Digital Cash
Mehdi Bazargan
Fall 2004
Introduction
• Definition
• Motivations
• Overview
• Properties
• Blind Signatures
• Brands Scheme
• Analysis
Definition
• Since hard currency or paper cash carries total anonymity in transactions, the term digital cash was coined to refer to anonymous electronic token-based payment systems.
• Digital Cash is meant to work like paper cash.
• There are different implementations of Digital Cash.
• Digital Cash is a technical product of anonymous digital commerce at the strategic level.
• It is a highly political subject.
Well…
• Anonymous? How can I prove I made my payments?
• Private? What keeps the bank from stealing from me?
• If a government doesn't know who pays whom, how can
it collect an income tax?
• If the ownership of financial assets is indeterminate,
what happens to taxes on financial assets?
Motivations
• Compared with paper cash: paper cash is slow, vulnerable, costly, and difficult to transfer.
• Compared with credit cards, digital cash provides more anonymity and security.
Overview
1. Alice deposits cash into the bank
2. Alice receives some coins
3. Alice sends over the coins to Bob
4. Bob receives the coins
5. Bob cashes the coins and sends Alice the product
Overview
• There are several approaches to implementing digital cash: “Simple Anonymous Cash” by Chaum-Fiat-Naor, “Traceable Anonymous Cash” by Ferguson, the Brands scheme, and “Auditable, Anonymous Electronic Cash” by Sander-Ta-Shma.
• The introduced methods have advantages and disadvantages. The Brands scheme provides reasonable security and anonymity; however, it is more complicated.
Overview
• In the Brands scheme we mostly draw on a set of algorithms and mathematical tools:
• Prime Factorization:
In short, it is hard to compute the prime factors of N = p*q where p and q are large primes.
• Discrete Log Problem:
In short, given x = g^a mod p, it is hard to find a even when x and g are known.
Overview
• Representation Problem in Groups of Prime Order
Given a group G of prime order q, a generator tuple (g1, g2, ..., gk) of G, and a constant h, it is hard to find a representation of h as h = g1^a1 * g2^a2 * ... * gk^ak with the ai in Z. However, it is easy to compute h if you know the generator tuple and the integers ai.
• Schnorr’s Digital Signature
A method of signing messages and verifying the validity of signatures.
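Both directions of the representation problem, as an added Python example (written for this page, not code from the slides). It uses constructed toy parameters p = 2039, q = 1019 and g1 = 4; `represent` computes h from known exponents, and `log_from_two_representations` shows why a second representation of the same h is as hard to find as a discrete logarithm: two distinct representations give log_g1(g2) directly. `demo` builds g2 = g1^y with y known only to construct the second representation, then recovers y from the two representations alone. This is the same algebra the deposit protocol later uses to unmask a double-spender from two payment transcripts.

```python
# Constructed toy parameters: p = 2039 and q = 1019 are prime, so the
# squares mod p form a group of prime order q; g1 = 4 = 2^2 generates it.
P, Q, G1 = 2039, 1019, 4


def represent(gens, exps):
    """Forward direction: with the exponents a_i known, h = g1^a1 * ... * gk^ak is easy."""
    h = 1
    for g, a in zip(gens, exps):
        h = h * pow(g, a, P) % P
    return h


def log_from_two_representations(rep1, rep2):
    """Two distinct representations (a1, a2) and (b1, b2) of one h in base
    (g1, g2) satisfy a1 + y*a2 = b1 + y*b2 mod q for y = log_g1(g2), so
    y = (a1 - b1) / (b2 - a2) mod q: finding a second representation is
    at least as hard as the discrete log problem in the group."""
    (a1, a2), (b1, b2) = rep1, rep2
    if (b2 - a2) % Q == 0:
        raise ValueError("the two representations must differ in the g2 exponent")
    return (a1 - b1) * pow((b2 - a2) % Q, -1, Q) % Q


def demo(y=777, a1=123, a2=456, b2=789):
    """Build g2 = g1^y (y is used only to construct the data), two
    representations of the same h, and recover y from them alone."""
    G2 = pow(G1, y, P)
    b1 = (a1 + y * (a2 - b2)) % Q   # forces g1^b1 * g2^b2 == g1^a1 * g2^a2
    h1 = represent((G1, G2), (a1, a2))
    h2 = represent((G1, G2), (b1, b2))
    return h1 == h2, log_from_two_representations((a1, a2), (b1, b2)) == y
```

`demo()` returns `(True, True)`: the two representations collide on h, and the quotient of their exponent differences is exactly the discrete log y that was hidden in g2.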
Properties
Some important features of the system include these:
• The on-line system is a self-contained subset of the off-line system, and if the off-line features are not used, the remaining software-only system can still be implemented efficiently.
• Payments are private, i.e. untraceable and unlinkable.
• The customer is protected from fraudulent bank claims that the customer is double-spending (i.e. protected from framing attempts by the bank).
• There is non-repudiation: customers cannot deny having made a valid payment.
Restrictive Blind Signature
• Let M denote a message. This message may be
anything, including a piece of digital cash to be signed. To
sign this message, the bank will raise it to the power x
mod p, yielding
[1] z = signed(M) = M^x.
• If we raise the message M to a random power w, we will call the result b a pseudo-signature. That is,
[2] b = pseudo-signed(M) = M^w.
Restrictive Blind Signature
• The public key of the signer is the generator g raised to the power x. So let's call the generator g raised to a random power w a pseudo-public key, and label it a. Thus we have:
[3] public key h = g^x,
[4] pseudo-public key a = g^w.
Restrictive Blind Signature
• The steps in the restrictive blind signature protocol are
as follows (all calculations in this protocol are done mod
p, unless otherwise stated):
• Step 1: The customer, Alice, sends a message M to the bank. It is intended that the bank sign M with its secret key x: z = M^x.
• The proof is to guarantee to the customer that the bank has signed M with a valid signature, namely with its secret key x.
Restrictive Blind Signature
• Step 2: The bank generates a random number w and sends to the receiver, Alice, the following elements:
the signed message z = M^x
the pseudo-public key a = g^w
the pseudo-signed message b = M^w
• We shall see that b and a will be used in part to provide a zero-knowledge proof to Alice that the bank’s signature is valid.
Restrictive Blind Signature
• Step 3: The receiver generates a challenge c. To do this, the customer first generates four random numbers s, t, u and v. Using s and t, the customer computes modifications of M and z, namely the blinded message M' and the signed blinded message z':
[5] M' = M^s * g^t (blinded message)
[6] z' = z^s*h^t
= (M^x)^s*(g^x)^t
= [M^s*g^t]^x
= M'^x (signed blinded message)
Restrictive Blind Signature
• Using u and v, the receiver (customer) computes
modifications of a, and b, namely, a', and b':
[7] a' = a^u*g^v = (g^w)^u*g^v = g^w',
[8] b' = [a^(u*t)]*[b^(u*s)]*M'^v
= [(g^w)^(u*t)]*[(M^w)^(u*s)]*M'^v
= [(g^t)^(u*w)]*[(M^s)^(u*w)]*M'^v
= [M'^(u*w)]*M'^v
= M'^w'.
where
[9] w' = u*w + v mod q.
Restrictive Blind Signature
• The customer then computes the hash value
[10] c' = H(M', z', a', b'),
and sends to the bank the challenge c:
[11] c = c'/u mod q .
• Step 4: The signer (bank) responds with
[12] r = w + c*x mod q.
• Notice this is a point on a line with slope x (the secret key) and intercept w.
Restrictive Blind Signature
• Step 5: The receiver, Alice, uses the challenge c and
the response r to check that
[13] a*h^c = g^r
and
[14] b*z^c = M^r .
• If so, the receiver accepts the signature.
Brands’ Scheme
• Uses the concepts in signature blinding as discussed. Brands’ implementation of Digital Cash considers:
• Opening an Account
• Withdrawal
• Deposit
• Payment
Opening an Account
• The user has public/private key pairs. These are not
used in the protocols that follow so will not be denoted by
individual symbols. But we require that the user be able to
send digitally signed messages to the bank.
• To open an account, the user U generates a random
number u1 from Z(q)*, and computes an identifier or
public key
[15] hu = g1^u1 mod p .
Opening an Account
• The user checks that hu*g2 is not equal to 1 mod p, and if so sends hu to the bank, keeping u1 secret. The bank stores hu along with any other information it requires on U. The bank computes and returns to the user U a signature with its secret key x as follows:
[16] z = (hu*g2)^x mod p .
Withdrawal
• Before the user U is allowed to withdraw a coin, U must
first prove ownership of his account.
• Step 1: The bank generates a random number w from Z(q)*, and sends the pseudo-public key a and the pseudo-signed message b to the user U:
[17] a= g^w mod p
[18] b = (hu*g2)^w mod p
Withdrawal
• Step 2: The user U generates three random numbers s, x1, and x2 from Z(q)*. These are used to calculate:
[19] A = (hu*g2)^s mod p
[20] B = g1^x1*g2^x2 mod p
[21] z' = z^s mod p
Withdrawal
• U also generates two random numbers u, v from Z(q)*.
These are used to calculate
[22] a' = a^u*g^v mod p
[23] b' = b^(s*u)*A^v mod p
• The user U then computes the challenge c' as:
[24] c' = H(A, B, z', a', b')
then sends the blinded challenge c back to the bank:
[25] c = c'/u mod q .
Withdrawal
• The coin is the set of numbers {A, B, (z',a',b',r')}.
• (z',a',b',r') is Schnorr’s signature on A, B.
• Denominations: use a different g for each denomination.
Withdrawal
• Step 3: The bank sends the response r :
[26] r = w + c*x mod q
and debits U's account in the amount equal to the value
of one coin.
• Step 4: U accepts the debit only if
[27] g^r = a*h^c mod p
[28] (hu*g2)^r = b*z^c mod p .
• The user U also calculates r':
[29] r' = v + r*u mod q .
Payment
• When the user U is ready to spend the coin, the
following protocol is enacted between the user and the
shop S:
• Step 1: The user sends {A, B, (z',a',b',r')} to S.
• Step 2: The shop returns the challenge d:
[30] d = H0(A, B, SHOP-ID, DATE-TIME) .
• Step 3: The user U calculates the responses r1, r2:
[31] r1 = d*(u1*s) + x1 mod q
[32] r2 = d*s + x2 mod q
Payment
• Step 4: The shop S accepts the coin only if:
[33] g^r' = a'*h^c' mod p
[34] A^r' = b'*z'^c' mod p
[35] A^d*B = g1^r1*g2^r2 mod p
Deposit
• When the shop S is ready to deposit the coin at the
bank, the shop sends the payment transcript consisting of
the coin {A, B, (z',a',b',r')}, along with (r1, r2) and the
DATE-TIME of the transaction. The bank already knows
the SHOP-ID, which is used in the communication.
• Step 1: The bank verifies equations [33] to [35] to see
that this is a valid coin.
Deposit
• Step 2: If the coin is valid, the bank checks its database
to see if the coin was spent previously.
• CASE A: If the coin is not in the database, then it was
not previously spent. Hence the bank credits the account
of S, and records the coin in the form
{A, B, DATE-TIME, r1, r2}.
Deposit
• CASE B: If the coin is already in the database, then a
fraud has occurred. If S previously deposited the coin,
and the DATE-TIME are the same, then S is trying to
deposit the same coin or transcript twice. The deposit is
rejected for that reason. The bank knows the identity of
the shop S responsible.
Deposit
• CASE C. Otherwise, the coin has been double-spent,
and the bank takes steps to unmask the double-spender.
The bank has two sets of information on the coin:
{A, B, DATE-TIME, r1, r2}.
{A, B, DATE-TIME', r'1, r'2}.
• Hence, the bank can calculate
(r1 - r'1) / (r2 - r'2) = [d*(u1*s) - d'*(u1*s)] / [d*s - d'*s] = u1 mod q.
• Thus it can check its database for the user identity!
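The whole lifecycle described above, from the restrictive blind signature of equations [1] to [14] through opening an account, withdrawal, payment and deposit to the double-spender tracing of CASE C, as an added Python walkthrough (example code written for this page, not Brands’ or the author’s). It assumes a toy 41-bit safe-prime group p = 2q + 1 generated at import time, the squares 4, 9 and 25 as g, g1 and g2, SHA-256 reduced mod q standing in for both H and H0, and a seeded random generator so that the run is reproducible; every function and variable name is the example’s own. The coin check [33] in `verify_coin` is the Schnorr verification equation g^r' = a'*h^c' from the toolkit slide, and `deposit` implements the three cases of the deposit slides, recovering u1 from two transcripts exactly as the quotient above.

```python
import hashlib, random
rnd = random.Random(2004)  # seeded so the run is reproducible; real keys need `secrets`

def is_prime(n):  # Miller-Rabin; witnesses 2..17 are deterministic for odd 17 < n < 3.4e14
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(start):  # smallest q >= start with q and p = 2q + 1 both prime (toy size)
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime(1 << 40)
# Any square other than 1 generates the order-q subgroup; mutual logs of g, g1, g2 assumed unknown
G, G1, G2 = (pow(x, 2, P) for x in (2, 3, 5))

def H(*parts, tag="H"):  # hash into Z_q; the tag separates the slides' H from H0
    data = "|".join([tag] + [str(v) for v in parts]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def new_bank():  # key pair [3] plus the account table and the spent-coin database
    x = rnd.randrange(1, Q)
    return {"x": x, "h": pow(G, x, P), "accounts": {}, "spent": {}}

def open_account(bank, name):  # [15][16]: user picks u1, bank signs hu*g2 with x
    u1 = rnd.randrange(1, Q)
    hu = pow(G1, u1, P)
    assert hu * G2 % P != 1  # the slides' check; fails with probability 1/q
    bank["accounts"][hu] = name
    return u1, hu, pow(hu * G2, bank["x"], P)

def withdraw(bank, hu, z):  # restrictive blind signature on m = hu*g2, [17]-[29]
    m = hu * G2 % P  # one process plays both sides; bank-side lines use bank["x"]
    w = rnd.randrange(1, Q)                              # bank: [17][18]
    a, b = pow(G, w, P), pow(m, w, P)
    s, x1, x2, u, v = (rnd.randrange(1, Q) for _ in range(5))
    A = pow(m, s, P)                                     # user: [19]-[21]
    B = pow(G1, x1, P) * pow(G2, x2, P) % P
    z_ = pow(z, s, P)
    a_ = pow(a, u, P) * pow(G, v, P) % P                 # [22][23]
    b_ = pow(b, s * u, P) * pow(A, v, P) % P
    c = H(A, B, z_, a_, b_) * pow(u, -1, Q) % Q          # [24][25]
    r = (w + c * bank["x"]) % Q                          # bank: [26]
    assert pow(G, r, P) == a * pow(bank["h"], c, P) % P  # user refuses the debit
    assert pow(m, r, P) == b * pow(z, c, P) % P          # unless [27][28] hold
    r_ = (v + r * u) % Q                                 # [29]
    return (A, B, z_, a_, b_, r_), (s, x1, x2)           # coin, spending secret

def pay(coin, secret, u1, shop_id, date_time):  # user answers challenge [30] with [31][32]
    (A, B), (s, x1, x2) = coin[:2], secret
    d = H(A, B, shop_id, date_time, tag="H0")
    return (d * u1 * s + x1) % Q, (d * s + x2) % Q

def verify_coin(h, coin, shop_id, date_time, r1, r2):  # [33]-[35], run by shop and bank
    A, B, z_, a_, b_, r_ = coin
    c_ = H(A, B, z_, a_, b_)
    d = H(A, B, shop_id, date_time, tag="H0")
    return (pow(G, r_, P) == a_ * pow(h, c_, P) % P
            and pow(A, r_, P) == b_ * pow(z_, c_, P) % P
            and pow(A, d, P) * B % P == pow(G1, r1, P) * pow(G2, r2, P) % P)

def deposit(bank, shop_id, date_time, coin, r1, r2):  # cases A, B, C of the deposit slides
    if not verify_coin(bank["h"], coin, shop_id, date_time, r1, r2):
        return "rejected: invalid coin"
    prev = bank["spent"].get(coin[:2])
    if prev is None:                                     # CASE A: first deposit
        bank["spent"][coin[:2]] = (shop_id, date_time, r1, r2)
        return "credited"
    if prev[:2] == (shop_id, date_time):                 # CASE B: same transcript twice
        return "rejected: same transcript deposited twice"
    r1p, r2p = prev[2:]                                  # CASE C: (r1-r1')/(r2-r2') = u1
    u1 = (r1 - r1p) * pow((r2 - r2p) % Q, -1, Q) % Q
    return "double-spent by " + bank["accounts"][pow(G1, u1, P)]

def demo():
    bank = new_bank()
    u1, hu, z = open_account(bank, "alice")
    coin, secret = withdraw(bank, hu, z)
    t1, t2 = ("shop-A", "2004-11-01T10:00"), ("shop-B", "2004-11-02T12:30")
    r1, r2 = pay(coin, secret, u1, *t1)  # honest payment at shop A
    s1, s2 = pay(coin, secret, u1, *t2)  # the same coin spent again at shop B
    return [verify_coin(bank["h"], coin, *t1, r1, r2),               # shop A accepts
            deposit(bank, *t1, coin, r1, r2),                        # CASE A
            deposit(bank, *t1, coin, r1, r2),                        # CASE B
            deposit(bank, *t2, coin, s1, s2),                        # CASE C
            deposit(bank, "shop-C", "2004-11-03T09:00", coin, r1, r2)]  # replayed elsewhere
```

`demo()` returns `[True, "credited", "rejected: same transcript deposited twice", "double-spent by alice", "rejected: invalid coin"]`. The bank never sees u1, s, x1 or x2 during withdrawal, so a single honest payment reveals nothing about the account; only the second transcript, with a different challenge d, lets the quotient of the response differences collapse to u1. The final deposit shows that a transcript cannot be replayed under another shop or date, because d is bound to SHOP-ID and DATE-TIME in equation [35].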
Analysis
• Advantages:
The security of this system rests on the difficulty of the discrete logarithm problem. Other systems rely on the prime factorization problem used in RSA, so the ability to factor products of large primes would not break this system as it would those systems.
Analysis
• Advantages:
The major advantage of this mechanism is that the user does not need to keep track of many copies of identity and many different bills, as is the case in other systems.
Analysis
• Disadvantages:
This scheme is difficult to understand and is more complex than other mechanisms such as Chaum’s system. Moreover, since we use discrete-logarithm-based signatures, we have to deal with larger signatures than in other methods.
References
• Jahanian Farsi, Mandana. Digital Cash. Retrieved November 2004. www.simovits.com/archive/dcash.pdf
• Cormen, Leiserson, Rivest, and Stein. Introduction to Algorithms. Massachusetts: McGraw Hill, 2001.
• Sander, Ta-Shma. Auditable, Anonymous Electronic Cash. Retrieved November 2004. www.cs.tau.ac.il/~amnon/Papers/ST.crypto99.pdf
• Bleumer, Gerrit. Electronic Cash. 25 April 2004. http://www.win.tue.nl/~henkvt/GBl.ElectronicCash.pdf
• Orlin Grabbe, J. Stefan Brands' System of Digital Cash. 1997. http://www.aci.net/kalliste/stefbrdc.htm
Questions, Comments…
?