Electronic Cash
R. Newman
Topics
Defining anonymity
Need for anonymity
Defining privacy
Threats to anonymity and privacy
Mechanisms to provide anonymity
Metrics for anonymity
Applications of anonymity technology
Payment forms
Barter, cash, check, wire transfer, credit/debit card, e-cash

Barter
Earliest form of payment
Value is intrinsic in the bartered good/service
Requires physical presence of the good/service
Not flexible, not easily divisible

Cash
Difficult to trace
Hard to forge
Requires physical presence of coins, notes
May or may not have intrinsic value

Check
Easy to trace, can be revoked
Flexible amounts
Slow: hard to verify immediately
Can be mailed or used electronically

Wire transfer
Easy to verify
Fast
Expensive

Credit/debit card
Easy to verify quickly
Less expensive than wire transfer
Easy to trace, cards can be revoked
Convenient for electronic use (remote payment)

E-cash
Covered in the remaining slides
Electronic Payment Problems
Card credentials can be stolen:
Account number and name are printed on the card
Billing address and zip code are easy to find
PIN is revealed during use
Smart cards alleviate some of the issues above
Still, every card payment can be traced: privacy is lost
Electronic Cash Requirements
Convenience: easy to use electronically
Easy to verify
Inexpensive
Reliable
Forgeries easy to detect: easy for the bank to generate, hard for anyone else
Privacy: hard to trace (for the payer)
Easy for the bank to determine if a coin has been spent twice
Chaum Electronic Cash
Form of a coin (one unit of currency):
(x, f(x)^(1/3) mod n)
n is a large composite (RSA modulus) whose factors are known only to the bank, so only the bank can take cube roots mod n
f is a one-way function, so a forger cannot pick a convenient cube and work backwards to an x that hashes to it
Chaum Electronic Cash (withdrawal and payment)
1. Alice chooses a random x and a random blinding factor r, and sends the bank
B = r^3 f(x) mod n
2. Bank computes and returns the cube root to Alice,
B^(1/3) = r f(x)^(1/3) mod n
and withdraws a dollar from Alice's account
3. Alice divides by r to extract C = f(x)^(1/3) mod n
4. To pay Bob one dollar, Alice gives him (x, C) = (x, f(x)^(1/3) mod n)
5. Bob immediately verifies the coin with the bank (C^3 = f(x) mod n, and x is not on the bank's list of spent coins)
This ensures the coin has not been spent already
Chaum Electronic Cash (properties)
Anyone can verify the coin's structure by cubing C and comparing with f(x)
Bank cannot associate the coin with Alice's account: it saw only r^3 f(x), and r is random
But Bob must contact the bank immediately (online verification)
A newer protocol (Chaum, Fiat and Naor) removes this requirement
It allows the bank to reveal Alice's identity if she spends a coin twice
Untraceable Coins (setup)
Bank publishes an RSA modulus n whose factorization it keeps secret and such that phi(n) has no small odd factors (in particular 3 does not divide phi(n), so cube roots mod n are unique and only the bank can compute them)
Bank sets a security parameter k (even); k is used for cut-and-choose verification
Let f and g be two-argument collision-free functions, i.e. it is computationally infeasible to find two inputs that map to the same output
Alice has bank account number u
Bank associates a counter v with account u
Untraceable Coins (withdrawal)
To get a coin:
1. Alice chooses a_i, c_i, d_i and r_i independently and uniformly from the residues modulo n, for 1 <= i <= k
2. Alice sends the bank k blinded candidates:
B_i = r_i^3 f(x_i, y_i) mod n
where x_i = g(a_i, c_i) and
y_i = g(a_i XOR (u || (v + i)), d_i)
3. Bank chooses half of the candidates at random
4. Alice reveals a_i, c_i, d_i and r_i for the selected candidates (cut-and-choose)
5. Bank recomputes the selected B_i from the revealed values to verify that Alice was honest with those candidates, then sends Alice
B_i^(1/3) mod n for the remaining k/2 candidates,
charges account u a dollar, and increments v by k
6. Alice divides out each r_i to extract the coin C, made up of f(x_i, y_i)^(1/3) mod n for the remaining i (in Chaum, Fiat and Naor's paper these k/2 terms are multiplied into a single value)
Note: if Alice cheats on one candidate, the bank selects it with probability 1/2; if she cheats on several, all of them must land in the unselected half, so the bank catches her with high probability
Untraceable Coins (payment)
To use a coin:
1. Alice sends C to Bob
2. Bob chooses k/2 random bits z_i, one per remaining candidate
3. If z_i = 1, Alice sends Bob a_i, c_i and y_i
else Alice sends Bob x_i, a_i XOR (u || (v + i)) and d_i
4. Bob verifies the form of C and that Alice's responses fit: for each i he recomputes f(x_i, y_i) as f(g(a_i, c_i), y_i) if z_i = 1 and as f(x_i, g(a_i XOR (u || (v + i)), d_i)) otherwise, and checks it against the cube of the corresponding part of C
5. Bob later sends C, the z_i's and Alice's responses to the bank (no online check at payment time)
6. Bank verifies the correctness of the spent coin and credits Bob's account; it stores C, the z_i's and the responses
Untraceable Coins (double spending)
If Alice spends a coin twice, answering challenges z_i and z_i',
it is likely that for some i, z_i XOR z_i' = 1 (probability 1 - 2^(-k/2) for independent random challenges)
Bank searches its stored C's to see whether the coin was spent before
If C was used twice, it is likely that the bank holds both
a_i and a_i XOR (u || (v + i)) for some i
XORing the two yields u || (v + i), so the bank can determine u and catch Alice
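The following is an added worked example, not code from the slides or from Chaum, Fiat and Naor's paper. It implements both protocols above in one place: the blind/unblind step (r^3 f(x), cube root, divide by r) is exactly the simpler Chaum withdrawal, and the cut-and-choose, challenge-response payment and double-spend identification are the untraceable-coin protocol. Assumptions: f and g are modelled by domain-separated SHA-256; u || (v + i) is encoded as (u << 64) | (v + i); the k/2 surviving terms are multiplied into one value C as in the original paper; primes are generated with a demo Miller-Rabin test and chosen with p = 2 (mod 3) so that 3 does not divide phi(n); the function and variable names are the example's own.

```python
import hashlib, secrets

def is_probable_prime(n, rounds=32):
    # Miller-Rabin, adequate for a demo; use a vetted library for real keys
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    # p = 2 (mod 3) ensures 3 does not divide p-1, so cube roots mod n are unique
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if p % 3 == 2 and is_probable_prime(p):
            return p

def prod_mod(values, n):
    out = 1
    for val in values:
        out = out * val % n
    return out

def H(tag, a, b):
    # f and g modelled as domain-separated SHA-256 (assumption, not the paper's choice)
    return int.from_bytes(hashlib.sha256(f"{tag}|{a}|{b}".encode()).digest(), "big")
f = lambda x, y: H(0, x, y)              # f(x_i, y_i)
g = lambda a, b: H(1, a, b)              # g(a_i, c_i), g(a_i XOR (u || v+i), d_i)
ident = lambda u, j: (u << 64) | j       # u || j, with j in a 64-bit field (assumption)

class Bank:
    def __init__(self, k=8, bits=512):
        p, q = gen_prime(bits), gen_prime(bits)
        self.n, self.k = p * q, k
        self.d = pow(3, -1, (p - 1) * (q - 1))   # secret exponent for cube roots mod n
        self.counter = {}                          # account u -> v
        self.spent = {}                            # deposited coin C -> (z bits, responses)
    def choose_half(self):
        return sorted(secrets.SystemRandom().sample(range(1, self.k + 1), self.k // 2))
    def sign(self, u, blinded, chosen, opened):
        v = self.counter.get(u, 0)
        for i in chosen:                           # cut-and-choose: recompute opened B_i
            a, c, d_, r = opened[i]
            x, y = g(a, c), g(a ^ ident(u, v + i), d_)
            if blinded[i] != pow(r, 3, self.n) * f(x, y) % self.n:
                raise ValueError(f"candidate {i} is malformed: withdrawal refused")
        rest = prod_mod((B for i, B in blinded.items() if i not in chosen), self.n)
        self.counter[u] = v + self.k               # charge account u, advance v by k
        return pow(rest, self.d, self.n)           # cube root of the unopened product

def withdraw(bank, u):
    n, v = bank.n, bank.counter.get(u, 0)          # Alice tracks v herself in practice
    cands, blinded = {}, {}
    for i in range(1, bank.k + 1):
        a, c, d_, r = (secrets.randbelow(n) for _ in range(4))
        x, y = g(a, c), g(a ^ ident(u, v + i), d_)
        cands[i] = dict(a=a, c=c, d=d_, r=r, x=x, y=y, id=ident(u, v + i))
        blinded[i] = pow(r, 3, n) * f(x, y) % n    # B_i = r_i^3 f(x_i, y_i) mod n
    chosen = bank.choose_half()
    opened = {i: (cands[i]["a"], cands[i]["c"], cands[i]["d"], cands[i]["r"]) for i in chosen}
    signed = bank.sign(u, blinded, chosen, opened)
    kept = [cands[i] for i in sorted(cands) if i not in chosen]
    r_inv = pow(prod_mod((cd["r"] for cd in kept), n), -1, n)
    return {"C": signed * r_inv % n, "cands": kept}  # unblind: C = prod f(x_i, y_i)^(1/3)

def spend(coin, z):
    # Alice answers the vendor's challenge bits z, one per remaining candidate
    resp = [(cd["a"], cd["c"], cd["y"]) if bit else (cd["x"], cd["a"] ^ cd["id"], cd["d"])
            for bit, cd in zip(z, coin["cands"])]
    return coin["C"], list(z), resp

def verify_payment(n, C, z, resp):
    # vendor (and later the bank) rebuilds each f(x_i, y_i) and checks C^3 against the product
    terms = (f(g(t[0], t[1]), t[2]) if bit else f(t[0], g(t[1], t[2])) for bit, t in zip(z, resp))
    return pow(C, 3, n) == prod_mod(terms, n)

def deposit(bank, C, z, resp):
    if not verify_payment(bank.n, C, z, resp):
        return "invalid"
    if C not in bank.spent:                        # first deposit: record challenge and answers
        bank.spent[C] = (z, resp)
        return "ok"
    z0, resp0 = bank.spent[C]
    for b0, b1, t0, t1 in zip(z0, z, resp0, resp):
        if b0 != b1:                               # one spend opened a_i, the other a_i XOR (u || v+i)
            a, a_xor_id = (t0 if b0 else t1)[0], (t1 if b0 else t0)[1]
            return "double-spent", (a ^ a_xor_id) >> 64   # u recovered
    return "double-spent", None                    # identical challenges (collusion): no identity
```

Running `withdraw` followed by two `spend` calls with different challenge bits and depositing both shows the bank recovering u from a single differing bit; depositing the same challenge twice shows the colluding-vendor case from the next slide, where the bank sees the double spend but learns no identity. The bank never sees x_i, y_i or r_i for the unopened candidates, so a deposited C cannot be linked back to the withdrawal.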
Untraceable Coins (colluding vendors)
If Alice colludes with a second vendor Charlie,
after spending her coin with Bob, they can arrange for Charlie to use the same z_i's as Bob
Bank then holds two identical sets of responses: it knows that one of them cheated, but not which one
And it cannot identify Alice, because for no i does it hold both a_i and a_i XOR (u || (v + i))
Remedy: force each vendor to use distinct z_i's for some portion of the bits (a vendor-specific part), and random z_i's for the rest (enough of them to allow many purchases by Alice from the same vendor)
Proving Multiple Spending
Bank can frame Alice! (how? it holds the signing key, so it can mint a coin embedding Alice's u and present two spendings of it)
Hence the bank's evidence won't hold up in court
To prevent this, Alice uses public-key signatures
Computational security only
Alice uses a pseudonymous account for each coin
Proving Multiple Spending (cont'd)
Alice chooses, for each i, random z_i' and z_i''
The identity embedded in candidate i is u_i = [Alice's account number || z_i' || z_i'']
Along with the B_i's, Alice gives the bank her signature on
g(z_1', z_1'') || g(z_2', z_2'') || ... || g(z_k', z_k'')
During cut-and-choose, the bank verifies the form of u_i for each of the k/2 B_i's it examines, and so learns z_i' and z_i'' for those i only
Bank has proof of multiple spending of a coin whenever it can present preimages of at least k/2 + 1 of the g(z_i', z_i''): cut-and-choose gives it only k/2, and one more can come only from a remaining candidate opened on both sides, i.e. from Alice spending twice
Other Results
Untraceable checks: issued with a maximum value
Use coins with power-of-2 values, so an arbitrary value can be expressed as a sum of powers of two
Unspent coins can be retrieved from a check
A central bank is always an issue
Bitcoin addresses this with decentralized, Byzantine-fault-tolerant agreement (proof-of-work consensus) on which coins have been spent
Very different approach to valuation...