Comments on Unenumerated: Blind signatures
Comment feed for a post by Nick Szabo (http://www.blogger.com/profile/16820399856274245684); feed last updated 2024-03-15. Eleven comments, newest first.

Anonymous, 2015-07-03 12:10:
I've been doing research around cryptonote technology and found this post. I don't know if these two are linked. I am kinda a cryptography noob.

Maybe it's of some interest to someone here: https://en.wikipedia.org/wiki/CryptoNote

Anonymous, 2011-07-04 03:40:
good post

Anonymous, 2007-10-06 23:12:
Can blind signatures be implemented with hashing? Alice hashes message m with a salt and has Bob sign it. Later, to verify, Alice reveals the salt and the message. Does this work? Is there any reason to use more complicated math?

Anonymous, 2007-09-07 15:53:
Anonymous: that's right, and in fact the list of long random numbers to represent issued certificates, kept on a spent list used to clear certificate transfers, means that Alice can't guess the number of a certificate to forge it.

Anonymous, 2007-09-05 14:50:
Well, I think I've figured out the position with Alice trying to get multiple signatures for the price of one.

Alice CAN get multiple signatures from each one provided by Bob, but they won't be interesting because she won't have enough control over what they are.

It's the same position that Alice is in by knowing Bob's public key: she can encrypt a blob M to produce C and then switch the C and M blobs and tell everybody "Bob signed this number here", but because it's meaningless (and not an instruction or statement worth signing) it is easily dismissed.

At least that's the way it seems in Schneier's section 23.12. Section 5.3, which shows less detail, makes the attack look workable.

Anonymous, 2007-08-25 15:06:
anonymous: "Alice commutatively merges N many documents and after the signature is applied removes different sets of N-1 of them to recover N signed docs."

I don't personally know the answer to this -- perhaps a fellow reader who has kept closer track of the cryptographic literature than I can chime in. I am confident that almost any of the dozens of cryptography scholars, and almost surely Chaum himself, who have tried to break digital cash, anonymous voting, blinded credentials, and other protocols based on blind signatures that have been developed over the last 20 years have thought of this kind of attack, and if it is actually a problem have figured out solution(s) to it.

BTW, I don't recommend you go out and implement digital cash simply based on my description. For one thing, there are already open source public-domain implementations out there done by experts in the field such as Ben Laurie. You should either reuse them or at least learn from them before doing your own. For another, my description is meant to be an introductory/beginner demonstration, not a complete blueprint for implementing secure blinding. The purpose of the article is to alert people to the existence of this protocol and give them some of the basic information they need to understand the literature or to understand the basics of how blind signatures work if they are looking for a privacy solution. The next step is then to either use an implementation done by an expert in the field (for example, Ben Laurie's lucre) or to become knowledgeable yourself, if you are mathematically minded, by reading some of the copious cryptographic literature on blinding. You should not go implement the sketch I have given here and call it secure based on my authority.

Anonymous, 2007-08-25 14:50:
anonymous: "users have no way of knowing how many tokens have actually been issued (by the bank inflating the tokens, or the key being stolen)."

This is quite true for digital cash as described in the cryptographic literature, and as it has been implemented in ecash and lucre, and AFAIK as it is still currently implemented. The issuer and clearer (in my terminology a "mint" or "bank" is divided up into two potentially separate entities, the issuer and the clearer) are trusted third parties, which means that they are security holes that must be closed by means outside the digital cash protocol itself.

For digital cash or other blinded bearer certificates to be economically viable, users have to get value out of the system, in terms of satisfying their preferences for private and irreversible transactions, faster than the rate of inflation. There are, short of the stronger methods addressed below, but just within the single-issuer/single-clearer paradigm, ways for third parties to audit the issuer and clearer and track the rate of inflation simply by posing as customers or gathering sampling information from customers. This reputation system puts a practical limit on the expected rate (or risk per unit time) of inflation but is admittedly an inferior solution to those named below. Also, digital cash could piggyback on the reputation and gold redemption windows of the gold currency issuers -- it would thereby be protected against inflation to the same extent that the current insecure (in terms of privacy and reversibility) gold currencies are protected.

anonymous: "engineering cannot solve this problem"

That's a preposterously strong claim given that you don't provide any evidence for it, much less the proof you would need to actually demonstrate it. In fact there are a number of candidate solutions. Google the following: "quorum systems" (or just Byzantine replication generally), "secure property titles", "remote attestation", "bit gold".

Bit gold, for example, can be tied to digital cash through a redemption window, as per the old free banking note issue and redemption system. As long as the window keeps working, users can have substantial confidence that the system is working -- the temporal window you pointed out becomes much longer.

Remote attestation and Byzantine replication are alternative and complementary ways to distribute issuers and clearers and force them to run publicly verifiable code, so that a single clearer or even a small conspiracy of clearers can't undetectably inflate the currency.

Anonymous, 2007-08-25 11:56:
If you allow a party to hold on to their token for a significant amount of time (meaning the mixing time is long, and you're approaching bearer certificates), rather than merely using this to create a temporary mix where everybody agrees to play musical chairs at a certain time, users have no way of knowing how many tokens have actually been issued (by the bank inflating the tokens, or the key being stolen). Engineering cannot solve this problem, which certainly wouldn't inspire confidence in the system.

Anonymous, 2007-08-24 15:40:
DN: "It is not difficult to detect double spending post factum (in the above example, whoever forks the chain of endorsements on a negotiable instrument is a fraud), but it is far more difficult to prevent it."

I assume you are referring just to offline transfers? With online clearing, preventing double-spending is trivial -- the clearer keeps a spent numbers list.

Anonymous, 2007-08-24 15:25:
The number used in the blinding function is usually random, but suppose Alice wishes to get multiple signatures for the price of one....

Alice commutatively merges N many documents and after the signature is applied removes different sets of N-1 of them to recover N signed docs.

What stops her doing this?

Daniel A. Nagy (https://www.blogger.com/profile/03407102257008616258), 2007-08-24 14:50:
In my teaching practice, I found the following metaphors useful:

Digital signatures are actually closer to seals, in that the private key, just like the stamp, can be lost or stolen.

Blinded signatures are like embossing: you put your piece of paper into an envelope, let the notary emboss it with her stamp and then retrieve it from the envelope.

However, there is a crucial difference between paper-based and digital signatures, which has very far-reaching implications for carrying over commercial law to cyberspace:

Once a piece of paper has been signed, the unsigned version ceases to exist. In particular, once you endorse a cheque, it stays endorsed. Not true with digital signatures! Digital signatures can be removed without trace.

This results in the general problem of double spending. It is not difficult to detect double spending post factum (in the above example, whoever forks the chain of endorsements on a negotiable instrument is a fraud), but it is far more difficult to prevent it. A posteriori detection, while much better than nothing, is a poor substitute for proactive measures. In particular, the whole point of negotiable instruments is preventing insolvency by letting the recipient worry about only three things: the creditworthiness of the original issuer, the honesty of the last endorser and the anti-forgery measures of the instrument. If these are in order then there is no reason not to accept that piece of paper. Doing the same digitally is quite a challenge, because one can never know whether a fork occurred until it surfaces, which might be too late.

Thus, we need some irreversible operation in the digital world, similar to marking a piece of paper with ink. One such operation is making a secret public. It can be done, but cannot be reversed. Public information cannot be made secret again (or, more precisely, the costs of doing so can be easily made prohibitive). This is why I expect time-stamping services publishing hashes of signed documents to play a central role in the future of cyberlaw.
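Added example for the thread as a whole (not code from the post, from Nick Szabo, from lucre, or from any commenter): a textbook Chaum/RSA blind-signature round trip, followed by the online clearer with a spent list that the reply to DN describes, so that the double-spend and the "signature on a different serial" cases from the discussion can be seen rejected. Assumptions: textbook RSA with no padding, two fixed small Mersenne primes as a constructed key (far too small for real use), SHA-256 as the message hash, and the names blind, sign_blinded, unblind, verify and Clearer are hypothetical helpers chosen here, not an API from any implementation the thread mentions.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key: p = 2^61-1 and q = 2^89-1 are Mersenne primes.
# e = 65537 is coprime to (p-1)(q-1), so d exists. Demonstration sizes only.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # Bob's (the issuer's) private exponent


def h(message: bytes) -> int:
    """Hash the certificate serial to an integer below N (textbook RSA, no padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def blind(message: bytes):
    """Alice: pick a random blinding factor r coprime to N and hide H(m) as H(m) * r^e mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2  # r in [2, N-1]; r = 1 would not blind anything
        if gcd(r, N) == 1:
            break
    blinded = (h(message) * pow(r, E, N)) % N
    return blinded, r


def sign_blinded(blinded: int) -> int:
    """Bob: sign the blinded value; he never sees m or H(m)."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Alice: divide out r. (H r^e)^d * r^-1 = H^d * r * r^-1 = H^d mod N."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(message: bytes, signature: int) -> bool:
    """Anyone with Bob's public key: s^e must equal H(m)."""
    return pow(signature, E, N) == h(message)


class Clearer:
    """Online clearer: accept each signed serial exactly once by keeping a spent list."""

    def __init__(self):
        self.spent = set()

    def clear(self, serial: bytes, signature: int) -> str:
        if not verify(serial, signature):
            return "rejected: bad signature"
        if serial in self.spent:
            return "rejected: already spent"
        self.spent.add(serial)
        return "accepted"


def demo():
    """Full round trip plus the two failure cases discussed in the thread."""
    serial = secrets.token_bytes(32)  # constructed: a long random certificate number
    blinded, r = blind(serial)
    signature = unblind(sign_blinded(blinded), r)
    clearer = Clearer()
    first = clearer.clear(serial, signature)
    second = clearer.clear(serial, signature)  # the same certificate presented twice
    forged = clearer.clear(secrets.token_bytes(32), signature)  # Bob's signature moved to another serial
    bob_saw_plaintext = blinded == h(serial)  # the issuer only ever handled the blinded value
    return first, second, forged, bob_saw_plaintext


if __name__ == "__main__":
    print(demo())
```

The spent list is what makes clearing trivially safe online, as the 2007-08-24 15:40 reply says; it does nothing for offline transfers, where the fork Daniel Nagy describes is only visible once the second copy reaches a clearer.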