donau

Donation authority for GNU Taler (experimental)

commit 918f7f9c4c83e7a790a0b5d6302776b5e7850556
parent e6fe2cdbf0f841125ff44c7bd542a56ab46c081f
Author: Tanja Lange <tanja@hyperelliptic.org>
Date:   Wed, 22 Jan 2025 22:18:59 +0100

adding example for blind signatures, wording

Diffstat:
M doc/usenix-security-2025/paper/technicaldesign.tex | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/doc/usenix-security-2025/paper/technicaldesign.tex b/doc/usenix-security-2025/paper/technicaldesign.tex @@ -100,6 +100,21 @@ some cryptographic background followed by the setup and usage. \item $Unblind(\overline{\sigma}, b, K^{\pub})$: Takes blind signature $\overline{\sigma}$, blinding factor $b$ and verification key $K^{\pub}$ of the signer, and returns the unblinded signature $\sigma$ on message $m$ (or $\bot$). \end{itemize} +It should be impossible for the signer to infer information about the message +they sign and it should be impossible for them to trace their signature later, +see Hoepman's recent paper~\cite{2023/hoepman} highlighting that these are two +separate requirements. + +The most well-known blind signature scheme, going back to Chaum's original +work~\cite{Chaum89}, is based on RSA. A signature on message $m$ under RSA key +public key $(n,e)$ is $s\equiv m^d \bmod n$, where $(n,d)$ is the corresponding +private key. Instead of asking for a signature on $m$ one can request a +signature on the blinded value $m'\equiv m\cdot r^e \bmod n$ for some randomly +chosen $r$, receive the blind signature $s'$, and obtain the signature on $m$ +by unblinding $s'$ by computing $s'/r \bmod n$. + + + \subsection{Key generation and initial setup}\label{key_generation_and_initial_setup} Before incognito donations to charities can be executed, all participants in 
@@ -132,18 +147,19 @@ $C^{\pub}$ is registered in the Donau database. \subsubsection{Donor Identifier generation} -A donor uses their Donor Identifier every time they -make a donation and again when requesting a donation receipt from the Donau. - Each donor generates a personal \textbf{Donor Identifier} $\DI$ by computing a salted hash of their taxpayer ID \begin{align*} \DI = H(\texttt{TAXID}, S) \end{align*} -where $S$ is a random salt with sufficient entropy to -prevent guessing attacks and {\tt TAXID} is their taxpayer ID. +where $H$ is a cryptographic hash function and +$S$ is a random salt with sufficient entropy to +prevent guessing attacks, and {\tt TAXID} is their taxpayer ID. The donor stores the salt $S$ along with their $\DI$. +A donor uses their Donor Identifier every time they +make a donation and again when requesting a donation receipt from the Donau. + They need to use the salt to link the Donation Identifier to their tax ID and claim the tax benefits for their donation. The use of the salt ensures that the $\DI$ cannot be linked to the donor by anybody
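Review bot: in the first hunk (@@ -100,6 +100,21 @@), the added RSA paragraph defines the signature as $s\equiv m^d \bmod n$ on the message $m$ itself, without saying that $m$ stands for a hashed or encoded representative of the message; raw RSA is multiplicatively homomorphic, so a reader could take this as the scheme actually used. Suggest saying explicitly that $m$ denotes the (full-domain) hash of the message, or that this is the textbook form shown for illustration only. In the same paragraph, "some randomly chosen $r$" should require $r$ to be invertible modulo $n$, since the unblinding step divides by $r$, and one line showing $s' \equiv (m r^e)^d \equiv m^d r \bmod n$ would make the unblinding step self-evident. The example also uses $s'$ and $r$ where the itemized definition just above uses $\overline{\sigma}$ and $b$; aligning the symbols would tie the example to $Unblind(\overline{\sigma}, b, K^{\pub})$. Minor: "under RSA key public key $(n,e)$" repeats "key", and the hunk adds three blank lines before \subsection where one is enough.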
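Review bot: in the second hunk (@@ -132,18 +147,19 @@), the relocated paragraph "A donor uses their Donor Identifier every time they make a donation ..." now sits between "The donor stores the salt $S$ along with their $\DI$." and "They need to use the salt to link ...", which separates the statement that the salt is stored from the explanation of why it is needed. Suggest placing the usage paragraph after the salt explanation, or merging the two salt sentences so they stay adjacent. The rewritten "where" clause reads "$H$ is a cryptographic hash function and $S$ is a random salt ..., and {\tt TAXID} is their taxpayer ID", which chains two "and"s and repeats the definition of TAXID already given in "a salted hash of their taxpayer ID"; a comma-separated list, or dropping the TAXID clause, would read more cleanly. The trailing context line says "Donation Identifier" while the rest of the subsection uses "Donor Identifier"; worth making consistent while this passage is being edited.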