Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Slides:

Advertisements

Similar presentations

Secure Multiparty Computations on Bitcoin

Advertisements

Digital Cash Mehdi Bazargan Fall 2004.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

Information Assurance Management Key Escrow Digital Cash Week 12-1.

Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.

ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.

Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Feb 18, 2003Mårten Trolin1 Previous lecture Block ciphers Modes of operations First assignment Hash functions.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.

ELECTRONIC PAYMENT SYSTEMS SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.

Public Key Crytography1 From: Introduction to Algorithms Cormen, Leiserson and Rivest.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

Announcements: 1. Presentations start Friday 2. Cem Kaner presenting O th block today. Questions? This week: DSA, Digital Cash DSA, Digital Cash.

Introduction to Modern Cryptography Homework assignments.

1 A practical off-line digital money system with partially blind signatures based on the discrete logarithm problem From: IEICE TRANS. FUNDAMENTALS, VOL.E83-A,No.1.

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.

K-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.

Module 8 – Anonymous Digital Cash Blind Signatures DigiCash coins.

Electronic Payment Systems. Transaction reconciliation –Cash or check.

E-Money / Digital Cash Lin Huang. Money / Digital Cash What is Money –Coins, Bill – can’t exist on two places at one time –Bearer bonds: immediate cashable.

Dan Boneh Introduction What is cryptography? Online Cryptography Course Dan Boneh.

Computer Science Public Key Management Lecture 5.

13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.

Digital Cash By Gaurav Shetty. Agenda Introduction. Introduction. Working. Working. Desired Properties. Desired Properties. Protocols for Digital Cash.

RSA Implementation. What is Encryption ? Encryption is the transformation of data into a form that is as close to impossible as possible to read without.

10/1/2015 9:38:06 AM1AIIS. OUTLINE Introduction Goals In Cryptography Secrete Key Cryptography Public Key Cryptograpgy Digital Signatures 2 10/1/2015.

Chapter 4: Intermediate Protocols

Lecture 8 e-money. Today Secure Electronic Transaction (SET) CyberCash On line payment system using e-money ECash NetCash MilliCent CyberCoin.

Public-Key Cryptography CS110 Fall Conventional Encryption.

Lecture 12 E-Commerce and Digital Cash. As communication technologies, such as the Internet and wireless networks, have advanced, new avenues of commerce.

Topic 22: Digital Schemes (2)

Micropayments Revisited Background for Peppercoin scheme By Willer Travassos.

Digital Signatures A primer 1. Why public key cryptography? With secret key algorithms Number of key pairs to be generated is extremely large If there.

6. Esoteric Protocols secure elections and multi-party computation Kim Hyoung-Shick.

Privacy Enhancing Technologies Spring What is Privacy? “The right to be let alone” Confidentiality Anonymity Access Control Most privacy technologies.

Based on Schneier Chapter 5: Advanced Protocols Dulal C. Kar.

Chapter 6:Esoteric Protocols Dulal C Kar. Secure Elections Ideal voting protocol has at least following six properties 1.Only authorized voters can vote.

Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.

Network Security – Special Topic on Skype Security.

Anonymous Digital Cash  Ashok Reddy  Madhu Tera  Laxminarayan Muktinutalapati (Lux)  Venkat Nagireddy.

31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

1. ◦ Intro ◦ Online shopping vs MOTO ◦ Credit card payments vs PayPal ◦ E-cash? 2.

Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.

Electronic Cash R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity.

Software Security Seminar - 1 Chapter 4. Intermediate Protocols 발표자 : 이장원 Applied Cryptography.

Electronic Payment Systems Presented by Rufus Knight Veronica Ogle Chris Sullivan As eCommerce grows, so does our need to understand current methods of.

Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

BZUPAGES.COM E-cash Payment System A company, DigiCash, has pioneered the use of electronic cash or e-cash. Anonymity of the buyer is the key feature of.

多媒體網路安全實驗室 Private Information Retrieval Scheme Combined with E- Payment in Querying Valuable Information Date： Reporter: Chien-Wen Huang 出處:

 5.1 Zero-Knowledge Proofs  5.2 Zero-Knowledge Proofs of Identity  5.3 Identity-Based Public-Key Cryptography  5.4 Oblivious Transfer  5.5 Oblivious.

A Secure Online Card Payment Protocol VIJAY CHOUDHARY M.Tech(IS), DTU.

CS580 Internet Security Protocols Huiping Guo Department of Computer Science California State University, Los Angeles 6. Blind Signature.

KNAPSACK公開金鑰密碼學 Algorithms FINITE DEFINITENESS INPUT/OUTPUT GENERALITY

第四章數位簽章.

第四章數位簽章.

Practical E-Payment Scheme

Anonymous Credentials

eCommerce Technology Lecture 13 Electronic Cash

Homework #3 Consider a verifyable secret sharing scheme (VSS) based on Shamir's polynomial secret sharing as follows. A dealer has a secret S, a public.

Presentation transcript:

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends

Homework #3 Consider a verifyable secret sharing scheme (VSS) based on Shamir's polynomial secret sharing as follows. A dealer has a secret S, a public prime p and a public generator g of Z p *. The dealer gives player p j a share s(j) in a degree-t polynomial whose value at zero is a random a 0. The dealer publicizes S * a 0, as well as commitments to all shares in the form g s(j) (mod p). Suppose that an auditing agency wishes to check that the dealer is not corrupt. The agency can view all public information, but no secret data (in particular, no private share of any player). Furthermore, it cannot interact with the players, who might not be on-line during the check. Describe how the auditing agency can verify that all the commitments to shares are consistent, i.e., that any subset of t+1 commitments defines the same, unique committed secret.

Homework #3 Suppose Bob has split a secret amongst n people such that k out of them can reconstruct the secret. –Suppose Bob wants to increase k? –Increase n? –Decrease k? –Decrease n? What should he do?

Homework #3 Voting schemes: –You want to arrange a Yes/No vote so that Everyones vote is secret Anyone can verify that the final result is correct What can you do? Look up the literature on voting schemes.

Electronic Checks Simple: Sign a document transferring money from your account to another account This document goes to your bank The bank verifies that this is not a copy of a previous check The bank checks your balance The bank transfers the sum

Problems Requires online access to the bank Is expensive (?) $0.25 per bank transaction minimum The bank / income tax authorities / etc. can easily trace your activities

Online Non-Anonymous Cash Let ’ s follow the flow of a $1 bill: The bank debits the customer account by $1, takes the string “ account number ” || “ serial number ”, signs it, and sends it to the customer The customer presents this to the merchant The merchant sends this to the bank, that verifies that the bill has not been used previously

Problems Requires online access to the bank Is expensive (?) $0.25 per bank transaction minimum The bank / income tax authorities / etc. can easily trace your activities Only difference from electronic check: does not have to check balance, does have to check non-reuse

Some concepts Untraceable electronic cash –Online –Offline Micropayment protocols “ Real Protocols ” – SET, EMC, –EMC is really used, old –SET seems to be dead in the water

Main idea (Chaum): blind signatures RSA: m 1/e mod n Blind RSA: –Two party protocol: Alice sends Bob (r e m) mod n Bob computes (r e m) 1/e = r m 1/e mod n Alice computes m 1/e mod n Problems: –Alice can get Bob to sign anything, –Bod does not know what he is signing

Online Non-Anonymous Cash Let ’ s follow the flow of a $1 bill: Alice takes the string m = “ account number ” || “ serial number ”, chooses a random r, and sends m r e mod n to the bank The bank signs this message and sends m 1/e r to Alice Alice extracts a signature on “ account number ” || “ serial number ” (m 1/e ), and gives it to the merchant The merchant sends this to the bank, that verifies that the bill has not been used previously

Problems No anonymity What is Alice having signed anyway? The bank does not know. –Imagine that a signature on the string “ f(s) ” means one dollar –Alice could prove to the bank that this is the format of what she is asking for Could be done via general multiparty computation Could be done via cut and choose (the rabbit problem)

Online Anonymous Cash Alice chooses a random s, r, sends r e (f(s)) to the bank The bank debits Alice ’ s account by $1 and send r (f(s)) 1/e to Alice Alice extracts (f(s)) 1/e, and gives it and s to the merchant The merchant sends this to the bank, that verifies that the bill (s) has not been used previously

Advantages & Problems: The bank has given Alice a bill, but does not know what the bill looks like The bank cannot later identify Alice with the bill The bank must be online at all times to identify bills Multiparty computation is entirely inefficient

How to do cut and choose here Alice sends the bank many values z 1, z 2, …, z k The bank asks Alice to reveal ½ of the values z i = r i (f(s i )) The bank extracts the root of the multiplication of all the others The bill is valid if it is of the root of a product of (f(s i )) Remark: in this case, it ’ s not clear that we need for Alice to prove anything to the bank, any deviation from protocol for Alice can only harm her

How to do Offline Anonymous Cash? If Alice “ double spends ” – she will be caught and identified If Alice does not – her anonymity is guaranteed The merchant cannot reuse the money (other than send it to the bank)

Idea: encode Alice ’ s identity into the money Alice generates f(s 1 ), f(s 2 ), … f(s k ), t 1 || f(t 1 ), f(t 2 ), …, f(t k ), such that s i xor t i = “ Alice ” Alice sends blinded versions of all of these to the bank The bank verifies the correctness and sends Alice the root of the product of the indices not revealed The merchant asks alice for the signature and for a random subset of the indices If Alice double spends, her identity becomes known to the bank.