Cryptography Reference
In-Depth Information
$m$, chosen by the newly arriving user who wants to be anonymous in
the future. When registering for the service, the user doesn't present
$m$ per se, just $m$ after being modified by some blinding factor, a
value that is chosen differently depending on the digital signature
algorithm that will be used to certify the coin. In the case of an RSA
signature, this would be another random value $b$ encrypted by the
public key. The signature will reverse this encryption, allowing the
blinding factor to be stripped out later:
1. Alice wants to register for anonymous access to the server, a
process through which the server might ask for a real identity.
This happens outside the TOR cloud.
2. Alice downloads the server's public key. In the case of RSA, this
would be a modulus $n$ and an exponent $e$.
3. Alice chooses a random blinding factor $b$ and a random serial
number for the coin, $m$, computes $b^e m \bmod n$ and sends this to
the server while registering.
4. The server responds by signing this value. In the case of RSA,
that means computing
$(b^e m)^d \bmod n = b^{de} m^d \bmod n = b\,m^d \bmod n$,
where $d$ is the corresponding private exponent. The
server returns this to Alice.
5. Alice strips out the blinding factor. In the case of RSA, this
means multiplying by $b^{-1} \bmod n$. This produces $m^d \bmod n$, a
valid digital signature on $m$ that was produced without revealing
$m$ to the server.
Alice is free to use this anonymous token at any time by submitting
both $m$ and $m^d \bmod n$. (The server might impose
time limits by changing the values of the public and private keys,
$d$, $e$, and $n$, from time to time.) If Alice behaves well, she can get
another anonymous token by working through the same algorithm
again with a new serial number, $m$. The server would keep track of
the spent serial numbers to prevent reuse.
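The five steps and the redemption check above, as an added Python example that is not from the book. It uses the same unpadded ("textbook") RSA as the formulas on this page; the toy key, the function names and the `CoinServer` class are assumptions made for illustration, and the key is far too small and too structured for real use.

```python
import secrets
from math import gcd

# Constructed toy key (two Mersenne primes): illustration only, not a secure key.
P, Q = 2**89 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # server's private exponent d

def blind(m, n=N, e=E):
    """Alice, step 3: pick b coprime to n, return (b, b^e * m mod n)."""
    while True:
        b = secrets.randbelow(n - 2) + 2
        if gcd(b, n) == 1:
            return b, (pow(b, e, n) * m) % n

def server_sign(blinded, n=N, d=D):
    """Server, step 4: (b^e m)^d = b * m^d mod n. The server never sees m."""
    return pow(blinded, d, n)

def unblind(signed_blinded, b, n=N):
    """Alice, step 5: multiply by b^-1 mod n, leaving m^d mod n."""
    return (signed_blinded * pow(b, -1, n)) % n

class CoinServer:
    """Redemption side: verify the signature and refuse spent serials."""
    def __init__(self):
        self.spent = set()

    def redeem(self, m, sig, n=N, e=E):
        if not (1 < m < n) or pow(sig, e, n) != m:
            return "invalid"
        if m in self.spent:
            return "already spent"
        self.spent.add(m)
        return "accepted"

def demo():
    m = secrets.randbelow(N - 2) + 2            # coin serial number
    b, blinded = blind(m)
    sig = unblind(server_sign(blinded), b)
    server = CoinServer()
    return m, blinded, sig, [server.redeem(m, sig),
                             server.redeem(m, sig),
                             server.redeem(m, (sig + 1) % N)]

if __name__ == "__main__":
    print(demo()[3])
```

The value the server signs differs for every fresh $b$, so it cannot match a redeemed $m$ to the registration that produced it; only the spent-serial set links two uses of the same coin.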
There are limitations to this approach too. The server must make
a decision about Alice's behavior before giving her a new coin for
another visit. If Alice's misbehavior comes to light after this coin is
generated, well, there's nothing that can be done. The chain of abuse
will continue.
A more robust algorithm called Nymble proposes a way of
constructing the coins so they can be linked together. It adds, in essence,
a trap door to the blinding mechanism that is minded by a separate