# SECURITY WITHOUT IDENTIFICATION: TRANSACTION SYSTEMS TO MAKE BIG BROTHER OBSOLETE - 1985
###### tags: `Tag(HashCloak - DC Net Readings)`
Authors: DAVID CHAUM
Paper: http://www.cs.ru.nl/~jhh/pub/secsem/chaum1985bigbrother.pdf
Definitions:
### Table of Contents
[toc]
:::info
> Abstract: The large-scale automated transaction systems of the near future can be designed to protect the privacy and maintain the security of both individuals and organizations.
:::
### Introduction
> Computerization is robbing individuals of the ability to monitor and control the ways information about them is used.
On the other hand, organizations are vulnerable to abuses by individuals. Everyone pays indirectly when cash, checks, consumer credit, insurance, and social services are misused. The obvious solution for organizations is to devise more pervasive, efficient, and interlinked computerized record-keeping systems, perhaps in combination with national identity cards or even fingerprints. However, this would exacerbate the problem of individuals’ loss of monitorability and control, and would likely be unacceptable to many.
> The new approach presented here offers an effective and practical solution to these problems.
#### The New Approach and How It Differs
Three major differences define the new approach.
1. With the new approach, an individual uses a different account number or “digital pseudonym” with each organization.
2. Individuals conduct transactions under the new approach using personal card computers. (private/public key system)
3. The new approach allows all parties to protect their own interests.
#### COMMUNICATION TRANSACTIONS
> As more communication travels in electromagnetic and digital form, it becomes easier to learn more about individuals from their communication.
Exposure of message content is one obvious danger that is already addressed by well-known cryptographic coding techniques. A more subtle and difficult problem with current communication systems, however, is the exposure of “tracing information.” Individuals’ addresses, which are often required by organizations and are commonly sold freely by them as mailing lists, are one kind of tracing information.
So long as communication systems allow system providers, organizations, or eavesdroppers to obtain tracing information, they are a growing threat to individuals’ ability to determine how information about themselves is used.
The other side of the issue is that current systems provide inadequate protection against individuals who forge messages, or falsely disavow having sent or received messages. With paper communication, handwritten signatures are easily forged well enough to pass routine checking against signature samples and cannot be verified with certainty, even by expert witnesses.
As computerized systems come into wider use, potential for such abuse by individuals will increase, but such solutions under the current approach rely on tracing information and thus are in fundamental conflict with individuals’ ability to control access to information about themselves.
> Personal Note: Seems as though this issue was well thought out for many years. Interesting that tech did not move in this direction, why? What are the incentives not to? How are those altered?
#### Unconditional Untraceability
> The problem of preventing messages from being traced to the sender is now considered.
The essential concept of the solution can be illustrated by a hypothetical situation. Suppose you were invited to dine at a restaurant by two of your friends. After dinner, the waiter comes to your table and mentions that one of the three of you has already paid for the dinner, but he does not say which one. If you paid, your friends want to know since they invited you, but if one of them paid, they do not want you to be able to learn which of the two of them has paid.
The problem is solved at the table in the following simple way:
![](https://i.imgur.com/jDhrnWN.png)
* Your friends flip a coin behind a menu so that they can see the outcome, but you cannot.
* It is agreed that each of them will say aloud which side the coin falls on, but that if one of them paid that one should say the opposite side.
Cases:
1. The uninteresting case is when they both say heads or both say tails: Then everyone knows you paid.
2. If one of them says heads and the other says tails, however, then you know that one of the two of them paid, but you have absolutely no information as to which one.
The system described allows the friend who paid to send you an unconditionally untraceable message; even though you know who says what, you cannot trace the “I paid” message, no matter how clever or time consuming your analysis.
Converting this two-sender single-recipient system to a more general system requires several extensions.
Increasing the number of potential senders beyond two can prevent even cooperating subsets of potential senders from tracing transmissions to particular senders.
> Just as many other people may overhear the statements made at the table; actual systems would, in effect, broadcast each transmission to all participants, preventing anyone from knowing who receives which message.
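The table protocol generalized to n participants, as an added Python example (not code from the paper or from this note). Every pair of participants shares a secret coin, which is the paper's "more than two senders" extension of the single coin flipped behind the menu; each participant announces the XOR of the coins it holds, and the sender additionally flips its announcement. The `consistent_senders` helper is an assumption of this example rather than anything the paper specifies: it brute-forces the coins a colluding subset cannot see and shows that, from their view, every non-colluding participant remains an equally possible sender.

```python
import secrets
from itertools import combinations, product


def _announcement(p, coins, sender, message_bit):
    """What participant p says aloud: the XOR of every coin p holds,
    flipped if p is the sender of a 1 bit."""
    bit = message_bit if p == sender else 0
    for (i, j), c in coins.items():
        if p in (i, j):
            bit ^= c
    return bit


def dc_net_round(n_participants, sender, message_bit):
    """One round with n participants. Every pair shares a secret coin (the two
    friends' single coin behind the menu, generalised to all pairs).
    sender=None means nobody is sending. Returns (announcements, coins)."""
    coins = {pair: secrets.randbits(1)
             for pair in combinations(range(n_participants), 2)}
    announcements = [_announcement(p, coins, sender, message_bit)
                     for p in range(n_participants)]
    return announcements, coins


def recover_message(announcements):
    """Everyone hears all announcements (the broadcast); each coin appears in
    exactly two of them, so the coins cancel and only the message bit survives."""
    bit = 0
    for a in announcements:
        bit ^= a
    return bit


def consistent_senders(announcements, coins, colluders):
    """From the viewpoint of a colluding subset (they know every announcement
    and every coin one of them holds), which non-colluders could have sent the
    bit? Brute-forces the coins the colluders cannot see, so small n only."""
    n = len(announcements)
    hidden = [pair for pair in coins if not (set(pair) & colluders)]
    candidates = set()
    for s in range(n):
        if s in colluders:
            continue
        for guess in product((0, 1), repeat=len(hidden)):
            trial = dict(coins)
            trial.update(zip(hidden, guess))
            if all(_announcement(p, trial, s, 1) == announcements[p]
                   for p in range(n)):
                candidates.add(s)
                break
    return candidates


if __name__ == "__main__":
    # You (0) and two friends (1, 2); friend 2 paid and sends the bit.
    ann, coins = dc_net_round(3, sender=2, message_bit=1)
    print("announcements:", ann, "-> message bit", recover_message(ann))
    print("possible senders from your view:", consistent_senders(ann, coins, {0}))
```

With three participants and participant 0 as the only observer, the result is always `{1, 2}`: the announcements are consistent with either friend having paid, which is the "absolutely no information" property. The same holds for larger rings and cooperating subsets, as long as at least two participants remain outside the collusion.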
#### Digital Signatures
> Now consider the problem of preventing senders of messages from later disavowing their messages.
The immensely useful property of digital signatures is their resistance to “forgery.” No one, not even the organization that has your digital pseudonym, can easily forge a digital signature of yours.
If an organization cannot forge a digital signature of yours, then it cannot successfully claim that you sent it a message that you in fact did not send. A third-party arbiter would decide in favor of the organization only if that organization could show a digital signature that yielded the disputed message when translated with your digital pseudonym. But, because forgery is infeasible, the organization can only show such a message if you created it. Naturally, organizations would save copies of all digital signatures in anticipation of such disputes.
#### Digital Signatures in Practice
> A standard public mathematical procedure allows anyone with a private key to form a corresponding digital signature from a message, and a similar procedure allows recovery of the original message using the corresponding digital pseudonym.
Message confidentiality during transmission is obtained by using digital pseudonyms and private keys in a different way: After signing a message, but before transmitting it, the sender encodes it using the digital pseudonym of the intended recipient. Thus, the signed message can be recovered only by decoding the transmission using the intended recipient’s private key.
Currently, there are two strategies for preventing false disavowal of message receipt:
1. One imitates the approach currently used to certify paper mail: messages are only given to the recipient if the recipient provides a digitally signed receipt of delivery.
2. The other holds all potential recipients responsible for messages made available as a matter of public record. This allows either party to present the signed message and point to the corresponding doubly encoded transmission in the public record as evidence that the message was available for receipt.
#### Payment Transactions
> Abuses of payment systems by individuals, as well as abuses facilitated by payment systems, are also substantial and growing problems.
These problems are solved with the new systems since no organization, not even the payment system provider who maintains the accounts, is able to trace the flow of money between accounts. The system provider naturally knows the balance of each account, and if funds were to transfer between accounts instantaneously, the simultaneous but opposite changes in balance would make tracing easy.
The new system prevents such tracing in practice by allowing funds to be withdrawn and held as multidenomination notes, in some ways like “unmarked bills,” before they are deposited to other accounts.
> Personal Note: blockchain assets could act as this unmarked currency?
The systems differ from paper currency, however, in part because individuals, but not organizations, can allow transfers to be traced and audited whenever needed, making stolen funds unusable and these systems unattractive for many kinds of illicit payments.
**Blind Signatures for Untraceable Payments**
> The payment system introduced is based on an extension of digital signatures known as blind signatures.
This concept is easily understood by an analogy to carbon paper-lined envelopes. If you put a piece of paper inside such an envelope and a signature mark is later made on the outside of the envelope, the carbon paper in the envelope transfers the signature onto the slip.
Consider how you might use such envelopes to make payments:
* Suppose a bank had a special signature mark that it guaranteed to be worth one dollar, in the sense that the bank would pay one dollar for any piece of paper with that mark on it.
* You take a carbon-lined envelope containing a plain slip of paper to the bank and ask to withdraw one dollar from your account.
* The bank then deducts one dollar from your account, makes the signature mark on the outside of your envelope, and returns it to you.
* The signature is “blind” since the bank cannot see the slip through the envelope.
* Upon getting the unopened envelope back, you verify that the proper signature mark has been made on it.
* When you remove the slip from the envelope, it bears the carbon image of the bank’s signature mark.
* You can then go out and buy something for one dollar from a shop, using the signed slip to make payment. The shop verifies the carbon image of the bank’s signature on the slip before accepting it as payment.
The bank uses exactly the same signature mark to sign many such envelopes each day for all its account holders, and since all slips were hidden in envelopes during signing, the bank cannot know which envelope the slip was in. Therefore it cannot learn which account the funds were withdrawn from. More generally, the bank cannot determine which withdrawal corresponds with which deposit: the payments are untraceable.
![](https://i.imgur.com/BaWj7GJ.png)
**Leaving the Analogy**
> Actual payment systems would work very much along the lines of the paper analogy, except that they would use numbers.
1. A note number is first created by a physical random process within the individual’s card computer (like the note number chosen at random and written on the slip of paper by the payer).
2. Next, the card computer transforms this note number into the numeric equivalent of the message “this is note number: 416 . . . .” The card computer then “blinds” this numeric note by combining it with a second random number (corresponding to the payer choosing an envelope at random and placing the slip in it).
3. During withdrawal, the bank uses the private key of the desired denomination to form a digital signature on the numeric note (like the signature mark formed on envelopes by the bank).
4. When the signed blinded note is ultimately returned, the card computer is able to unblind the note by a process that removes the random blinding number from the digital signature while leaving the signature on the note (like the payer removing the envelope).
5. The organization receiving payment uses the digital pseudonym of the bank to decode the signature and verify that the numeric note contains an appropriate message and is thus a valid digital signature.
There might seem to be danger in that numbers, unlike paper, can be copied easily and exactly.
* A solution is for the bank to maintain a list of note numbers accepted, and to consult the list before accepting a note for deposit.
Another conceivable danger is that the bank’s digital signature could be forged, which would allow counterfeiting.
* The security against this kind of threat derives from the underlying digital-signature cryptographic technique, which is currently being proposed as an international standard and being used by banks and even to protect nuclear materials. The odds of someone guessing a valid signed numeric note or of any two independently chosen two-hundred-digit note numbers being the same are on the order of 1 in 10 to the 75th power.
The correspondence between withdrawals and deposits cannot be learned by the bank from the numbers. In the untraceable communication system described in the last section, the possible outcomes of the coin tosses were both equally likely, which meant that every correspondence between senders and messages was equally likely. Similarly, because all suitable numbers are equally likely to be used for the independent blinding of each note, all correspondences between withdrawals and deposits are equally likely. More specifically, a unique random blinding number is implied by the correspondence between any particular blinded note and any particular signed note.
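The five numeric steps above, carried through as an added Python example (not code from the paper or from this note) using an RSA blind signature, which is the construction Chaum's blind-signature work is built on; the section itself does not name the algorithm, so that choice is an assumption here. Other assumptions: the bank's key is a constructed toy modulus from two Mersenne primes, far too small for real use; a SHA-256 hash reduced mod N stands in for the paper's fixed "this is note number: ..." message format; and the `Bank` class, `payment_flow` and `links_are_ambiguous` are names invented for this example. The ordinary sign/verify pair is the same digital-signature primitive the earlier section describes, and `implied_blinding_factor` is the last paragraph's claim made concrete: every withdrawal/deposit pairing is explained by some blinding number, so the pairings tell the bank nothing.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy bank key: two Mersenne primes, quick to compute with but far
# too small for real use (deployments use 2048-bit or larger moduli).
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537                             # bank's "digital pseudonym" (public key)
D = pow(E, -1, (P - 1) * (Q - 1))     # bank's private key for the one-dollar denomination


def note_message(note_number):
    """Numeric form of "this is note number: ...". A hash reduced mod N stands in
    for the paper's fixed message format (assumption: any agreed encoding works)."""
    text = f"this is note number: {note_number}".encode()
    return int.from_bytes(hashlib.sha256(text).digest(), "big") % N


def blind(m):
    """Pick a random blinding factor r (the envelope); return (blinded note, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def unblind(blinded_sig, r):
    """Remove the envelope: (m * r^E)^D * r^-1 = m^D mod N, a plain signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(note_number, sig):
    """Shop or bank check, using only the bank's public key."""
    return pow(sig, E, N) == note_message(note_number)


class Bank:
    def __init__(self):
        self.balances = {}
        self.withdrawals = []   # blinded notes the bank signed: all it ever sees
        self.spent = set()      # note numbers already accepted for deposit

    def withdraw(self, account, blinded):
        """Deduct one dollar and sign the blinded note without seeing the note."""
        if self.balances.get(account, 0) < 1:
            raise ValueError("insufficient funds")
        self.balances[account] -= 1
        self.withdrawals.append(blinded)
        return pow(blinded, D, N)

    def deposit(self, note_number, sig):
        """Accept a note once: check the signature, then the spent list."""
        if not verify(note_number, sig) or note_number in self.spent:
            return False
        self.spent.add(note_number)
        return True

    def implied_blinding_factor(self, blinded, note_number):
        """For ANY (blinded note, deposited note) pair there is exactly one r that
        would link them: r = (blinded / m)^D mod N. Because every pairing yields a
        valid r, the pairings carry no information about which one is real."""
        m = note_message(note_number)
        return pow(blinded * pow(m, -1, N) % N, D, N)


def payment_flow(bank, account):
    """Card-computer side: create, blind, withdraw, unblind. Returns (note, sig)."""
    note = secrets.randbits(200)          # physical random process in the card
    blinded, r = blind(note_message(note))
    sig = unblind(bank.withdraw(account, blinded), r)
    return note, sig


def links_are_ambiguous(bank, deposited):
    """True if every withdrawal/deposit pairing is explained by some blinding factor."""
    for blinded in bank.withdrawals:
        for note, _sig in deposited:
            r = bank.implied_blinding_factor(blinded, note)
            if (note_message(note) * pow(r, E, N)) % N != blinded:
                return False
    return True


if __name__ == "__main__":
    bank = Bank()
    bank.balances["alice"] = 2
    note, sig = payment_flow(bank, "alice")
    print("valid:", verify(note, sig), "first deposit:", bank.deposit(note, sig),
          "copied note:", bank.deposit(note, sig))
```

The spent list is what answers the "numbers can be copied" objection: a second deposit of the same signed note is refused even though the signature still verifies. Requires Python 3.8 or newer for the modular-inverse form of `pow`.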
> Personal Note: Seems to allude to validators not being able to be discerned because there is always an equal probability of either state T or F?
### Credential Transactions
> There are legitimate needs for individuals to show credentials in relationships with many organizations. Problems arise when unnecessary data are revealed in the process.
The solution is based on an individual’s ability to take a specially coded credential issued under one pseudonym and to transform it into a similarly coded form of the same credential that can be shown under the individual’s other pseudonyms. Since these coded credentials are maintained and shown only by individuals, they provide control similar to that provided by certificates. Individuals can also tailor the coded form shown so that it provides only the necessary information and can ensure that obsolete information becomes unlinkable to current pseudonyms. Abuses by individuals, such as forgery, improper modification, and sharing, are prevented by the cryptographic coding and by the protocols for such coding.
Each person is able to use at most one pseudonym with any organization requiring such protection, thereby effectively preventing use of multiple complete identities. Extensions ensure accountability for abuses created under any of an individual’s pseudonyms.
**The Basic Credential System**
> The essential concept again is presented by analogy to carbon-lined envelopes.
1. First, you make up your pseudonyms at random and write them on a plain slip of paper.
2. When you want to get a credential from an organization, you put the slip of paper in a carbon-lined envelope with a window exposing only the part of the slip bearing the pseudonym you will use with that organization.
3. Upon receiving the envelope from you, the organization makes a special signature in a repeating pattern across the outside of the envelope.
4. The kind of signature pattern indicates the kind of credential the issuing organization decides to give the person whose pseudonym they see through the window; the signature pattern serves as the credential.
5. When you get the envelope back from the issuing organization, you verify the signature pattern.
6. Before showing the credential to an organization, you place the slip in an envelope with a window position exposing only the pseudonym you use with that organization and some of the adjacent credential signature pattern.
7. The receiving organization checks that the appropriate pseudonym and credential signature pattern are recognizable through the window.
> This approach naturally allows a variety of credentials to be obtained and shown.
You need not show all of your credentials to every organization: You can restrict that which is revealed to only what is necessary. Because of the way the signature patterns repeat across the slip, a recognizable part of every signature pattern appears adjacent to each pseudonym. In providing an envelope to an organization, though, you can limit the view through the window so that only necessary signatures are visible.
An organization can ensure that no individual is able to transact with it under more than one pseudonym. One way an individual could attempt to use more than one pseudonym with an organization is to use different pseudonyms on the same slip of paper.
This is prevented by a standard division of the slip into zones, where each zone is assigned to a particular organization; envelopes are accepted by an organization only if the window exposes the organization’s zone, which bears a single indelibly written pseudonym. A second way of attempting to use more than one pseudonym per organization is to use more than one slip. This is prevented by the establishment of an “is-a-person” organization that restricts each person to at most one is-a-person signature. Other organizations only accept envelopes with this signature recognizable through the windows. This is-a-person organization might ensure that it issues no more than one signature per person by taking a thumbprint and checking before giving a signature that the print is not already on file.
> The collection of thumbprints poses little danger to individuals, since the is-a-person organization cannot link the prints with anything.
![](https://i.imgur.com/Ce0rZUq.png)
**Credential Clearinghouses**
> When individuals have similar relationships with many organizations, there is often need for the centralized control provided by a credential clearinghouse, an organization that develops credential information about individuals’ relationships with its member organizations and provides this information to these organizations.
In current practice, clearinghouse functions are performed by such major organizations as credit agencies, bank associations, insurance industry associations, national criminal information systems, and tax authorities. Member organizations typically exchange information with clearinghouses during initiations and terminations of relationships.
Security against abuse by individuals requires that the enabling credential be prevented from being shown to more than one shop. Otherwise someone could obtain too much credit from a single enabling credential. Similarly, it should not be possible to show a single resolution credential more than once to the clearing house, since otherwise someone could convince the clearinghouse that more debt had been repaid than was in fact repaid.
**Structuring Clearinghouses**
> Further restrictions on the information available to clearinghouses, as well as better control of abuses by individuals, can be achieved by a partially hierarchical structuring of clearinghouses.
Hierarchical structuring can also be used to enforce sanctions against individuals perpetrating abuses with even a single organization.
Within a hierarchy of clearinghouses, each would expect to learn of serious abuses against organizations below it by a lack of special periodic “no serious abuse” credentials (or by a lack of resolution credentials); if a clearinghouse receives a complete set of such credentials, it also periodically issues a “no serious abuse” credential. Someone lacking such a credential from the highest level clearinghouses might be refused service by member organizations.
A more practical variation allows the same transfers of credentials to be conducted only once in advance, with each organization attaching, in terms of the envelope analogy, a locked padlock. Only when the individual receives the corresponding key to the lock from every organization that attached a lock can all the locks be removed and the credential be shown in the required form without locks. If the keys were required to be made available by organizations at a set interval before the credential is required, time might be provided for clearing up errors and misunderstandings, or even for more formal grievance procedures if needed.
#### Preventing the Use of Obsolete Information
If individuals change pseudonyms periodically, they cannot be linked to obsolete information. Pseudonyms might be changed on a yearly basis. The initial information associated with new pseudonyms would be provided through the transfer of credentials from previous pseudonyms. The changeovers might be staggered to allow time for completion of pending business. There are additional benefits to changing pseudonyms aside from the weeding out of obsolete information.
The periodic reduction to essential information also prevents organizations from gradually accumulating information that might ultimately be used to link pseudonyms. Another consequence of individuals transferring all the initial information for a period is that they must then know the requirements for information by each organization, must know where each piece of information comes from, and must consent to each such transfer. Thus, such arrangements ensure that information linkable by each organization is known to and agreed on, that is, that it can be monitored and controlled by individuals.
### BROADER ISSUES
#### Advantages to Individuals
> Individuals will be free to obtain their card computers from any source, to use whatever other hardware or software they choose, and to interface into the communication system wherever they please.
A convenient and reliable arrangement for maintaining the key involves dividing it into parts and giving different parts to various trustees. Unconditionally secure techniques allow various designated subsets of trustees to completely recover the key; other insufficient subsets would thus be unable to learn anything about the key. A sufficient subset of trustees could provide the key to its owner, if so requested. Other subsets might be sufficient to recover the key, the backup data, and the owner’s secret authorizing number, enabling the trustees in such subsets to take over the owner’s affairs when needed. More generally, such an approach illustrates how an individual’s right to designate proxies, a right that is of course enjoyed by organizations, is ensured.
Even assuming that sophisticated criminals could extract the information content of tamper-resistant parts of the card, a great many actual trial uses of guessed authorizing numbers with organizations might still be required before the actual number could be determined, making such attacks quite likely to be detected and to fail. Individuals can always sacrifice their protection by revealing linking information. Of course, the systems discussed here can provide secure relationships without requiring such disclosures. It is even possible under exceptional circumstances for persons accused of abuses under pseudonyms to demonstrate that the pseudonyms are not theirs, without revealing linking information.
For example, in communication transactions, people could show that their physical entry to the system was not used for a particular message; in payment transactions, they could show that a payment did not involve their account; and in credential transactions, they could show that a pseudonym was not among the set obtainable under their thumbprint.
> Personal Note: Important for fighting against gov't reg. so validators can prove that they DIDN'T do something wrong?
Pseudonyms would be used only for the computerized part of ordinary consumer transactions, in a way that would provide acceptable protection against linking. Pseudonym use might be transparent to anyone conducting transactions: People never need to actually see pseudonyms and could usually forget that they were being used.
> Personal Note: If the pseudonyms of validators changed, users would never have to notice. If the main goal is to provide anti-linkability. Might be useful enough to simply allow users to be seen as a validator, but for a GPA to not be able to uncover that validator's identity.
#### Advantages to Organizations
> Organizations also have much to gain: Transaction systems under the new approach will bring all the advantages of advanced computerization, improve security, and be a force for improved goodwill from the public.
Not only do organizations generally have an interest in maintaining good relations with individuals; in making transactions, they have many of the same interests and concerns as individuals. Thus, the advantages to individuals considered above apply in part to organizations as well.
### Conclusion
Economic centralization may be furthered under the current approach. Computerization has already allowed organizations to grow to unprecedented size and influence. Further computerization could increase aggregation and centralization by allowing service providers and other major actors to obtain far-reaching information about individuals.
If this information were partitioned into separate unlinkable relationships, such aggregation and centralization might be reversed.
The new approach offers individuals and small organizations the same access to such services as large organizations.