Digital%20Cash - PowerPoint PPT Presentation

About This Presentation
Title:

Digital%20Cash

Description:

Auditable, Anonymous Electronic Cash. Retrieved: November. ... Electronic Cash. 25 April. 2004. http://www.win.tue.nl/~henkvt/GBl.ElectronicCash.pdf ... – PowerPoint PPT presentation

Number of Views:125
Avg rating:3.0/5.0
Slides: 39
Provided by: earthun
Learn more at: http://www.cs.sjsu.edu
Category:

less

Transcript and Presenter's Notes

Title: Digital%20Cash


1
Digital Cash
  • Mehdi Bazargan
  • Fall 2004

2
Introduction
  • Definition
  • Motivations
  • Overview
  • Properties
  • Blind Signatures
  • Brands Scheme
  • Analysis

3
Definition
  • Since hard currency or paper cash carries total
    anonymity in transactions, the term digital
    cash is coined to refer to anonymous electronic
    token based payment systems.
  • Digital Cash is meant to work as paper cash.
  • There are different implementation of Digital
    Cash.
  • Digital Cash is a technical product of
    anonymous digital commerce in strategic level.
  • It is a highly political subject.

4
Well
  • Anonymous? How can I prove I made my payments?
  • Private? What keeps the bank from stealing from
    me?
  • If a government doesn't know who pays whom, how
    can it collect an income tax?
  • If the ownership of financial assets is
    indeterminate, what happens to taxes on financial
    assets?

5
Motivations
  • Comparing to paper cash, paper cash is slow,
    vulnerable, costly, and difficult to transfer.
  • Compared to credit cards, digital cash provides
    more anonymity and security.

6
Overview
1. Alice deposits cash into the bank 2. Alice
receives some coins 3. Alice sends over the coins
to Bob 4. Bob receives the coins 5. Bob cashes
the coins and send Alice the product
7
Overview
  • There are several approaches in implementing
    digital cash Simple Anonymous Cash by
    Fiat-Caum-Naor, Traceable Anonymous Cash by
    Ferguson, the Brands scheme, and Auditable,
    Anonymous Electronic Cash by Sander-Ta-Shama.
  • The introduced methods have advantages and
    disadvantages. The Brands scheme provides
    reasonable security and anonymity however, it is
    more complicated.

8
Overview
  • In Brands Scheme, we will mostly get benefit
    from a set of algorithms and mathematical
    toolkits
  • Prime Factorization
  • In short, it is hard to calculate prime factors
    of Np.q
  • where p and q are large primes.
  • Discrete Log Problem
  • In short, if you have x ga mod p, it is hard
    to find a
  • where x and g are known.

9
Overview
  • Representation Issue in Groups with Prime Order
  • Given a prime group G and a generator tuple of
    G (g1,
  • g2,..gn), and constant h, it is hard to find a
  • representation of h as ?ki1 (giai) where ai
    belongs to Z.
  • However, it would be easy if you know the
    generator
  • tuple and integers ai.
  • Schnorrs Digital Signature
  • A method of signing messages and verifying
    validity of
  • signatures.

10
Properties
  • Some important features of the system include
    these
  • The on-line system is a self-contained subset
    of the off-line system, and if the off-line
    features are not used, the remaining
    software-only system still could be efficiently
    implemented.
  • Payments are private-- i.e. untraceable and
    unlinkable.
  • The customer is protected from fraudulent bank
    claims that the customer is double-spending (i.e.
    protected from framing attempts by the bank),
  • There is non-repudiation-- customers cannot
    deny having made a valid payment.

11
Restrictive Blind Signature
  • Let M denote a message. This message may be
    anything, including a piece of digital cash to be
    signed. To sign this message, the bank will raise
    it to the power x mod p, yielding
  • 1 z signed(M) Mx.
  • If we raise the message M to a random power w,
    we will call the result b a pseudo- signature.
    That is,
  • 2 b pseudo-signed(M) Mw.

12
Restrictive Blind Signature
  • The public key of the signer is a generator g
    raised to the power x. So let's call the
    generator g raised to a random power w a
    pseudo-public key. Label this a. Thus we have
  • 3 public key h gx,
  • 4 pseudo-public
  • key a gw.

13
Restrictive Blind Signature
  • The steps in the restrictive blind signature
    protocol are as follows (all calculations in this
    protocol are done mod p, unless otherwise
    stated)
  • Step 1 The customer, Alice, sends a message M to
    the bank. It is intended that the bank sign M
    with its secret key x z Mx
  • The proof is to guarantee to the customer that
    the bank has signed M with a valid signature
    namely with its secret key x.

14
Restrictive Blind Signature
  • Step 2 The bank, generates a random number w
    and sends to the receiver, Alice, the following
    elements
  • the signed message z Mxthe pseudo-public key
    a gwthe pseudo-signed message b Mw
  • We shall see that b a will be used in part to
    provide zero-knowledge proof for Alice that the
    banks signature is valid.

15
Restrictive Blind Signature
  • Step 3 The receiver generates a challenge c. To
    do this, the customer first generates four random
    numbers s, t and u, v. Using s and t, the
    customer computes modifications of M and z,
    namely the blinded message M' and the signed
    blinded message z'
  • 5 M' Ms gt (blinded message)
  • 6 z' zsht
  • (Mx)s(gx)t
    Msgtx M'x (signed blinded
    message)

16
Restrictive Blind Signature
  • Using u and v, the receiver (customer) computes
    modifications of a, and b, namely, a', and b'
  • 7 a' augv (gw)ugv gw',
  • 8 b' a(ut)b(us)M'v
  • (gw)(ut)(Mw)(us)M'v
    (gt)(uw)(Ms)(uw)M'v
    M'(uw)M'v M'w'.
  • where
  • 9 w' uw v mod q.

17
Restrictive Blind Signature
  • The customer then computes the hash value
  • 10 c' H(M', z', a', b'),
  • and sends to the bank the challenge c
  • 11 c c'/u mod q .
  • Step 4 The signer (bank) responds with
  • 12 r w cx mod q.
  • Notice this is a point on a line with slope x
    (the secret key) and intercept w.

18
Restrictive Blind Signature
  • Step 5 The receiver, Alice, uses the challenge
    c and the response r to check that
  • 13 ahc gr
  • and
  • 14 bzc Mr .
  • If so, the receiver accepts the signature.

19
Brands Scheme
  • Uses the concepts in signature blinding as
    discussed. Brands implementation of Digital
    Cash considers
  • Opening an Account
  • Withdrawal
  • Deposit
  • Payment

20
Opening an Account
  • The user has public/private key pairs. These
    are not used in the protocols that follow so will
    not be denoted by individual symbols. But we
    require that the user be able to send digitally
    signed messages to the bank.
  • To open an account, the user U generates a
    random number u1 from Z(q), and computes an
    identifier or public key
  • 15 hu g1u1 mod p .

21
Opening an Account
  • The user checks that hug2 is not equal to 1 mod
    p, and if so sends hu to the bank, keeping u1
    secret. The bank stores hu along with any other
    information it requires on U. The bank computes
    and returns to the user U a signature with its
    secret key x as follows
  • 16 z (hug2)x mod p .

22
Withdrawal
  • Before the user U is allowed to withdraw a coin,
    U must first prove ownership of his account.
  • Step 1 The bank generates a random number w from
    Z(q), and sends the pseudo-public key a and the
    pseudo-signed message b to the user U
  • 17 a gw mod p 18 b (hug2)w mod p

23
Withdrawal
  • Step 2 The user U generates three random numbers
    s, x1 , and x2 from Z(q). These are used to
    calculate
  • 19 A (hug2)s mod p 20 B g1x1g2x2
    mod p 21 z' zs mod p

24
Withdrawal
  • U also generates two random numbers u, v from
    Z(q). These are used to calculate
  • 22 a' augv mod p 23 b' b(su)Av
    mod p
  • The user U then computes the challenge c' as
  • 24 c' H(A, B, z', a', b')
  • then sends the blinded challenge c back to the
    bank
  • 25 c c'/u mod q .

25
Withdrawal
  • The coin is the set of numbers A, B,
    (z',a',b',r').
  • (z',a',b',r') is Schnorrs signature on A, B.
  • Denominations take different g for each
    different denomination.

26
Withdrawal
  • Step 3 The bank sends the response r
  • 26 r w cx mod q
  • and debits U's account in the amount equal to the
    value of one coin.
  • Step 4 U accepts the debit only if
  • 27 gr ahc mod p
  • 28 (hug2)r bzc mod p .
  • The user U also calculates r'
  • 29 r' v ru mod q .

27
Payment
  • When the user U is ready to spend the coin, the
    following protocol is enacted between the user
    and the shop S
  • Step 1 The user sends A, B, (z',a',b',r') to
    S.
  • Step 2 The shop returns the challenge d
  • 30 d Ho(A, B, SHOP-ID, DATE-TIME) .
  • Step 3 The user U calculates the responses r1,
    r2
  • 31 r1 d(u1s) x1 mod q 32 r2 ds x2
    mod q

28
Payment
  • Step 4 The shop S accepts the coin only if
  • 33 gr' a'hc' mod p 34 Ar' b'z'c'
    mod p
  • 35 AdB g1r1g2r2 mod p

29
Deposit
  • When the shop S is ready to deposit the coin at
    the bank, the shop sends the payment transcript
    consisting of the coin A, B, (z',a',b',r'),
    along with (r1, r2) and the DATE-TIME of the
    transaction. The bank already knows the SHOP-ID,
    which is used in the communication.
  • Step 1 The bank verifies equations 33 to
    35 to see that this is a valid coin.

30
Deposit
  • Step 2 If the coin is valid, the bank checks
    its database to see if the coin was spent
    previously.
  • CASE A If the coin is not in the database, then
    it was not previously spent. Hence the bank
    credits the account of S, and records the coin in
    the form
  • A, B, DATE-TIME, r1, r2.

31
Deposit
  • CASE B If the coin is already in the database,
    then a fraud has occurred. If S previously
    deposited the coin, and the DATE-TIME are the
    same, then S is trying to deposit the same coin
    or transcript twice. The deposit is rejected for
    that reason. The bank knows the identity of the
    shop S responsible.

32
Deposit
  • CASE C. Otherwise, the coin has been
    double-spent, and the bank takes steps to unmask
    the double-spender. The bank has two sets of
    information on the coin
  • A, B, DATE-TIME, r1, r2.A, B, DATE-TIME',
    r'1, r'2.
  • Hence, the bank can calculate
  • (r1 - r'1) / (r2 - r'2) d(u1s) - d'(u1s)
    / ds - d's u1 mod q.
  • Thus it can check its database for the user
    identity!

33
Analysis
  • Advantages
  • Security of this system rests on the difficulty
    in finding discrete logarithmic factors. Other
    systems rely on prime factorization used in RSA.
    So the ability in factoring for large primes
    would not break this system as it would be the
    case in other systems.

34
Analysis
  • Advantages
  • The major advantage of this mechanism is that the
    user does not need to keep track many copies of
    identity and many different bills as is the case
    in other systems.

35
Analysis
  • Disadvantages
  • This scheme is difficult to understand and is
    more complex compared to other mechanisms used
    such as Chaums system. Moreover, since we use
    discrete logarithmic signatures, we have to deal
    with larger signatures compared to other methods.

36
References
  • Jahanian Farsi, Mandana. Digital Cash.
    Retrieved November. 2004
  • www.simovits.com/archive/dcash.pdf
  • Cormen, Leiserson, Rivest, and Stein.
    Introduction to Algorithms.
  • Massachussetts McGraw Hill, 2001.
  • Sander, Ta-Shama. Auditable, Anonymous
    Electronic Cash. Retrieved
  • November. lt2004 www.cs.tau.ac.il/amnon/Pape
    rs/ST.crypto99.pdfgt
  • Bleumer, Gerrit. Electronic Cash. 25 April.
    2004.
  • http//www.win.tue.nl/henkvt/GBl.ElectronicCa
    sh.pdf
  • Orlin Grabbe,J . Stefan Brands' System of
    Digital Cash . 1997.
  • http//www.aci.net/kalliste/stefbrdc.htm

37
Questions, Comments
  • ?

38
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com