digital cash4

Upload: gilbert-zaragoza

Post on 29-May-2018

TRANSCRIPT

  • 8/9/2019 Digital Cash4

    Digital Cash

    Jason Bay

    Gilbert Zaragoza

  • Overview

    History of Money

    Intro to Digital Cash

    E-Commerce systems

    RSA encryption

    Digital Signatures

    Implementation of digital cash

  • History of Money

    Barter trade

    Money with intrinsic value

    Money backed by reserves

    Money with no intrinsic value (fiat)

  • Digital cash

    Intangible

    Can be transferred over information networks

    No intrinsic value (like fiat money)

  • Digital Cash

    Since no intrinsic value, value derived by agreement

    Ability to authenticate

    Agreement to honor

    Recognize worth and legal tender

    Allows for e-commerce

  • Pre-requisites

    Public key encryption

    Blind signatures (for anonymity)

    System/Protocol for e-transactions

  • Digital Cash systems

    DigiCash

    PayPal

    SET

  • Schematics of e-commerce

  • The Participants

    The Cardholder

    The Bank

    The Merchant

  • Rivest-Shamir-Adleman

    Theorem: Assume $p$ and $q$ are distinct prime numbers (typically large) and let $m = pq$. Let $e$ be an integer such that $e$ is relatively prime to $\varphi(m)$ and set $d = e^{-1} \bmod \varphi(m)$. Then for each integer $x$ in the range $1 \le x < m$ we have that

    $(x^e)^d \bmod m = x$

  • RSA Process

    Step 1: Generate Keys

    Public Keys: $m$ and $e$

    Private Key: $\varphi(m) = (p-1)(q-1)$, $d = e^{-1} \bmod \varphi(m)$

    Step 2: Establish Protocol

    A protocol must be used to convert text messages into a sequence of positive integers $< m$.

    Step 3: Sending the Message

    Using the agreed upon protocol, convert a message into a sequence of positive integers $< m$.

    For each integer $x$, calculate $y = x^e \bmod m$ and send $y$.

    Step 4: Decrypting the Message

    For each $y$, calculate $x = y^d \bmod m$.

    Convert each $x$ into text using the established protocol.

  • Electronic Signature

    RSA supports a scheme for deducing that a given message could only have come from one source.

    Involves two sets of keys: the Sender's and the Receiver's.

    Thus 2 sets of keys:

    $(e_s, m_s), (d_s, m_s)$ & $(e_r, m_r), (d_r, m_r)$

  • Sending a Message

    Suppose I wish to send the message $x$ to Jason.

    I would use my private key $(d_G, m_G)$ and Jason's public key $(e_J, m_J)$ to encipher $x$, such that:

    $y = (x^{d_G} \bmod m_G)^{e_J} \bmod m_J$, where $m_G < m_J$

    Notice that if $m_J < m_G$, some parts of the message would have been lost. Therefore $y < m_J$ or must be broken into parts $y < m_J$, and by default $y < m_G$.

  • Deciphering a message

    Jason then takes $y$ and deciphers it using his private key and my public key such that:

    $x = (y^{d_J} \bmod m_J)^{e_G} \bmod m_G$

  • Why It Works

    Let $z = x^{d_J} \bmod m_J$

    $(z^{e_G} \bmod m_G)^{d_G} \bmod m_G = z^{e_G d_G} \bmod m_G = z \bmod m_G = z$

    since $z < m_G$ by default.

    Now substituting in for $z$:

    $(((x^{d_J} \bmod m_J)^{e_G} \bmod m_G)^{d_G} \bmod m_G)^{e_J} \bmod m_J$

    $= ((z^{e_G} \bmod m_G)^{d_G} \bmod m_G)^{e_J} \bmod m_J$

    $= z^{e_J} \bmod m_J$

    $= (x^{d_J} \bmod m_J)^{e_J} \bmod m_J$

    $= x^{d_J e_J} \bmod m_J$

    $= x$

  • Fraud

    Suppose Prof. Carlsson intercepts my message to Jason in the form:

    $y = (x^{e_J} \bmod m_J)^{d_G} \bmod m_G$

    He could then strip off my signature by computing

    $z = y^{e_G} \bmod m_G$

    and attach his own signature by computing

    $y = z^{d_C} \bmod m_C$

    and sending this message to Jason.

    Jason, upon receiving the message, will assume it came from Prof. Carlsson, although Prof. Carlsson will not have known what message he sent.

  • Protection Against Fraud

    Time and name stamp within message

    Always encipher using the private key first.

    Each person could publish
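
The two orderings from the signature slides, run on toy numbers to show why the private key goes on first. This is an added example, not part of the original slides; the key sizes, primes, role assignments and function names are constructed for illustration (textbook RSA, no padding).

```python
from math import gcd

def make_key(p, q, e):
    """Return (e, d, m) with m = pq and d = e^-1 mod phi(m)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(m)")
    return e, pow(e, -1, phi), p * q

def sign_then_encrypt(x, sender, receiver):
    """y = (x^dS mod mS)^eR mod mR; lossless only when mS < mR."""
    (_, d_s, m_s), (e_r, _, m_r) = sender, receiver
    if not (0 < x < m_s < m_r):
        raise ValueError("need 0 < x < m_sender < m_receiver")
    return pow(pow(x, d_s, m_s), e_r, m_r)

def decrypt_then_verify(y, sender, receiver):
    """x = (y^dR mod mR)^eS mod mS."""
    (e_s, _, m_s), (_, d_r, m_r) = sender, receiver
    return pow(pow(y, d_r, m_r), e_s, m_s)

def encrypt_then_sign(x, sender, receiver):
    """Fraud-slide form: y = (x^eR mod mR)^dS mod mS (signature outermost)."""
    (_, d_s, m_s), (e_r, _, m_r) = sender, receiver
    if not (0 < x < m_r < m_s):
        raise ValueError("need 0 < x < m_receiver < m_sender")
    return pow(pow(x, e_r, m_r), d_s, m_s)

def replace_outer_signature(y, old_public, new_signer):
    """The outer layer comes off with the old signer's public (e, m) alone."""
    (e_o, m_o), (_, d_n, m_n) = old_public, new_signer
    z = pow(y, e_o, m_o)            # z is still enciphered for the receiver
    return pow(z, d_n, m_n)         # lossless here because z < m_n

def verify_then_decrypt(y, claimed_sender, receiver):
    (e_s, _, m_s), (_, d_r, m_r) = claimed_sender, receiver
    return pow(pow(y, e_s, m_s), d_r, m_r)

# Constructed toy keys (tiny primes): moduli 3233 < 8633 < 10403.
SMALL, MID, BIG = make_key(61, 53, 17), make_key(89, 97, 5), make_key(101, 103, 7)

def demo(x=1234):
    # Private key first: sender SMALL, receiver MID. Round trip recovers x.
    inner_ok = decrypt_then_verify(sign_then_encrypt(x, SMALL, MID), SMALL, MID) == x
    # Signature outermost: sender MID, receiver SMALL, third party BIG.
    y = encrypt_then_sign(x, MID, SMALL)
    y_swapped = replace_outer_signature(y, (MID[0], MID[2]), BIG)
    misattributed = verify_then_decrypt(y_swapped, BIG, SMALL) == x
    return inner_ok, misattributed
```

`demo()` returns `(True, True)`: the sign-first message round-trips, while the signature-outermost message still decrypts to `x` after its signature has been replaced, so the receiver attributes it to the wrong sender.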

  • DSS Parameters

    A prime $p$ in the range $2^{L-1} < p < 2^L$, where $512 < L < 1024$ and $L$ is a multiple of 64

    A prime $q$ that divides $p - 1$ and where $2^{159} < q < 2^{160}$

    An integer $g$ in the range $1 < g < p$, $g = h^{(p-1)/q} \bmod p$

    A randomly generated integer $x$ in the range $0 < x < q$

    The integer $y = g^x \bmod p$

    A randomly generated integer $k$ in the range $0 < k < q$

  • DSS Signing

    Public keys are $p$, $q$, and $g$, which can be shared by a group

    Individuals have private key $x$ and public key $y$, and a new $k$ is chosen for each signed document

    A digital signature of an encrypted message, $m$, is a pair $(r, s)$ of integers

    $r = (g^k \bmod p) \bmod q$

    $s = k^{-1}(m + xr) \bmod q$

  • Verifying Signatures

    To verify a signature compute

    $t = ms^{-1} \bmod q$

    $u = rs^{-1} \bmod q$

    $v = (g^t y^u \bmod p) \bmod q$

    If $v = r$ then the signature is verified

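  • Why Verification Works

    $s^{-1} \bmod q = k(m + xr)^{-1} \bmod q$

    $s^{-1}(m + xr) \bmod q = k \bmod q$

    Therefore, with $t = ms^{-1} \bmod q$ and $u = rs^{-1} \bmod q$ as on the verification slide:

    $(g^t y^u \bmod p) \bmod q = (g^{ms^{-1} \bmod q}\, y^{rs^{-1} \bmod q} \bmod p) \bmod q$

    $= (g^{ms^{-1} \bmod q}\, g^{xrs^{-1} \bmod q} \bmod p) \bmod q$

    $= (g^{(ms^{-1} + xrs^{-1}) \bmod q} \bmod p) \bmod q$

    $= (g^{(m + xr)s^{-1} \bmod q} \bmod p) \bmod q$

    $= (g^{k \bmod q} \bmod p) \bmod q$

    $= (g^k \bmod p) \bmod q$

    $= r$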

  • DSS Example
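
A run of the signing and verification formulas from the preceding slides on small numbers, added here as an example and not taken from the original slides. The parameters ($p = 7879$, $q = 101$, $h = 3$), the sample message and the function names are constructed and far below the size ranges the parameters slide requires; as on the slides, the integer $m$ is signed directly.

```python
import secrets

# Constructed toy parameters: Q is prime and divides P - 1 (7878 = 78 * 101).
P, Q, H = 7879, 101, 3
G = pow(H, (P - 1) // Q, P)           # g = h^((p-1)/q) mod p

def check_params(p=P, q=Q, g=G):
    """q must divide p - 1, and g must satisfy 1 < g < p with g^q = 1 mod p."""
    return (p - 1) % q == 0 and 1 < g < p and pow(g, q, p) == 1

def keygen():
    x = 1 + secrets.randbelow(Q - 1)  # private key, 0 < x < q
    return x, pow(G, x, P)            # public key y = g^x mod p

def sign(m, x, k=None):
    """Return (r, s). k is normally fresh per document; pass it only to
    reproduce a fixed example."""
    while True:
        kk = k if k is not None else 1 + secrets.randbelow(Q - 1)
        r = pow(G, kk, P) % Q
        s = pow(kk, -1, Q) * (m + x * r) % Q
        if r and s:                   # s = 0 would have no inverse at verify time
            return r, s
        if k is not None:
            raise ValueError("this k gives r = 0 or s = 0; choose another")

def verify(m, r, s, y):
    if not (0 < r < Q and 0 < s < Q): # reject out-of-range values up front
        return False
    s_inv = pow(s, -1, Q)
    t, u = m * s_inv % Q, r * s_inv % Q
    v = pow(G, t, P) * pow(y, u, P) % P % Q
    return v == r
```

With $x = 75$, $k = 50$ and $m = 22$ this gives $g = 170$, $y = 4567$ and the signature $(r, s) = (94, 97)$; changing the message to 23 makes verification return $v = 22 \ne r$.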

  • Classifications

    Identified vs. Anonymous

    Online vs. Offline

    Most interesting case: Anonymous offline digital cash

  • Key problem

    Anonymous offline digital cash

    Prevention of double-spending

    Counterfeiting is easy

    Discussion method: S. Brands

    Schnorr-type protocol

    Challenge-and-response to prove possession of coin

    Restricted blind signatures to protect identity

  • Initialization

    | Variable | Relation | Known to bank? | Known to spender? |
    |---|---|---|---|
    | $g, g_1, g_2$ | g is index of rest | YES | YES |
    | $x$ | Bank ID | YES | NO |
    | $h, h_1, h_2$ | $h_i \equiv g_i^x \pmod p$ | YES | YES |
    | $u$ | Spender ID | NO | YES |
    | $I$ | $I \equiv g_1^u \pmod p$ | YES | YES |
    | $z$ | $z \equiv (Ig_2)^x \pmod p$ | YES | YES |

  • Coin Creation (A,B,z,a,b,r)

    | Variable | Relation | Known to bank? | Known to spender? |
    |---|---|---|---|
    | $w$ | Random # unique to each coin | YES | NO |
    | gw, gw | $g_w \equiv g^w \pmod p$; $\equiv (Ig_2)^w \pmod p$ | YES | YES |
    | $s, x_1, x_2, E_1, E_2$ | Random # unique to each coin | NO | YES |
    | $A, B$ | $A \equiv (Ig_2)^s \pmod p$; $B \equiv g_1^{x_1} g_2^{x_2} \pmod p$ | YES | YES |
    | $z'$ | $z' \equiv z^s \pmod p$; $z' \equiv (Ig_2)^{s \cdot x} \pmod p$ | YES | YES |
    | $a, b$ | $a \equiv g_w^{E_1} g^{E_2} \pmod p$; b ≡ s.E1AE2 (mod p) | YES | YES |

  • Coin Creation (r)

    | Variable | Relation | Known to bank? | Known to spender? |
    |---|---|---|---|
    | $c$ | $c \equiv E_1^{-1} H(A,B,z,a,b) \pmod q$ | YES | YES |
    | $c_1$ | $c_1 \equiv c \cdot x + w \pmod q$ | YES | YES |
    | $r$ | $r \equiv E_1 c_1 + E_2 \pmod q$ | YES | YES |

  • Double-spending problem

    Spender computes $r_1 \equiv dus + x_1$, $r_2 \equiv ds + x_2 \pmod q$ and sends to merchant

    $d$: Hashed, unique transaction identifier computed by merchant

    $u$: Spender's secret number

    $s, x_1, x_2$: Secret numbers (only spender knows)

  • Double-spending problem

    In double spending, each merchant sends a different value of $d$, say $d'$

    $r_1 \equiv dus + x_1$, $r_2 \equiv ds + x_2 \pmod q$

    $r_1' \equiv d'us + x_1$, $r_2' \equiv d's + x_2 \pmod q$

    Bank receives two sets of $(r_1, r_2, d)$

    $r_1 - r_1' \equiv us(d - d')$, $r_2 - r_2' \equiv s(d - d') \pmod q$

    $u \equiv (r_1 - r_1')(r_2 - r_2')^{-1} \pmod q$ and the spender is identified

    Much like 2 points determine line, $u$ is the slope of line.
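
The bank-side check described on the two double-spending slides, as an added example that is not part of the original slides. The toy group ($p = 7879$, $q = 101$, $g_1 = 5263$), the string coin identifier standing in for the coin tuple, the account name and all secret values are constructed for illustration.

```python
P, Q, G1 = 7879, 101, 5263     # constructed toy group: G1 has prime order Q mod P

def respond(d, u, s, x1, x2):
    """Spender's reply (r1, r2) to the merchant's challenge d."""
    return (d * u * s + x1) % Q, (d * s + x2) % Q

class Bank:
    def __init__(self):
        self.accounts = {}     # I = g1^u mod p  ->  account holder
        self.deposits = {}     # coin id -> first (d, r1, r2) deposited

    def open_account(self, name, u):
        self.accounts[pow(G1, u, P)] = name

    def deposit(self, coin_id, d, r1, r2):
        """Return (status, identified account holder or None)."""
        if coin_id not in self.deposits:
            self.deposits[coin_id] = (d, r1, r2)
            return "accepted", None
        d0, r1_0, r2_0 = self.deposits[coin_id]
        if (d - d0) % Q == 0:
            # Same challenge twice: one transcript deposited again, not a
            # second spend, so there is only one point on the line.
            return "repeated transcript", None
        denom = (r2 - r2_0) % Q            # = s(d - d') mod q
        if denom == 0:
            return "unresolved", None      # only if s = 0, a malformed coin
        u = (r1 - r1_0) * pow(denom, -1, Q) % Q
        return "double spend", self.accounts.get(pow(G1, u, P))

def demo():
    bank = Bank()
    bank.open_account("alice", u=37)       # constructed sample values throughout
    s, x1, x2 = 11, 5, 90                  # per-coin secrets, known only to spender
    first = bank.deposit("coin-1", 23, *respond(23, 37, s, x1, x2))
    replay = bank.deposit("coin-1", 23, *respond(23, 37, s, x1, x2))
    second = bank.deposit("coin-1", 64, *respond(64, 37, s, x1, x2))
    return first, replay, second
```

A single deposit, or the same transcript deposited twice, gives the bank one point and no identity; the second spend under a different $d$ gives the second point, and the recovered slope $u$ is matched against the registered $I \equiv g_1^u \pmod p$.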

  • Built-in features

    Only the Spender knows how to generate $r_1$, $r_2$

    Only Bank knows how to compute $c_1$

    Bank employee can cheat, but cannot compute $r_1$, $r_2$

    Only 1 transaction per coin since Merchant does not know how to generate $r_1$, $r_2$ -> Easy to identify all parties involved: Bank, Spender, Merchant once fraud detected

  • Anonymity

    Bank cannot identify coin with Spender since it does not know A,B,z,a,b,r at time of coin creation

    At time of deposit, no change since A,B,z,a,b are random powers of g and therefore random numbers to all but Spender

    $E_1$, $E_2$ provide restricted blind signature. Single use cannot identify Spender, but double-spending does

  • The End