1 / 38

Trustee Tokens

Trustee Tokens. Simple and Practical Anonymous Digital Coin Tracing. Ari Juels RSA Laboratories. Quick Review of Chaumian E-cash (DigiCash TM ). Signs. BANK. Alice. PK. SK. Alice -$1. Anonymous digital $1 coin. r 3 f(x). 3. Signs. BANK. rf 1/3 (x). = (x, Sig(x)) =. r 3 f(x).

nerina
Download Presentation

Trustee Tokens

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Trustee Tokens Simple and Practical Anonymous Digital Coin Tracing Ari Juels RSA Laboratories

  2. Quick Review of Chaumian E-cash (DigiCashTM)

  3. Signs BANK Alice PK SK Alice -$1 Anonymous digital $1 coin

  4. r3f(x) 3 Signs BANK rf1/3(x) = (x, Sig(x)) = r3f(x) rf1/3(x) rf1/3(x) (x, f1/3(x)) Alice PK SK mod n r, x

  5. Improved Computer Viruses (Young and Yung) An Application for Anonymous E-Cash An Application for Anonymous E-Cash

  6. Generates unsigned, blinded coin r3f(x) • Generates encryption key pair Improved Computer Virus Edgar

  7. r3f(x) PK Improved Computer Virus

  8. Alice

  9. Hard Disk

  10. *&DUHF(&$YY$H&*^$RH(*&UH *&(#*R&(*&(*$&(*$&(*U(*F&(*&* *&HKJF(*$YHF(*H$(*^FH*($HF& J(*F&$(*HS(*&$JF*($&SH$*&F$ *(&$*(F&(*$F$(*F&S(*&*F(&*E$$ )*F&(*$&*$&F(*$&F(*$&(*&(#(*$ Encrypted under PK PK Files

  11. If youWant SK, i.e., your files, withdraw this Ransom Note

  12. BANK Alice Oh, my files! Alice -$1

  13. HETTINGA SUCCEEDS GREENSPAN AT FED

  14. Anonymous coin Edgar

  15. Answer: Trustee-basedTracing How can we prevent this?

  16. The Idea: Trustee Tracing Anonymous coin

  17. I order the Trustee to trace this coin. Edgar Trustee Trustee Secret SK Tracing: Basic Idea Anonymous coin Judge

  18. Coin is anonymous unlesstrustee traces it

  19. Many Trustee-based Tracing Schemes • Brickell et al. ( ‘95) • Stadler et al. (‘95) • Jakobsson and Yung (‘96, ‘97) • Camenisch et al., Frankel et al. (‘96) • Davida et al. (‘97)

  20. Our Scheme Trend in schemes Trustee Flexibility Security Features Computational Efficiency Simplicity

  21. How our scheme works

  22. BANK Trustee Alice Alice Two stages Token withdrawal 1. Coin withdrawal 2.

  23. Proves identity Trustee Trustee Token Alice Token withdrawal Checks that coin contains [“Alice”]PK

  24. Proves identity r,x Trustee Token Trustee Alice SigSK(r3f(x)) Trustee Token Checks that x contains [“Alice”]PK

  25. Coin withdrawal , Checks Signs BANK Alice SK Conditionally anonymous digital coin

  26. Observe: No change in coinstructure or underlying withdrawal protocol

  27. Tracing Trustee Token scheme guarantees that coins contain creator identity

  28. Blackmail scenario • Edgar registers his coin and gets caught or • Alice can’t make the withdrawal for Edgar

  29. Enhancements

  30. No coin storage • Alice can pseudo-randomly generate coins and blinding factors -- no coin storage

  31. Bulk token withdrawal • Alice can withdraw many tokens at once and store prior to coin withdrawals

  32. One token - multiple coins

  33. Tokens fit on, e.g., smart card Result of Enhancements • Little interaction with Trustee

  34. Pros and Cons

  35. Advantages over other schemes • Very simple • Provably secure • No change in coin structure, underlying protocol • Seamless incorporation with DigiCashTM

  36. Disadvantages • Trustee interaction needed • Security with multiple trustees needs trusted dealer • Seamless incorporation with DigiCashTM - but no DigiCashTM

  37. But... • Can be used for general blind RSA • E.g., X-cash • Method can perhaps be extended to other e-cash systems (?)

  38. Questions?

More Related