BLIND SIGNATURES: AN EFFORT TO PROTECT CONTENT USERS’ PRIVACY
Prepared by Antonius Cahya Prihandoko
The blind signature mechanism, introduced by David Chaum in 1982, allows a user to have another party sign something without the signer knowing what it is signing. The mechanism involves three actors (signer, user, and verifier) and three functions:
- A signing function s’ known only to the signer, and its corresponding public function s. The function s is the inverse of s’, but gives no hint about s’.
- A computing function c and its inverse c’, both known only to the user.
- A verifying function r, which is public.
Suppose the user has a document x and needs the signer’s signature on x. The signing protocol is as follows.
- the user computes c(x) and sends it to the signer;
- the signer signs c(x) by applying s’ and sends s'(c(x)) to the user;
- the user applies c’ and obtains c'(s'(c(x)))=s'(x), the signer’s signature on the user’s document;
- anyone can verify the signed document using the verification function r and the signer’s public function s. If r(s(s'(x)))=r(x) then the signature is valid.
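The protocol above can be run end to end with textbook RSA blinding, a common instantiation that this page does not itself name. The following is an added example, not code from the original article: s' is RSA private exponentiation, c multiplies by a secret factor k raised to the public exponent, and r is modelled as a redundancy check on the note. The key, the note format and all function names are assumptions constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key from two Mersenne primes: far too small for real use.
P, Q = 2**89 - 1, 2**127 - 1
N, E = P * Q, 65537                   # public: s(y) = y^E mod N
D = pow(E, -1, (P - 1) * (Q - 1))     # signer only: s'(y) = y^D mod N


def make_note(serial: bytes) -> int:
    """Build x = serial || SHA-256(serial)[:16], so that r(x) holds."""
    assert len(serial) == 8
    return int.from_bytes(serial + hashlib.sha256(serial).digest()[:16], "big")


def r(x: int) -> bool:
    """Public redundancy check: does x have the structure make_note produces?"""
    if x >= 1 << 192:
        return False
    raw = x.to_bytes(24, "big")
    return hashlib.sha256(raw[:8]).digest()[:16] == raw[8:]


def blind(x: int) -> tuple[int, int]:
    """User: c(x) = x * k^E mod N for a secret random k coprime to N."""
    while True:
        k = secrets.randbelow(N - 2) + 2
        if gcd(k, N) == 1:
            return (x * pow(k, E, N)) % N, k


def sign(blinded: int) -> int:
    """Signer: apply s' to the blinded value without learning x."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, k: int) -> int:
    """User: c'(y) = y * k^-1 mod N, which yields s'(x)."""
    return (blind_sig * pow(k, -1, N)) % N


def verify(sig: int) -> bool:
    """Verifier: recover s(s'(x)) with the public key and test r on it."""
    return r(pow(sig, E, N))
```

Because k is fresh for every request, two blindings of the same note look unrelated to the signer, yet both unblind to the same signature s'(x).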
With this mechanism, the user has the signer’s signature without the signer knowing what it is signing. The following steps illustrate how the blind signature can be applied in an untraceable payment system. The actors are bank (signer), buyer (user), and seller (verifier).
- Buyer chooses x at random such that r(x) holds, forms note c(x) and supplies c(x) to bank.
- Bank signs the note and forms s'(c(x)), debits buyer’s account, and returns the signed note, s'(c(x)), to buyer.
- Buyer strips note by forming c'(s'(c(x)))=s'(x), and gets bank’s signature on his original note x.
- When purchasing content, buyer provides note s'(x) to seller.
- Seller checks note by forming r(s(s'(x))) and stops if false.
- Seller forwards s'(x) to bank.
- Bank checks note by forming r(s(s'(x))) and stops if false.
- Bank credits seller’s account and informs seller of acceptance.
Clearly, the buyer is able to purchase something without releasing his identity to the seller. This concept is regarded as a potential approach to developing a user privacy protection scheme.
Implementation of Blind Signatures for Users’ Privacy Protection
On the technological side, privacy issues are mostly approached by minimizing the acquisition of personal information. One example is the anonymous cash scheme, which is based on the blind signature concept: a mechanism that allows a user to get another party to sign something without the signer knowing what it is signing. In this scheme, a user first acquires general-purpose tokens, either from a third party such as a bank or from the content provider, that can be spent with multiple merchants. When purchasing content, the user presents the token together with the metadata of the requested content, and the content provider returns the content key. Thus, purchasing is done anonymously: the content provider knows which content is being requested but must not know who is requesting it. Although this scheme allows the content provider to determine the royalties assigned to the copyright holder, its implementation is costly, because separate infrastructures for acquiring tokens and for purchasing content have to be provided, as well as an anonymization network.
The blind decryption mechanism is more efficient and less expensive than the anonymous cash scheme, as it does not require an anonymization infrastructure. In this mechanism, when purchasing a content key, a user sends the content provider a message containing its identity along with an encrypted blob consisting of the blinded encrypted key. The content provider decrypts the blob. The user then applies the inverse of the blinding function to the decrypted blob to obtain the key. The content provider knows the user’s identity, so it can debit the user’s account, but it does not know which content the user is requesting and is thus unable to compute item-based royalties.
Townsville, 3 March 2013