Three party signing protocol providing non-linkability
Abstract
A three-party signing protocol uses a Trusted Third Party (denoted T) to simulate a two-party protocol in which a sender, designated party A, anonymously signs data intended for a particular receiver, designated party B, such that B can verify the signature on the data without learning A's true identity, and such that data and signatures received by different receivers cannot be cross-linked, aggregated, or associated with a single sender. In this three-party signing protocol, A has only one public/private signature key-pair. T is permitted to “see” signatures generated by A, but B is not permitted to “see” signatures generated by A unless they are randomized or encrypted, since otherwise A's signatures and signed data could be cross-linked. Thus, in the three-party signing protocol, T is used to “vouch to B on behalf of A” that signatures generated by A are valid.
27 Claims
1. A three-party signing method that protects the privacy of the signer and prevents verifiers from colluding to cross-link information signed by the signer, the method comprising the steps of:
generating by a signer A a signature S1 on a representation of at least data D;
sending by A the representation of at least the data D with the signature S1 to a trusted third party T;
verifying by T the signature S1 on the representation of at least data D, and if the signature S1 on the representation of at least data D is valid, then generating by T a signature S2 on the representation of at least data D;
sending by T a representation of signature S1 together with the representation of at least data D and the signature S2 to an intended receiver B, or else sending by T a representation of signature S1 together with the representation of at least data D and the signature S2 to A, who in turn sends the representation of signature S1 together with the representation of at least data D and the signature S2 to B, whereby the representation of signature S1 is such that it cannot be used by B to cross-link information signed by A; and
verifying by B the signature S2, and if the signature S2 on the representation of at least the data D is valid, then escrowing by B at least a copy of the representation of at least the data D, the representation of signature S1, and the signature S2 in case a dispute arises in which B must later prove to an impartial party that A indeed signed the representation of at least the data D, whereby B is assured that A's signature S1 generated on the representation of at least data D was also valid, in which case B can trust that A did indeed sign the representation of at least data D, even though B does not verify A's signature S1 directly.
Dependent claims: 2 to 22.
23. A three-party signing method that protects the privacy of the signer and prevents verifiers from colluding to cross-link information signed by the signer, the method comprising the steps of:
generating by a sender A a value M1 containing information identifying the sender A to a trusted third party T, information identifying an intended receiver B to the trusted third party T, information specifying data D, and a signature S1 on at least a sub-portion of M1 containing at least the information specifying the data D;
sending by A the value M1 containing the information specifying the data D with the signature S1 to the trusted third party T;
validating by T the value M1, and if the value M1 is validated, then generating by T a pseudonymous identifier A1 for the sender A and a value M2 containing the pseudonymous identifier A1 permitting A's pseudonymous identity to be determined by the receiver B, a copy of the information specifying the data D, a copy of A's signature S1 encrypted in a key that will allow only the trusted third party T to decrypt and recover it, and a copy of T's signature S2 on at least a sub-portion of the value M2 containing at least a copy of the information specifying the data D that sender A provided to trusted third party T in value M1;
sending by T the value M2 to A, who in turn sends M2 to the intended receiver B, or else sending by T the value M2 directly to B; and
validating by B the value M2, and if the value M2 is valid, then B is assured that A's signature S1 generated on data D was also valid, in which case B can trust that A did indeed sign D, even though B does not verify A's signature directly, or even “see” A's signature.
Dependent claim: 24.
25. A three-party signing method that protects the privacy of the signer and prevents verifiers from colluding to cross-link information signed by the signer, the method comprising the steps of:
creating and transmitting protocol information between a sender A, a trusted third party T and an intended receiver B, which includes generating and verifying of digital signatures S1 for the sender A and S2 for the trusted third party T in a manner that prevents the signature S1 from being cross-linked to data signed by the sender A;
escrowing the protocol information; and
resolving disputes between the sender A and the receiver B using an impartial party IP which accesses the escrowed protocol information.
Dependent claims: 26 and 27.
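The exchange that claims 1, 23 and 25 describe (A signs D to get S1; T verifies S1 and vouches with its own S2; B verifies only S2 and escrows what it received; an impartial party later resolves a dispute by having T reveal S1), as an added worked example in Go. This is not code from the patent or from its assignee, and everything concrete in it is an assumption the claims leave open: Ed25519 for both S1 and S2, RSA-OAEP to a key held only by T as the "encrypted so that only T can recover it" representation of S1, an HMAC under a secret of T as the pseudonymous identifier A1, a registry of sender public keys that T is assumed to have been given out of band, and the type and function names (M2, TTP, Receiver, Vouch, Open, Accept, Resolve).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// M2 is what B receives (claim 23): a pseudonym for A, the data D, A's signature S1
// encrypted so that only T can recover it, and T's signature S2.
type M2 struct {
	Pseudonym    string
	D, EncS1, S2 []byte
}

// TTP is T: an Ed25519 key for S2, an RSA key so that only T can decrypt escrowed S1
// values, a MAC key for pseudonyms, and a registry of sender public keys (assumed).
type TTP struct {
	Pub      ed25519.PublicKey
	priv     ed25519.PrivateKey
	enc      *rsa.PrivateKey
	macKey   []byte
	registry map[string]ed25519.PublicKey
}

func NewTTP() *TTP {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	enc, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	macKey := make([]byte, 32)
	_, err = rand.Read(macKey)
	must(err)
	return &TTP{Pub: pub, priv: priv, enc: enc, macKey: macKey, registry: map[string]ed25519.PublicKey{}}
}

// NewSender gives A its single key-pair (the abstract allows only one) and registers the
// public key with T; how T learns A's key is not specified by the claims, so this is assumed.
func NewSender(t *TTP, id string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	t.registry[id] = pub
	return priv
}

// s2Input binds S2 to the pseudonym and to D, so B checks that T vouched for exactly this D.
func s2Input(pseudonym string, d []byte) []byte { return append([]byte(pseudonym+"|"), d...) }

// Vouch is T's step on M1 = (A, B, D, S1): verify S1 and, only if it is valid, emit M2.
func (t *TTP) Vouch(senderID, receiverID string, d, s1 []byte) (M2, error) {
	pk, ok := t.registry[senderID]
	if !ok || !ed25519.Verify(pk, d, s1) {
		return M2{}, errors.New("S1 invalid: T refuses to vouch")
	}
	// Pseudonym = HMAC(macKey, A|B): stable towards one receiver, unmatchable across receivers.
	mac := hmac.New(sha256.New, t.macKey)
	mac.Write([]byte(senderID + "|" + receiverID))
	pseudonym := hex.EncodeToString(mac.Sum(nil)[:16])
	// RSA-OAEP is randomized: the same S1 vouched for two receivers yields unrelated ciphertexts.
	encS1, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &t.enc.PublicKey, append([]byte(senderID+"|"), s1...), nil)
	if err != nil {
		return M2{}, err
	}
	return M2{Pseudonym: pseudonym, D: d, EncS1: encS1, S2: ed25519.Sign(t.priv, s2Input(pseudonym, d))}, nil
}

// Open runs only at dispute time: T recovers the signer's identity, S1 and the signer's public key.
func (t *TTP) Open(encS1 []byte) (string, []byte, ed25519.PublicKey, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, t.enc, encS1, nil)
	if err != nil {
		return "", nil, nil, err
	}
	id, s1, _ := bytes.Cut(pt, []byte("|"))
	return string(id), s1, t.registry[string(id)], nil
}

// Receiver is B: it verifies only T's S2 (it never sees S1 in the clear) and, on success,
// escrows M2 in case a dispute arises later (claim 1).
type Receiver struct {
	TPub   ed25519.PublicKey
	Escrow []M2
}

func (b *Receiver) Accept(m2 M2) bool {
	if !ed25519.Verify(b.TPub, s2Input(m2.Pseudonym, m2.D), m2.S2) {
		return false
	}
	b.Escrow = append(b.Escrow, m2)
	return true
}

// Resolve is the impartial party's step (claim 25): re-check S2 on B's escrowed record,
// have T open the encrypted S1, and verify S1 against the revealed signer's public key.
func Resolve(t *TTP, rec M2) (string, bool) {
	if !ed25519.Verify(t.Pub, s2Input(rec.Pseudonym, rec.D), rec.S2) {
		return "", false
	}
	id, s1, pk, err := t.Open(rec.EncS1)
	if err != nil || pk == nil {
		return "", false
	}
	return id, ed25519.Verify(pk, rec.D, s1)
}
```

Two things worth checking when running it: vouching the same D for two different receivers gives them different pseudonyms and different EncS1 ciphertexts even though Ed25519 makes A's S1 identical in both cases, which is the non-linkability the abstract asks for; and B's Accept depends only on T's public key, so B never needs, and never sees, A's signature until an impartial party asks T to open it.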