Digital Cash
OUTLINE
• Properties
• Scheme
• Initialization
• Creating a Coin
• Spending the Coin
• Depositing the Coin
• Fraud Control
• Anonymity

Properties
1. Security: The cash can be sent securely through a computer network.
2. The cash can't be copied and reused.
3. Privacy (Untraceability or Anonymity): If the cash is spent legitimately, neither the recipient nor the bank can identify the spender.
4. Offline payment: No communication with the bank is needed during the transaction.
5. Transferability: The cash can be transferred to others.
6. Dividability: A piece of cash can be divided into smaller amounts.

• T. Okamoto and K. Ohta, "Universal electronic cash," Advances in Cryptology - CRYPTO '91, LNCS 576, Springer-Verlag, pp. 324-337, 1991. (satisfies 1 ~ 6)
• S. Brands, "Untraceable off-line cash in wallets with observers," Advances in Cryptology - CRYPTO '93, LNCS 773, Springer-Verlag, pp. 302-318, 1994. (satisfies 1 ~ 4)

Scheme
(Diagram: Bank, Spender, Merchant. Steps: 1. Withdraw, 2. Coin, 3. Payment, 4. Receipt, 5. Deposit, 6. Results)

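Initialization (1/2)
• Publish:
  • p: a large prime such that q = (p – 1) / 2 is also prime.
  • g: the square of a primitive root mod p.
  • $g_1 = g^a \bmod p$
  • $g_2 = g^b \bmod p$
  • H: a hash function, $H : \mathbb{Z} \times \mathbb{Z} \times \mathbb{Z} \times \mathbb{Z} \times \mathbb{Z} \to \mathbb{Z}_q^*$
  • H0: a hash function, $H_0 : \mathbb{Z} \times \mathbb{Z} \times \mathbb{Z} \times \mathbb{Z} \to \mathbb{Z}_q^*$
(a and b are secretly chosen and discarded immediately)
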
Initialization (2/2)
Bank:
1. Choose a secret number x
2. Compute $h \equiv g^x$, $h_1 \equiv g_1^x$, $h_2 \equiv g_2^x \pmod p$
3. Publish h, h1, and h2
Merchant:
1. Choose an ID number M
2. Register M (Merchant to Bank)
Spender:
1. Choose a secret number u
2. Compute $I \equiv g_1^u \pmod p$
3. Send I (Spender to Bank)
4. Send $z' \equiv (I g_2)^x \pmod p$ (Bank to Spender)

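Creating a Coin
Spender to Bank: Withdraw
Bank:
• Choose a random number w
• Compute $g_w \equiv g^w$, $\beta \equiv (I g_2)^w \pmod p$
• $c_1 \equiv c x + w \pmod q$
Spender:
• Choose a secret random 5-tuple of integers $(s, x_1, x_2, \alpha_1, \alpha_2)$, $s \not\equiv 0 \pmod q$
• Compute $r \equiv \alpha_1 c_1 + \alpha_2 \pmod q$
• C = (A, B, z, a, b, r)
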
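Spending the Coin
Spender to Merchant: Pay (A, B, z, a, b, r)
Merchant: Check whether $g^r \equiv a\,h^{H(A, B, z, a, b)} \pmod p$, $A^r \equiv z^{H(A, B, z, a, b)}\,b \pmod p$
Merchant to Spender: $d = H_0(A, B, M, \text{Timestamp})$
Spender to Merchant: $r_1 \equiv d u s + x_1$, $r_2 \equiv d s + x_2 \pmod q$
Merchant: Check whether
Merchant: Accept or reject
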
Depositing the Coin
Merchant to Bank: Deposit (A, B, z, a, b, r), (r1, r2, d)
Bank: Check whether the coin has been previously deposited or not, and $g^r \equiv a\,h^{H(A, B, z, a, b)} \pmod p$, $A^r \equiv z^{H(A, B, z, a, b)}\,b \pmod p$,
Bank to Merchant: Results

Fraud Control (1/7)
Case 1: The Spender spends the coin twice.
(Diagram: Spender, Merchant 1, Merchant 2; C, (r1, r2, d))

Fraud Control (2/7)
Case 2: The Merchant tries submitting the coin twice.
(Diagram: Merchant, Bank; C, (r1, r2, d) forged)
Impossible! Since it is very difficult to produce numbers such that (since the Merchant does not know u).

Fraud Control (3/7)
Case 3: Someone tries to make an unauthorized coin.
Impossible! Since this requires finding numbers such that $g^r \equiv a\,h^{H(A, B, z, a, b)} \pmod p$ and $A^r \equiv z^{H(A, B, z, a, b)}\,b \pmod p$.

Fraud Control (4/7)
Case 4:
(Diagram: Bank, Spender, Merchant 1 (evil), Merchant 2. Steps: 1. Spend C, 2. Deposit C, (r1, r2, d), 3. Spend C)
Impossible! Merchant 2 computes d' (very likely ≠ d). It is very difficult for the evil merchant to produce numbers such that

Fraud Control (5/7)
Case 5: Someone working in the Bank tries to forge a coin.
It is possible to make a coin satisfying $g^r \equiv a\,h^{H(A, B, z, a, b)} \pmod p$ and $A^r \equiv z^{H(A, B, z, a, b)}\,b \pmod p$, but he does not know u and is thus unable to produce a suitable r1. So, he cannot spend it.

Fraud Control (6/7)
Case 6: Someone steals the coin from the Spender and tries to spend it.
Impossible! The thief does not know u and is thus unable to produce r1.

Fraud Control (7/7)
Case 7: An evil merchant steals the coin and (r1, r2, d) before they are submitted to the Bank, and then deposits them to the Bank.
Possible! This is a flaw of ordinary cash, too.

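The withdrawal, payment and double-spending case (Case 1) carried through with toy numbers, as an added Python example that is not part of the original slides. The formulas for A, B, z, a, b, the merchant's check on (r1, r2) and the recovery of u are not shown on this page and are taken from Brands' scheme as it is usually presented; the parameters, the SHA-256-based stand-in for H and H0, and all function names are assumptions made for the example.

```python
import hashlib
import secrets

q = 1019                 # constructed toy prime; p = 2q + 1 = 2039 is also prime
p = 2 * q + 1
g = 4                    # a square mod p other than 1, so it has order q
g1, g2 = pow(g, 5, p), pow(g, 7, p)   # a = 5, b = 7 (discarded in a real setup)

def Hq(*vals):           # assumed stand-in for both H and H0, output in Z_q^*
    digest = hashlib.sha256(repr(vals).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (q - 1)

def rnd():               # random nonzero exponent mod q
    return 1 + secrets.randbelow(q - 1)

def setup():
    x, u = rnd(), rnd()                       # bank secret x, spender secret u
    h, I = pow(g, x, p), pow(g1, u, p)
    return x, u, h, I, pow(I * g2, x, p)      # last value is z'

def withdraw(x, I, z1):
    w = rnd()                                           # bank
    gw, beta = pow(g, w, p), pow(I * g2, w, p)
    s, x1, x2, al1, al2 = (rnd() for _ in range(5))     # spender
    A, z = pow(I * g2, s, p), pow(z1, s, p)
    B = pow(g1, x1, p) * pow(g2, x2, p) % p
    a = pow(gw, al1, p) * pow(g, al2, p) % p
    b = pow(beta, s * al1, p) * pow(A, al2, p) % p
    c = pow(al1, -1, q) * Hq(A, B, z, a, b) % q         # all the bank sees
    c1 = (c * x + w) % q                                # bank's reply
    return (A, B, z, a, b, (al1 * c1 + al2) % q), (s, x1, x2)

def spend(coin, opening, u, M, ts):
    s, x1, x2 = opening
    d = Hq(coin[0], coin[1], M, ts)
    return (d * u * s + x1) % q, (d * s + x2) % q, d

def verify(coin, resp, h):
    (A, B, z, a, b, r), (r1, r2, d) = coin, resp
    e = Hq(A, B, z, a, b)
    return (pow(g, r, p) == a * pow(h, e, p) % p
            and pow(A, r, p) == pow(z, e, p) * b % p
            and pow(g1, r1, p) * pow(g2, r2, p) % p == pow(A, d, p) * B % p)

def identify(resp1, resp2):   # bank: two responses for one coin give u
    (r1, r2, _), (t1, t2, _) = resp1, resp2
    if r2 == t2:              # same challenge d, nothing to solve
        return None
    return (r1 - t1) * pow((r2 - t2) % q, -1, q) % q
```

A single payment reveals nothing about u because x1 and x2 mask it; only a second response for the same coin lets the Bank solve for u and match $g_1^u$ against the registered I.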
Anonymity (1/3)
• During the entire transaction with the Merchant, the Spender never needs to provide any identification.

Anonymity (2/3)
• Is it possible for the Bank to extract the Spender's identity from knowledge of the coin (A, B, z, a, b, r) and the triple (r1, r2, d)? No.
• A, B, z, a, b look like random numbers to everyone except the Spender.
• The Bank never sees A, B, z, a, b, r until the coin is deposited.

Anonymity (3/3)
• When creating the coin, the Bank provides only $g_w$ and $c_1$, and has seen only $c \equiv \alpha_1^{-1} H(A, B, z, a, b) \pmod q$. The Bank cannot compute H(A, B, z, a, b) and deduce $\alpha_1$ at that time.
• The Bank can keep a list of all values c it has received, along with values of H for every coin that is deposited, and then try all combinations to find $\alpha_1$. (impractical for a system of millions of coins)