
Digital Cash


akiva

Presentation Transcript


  1. Digital Cash

  2. OUTLINE • Properties • Scheme • Initialization • Creating a Coin • Spending the Coin • Depositing the Coin • Fraud Control • Anonymity

  3. Properties • Security: The cash can be sent securely through a computer network. • Can’t be copied and reused • Privacy (Untraceability or Anonymity): If the cash is spent legitimately, neither the recipient nor the bank can identify the spender. • Offline payment: No communication with the bank is needed during the transaction. • Transferability: The cash can be transferred to others. • Dividability: A piece of cash can be divided into smaller amounts.

  4. T. Okamoto and K. Ohta, "Universal electronic cash," Advances in Cryptology-CRYPTO'91, LNCS 576, Springer-Verlag, pp. 324-337, 1991. (satisfies 1 ~ 6) • S. Brands, "Untraceable off-line cash in wallets with observers," Advances in Cryptology-CRYPTO'93, LNCS 773, Springer-Verlag, pp. 302-318, 1994. (satisfies 1 ~ 4)

  5. Scheme (diagram: Bank, Spender, Merchant) • 1. Withdraw • 2. Coin • 3. Payment • 4. Receipt • 5. Deposit • 6. Results

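  6. Initialization (1/2) • Publish: • $p$: a large prime, s.t. $q = (p - 1)/2$ is also prime. • $g$: the square of a primitive root mod $p$. • $g_1 = g^a \bmod p$ • $g_2 = g^b \bmod p$ • $H$: a hash function $H: \mathbb{Z} \times \mathbb{Z} \times \mathbb{Z} \times \mathbb{Z} \times \mathbb{Z} \to \mathbb{Z}_q^*$ • $H_0$: a hash function $H_0: \mathbb{Z} \times \mathbb{Z} \times \mathbb{Z} \times \mathbb{Z} \to \mathbb{Z}_q^*$ ($a$ and $b$ are secretly chosen and discarded immediately)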

  7. Initialization (2/2) • Bank: 1. Choose a secret number $x$ 2. Compute $h \equiv g^x$, $h_1 \equiv g_1^x$, $h_2 \equiv g_2^x \pmod p$ 3. Publish $h$, $h_1$, and $h_2$ 4. Send $z' \equiv (I g_2)^x \pmod p$ • Merchant: 1. Choose an ID number $M$ 2. Register $M$ • Spender: 1. Choose a secret number $u$ 2. Compute $I \equiv g_1^u \pmod p$ 3. Send $I$

  8. Creating a Coin (Withdraw) • Spender: Choose a secret random 5-tuple of integers (s, x1, x2, 1, 2), $s \not\equiv 0 \pmod q$ • Bank: Choose a random number $w$ • Bank: $g_w \equiv g^w$, $(I g_2)^w \pmod p$ • Spender: Compute • Bank: $c_1 \equiv cx + w \pmod q$ • Spender: Computer 1 c1 + 2 (mod q) • Coin: $C = (A, B, z, a, b, r)$

  9. Spending the Coin • Spender: Pay $(A, B, z, a, b, r)$ • Merchant: Check whether $g^r \equiv a\,h^{H(A, B, z, a, b)} \pmod p$, $A^r \equiv z^{H(A, B, z, a, b)}\,b \pmod p$ • Merchant: $d = H_0(A, B, M, \text{Timestamp})$ • Spender: $r_1 \equiv dus + x_1$, $r_2 \equiv ds + x_2 \pmod q$ • Merchant: Check whether • Merchant: Accept or reject

  10. Depositing the Coin • Merchant: Deposit $(A, B, z, a, b, r)$, $(r_1, r_2, d)$ • Bank: Check whether the coin has been previously deposited or not, and $g^r \equiv a\,h^{H(A, B, z, a, b)} \pmod p$, $A^r \equiv z^{H(A, B, z, a, b)}\,b \pmod p$, • Bank: Results

  11. Fraud Control (1/7) Case 1: The Spender spends the coin twice. (Diagram: Spender, Merchant 1, Merchant 2; message $C, (r_1, r_2, d)$)

  12. Fraud Control (2/7) Case 2: The Merchant tries submitting the coin twice. (Diagram: Merchant, Bank; message $C, (r_1, r_2, d)$, forged) Impossible! Since it is very difficult to produce numbers such that (since the Merchant does not know $u$).

  13. Fraud Control (3/7) Case 3: Someone tries to make an unauthorized coin. Impossible! Since this requires finding numbers such that $g^r \equiv a\,h^{H(A, B, z, a, b)} \pmod p$, and $A^r \equiv z^{H(A, B, z, a, b)}\,b \pmod p$.

  14. Fraud Control (4/7) Case 4: (Diagram: Spender, Merchant 1 (evil), Merchant 2, Bank; 1. Spend C, 2. Deposit $C, (r_1, r_2, d)$, 3. Spend C) Impossible! Merchant 2 computes $d'$ (very likely $\neq d$). It is very difficult for the evil merchant to produce numbers such that

  15. Fraud Control (5/7) Case 5: Someone working in the Bank tries to forge a coin. It is possible to make a coin satisfying $g^r \equiv a\,h^{H(A, B, z, a, b)} \pmod p$, and $A^r \equiv z^{H(A, B, z, a, b)}\,b \pmod p$, but he does not know $u$ and is thus unable to produce a suitable $r_1$. So, he cannot spend it.

  16. Fraud Control (6/7) Case 6: Someone steals the coin from the Spender and tries to spend it. Impossible! The thief does not know $u$ and is thus unable to produce $r_1$.

  17. Fraud Control (7/7) Case 7: An evil merchant steals the coin and (r1, r2, d) before they are submitted to the Bank, and then deposits them to the Bank. Possible! This is a flaw of ordinary cash, too.

  18. Anonymity (1/3) • During the entire transaction with the Merchant, the Spender never needs to provide any identification.

  19. Anonymity (2/3) • Is it possible for the Bank to extract the Spender’s identity from knowledge of the coin (A, B, z, a, b, r) and the triple (r1, r2, d) ? No. • A, B, z, a, b look like random numbers to everyone except the Spender. • The Bank never sees A, B, z, a, b, r until the coin is deposited.

  20. Anonymity (3/3) • When creating the coin, the Bank provides only gw and c1, and has seen only c  1–1H(A, B, z, a, b)(mod q). The Bank cannot compute H(A, B, z, a, b) and deduce 1 at that time. • The Bank can keep a list of all values c it has received, along with values of H for every coin that is deposited, and then try all combinations to find 1. (impractical for a system of millions of coins)
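
The withdrawal, payment and double-spending steps of slides 8 to 11, as an added Python example that is not part of the original presentation. The formulas for A, B, z, a, b, the merchant's check of (r1, r2) and the recovery of u did not survive in this transcript, so the code takes them from the standard description of Brands' scheme (cited on slide 4). Assumptions: toy parameters p = 2039, q = 1019, SHA-256 standing in for H and H0, and `al1`, `al2`, `beta` as names for the values whose symbols are missing on slide 8.

```python
import hashlib, secrets

P, Q, G = 2039, 1019, 4      # constructed toy group: P = 2Q + 1, G a square mod P

def rnd():                   # random nonzero exponent mod Q
    return secrets.randbelow(Q - 1) + 1

def H(*vals):                # stand-in for H and H0 (assumption): SHA-256 into Zq*
    digest = hashlib.sha256(repr(vals).encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

G1, G2 = pow(G, rnd(), P), pow(G, rnd(), P)   # exponents a, b are discarded
X = rnd()                                     # bank's secret x
HB = pow(G, X, P)                             # bank's public h = g^x

def withdraw(u):
    """Both sides of 'Creating a Coin'; returns the coin and (s, x1, x2)."""
    base = pow(G1, u, P) * G2 % P                      # I * g2
    z1 = pow(base, X, P)                               # bank: z' = (I g2)^x
    w = rnd()                                          # bank's random w
    gw, beta = pow(G, w, P), pow(base, w, P)           # bank -> spender
    s, x1, x2, al1, al2 = (rnd() for _ in range(5))    # spender's 5-tuple
    A = pow(base, s, P)
    B = pow(G1, x1, P) * pow(G2, x2, P) % P
    z = pow(z1, s, P)
    a = pow(gw, al1, P) * pow(G, al2, P) % P
    b = pow(beta, s * al1, P) * pow(A, al2, P) % P
    c = pow(al1, -1, Q) * H(A, B, z, a, b) % Q         # blinded, spender -> bank
    c1 = (c * X + w) % Q                               # bank -> spender
    return (A, B, z, a, b, (al1 * c1 + al2) % Q), (s, x1, x2)

def coin_valid(coin):        # the two signature checks run by merchant and bank
    A, B, z, a, b, r = coin
    e = H(A, B, z, a, b)
    return (pow(G, r, P) == a * pow(HB, e, P) % P
            and pow(A, r, P) == pow(z, e, P) * b % P)

def spend(coin, priv, u, merchant_id, timestamp):   # spender's answer to d
    s, x1, x2 = priv
    d = H(coin[0], coin[1], merchant_id, timestamp)
    return (d * u * s + x1) % Q, (d * s + x2) % Q, d

def merchant_accepts(coin, resp):   # g1^r1 * g2^r2 == A^d * B (mod p)
    r1, r2, d = resp
    return pow(G1, r1, P) * pow(G2, r2, P) % P == pow(coin[0], d, P) * coin[1] % P

def identify(resp1, resp2):  # bank: recover u from two answers with different d
    (r1, r2, _), (t1, t2, _) = resp1, resp2
    return (r1 - t1) * pow((r2 - t2) % Q, -1, Q) % Q
```

With equal d the difference of the two r2 values is 0 and `identify` raises ValueError, so the two challenges must differ.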
