Anonymity Application Example: e-Cash 1 Conventional Everyday Cash • Counterfeit-able • Slow • Costly • Vulnerable • Bad for Remote Transactions • DIRTY! 1
Credit Cards, Bank Cards, Checks, other cards: Easy Fraud Little Privacy 3 Off-line e-Cash is good for 2-party payment Withdrawal from bank Off-line payment Deposit to bank • Low Communication Requirements 4 2
In contrast, on-line payments: “ OK ” 5 Overspending: a problem with off-line e-Cash Step 1: Rogue user copies his money 6 3
Step 2: Pays same e-Cash to multiple people 7 Bank becomes aware of trouble only later !!! 8 4
How to contain Over-Spending ❖ Tamper-resistant hardware (as in smartcards) to prevent over-spending ❖ Tracing over-spenders ❖ Blacklisting over-spenders ❖ Putting a bound on value of off-line transactions 9 Minting e-Cash Secret Minting Key to Create Coins (Signatures) Heart of each e-coin is a digital signature by the Mint Mint’s public key needed to verify coins 10 5
Minting a conventional coin e-Cash withdrawer (Alice) The Mint SN= SN= 12345 12345 SN = SN = 12345 12345 BankSig BankSig 11 Without anonymity, the Mint knows the serial number e-Cash $10 signing key withdrawer the Mint One Dollar SN 12345 NOTE: need distinct signing key for each denomination, e.g., $5, $1, $10 12 6
Minting an untraceable coin e-Cash User (Alice) The Mint SN= 12345 SN = 12345 BankSig BankSig BankSig 13 Blind signing: like signing through a veil $10 signing key e-Cash Withdrawer The Mint One Dollar NOTE: need distinct signing key for each denomination, e.g., $5, $1, $10 14 7
Cryptographic Assumptions 1. Factoring: Given composite N=pq, find primes p and q (of at least 1024 bits) 2. RSA assumption: Given exponent e and m e mod N, find m 3. Discrete log: Given prime p (at least 1024 bits), a generator g, and g x mod p, find x Example of Coin Minting Public Information: N - large composite e - small integer H() - cryptographic hash function Private Minting Information: Key = (p, q) - prime numbers: N=pq A coin has the form: [x, H(x) d mod N], 1<x<N 16 8
Minting a conventional coin with RSA (traceable) e-Cash User (Alice) The Mint x,H(x) x,H(x) x,H(x) d x,H(x) d 17 Anti-counterfeiting assumption : Without knowing the key, infeasible to compute signatures H(x) = p,q = N,e x H(x) d mod N Where: d = 1/e mod phi(N) = e -1 mod phi(N) 18 9
Blind Digital Signatures à Payer Privacy The Mint ECash User chooses random: x, r r e H(x) [r e H(x)] d x,H(x) x,H(x) d rH(x) d rH(x) d Tracing double-spenders • p 1 , p 2 : two large prime numbers such that p 2 | p 1 -1 • G: subgroup of Z p 1 such that |G| = p 2 * • g: generator of G • I: the user ’ s identity (set up by bank), expressed as a number Coin = [ g a mod p 1 , g b mod p 1 , H(g a ,g b ) d mod N ] where I = ab mod p 2 20 10
Tracing double-spenders Buyer (Alice) Seller (Bob) g a mod p 1 , g b mod p 1 , verifies Bank ’ s signature H(g a ,g b ) d k sends random challenge k r r = ak+b verifies: g r =(g a ) k g b 21 Tracing double-spenders Two payments with the same coin yield buyer ’ s identity I 1. r = ak + b a,b 2. r’ = ak’ + b But, one payment yields no information ? r = ak + b a?,b? 22 11
Recommend
More recommend
