Simple and Practical Anonymous Digital Coin Tracing Trustee Tokens Simple and Practical Anonymous Digital Coin Tracing Ari Juels RSA Laboratories

Quick Review of Chaumian E-cash (DigiCashTM)

Anonymous digital $1 coin Alice BANK PK SK Signs Alice -$1 Anonymous digital $1 coin

r, x rf1/3(x) r3f(x) (x, f1/3(x)) rf1/3(x) = (x, Sig(x)) = PK SK mod n Alice BANK PK SK mod n Signs 3 r3f(x) r, x rf1/3(x) r3f(x) (x, f1/3(x)) = (x, Sig(x)) = rf1/3(x) rf1/3(x)

Improved Computer Viruses (Young and Yung) An Application for Anonymous E-Cash An Application for Anonymous E-Cash

Improved Computer Virus r3f(x) Generates unsigned, blinded coin Generates encryption key pair Edgar

Improved Computer Virus r3f(x) PK

Alice

Hard Disk

Files Encrypted under PK *&DUHF(&$YY$H&*^$RH(*&UH *&(#*R&(*&(*$&(*$&(*U(*F&(*&* *&HKJF(*$YHF(*H$(*^FH*($HF& J(*F&$(*HS(*&$JF*($&SH$*&F$ *(&$*(F&(*$F$(*F&S(*&*F(&*E$$ )*F&(*$&*$&F(*$&F(*$&(*&(#(*$ Encrypted under PK PK Files

If you Want SK, i.e., your files, withdraw this Ransom Note

Alice BANK Oh, my files! Alice -$1

HETTINGA SUCCEEDS GREENSPAN AT FED

Anonymous coin Edgar

Answer: Trustee-based Tracing How can we prevent this?

The Idea: Trustee Tracing Anonymous coin

Tracing: Basic Idea I order the Trustee to trace this coin. Edgar Anonymous coin Judge Trustee Secret SK

Coin is anonymous unless trustee traces it

Many Trustee-based Tracing Schemes Brickell et al. ( ‘95) Stadler et al. (‘95) Jakobsson and Yung (‘96, ‘97) Camenisch et al., Frankel et al. (‘96) Davida et al. (‘97)

Trend in schemes Our Scheme Security Trustee Simplicity Computational Features Trustee Flexibility Simplicity Computational Efficiency

How our scheme works

1. 2. Two stages Token withdrawal Alice Trustee Coin withdrawal Alice BANK 2.

Token withdrawal Proves identity Alice Trustee Checks that Trustee coin contains [“Alice”]PK Trustee Token

Trustee Token Proves identity Alice r, x Trustee Trustee Checks that x contains [“Alice”]PK SigSK(r3f(x))

Coin withdrawal , Conditionally anonymous digital coin SK Alice Checks BANK SK Signs , Checks Conditionally anonymous digital coin

Observe: No change in coin structure or underlying withdrawal protocol

Tracing Trustee Token scheme guarantees that coins contain creator identity

Blackmail scenario Edgar registers his coin and gets caught or Alice can’t make the withdrawal for Edgar

Enhancements

No coin storage Alice can pseudo-randomly generate coins and blinding factors -- no coin storage

Bulk token withdrawal Alice can withdraw many tokens at once and store prior to coin withdrawals

One token - multiple coins

Result of Enhancements Little interaction with Trustee Tokens fit on, e.g., smart card

Pros and Cons

Advantages over other schemes Very simple Provably secure No change in coin structure, underlying protocol Seamless incorporation with DigiCashTM

Disadvantages Trustee interaction needed Security with multiple trustees needs trusted dealer Seamless incorporation with DigiCashTM - but no DigiCashTM

But... Can be used for general blind RSA E.g., X-cash Method can perhaps be extended to other e-cash systems (?)

Questions?