Achieving Electronic Privacy A cryptographicinvention known as a permits numbers to serve as electronic cash or to replace conventional identification. The author hopes it may return control of personal information to the individual

by

very time you make a telephone murderers have tracked down their tar­ cessors capable of carrying out the nec­ call, purchase goods using a cred­ gets by consulting government-main­ essary algorithms have already been it card, subscribe to a magazine tained address records. On another lev­ embedded inpocket computers the size or pay your taxes, that information goes el, the U.S. Internal Revenue Service has and thickness of a credit card. Such sys­ intoE a data base somewhere. Further­ attempted to single out taxpayers for tems have been tested on a small scale more, all these records can be linked audits based on estimates of house­ and could be in widespread use by the so that they constitute in effect a sin­ hold income compiled by mailing-list middle of this decade. gle dossier on your life-not only your companies. medical and financial history but also The growing amounts of information he starting point for this ap­ what you buy, where you travel and that different organizations collect proach is the , whom you communicate with. It is al­ about a person can be linked because first proposed in 1976 by Whit­ most impossible to learn the full extent all of them use the same key-in the field Diffie, then at Stanford University. of the filesthat various organizations U.S. the sodal security number-to iden­ AT digital signature transforms the mes­ keep on you, much less to assure their tify the individualin question. This iden­ sage that is signed so that anyone who accuracy or to control who may gain ac­ tifier-based approach perforce trades reads it can be sure of who sent cess to them. off security against individualliberties. it [see "The Mathematics of Public-Key Organizations link records from dif­ The more information that organiza­ ," by Martin E. Hellman; ferent sources for their own protec­ tions have (whether the intent is to pro­ SCIENTIFIC AMERICAN, August 1979l. tion. Certainly it is in the interest of tect them from fraud or simply to tar­ These signatures employ a secret key a bank looking at a loan application get marketing efforts), the less privacy used to sign messages and a public one to know that John Doe has defaulted and control people retain. used to verify them. Only a message on four similar loans in the past two Over the past eight years, my col­ signed with the private key can be ver­ years. The bank's possession of that leagues and I at CWI (the Dutch na­ ified by means of the public one. Thus, information also helps its other cus­ tionally funded Center for Mathemat­ if Alicewants to send a signed message tomers, to whom the bank passes on ics and Computer Science in Amster­ to Bob (these two are the cryptographic the cost of bad loans. In addition, these dam) have developed a new approach, community's favorite hypothetical char­ records permit Jane Roe, whose pay­ based on fundamental theoretical and acters), she transforms it using her pri­ ment history is impeccable, to establish practical advances in cryptography, vate key, and he applies her public key a charge account at a shop that has that makes this trade-off unnecessary. to make sure that it was she who sent never seen her before. Transactions employing these tech­ it. The best methods known for produc­ That same information in the wrong niques avoid the possibility of fraud ing forged signatures would require hands, however, provides neither pro­ while maintaining the privacy of those many years, even using computers bil­ tection for businesses nor better service who use them. lions of times faster than those now for consumers. Thieves routinely use a In our system, people would in ef­ available. stolen credit card number to trade on fect give a different (but definitively To see how digital signatures can their victims' good payment records; verifiable) pseudonym to every organi­ provide all manner of unforgeable cre­ zation they do business with and so dentials and other services, consider make dossiers impossible. They could how they might be used to provide an pay for goods in untraceable electronic electronic replacement for cash. The DAVII) CHAUM is head of the Cryptog­ cash or present digital credentials that First Digital Bank would offer electron­ raphy Group at the Center for Mathe­ serve the function of a banking pass­ ic bank notes: messages signed using matics and Computer Science (CWI) in Amsterdam. He is also a founder of Digi­ book, driver's license or voter registra­ a particular private key. All messages Cash, which develops electronic payment tion card without revealing their iden­ bearing one key might be worth a dol­ systems. Chaum received his Ph.D. in tity. At the same time, organizations lar, all those bearing a different key five computer science from the University of would benefit from increased security dollars, and so on for whatever denom­ California, Berkeley, in 1982 and joined and lower record-keeping costs. inations were needed. These electronic CWI in 1984. He helped to found the Recent innovations in microelectron­ bank notes could be authenticated using International Association for Cryptolog­ ics make this vision practical by pro­ the corresponding public key, which the ic Research and remains active on its board; he also consults internationally viding personal "representatives" that bank has made a matter of record. First on cryptology. store and manage their owners' pseud­ Digital would also make public a key onyms, credentials and cash. Micropro- to authenticate electronic documents

96 SCIENTIFIC AMERICAN August 1992

© 1992 SCIENTIFIC AMERICAN, INC sent from the bank to its customers. When Alice wants to pay for a pur­ This system is secure, but it has no . To withdraw a dollar from the bank, chase at Bob's shop, she connects her privacy. If the bank keeps track of note Alice generates a note number (each "smart" card with his card reader and numbers, it can link each shop's de­ note bears a different number, akin to transfers one of the signed note num­ posit to the corresponding withdrawal the serial number on a bill); she choos­ bers the bankhas given her. After veri­ and so determine precisely where and es a lOO-digit number at random so fying the bank's digital signature, Bob when Alice (or any other account hold­ that the chance anyone else would gen­ transmits the note to the bank, much as er) spends her money. The resulting erate the same one is negligible. She a merchant verifies a credit card trans­ dossier is far more intrusive than those signs the number with the private key action today. The bank reverifies its now being compiled. Furthermore, rec­ corresponding to her "digital pseud­ signature, checks the note against a list ords based on digital signatures are onym" (the public key that she has pre­ of those already spent and credits Bob's more vulnerable to abuse than conven­ viously established for use with her ac­ account. It then transmits a "deposit tional files. Not only are they self-au­ count). The bank verifies Alice's signa­ slip," once again unforgeably signed thenticating (even if they are copied, ture and removes it from the note with the appropriate key. Bob hands the information they contain can be number, signs the note number with its the merchandise to Alice along with his verified by anyone), but they also per­ worth-one-dollar signature and debits own digitally signed receipt, complet­ mit a person who has a particular kind her account. It then returns the signed ing the transaction. of information to prove its existence note along with a digitally signed with­ This system provides security for all without either giving the information drawal receipt for Alice's records. In three parties. The signatures at each away or revealing its source. For exam­ practice, the creation, signing and trans­ stage prevent any one from cheating ple, someone might be able to prove in­ fer of note numbers would be carried either of the others: the shop cannot controvertibly that Bob had telephoned out by Alice's card computer. The pow­ deny that it received payment, the bank Alice on 12 separate occasions without er of the cryptographic protocols, how­ cannot deny that it issued the notes or having to reveal the time and place of ever, lies in the fact that they are se­ that it accepted them from the shop any of the calls. cure regardless of physical medium: for deposit, and the customer can nei­ I have developed an extension of digi­ the same transactions could be carried ther deny withdrawing the notes from tal signatures, called blind signatures, out using only pencil and paper. her account nor spend them twice. that can restore privacy. Before send-

CREDIT MERCH ANT'S ACCOUNT $1; BALANCE $100.001 �613rc0375293 7349432 0269 3154J MERCHANT'S7 390621 ACCOUNT43616 NO. 040682759

5 �734613rc' 31540375 j3 7 3906219432 436160269 DIGITAL CASH flows tracelessly from bank through con­ signature indicating its value. The bank credits the merchant's sumer and merchant before returning to the bank. Using a account when the note is presented for payment. A technique small computer "representative," a person creates a random known as a blindsignature prevents the bank fromseeing the number to serve as a bank note. The bank debits the appro­ note number so the bank will be unable to correlate withdraw­ priate account and signs the note with an unforgeable digital als from one account with deposits to another.

SCIENTIFIC AMERICANAugust 1992 97

© 1992 SCIENTIFIC AMERICAN, INC How to Create Secure Digital Pseudonyms The observer signs the pseudonyms with a special built-in key.

000000 000000 000000 00000o 000000 000000 000000 00000o 000000 000000 The representative checks the pseudonyms to make Each personal repre­ The representative and the sure they do not disclose sentative contains an observer generate numbers any illicit information and embedded observer that the observer uses to passes them to a validating REPRESENTATIVE in addition to its own produce a set of blinded authority. microprocessor. digital pseudonyms.

ing a note number to the bank for sign­ ability, but spending it twice reveals at will(or, in prinCiple, build it from ing, Alice in essence multiplies it by a enough information to make the pay­ scratch). Organizations are protected by random factor. Consequently, the bank er's account easily traceable. In fact, it the and so do knows nothing about what it is signing can yield a digitally signed confession not have to trust the representatives. except that it carries Alice's digital sig­ that cannot be forged even by the bank. The prototypical representative is a nature. After receiving the blinded note Cards capable of such anonymous smart credit-card-size computer con­ signed by the bank, Alice divides out payments already exist. Indeed, Digi­ taining memory and a microprocessor. the blinding factor and uses the note Cash, a company with which I am as­ It also incorporates its own keypad and as before. sociated, has installed equipment in display so that its owner can control the The blinded note numbers are "un­ two office buildings in Amsterdam that data that are stored and exchanged. If conditionally untraceable"-that is, even permits copiers, fax machines, cafete­ a shop provided the keypad and dis­ if the shop and the bank collude, they ria cash registers and even coffee vend­ play, it could intercept passwords on cannot determine who spent which ing machines to accept digital "bank their way to the card or show one price notes. Because the bank has no idea of notes." We have also demonstrated a to the customer and another to the the blinding factor, it has no way of system for automatic toll collection in card. Ideally, the card would communi­ linking the note numbers that Bob de­ which automobiles carry a card that re­ cate with terminals in banks and shops posits with Alice's withdrawals. Where­ sponds to radioed requests for pay­ by a short-range communications link as the security of digital signatures is ment even as they are traveling at high­ such as an infrared transceiver and so dependent on the difficultyof partic­ way speeds. need never leave its owner's hands. ular computations, the anonymity of When asked to make a payment, the blinded notes is limited only by the un­ y colleagues and I call a com­ representative 'would present a sum­ predictability of Alice's random num­ puter that handles such cryp­ mary of the particulars and await ap­ bers. If she wishes, however, Alice can tographic transactions a "rep­ proval before releasing funds. It would reveal these numbers and permit the resentative." A person might use dif­ also insist on electronic receipts from notes to be stopped or traced. ferentM computers as representatives organizations at each stage of all trans­ Blinded electronic bank notes protect depending on which was convenient: actions to substantiate its owner's po­ an individual's privacy, but because Bob might purchase software (trans- sition in case of dispute. By requiring each note is simply a number, it can be . mitted to himover a network) by using a password akinto the PIN (personal copied easily. To prevent double spend­ his home computer to produce the req­ identifying number) now used for bank ing, each note must be checked on-line uisite digital signatures, go shopping cards, the representative could safe­ against a central list when it is spent. with a "palm-top" personal computer guard itself from abuse by thieves. In­ Such a verification procedure might be and carry a smart credit card to the deed, most people would probably keep acceptable when large amounts of mon­ beach to pay for a drink or crab cakes. backup copies of their keys, electronic ey are at stake, but it is far too expen­ Any of these machines could represent bank notes and other data; they could sive to use when someone is just buying Bob in a transaction as long as the digi­ recover their funds if a representative a newspaper. To solve this problem, my tal signatures each generates are under were lost or stolen. colleagues and and his control. Personal representatives offerexcel­ I have proposed a method for generat­ Indeed, such computers can act as lent protection for individual privacy, ing blinded notes that requires the pay­ representatives for their owners in vir­ but organizations might prefer a mecha­ er to answer a random numeric query tually any kind of transaction. Bob nism to protect their interests as strong­ about each note when making a pay­ can trust his representative and Alice ly as possible. For example, a bank ment. Spending such a note once does hers because they have each chosen might want to prevent double spending not compromise unconditional untrace- their own machine and can reprogram it of bank notes altogether rather than

98 SCIENTIFIC AMERICAN August 1992

© 1992 SCIENTIFIC AMERICAN, INC leak any information and passes it to Bob. The observer is programmed to VALIDATING sign only one such statement for any AUTHORITY given note. Many transactions do not simply re­ quire a transfer of money. Instead they involve credentials-information about an individual's relationship to some or­ ganization. In today's identifier-based world, all of a person's credentials are easily linked. If Alice is deciding wheth­ er to sell Bob insurance, for example, The validating authority The representative re­ she can use his name and date of birth checks the observer's moves the blinding from to gain access to his credit status, medi­ special key, removes it the validated pseudonyms cal records, motor vehicle file and crim­ and attaches its own and stores them for future inal record, if any. unforgeable signature. use by the observer. Using a representative, however, Bob would establish relationships withdif­ ferent organizations under different dig­ ital pseudonyms. Each of them can rec­ ognize him unambiguously, but none of their records can be linked. In order to be of use, a digital cre­ simply detecting it after the fact. Some card. The observer does not reveal its dential must serve the same function organizations might also want to en­ numbers but reveals enough informa­ as a paper-based credential such as a sure that certain digital signatures are tion about them so that the card can driver's license or a credit report. It not copied and widely disseminated later check whether its numbers were must convince someone that the per­ (even though the copying could be de­ in fact used to produce the resulting son attached to it stands in a particular tected afterward). keys. The card also produces random relation to some issuing authority. The Organizations have already begun data that the observer will use to blind name, photograph, address, physical de­ issuing tamperproof cards (in effect, each key. scription and code number on a driv­ their own representatives) programmed Then the observer blinds the public er's license, for example, serve merely to prevent undesirable behavior. But keys, signs them with a special built-in to link it to a particular person and to these cards can act as "Little Brothers" key and gives them to the card. The the corresponding record in a data base. in everyone's pocket. card verifies the blinding and the signa­ Just as a bank can issue unforgeable, We have developed a system that ture and checks the keys to make sure untraceable electronic cash, so too could satisfies both sides. Anobserver-a they were correctly generated. It pass­ a university issue signed digital diplo­ tamper-resistant computer chip, issued es the blinded, signed keys to the vali­ mas or a credit-reporting bureau issue by some entity that organizations can dating authority, which recognizes the signatures indicating a person's ability trust -acts like a notary and certifies observer's built-in signature, removes to repay a loan. the behavior of a representative in it and signs the blinded keys with its When the young Bob graduates with which it is embedded. Philips Indus­ own key. The authority passes the keys honors in medieval literature, for ex­ tries has recently introduced a tamper­ back to the card, which unblinds them. ample, the university registrar gives his resistant chip that has enough comput­ These keys, bearing the signature of representative a digitally signed mes­ ing power to generate and verify digital the validating authority, serve as digital sage asserting his academic credentials. signatures. Since then, Siemens, Thom­ pseudonyms for future transactions; When Bob applies to graduate school, son CSF and Motorola have announced Alice can draw on them as needed. however, he does not show the admis­ plans for similar circuits, any of which sions committee that message. Instead could easily serve as an observer. observer could easily prevent his representative asks its observer to The central idea behind the protocol (rather than merely detect) dou­ sign a statement that he has a B. A. cum for observers is that the observer does A:ble spending of electronic bank laude and that he qualifies for finan­ not trust the representative in which notes. When Alice withdraws money cial aid based on at least one of the it resides, nor does the representative from her bank, the observer witnesses university's criteria (but without reveal­ trust the observer. Indeed, the repre­ the process and so knows what notes ing which ones). The observer, which sentative must be able to control all she received. At Bob's shop, when Alice has verified and stored each of Bob's data passing to or from the observer; hands over a note from the bank, she credentials as they come in, simply otherwise the tamperproof chip might also hands over a digital pseudonym checks its memory and signs the state­ be able to leak information to the world (which she need use only once) signed ment if it is true. at large. by the validating authority. Then the ob­ In addition to answering just the When Alice first acquires an observ­ server, using the secret key correspond­ right question and being more reli­ er, she places it in her smart-card rep­ ing to the validated pseudonym, signs able than paper ones, digital credentials resentative and takes it to a validat­ a statement certifying that the note will would be both easier for individuals ing authority. The observer generates a be spent only once, at Bob's shop and to obtain and to show and cheaper for batch of public and private key pairs at this particular time and date. Alice's organizations to issue and to authen­ from a combination of its own random card verifies the signed statement to ticate. People would no longer need to numbers and numbers supplied by the make sure that the observer does not fill out long and revealing forms. In-

SCIENTIFIC AMERICANAugust 1992 99 © 1992 SCIENTIFIC AMERICAN, INC stead their representatives would con­ might simply take the lack of a posi­ ations the card reveals to the observer vince organizations that they meet par­ tive credential as a negative one. If Bob how it encoded the responses; the ob­ ticular requirements without disclosing signs up for skydiving lessons, his in­ server signs a statement including the any more than the simple fact of qual­ structors may assume that he is medi­ challenges and encoded responses only ification. Because such credentials re­ cally unfitunless they see a credential if it has been a party to that challenge­ veal no unnecessary information, peo­ to the contrary. response sequence. This process con­ ple would be willing to use them even For most credentials, the digital sig­ vinces the organization of the observ­ in contexts where they would not will­ nature of an observer is sufficientto er's presence without allowing the ob­ ingly show identification, thus enhanc­ convince anyone of its authenticity. Un­ server to leak information. ing security and giving the organiza­ der some circumstances, however, an Organizations can also issue cre­ tion more useful data than it would organization might insist that an ob­ dentials using methods that depend otherwise acquire. server demonstrate its physical pres­ on cryptography alone rather than on Positive credentials, however, are not ence. Otherwise, for example, any num­ observers. Although currently practical the only kind that people acquire. They ber of people might be able to gain approaches can handle only relatively may also acquire negative credentials, access to nontransferable credentials simple queries, of the which they would prefer to conceal: (perhaps a health club membership) by University of Montreal, Claude Crepeau felony convictions, license suspensions using representatives connected by of the E cole Normale Superieure and I or statements of pending bankruptcy. concealed communications links to an­ have shown how to answer arbitrary In many cases, individuals willgive or­ other representative containing the de­ combinations of questions about even ganizations the right to inflict negative sired credential. the most complex credentials while credentials on them in return for some Moreover, the observer must carry maintaining unconditional unlinkabil­ service. For instance, when Alice bor­ out this persuasion while its input and ity. The concealment of purely crypto­ rows books from a library, her observ­ output are under the control of the graphic negative credentials could be er would be instructed to register an representative that contains it. When detected by the same kinds of tech­ overdue notice unless it had received a Alice arrives at her gym, the card read­ niques that detect double spending of receipt for the books' returnwithin er at the door sends her observer a se­ electronic bank notes. And a combina­ some fixedtime. ries of single-bit challenges. The ob­ tion of these cryptographic methods Once the observer has registered a server immediately responds to each with observers would offer accountabil­ negative credential, an organization can challenge with a random bit that is en­ ity after the f

1 , 3 : ..: : ... ; , , . : - �: I P2004631I 7 • • • P2004631 HAS �• •••••• • BA IN ELECTRICA l:::-=o ==--___� ENGINEERING REPRESENTATIVE UNIVERSITY

Q37981409 •• DO YOU HAVE ANY OF THE FOLLOWING: �!!������ =i�I-•• � A) B.A. AND 3 YEARS' EXPERIENCE? F, , , 3 :.. '": E B) 10 YEARS' EXPERIENCE? , , . �: ::� C) Ph.D. AND RECOMMENDATIONS? 7 a •

EMPLOYER

DIGITAL CREDENTIALS put personal information under the her a digitally signed degree. Later, her observer can use its control of an individual's representative and its observ­ knowledge of the degree to answer questions about her qual­ er. When Alice (one of the author's two hypothetical charac­ ifications without revealing any more information about her ters) finishes her undergraduate work, the university gives than absolutely necessary.

100 SCIENTIFIC AMERICAN August 1992

© 1992 SCIENTIFIC AMERICAN, INC phone or cash withdrawals from an au­ �omatic teller machine (ATM). The bur­ den of proof is on the bank to show that no one else could have made the pur­ chase or withdrawal. If computerized . representatives become widespread, owners will establish all their own pass­ words and so control access to their representatives. They will be unable to disavow a representative's actions. Current tamper-resistant systems such as ATMs and their associated cards typically rely on weak, inflexible security procedures because they must be used by people who are neither highly competent nor overly concerned about security. If people supply their own representatives, they can program them for varying levels of security as they see fit. (Those who wish to trust their assets to a single four-digit code are free to do so, of course.) Bob might use a short PIN (or none at all) to au­ thorize minor transactions and a long­ er password for major ones. To protect himself from a robber who might force

him to give up his passwords at gun­ COMPUTERIZED CREDIT CARD developed by Toshiba and Visa International con­ point, he could use a "duress code" tains a microprocessor, memory, keypad and display. Although this card identifies that would cause the card to appear to its user during transactions, the same hardware could be reprogrammed as a per­ operate normally while hiding its more sonal representative for spending digital cash. important assets or credentials or per­ haps alerting the authorities that it had been stolen. bids for a system that would commu­ mate needs of those with whom they A personal representative could also nicate with cars and charge their smart do business. recognize its owner by methods that cards as they pass various points on The choice between keeping informa­ most people would consider unreason­ a road (as opposed to the simple ve­ tion in the hands of individuals or of or­ ably intrusive in an identifier-based hicle identification systems already in ganizations is being made each time any system; a notebook computer, for ex­ use in the U.S. and elsewhere). And ca­ government or business decides to au­ ample, might verify its owner's voice or ble and satellite broadcasters are ex­ tomate another set of transactions. In even fingerprints. A supermarket check­ perimenting with smart cards for deliv­ one direction lies unprecedented scruti­ out scanner capable of recognizing a ering pay-per-view television. All these ny and control of people's lives, in the person's thumbprint and debiting the systems, however, are based on cards other, secure parity between individu­ cost of groceries from their savings that identify themselves during every als and organizations. The shape of so­ account is Orwellian at best. In con­ transaction. ciety in the next century may depend trast, a smart credit card that knows its If the trend toward identifier-based on which approach predominates. owner's touch and doles out electron­ smart cards continues, personal priva­ ic bank notes is both anonymous and cy will be increasingly eroded. But in safer than cash. In addition, incorporat­ this conflict between organizationalse­ FURTHER READING ing some essential part of such iden­ curity and individual liberty, neither SECURITY WITHOUT IDENTIFICATION: tification technology into the tamper­ side emerges as a clear winner. Each TRANSACTION SYSTEMS TO MAKE BIG proof observer would make such a round of improved identification tech­ BROTHER OBSOLETE, David Chaum in card suitable even for very high securi­ niques, sophisticated data analysis or Communications of the ACM, Vol. 28, ty applications. extended linking can be frustrated by No. 10, pages 1030-1044; October 1985. widespread noncompliance or even leg­ THE DINING CRYPTOGRAPHERS PROBLEM: omputerized transactions of all islated limits, which in turnmay engen­ UNCONDmONAL SENDER ANDRECIPIENT UNTRACEABILITY, David Chaum in Jour­ kinds are becoming ever more der attempts at further control. nal of Cryptology,Vol. 1, No. 1, pages pervasive. More than half a doz­ Meanwhile, in a system based on rep­ 65-75; 1988, en countries have developed or are test­ resentatives and observers, organiza­ MODERN CRYPTOLOGY: A TU TORIAL. ingC chip cards that would replace cash. tions stand to gain competitive and po­ Gilles Brassard in Lecture Notes in Com­ In Denmark, a consortium of banking, litical advantages from increased pub­ puter SCience, Vol. 325. Springer-Verlag, utility and transport companies has lic confidence(in addition to the lower 1988. announced a card that would replace costs of pseudonymous record-keep-, PRIVACY PROTECTED PAYMENTS: UNCON' coins and small bills; in France, the tele­ ing). And individuals, by maintaining DITIONAL PAYER AND/OR PAYEE UN ' TRACEABIUTY. David Chaum in Smart communications authorities have pro­ their own cryptographically guaranteed Card 2000: The Future onC Cards. Edit­ posed general use of the smart cards records and making only necessary dis­ ed by David Chaum and Ingrid Sehau­ now used at pay telephones. The gov­ closures, will be able to protect their mUller-Biehl, North-Holland, 1989. ernment of Singapore has requested privacy without infringing on the legiti-

SCIENTIFIC AMERICAN August 1992 101

© 1992 SCIENTIFIC AMERICAN, INC