Cryptography
E-cash
Professor: Marius Zimand

e-cash

Benefits of cash:
- anonymous
- difficult to copy
- divisible (you can get change)
- easily transferable

There are several protocols for e-cash. We will discuss a relatively simple one that provides anonymity.

Protocol 1.

1. Alice prepares an anonymous money order (MO) for $100 and puts it in an envelope with a piece of carbon paper.
2. The bank signs the envelope, and hence the MO, and deducts $100 from Alice's account.
3. Alice opens the envelope and gives the signed MO to Bob.
4. Bob checks the bank's signature and takes the money order to the bank.
5. The bank checks the signature and gives Bob $100.

Note: The bank, in step 5, cannot trace the MO back to Alice. This is so because it never saw what it was signing.

Problem: How does the bank know that it is signing a MO for $100 and not $200?

Protocol 2 - many copies of the MO.

1. Alice prepares 100 anonymous MOs for $100 and puts them in envelopes, each with a piece of carbon paper.
2. The bank opens 99 envelopes and checks they are all for $100.
3. The bank signs the remaining envelope, and hence the MO, and deducts $100 from Alice's account.
4. Alice opens the envelope and gives the signed MO to Bob.
5. Bob checks the bank's signature and takes the money order to the bank.
6. The bank checks the signature and gives Bob $100.

The previous problem is solved, because if Alice writes a different amount on a MO, she will very likely be caught. But there is another problem.

Problem: Alice or Bob could create duplicate MOs by copying the MO produced above.

Protocol 3 - adding a serial number.

1. Alice prepares 100 anonymous MOs for $100, each with a separate serial number, and puts them in envelopes, each with a piece of carbon paper.
2. The bank opens 99 envelopes and checks they are all for $100.
3. The bank signs the remaining envelope, and hence the MO, and deducts $100 from Alice's account.
4. Alice opens the envelope and gives the signed MO to Bob.
5. Bob checks the bank's signature and takes the money order to the bank.
6. The bank checks the signature and gives Bob $100 after checking that the bank has not seen that serial number before.

In this way, the bank will never accept a check that has been used before.

Problem: If the bank has seen the serial number before, whom does the bank accuse: Alice or Bob?

Protocol 4 - adding identity strings, and splitting them.

1. Alice prepares 100 anonymous MOs for $100, each with a separate serial number, and puts them in envelopes, each with a piece of carbon paper. She also commits to splittings of her identity string (to be explained later).
2. The bank opens 99 envelopes and checks they are all for $100.
3. The bank signs the remaining envelope, and hence the MO, and deducts $100 from Alice's account.
4. Alice opens the envelope and gives the signed MO to Bob.
5. Bob asks Alice to open randomly chosen halves of the identity strings written on the MO (to be explained later).
6. Bob checks the bank's signature and takes the money order to the bank.
7. The bank checks the signature, and the disclosed identity strings, and gives Bob $100 after checking that the bank has not seen that serial number before.

Note: If the bank sees a duplicate serial number and the identity strings are the same, then Bob has cheated; if the identity strings are different, then Alice has cheated.

Problem: This assumes that Bob checks that he has not seen the identity string before; otherwise Alice could frame him. We need a method that determines Alice's identity if and only if she is cheating.

Identity Splitting

We need a method in which:
- Alice's identity is secret, if she is honest
- Alice's identity is revealed, if she cheats

This is done using a variant of a zero-knowledge protocol.

Alice creates an identity string containing her details: name, address, etc. This is split into two pieces. This operation will be done in several ways. Each piece is committed on the MO before she sends it to the bank for signing.

- Alice cannot later change her details (commitment).
- The bank does not get any information from the committed info.

A commitment scheme

What follows is a raw commitment scheme based on hash functions. There are other, more rigorous such schemes.

Suppose we have a binary string b to which Alice wishes to commit.

- Alice generates a random string P.
- Alice computes \( h = H(P \,\|\, b) \), where H is a hash function.
- Alice publishes h. h represents her commitment to b.

Given h, it is not possible to find b; however, Alice cannot claim later (when she opens the commitment) that she committed to anything other than b. It is like putting b inside an envelope, so that b is hidden until the envelope is opened, but b cannot be changed to a different string.

Alice can later open the commitment (de-commit) as follows:

- Alice supplies P and b to Bob.
- Bob can check that h equals \( H(P \,\|\, b) \).

Identity encoding

We return to how Alice handles her ID info.

Alice splits her identity, ID, n times by choosing random \( L_i \), \( i = 1, \dots, n \), such that

\[ ID = L_i \oplus R_i \]

Alice commits to \( L_i \) and \( R_i \) (without revealing them). The commitments are placed on the MOs inside the envelopes. When the bank opens the 99 envelopes it asks Alice to reveal \( L_i \) and \( R_i \) to check that she did not cheat during her commitment.

When Bob asks Alice to produce an identity string he produces a random n-bit vector \( b_1 b_2 \dots b_n \). For each i:

- if \( b_i = 1 \), Alice reveals \( L_i \)
- if \( b_i = 0 \), Alice reveals \( R_i \)

The identity string on the money order is the data revealed by Alice.

If Alice cheats, her identity is reconstructed

Suppose Alice spends the same MO twice. Then there is a high probability that for some \( i \in \{1, \dots, n\} \), the bank obtains both \( L_i \) and \( R_i \) (it is unlikely that Bob will choose the same n-bit vector twice). For example:

- \( L_7 \) from the first use of the MO
- \( R_7 \) from the second use of the MO

In this case the bank recovers Alice's identity: \( ID = L_7 \oplus R_7 \).
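
The commitment scheme, the identity splitting and the double-spend recovery described above, put together as an added Python example (not part of the original slides). It assumes SHA-256 for H, a fixed 16-byte P, and a constructed identity string and challenge vectors.

```python
import hashlib
import secrets

def commit(value):
    """Return (h, P) with h = H(P || value); P is a fresh 16-byte random string."""
    P = secrets.token_bytes(16)
    return hashlib.sha256(P + value).digest(), P

def check_opening(h, P, value):
    return secrets.compare_digest(h, hashlib.sha256(P + value).digest())

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_money_order(identity, n):
    """Split ID n times as ID = L_i xor R_i and commit to every half.
    Returns (commitments written on the MO, Alice's secret openings)."""
    public, secret = [], []
    for _ in range(n):
        L = secrets.token_bytes(len(identity))
        R = xor(identity, L)
        (hL, pL), (hR, pR) = commit(L), commit(R)
        public.append((hL, hR))
        secret.append(((pL, L), (pR, R)))
    return public, secret

def spend(secret, challenge):
    """Alice opens L_i where b_i = 1 and R_i where b_i = 0."""
    return [pair[0] if bit else pair[1] for pair, bit in zip(secret, challenge)]

def verify_spend(public, challenge, revealed):
    """Bob checks each opened half against the matching commitment on the MO."""
    return all(check_opening(hs[0] if bit else hs[1], P, v)
               for hs, bit, (P, v) in zip(public, challenge, revealed))

def recover_identity(ch1, rev1, ch2, rev2):
    """Bank: a position where the two challenges differ yields both L_i and R_i."""
    for b1, (_, v1), b2, (_, v2) in zip(ch1, rev1, ch2, rev2):
        if b1 != b2:
            return xor(v1, v2)
    return None  # identical challenges reveal nothing beyond a single spend

if __name__ == "__main__":
    ID = b"Alice, 1 Example St"             # constructed identity string
    public, secret = make_money_order(ID, 8)
    c1, c2 = [1, 0, 1, 1, 0, 0, 1, 0], [1, 0, 0, 1, 0, 1, 1, 0]  # constructed
    r1, r2 = spend(secret, c1), spend(secret, c2)
    print(verify_spend(public, c1, r1), recover_identity(c1, r1, c2, r2))
```

With n positions, two independent random challenges coincide with probability 2^-n, which is the only case in which a double spend leaves Alice unidentified.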

Blind signatures

We still need to discuss how to implement digitally the envelope with carbon paper. This is accomplished using a blind signature scheme. This allows the bank to sign something without knowing that something.

RSA-based blind signature

1. the bank has the RSA private key d and the corresponding public key (n, e).
2. you want the bank to sign m (in other words, you need to have \( m^d \bmod n \)), but you don't want the bank to see m.
3. choose a blinding factor B at random, a non-zero residue mod n.
4. compute \( s = m \cdot B^e \pmod{n} \).
5. ask the bank to sign s.
6. the bank computes \( t = s^d \pmod{n} \) and sends t to you.
7. you then compute \( r = t \cdot B^{-1} \pmod{n} \).
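
The seven steps above carried through in Python, as an added example that is not part of the original slides. It uses textbook RSA without padding and a constructed toy key built from the Mersenne primes 2^31 - 1 and 2^61 - 1; the function names and the sample message are assumptions for illustration.

```python
import math
import secrets

# Step 1: constructed toy key for the bank (far too small for real use).
P_PRIME, Q_PRIME = 2**31 - 1, 2**61 - 1
N = P_PRIME * Q_PRIME
E = 65537
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))   # private exponent d

def blind(m, n, e):
    """Steps 3-4: pick a random B and return (s, B) with s = m * B^e mod n.
    B must be invertible mod n, otherwise step 7 has no B^-1."""
    while True:
        B = secrets.randbelow(n - 2) + 2
        if math.gcd(B, n) == 1:
            return (m * pow(B, e, n)) % n, B

def bank_sign(s, d, n):
    """Step 6: the bank signs what it is given; it only ever sees s."""
    return pow(s, d, n)

def unblind(t, B, n):
    """Step 7: r = t * B^-1 = m^d * B^(e*d) * B^-1 = m^d (mod n)."""
    return (t * pow(B, -1, n)) % n

def verify(m, r, n, e):
    """Anyone holding the public key checks r^e = m (mod n)."""
    return pow(r, e, n) == m % n

if __name__ == "__main__":
    m = int.from_bytes(b"MO:100:7", "big")      # constructed money order
    s, B = blind(m, N, E)
    r = unblind(bank_sign(s, D, N), B, N)
    print("bank saw m:", s == m, "| signature valid:", verify(m, r, N, E))
```

Blinding the same m twice gives two unrelated values of s, which is why the bank cannot link the MO it later receives from Bob to any signing request.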

What we have achieved:

- Alice remains anonymous to the bank in the sense that the bank cannot trace where she used her MO.
- If Alice cheats by using the MO twice, her identity is revealed.
- Bob cannot cheat because if he copies the MO and presents it to the bank twice, the bank will catch that.