Digital Cash Mehdi Bazargan Fall 2004.



Introduction Definition Motivations Overview Properties Blind Signatures Brands Scheme Analysis

Definition Since hard currency or paper cash carries total anonymity in transactions, the term digital cash was coined to refer to anonymous, electronic, token-based payment systems. Digital Cash is meant to work like paper cash. There are different implementations of Digital Cash. At the strategic level, Digital Cash is a technical product of anonymous digital commerce. It is a highly political subject.

Well… Anonymous? How can I prove I made my payments? Private? What keeps the bank from stealing from me? If a government doesn't know who pays whom, how can it collect an income tax? If the ownership of financial assets is indeterminate, what happens to taxes on financial assets?

Motivations Compared to digital cash, paper cash is slow, vulnerable, costly, and difficult to transfer. Compared to credit cards, digital cash provides more anonymity and security.

Overview 1. Alice deposits cash into the bank. 2. Alice receives some coins. 3. Alice sends the coins to Bob. 4. Bob receives the coins. 5. Bob cashes the coins and sends Alice the product.

Overview There are several approaches to implementing digital cash: “Simple Anonymous Cash” by Fiat-Chaum-Naor, “Traceable Anonymous Cash” by Ferguson, the Brands scheme, and “Auditable, Anonymous Electronic Cash” by Sander-Ta-Shma. Each of these methods has advantages and disadvantages. The Brands scheme provides reasonable security and anonymity; however, it is more complicated.

Overview The Brands scheme relies mostly on a set of algorithms and mathematical tools: Prime Factorization: in short, it is hard to calculate the prime factors of N = p*q where p and q are large primes. Discrete Log Problem: in short, given x = g^a mod p, it is hard to find a when x and g are known.

Overview Representation Issue in Groups with Prime Order: given a group G of prime order, a generator tuple (g1, g2, ..., gn) of G, and a constant h, it is hard to find a representation of h as Π(i=1..k) gi^ai where each ai belongs to Z. However, it would be easy if you know the generator tuple and the integers ai. Schnorr’s Digital Signature: a method of signing messages and verifying the validity of signatures.

Properties Some important features of the system include these: The on-line system is a self-contained subset of the off-line system, and if the off-line features are not used, the remaining software-only system can still be efficiently implemented. Payments are private, i.e. untraceable and unlinkable. The customer is protected from fraudulent bank claims that the customer is double-spending (i.e. protected from framing attempts by the bank). There is non-repudiation: customers cannot deny having made a valid payment.

Restrictive Blind Signature Let M denote a message. This message may be anything, including a piece of digital cash to be signed. To sign this message, the bank will raise it to the power x mod p, yielding [1] z = signed(M) = M^x. If we raise the message M to a random power w, we will call the result b a pseudo-signature. That is, [2] b = pseudo-signed(M) = M^w.

Restrictive Blind Signature The public key of the signer is a generator g raised to the power x. So let's call the generator g raised to a random power w a pseudo-public key. Label this a. Thus we have: [3] public key h = g^x, [4] pseudo-public key a = g^w.

Restrictive Blind Signature The steps in the restrictive blind signature protocol are as follows (all calculations in this protocol are done mod p, unless otherwise stated): Step 1: The customer, Alice, sends a message M to the bank. It is intended that the bank sign M with its secret key x: z = M^x. The proof is to guarantee to the customer that the bank has signed M with a valid signature, namely with its secret key x.

Restrictive Blind Signature Step 2: The bank generates a random number w and sends to the receiver, Alice, the following elements: the signed message z = M^x, the pseudo-public key a = g^w, and the pseudo-signed message b = M^w. We shall see that b and a will be used in part to provide a zero-knowledge proof for Alice that the bank’s signature is valid.

Restrictive Blind Signature Step 3: The receiver generates a challenge c. To do this, the customer first generates four random numbers: s, t and u, v. Using s and t, the customer computes modifications of M and z, namely the blinded message M' and the signed blinded message z': [5] M' = M^s * g^t (blinded message) [6] z' = z^s*h^t = (M^x)^s*(g^x)^t = [M^s*g^t]^x = M'^x (signed blinded message)

Restrictive Blind Signature Using u and v, the receiver (customer) computes modifications of a and b, namely a' and b': [7] a' = a^u*g^v = (g^w)^u*g^v = g^w', [8] b' = [a^(u*t)]*[b^(u*s)]*M'^v = [(g^w)^(u*t)]*[(M^w)^(u*s)]*M'^v = [(g^t)^(u*w)]*[(M^s)^(u*w)]*M'^v = [M'^(u*w)]*M'^v = M'^w', where [9] w' = u*w + v mod q.

Restrictive Blind Signature The customer then computes the hash value [10] c' = H(M', z', a', b'), and sends to the bank the challenge c: [11] c = c'/u mod q . Step 4: The signer (bank) responds with [12] r = w + c*x mod q. Notice this is a point on a line with slope x (the secret key) and intercept w.

Restrictive Blind Signature Step 5: The receiver, Alice, uses the challenge c and the response r to check that [13] a*h^c = g^r and [14] b*z^c = M^r . If so, the receiver accepts the signature.
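The five steps above can be run end to end. The following is an added example, not code from the original slides: it plays both the bank and the customer, then checks that the unblinded tuple (z', a', b', r') verifies against M' using the forms of [29], [33] and [34] that appear later in the presentation. The group parameters, the SHA-256 hash and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy group, constructed for this example and far too small for real use:
# p = 2q + 1 with p and q prime, so the squares mod p have prime order q.
P, Q = 1_000_000_007, 500_000_003
G = 4  # a square mod p, so it generates the order-q subgroup

def rand_zq():
    """Random element of Z(q)*, i.e. 1 .. q-1."""
    return secrets.randbelow(Q - 1) + 1

def H(*elems):
    """Hash group elements to a challenge mod q (SHA-256 is an assumption)."""
    data = "|".join(map(str, elems)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def blind_sign(M, x):
    """Run steps 1-5 for message M and bank secret x.
    Returns (customer's unblinded result, what the bank saw)."""
    h = pow(G, x, P)                                   # [3]
    w = rand_zq()                                      # step 2, bank
    z, a, b = pow(M, x, P), pow(G, w, P), pow(M, w, P)
    s, t, u, v = (rand_zq() for _ in range(4))         # step 3, customer
    M_ = pow(M, s, P) * pow(G, t, P) % P               # [5]
    z_ = pow(z, s, P) * pow(h, t, P) % P               # [6]
    a_ = pow(a, u, P) * pow(G, v, P) % P               # [7]
    b_ = pow(a, u * t, P) * pow(b, u * s, P) * pow(M_, v, P) % P  # [8]
    c_ = H(M_, z_, a_, b_)                             # [10]
    c = c_ * pow(u, -1, Q) % Q                         # [11]
    r = (w + c * x) % Q                                # [12], step 4, bank
    # Step 5: the customer checks the bank's answer before using it.
    if a * pow(h, c, P) % P != pow(G, r, P):           # [13]
        raise ValueError("check [13] failed")
    if b * pow(z, c, P) % P != pow(M, r, P):           # [14]
        raise ValueError("check [14] failed")
    r_ = (u * r + v) % Q   # unblinded response, same form as [29]
    return (M_, z_, a_, b_, r_), (M, z, a, b, c, r)

def verify(h, M_, z_, a_, b_, r_):
    """Third-party check of the unblinded signature, same form as [33]-[34]."""
    c_ = H(M_, z_, a_, b_)
    return (pow(G, r_, P) == a_ * pow(h, c_, P) % P
            and pow(M_, r_, P) == b_ * pow(z_, c_, P) % P)

if __name__ == "__main__":
    x = rand_zq()
    M = pow(G, rand_zq(), P)       # message must lie in the order-q subgroup
    sig, bank_view = blind_sign(M, x)
    print("unblinded signature verifies:", verify(pow(G, x, P), *sig))
    print("blinded message differs from M:", sig[0] != M)
```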

Brands’ Scheme Uses the concepts of signature blinding as discussed. Brands’ implementation of Digital Cash considers: Opening an Account, Withdrawal, Payment, Deposit.

Opening an Account The user has public/private key pairs. These are not used in the protocols that follow so will not be denoted by individual symbols. But we require that the user be able to send digitally signed messages to the bank. To open an account, the user U generates a random number u1 from Z(q)*, and computes an identifier or public key [15] hu = g1^u1 mod p .

Opening an Account The user checks that hu*g2 is not equal to 1 mod p, and if so sends hu to the bank, keeping u1 secret. The bank stores hu along with any other information it requires on U. The bank computes and returns to the user U a signature with its secret key x as follows: [16] z = (hu*g2)^x mod p .

Withdrawal Before the user U is allowed to withdraw a coin, U must first prove ownership of his account. Step 1: The bank generates a random number w from Z(q)*, and sends the pseudo-public key a and the pseudo-signed message b to the user U: [17] a= g^w mod p [18] b = (hu*g2)^w mod p

Withdrawal Step 2: The user U generates three random numbers s, x1 , and x2 from Z(q)*. These are used to calculate: [19] A = (hu*g2)^s mod p [20] B = g1^x1*g2^x2 mod p [21] z' = z^s mod p

Withdrawal U also generates two random numbers u, v from Z(q)*. These are used to calculate [22] a' = a^u*g^v mod p [23] b' = b^(s*u)*A^v mod p The user U then computes the challenge c' as: [24] c' = H(A, B, z', a', b') then sends the blinded challenge c back to the bank: [25] c = c'/u mod q .

Withdrawal The coin is the set of numbers {A, B, (z',a',b',r')}. (z',a',b',r') is Schnorr’s signature on A, B. Denominations: use a different g for each denomination.

Withdrawal Step 3: The bank sends the response r : [26] r = w + c*x mod q and debits U's account in the amount equal to the value of one coin. Step 4: U accepts the debit only if [27] g^r = a*h^c mod p [28] (hu*g2)^r = b*z^c mod p . The user U also calculates r': [29] r' = v + r*u mod q .

Payment When the user U is ready to spend the coin, the following protocol is enacted between the user and the shop S: Step 1: The user sends {A, B, (z',a',b',r')} to S. Step 2: The shop returns the challenge d: [30] d = Ho(A, B, SHOP-ID, DATE-TIME) . Step 3: The user U calculates the responses r1, r2: [31] r1 = d*(u1*s) + x1 mod q [32] r2 = d*s + x2 mod q

Payment Step 4: The shop S accepts the coin only if: [33] g^r' = a'*h^c' mod p [34] A^r' = b'*z'^c' mod p [35] A^d*B = g1^r1*g2^r2 mod p

Deposit When the shop S is ready to deposit the coin at the bank, the shop sends the payment transcript consisting of the coin {A, B, (z',a',b',r')}, along with (r1, r2) and the DATE-TIME of the transaction. The bank already knows the SHOP-ID, which is used in the communication. Step 1: The bank verifies equations [33] to [35] to see that this is a valid coin.

Deposit Step 2: If the coin is valid, the bank checks its database to see if the coin was spent previously. CASE A: If the coin is not in the database, then it was not previously spent. Hence the bank credits the account of S, and records the coin in the form {A, B, DATE-TIME, r1, r2}.

Deposit CASE B: If the coin is already in the database, then a fraud has occurred. If S previously deposited the coin, and the DATE-TIME are the same, then S is trying to deposit the same coin or transcript twice. The deposit is rejected for that reason. The bank knows the identity of the shop S responsible.

Deposit CASE C: Otherwise, the coin has been double-spent, and the bank takes steps to unmask the double-spender. The bank has two sets of information on the coin: {A, B, DATE-TIME, r1, r2} and {A, B, DATE-TIME', r'1, r'2}. Hence, the bank can calculate (r1 - r'1) / (r2 - r'2) = [d*(u1*s) - d'*(u1*s)] / [d*s - d'*s] = u1 mod q. Thus it can check its database for the user identity!
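The payment responses [31]-[32], the shop's check [35] and the bank's three deposit cases can be exercised together. The following is an added example, not code from the original slides: it leaves out the bank's signature (z', a', b', r') to focus on how two transcripts of the same coin reveal u1. The group parameters, the SHA-256 challenge, the storage layout (the shop id is stored alongside the recorded fields so CASE B can be told apart) and all function names are assumptions.

```python
import hashlib
import secrets

# Toy group, constructed for this example and far too small for real use:
# p = 2q + 1 with p and q prime, so the squares mod p have prime order q.
P, Q = 1_000_000_007, 500_000_003
G1, G2 = 9, 25  # squares mod p; real generators must have unknown mutual logs

def rand_zq():
    return secrets.randbelow(Q - 1) + 1

def H0(A, B, shop_id, date_time):
    """Shop challenge [30]; SHA-256 reduced mod q is an assumption."""
    data = f"{A}|{B}|{shop_id}|{date_time}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def new_coin(u1):
    """Identity-carrying part of a coin: A from [19], B from [20]."""
    s, x1, x2 = rand_zq(), rand_zq(), rand_zq()
    hu = pow(G1, u1, P)                                 # [15]
    A = pow(hu * G2 % P, s, P)
    B = pow(G1, x1, P) * pow(G2, x2, P) % P
    return {"A": A, "B": B, "u1": u1, "s": s, "x1": x1, "x2": x2}

def pay(coin, shop_id, date_time):
    """User's responses [31], [32] to the shop's challenge d."""
    d = H0(coin["A"], coin["B"], shop_id, date_time)
    r1 = (d * coin["u1"] * coin["s"] + coin["x1"]) % Q
    r2 = (d * coin["s"] + coin["x2"]) % Q
    return (coin["A"], coin["B"], shop_id, date_time, r1, r2)

def check_35(A, B, shop_id, date_time, r1, r2):
    d = H0(A, B, shop_id, date_time)
    return pow(A, d, P) * B % P == pow(G1, r1, P) * pow(G2, r2, P) % P

def deposit(db, accounts, transcript):
    """Bank side. db: (A, B) -> first transcript; accounts: hu -> owner."""
    A, B, shop_id, date_time, r1, r2 = transcript
    if not check_35(*transcript):
        return "invalid"
    first = db.get((A, B))
    if first is None:                                   # CASE A
        db[(A, B)] = transcript
        return "credited"
    if first[2:4] == (shop_id, date_time):              # CASE B
        return "rejected: same transcript deposited twice"
    dr2 = (r2 - first[5]) % Q                           # CASE C
    if dr2 == 0:       # identical challenges, the quotient is undefined
        return "double-spent, spender not recoverable"
    u1 = (r1 - first[4]) * pow(dr2, -1, Q) % Q
    return "double-spent by " + accounts.get(pow(G1, u1, P), "unknown")
```

Depositing two transcripts produced by `pay` for the same coin at two different shops makes the second call return the owner registered under hu in `accounts`; a single honest payment reveals nothing about u1.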

Analysis Advantages: The security of this system rests on the difficulty of computing discrete logarithms. Other systems rely on the prime factorization problem used in RSA. So an ability to factor products of large primes would not break this system, as it would other systems.

Analysis Advantages: The major advantage of this mechanism is that the user does not need to keep track of many copies of identity and many different bills, as is the case in other systems.

Analysis Disadvantages: This scheme is difficult to understand and is more complex than other mechanisms such as Chaum’s system. Moreover, since we use discrete-logarithm-based signatures, we have to deal with larger signatures compared to other methods.

References
Jahanian Farsi, Mandana. Digital Cash. Retrieved: November 2004. www.simovits.com/archive/dcash.pdf
Cormen, Leiserson, Rivest, and Stein. Introduction to Algorithms. Massachusetts: McGraw Hill, 2001.
Sander, Ta-Shma. Auditable, Anonymous Electronic Cash. Retrieved: November 2004. www.cs.tau.ac.il/~amnon/Papers/ST.crypto99.pdf
Bleumer, Gerrit. Electronic Cash. 25 April 2004. http://www.win.tue.nl/~henkvt/GBl.ElectronicCash.pdf
Orlin Grabbe, J. Stefan Brands' System of Digital Cash. 1997. http://www.aci.net/kalliste/stefbrdc.htm

Questions, Comments… ?