donau

Donation authority for GNU Taler (experimental)

commit 03018458bdfdc2aed5a9109e2e7582044fa10fcc
parent d35a53f6b03958c065ff43246f03517ee18ad239
Author: Jonathan <ondesmartenot@riseup.net>
Date:   Tue, 21 Jan 2025 23:49:19 +0800

slightly more formal definition of blind signatures

Diffstat:
M doc/usenix-security-2025/paper/technicaldesign.tex | 58 ++++++++++++++++++++++++++++++++--------------------------
1 file changed, 32 insertions(+), 26 deletions(-)

diff --git a/doc/usenix-security-2025/paper/technicaldesign.tex b/doc/usenix-security-2025/paper/technicaldesign.tex @@ -36,8 +36,11 @@ some cryptographic background followed by the setup and usage. % Concepts from cryptography are also explained when necessary. % \subsection{Background \& Terminology}\label{notation_and_definitions} - This section gives an informal introduction to some concepts from cryptography -which are used later in the report. + Digital cash makes use of \textbf{blind signatures} to issue tokens~\cite{Chaum89}. Our + design uses the same mechansim to unlink the donation process from the issued + donation receipts, thus preserving the anonymity properties of the digital + cash used to make a donation. This section introduces the definition and + security properties of blind signatures. % \paragraph{Cryptographic Hash Function} % A cryptographic hash function $H$ is a function that takes as input an arbitrarily 
@@ -75,33 +78,36 @@ which are used later in the report. % nobody can generate a signature that verifies for some message under a % public key if they do not have access to the matching private key. - \paragraph{Blind Signature} - - A \textbf{blind signature} is a type of digital signature where the -signing party signs a so-called blinded message. The party requesting the signature -hides the true message with a {\bf blinding factor}, which only they know. -Signature schemes that support blind signatures are constructed in such a way -that one can compute a signature that is valid on the original (not blinded) -message from the blind signature and the blinding factor. -Requirements on the blind signature scheme are that the -signer does not learn anything about the message they are signing and cannot -link the unblinded signature to the blind one they signed. - - The {\bf blinding} operation requires the message $m$ to blind, the -blinding factor $b$ and the public key $K_x^{\pub}$ of the party issuing the -blind signature, written as $\overline{m} = \blind(m, b, K_x^{\pub})$. -We write the {\bf unblinding} operation as -$\beta = \unblind(\overline{\beta}, b, K_x^{\pub})$, -where $\overline{\beta}$ is the value to unblind, $b$ the blinding factor to -apply and $K_x^{\pub}$ the public key that was used for signing. - + \paragraph{Blind signatures} + Informally, a blind signature is a digital signature where the signer does + not know the message that they are signing. The party requesting the + signature hides the true message with a secret value called a {\bf blinding + factor}, which can later be used to derive a valid signature on the + original, unblinded message. + + Like standard digital signature schemes, blind signature schemes should + achieve \textbf{unforgeability} --- the property that users without the + secret signing key should be unable to generate new, valid + signatures. 
Unlike standard digital signatures, blind signatures must also + achieve \textbf{blindness} --- the property that curious signers should + never be able to link previously issued blind signatures with their + unblinded counterparts. + + \begin{definition}{Blind Signature} + + \textrm{Slightly more formally, we define blind signatures as a quadruple of algorithms:} + \begin{itemize} + \item $ KeyGen(1^\lambda)$: Generates a verification/signing key pair $(K^{\pub}, K^{\priv})$. + \item $Blind(m, b, K_x^{\pub})$: Takes a message $m$, blinding factor $b$, and verification key $K_x^{\pub}$ of the signer $X$ and computes the blinded message $\overline{m}$. + \item $BlindSign(K_x^{\priv}, \overline{m})$: Takes secret signing key $K_x^{\priv}$ and blinded message $\overline{m}$ and computes the blind signature $\overline{\sigma}$. + \item $Unblind(\overline{\sigma}, b, K_x^{\pub})$: Takes blind signature $\overline{\sigma}$, blinding factor $b$ and verification key $K_x^{\pub}$ of the signer $X$, and returns the unblinded signature $\sigma$ (or $\bot$). + \end{itemize} + \end{definition} \subsection{Key generation and initial setup}\label{key_generation_and_initial_setup} -Digital cash makes use of blind signatures to issue -tokens~\cite{Chaum89}. Our design uses the same mechansim to unlink the -donation process from the issued donation receipts, thus preserving -the anonymity properties of the digital cash used to make a donation. +Before incognito donations to charities can be executed, all parties (Donau, +charities, and donors) must perform an initial setup. \subsubsection{Donau key generation}\label{donau_key_generation} \begin{enumerate}
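Review bot: In the first hunk (@@ -36,8 +36,11 @@), the added line "design uses the same mechansim to unlink the donation process" misspells "mechanism". The typo was already in the paragraph that the second hunk removes from the key-generation subsection, so it should be fixed as part of the move. The new introduction also says the section "introduces the definition and security properties of blind signatures", while the subsection is still titled "Background \& Terminology" and the hash-function and signature paragraphs below it stay commented out; either retitle the subsection or drop the dead commented paragraphs so the heading matches what the section now covers.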
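Review bot: In the second hunk (@@ -75,33 +78,36 @@), the definition lists a "quadruple of algorithms" (KeyGen, Blind, BlindSign, Unblind) but no verification algorithm, even though the paragraph above it states unforgeability in terms of "new, valid signatures" and Unblind is allowed to return $\bot$. Without a Verify item, "valid" has no definition and neither unforgeability nor blindness can be stated against the scheme; suggest adding an item of the form $Verify(K_x^{\pub}, m, \sigma)$ and a one-line correctness condition tying it to the output of Unblind. Two smaller points in the same hunk: KeyGen returns $(K^{\pub}, K^{\priv})$ without the signer subscript that every other item uses ($K_x^{\pub}$, $K_x^{\priv}$), and the removed text wrote the operations with the \blind and \unblind macros and $\beta$ for the signature, whereas the new items use italic $Blind$, $Unblind$ and $\sigma$, so any later section still using the old notation needs updating. Also check that \begin{definition}{Blind Signature} typesets as intended, since theorem-style environments normally take the title as an optional argument in square brackets and the environment's declaration is not visible in this diff.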