Presentation is loading. Please wait.

Presentation is loading. Please wait.

Module 8 – Anonymous Digital Cash Blind Signatures DigiCash coins.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Module 8 – Anonymous Digital Cash Blind Signatures DigiCash coins."— Presentation transcript:

1 Module 8 – Anonymous Digital Cash Blind Signatures DigiCash coins

2 Blind Signatures Analogy – place a document to be signed inside an envelope with a carbon paper over it, and have the signing party sign the envelope. Signing the envelope causes the document to be signed because of the carbon paper inside.

3 Customer wants the bank to sign coins, but does not want the bank to know the serial number of the coin since this would associate the coin with the customer, eliminating anonymity. Customer sends the bank a blinded coin, the bank signs it, and then the customer unblinds the coin. Since the bank cannot see the coin’s contents, the customer could attribute an arbitrary value to the coin and lie to the bank, thus paying 5 cents for a $1 coin. Therefore, only the serial number is supplied by the client – the bank uses different signing keys to denote different denominations.

4 Using public key cryptograpy, the bank generates key pairs for the different denominations of coins. The same modulus N is used, with different (e,d) key pairs. To withdraw a coin, the wallet software chooses a serial number and a random blinding factor r. The blinding factor is then raised to the power of the bank’s public key for the desired denomination, modulus N.

5 When the bank signs the message with the private signing key of the desired denomination, the blinding factor is raised to the power of the bank’s private key modulus N. Since the blinding factor has now been raised to both the public and private key exponents, the customer can divide the signed message by the blinding factor r and get the signed serial number.

6 (serial# * r e ) d (mod N) = serial# d * r ed (mod N) = serial# d * r (mod N) Dividing by r, we get the serial number signed in the bank’s private key, serial# d. The serial number was signed by the bank while it was blinded with the blinding factor r e, therefore the withdrawal is anonymous.

7 The serial numbers are randomly chosen by the wallet software. When a coin is spent, it’s serial number is revealed to the bank for the first time. The bank must record this serial number and check all future coins of the same denomination against the stored serial numbers to guard against double spending. The serial numbers must be large to avoid collisions Coins have an expiry date so that the serial numbers of expired coins do not have to be remembered by the bank. The wallet software will exchange coins before they expire.

8 Ecash Bank Merchant Software Client Wallet Web Browser Web Server 1. Select Order 2. Merchant wallet starts 3. Payment Request 4. Payment (coins, order) 5. Deposit coins 6. Accepted 7. Receipt 8. Send goods 9. Goods/acknowledgement From “Electronic Payment Systems”, O’Mahony, Peirce, and Tweari, 1997, pp155

9 Zero-Knowledge Proof Secret door A B 1) “A” watches as “B” successfully makes it through the “secret door”, proving to “A” that “B” can get through the door. 2) If the door opens upon the correct response to a “yes or no” question, “B” may just have been lucky. 3) Assume a different question is asked each time the door is approached. “A” therefore makes “B” go through the door many times.

10 The probability of “B” making through the door successfully by guessing correctly is Once = ½ Twice = ½ * ½ = ¼ … n times = (½) n = 1/2 n For example, succeeding 30 times without knowledge would be worse odds than one in a billion.

11 Typical example from graph theory – isomorphic graphs. A graph consists of nodes and edges between nodes. Two graphs G and H are isomorphic if there exists a mapping from the nodes of G to the nodes of H such that every edge in G connecting nodes a,b will be mapped to an edge in H connecting the mapped node of a to the mapped node of b, and there will be no additional edges or nodes in H that are not represented by this mapping. AB C D E I H L J K A->H B->I C->L D->J E->K

12 Given two graphs G and H that are isomorphic, it is difficult to find a mapping from G to H (NP complete). Given a graph G, it is easy to construct another graph K isomorphic to G. If a mapping from G to H is known, it is easy to construct a mapping from K to H by combining the mapping from K to G with the mapping from G to H. The mapping from K to G is known from the method of constructing K. Now, if Sam knows a mapping from G to H, Sam can use a zero knowledge proof to demonstrate to Jane that he knows a mapping without revealing the mapping.

13 First, Sam generates a new graph K isomorphic to G, and presents this new graph to Jane. Then Jane makes a decision 1 – Jane asks Sam to prove that K is an isomorphism of G or 2 – Jane asks Sam to prove that K is an isomorphism of H Since Sam doesn’t know in advance which option Jane will choose, he should be able to produce either result. If Sam doesn’t, in fact, know a mapping from G to H, he might try to guess what Jane will ask for – if he expects her to select option 1, he will create K from G. Otherwise, he will create K from H. Either way, he has a 50-50 chance of being able to fulfill Jane’s request. To prove that Sam in fact knows the mapping, the process is repeated for different versions of K. After n successful rounds, either Sam knows a mapping from G to H or he has beaten the odds of 1 in 2 n.

14 Now let Sam generate n different graphs K i isomorphic to G. Take the representation of these n graphs and generate a message digest of their concatenation. For each K i, demonstrate how K i is isomorphic to G if the i th bit in the message digest is a zero, and demonstrate how K i is isomorphic to H if the i th bit in the message digest is a one. The package containing G, H, every K, and the n mappings from each K to either G or H gives a package that can be independently verified after the fact. The strength of the digest algorithm guarantees that Sam couldn’t have cheated.

Download ppt "Module 8 – Anonymous Digital Cash Blind Signatures DigiCash coins."

Similar presentations

Digital Cash Mehdi Bazargan Fall 2004.

Digital Cash Mehdi Bazargan Fall 2004.
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.

Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.
Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.

Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.

Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.
Ian Miers Christina Garman | Matthew Green | Avi Rubin Zerocoin: Anonymous Distributed E-Cash from Bitcoin.

Ian Miers Christina Garman | Matthew Green | Avi Rubin Zerocoin: Anonymous Distributed E-Cash from Bitcoin.
20-763 ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 11 Electronic Cash.

ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.
Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.

Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
1 Adapted from Oded Goldreich’s course lecture notes.

1 Adapted from Oded Goldreich’s course lecture notes.
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2004 -

IHP Im Technologiepark Frankfurt (Oder) Germany IHP Im Technologiepark Frankfurt (Oder) Germany ©
ELECTRONIC PAYMENT SYSTEMS 20-763 SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 11 Electronic Cash.

ELECTRONIC PAYMENT SYSTEMS SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.
Digital Cash Damodar Nagapuram. Overview ► Monetary Freedom ► Digital Cash and its importance ► Achieving Digital Cash ► Disadvantages with digital cash.

Digital Cash Damodar Nagapuram. Overview ► Monetary Freedom ► Digital Cash and its importance ► Achieving Digital Cash ► Disadvantages with digital cash.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

Similar presentations

Ads by Google