transactions. The authors, b. Warinschi and n.p. Smart, explore the problems with previous protocols and propose solutions using identity encoding, blind signatures, and commitment schemes. They also introduce zk-proofs for identification and non-interactive zk-proofs. The document also covers schnorr signatures and rsa-fdh, as well as key encapsulation and data encapsulation mechanisms.

Typology: Study notes

2010/2011

Uploaded on 09/07/2011

home-alone
home-alone 🇬🇧

4

(1)

18 documents

1 / 97

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
COMSM2004 : Proofs
B. Warinschi and N.P. Smart
Department of Computer Science,
University Of Bristol,
Merchant Venturers Building,
Woodland Road,
Bristol, BS8 1UB
United Kingdom.
January 30, 2009
B. Warinschi and N.P. Smart
COMSM2004 : Proofs Slide 1
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e
pf1f
pf20
pf21
pf22
pf23
pf24
pf25
pf26
pf27
pf28
pf29
pf2a
pf2b
pf2c
pf2d
pf2e
pf2f
pf30
pf31
pf32
pf33
pf34
pf35
pf36
pf37
pf38
pf39
pf3a
pf3b
pf3c
pf3d
pf3e
pf3f
pf40
pf41
pf42
pf43
pf44
pf45
pf46
pf47
pf48
pf49
pf4a
pf4b
pf4c
pf4d
pf4e
pf4f
pf50
pf51
pf52
pf53
pf54
pf55
pf56
pf57
pf58
pf59
pf5a
pf5b
pf5c
pf5d
pf5e
pf5f
pf60
pf61

Partial preview of the text

Download Anonymous Money Orders and Blind Signatures: Ensuring Privacy in Digital Transactions and more Study notes Advanced Computer Architecture in PDF only on Docsity!

COMSM2004 : Proofs

B. Warinschi and N.P. Smart

Department of Computer Science, University Of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB United Kingdom.

January 30, 2009

B. Warinschi and N.P. Smart

Outline

Overview

e-Cash

Commitment Schemes

Zero Knowledge Proofs

Proofs of Security and Random Oracles

Advanced ZK-Protocols

B. Warinschi and N.P. Smart

Money

Locations for money: I (^) in your bank account, I (^) under your mattress, I (^) in your pocket, I (^) in cheques, I (^) in money orders,....

There are various definitions of what money is. I (^) One of the main problems of certain areas of economics is to define money.

B. Warinschi and N.P. Smart

Digital Money

Digital money is the term that we use for the money in your bank account.

Your bank knows a great deal about it: I (^) how much you have; I (^) where it comes from; I (^) where it’s going next.

Digital money can help to I (^) reduces fraud and it I (^) gives a complete audit trail.

B. Warinschi and N.P. Smart

e-Cash

It would be nice to have an electronic form of cash with I (^) all the benefits of cash itself.

There have been a number of digital cash systems proposed over the last twenty years. I (^) Many are based on constructs such as digital signatures, hash function and zero-knowledge proofs. There are a number of design issues: I (^) anonymity versus auditability; I (^) single use tokens (to detect copying); I (^) payment across the Internet need to be made securely; I (^) scalability demands off line processing; In the next few slides we discuss a philosophical protocol which forms the basis of a number of real protocols.

B. Warinschi and N.P. Smart

Anonymous Money Orders - 1

  1. : Alice prepares an anonymous money order (MO) for 100 pounds and puts it in an envelope with a piece of carbon paper.
  2. : The bank signs the envelope, and hence the MO, and deducts 100 pounds from Alice’s account.
  3. : Alice opens the envelope and gives the signed MO to Bob.
  4. : Bob checks the signature of the bank and takes the money order to the bank.
  5. : The bank checks the signature and gives Bob 100 pounds.

Note: The bank, in step 5, cannot trace the MO back to Alice. I (^) This is because it never saw what it was signing. Problem: How does the bank know it is signing a MO for 100 pounds and not 200 pounds?

B. Warinschi and N.P. Smart

Anonymous Money Orders - 3

  1. : Alice prepares 100 anonymous MOs for 100 pounds, each with a separate serial number and puts them in envelopes containing pieces of carbon paper.
  2. : The bank opens 99 of the envelopes and checks they are all for 100 pounds and that they all have separate serial numbers.
  3. : The bank signs the envelope, and hence the MO, and deducts 100 pounds from Alice’s account.
  4. : Alice opens the envelope and gives the signed MO to Bob.
  5. : Bob checks the signature of the bank and takes the money order to the bank.
  6. : The bank checks the signature and gives Bob 100 pounds after checking that the bank has not seen that serial number before.

Problem: If duplicate serial numbers are obtained by the bank, who does the bank accuse of cheating, Alice or Bob?

B. Warinschi and N.P. Smart

Anonymous Money Orders - 4

  1. : Alice prepares 100 anonymous MOs for 100 pounds, each with a separate serial number and puts them in envelopes containing pieces of carbon paper.
  2. : The bank opens 99 of the envelopes and checks them as before.
  3. : The bank signs the remaining envelope and deducts 100 pounds from Alice’s account.
  4. : Alice opens the envelope and gives the signed MO to Bob.
  5. : Bob asks Alice to write a random identity string on the MO.
  6. : Bob checks the bank’s signature and presents the money order to the bank.
  7. : The bank opens the envelope, checks the signature and gives Bob 100 pounds after checking that the bank has not seen that serial number before. Note: If the serial number is a duplicate and the identity strings are the same then Bob cheated, otherwise Alice must have cheated.

B. Warinschi and N.P. Smart

Identity Splitting

We need a method in which I (^) Alice’s identity is kept secret unless I (^) she cheats when it is revealed. This is done using a variant of a zero-knowledge protocol.

Alice creates an identity string containing her details: name, address, etc. I (^) This is split into two (or many) pieces. Each piece is committed to on the money order before she sends it to the bank for signing. I (^) Alice cannot change her details (hence commitment). I (^) She can reveal (de-commit) what she committed to and it can be verified that she has not cheated.

B. Warinschi and N.P. Smart

A Commitment Scheme

On the previous slide we required a method for Alice to commit to a string. Here we use a commitment scheme based on a hash function; we will see more details of commitment schemes in general later in the course. Suppose we have a bit string b to which Alice wishes to commit. I (^) Alice generates a random strings P. I (^) Alice computes h = H(P‖b), where H is a cryptographic hash function. I (^) Alice publishes h.

For Alice to open the commitment or de-commit she proceeds as follows. I (^) Alice supplies P and b to Bob. I (^) Bob can then check that h in the commitment equals H(P‖b).

B. Warinschi and N.P. Smart

Identity Revealing

If Alice spends the same money order twice the bank will detect this and want to recover Alice’s identity.

With two such money order’s there is a high probability that, for some i, the bank obtains both Li and Ri - since for the two money orders with the same serial number Bob will have given two distinct bit vectors.

For example I (^) Li from the first use of the money order and I (^) Ri from the second use of the money order.

In this case the bank recovers Alice’s identity: ID = Li ⊕ Ri.

B. Warinschi and N.P. Smart

Blind Signatures

The only thing we have not discussed is how one implements, digitally, an envelope with carbon paper for the bank to sign.

This is accomplished using a blind signature scheme. I (^) This allows the bank to sign something without knowing what that something is.

To do this we exploit the homomorphic property of RSA signatures. I (^) Notice that homomorphic property is often considered to be a bad thing.

B. Warinschi and N.P. Smart

Alice, Bob and Anonymous Money Orders

Now go back to our protocol and look what we have achieved.

Alice remains anonymous to the bank in the sense that where she spends her money cannot be traced.

If Alice cheats her identity is revealed - notice that we do not stop her from cheating.

Bob cannot cheat since if he copies a money order and presents it to the bank he will not get his money.

Alice and Bob cannot collude to defraud the bank.

B. Warinschi and N.P. Smart

Eve and Anonymous Money Orders

How about a malicious outsider, Eve.

Eave can cheat! I (^) Suppose Eve eavesdrops on the communication between Alice and Bob and goes to the bank before Bob does. I (^) Then, when Bob arrives, he is identified as a cheater! I (^) Suppose Eve spends Alice’s money before Alice can. I (^) Then Alice will be identified as a cheater.

Hence Alice and Bob need to protect their data just as they would do with paper money.

B. Warinschi and N.P. Smart