Presentation is loading. Please wait.

Presentation is loading. Please wait.

Electronic Cash R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity.

Published byVernon Carroll Modified over 8 years ago

Similar presentations

Presentation on theme: "Electronic Cash R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity."— Presentation transcript:

1 Electronic Cash R. Newman

2 Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity Metrics for Anonymity Applications of anonymity technology

3 Barter Cash Check Wire transfer Credit/debit card E-cash Payment forms

4 Barter Earliest form of payment Value intrinsic in the bartered good/service Physical presence of good/service Not flexible, not easily divisible Cash Check Wire transfer Credit/debit card E-cash Payment forms

5 Barter Cash Difficult to trace Hard to forge Physical presence of coins, notes May or may not have intrinsic value Check Wire transfer Credit/debit card E-cash Payment forms

6 Barter Cash Check Easy to trace, can be revoked Flexible amounts Slow – hard to verify immediately Can be mailed or used electronically Wire transfer Credit/debit card E-cash Payment forms

7 Barter Cash Check Wire transfer Easy to verify Fast Expensive Credit/debit card E-cash Payment forms

8 Barter Cash Check Wire transfer Credit/debit card Easy to verify quickly Less expensive than wire transfer Easy to trace, cards can be revoked Convenient for electronic use (remote payment) E-cash Payment forms

9 Credentials can be stolen Account number, name on card Address, zip code easy to find PIN revealed during use Smart cards Alleviate some of the issues above Still, can be traced – privacy is lost Electronic Payment Problems

10 Easy to use electronically Convenience Easy to verify Inexpensive Reliable Detect forgeries easily Easy for bank to generate, hard for others Hard to trace (for payer) Privacy Easy to determine if used twice (for bank) Electronic Cash Requirements

11 Form of currency: (x, f(x) 1/3 mod n) n is large composite whose factors known only to bank f is a one-way function Chaum Electronic Cash

12 1. Alice choses random x, r, sends Bank B = r 3 f(x) % n 2. Bank computes and returns cube root to Alice, r f(x) 1/3 % n withdraws a dollar from Alice’s account 3. Alice extracts C = f(x) 1/3 % n 4. To pay Bob one dollar, Alice give him (x, f(x) 1/3 % n) 5. Bob immediately verifies coin with bank ensures coin has not been spent already Chaum Electronic Cash

13 All can verify correct structure Bank cannot associate coin with Alice’s account But Bob must contact Bank immediately Newer protocol removes this requirement Allows bank to reveal Alice’s identity if coin spent twice Chaum Electronic Cash

14 Bank publishes an RSA modulus n such that phi(n) has no small odd factors, sets security parameter k k used for cut-and-choose verification Let f and g be two-arguement, collision-free functions – i.e., computationally infeasible to find two inputs that map to the same output Alice has bank account number u Bank associates counter v with account u Untraceable Coins

15 To get a coin: 1. Alice chooses a i, c i, d i, and r i independently and uniformly from residues modulo n, for 1 <= i <= k 2. Alice sends Bank blinded candidates: B i = r i 3 f(x i, y i ) % n where x i = g(a i, c i ) and y i = g(a i XOR (u || (v + i), d i ) 3. Bank chooses half of the candidates at random 4. Alice provides Bank with a i, c i, d i, and r i for the selected candidates (cut-and-choose) Untraceable Coins

16 To get a coin (con’t): 5. Bank verifies Alice was honest with those candiates, then sends Alice  B i 1/3 for the remaining candidates, charges account u a dollar, increments v by k 6. Alice extracts C =  f(x i, y i ) 1/3 % n Note: Bank catches Alice with high probability if she cheats with her blinded candidates Untraceable Coins

17 To use a coin 1. Alice sends C to Bob 2. Bob chooses k/2 random bits z i 3. If z i = 1, Alice sends Bob a i, c i, and y i else Alice sends Bob x i, a i XOR (u || (v + i), and d i 4. Bob verifies form of C and Alice’s responses fit 5. Bob later sends C and Alice’s responses to Bank 6. Bank verifies correctness of spent coin and credits Bob’s account, stores C, z i s, and responses Untraceable Coins

18 If Alice spends a coin twice, It is likely that for some i, z i XOR z i ’ = 1 Bank can search for C’s to see if coin was spent If C was used twice, it is likely that Bank has both a i and a i XOR (u || (v + i), for some i So Bank can determine u and catch Alice Untraceable Coins

19 If Alice colludes with a second vendor Charlie, After spending her coin with Bob, they can arrange for Charlie to use the same z i s as Bob Bank knows that one cheated, but not which one! And Bank can’t identify Alice! Remedy: Force each vendor to use distinct z i s for some portion of them, random z i s for the rest (sufficient number to allow for many purchases by Alice) Untraceable Coins

20 Bank can frame Alice! (how?) Hence, won’t hold up in court To prevent this, Alice uses public key signatures Computational security only Alice uses pseudonymous account for each coin Proving Multiple Spending

21 Alice chooses for each i random z i ’, z i ’’ u i is of the form [Alice’s acct number || z i ’ || z i ’’] Along with B i ’s, Alice gives Bank signature for g(z 1 ’, z 1 ’’) || g(z 2 ’, z 2 ’’) ||... || g(z k ’, z k ’’) During cut-and-choose, Bank verifies correctness of form of u i for each of the k/2 B i ’s it examines Bank has proof of multiple spending of a coin whenever it can present preimage of at least k/2+1 of the g(z i ’, z i ’’) Proving Multiple Spending

22 Untraceable checks – issued with maximum value Use coins of with power of 2 values to express arbitrary value as sum of powers of two Retrieve unspent coins from check Central Bank always an issue Solved with Byzantine agreement in Bitcoin Very different approach to valuation.... Other Results

Download ppt "Electronic Cash R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity."

Similar presentations

Copyright, 1996 © Dale Carnegie & Associates, Inc. BANK ON IT Money Smart Course Indiana Department of Financial Institutions.

Copyright, 1996 © Dale Carnegie & Associates, Inc. BANK ON IT Money Smart Course Indiana Department of Financial Institutions.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Digital Cash Mehdi Bazargan Fall 2004.

Digital Cash Mehdi Bazargan Fall 2004.
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Computer Science Dr. Peng NingCSC 774 Advanced Network Security1 Topic 3.2: Micro Payments.

Computer Science Dr. Peng NingCSC 774 Advanced Network Security1 Topic 3.2: Micro Payments.
Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.

Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.
Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.

Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.

Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.
20-763 ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 11 Electronic Cash.

ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.
Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.

Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.
Presentation by Team 4.  What Is It?—Tim Johnson  How Does it Work—Javier Navarro  Different Kinds of Cryptocurrency—Idong  Challenges—Mark Weeks.

Presentation by Team 4.  What Is It?—Tim Johnson  How Does it Work—Javier Navarro  Different Kinds of Cryptocurrency—Idong  Challenges—Mark Weeks.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
Checking Accounts & Banking Services

Checking Accounts & Banking Services
7. Asymmetric encryption-

7. Asymmetric encryption-
Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.

Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Similar presentations

Ads by Google