Digital Cash

p2.

OUTLINE

Properties

Scheme

Initialization

Creating a Coin

Spending the Coin

Depositing the Coin

Fraud Control

Anonymity

p3.

Properties

1. SecurityThe cash can be sent securely through computer network.

2. Can’t be copied and reused3. Privacy (Untraceability or Anonymity)

If the cash is spent legitimately, neither the recipient nor the bank can identify the spender.

4. Offline paymentNo communication with the bank is needed during the transaction.

5. TransferabilityThe cash can be transferred to others.

6. DividabilityA piece of cash can be divided into smaller amounts.

p4.

T. Okamoto and K. Ohta, "Universal electronic cash," Advances in Cryptology-CRYPTO'91, LNCS 576, Springer-Verlag, pp. 324-337, 1991. (satisfies 1 ~ 6)

S. Brands, "Untraceable off-line cash in wallets with observers," Advances in Cryptology-CRYPTO'93, LNCS 773, Springer-Verlag, pp. 302-318, 1994. (satisfies 1 ~ 4)

p5.

Scheme

Bank

Spender

Merchant

1. Withdraw

2. Coin

3. Payment

4. Receipt

5. Deposit

6. Results

p6.

Initialization (1/2)

Publish: p : a large prime, s.t. q = (p – 1) / 2 is also

prime. g : the square of a primitive root mod p. g1 = g a mod p g2 = g b mod p H : a hash function

H : Z Z Z Z Z Zq*

H0 : a hash function

H0 : Z Z Z Z Zq*

(a and b are secretly chosen and discarded immediately)

p7.

Initialization (2/2)

Bank

Spender

Merchant

3. Send I4. Send z’ (Ig2)x (mod p)

2. Register M

1. Choose an ID number M

1. Choose a secret number x2. Compute h gx, h1 g1

x, h2 g2x (mod p)

3. Publish h, h1, and h2

1. Choose a secret number u

2. Compute I g1

u (mod p)

p8.

Creating a Coin

Bank Spender

Withdraw

Choose a random number w

gw gw , (Ig2) w(mod p)

Compute

) (mod ,

,',,)(

2121

21212

pAbgga

zzggBIgAs

w

sxxs

),,,,(1

1 bazBAHc

c1 cx + w (mod q)Compute r 1 c1 + 2 (mod q)

C = (A, B, z, a, b, r)

Choose a secret random 5-tuple of integers (s, x1, x2, 1, 2), s 0 (mod q)

p9.

Spending the Coin

Spender

MerchantCheck whether

gr ahH(A, B, z, a, b) (mod p), Ar zH(A, B, z, a, b)b (mod p)d = H0(A, B, M, Timestamp)

r1 dus + x1, r2 ds + x2 (mod q)Check whether

) (mod 2121 pBAgg drr

Accept or reject

(A, B, z, a, b, r)Pay

p10.

Depositing the Coin

Merchant

Bank

Check whetherthe coin has been previously deposited or not, and

) (mod 2121 pBAgg drr

gr ahH(A, B, z, a, b) (mod p),

Ar zH(A, B, z, a, b)b (mod p),

(A, B, z, a, b, r), (r1, r2, d)Deposit

Results

p11.

Fraud Control (1/7)

Case 1: The Spender spends the coin twice.

Merchant 1

Merchant 2

Spender

C, (r1, r2, d)

)',','(, 21 drrC

), (mod )'('11 qddusrr ) (mod )'('22 qddsrr

) (mod )')('( 12211 qrrrru ) (mod 1 pgI u

p12.

Fraud Control (2/7)

Case 2: The Merchant tries submitting the coin twice.

C, (r1, r2, d)

)',','(, 21 drrC

) (mod ''2

'1

21 pBAgg drr

Merchant

Bank

forged

Impossible! Since it is very difficult to produce numbers such that (since the Merchant does not know u).

p13.

Fraud Control (3/7)

Case 3: Someone try to make an unauthorized coin.

Impossible! Since this requires finding numbers such that

gr ahH(A, B, z, a, b) (mod p), and

Ar zH(A, B, z, a, b)b (mod p),

p14.

Fraud Control (4/7)

Case 4:

Impossible!

Bank

Merchant 1

Merchant 2

Spender

1. Spend C 3. Spend C

2. Deposit C, (r1, r2, d)

evil

The Merchant 2 computes d’ (very likely != d).

It is very difficult for the evil merchant to produce numbers such that

) (mod ''2

'1

21 pBAgg drr

p15.

Fraud Control (5/7)

Case 5: Someone working in the Bank tries to forge a coin.

It is possible to make a coin satisfied

gr ahH(A, B, z, a, b) (mod p), and

Ar zH(A, B, z, a, b)b (mod p),

but he does not know u , thus unable to produce a suitable r1. So, he cannot spend it.

p16.

Fraud Control (6/7)

Case 6: Someone steal the coin from the Spender and try to spend it.

Impossible! The thief does not know u, thus unable to produce r1.

p17.

Fraud Control (7/7)

Case 7: An evil merchant steals the coin and (r1, r2, d) before they are submitted to the Bank, and then deposits them to the Bank.

Possible! This is a flaw of ordinary cash, too.

p18.

Anonymity (1/3)

During the entire transaction with the Merchant, the Spender never needs to provide any identification.

p19.

Anonymity (2/3)

Is it possible for the Bank to extract the Spender’s identity from knowledge of

the coin (A, B, z, a, b, r) and the triple (r1, r2, d) ?

No.

A, B, z, a, b look like random numbers to everyone except the Spender.

The Bank never sees A, B, z, a, b, r until the coin is deposited.

p20.

Anonymity (3/3)

When creating the coin, the Bank provides only gw and c1, and has seen only

c 1–1H(A, B, z, a, b) (mod q).

the Bank cannot compute H(A, B, z, a, b)

and deduce 1 at that time.

The Bank can keep a list of all values c it has received, along with values of H for every coin that is deposited, and then try all combinations to find 1. (impractical for a

system of millions of coins)