Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Look up keyword
Like this
1Activity
0 of .
Results for:
No results containing your search query
P. 1
sec2000

sec2000

Ratings: (0)|Views: 5 |Likes:
Published by postscript

More info:

Published by: postscript on Apr 23, 2008
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PS, PDF, TXT or read online from Scribd
See more
See less

06/16/2009

pdf

text

original

 
Scalable,TaxEvasion-freeAnonymousInvestin
ShouhuaiX
MotiYun
GenduZhang 
Dept.ofComputerScience,FudanUni.,P.R.China 
shxu,gdzhang 
@fudan.edu.cn 
CertCo,NY,NY,USA.moti@cs.columbia.edu revised,Jan.14,2000 
Abstract 
MotivatedbytheopenproblemsofMS99],wepro- posed
scalable 
(i.e.,onesignatureisenoughtocertifyatrading/electiontransactionindependentofthnumberofinvolvedshares),
taxevasion-fre
,anony- mousinvestingschemeviathenewnotionintroduceinthispaper,namel
anonymousaccount 
.Whileour tradingmodeli
fair 
toboththesellersandthebuy- ers,amechanismforthelawenforcerst
activel
detectabuses(i.e.,bruteforce,ination,insidertrading,andmoneylaundering)isalsoprovided.Wealsodiscusssomeusefulextensiontorealizevariouspreferred trade-os.
1Introduction 
\Anonymousinvesting"wasintroducedbyMacKen- zieandSorenseninMS99]toenableanonymoustrad- ingandsecretinvestment,thereofrealizingbetteprotectionfortheprivacyoftheinvestors.Inthe samepaper,theyalsoproposedasolutionbasedon thenewconceptcalle
eshare 
,whereastheunderly- ingcomponentsareborrowedfrome-cashschemes.Nevertheless,theirsolution,asnoticedbytheau- thorsthemselvesinMS99],isneither 
scalable 
no
taevasion-free 
.Inthispaper,weproposeanewnotion called 
anonymousaccount 
,viawhichweconstructpractical\anonymousinvesting"scheme.Whileour solutionisofscalabilityandtaxevasion-freeness,furtherobjectivesarealsoimplemented.
1.1Background 
PrivacyisincreasinglyconcernedinthedigitaleconomyofthevirtualInternetworld.Though 
customer anonymit
hasalreadybeensomehowwell-studiedithecontextofelectronicpayments(referto,C82,BGK95,CMS97,CFN88,FTY96,FTY98,JY96,M96]),privacyoftheinvestorsincapitalmarketsionlyrecentlypaidattentioninMS99].Thekeydifferencebetweenthetwoapplicationsliesinthefacthattherearenoconceptsof 
anonymousdividending 
an
anonymousvoting 
wehavetorealizeine-cascontext.Itshouldalsobenotedthat 
anonymousvotin
in\anonymousinvesting"isdierentfromthe 
securevotin
inageneralelectionscheme,becauswenotonlyneedtohidethevotesoftheindividual participants,butwewishfurthernottorevealtheiidentities.Ontheotherhand,\anonymousinvesting"hasalsothepotentialtobeabused(say,insider tradingandmoneylaundering),whichsuggestsusthe eortine-cashvSN92].Let'sbrieyreviewthesolutionproposediMS99].Intheirmodel,thecerticateauthority(CAmaintainsananonymouse-cashschemewithtrusteerevocableanonymity,fromwhomtheinvestorswith- draw 
zero-valu
\coins"thatcanonlybe 
pai
t\purchase"certiedpublickeys.Therefore,the anonymityofacerticatecanberevokedbythe trusteesindirectlyfromthecorrespondin
zero-valu
coin.
Withsuchcerticates,theinvestorscananonymouslytradeandvoteaccordingtothesharesofsomcompaniestheyhold.Actually,ashare/eshareisde- notedviaadoubly-signedcerticate,i.e.,certiedby thecompanyontheinvestor'scerticateissuedbythe CA.Thecompanieswhosellesharesneedtomaintaipublicdatabasesfortheirowneshares.Toseethedrawbacksofthesolution,weneedtgetalittleintotechniques.AssumeinvestorBob rstlywithdraws
zero-valu
coi
(i.e.,obtained fro
0
,theviewoftheCA,viathetechniquesimi
WhileitseemsmoremodulartohaveaseparateCAcertifyingidentitiesMS99],theinvestors'identitiescanbeillegallrevokedbysomeparticipant,otherthantheintendedCA,from thee-coinsusedtobuyshares.Fortunately,suchanillegallrevocationisimpossibleinoursolution.
 
lartoblindsignatureC82,FTY98])fromtheCA,andthenpay
backtotheCAwhowillcertifBob'spublicke
Bo
.Wedenotesuchacerticate 
cert 
Bode
SI
C
Bo
),anditsanonymitcanberevokedfromthe 
zero-valu
coi
,asinecash.Thisistheveryreasontoassumetheexistence ofaconditionallyanonymouse-cashsystem.Specifically,aneshareofIBMheldbyBobisdenoteda
SI
IB
cert 
Bo
),i.e.,
SI
IB
SI
C
Bo
)),ithedatabasemaintainedbyIBM.IfIBMhas10 
eshares,itsdatabasehasexactly10 
records.WheBobintendstosellthiseshare,theownershipcanbe easilyproved/checkedasheknowsthesecretkeycorrespondingtothepublicke
Bo
.Unfortunately,ithemodelofMS99],ifBobwantstosellhis100IBMeshare,1000signatureshavetobesigned(by Bob)andveried(byIBM)against(possibly)1000 certicates.Inthiscase,Bobmayhavetosetup1000 balanceaccountsatthebanktowhichheredeemthee-checks(signedbythecompanyaftersuccessfulselling),ifnotinphysicalcash.Thiscanbefurtherworsenasitisimpossible(evenBobhimself)tforetellhowmanyeshares(therefore,thecorrespond- ingcerticates)tobebought.Ontheotherhand,thefactthatBobhasmanycerticateswillmakittechnicallyimpossibletogenerateaccuratecapitalgainsreportforhim,withoutwhichtheremaybe potentialtaxevasion.Thisisfurthercomplicatedby thenormalyetfrequentbuying-and-sellingprocesses (e.g.,rstlybuying1000esharesatthepriceof$10,thenselling500esharesatthepriceof$20).Therefore,torealize 
scalable 
an
taxevasion-free 
anony- mousinvestingsystemistheopenproblemproposeinMS99].Additionally,thetradingmodelinMS99]isdisqualiedduetothe 
unfairness 
inthetransactions.Morespecically,afterBobbroadcastinganoerfor hiseshar
SI
IB
SI
C
Bo
))atpric
,Alice needstobroadcastherbiddingatpric
withrespecttoexactlyBob'soer,whatistheworstisthat whetherthistransactionwilltakeeectornotdepends 
onl
onBob'smind,andnothingelse(i.e.,eveAlice).Thisiscontrasttothefunctionofnancial marketstobringbuyersandsellerstogetherandtprovideapricediscoverymechanismfortheassetbeingtradedFSW99].
1.2OurResul
Weintroduceanewnotion,namely\anonymousaccount"(AA)withwhichamoneybalanceandasharbalanceareassociatedatthe(say,NewYork)stocexchange.Tosetupsuchanaccount,investorBob needsonlytoapplya\conditionallyanonymouscerticate"(CAC)fromthecerticateauthoritywho needsonlytotransparentlymaintainitsownproactivelysigninginfrastructurewiththetechniquesiHJJKY95,JY97]foracasestudy.OursolutionsucceedsinaddressingthetwoopenproblemsproposeinMS99]:
scalability,
onl
on
signatureisenoughtperformatrading/votingtransaction 
independent ofthenumberofshareinvolved,an
taxevasion- freeness 
.Whileourtradingmodelisalsofairtobotthesellerandthebuyer,thereofarealmarketinthe senseofFSW99],anewmechanismintroducedithispaperwillentitlethelawenforcerst
activel
detectabuses(e.g.,moneylaundering).Aswewilsee,oursolutioncanalsobeextendedtorealizevariouspreferredtrade-os.
Remarks 
:1.The\CertiedAnonymousPubliKey"(CAPK)usedinMS99],issimilartothe\con- ditionallyanonymouscerticate"(CAC)adoptedithecurrentpaper.However,theanonymityofCAPKinMS99]isindirectlyimplementedthrough someanonymouse-cashsystem,whereasitisdirectlrealizedbythecerticateauthorityinours.Moreover,itistechnicallypossibleinoursolutionforany participantotherthantheintendedcerticateau- thoritytorevoke 
illegall
theanonymityofanyin- vestor,thereforethebankinoursolutionwillnot bearthepotentiallegalrisk(refertoBa98]).2.Th
active 
detectionmechanismofthispapemaybeindependentlyinterestinginothercontext.Forexample,jewellersalwaysdarenottopublistheirrealnameandaddressforthepreventionofrob- bery,whereasthegovernmentmayhopetoknowthe advertisementsbywhomtheyareposed(say,toen- surethatthejewelsarenot\dirty").
1.3Outline
Innextsectionwewilldescribeourmodelofanonymousinvesting,whichissomewhatdierentfromthe oneinMS99].Wepresentthebasicschemeofour solutioninsection3,anditspropertiesinsection4.Extensiontothebasicscheme,andacomparisonbe- tweenitwiththeMS99]solutionisunfoldedinsection5.Weconcludewithopenprobleminsection 6.
2TheMode
Wemode
anonymousinvesting 
marketastockex- change
S
,asinFSW99]),whichdynamicall
Thevotingschememaybeindependentlyusefulianyotheranonymous,authentic,yetuniversallyveriablelections.
 
maintainsanAnonymousBulletinBoard(ABB,wherethevalidatedbids/oersoftheinvestorsarposted) 
.Thatis,weassumetheexistenceofanony- mouscommunicationchannelbetweentheinvestorandthe 
S
,similartoMS99,S96].Everyinvestor 
setupsan 
anonymousaccount 
(AA,withwhichhimoneybalanceandsharebalanceareassociated)vihis\conditionallyanonymouscerticate"(CAC)issuedbythe 
C
usingsomeproactivecryptography (forthesakeofacasestudy,weadoptthemethodsiHJJKY97,JY97]whereasmanyothertechniquescan beusedinstead)ofquorum-revocationanonymity.Functionally,thestockexchangeconsistsoffour components:
SE
(StockExchangeCenter,thecoroneresponsibleforcompletingandcancellingtrad- ingrequestspostedontheABBaccordingtocertairules),
SE
(StockExchangeElection,theoneresponsibleforhandlingvotinganddividendingaccord- ingtotheregulations),
SE
(StockExchangeTaxation,theonekeepingallthetransactiontranscripts forthesakeoftaxationandabusedetection),and 
SE
(StockExchangeVerication,theonerespon- sibleforverifyingthevalidityofcertainbids/oers,andpostingthosevalidrequestsontheABB).Weassumethatallinvestorstrustthattherenevebeaquorumserversinthe 
C
infrastructureille- gallyconspiringtorevealtheiranonymity,and 
S
(thereof,allitscomponents)honestlydoeseverythinaccordingtocertainrules/regulationsindependentof thecurrentpaper.TechnicallyweassumethatneitherDLOG(i.e.,DSSNIST91]andSchnorrS91]norRSARSA78]signatureisexistentiallyforgeablunderadaptivechosenmessageattackGMR88].Weus
SI
)todenotethesigningfunction (possiblythresheldandproactivized)ofentit
whereas 
EN
)thesecureencryptionfunctionunderthepublickeyofparticipant 
.
2.1TheGoal
Weextendtheobjectivesofananonymousinvesting systemproposedinMS99]toinclude 
taxevasion- freeness 
,an
activedetection 
(i.e.,againstbrutforce,ination,insidertrading,andmoneylaundering).Therefore,werealize:
Unforgeabilit
:The\conditionallyanonymoucerticate"(CAC)isexistentiallyunforgeable.
RefertoMS99]forfurtherdescriptionoftheproperties ofanABB.Wealsodonotrelyonanystricttimingofpost(asinMS99,S96])toguaranteesecuritybecauseanadversarseeingauser'spostmayinsertanewpostbeforeanyoneelsseeingthatpost.
Over-tradingprevention 
:Anyover-sellingor over-buyingcanbeprevented.
Over-tradingframing-freenes
:Noparticipant(includingth
S
andthe 
C
)cansuccessful frameaninvestorforanyover-tradingtransaction.
Traceability 
:Th
anonymousinvesting 
schemsupportsthreekindsofpassivetraceabilities:(1) Froma
anonymousaccount 
(AA)tothecorrespondinginvestorID;(2)FrominvestorIDtthecorresponding 
anonymousaccount 
(AA);(3) Whethera
anonymousaccoun
(AA)iscorrespondingtocertaininvestorID.
Revocabilit
:Anytrace
anonymousaccount 
(AA)canbeblacklistedorfrozen.
Anonymit
:Theprobabilityforanycoalitionof participantsnotincludingaquorum 
C
servers todeterminetheidentityoftheownerofAA/CACisnegligible.
Anonymousvoting 
:Eachanonymousinvestoshouldbeabletovoteexactlyoncepershar(i.e.,authentic),andthevotesshouldbeuniversallyveriable.
Taxevasion-freenes
:Taxevasionisimpossiblforanyinvestor.
Activedetection 
:Thesystemitselfprovidesthe lawenforcersan 
active 
detectionmechanismagainstabusesincludingbruteforce,ination,insidertrading,andmoneylaundering.
3TheBasicSchem
3.1TheIde
Eachinvestor 
appliesa\conditionallyanonymous certicate"(CAC)fromthe 
C
,viawhichhesetups 
anonymousaccount 
(AA)atthestockexchang
S
.WithsuchaAA,theinvestorcandeposithimoneyviaeitherphysicalmoneyorunconditionallanonymouse-cash.Everytim
wantstotradesomsharesatcertainprice,hesignssucharequestveri- ableagainsthisCACandsendsitt
SE
whowilvalidateorinvalidatethi
request 
accordingtothe statusofhismoneyandsharebalance.Forexample,iftheinvestorisbiddingforsomeshareswithouenoughmoneybalanceoroeringsharesmorethan hissharebalanceaordto,itisinvalidated.
request 
isvalidatedifitisnotinvalidated,andavalidatedrequestwillbepostedontheABB.
SE
wil
Double-tradingisaspecialtypeofover-trading.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->