No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
A Practical Approach Defeating Blackmailing
Abstract
To simulate the functionalities of the real cash, one of the important requirements of electronic cash systems is the anonymity
of users. Unconditional anonymity, however, is also very well suited to support criminals in blackmailing. Recently Kügler
and Vogt [6] proposed a payment system based on the blind undeniable signature that protects the privacy of the users and defeats blackmailing
with the assumption that the victim of a blackmailing can inform the Bank of a blackmailing before delivering the money and
transfer the decryption key(i.e. the secret key of the victim) used in confirmation protocol without being detected by a blackmailer.
But the assumption that the victim is always able to inform the bank of blackmailing is very impractical in such cases as
kidnapping and special impersonation. In this paper, we propose two practical methods that gives the Bank the information
about blackmailing and decryption key without any unpractical assumptions.
Aggregate signature scheme was recently proposed by Boneh, Gentry, Lynn and Shacham, which presented a method for combining
n signatures from n different signers on n different messages into one signature. In this paper, we propose an identity-based aggregate signature scheme based on the
bilinear pairings. This enhances the efficiency of communication and signature verification process. We show that the security
of our scheme is tightly related to the computational Diffie-Hellman assumption in the random oracle model.
The bilinear pairings such as Weil pairing or Tate pairing over elliptic curves and hyperelliptic curves have been found various
applications in cryptography very recently. Ring signature is a very useful tool to provide the user’s anonymity and the signer’s
privacy. In this paper, we propose a ring signature scheme based on the bilinear pairings, which is secure against chosen
message attacks without random oracles. Moreover, we use this ring signature scheme to construct a concurrent signature scheme
for fair exchange of signatures.
A mobile payment is a business driven transaction to pay for goods, services or digital content using a combination of mobile devices, mobile
delivery networks, and the Internet. Secure mechanism must be provided in mobile payment system. However, the anonymity and
privacy of transaction is a serious problem on existing mobile secure mechanism, because anonymity on mobile payment transaction
can be misused by attacker. Therefore, we propose tamper-proof smart card based efficient secure mobile e-coins with fairness revocation mechanism.
Cryptography has been instrumental in reducing the involvement of over-head third parties in protocols. For example; a digital signature scheme assures a recipient that a judge who is not present at message transmission will nevertheless approve the validity of the signature. Similarly, in off-line electronic cash the bank (which is off-line during a purchase) is assured that if a user double spends he will be traced. Here we suggest the notion of Indirect Discourse Proofs with which one can prove indirectly yet efficiently that a third party has a certain future capability (i.e., assure Trustees can trace). The efficient proofs presented here employ algebraic properties of exponentiation (or functions of similar homomorphic nature). Employing this idea we present the concept of "Fair Off-Line e-Cash" (FOLC) system which enables tracing protocols for identifying either the coin or its owner. Recently, the need to trace and identify coins with owners/withdrawals was identified (to av...
Electronic cash, and other cryptographic payment systems, offer a level of user anonymity during a purchase, in order to emulate electronically the properties of physical cash exchange. However, it has been noted that there are crime-prevention situations where anonymity of notes is undesirable; in addition there may be regulatory and legal constraints limiting anonymous transfer of funds. Thus pure anonymity of users may be, in certain settings, unacceptable and thus a hurdle to the progress of electronic commerce.
The conceptual contribution of this work is based on the claim that given the legal, social, technical and efficiency constraints that are imposed, anonymity should be treated as a Control Parameter facilitating flexibility of the level of privacy of note holders (determined by the dynamic conditions and constraints).
In light of this parameterization, we review recently developed technical tools for tracing and anonymity revocation (e.g., owner tracing and coin tracing). We elaborate on the differences in the various technologies with respect to security assumptions and we discuss practical considerations of computational, bandwidth and storage requirements for user, shop, bank and trustees as well as whether the trustees must be on-line or off-line. We also claim that while anonymity revocation can potentially reduce crime it can also produce instances where the severity of the crime is increased as criminals try to social engineer around tracing revocation. To prevent this we suggest the notion of “distress cash.” the technical side, we provide efficiency improvements to a protocol for coin tracing and point at a technical solution for distress cash.
. Electronic cash, and other cryptographic payment systems, offer some level of user anonymity during a purchase, in order to emulate electronically the properties of physical cash exchange. However, it has been noted that there are crime-prevention situations where anonymity of notes is undesirable; in addition there may be regulatory and legal constraints limiting anonymous transfer of funds. Thus pure anonymity to users may be, in certain settings, unacceptable and thus a hurdle to the progress of electronic commerce. The conceptual contribution of this work is based on the claim that given the legal, social, technical and efficiency constraints that are imposed, anonymity should be treated as a Control Parameter facilitating flexibility of the level of privacy of note holders (determined by the dynamic conditions and constraints). We review "anonymity control" which provides the balance between strong anonymity for the user and anonymity revocation for crime preventio...
The physical analog of “blind signatures” of Chaum is a document and a carbon paper put into an envelope, allowing the signer to transfer his signature onto the document by signing on the envelope, and without opening it. Only the receiver can present the signed document while the signer cannot “unblind” its signature and get the document signed.
When an authority signs “access tokens”, “electronic coins”, “credentials” or “passports”, it makes sense to assume that whereas the users can typically enjoy the disassociation of the blindly signed token and the token itself (i.e. anonymity and privacy), there may be cases which require “unblinding” of a signature by the signing authority itself (to establish what is known as “audit trail” and to “revoke anonymity” in case of criminal activity).
This leads us to consider a new notion of signature with the following physical parallel: The signer places a piece of paper with a carbon paper on top in an envelope as before (but the document on the paper is not yet written). The receiver then writes the document on the envelope using magic ink, e.g., ink that is only visible after being “developed”. Due to the carbon copy, this results in the document being written in visible ink on the internal paper. Then, the signer signs the envelope (so its signature on the document is made available). The receiver gets the internal paper and the signer retains the envelope with the magic ink copy. Should the signer need to unblind the document, he can develop the magic ink and get the document copy on the envelope. Note that the signing is not blinded forever to the signer. We call this new type of signature a magic ink signature.
We present an efficient method for distributively generating magic ink signatures, requiring a quorum of servers to produce a signature and a (possibly different) quorum to unblind a signature. The scheme is robust, and the unblinding is guaranteed to work even if a set of up to a threshold of signers refuses to cooperate, or actively cheats during either the signing or the unblinding protocol. We base our specific implementation on the DSS algorithm. Our construction demonstrates the extended power of distributed signing.
The physical analog of "blind signatures" of Chaum is a document and a carbon paper put into an envelope, allowing the signer to transfer his signature onto the document by signing on the envelope, and without opening it. Only the receiver can present the signed document while the signer cannot "unblind" its signature and get the document signed. When an authority signs "access tokens", "electronic coins", "credentials" or "passports", it makes sense to assume that whereas the users can typically enjoy the disassociation of the blindly signed token and the token itself (i.e. anonymity and privacy), there may be cases which require "unblinding" of a signature by the signing authority itself (to establish what is known as "audit trail" and to "revoke anonymity" in case of criminal activity). This leads us to consider a new notion of signature with the following physical parallel: The signer places a piece of paper with a carbon paper on top in an envelope as before (but the document on the paper is not yet written). The receiver then writes the document on the envelope using magic ink, e.g., ink that is only visible after being "developed". Due to the carbon copy, this results in the document being written in visible ink on the internal paper. Then, the signer signs the envelope (so its signature on the document is made available). The receiver gets the internal paper and the signer retains the envelope with the magic ink copy. Should the signer need to unblind the document, he can develop the magic ink and get the document copy on the envelope. Note that the signing is not blinded forever to the signer. We call this new type of signature a magic ink signature. We present an efficient method for distributively generating magic ink signatures, requiring a quorum of servers to produce a signature and a (possibly different) quorum to unblind a signature. The scheme is robust, and the unblinding is guaranteed to work even if a set of up to a threshold of signers refuses to cooperate, or actively cheats during either the signing or the unblinding protocol. We base our specific implementation on the DSS algorithm. Our construction demonstrates the extended power of distributed signing.
This paper introduces the XTR public key system. XTR is based on a new method to represent elements of a subgroup of a multiplicative
group of a finite field. Application of XTR in cryptographic protocols leads to substantial savings both in communication
and computational overhead without compromising security.
Cryptography has been instrumental in reducing the involvement of over-head third parties in protocols. For example; a digital signature scheme assures a recipient that a judge who is not present at message transmission will nevertheless approve the validity of the signature. Similarly, in off-line electronic cash the bank (which is off-line during a purchase) is assured that if a user double spends he will be traced.
Here we suggest the notion of Indirect Discourse Proofs with which one can prove indirectly yet efficiently that a third party has a certain future capability (i.e., assure Trustees can trace). The efficient proofs presented here employ algebraic properties of exponentiation (or functions of similar homomorphic nature).
Employing this idea we present the concept of Fair Off-Line e-Cash (FOLC) system which enables tracing protocols for identifying either the coin or its owner. Recently, the need to trace and identify coins with owners/withdrawals was identified (to avoid blackmailing and money laundering). Previous solutions that assured this traceability (called fair e-cash as they balance the need for anonymity and the prevention of criminal activities) involved third parties at money withdrawals. In contrast, FOLC keeps any third party uninvolved, thus it is fully off-line e-cash even when law enforcement is added (i.e., it is off-line w.r.t. law enforcement at withdrawals and off-line w.r.t. the bank at payments).
This paper describes improved methods for XTR key rep- resentation and parameter generation (cf. (4)). If the fleld characteristic is properly chosen, the size of the XTR public key for signature appli- cations can be reduced by a factor of three at the cost of a small one time computation for the recipient of the key. Furthermore, the para- meter set-up for an XTR system can be simplifled because the trace of a proper subgroup generator can, with very high probability, be com- puted directly, thus avoiding the probabilistic approach from (4). These non-trivial extensions further enhance the practical potential of XTR.
Electronic payment systems based on anonymous coins have been invented as a digital equivalent for physical banknotes. However, von Solms and Nac- cache discovered that such anonymous coins are also very well suited to support criminals in blackmailing. In this paper we present a payment system, which has an efficie nt tracing and revocation mechanism for blackmailed coins. In contrast to previous solutions our payment system is completely anonymous and thus protects the privacy of the users. The used tracing method is based on the idea of marking coins similar to marking banknotes with an invisible color.
David Chaum has introduced the idea of blind signatures, an extension of the concept of digital signatures, as a way to protect the identity and privacy of a user in electronic payment and service networks. Blind signatures also prevent so-called “dossier creation” about users by organizations.While the concept of blind signatures still allows authorities to distinguish between valid and false data, it prevents these authorities from connecting specific data or actions to specific users.With the growing emphasis on the protection of the privacy of user data and user actions in electronic systems, blind signatures seem to be a perfect solution. This paper however, discusses a problematic aspect of blind signatures, showing that this perfect solution can potentially lead to perfect crime.We use a real crime case as an example.
)Markus JakobssonMoti YungyAbstractWe present an e-money system where both value of fundsand user anonymity can be revoked or suspended unconditionally,but only by the cooperation of banks and consumerrights organizations. We introduce the "ultimate crime,"where an active attacker gets the bank's key or forces thebank to give "unmarked bank notes". Our system, unlike allcurrent anonymous systems, can prevent such a crime fromsuccessfully being perpetrated, and employs...
Anonymity of the participants is an important requirement for some applications in electronic commerce, in particular for payment systems. Because anonymity could be in conflict with law enforcement, for instance in cases of blackmailing or money laundering, it has been proposed to design systems in which a trustee or a set of trustees can selectively revoke the anonymity of the participants involved in a suspicious transaction. From an operational point of view, it can be an important requirement that such trustees are neither involved in payment transactions nor in the opening of an account, but only in case of a justified suspicion. In this paper we present an efficient anonymous digital payment systems satisfying this requirement. The described basic protocol for anonymity revocation can be used in on-line or off-line payment systems.
. Anonymity of the participants is an important requirement for some applications in electronic commerce, in particular for payment systems. Because anonymity could be in con#ict with law enforcement, for instance in cases of blackmailing or money laundering, it has been proposed to design systems in which a trustee or a set of trustees can selectively revoke the anonymity of the participants involved in suspicious transactions. From an operational point of view, it can be an important requirement that such trustees are neither involved in payment transactions nor in the opening of an account, but only in case of a justi#ed suspicion. In this paper we propose the #rst e#cient anonymous digital payment systems satisfying this requirement. The described basic protocol for anonymity revocation can be used in on-line or o#-line payment systems. Keywords: Digital payment systems, electronic money, cryptography, privacy, anonymity revocation. 1 Introduction In most presently-...
Electronic payment systems based on anonymous coins have been invented as a digital equivalent to physical banknotes. However, von Solms and Naccache discovered that such anonymous coins are also very well suited to support criminals in blackmailing. In this paper we present a payment system, which has an ecient tracing and revocation mechanism for blackmailed coins. The used tracing method is based on the idea of marking coins similar to marking banknotes with an invisible color. In contrast to previous solutions our payment system is unconditionally anonymous and thus protects the privacy of the users. 1
Anonymity control in e-cash systems
- G Davide
- Y Tsiounis
- M Young
- G. Davide
Indirect discourse proofs”; Achieving efficient fair off-line e-cash
- Y Frankel
- Y Tsiounis
- M Young
- Y. Frankel