E-cash. Cryptography. Professor: Marius Zimand.


Benefits of cash:
- anonymous
- difficult to copy
- divisible (you can get change)
- easily transferable

There are several protocols for e-cash. We will discuss a relatively simple one that provides anonymity.

Protocol 1.

1. Alice prepares an anonymous money order (MO) for $100 and puts it in an envelope with a piece of carbon paper.
2. The bank signs the envelope, and hence the MO, and deducts $100 from Alice's account.
3. Alice opens the envelope and gives the signed MO to Bob.
4. Bob checks the bank's signature and takes the money order to the bank.
5. The bank checks the signature and gives Bob $100.

Note: The bank, in step 5, cannot trace the MO back to Alice, because it never saw what it was signing.

Problem: How does the bank know that it is signing a MO for $100 and not $200?

Protocol 2 - many copies of the MO.

1. Alice prepares 100 anonymous MOs for $100 and puts them in envelopes, each with a piece of carbon paper.
2. The bank opens 99 envelopes and checks they are all for $100.
3. The bank signs the remaining envelope, and hence the MO, and deducts $100 from Alice's account.
4. Alice opens the envelope and gives the signed MO to Bob.
5. Bob checks the bank's signature and takes the money order to the bank.
6. The bank checks the signature and gives Bob $100.

The previous problem is solved, because if Alice writes a different amount on an MO, she will very likely be caught. But there is another problem.

Problem: Alice or Bob could create duplicate MOs by copying the MO produced above.

Protocol 3 - adding a serial number.

1. Alice prepares 100 anonymous MOs for $100, each with a separate serial number, and puts them in envelopes, each with a piece of carbon paper.
2. The bank opens 99 envelopes and checks they are all for $100.
3. The bank signs the remaining envelope, and hence the MO, and deducts $100 from Alice's account.
4. Alice opens the envelope and gives the signed MO to Bob.
5. Bob checks the bank's signature and takes the money order to the bank.
6. The bank checks the signature and gives Bob $100 after checking that the bank has not seen that serial number before.

In this way, the bank will never accept a check that has been used before.

Problem: If the bank has seen the serial number before, whom does the bank accuse: Alice or Bob?

Protocol 4 - adding identity strings, and splitting them.

1. Alice prepares 100 anonymous MOs for $100, each with a separate serial number, and puts them in envelopes, each with a piece of carbon paper. She also commits to splittings of her identity string (to be explained later).
2. The bank opens 99 envelopes and checks they are all for $100.
3. The bank signs the remaining envelope, and hence the MO, and deducts $100 from Alice's account.
4. Alice opens the envelope and gives the signed MO to Bob.
5. Bob asks Alice to open randomly chosen halves of the identity strings written on the MO (to be explained later).
6. Bob checks the bank's signature and takes the money order to the bank.
7. The bank checks the signature, and the disclosed identity strings, and gives Bob $100 after checking that the bank has not seen that serial number before.

Note: If the bank sees a duplicate serial number and the identity strings are the same, then Bob has cheated; if the identity strings are different, then Alice has cheated.

Problem: This assumes that Bob checks that he has not seen the identity string before; otherwise Alice could frame him. We need a method that determines Alice's identity if and only if she is cheating.

Identity Splitting

We need a method in which:
- Alice's identity is secret, if she is honest
- Alice's identity is revealed, if she cheats

This is done using a variant of a zero-knowledge protocol.

- Alice creates an identity string containing her details: name, address, etc.
- This is split into two pieces. This operation will be done in several ways.
- Each piece is committed on the MO before she sends it to the bank for signing.
- Alice cannot change her details later (commitment).
- The bank does not get any information from the committed info.

A commitment scheme

What follows is a raw commitment scheme based on hash functions. There are other, more rigorous, schemes of this kind.

Suppose we have a binary string b to which Alice wishes to commit.

- Alice generates a random string P.
- Alice computes h = H(P b), where H is a hash function.
- Alice publishes h. h represents her commitment to b.

Given h, it is not possible to find b; however, Alice cannot claim later (when she opens the commitment) that she committed to anything other than b. It is like putting b inside an envelope, so that b is hidden until the envelope is opened, but b cannot be changed to a different string.

Alice can later open the commitment (de-commit) as follows:
- Alice supplies P and b to Bob.
- Bob can check that h equals H(P b).

Identity encoding

We return to how Alice handles her ID info.

- Alice splits her identity, ID, n times by choosing random L_i, i = 1, ..., n, and ID = L_i R_i.
- Alice commits to L_i and R_i (without revealing them). The commitments are placed on the MOs inside the envelopes.
- When the bank opens the 99 envelopes, it asks Alice to reveal L_i and R_i to check that she did not cheat during her commitment.
- When Bob asks Alice to produce an identity string, he produces a random n-bit vector b_1 b_2 ... b_n. For each i:
  - if b_i = 1, Alice reveals L_i
  - if b_i = 0, Alice reveals R_i
- The identity string on the money order is the data revealed by Alice.

If Alice cheats, her identity is reconstructed

Suppose Alice spends the same MO twice. Then there is a high probability that for some i in {1, ..., n}, the bank obtains both L_i and R_i (it is unlikely that Bob will choose the same n-bit vector twice). For example:
- L_7 from the first utilization of the MO
- R_7 from the second utilization of the MO

In this case the bank recovers Alice's identity: ID = L_7 R_7.
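The commitment, identity-splitting and double-spend recovery steps above, as an added Python example that is not part of the lecture. It assumes SHA-256 for H, reads H(P b) as the hash of P followed by b, and combines the two halves of ID with XOR; every function name and the sample identity are constructed for the illustration.

```python
import hashlib
import secrets

# Assumptions (not from the slides): H is SHA-256, H(P b) hashes the 16-byte
# random P followed by b, and the two halves of ID are combined with XOR.

def commit(value):
    """Return (h, P) with h = H(P b) for a fresh random P."""
    p = secrets.token_bytes(16)
    return hashlib.sha256(p + value).digest(), p

def opens_to(h, p, value):
    """Check an opened commitment: does h equal H(P b)?"""
    return secrets.compare_digest(h, hashlib.sha256(p + value).digest())

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_money_order(identity, n):
    """Alice: split ID n times and commit to every L_i and R_i."""
    halves, commitments = [], []
    for _ in range(n):
        left = secrets.token_bytes(len(identity))
        right = xor(identity, left)
        (hl, pl), (hr, pr) = commit(left), commit(right)
        halves.append(((left, pl), (right, pr)))   # kept secret by Alice
        commitments.append((hl, hr))               # written on the MO
    return halves, commitments

def spend(halves, challenge):
    """Alice answers Bob's bit vector: b_i = 1 opens L_i, b_i = 0 opens R_i."""
    return [pair[0] if bit else pair[1] for pair, bit in zip(halves, challenge)]

def check_spend(commitments, challenge, revealed):
    """Bob or the bank: each opened half must match its commitment."""
    return all(opens_to(c[0] if bit else c[1], p, value)
               for c, bit, (value, p) in zip(commitments, challenge, revealed))

def recover_identity(ch1, rev1, ch2, rev2):
    """Bank, on a repeated serial number: find an i with both L_i and R_i."""
    for b1, (v1, _), b2, (v2, _) in zip(ch1, rev1, ch2, rev2):
        if b1 != b2:
            return xor(v1, v2)
    return None  # same challenge twice: the identity stays hidden

if __name__ == "__main__":
    halves, mo = make_money_order(b"Alice, 1 Constructed St", 16)
    c1 = [secrets.randbelow(2) for _ in range(16)]
    c2 = [secrets.randbelow(2) for _ in range(16)]
    print(recover_identity(c1, spend(halves, c1), c2, spend(halves, c2)))
```

With n challenge bits, two independent random challenges coincide with probability 2^(-n), which is the only case in which a double spender stays anonymous.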

Blind signatures

We still need to discuss how to implement the envelope with carbon paper digitally. This is accomplished using a blind signature scheme, which allows the bank to sign something without knowing what that something is.

RSA-based blind signature

1. The bank has the RSA private key d and the corresponding public key (n, e).
2. You want the bank to sign m (in other words, you need to have m^d mod n), but you don't want the bank to see m.
3. Choose a blinding factor B at random, a non-zero residue mod n.
4. Compute s = m · B^e (mod n).
5. Ask the bank to sign s.
6. The bank computes t = s^d (mod n) and sends t to you.
7. You then compute r = t · B^(-1) (mod n).
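The seven steps above, run end to end in an added Python example that is not part of the lecture. Since t = s^d = m^d · B^(ed) = m^d · B (mod n), the unblinded r equals m^d mod n; the key below is a constructed toy key, and the function names and the value of m are made up for the illustration.

```python
import math
import secrets

# Constructed toy key (two Mersenne primes); a real bank key is 2048+ bits.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # bank's private exponent d

def blind(m):
    """Alice: pick B invertible mod n, return (s, B) with s = m * B^e mod n."""
    while True:
        b = secrets.randbelow(N - 2) + 2
        if math.gcd(b, N) == 1:      # B must have an inverse for unblinding
            return (m * pow(b, E, N)) % N, b

def bank_sign(s):
    """Bank: t = s^d mod n, computed without ever seeing m."""
    return pow(s, D, N)

def unblind(t, b):
    """Alice: r = t * B^(-1) mod n, which equals m^d mod n."""
    return (t * pow(b, -1, N)) % N

def verify(m, r):
    """Bob or the bank: a valid signature satisfies r^e = m mod n."""
    return pow(r, E, N) == m % N

if __name__ == "__main__":
    m = 123456789   # stands in for a digest of the money order (assumption)
    s, b = blind(m)
    r = unblind(bank_sign(s), b)
    print(s != m, r == pow(m, D, N), verify(m, r))
```

This is textbook RSA on a raw integer; the gcd check makes explicit that B needs an inverse mod n for step 7 to work.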

What we have achieved:

- Alice remains anonymous to the bank in the sense that the bank cannot trace where she used her MO.
- If Alice cheats by using the MO twice, her identity is revealed.
- Bob cannot cheat, because if he copies the MO and presents it to the bank twice, the bank will catch that.