
CS 134 Winter 2016 Anonymity Application Example: Electronic Cash (E-Cash) and Bitcoin



  1. CS 134 Winter 2016 Anonymity Application Example: Electronic Cash (E-Cash) and Bitcoin

  2. Motivation For E-Cash. Conventional Cash is:
     • Counterfeitable
     • Slow
     • Costly
     • Vulnerable
     • Bad for Remote Transactions

  3. Credit Cards, Bank Cards, Checks, and Phone/Subway cards: Easy Fraud, Little Privacy

  4. Off-line Electronic Cash is for 2-Party (Payer → Payee) Payment. [Diagram: Withdrawal, Payment, Deposit]
     • Low Communication Requirements

  5. In Contrast, On-line Payments: “OK”

  6. E-Cash in 1970s
     • Stephen Wiesner's (graduate student at Columbia) paper “Conjugate Coding and Quantum Money” sent in 1970 to IEEE Transactions on Information Theory
     • Paper immediately rejected
     • Published in 1983 as is in ACM SIGACT
     • Proposed design of unforgeable bank notes based on quantum properties
     • Influenced Quantum (Cryptographic) Key Distribution (QKD)

  7. E-Cash in 1980s and 1990s
     • Chaum's “Blind Signatures for Untraceable Payments” paper is the first to propose (realizable) E-Cash using blind digital signatures
     • Based on RSA (Rivest, Shamir and Adleman) signatures
     • RSA breaks if one can factor large composite numbers (100s of decimal digits, 1000s of bits)
     • DigiCash (anonymous ecash) launched by Chaum in 1990.
     • DigiCash declared bankruptcy in 1998.

  8. Requirements for Anonymous Payments (afterwards known as E-Cash). From Chaum's “Blind Signatures for Untraceable Payments” paper:
     • Unlinkability: third parties cannot determine payee (amount and time of payment)
     • Provability: individuals can provide (unforgeable) proof of payment, or determine identity of payee under exceptional circumstance (e.g., by courts)
     • Revocation: revoke stolen coins or payment media

  9. Anonymous Payments user 1 user 2

  10. Anonymous Payments user 1 user 2

  11. Anonymous Payments withdraw coins user 1 withdraw coins user 2

  12. Anonymous Payments user 1 user 2

  13. Anonymous Payments transfer coins user 2

  14. Anonymous Payments Was it user 1 or user 2? user 2

  15. Overspending: Problem with Off-line E-Cash. Step 1: The bad user copies his money

  16. Step 2: The bad user gives copied cash to multiple people

  17. !!! The Bank is aware of trouble only later

  18. Techniques to Contain Over-Spending
      1. Use tamper-resistant hardware to prevent over-spending (e.g., MONDEX in Europe)
      2. Trace over-spenders
      3. Blacklist over-spenders
      4. Put a bound on dollar-value for off-line transactions

  19. Tracing can be used to fight big-time international crime. But, tracing could be abused on many levels

  20. Minting the Money/Coins
      • Secret Minting Key to Create Coins (Signatures)
      • Heart of Each Coin is a Digital Signature
      • Public Verification Key to Recognize Coins

  21. Minting a Conventional Coin. [Diagram: E-Cash Withdrawer and The Mint; coin with SN = 12345 and BankSig]

  22. Without Anonymity, Mint Knows Serial Number. [Diagram: E-Cash Withdrawer and The Mint with $1 signing key; One Dollar coin, SN 12345]

  23. Minting an Untraceable Coin. [Diagram: E-Cash User and The Mint; coin with SN = 12345 and BankSig]

  24. Blind Signing is (Like) Signing Through a Veil. [Diagram: E-Cash Withdrawer and The Mint with $1 signing key; One Dollar coin]

  25. Minting a Trustee-Traceable Coin. [Diagram: E-Cash User and The Mint; coin with SN = 12345 and BankSig]

  26. Escrowing Trustee-Traceable Coins. [Diagram: E-Cash User with coin SN = 12345; Trustee 1 with escrow key1; Trustee 2 with escrow key2]

  27. Recall: Cryptographic Assumptions. Infeasible Tasks:
      1. Factoring. Given a number $N = pq$, find $p$ and $q$ primes of at least 2048 bits
      1a. RSA assumption. Given exponent $e$ and $m^e \pmod{N}$, find $m$

  28. Recall: Cryptographic Assumptions. Infeasible Tasks (continued):
      2. Discrete log. Given a prime $p$ (of at least 2048 bits), a generator $g$, and $g^x \pmod{p}$, find $x$

  29. Example of Coin Minting
      • Public Information: $N$: Large Composite Number; $H()$: Cryptographic hash function
      • Private Minting Information: Key = $p, q$ prime numbers such that $N = pq$
      • A coin has the form: $(x, H(x)^d \bmod N)$, $1 < x < N$

  30. Minting a Conventional Coin with RSA (Traceable). [Diagram: E-Cash User and The Mint exchange $x, H(x)$ and $x, H(x)^d$]

  31. Anti-counterfeiting Assumption: Without knowing the key, it is difficult to find pre-images that map to the same point $H(x)$. [Diagram: key $= p, q$; $x \mapsto H(x)^d \bmod N$] Where: $d = e^{-1} \bmod \phi(N)$

  32. Blind (Digital) Signatures
      • Message is blinded (disguised or randomized) before it is signed
      • Signature can be publicly verified against the original message (unblinded one) similar to a standard digital signature
      • Typically employed in privacy-preserving protocols where signer and author of message are different entities
      • Main goal is to provide unlinkability: prevent signer from linking the blinded message it signs to a later un-blinded version that it may be called upon to verify

  33. Anonymous Payments via Blind Signatures (to withdraw coins: obtain Bank's signature on a coin (m))
      (1) send blinded coin/message (m')
      (2) sign coin: sig(m')
      (3) unblind the coin to obtain sig(m)
      (4) transfer coins: sig(m)
      (5) receive goods or services
      (6) “I got this coin: sig(m) for coin m. Was it M?” “Not sure!? I saw a random value: m'”

  34. Blind Digital Signatures → Payer's Privacy [Chaum]. [Diagram: E-Cash User chooses random $x, r$ and sends $r^e H(x)$ to The Mint; The Mint returns $r H(x)^d$; the user ends with the coin $x, H(x)^d$]

  35. RSA-based Blind Signatures
      • Public key $(e, N)$ and corresponding private key $(d, p, q)$, such that $N = p \cdot q$ and $e \cdot d = 1 \bmod \Phi(N)$
      • Choose a random $r$ coprime to $N$, i.e., $\mathrm{GCD}(r, N) = 1$. $r^e \bmod N$ is then used as a blinding factor. (GCD = greatest common divisor)
      • $m' = m \cdot r^e \bmod N$ ($m'$ is random, does not leak any info about $m$)
      • $m'$ is sent to the signing authority who signs it as $s' = (m')^d \bmod N = m^d \cdot r^{ed} \bmod N = m^d \cdot r \bmod N$
      • $s'$ is sent back to the message owner who unblinds it by multiplying by $r^{-1}$ to obtain the signature $s = m^d \bmod N$

  36. Anonymous Payments via RSA-based Blind Signatures (to withdraw coins: obtain Bank's signature on a coin (m))
      (1) $m' = m \cdot r^e \bmod N$
      (2) $s' = m^d \cdot r \bmod N$
      (3) $s = s' \cdot r^{-1} \bmod N = m^d \bmod N$
      (4) transfer coins: send coin $s$
      (5) receive goods or services
      (6) “I got this coin: $s = m^d \bmod N$. Was it M?” “Not sure!? I saw a random value: $s' = m^d \cdot r \bmod N$”
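
The withdrawal in slides 35 and 36, carried through in code. This is an added example, not part of the original slides; the toy primes, the use of SHA-256 reduced mod N as H, and all function names are assumptions made for illustration.

```python
import hashlib, math, secrets

# Constructed toy key: two Mersenne primes. Far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # bank's secret minting exponent

def H(x: int) -> int:
    """Hash the serial number x into Z_N (assumed: SHA-256 reduced mod N)."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big") % N

def blind(x: int):
    """User: pick r coprime to N, return (m' = H(x) * r^e mod N, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (H(x) * pow(r, E, N)) % N, r

def bank_sign(m_blind: int) -> int:
    """Bank: s' = (m')^d mod N. It only ever sees m'."""
    return pow(m_blind, D, N)

def unblind(s_blind: int, r: int) -> int:
    """User: s = s' * r^-1 mod N = H(x)^d mod N."""
    return (s_blind * pow(r, -1, N)) % N

def verify(x: int, s: int) -> bool:
    """Anyone: a coin (x, s) is valid iff s^e = H(x) mod N."""
    return pow(s, E, N) == H(x)

def withdraw(x: int):
    """Run steps (1)-(3); return the coin and what the bank saw (m', s')."""
    m_blind, r = blind(x)
    s_blind = bank_sign(m_blind)
    return (x, unblind(s_blind, r)), (m_blind, s_blind)

def blinding_factor_for(coin, transcript) -> int:
    """The r that would link `coin` to `transcript`: r = s' / s mod N."""
    return (transcript[1] * pow(coin[1], -1, N)) % N

if __name__ == "__main__":
    coin_a, view_a = withdraw(secrets.randbelow(N))
    coin_b, view_b = withdraw(secrets.randbelow(N))
    print("coin A valid:", verify(*coin_a))
    # Every (coin, transcript) pairing is explained by some valid r, so the
    # bank's records cannot tell which withdrawal produced coin A (step 6).
    for view in (view_a, view_b):
        r = blinding_factor_for(coin_a, view)
        print(H(coin_a[0]) * pow(r, E, N) % N == view[0])
```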

  37. Tracing Double-Spenders
      • $p_1, p_2$: two large prime numbers such that $p_2 \mid p_1 - 1$
      • $G$: subgroup of $Z^*_{p_1}$ such that $|G| = p_2$
      • $g$: generator of $G$
      • $I$: the user's identity (set up by bank), expressed as a number
      • Coin $= (g^a \bmod p_1,\ g^b \bmod p_1,\ H(g^a, g^b)^d \bmod N)$ where $I = ab \bmod p_2$

  38. Tracing Double-Spenders (Buyer and Seller)
      • Buyer → Seller: $g^a \bmod p_1$, $g^b \bmod p_1$, $H(g^a, g^b)^{1/3}$
      • Seller: verify Bank's signature
      • Seller → Buyer: send random challenge $k$
      • Buyer → Seller: $r = ak + b$
      • Seller: verify $g^r = (g^a)^k g^b$

  39. Tracing Double-Spenders: Two Payments with the same coin yield Buyer's Identity $I$. [Diagram: from $r = ak + b$ and $r' = ak' + b$: $a, b$; from $r = ak + b$ alone: $a?, b?$]
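
The challenge-response payment and the bank's tracing step from slides 37 to 39, as an added example that is not part of the original slides. The tiny group parameters are constructed, the function and ledger names are hypothetical, and the bank's RSA signature on the coin is left out so the block shows only the tracing algebra.

```python
import secrets

# Constructed toy group: p2 | p1 - 1, g generates the subgroup G of order p2.
P1, P2, G = 2039, 1019, 4

def make_coin(identity: int):
    """Setup: split the identity as I = a*b mod p2 and commit to a and b."""
    a = secrets.randbelow(P2 - 1) + 1
    b = (identity * pow(a, -1, P2)) % P2
    secret = (a, b)
    public = (pow(G, a, P1), pow(G, b, P1))   # (g^a, g^b), signed by the bank
    return secret, public

def respond(secret, k: int) -> int:
    """Buyer: answer the seller's challenge k with r = a*k + b mod p2."""
    a, b = secret
    return (a * k + b) % P2

def seller_verify(public, k: int, r: int) -> bool:
    """Seller: accept iff g^r == (g^a)^k * g^b mod p1."""
    ga, gb = public
    return pow(G, r, P1) == (pow(ga, k, P1) * gb) % P1

def trace(dep1, dep2):
    """Bank: two deposits (k, r), (k', r') of one coin reveal I = a*b mod p2."""
    (k1, r1), (k2, r2) = dep1, dep2
    if (k1 - k2) % P2 == 0:
        return None                       # same challenge: one equation only
    a = ((r1 - r2) * pow((k1 - k2) % P2, -1, P2)) % P2
    b = (r1 - a * k1) % P2
    return (a * b) % P2

def deposit(ledger: dict, public, k: int, r: int):
    """Bank: record a deposit; a repeated coin returns the spender's identity."""
    if not seller_verify(public, k, r):
        raise ValueError("invalid payment transcript")
    if public in ledger:
        return trace(ledger[public], (k, r))
    ledger[public] = (k, r)
    return None

if __name__ == "__main__":
    secret, public = make_coin(777)       # 777: constructed identity value
    ledger = {}
    for k in (11, 500):                   # the same coin spent at two sellers
        print(deposit(ledger, public, k, respond(secret, k)))
```

A single deposit leaves one equation in two unknowns, which is why an honest buyer stays anonymous; the bank learns the identity only when the second deposit arrives.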

  40. A lot of E-Cash and anonymous payment schemes followed similar blueprints in the 1990s and early 2000s

  41. 2009-2016
      • 2009: Bitcoin paper by Satoshi Nakamoto (pseudonym for individual or a group)
      • 2009-2011: slow start …
      • 2011-2013: Silk Road and Dread Pirate Roberts
      • End 2013: Bitcoin price skyrockets; a lot of people notice
      • 2014-2015: Price drops by 75%
      • 2016: Price up again

  42. In 2016
      • Large Ecosystem
      • Market Capitalization over $4 Billion ($8.2 Billion a year ago)
      • Number of transactions growing steadily

  43. Bitcoin (BTC) Preliminaries
      • Cryptographic Hash Function: a hash function that is hard to invert, i.e., computationally infeasible to recreate data from hash value alone, e.g., the secure hash algorithm (SHA)
      • Required properties of a Cryptographic Hash Function:
        i. easy to compute hash value h() of any message m
        ii. given h(m) it is (computationally) infeasible to recover m
        iii. infeasible to modify m without h(m) being also modified
        iv. infeasible to find two different m with same hash (collision resistance)
      • Proof-of-Work Schemes/Protocols: originally invented as an economic measure to prevent denial-of-service and spam by requiring clients to solve computationally-demanding puzzles, e.g., find a number that has a certain preamble (say 3 zeros) in its hash

  44. Stepping Back: most physical and digital currencies today effectively exist in the form of a ledger. [Diagram: Electronic Accounts in Banks; Blockchain in Bitcoin (BTC)]

  45. Questions Answered by Bitcoin (BTC)
      • How to maintain integrity of a public ledger in a distributed manner (BTC answer: longest chain of verified transactions)
      • How to use such a ledger for transactions (BTC answer: transferring coins via signatures)
      • How to incentivize people to allocate CPU power to ensure integrity of the longest chain (BTC answer: reward with new minted coins when verifying transactions, also called mining)

  46. Bitcoin's Peer-to-Peer Network
      • A peer-to-peer network without any “central” authority for ensuring integrity of transactions and keeping track of ownership of (Bit)coins (and minting them)
      • Ledger and history of ALL transactions are public and available for anyone to inspect
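
The proof-of-work puzzle from slide 43 combined with the hash-linked public ledger from slides 44 to 46, as an added example that is not part of the original slides. The block layout, the JSON encoding and the function names are assumptions and do not reflect Bitcoin's actual block format; the transactions are constructed strings.

```python
import hashlib, json

ZEROS = 3   # required preamble: leading hex zeros, as in the slide's example

def block_hash(block: dict) -> str:
    """SHA-256 over a canonical encoding of the block."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def mine(prev_hash: str, txs: list) -> dict:
    """Search nonces until the block hash starts with ZEROS zeros."""
    block = {"prev": prev_hash, "txs": txs, "nonce": 0}
    while not block_hash(block).startswith("0" * ZEROS):
        block["nonce"] += 1
    return block

def build(tx_batches: list) -> list:
    """Mine one block per batch, each committing to its predecessor's hash."""
    chain, prev = [], "0" * 64
    for txs in tx_batches:
        chain.append(mine(prev, txs))
        prev = block_hash(chain[-1])
    return chain

def valid_chain(chain: list) -> bool:
    """Anyone can re-check the ledger: every link and every puzzle solution."""
    prev = "0" * 64
    for block in chain:
        if block["prev"] != prev or not block_hash(block).startswith("0" * ZEROS):
            return False
        prev = block_hash(block)
    return True

def rewrite_first_block(chain: list, txs: list) -> list:
    """Re-mine block 0 with different transactions, keeping later blocks."""
    return [mine("0" * 64, txs)] + chain[1:]

if __name__ == "__main__":
    chain = build([["alice->bob:1"], ["bob->carol:1"]])   # constructed data
    print(valid_chain(chain))
    # Redoing the work for block 0 is not enough: block 1 still commits to
    # the old hash, so every later block would have to be re-mined as well.
    print(valid_chain(rewrite_first_block(chain, ["alice->mallory:1"])))
```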
