Digital%20Cash

1
Digital Cash

• Mehdi Bazargan
• Fall 2004

2
Introduction

• Definition
• Motivations
• Overview
• Properties
• Blind Signatures
• Brands Scheme
• Analysis

3
Definition

• Since hard currency or paper cash carries total
  anonymity in transactions, the term digital
  cash is coined to refer to anonymous electronic
  token based payment systems.
• Digital Cash is meant to work as paper cash.
• There are different implementation of Digital
  Cash.
• Digital Cash is a technical product of
  anonymous digital commerce in strategic level.
• It is a highly political subject.

4
Well

• Anonymous? How can I prove I made my payments?
• Private? What keeps the bank from stealing from
  me?
• If a government doesn't know who pays whom, how
  can it collect an income tax?
• If the ownership of financial assets is
  indeterminate, what happens to taxes on financial
  assets?

5
Motivations

• Comparing to paper cash, paper cash is slow,
  vulnerable, costly, and difficult to transfer.
• Compared to credit cards, digital cash provides
  more anonymity and security.

6
Overview
1. Alice deposits cash into the bank 2. Alice
receives some coins 3. Alice sends over the coins
to Bob 4. Bob receives the coins 5. Bob cashes
the coins and send Alice the product
7
Overview

• There are several approaches in implementing
  digital cash Simple Anonymous Cash by
  Fiat-Caum-Naor, Traceable Anonymous Cash by
  Ferguson, the Brands scheme, and Auditable,
  Anonymous Electronic Cash by Sander-Ta-Shama.
• The introduced methods have advantages and
  disadvantages. The Brands scheme provides
  reasonable security and anonymity however, it is
  more complicated.

8
Overview

• In Brands Scheme, we will mostly get benefit
  from a set of algorithms and mathematical
  toolkits
• Prime Factorization
• In short, it is hard to calculate prime factors
  of Np.q
• where p and q are large primes.
• Discrete Log Problem
• In short, if you have x ga mod p, it is hard
  to find a
• where x and g are known.

9
Overview

• Representation Issue in Groups with Prime Order
• Given a prime group G and a generator tuple of
  G (g1,
• g2,..gn), and constant h, it is hard to find a
  
• representation of h as ?ki1 (giai) where ai
  belongs to Z.
• However, it would be easy if you know the
  generator
• tuple and integers ai.
• Schnorrs Digital Signature
• A method of signing messages and verifying
  validity of
• signatures.

10
Properties

• Some important features of the system include
  these
• The on-line system is a self-contained subset
  of the off-line system, and if the off-line
  features are not used, the remaining
  software-only system still could be efficiently
  implemented.
• Payments are private-- i.e. untraceable and
  unlinkable.
• The customer is protected from fraudulent bank
  claims that the customer is double-spending (i.e.
  protected from framing attempts by the bank),
• There is non-repudiation-- customers cannot
  deny having made a valid payment.

11
Restrictive Blind Signature

• Let M denote a message. This message may be
  anything, including a piece of digital cash to be
  signed. To sign this message, the bank will raise
  it to the power x mod p, yielding
• 1 z signed(M) Mx.
• If we raise the message M to a random power w,
  we will call the result b a pseudo- signature.
  That is,
• 2 b pseudo-signed(M) Mw.

12
Restrictive Blind Signature

• The public key of the signer is a generator g
  raised to the power x. So let's call the
  generator g raised to a random power w a
  pseudo-public key. Label this a. Thus we have
• 3 public key h gx,
• 4 pseudo-public
• key a gw.

13
Restrictive Blind Signature

• The steps in the restrictive blind signature
  protocol are as follows (all calculations in this
  protocol are done mod p, unless otherwise
  stated)
• Step 1 The customer, Alice, sends a message M to
  the bank. It is intended that the bank sign M
  with its secret key x z Mx
• The proof is to guarantee to the customer that
  the bank has signed M with a valid signature
  namely with its secret key x.

14
Restrictive Blind Signature

• Step 2 The bank, generates a random number w
  and sends to the receiver, Alice, the following
  elements
• the signed message z Mxthe pseudo-public key
  a gwthe pseudo-signed message b Mw
• We shall see that b a will be used in part to
  provide zero-knowledge proof for Alice that the
  banks signature is valid.

15
Restrictive Blind Signature

• Step 3 The receiver generates a challenge c. To
  do this, the customer first generates four random
  numbers s, t and u, v. Using s and t, the
  customer computes modifications of M and z,
  namely the blinded message M' and the signed
  blinded message z'
• 5 M' Ms gt (blinded message)
• 6 z' zsht
• (Mx)s(gx)t
  Msgtx M'x (signed blinded
  message)

16
Restrictive Blind Signature

• Using u and v, the receiver (customer) computes
  modifications of a, and b, namely, a', and b'
• 7 a' augv (gw)ugv gw',
• 8 b' a(ut)b(us)M'v
• (gw)(ut)(Mw)(us)M'v
  (gt)(uw)(Ms)(uw)M'v
  M'(uw)M'v M'w'.
• where
• 9 w' uw v mod q.

17
Restrictive Blind Signature

• The customer then computes the hash value
• 10 c' H(M', z', a', b'),
• and sends to the bank the challenge c
• 11 c c'/u mod q .
• Step 4 The signer (bank) responds with
• 12 r w cx mod q.
• Notice this is a point on a line with slope x
  (the secret key) and intercept w.

18
Restrictive Blind Signature

• Step 5 The receiver, Alice, uses the challenge
  c and the response r to check that
• 13 ahc gr
• and
• 14 bzc Mr .
• If so, the receiver accepts the signature.

19
Brands Scheme

• Uses the concepts in signature blinding as
  discussed. Brands implementation of Digital
  Cash considers
• Opening an Account
• Withdrawal
• Deposit
• Payment

20
Opening an Account

• The user has public/private key pairs. These
  are not used in the protocols that follow so will
  not be denoted by individual symbols. But we
  require that the user be able to send digitally
  signed messages to the bank.
• To open an account, the user U generates a
  random number u1 from Z(q), and computes an
  identifier or public key
• 15 hu g1u1 mod p .

21
Opening an Account

• The user checks that hug2 is not equal to 1 mod
  p, and if so sends hu to the bank, keeping u1
  secret. The bank stores hu along with any other
  information it requires on U. The bank computes
  and returns to the user U a signature with its
  secret key x as follows
• 16 z (hug2)x mod p .

22
Withdrawal

• Before the user U is allowed to withdraw a coin,
  U must first prove ownership of his account.
• Step 1 The bank generates a random number w from
  Z(q), and sends the pseudo-public key a and the
  pseudo-signed message b to the user U
• 17 a gw mod p 18 b (hug2)w mod p

23
Withdrawal

• Step 2 The user U generates three random numbers
  s, x1 , and x2 from Z(q). These are used to
  calculate
• 19 A (hug2)s mod p 20 B g1x1g2x2
  mod p 21 z' zs mod p

24
Withdrawal

• U also generates two random numbers u, v from
  Z(q). These are used to calculate
• 22 a' augv mod p 23 b' b(su)Av
  mod p
• The user U then computes the challenge c' as
• 24 c' H(A, B, z', a', b')
• then sends the blinded challenge c back to the
  bank
• 25 c c'/u mod q .

25
Withdrawal

• The coin is the set of numbers A, B,
  (z',a',b',r').
• (z',a',b',r') is Schnorrs signature on A, B.
• Denominations take different g for each
  different denomination.

26
Withdrawal

• Step 3 The bank sends the response r
• 26 r w cx mod q
• and debits U's account in the amount equal to the
  value of one coin.
• Step 4 U accepts the debit only if
• 27 gr ahc mod p
• 28 (hug2)r bzc mod p .
• The user U also calculates r'
• 29 r' v ru mod q .

27
Payment

• When the user U is ready to spend the coin, the
  following protocol is enacted between the user
  and the shop S
• Step 1 The user sends A, B, (z',a',b',r') to
  S.
• Step 2 The shop returns the challenge d
• 30 d Ho(A, B, SHOP-ID, DATE-TIME) .
• Step 3 The user U calculates the responses r1,
  r2
• 31 r1 d(u1s) x1 mod q 32 r2 ds x2
  mod q

28
Payment

• Step 4 The shop S accepts the coin only if
• 33 gr' a'hc' mod p 34 Ar' b'z'c'
  mod p
• 35 AdB g1r1g2r2 mod p

29
Deposit

• When the shop S is ready to deposit the coin at
  the bank, the shop sends the payment transcript
  consisting of the coin A, B, (z',a',b',r'),
  along with (r1, r2) and the DATE-TIME of the
  transaction. The bank already knows the SHOP-ID,
  which is used in the communication.
• Step 1 The bank verifies equations 33 to
  35 to see that this is a valid coin.

30
Deposit

• Step 2 If the coin is valid, the bank checks
  its database to see if the coin was spent
  previously.
• CASE A If the coin is not in the database, then
  it was not previously spent. Hence the bank
  credits the account of S, and records the coin in
  the form
• A, B, DATE-TIME, r1, r2.

31
Deposit

• CASE B If the coin is already in the database,
  then a fraud has occurred. If S previously
  deposited the coin, and the DATE-TIME are the
  same, then S is trying to deposit the same coin
  or transcript twice. The deposit is rejected for
  that reason. The bank knows the identity of the
  shop S responsible.

32
Deposit

• CASE C. Otherwise, the coin has been
  double-spent, and the bank takes steps to unmask
  the double-spender. The bank has two sets of
  information on the coin
• A, B, DATE-TIME, r1, r2.A, B, DATE-TIME',
  r'1, r'2.
• Hence, the bank can calculate
• (r1 - r'1) / (r2 - r'2) d(u1s) - d'(u1s)
  / ds - d's u1 mod q.
• Thus it can check its database for the user
  identity!

33
Analysis

• Advantages
• Security of this system rests on the difficulty
  in finding discrete logarithmic factors. Other
  systems rely on prime factorization used in RSA.
  So the ability in factoring for large primes
  would not break this system as it would be the
  case in other systems.

34
Analysis

• Advantages
• The major advantage of this mechanism is that the
  user does not need to keep track many copies of
  identity and many different bills as is the case
  in other systems.

35
Analysis

• Disadvantages
• This scheme is difficult to understand and is
  more complex compared to other mechanisms used
  such as Chaums system. Moreover, since we use
  discrete logarithmic signatures, we have to deal
  with larger signatures compared to other methods.

36
References

• Jahanian Farsi, Mandana. Digital Cash.
  Retrieved November. 2004
• www.simovits.com/archive/dcash.pdf
• Cormen, Leiserson, Rivest, and Stein.
  Introduction to Algorithms.
• Massachussetts McGraw Hill, 2001.
• Sander, Ta-Shama. Auditable, Anonymous
  Electronic Cash. Retrieved
• November. lt2004 www.cs.tau.ac.il/amnon/Pape
  rs/ST.crypto99.pdfgt
• Bleumer, Gerrit. Electronic Cash. 25 April.
  2004.
• http//www.win.tue.nl/henkvt/GBl.ElectronicCa
  sh.pdf
• Orlin Grabbe,J . Stefan Brands' System of
  Digital Cash . 1997.
• http//www.aci.net/kalliste/stefbrdc.htm

37
Questions, Comments

• ?

38
(No Transcript)