The proposed vault system lays out a plan for achieving consensus state between nodes, chaining the history of consensus in blocks, and immutably time-stamping the chained data. The paper also lays out the specific code to implement such a protocol.

Digital cash

Chaum is credited as the inventor of secure digital cash for his paper, which also introduced the cryptographic primitive of a blind signature. The resulting blind signature can be publicly verified against the original, unblinded message in the manner of a regular digital signature.

Since signers may refuse to participate in the verification process, signatures are considered valid unless a signer specifically uses a disavowal protocol to prove that a given signature was not authentic.

Once the server has a batch of messages, it will reorder and obfuscate the messages so that only this server knows which message came from which sender.
|Published (Last):||14 May 2005|
Uses

Blind signature schemes see a great deal of use in applications where sender privacy is important. This includes various "digital cash" schemes and voting protocols. For example, the integrity of an electronic voting system may require that each ballot be certified by an election authority before it can be accepted for counting; this allows the authority to check the credentials of the voter to ensure that they are allowed to vote, and that they are not submitting more than one ballot.
An unlinkable blind signature allows this certification without exposing the vote: the authority will not see the contents of any ballot it signs, and will be unable to link the blinded ballots it signs back to the unblinded ballots it receives for counting.
Blind signature schemes

Blind signature schemes exist for many public key signing protocols. Some examples are provided below. In each example, the message to be signed is contained in the value m.
As an analogy, consider that Alice has a letter which should be signed by an authority (say Bob), but Alice does not want to reveal the content of the letter to Bob. She can place the letter in an envelope lined with carbon paper and send it to Bob. Bob will sign the outside of the carbon envelope without opening it and then send it back to Alice. Alice can then open it to find the letter signed by Bob, but without Bob having seen its contents.
More formally, a blind signature scheme is a cryptographic protocol that involves two parties: a user, Alice, who wants to obtain signatures on her messages, and a signer, Bob, who is in possession of his secret signing key. This intuition of not learning anything is hard to capture in mathematical terms. The usual approach is to show that for every adversarial signer, there exists a simulator that can output the same information as the signer.
This is similar to the way zero-knowledge is defined in zero-knowledge proof systems. A traditional RSA signature is computed by raising the message m to the secret exponent d modulo the public modulus N. The blind version uses a random value r, such that r is relatively prime to N i.
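The RSA description above, carried through as an added example that is not from the original page: Alice blinds m with a random r coprime to N, Bob signs with d, and Alice unblinds to get an ordinary RSA signature on m. It goes beyond the visible text by using the standard textbook construction (multiply by r^e, later divide by r). The demo key, the hash-based `encode`, and all function names are assumptions; raw RSA without padding is used only to keep the arithmetic visible.

```python
# Added illustration: textbook RSA blind signature (no padding, demo-sized key).
import hashlib
import secrets
from math import gcd

# Constructed demo key from two known Mersenne primes; far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # signer's secret exponent d

def encode(message: bytes) -> int:
    """Map a message to the integer m (hash reduced mod N, demo encoding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def blind(m: int):
    """Alice: choose r coprime to N and hide m as m * r^e mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2          # r in [2, N-1]
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r

def sign_blinded(m_blinded: int) -> int:
    """Bob: ordinary RSA signing, applied to a value he cannot interpret."""
    return pow(m_blinded, D, N)

def unblind(s_blinded: int, r: int) -> int:
    """Alice: strip the factor r, since (m * r^e)^d = m^d * r mod N."""
    return (s_blinded * pow(r, -1, N)) % N

def verify(message: bytes, s: int) -> bool:
    """Anyone: check s^e mod N against the unblinded message."""
    return pow(s, E, N) == encode(message)

def demo(message: bytes = b"constructed ballot #1"):
    """Run one full exchange; returns (m, what Bob saw, final signature)."""
    m = encode(message)
    m_blinded, r = blind(m)
    s = unblind(sign_blinded(m_blinded), r)
    return m, m_blinded, s

if __name__ == "__main__":
    m, m_blinded, s = demo()
    print("Bob saw m itself:", m_blinded == m)
    print("signature valid:", verify(b"constructed ballot #1", s))
```

Running the exchange twice on the same message gives Bob two unrelated blinded values but yields the same final signature, which is why he cannot link what he signed to what is later presented.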
Blind Signatures for Untraceable Payments