Introduction to Cryptography
Digital Cash
(With a Central Authority)
Jim Royer
Jim Royer ❖ Digital Cash 1
References
◮ Chapter 11 of Introduction to Cryptography with Coding Theory, 2/e, by W. Trappe and L. Washington, Pearson, 2005.
◮ “Universal Electronic Cash,” by T. Okamoto and K. Ohta, in Advances in Cryptology: CRYPTO ’91, Springer, 1991, pp. 324–337.
◮ “Untraceable Off-Line Cash in Wallets with Observers,” by S. Brands, in Advances in Cryptology: CRYPTO ’93, Springer, 1993, pp. 302–318.
◮ How to Make a Mint: The Cryptography of Anonymous Electronic Cash, by L. Law, S. Sabett, and J. Solinas, NSA Office of Information Security Research and Technology, Cryptology Division, 1996.
http://groups.csail.mit.edu/mac/classes/6.805/articles/money/nsamint/nsamint.htm
Digital cash systems can be divided into two sorts: those with a central authority and those without.
The central authority may be a government, a bank, or the like.
Bitcoin is an example of the second sort. Here we shall consider the first sort.
◮ Neither the merchant nor the bank can identify the spender.
◮ The bank does not have to be involved when the coin is spent.
Characters
◮ Bank
◮ Spender
◮ Merchant
◮ Central Authority
◮ Eve L. Dewar

Central Authority
◮ Chooses a prime $p$ such that $q = (p-1)/2$ is also prime.
◮ Chooses $\alpha$, a primitive element of $\mathbb{Z}_p^*$.
◮ Computes $g \equiv \alpha^2 \pmod p$. (So $g^{k_1} \equiv g^{k_2} \pmod p \iff k_1 \equiv k_2 \pmod q$.)
◮ Chooses secret exponents $e_1, e_2 \in \mathbb{Z}_{p-1}^*$.
◮ Computes $g_1 \equiv g^{e_1}$ and $g_2 \equiv g^{e_2} \pmod p$.
◮ Chooses hash functions $H\colon \mathbb{Z}^5 \to \mathbb{Z}_q$ and $H_0\colon \mathbb{Z}^4 \to \mathbb{Z}_q$.
Public: $p, q, g, g_1, g_2, H$, and $H_0$. Private: $e_1$ and $e_2$.
The Bank
◮ Chooses $x$ at random from $\mathbb{Z}_q$; $x$ = the bank’s private ID.
◮ Computes $h \equiv g^x$, $h_1 \equiv g_1^x$, $h_2 \equiv g_2^x \pmod p$; $(h, h_1, h_2)$ = the bank’s public ID.

The Merchant
◮ Chooses an ID number $M$. Sends the ID number $M$ to the bank.

The Spender
◮ Chooses $u$ at random from $\mathbb{Z}_q$; $u$ = the spender’s private ID.
◮ Computes $I \equiv g_1^u \pmod p$. Sends $I$ to the bank.

The Bank
◮ Saves $I$ together with information on the spender.
◮ Computes $z' \equiv (I g_2)^x \pmod p$. Sends $z'$ to the spender.
Coin $\equiv (A, B, z, a, b, r) \in \mathbb{Z}^6$

Spender: Asks the bank for a coin and sends ID $I$.
Bank: Chooses $w$ at random from $\mathbb{Z}_q$ and computes $g^w$ and $\beta \equiv (I g_2)^w \pmod p$. Sends $g^w$ and $\beta$ to the spender.
Spender: Chooses $(s, x_1, x_2, \alpha_1, \alpha_2)$ at random from $\mathbb{Z}_q^5$ and computes
$$A \equiv (I g_2)^s,\quad B \equiv g_1^{x_1} g_2^{x_2},\quad a \equiv (g^w)^{\alpha_1} g^{\alpha_2},\quad b \equiv \beta^{s\alpha_1} A^{\alpha_2},\quad z \equiv (z')^s \pmod p.$$
$A = 1$ is not allowed! $r$ is defined on the next page. More . . .
Spender: Computes $c \equiv \alpha_1^{-1} \cdot H(A, B, z, a, b) \pmod q$. Sends $c$ to the bank.
Bank: Computes $c_1 \equiv (c \cdot x + w) \pmod q$. Sends $c_1$ to the spender.
Spender: Computes $r \equiv (\alpha_1 c_1 + \alpha_2) \pmod q$. The coin $(A, B, z, a, b, r)$ is complete.
The amount of the coin is removed from the spender’s bank account.
Spender: Gives the coin $(A, B, z, a, b, r)$ to the merchant.
Merchant: Verifies
$$g^r \equiv a \cdot h^{H(A,B,z,a,b)} \quad\text{and}\quad A^r \equiv z^{H(A,B,z,a,b)} \cdot b \pmod p.$$
Computes $d = H_0(A, B, M, t)$, where $t$ = a time stamp. Sends $d$ to the spender.
Spender: Computes $r_1 \equiv d \cdot u \cdot s + x_1$ and $r_2 \equiv d \cdot s + x_2 \pmod q$. Sends $r_1$ and $r_2$ to the merchant.
Merchant: Checks $g_1^{r_1} \cdot g_2^{r_2} \equiv A^d \cdot B \pmod p$ (see below). Accepts the coin iff this holds.
$$g_1^{r_1} g_2^{r_2} \equiv g_1^{d u s + x_1} g_2^{d s + x_2} \equiv (g_1^{us})^d g_1^{x_1} (g_2^s)^d g_2^{x_2} \equiv (g_1^{us} \cdot g_2^s)^d g_1^{x_1} g_2^{x_2} \equiv (I^s \cdot g_2^s)^d \cdot B \equiv ((I g_2)^s)^d \cdot B \equiv A^d \cdot B \pmod p$$
Merchant: Sends $(A, B, z, a, b, r)$ and $(r_1, r_2, d)$ to the bank.
Bank: Checks that the coin has not yet been deposited. Fraud control: if it has, call the cops. Checks that
$$g^r \equiv a \cdot h^{H(A,B,z,a,b)},\quad A^r \equiv z^{H(A,B,z,a,b)} \cdot b,\quad g_1^{r_1} \cdot g_2^{r_2} \equiv A^d \cdot B \pmod p.$$
Accepts the coin iff these check out.
Check of the first congruence:
$$g^r \equiv g^{\alpha_1 c_1 + \alpha_2} \equiv g^{\alpha_1 (c \cdot x + w) + \alpha_2} \equiv g^{\alpha_1 (\alpha_1^{-1} \cdot H(-) \cdot x + w) + \alpha_2} \equiv g^{x \cdot H(-) + \alpha_1 w + \alpha_2} \equiv h^{H(-)} \cdot g^{w \alpha_1 + \alpha_2} \equiv a \cdot h^{H(-)} \pmod p$$
The spender tries to spend the same coin with the merchant and the vendor.
Spender: If the spender did not follow the protocol in choosing $r_1, r_2$ or $r_1', r_2'$, then, with high probability, the check $g_1^{r_1} \cdot g_2^{r_2} \equiv A^d \cdot B \pmod p$ fails. So we assume $r_1, r_2$ and $r_1', r_2'$ were determined by the protocol.
Merchant: Sends the coin and $(r_1, r_2, d)$ to the bank.
Vendor: Sends the coin and $(r_1', r_2', d')$ to the bank.
Bank: Since
$$r_1 - r_1' \equiv u s (d - d') \quad\text{and}\quad r_2 - r_2' \equiv s (d - d') \pmod q,$$
we have
$$u \equiv (r_1 - r_1')(r_2 - r_2')^{-1} \pmod q \quad\text{and}\quad I \equiv g_1^u \pmod p,$$
and $I$ is the ID of the spender.
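A toy end-to-end run of the protocol on these slides (withdrawal, spending, the merchant's and bank's checks, and the bank's recovery of $u$ after a double spend), added here as an illustration and not code from the slides or from Trappe and Washington. It assumes a tiny safe prime found by trial division, $g = 2^2$ (any square other than 1 has order $q$), SHA-256 reduced mod $q$ standing in for both $H$ and $H_0$, and constructed merchant IDs and time stamps.

```python
import hashlib, random

# Toy run of the coin protocol on these slides (added example, not the authors' code).
# Parameters are tiny for readability; a deployment needs ~2048-bit p and a real H, H0.
def is_prime(n):
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))

def safe_prime(q):                      # smallest q >= start with q and p = 2q+1 both prime
    while not (is_prime(q) and is_prime(2 * q + 1)): q += 1
    return 2 * q + 1, q

p, q = safe_prime(1 << 20)
g = pow(2, 2, p)                        # 4 is a square mod p, so it has order q (the slides' alpha^2)
rng = random.Random(7)                  # fixed seed: the run is reproducible
H = lambda *v: int(hashlib.sha256(repr(v).encode()).hexdigest(), 16) % q  # stands in for H and H0
e1, e2 = rng.randrange(1, q), rng.randrange(1, q)      # authority's secret exponents
g1, g2 = pow(g, e1, p), pow(g, e2, p)
x = rng.randrange(1, q); h = pow(g, x, p)              # bank's private / public ID
u = rng.randrange(1, q); I = pow(g1, u, p)             # spender's private / public ID
zp = pow(I * g2, x, p)                                 # z' sent by the bank at sign-up

def withdraw():                         # returns coin (A,B,z,a,b,r) and spender secrets
    w = rng.randrange(1, q)                                   # bank
    gw, beta = pow(g, w, p), pow(I * g2, w, p)
    s, x1, x2, a1, a2 = (rng.randrange(1, q) for _ in range(5))   # spender
    A, B = pow(I * g2, s, p), pow(g1, x1, p) * pow(g2, x2, p) % p
    a = pow(gw, a1, p) * pow(g, a2, p) % p
    b = pow(beta, s * a1, p) * pow(A, a2, p) % p
    z = pow(zp, s, p)
    c = pow(a1, -1, q) * H(A, B, z, a, b) % q                  # blinded challenge
    c1 = (c * x + w) % q                                       # bank signs without seeing the coin
    r = (a1 * c1 + a2) % q
    return (A, B, z, a, b, r), (s, x1, x2)

def verify_coin(coin):                  # merchant's (and bank's) two signature checks
    A, B, z, a, b, r = coin; e = H(A, B, z, a, b)
    return pow(g, r, p) == a * pow(h, e, p) % p and pow(A, r, p) == pow(z, e, p) * b % p

def spend(coin, secrets, M, t):         # challenge d = H0(A,B,M,t), response (r1, r2)
    (A, B), (s, x1, x2) = coin[:2], secrets
    d = H(A, B, M, t)
    return d, (d * u * s + x1) % q, (d * s + x2) % q

def verify_spend(coin, d, r1, r2):      # g1^r1 g2^r2 == A^d B (mod p)
    return pow(g1, r1, p) * pow(g2, r2, p) % p == pow(coin[0], d, p) * coin[1] % p

def identify_double_spender(r1, r2, r1p, r2p):   # bank: two responses leak u, hence I
    return pow(g1, (r1 - r1p) * pow(r2 - r2p, -1, q) % q, p)
```

Running `withdraw()`, then `spend()` twice with different merchant IDs and time stamps, gives the bank two $(r_1, r_2)$ pairs for one coin, and `identify_double_spender` returns the spender's public ID $I$.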
The merchant tries to deposit the same coin twice
◮ Once with $(r_1, r_2, d)$ ← legit
◮ Once with $(r_1', r_2', d')$ ← forged
◮ This is hard to do.
◮ I.e., the merchant has to produce $r_1', r_2'$, and $d'$ such that $g_1^{r_1'} \cdot g_2^{r_2'} \equiv A^{d'} \cdot B \pmod p$.
Someone tries to make an unauthorized coin
This requires finding numbers such that $g^r \equiv a \cdot h^{H(A,B,z,a,b)}$ and $A^r \equiv z^{H(A,B,z,a,b)} \cdot b \pmod p$, and worse!
Eve L. Dewar dot com receives a coin from the spender and tries to spend the coin with the merchant
Merchant: Computes $d'$ for Eve, which is unlikely to equal $d$.
The Spender never needs to show the merchant an ID.
The Bank never sees the values of $A, B, z, a, b, r$ until the coin is deposited.
The Bank and the Merchant cannot figure out the spender’s ID unless there is double spending.
See Trappe and Washington for fuller details.
◮ The Octopus card: Hong Kong public transit
◮ The Oyster card: London public transit
These might make good final paper topics.