Professional Documents
Culture Documents
Privacy is increasingly concerned in the digital econ- 1 While it seems more modular to have a separate CA certi-
omy of the virtual Internet world. Though customer fying identities [MS99], the investors' identities can be illegally
revoked by some participant, other than the intended CA, from
anonymity has already been somehow well-studied in the e-coins used to buy shares. Fortunately, such an illegally
the context of electronic payments (refer to, [C82, revocation is impossible in our solution.
1
lar to blind signature [C82, FTY98]) from the CA, ticate" (CAC) from the certicate authority who
and then pays c back to the CA who will certify needs only to transparently maintain its own proac-
Bob's public key pBob . We denote such a certi- tively signing infrastructure with the techniques in
cate certBob def = SIGCA (pBob ), and its anonymity [HJJKY95, JY97] for a case study. Our solution suc-
can be revoked from the zero-value coin c, as in e- ceeds in addressing the two open problems proposed
cash. This is the very reason to assume the existence in [MS99]: scalability, only one signature is enough to
of a conditionally anonymous e-cash system. Specif- perform a trading/voting transaction2 independent
ically, an eshare of IBM held by Bob is denoted as of the number of share involved, and tax evasion-
SIGIBM (certBob ), i.e., SIGIBM (SIGCA (pBob )), in freeness. While our trading model is also fair to both
the database maintained by IBM. If IBM has 108 es- the seller and the buyer, thereof a real market in the
hares, its database has exactly 108 records. When sense of [FSW99], a new mechanism introduced in
Bob intends to sell this eshare, the ownership can be this paper will entitle the law enforcers to actively
easily proved/checked as he knows the secret key cor- detect abuses (e.g., money laundering). As we will
responding to the public key pBob . Unfortunately, in see, our solution can also be extended to realize var-
the model of [MS99], if Bob wants to sell his 1000 ious preferred trade-os.
IBM eshare, 1000 signatures have to be signed (by
Bob) and veried (by IBM) against (possibly) 1000 Remarks: 1. The \Certied Anonymous Public
certicates. In this case, Bob may have to setup 1000 Key" (CAPK) used in [MS99], is similar to the \con-
balance accounts at the bank to which he redeems ditionally anonymous certicate" (CAC) adopted in
the e-checks (signed by the company after success- the current paper. However, the anonymity of a
ful selling), if not in physical cash. This can be fur- CAPK in [MS99] is indirectly implemented through
ther worsen as it is impossible (even Bob himself) to some anonymous e-cash system, whereas it is directly
foretell how many eshares (therefore, the correspond- realized by the certicate authority in ours. More-
ing certicates) to be bought. On the other hand, over, it is technically possible in our solution for any
the fact that Bob has many certicates will make participant other than the intended certicate au-
it technically impossible to generate accurate capi- thority to revoke illegally the anonymity of any in-
tal gains report for him, without which there may be vestor, therefore the bank in our solution will not
potential tax evasion. This is further complicated by bear the potential legal risk (refer to [Ba98]).
the normal yet frequent buying-and-selling processes 2. The active detection mechanism of this paper
(e.g., rstly buying 1000 eshares at the price of $10, may be independently interesting in other context.
then selling 500 eshares at the price of $20). There- For example, jewellers always dare not to publish
fore, to realize scalable and tax evasion-free anony- their real name and address for the prevention of rob-
mous investing system is the open problem proposed bery, whereas the government may hope to know the
in [MS99]. advertisements by whom they are posed (say, to en-
Additionally, the trading model in [MS99] is dis- sure that the jewels are not \dirty").
qualied due to the unfairness in the transactions.
More specically, after Bob broadcasting an oer for
his eshare SIGIBM (SIGCA (pBob )) at price d, Alice
1.3 Outline.
needs to broadcast her bidding at price d with re-
0 In next section we will describe our model of anony-
spect to exactly Bob's oer, what is the worst is that mous investing, which is somewhat dierent from the
whether this transaction will take eect or not de- one in [MS99]. We present the basic scheme of our
pends only on Bob's mind, and nothing else (i.e., even solution in section 3, and its properties in section 4.
Alice). This is contrast to the function of nancial Extension to the basic scheme, and a comparison be-
markets to bring buyers and sellers together and to tween it with the [MS99] solution is unfolded in sec-
provide a price discovery mechanism for the assets tion 5. We conclude with open problem in section
being traded [FSW99]. 6.
2
maintains an Anonymous Bulletin Board (ABB, Over-trading prevention: Any over-selling or
where the validated bids/oers of the investors are over-buying can be prevented.4
posted)3 . That is, we assume the existence of anony- Over-trading framing-freeness: No participants
mous communication channel between the investors (including the SE and the CA) can successful
and the SE, similar to [MS99, S96]. Every investor frame an investor for any over-trading transac-
I setups an anonymous account (AA, with which his tion.
money balance and share balance are associated) via
his \conditionally anonymous certicate" (CAC) is- Traceability: The anonymous investing scheme
sued by the CA using some proactive cryptography supports three kinds of passive traceabilities: (1)
(for the sake of a case study, we adopt the methods in From an anonymous account (AA) to the corre-
[HJJKY97, JY97] whereas many other techniques can sponding investor ID; (2) From investor ID to
be used instead) of quorum-revocation anonymity. the corresponding anonymous account (AA); (3)
Functionally, the stock exchange consists of four Whether an anonymous account (AA) is corre-
components: SEC (Stock Exchange Center, the core sponding to certain investor ID.
one responsible for completing and cancelling trad-
ing requests posted on the ABB according to certain Revocability: Any traced anonymous account
rules), SEE (Stock Exchange Election, the one re- (AA) can be blacklisted or frozen.
sponsible for handling voting and dividending accord- Anonymity: The probability for any coalition of
ing to the regulations), SET (Stock Exchange Tax- participants not including a quorum CA servers
ation, the one keeping all the transaction transcripts to determine the identity of the owner of a
for the sake of taxation and abuse detection), and AA/CAC is negligible.
SEV (Stock Exchange Verication, the one respon-
sible for verifying the validity of certain bids/oers, Anonymous voting: Each anonymous investor
and posting those valid requests on the ABB). should be able to vote exactly once per share
We assume that all investors trust that there never (i.e., authentic), and the votes should be univer-
be a quorum servers in the CA infrastructure ille- sally veriable.
gally conspiring to reveal their anonymity, and SE Tax evasion-freeness: Tax evasion is impossible
(thereof, all its components) honestly does everything for any investor.
according to certain rules/regulations independent of
the current paper. Technically we assume that nei- Active detection: The system itself provides the
ther DLOG (i.e., DSS [NIST91] and Schnorr [S91]) law enforcers an active detection mechanisms
nor RSA [RSA78] signature is existentially forgeable against abuses including brute force, in
ation,
under adaptive chosen message attack [GMR88]. insider trading, and money laundering.
We use SIGY () to denote the signing function
(possibly thresheld and proactivized) of entity Y
whereas ENCX () the secure encryption function un- 3 The Basic Scheme
der the public key of participant X.
3.1 The Idea
2.1 The Goals Each investor I applies a \conditionally anonymous
certicate" (CAC) from the CA, via which he setups
We extend the objectives of an anonymous investing a anonymous account (AA) at the stock exchange
system proposed in [MS99] to include tax evasion- SE. With such a AA, the investor can deposit his
freeness, and active detection (i.e., against brute money via either physical money or unconditionally
force, in
ation, insider trading, and money launder- anonymous e-cash. Every time I wants to trade some
ing). Therefore, we realize: shares at certain price, he signs such a request veri-
able against his CAC and sends it to SEV who will
validate or invalidate this request according to the
Unforgeability: The \conditionally anonymous status of his money and share balance. For exam-
certicate" (CAC) is existentially unforgeable. ple, if the investor is bidding for some shares without
enough money balance or oering shares more than
3 Refer to [MS99] for further description of the properties his share balance aord to, it is invalidated. A re-
of an ABB. We also do not rely on any strict timing of posts quest is validated if it is not invalidated, and a vali-
(as in [MS99, S96]) to guarantee security because an adversary
seeing a user's post may insert a new post before anyone else
dated request will be posted on the ABB. SEC will
seeing that post. 4 Double-trading is a special type of over-trading.
3
be responsible for performing all the transactions in- 3.4 Buying Shares
dicated by the validated requests posted on the ABB Protocol 4. An investor I signs a buying request
(e.g., if there is a match in price for a pair of selling
and buying requests), therefore transferring money SIGI (buying; AA; name; price; quantity) with inten-
for such a successful transaction. SET generates the tion to buy quantity (say, 100) shares of name (say,
capital gains reports for all anonymous investors via IBM) at the price (say, $10 per share) at the payment
their anonymous accounts respectively, and SEE is of the anonymous account AA.
in power for all voting processes (e.g., assuring one 1. I sends a request,
vote per share). SIGI (buying; AA; name; price; quantity), to
SEV.
3.2 Investor's Setting Up 2. SEV checks the semantics of the signature
The following two protocols are necessary for every (i.e., if it is valid against the \conditionally
investor, but only once. anonymous certicate" (CAC) associated with
the claimed AA, and if price quantity
Protocol 1: Investor I obtains a \condition- mbalanceAA , where mbalanceAA is money bal-
ally anonymous certicate" (CAC) from the CA ance at AA. If ok, SEV posts it on the ABB.
who transparently maintains a proactive cryptogra- 3. SEC will decide honestly whether this buying
phy based signing infrastructure [HJJKY97, JY97]. request being done or not. If there is a success-
1. I shows his normal certicate (alternatively, any ful trading, it will perform all the corresponding
valid ID) to the CA. work (i.e., debiting the buyer's money balance
and crediting the his share balance), whereas
2. After checking the validity of that certicate (or SET will record the transaction transcripts.
ID), I and CA engage in a protocol to obtain a
CAC (key; r; s) on his public key (say, Schnorr 3.5 Selling Shares
public key key def
= gx in certain mathematical Protocol 5. I signs a selling request
group [S91]). SIGI (selling; AA; name; price; quantity) with inten-
Protocol 2. The investor opens an anonymous tion to sell quantity (say, 100) shares of name (say,
account (AA) at the stock exchange, SE. IBM) at the price ($10 per share) at the anonymous
account AA.
1. I shows his CAC (key; r; s) to SE. 1. I sends his request,
2. SE checks the validity and ownership of this SIGI (selling; AA; name; price; quantity), to the
anonymous certicate (e.g., via a signature on SE.
a fresh challenge). 2. SEV checks the semantics of the signature (i.e.,
3. SE associates that CAC to that AA randomly if it is valid against the CAC associated with
chosen by I (or SE). Every time now on, if any the claimed AA, and if quantity sbalanceAA ,
one claims that he is the owner of some AA, au- where sbalanceAA is the share balance at AA. If
thentication is requested. ok, SEV posts it on the ABB.
3. SEC will decide honestly whether this selling re-
3.3 Depositing at the Anonymous Ac- quest being done or not. If there is a success-
ful trading, it will perform all the corresponding
count work (i.e., crediting the seller's money balance
Protocol 3. The investor deposits physical money and debiting his share balance), whereas SET
or e-money obtained from certain unconditionally will record the transaction transcripts.
anonymous payment system independent of the cur-
rent paper at his anonymous account, AA. 3.6 Dividending
1. I deposits directly some physical money (alterna- Protocol 6. Dividending can be realized by SEE
tively, unconditionally anonymous e-money) at who will retrieve all the shareholders of the intended
his AA. shares of certain company (say, IBM).
4
1. SEE lists all the shareholders with the corre- 3.9 The Active Detection Mechanism
sponding quantities from the account database
(maintained by the SE rather than by the com- This technique is introduced to entitle the law en-
pany, IBM, in [MS99]) and dividends according forcers to actively detect certain abuses (i.e., brute
to the given process (say, $0:5 per share, there- force, in
ation, insider trading, and money launder-
fore crediting the money balance of all the cor- ing), therefore implementing fail-stop [P96] at the
responding anonymous accounts). system level.
3.9.1 Detection Brute Force
3.7 Voting
As the stock exchange (SE) maintains a central
As mentioned in the introduction, the voting scheme database for the investors, we assume there are sat-
should be anonymous, authentic, and universally ver- isfactory mechanisms to protect the integrity of the
iable. database. If the signing key of the CA is brute
forced (i.e., via either brute force attack or social
Protocol 7: Investor I posts a signed ballot to engineering, even it is protected through the proac-
SEE who will check and validate/invalidate it. We tive cryptography mechanism), it may be abused to
assume there are m candidates. P
launder money by opening many anonymous
that are traced to nobody. Let CAC denote the
accounts
1. I posts the signed Pnumber of anonymous certicates having been issued,
revocation the number of the certicates having been
vote SIGI (voting; AA; candidate1; quantity1 ; CAC P the number of anonymous ac-
; candidatem; quantitym ), to the SEE imply-
ing that he intends to support candidatei with
revoked, and
counts. If CAC
P AA Prevocation
CAC
P
< AA , there must
quantityi , where i = 1; ; m. be some counterfeiting of certicates.
2. SEE checks the semantics of this signed vot- 3.9.2 Detection In
ation
ing paper, i.e., the freshness, the validity of the
signature against the \conditionally anonymous There are two types of in
ation attacks, namely issu-
certicate" (CAC) associated P with the claimed ing extra \conditionally anonymous certicates" (i.e.,
anonymous account AA, and m i=1 quantityi the CA may illegally issue CACs to criminal organi-
sbalanceAA , where sbalanceAA is the share bal- zations to launder money) and issuing extra \credit"
ance at AA. If ok, it is a valid ballot, and is (e.g., some investor can buy shares more than his
posted on the anonymous bulletin board (ABB) money balance aord to pay). It is rather simple to
or broadcasted. activelyPblock such two serious attacks in our model.
Let application be the total number of applications
3.8 Taxing P after cancelling a compro-
(including re-application
mised certicate), CAC the number of \condition-
The basic process for taxation, though dierent from ally anonymous certicates" having ever been issued
here to there, may be that the tax agency will go to P alsoPthe certicates having been revoked).
(including
If CAC > application , then there exists a certi-
the stock exchange (alternatively, the investors them-
selves declare their incomes) to impose duties. The cate in
ation attack.
specic tax law is independent of the current paper, If the investor is allowed by the SE to buy shares
and we only focus on the calculation of precise du- more than his money balance aord to pay, or to sell
tiable income. shares more than his share balance, this will result
sever problems in the economy. A natural approach
to address this is to audit periodically the transaction
Protocol 8: The stock exchange taxation (SET) records against the involved money/shares balances.
prepares all the precise reports for the dutiable in-
comes based on the transaction transcripts for the 3.9.3 Detection Inside Trading and Money
taxation agency (TA). Laundering
1. SET prepares the dutiable incomes for all anony- All the monitoring and audit techniques adopted in
mous investors for TA. the physical world can be seamlessly integrated into
our scheme, though anonymously. For example, if
2. TA imposes duties according to the law. one (anonymous) investor always gains a high prot
5
margin (say, 1000%), there may be some inside trad- twice. In this case, such a lost is inevitably due to
ing. On the other hand, the records of the transac- the unlinkability among the transactions performed
tions transcripts can be used to assure the income of by the same person.
any investor from the stock market. Such transcripts
is useful for the law enforcers to detect laundering
[MW98]. 5.1 Related Work: A Closer Look
Now, it is interesting to compare our solution with
4 The Claims the one in [MS99]. The obvious cursor is the scale,
i.e., how many certicates/accounts one is allowed to
We claim the properties of the basic scheme in the fol- hold.
lowing theorems, and the sketched proof of Theorem Our basic scheme can be viewed as an instance
1 is presented in Appendix A, whereas Theorem 2 at the one extreme end of the ruler because every
can be directly deduced from the discussion in section one is allowed to hold exactly one certicate/account.
3.8. While we realize the best control, eciency, and scal-
ability, the transactions are linkable. If such linka-
Theorem 1 The basic anonymous investing scheme bility is the principal concern, our extension can be
achieves unforgeability, over-trading prevention, adopted instead while almost nothing is lost.
over-trading framing-freeness, traceability, revocabil- The totally unlinkable anonymity of [MS99] is lo-
ity, anonymity, anonymous voting, and tax evasion- cated at the other extreme end as each share is as-
freeness. sociated with a dierent certicate. As mentioned in
the introduction, such a solution is bound to be non-
Theorem 2 The basic anonymous investing scheme scalable. Though this solution can still be extended
entitles the law enforcers to actively detect abuses to let one hold m > 1 certicates5 , with similar to
including brute force, in
ation, insider trading, and our extension at rst glance, such an extension is still
money laundering. disadvantageous over ours in the following senses.
6
an investor are associated, we have proposed a scal- [HJJKY97] A. Herzberg, M. Jakobsson, S. Jarecki,
able (e.g., one signature is enough to certify a trad- H. Krawczky, and M. Yung, Proactive
ing/election transaction independent of the number Public Key and Signature Systems, ACM
of involved shares), tax evasion-free, fair (to both the CCS'97
sellers and the buyers) anonymous investing scheme
with a mechanism for the law enforcers to actively de- [JY96] M. Jakobsson and M. Yung, Revokable
tect abuses (i.e., brute force, in
ation, insider trading, and Versatile Electronic Money, ACM
and money laundering). CCS'96
An interesting challenge for future work is to in-
vestigate how much the aection is the anonymous [JY97] M. Jakobsson and M. Yung, Distributed
linkability on privacy? Hopefully, data mining may \Magic Ink" Signature, Eurocrypt'97
play an important role in this direction.
[M96] D. M'Raihi, Cost-Eective Payment
Schemes with Privacy Regulations, Asi-
acrypt'96
References
[Ba98] Basle Committee on Banking Supervi- [MW98] D. A. Mussington and P. Wilson, Cy-
sion, Risk Management for Electronic berpayments and Money Laundering,
Banking and Electronic Money Activi- http://www.rand.org, 1998
ties, http://www.bis.org, 1998
[MS99] P. MacKenzie and J. Sorensen, Anony-
[BGK95] E. F. Brickell, P. Gemmell, and D. mous Investing: Hiding the Identities
Kravitz, Trustee-Based Tracing Exten- of the Stockholder, Financial Cryptogra-
sions to Anonymous Cash and the Mak- phy, 1999
ing of Anonymous Change, SODA'95
[NIST91] National Institute for Standards and
[C82] D. Chaum, Blind Signatures for Untrace- Technology, Digital Signature Standards,
able Payments, Crypto'82 1991
[CFN88] D. Chaum, A. Fiat, and M. Naor, Un-
traceable Electronic Cash (Extended Ab- [OECD96] Organization for Economic Co-operation
stract), Crypto'88 and Development, OECD Workshops on
the Economics of the Information Soci-
[CMS97] J. Camenisch, U. Maurer, and M. ety, 1997
Stadler, Digital Payment Systems with
Passive Anonymity-Revoking Trustees, [P96] B. Ptzmann, Digital Signature Scheme-
Journal of Computer Security, 5(1), 69- General Framework and Fail-Stop Signa-
89, 1997 tures, LNCS 1100, 1996
[FSW99] M. Fan, J. Stallaert, and A. B. Whinston, [RSA78] R. L. Rivest, A. Shamir, and L. Adle-
A Web-Based Financial Trading System, man, A Method for Obtaining Digital
IEEE Computer, April 1999, 64-70 Signatures and Public-Key Cryptosys-
[FTY96] Y. Frankel, Y. Tsiounis, and M. Yung, tem, CACM, Vol. 21, No. 2, 1978
Indirect Discourse Proofs: Achieving Ef-
cient O-Line E-Cash, Asiacrypt'96 [S91] C. P. Schnorr, Ecient Signature Gen-
eration by Smart Cards, J. Cryptology,
[FTY98] Y. Frankel, Y. Tsiounis, and M. Yung, 4(3), 1991, 161-174
Fair O-Line E-Cash Made Easy, Asi-
acrypt'98 [S96] D. Simon, Anonymous Communication
[GMR88] S. Goldwasser, S. Micali, and R. L. and Anonymous Cash, Crypto'96
Rivest, A Digital Signature Scheme Se-
cure Against Adaptive Chosen-Message [vSN92] B. von Solms and D. Naccache, On Blind
Attacks, SIAM J. Computing, 17(2):281- Signatures and Perfect Crimes, Com-
308, 1988 puter & Security, 11(6), 1992, 581-583
7
A Proof for Theorem 1 same way as in [JY97], i.e., via the underlying magic-
ink signature primitive.
Theorem 1. Our system achieves unforgeability (2) This can done by rstly tracing from an
(Lemma 1.1), over-trading prevention (Lemma investor's ID to the corresponding \conditionally
1.2), over-trading framing-freeness (Lemma 1.3), anonymous certicate" (CAC) according the tech-
traceability (Lemma 1.4), revocability (Lemma niques depicted in [JY97], and then from CAC to the
1.5), anonymity (Lemma 1.6), anonymous voting corresponding AA, thereof the money/share balance
(Lemma 1.7), and tax evasion-freeness (Lemma attached to it.
1.8). (3) This is equal to decide whether certain CAC is
issued in certain signing session, which can be done
Lemma 1.1. The \conditionally anonymous certi- via the technique in [JY97]. 2
cate" is existentially unforgeable.
Lemma 1.5. Any traced share/money can be black-
proof: (sketch) This can be directly concluded listed or frozen implying revocability.
from the assumption of the existential unforgeabil-
ity of the underlying (threshold) magic-ink signature proof: (sketch) As any \anonymous account"
scheme in [JY97] and the security of the underlying (AA) can be traced, thus the stock exchange can
proactivization scheme in [HJJKY97]. 2 blacklist or freeze the share/money attached to the
AA. 2
Lemma 1.2. Any over-trading can be prevented.
Lemma 1.6. The probability for any coalition of
proof: (sketch) On one hand, as the stock ex- participants not including a quorum servers of the
change verication (SEV) will check the validity of certicate authority to determine the identity of the
the buying and selling requests against the database owner of a AA is negligible.
maintained by the stock exchange, and then decide
whether such a claim is valid (thereby posting on the proof: (sketch) If there exists such as adver-
anonymous bulletin board, ABB) or not (i.e., omit- sary succeeding in doing this with probability non-
ting it), either over-buying or over-selling can pre- negligible, it can be used as an oracle to reveal the
vented unless the SEV is dishonest. 2 identity of the investor holding the corresponding
\conditionally anonymous certicate" (CAC), which
is contrast to the conclusion proved in [JY97]. 2
Lemma 1.3. No participants can falsely frame an
investor participating in over-trading.
Lemma 1.7. Our scheme implementing anonymous
voting.
proof: (sketch) According to the buying and sell-
ing protocols, a successful trading must be witnessed proof: (sketch) (1) No participants can imperson-
by the investor's signed request which can be veried ate an investor in voting as a signature is necessary
by the stock exchange verication (SEV) against the to certify it. (2) It is impossible for an investor to
corresponding \conditionally anonymous certicates" vote more than his share balance aord to as the
(CAC). Therefore, no parties (including even SEV) stock exchange election (SEE) knows the quantity of
are able to frame the investor in any trading or over- the shares he holds. (3) The election scheme is uni-
trading process as the underlying signature scheme is versally veriable whereas anonymity for the voter is
assumed existentially unforgeable. 2 preserved. 2
Lemma 1.4. The anonymous investing scheme sup- Corollary 1.8. Our scheme is tax evasion-free.
ports three kinds of passive traceability: (1) From
anonymous account (AA) to investor's ID; (2) From
an investor ID to the corresponding AA; (3) Whether proof: (sketch) As all capital gains are precisely
an AA is corresponding to certain investor ID. recorded, the tax agency can calculate the taxes
(anonymously) with similar to the process in the
physical world (non-anonymously). The taxes can be
proof: (sketch) (1) This is in nature to trace from a paid directly from the AAs of the investors. 2
\conditionally anonymous certicate" (CAC) to the
corresponding investor's ID. It can be done via the