1 / 54

David Evans cs.virginia/~evans

Lecture 14: Digital Cash, Randomness. David Evans http://www.cs.virginia.edu/~evans. CS588: Security and Privacy University of Virginia Computer Science. Menu. Randomness Cannibalistic Voting Protocols Digital Cash. Random Numbers.

landis
Télécharger la présentation

David Evans cs.virginia/~evans

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 14: Digital Cash, Randomness David Evans http://www.cs.virginia.edu/~evans CS588: Security and Privacy University of Virginia Computer Science

  2. Menu • Randomness • Cannibalistic Voting Protocols • Digital Cash University of Virginia CS 588

  3. Random Numbers For numbers in range 0...2n-1, an observer with the first m - 1 numbers, cannot guess the mth with probability better than 1/2n. University of Virginia CS 588

  4. Good Random Numbers • Lava Lamps (http://www.lavarnd.org) • Gieger Counter and Radioactive stuff University of Virginia CS 588

  5. Pseudo-Random Number Generators • Start in a hard-to-guess state • Run an algorithm that generates an unpredictable sequence from that state University of Virginia CS 588

  6. Typical Random Numbers • srandom (time (NULL)); • for (...) random (); Doesn’t satisfy either property! • random () • Doesn’t give cryptographic random numbers • Using system clock in milliseconds to seed (even a good PRNG) • There are only 24*60*60*1000 = 86.4M • Fine for video games, not fine for protecting nuclear secrets. University of Virginia CS 588

  7. Jefferson Wheel Key Generator long key[NUMWHEELS]; int i, j; srandom ((unsigned)time (NULL)); for (i = 0; i < NUMWHEELS; i++) key[i] = random (); for (i = 0; i < NUMWHEELS; i++) { long highest = -1; int highindex = -1; for (j = 0; j < NUMWHEELS; j++) { if (key[j] > highest) { highindex = j; highest = key[j]; } } fprintf (stdout, "%d\n", highindex); key[highindex] = -1; } Reduces key space from 36! (3.7 * 1041) to 86M! Challenge is now 2.3 * 1034 easier! University of Virginia CS 588

  8. Tiny, Yarrow-160 • Accumulate Entropy • Unspecified how: implementer decides • Recent Linux systems have /dev/random • User keystrokes, disk seek times, network activity (be careful!), etc. • Use entropy and SHA1 hash function produce unpredictable K. • Calculate random numbers: C = (C + 1) mod 2n R = EK (C) • EK is AES (Tiny); 3DES (Yarrow-160) University of Virginia CS 588

  9. Jon Erdman University of Virginia CS 588

  10. Erdman Sand Encryption Or, Why I Don’t Need to Take the Midterm

  11. Problem • Our survivors need to reveal their public keys without revealing who owns which key. • All messages must be exchanged through a public forum (the sand). University of Virginia CS 588

  12. The solution • Players encrypt their message with the public keys of two other players. • Secretly pass the encrypted message at random through the group until the two encryptions are removed. University of Virginia CS 588

  13. Before we get started: • Each pair of people needs to establish a secret key to communicate with each other. • They could use the Diffie-Hellman key exchange or … the Erdman Key Exchange University of Virginia CS 588

  14. Erdman Key Exchange • Each player generates a RSA key pair. • Encrypt secret key using their private key followed by player X’s public key. • Send encrypted message to player X by writing it in the sand. • Decrypt using your private key and other player’s public key. • Each player sends a key to every other player using this method: the pair key is the xor of the keys the players sent to each other. University of Virginia CS 588

  15. Erdman Key Exchange (ctd.) • Encrypting with your private key verifies to the other person that the message is coming from you. • Encrypting with their public key verifies to you that only the other person can read the message. • Can add check bits to the end to ensure message was not tampered with. University of Virginia CS 588

  16. Step 1: Encryption • Player generates a random bit string (which I’ll call the messer) equal in length to the RSA keys. • Player does a RSA encryption on their public key,KUx, xored with the messer. • Concatenate result with the messer and the check bits (CB) corresponding to the word “final”. • Encrypt result using the public key (KU2y) of a random player of their choosing. C1 = EKU2y[(M xor messer1) || messer1 || CB] University of Virginia CS 588

  17. Step 2: More Encryption • Repeat step one using C1 instead of M, choosing a different person, different messer, and using the check bits for “middle.” C2 = E KU2z[C1 xor messer2 || messer2 || CB] University of Virginia CS 588

  18. Step 3: Passing • Each player does a 3DES encryption on the resulting messages and some check bits, using the unique key they made with yet another random player • Write the result in the sand for all to see C3 = 3DES (C2 || CB, Kxq) University of Virginia CS 588

  19. Step 4: Gathering • Players need to find messages sent to them • Decrypt the messages in the sand using the Kxy established earlier. If the check bits are valid they know the message was ment for them. University of Virginia CS 588

  20. Step 5: Decrypting (maybe) • Players take messages sent to them and attempt to decrypt using their private key. • If they see the check bits “middle” they know they have C1. If they see the check bits “final” they have one of the keys. • If they have one of the keys, they can write it in the sand for all to see. University of Virginia CS 588

  21. Mathematical Interlude • C = E KUz[M xor messer || messer || CB] • attempt to decrypt using E KRz D KRz[C] = D KRz[E KUz[M xor messer || messer || CB]] = M xor messer || messer || CB • CB will only be valid if the decryption key is the pair to the encryption key. • M = M xor messer xor messer University of Virginia CS 588

  22. Step 6: Repeat • If the messages players received are not a final message, send it to another random player. • Repeat until all keys have been found. University of Virginia CS 588

  23. Why the messer? • What if there is no messer? • The first person is being passed a message encrypted with two public keys. • After final messages are revealed they can try encrypting the messages with various public key combinations and find the one that produces the same message they got on the first pass. • Only N choose 2 combinations! • The messer introduces a random factor into the encryption so this will not be possible. University of Virginia CS 588

  24. Shortest Path Example • A encrypts the message with the keys of C then B. • A then passes to D • D who passes to B who takes of one lock • B passes to C who takes off other lock • Each person knows who passed it to them and who they passed it to. University of Virginia CS 588

  25. Shortest Path (continued) • Path: A -> D -> B -> C • D does not know who B passed to so can not know the message C writes is A’s. • B does not know that it was A that passed to D. • C does not know the identity of D or A. University of Virginia CS 588

  26. Shortest Path (continued) • Path: A -> D -> B -> C • If D and B decide to share information they can figure out A’s message. • This depends on the random passes being very lucky. • Can improve the algorithm by adding more encryptions at the beginning. University of Virginia CS 588

  27. Questions?

  28. Digital Cash University of Virginia CS 588

  29. Properties of Physical Cash • Universally recognized as valuable • Easy to transfer • Anonymous • Big and Heavy • Average bank robbery takes $4552 • 500 US bills / pound • Bill Gates net worth would be 400 tons in $100 bills • Moderately difficult to counterfeit in small quantities • Extremely difficult to get away with counterfeiting large quantities (unless you are Iran or Syria) University of Virginia CS 588

  30. M EKRTB[H(M)] M = “The Trusty Bank owes the holder of this message $100.” Bank IOU Protocol Trusty Bank Alice {KUA, KRA} {KUTB, KRTB} University of Virginia CS 588

  31. M EKRTB[H(M)] Bank IOU Protocol Trusty Bank M EKRTB[H(M)] Alice {KUTB, KRTB} {KUA, KRA} Bob’s secret curry recipe EKUA[Bob’s secret curry recipe] Bob University of Virginia CS 588

  32. M M EKRTB[H(M)] EKRTB[H(M)] Bank IOU Protocol M EKRTB[H(M)] Trusty Bank Bob University of Virginia CS 588

  33. Bank IOU Protocol • Universally recognized as valuable • Easy to transfer • Anonymous • Heavy • Moderately difficult to counterfeit in small quantities • Extremely difficult to get away with counterfeiting large quantities University of Virginia CS 588

  34. Bank Identifiers • Bank adds a unique tag to each IOU it generates • When someone cashes an IOU, bank checks that that IOU has not already been cashed • Can’t tell if it was Alice or Bob who cheated • Alice loses her anonymity – the bank can tell where she spends her money University of Virginia CS 588

  35. Digital Cash, Protocol #1 • Alice prepares 100 money orders for $1000 each. • Puts each one in a different sealed envelope, with a piece of carbon paper. • Gives envelopes to bank. • Bank opens 99 envelopes and checks they contain money order for $1000. • Bank signs the remaining envelope without opening it (signature goes through carbon paper). University of Virginia CS 588

  36. Digital Cash, Protocol #1 cont. • Bank returns envelope to Alice and deducts $1000 from her account. • Alice opens envelope, and spends the money order. • Merchant checks the Bank’s signature. • Merchant deposits money order. • Bank verifies its signature and credits Merchant’s account. University of Virginia CS 588

  37. Digital Cash, Protocol #1 • Is it anonymous? • Can Alice cheat? • Make one of the money orders for $100000, 1% chance of picking right bill, 99% chance bank detects attempted fraud. • Better make the penalty for this high (e.g., jail) • Copy the signed money order and re-spend it. • Can Merchant cheat? • Copy the signed money order and re-deposit it. University of Virginia CS 588

  38. Digital Cash, Protocol #2 • Idea: prevent double-spending by giving each money order a unique ID. • Problem: how do we provide unique IDs without losing anonymity? • Solution: let Alice generate the unique IDs, and keep them secret from bank. University of Virginia CS 588

  39. Digital Cash, Protocol #2 • Alice prepares 100 money orders for $1000 each, adds a long, unique random ID to each note. • Puts each one in a different sealed envelope, with a piece of carbon paper. • Gives envelopes to bank. • Bank opens 99 envelopes and checks they contain money order for $1000. • Bank signs the remaining envelope without opening it. University of Virginia CS 588

  40. Digital Cash, Protocol #2 cont. • Bank returns envelope to Alice and deducts $1000 from her account. • Alice opens envelope, and spends the money order. • Merchant checks the Bank’s signature. • Merchant deposits money order. • Bank verifies its signature, checks that the unique random ID has not already been spent, credits Merchant’s account, and records the unique random ID. University of Virginia CS 588

  41. Digital Cash, Protocol #2 • Is it anonymous? • Can Alice cheat? • Can Merchant cheat? • Can bank catch cheaters? University of Virginia CS 588

  42. Mimicking Carbon Paper • How does bank sign the envelope without knowing what it contains? • Normal signatures Alice sends bank M Bank sends Alice, SM = EKRBank (M) Alice shows SM to Bob who decrypts with banks public key. University of Virginia CS 588

  43. Blind Signatures • Alice picks random k between 1 and n. • Sends bank t = mke mod n. (e from Bank’s public key). • Bank signs t using private key d. Sends Alice: td = (mkemod n)d mod n = (mke)dmod n  mdkedmod n = (mke)dmod n  mdkedmod n What do we know about kedmod n? University of Virginia CS 588

  44. Blind Signatures • Alice gets td mdkmod n • Alice divides by k to get sm mdk/ k  md mod n. • Hence: bank can sign money orders without opening them! University of Virginia CS 588

  45. Digital Cash Protocol #2 • Instead of envelopes, Alice blinds each money order using a different randomly selected ki. • The bank asks for any 99 of the ki’s. The bank unblinds the messages (by dividing) and checks they are valid. • The bank signs the other money order. • Still haven’t solved the catching cheaters problem! University of Virginia CS 588

  46. Anonymity for Non-Cheaters • Spend a bill once – maintain anonymity • Spend a bill twice – lose anonymity • Have we seen anything like this? University of Virginia CS 588

  47. Digital Cash • Alice prepares n money orders each containing: Amount Uniqueness String: X Identity Strings: I1 = (h(I1L), h(I1R)) ... In = (h(InL), h(InR)) Each In pair reveals Alice’s identity (name, address, etc.). I = IiL IiR. h is a secure, one-way hash function. University of Virginia CS 588

  48. Digital Cash, cont. • Alice blinds (multiplies by random k) all n money orders and sends them to bank. • Bank asks for any n-1 of the random kis and all its corresponding identity strings. • Bank checks money orders. If okay, signs the remaining blinded money order, and deducts amount from Alice’s account. University of Virginia CS 588

  49. Digital Cash, cont. • Alice unblinds the signed note, and spends it with a Merchant. • Merchant asks Alice to randomly reveal either IiL or IiR for each i. (Merchant chooses n-bit selector string.) • Alice sends Merchant corresponding IiL’s or IiR’s. • Merchant uses h to confirm Alice didn’t cheat. University of Virginia CS 588

  50. Digital Cash, cont. • Merchant takes money order and identity string halves to bank. • Bank verifies its signature, and checks uniqueness string. If it has not been previously deposited, bank credits Merchant and records uniqueness string and identity string halves. University of Virginia CS 588

More Related