David Evans http://www.cs.virginia.edu/~evans
Lecture 12: Randomness and Cash

Cash is a problem. It’s annoying to carry, it spreads germs, and people can steal it from you. Checks and credit cards have reduced the amount of physical cash flowing through society, but the complete elimination of cash is virtually impossible. It’ll never happen; drug dealers and politicians would never stand for it. Checks and credit cards have an audit trail; you can’t hide to whom you gave money.
Bruce Schneier, Applied Cryptography

CS551: Security and Privacy
University of Virginia Computer Science

Menu
- Randomness
- Money

12 November 2018 University of Virginia CS 551

Random Numbers
- For numbers in range $0 \ldots 2^n - 1$, an observer with the first $m - 1$ numbers cannot guess the $m$th with probability better than $1/2^n$.

Good Random Numbers
- Lava Lamps (http://lavarand.sgi.com)
- Geiger Counter and Radioactive stuff

Pseudo-Random Number Generators
- Start in a hard-to-guess state
- Run an algorithm that generates an unpredictable sequence from that state

Bad Random Numbers

    srandom (time (NULL));
    for (...) random ();

- Doesn’t satisfy either property!
- random () doesn’t give cryptographic random numbers
- Using system clock in milliseconds to seed (even a good PRNG): there are only 24*60*60*1000 = 86.4M milliseconds in a day
- Fine for video games, not fine for protecting nuclear secrets.

Jefferson Wheel Challenge Key Generator

    #include <stdio.h>
    #include <stdlib.h>
    #include <time.h>

    #define NUMWHEELS 36

    int main (void)
    {
      long key[NUMWHEELS];
      int i, j;

      /* Weak on purpose: the clock value is the only secret. */
      srandom ((unsigned) time (NULL));
      for (i = 0; i < NUMWHEELS; i++) key[i] = random ();

      /* Print the wheel indices in decreasing order of their random value. */
      for (i = 0; i < NUMWHEELS; i++) {
        long highest = -1;
        int highindex = -1;
        for (j = 0; j < NUMWHEELS; j++) {
          if (key[j] > highest) { highindex = j; highest = key[j]; }
        }
        fprintf (stdout, "%d\n", highindex);
        key[highindex] = -1;   /* mark this wheel as used */
      }
      return 0;
    }

- Reduces key space from 36! ($3.7 \times 10^{41}$) to 86M!
- Challenge is now $2.3 \times 10^{34}$ easier!

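A Python analogue of the key generator above, added here as an illustration and not part of the lecture: it shows that a clock-seeded key is a pure function of the seed, so a reviewer who knows roughly when the key was made can reproduce it, and it sets a hardened generator beside it. The function names, the use of Python's `random.Random` in place of `srandom`/`random`, and the sample seed in the usage are assumptions.

```python
import random
import secrets

NUMWHEELS = 36
MS_PER_DAY = 24 * 60 * 60 * 1000   # 86.4M possible clock seeds, as on the slide


def wheel_order(rng):
    """Rank NUMWHEELS random draws, highest first, like the slide's loop."""
    draws = [rng.random() for _ in range(NUMWHEELS)]
    return sorted(range(NUMWHEELS), key=lambda i: draws[i], reverse=True)


def weak_key(ms_of_day):
    """Clock-seeded generator: the whole key is determined by the seed."""
    return wheel_order(random.Random(ms_of_day % MS_PER_DAY))


def find_seed(observed_key, window_start, window_len):
    """Audit check: can any seed in the time window reproduce the key?"""
    for seed in range(window_start, window_start + window_len):
        if weak_key(seed) == observed_key:
            return seed
    return None


def strong_key():
    """Hardened form: draws come from the OS CSPRNG, so there is no
    small seed space to walk through."""
    return wheel_order(secrets.SystemRandom())
```

If `find_seed` returns a value for a key produced in a known time window, the generator's effective key space is the number of possible seeds, not 36!.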
Yarrow-160
- Accumulate Entropy
  - Unspecified how: implementer decides
  - User keystrokes, disk seek times, network activity (be careful!), etc.
- Use entropy and SHA1 hash function to produce unpredictable $K$.
- Calculate random numbers:
  - $C = (C + 1) \bmod 2^n$
  - $R = E_K(C)$
  - $E_K$ is 3DES

Digital Cash

Real Cash
- Why does it have value?
  - Nice pictures of Mr. Jefferson (< 1¢)
  - Because it is hard to print (< 5¢)
  - Because other people think it does
  - We trust our government not to print too much
  - People who forge it get sent to jail

Counterfeiting
- Secret Service seized $209M in 1994 (of $380B circulated)
- Nearly 2/3 of US cash is in foreign countries
- Why did US bills change?
  - Iran and Syria probably print counterfeit US bills
  - They have a De La Rue Giori (Switzerland) printing press, same as used for old US bills
  - 1992 report, led to currency redesign
- Most foreign countries are smarter
  - Use of color
  - Obvious, well-known security features
  - Bigger bills for bigger denominations

Properties of Physical Cash
- Universally recognized as valuable
- Easy to transfer
- Anonymous
- Heavy
- Moderately difficult to counterfeit in small quantities
- Extremely difficult to get away with counterfeiting large quantities (unless you are Iran or Syria)

IOU Protocol (Lecture 9)
- $M$ = “I, Alice, owe Bob $1000.”
- Alice $\{KU_A, KR_A\}$ sends Bob (knows $KU_A$): $M$, $E_{KR_A}[H(M)]$
- Bob sends Judge (knows $KU_A$): $M$, $E_{KR_A}[H(M)]$
- Bob can verify $H(M)$ by decrypting, but cannot forge an $M$, $E_{KR_A}[H(M)]$ pair without knowing $KR_A$.

IOU Protocol
- Universally recognized as valuable
- Easy to transfer
- Anonymous
- Heavy
- Moderately difficult to counterfeit in small quantities
- Extremely difficult to get away with counterfeiting large quantities (unless you are Iran or Syria)

What is cash really?
- IOU from a bank
- Instead of generating, “I, Alice, owe Bob $1000”, let’s generate, “I, the Trustworthy Trust Bank, owe the bearer of this note $1000.”
- Alice asks the bank for an IOU, and the bank deducts $1000 from her account.

Bank IOU Protocol
- Universally recognized as valuable
- Easy to transfer
- Anonymous
- Heavy
- Moderately difficult to counterfeit in small quantities
- Extremely difficult to get away with counterfeiting large quantities (unless you are Iran or Syria)

Counterfeiting Bank IOUs
- Assuming the hash and signature are secure
- Alice gives Bob bank IOU for $1000
- Bob sends bank 100 copies of bank IOU
- The bank has lost $99 000.
- Bits are easy to copy! Hard to make something rare...

Bank Identifiers
- Bank adds a unique tag to each IOU it generates
- When someone cashes an IOU, bank checks that that IOU has not already been cashed
- Can’t tell if it was Alice or Bob who cheated
- Alice loses her anonymity – the bank can tell where she spends her money

Digital Cash, Protocol #1
- Alice prepares 100 money orders for $1000 each.
- Puts each one in a different sealed envelope, with a piece of carbon paper.
- Gives envelopes to bank.
- Bank opens 99 envelopes and checks they contain money order for $1000.
- Bank signs the remaining envelope without opening it (signature goes through carbon paper).

Digital Cash, Protocol #1 cont.
- Bank returns envelope to Alice and deducts $1000 from her account.
- Alice opens envelope, and spends the money order.
- Merchant checks the Bank’s signature.
- Merchant deposits money order.
- Bank verifies its signature and credits Merchant’s account.

Digital Cash, Protocol #1
- Is it anonymous?
- Can Alice cheat?
  - Make one of the money orders for $100000, 1% chance of picking right bill, 99% chance bank detects attempted fraud. Better make the penalty for this high (e.g., jail)
  - Copy the signed money order and re-spend it.
- Can Merchant cheat?
  - Copy the signed money order and re-deposit it.

Digital Cash, Protocol #2
- Idea: prevent double-spending by giving each money order a unique ID.
- Problem: how do we provide unique IDs without losing anonymity?
- Solution: let Alice generate the unique IDs, and keep them secret from bank.

Digital Cash, Protocol #2
- Alice prepares 100 money orders for $1000 each, adds a long, unique random ID to each note.
- Puts each one in a different sealed envelope, with a piece of carbon paper.
- Gives envelopes to bank.
- Bank opens 99 envelopes and checks they contain money order for $1000.
- Bank signs the remaining envelope without opening it.

Digital Cash, Protocol #2 cont.
- Bank returns envelope to Alice and deducts $1000 from her account.
- Alice opens envelope, and spends the money order.
- Merchant checks the Bank’s signature.
- Merchant deposits money order.
- Bank verifies its signature, checks that the unique random ID has not already been spent, credits Merchant’s account, and records the unique random ID.

Digital Cash, Protocol #2
- Is it anonymous?
- Can Alice cheat?
- Can Merchant cheat?
- Can bank catch cheaters?

Mimicking Carbon Paper
- How does bank sign the envelope without knowing what it contains?
- Normal signatures
  - Alice sends bank $M$
  - Bank sends Alice $S_M = E_{KR_{Bank}}(M)$
  - Alice shows $S_M$ to Bob, who decrypts with bank’s public key.

Blind Signatures
- Alice picks random $k$ between 1 and $n$.
- Sends bank $t = m k^e \bmod n$. ($e$ from Bank’s public key.)
- Bank signs $t$ using private key $d$. Sends Alice:
  $t^d = (m k^e \bmod n)^d \bmod n = (m k^e)^d \bmod n \equiv m^d k^{ed} \bmod n$
- What do we know about $k^{ed} \bmod n$?

Blind Signatures
- Alice gets $t^d \equiv m^d k \bmod n$
- Alice divides by $k$ to get $s_m \equiv m^d k / k \equiv m^d \bmod n$.
- Hence: bank can sign money orders without opening them!

Digital Cash Protocol #2
- Instead of envelopes, Alice blinds each money order using a different randomly selected $k_i$.
- The bank asks for any 99 of the $k_i$’s.
- The bank unblinds the messages (by dividing) and checks they are valid.
- The bank signs the other money order.
- Still haven’t solved the catching cheaters problem!

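The blind-signature arithmetic and the open-all-but-one check from the slides above, as an added Python example that is not part of the lecture. The toy RSA modulus built from two Mersenne primes, the money order text format, and all function names are assumptions made for the illustration.

```python
import math
import secrets

# Constructed toy bank key built from two Mersenne primes; not a safe key size.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # bank's private exponent d

def encode(order: str) -> int:
    """Money order text as an integer m < n."""
    m = int.from_bytes(order.encode(), "big")
    if m >= N:
        raise ValueError("order too long for the toy modulus")
    return m

def blind(m: int):
    """Alice: t = m * k^e mod n for a random k coprime to n. Returns (t, k)."""
    while True:
        k = secrets.randbelow(N - 2) + 2
        if math.gcd(k, N) == 1:
            return (m * pow(k, E, N)) % N, k

def bank_issue(blinded, reveal_k, amount: str):
    """Bank: open every order but one, then sign the unopened one blind."""
    keep = secrets.randbelow(len(blinded))
    for i, t in enumerate(blinded):
        if i == keep:
            continue
        k = reveal_k(i)                                  # Alice discloses k_i
        m = (t * pow(pow(k, E, N), -1, N)) % N           # divide out k^e
        text = m.to_bytes((m.bit_length() + 7) // 8, "big")
        if not text.startswith(amount.encode() + b" "):
            return keep, None                            # bad order: refuse
    return keep, pow(blinded[keep], D, N)                # t^d = m^d * k mod n

def unblind(signed_t: int, k: int) -> int:
    """Alice: divide by k, leaving s = m^d mod n."""
    return (signed_t * pow(k, -1, N)) % N

def verify(order: str, s: int) -> bool:
    """Merchant: s^e mod n must equal m."""
    return pow(s, E, N) == encode(order)
```

The unblinded value equals the signature the bank would have produced on the order directly, although the bank only ever saw the blinded value `t` for that order.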
Anonymity for Non-Cheaters
- Spend a bill once – maintain anonymity
- Spend a bill twice – lose anonymity
- Have we seen anything like this?

Digital Cash
- Alice prepares $n$ money orders each containing:
  - Amount
  - Uniqueness String: $X$
  - Identity Strings:
    $I_1 = (h(I_{1L}), h(I_{1R}))$
    ...
    $I_n = (h(I_{nL}), h(I_{nR}))$
- Each $I_n$ pair reveals Alice’s identity (name, address, etc.). I = IiL IiR.
- $h$ is a secure, one-way hash function.

Digital Cash, cont.
- Alice blinds (multiplies by random $k$) all $n$ money orders and sends them to bank.
- Bank asks for any $n-1$ of the random $k_i$s and all its corresponding identity strings.
- Bank checks money orders. If okay, signs the remaining blinded money order, and deducts amount from Alice’s account.

Digital Cash, cont.
- Alice unblinds the signed note, and spends it with a Merchant.
- Merchant asks Alice to randomly reveal either $I_{iL}$ or $I_{iR}$ for each $i$. (Merchant chooses $n$-bit selector string.)
- Alice sends Merchant corresponding $I_{iL}$’s or $I_{iR}$’s.
- Merchant uses $h$ to confirm Alice didn’t cheat.

Digital Cash, cont.
- Merchant takes money order and identity string halves to bank.
- Bank verifies its signature, and checks uniqueness string. If it has not been previously deposited, bank credits Merchant and records uniqueness string and identity string halves.

Digital Cash, cont.
- If it has been previously deposited, bank looks up previous identity string halves. Finds one where both L and R halves are known, and calculates $I$. Arrests Alice.
- If there are no $i$’s where different halves are known, arrest Merchant.

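The identity-string mechanism from the preceding slides, as an added Python example that is not part of the lecture: spending once reveals only one half of each pair, while a second spend with a different selector hands the bank both halves of some pair. It assumes the two halves combine by XOR to give I, uses SHA-256 as the one-way hash h, and leaves out blinding and the bank's signature; all names and sample values are constructed.

```python
import hashlib
import secrets


def h(data: bytes) -> str:
    """Stand-in for the slide's secure one-way hash h (SHA-256 here)."""
    return hashlib.sha256(data).hexdigest()


def make_identity_pairs(identity: bytes, n: int):
    """Alice: n random splits (L, R) of I with L xor R == I (assumed split)."""
    pairs = []
    for _ in range(n):
        left = secrets.token_bytes(len(identity))
        right = bytes(a ^ b for a, b in zip(left, identity))
        pairs.append((left, right))
    return pairs


def commitments(pairs):
    """What the money order carries: (h(I_iL), h(I_iR)) for each i."""
    return [(h(left), h(right)) for left, right in pairs]


def spend(pairs, selector):
    """Alice answers the selector: bit 0 reveals I_iL, bit 1 reveals I_iR."""
    return [pairs[i][bit] for i, bit in enumerate(selector)]


def merchant_check(commits, selector, halves):
    """Merchant: every revealed half must hash to the committed value."""
    return all(h(x) == commits[i][bit]
               for i, (bit, x) in enumerate(zip(selector, halves)))


class Bank:
    def __init__(self):
        self.seen = {}   # uniqueness string X -> (selector, halves)

    def deposit(self, x, selector, halves):
        if x not in self.seen:
            self.seen[x] = (list(selector), list(halves))
            return "credited", None
        old_sel, old_halves = self.seen[x]
        for i, (a, b) in enumerate(zip(old_sel, selector)):
            if a != b:   # both halves of pair i are now known
                ident = bytes(p ^ q for p, q in zip(old_halves[i], halves[i]))
                return "spender cheated", ident
        return "merchant cheated", None   # same halves deposited twice
```

Two honest merchants choose the same n-bit selector with probability 2^-n, which is the chance that a double spend goes unattributed to the spender.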
Digital Cash Protocol
- Universally recognized as valuable
- Easy to transfer
- Anonymous
- Heavy
- Moderately difficult to counterfeit in small quantities
- Extremely difficult to get away with counterfeiting large quantities (unless you are Iran or Syria)

Digital Cash Summary
- Preserves anonymity of non-cheating spenders (assuming large bank and standard denominations)
- Doesn’t preserve anonymity of Merchants
- Requires a trusted off-line bank
- Expensive – lots of computation for one transaction
- Other schemes (Millicent, CyberCoin, NetBill, etc.) proposed for smaller transactions

Charge
- PS3 due Wednesday
- Project proposal feedback in office hours tomorrow (3-5)
- Next class:
  - Factoring breakthrough
  - Attacking biometrics
  - Trust models