
every organization they do business with and so make dossiers impossible. They could pay for
goods in untraceable electronic cash or present digital credentials that serve the function of a
banking passbook, driver's license or voter registration card without revealing their identity. At
the same time, organizations would benefit from increased security and lower record-keeping
costs.
Recent innovations in microelectronics make this vision practical by providing personal
"representatives" that store and manage their owners' pseudonyms, credentials and cash.
Microprocessors capable of carrying out the necessary algorithms have already been embedded
in pocket computers the size and thickness of a credit card. Such systems have been tested on a
small scale and could be in widespread use by the middle of this decade.
The starting point for this approach is the digital signature, first proposed in 1976 by Whitfield
Diffie, then at Stanford University. A digital signature transforms the message that is signed so
that anyone who reads it can be sure of who sent it [see "The Mathematics of Public-Key
Cryptography", by Martin E. Hellman; Scientific American, August 1979]. These signatures
employ a secret key used to sign messages and a public one used to verify them. Only a
message signed with the private key can be verified by means of the public one. Thus, if Alice
wants to send a signed message to Bob (these two are the cryptographic community's favorite
hypothetical characters), she transforms it using her private key, and he applies her public key
to make sure that it was she who sent it. The best methods known for producing forged
signatures would require many years, even using computers billions of times faster than those
now available.
To see how digital signatures can provide all manner of unforgeable credentials and other
services, consider how they might be used to provide an electronic replacement for cash. The
First Digital Bank would offer electronic bank notes: messages signed using a particular private
key. All messages bearing one key might be worth a dollar, all those bearing a different key five
dollars, and so on for whatever denominations were needed. These electronic bank notes could
be authenticated using the corresponding public key, which the bank has made a matter of
record. First Digital would also make public a key to authenticate electronic documents sent
from the bank to its customers.
To withdraw a dollar from the bank, Alice generates a note number (each note bears a different
number, akin to the serial number on a bill); she chooses a 100-digit number at random so that
the chance anyone else would generate the same one is negligible. She signs the number with
the private key corresponding to her "digital pseudonym" (the public key that she has
previously established for use with her account). The bank verifies Alice's signature and
removes it from the note number, signs the note number with its worth-one-dollar signature and
debits her account. It then returns the signed note along with a digitally signed withdrawal
receipt for Alice's records. In practice, the creation, signing and transfer of note numbers would
be carried out by Alice's card computer. The power of the cryptographic protocols, however,
lies in the fact that they are secure regardless of physical medium: the same transactions could
be carried out using only pencil and paper.
When Alice wants to pay for a purchase at Bob's shop, she connects her "smart" card with his
card reader and transfers one of the signed note numbers the bank has given her. After verifying
the bank's digital signature, Bob transmits the note to the bank, much as a merchant verifies a
credit card transaction today. The bank reverifies its signature, checks the note against a list of
those already spent and credits Bob's account. It then transmits a "deposit slip," once again
unforgeably signed with the appropriate key. Bob hands the merchandise to Alice along with
his own digitally signed receipt, completing the transaction.
This system provides security for all three parties. The signatures at each stage prevent any one
from cheating either of the others: the shop cannot deny that it received payment, the bank
cannot deny that it issued the notes or that it accepted them from the shop for deposit, and the
customer can neither deny withdrawing the notes from her account nor spend them twice.
This system is secure, but it has no privacy. If the bank keeps track of note numbers, it can link
each shop's deposit to the corresponding withdrawal and so determine precisely where and
when Alice (or any other account holder) spends her money. The resulting dossier is far more
intrusive than those now being compiled. Furthermore, records based on digital signatures are
more vulnerable to abuse than conventional files. Not only are they self-authenticating (even if
they are copied, the information they contain can be verified by anyone), but they also permit a
person who has a particular kind of information to prove its existence without either giving the
information away or revealing its source. For example, someone might be able to prove
incontrovertibly that Bob had telephoned Alice on 12 separate occasions without having to
reveal the time and place of any of the calls.
I have developed an extension of digital signatures, called blind signatures, that can restore
privacy. Before sending a note number to the bank for signing, Alice in essence multiplies it by
a random factor. Consequently, the bank knows nothing about what it is signing except that it
carries Alice's digital signature. After receiving the blinded note signed by the bank, Alice
divides out the blinding factor and uses the note as before.
The blinded note numbers are "unconditionally untraceable"; that is, even if the shop and the
bank collude, they cannot determine who spent which notes. Because the bank has no idea of
the blinding factor, it has no way of linking the note numbers that Bob deposits with Alice's
withdrawals. Whereas the security of digital signatures is dependent on the difficulty of
particular computations, the anonymity of blinded notes is limited only by the unpredictability
of Alice's random numbers. If she wishes, however, Alice can reveal these numbers and permit
the notes to be stopped or traced.
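
The withdrawal, blinding and deposit steps described above can be traced in code. This is an added example, not code from the article: it assumes RSA as the bank's signature scheme and a SHA-256 hash of the note number before signing (the article names neither), and the key, built from two Mersenne primes, is a constructed toy value.

```python
import hashlib
import secrets
from math import gcd

# Toy bank key built from two Mersenne primes (constructed for the demo, not secure).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # bank's private exponent for the one-dollar key

def digest(note: int) -> int:
    """Hash the note number so the bare RSA signature is not malleable (assumption)."""
    return int.from_bytes(hashlib.sha256(str(note).encode()).digest(), "big")

def new_note() -> int:
    """Alice picks a random 100-digit note number."""
    return 10**99 + secrets.randbelow(9 * 10**99)

def blind(note: int):
    """Alice multiplies the hashed note by r^E; returns (blinded value, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (digest(note) * pow(r, E, N)) % N, r

def bank_sign(blinded: int) -> int:
    """The bank signs whatever it is handed; it never sees the note number."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Alice divides out r: (h * r^E)^D = h^D * r (mod N)."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(note: int, sig: int) -> bool:
    """Anyone holding the public key (N, E) can check a note."""
    return pow(sig, E, N) == digest(note)

class Bank:
    """Deposit side: on-line check against the list of notes already spent."""
    def __init__(self):
        self.spent = set()

    def deposit(self, note: int, sig: int) -> bool:
        if not verify(note, sig) or note in self.spent:
            return False
        self.spent.add(note)
        return True
```

The unblinded signature is identical to the one the bank would have produced on the note directly, yet the only value the bank saw at withdrawal was the blinded one, so its withdrawal records cannot be matched to deposits.
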
Blinded electronic bank notes protect an individual's privacy, but because each note is simply a
number, it can be copied easily. To prevent double spending, each note must be checked on-line
against a central list when it is spent. Such a verification procedure might be acceptable when
large amounts of money are at stake, but it is far too expensive to use when someone is just
buying a newspaper. To solve this problem, my colleagues Amos Fiat and Moni Naor and I
have proposed a method for generating blinded notes that requires the payer to answer a random
numeric query about each note when making a payment. Spending such a note once does not
compromise unconditional untraceability, but spending it twice reveals enough information to
make the payer's account easily traceable. In fact, it can yield a digitally signed confession that
cannot be forged even by the bank.
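
How a second spend can expose the payer while a single spend reveals nothing is shown below in simplified form. This is an added sketch, not the authors' published construction: it assumes the account identifier is split into XOR pairs committed with SHA-256, treats the shop's query as a string of challenge bits, and omits the bank's blind signature over the commitments; `K` and all function names are hypothetical.

```python
import hashlib
import secrets

K = 16  # number of identity pairs per note (constructed parameter)

def commit(value: bytes, salt: bytes) -> bytes:
    return hashlib.sha256(salt + value).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_note(account: bytes):
    """Payer splits her account id into K pairs (a_i, a_i XOR account)."""
    secret, public = [], []
    for _ in range(K):
        a = secrets.token_bytes(len(account))
        halves = (a, xor(a, account))
        salts = (secrets.token_bytes(16), secrets.token_bytes(16))
        secret.append((halves, salts))
        public.append(tuple(commit(h, s) for h, s in zip(halves, salts)))
    return secret, public   # `public` is what the bank would blind-sign

def pay(secret, challenge):
    """Answer the shop's query: open one half of each pair, chosen by its bit."""
    return [(bit, secret[i][0][bit], secret[i][1][bit])
            for i, bit in enumerate(challenge)]

def check_payment(public, challenge, response) -> bool:
    """Shop verifies every opened half against the signed commitments."""
    if not (len(public) == len(challenge) == len(response)):
        return False
    return all(bit == c and commit(half, salt) == public[i][bit]
               for i, (c, (bit, half, salt)) in enumerate(zip(challenge, response)))

def trace(resp1, resp2):
    """Bank compares two deposits of one note; any differing bit exposes the id."""
    for (b1, h1, _), (b2, h2, _) in zip(resp1, resp2):
        if b1 != b2:
            return xor(h1, h2)
    return None   # identical challenges: nothing beyond one payment is revealed
```

Each opened half on its own is a uniformly random string, so one payment says nothing about the account; two payments answered under different challenges open both halves of at least one pair, and their XOR is the account identifier.
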
Cards capable of such anonymous payments already exist. Indeed, DigiCash, a company with
which I am associated, has installed equipment in two office buildings in Amsterdam that
