Electronic Payment Systems 20-763 Lecture 11 Electronic Cash
Electronic Cash • Token money in the form of bits, except unlike token money it can be copied. This creates new problems: • Copy of a real bill = counterfeit. Copy of an ecash string is not counterfeit (or a perfect counterfeit) • How is it issued? Spent? • Counterfeiting • Loss • Fraud, merchant fraud, use in crime, double spending • Efficiency (offline use -- no need to visit a site) • Anonymity (even with collusion) No existing system solves all these problems
Online v. Offline Systems • Online system requires access to a server for each transaction. • Example: credit card authorization. Merchant must get code from issuing bank. • Offline system allows transactions with no server. • Example: cash transaction. Merchant inspects money. No communications needed. • Note: an Internet system can be “offline” if the transaction is only between buyer and seller, with no third-party access during the transaction
Outline • Non-anonymous ecash • Easy • Online anonymous ecash • Not difficult with blind signatures • Offline anonymous ecash • Difficult • Requires secret sharing & bit commitment
Electronic Cash -- Idea 1 • Bank sells character strings containing: • denomination, serial number, bank ID • digitally signed by the bank • First person to return string to bank gets the money PROBLEMS: • Can’t use offline. Must verify money not yet spent. (You might not be the first person to deposit the coin.) • Not anonymous. Bank can record serial number. • Sophisticated transaction processing system required with locking to prevent double spending.
Blind Signatures (Chaum) • Sometimes useful to have people sign things without seeing what they are signing • notarizing confidential documents • preserving anonymity • Alice wants to have Bob sign message M. (In cryptography, a message is just a number.) • Alice multiplies M by a number -- the blinding factor • Alice sends the blinded message to Bob. He can’t read it -- it’s blinded. • Bob signs with his private key, sends it back to Alice. • Alice divides out the blinding factor. She now has M signed by Bob.
Blind Signatures • Alice wants to have Bob sign message M. • Bob’s public key is (e, n). Bob’s private key is d. • Alice picks a blinding factor k between 1 and n. • Alice blinds the message M by computing $T = M k^e \pmod{n}$. She sends T to Bob. • Bob signs T by computing $T^d = (M k^e)^d \pmod{n} = M^d k \pmod{n}$ • Alice unblinds this by dividing out the blinding factor: $S = T^d / k = M^d k \pmod{n} / k = M^d \pmod{n}$ • But this is the same as if Bob had just signed M, except Bob was unable to read T • $e \cdot d = 1 \pmod{n}$
Blind Signatures • It’s a problem signing documents you can’t read • Blind signatures are only used in special situations • Example: • Ask a bank to sign (certify) an electronic coin for $100 • It uses a special signature good only for $100 coins • Blind signatures are the basis of anonymous ecash
eCash (Formerly DigiCash) • Withdrawal (Minting), wallet software: Alice buys digital coins from a bank. Alice sends unsigned blinded coins to the bank. Bank signs coins, sends them back. Alice unblinds them. • Spending: Alice pays Bob. Bob verifies coins not spent. Bob deposits. • Personal Transfer: Alice transfers coins to Cindy. Cindy verifies coins not spent. Cindy gets coins back.
Minting eCash • Alice requests coins from the bank where she has an account • Alice sends the bank { { blinded coins, denominations }Sig_Alice }PK_Bank • Bank knows they came from Alice and have not been altered (digital signature) • The message is secret (only Bank can decode it) • Bank knows Alice’s account number • Bank deducts the total amount from Alice’s account
Minting eCash, cont. • Bank signs the blinded coins with special signatures corresponding to the denominations • $100 coins signed with $100 signature • $5 coins signed with $5 signature • Bank cannot lose if it only accepts each coin once, since it has already been paid by Alice • Each of Alice’s blinded coins has a serial# • Alice unblinds the coins • Now they can be spent
Spending eCash • Alice sends coins to Bob • Bob checks the signatures using the bank’s public keys • For a $100 coin he uses the bank’s $100 public key to verify the bank’s digital signature • Coin might be good, but already spent • Bob must deposit it in the bank immediately • Bank checks the coin for validity; looks up the serial number • If the serial number has not been seen before, bank credits Bob’s account • Bank can’t identify Alice, but the protocol is online
Anonymous online eCash (Alice, Bank, Bob) • Minting: • 1. Blinded random large # (160 bits, so no collisions). Sig_Alice(request for $100). • 2. Sig_bank_$100(blinded(#)): signed by bank • Spending: • 3. Sig_bank_$100(#) • 4. Sig_bank_$100(#) • 5. OK from bank • 6. OK from Bob SOURCE: GUY BLELLOCH
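The withdrawal and deposit steps above, combined with the RSA blinding from the Blind Signatures slide, as an added example that is not part of the original lecture. The toy key (two Mersenne primes), the `Bank` class and the `withdraw` function are assumptions made for illustration.

```python
import math
import secrets

# Constructed toy RSA key standing in for the bank's "$100" signature key.
P, Q = 2**31 - 1, 2**61 - 1            # both Mersenne primes; far too small for real use
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: e*d = 1 mod (p-1)(q-1)

class Bank:
    def __init__(self):
        self.spent = set()             # serial numbers already deposited

    def sign_blinded(self, t):
        # The bank signs T without learning the serial number hidden in it.
        return pow(t, D, N)

    def deposit(self, serial, sig):
        if pow(sig, E, N) != serial % N:
            return "bad signature"
        if serial in self.spent:       # online double-spending check
            return "already spent"
        self.spent.add(serial)
        return "credited"

def withdraw(bank):
    serial = secrets.randbelow(N - 2) + 2          # coin serial number M (must be < n here)
    while True:                                    # blinding factor k must be invertible mod n
        k = secrets.randbelow(N - 2) + 2
        if math.gcd(k, N) == 1:
            break
    t = (serial * pow(k, E, N)) % N                # T = M * k^e mod n
    signed_t = bank.sign_blinded(t)                # T^d = M^d * k mod n
    sig = (signed_t * pow(k, -1, N)) % N           # S = T^d / k = M^d mod n
    return serial, sig, t
```

The bank only ever sees `t` at withdrawal and `serial` at deposit, and cannot link the two without `k`. Textbook RSA on a bare number is multiplicatively forgeable, so a real coin would sign a hashed or redundantly encoded serial.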
Proving a Payment • If eCash is anonymous, how can Alice ever prove she paid Bob? • She can create a number (payer_code) and include a hash H(payer_code) in each coin • When it accepts a coin for deposit, bank records H(payer_code) • If Bob claims Alice never paid, she can reveal payer_code to the bank which can verify it by hashing
Lost eCash • Ecash can be “lost”. Disk crashes, passwords forgotten, numbers written on paper are lost. • Alice sends a message to the bank that coins have been lost • Bank re-sends Alice her last n batches of blinded coins (n = 16) • If Alice still has the blinding factor, she can unblind • Alice deposits all the coins back in the bank. (The ones that were spent will be rejected.) • Alice now withdraws new coins
Anonymous Ecash Crime • Kidnapper takes hostage • Ransom demand is a series of blinded coins • Bank signs the coins to pay ransom • Kidnapper tells bank to publish the coins in the newspaper (they’re just strings) • Only the kidnapper can unblind the coins (only he knows the blinding factor) • Kidnapper can now use the coins and is completely anonymous
Offline Double-Spending • Double spending easy to stop in online systems: System maintains record of serial numbers of spent coins. • Suppose Bob can’t check every coin online. How does he know a coin has not been spent before? • Method 1: create a tamperproof dispenser (smart card) that will not dispense a coin more than once. • Problem: replay attack. Just record the bits as they come out. • Method 2: protocol that provably identifies the double-spender but is anonymous for the single-spender.
Chaum’s Double-Spending Protocol • How do we prevent double spending in an offline transaction (can’t check with bank)? Idea: • Alice stays anonymous • If Alice spends a coin twice, she is identified • If Bob deposits twice, he is caught but Alice remains anonymous • Must be secure against Alice and Bob cheating the bank together • Must be secure against Alice or Bob making it look like the other is cheating
Secret-Sharing • Is there a way to divide a message into n pieces so any m pieces are sufficient to reconstruct it, but no small set is sufficient? Solution due to Shamir. • Let the secret be a number s in the finite field mod p, where p is a large prime • Select m-1 random elements of the field $a_i$ and form the polynomial $f(x) = s + a_1 x + a_2 x^2 + \dots + a_{m-1} x^{m-1}$ • Now choose n integers $x_i$ and let the secret shares be the pairs $(x_i, f(x_i))$ • Any m points uniquely determine a polynomial of degree m-1, so any m pairs uniquely determine s!
Bit Commitment • Alice wants to “commit” a number M to Bob without telling him what it is • “Commit” means that she can later reveal the number and prove that she hasn’t changed it • Idea: Alice writes M on a piece of paper, locks it in a box and gives the box to Bob. Alice keeps the key. • Later, Bob asks Alice what the number was. She produces the key and opens the box. • Can this be done on a computer? It’s easy.
Bit Commitment • Alice wants to “commit” number M to Bob • She picks a random nonce r (to prevent replay attack) • She sends Bob y = H(r || M) (H is a one-way hash) • Alice sends y to Bob. Now she can’t change it. • When Bob wants to know M, Alice sends M and r. • Bob computes H(r || M) and sees if it equals y. If so, M was in the commitment y originally
Chaum Double-Spending Protocol • Split Alice’s identity (a secret) so that any two pieces can identify her but one piece cannot • Each time the coin is spent, insert another piece of the secret (secret-sharing) • Have Alice put this information in the coins through bit commitment • Verify that Alice is not cheating through cut-and-choose • If the coin is spent only once, no possibility of different data • If the bank sees the same coin from two different parties, Alice is the double spender
Cut-and-Choose • A probabilistic method to verify that Alice is following a protocol • We ask Alice to put a piece of a secret in each coin. But the coins are blinded. How do we know she did it? • If Alice wants 100 coins, bank asks her to send 200 coins • Bank randomly picks 100 coins and asks her for the blinding factor for each • Bank unblinds the test coins and sees if they all have parts of the secret • If so, they probably all have parts of the secret
Probability Footnote • If Alice sends 2n coins to the bank but k have no part of the secret, what is the probability none of the k are among the n coins the bank picks? • The probability that Alice gets away with it is p(0). • For k = 1, p(0) = 1/2 • For n = 100, k = 10, p(0) ~ 8/10000 • For n = 100, k = 100, p(0) ~ $10^{-59}$ • [Formula annotations: ways to pick exactly n of 2n total coins; ways to pick exactly n-j of 2n-k good coins; ways to pick exactly j of k bad coins]
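The three counting terms named on this slide combine into a hypergeometric probability. The following added example (not from the original lecture) computes it exactly and cross-checks it by simulating the bank's random audit; the function names are assumptions, and j must not exceed n.

```python
from fractions import Fraction
from math import comb
import random

def p_opened(n, k, j):
    """Probability that exactly j of the k bad coins are among the n coins the bank opens.

    (ways to pick j of k bad) * (ways to pick n-j of 2n-k good) / (ways to pick n of 2n)
    """
    return Fraction(comb(k, j) * comb(2 * n - k, n - j), comb(2 * n, n))

def simulate_escape(n, k, trials, seed=1):
    """Monte Carlo check: Alice escapes when no bad coin lands in the audited half."""
    rng = random.Random(seed)                      # seeded so the run is repeatable
    coins = [True] * k + [False] * (2 * n - k)     # True marks a coin with no share of the secret
    escapes = sum(not any(rng.sample(coins, n)) for _ in range(trials))
    return escapes / trials
```

`float(p_opened(100, 10, 0))` is about 0.00077 and `float(p_opened(100, 100, 0))` about 1.1e-59, matching the slide's figures.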
Chaum Double-Spending Protocol • If the coin is spent only once, no possibility of seeing different pieces of the secret, so Alice stays anonymous • If the bank sees the same coin from two different parties, Alice is the double spender • If Bob tries to deposit the coin twice, the bank sees the same serial number and knows that Bob is the cheater
Chaum Double-Spending Protocol • Alice wants 100 five-dollar coins. • Alice sends 200 five-dollar coins to the bank (twice as many as she needs). For each coin, she inserts a share of her account number • Bank selects half the coins (100), signs them, gives them back to Alice • Bank asks her for the random numbers for the other 100 coins and uses it to read her account number • Bank feels safe that the blinded coins it signed had a piece of her account number. (It picked the 100 out of 200, not Alice.)
Chaum’s Double-Spending Protocol • u = Alice’s account number (identifies her) • $r_0, r_1, \dots, r_{m-1}$ are m random numbers • $(ul_i, ur_i)$ = a secret split of u over 2 pieces using $r_i$ so that both are required to recover u. E.g. $(r_i \text{ XOR } u,\ r_i)$ (XORing the pieces gives u) • $vl_i$ = a bit commitment of $ul_i$ • $vr_i$ = a bit commitment of $ur_i$ • Coin contains: • Value • Unique ID (long random number) • $(vl_0, vr_0), (vl_1, vr_1), \dots, (vl_{m-1}, vr_{m-1})$ SOURCE: GUY BLELLOCH
Chaum’s Protocol: Minting (Alice and Bank) • 1. 2n blinded coins and Alice’s account # • 2. A request to unblind and prove all bit commitments for n of the 2n coins (chosen at random) • 3. The blinding factors and proofs of commitment for the n coins • 4. Assuming step 3 passes, bank signs the other n coins SOURCE: GUY BLELLOCH
Chaum’s Protocol: Spending (Alice and Bob) • 1. A signed coin C (unblinded) • 2. A random bit vector B of length m • 3. For each i, if bit $B_i = 0$ return bit value for $ul_i$, else return bit value for $ur_i$ (not both). Include all “proofs” that the $ul_i$ or $ur_i$ match $vl_i$ or $vr_i$ • Now the merchant checks that the coin is properly signed by the bank, and the ul or ur match the vl or vr SOURCE: GUY BLELLOCH
Chaum’s Protocol: Depositing (Bob and Bank) • 1. The signed coin, bit vector B, values of $ul_i$ or $ur_i$ that Bob received from Alice. • 2. An OK, or fail • If fail, i.e., already returned: • If B matches previous order, the Merchant is guilty • Otherwise Alice is guilty and can be identified since for some i (where Bs don’t match) the bank will have $(ul_i, ur_i)$, which reveals her secret u (her identity). SOURCE: GUY BLELLOCH
Chaum Protocol • If Alice’s random number has b bits, what is the probability she can spend a coin twice without being detected? • Bob and Charlie’s random numbers would have to be identical. If they differ by 1 bit, the bank can identify Alice. • Probability that two b-bit numbers are identical: $p(b) = 2^{-b}$; p(1) = 0.5; p(10) ~ .001; p(20) ~ 1/1,000,000; p(30) ~ 1/1,000,000,000; p(64) ~ $5 \times 10^{-20}$; p(128) ~ $3 \times 10^{-39}$ • Chaum protocol does not guarantee detection
Major Ideas • eCash raises great security concerns • eCash provides protection against loss • eCash raises significant legal problems • eCash is difficult to implement with both anonymity and protection against double spending • eCash may not be successful because of stored-value cards and peer-to-peer systems
Q & A
Spending eCash • Alice orders goods from Bob • Bob’s server requests coins from Alice’s wallet: payreq = { currency, amount, timestamp, merchant_bankID, merchant_accID, description } • Alice approves the request. Her wallet sends: payment = { payment_info, {coins, H(payment_info)}PK_merchant_bank } payment_info = { Alice’s_bank_ID, amount, currency, ncoins, timestamp, merchant_ID, H(description), H(payer_code) }
Depositing eCash • Bob receives the payment message, forwards it to the bank for deposit by sending deposit = { { payment }Sig_Bob }PK_Bank • Bank decrypts the message using SK_Bank. • Bank examines payment info to obtain serial# and verify that the coin has not been spent • Bank credits Bob’s account and sends Bob a deposit receipt: deposit_ack = { deposit_data, amount }Sig_Bank
Proving an eCash Payment • Alice generates payer_code before paying Bob • A hash of the payer_code is included in payment_info • Bob cannot tamper with H(payer_code) since payment_info is encrypted with the bank’s public key • The merchant’s bank records H(payer_code) along with the deposit • If Bob denies being paid, Alice can reveal her payer_code to the bank • Otherwise, Alice is anonymous; Bob is not.
Chaum Protocol • Alice’s account number is 12, which in hex is 0C = 00001100 • Alice picks serial number 100 and blinding number 5 • She asks the bank for a coin with serial number 100 x 5 = 500 • Alice chooses a number b and creates b random numbers for this coin. Say b=6 • Alice’s wallet XORs each random number with her account number:
Chaum Protocol • Bob receives Alice’s coin. He obtains b and picks a random b-bit number, say 111010 • For every bit position in which Bob’s number has a 1, wallet reveals Alice’s random number for that position • For every 0-bit, Bob receives Alice’s account number XOR her random number for that position • Bob’s wallet sends last column to the bank when depositing
Chaum Protocol • Now Alice tries to spend the coin again with Charlie. He finds b=6 and picks random number 010000 • Her wallet probably sends a different set of numbers • Charlie goes through the same procedure as Bob and sends the numbers he receives to the bank when he deposits the coin
Chaum Protocol • The bank refuses to pay Charlie, since the coin was previously deposited by Bob • The bank combines data from Bob and Charlie (or both) using XOR where it has different data from the two sources: • This identifies Alice as the cheater! Neither Bob nor Alice nor the bank could do it alone
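The Alice, Bob and Charlie walk-through above, together with the H(r || M) bit commitment from the Bit Commitment slide, as an added example that is not part of the original lecture. SHA-256 as H, 8-bit random numbers and all function names are assumptions; the bank's blind signature and the cut-and-choose audit are left out to keep the identity-recovery step in focus.

```python
import hashlib
import secrets

def commit(value, nonce):
    # Bit commitment y = H(r || M); SHA-256 is an assumed choice for H.
    return hashlib.sha256(nonce + value.to_bytes(4, "big")).hexdigest()

def mint_coin(account, b):
    """Alice builds b pairs (ul_i, ur_i) = (r_i XOR u, r_i) and commits to each half."""
    secret_pairs, commitments = [], []
    for _ in range(b):
        r = secrets.randbits(8)
        halves = (r ^ account, r)
        nonces = (secrets.token_bytes(16), secrets.token_bytes(16))
        secret_pairs.append((halves, nonces))
        commitments.append(tuple(commit(h, n) for h, n in zip(halves, nonces)))
    return secret_pairs, commitments    # commitments go in the coin, secret_pairs stay in the wallet

def spend(secret_pairs, challenge):
    """Wallet answers a merchant's bit vector: bit 0 reveals ul_i, bit 1 reveals ur_i."""
    return [(halves[bit], nonces[bit])
            for (halves, nonces), bit in zip(secret_pairs, challenge)]

def merchant_check(commitments, challenge, answers):
    """Merchant opens each revealed half against the commitment stored in the coin."""
    return all(commit(v, n) == commitments[i][bit]
               for i, (bit, (v, n)) in enumerate(zip(challenge, answers)))

def bank_identify(chal_a, ans_a, chal_b, ans_b):
    """Second deposit of one coin: XOR the halves at the first position where challenges differ."""
    for bit_a, (va, _), bit_b, (vb, _) in zip(chal_a, ans_a, chal_b, ans_b):
        if bit_a != bit_b:
            return va ^ vb              # (r XOR u) XOR r = u
    return None                         # identical challenges: the depositor replayed the coin
```

Feeding in the slide's values (account 12, b = 6, Bob's 111010, Charlie's 010000) makes `bank_identify` return 12 from the first bit position, where the two challenges differ.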