Making a Nymbler Nymble Using VERBS

  • Ryan Henry
  • Kevin Henry
  • Ian Goldberg
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6205)


We propose a new system modeled after Nymble. Like Nymble, our scheme provides a privacy-preserving analog of IP address blocking for anonymizing networks. However, unlike Nymble, the user in our scheme need not trust third parties to maintain their anonymity. We achieve this while avoiding the use of trusted hardware and without requiring an offline credential issuing authority to guarantee that users do not obtain multiple credentials.

We use zero-knowledge proofs to reduce the capabilities of colluding third parties, and introduce a new cryptographic technique that we call verifier-efficient restricted blind signatures, or VERBS, to maintain efficiency. Signature verification with our VERBS are 1–2 orders of magnitude faster than existing restricted blind signatures.


Privacy anonymity authentication anonymous blacklisting revocation anonymous credentials zero-knowledge proofs 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Algesheimer, J., Camenisch, J., Shoup, V.: Efficient computation modulo a shared secret with application to the generation of shared safe-prime products. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 417–432. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  2. 2.
    Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: P-signatures and noninteractive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  3. 3.
    Bichsel, P., Binding, C., Camenisch, J., Groß, T., Heydt-Benjamin, T., Sommer, D., Zaverucha, G.: Cryptographic protocols of the Identity Mixer Library, v. 1.0. Computer Science Research Report RZ3730, IBM Research GmbH, Zurich (2009)Google Scholar
  4. 4.
    Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. 5.
    Brands, S.A.: Untraceable off-line cash in wallets with observers. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 302–318. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  6. 6.
    Brent, R.P.: Parallel Algorithms for Integer Factorisation. Number Theory and Cryptography, 26–37 (1990)Google Scholar
  7. 7.
    Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  8. 8.
    Camenisch, J., Michels, M.: Proving in zero-knowledge that a number is the product of two safe primes (1998)Google Scholar
  9. 9.
    Chaum, D.: Blind signatures for untraceable payments. In: CRYPTO 1982, pp. 199–203 (1982)Google Scholar
  10. 10.
    Chaum, D.: Blind signature system. In: CRYPTO 1983, p. 153 (1983)Google Scholar
  11. 11.
    Dingledine, R.: Tor development roadmap, 2008–2011. Roadmap, The Tor Project (2008)Google Scholar
  12. 12.
    Dingledine, R., Mathewson, N., Syverson, P.: Deploying low-latency anonymity: Design challenges and social factors. IEEE Security and Privacy 5(5), 83–87 (2007)CrossRefGoogle Scholar
  13. 13.
    Dingledine, R., Mathewson, N., Syverson, P.F.: Tor: The second-generation onion router. In: USENIX Security Symposium, pp. 303–320. USENIX (2004)Google Scholar
  14. 14.
    Dingledine, R.: Re: Banned from Slashdot,, (Private e-mail message to Jamie McCarthy;June 1, 2005)
  15. 15.
    Feldman, P.: A practical scheme for non-interactive verifiable secret sharing. In: FOCS, pp. 427–437. IEEE, Los Alamitos (1987)Google Scholar
  16. 16.
    Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)CrossRefGoogle Scholar
  17. 17.
    Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. 18.
    Henry, R., Henry, K., Goldberg, I.: Making a Nymbler Nymble using VERBS. Tech. Rep. CACR 2010-05, Centre for Applied Cryptographic Research, Waterloo (2010),
  19. 19.
    Holt, J.E., Seamons, K.E.: Nym: Practical pseudonymity for anonymous networks. Internet Security Research Lab., Technical Report 2006-4, Brigham Young University, Provo, UT (2006)Google Scholar
  20. 20.
    Johnson, P.C., Kapadia, A., Tsang, P.P., Smith, S.W.: Nymble: Anonymous IP-address blocking. In: Borisov, N., Golle, P. (eds.) PET 2007. LNCS, vol. 4776, pp. 113–133. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  21. 21.
    Maurer, U.M., Yacobi, Y.: A non-interactive public-key distribution system. Designs, Codes and Cryptography 9(3), 305–316 (1996)MathSciNetzbMATHGoogle Scholar
  22. 22.
    Menezes, A., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)CrossRefzbMATHGoogle Scholar
  23. 23.
    van Oorschot, P.C., Wiener, M.J.: Parallel collision search with application to hash functions and discrete logarithms. In: ACM CCS, pp. 210–218 (1994)Google Scholar
  24. 24.
    Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)Google Scholar
  25. 25.
    Pollard, J.M.: Theorems on factorization and primality testing. Proceedings of the Cambridge Philosophical Society 76(03), 521 (1974)MathSciNetCrossRefzbMATHGoogle Scholar
  26. 26.
    RSA Laboratories: RSA Laboratories - the RSA factoring challenge FAQ, accessed 11-January-2010)
  27. 27.
    Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)Google Scholar
  28. 28.
    Syverson, P.F., Stubblebine, S.G., Goldschlag, D.M.: Unlinkable serial transactions. In: Hirschfeld, R. (ed.) FC 1997. LNCS, vol. 1318, pp. 39–56. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  29. 29.
    The Tor Project, Inc.: Tor: Overview (accessed October 21, 2009),
  30. 30.
    Tsang, P.P., Au, M.H., Kapadia, A., Smith, S.W.: Blacklistable Anonymous Credentials: Blocking misbehaving users without TTPs. In: Ning, P., di Vimercati, S.D.C., Syverson, P.F. (eds.) ACM CCS, pp. 72–81. ACM, New York (2007)Google Scholar
  31. 31.
    Tsang, P.P., Au, M.H., Kapadia, A., Smith, S.W.: PEREA: Towards practical TTP-free revocation in anonymous authentication. In: Ning, P., Syverson, P.F., Jha, S. (eds.) ACM CCS, pp. 333–344. ACM, New York (2008)Google Scholar
  32. 32.
    Tsang, P.P., Kapadia, A., Cornelius, C., Smith, S.W.: Nymble: Blocking misbehaving users in anonymizing networks. In: IEEE TDSC (2009) (to appear)Google Scholar
  33. 33.
    Wikipedia: Wikipedia talk:blocking policy/tor nodes — Wikipedia, the free encyclopedia, (accessed October 18, 2009)

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Ryan Henry
    • 1
  • Kevin Henry
    • 1
  • Ian Goldberg
    • 1
  1. 1.Cheriton School of Computer ScienceUniversity of WaterlooWaterlooCanada

Personalised recommendations