Introduction Traditional Cryptographic Approach to Privacy Privacy is more complex than just using a cryptographic function. = ⇒ Very often it even requires a priori contradictory features: (e.g. electronic vote, electronic cash, authentication and replay attacks...) It consists into elaborated protocols which uses several cryptographic primitives entangled together to achieve a specific goal: Secure hash functions, Asymetric encryption, Secret sharing schemes, Bit commitment, Etc. Together with those primitives, standard techniques to compose them are used: Challenge/response schemes. Use of nounces and randomness in general. Cut and choose. Etc. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 5 / 48
Data Integrity, Secure Hash Plan Introduction 1 Data Integrity, Secure Hash 2 Proving Oneself’s Identity 3 Anonymous communications 4 Sender Anonymity Sender and Receiver Anonymity Electronic Cash 5 Conclusion 6 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 6 / 48
Data Integrity, Secure Hash Cryptographic Hash Functions Trying to make the equivalent of fingerprints for data. Hash functions should be like a salami machine: impossible to inverse but such that if feeding material is changed, then the salami is changed as well. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 7 / 48
Data Integrity, Secure Hash Cryptographic Hash Functions Trying to make the equivalent of fingerprints for data. Hash functions should be like a salami machine: impossible to inverse but such that if feeding material is changed, then the salami is changed as well. The idea is that if h ( x ) = y and y is securily stored. Then if x is changed into x ′ , h ( x ′ ) = y ′ � = y . F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 7 / 48
Data Integrity, Secure Hash Cryptographic Hash Functions Trying to make the equivalent of fingerprints for data. Hash functions should be like a salami machine: impossible to inverse but such that if feeding material is changed, then the salami is changed as well. The idea is that if h ( x ) = y and y is securily stored. Then if x is changed into x ′ , h ( x ′ ) = y ′ � = y . Actually families of keyed hash functions are used. The simplest way to make a MAC: A and B share k , A sends ( x , y = h k ( x )) to B. A third party C cannot alter x into x ′ and sends ( x ′ , h k ( x ′ )) without knowing k . F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 7 / 48
Data Integrity, Secure Hash Cryptographic Hash Functions Definition (hash-family) A hash-family is ( X , Y , K , H ) X : set of messages Y : set of digests of authentication tags K : set of keys H : for each k ∈ K , there is h k ∈ H : X → Y F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 8 / 48
Data Integrity, Secure Hash Cryptographic Hash Functions Definition (hash-family) A hash-family is ( X , Y , K , H ) X : set of messages Y : set of digests of authentication tags K : set of keys H : for each k ∈ K , there is h k ∈ H : X → Y 1 Preimage: In h : X → Y , and y ∈ Y Out x ∈ X s.t. h ( x ) = y F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 8 / 48
Data Integrity, Secure Hash Cryptographic Hash Functions Definition (hash-family) A hash-family is ( X , Y , K , H ) X : set of messages Y : set of digests of authentication tags K : set of keys H : for each k ∈ K , there is h k ∈ H : X → Y 1 Preimage: In h : X → Y , and y ∈ Y Out x ∈ X s.t. h ( x ) = y 2 Second Preimage: In h : X → Y , and x ∈ § Out x ′ ∈ X s.t. h ( x ) = h ( x ′ ) and x � = x ′ F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 8 / 48
Data Integrity, Secure Hash Cryptographic Hash Functions Definition (hash-family) A hash-family is ( X , Y , K , H ) X : set of messages Y : set of digests of authentication tags K : set of keys H : for each k ∈ K , there is h k ∈ H : X → Y 1 Preimage: In h : X → Y , and y ∈ Y Out x ∈ X s.t. h ( x ) = y 2 Second Preimage: In h : X → Y , and x ∈ § Out x ′ ∈ X s.t. h ( x ) = h ( x ′ ) and x � = x ′ 3 Collision: In h : X → Y Out x , x ′ ∈ X s.t. h ( x ) = h ( x ′ ) and x � = x ′ F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 8 / 48
Data Integrity, Secure Hash The properties of Hash functions: Random Oracle Model Introduced by Bellare and Rogaway in 1995 [Bellare and Rogaway, 1995]. Try to capture the essence of an “ideal” hash function: h : X → Y is chosen randomly. h is seen as a black box: querry through an Oracle. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 9 / 48
Data Integrity, Secure Hash The properties of Hash functions: Random Oracle Model Introduced by Bellare and Rogaway in 1995 [Bellare and Rogaway, 1995]. Try to capture the essence of an “ideal” hash function: h : X → Y is chosen randomly. h is seen as a black box: querry through an Oracle. We can try to analyze hash functions independently from the particularities of the hash function considered. Algorithms are randomized algorithms . F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 9 / 48
Data Integrity, Secure Hash The properties of Hash functions: Random Oracle Model Introduced by Bellare and Rogaway in 1995 [Bellare and Rogaway, 1995]. Try to capture the essence of an “ideal” hash function: h : X → Y is chosen randomly. h is seen as a black box: querry through an Oracle. We can try to analyze hash functions independently from the particularities of the hash function considered. Algorithms are randomized algorithms . Notion of ǫ average-case success probability relatively to the number Q of queries to the oracle: ( ǫ, Q ). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 9 / 48
Data Integrity, Secure Hash Pre-image Find_PreImage(h,y,Q): choose X0 subset of X, |X0|=Q for all x in X0 do if h(x)=y then return (x) return (fail) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 10 / 48
Data Integrity, Secure Hash Pre-image Find_PreImage(h,y,Q): choose X0 subset of X, |X0|=Q for all x in X0 do if h(x)=y then return (x) return (fail) Theorem If | X | = M the average-case success of Find Preimage is: ǫ = 1 − (1 − 1 / M ) Q F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 10 / 48
Data Integrity, Secure Hash Second Pre-image Find_Second_PreImage(h,x,Q): y := h(x) choose X0 subset of X\{x}, |X0|=Q-1 for all x0 in X0 do if h(x0)=y then return (x0) return (fail) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 11 / 48
Data Integrity, Secure Hash Second Pre-image Find_Second_PreImage(h,x,Q): y := h(x) choose X0 subset of X\{x}, |X0|=Q-1 for all x0 in X0 do if h(x0)=y then return (x0) return (fail) Theorem If | X | = M average-case success of Find Second Preimage is: ǫ = 1 − (1 − 1 / M ) Q − 1 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 11 / 48
Data Integrity, Secure Hash Collision Find_Collision(h,x,Q): Choose X0 subset of X\{x}, |X0|=Q-1 for all x in X0 do y[x] := h(x) if y[x]=y[x’] for some x <> x’ then return (x,x’) else return (fail) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 12 / 48
Data Integrity, Secure Hash Collision Find_Collision(h,x,Q): Choose X0 subset of X\{x}, |X0|=Q-1 for all x in X0 do y[x] := h(x) if y[x]=y[x’] for some x <> x’ then return (x,x’) else return (fail) Theorem The average-case success probability of Find Collision is, supposing that | X | = M ǫ = 1 − ( M − 1 )( M − 2 ) . . . ( M − Q + 1 ) M M M F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 12 / 48
Data Integrity, Secure Hash Some numbers Birthday paradox and Find Second Preimage . In a group of 23 there is probability 1 / 2 that two persons have the same age: Q = 23 and M = 365. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 13 / 48
Data Integrity, Secure Hash Some numbers Birthday paradox and Find Second Preimage . In a group of 23 there is probability 1 / 2 that two persons have the same age: Q = 23 and M = 365. Analysis of Find Collision . Theorem 4 gives the probability of no collisions: i =1 (1 − i Π Q − 1 M ) when x → 0 1 − x ≃ exp − x , thus − i Π Q − 1 i =1 (1 − i Π Q − 1 M ) ≃ i =1 exp M exp − Σ Q − 1 i = i =1 M − Q ( Q − 1) = exp 2 M We can express Q in terms of ǫ (probability to find a collision) and M . � 1 Q ≃ 2 M log( 1 − ǫ ) √ F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 13 / 48 Thus for ǫ = 1 / 2 we have Q ≃ 1 . 17 M .
Data Integrity, Secure Hash Collision using Second Preimage It is easy to find collision using the second preimage algorithm: choose random x in X if Find_Second_Preimage h(x)=x’ then return (x,x’) else return failure Hence because of the birthday paradox we have to take care of the size of the digest ! With probability 1 / 2 a 40-bits message digest only needs 2 20 random hashes. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 14 / 48
Proving Oneself’s Identity Plan Introduction 1 Data Integrity, Secure Hash 2 Proving Oneself’s Identity 3 Anonymous communications 4 Sender Anonymity Sender and Receiver Anonymity Electronic Cash 5 Conclusion 6 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 15 / 48
Proving Oneself’s Identity Philosophy of Identity Philosophical problem hard to grasp: social vs. inner identity (Plato : life is an image on the wall of a cave). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 16 / 48
Proving Oneself’s Identity Philosophy of Identity Philosophical problem hard to grasp: social vs. inner identity (Plato : life is an image on the wall of a cave). More prosaically, three ways to proves identity: Something you know: password, proof of a theorem, etc. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 16 / 48
Proving Oneself’s Identity Philosophy of Identity Philosophical problem hard to grasp: social vs. inner identity (Plato : life is an image on the wall of a cave). More prosaically, three ways to proves identity: Something you know: password, proof of a theorem, etc. Something you have: key, card, cellphone (via text message), email F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 16 / 48
Proving Oneself’s Identity Philosophy of Identity Philosophical problem hard to grasp: social vs. inner identity (Plato : life is an image on the wall of a cave). More prosaically, three ways to proves identity: Something you know: password, proof of a theorem, etc. Something you have: key, card, cellphone (via text message), email Something you are: biometrics. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 16 / 48
Proving Oneself’s Identity Philosophy of Identity Philosophical problem hard to grasp: social vs. inner identity (Plato : life is an image on the wall of a cave). More prosaically, three ways to proves identity: Something you know: password, proof of a theorem, etc. Something you have: key, card, cellphone (via text message), email Something you are: biometrics. Each of these three ways have advantages/drawbacks. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 16 / 48
Proving Oneself’s Identity Challenge-Response and Randomization To identify oneself: very common every-day life process. Something that is going to be repeated over and over. Insecure Scheme: suppose Alice and Bob shares secret k F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 17 / 48
Proving Oneself’s Identity Challenge-Response and Randomization To identify oneself: very common every-day life process. Something that is going to be repeated over and over. Insecure Scheme: suppose Alice and Bob shares secret k Bob chooses a random challenge r , sends it to Alice. 1 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 17 / 48
Proving Oneself’s Identity Challenge-Response and Randomization To identify oneself: very common every-day life process. Something that is going to be repeated over and over. Insecure Scheme: suppose Alice and Bob shares secret k Bob chooses a random challenge r , sends it to Alice. 1 Alice computes y = h K ( r ) and sends y to Bob. 2 Bob computes y ′ = h K ( r ). If y = y ′ Bob accepts, otherwise rejects. 3 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 17 / 48
Proving Oneself’s Identity Challenge-Response and Randomization To identify oneself: very common every-day life process. Something that is going to be repeated over and over. Insecure Scheme: suppose Alice and Bob shares secret k Bob chooses a random challenge r , sends it to Alice. 1 Alice computes y = h K ( r ) and sends y to Bob. 2 Bob computes y ′ = h K ( r ). If y = y ′ Bob accepts, otherwise rejects. 3 Attack (parallel session) of the insecure scheme: Bob chooses a random challenge r , sends it to Alice. 1 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 17 / 48
Proving Oneself’s Identity Challenge-Response and Randomization To identify oneself: very common every-day life process. Something that is going to be repeated over and over. Insecure Scheme: suppose Alice and Bob shares secret k Bob chooses a random challenge r , sends it to Alice. 1 Alice computes y = h K ( r ) and sends y to Bob. 2 Bob computes y ′ = h K ( r ). If y = y ′ Bob accepts, otherwise rejects. 3 Attack (parallel session) of the insecure scheme: Bob chooses a random challenge r , sends it to Alice. 1 Oscar intercepts r and sends it to Bob 2 Bob thinking it has received an id request from Alice computes 3 y = h K ( r ) and sends y back. Oscar can impersonate Alice by sending back the y he received from 4 Bob. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 17 / 48
Proving Oneself’s Identity Naive Challenge Response Fixed Secure version: Bob chooses a random challenge r , sends it to Alice. 1 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 18 / 48
Proving Oneself’s Identity Naive Challenge Response Fixed Secure version: Bob chooses a random challenge r , sends it to Alice. 1 Alice computes y = h K ( ID ( Alice ) , r ) and sends y to Bob. 2 Bob computes y ′ = h K ( ID ( Alice ) , r ). If y = y ′ Bob accepts, otherwise 3 rejects. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 18 / 48
Proving Oneself’s Identity Naive Challenge Response Fixed Secure version: Bob chooses a random challenge r , sends it to Alice. 1 Alice computes y = h K ( ID ( Alice ) , r ) and sends y to Bob. 2 Bob computes y ′ = h K ( ID ( Alice ) , r ). If y = y ′ Bob accepts, otherwise 3 rejects. If Oscar tries to launch a parallel session he will do it with the wrong ID: knowing h K ( ID ( Bob ) , r ) does not help to compute h k ( ID ( Alice ) , r ). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 18 / 48
Proving Oneself’s Identity Naive Challenge Response Fixed Secure version: Bob chooses a random challenge r , sends it to Alice. 1 Alice computes y = h K ( ID ( Alice ) , r ) and sends y to Bob. 2 Bob computes y ′ = h K ( ID ( Alice ) , r ). If y = y ′ Bob accepts, otherwise 3 rejects. If Oscar tries to launch a parallel session he will do it with the wrong ID: knowing h K ( ID ( Bob ) , r ) does not help to compute h k ( ID ( Alice ) , r ). What about other attacks ?? F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 18 / 48
Proving Oneself’s Identity Naive Challenge Response Fixed Secure version: Bob chooses a random challenge r , sends it to Alice. 1 Alice computes y = h K ( ID ( Alice ) , r ) and sends y to Bob. 2 Bob computes y ′ = h K ( ID ( Alice ) , r ). If y = y ′ Bob accepts, otherwise 3 rejects. If Oscar tries to launch a parallel session he will do it with the wrong ID: knowing h K ( ID ( Bob ) , r ) does not help to compute h k ( ID ( Alice ) , r ). What about other attacks ?? = ⇒ What are the assumptions made ? Secret Key. Random Challenges. MAC Security. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 18 / 48
Proving Oneself’s Identity Conclusion There are full books of MAC/identification/signature schemes/protocols. Different protocols for different usage: One time passwords. Tickets with limited time limit. With or without central authority. etc. It is very hard to have “convincing proofs” of their correctness. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 19 / 48
Anonymous communications Plan Introduction 1 Data Integrity, Secure Hash 2 Proving Oneself’s Identity 3 Anonymous communications 4 Sender Anonymity Sender and Receiver Anonymity Electronic Cash 5 Conclusion 6 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 20 / 48
Anonymous communications Communicating without Revealing one’s Identity Everyday life concern: Confession at church, Anonymous disease testing, Anonymous medical consultation, Etc. Seems paradoxical at first: it appears that one should know where to send the data and where to return the answer. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 21 / 48
Anonymous communications Communicating without Revealing one’s Identity Everyday life concern: Confession at church, Anonymous disease testing, Anonymous medical consultation, Etc. Seems paradoxical at first: it appears that one should know where to send the data and where to return the answer. Many point of views: Sender anonymity. Receiver anonymity. External vs Internal observer. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 21 / 48
Anonymous communications Sender Anonymity Plan Introduction 1 Data Integrity, Secure Hash 2 Proving Oneself’s Identity 3 Anonymous communications 4 Sender Anonymity Sender and Receiver Anonymity Electronic Cash 5 Conclusion 6 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 22 / 48
Anonymous communications Sender Anonymity Sender Anonymity How to achieve sender’s anonymity allowing return adresses for the answer ? Useful in anonymous referee process. Web surfing under political watch. Etc. Seems paradoxical since the return adress should reveal the senders identity. Uses asymetric encryptions in layers for which encryption and decrytion commutes: K ( K ( M )) = K ( K ( M )) = M F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 23 / 48
Anonymous communications Sender Anonymity Chaum’s mix nets [Chaum, 1981], the Idea The idea is to put many envelopes around the message in order for each intermediary to know only two links of the message path. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 24 / 48
Anonymous communications Sender Anonymity Chaum’s mix nets [Chaum, 1981], the Specifications Let us name the public key of actor A with its name, and the private key with A . Relays are called “mixes” they receive many messages and shuffle them before sending them back. The structure of a message sent to a mix K is K ( R , K next ( R next , M ) , K next ) The mix K can decypher it and sends the second part of the message ( K next ( R next , M )) to K next F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 25 / 48
Anonymous communications Sender Anonymity Chaum’s mix nets [Chaum, 1981], the Specifications Let us name the public key of actor A with its name, and the private key with A . Relays are called “mixes” they receive many messages and shuffle them before sending them back. The structure of a message sent to a mix K is K ( R , K next ( R next , M ) , K next ) The mix K can decypher it and sends the second part of the message ( K next ( R next , M )) to K next The procedure can be repeteadly nested: K n ( R n , K n − 1 ( R n − 1 , . . . K 2 ( R 2 , K 1 ( R 1 , B ( R 0 , M ) , B ) , K 1 ) . . . ) , K n − 1 ) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 25 / 48
Anonymous communications Sender Anonymity Chaum’s mix nets [Chaum, 1981], Return Adress The anonymous return adress can be added to the message: K 1 ( R 1 , A ) , K A where K A is a session key, A is Alice’s adress. Bob sends: K 1 ( R 1 , A ) , K A ( R 0 , M ) and the mix K 1 decrypts the first part of the message and sends: R 1 ( K A ( R 0 , M )) to A using R 1 as an encryption key. This construction can be nested as well: K 1 ( R 1 , K 2 ( R 2 , . . . K n ( R n , A ) . . . )) , K A ( R 0 , M ) In the end Alice receives: R n ( R n − 1 ( . . . R 2 ( R 1 ( K A ( R 0 , M )) . . . ))) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 26 / 48
Anonymous communications Sender Anonymity Mix Nets in Real Life Attacking mix nets: F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 27 / 48
Anonymous communications Sender Anonymity Mix Nets in Real Life Attacking mix nets: Flooding the net with fake messages. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 27 / 48
Anonymous communications Sender Anonymity Mix Nets in Real Life Attacking mix nets: Flooding the net with fake messages. Timing attacks between entry and output nodes. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 27 / 48
Anonymous communications Sender Anonymity Mix Nets in Real Life Attacking mix nets: Flooding the net with fake messages. Timing attacks between entry and output nodes. Earning a lot of relays. etc. ref http://freehaven.net/anonbib/ F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 27 / 48
Anonymous communications Sender Anonymity Mix Nets in Real Life Attacking mix nets: Flooding the net with fake messages. Timing attacks between entry and output nodes. Earning a lot of relays. etc. ref http://freehaven.net/anonbib/ Mix nets in practice: The Onion routing, aka Tor. Not exactly mix nets but same ideas. NSAproof (they try other attacks). More than 2 Million Users and 6,500 relays: https://metrics.torproject.org/ F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 27 / 48
Anonymous communications Sender and Receiver Anonymity Plan Introduction 1 Data Integrity, Secure Hash 2 Proving Oneself’s Identity 3 Anonymous communications 4 Sender Anonymity Sender and Receiver Anonymity Electronic Cash 5 Conclusion 6 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 28 / 48
Anonymous communications Sender and Receiver Anonymity Sender and Receiver Anonymity [Golle and Juels, 2004] Dining Cryptographers networks (DC-Networks) [Chaum, 1988] In a DC-net the anonymous message transmission may be accomplished by players in a non-interactive manner, i.e., in a single broadcast round. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 29 / 48
Anonymous communications Sender and Receiver Anonymity Sender and Receiver Anonymity [Golle and Juels, 2004] Dining Cryptographers networks (DC-Networks) [Chaum, 1988] In a DC-net the anonymous message transmission may be accomplished by players in a non-interactive manner, i.e., in a single broadcast round. Problem: DC-nets are easily breakable with non cooperative players (honnest but curious is the limit). The problem is to be able to publish a message without knowing who has sent the message. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 29 / 48
Anonymous communications Sender and Receiver Anonymity Basic Protocol A and B possesses k -bits messages m A , m B . A and B shares two keys of length k : k AB (0) , k AB (1) and a random bit b . F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 30 / 48
Anonymous communications Sender and Receiver Anonymity Basic Protocol A and B possesses k -bits messages m A , m B . A and B shares two keys of length k : k AB (0) , k AB (1) and a random bit b . A and B publishes pairs of messages as follows: if b=0 then Alice: M A , 0 = k AB (0) ⊕ m A , M A , 1 = k AB (1) Bob: M B , 0 = k AB (0) , M B , 1 = k AB (1) ⊕ m B if b=1 then Alice: M A , 1 = k AB (0) , M A , 1 = k AB (1) ⊕ m A Bob: M B , 0 = k AB (0) ⊕ m B , M B , 1 = k AB (1) An observer can compute M A , 0 ⊕ M b , 0 and M A , 1 ⊕ M b , 1 yielding the unordered pair ( m A , m B ). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 30 / 48
Anonymous communications Sender and Receiver Anonymity Extension to multiple players Suppose there are n players P 1 , P 2 , . . . , P n . Each pair ( P i , P j ) shares a set of keys k i , j ( w ) for i , j , w ∈ { 1 , 2 , . . . , n } where K i , j ( w ) = k j , i ( w ). Each players P i computes a vector: W i = { W i (1) = ⊕ n j =1 k i , j (1) , . . . , W i ( n ) = ⊕ n j =1 k i , j ( n ) } Notice that ⊕ n j =1 W i ( w ) = 0 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 31 / 48
Anonymous communications Sender and Receiver Anonymity Extension to multiple players Suppose there are n players P 1 , P 2 , . . . , P n . Each pair ( P i , P j ) shares a set of keys k i , j ( w ) for i , j , w ∈ { 1 , 2 , . . . , n } where K i , j ( w ) = k j , i ( w ). Each players P i computes a vector: W i = { W i (1) = ⊕ n j =1 k i , j (1) , . . . , W i ( n ) = ⊕ n j =1 k i , j ( n ) } Notice that ⊕ n j =1 W i ( w ) = 0 To broadcast a message each players P i chosses a random position c i and XORs the message m i with W i ( c i ) obtaining V i = { V i (1) , . . . , V i ( n ) } that differ in position c i . If all players select a different c i the vector V = ⊕ n j =1 V j will consists in the set of messages posted by all players. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 31 / 48
Anonymous communications Sender and Receiver Anonymity Extension to multiple players Suppose there are n players P 1 , P 2 , . . . , P n . Each pair ( P i , P j ) shares a set of keys k i , j ( w ) for i , j , w ∈ { 1 , 2 , . . . , n } where K i , j ( w ) = k j , i ( w ). Each players P i computes a vector: W i = { W i (1) = ⊕ n j =1 k i , j (1) , . . . , W i ( n ) = ⊕ n j =1 k i , j ( n ) } Notice that ⊕ n j =1 W i ( w ) = 0 To broadcast a message each players P i chosses a random position c i and XORs the message m i with W i ( c i ) obtaining V i = { V i (1) , . . . , V i ( n ) } that differ in position c i . If all players select a different c i the vector V = ⊕ n j =1 V j will consists in the set of messages posted by all players. Receiver anonymity can be achieved through public key encryption of messages. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 31 / 48
Electronic Cash Plan Introduction 1 Data Integrity, Secure Hash 2 Proving Oneself’s Identity 3 Anonymous communications 4 Sender Anonymity Sender and Receiver Anonymity Electronic Cash 5 Conclusion 6 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 32 / 48
Electronic Cash Anonymous Money Payment mechanism without audit trail (typically the opposite of BitCoin) ... F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 33 / 48
Electronic Cash Anonymous Money Payment mechanism without audit trail (typically the opposite of BitCoin) ... Raw issues to solve: false money. double spending. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 33 / 48
Electronic Cash Anonymous Money Payment mechanism without audit trail (typically the opposite of BitCoin) ... Raw issues to solve: false money. double spending. Political issue as well: governments are reluctant. Complicated protocols using many cryptographic ingredients: bit commitment, secret sharing and Blind signatures. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 33 / 48
Electronic Cash Blind Signature Normally the signer knows what he is signing... F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 34 / 48
Electronic Cash Blind Signature Normally the signer knows what he is signing... In order to respect privacy it could be a good idea that it is not the case ! F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 34 / 48
Electronic Cash Blind Signature Normally the signer knows what he is signing... In order to respect privacy it could be a good idea that it is not the case ! Completely blind signature: Alice takes the message to be signed and multiply it by a random value 1 (blinding factor). Alice sends the blinded document to Bob. 2 Bob signs the blinded document. 3 Alice divides by the blinding factor. 4 = ⇒ The signature function and multiplication must be commutative (eg RSA). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 34 / 48
Electronic Cash Bit Commitment Raw problem: commit a prediction without revealing it. The checker wants to make sure that the prediction is not changed once it has been formulated. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 35 / 48
Electronic Cash Bit Commitment Raw problem: commit a prediction without revealing it. The checker wants to make sure that the prediction is not changed once it has been formulated. Solution with symmetric cryptography: Bob generates R , sends it to Alice 1 Alice makes her prediction (one bit) b and sends K ( R , b ) 2 When the time has come to make the prediction public Alice sends Bob 3 K . Bob decrypts it to reveal her bit and checks the random string. 4 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 35 / 48
Electronic Cash Bit Commitment Raw problem: commit a prediction without revealing it. The checker wants to make sure that the prediction is not changed once it has been formulated. Solution with symmetric cryptography: Bob generates R , sends it to Alice 1 Alice makes her prediction (one bit) b and sends K ( R , b ) 2 When the time has come to make the prediction public Alice sends Bob 3 K . Bob decrypts it to reveal her bit and checks the random string. 4 Solution with secure hash functions: Alice generates R 1 , R 2 and sends H ( R 1 , R 2 , b ) , R 1 to Bob. 1 When time has come to reveal the prediction Alice sends Bob 2 ( R 1 , R 2 , b ) Bob computes the Hash and compares it and R 1 3 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 35 / 48
Electronic Cash Secret Sharing Cryptographic version of what is implemented in highly secured environments: banks, nuclear missile silos etc. One needs several people to agree in order to perform some action. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 36 / 48
Electronic Cash Secret Sharing Cryptographic version of what is implemented in highly secured environments: banks, nuclear missile silos etc. One needs several people to agree in order to perform some action. Definition Let t , w be positive integers, t ≤ w . A ( t , w )-threshold scheme is a method of sharing a key K among w participants in such a way that any subset of size t can compute K but no group of a lesser size can. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 36 / 48
Electronic Cash Secret Sharing Cryptographic version of what is implemented in highly secured environments: banks, nuclear missile silos etc. One needs several people to agree in order to perform some action. Definition Let t , w be positive integers, t ≤ w . A ( t , w )-threshold scheme is a method of sharing a key K among w participants in such a way that any subset of size t can compute K but no group of a lesser size can. The Shamir scheme is unconditionnaly secure (no limit on the amount of computation that can be performed by any subset of participants). Many cryptographic applications. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 36 / 48
Electronic Cash Secret Sharing [Shamir, 1979], definition D is the dealer. P i , 1 ≤ i ≤ w are the participants. K ∈ Z p is the secret to be shared ( p > w ). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 37 / 48
Electronic Cash Secret Sharing [Shamir, 1979], definition D is the dealer. P i , 1 ≤ i ≤ w are the participants. K ∈ Z p is the secret to be shared ( p > w ). Definition (Shamir ( t , w )-Threshold Scheme) 1 Initialization Phase: D chooses w distinct, non-zero elements of Z p : x i , 1 ≤ i ≤ w . For i ∈ { 1 , . . . , w ), D gives x i to P i . x i are public values. 2 Share Distribution: D secretely and randomly choose t − 1 elements of Z p : a 1 , . . . , a t − 1 . 3 For 1 ≤ w ≤ w , D computes t − 1 � a j x j y i = a ( x i ) = K + mod p i j =1 4 For 1 ≤ i ≤ w , D gives the share y i to P i F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 37 / 48
Electronic Cash Secret Sharing [Shamir, 1979], geometric interpretation The scheme relies on the Lagragian polynomial interpolation: there is only one polynomial curve of degree t − 1 groing through t different points ! F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 38 / 48
Electronic Cash Secret Sharing [Shamir, 1979], recovering the secret Suppose P i 1 , . . . , P i t want to recover the secret. They know y i j = a ( x i j ) Since a ( x ) ahs degree at most t − 1: a ( x ) = a 0 + a 1 x + . . . + a t − 1 t − 1 There are t linear equations in the t unknowns a 0 + . . . + a t − 1 , there is a unique solution and a 0 is the key ! F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 39 / 48
Electronic Cash Secret Sharing [Shamir, 1979], recovering the secret Suppose P i 1 , . . . , P i t want to recover the secret. They know y i j = a ( x i j ) Since a ( x ) ahs degree at most t − 1: a ( x ) = a 0 + a 1 x + . . . + a t − 1 t − 1 There are t linear equations in the t unknowns a 0 + . . . + a t − 1 , there is a unique solution and a 0 is the key ! Easier way to compute is to use the formula of Lagrangian interpolation (we just need to compute a (0)): t x i k � � K = y i j x i k − x i j j =1 1 ≤ k ≤ t , k � = j F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 39 / 48
Electronic Cash E-cash First Protocol (from [Chaum, 1982]) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 40 / 48
Electronic Cash E-cash First Protocol (from [Chaum, 1982]) 1 Alice prepares 100 anonymous bills for 1000 $. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 40 / 48
Electronic Cash E-cash First Protocol (from [Chaum, 1982]) 1 Alice prepares 100 anonymous bills for 1000 $. 2 Alice blinds the 100 bills and sends them to the Bank. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 40 / 48
Electronic Cash E-cash First Protocol (from [Chaum, 1982]) 1 Alice prepares 100 anonymous bills for 1000 $. 2 Alice blinds the 100 bills and sends them to the Bank. 3 The Bank opens (by asking Alice) 99 envelopes and confirms they are all 1000 $ notes. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 40 / 48
Electronic Cash E-cash First Protocol (from [Chaum, 1982]) 1 Alice prepares 100 anonymous bills for 1000 $. 2 Alice blinds the 100 bills and sends them to the Bank. 3 The Bank opens (by asking Alice) 99 envelopes and confirms they are all 1000 $ notes. 4 The Bank blindly signs the last envelope and sends it back to Alice. The Bank deducts 1000$ from Alice’s account. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 40 / 48
Electronic Cash E-cash First Protocol (from [Chaum, 1982]) 1 Alice prepares 100 anonymous bills for 1000 $. 2 Alice blinds the 100 bills and sends them to the Bank. 3 The Bank opens (by asking Alice) 99 envelopes and confirms they are all 1000 $ notes. 4 The Bank blindly signs the last envelope and sends it back to Alice. The Bank deducts 1000$ from Alice’s account. 5 Alice opens the envelope and spends it with a Merchant. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 40 / 48
Electronic Cash E-cash First Protocol (from [Chaum, 1982]) 1 Alice prepares 100 anonymous bills for 1000 $. 2 Alice blinds the 100 bills and sends them to the Bank. 3 The Bank opens (by asking Alice) 99 envelopes and confirms they are all 1000 $ notes. 4 The Bank blindly signs the last envelope and sends it back to Alice. The Bank deducts 1000$ from Alice’s account. 5 Alice opens the envelope and spends it with a Merchant. 6 Merchant takes the money, checks the Bank signature is correct and takes it to the Bank. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 40 / 48
Recommend
More recommend