
Digital Cash (With a Central Authority), by Jim Royer - PowerPoint PPT Presentation



  1. Introduction to Cryptography: Digital Cash (With a Central Authority). Jim Royer

  2. References
     ◮ Chapter 11 of Introduction to Cryptography with Coding Theory, 2/e, by W. Trappe and L. Washington, Pearson, 2005. (Available from the course’s Blackboard page.)
     ◮ “Universal Electronic Cash,” by T. Okamoto and K. Ohta, in Advances in Cryptology: CRYPTO ’91, Springer, 1991, pp. 324–337.
     ◮ “Untraceable Off-Line Cash in Wallets with Observers,” by S. Brands, in Advances in Cryptology: CRYPTO ’93, Springer, 1993, pp. 302–318.
     ◮ How to Make a Mint: The Cryptography of Anonymous Electronic Cash, by L. Law, S. Sabett, and J. Solinas, NSA Office of Information Security Research and Technology, Cryptology Division, 1996. http://groups.csail.mit.edu/mac/classes/6.805/articles/money/nsamint/nsamint.htm

  3. Digital Cash
     Digital cash systems can be divided into two sorts:
     1. Those that feature a central (trusted) authority. The central authority may be a government, a bank, or the like.
     2. Those that do not include a central authority. Bitcoin is an example of one of these.
     Here we shall consider the first sort.

  4. Okamoto and Ohta’s Criteria for Digital Cash
     1. Cash can be sent securely through computer networks.
     2. Cash cannot be copied or reused.
     3. The spender can remain anonymous: neither the merchant nor the bank can identify the spender.
     4. The transactions can be done off-line: the bank does not have to be involved.
     5. Cash can be transferred to others.
     6. Cash can be divided into smaller amounts.

  5. Brands’ Digital Cash Scheme: The Setup, I
     Characters: Bank, Spender, Merchant, Central Authority, Eve L. Dewar
     Central Authority:
     ◮ Chooses a prime $p$ such that $q = (p-1)/2$ is also prime.
     ◮ Chooses $\alpha$, a primitive element of $\mathbb{Z}_p^*$.
     ◮ Computes $g = \alpha^2 \pmod p$. (So: $g^{k_1} \equiv g^{k_2} \pmod p \iff k_1 \equiv k_2 \pmod q$.)
     ◮ Chooses $e_1, e_2 \in \mathbb{Z}_{p-1}^*$ (secret exponents).
     ◮ Computes $g_1 = g^{e_1}$ and $g_2 = g^{e_2}$.
     ◮ Chooses hash functions $H : \mathbb{Z}^5 \to \mathbb{Z}_q$ and $H_0 : \mathbb{Z}^4 \to \mathbb{Z}_q$.
     Public: $p$, $q$, $g$, $g_1$, $g_2$, $H$, and $H_0$
     Private: $e_1$ and $e_2$

  6. Brands’ Digital Cash Scheme: The Setup, II
     The Bank:
     ◮ Chooses a random $x \in \mathbb{Z}_q$. $x$ = bank’s private ID.
     ◮ Computes $h \equiv g^x$, $h_1 \equiv g_1^x$, $h_2 \equiv g_2^x \pmod p$. $(h, h_1, h_2)$ = the bank’s public ID.
     The Spender:
     ◮ Chooses a random $u \in \mathbb{Z}_q$. $u$ = spender’s private ID.
     ◮ Computes $I = g_1^u \pmod p$.
     ◮ Sends $I$ to the bank.
     The Bank:
     ◮ Saves $I$ + info. on the spender.
     ◮ Computes $z' = (I g_2)^x \pmod p$.
     ◮ Sends $z'$ to the spender.
     The Merchant:
     ◮ Chooses an ID number $M$.
     ◮ Sends the ID number $M$ to the bank.

  7. Creating a Coin
     Motto on the coin: IN NUMBER THEORY WE TRUST
     Coin $\equiv (A, B, z, a, b, r) \in \mathbb{Z}^6$
     Spender: Asks bank for a coin and sends ID $I$.
     Bank: Chooses a random $w \in \mathbb{Z}_q$ and computes
       $g_w \equiv g^w \pmod p$, $\beta \equiv (I g_2)^w \pmod p$ (⇐ Typo Correction).
       Sends $g_w$ and $\beta$ to the spender.
     Spender: Chooses a random $(s, x_1, x_2, \alpha_1, \alpha_2) \in \mathbb{Z}^5$ and computes
       $A \equiv (I g_2)^s$, $B \equiv g_1^{x_1} g_2^{x_2}$, $z \equiv (z')^s$,
       $a \equiv g_w^{\alpha_1} g^{\alpha_2}$, $b \equiv \beta^{s \alpha_1} A^{\alpha_2} \pmod p$.
       $A = 1$ is not allowed! $r$ is defined on the next page.
     More . . .

  8. Creating a Coin (cont.)
     Spender: Computes $c \equiv \alpha_1^{-1} \cdot H(A, B, z, a, b) \pmod q$. Sends $c$ to the bank.
     Bank: Computes $c_1 \equiv (c \cdot x + w) \pmod q$. Sends $c_1$ to the spender.
     Spender: Computes $r \equiv (\alpha_1 c_1 + \alpha_2) \pmod q$.
     The coin $(A, B, z, a, b, r)$ is complete.
     The amount of the coin is removed from the spender’s bank account.

  9. Spending the Coin
     Spender: Gives the coin $(A, B, z, a, b, r)$ to the merchant.
     Merchant: Verifies (Homework!)
       $g^r \equiv a \cdot h^{H(A, B, z, a, b)} \pmod p$
       $A^r \equiv z^{H(A, B, z, a, b)} \cdot b \pmod p$
       Computes $d = H_0(A, B, M, t)$, where $t$ = a time stamp. Sends $d$ to spender.
     Spender: Computes
       $r_1 \equiv d \cdot u \cdot s + x_1 \pmod q$
       $r_2 \equiv d \cdot s + x_2 \pmod q$
       Sends $r_1$ and $r_2$ to merchant.
     Merchant: Checks $g_1^{r_1} \cdot g_2^{r_2} \equiv A^d \cdot B \pmod p$ (see below). Accepts the coin iff this holds.
     Why the check holds:
       $g_1^{r_1} g_2^{r_2} \equiv g_1^{d \cdot u \cdot s + x_1} g_2^{d \cdot s + x_2} \equiv (g_1^{u \cdot s})^d g_1^{x_1} (g_2^s)^d g_2^{x_2} \equiv (g_1^{u \cdot s} \cdot g_2^s)^d g_1^{x_1} g_2^{x_2}$
       $\equiv (I^s \cdot g_2^s)^d \cdot B \equiv ((I g_2)^s)^d \cdot B \equiv A^d \cdot B \pmod p$

  10. Depositing the Coin in the Bank
     Merchant: Sends $(A, B, z, a, b, r)$ and $(r_1, r_2, d)$ to the bank.
     Bank: Checks that the coin has not yet been deposited. Fraud control: If it has, call the cops.
       Checks that
       $g^r \equiv a \cdot h^{H(A, B, z, a, b)} \pmod p$
       $A^r \equiv z^{H(A, B, z, a, b)} \cdot b \pmod p$
       $g_1^{r_1} \cdot g_2^{r_2} \equiv A^d \cdot B \pmod p$
       Accepts the coin iff these check out.
     Check of the first congruence:
       $g^r \equiv g^{\alpha_1 c_1 + \alpha_2} \equiv g^{\alpha_1 (c \cdot x + w) + \alpha_2} \equiv g^{\alpha_1 (\alpha_1^{-1} \cdot H(-) \cdot x + w) + \alpha_2} \equiv g^{x \cdot H(-) + \alpha_1 w + \alpha_2}$
       $\equiv h^{H(-)} \cdot g^{w \cdot \alpha_1 + \alpha_2} \equiv a \cdot h^{H(-)} \pmod p$

  11. Fraud Control: I
     The spender tries to spend the same coin with the merchant and the vendor.
     Spender: If the Spender did not follow the protocol in choosing $r_1, r_2$ or $r_1', r_2'$, then, with high probability, the check $g_1^{r_1} \cdot g_2^{r_2} \equiv A^d \cdot B \pmod p$ fails. So, we assume $r_1, r_2$ and $r_1', r_2'$ were determined by the protocol.
     Merchant: Sends the coin and $(r_1, r_2, d)$ to the bank.
     Vendor: Sends the coin and $(r_1', r_2', d')$ to the bank.
     Bank: Since
       $r_1 - r_1' \equiv u s (d - d') \pmod q$
       $r_2 - r_2' \equiv s (d - d') \pmod q$
       we have
       $u \equiv (r_1 - r_1')(r_2 - r_2')^{-1} \pmod q$
       $I \equiv g_1^u$
       $I$ = the ID of the spender

  12. Fraud Control: II
     The merchant tries to deposit the same coin twice
     ◮ Once with $(r_1, r_2, d)$ ← legit
     ◮ Once with $(r_1', r_2', d')$ ← forged
     ◮ This is hard to do
     ◮ I.e., the merchant has to produce $r_1'$, $r_2'$, and $d'$ such that $g_1^{r_1'} \cdot g_2^{r_2'} \equiv A^{d'} \cdot B \pmod p$

  13. Fraud Control: III
     Someone tries to make an unauthorized coin
     This requires finding numbers such that:
       $g^r \equiv a \cdot h^{H(A, B, z, a, b)} \pmod p$
       $A^r \equiv z^{H(A, B, z, a, b)} \cdot b \pmod p$
       (Discrete logs and worse!)
     Eve L. Dewer dot com receives a coin from the spender and tries to spend the coin with the merchant
     Merchant: Computes $d'$ for Eve, which is unlikely to equal $d$.
     Etc. see text

  14. Anonymity
     The Spender never needs to show the merchant an ID.
     The Bank never sees the values of $A$, $B$, $z$, $a$, $b$, $r$ until the coin is deposited.
     The Bank and the Merchant cannot figure out the spender’s ID unless there is double spending.
     See Trappe and Washington for fuller details.

  15. Well-Established E-Cash Systems
     The Octopus card: Hong Kong public transit
     The Oyster card: London public transit
     Etc. See: http://en.wikipedia.org/wiki/List_of_smart_cards
     These might make good final paper topics.
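
The protocol on slides 5 through 11 (setup, coin creation, spending, deposit checks, and tracing a double spender), carried through in code as an added example that is not part of the original slides. The toy parameters $p = 2039$, $q = 1019$, $g = 4$, $e_1 = 3$, $e_2 = 5$, $x = 123$, the use of SHA-256 reduced mod $q$ for both $H$ and $H_0$, and all function names are assumptions made for illustration.

```python
import hashlib, secrets

# Toy parameters, constructed for illustration (far too small for real use).
q, p = 1019, 2039                  # p = 2q + 1, both prime
g = 4                              # a square != 1, so g has order q mod p
e1, e2 = 3, 5                      # central authority's secret exponents
g1, g2 = pow(g, e1, p), pow(g, e2, p)
x = 123                            # bank's private ID
h = pow(g, x, p)                   # bank's public h (h1, h2 are not needed here)

def H(*vals):                      # SHA-256 mod q stands in for H and H0
    return int.from_bytes(hashlib.sha256(repr(vals).encode()).digest(), "big") % q

def rnd():                         # random nonzero element of Z_q
    return 1 + secrets.randbelow(q - 1)

def withdraw(u):                   # returns (coin, spender's secrets)
    I = pow(g1, u, p)                              # spender's public ID
    zp = pow(I * g2, x, p)                         # bank: z' = (I g2)^x
    w = rnd()                                      # bank's per-coin nonce
    gw, beta = pow(g, w, p), pow(I * g2, w, p)
    s, x1, x2, a1, a2 = (rnd() for _ in range(5))  # spender's random 5-tuple
    A, B, z = pow(I * g2, s, p), pow(g1, x1, p) * pow(g2, x2, p) % p, pow(zp, s, p)
    a = pow(gw, a1, p) * pow(g, a2, p) % p
    b = pow(beta, s * a1, p) * pow(A, a2, p) % p
    c = pow(a1, -1, q) * H(A, B, z, a, b) % q      # spender -> bank
    c1 = (c * x + w) % q                           # bank -> spender
    return (A, B, z, a, b, (a1 * c1 + a2) % q), (u, s, x1, x2)

def respond(secret, d):            # spender's (r1, r2) for merchant challenge d
    u, s, x1, x2 = secret
    return (d * u * s + x1) % q, (d * s + x2) % q

def verify(coin, d=None, r1=None, r2=None):  # merchant's and bank's checks
    A, B, z, a, b, r = coin
    e = H(A, B, z, a, b)
    ok = (A != 1 and pow(g, r, p) == a * pow(h, e, p) % p
          and pow(A, r, p) == pow(z, e, p) * b % p)
    if ok and d is not None:
        ok = pow(g1, r1, p) * pow(g2, r2, p) % p == pow(A, d, p) * B % p
    return ok

def trace(dep1, dep2):             # bank: spender's ID I from two deposits
    (_, r1, r2), (_, rr1, rr2) = dep1, dep2
    if (r2 - rr2) % q == 0:        # same challenge twice reveals nothing
        return None
    return pow(g1, (r1 - rr1) * pow((r2 - rr2) % q, -1, q) % q, p)
```

A single deposit `(d, r1, r2)` passes `verify` without exposing `u`; only when the same coin answers two different challenges does `trace` return $g_1^u$, the $I$ the bank stored at account setup.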
