Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ari Juels RSA Laboratories Executable Financial Instruments and MicroMint on the Cheap with Markus Jakobsson Bell Laboratories.

Similar presentations


Presentation on theme: "Ari Juels RSA Laboratories Executable Financial Instruments and MicroMint on the Cheap with Markus Jakobsson Bell Laboratories."— Presentation transcript:

1 Ari Juels RSA Laboratories Executable Financial Instruments and MicroMint on the Cheap with Markus Jakobsson Bell Laboratories

2 The Web provides an excellent means of communication with all kinds of people... Yeah! ``Hi. My name is Darlene. sometime? Im a model. Want to meet

3 Darlene He fell for it! Ha ha! …you know nothing about. The Web provides an excellent means of communication with all kinds of people...

4 The Web provides an excellent means of communication and commerce... Cool! ``Hi. Id like to buy your OK? car. Ill pay $106,000. For sale

5 Another sucker! …with people you know nothing about. The Web provides an excellent means of communication and commerce...

6 Aim: Flexible commerce with minimal trust ? Internet You

7 Two Ideas Today u X-cash : Executable financial instruments u MicroMint Outsourcing A $ $

8 MicroMint Want a scheme that mimics economics of physical mint u Verifying validity of a coin is easy u Base minting cost is high so... u Forgery is expensive

9 The minting process 1. Throw balls (jellybeans) into bins using random function h 2. Any bin with two balls (jellybeans) is a coin

10 Minting in MicroMint Bin 1 Bin 2 Bin 3 Bin 4 Bin 5 Bin 6 Bin 7 Bin 8 Bin 9 Collision = Coin h

11 Checking a coin Bin 2 h Valid coin?

12 Features u Many bins, so need to throw many balls (jellybeans) to mint successfully u Minting requires very intensive computation

13 Minting requires special, e.g., $250,000 computer Deep Crack

14 Another characteristic: Most balls are invalid Bin 1 Bin 2 Bin 3 Bin 4 Bin 5 Bin 6 Bin 7 Bin 8 Bin 9 h In fact, >99% of work goes to missed balls!

15 Idea: Make three stage process 1. Create valid balls, i.e., balls that wont miss (>99% of work) 2. Throw balls into bins usingrandom function h (<1% of work) 3. Any bin with two balls is a coin

16 Have many other (untrusted) people do Step 1

17 Now... u 99%+ of work is done for minter u No participant will get enough balls to do minting himself/herself ( or else participants know validity h but notthrowing h ) u Minting is cheap for minter!

18 Minter can use ordinary server

19 Application III: Secure multiparty computation

20 Questions? + ?

21 X-cash: Executable Digital Cash Ari Juels RSA Laboratories joint work with Markus Jakobsson, Bell Labs 23rd February 1998

22 The Internet: Many entities wishing to trade with one another Internet $

23 Peer-to-peer trading can be problematic Peer-to-peer interaction can create communications bottlenecks Peer-to-peer interaction can create communications bottlenecks Anonymity (both ways) is hard to protect in a peer-to-peer setting Anonymity (both ways) is hard to protect in a peer-to-peer setting Would like computational load involved with trading to be handled by servers, not clients Would like computational load involved with trading to be handled by servers, not clients

24 Therefore, we would like trade to occur in a distributed fashion.

25 A vehicle for distributed trade: Mobile agents Program + Documentation To Internet

26 A problem: Pick-pocketing Program

27 Other problems: u Maliciously modified code u Intercepted purchases u A different scenario than digital cash: multiple spending may be permissible

28 A solution: X-cash Idea: Make redemption of cash conditional on delivery of desired goods

29 First tool: A program that knows what it wants Mobile Agent includes a code segment P u P takes as input potential purchase items u P outputs amount user is willing to pay Paris P $300 E.g., airline tickets

30 Second tool: Negotiable certificate BANK Alice = SIG SK (PK A, $500) B A SIG SK A ($300, For Bob ), Bob A SK ($300, For Bob ), Bank holds (SK B, PK B ) Alice holds (SK A, PK A ) PK A Alice

31 Idea: Bind negotiable certificate to agent program P, SIG PK (P) A PK A X-cash...Then send off via mobile agent

32 When Bob receives the mobile agent Bob A, SIG PK (P) PK A

33 Bob can assess and authenticate Alice s offer for his tickets $300, SIG PK (P) A PK A Bob A PK A

34 The bank can verify and process the transaction BANK, SIG PK (P) A PK A $300 Bank gives $300 to Bob, deducting against the negotiable certificate Bank gives $300 to Bob, deducting against the negotiable certificate Bank receives and holds tickets for Alice, or sends them to her Bank receives and holds tickets for Alice, or sends them to her

35 An Example

36 Alice needs ticket to important conference in Caribbean u She will pay $300 for business class to St. Martin u She will pay $600 for first class fare to St. Martin u She will pay $400 for business class to Anguilla u She will pay $700 for first class to Anguilla

37 Alice creates a program P u Input to P: An airline ticket –Airline ticket may include certificates and signatures, e.g., airline certificate, travel agent certificate, etc. –P includes root certificates u Output of P: Amount Alice will pay –Conditional on correct dates, transferability of ticket, etc.

38 Alice gets a negotiable certificate u Alice generates key pair (PK A, SK A ). u Alice withdraws a negotiable certificate. = SIG SK (PK A, $700). B PK A

39 Alice creates X-cash and sends mobile agent, SIG PK (P) A PK A

40 Bob s Travel has a business class ticket T to Anguilla for sale

41 Bob does the following u Checks certificates and signatures in Alices mobile agent u Generates signatures t A transferring ownership of ticket T to Alice u Runs P(T,t A ) on a ticket T and signatures t A transferring ownership to Alice u Sees output $400 u Sends and T, t A to bank, SIG PK (P) A PK A

42 The Bank does the following u Verifies certificates and signatures in Alices agent u Sees that P(T,t A )=$400 Then: u Deducts $400 against Alices negotiable certificate u Gives $400 to Bob u Holds T,t A for Alice and notifies her, SIG PK (P) A PK A $400

43 X-cash extensions

44 Double spending How does Alice know that Bob didnt sell the ticket twice? An issue with any digital cash system. Solutions: u On-line verification u Penalization after fact u Tamper resistance (for Bob)

45 Anonymity X-cash can be rendered anonymous using the following ideas: u Blind withdrawal of certificates with conditional revocation of anonymity u Anonymous r ers for delivery of goods (e.g., airline tickets)

46 Stateful offers In the examples above, Alices program P had no external state. This need not be the case.

47 Example of stateful offer Alice wants to sell 100 ounces of gold at the market price u Alices program P contacts a Web site to get the current price of gold u Bob includes in his response C a value G B -- the maximum price he is willing to pay u When the Bank runs P(C), Bank checks that transaction cost is at most G B, as per Bobs response.

48 Multiple banks We assume above a single, universally trustworthy bank. X-cash can be adapted for infrastructures with multiple, mutually suspicious banks.

49 Conclusion X-cash is a simple means of achieving trusted commerce in a distributed setting like the Internet. To Internet X-cash


Download ppt "Ari Juels RSA Laboratories Executable Financial Instruments and MicroMint on the Cheap with Markus Jakobsson Bell Laboratories."

Similar presentations


Ads by Google