Blind signatures with DSA/ECDSA?

2004-04-28 Thread An Metet
Here is the blind DSA signature based on MacKenzie and Reiter,
http://www.ece.cmu.edu/~reiter/papers/2001/CRYPTO.pdf, in graphical form.
Recall that a DSA public key is p, q, g, y; private key x; signature on
hash h is:

Choose k < q
r = g^k mod p mod q
s = rx/k + h/k mod q
Output (r,s)

Here is the blind signature protocol, with Alice, the recipient, on
the left and Bob, the signer, on the right:


Alice (recipient)                          Bob (signer)

                                           Choose k2 < q
                                           z2 = 1/k2 mod q
                                           Send r2 = g^k2 mod p
                                <---
Choose k1 < q
r = r2^k1 mod p mod q
Send a = E(r/k1 mod q) and
     b = E(h/k1 mod q) and
     ZKP
                                -->
                                           Check ZKP
                                           Choose d < q^5
                                           Send c = a '*' x*z2  '+'  b '*' z2  '+' E(d*q)
                                <---
s = D(c) mod q
Output (r,s)


Here, E() and D() represent encryption and decryption in a homomorphic
encryption system like the Paillier encryption.  Only Alice knows the
private key, but Bob is able to multiply encrypted values by scalars
(indicated by '*' above) and to add encrypted values (indicated by
'+' above).

ZKP sent by Alice in the 2nd step is a zero knowledge proof that the
two encrypted values are known and are < q^3.  (Actually the values are
less than q but the standard ZKP for this has some slop in it, which is
OK for this purpose.)

Bob operates on the two homomorphic encryptions of r/k1 and h/k1.
He multiplies the first by x/k2 and the second by 1/k2 and adds them
to get rx/k + h/k mod q (where k = k1*k2), exactly as required for
the signature.  Then he adds the large multiple of q to fully hide his
secret x value.

One interesting thing about this protocol is that it may escape the Chaum
blind signature patent, US 4759063, for two reasons.  First, the Chaum
patent covers three step blinding, while this is a four step process.
In the regular Chaum blind signature there is no need for the initial
step where the signer sends an initial r2 value.  That step is crucial
here; k2 must be fresh for every signature or the signer's key is leaked.

Second, the Chaum patent describes the signer's operation as performing
a public key digital signature operation.  This is in fact how the Chaum
blind signature works; the signer does do an ordinary RSA signature
operation.  But in this case, the signer performs a completely different
transformation, working with two homomorphically encrypted values in an
unusual way.  This is not a conventional digital signature operation.
Therefore this type of blind signature should escape the patent.

Of course the patent expires in a little over a year so it is largely
moot now anyway.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
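
The four-message exchange in the post above, run end to end as an added example; it is not part of the original post or of the MacKenzie-Reiter paper. Assumptions: the DSA group (p=607, q=101, g=64) and the Paillier primes are constructed toy values, all function names are hypothetical, Bob's scalar x*z2 is reduced mod q, and Alice's ZKP is omitted, so Bob here trusts that a and b are in range.

```python
# Added example: toy parameters only; Alice's ZKP is omitted (assumption).
import hashlib, secrets

p, q, g = 607, 101, 64        # constructed toy DSA group: q | p-1, g of order q
P, Q = 2**31 - 1, 2**61 - 1   # Alice's Paillier primes; N is far above q^6
N, N2, PHI = P * Q, (P * Q) ** 2, (P - 1) * (Q - 1)

def rand(n):                  # uniform in [1, n-1]
    return 1 + secrets.randbelow(n - 1)
def E(m):                     # Paillier encryption with generator N+1
    return (1 + m * N) * pow(rand(N), N, N2) % N2
def D(c):                     # Paillier decryption; PHI is Alice's secret
    return (pow(c, PHI, N2) - 1) // N * pow(PHI, -1, N) % N
def h_add(c1, c2):            # the post's '+': E(m1) '+' E(m2) = E(m1 + m2)
    return c1 * c2 % N2
def h_mul(c, k):              # the post's '*': E(m) '*' k = E(m * k)
    return pow(c, k, N2)
def H(msg):                   # message hash reduced mod q (toy-sized)
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def bob_commit():             # Bob: fresh k2 for every signature
    k2 = rand(q)
    return k2, pow(g, k2, p)

def alice_blind(h, r2):       # Alice: r is final; a, b hide r/k1 and h/k1
    k1 = rand(q)
    z1 = pow(k1, -1, q)
    r = pow(r2, k1, p) % q
    return r, E(r * z1 % q), E(h * z1 % q)

def bob_respond(x, k2, a, b): # Bob: works on ciphertexts only, never sees r or h
    z2 = pow(k2, -1, q)
    d = rand(q ** 5)          # d*q masks everything except the value mod q
    return h_add(h_add(h_mul(a, x * z2 % q), h_mul(b, z2)), E(d * q))

def blind_sign(x, msg):       # full exchange; restart on r = 0 or s = 0
    while True:
        k2, r2 = bob_commit()
        r, a, b = alice_blind(H(msg), r2)
        s = D(bob_respond(x, k2, a, b)) % q
        if r and s:
            return r, s

def dsa_verify(y, msg, r, s): # ordinary DSA verification, unaware of blinding
    if not (0 < r < q and 0 < s < q): return False
    w = pow(s, -1, q)
    return pow(g, H(msg) * w % q, p) * pow(y, r * w % q, p) % p % q == r
```

The output of `blind_sign` passes the unmodified DSA check in `dsa_verify`, which is the point of the construction: the verifier cannot tell a blind signature from a regular one.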


Re: traffic analysis

2003-08-27 Thread An Metet
Jim McCoy writes:

> While IANL, it seems that the whole anonymity game has a flaw that 
> doesn't even require a totalitarian regime. I would direct you to the 
> various laws in the US (to pick a random example :) regarding 
> conspiracy. Subscribing to an anonymity service might not become 
> illegal, but if anyone in your "crowd" was performing an illegal action 
> you may be guilty of conspiracy to commit this action.  You were 
> explicitly trying to assist someone to avoid lawful detection of 
> illegal activity, therefore you are in danger of being charged with 
> conspiracy to commit the illegal act (even if the overt act was never 
> successfully completed, which is where things could get really surreal 
> for the remailer/crowds/proxy groups.) It is also worth noting that the 
> burden of proof in a conspiracy trial is substantially lower than for 
> other cases...

This is from http://www.lawnerds.com/testyourself/criminal_rules.html:

A person is guilty of conspiracy if:
   - Two or more people agree to commit a crime, and
   - the people intended to enter into the agreement, and
   - at least one of the conspirators commits some overt act (such as some
     act of preparation) that furthers the conspiracy.

I don't see how using an anonymity service, or any internet service
whose activities are not forbidden by law, could fall into this category.
You would fail to achieve the first element of the crime, the agreement
to commit a crime.

Now, if it were made illegal to use an anonymizing service then you
might also be charged with conspiracy, if you used it.  But the mere
fact that people might use the service to commit crimes does not imply
that uninvolved users have agreed to commit a crime.

