Electronic Cash

Electronic Cash. R. Newman. Topics. Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity Metrics for Anonymity Applications of anonymity technology. Payment forms. Barter Cash Check Wire transfer Credit/debit card

Presentation Transcript


  1. Electronic Cash R. Newman

  2. Topics • Defining anonymity • Need for anonymity • Defining privacy • Threats to anonymity and privacy • Mechanisms to provide anonymity • Metrics for Anonymity • Applications of anonymity technology

  3. Payment forms • Barter • Cash • Check • Wire transfer • Credit/debit card • E-cash

  4. Payment forms
     • Barter
        • Earliest form of payment
        • Value intrinsic in the bartered good/service
        • Physical presence of good/service
        • Not flexible, not easily divisible
     • Cash
     • Check
     • Wire transfer
     • Credit/debit card
     • E-cash

  5. Payment forms
     • Barter
     • Cash
        • Difficult to trace
        • Hard to forge
        • Physical presence of coins, notes
        • May or may not have intrinsic value
     • Check
     • Wire transfer
     • Credit/debit card
     • E-cash

  6. Payment forms
     • Barter
     • Cash
     • Check
        • Easy to trace, can be revoked
        • Flexible amounts
        • Slow – hard to verify immediately
        • Can be mailed or used electronically
     • Wire transfer
     • Credit/debit card
     • E-cash

  7. Payment forms
     • Barter
     • Cash
     • Check
     • Wire transfer
        • Easy to verify
        • Fast
        • Expensive
     • Credit/debit card
     • E-cash

  8. Payment forms
     • Barter
     • Cash
     • Check
     • Wire transfer
     • Credit/debit card
        • Easy to verify quickly
        • Less expensive than wire transfer
        • Easy to trace, cards can be revoked
        • Convenient for electronic use (remote payment)
     • E-cash

  9. Electronic Payment Problems
     • Credentials can be stolen
        • Account number, name on card
        • Address, zip code easy to find
        • PIN revealed during use
     • Smart cards
        • Alleviate some of the issues above
        • Still, can be traced – privacy is lost

  10. Electronic Cash Requirements • Easy to use electronically • Convenience • Easy to verify • Inexpensive • Reliable • Detect forgeries easily • Easy for bank to generate, hard for others • Hard to trace (for payer) • Privacy • Easy to determine if used twice (for bank)

  11. Chaum Electronic Cash
     • Form of currency: $(x, f(x)^{1/3} \bmod n)$
     • $n$ is large composite whose factors known only to bank
     • $f$ is a one-way function

  12. Chaum Electronic Cash
     1. Alice chooses random $x$, $r$, sends Bank $B = r^3 f(x) \bmod n$
     2. Bank computes and returns cube root to Alice, $r\, f(x)^{1/3} \bmod n$
        • withdraws a dollar from Alice’s account
     3. Alice extracts $C = f(x)^{1/3} \bmod n$
     4. To pay Bob one dollar, Alice gives him $(x, f(x)^{1/3} \bmod n)$
     5. Bob immediately verifies coin with bank
        • ensures coin has not been spent already

  13. Chaum Electronic Cash • All can verify correct structure • Bank cannot associate coin with Alice’s account • But Bob must contact Bank immediately • Newer protocol removes this requirement • Allows bank to reveal Alice’s identity if coin spent twice

  14. Untraceable Coins • Bank publishes an RSA modulus n such that phi(n) has no small odd factors, sets security parameter k • k used for cut-and-choose verification • Let f and g be two-argument, collision-free functions – i.e., computationally infeasible to find two inputs that map to the same output • Alice has bank account number u • Bank associates counter v with account u

  15. Untraceable Coins
     • To get a coin:
     1. Alice chooses $a_i$, $c_i$, $d_i$, and $r_i$ independently and uniformly from residues modulo $n$, for $1 \le i \le k$
     2. Alice sends Bank blinded candidates: $B_i = r_i^3 f(x_i, y_i) \bmod n$, where $x_i = g(a_i, c_i)$ and $y_i = g(a_i \oplus (u \,\|\, (v + i)), d_i)$
     3. Bank chooses half of the candidates at random
     4. Alice provides Bank with $a_i$, $c_i$, $d_i$, and $r_i$ for the selected candidates (cut-and-choose)

  16. Untraceable Coins
     • To get a coin (cont’d):
     5. Bank verifies Alice was honest with those candidates, then sends Alice $\prod B_i^{1/3}$ for the remaining candidates, charges account $u$ a dollar, increments $v$ by $k$
     6. Alice extracts $C = \prod f(x_i, y_i)^{1/3} \bmod n$
     • Note: Bank catches Alice with high probability if she cheats with her blinded candidates

  17. Untraceable Coins
     • To use a coin
     1. Alice sends $C$ to Bob
     2. Bob chooses $k/2$ random bits $z_i$
     3. If $z_i = 1$, Alice sends Bob $a_i$, $c_i$, and $y_i$; else Alice sends Bob $x_i$, $a_i \oplus (u \,\|\, (v + i))$, and $d_i$
     4. Bob verifies form of $C$ and Alice’s responses fit
     5. Bob later sends $C$ and Alice’s responses to Bank
     6. Bank verifies correctness of spent coin and credits Bob’s account, stores $C$, $z_i$s, and responses

  18. Untraceable Coins
     • If Alice spends a coin twice,
        • It is likely that for some $i$, $z_i \oplus z_i' = 1$
        • Bank can search for $C$’s to see if coin was spent
        • If $C$ was used twice, it is likely that Bank has both $a_i$ and $a_i \oplus (u \,\|\, (v + i))$, for some $i$
        • So Bank can determine $u$ and catch Alice

  19. Untraceable Coins
     • If Alice colludes with a second vendor Charlie,
        • After spending her coin with Bob, they can arrange for Charlie to use the same $z_i$s as Bob
        • Bank knows that one cheated, but not which one!
        • And Bank can’t identify Alice!
     • Remedy: Force each vendor to use distinct $z_i$s for some portion of them, random $z_i$s for the rest (sufficient number to allow for many purchases by Alice)

  20. Proving Multiple Spending • Bank can frame Alice! (how?) • Hence, won’t hold up in court • To prevent this, Alice uses public key signatures • Computational security only • Alice uses pseudonymous account for each coin

  21. Proving Multiple Spending
     • Alice chooses for each $i$ random $z_i'$, $z_i''$
     • $u_i$ is of the form [Alice’s acct number $\|$ $z_i'$ $\|$ $z_i''$]
     • Along with $B_i$’s, Alice gives Bank signature for $g(z_1', z_1'') \,\|\, g(z_2', z_2'') \,\|\, \dots \,\|\, g(z_k', z_k'')$
     • During cut-and-choose, Bank verifies correctness of form of $u_i$ for each of the $k/2$ $B_i$’s it examines
     • Bank has proof of multiple spending of a coin whenever it can present preimage of at least $k/2+1$ of the $g(z_i', z_i'')$

  22. Other Results • Untraceable checks – issued with maximum value • Use coins with power-of-2 values to express arbitrary value as sum of powers of two • Retrieve unspent coins from check • Central Bank always an issue • Solved with Byzantine agreement in Bitcoin • Very different approach to valuation....
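
Added example (not part of the original slides): the blind cube-root withdrawal and online double-spend check from slides 11 to 13, in Python. The toy modulus, the use of SHA-256 for f, and the names `Bank`, `withdraw` and `deposit` are assumptions made for illustration; the key is far too small for real use.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy bank key (assumption): both primes are 2 mod 3,
# so cubing is invertible mod n and every value has one cube root.
P, Q = 2**64 - 59, 2**32 - 5
N = P * Q
D = pow(3, -1, (P - 1) * (Q - 1))    # bank's secret cube-root exponent

def f(x: int) -> int:
    """One-way function f from the slides, instantiated with SHA-256."""
    digest = hashlib.sha256(x.to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") % N

class Bank:
    def __init__(self):
        self.spent = set()           # x values of coins already deposited
        self.seen_blinded = []       # everything the bank sees at withdrawal

    def sign_blinded(self, b: int) -> int:
        self.seen_blinded.append(b)  # the account would be debited here
        return pow(b, D, N)          # cube root: r * f(x)^(1/3) mod n

    def deposit(self, x: int, c: int) -> bool:
        if pow(c, 3, N) != f(x) or x in self.spent:
            return False             # wrong structure, or already spent
        self.spent.add(x)
        return True

def withdraw(bank: Bank):
    """Alice's side of steps 1-3: blind, obtain cube root, unblind."""
    x = secrets.randbits(128)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:           # r must be invertible to unblind
            break
    blinded = pow(r, 3, N) * f(x) % N        # B = r^3 f(x) mod n
    signed = bank.sign_blinded(blinded)      # r f(x)^(1/3) mod n
    c = signed * pow(r, -1, N) % N           # C = f(x)^(1/3) mod n
    return x, c
```

The bank's withdrawal record holds only the blinded value B, so it cannot match a deposited (x, C) to the account that withdrew it, while anyone can check the coin's structure by cubing C.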
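
Added example (not part of the original slides): the challenge-response of slide 17 and the bank's identity recovery of slides 18 and 19, in Python. It leaves out the RSA blinding and models only the k/2 candidates inside the coin; SHA-256 for g, the 32-bit packing of u || (v + i), and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

def g(a: int, b: int) -> int:
    """Two-argument collision-free function g, here SHA-256 (assumption)."""
    data = a.to_bytes(16, "big") + b.to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def make_coin_secrets(u: int, v: int, half_k: int):
    """Alice's secrets for the k/2 candidates that end up in the coin."""
    coin = []
    for i in range(1, half_k + 1):
        a, c, d = (secrets.randbits(128) for _ in range(3))
        ident = (u << 32) | (v + i)          # u || (v + i), 32-bit fields
        coin.append({"a": a, "c": c, "d": d, "ident": ident,
                     "x": g(a, c), "y": g(a ^ ident, d)})
    return coin

def respond(coin, z):
    """Alice's answers to a vendor's challenge bits z (slide 17, step 3)."""
    out = []
    for s, bit in zip(coin, z):
        if bit == 1:
            out.append((s["a"], s["c"], s["y"]))
        else:
            out.append((s["x"], s["a"] ^ s["ident"], s["d"]))
    return out

def recover_xy(bit, r):
    """Vendor rebuilds (x_i, y_i) from either answer to check it against C."""
    return (g(r[0], r[1]), r[2]) if bit == 1 else (r[0], g(r[1], r[2]))

def bank_identify(z1, resp1, z2, resp2):
    """Given two deposits of one coin, return account u, or None."""
    for b1, r1, b2, r2 in zip(z1, resp1, z2, resp2):
        if b1 != b2:                         # z_i XOR z_i' = 1
            a = r1[0] if b1 == 1 else r2[0]
            masked = r2[1] if b1 == 1 else r1[1]
            return (a ^ masked) >> 32        # strip (v + i), leaving u
    return None    # identical challenges: the collusion case of slide 19
```

A single spend reveals either a_i or its masked form for each i, never both, so one transcript says nothing about u; only two transcripts that differ in some challenge bit do.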
