Documents
Resources
Learning Center
Upload
Plans & pricing Sign in
Sign Out

Digital Cash_1_

VIEWS: 6 PAGES: 18

									Digital Cash
Jordan Kunz May 2nd, 2007 Cryptography

Introduction


As we are all aware, the advent of advanced communications technologies have allowed for financial transactions to take place without an exchange of tangible objects (Paypal, EFT, direct deposit, etc) Credit cards are electronic, but not the same as digital cash Paper cash/coin is anonymous, but there is also a threat of counterfeiting






Digital cash needs to accurately take this into account

6 Properties of Digital Cash
T. Okamoto and K. Ohta describe six properties a digital cash system should have:

    

The cash can be sent securely through computer networks The cash cannot be copied and reused The spender of the cash can remain anonymous The transaction can be done offline, meaning no communication with the central bank is needed during the transaction The cash can be transferred to others A piece of cash can be divided into smaller amounts

These properties are much more complex than ordinary cash systems for two reasons:




1) Electronic objects can be copied for essentially no cost, making counterfeiting attractive 2) Anonymity must be preserved

This leads to the use of “restricted blind signatures”.

Participants


We define three parties:


The Bank The Spender





The Merchant

This model will look at how to meet requirements 1-4.

Initialization




The system is initialized once and for all by a central authority Choose a large prime p s.t. q = (p-1)/2 is also prime


Let g be the square of a primitive root mod p k1 k2  Implies that g  g (mod p)  k1  k2 (mod q) 

g1  g k1 (mod p )

g 2  g k2 (mod p )



g, g1, and g2 are made public H takes a 5-tuple of integers and outputs an integer mod q H0 takes a 4-tuple of integers and outputs an integer mod q



Two public hash functions are defined:
 

Initialization (BANK)


Chooses secret ID number x



Computes h  g x h1  g x1 h2  g x2
The numbers h, h1, h2 are made public and identify the Bank



Initialization (SPENDER)


Chooses secret ID number u Computes the account number I  g (mod p )
u 1





I is sent to the Bank, which stores I with other information identifying the Spender (address, name, etc) The Bank sends z   ( Ig 2 ) x (mod p) back to the Spender.



Initialization (MERCHANT)


Chooses ID number M and sends it to the Bank

Creating a Coin
A coin is represented by this 6-tuple of numbers: (A,B,z,a,b,r)


The Bank
 



Chooses random # w (different for each coin) g w  g w (mod p)   ( Ig 2 ) w (mod p) Computes Sends gw and β to Spender



The Spender


Chooses a secret random 5-tuple of integers: ( s, x1 , x2 ,1 , 2 )

Creating a Coin (Spender cont)


Computes

A  ( Ig 2 ) s (mod p) B  g1x1 g 2 x2 (mod p)

z  z s
a  g w1 g  2 (mod p)

b   s1 A2 (mod p)


A  1 , so s cannot be divisible by q and we assume Ig 2  1(mod p) (solving a DLP) is highly unlikely with

large enough p

Creating a Coin (Spender cont)


c  11 H ( A, B, z , a, b)(mod q) Computes


Sends c to the Bank



Bank computes


c1  cx  w(mod q)

Sends c1 to Spender



Spender computes r  1c1   2 (mod q)
Complete! Process is repeated for each coin



Spending the E-Bling


The Spender gives a coin to the Merchant



Merchant checks if g r  ah H ( A,B , z ,a ,b ) (mod p) and
Ar  z H ( A,B , z ,a ,b )b(mod p)



Coin is valid if both are true, but we still need to prevent double-spending

Spending the E-Bling (cont)


Merchant computes d  H 0 ( A, B, M , t )


t is the date and time of the transaction  This gives a different value of d for different transactions



Sends d to Spender



Spender computes r1  dus  x1 (mod q)

r2  ds  x2 (mod q)

Spending the E-Bling (cont)


Sends r1 and r2 to Merchant
r r d Merchant checks if g11 g 22  A B (mod p )





If this holds, accept the coin; else, reject

Deposits


Merchant submits coin (A,B,z,a,b,r) and the triple (r1,r2,d) to the Bank Bank checks if coin has already been deposited




If so, someone is going to jail!
1 2



r r d Otherwise, the Bank verifies that g1 g 2  A B(mod p)

g r  ah H ( A,B , z ,a ,b ) (mod p)


Ar  z H ( A,B , z ,a ,b )b(mod p)

If they hold, then the coin is valid and deposited

Fraud! Scandal!! h4X0r5!!!


There are a number of ways to attempt to cheat the system, but only one works




    

1) The Spender spends the coin twice, once with the Merchant and once with another “Vendor”  Spender goes to jail because of double-blind system ID’s him 2) The Merchant tries to submit the coin twice, with one legitimate triple (r1,r2,d), and with a forged triple (r1’,r2’,d’) r r d  It is very difficult to solve g1 g 2  A B (mod p ) 3) Someone tries to make an unauthorized coin  Form of DLP problem and also doesn’t have x 4) Someone deposits a coin, but also tries to spend it with the Merchant  Form of DLP problem 5) Someone in the Bank tries to forge a coin  Bad banker doesn’t know u 6) Someone steals the coin from the Spender and tries to spend it  Thief doesn’t know u, so cannot produce r1 and r2 7) Someone steals the coin and (r1,r2,d) from the Merchant before it can be deposited  This works, just like it works in real-life
1 2

Anonymity


The Spender never has to provide ID during transactions with the Merchant (like paper currency) α1 and α2 provide a restricted blind signature for the coin  Used once, the Spender keeps anonymity  Used twice, the Spender goes to jail To test this, let α1 = 1  The Bank can keep a list that matches values of c and the corresponding I  A deposited coin would allow the value of H to be computed and compared to c  Assuming that only one person per c, the identity would be compromised






								
To top