Digital Cash
Jordan Kunz
May 2nd, 2007
Cryptography

Introduction
- As we are all aware, the advent of advanced communications technologies has allowed financial transactions to take place without an exchange of tangible objects (PayPal, EFT, direct deposit, etc.)
- Credit cards are electronic, but not the same as digital cash
- Paper cash/coin is anonymous, but there is also a threat of counterfeiting
- Digital cash needs to accurately take this into account

6 Properties of Digital Cash
T. Okamoto and K. Ohta describe six properties a digital cash system should have:
1) The cash can be sent securely through computer networks
2) The cash cannot be copied and reused
3) The spender of the cash can remain anonymous
4) The transaction can be done offline, meaning no communication with the central bank is needed during the transaction
5) The cash can be transferred to others
6) A piece of cash can be divided into smaller amounts

These properties are much more complex than those of ordinary cash systems for two reasons:
1) Electronic objects can be copied for essentially no cost, making counterfeiting attractive
2) Anonymity must be preserved
This leads to the use of "restricted blind signatures".

Participants
We define three parties:
- The Bank
- The Spender
- The Merchant
This model will look at how to meet requirements 1-4.

Initialization
- The system is initialized once and for all by a central authority
- Choose a large prime $p$ s.t.
$q = (p-1)/2$ is also prime
- Let $g$ be the square of a primitive root mod $p$
- Implies that $g^{k_1} \equiv g^{k_2} \pmod{p} \iff k_1 \equiv k_2 \pmod{q}$
- $g_1 \equiv g^{k_1} \pmod{p}$, $g_2 \equiv g^{k_2} \pmod{p}$
- $g$, $g_1$, and $g_2$ are made public
- Two public hash functions are defined:
  - $H$ takes a 5-tuple of integers and outputs an integer mod $q$
  - $H_0$ takes a 4-tuple of integers and outputs an integer mod $q$

Initialization (BANK)
- Chooses secret ID number $x$
- Computes $h \equiv g^{x}$, $h_1 \equiv g_1^{x}$, $h_2 \equiv g_2^{x}$
- The numbers $h$, $h_1$, $h_2$ are made public and identify the Bank

Initialization (SPENDER)
- Chooses secret ID number $u$
- Computes the account number $I \equiv g_1^{u} \pmod{p}$
- $I$ is sent to the Bank, which stores $I$ with other information identifying the Spender (address, name, etc.)
- The Bank sends $z' \equiv (I g_2)^{x} \pmod{p}$ back to the Spender.

Initialization (MERCHANT)
- Chooses ID number $M$ and sends it to the Bank

Creating a Coin
- A coin is represented by this 6-tuple of numbers: $(A, B, z, a, b, r)$
The Bank
- Chooses random # $w$ (different for each coin)
- Computes $g_w \equiv g^{w} \pmod{p}$ and $\beta \equiv (I g_2)^{w} \pmod{p}$
- Sends $g_w$ and $\beta$ to Spender
The Spender
- Chooses a secret random 5-tuple of integers: $(s, x_1, x_2, \alpha_1, \alpha_2)$

Creating a Coin (Spender cont)
- Computes
  $A \equiv (I g_2)^{s} \pmod{p}$
  $B \equiv g_1^{x_1} g_2^{x_2} \pmod{p}$
  $z \equiv z'^{\,s}$
  $a \equiv g_w^{\alpha_1} g^{\alpha_2} \pmod{p}$
  $b \equiv \beta^{s\alpha_1} A^{\alpha_2} \pmod{p}$
- $A \neq 1$, so $s$ cannot be divisible by $q$, and we assume $I g_2 \equiv 1 \pmod{p}$ (solving a DLP) is highly unlikely with large enough $p$

Creating a Coin (Spender cont)
- Computes $c \equiv \alpha_1^{-1} H(A, B, z, a, b) \pmod{q}$
- Sends $c$ to the Bank
- Bank computes $c_1 \equiv cx + w \pmod{q}$
- Sends $c_1$ to Spender
- Spender computes $r \equiv \alpha_1 c_1 + \alpha_2 \pmod{q}$
- Complete!
- Process is repeated for each coin

Spending the E-Bling
- The Spender gives a coin to the Merchant
- Merchant checks if $g^{r} \equiv a\,h^{H(A,B,z,a,b)} \pmod{p}$ and $A^{r} \equiv z^{H(A,B,z,a,b)}\,b \pmod{p}$
- Coin is valid if both are true, but we still need to prevent double-spending

Spending the E-Bling (cont)
- Merchant computes $d = H_0(A, B, M, t)$
- $t$ is the date and time of the transaction
- This gives a different value of $d$ for different transactions
- Sends $d$ to Spender
- Spender computes
  $r_1 \equiv dus + x_1 \pmod{q}$
  $r_2 \equiv ds + x_2 \pmod{q}$

Spending the E-Bling (cont)
- Sends $r_1$ and $r_2$ to Merchant
- Merchant checks if $g_1^{r_1} g_2^{r_2} \equiv A^{d} B \pmod{p}$
- If this holds, accept the coin; else, reject

Deposits
- Merchant submits coin $(A, B, z, a, b, r)$ and the triple $(r_1, r_2, d)$ to the Bank
- Bank checks if coin has already been deposited
- If so, someone is going to jail!
- Otherwise, the Bank verifies that
  $g_1^{r_1} g_2^{r_2} \equiv A^{d} B \pmod{p}$
  $g^{r} \equiv a\,h^{H(A,B,z,a,b)} \pmod{p}$
  $A^{r} \equiv z^{H(A,B,z,a,b)}\,b \pmod{p}$
- If they hold, then the coin is valid and deposited

Fraud! Scandal!! h4X0r5!!!
There are a number of ways to attempt to cheat the system, but only one works:
1) The Spender spends the coin twice, once with the Merchant and once with another "Vendor"
   - Spender goes to jail because the double-blind system IDs him
2) The Merchant tries to submit the coin twice, with one legitimate triple $(r_1, r_2, d)$, and with a forged triple $(r_1', r_2', d')$
   - It is very difficult to solve $g_1^{r_1} g_2^{r_2} \equiv A^{d} B \pmod{p}$
3) Someone tries to make an unauthorized coin
   - Form of DLP problem, and the forger also doesn't have $x$
4) Someone deposits a coin, but also tries to spend it with the Merchant
   - Form of DLP problem
5) Someone in the Bank tries to forge a coin
   - Bad banker doesn't know $u$
6) Someone steals the coin from the Spender and tries to spend it
   - Thief doesn't know $u$, so cannot produce $r_1$ and $r_2$
7) Someone steals the coin and $(r_1, r_2, d)$ from the Merchant before it can be deposited
   - This works, just like it works in real life

Anonymity
- The Spender never has to provide ID during transactions with the Merchant (like paper currency)
- $\alpha_1$ and $\alpha_2$ provide a restricted blind signature for the coin
- Used once, the Spender keeps anonymity
- Used twice, the Spender goes to jail
- To test this, let $\alpha_1 = 1$
- The Bank can keep a list that matches values of $c$ and the corresponding $I$
- A deposited coin would allow the value of $H$ to be computed and compared to $c$
- Assuming only one person corresponds to each $c$, the identity would be compromised