p2.
OUTLINE
Properties
Scheme
Initialization
Creating a Coin
Spending the Coin
Depositing the Coin
Fraud Control
Anonymity
p3.
Properties
1. Security
The cash can be sent securely through a computer network.
2. Cannot be copied and reused
3. Privacy (untraceability or anonymity)
If the cash is spent legitimately, neither the recipient nor the bank can identify the spender.
4. Off-line payment
No communication with the bank is needed during the transaction.
5. Transferability
The cash can be transferred to others.
6. Divisibility
A piece of cash can be divided into smaller amounts.
p4.
T. Okamoto and K. Ohta, "Universal electronic cash," Advances in Cryptology - CRYPTO '91, LNCS 576, Springer-Verlag, pp. 324-337, 1991. (satisfies properties 1 to 6)
S. Brands, "Untraceable off-line cash in wallets with observers," Advances in Cryptology - CRYPTO '93, LNCS 773, Springer-Verlag, pp. 302-318, 1994. (satisfies properties 1 to 4; this is the scheme described below)
p6.
Initialization (1/2)
Publish:
$p$: a large prime such that $q = (p - 1)/2$ is also prime.
$g$: the square of a primitive root mod $p$ (so $g$ generates the subgroup of order $q$).
$g_1 \equiv g^a \pmod p$, $g_2 \equiv g^b \pmod p$, where $a$ and $b$ are chosen secretly and discarded immediately.
$H$: a hash function, $H: \mathbb{Z} \times \mathbb{Z} \times \mathbb{Z} \times \mathbb{Z} \times \mathbb{Z} \to \mathbb{Z}_q^*$.
$H_0$: a hash function, $H_0: \mathbb{Z} \times \mathbb{Z} \times \mathbb{Z} \times \mathbb{Z} \to \mathbb{Z}_q^*$.
p7.
Initialization (2/2)
Bank:
1. Choose a secret number $x$.
2. Compute $h \equiv g^x$, $h_1 \equiv g_1^x$, $h_2 \equiv g_2^x \pmod p$.
3. Publish $h$, $h_1$, and $h_2$.
Spender:
1. Choose a secret number $u$.
2. Compute $I \equiv g_1^u \pmod p$.
3. Send $I$ to the Bank.
4. Receive $z' \equiv (I g_2)^x \pmod p$ from the Bank.
Merchant:
1. Choose an ID number $M$.
2. Register $M$ with the Bank.
p8.
Creating a Coin
Withdraw (Bank and Spender):
Bank: choose a random number $w$, compute $g_w \equiv g^w \pmod p$ and $\beta \equiv (I g_2)^w \pmod p$, and send $g_w$ and $\beta$ to the Spender.
Spender: choose a secret random 5-tuple of integers $(s, x_1, x_2, \alpha_1, \alpha_2)$ with $s \not\equiv 0 \pmod q$, and compute
$A \equiv (I g_2)^s$, $B \equiv g_1^{x_1} g_2^{x_2}$, $z \equiv z'^s$, $a \equiv g_w^{\alpha_1} g^{\alpha_2}$, $b \equiv \beta^{s \alpha_1} A^{\alpha_2} \pmod p$,
$c \equiv \alpha_1^{-1} H(A, B, z, a, b) \pmod q$,
and send $c$ to the Bank.
Bank: compute $c_1 \equiv c x + w \pmod q$ and send $c_1$ to the Spender.
Spender: compute $r \equiv \alpha_1 c_1 + \alpha_2 \pmod q$.
The coin is $C = (A, B, z, a, b, r)$.
p9.
Spending the Coin
Spender → Merchant: pay with the coin $(A, B, z, a, b, r)$.
Merchant: check whether $g^r \equiv a\, h^{H(A, B, z, a, b)} \pmod p$ and $A^r \equiv z^{H(A, B, z, a, b)}\, b \pmod p$; compute $d = H_0(A, B, M, \mathrm{Timestamp})$ and send $d$ to the Spender.
Spender: compute $r_1 \equiv d u s + x_1 \pmod q$, $r_2 \equiv d s + x_2 \pmod q$, and send $(r_1, r_2)$ to the Merchant.
Merchant: check whether $g_1^{r_1} g_2^{r_2} \equiv A^d B \pmod p$, then accept or reject.
p10.
Depositing the Coin
Merchant → Bank: deposit $(A, B, z, a, b, r)$ and $(r_1, r_2, d)$.
Bank: check whether the coin has been previously deposited or not, and whether
$g_1^{r_1} g_2^{r_2} \equiv A^d B \pmod p$,
$g^r \equiv a\, h^{H(A, B, z, a, b)} \pmod p$,
$A^r \equiv z^{H(A, B, z, a, b)}\, b \pmod p$.
Bank → Merchant: results.
p11.
Fraud Control (1/7)
Case 1: The Spender spends the coin twice.
Spender → Merchant 1: $C, (r_1, r_2, d)$
Spender → Merchant 2: $C, (r_1', r_2', d')$
When both are deposited, the Bank holds two responses for the same coin and computes
$r_1 - r_1' \equiv u s (d - d') \pmod q$, $r_2 - r_2' \equiv s (d - d') \pmod q$,
$u \equiv (r_1 - r_1')(r_2 - r_2')^{-1} \pmod q$, $I \equiv g_1^u \pmod p$,
which reveals the Spender's identity $I$. (This requires $d \ne d'$; since $d$ depends on $M$ and the Timestamp, two different spendings give different challenges except for a hash collision.)
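The withdrawal, spending and deposit steps above, together with the double-spender identification of Case 1, as an added Python walk-through. This is not code from the original slides or from Brands' paper. It assumes toy parameters ($p = 2039$, so $q = 1019$, far too small for real use), uses SHA-256 reduced into $\mathbb{Z}_q^*$ in place of $H$ and $H_0$, and the names Bank, Spender, merchant_challenge, verify_coin and verify_spend are the example's own. The random $a$ and $b$ are discarded as soon as $g_1$ and $g_2$ are computed, as the initialization slide prescribes. The deposit routine also shows the two other outcomes the fraud-control slides discuss: an identical transcript resubmitted by a merchant is rejected as a duplicate, and responses replayed under a fresh challenge $d'$ fail the $g_1^{r_1} g_2^{r_2} \equiv A^{d} B$ check.

```python
# Toy, insecure walk-through of Brands' off-line cash as summarised above.
# Added example, not the authors' code. Assumptions: p = 2039 is a toy modulus
# and SHA-256 reduced into Zq* stands in for H and H0, so only the algebra is real.
import hashlib
import secrets

P = 2039                    # prime with q = (p - 1) / 2 = 1019 also prime
Q = (P - 1) // 2
G = pow(2, 2, P)            # a square mod p, hence a generator of the order-q subgroup
_a, _b = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)
G1, G2 = pow(G, _a, P), pow(G, _b, P)   # g1 = g^a, g2 = g^b
del _a, _b                  # a and b are discarded immediately

def rand_zq_star():
    return 1 + secrets.randbelow(Q - 1)

def hash_zq_star(tag, *vals):
    # Hash into Zq* = {1, ..., q-1}; the tag separates H from H0 (assumption).
    digest = hashlib.sha256(tag + b"|".join(str(v).encode() for v in vals)).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def H(A, B, z, a, b):
    return hash_zq_star(b"H", A, B, z, a, b)

def H0(A, B, M, timestamp):
    return hash_zq_star(b"H0", A, B, M, timestamp)

def verify_coin(h, coin):
    # Merchant/bank check: g^r = a h^H(A,B,z,a,b) and A^r = z^H(A,B,z,a,b) b (mod p).
    A, B, z, a, b, r = coin
    e = H(A, B, z, a, b)
    return pow(G, r, P) == a * pow(h, e, P) % P and pow(A, r, P) == pow(z, e, P) * b % P

def verify_spend(coin, d, r1, r2):
    # Merchant/bank check: g1^r1 g2^r2 = A^d B (mod p).
    A, B = coin[0], coin[1]
    return pow(G1, r1, P) * pow(G2, r2, P) % P == pow(A, d, P) * B % P

def merchant_challenge(M, coin, timestamp):
    return H0(coin[0], coin[1], M, timestamp)           # d = H0(A, B, M, Timestamp)

class Bank:
    def __init__(self):
        self.x = rand_zq_star()
        self.h, self.h1, self.h2 = (pow(base, self.x, P) for base in (G, G1, G2))
        self._pending = {}      # withdrawal session -> w
        self.deposited = {}     # coin -> (r1, r2, d)

    def register(self, I):
        return pow(I * G2 % P, self.x, P)               # z' = (I g2)^x

    def withdraw_begin(self, I):
        w = rand_zq_star()
        sid = len(self._pending)
        self._pending[sid] = w
        return sid, pow(G, w, P), pow(I * G2 % P, w, P)  # g_w = g^w, beta = (I g2)^w

    def withdraw_finish(self, sid, c):
        return (c * self.x + self._pending.pop(sid)) % Q  # c1 = c x + w

    def deposit(self, coin, r1, r2, d):
        if not (verify_coin(self.h, coin) and verify_spend(coin, d, r1, r2)):
            return "rejected", None
        if coin not in self.deposited:
            self.deposited[coin] = (r1, r2, d)
            return "accepted", None
        p1, p2, pd = self.deposited[coin]
        if pd == d:
            return "duplicate", None                    # Case 2: same transcript resubmitted
        u = (r1 - p1) * pow(r2 - p2, -1, Q) % Q         # Case 1: u = (r1 - r1') (r2 - r2')^-1
        return "double-spent", pow(G1, u, P)            # I = g1^u names the spender

class Spender:
    def __init__(self, bank):
        self.u = rand_zq_star()
        while pow(G1, self.u, P) * G2 % P == 1:         # avoid the degenerate I g2 = 1
            self.u = rand_zq_star()
        self.I = pow(G1, self.u, P)
        self.z_prime = bank.register(self.I)
        self._coin_secrets = {}

    def withdraw(self, bank):
        sid, g_w, beta = bank.withdraw_begin(self.I)
        s, alpha1 = rand_zq_star(), rand_zq_star()     # s != 0 (mod q); alpha1 must be invertible
        x1, x2, alpha2 = (secrets.randbelow(Q) for _ in range(3))
        A = pow(self.I * G2 % P, s, P)
        B = pow(G1, x1, P) * pow(G2, x2, P) % P
        z = pow(self.z_prime, s, P)
        a = pow(g_w, alpha1, P) * pow(G, alpha2, P) % P
        b = pow(beta, s * alpha1, P) * pow(A, alpha2, P) % P
        c = pow(alpha1, -1, Q) * H(A, B, z, a, b) % Q  # blinded challenge sent to the bank
        r = (alpha1 * bank.withdraw_finish(sid, c) + alpha2) % Q   # r = alpha1 c1 + alpha2
        coin = (A, B, z, a, b, r)
        self._coin_secrets[coin] = (s, x1, x2)
        return coin

    def spend(self, coin, d):
        s, x1, x2 = self._coin_secrets[coin]
        return (d * self.u * s + x1) % Q, (d * s + x2) % Q   # (r1, r2)
```

Running Bank(), Spender(bank) and spender.withdraw(bank) yields a coin that passes verify_coin; spending it twice under two different merchant challenges and depositing both transcripts makes Bank.deposit return "double-spent" together with the Spender's $I$, recovered purely from $(r_1, r_2, d)$ and $(r_1', r_2', d')$. Note what the Bank never learns on the honest path: $s$, $x_1$, $x_2$, $\alpha_1$, $\alpha_2$ stay with the Spender, which is why a single spending reveals nothing about $u$.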
p12.
Fraud Control (2/7)
Case 2: The Merchant tries submitting the coin twice.
Merchant → Bank: $C, (r_1, r_2, d)$, and later the forged $C, (r_1', r_2', d')$.
Impossible! Resubmitting the same $(r_1, r_2, d)$ is caught by the "previously deposited" check, and producing a new triple $(r_1', r_2', d')$ with $g_1^{r_1'} g_2^{r_2'} \equiv A^{d'} B \pmod p$ is very difficult, since the Merchant does not know $u$.
p13.
Fraud Control (3/7)
Case 3: Someone tries to make an unauthorized coin.
Impossible! This requires finding numbers $(A, B, z, a, b, r)$ such that
$g^r \equiv a\, h^{H(A, B, z, a, b)} \pmod p$ and
$A^r \equiv z^{H(A, B, z, a, b)}\, b \pmod p$
without knowing the Bank's secret $x$.
p14.
Fraud Control (4/7)
Case 4: An evil merchant tries to spend a coin it has received.
1. The Spender spends $C$ at Merchant 1.
2. Merchant 1 deposits $C, (r_1, r_2, d)$ at the Bank.
3. Merchant 1 (evil) tries to spend $C$ at Merchant 2.
Impossible! Merchant 2 computes its own challenge $d'$ (very likely $\ne d$), and it is very difficult for the evil merchant to produce $(r_1', r_2')$ such that
$g_1^{r_1'} g_2^{r_2'} \equiv A^{d'} B \pmod p$.
p15.
Fraud Control (5/7)
Case 5: Someone working in the Bank tries to forge a coin.
Using the Bank's secret $x$ it is possible to make a coin that satisfies
$g^r \equiv a\, h^{H(A, B, z, a, b)} \pmod p$ and
$A^r \equiv z^{H(A, B, z, a, b)}\, b \pmod p$,
but the forger does not know $u$ and so cannot produce a suitable $r_1$. Hence the forged coin cannot be spent.
p16.
Fraud Control (6/7)
Case 6: Someone steals the coin from the Spender and tries to spend it.
Impossible! The thief does not know $u$ and so cannot produce $r_1$.
p17.
Fraud Control (7/7)
Case 7: An evil merchant steals the coin and $(r_1, r_2, d)$ from another merchant before they are submitted to the Bank, and then deposits them himself.
Possible! This is a flaw of ordinary cash, too.
p18.
Anonymity (1/3)
During the entire transaction with the Merchant, the Spender never needs to provide any identification.
p19.
Anonymity (2/3)
Is it possible for the Bank to extract the Spender's identity from knowledge of the coin $(A, B, z, a, b, r)$ and the triple $(r_1, r_2, d)$?
No.
A, B, z, a, b look like random numbers to everyone except the Spender.
The Bank never sees A, B, z, a, b, r until the coin is deposited.
p20.
Anonymity (3/3)
When creating the coin, the Bank provides only $g_w$, $\beta$ and $c_1$, and has seen only
$c \equiv \alpha_1^{-1} H(A, B, z, a, b) \pmod q$.
Because $\alpha_1$ is a random blinding factor, the Bank cannot compute $H(A, B, z, a, b)$ and deduce $\alpha_1$ at that time.
The Bank could keep a list of all values $c$ it has received, along with the value of $H$ for every coin that is deposited, and then try all combinations to find $\alpha_1$ (impractical for a system of millions of coins).