Digital Cash
description
Transcript of Digital Cash
![Page 1: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/1.jpg)
Digital Cash
![Page 2: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/2.jpg)
p2.
OUTLINE
Properties
Scheme
Initialization
Creating a Coin
Spending the Coin
Depositing the Coin
Fraud Control
Anonymity
![Page 3: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/3.jpg)
p3.
Properties
1. SecurityThe cash can be sent securely through computer network.
2. Can’t be copied and reused3. Privacy (Untraceability or Anonymity)
If the cash is spent legitimately, neither the recipient nor the bank can identify the spender.
4. Offline paymentNo communication with the bank is needed during the transaction.
5. TransferabilityThe cash can be transferred to others.
6. DividabilityA piece of cash can be divided into smaller amounts.
![Page 4: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/4.jpg)
p4.
T. Okamoto and K. Ohta, "Universal electronic cash," Advances in Cryptology-CRYPTO'91, LNCS 576, Springer-Verlag, pp. 324-337, 1991. (satisfies 1 ~ 6)
S. Brands, "Untraceable off-line cash in wallets with observers," Advances in Cryptology-CRYPTO'93, LNCS 773, Springer-Verlag, pp. 302-318, 1994. (satisfies 1 ~ 4)
![Page 5: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/5.jpg)
p5.
Scheme
Bank
Spender
Merchant
1. Withdraw
2. Coin
3. Payment
4. Receipt
5. Deposit
6. Results
![Page 6: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/6.jpg)
p6.
Initialization (1/2)
Publish: p : a large prime, s.t. q = (p – 1) / 2 is also
prime. g : the square of a primitive root mod p. g1 = g a mod p g2 = g b mod p H : a hash function
H : Z Z Z Z Z Zq*
H0 : a hash function
H0 : Z Z Z Z Zq*
(a and b are secretly chosen and discarded immediately)
![Page 7: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/7.jpg)
p7.
Initialization (2/2)
Bank
Spender
Merchant
3. Send I4. Send z’ (Ig2)x (mod p)
2. Register M
1. Choose an ID number M
1. Choose a secret number x2. Compute h gx, h1 g1
x, h2 g2x (mod p)
3. Publish h, h1, and h2
1. Choose a secret number u
2. Compute I g1
u (mod p)
![Page 8: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/8.jpg)
p8.
Creating a Coin
Bank Spender
Withdraw
Choose a random number w
gw gw , (Ig2) w(mod p)
Compute
) (mod ,
,',,)(
2121
21212
pAbgga
zzggBIgAs
w
sxxs
),,,,(1
1 bazBAHc
c1 cx + w (mod q)Compute r 1 c1 + 2 (mod q)
C = (A, B, z, a, b, r)
Choose a secret random 5-tuple of integers (s, x1, x2, 1, 2), s 0 (mod q)
![Page 9: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/9.jpg)
p9.
Spending the Coin
Spender
MerchantCheck whether
gr ahH(A, B, z, a, b) (mod p), Ar zH(A, B, z, a, b)b (mod p)d = H0(A, B, M, Timestamp)
r1 dus + x1, r2 ds + x2 (mod q)Check whether
) (mod 2121 pBAgg drr
Accept or reject
(A, B, z, a, b, r)Pay
![Page 10: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/10.jpg)
p10.
Depositing the Coin
Merchant
Bank
Check whetherthe coin has been previously deposited or not, and
) (mod 2121 pBAgg drr
gr ahH(A, B, z, a, b) (mod p),
Ar zH(A, B, z, a, b)b (mod p),
(A, B, z, a, b, r), (r1, r2, d)Deposit
Results
![Page 11: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/11.jpg)
p11.
Fraud Control (1/7)
Case 1: The Spender spends the coin twice.
Merchant 1
Merchant 2
Spender
C, (r1, r2, d)
)',','(, 21 drrC
), (mod )'('11 qddusrr ) (mod )'('22 qddsrr
) (mod )')('( 12211 qrrrru ) (mod 1 pgI u
![Page 12: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/12.jpg)
p12.
Fraud Control (2/7)
Case 2: The Merchant tries submitting the coin twice.
C, (r1, r2, d)
)',','(, 21 drrC
) (mod ''2
'1
21 pBAgg drr
Merchant
Bank
forged
Impossible! Since it is very difficult to produce numbers such that (since the Merchant does not know u).
![Page 13: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/13.jpg)
p13.
Fraud Control (3/7)
Case 3: Someone try to make an unauthorized coin.
Impossible! Since this requires finding numbers such that
gr ahH(A, B, z, a, b) (mod p), and
Ar zH(A, B, z, a, b)b (mod p),
![Page 14: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/14.jpg)
p14.
Fraud Control (4/7)
Case 4:
Impossible!
Bank
Merchant 1
Merchant 2
Spender
1. Spend C 3. Spend C
2. Deposit C, (r1, r2, d)
evil
The Merchant 2 computes d’ (very likely != d).
It is very difficult for the evil merchant to produce numbers such that
) (mod ''2
'1
21 pBAgg drr
![Page 15: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/15.jpg)
p15.
Fraud Control (5/7)
Case 5: Someone working in the Bank tries to forge a coin.
It is possible to make a coin satisfied
gr ahH(A, B, z, a, b) (mod p), and
Ar zH(A, B, z, a, b)b (mod p),
but he does not know u , thus unable to produce a suitable r1. So, he cannot spend it.
![Page 16: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/16.jpg)
p16.
Fraud Control (6/7)
Case 6: Someone steal the coin from the Spender and try to spend it.
Impossible! The thief does not know u, thus unable to produce r1.
![Page 17: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/17.jpg)
p17.
Fraud Control (7/7)
Case 7: An evil merchant steals the coin and (r1, r2, d) before they are submitted to the Bank, and then deposits them to the Bank.
Possible! This is a flaw of ordinary cash, too.
![Page 18: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/18.jpg)
p18.
Anonymity (1/3)
During the entire transaction with the Merchant, the Spender never needs to provide any identification.
![Page 19: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/19.jpg)
p19.
Anonymity (2/3)
Is it possible for the Bank to extract the Spender’s identity from knowledge of
the coin (A, B, z, a, b, r) and the triple (r1, r2, d) ?
No.
A, B, z, a, b look like random numbers to everyone except the Spender.
The Bank never sees A, B, z, a, b, r until the coin is deposited.
![Page 20: Digital Cash](https://reader035.fdocuments.us/reader035/viewer/2022062409/56814c1f550346895db9219c/html5/thumbnails/20.jpg)
p20.
Anonymity (3/3)
When creating the coin, the Bank provides only gw and c1, and has seen only
c 1–1H(A, B, z, a, b) (mod q).
the Bank cannot compute H(A, B, z, a, b)
and deduce 1 at that time.
The Bank can keep a list of all values c it has received, along with values of H for every coin that is deposited, and then try all combinations to find 1. (impractical for a
system of millions of coins)