Executable Financial Instruments and MicroMint on the Cheap
Ari Juels, RSA Laboratories
with Markus Jakobsson, Bell Laboratories
The Web provides an excellent means of communication with all kinds of people...
Yeah!
“Hi. My name is Darlene. I’m a model. Want to meet sometime?”
“Darlene”
He fell for it!
Ha ha!
…you know nothing about.
The Web provides an excellent means of communication and commerce...
Cool!
“Hi. I’d like to buy your car. I’ll pay $106,000. OK?”
For sale
Another sucker!
…with people you know nothing about.
Aim: Flexible commerce with minimal trust
[Figure: You, Internet, ?]
Two Ideas Today
X-cash: Executable financial instruments
MicroMint Outsourcing
MicroMint
Want a scheme that mimics economics of physical mint
Verifying validity of a coin is easy
Base minting cost is high so...
Forgery is expensive
The minting process
1. Throw balls (jellybeans) into bins using “random” function h
2. Any bin with two balls (jellybeans) is a coin
Minting in MicroMint
[Figure: balls thrown by h into Bin 1 through Bin 9. Collision = Coin]
Checking a coin
[Figure: h, Bin 2. Valid coin?]
Features
Many bins, so need to throw many balls (jellybeans) to mint successfully
Minting requires very intensive computation
Minting requires a special computer, e.g., a $250,000 machine
“Deep Crack”
Another characteristic: Most balls are invalid
[Figure: balls thrown by h at Bin 1 through Bin 9]
In fact, >99% of work goes to missed balls!
Idea: Make three stage process
1. Create “valid” balls, i.e., balls that won’t miss (>99% of work)
2. Throw balls into bins using “random” function h (<1% of work)
3. Any bin with two balls is a coin
Have many other (untrusted) people do Step 1
Now...
99%+ of work is done for minter
No participant will get enough balls to do minting himself/herself (or else participants know “validity” h but not “throwing” h)
Minting is cheap for minter!
Minter can use ordinary server
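The three-stage process above as a small runnable sketch. This is an added example, not code from the talk. Assumptions: the public “validity” h is modelled as a SHA-256 leading-zero-bits test, the secret “throwing” h as HMAC-SHA256 under a key only the minter holds (so coins are checked by the minter here), and the parameters are toy-sized.

```python
import hashlib
import hmac
from collections import defaultdict

VALID_BITS = 8   # toy difficulty: about 1 candidate in 256 is a valid ball
NUM_BINS = 64    # toy bin count

def is_valid_ball(x: bytes) -> bool:
    """Public "validity" h: a ball is valid if SHA-256 starts with VALID_BITS zero bits."""
    digest = hashlib.sha256(b"validity|" + x).digest()
    return int.from_bytes(digest, "big") >> (256 - VALID_BITS) == 0

def worker_find_balls(worker_id: int, attempts: int) -> list:
    """Step 1, done by an untrusted helper: brute-force search for valid balls."""
    candidates = (f"{worker_id}:{i}".encode() for i in range(attempts))
    return [x for x in candidates if is_valid_ball(x)]

def throw(key: bytes, x: bytes) -> int:
    """Secret "throwing" h, assumed here to be HMAC-SHA256 under a minter-only key."""
    mac = hmac.new(key, x, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % NUM_BINS

def mint(key: bytes, submitted: list) -> list:
    """Steps 2 and 3, done by the minter: re-check, throw, collect collisions."""
    bins = defaultdict(list)
    for x in sorted(set(submitted)):
        if is_valid_ball(x):          # one hash per ball; workers are not trusted
            bins[throw(key, x)].append(x)
    return [tuple(b[:2]) for b in bins.values() if len(b) >= 2]

def check_coin(key: bytes, coin: tuple) -> bool:
    """A coin is two distinct valid balls that land in the same bin."""
    a, b = coin
    return (a != b and is_valid_ball(a) and is_valid_ball(b)
            and throw(key, a) == throw(key, b))
```

The workers spend roughly 2^VALID_BITS hashes per ball, while the minter spends one hash and one HMAC per submitted ball, which is the cost split the slides describe.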
Application III: Secure multiparty computation
Questions?
X-cash: Executable Digital Cash
Ari Juels, RSA Laboratories
joint work with
Markus Jakobsson, Bell Labs
23rd February 1998
The Internet: Many entities wishing to trade with one another
[Figure: Internet, $]
Peer-to-peer trading can be problematic
Peer-to-peer interaction can create communications bottlenecks
Anonymity (both ways) is hard to protect in a peer-to-peer setting
Would like computational load involved with trading to be handled by servers, not clients
Therefore, we would like trade to occur in a distributed fashion.
A vehicle for distributed trade: Mobile agents
[Figure: Program + Documentation, To Internet]
A problem: Pick-pocketing
[Figure: Program]
Other problems:
Maliciously modified code
Intercepted purchases
A different scenario than digital cash: multiple spending may be permissible
A solution: X-cash
Idea: Make redemption of cash conditional on delivery of desired goods
First tool: A program that knows what it wants
Mobile Agent includes a code segment P
P takes as input potential purchase items
P outputs amount user is willing to pay
E.g., airline tickets
[Figure: Paris, P, $300]
Second tool: Negotiable certificate
Bank holds (SK_B, PK_B)
Alice holds (SK_A, PK_A)
Negotiable certificate = SIG_{SK_B}(PK_A, $500)
SIG_{SK_A}($300, “For Bob”), [negotiable certificate on PK_A]
[Figure labels: BANK, Alice, Bob]
Idea: Bind negotiable certificate to agent program P
X-cash: [negotiable certificate on PK_A], SIG_{PK_A}(P)
. . . Then send off via mobile agent
When Bob receives the mobile agent
[Figure: Bob; negotiable certificate on PK_A, SIG_{PK_A}(P)]
Bob can assess and authenticate Alice’s offer for his tickets
[Figure: Bob; $300; negotiable certificate on PK_A, SIG_{PK_A}(P)]
The bank can verify and process the transaction
[Figure: BANK; $300; negotiable certificate on PK_A, SIG_{PK_A}(P)]
Bank gives $300 to Bob, deducting against the negotiable certificate
Bank receives and holds tickets for Alice, or sends them to her
An Example
Alice needs ticket to important conference in Caribbean
She will pay $300 for business class to St. Martin
She will pay $600 for first class fare to St. Martin
She will pay $400 for business class to Anguilla
She will pay $700 for first class to Anguilla
Alice creates a program P
Input to P: An airline ticket
– Airline ticket may include certificates and signatures, e.g., airline certificate, travel agent certificate, etc.
– P includes root certificates
Output of P: Amount Alice will pay
– Conditional on correct dates, transferability of ticket, etc.
Alice gets a negotiable certificate
Alice generates key pair (PK_A, SK_A).
Alice withdraws a negotiable certificate = SIG_{SK_B}(PK_A, $700).
Alice creates X-cash and sends mobile agent
X-cash: [negotiable certificate on PK_A], SIG_{PK_A}(P)
Bob’s Travel has a business class ticket T to Anguilla for sale
Bob does the following
Checks certificates and signatures in Alice’s mobile agent
Generates signatures t_A transferring ownership of ticket T to Alice
Runs P(T, t_A) on a ticket T and signatures t_A transferring ownership to Alice
Sees output “$400”
Sends [negotiable certificate on PK_A], SIG_{PK_A}(P) and T, t_A to bank
The Bank does the following
Verifies certificates and signatures in Alice’s agent
Sees that P(T, t_A) = $400
Then:
Deducts $400 against Alice’s negotiable certificate
Gives $400 to Bob
Holds T, t_A for Alice and notifies her
[Figure: negotiable certificate on PK_A, SIG_{PK_A}(P); $400]
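Alice's ticket example carried through all three parties, as an added example that is not code from the talk. Assumptions: textbook RSA over fixed Mersenne primes stands in for SIG and is not secure; P is modelled as a signed price table rather than executable agent code; the ticket certificates and the transfer signatures t_A are left out.

```python
import hashlib, json

def keygen(p, q, e=65537):            # toy textbook RSA, illustration only
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(sk, msg):
    return pow(_h(msg, sk[0]), sk[1], sk[0])
def verify(pk, msg, sig):
    return pow(sig, pk[1], pk[0]) == _h(msg, pk[0])

PK_B, SK_B = keygen(2**107 - 1, 2**127 - 1)   # bank key pair
PK_A, SK_A = keygen(2**61 - 1, 2**89 - 1)     # Alice's key pair

# Alice's program P as a price table (constructed from the fares on the slides).
ALICE_P = json.dumps({"business|St. Martin": 300, "first|St. Martin": 600,
                      "business|Anguilla": 400, "first|Anguilla": 700}).encode()
TICKET = {"class": "business", "dest": "Anguilla"}   # Bob's ticket T

def run_P(P, ticket):                 # amount Alice will pay; 0 if unwanted
    return json.loads(P).get(f'{ticket["class"]}|{ticket["dest"]}', 0)

def cert_msg(pk, limit):
    return json.dumps([list(pk), limit]).encode()

def withdraw(limit):                  # bank issues SIG_{SK_B}(PK_A, limit)
    return {"pk": PK_A, "limit": limit, "sig": sign(SK_B, cert_msg(PK_A, limit))}

def make_xcash(cert, P):              # Alice binds the certificate to P
    return {"cert": cert, "P": P, "sigP": sign(SK_A, P)}

def check_offer(x, ticket):           # run by Bob, then again by the bank
    c = x["cert"]
    if not verify(PK_B, cert_msg(c["pk"], c["limit"]), c["sig"]):
        return 0                      # certificate not issued by the bank
    if not verify(tuple(c["pk"]), x["P"], x["sigP"]):
        return 0                      # P was modified or not signed by Alice
    amount = run_P(x["P"], ticket)
    return amount if 0 < amount <= c["limit"] else 0

def bank_redeem(x, ticket, spent):    # pay Bob only if P accepts the ticket
    amount, key = check_offer(x, ticket), x["cert"]["sig"]
    if amount == 0 or spent.get(key, 0) + amount > x["cert"]["limit"]:
        return 0
    spent[key] = spent.get(key, 0) + amount
    return amount
```

A party that intercepts the agent cannot raise the price or redirect the payment without breaking Alice's signature on P, and the bank's running total keeps redemptions within the certificate's value.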
X-cash extensions
Double spending
How does Alice know that Bob didn’t sell the ticket twice?
An issue with any digital cash system. Solutions:
On-line verification
Penalization after fact
Tamper resistance (for Bob)
Anonymity
X-cash can be rendered anonymous using the following ideas:
Blind withdrawal of certificates with conditional revocation of anonymity
Anonymous re-mailers for delivery of goods (e.g., airline tickets)
Stateful offers
In the examples above, Alice’s program P had no external state. This need not be the case.
Example of stateful offer
Alice wants to sell 100 ounces of gold at the market price
Alice’s program P contacts a Web site to get the current price of gold
Bob includes in his response C a value G_B -- the maximum price he is willing to pay
When the Bank runs P(C), Bank checks that transaction cost is at most G_B, as per Bob’s response.
Multiple banks
We assume above a single, universally trustworthy bank.
X-cash can be adapted for infrastructures with multiple, mutually suspicious banks.
Conclusion
X-cash is a simple means of achieving trusted commerce in a distributed setting like the Internet.