exchange

Base system with REST service to issue digital coins, run by the payment service provider

commit b384d758b2c102f3b08ff5610902de967194ee83
parent 6f9cbf1f2bf1ef74c6147b680426b3aa726ec258
Author: Emmanuel Benoist <emmanuel.benoist@bfh.ch>
Date:   Wed,  2 Jul 2025 15:53:39 +0200

First version of the Introduction for the paper comparing the blind signature schemes

Diffstat:
A doc/cs/article/biblio-blind-signatures.bib | 29+++++++++++++++++++++++++++++
A doc/cs/article/blind-signatures.tex | 121+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 150 insertions(+), 0 deletions(-)

diff --git a/doc/cs/article/biblio-blind-signatures.bib b/doc/cs/article/biblio-blind-signatures.bib @@ -0,0 +1,28 @@ +@inproceedings{chaum1983blind, + title={Blind signatures for untraceable payments}, + author={Chaum, David}, + booktitle={Advances in Cryptology: Proceedings of Crypto 82}, + pages={199--203}, + year={1983}, + organization={Springer} +} +@article{chaum2021issue, + title={How to issue a central bank digital currency}, + author={Chaum, David and Grothoff, Christian and Moser, Thomas}, + journal={arXiv preprint arXiv:2103.00254}, + year={2021} +} +@inproceedings{chaum1990untraceable, + title={Untraceable electronic cash}, + author={Chaum, David and Fiat, Amos and Naor, Moni}, + booktitle={Advances in Cryptology—CRYPTO’88: Proceedings 8}, + pages={319--327}, + year={1990}, + organization={Springer} +} +@article{poitras2013nsa, + title={NSA monitors financial world}, + author={Poitras, Laura and Rosenbach, Marcel and Stark, Holger}, + journal={Speigel Online}, + year={2013} +} +\ No newline at end of file diff --git a/doc/cs/article/blind-signatures.tex b/doc/cs/article/blind-signatures.tex 
@@ -0,0 +1,120 @@ +\documentclass{article} + +\title{Blind signatures schemes for enhancing the privacy of payees} + +\author{Emmanuel Benoist, Christian Grothoff, \dots} +\begin{document} + +\maketitle + +\section{Introduction} + +This article compares several blind signature techniques and their +applications in the issuing of privacy preserving payments. + +The blind signature presented by Chaum \cite{chaum1983blind} corresponds to the possibility for the owner of a key pair (private / public) to sign an element without knowing the precise content of this element. The main use of this type of signature is for someone (other than the person holding the key pair) to sign a token which will then be anonymised. This enables the creation of anonymous tokens that can be used to prove authorisation independently of any authentication that takes place first. + + +The main purpose of blind signing is to preserve user privacy. Whereas +the usual signature is used to certify an element. Blind signing +enables an element to be certified without any knowledge of it. From +the outset, this signature system has been designed to enable e-Cash \cite{chaum1990untraceable} to be used in a variety of ways. In this article, we will show how different blind signature systems can be used to enable electronic payments that protect the privacy of payers while being totally transparent with regard to the money received by merchants. This enables a payment system that is both compatible with regulations against money laundering or the financing of terrorism and at the same time protects the privacy of citizens. + + + +\subsection{Privacy in existing Payment Systems} +\paragraph{Traditional bank payment systems} +The traditional banking system allows two main types of payment. On the one hand, we have payments by bank transfer, debit card or cheque. 
In this case, the money is transferred from one bank account to another and the two banks know the two parties involved (the one sending and the one receiving the money). The system can be more complicated with an intermediary such as SWIFT, which is used to clear transactions. At least the two banks know all the information about the transaction: origin, destination, amount, date and time of the transaction. + +On the other hand, we have credit card payments. In this case, an intermediary (the credit card issuer) pays the merchant directly and invoices the customer at a later date. In this case, the customer's bank, if it is not the credit card issuer, only sees one global payment. In this way, the credit card issuer knows all the expenses of each of its customers: origin, destination, amount, date and time of the transaction. Income paid by credit card is also known to the merchant's bank. + +The case of NSA spying on financial transactions \cite{poitras2013nsa} +shows that the data gathered in the SWIFT system or the credit card +institutions are very attractive to the intelligence services. + +\paragraph{Blockchains} +Cryptocurrencies based on blockchain use a list of transctions that is basically shared amoung all the full nodes replicating the block chain. The most successful systems are Bitcoin and Ethereum \cite{}. For those two systems, the list of the transactions for all the actors are public. Hence, there is no intrinsec privacy in both systems. One can use tumblering servers \cite{} to hide the provenance or destination of funds. But even this has been exploited by researchers \cite{}. + +There exist systems based on a blockchain that can provide a pretty good privacy. For instance Monero \cite{} provides a system based on ring signature, where the provenance of money is hidden in a group of transactions and can not be differenciated. Making it practically not doable to follow the flow of money in this ledger. 
Monero is therefore offering anonymity for the payer and the payee. This feature has made it a mean of payment for darknet transactions \cite{}. + + + +\paragraph{Cash} +Payment in cash can hardly be scrutinized. There is no way to see who did by what at which amount if it is payed in cash. But authorities try to limit the ability to use cash for illegal purpose. They have created anti-money laundering (AML) regulations for limiting the possibility of cash to interact with the banking system. + +In some countries, there are limits on how much cash someone can withdraw from their bank account \cite{}. Most countries also limit the amount that can be deposited into a bank account \cite{}. If the amount exceeds a threshold, the bank must investigate the origin of the money and verify its validity. + +Cash is protecting the privacy of the actors (payers and payee) and is used in illegal transactions. Therefore, connections between cash and the traditional banking systems are monitored tightly. + +\subsection{GNU Taler privacy model} +GNU Taler provides privacy to the payer and no privacy for the payee. This way, people can freely spend their money. But in the same time, there is no way to use this system for the financing of crime of tax evasion. + +\paragraph{Technical solutions} +Taler has been developed with a privacy by design idea. This means that the technical solution used to mint coins is basically not authorizing to access data from the different payers. + +The GNU Taler system is based on the blind signature schemes. In a blind signature scheme (originally the one of Chaum, now Clause-Schnorr or XXXX) the authority signing does not know the information signed, just know that the user asking for the signature has the right to do so. + +In the case of the payment, a user generates a proto-coin (basically a pair of private and public keys plus a ``denomination''). A denomination is one of the types of coins available (1 cent, 2 cents, 4 cents, 8 cents, \dots). 
This proto-coin is blinded with a random value. Then the central authority responsible for issuing the coins (called an ``Exchange'') signs the proto-coin with the private key corresponding to the right denomination. It verifies that the user did transfer that amount of money. But since the signature was blind, the exchange has no way to know which coin it signed. Once unblinded, the coin is totally anonymous. + +The user can spend the coin as it wants. The merchant will send the coin to the exchange and get its money from the exchange. In this case, the exchange knows exactly to whom the money goes. It also verifies that each signed coin is just spent once. So no double spent is possible. But even though, it has no way to know which user issued that coin initially. + +\paragraph{Organisational solutions} + +Privacy of payers is given by the blind signature, but it should not be used for money laundering, financing terrorism or any illegal activities. + +In order to prohibit illegal activities, some organisational hurdles must be put in place. It depends on the legal framework where the exchange operates. Some exchanges may restrict the amount of money that one physical person, that is known using a Know Your Customer (KYC) procedure, may withdraw in a certain period of time. The limitation can be done for each bank account, in a way to let the bank do the KYC. Some limitations on the amount a merchant can deposit may also be done. 
+ + +\subsection{Comparison of GNU Taler and traditional payment means} + +\begin{table}[ht] + \centering + \begin{tabular}{|l|c|c|c|c|} + \hline + &\multicolumn{2}{c|}{Privacy}&\multicolumn{2}{c|}{Mass surveillance}\\ + &Consumer&Merchant&National&Global\\ + \hline + Wire transfer&No&No&Yes&No\\ + Credit Cards&No&No&Yes&Yes\\ + Bitcoin and Ethereum& No &No\footnote{requires an additional step: tumblering}&complex\footnote{Surveillance of activities on bitcoin and ethereum blockchain are not possible for poor and small states.}&Yes\\ + Monero&Yes&Yes&No&No\footnote{Evidences are lacking that a big state is able to deanonymize Monero transactions}\\ + GNU Taler&Yes&No&Yes&No\\ + \hline + \end{tabular} + \caption{Privacy of the different payment means} + \label{tab:privacy} +\end{table} + +Table~\ref{tab:privacy} presents the features of the different payment systems regarding on one side the privacy, of customers or merchants, and on one other side, the possibility for law enforcement agency or global surveillance actors to monitor transactions. + +GNU Taler offers privacy where it is needed and no privacy where it is not needed. Customers have the possibility to spend their money without being seen. Global actors do not have access to any data of the different actors in the market. They can not see any transaction done by local customers or even merchants. But on the same time, GNU Taler allow local law enforcement agencies to fight the financing of criminal activities. + +\subsection{Structure of this paper} +The blind signature is the cornerstone of the GNU Taler system, and there are different ways to implement it. We will present three ways to implement the blind signature. + +% FIXME : write the exact size of the keys for Clause Schnorr. +In section~\ref{sec:rsa} we will present the blind signature for RSA designed by Chaum. Then in section~\ref{sec:cs} we will present the Clause-Schnorr blind signature that uses eliptic curve cryptography. 
The main advantage of eliptic curves cryptography is the size of keys and signatures. Whereas RSA uses 2048 or 4096 long keys, Clause-Schnorr will use XXX bit long keys. + +The next big revolution in cryptography could be Quantum computers. If quantum computers were to work properly, they could break existing cryptography protocols (like RSA or Clause-Schnorr). So, even if there is not any evidence yet of a working quantum computer that would have the capabilities to break large keys, one should prepare for such an event. In section~\ref{sec:pq} we present the solution for post quantum cryptography we have designed for GNU Taler. + +In the last section (Section~\ref{sec:comparison}) we compare the advantages and disadvantages of each of those blind signature schemes for our purpose of blindly sign coins in the GNU Taler framework. We see how fast they run and also how much memory or how large the databases must be. + +\section{RSA blind signature}\label{sec:rsa} + +\section{Clause Schnorr blind signature}\label{sec:cs} + +\section{Post-Quantum solution for blind signature}\label{sec:pq} + +\section{Comparisons of the different models}\label{sec:comparison} + + + +\section{Conclusion} + + +\nocite{chaum2021issue} + +\bibliographystyle{abbrv} + +\bibliography{biblio-blind-signatures} +\end{document} +\ No newline at end of file
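Review bot: in the `poitras2013nsa` entry of the .bib hunk, `journal={Speigel Online}` misspells the publication (should read `Spiegel Online`), and the entry carries no URL or access date even though it is an online news article, so the `abbrv` style will print only a title, authors and a year with nothing a reader can follow; add a `howpublished` or `note` field with the link and date, or use `@misc` instead of `@article`. The file also ends without a trailing newline (`\ No newline at end of file`), which makes every later append show up as a change to the last `}` line.

Review bot: the `\footnote` commands placed inside the `tabular` of the `table` float (the `Bitcoin and Ethereum` and `Monero` rows, e.g. `No\footnote{requires an additional step: tumblering}`) will typeset the footnote marks but drop the footnote text, because footnotes inside a float's `tabular` are not output by standard LaTeX; use `\footnotemark` in the cells and `\footnotetext{...}` after `\end{tabular}`, or a package such as `threeparttable`. The same hunk contains seven empty `\cite{}` commands (Bitcoin/Ethereum, tumbler servers, the deanonymization research, Monero, darknet use, and both cash limits) plus the `XXXX` and `XXX bit` placeholders in the Clause-Schnorr sentences; each of these renders as `[?]` or literal text, so either fill them or mark them with a `% FIXME` comment like the one already used for the key sizes so they are easy to find before submission. Spelling to fix on the next pass: `transctions`, `amoung`, `intrinsec`, `tumblering`, `differenciated`, `eliptic` (twice), `payed`, and `crime of tax evasion` (presumably `crime or tax evasion`).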