Anonymity Application Example: e-Cash 1 Conventional Everyday Cash - - PDF document

1

1

Anonymity Application Example: e-Cash

Conventional Everyday Cash

• Counterfeit-able
• Slow
• Costly
• Vulnerable
• Bad for Remote Transactions
• DIRTY!

2

3

Easy Fraud Little Privacy

Credit Cards, Bank Cards, Checks, other cards:

4

Off-line e-Cash is good for 2-party payment

Deposit to bank

Off-line payment

Withdrawal from bank

• Low Communication Requirements

3

5

In contrast, on-line payments:

“OK”

6

Overspending: a problem with off-line e-Cash

Step 1: Rogue user copies his money

4

7

Step 2: Pays same e-Cash to multiple people

8

Bank becomes aware of trouble only later

!!!

5

9

❖ Tamper-resistant hardware (as in smartcards)

to prevent over-spending

❖ Tracing over-spenders ❖ Blacklisting over-spenders ❖ Putting a bound on value of off-line transactions

How to contain Over-Spending

10

Minting e-Cash

Heart of each e-coin is a digital signature by the Mint

Secret Minting Key to Create Coins (Signatures)

Mint’s public key needed to verify coins

6

11

Minting a conventional coin

e-Cash withdrawer (Alice)

SN= 12345 SN = 12345 BankSig SN= 12345 SN = 12345 BankSig

The Mint

12

NOTE: need distinct signing key for each denomination, e.g., $5, $1, $10

Without anonymity, the Mint knows the serial number

One Dollar

SN 12345

the Mint e-Cash withdrawer $10 signing key

7

13

Minting an untraceable coin

e-Cash User (Alice) The Mint

SN= 12345 SN = 12345 BankSig BankSig BankSig

14

Blind signing: like signing through a veil

One Dollar

The Mint $10 signing key e-Cash Withdrawer

NOTE: need distinct signing key for each denomination, e.g., $5, $1, $10

8

Cryptographic Assumptions

• 1. Factoring:

Given composite N=pq, find primes p and q (of at least 1024 bits)

• 2. RSA assumption:

Given exponent e and me mod N, find m

• 3. Discrete log:

Given prime p (at least 1024 bits), a generator g, and gx mod p, find x

16

Example of Coin Minting

Public Information: N - large composite H() - cryptographic hash function Private Minting Information: Key = (p, q) - prime numbers: N=pq

A coin has the form: [x, H(x)d mod N], 1<x<N

e - small integer

9

17

Minting a conventional coin with RSA (traceable)

e-Cash User (Alice) The Mint

x,H(x)

x,H(x)d

x,H(x)

x,H(x)d

18

x H(x) H(x)d mod N

Anti-counterfeiting assumption:

Without knowing the key, infeasible to compute signatures

= p,q Where: d = 1/e mod phi(N) = e-1 mod phi(N) = N,e

10

Blind Digital Signatures à Payer Privacy

ECash User The Mint

chooses random: x, r x,H(x)

x,H(x)d

reH(x) [reH(x)]d

rH(x)d rH(x)d

20

Tracing double-spenders

• p1, p2: two large prime numbers such that p2 | p1-1
• G: subgroup of Zp1 such that |G| = p2
• g: generator of G
• I: the user’s identity (set up by bank),

expressed as a number

*

Coin = [ ga mod p1, gb mod p1, H(ga,gb)d mod N ] where I = ab mod p2

11

21

Tracing double-spenders

Buyer (Alice)

ga mod p1, gb mod p1, H(ga,gb)d

Seller (Bob) verifies Bank’s signature sends random challenge k verifies: gr=(ga)kgb

k

r = ak+b

r

22

Two payments with the same coin yield buyer’s identity

• 1. r = ak + b
• 2. r’ = ak’ + b

a,b

I

Tracing double-spenders

r = ak + b

a?,b?

?

But, one payment yields no information