Electronic Cash R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to...


Page 1: Electronic Cash R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity.

Electronic Cash

R. Newman

Page 2: Topics

- Defining anonymity
- Need for anonymity
- Defining privacy
- Threats to anonymity and privacy
- Mechanisms to provide anonymity
- Metrics for Anonymity
- Applications of anonymity technology

Page 3: Payment forms

- Barter
- Cash
- Check
- Wire transfer
- Credit/debit card
- E-cash

Page 4: Payment forms

- Barter
  - Earliest form of payment
  - Value intrinsic in the bartered good/service
  - Physical presence of good/service
  - Not flexible, not easily divisible
- Cash
- Check
- Wire transfer
- Credit/debit card
- E-cash

Page 5: Payment forms

- Barter
- Cash
  - Difficult to trace
  - Hard to forge
  - Physical presence of coins, notes
  - May or may not have intrinsic value
- Check
- Wire transfer
- Credit/debit card
- E-cash

Page 6: Payment forms

- Barter
- Cash
- Check
  - Easy to trace, can be revoked
  - Flexible amounts
  - Slow – hard to verify immediately
  - Can be mailed or used electronically
- Wire transfer
- Credit/debit card
- E-cash

Page 7: Payment forms

- Barter
- Cash
- Check
- Wire transfer
  - Easy to verify
  - Fast
  - Expensive
- Credit/debit card
- E-cash

Page 8: Payment forms

- Barter
- Cash
- Check
- Wire transfer
- Credit/debit card
  - Easy to verify quickly
  - Less expensive than wire transfer
  - Easy to trace, cards can be revoked
  - Convenient for electronic use (remote payment)
- E-cash

Page 9: Electronic Payment Problems

- Credentials can be stolen
  - Account number, name on card
  - Address, zip code easy to find
  - PIN revealed during use
- Smart cards
  - Alleviate some of the issues above
  - Still, can be traced – privacy is lost

Page 10: Electronic Cash Requirements

- Easy to use electronically
- Convenience
- Easy to verify
- Inexpensive
- Reliable
- Detect forgeries easily
- Easy for bank to generate, hard for others
- Hard to trace (for payer)
- Privacy
- Easy to determine if used twice (for bank)

Page 11: Chaum Electronic Cash

Form of currency:

$(x, f(x)^{1/3} \bmod n)$

n is large composite whose factors known only to bank

f is a one-way function

Page 12: Chaum Electronic Cash

1. Alice chooses random x, r, sends Bank

$B = r^3 f(x) \bmod n$

2. Bank computes and returns cube root to Alice,

$r \, f(x)^{1/3} \bmod n$

withdraws a dollar from Alice’s account

3. Alice extracts $C = f(x)^{1/3} \bmod n$

4. To pay Bob one dollar, Alice gives him $(x, f(x)^{1/3} \bmod n)$

5. Bob immediately verifies coin with bank

ensures coin has not been spent already

Page 13: Chaum Electronic Cash

All can verify correct structure

Bank cannot associate coin with Alice’s account

But Bob must contact Bank immediately

Newer protocol removes this requirement

Allows bank to reveal Alice’s identity if coin spent twice
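The withdrawal and payment steps of the basic Chaum coin, as an added Python example that is not part of the original slides. The toy primes, the SHA-256 stand-in for f, and the names `Bank`, `withdraw_coin` and `deposit` are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key (assumption): two small well-known primes, far too short for real use.
P, Q = 1_000_000_007, 998_244_353
N = P * Q
PHI = (P - 1) * (Q - 1)
assert gcd(3, PHI) == 1          # cube roots mod N exist and are unique
D = pow(3, -1, PHI)              # bank's secret: the exponent that takes cube roots

def f(x: int) -> int:
    """One-way function f, modelled here with SHA-256 reduced mod N (assumption)."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(32, "big")).digest(), "big") % N

class Bank:
    def __init__(self):
        self.balance = {"alice": 2}
        self.spent = set()       # serials x of coins already deposited

    def withdraw(self, account: str, blinded: int) -> int:
        """Step 2: debit one dollar and return the cube root of the blinded value."""
        if self.balance[account] < 1:
            raise ValueError("insufficient funds")
        self.balance[account] -= 1
        return pow(blinded, D, N)

    def deposit(self, x: int, c: int) -> bool:
        """Step 5: accept a coin only if it is well formed and not already spent."""
        if pow(c, 3, N) != f(x) or x in self.spent:
            return False
        self.spent.add(x)
        return True

def withdraw_coin(bank: Bank, account: str):
    """Steps 1-3 from Alice's side; returns (coin, blinded value the bank saw)."""
    x = secrets.randbits(256)
    while True:                  # r must be invertible mod N so Alice can unblind
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (pow(r, 3, N) * f(x)) % N           # B = r^3 f(x) mod n
    signed = bank.withdraw(account, blinded)      # r * f(x)^(1/3) mod n
    c = (signed * pow(r, -1, N)) % N              # C = f(x)^(1/3) mod n
    return (x, c), blinded
```

The bank sees only `blinded` at withdrawal and `(x, c)` at deposit, so it cannot link the two. The `spent` set is the reason Bob has to check with the bank before accepting the coin.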

Page 14: Untraceable Coins

Bank publishes an RSA modulus n such that $\phi(n)$ has no small odd factors, sets security parameter k

k used for cut-and-choose verification

Let f and g be two-argument, collision-free functions – i.e., computationally infeasible to find two inputs that map to the same output

Alice has bank account number u

Bank associates counter v with account u

Page 15: Untraceable Coins

To get a coin:

1. Alice chooses $a_i$, $c_i$, $d_i$, and $r_i$ independently and uniformly from residues modulo n, for $1 \le i \le k$

2. Alice sends Bank blinded candidates:

$B_i = r_i^3 f(x_i, y_i) \bmod n$

where $x_i = g(a_i, c_i)$ and

$y_i = g(a_i \oplus (u \,\|\, (v + i)), d_i)$

3. Bank chooses half of the candidates at random

4. Alice provides Bank with $a_i$, $c_i$, $d_i$, and $r_i$ for the selected candidates (cut-and-choose)

Page 16: Untraceable Coins

To get a coin (cont’d):

5. Bank verifies Alice was honest with those candidates, then sends Alice

$B_i^{1/3}$ for the remaining candidates,

charges account u a dollar, increments v by k

6. Alice extracts $C = f(x_i, y_i)^{1/3} \bmod n$

Note: Bank catches Alice with high probability if she cheats with her blinded candidates
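The cut-and-choose check in steps 3 to 5 of "To get a coin", as an added Python example that is not from the original slides. It stops before the bank's signing step; the toy modulus, the tagged SHA-256 stand-in for f and g, the 64-bit encoding of u || (v + i), and all function names are assumptions.

```python
import hashlib
import random
import secrets

N = 1_000_000_007 * 998_244_353   # constructed toy modulus; a real n is a full-size RSA modulus

def h(tag: bytes, *vals: int) -> int:
    """Stand-in for the collision-free functions f and g (assumption): tagged SHA-256."""
    data = tag + b"".join(v.to_bytes(32, "big") for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def ident(u: int, counter: int) -> int:
    return (u << 64) | counter                      # u || (v + i)

def make_candidate(u: int, v: int, i: int):
    """Alice, steps 1-2: secrets (a, c, d, r) and the blinded candidate B_i."""
    a, c, d = (secrets.randbits(128) for _ in range(3))
    r = secrets.randbelow(N - 2) + 2
    x, y = h(b"g", a, c), h(b"g", a ^ ident(u, v + i), d)
    return (a, c, d, r), (pow(r, 3, N) * h(b"f", x, y)) % N

def bank_opens_ok(u: int, v: int, i: int, opened, B: int) -> bool:
    """Step 5: recompute B_i from the opened values using the bank's own u and v."""
    a, c, d, r = opened
    x, y = h(b"g", a, c), h(b"g", a ^ ident(u, v + i), d)
    return B == (pow(r, 3, N) * h(b"f", x, y)) % N

def cut_and_choose(u, v, k, forged=(), fake_u=0, rng=random):
    """Run steps 1-5; candidates whose index is in `forged` embed fake_u instead of u.
    Returns True if the bank would go on to sign, False if it catches Alice."""
    cands = [make_candidate(fake_u if i in forged else u, v, i) for i in range(1, k + 1)]
    chosen = rng.sample(range(1, k + 1), k // 2)    # step 3: bank's random half
    return all(bank_opens_ok(u, v, i, *cands[i - 1]) for i in chosen)
```

Alice is caught as soon as the bank opens a single forged candidate, so forging more than k/2 of them always fails. Forged candidates escape only when every one of them lands in the unopened half.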

Page 17: Untraceable Coins

To use a coin

1. Alice sends C to Bob

2. Bob chooses k/2 random bits $z_i$

3. If $z_i = 1$, Alice sends Bob $a_i$, $c_i$, and $y_i$

else Alice sends Bob $x_i$, $a_i \oplus (u \,\|\, (v + i))$, and $d_i$

4. Bob verifies form of C and Alice’s responses fit

5. Bob later sends C and Alice’s responses to Bank

6. Bank verifies correctness of spent coin and credits Bob’s account, stores C, $z_i$’s, and responses

Page 18: Untraceable Coins

If Alice spends a coin twice,

It is likely that for some i, $z_i \oplus z_i' = 1$

Bank can search for C’s to see if coin was spent

If C was used twice, it is likely that Bank has both

$a_i$ and $a_i \oplus (u \,\|\, (v + i))$, for some i

So Bank can determine u and catch Alice
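Payment and double-spend tracing as described in "To use a coin" and the slide that follows it, as an added Python example that is not from the original slides. The bank's signature over f(x_i, y_i) is left out to isolate the identity-revealing responses; SHA-256 as g, the 8-byte encodings of u and v + i, and all function names are assumptions.

```python
import hashlib
import secrets

def g(a: bytes, b: bytes) -> bytes:
    """Collision-free two-argument function g, modelled with SHA-256 (assumption)."""
    return hashlib.sha256(b"g" + a + b).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def make_terms(u: int, v: int, m: int):
    """Alice's secrets for the m unopened candidates: (a_i, c_i, d_i, u || (v + i))."""
    terms = []
    for i in range(1, m + 1):
        a, c, d = (secrets.token_bytes(16) for _ in range(3))
        ident = u.to_bytes(8, "big") + (v + i).to_bytes(8, "big")
        terms.append((a, c, d, ident))
    return terms

def commitments(terms):
    """The (x_i, y_i) pairs that the coin C is built from."""
    return [(g(a, c), g(xor(a, ident), d)) for a, c, d, ident in terms]

def respond(terms, z):
    """Alice's answers to the challenge bits z (step 3)."""
    out = []
    for (a, c, d, ident), bit in zip(terms, z):
        if bit == 1:
            out.append((a, c, g(xor(a, ident), d)))     # a_i, c_i, y_i
        else:
            out.append((g(a, c), xor(a, ident), d))     # x_i, a_i XOR (u||(v+i)), d_i
    return out

def verify(coin, z, resp):
    """Vendor's check (step 4): every response must reproduce the committed (x_i, y_i)."""
    return all(((g(p, q), r) if bit == 1 else (p, g(q, r))) == xy
               for xy, bit, (p, q, r) in zip(coin, z, resp))

def recover_account(z1, resp1, z2, resp2):
    """Bank: where two deposits of one coin differ in z_i, XOR yields u || (v + i)."""
    for b1, r1, b2, r2 in zip(z1, resp1, z2, resp2):
        if b1 != b2:
            a = r1[0] if b1 == 1 else r2[0]
            masked = r2[1] if b1 == 1 else r1[1]
            return int.from_bytes(xor(a, masked)[:8], "big")
    return None   # identical challenge bits: nothing about u is revealed
```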

Page 19: Untraceable Coins

If Alice colludes with a second vendor Charlie,

After spending her coin with Bob, they can arrange for Charlie to use the same $z_i$’s as Bob

Bank knows that one cheated, but not which one!

And Bank can’t identify Alice!

Remedy: Force each vendor to use distinct $z_i$’s for some portion of them, random $z_i$’s for the rest (sufficient number to allow for many purchases by Alice)

Page 20: Proving Multiple Spending

Bank can frame Alice! (how?)

Hence, won’t hold up in court

To prevent this, Alice uses public key signatures

Computational security only

Alice uses pseudonymous account for each coin

Page 21: Proving Multiple Spending

Alice chooses for each i random $z_i'$, $z_i''$

$u_i$ is of the form [Alice’s acct number || $z_i'$ || $z_i''$]

Along with $B_i$’s, Alice gives Bank signature for

$g(z_1', z_1'') \,\|\, g(z_2', z_2'') \,\|\, \ldots \,\|\, g(z_k', z_k'')$

During cut-and-choose, Bank verifies correctness of form of $u_i$ for each of the k/2 $B_i$’s it examines

Bank has proof of multiple spending of a coin whenever it can present preimage of at least k/2+1 of the $g(z_i', z_i'')$

Page 22: Other Results

Untraceable checks – issued with maximum value

Use coins with power-of-2 values to express arbitrary value as sum of powers of two

Retrieve unspent coins from check

Central Bank always an issue

Solved with Byzantine agreement in Bitcoin

Very different approach to valuation....