## Making a Nymbler Nymble using VERBS (Extended Version). Computer Science (2010)

Citations: 6 (6 self)

### BibTeX

    @TECHREPORT{Henry10makinga,
      author      = {Ryan Henry and Kevin Henry and Ian Goldberg},
      title       = {Making a Nymbler Nymble using VERBS (Extended Version). Computer Science},
      institution = {},
      year        = {2010}
    }

### Abstract

In this work, we propose a new platform to enable service providers, such as web site operators, on the Internet to block past abusive users of anonymizing networks (for example, Tor) from further misbehaviour, without compromising their privacy, and while preserving the privacy of all of the non-abusive users. Our system provides a privacy-preserving analog of IP address banning, and is modeled after the well-known Nymble system [29,47,48]. However, while we solve the same problem as the original Nymble scheme, we eliminate the troubling situation in which users must trust their anonymity in the hands of a small number of trusted third parties. Unlike other approaches that have been considered in the literature [10,44,45,46], we avoid the use of trusted hardware devices or unrealistic assumptions about offline credential issuing authorities who are responsible for ensuring that no user is able to obtain multiple credentials. Thus, our scheme combines the strong privacy guarantees of [10,44,45,46] with a simple infrastructure as in [29,47,48]. To prevent malicious third parties from trivially colluding to reveal the identities of anonymous users, we make use of a number of standard zero-knowledge proofs, and to maintain efficiency we introduce a new cryptographic technique which we call verifier-efficient restricted blind signatures, or VERBS. Our approach allows users to perform all privacy-sensitive computations locally, and then prove in zero-knowledge that the computations were performed correctly in order to obtain efficiently verifiable signatures on the output — all without revealing either the result of the computation or any potentially identifying information to the signature-issuing authority. Signature verification in our proposed VERBS scheme is 1–2 orders of magnitude more efficient than verification in any known restricted blind signature scheme.

### Citations

2466 | Handbook of Applied Cryptography - Menezes, Oorschot, et al. - 1996

831 | How to prove yourself: Practical solutions to identification and signature problems - Fiat, Shamir - 1986
Citation context: ... those groups.) This proof works the same way as the ordinary proof of equality of discrete logarithms: the prover chooses v and outputs g^v and t^v; the verifier (or a hash function if the Fiat-Shamir [25] method is used) chooses a challenge c; the prover outputs r = v − cx; the verifier accepts if G^c g^r = g^v and B^c t^r = t^v. The twist in our scenario is that G is not available to the verifier; o...

771 | Tor: the second-generation Onion router - Dingledine, Mathewson, et al.
Citation context: ...on, anonymous credentials, zero-knowledge proofs, restricted blind signatures. 1 Introduction. Anonymity networks provide users with a means to communicate privately over the Internet. The Tor network [22] is the largest deployed anonymity network; it aims to defend users against traffic analysis attacks by encrypting users’ communications and routing them through a worldwide distributed network of vol...

424 | Blind signatures for untraceable payments - Chaum - 1983
Citation context: ...ing statistics and a set of tables summarizing our notation and the various system parameters are included in the appendices. 2 Related Work. 2.1 Restricted Blind Signature Schemes. In his seminal work [17], Chaum introduced the notion of a blind signature scheme; the idea was later elaborated in [18], where the first construction (based on RSA signatures) was given. Chaum’s scheme allows a user to obta...

372 | Non-interactive and information-theoretic secure verifiable secret sharing - Pedersen - 1991
Citation context: ...an efficient verification protocol. Our scheme makes use of commitments, which can be Feldman commitments [24] (the commitment to x is C_F(x) = s^x for a known group element s) or Pedersen commitments [38] (the commitment to x is C_P(x) = s^x r^γ for known group elements s, r where log_s r is unknown, and γ is random). We use several standard zero-knowledge proofs from the literature; in particular, we ...

311 | Efficient identification and signatures for smart cards - Schnorr - 1990
Citation context: ...s unknown, and γ is random). We use several standard zero-knowledge proofs from the literature; in particular, we use the standard proof of knowledge of a committed value (i.e., a discrete logarithm) [40], proof that a commitment opens to a product of committed values (mult. proof) [16], and proof of knowledge of a committed value that lies in a particular range (range proof) [4]. We note that no proo...

231 | A practical scheme for non-interactive verifiable secret sharing - Feldman - 1987
Citation context: ...ifier-efficient restricted blind signatures (VERBS), a restricted blind signature scheme with an efficient verification protocol. Our scheme makes use of commitments, which can be Feldman commitments [24] (the commitment to x is C_F(x) = s^x for a known group element s) or Pedersen commitments [38] (the commitment to x is C_P(x) = s^x r^γ for known group elements s, r where log_s r is unknown, and γ is ...

226 | Untraceable off-line cash in wallets with observers - Brands
Citation context: ...on (based on RSA signatures) was given. Chaum’s scheme allows a user to obtain a cryptographic signature on a message without revealing any information about the message to the signer. Later, Brands ([5,7,6] and [8, Chap. 4]) proposed restricted blind signatures in which a user obtains a blind signature on a message, while the signer gets to see certain parts of the structure of the message before signin...

213 | Rethinking Public Key Infrastructures and Digital Certificates; Building in Privacy - Brands - 2000

207 | An efficient system for non-transferable anonymous credentials with optional anonymity revocation - Camenisch, Lysyanskaya - 2001
Citation context: ... is essentially random (modulo a large prime) and depends on the message to be signed. In particular, they cannot be fixed to a small value, such as 3, as in Chaum’s scheme. Camenisch and Lysyanskaya [13,14,15] presented a versatile signature scheme (CL-signatures) that allows a re-randomizable restricted blind signature to be issued. The well-known CL-credential [3,13,14] scheme is based on CL-signatures. I...

186 | Signature schemes and anonymous credentials from bilinear maps - Camenisch, Lysyanskaya - 2004
Citation context: ... is essentially random (modulo a large prime) and depends on the message to be signed. In particular, they cannot be fixed to a small value, such as 3, as in Chaum’s scheme. Camenisch and Lysyanskaya [13,14,15] presented a versatile signature scheme (CL-signatures) that allows a re-randomizable restricted blind signature to be issued. The well-known CL-credential [3,13,14] scheme is based on CL-signatures. I...

156 | A signature scheme with efficient protocols - Camenisch, Lysyanskaya - 2002
Citation context: ... is essentially random (modulo a large prime) and depends on the message to be signed. In particular, they cannot be fixed to a small value, such as 3, as in Chaum’s scheme. Camenisch and Lysyanskaya [13,14,15] presented a versatile signature scheme (CL-signatures) that allows a re-randomizable restricted blind signature to be issued. The well-known CL-credential [3,13,14] scheme is based on CL-signatures. I...

152 | Efficient proofs that a committed number lies in an interval - Boudot - 2000
Citation context: ...ay function that admits efficient zero-knowledge proofs of knowledge of preimages [16]. We fix a, b ∈ QR_N, the set of quadratic residues modulo N, so that log_a b mod N is unknown. Choosing (a, b) = (4, 9) is fine. Since IP addresses tend to change frequently, the system-wide parameter ∆t specifies the maximum time period for which an issued credential is valid. That is, after a time period of ∆t has e...

123 | Proving in zero-knowledge that a number is the product of two safe primes - Camenisch, Michels - 1999
Citation context: ... literature; in particular, we use the standard proof of knowledge of a committed value (i.e., a discrete logarithm) [40], proof that a commitment opens to a product of committed values (mult. proof) [16], and proof of knowledge of a committed value that lies in a particular range (range proof) [4]. We note that no proof is necessary for addition or scalar multiplication of committed values, as those ...

102 | Blind signatures system - Chaum - 1983
Citation context: ...e included in the appendices. 2 Related Work. 2.1 Restricted Blind Signature Schemes. In his seminal work [17], Chaum introduced the notion of a blind signature scheme; the idea was later elaborated in [18], where the first construction (based on RSA signatures) was given. Chaum’s scheme allows a user to obtain a cryptographic signature on a message without revealing any information about the message to...

72 | Theorems on factorization and primality testing - Pollard
Citation context: ... 1 and P = 64 we get ℓ_B ≈ 52. On the other hand, it takes at least about 3 5 · 2^{ℓ_B} modular multiplications to factor ρ, taking advantage of its special form by using Pollard’s p−1 factoring algorithm [39]. However, this algorithm is inherently sequential [9]; only a small speedup can be obtained, even with a very large degree of parallelism. This means it will take about 3 5 · 2^{ℓ_B} minutes to factor...

70 | Efficient non-interactive proof systems for bilinear groups - Groth, Sahai
Citation context: ...the cost of verifying a signature is effectively one exponentiation and one multi-exponentiation, with each exponent approximately equal in size to the message to be signed. Recently, Groth and Sahai [26] presented a zero-knowledge proof system based on bilinear pairings. Belenkiy et al. [2] proposed a restricted blind signature scheme called P-signatures and noninteractive anonymous credential system...

63 | Shining light in dark places: Understanding the Tor network - McCoy, Bauer, et al.
Citation context: ...e were 1,532 running Tor relays, operating in 57 different countries, with an estimated 90,000 to 130,000 users (depending mostly on the time of day), connecting from 126 countries, at any given time [32,34]. The ability to communicate without fear of network surveillance makes it possible for many users to express ideas or share knowledge that they might otherwise not be willing to reveal for fear of pe...

60 | Parallel collision search with application to hash functions and discrete logarithms - Oorschot, Wiener - 1994
Citation context: ...f the factorization of p − 1 and q − 1, computing discrete logs modulo p and q (and hence, modulo ρ) is feasible (but costly) using a technique like the parallel rho method of van Oorschot and Wiener [37]. g is a generator of QR_ρ, and r and s are generators of the order-ρ subgroup of Z_R^* such that log_r s is unknown. The NM’s private key is then (p, q) and the factorization of φ(ρ) (into ℓ_B-bit prim...

55 | How to win the clonewars: efficient periodic n-times anonymous authentication - Camenisch, Hohenberger, et al.
Citation context: ...and all subsequent connections from that external IP address would then become banned. It might be possible to accomplish this by incorporating ideas from K-time anonymous authentication schemes (see [12], for example). Allow banning of entire subnets. It would be useful to allow an SP to ban an entire subnet instead of a single IP address (on a case-by-case basis). There does not appear to be any str...

49 | Efficient Computation Modulo a Shared Secret with Application to the Generation of Shared Safe-Prime Products - Algesheimer, Camenisch, et al. - 2002
Citation context: ...as a publicly known modulus n, where n is the product of two unknown (to anyone) large safe primes, and N = 2n+1 is prime. Such a modulus can be generated using a distributed protocol as described in [1,36], or with one-time trust in an entity which generates it, such as used in the erstwhile RSA Factoring Challenge [30]. Under the assumption that n is hard to factor, squaring modulo n is a one-way func...

41 | P-signatures and noninteractive anonymous credentials - Belenkiy, Chase, et al. - 2008
Citation context: ...tiation, with each exponent approximately equal in size to the message to be signed. Recently, Groth and Sahai [26] presented a zero-knowledge proof system based on bilinear pairings. Belenkiy et al. [2] proposed a restricted blind signature scheme called P-signatures and noninteractive anonymous credential system based on the Groth-Sahai framework. The cost of verification in their scheme is about o...

41 | Parallel Algorithms for Integer Factorization - Brent
Citation context: ...es at least about 3 5 · 2^{ℓ_B} modular multiplications to factor ρ, taking advantage of its special form by using Pollard’s p−1 factoring algorithm [39]. However, this algorithm is inherently sequential [9]; only a small speedup can be obtained, even with a very large degree of parallelism. This means it will take about 3 5 · 2^{ℓ_B} / M minutes to factor ρ. Assuming M = 23100000, then ℓ_B = 50 yields over ...

32 | Enhanced Privacy ID: A Direct Anonymous Attestation Scheme with Enhanced Revocation Capabilities, IEEE Transactions on Dependable and Secure Computing - Brickell, Li
Citation context: ...liminate the troubling situation in which users must trust their anonymity in the hands of a small number of trusted third parties. Unlike other approaches that have been considered in the literature [10,44,45,46], we avoid the use of trusted hardware devices or unrealistic assumptions about offline credential issuing authorities who are responsible for ensuring that no user is able to obtain multiple credenti...

29 | A non-interactive public-key distribution system - Maurer, Yacobi - 1996

24 | Nymble: Anonymous IP-address blocking - Johnson, Kapadia, et al. - 2007
Citation context: ...eir privacy, and while preserving the privacy of all of the non-abusive users. Our system provides a privacy-preserving analog of IP address banning, and is modeled after the well-known Nymble system [29,47,48]. However, while we solve the same problem as the original Nymble scheme, we eliminate the troubling situation in which users must trust their anonymity in the hands of a small number of trusted third...

24 | Measuring the Tor network: Evaluation of client requests to directories - Loesing - 2009
Citation context: ...e were 1,532 running Tor relays, operating in 57 different countries, with an estimated 90,000 to 130,000 users (depending mostly on the time of day), connecting from 126 countries, at any given time [32,34]. The ability to communicate without fear of network surveillance makes it possible for many users to express ideas or share knowledge that they might otherwise not be willing to reveal for fear of pe...

21 | Restrictive blinding of secret-key certificates - Brands - 1995
Citation context: ...on (based on RSA signatures) was given. Chaum’s scheme allows a user to obtain a cryptographic signature on a message without revealing any information about the message to the signer. Later, Brands ([5,7,6] and [8, Chap. 4]) proposed restricted blind signatures in which a user obtains a blind signature on a message, while the signer gets to see certain parts of the structure of the message before signin...

18 | Nym: Practical Pseudonymity for Anonymous Networks - Holt, Seamons - 2006
Citation context: ...be willing to provide the infrastructure necessary to realize such a system, a situation that would greatly reduce the burden on service providers and lead to greater adoption. Several schemes (e.g., [10,11,28,29,44,45,46,47,48]) have been proposed with the goal of allowing anonymous blacklisting of Tor users. The original systems (e.g., [28,29,47,48]) attempt to recreate the common practice of IP address banning, without ac...

10 | Enhanced privacy ID from bilinear pairing for Hardware Authentication and Attestation - Brickell, Li - 2011
Citation context: ...be willing to provide the infrastructure necessary to realize such a system, a situation that would greatly reduce the burden on service providers and lead to greater adoption. Several schemes (e.g., [10,11,28,29,44,45,46,47,48]) have been proposed with the goal of allowing anonymous blacklisting of Tor users. The original systems (e.g., [28,29,47,48]) attempt to recreate the common practice of IP address banning, without ac...

8 | Deploying low-latency anonymity: Design challenges and social factors - Dingledine, Mathewson, et al. - 2007
Citation context: ... users, but it might also be a boon to wider acceptance of Tor [31]. Indeed, the need for an anonymous blacklisting mechanism has been acknowledged by several key people involved with The Tor Project [20,21,31]. Thus, it is reasonable to expect that the operators of Tor might be willing to provide the infrastructure necessary to realize such a system, a situation that would greatly reduce the burden on serv...

2 | Tor development roadmap, 2008–2011. Roadmap, The Tor Project (2008) - Dingledine
Citation context: ... users, but it might also be a boon to wider acceptance of Tor [31]. Indeed, the need for an anonymous blacklisting mechanism has been acknowledged by several key people involved with The Tor Project [20,21,31]. Thus, it is reasonable to expect that the operators of Tor might be willing to provide the infrastructure necessary to realize such a system, a situation that would greatly reduce the burden on serv...

2 | Optimizing robustness while generating shared secret safe primes - Ong, Kubiatowicz - 2005
Citation context: ...as a publicly known modulus n, where n is the product of two unknown (to anyone) large safe primes, and N = 2n+1 is prime. Such a modulus can be generated using a distributed protocol as described in [1,36], or with one-time trust in an entity which generates it, such as used in the erstwhile RSA Factoring Challenge [30]. Under the assumption that n is hard to factor, squaring modulo n is a one-way func...

1 | Restricted Blind Signatures. World Intellectual Property Organization - Brands - 1995
Citation context: ...on (based on RSA signatures) was given. Chaum’s scheme allows a user to obtain a cryptographic signature on a message without revealing any information about the message to the signer. Later, Brands ([5,7,6] and [8, Chap. 4]) proposed restricted blind signatures in which a user obtains a blind signature on a message, while the signer gets to see certain parts of the structure of the message before signin...

1 | Dingledine 〈arma@freehaven.net〉: Re: Banned from Slashdot, http://archives.seul.org/or/talk/Jun-2005/msg00002.html [Private e-mail message to Jamie McCarthy; 01-June-2005]
Citation context: ... users use the veil of anonymity as a license to perform mischievous deeds such as trolling forums or cyber-vandalism. For this reason, some popular websites (for example, Wikipedia [50] and Slashdot [19,23]) proactively ban any user connecting from a known anonymous communications network from contributing content, thus limiting freedom of expression. The privacy offered by Tor is directly related to ...

1 | RSA Laboratories: The RSA Factoring Challenge FAQ, http://www.rsa.com/rsalabs/node.asp?id=2094 [Online; accessed 11-January-2010]
Citation context: ...ime. Such a modulus can be generated using a distributed protocol as described in [1,36], or with one-time trust in an entity which generates it, such as used in the erstwhile RSA Factoring Challenge [30]. Under the assumption that n is hard to factor, squaring modulo n is a one-way function. Thus, squaring modulo n is a one-way function that admits efficient zero-knowledge proofs of knowledge of prei...

1 | Lewman 〈andrew@torproject.org〉: Re: Talking w/local service CEOs [LJ, goog...], http://marc.info/?l=tor-talk&m=126137307104914&w=2 [Private e-mail message to 〈grarpamp@gmail.com〉; 21-December-2009]
Citation context: ...dual users without compromising their anonymity. Not only would such a system benefit the estimated hundreds of thousands of existing Tor users, but it might also be a boon to wider acceptance of Tor [31]. Indeed, the need for an anonymous blacklisting mechanism has been acknowledged by several key people involved with The Tor Project [20,21,31]. Thus, it is reasonable to expect that the operators of ...