Digital Cash Systems

Transcription

1 Digital Cash Systems Xiang Yin Department of Computer Science McMaster University December 1, 2010

2 Outline 1 Digital Cash

3 Digital Cash Overview Properties Digital Cash Systems Digital Cash Digital cash offers a solution to the problems of paper cash and today s credit cards; it is secure and protects people s privacy. The customer can use digital cash to pay over the Internet without the involvement of a bank during their payments. It is tightly relative to a system that allows a person to pay for goods or services by transmitting a number from one computer to another. Like the serial numbers on real dollar bills, the digital cash numbers are unique. Each one is issued by a bank and represents a specified sum of real money.

4 Properties - Security Overview Properties Digital Cash Systems With security we mean that digital cash cannot be copied and reused. The most obvious risk with any payment system is forgery. There are two kinds of forgery in a digital cash system. Forgery Multiple spending: using the same token over again. Token forgery: to create a valid-looking coin without making a corresponding bank withdrawal.

5 Properties - Security Overview Properties Digital Cash Systems To protect against multiple spending, the bank maintains a database of spent electronic coins. Coins already in the database are to be rejected for deposit. To protect against token forgery, one relies on the usual authenticity functions of user identification and message integrity.

6 Properties - Privacy Overview Properties Digital Cash Systems Here the privacy means anonymity for the payer during payment and untraceability of the payment such that the bank cannot tell whose money was used in a particular payment. Privacy Just as cash is anonymous, digital cash is anonymous in that it cannot be traced back to a particular individual, it is considered to be unconditionally untraceable. Also, we know in the credit card system, the service provider is assured of its authenticity, all that is missing is the ability to link the transaction with a particular person. Since a user s coin is linkable, we can identify the user by finding a single payment in which the user has identified himself. Then a digital cash system will protect user s privacy if it is both unlinkable and untraceable.

7 Properties - Portablility Overview Properties Digital Cash Systems Portablility Convenience and with lower transaction fees, which increases the efficiency of transactions. The security and use of digital cash is not dependent on any physical location. The cash can be transferred through computer networks into storage devices and vice versa.

8 Overview Properties Digital Cash Systems Properties - Online & Off-line Payment Online Payment On-line payment means that Bob calls the bank and verifies the validity of Alice s token by a simple question like have you already seen this coin before accepting her payment and delivering his merchandise. (This resembles many of today s credit card transactions.) On-line payment remains necessary for transactions that need a high value of security. With an on-line system, the payment and deposit are not separate steps. On-line systems require communication with the bank during each payment, which costs more money and time (communication costs, database-maintenance costs and turn-around time), however the protocols are just simplification of off-line protocols.

9 Overview Properties Digital Cash Systems Properties - Online & Off-line Payment Off-line Payment Off-line payment means that Bob submits Alice s electronic coin for verification and deposit sometime after the payment transaction is completed. It means that with an offline system Alice can freely pass value to Bob at any time of the day without involving any third party like a bank. Although off-line systems are preferable from a practical viewpoint, they are however susceptible to the multi-spending problem and therefore suitable for low value transactions.

10 Properties Overview Properties Digital Cash Systems Defects of Digital Cash 1 Anonymity increases the danger with money laundering, illegal purchasing, blackmailing and counterfeiting that are far more serious than with paper cash. Anonymity would increase the danger of these problems. More anonymity means less security and vice versa. 2 Another issue is related to computer crime, in which computer criminals may actually alter computer databases to steal electronic money or by reducing an account s amount of electronic money.

11 Properties Overview Properties Digital Cash Systems Defects of Digital Cash 1 Anonymity increases the danger with money laundering, illegal purchasing, blackmailing and counterfeiting that are far more serious than with paper cash. Anonymity would increase the danger of these problems. More anonymity means less security and vice versa. 2 Another issue is related to computer crime, in which computer criminals may actually alter computer databases to steal electronic money or by reducing an account s amount of electronic money.

12 Digital Cash Systems Overview Properties Digital Cash Systems Digital Cash Systems 1 Most digital cash systems start with a participating bank that issues cash numbers or other unique identifiers that carry a given value, such as five dollars. 2 To obtain such a certificate, you must have an account at the bank; when you purchase digital cash certificates, the money is withdrawn from your account. You transfer the certificate to the vendor to pay for a product or service, and the vendor deposits the cash number in any participating bank or retransmits it to another vendor. For large purchases, the vendor can check the validity of a cash number by contacting the issuing bank.

13 Overview Properties Digital Cash Systems General Structure of Digital Cash Transactions There are three different types of transactions during a digital cash procedure: 1 Withdrawal, in which Alice transfers some of her money from her bank account to her wallet (it could be a smart card or a personal computer). 2 Payment, in which Alice transfers money from her wallet to Bob s. 3 Deposit, in which Bob transfers the money he has received to his bank account.

14 Overview Properties Digital Cash Systems General Structure of Digital Cash Transactions In a digital cash system we have three kind of actors: 1 A financial network (The bank) 2 A payer or consumer (Alice) 3 A payee or a shop (Bob) Figure: Life-cycle of Electronic Coins

15 Blind Signatures Blind Signatures Cut-and-Choose Method Discrete Logarithm Problem Schnorr Signature Scheme A digital signature is the electronic equivalent of a hand-written signature which guarantees that anyone reading a digitally signed message can be certain of who sent it. A blind digital signature is a special kind of digital signature. The difference does not lie in the signature itself, but in the document to which it is attached. Blind signatures provide the same authentication as digital signatures but do so in a non-identifiable manner. The recipient will be assured of the fact that the transmission is authentic and reliable, but will not know who sent it.

16 Blind Signatures Blind Signatures Cut-and-Choose Method Discrete Logarithm Problem Schnorr Signature Scheme How Does Blind Signatures Work? General Case: A user brings a document to a notary. The user does not want anyone(including the notary), to know the contents of the document. He seals the document in an envelope. A portion of the document is visible through the envelope. The notary places a wax seal on the portion, which is proof of the document s authenticity. Blind Digital Signature: Cryptography techniques replace the envelope and wax seal. The user enciphers the digital document, which is comparable to putting the document in an envelope. The notary places a digital signature on the document in the envelope. When the document is checked for authenticity, the signature is validated.

17 Blind RSA Signatures I Blind Signatures Cut-and-Choose Method Discrete Logarithm Problem Schnorr Signature Scheme 1 Alice chooses a blinding factor r such that gcd(r, n) = 1, where (n, e) is the bank s public key and (n, d) is the private key and she presents her bank with: m = mr e (mod n) where m is her original message. 2 Alice s bank signs it with private key d and send the result to Alice: s = (m ) d mod n = (mr e ) d mod n 3 Alice divides out the blinding factor: s = s /r mod n

18 Blind RSA Signatures II Blind Signatures Cut-and-Choose Method Discrete Logarithm Problem Schnorr Signature Scheme 4 Since r ed r mod n, then s s /r (m ) d /r m d r ed /r m d r/r m d mod n so Alice can use s = m d for paying her bills. Remarks: Since r is random, Alice s bank cannot determine m. Therefore, it cannot connect the signing with Alice s payment. This signature scheme is secure provided that the factoring and root extractions remain difficult.

19 Cut-and-Choose Method Blind Signatures Cut-and-Choose Method Discrete Logarithm Problem Schnorr Signature Scheme In problems of fair division, cut-and-choose is a two-party proportional envy-free allocation protocol, which is similar as the classic protocol for dividing anything fairly: 1 Alice cuts the thing in half. 2 Bob chooses one of the halves for himself. 3 Alice takes the remaining half. Remarks: Alice has to divide fairly in step (1), because she doesn t know which half will Bob choose in step (2).

20 Discrete Logarithm Problem Blind Signatures Cut-and-Choose Method Discrete Logarithm Problem Schnorr Signature Scheme This problem is used as the basis for digital cash system. Let p and q be the primes and q (p 1). Let g be a generator. Then given p, q, g and y, find the unique integer a, 0 a q 1, such that g a y mod p The discrete logarithm assumption states that there is no polynomial-time algorithm which solves the Discrete Logarithm Problem with overwhelming probability of success.

21 Blind Signatures Cut-and-Choose Method Discrete Logarithm Problem Schnorr Signature Scheme Discrete Logarithms Signature Scheme Discrete Logarithms Signature Scheme The idea for this signature is that if someone receives g a mod p where p is a large prime number, g is a generator, and a is an integer, then determining a is very hard. In this scheme, the private key is a and public key is y = g a mod p.

22 Blind Signatures Cut-and-Choose Method Discrete Logarithm Problem Schnorr Signature Scheme Discrete Logarithms Signature Scheme - Details I 1 Alice wants to sign a document m, she just computes m a mod p. Her signature is a list of g, p, m a mod p and g a mod p. 2 If Bob wants to verify Alice s signature. Alice has to create a random number w and compute m w mod p and g w mod p, and sends them to Bob. 3 Bob generates a random number c, as a challenge and sends it to Alice. 4 Alice sends back the response: r = ca + w. (a new c and w for each time verification)

23 Blind Signatures Cut-and-Choose Method Discrete Logarithm Problem Schnorr Signature Scheme Discrete Logarithms Signature Scheme - Details II 5 Finally, Bob computes g r mod p and compares it with (g a ) c (g w ) mod p. (They should be the same.) Also, m r mod p should be the same as (m a ) c (m w ) mod p. Proof that signature verification works. If the signature is correct and no one has been cheating then: 1 Since r = ca + w, then we have g r = g ca+w = (g a ) c (g w ) (mod p). 2 Since r = ca + w, then we have (m a ) c (m w ) = m ca+w = m r (mod p).

24 Schnorr Signature Scheme I Blind Signatures Cut-and-Choose Method Discrete Logarithm Problem Schnorr Signature Scheme Schnorr signature scheme is based on the difficulty of calculating discrete logarithms. All users of the signature scheme agree on a group G with generator g of prime order q in which the discrete logarithm problem is hard. All users agree on a cryptographic hash function H. The private key is a, 0 a q 1. If p and q are prime numbers such that q (p 1) (q is a prime factor of (p 1)). And an element g is chosen, 1 g p 1. The public key is y = g a mod p.

25 Schnorr Signature Scheme II Blind Signatures Cut-and-Choose Method Discrete Logarithm Problem Schnorr Signature Scheme Assume that Alice wants to sign message M. The signature protocol is: 1 Alice chooses a random number k, 1 k p 1, and computes r = g k mod p. Then Alice sends r to Bob. 2 Alice concatenates the message M and r, and hashes the result to get e = H(M, r) or e = H(M r). Here, H() is a one-way hash function. 3 Then Alice computes v = (k ae) mod p. Then Alice sends the signature (e, v) to Bob. 4 Now, Bob computes r = g v y e mod p.

26 Schnorr Signature Scheme III Blind Signatures Cut-and-Choose Method Discrete Logarithm Problem Schnorr Signature Scheme 5 Finally, Bob controls that the concatenation of M and r hashes to e. (e = H(M r )) If e = e, then the signature is valid. In the whole process, we have used: Public Elements: G, g, q, y, v, e, r; Private Elements: k, a. Proof that signature verification works To prove e = e, we need to prove r = r. Since r = g v y e, v = (k ae) and y = g a, then we have: r = g v y e = g k ae (g a ) e = g k ae+ae = g k = r

27 Building Blocks (Protocol P) I Building Blocks Blind Schnorr Signature Protocol Building blocks based on the computational difficulty of the discrete logarithm problem. 1 According to Schnorr Signature Scheme: Let G be a finite group of order q and let g G be a generator of G, such that computing discrete logarithms to the base g is infeasible. Let H l : {0, 1} {0, 1} l (l 128) denote a cryptographically strong hash function. Then, a public key is constructed by computing y = g x for a private key x chosen at random from Z q. 2 Since a Schnorr signature for a message m is a pair (c, s) with c {0, 1} l and s Z q, which is satisfying the verification equation: c = H l (m g s y c ).

28 Building Blocks (Protocol P) II Building Blocks Blind Schnorr Signature Protocol 3 Such a signature can be generated only if one knows the secret key x, by choosing r at random from Z q and computing c and s according to: c = H l (m g r ) and s r cx (mod q). 4 A proof of knowledge of the discrete logarithm of a group element h to the base g, denoted PKLOG(g, h) consists of a Schnorr signature with respect to a public-key (g, h) for the message g h, i.e., PKLOG(g, h) = (c, s) with c = H l (g h g s h c ).

29 Blind Schnorr Signature Protocol Building Blocks Blind Schnorr Signature Protocol Figure: Blind Schnorr Signature Protocol

30 Blind Schnorr Signature Protocol I Building Blocks Blind Schnorr Signature Protocol This protocol is called blind Schnorr signature protocol. When a message m is signed by this protocol, the signer B learns neither m nor the resulting signature (c, s). If both C and B follow the protocol, C obtains a valid Schnorr signature (c, s) of the message m (that is the signature: c = H l (m g s y c )). Such signature is valid if we can prove g s y c = t.

31 Blind Schnorr Signature Protocol II Building Blocks Blind Schnorr Signature Protocol The following is the whole prove process: 1 Since s = s + γ and c = c + δ, then we have g s y c = g s +γ y c +δ. 2 Since y = g x and s = r c x, then we have g s +γ y c +δ = g r c x+γ g c x y γ = g r c x+γ+c x y δ = g r +γ y δ. 3 Since t = g r, then we have g r +γ y δ = g r g γ y δ = t g γ y δ = t.

32 Building Blocks Blind Schnorr Signature Protocol Blind Schnorr Signature Protocol III Remarks: B s output of the protocol is the entire view consisting of r, t, c, and s. Note that the pair (c, s) is statistically independent of the pair (c, s ) because γ and δ are randomly and uniformly chosen from Z q, and that therefore the message-signature pair and B s view are unlinkable.

33 Anonymity Revocation Anonymity Revocation by A Trustee Why does Anonymity Revocation is important? I Since in digital cash system, the customer s privacy cannot be compromised by the bank nor by the payee. However, while protecting the honest customers privacy, the anonymity also opens the door for misuse by criminals, for instance for perfect blackmailing or for money laundering. In order to make anonymous payment systems acceptable to governments and banks, they must provide mechanisms for revoking a participant s anonymity under certain well-defined conditions.

34 Anonymity Revocation Anonymity Revocation by A Trustee Why does Anonymity Revocation is important? II Such anonymity revocation must be possible only for an authorised trusted third party or a set of such parties. In a concrete scenario a trustee could be a judge or a law enforcement agency. Therefore, the trustee or a specified set of trustees can (in cooperation with the bank) revoke a customer s anonymity. It is understood that the trustee(s) answer a request only if there exists sufficient evidence that a transaction is not lawful.

35 Anonymity Revocation Anonymity Revocation by A Trustee Anonymity Revocation by A Trustee I Anonymity revocation by a trustee means that, when the need arises, the trustee can link a withdrawal transaction with the corresponding deposit transaction. There are two types of anonymity revocation, depending on which kind of information is available to the trustee: 1 Withdrawal-Based Anonymity Revocation: Based on the bank s view of a withdrawal transaction, the trustee can compute a piece of information that can be used (by the bank or a payee) to recognize the money when it is spent later.

36 Anonymity Revocation Anonymity Revocation by A Trustee Anonymity Revocation by A Trustee II This type of anonymity revocation can for instance be used in case of blackmailing. When the owner of an account is forced to withdraw money and to transfer it to an anonymous criminal, the account owner could secretly inform the bank and the trustee could be asked to compute a value that can be put on a black list and linked with the money when it is deposited. 2 Payment-Based Anonymity Revocation: Based on the bank s view of a deposit transaction, the trustee determines the identity of the person who had withdrawn the money. This may for instance be needed when the suspicion of money laundering arises.

37 Anonymity Revocation Anonymity Revocation by A Trustee Anonymity Revocation by A Trustee III It it possible to distinguish three different approaches to achieving the above goals according to the type of the trustee s involvement. 1 The trustee is involved in every withdrawal. 2 The trustee is involved in the opening of accounts, but not in transactions. 3 The trustee is not involved in any protocols of the payment system but is needed only for anonymity-revocation.

38 CyberCash I CyberCash First Virtual Presently many companies are in the process of implementing and developing digital cash systems, such as DigiCash, Open Market, Cybercash, PayPal, First Virtual, NetBill, Mondex and so on. The CyberCash company is located in U.S.A and was founded in It offers a product called Wallet to its customers. The users who have a Wallet have access to credit card and Cyber coin payment. Cyber coin act like cash and are used on the Internet for small transactions, less than $10.

39 CyberCash II CyberCash First Virtual The customers open an Wallet by down loading the software from CyberCash and filling a form. The customers include their credit card number on the form, since CyberCash is not a bank then they take the withdrawal money from user s credit card. Then each user will receive a 768-bit RSA key and she locks her RSA key by using a password.

40 Protocol of CyberCash I CyberCash First Virtual How does the payment protocol work? 1 Alice lets Bob know she wants to buy something from Bob. 2 Bob s Wallet sends an invoice to Alice. 3 Alice s Wallet hashes Alice s credit card number, her identification data (like her name) and the price and asks Alice to sign. The Wallet then encrypts the signed message with a public key of CyberCash server and sends it (m) to Bob.

41 Protocol of CyberCash II CyberCash First Virtual 4 Bob adds his identification data and the price to the m and signs the result, then sending it to CyberCash server. 5 CyberCash unblinds this message and checks if Bob and Alice wrote same price. It then sends this information to the bank and the bank reveals Alice s credit card number to Bob. Bob gets paid and sends the item to Alice. Remarks: CyberCash system offers a higher security than credit cards. Both Alice and Bob s privacy are protected in the above system. This system is Online and Bob can not send the item to Alice before he gets the bank s response.

42 First Virtual I CyberCash First Virtual The First Virtual company is one of the first companies to offer a digital money transfer system created for the Internet. How does the payment protocol work? 1 The customer (Alice) opens an account. This can be done if the customer has an address and is reading to provide a credit card number because all bills will be sent to the buyer as a charge against this card. 2 When Alice wants to buy something, she and the seller (Bob) negotiates the price and then she gives a copy of her account id to Bob.

43 First Virtual II CyberCash First Virtual 3 Bob sends a transfer request including his and Alice s account id and a description of the transaction to First Virtual through an message. 4 First Virtual sends a request for a conformation to the Alice s account. 5 Alice can answer it with three different responses: 1 YES: All is well. Alice authorizes First Virtual to bill the credit card on file for the amount.

44 First Virtual III CyberCash First Virtual 2 NO: Alice is refusing to pay. This is a significant event and First Virtual keeps records of this. If Alice does this too often, the First Virtual may terminate her account. First Virtual will make this determination because it doesn t want people to take advantage of sellers by refusing payment. 3 FRAUD: Alice declare that she never authorized the transaction and First Virtual should investigate. 6 When Alice responses Yes and pay the credit card company, First Virtual deposits the correct amount in the checking account of Bob. Then Bob can send the item to Alice.

45 First Virtual IV CyberCash First Virtual Remarks: First Virtual uses no encryption. They replace the security of using encryption with a centralized transaction machine that confirms all transactions. Their argument is that if a buyer s electronic mail is secure then anyone committing fraud will be stopped when the customer refuses to confirm the transaction. Sensitive information like credit card number never has to travel over the Internet. Transactions are all handled with the customer s unique First Virtual account identity.

46 Summary CyberCash First Virtual 1 Digital Cash: 2 Techniques: Blind Signatures Discrete Logarithm Problem Schnorr Signature Schemes 3 Digital Cash Systems 4 Anonymity-Revoking Trustees 5 CyberCash First Virtual

47 Appendix References I Hans Delfs, Helmut Knebl. Introduction to Cryptography Printed in Germany. Jan Camenisch, Ueli Maurer, Markus Stadler. Digital Payment Systems with Passive Anonymity-Revoking Trustees. Computer Security (ESORICS 96), volume 1146 of Lecture Notes in Computer Science, Markus Stadler, Jean-Marc Piveteau, Jan Camenisch. Fair Blind Signatures. Advances in Cryptology (Eurocrypt 95), volume 921 of Lecture Notes in Computer Science, 1995.

48 Appendix References II Mandana Jahanian Farsi Digital Cash. Wikipedia. Electronic money. Available:http: //en.wikipedia.org/wiki/digital_cash Wikipedia. Blind Signature. Available:http: //en.wikipedia.org/wiki/blind_signature

49 Appendix Thank You! Question?