Electronic Cash R. Newman

Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity Metrics for Anonymity Applications of anonymity technology

Barter Cash Check Wire transfer Credit/debit card E-cash Payment forms

Barter Earliest form of payment Value intrinsic in the bartered good/service Physical presence of good/service Not flexible, not easily divisible Cash Check Wire transfer Credit/debit card E-cash Payment forms

Barter Cash Difficult to trace Hard to forge Physical presence of coins, notes May or may not have intrinsic value Check Wire transfer Credit/debit card E-cash Payment forms

Barter Cash Check Easy to trace, can be revoked Flexible amounts Slow – hard to verify immediately Can be mailed or used electronically Wire transfer Credit/debit card E-cash Payment forms

Barter Cash Check Wire transfer Easy to verify Fast Expensive Credit/debit card E-cash Payment forms

Barter Cash Check Wire transfer Credit/debit card Easy to verify quickly Less expensive than wire transfer Easy to trace, cards can be revoked Convenient for electronic use (remote payment) E-cash Payment forms

Credentials can be stolen Account number, name on card Address, zip code easy to find PIN revealed during use Smart cards Alleviate some of the issues above Still, can be traced – privacy is lost Electronic Payment Problems

Easy to use electronically Convenience Easy to verify Inexpensive Reliable Detect forgeries easily Easy for bank to generate, hard for others Hard to trace (for payer) Privacy Easy to determine if used twice (for bank) Electronic Cash Requirements

Form of currency: (x, f(x) 1/3 mod n) n is large composite whose factors known only to bank f is a one-way function Chaum Electronic Cash

1. Alice choses random x, r, sends Bank B = r 3 f(x) % n 2. Bank computes and returns cube root to Alice, r f(x) 1/3 % n withdraws a dollar from Alice’s account 3. Alice extracts C = f(x) 1/3 % n 4. To pay Bob one dollar, Alice give him (x, f(x) 1/3 % n) 5. Bob immediately verifies coin with bank ensures coin has not been spent already Chaum Electronic Cash

All can verify correct structure Bank cannot associate coin with Alice’s account But Bob must contact Bank immediately Newer protocol removes this requirement Allows bank to reveal Alice’s identity if coin spent twice Chaum Electronic Cash

Bank publishes an RSA modulus n such that phi(n) has no small odd factors, sets security parameter k k used for cut-and-choose verification Let f and g be two-arguement, collision-free functions – i.e., computationally infeasible to find two inputs that map to the same output Alice has bank account number u Bank associates counter v with account u Untraceable Coins

To get a coin: 1. Alice chooses a i, c i, d i, and r i independently and uniformly from residues modulo n, for 1 <= i <= k 2. Alice sends Bank blinded candidates: B i = r i 3 f(x i, y i ) % n where x i = g(a i, c i ) and y i = g(a i XOR (u || (v + i), d i ) 3. Bank chooses half of the candidates at random 4. Alice provides Bank with a i, c i, d i, and r i for the selected candidates (cut-and-choose) Untraceable Coins

To get a coin (con’t): 5. Bank verifies Alice was honest with those candiates, then sends Alice  B i 1/3 for the remaining candidates, charges account u a dollar, increments v by k 6. Alice extracts C =  f(x i, y i ) 1/3 % n Note: Bank catches Alice with high probability if she cheats with her blinded candidates Untraceable Coins

To use a coin 1. Alice sends C to Bob 2. Bob chooses k/2 random bits z i 3. If z i = 1, Alice sends Bob a i, c i, and y i else Alice sends Bob x i, a i XOR (u || (v + i), and d i 4. Bob verifies form of C and Alice’s responses fit 5. Bob later sends C and Alice’s responses to Bank 6. Bank verifies correctness of spent coin and credits Bob’s account, stores C, z i s, and responses Untraceable Coins

If Alice spends a coin twice, It is likely that for some i, z i XOR z i ’ = 1 Bank can search for C’s to see if coin was spent If C was used twice, it is likely that Bank has both a i and a i XOR (u || (v + i), for some i So Bank can determine u and catch Alice Untraceable Coins

If Alice colludes with a second vendor Charlie, After spending her coin with Bob, they can arrange for Charlie to use the same z i s as Bob Bank knows that one cheated, but not which one! And Bank can’t identify Alice! Remedy: Force each vendor to use distinct z i s for some portion of them, random z i s for the rest (sufficient number to allow for many purchases by Alice) Untraceable Coins

Bank can frame Alice! (how?) Hence, won’t hold up in court To prevent this, Alice uses public key signatures Computational security only Alice uses pseudonymous account for each coin Proving Multiple Spending

Alice chooses for each i random z i ’, z i ’’ u i is of the form [Alice’s acct number || z i ’ || z i ’’] Along with B i ’s, Alice gives Bank signature for g(z 1 ’, z 1 ’’) || g(z 2 ’, z 2 ’’) ||... || g(z k ’, z k ’’) During cut-and-choose, Bank verifies correctness of form of u i for each of the k/2 B i ’s it examines Bank has proof of multiple spending of a coin whenever it can present preimage of at least k/2+1 of the g(z i ’, z i ’’) Proving Multiple Spending

Untraceable checks – issued with maximum value Use coins of with power of 2 values to express arbitrary value as sum of powers of two Retrieve unspent coins from check Central Bank always an issue Solved with Byzantine agreement in Bitcoin Very different approach to valuation.... Other Results