IACR Summerschool – Blockchain Technologies Cryptographic e-Cash Jan Camenisch IBM Research – Zurich @JanCamenisch ibm.biz/jancamenisch © 2016 IBM Corporation eCash scenario & requirements Bank Withdrawal Deposit User Spend Merchant Requirements ● Anonymity: Withdrawal and Deposit must be unlinkable ● No Double Spending: Coin is bit-strings, can be spend twice 2 June 1, 2016 © 2016 IBM Corporation Towards a Solution: do it like paper money Bank Withdrawal 100 User 100 100 Deposit Spend Merchant # Sign notes with digital signature scheme – Note = (serial number #, value) – Secure because • signature scheme can not be forged • bank will accepts some serial number only once → on-line e-cash – Not anonymous because (cf. paper solution) • bit-string of signature is unique • serial number is unique 3 June 1, 2016 © 2016 IBM Corporation Towards a Solution Bank Withdrawal 100 100 100 User 100 100 Deposit Spend Merchant # Use (more) cryptography – Hide serial number from bank when issuing • e.g., sign commitment of serial number – Reveal serial number and proof • knowledge of signature on • commitment to serial number – Anonymous because of commitments scheme and zero-knowledge proof 4 June 1, 2016 © 2016 IBM Corporation How to implement this? Signature Schemes Encryption Schemes Zero-Knowledge Proofs Commitment Schemes ..... challenge is to do all this efficiently! 5 June 1, 2016 © 2016 IBM Corporation mathematical setting 6 June 1, 2016 © 2016 IBM Corporation Abelian Groups A set G with operation ▫ is called a group if: – closure for all a,b, in G → a ▫ b in G – commutativity for all a,b, in G → a ▫ b = b ▫ a – associativity for all a,b,c, in G → (a ▫ b) ▫ c = a ▫ (b ▫ c) – identity there exist some e in G, s.t. for all a: a ▫ e = a – invertibility for all a in G, there exist a-1 in G: a ▫ a-1 = e # Example: integers under addition (Z,+)={...,-2,-1,0,1,2,...} or (Zn,+) = {0,1,2,...,n-1} identity: e = 0 inverse: a-1 = - a June 1, 2016 © 2016 IBM Corporation Cyclic Groups # exponentiation = repeated application of ∙ , e.g., a3 = a ∙ a ∙ a # a group is cyclic if every element is power of some fixed element: – i.e., for each a in G, there is unique i such that gi = a – g = generator of the group – define g0= 1 = identity element G = <g> = {1=g0, g1, g2, ..., ., gq-1} – q = |G|= order of group if q is a prime number then G is cyclic → computation in exponents can be done modulo q: gi= gi mod q # computing with exponents: gi+j = gi ∙ gj gij = June 1, 2016 (gi) gi-j = gi / gj = gi ∙ (gj )-1 j i g-i = (g-1) = (gi) -1 © 2016 IBM Corporation The Discrete Logarithm Problem given g and x it is easy to compute gx, g1/x, .... given gx and gy it is easy to compute gx gy = gx+y Discrete Log Assumption given gx it is hard to compute x Diffie-Hellman Assumption given gx and gy it is hard to compute gxy Decisional Diffie-Hellman Assumption given gx, gy, and gz June 1, 2016 it is hard to decide if gz = gxy © 2016 IBM Corporation commitment scheme 10 June 1, 2016 © 2016 IBM Corporation Commitment Scheme: Functionality m m m, 2-36-17 June 1, 2016 ? mє m © 2016 IBM Corporation Commitment Scheme: Security Binding m, 2-36-17 m', 3-21-11 June 1, 2016 ? m є m ? m' є m © 2016 IBM Corporation Commitment Scheme: Security Binding m, 2-36-17 m', 3-21-11 June 1, 2016 ? m є m ? m' є m © 2016 IBM Corporation Commitment Scheme: Security Hiding: for all message m, m' m m' June 1, 2016 m m' © 2016 IBM Corporation Commitment Scheme: Security Hiding: for all message m, m' m m' June 1, 2016 m m' ? m m' m m' © 2016 IBM Corporation Commitment Schemes Group G = <g> = <h> of order q To commit to element x Є Zq: • Pedersen: perfectly hiding, computationally binding choose r Є Zq and compute c = gxhr • ElGamal: computationally hiding, perfectly binding: choose r Є Zq and compute c = (gxhr, gr) To open commitment: • reveal x and r to verifier • verifier checks if c = gxhr June 1, 2016 © 2016 IBM Corporation Pedersen's Commitment Scheme Pedersen's Scheme: Choose r Є Zq and compute c = gxhr Perfectly hiding: Let c be a commitment and u= logg h Thus c = gxhr = gx+ur = g(x+ur')+u(r-r') = gx+ur'hr-r' for any r'! I.e., given c and x' here exist r' such that c = gx'hr' Computationally binding: Let c, (x', r') and (x, r) s.t. c = gx'hr' = gxhr Then gx'-x = hr-r' and u = logg h = (x'-x)/(r-r') mod q June 1, 2016 © 2016 IBM Corporation Commitment Scheme: Extended Features Proof of Knowledge of Contents m Proof m true Proof of Relations among Contents m, m' Proof m = 2 •m' June 1, 2016 m m' true © 2016 IBM Corporation Commitment Scheme: Extended Features Let C1 = gmhr and C' = gm'hr then: m Proof m true PK{(α,β): C = gβhα } m, m' Proof m = 2 •m' PK{(α,β,γ): June 1, 2016 m m' true C' = gβhα ⋀ C = (g2)βhγ } © 2016 IBM Corporation zero-knowledge proofs 20 June 1, 2016 © 2016 IBM Corporation Zero-Knowledge Proofs # interactive proof between a prover and a verifier about the prover's knowledge Commitment Challenge Response # properties: zero-knowledge verifier learns nothing about the prover's secret proof of knowledge (soundness) prover can convince verifier only if she knows the secret completeness if prover knows the secret she can always convince the verifier 21 June 1, 2016 © 2016 IBM Corporation Zero Knowledge Proofs of Knowledge of Discrete Logarithms Given group <g> and element y Є <g> . Prover wants to convince verifier that she knows x s.t. y = gx such that verifier only learns y and g. x Prover: random r t := gr t c s := r - cx y, g Verifier: s random c t = gs yc ? notation: PK{(α): y = gα } 22 June 1, 2016 © 2016 IBM Corporation Zero Knowledge Proofs: Security Proof of Knowledge Property: If prover is successful with non-negl. probability, then she “knows” x = log g y , i.e., ones can extract x from her. Assume c ∈ {0,1}k and consider execution tree: c=0 x c = 2k-1 x .. .. x x If success probability for any prover (including malicious ones) is >2 -k then there are two accepting tuples (t,c1,s1) and (t,c2,s2) for the same t. June 1, 2016 © 2016 IBM Corporation Zero Knowledge Proofs: Security Prover might do protocol computation in any way it wants & we cannot analyse code. Thought experiment: # Assume we have prover as a black box → we can reset and rerun prover # Need to show how secret can be extracted via protocol interface t x t c x s t = gs yc = gs' yc' s' → yc'-c = gs-s' → y = g(s-s')/(c'-c) → June 1, 2016 c' x = (s-s')/(c'-c) mod q © 2016 IBM Corporation Zero Knowledge Proofs: Security Zero-knowledge property: If verifier does not learn anything (except the fact that Alice knows x = log g y ) Idea: One can simulate whatever Bob “sees”. Choose random c', s' compute t := g s' c' y t c if c = c' send s' = s , otherwise restart s Problem: if domain of c too large, success probability becomes too small June 1, 2016 © 2016 IBM Corporation Zero Knowledge Proofs: Security One way to modify protocol to get large domain c: x y, g Prover: Verifier: random r random c,v h := H(c,v) t := gr h := H(c,v) ? s := r - cx h t c,v s t = gs yc ? notation: PK{(α): y = gα } 26 June 1, 2016 © 2016 IBM Corporation Zero Knowledge Proofs: Security One way to modify protocol to get large domain c: Choose random c', s' compute t' := gs' yc' after having received c “reboot” verifier Choose random s compute t := gs yc send s h t' c,v h t c,v s June 1, 2016 © 2016 IBM Corporation From Protocols To Signatures Signature SPK{(α): y = gα }(m): Signing a message m: - chose random r Є Zq and - compute - output c := H(gr||m) = H(t||m) s := r - cx mod (q) (c,s) Verifying a signature (c,s) on a message m: - check c = H(gs yc||m) ? ↔ t = gs yc ? Security: - underlying protocol is zero-knowledge proof of knowledge - hash function H(.) behaves as a “random oracle.” 28 June 1, 2016 © 2016 IBM Corporation Zero Knowledge Proofs of Knowledge of Discrete Logarithms Many Exponents: PK{(α,β,γ,δ): y = gα hβzγkδuβ } Logical combinations: PK{(α,β): y = gα ∧ z = gβ ∧ u = gβhα } PK{(α,β): y = gα ∨ z = gβ } Intervals and groups of different order (under SRSA): PK{(α): y = gα ∧ α Є [A,B] } PK{(α): y = gα ∧ z = gα ∧ α Є [0,min{ord(g),ord(g)}] } Non-interactive (Fiat-Shamir heuristic, Schnorr Signatures): PK{(α): y = gα }(m) 29 June 1, 2016 © 2016 IBM Corporation Some Example Proofs and Their Analysis Let g, h, C1, C2, C3 be group elements. Now, what does PK{(α1,β1,α2,β2, α3, β3): C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ C3 =gα3hβ3∧ C3 = gα1gα2hβ3 } mean? → Prover knows values α1, β1, α2, β2, β3 such that C1= gα1hβ1 , C2= gα2hβ2 and C3 = gα1gα2hβ3 = gα1 + α2 hβ3 = g α3 hβ3 α3 = a1 + a2 (mod q) And what about: PK{(α1,...,β3): → C3 = gα1gα2hβ3 = gα1 + 5 α2 hβ3 α3 = a1 + 5 a2 30 C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ C3 =gα3hβ3 ∧ C3 = gα1 (g5)α2hβ3 } June 1, 2016 (mod q) © 2016 IBM Corporation Some Example Proofs and Their Analysis Let g, h, C1, C2, C3 be group elements. Now, what does C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ C3 =gα3hβ3 ∧ C3 = C2α1hβ3 } mean? PK{(α1,..,β3): → Prover knows values α1, β1, α2, β2, β3 such that C1= gα1hβ1 , C2= gα2hβ2 and C3 = C2α1hβ3 = (gα2hβ2)α1hβ3 = gα2·α1hβ3+β2·α1 C3 = gα2·α1 hβ3+β2·α1 = gα3 hβ3' a3 = a1 · a2 (mod q) And what about PK{(α1,β1 β2): → 31 C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ C2 = C1α1hβ2 } a2 = a12 (mod q) June 1, 2016 © 2016 IBM Corporation Some Example Proofs and Their Analysis Let g, h, C1, C2, C3 be group elements. Now, what does PK{(α1,..,β2): C1= gα1hβ1 ∧ C2= gα2hβ2 ∧ g = (C2/C1)α1hβ2 } mean? → Prover knows values α, β1, β2 such that C1= gα1hβ1 g = (C2/C1)α1hβ2 = (C2 g-α1h-β1)α1 hβ2 → g1/α1 = C2 g-α1h-β1 hβ2/α1 C2 = gα1 hβ1 h-β2/α1 g1/α1 = gα1 + 1/α1 hβ1-β2/α1 C2 = gα2 hβ2 α2 = α1 + a1-1 (mod q) 32 June 1, 2016 © 2016 IBM Corporation signature schemes 33 June 1, 2016 © 2016 IBM Corporation Signature Scheme: Functionality Key Generation June 1, 2016 © 2016 IBM Corporation Signature Scheme: Functionality Signing (m1,..., mk) σ = sig((m1,..., mk), ) June 1, 2016 © 2016 IBM Corporation Signature Scheme: Functionality Verification (m1,..., mk) σ σ = sig((m1,..., mk), ) ver(σ,(m1,..., mk), ) = true June 1, 2016 © 2016 IBM Corporation Signature Scheme: Security Unforgeability under Adaptive Chosen Message Attack m1 June 1, 2016 σ1 © 2016 IBM Corporation Signature Scheme: Security Unforgeability under Adaptive Chosen Message Attack m1 ml June 1, 2016 σ1 σl © 2016 IBM Corporation Signature Scheme: Security Unforgeability under Adaptive Chosen Message Attack m1 ml σ1 σl σ' and m'≠ mi s.t. ver(σ', m', June 1, 2016 ) = true © 2016 IBM Corporation Signature Scheme: Security Unforgeability under Adaptive Chosen Message Attack m1 ml σ1 σl σ' and m'≠ mi s.t. ver(σ', m', June 1, 2016 ) = true © 2016 IBM Corporation signature schemes with protocols 41 June 1, 2016 © 2016 IBM Corporation Signature Scheme: Signing Hidden Messages ( m1 m,... , m m,jmj+1,..., mk) σ ver(σ,(m1,..., mk), ) = true σ = sig((( m1 mj, mj+1,..., mk), ) m,... , m Verification remains unchanged! Security requirements basically the same, but • Signer should not learn any information about m1, ..., mj • Forgery w.r.t. message clear parts and opening of commitments June 1, 2016 © 2016 IBM Corporation Proving Possession of a Signature σ on (m1,..., mk) June 1, 2016 © 2016 IBM Corporation Proving Possession of a Signature σ on (m1,..., mk) {mi | i є S} June 1, 2016 © 2016 IBM Corporation Proving Possession of a Signature σ on (m1,..., mk) {mi | i є S} σ, {mi | i є/ S} {mi | i є S}, Proof protocol true Variation: ● Send also mi to verifier and ● Prove that committed messages are signed ● Prove properties about hidden/committed m i June 1, 2016 © 2016 IBM Corporation Blind Signatures vs Signatures with Protocols can be used multiple times can be used only once Damgaard,Camenisch&Lysyanska ya Chaum, Brands, et al. Discrete Logs, RSA,.. Strong RSA, DL-ECC,.. June 1, 2016 © 2016 IBM Corporation Some signature schemes 47 June 1, 2016 © 2016 IBM Corporation RSA Signature Scheme – For Reference Rivest, Shamir, and Adlemann 1978 Secret Key: two random primes p and q Public Key: n := pq, prime e, and collision-free hash function H: {0,1}* -> {0,1}ℓ Computing signature on a message m Є {0,1}* d := 1/e mod (p-1)(q-1) s := H(m) d mod n Verification of signature s on a message m Є {0,1}* se = H(m) Correctness: se = (H(m)d)e = H(m)d·e = H(m) 48 June 1, 2016 (mod n) (mod n) © 2016 IBM Corporation RSA Signature Scheme – for reference Verification signature on a message m Є {0,1}* e s := H(m) (mod n) Wanna do proof of knowledge of signature on a message, e.g., PK{ (m,s): se = H(m) (mod n) } But this is not a valid proof expression!!!! :-( 49 June 1, 2016 © 2016 IBM Corporation CL-Signature Scheme Public key of signer: RSA modulus n and ai, b, d Є QRn, Secret key: factors of n To sign k messages m1, ..., mk Є {0,1}ℓ : ● choose random prime 2ℓ+2 > e > 2ℓ+1 and integer s ≈ n ● compute c : c = (d / (a m1·...· a mk bs ))1/e mod n 1 ● 50 k signature is (c,e,s) June 1, 2016 © 2016 IBM Corporation CL-Signature Scheme To verify a signature (c,e,s) on messages m1, ..., mk: ● m1, ..., mk Є {0,1}ℓ: ● e > 2ℓ+1 ● d = ce a m1 1 ·...· a mk k bs mod n Theorem: Signature scheme is secure against adaptively chosen message attacks under Strong RSA assumption. 51 June 1, 2016 © 2016 IBM Corporation Sign blindly with CL signatures ( m1 m,... , m m,jmj+1,..., mk) σ σ = sig((( m1 mj, mj+1,..., mk), ) m,... , m C=a m1 a 1 m2 2 bs’ m2 m1 C + PK{(m1,m2,s’): C = a1 a2 s’ b } Choose e,s” (c,e,s’’) e d= c a 52 June 1, 2016 m1 1 a 2 m2 a m3 3 b s’+s’’ c = (d/(C a 3 m3 bs”))1/e mod n mod n © 2016 IBM Corporation Proving Knowledge of a CL-signature Recall: d = ce a1m1a2m2 bs mod n Observe: # Let c' = c btmod n with randomly chosen t # Then d = c'e a1m1a2m2 bs-et (mod n), i.e., (c',e, s* = s-et) is also signature on m1 and m2 To prove knowledge of signature (c',e, s*) on m2 and some m1 # provide c' # PK{(ε, µ1, σ) : d/a2m2 := c'ε a1µ1 b σ ∧ µ Є {0,1}ℓ ∧ ε > 2ℓ+1 } → proves d := c'ε a1µ1 a2m2b σ 53 June 1, 2016 © 2016 IBM Corporation Realizing On-Line eCash 54 June 1, 2016 © 2016 IBM Corporation Recall basic idea Bank Withdrawal 100 100 100 User 100 100 Deposit Spend Merchant # Issue coin: Hide serial number from bank when issuing – sign commitment of random serial number # Spend coin: reveal serial number and proof – knowledge of signature on – commitment to serial number 55 June 1, 2016 © 2016 IBM Corporation On-line E-cash: Withdrawal Choose e,s” c = (d/(C bs”))1/e mod n choose random #, s' and compute C=a 1 # bs' p + C of o r ”) s , e (c, (c,e,s”+s') s.t. d = ce a June 1, 2016 1 # bs” + s' (mod n) © 2016 IBM Corporation On-line E-cash: Payment (c,e,s”+s') s.t. e d= c a 1 # b s” + s' (mod n) compute s' c' = c b mod n proof = PK{(ε, µ, ρ, σ) : June 1, 2016 #, c', pro of d/a # 1 = c'ε b σ (mod n) } © 2016 IBM Corporation On-line E-cash: Payment (c,e,s”+s') s.t. 1 # b s” + s' (mod n) compute s' c' = c b mod n proof = PK{(ε, µ, ρ, σ) : June 1, 2016 #, c', pro of d/a # 1 #, c', proof e d= c a # Є L? OK/ not OK = c'ε b σ (mod n) } © 2016 IBM Corporation Security # Anonymity – Bank does not learn # during withdrawal – Bank & Shop do not learn c, e when spending (c ”) s , ,e #, c', pro of June 1, 2016 #, c', proof C of o r p + # Є L? OK/ not OK © 2016 IBM Corporation Security Double Spending: # Spending = Compute –c' = c bs'mod n –proof = PK{(ε, µ, ρ, σ) : d/a # 1 = c'ε b σ (mod n) } # Can use the same # only once.... – If more #'s are presented than withdrawals: • Proofs would not sound • Signature scheme would not secure June 1, 2016 © 2016 IBM Corporation Realizing Off-Line eCash 61 June 1, 2016 © 2016 IBM Corporation Recall On-Line E-Cash On-Line Solution: 1. Coin = random serial # (chosen by user) signed by Bank 2. Banks signs blindly 3. Spending by sending # and prove knowledge of signature to Merchant 4. Merchant checks validy w/ Bank 100 5. Bank accepts each serial # only once. 100 100 Off-Line: - Can check serial # only after the fact - … but at that point user will have been disappeared... June 1, 2016 © 2016 IBM Corporation Towards off-line signatures Goal: – spending coin once: OK – spending coin twice: anonymity revoked kabl n i L t No 100 No t Lin ka b Link abl e 100 e le 100 Seems like a paradox, but crypto is all about solving paradoxical problems :-) 63 June 1, 2016 © 2016 IBM Corporation Off-line E-cash Main Idea: – Include #, id, r – Upon spending: reveal #, and t = id + r u, with c randomly chosen by merchant – t won't reveal anything about id! – However, given two equations (for the same #, id, r) t1 = id + r u1 t2 = id + r u2 one can solve for id. June 1, 2016 © 2016 IBM Corporation Off-line E-cash: Withdrawal choose random #, r, s' and compute C=a 1 # a 2 r bs' p + C of o r d = ce C a 3 nym bs” mod n ”) s , e (c, (c,e,s”+s') s.t. d = ce a June 1, 2016 1 # a 2 r a 3 nym bs” + s' (mod n) © 2016 IBM Corporation Off-line E-cash: Payment Let G=<g> be a group of order q (c,e,s”+s') s.t. e d= c a # a 1 2 r a 3 nym b s” + s' t, # , c' compute t = r + u nym mod q c' = c bs'mod n proof = PK{(ε, µ, ρ, σ) : d/a June 1, 2016 1 # (mod n) u , pr oo f = c'ε a ρa µ b σ (mod n) 2 3 choose random u ⋀ gt = gρ (gu)µ } © 2016 IBM Corporation Off-line E-cash: Payment PK{(ε, µ, ρ, σ) : d/a 1. d = c'ε a 1 # 1 = c'ε a ρa µ b σ (mod n) ⋀ gt = gρ (gu)µ } # 2 3 a ρa µ b σ (mod n) 2 => (c', ε, σ) 3 is a signature on (#, µ, ρ) 2. gt = gρ+uµ => t = ρ + u µ mod q, i.e., t was computed correctly! June 1, 2016 © 2016 IBM Corporation Off-line E-cash: Deposit # Є L? If so: 1. t = ρ + u µ (mod q) 2. t' = ρ + u' µ (mod q) solve for ρ and µ. => µ = nym because of proof u, t, #, proof June 1, 2016 © 2016 IBM Corporation Off-line E-cash: Security # Unforgeable: – no more coins than #'s, • otherwise one can forge signatures • or proofs are not sound – if coins with same # appears with different u's => reveals nym # Anonymity: – # and r are hidden from signer upon withdrawal – t does not reveal anything about nym (is blinded by r) – proof proof does not reveal anything June 1, 2016 © 2016 IBM Corporation Extensions and more e-Cash # K-spendable cash – Multiple serial numbers and randomizers per coin – Use PRF to generate serial number and randomizers from seed in coin # Money laundering preventions – Must not spend more that $10000 dollars with same party – Essentially use additional coin defined per merchant that controls this Other protocols from these building blocks, essentially anything with authentication and privacy # Anonymous credentials, eVoting, .... Alternative building blocks # A number of signatures scheme that fit the same bill # (Verifiable) encryption schemes that work along as well # Alternative framework: Groth-Sahai proofs plus “structure-preserving” schemes June 1, 2016 © 2016 IBM Corporation Thank you! # eMail: [email protected] # Links: – www.abc4trust.eu – www.futureID.eu – www.au2eu.eu – www.PrimeLife.eu – www.zurich.ibm.com/idemix – idemixdemo.zurich.ibm.com # Code – github.com/p2abcengine & abc4trust.eu/idemix 71 June 1, 2016 © 2016 IBM Corporation References # D. Chaum, J.-H. Evertse, and J. van de Graaf. An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In EUROCRYPT ’87, vol. 304 of LNCS, pp. 127–141. Springer-Verlag, 1988. # S. Brands. Rapid demonstration of linear relations connected by boolean operators.In EUROCRYPT ’97, vol. 1233 of LNCS, pp. 318–333. Springer Verlag, 1997. # Mihir Bellare: Computational Number Theory http://www-cse.ucsd.edu/~mihir/cse207/w-cnt.pdf # Camenisch, Lysanskaya: Dynamic Accumulators and Applications to Efficient Revocation of Anonymous Credentials. Crypto 2002, Lecture Notes in Computer Science, Springer Verlag. # Ateniese, Song, Tsudik: Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer Verlag. # Jan Camenisch, Natalie Casati, Thomas Gross, Victor Shoup: Credential Authenticated Identification and Key Exchange. CRYPTO 2010:255-276 # Jan Camenisch, Maria Dubovitskaya, Gregory Neven: Oblivious transfer with access control. ACM Conference on Computer and Communications Security 2009: 131-140 # Ateniese, Song, Tsudik: Quasi-Efficient Revocation of Group Signatures. In Financial Cryptography 2002, Lecture Notes in Computer Science, Springer Verlag. # M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko: The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, Volume 16, Number 3. Pages 185 -215, Springer-Verlag, 2003. # E. Bangerter, J. Camenisch and A. Lyskanskaya: A Cryptographic Framework for the Controlled Release Of Certified Data. In Twelfth International Workshop on Security Protocols 2004. www.zurich.ibm.com/~jca/publications # Stefan Brands: Untraceable Off-line Cash in Wallets With Observers: In Advances in Cryptology – CRYPTO '93. Springer Verlag, 1993. June 1, 2016 © 2016 IBM Corporation References # J. Camenisch and A. Lyskanskaya: Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation. www.zurich.ibm.com/~jca/publications # David Chaum: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. In Communications of the ACM, Vol. 24 No. 2, pp. 84—88, 1981. # David Chaum: Blind Signatures for Untraceable Payments. In Advances in Cryptology – Proceedings of CRYPTO '82, 1983. # David Chaum: Security Without Identification: Transaction Systems to Make Big Brother obsolete: in Communications of the ACM, Vol. 28 No. 10, 1985. # Camenisch, Shoup: Practical Verifiable Encryption and Decryption of Discrete Logarithms. CRYPTO 2003: 126-144 # Victor Shoup: A computational introduction to Number Theory and Algebra. Available from: http://www.shoup.net/ntb/ # D. Chaum: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. In Communications of the ACM. # D. Chaum: The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1988. # J. Camenisch and V. Shoup: Practical Verifiable Encryption and Decryption of Discrete Logarithms. In Advances in Cryptology CRYPTO 2003. # T. ElGamal: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology CRYPTO '84. June 1, 2016 © 2016 IBM Corporation

- Similar pages