Blind Signatures for Untraceable Payments
Planted
Tended
- Published 1982
- Author: David Chaum
Notes
Analogy: carbon (copy) paper inside an envelope
Definitions
Given the following commutative inverse functions: \begin{gathered} \textsf{invert}\\ s(s^{-1}(x)) = x\\ \textsf{where } s \textsf{ and } s^{-1} \textsf{ are the public and private keys} \\[1em] \textsf{commute inverse}\\ c^{-1}(s^{-1}(c(x))) = s^{-1}(x) \\[1em] \textsf{redundancy checker predicate}\\ r : x \to Bool\\ \textsf{...thus...}\\ \begin{aligned} \textsf{publicCheck} &: signed \to Bool\\ \textsf{publicCheck} &= r \circ s \end{aligned} \end{gathered}
Steps
- Provider chooses an x that is verifiable (r(x)), and sends the encrypted c(x) to the signer
- Signer performs the signature s^{-1}(c(x)) and sends it back to the provider
- Provider removes the encryption layer via c^{-1}(s^{-1}(c(x))) = s^{-1}(x)
- A validator can check the signature via r(s(s^{-1}(x)))
Payment Flow
- Payer generates a bunch of xs, each of which represent (eg) $1
- Forwards all c(x) to the bank
- The bank signs them: s^{-1}(c(x))
- Payer performs \cancel{c^{-1}(}s^{-1}(\cancel{c(}x))) = s^{-1}(x)
- Payer hands s^{-1}(x) to a payee
- Payee runs the public check \textsf{publicCheck}(s^{-1}(x))) = true
- Payee sends s^{-1}(x) to the bank
- Bank checks that r(\cancel{s(s^{-1}(}x))) = true
- Banks records that x was spent, and updates balances
Caveats
- The bank does know who the payer and payee are at the end
- x and s^{-1}(x) must be treated as (shared) secrets
- Payer or payee can attempt to double spend