Presentation is loading. Please wait.

Presentation is loading. Please wait.

Simple and Practical Anonymous Digital Coin Tracing

Published byIsabel Buchanan Modified over 10 years ago

Similar presentations

Presentation on theme: "Simple and Practical Anonymous Digital Coin Tracing"— Presentation transcript:

1 Simple and Practical Anonymous Digital Coin Tracing
Trustee Tokens Simple and Practical Anonymous Digital Coin Tracing Ari Juels RSA Laboratories

2 Quick Review of Chaumian E-cash
(DigiCashTM)

3 Anonymous digital $1 coin
Alice BANK PK SK Signs Alice -$1 Anonymous digital $1 coin

4 r, x rf1/3(x) r3f(x) (x, f1/3(x)) rf1/3(x) = (x, Sig(x)) = PK SK mod n
Alice BANK PK SK mod n Signs 3 r3f(x) r, x rf1/3(x) r3f(x) (x, f1/3(x)) = (x, Sig(x)) = rf1/3(x) rf1/3(x)

5 Improved Computer Viruses
(Young and Yung) An Application for Anonymous E-Cash An Application for Anonymous E-Cash

6 Improved Computer Virus
r3f(x) Generates unsigned, blinded coin Generates encryption key pair Edgar

7 Improved Computer Virus
r3f(x) PK

8 Alice

9 Hard Disk

10 Files Encrypted under PK *&DUHF(&$YY$H&*^$RH(*&UH
*&(#*R&(*&(*$&(*$&(*U(*F&(*&* *&HKJF(*$YHF(*H$(*^FH*($HF& J(*F&$(*HS(*&$JF*($&SH$*&F$ *(&$*(F&(*$F$(*F&S(*&*F(&*E$$ )*F&(*$&*$&F(*$&F(*$&(*&(#(*$ Encrypted under PK PK Files

11 If you Want SK, i.e., your files, withdraw this Ransom Note

12 Alice BANK Oh, my files! Alice -$1

13 HETTINGA SUCCEEDS GREENSPAN AT FED

14 Anonymous coin Edgar

15 Answer: Trustee-based Tracing
How can we prevent this?

16 The Idea: Trustee Tracing
Anonymous coin

17 Tracing: Basic Idea I order the Trustee to trace this coin. Edgar
Anonymous coin Judge Trustee Secret SK

18 Coin is anonymous unless trustee traces it

19 Many Trustee-based Tracing Schemes
Brickell et al. ( ‘95) Stadler et al. (‘95) Jakobsson and Yung (‘96, ‘97) Camenisch et al., Frankel et al. (‘96) Davida et al. (‘97)

20 Trend in schemes Our Scheme Security Trustee Simplicity Computational
Features Trustee Flexibility Simplicity Computational Efficiency

21 How our scheme works

22 1. 2. Two stages Token withdrawal Alice Trustee Coin withdrawal Alice
BANK 2.

23 Token withdrawal Proves identity Alice Trustee Checks that Trustee
coin contains [“Alice”]PK Trustee Token

24 Trustee Token Proves identity Alice r, x Trustee Trustee Checks that
x contains [“Alice”]PK SigSK(r3f(x))

25 Coin withdrawal , Conditionally anonymous digital coin SK Alice Checks
BANK SK Signs , Checks Conditionally anonymous digital coin

26 Observe: No change in coin structure or underlying withdrawal protocol

27 Tracing Trustee Token scheme guarantees
that coins contain creator identity

28 Blackmail scenario Edgar registers his coin and gets caught or
Alice can’t make the withdrawal for Edgar

29 Enhancements

30 No coin storage Alice can pseudo-randomly generate coins and blinding factors -- no coin storage

31 Bulk token withdrawal Alice can withdraw many tokens at once and store prior to coin withdrawals

32 One token - multiple coins

33 Result of Enhancements
Little interaction with Trustee Tokens fit on, e.g., smart card

34 Pros and Cons

35 Advantages over other schemes
Very simple Provably secure No change in coin structure, underlying protocol Seamless incorporation with DigiCashTM

36 Disadvantages Trustee interaction needed
Security with multiple trustees needs trusted dealer Seamless incorporation with DigiCashTM - but no DigiCashTM

37 But... Can be used for general blind RSA
E.g., X-cash Method can perhaps be extended to other e-cash systems (?)

38 Questions?

Download ppt "Simple and Practical Anonymous Digital Coin Tracing"

Similar presentations

Ari Juels RSA Laboratories Executable Financial Instruments and MicroMint on the Cheap with Markus Jakobsson Bell Laboratories.

Ari Juels RSA Laboratories Executable Financial Instruments and MicroMint on the Cheap with Markus Jakobsson Bell Laboratories.
Ari Juels RSA Laboratories Marty Wattenberg 328 W. 19th Street, NYC A Fuzzy Commitment Scheme.

Ari Juels RSA Laboratories Marty Wattenberg 328 W. 19th Street, NYC A Fuzzy Commitment Scheme.
Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.

Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.
Internet payment systems

Internet payment systems
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Digital Cash Mehdi Bazargan Fall 2004.

Digital Cash Mehdi Bazargan Fall 2004.
The Attestation Mechanism in Trusted Computing. A Simple Remote Attestation Protocol Platform TPM Verifier Application A generates PK A & SK A 2) computes.

The Attestation Mechanism in Trusted Computing. A Simple Remote Attestation Protocol Platform TPM Verifier Application A generates PK A & SK A 2) computes.
Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.

Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.
Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research.

Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research.
PORs: Proofs of Retrievability for Large Files

PORs: Proofs of Retrievability for Large Files
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Digital Signatures and applications Math 7290CryptographySu07.

Digital Signatures and applications Math 7290CryptographySu07.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.

Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.
20-763 ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 11 Electronic Cash.

ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.
Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.

Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.
Reusable Anonymous Return Channels

Reusable Anonymous Return Channels

Similar presentations

Ads by Google