Presentation on theme: "Ari Juels RSA Laboratories Executable Financial Instruments and MicroMint on the Cheap with Markus Jakobsson Bell Laboratories."— Presentation transcript:
Ari Juels RSA Laboratories Executable Financial Instruments and MicroMint on the Cheap with Markus Jakobsson Bell Laboratories
The Web provides an excellent means of communication with all kinds of people... Yeah! ``Hi. My name is Darlene. sometime? Im a model. Want to meet
Darlene He fell for it! Ha ha! …you know nothing about. The Web provides an excellent means of communication with all kinds of people...
The Web provides an excellent means of communication and commerce... Cool! ``Hi. Id like to buy your OK? car. Ill pay $106,000. For sale
Another sucker! …with people you know nothing about. The Web provides an excellent means of communication and commerce...
Aim: Flexible commerce with minimal trust ? Internet You
Two Ideas Today u X-cash : Executable financial instruments u MicroMint Outsourcing A $ $
MicroMint Want a scheme that mimics economics of physical mint u Verifying validity of a coin is easy u Base minting cost is high so... u Forgery is expensive
The minting process 1. Throw balls (jellybeans) into bins using random function h 2. Any bin with two balls (jellybeans) is a coin
Minting in MicroMint Bin 1 Bin 2 Bin 3 Bin 4 Bin 5 Bin 6 Bin 7 Bin 8 Bin 9 Collision = Coin h
Checking a coin Bin 2 h Valid coin?
Features u Many bins, so need to throw many balls (jellybeans) to mint successfully u Minting requires very intensive computation
Minting requires special, e.g., $250,000 computer Deep Crack
Another characteristic: Most balls are invalid Bin 1 Bin 2 Bin 3 Bin 4 Bin 5 Bin 6 Bin 7 Bin 8 Bin 9 h In fact, >99% of work goes to missed balls!
Idea: Make three stage process 1. Create valid balls, i.e., balls that wont miss (>99% of work) 2. Throw balls into bins usingrandom function h (<1% of work) 3. Any bin with two balls is a coin
Have many other (untrusted) people do Step 1
Now... u 99%+ of work is done for minter u No participant will get enough balls to do minting himself/herself ( or else participants know validity h but notthrowing h ) u Minting is cheap for minter!
Minter can use ordinary server
Application III: Secure multiparty computation
Questions? + ?
X-cash: Executable Digital Cash Ari Juels RSA Laboratories joint work with Markus Jakobsson, Bell Labs 23rd February 1998
The Internet: Many entities wishing to trade with one another Internet $
Peer-to-peer trading can be problematic Peer-to-peer interaction can create communications bottlenecks Peer-to-peer interaction can create communications bottlenecks Anonymity (both ways) is hard to protect in a peer-to-peer setting Anonymity (both ways) is hard to protect in a peer-to-peer setting Would like computational load involved with trading to be handled by servers, not clients Would like computational load involved with trading to be handled by servers, not clients
Therefore, we would like trade to occur in a distributed fashion.
A vehicle for distributed trade: Mobile agents Program + Documentation To Internet
A problem: Pick-pocketing Program
Other problems: u Maliciously modified code u Intercepted purchases u A different scenario than digital cash: multiple spending may be permissible
A solution: X-cash Idea: Make redemption of cash conditional on delivery of desired goods
First tool: A program that knows what it wants Mobile Agent includes a code segment P u P takes as input potential purchase items u P outputs amount user is willing to pay Paris P $300 E.g., airline tickets
Second tool: Negotiable certificate BANK Alice = SIG SK (PK A, $500) B A SIG SK A ($300, For Bob ), Bob A SK ($300, For Bob ), Bank holds (SK B, PK B ) Alice holds (SK A, PK A ) PK A Alice
Idea: Bind negotiable certificate to agent program P, SIG PK (P) A PK A X-cash...Then send off via mobile agent
When Bob receives the mobile agent Bob A, SIG PK (P) PK A
Bob can assess and authenticate Alice s offer for his tickets $300, SIG PK (P) A PK A Bob A PK A
The bank can verify and process the transaction BANK, SIG PK (P) A PK A $300 Bank gives $300 to Bob, deducting against the negotiable certificate Bank gives $300 to Bob, deducting against the negotiable certificate Bank receives and holds tickets for Alice, or sends them to her Bank receives and holds tickets for Alice, or sends them to her
Alice needs ticket to important conference in Caribbean u She will pay $300 for business class to St. Martin u She will pay $600 for first class fare to St. Martin u She will pay $400 for business class to Anguilla u She will pay $700 for first class to Anguilla
Alice creates a program P u Input to P: An airline ticket –Airline ticket may include certificates and signatures, e.g., airline certificate, travel agent certificate, etc. –P includes root certificates u Output of P: Amount Alice will pay –Conditional on correct dates, transferability of ticket, etc.
Alice gets a negotiable certificate u Alice generates key pair (PK A, SK A ). u Alice withdraws a negotiable certificate. = SIG SK (PK A, $700). B PK A
Alice creates X-cash and sends mobile agent, SIG PK (P) A PK A
Bob s Travel has a business class ticket T to Anguilla for sale
Bob does the following u Checks certificates and signatures in Alices mobile agent u Generates signatures t A transferring ownership of ticket T to Alice u Runs P(T,t A ) on a ticket T and signatures t A transferring ownership to Alice u Sees output $400 u Sends and T, t A to bank, SIG PK (P) A PK A
The Bank does the following u Verifies certificates and signatures in Alices agent u Sees that P(T,t A )=$400 Then: u Deducts $400 against Alices negotiable certificate u Gives $400 to Bob u Holds T,t A for Alice and notifies her, SIG PK (P) A PK A $400
Double spending How does Alice know that Bob didnt sell the ticket twice? An issue with any digital cash system. Solutions: u On-line verification u Penalization after fact u Tamper resistance (for Bob)
Anonymity X-cash can be rendered anonymous using the following ideas: u Blind withdrawal of certificates with conditional revocation of anonymity u Anonymous r ers for delivery of goods (e.g., airline tickets)
Stateful offers In the examples above, Alices program P had no external state. This need not be the case.
Example of stateful offer Alice wants to sell 100 ounces of gold at the market price u Alices program P contacts a Web site to get the current price of gold u Bob includes in his response C a value G B -- the maximum price he is willing to pay u When the Bank runs P(C), Bank checks that transaction cost is at most G B, as per Bobs response.
Multiple banks We assume above a single, universally trustworthy bank. X-cash can be adapted for infrastructures with multiple, mutually suspicious banks.
Conclusion X-cash is a simple means of achieving trusted commerce in a distributed setting like the Internet. To Internet X-cash