digital cash4
Post on 29-May-2018
215 Views
Preview:
TRANSCRIPT
-
8/9/2019 Digital Cash4
1/36
1
Digital Cash
Jason Bay
Gilbert Zaragoza
-
8/9/2019 Digital Cash4
2/36
2
Overview History of Money
Intro to Digital Cash E-Commerce systems
RSA encryption
Digital Signatures Implementation of digital cash
-
8/9/2019 Digital Cash4
3/36
3
History of Money Barter trade
Money with intrinsicvalue
Money backed by reserves
Money with no intrinsic value (fiat)
-
8/9/2019 Digital Cash4
4/36
4
Digital cash Intangible
Can be transferred over informationnetworks
No intrinsic value (like fiat money)
-
8/9/2019 Digital Cash4
5/36
5
Digital Cash Since no intrinsic value, value derived
by agreement
Ability to authenticate
Agreement to honor
Recognize worth and legal tender
Allows for e-commerce
-
8/9/2019 Digital Cash4
6/36
6
Pre-requisites Public key encryption
Blind signatures (for anonymity) System/Protocol for e-transactions
-
8/9/2019 Digital Cash4
7/36
7
Digital Cash systems DigiCash
PayPal
SET
-
8/9/2019 Digital Cash4
8/36
8
Schematics of e-commerce
-
8/9/2019 Digital Cash4
9/36
9
The Participants The Cardholder
The Bank The Merchant
-
8/9/2019 Digital Cash4
10/36
10
Rivest-Shamir-Adleman Theorem:
Assume p and q are distinct prime numbers(typically large) and let m = pq. Let e be an integersuch that e (m) and set d = e-1 mod (m). Thenfor each integer x in the range 1 x < m we have that
(xe)d mod m = x
-
8/9/2019 Digital Cash4
11/36
11
RSA Process Step 1: Generate Keys
Public Keys: m and ePrivate Key: (m) = (p-1)(q-1)
d = e-1 mod (m)
Step 2: Establish ProtocolA protocol must be used to converttext messages into a sequence of
positive integers < m.
Step 3: Sending the MessageUsing the agreed upon protocol convert a message into a sequence of
positive integers < mFor each integer x, calculate y = xe mod m and send y.
Step 4: Decrypting the MessageFor each y, calculate x = yd mod mConvert each x into text using the established protocol
-
8/9/2019 Digital Cash4
12/36
-
8/9/2019 Digital Cash4
13/36
13
Electronic Signature RSA supports a scheme for deducing
that a given message could only havecome from one source.
Involves two sets of keys. The Sendersand the Receivers
Thus 2 sets of keys:
(es, ms), (ds,ms) & (er,mr),(dr,mr)
-
8/9/2019 Digital Cash4
14/36
14
Sending a Message Suppose I wish to send the message x to Jason
I would use my private key (dG, m
G) and Jasons
public key (eJ, mJ) to encipher x, such that:y = (xdG mod mG)
eJ mod mJ where mG < mJ
Notice that if mJ < mG, some parts of the messagewould have been lost. Therefore y < mJ or must bebroken into parts y < mJ and by default y < mG
-
8/9/2019 Digital Cash4
15/36
15
Deciphering a message Jason then takes y and deciphers it
using his private key and my public keysuch that:
x = (ydj mod mj)eG mod mG
-
8/9/2019 Digital Cash4
16/36
16
Why ItWorks Let z = xdJ mod mJ
(zeG mod mG)dG mod mG = z
eGdG mod mG =
z mod mG
= z
Since z < mG by default
Now substituting in for z(((xdJ mod mJ)
eG mod mG)dG mod mG)
eJ mod mJ= ((zeG mod mG)
dG mod mG)eJ mod mJ
= zeJ mod mJ= (xdJ mod mJ)
eJ mod mJ= xdJeJ mod mJ= x
-
8/9/2019 Digital Cash4
17/36
17
Fraud Suppose Prof. Carlsson intercepts my message to Jason in the
form:y = (xeJ mod mJ) dG mod mG
He could then strip off my signature by computingz = yeG mod eGand attach his own signature by computing
y = zdC mod mCand sending this message to Jason.
Jason upon receiving the message will assume it came fromProf. Carlsonn, although Prof. Carlsonn will not have knownwhat message he sent.
-
8/9/2019 Digital Cash4
18/36
18
Protection AgainstFraud Time and name stamp within message Always encipher using the private key first.
Each person could publish
-
8/9/2019 Digital Cash4
19/36
-
8/9/2019 Digital Cash4
20/36
20
DSS Parameters A prime p in the range
2L-1 < p < 2L, where 512 < L < 1024 and L is a multiple of64 A prime q that divides p-1 and where
2159 < q < 2160
An integer g in the range 1 < g < pg = h(p-1)/q mod p
A randomly generated integer x in the range
0 < x < q The integer y = gx mod p A randomly generated integer k in the range
0 < k < q
-
8/9/2019 Digital Cash4
21/36
21
DSS Signing Public keys are p, q, and g, which can be
shared by a group
Individuals have private key x, and public keyy and a new k is chosen for each signeddocument
A digital signature of an encrypted message,
m, is a pair (r, s) of integersr = (gk mod p) mod q
s = k-1(m + xr) mod q
-
8/9/2019 Digital Cash4
22/36
22
Verifying Signatures To verify a signature compute
t = ms
-1
mod qu = rs-1 mod q
v = (gtyu mod p) mod q
Ifv = r then the signature is verified
-
8/9/2019 Digital Cash4
23/36
23
Why Verification Workss-1 mod q = k(m +xr)-1 mod q
s-1(m+xr)mod q = k mod q
Therefore(guyv mod p) mod q = (gmt mod qyrt mod q mod p) mod q
= (gmt mod qgxrt mod q mod p) mod q
= (gmt+xrt mod q mod p) mod q
= (g(m+xr)s-1 mod qmod p) mod q
= (gk mod q mod p) mod q
= (gk mod p) mod q
= r
-
8/9/2019 Digital Cash4
24/36
24
DSS Example
-
8/9/2019 Digital Cash4
25/36
25
Classifications Identified vs. Anonymous
Online vs.Offline
Most interesting case: Anonymous offlinedigital cash
-
8/9/2019 Digital Cash4
26/36
26
Key problem Anonymous offline digital cash
Prevention of double-spending
Counterfeiting is easy
Discussion method: S. Brands
Schnorr-type protocol
Challenge-and-response to prove possession ofcoin
Restricted blind signatures to protect identity
-
8/9/2019 Digital Cash4
27/36
-
8/9/2019 Digital Cash4
28/36
28
InitializationVariable Relation Known to bank? Known to spender?
g, g1, g2 g is index of rest YES YES
x Bank ID YES NO
h, h1, h2 hi | gix (mod p) YES YES
u Spender ID NO YES
I I | g1u (mod p) YES YES
z z| (Ig2)x (mod p) YES YES
-
8/9/2019 Digital Cash4
29/36
29
Coin Creation (A,B,z,a,b,r)Variable Relation Known to bank? Known to spender?
w Random # unique toeach coin
YES NO
gw, gw | gw (mod p)
| (Ig2)w (mod p)
YES YES
s,x1,x2,E1, E2 Random # unique toeach coin
NO YES
A, B A | (Ig2)s (mod p)
B | (g1x1
g2x2
) (mod p)
YES YES
Z z | zs (mod p)z | (Ig2)
s.x (mod p)YES YES
a, b a | (gwE1gE2) (mod p)
b | s.E1AE2 (mod p)YES YES
-
8/9/2019 Digital Cash4
30/36
30
Coin Creation (r)Variable Relation Known to bank? Known to spender?
c c | E1-1H(A,B,z,a,b)
(mod q)YES YES
c1 c1 | c.x + w (mod q) YES YES
r r | E1c1 + E2 (mod q) YES YES
-
8/9/2019 Digital Cash4
31/36
-
8/9/2019 Digital Cash4
32/36
32
Double-spending problem Spender computes r1|dus + x1, r2| ds
+ x2 (mod q) and sends to merchant
d Hashed, unique transaction identifiercomputed by merchant
u Spenders secret number
s, x1, x2 Secret numbers (only spenderknows)
-
8/9/2019 Digital Cash4
33/36
33
Double-spending problem In double spending, each merchant sends a
differentvalue of d, say d
r1 | dus + x1, r2| ds + x2 (mod q)r1| dus + x1, r2| ds + x2 (mod q)
Bank receives two sets of (r1,r2,d) r1 - r1| us(d-d), r2 - r2| s(d-d) (mod q)
u|
(r1 - r1)(r2 - r2)-1
(mod q) and the spender isidentified
Much like 2 points determine line, u is theslope of line.
-
8/9/2019 Digital Cash4
34/36
34
Built-in features Only the Spender knows how to generate r1,
r2
Only Bank knows how to compute c1 Bank employee can cheat, but cannot
compute r1, r2 Only 1 transaction per coin since Merchant
does not know how to generate r1, r2 -> Easyto identify all parties involved: Bank, Spender,Merchant once fraud detected
-
8/9/2019 Digital Cash4
35/36
35
Anonymity Bank cannot identify coin with Spender since
it does not know A,B,z,a,b,r at time of coin
creation At time of deposit, no change since A,B,z,a,b
are random powers of g and thereforerandom numbers to all but Spender
E1, E2 provide restricted blind signature.Single use cannot identify Spender, butdouble-spending does
-
8/9/2019 Digital Cash4
36/36
36
The End
top related