Hello, Ed here, and I want to take you through, in this video, an interesting protocol and concept that was introduced in the 1980s by a guy named David Chaum. And it's called blinding, and the blinding purpose is to introduce some degree of anonymity in interaction between client and server. I want to tell you what the, really, idea here is, and this is David Chaum's work, a wonderful mathematician. Spent quite a bit of time at University of California, Berkeley, and founded a company called DigiCash on the basis of what we're going to be talking about here. So I think it's a marvelous algorithm, it's something I like to show students, because it's so easy to conceptualize.
So here's the idea, the client would like to provide to the server, now think customer and bank maybe, or buyer and seller, whatever. I'd like to provide, to the server, an envelope that's sealed, and inside the envelope is the equivalent of a paper check where I've written out an amount. It has a number, all checks are numbered, paper checks, it's signed, it's valid, and let's say I've put the amount at $25 US, okay? So I want to send the envelope to you, have you not open it or read inside it. But trust me that I said, hey, there's $25 in there, and it's got a valid serial number. But don't look inside, because I don't want you to see the serial number. And just, here's the check, deposit the $25 and send it back, or debit my account, give me $25, or whatever I'm trying to do. What do you think about that?
So you might say the bank, or the recipient, or the authorizer of this, the signer of the envelope, is going to say, what are you, crazy? Maybe you say it's $25, but maybe you put $2,500 in there. I'm not going to sign it without reading what's inside that, that's crazy. So Chaum set about coming up with a way to solve this, and it turns out there's actually a trivial way to solve it. You could say that all interactions are always, say, $10, then okay.
Now, maybe you put multiple of them inside, there's still ways you might cheat that. But setting that aside, if I want something that's the equivalent of anonymous, say, cash, where I can make the number whatever I want the number to be. On the outside of the envelope, I write a number, and you trust that that number is reasonable, came up with a scheme that's kind of cool. And again, sort of these multiple steps that sort of involves Bob sending to the encrypted server, or an encrypted, secret number to the server. The server then does something, it's going to attest to that and send something back encrypted. That's sort of the idea of what we've done through a network.
And let's go through the Alice network in Bob's steps, or at least the purpose, and then I'll explain how the protocol works. So there's sort of a create, send, sign, respond, and then a signed certificate aspect to this. Where I'm creating kind of an encrypted, you could think of it, I guess in some sense, as a certificate. It's got a serial number, has an amount, and it has some key, say key K1, that I then send across to Bob, the server. I'm asking Bob then, without key K1, I don't want Bob to have the key, I want him to then, quote-unquote, sign it with his secret key. So without reading it, he doesn't have key K1, I want him to sign it with SB, respond back. And now I now have a signed certificate from Bob that has my original amount in there, it has $2 US with a serial number. And it was encrypted key K1, which I still have, and now I have it signed by SB.
Now if I want to spend that, say with a merchant, I just provide the merchant with key K1 and this whole certificate. Because the merchant will have the public key of Bob, can validate the public key of Bob, good, this is real. I've given you key K1, they take key K1, they decrypt the message, and now they see the $2 and I can spend this.
But as you can see, how do I solve the problem of having you trust that it's really $2 and not $2 million in there? So here's what Chaum came up with. Now as you look at this, this is the blinding protocol implementation, on your first glance, you may not get this. I'll describe it a couple of times, because it's a really crazy scheme. When I'm doing this with graduate students in, say, a classroom, about half of them get it the first try, and then the second try, more get it. You may have to stare at this a few times, but here's the idea.
In step 1, according to the Chaum blinding protocol, Alice creates, say, 1,000 essentially duplicate notes. Could be 10,000, could be 100,000, could be 100, but let's just say it's 1,000 for now. The only place they're different is that the serial numbers are different, and the keys are different. The amount is the same, it's still a valid, I sort of set up the way the message is constructed, the way the note is constructed is the same. Serial number, the amount which, in this case, is $2 and a key. Serial number, different one, amount, same amount, different key. Serial number, amount, key, all the way down from 1 to 1,000. So they're all the same in structure, they all say $2, but they have different serial numbers, different keys.
I send that whole blob over to Bob, I send all 1,000 to Bob, he just got the whole group of them. Now what Bob does is, at random, picks a number between 1 and 1,000. So Alice couldn't possibly have known in advance what that number is going to be, well, she guesses it. That's why it could be 10,000, it could be a million, but let's say it's 1,000. He picks some number, eh, whatever, 53 or 327 or some number, we'll just call it some Kn. And says to Alice, give me all of the keys except, let's say the number is 317, give me from 1 to 316. Don't give me 317, that's the random number I picked, but then give me 318 to 1,000.
So I'm asking you for every key, except one random key for one random number that I picked, that you couldn't possibly have known about in advance. So you get this request now for 999 keys, which you then provide to Bob. But you hold back the one that Bob said to hold back, hold back 317, don't give that to me. So now Bob takes all these keys and starts reading all the notes, to see if you cheated on any of them. And if they all look reasonable, serial number, $2, all the way down? Then he concludes, well, I asked for 999, I picked one at random. If these 999 look good, then the chances are pretty good that the one I didn't look at looks like the others. He signs the note and sends it back to you. What do you think of that, you follow?
It's like I give you a batch of envelopes, you make this big batch of them, there's a thousand there, sitting in a big bucket somewhere. And I'm asking you to sign one of them, I don't care which one. They're all $2 notes, I'm telling you they're all $2 notes. And you go, well, all right, so you open all of them. But one, now, the way you open them is you ask me for the keys, but the one that you don't open, you don't get the key for. You rip them all open, they all look exactly the same, throwing them all out. Until there's one envelope sitting there in the basket that you haven't opened, every other one looks the same. And you go, all right, I'll sign that, I'm pretty confident that you did that right, boom. You sign it, send it back, and you have anonymous signings, is that interesting?
It's kind of a form of anonymous cash on the Internet. I always thought that was one of the most clever schemes I've ever seen. It's different from onion routing, right, onion routing is weaving a routing path, this is a different kind of anonymity. This is using applied cryptography, in a sense, to produce a very similar effect. You can use blinding for a lot of different things.
It always surprises me that a protocol was introduced, I think it was 1983 or something, that this came out, hasn't seen a bigger run. So hopefully this will inspire you to take your understanding now of how blinding works, apply it to something. Auctions, elections, banking, all kinds of different things could benefit from David Chaum's fine work, which we refer to as blinding, or blinding signatures.
Now, as sort of an additional consideration, I would like you to sit and think about, what are some applications, in your own mind, besides banking, auction, and so on. What are some things you may be involved in, where some anonymity would be useful? Where would sort of signing something blindly be useful? Try to think it through, I gave you a few of the obvious ones, see if you can come up with some that are a little less obvious. I will see you in a subsequent video.
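Editor's added example, not part of the lecture: a Python sketch of the create, send, open-all-but-one, sign, spend steps described in the transcript. With one bad note among N, Bob's random pick leaves it unopened with probability 1/N. The function names, the toy RSA key, the SHA-256 XOR cipher and the choice to sign a hash of the sealed envelope are all assumptions made for illustration.

```python
import hashlib, json, secrets

# Bob's toy RSA key, built from two Mersenne primes (constructed, insecure size).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def seal(key: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher keyed by SHA-256; the same call opens an envelope."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def digest(envelope: bytes) -> int:
    return int.from_bytes(hashlib.sha256(envelope).digest(), "big") % N

def make_notes(count, amount, cheat_at=None, cheat_amount=2_000_000):
    """Alice: same amount in every note, fresh serial and key per note."""
    keys, sealed = [], []
    for i in range(count):
        note = {"serial": secrets.token_hex(8),
                "amount": cheat_amount if i == cheat_at else amount}
        keys.append(secrets.token_bytes(16))
        sealed.append(seal(keys[-1], json.dumps(note).encode()))
    return keys, sealed

def cut_and_choose(sealed, keys, amount, held=None):
    """Bob: leave one random envelope sealed, open the rest, sign if all match."""
    held = secrets.randbelow(len(sealed)) if held is None else held
    revealed = {i: k for i, k in enumerate(keys) if i != held}  # Alice withholds one key
    for i, key in revealed.items():
        if json.loads(seal(key, sealed[i]))["amount"] != amount:
            return None  # an opened note disagrees, so Bob refuses to sign
    return held, pow(digest(sealed[held]), D, N)

def merchant_accepts(envelope, signature, key, amount):
    """Merchant: check Bob's signature with (N, E), then open with Alice's key."""
    if pow(signature, E, N) != digest(envelope):
        return False
    return json.loads(seal(key, envelope))["amount"] == amount

if __name__ == "__main__":
    keys, sealed = make_notes(1000, 2)
    held, sig = cut_and_choose(sealed, keys, 2)
    print("merchant accepts:", merchant_accepts(sealed[held], sig, keys[held], 2))
```

Passing `cheat_at` to `make_notes` and a fixed `held` to `cut_and_choose` lets you compare the case where Bob opens the bad note with the case where his pick happens to land on it.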