380 likes | 459 Views
Trustee Tokens. Simple and Practical Anonymous Digital Coin Tracing. Ari Juels RSA Laboratories. Quick Review of Chaumian E-cash (DigiCash TM ). Signs. BANK. Alice. PK. SK. Alice -$1. Anonymous digital $1 coin. r 3 f(x). 3. Signs. BANK. rf 1/3 (x). = (x, Sig(x)) =. r 3 f(x).
E N D
Trustee Tokens Simple and Practical Anonymous Digital Coin Tracing Ari Juels RSA Laboratories
Quick Review of Chaumian E-cash (DigiCashTM)
Signs BANK Alice PK SK Alice -$1 Anonymous digital $1 coin
r3f(x) 3 Signs BANK rf1/3(x) = (x, Sig(x)) = r3f(x) rf1/3(x) rf1/3(x) (x, f1/3(x)) Alice PK SK mod n r, x
Improved Computer Viruses (Young and Yung) An Application for Anonymous E-Cash An Application for Anonymous E-Cash
Generates unsigned, blinded coin r3f(x) • Generates encryption key pair Improved Computer Virus Edgar
r3f(x) PK Improved Computer Virus
*&DUHF(&$YY$H&*^$RH(*&UH *&(#*R&(*&(*$&(*$&(*U(*F&(*&* *&HKJF(*$YHF(*H$(*^FH*($HF& J(*F&$(*HS(*&$JF*($&SH$*&F$ *(&$*(F&(*$F$(*F&S(*&*F(&*E$$ )*F&(*$&*$&F(*$&F(*$&(*&(#(*$ Encrypted under PK PK Files
If youWant SK, i.e., your files, withdraw this Ransom Note
BANK Alice Oh, my files! Alice -$1
Anonymous coin Edgar
Answer: Trustee-basedTracing How can we prevent this?
The Idea: Trustee Tracing Anonymous coin
I order the Trustee to trace this coin. Edgar Trustee Trustee Secret SK Tracing: Basic Idea Anonymous coin Judge
Many Trustee-based Tracing Schemes • Brickell et al. ( ‘95) • Stadler et al. (‘95) • Jakobsson and Yung (‘96, ‘97) • Camenisch et al., Frankel et al. (‘96) • Davida et al. (‘97)
Our Scheme Trend in schemes Trustee Flexibility Security Features Computational Efficiency Simplicity
BANK Trustee Alice Alice Two stages Token withdrawal 1. Coin withdrawal 2.
Proves identity Trustee Trustee Token Alice Token withdrawal Checks that coin contains [“Alice”]PK
Proves identity r,x Trustee Token Trustee Alice SigSK(r3f(x)) Trustee Token Checks that x contains [“Alice”]PK
Coin withdrawal , Checks Signs BANK Alice SK Conditionally anonymous digital coin
Observe: No change in coinstructure or underlying withdrawal protocol
Tracing Trustee Token scheme guarantees that coins contain creator identity
Blackmail scenario • Edgar registers his coin and gets caught or • Alice can’t make the withdrawal for Edgar
No coin storage • Alice can pseudo-randomly generate coins and blinding factors -- no coin storage
Bulk token withdrawal • Alice can withdraw many tokens at once and store prior to coin withdrawals
Tokens fit on, e.g., smart card Result of Enhancements • Little interaction with Trustee
Advantages over other schemes • Very simple • Provably secure • No change in coin structure, underlying protocol • Seamless incorporation with DigiCashTM
Disadvantages • Trustee interaction needed • Security with multiple trustees needs trusted dealer • Seamless incorporation with DigiCashTM - but no DigiCashTM
But... • Can be used for general blind RSA • E.g., X-cash • Method can perhaps be extended to other e-cash systems (?)