Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.

Published byClarissa Joseph Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot."— Presentation transcript:

1 slide 1 Vitaly Shmatikov CS 378 Digital Cash

2 slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot “mint” valid cash on their own uAnonymous and untraceable Cannot link a payment to payer’s identity Without this property, might as well use a credit card, except for micropayments (more on this later) uDoes not require online intermediaries Accepting merchant does not have to interact with the bank to verify that user’s payment is valid

3 slide 3 Overview of the System user bank merchant Withdraw digital “coins” Spend coins Deposit coins

4 slide 4 Digital “Coins” uUser creates the coin, bank signs it and debits the coin’s face amount to user’s account user bank Coin m=(amount, serial number) =sig bank (m) Any merchant can verify bank’s signature on the coin No anonymity from the bank! Bank can record all serial numbers. When a coin is presented for payment by merchant, bank will know who spent it.

5 slide 5 Blind Signatures uUser creates a coin uUser puts his coin into a digital “envelope” uBank signs “through” the envelope Electronic equivalent of embossing an envelope: bank signs its contents without learning what they are uUser receives the signed envelope and opens it, extracting bank’s signature on the coin uThe coin is signed by the bank, but bank does not know its number and cannot trace it!

6 slide 6 RSA Signatures Redux uPublic key is (n,e), private key is d Main property: for any b, b ed mod n  b Assume that everybody knows bank’s public key uTo sign message m: s = m d mod n It’s infeasible to compute s on m if you don’t know d uTo verify signature s on message m: s e mod n = (m d ) e mod n  m Anyone who knows n and e (public key) can verify signatures produced with d (private key)

7 slide 7 Coins with Blind RSA Signatures [Chaum] uUser creates the coin, blinds it, bank signs it, user removes blinding and obtains a valid coin user bank r=m  b e, “amount=$10” =sig bank (r)=(m  b e ) d =m d  (b ed )=m d  b mod n User can cheat! For example, amount=$100 in m, but amount=$10 in user’s message to bank Create m=(amount, serial num) Public key=(n,e) b is a secret random multiplier chosen by user Bank does not see m, so send amount separately This is bank’s signature on the actual coin m To extract it, user divides bank’s signature on r by his secret b. Bank has not learned m!

8 slide 8 “Cut-and-Choose” Verification uUser creates and blinds K coins, bank asks to open K-1 of them (user doesn’t know in advance which ones) user bank r 1 =m 1  b 1 e … r k =m k  b k e “amount=$10” Give me all b 1 … b k except b i Create k coins m i =(amount, serial num) Public key=(n,e) Extract m 1 … m i-1 m i+1 … m k and verify that they contain the right amount b 1 … b i-1 b i+1 … b k Pick random i =sig bank (r i )=m i d  b i mod n Coin m i will be used Probability that user can cheat without being detected is only 1/k

9 slide 9 Double-Spending uDigital coins are easy to copy A digital coin is simply a bitstring with certain properties uBank must keep track of spent coins to make sure user does not spend the same coin twice Blinding is not a problem (why?) uCan’t prevent double-spending if bank is offline… User pays with same coin at many merchants; when they try to deposit the coin, bank refuses all but one –To prevent this, must involve bank in every transaction u… but can make sure that if a coin is double- spent, identity of cheater is revealed

10 slide 10 Preventing Double-Spending Alice bank merchant #1 Create N random numbers r 1, … r N for each coin random b 1 …b N 1 or 0 For each b i, send r i if b i =0 “Alice”  r i if b i =1 r i if b i =0 “Alice”  r i if b i =1 Cannot extract “Alice” from this if coin is spent once merchant #2 random b’ 1 …b’ N r i if b’ i =0 “Alice”  r i if b’ i =1 Coin is double-spent r i if b’ i =0 “Alice”  r i if b’ i =1 If b i  b’ i for at least one i, bank can compute (Alice  r i )  r i = “Alice” and de-anonymize the cheater Probability of this is 1-1/2 n

11 slide 11 Micropayment Schemes uCredit cards are impractical for payments < $10 Newspaper articles, mobile downloads, etc. Processing one credit-card payment costs about 25c uMany (unsuccessful) micropayment schemes Millicent, PayWord, NetCard, iKP, PayTree, MicroMint uKey obstacle: implementation cost Customer acquisition, disputes, overspending, fraud uIdea: aggregate small payments to reduce per- payment processing cost Chaum’s digital coins are not good for aggregation

12 slide 12 Probabilistic Aggregation uUser gives merchant a “lottery ticket” whose expected value is equal to the payment amount Proposed independently by Rivest, Wheeler and others For example, instead of a 1-cent payment, give “lottery ticket” that wins $10 with probability 1/1000 uAfter a large number of payments, merchant’s total winnings from lottery tickets will be statistically close to the total amount of payments With 5000 tickets, merchant wins $50 on average uOnly winning tickets need to be presented to bank Few tickets win, so processing cost greatly reduced

13 slide 13 Peppercoin [Rivest and Micali] user bank merchant sig user (“This check is worth $10 if the three low-order digits of the hash of your digital signature on today’s date are 756”) Winning checks “You owe me 1 cent” Probability of this is approximately 1/1000 On average, only 1 transaction out of 1000 wins and must be presented for payment

14 slide 14 Problem: Statistical Variations uUnlucky user may pay $20 for his first two 1-cent transactions If both tickets happen to win uPayment scheme is user-fair if user never has to pay more than he would pay if all his payments were non-probabilistic checks for the exact amount I.e., as if user were writing 1-cent checks instead of $10 lottery tickets

15 slide 15 Achieving User-Fairness uAssume that each payment is exactly 1 cent uUser sequentially numbers his payments: 1, 2, … uWhen merchant submits a winning payment with sequence number N, bank charges the user the difference between this N and the previous sequence number that has been paid Severely punish users for reusing sequence numbers! paid User is charged 3 cents

Download ppt "Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot."

Similar presentations

Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Digital Cash Mehdi Bazargan Fall 2004.

Digital Cash Mehdi Bazargan Fall 2004.
Micropayments Revisited Written by Silvio Micali and Ronald Rivest Presented by Charles Song and Michael Wasser.

Micropayments Revisited Written by Silvio Micali and Ronald Rivest Presented by Charles Song and Michael Wasser.
Micropayments Revisited Ronald L. Rivest & Silvio Micali RSA Conference 2002 Seminar 89-957, CS Dept., Bar Ilan University By Sharon Haroni.

Micropayments Revisited Ronald L. Rivest & Silvio Micali RSA Conference 2002 Seminar , CS Dept., Bar Ilan University By Sharon Haroni.
David Evans CS588: Cryptography University of Virginia Computer Science Lecture 18: Money

David Evans CS588: Cryptography University of Virginia Computer Science Lecture 18: Money
PAYWORD, MICROMINT -TWO MICROPAYMENT SCHEMES PROJECT OF CS 265 SPRING, 2004 WRITTEN BY JIAN DAI.

PAYWORD, MICROMINT -TWO MICROPAYMENT SCHEMES PROJECT OF CS 265 SPRING, 2004 WRITTEN BY JIAN DAI.
Computer Science Dr. Peng NingCSC 774 Advanced Network Security1 Topic 3.2: Micro Payments.

Computer Science Dr. Peng NingCSC 774 Advanced Network Security1 Topic 3.2: Micro Payments.
Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.

Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.
Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.

Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.

Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.
Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWord and MicroMint: Two Simple MicroPayment Schemes Ronald L. Rivest (MIT)

Copyright 1996 RSA Data Security, Inc. All rights reserved.Revised 1/1/96 PayWord and MicroMint: Two Simple MicroPayment Schemes Ronald L. Rivest (MIT)
20-763 ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 11 Electronic Cash.

ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA Secret sharing Secret sharing DTTF/NB479: DszquphsbqizDay 29.

Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA Secret sharing Secret sharing DTTF/NB479: DszquphsbqizDay 29.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2004 -

IHP Im Technologiepark Frankfurt (Oder) Germany IHP Im Technologiepark Frankfurt (Oder) Germany ©
Micro-Payment Protocols and Systems Speaker: Jerry Gao Ph.D. San Jose State University URL:

Micro-Payment Protocols and Systems Speaker: Jerry Gao Ph.D. San Jose State University URL:
ELECTRONIC PAYMENT SYSTEMS 20-763 SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 11 Electronic Cash.

ELECTRONIC PAYMENT SYSTEMS SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.
Digital Cash Damodar Nagapuram. Overview ► Monetary Freedom ► Digital Cash and its importance ► Achieving Digital Cash ► Disadvantages with digital cash.

Digital Cash Damodar Nagapuram. Overview ► Monetary Freedom ► Digital Cash and its importance ► Achieving Digital Cash ► Disadvantages with digital cash.

Similar presentations

Ads by Google