Digital Cash

20
Digital Cash

description

Digital Cash. OUTLINE. Properties Scheme Initialization Creating a Coin Spending the Coin Depositing the Coin Fraud Control Anonymity. Properties. Security The cash can be sent securely through computer network. Can’t be copied and reused Privacy (Untraceability or Anonymity) - PowerPoint PPT Presentation

Transcript of Digital Cash

Page 1: Digital Cash

Digital Cash

Page 2: Digital Cash

p2.

OUTLINE

Properties

Scheme

Initialization

Creating a Coin

Spending the Coin

Depositing the Coin

Fraud Control

Anonymity

Page 3: Digital Cash

p3.

Properties

1. SecurityThe cash can be sent securely through computer network.

2. Can’t be copied and reused3. Privacy (Untraceability or Anonymity)

If the cash is spent legitimately, neither the recipient nor the bank can identify the spender.

4. Offline paymentNo communication with the bank is needed during the transaction.

5. TransferabilityThe cash can be transferred to others.

6. DividabilityA piece of cash can be divided into smaller amounts.

Page 4: Digital Cash

p4.

T. Okamoto and K. Ohta, "Universal electronic cash," Advances in Cryptology-CRYPTO'91, LNCS 576, Springer-Verlag, pp. 324-337, 1991. (satisfies 1 ~ 6)

S. Brands, "Untraceable off-line cash in wallets with observers," Advances in Cryptology-CRYPTO'93, LNCS 773, Springer-Verlag, pp. 302-318, 1994. (satisfies 1 ~ 4)

Page 5: Digital Cash

p5.

Scheme

Bank

Spender

Merchant

1. Withdraw

2. Coin

3. Payment

4. Receipt

5. Deposit

6. Results

Page 6: Digital Cash

p6.

Initialization (1/2)

Publish: p : a large prime, s.t. q = (p – 1) / 2 is also

prime. g : the square of a primitive root mod p. g1 = g a mod p g2 = g b mod p H : a hash function

H : Z Z Z Z Z Zq*

H0 : a hash function

H0 : Z Z Z Z Zq*

(a and b are secretly chosen and discarded immediately)

Page 7: Digital Cash

p7.

Initialization (2/2)

Bank

Spender

Merchant

3. Send I4. Send z’ (Ig2)x (mod p)

2. Register M

1. Choose an ID number M

1. Choose a secret number x2. Compute h gx, h1 g1

x, h2 g2x (mod p)

3. Publish h, h1, and h2

1. Choose a secret number u

2. Compute I g1

u (mod p)

Page 8: Digital Cash

p8.

Creating a Coin

Bank Spender

Withdraw

Choose a random number w

gw gw , (Ig2) w(mod p)

Compute

) (mod ,

,',,)(

2121

21212

pAbgga

zzggBIgAs

w

sxxs

),,,,(1

1 bazBAHc

c1 cx + w (mod q)Compute r 1 c1 + 2 (mod q)

C = (A, B, z, a, b, r)

Choose a secret random 5-tuple of integers (s, x1, x2, 1, 2), s 0 (mod q)

Page 9: Digital Cash

p9.

Spending the Coin

Spender

MerchantCheck whether

gr ahH(A, B, z, a, b) (mod p), Ar zH(A, B, z, a, b)b (mod p)d = H0(A, B, M, Timestamp)

r1 dus + x1, r2 ds + x2 (mod q)Check whether

) (mod 2121 pBAgg drr

Accept or reject

(A, B, z, a, b, r)Pay

Page 10: Digital Cash

p10.

Depositing the Coin

Merchant

Bank

Check whetherthe coin has been previously deposited or not, and

) (mod 2121 pBAgg drr

gr ahH(A, B, z, a, b) (mod p),

Ar zH(A, B, z, a, b)b (mod p),

(A, B, z, a, b, r), (r1, r2, d)Deposit

Results

Page 11: Digital Cash

p11.

Fraud Control (1/7)

Case 1: The Spender spends the coin twice.

Merchant 1

Merchant 2

Spender

C, (r1, r2, d)

)',','(, 21 drrC

), (mod )'('11 qddusrr ) (mod )'('22 qddsrr

) (mod )')('( 12211 qrrrru ) (mod 1 pgI u

Page 12: Digital Cash

p12.

Fraud Control (2/7)

Case 2: The Merchant tries submitting the coin twice.

C, (r1, r2, d)

)',','(, 21 drrC

) (mod ''2

'1

21 pBAgg drr

Merchant

Bank

forged

Impossible! Since it is very difficult to produce numbers such that (since the Merchant does not know u).

Page 13: Digital Cash

p13.

Fraud Control (3/7)

Case 3: Someone try to make an unauthorized coin.

Impossible! Since this requires finding numbers such that

gr ahH(A, B, z, a, b) (mod p), and

Ar zH(A, B, z, a, b)b (mod p),

Page 14: Digital Cash

p14.

Fraud Control (4/7)

Case 4:

Impossible!

Bank

Merchant 1

Merchant 2

Spender

1. Spend C 3. Spend C

2. Deposit C, (r1, r2, d)

evil

The Merchant 2 computes d’ (very likely != d).

It is very difficult for the evil merchant to produce numbers such that

) (mod ''2

'1

21 pBAgg drr

Page 15: Digital Cash

p15.

Fraud Control (5/7)

Case 5: Someone working in the Bank tries to forge a coin.

It is possible to make a coin satisfied

gr ahH(A, B, z, a, b) (mod p), and

Ar zH(A, B, z, a, b)b (mod p),

but he does not know u , thus unable to produce a suitable r1. So, he cannot spend it.

Page 16: Digital Cash

p16.

Fraud Control (6/7)

Case 6: Someone steal the coin from the Spender and try to spend it.

Impossible! The thief does not know u, thus unable to produce r1.

Page 17: Digital Cash

p17.

Fraud Control (7/7)

Case 7: An evil merchant steals the coin and (r1, r2, d) before they are submitted to the Bank, and then deposits them to the Bank.

Possible! This is a flaw of ordinary cash, too.

Page 18: Digital Cash

p18.

Anonymity (1/3)

During the entire transaction with the Merchant, the Spender never needs to provide any identification.

Page 19: Digital Cash

p19.

Anonymity (2/3)

Is it possible for the Bank to extract the Spender’s identity from knowledge of

the coin (A, B, z, a, b, r) and the triple (r1, r2, d) ?

No.

A, B, z, a, b look like random numbers to everyone except the Spender.

The Bank never sees A, B, z, a, b, r until the coin is deposited.

Page 20: Digital Cash

p20.

Anonymity (3/3)

When creating the coin, the Bank provides only gw and c1, and has seen only

c 1–1H(A, B, z, a, b) (mod q).

the Bank cannot compute H(A, B, z, a, b)

and deduce 1 at that time.

The Bank can keep a list of all values c it has received, along with values of H for every coin that is deposited, and then try all combinations to find 1. (impractical for a

system of millions of coins)