CPS 214 Bank Clearing and Settlement Quantum Key Exchange Electronic Cash
advertisement
CPS 214
Bank Clearing and Settlement
Quantum Key Exchange
Electronic Cash
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Clearing and Settling
• Clearing: determining the amount that one
party owes another
• Settling: transfer of funds from one party to
the other
• Banks clear and settle every day (or at least
on those rare days when banks are open)
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Fedwire
• Owned and operated by Federal Reserve
Banks
• 7500 participant banks keep accounts with
Federal Reserve
• Over $2,000,000,000,000 transferred per day
• FEDNET proprietary telecommunications
network
• Physical security mechanisms difficult to
uncover!
• Now permits some IP or web-based
transactions
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Quantum Cryptography
• In quantum mechanics, there is no way to
take a measurement without potentially
changing the state. E.g.
– Measuring position, spreads out the momentum
– Measuring spin horizontally, “spreads out” the spin
probability vertically
Related to Heisenberg’s uncertainty principal
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Using photon polarization
0
1
diagonal basis
rectilinear basis
measure
diagonal
measure
rectilinear
Measuring using one basis changes
polarization to that basis!
Bennet and Brassard 1984
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Quantum Key Exchange
1. Alice creates each random bit and then randomly
encodes it in one of two bases:
2. Bob measures photons in random orientations
e.g.: x + + x x x + x (orientations used)
\ | - \ / / - \ (measured polarizations)
and tells Alice in the open what orientations he used,
but not what he measured.
3. Alice tells Bob in the open which orientations are
correct
4. Bob and Alice compare a randomly chosen subset of
sent/received bits to detect eavesdropper
5. Susceptible to a man-in-the-middle attack
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
In the “real world”
• 10-node DARPA Quantum Network since
2004
• Los Alamos/NIST March 2007, 148km
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
15-853
Algorithms in the Real World
Electronic Cash
Michael I. Shamos, Ph.D., J.D.
Co-Director
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Token vs. Notational Money
• Token money
– Represented by a physical article (e.g. cash, traveler’s
check, gift certificate, coupon)
– Can be lost
– Used for instantaneous value transfer
• Notational money (account ledger entries)
–
–
–
–
Examples: bank accounts, frequent flyer miles
Can’t be lost
Transfer by order to account holder, usually not immediate
Requires “clearance” and “settlement”
WHAT IS THE NET EFFECT OF ALL THE ORDERS?
(HOW MUCH DOES EACH PARTY HAVE TO PAY?)
ELECTRONIC CASH
FALL 2000
ACTUAL PAYMENT IN “REAL” MONEY
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Online v. Offline Systems
• An online system requires access to a server for each
transaction.
– Example: credit card authorization. Merchant must get code
from issuing bank.
• An offline system allows transactions with no server.
– Example: cash transaction. Merchant inspects money. No
communication needed.
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Electronic Cash
• Electronic cash is token money in the form of bits, except unlike
token money it can be copied.
•
•
•
•
•
•
This creates a host of problems:
A copy of a real bill is a counterfeit.
A copy of an ecash string is not counterfeit (it’s a perfect copy)
How is ecash issued? How is it spent? Why would anyone
accept it?
Counterfeiting
Loss (it’s token money; it can be lost)
What prevents double spending?
Can it be used offline?
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Electronic Cash -- Idea 1
• Bank issues character strings containing:
– denomination
– serial number
– bank ID + encryption of the above
• First person to return string to bank gets the money
PROBLEMS:
• Can’t use offline. Must verify money not yet spent.
• Not anonymous. Bank can record serial number.
• Sophisticated transaction processing system required
with locking to prevent double spending.
• Eavesdropping!
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Blind Signatures
• Sometimes useful to have people sign things without
seeing what they are signing
– notarizing confidential documents
– preserving anonymity
• Alice wants to have Bob sign message M.
(In cryptography, a message is just a number.)
• Alice multiplies M by a number -- the blinding factor
• Alice sends the blinded message to Bob. He can’t
read it — it’s blinded.
• Bob signs with his private key, sends it back to Alice.
• Alice divides out the blinding factor. She now has M
signed by Bob.
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Blind Signatures
•
•
•
•
Alice wants to have Bob sign message M.
Bob’s public key is (e, n). Bob’s private key is d.
Alice picks a blinding factor k between 1 and n.
Alice blinds the message M by computing
T = M ke (mod n)
She sends T to Bob.
e • d = 1 (mod (n))
• Bob signs T by computing
Td = (M ke)d (mod n) = Md k (mod n)
• Alice unblinds this by dividing out the blinding factor:
S = Td/k = Md k (mod n)/k = Md (mod n)
• But this is the same as if Bob had just signed M,
except Bob was unable to read T
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Blind Signatures
• It’s a problem signing documents you can’t read
– But it happens. Notary public, witness, etc.
• Blind signatures are only used in special situations
• Example:
– Ask a bank to sign (certify) an electronic coin for $100
– It uses a special signature good only for $100 coins
• Blind signatures are the basis of anonymous ecash
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
eCash (Formerly DigiCash)
ALICE SEND UNSIGNED
BLINDED COINS TO THE BANK
Withdrawal
(Minting):
WALLET
SOFTWARE
ALICE BUYS DIGITAL
COINS FROM A BANK
BANK SIGNS COINS, SENDS THEM BACK. ALICE UNBLINDS THEM
BOB VERIFIES COINS
NOT SPENT
ALICE PAYS BOB
Spending:
BOB DEPOSITS
Personal
Transfer:
CINDY VERIFIES COINS
NOT SPENT
ALICE TRANSFERS COINS TO CINDY
CINDY GETS COINS BACK
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Minting eCash
• Alice requests coins from the bank where she has an
account
• Alice sends the bank
{ { blinded coins, denominations }SigAlice }PKBank
• Bank knows they came from Alice and have not been
altered (digital signature)
• The message is secret (only Bank can decode it)
• Bank knows Alice’s account number
• Bank deducts the total amount from Alice’s account
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Minting eCash, cont.
• Bank now must produce signed coins for Alice
• Each of Alice’s blinded coins has a serial#
• Bank’s public key for $5 coins is (e5, m5) (exponent
and modulus). Private key is d5.
• Alice selects blinding factor r
• Alice blinds serial# by multiplying by r e5 (mod m5)
e5 • d5 = 1 (mod m5)
(serial# r e5) (mod m5)
• Banks signs the coin with its private d5 key:
(serial# r e5)d5 (mod m5) = (serial#)d5 r (mod m5)
• Alice divides out the blinding factor r. What’s left is
(serial#)d5 (mod m5) = { serial# } SKBank5
Just as if bank signed serial#. But Bank doesn’t know serial#.
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Spending eCash
• Alice orders goods from Bob
• Bob’s server requests coins from Alice’s wallet:
payreq = { currency, amount, timestamp,
merchant_bankID, merchant_accID, description }
• Alice approves the request. Her wallet sends:
payment = { payment_info, {coins,
H(payment_info)}PKmerchant_bank }
payment_info = { Alice’s_bank_ID, amount, currency,
ncoins, timestamp, merchant_ID, H(description),
H(payer_code) }
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Depositing eCash
• Bob receives the payment message, forwards it to
the bank for deposit by sending
deposit = { { payment }SigBob }PKBank
• Bank decrypts the message using SKBank.
• Bank examines payment info to obtain serial# and
verify that the coin has not been spent
• Bank credits Bob’s account and sends Bob a deposit
receipt:
deposit_ack = { deposit_data, amount }SigBank
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Proving an eCash Payment
• Alice generates payer-code before paying Bob
• A hash of the payer_code is included in payment_info
• Bob cannot tamper with H(payer_code) since
payment_info is encrypted with the bank’s public key
• The merchant’s bank records H(payer_code) along
with the deposit
• If Bob denies being paid, Alice can reveal her
payer_code to the bank
• Otherwise, Alice is anonymous; Bob is not.
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Lost eCash
• Ecash can be “lost”. Disk crashes, passwords
forgotten, numbers written on paper are lost.
• Alice sends a message to the bank that coins have
been lost
• Banks re-sends Alice her last n batches of blinded
coins (n = 16)
• If Alice still has the blinding factor, she can unblind
• Alice deposits all the coins bank in the bank. (The
ones that were spent will be rejected.)
• Alice now withdraws new coins
• eCash demo
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Anonymous Ecash Crime
•
•
•
•
Kidnapper takes hostage
Ransom demand is a series of blinded coins
Banks signs the coins to pay ransom
Kidnapper tells bank to publish the coins in the
newspaper (they’re just strings)
• Only the kidnapper can unblind the coins (only he
knows the blinding factor)
• Kidnapper can now use the coins and is completely
anonymous
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Offline Double-Spending
• Double spending easy to stop in online systems:
System maintains record of serial numbers of spent
coins.
• Suppose Bob can’t check every coin online. How
does he know a coin has not been spent before?
• Method 1: create a tamperproof dispenser (smart
card) that will not dispense a coin more than once.
– Problem: replay attack. Just record the bits as they come
out.
• Method 2: protocol that provably identifies the doublespender but is anonymous for the single-spender.
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Chaum Double-Spending Protocol
• Alice wants 100 five-dollar coins.
• Alice sends 200 five-dollar coins to the bank (twice as
many as she needs). For each coin, she
– Combines b different random numbers with her account
number and the coin serial number (using exclusive-OR )
– Blinds the coin
• Bank selects half the coins (100), signs them, gives
them back to Alice
• Bank asks her for the random numbers for the other
100 coins and uses it to read her account number
– Bank feels safe that the blinded coins it signed had her real
account number. (It picked the 100 out of 200, not Alice.)
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Probability Cheating is Detected
• If Alice sends 2n coins to the bank but k have the
wrong account number, what is the probability it
appears among the n coins the bank picks?
k
p ( j )
j
WAYS TO PICK EXACTLY
j OF k BAD COINS
•
•
•
•
2 n k 2 n
n j n
WAYS TO PICK EXACTLY
n- j OF 2n- k GOOD COINS
WAYS TO PICK EXACTLY
n OF 2n TOTAL COINS
The probability that Alice gets away with it is p(0).
For k = 1, p(0) = 1/2
For n = 100, k = 10, p(0) ~ 8/10000
For n = 100, k = 100, p(0) ~ 10-59
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Chaum Protocol
• Alice’s account number is 12, which in hex is 0C = 00001100
• Alice picks serial number 100 and blinding number 5
• She asks the bank for a coin with serial number
100 x 5 = 500
• Alice chooses a random number b and creates b random
numbers for this coin. Say b=6
• Alice XORs each random number with her account number:
i
0
1
2
3
4
5
ELECTRONIC CASH
acct random
0C
1B
0C
13
0C
09
0C
05
0C
2B
0C
11
acct random
17
1F
05
09
27
1D
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Chaum Protocol
• Bob receives Alice’s coin. He finds out b and picks a random bbit number, say 111010 (bits numbered 5 4 3 2 1 0)
• For every bit position in which Bob’s number has a 1, he
receives Alice’s random number for that position
• For every 0-bit, Bob receives Alice’s account number XOR her
random number for that position
random acct random Bob’s bit
i
acct
Bob receives
0
0D
1B
17
0
1
0D
13
1F
1
2
0D
09
05
0
3
0D
05
09
1
05
4
0D
2B
27
1
2B
5
0D
11
1D
1
11
17
13
05
• Bob sends the last column to the bank when depositing the coin
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Chaum Protocol
• Now Alice tries to spend the coin again with Charlie. He finds
b=6 and picks random number 010000
• Charlie goes through the same procedure as Bob and sends the
numbers he receives to the bank when he deposits the coin
i
acct random acct random Charlie’s bit Charlie receives
0
0D
1B
17
0
17
1
0D
13
1F
0
1F
2
0D
09
05
0
05
3
0D
05
09
0
09
4
0D
2B
27
1
5
0D
11
1D
0
ELECTRONIC CASH
FALL 2000
2B
1D
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Chaum Protocol
• The bank refuses to pay Charlie, since the coin was deposited
by Bob
• The bank combines data from Bob and Charlie (or both) using
XOR where it has different data from the two sources:
i
0
acct random acct random random acct acct holder
random
0C
17
1
0C
13
2
0C
3
0C
05
4
0C
2B
5
0C
11
1F
0C
Alice
09
0C
Alice
1D
0C
Alice
05
• This identifies Alice as the cheater! Neither Bob nor Alice nor
the bank could do this alone
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Chaum Protocol
• Now Alice tries to spend the coin again with Charlie. He finds
b=6 and picks random number 010000
• Charlie goes through the same procedure as Bob and sends the
numbers he receives to the bank when he deposits the coin
i
acct random acct random Charlie’s bit Charlie receives
0
0C
1
0C
2
0C
3
0C
05
4
0C
2B
5
0C
11
ELECTRONIC CASH
13
17
0
17
1F
0
1F
05
0
05
09
0
09
1
1D
FALL 2000
0
2B
1D
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Chaum Protocol
• If Alice’s random number has b bits, what is the probability she
can spend a coin twice without being detected?
• Bob and Charlie’s random numbers would have to be identical.
If they differ by 1 bit, the bank can identify Alice.
• Probability that two b-bit numbers are identical p(b) = 2 -b
p(1) = 0.5
p(10) ~ .001
p(20) ~ 1/1,000,000
p(30) ~ 1/1,000,000,000
p(64) ~ 5 x 10 -20
p(128) ~ 3 x 10 -39
• Chaum protocol does not guarantee detection
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
Q&A
ELECTRONIC CASH
FALL 2000
COPYRIGHT © 2000 MICHAEL I. SHAMOS
