Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Evans CS588: Cryptography University of Virginia Computer Science Lecture 18: Money

Published byJoan Hugg Modified over 9 years ago

Similar presentations

Presentation on theme: "David Evans CS588: Cryptography University of Virginia Computer Science Lecture 18: Money"— Presentation transcript:

1 David Evans http://www.cs.virginia.edu/evans CS588: Cryptography University of Virginia Computer Science Lecture 18: Money http://www.fun-with-money.com

2 12 April 2005University of Virginia CS 5882 Artist: Levente Jakab

3 12 April 2005University of Virginia CS 5883 Title 18, Section 474: Whoever prints, photographs, or in any other manner makes or executes any engraving, photograph, print, or impression in the likeness of any such obligation or other security, or any part thereof, or sells any such engraving, photograph, print, or impression, except to the United States, or brings into the United States, any such engraving, photograph, print, or impression, except by direction of some proper officer of the United States - is guilty of a class B felony. First Amendment: Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.

4 12 April 2005University of Virginia CS 5884 Properties of Physical Cash Universally recognized as valuable Easy to transfer Anonymous Works even when the banks are closed Big and Heavy –Average bank robbery takes $4552 –500 US bills / pound –Bill Gates net worth would be ~200 tons in $100 bills Moderately difficult to counterfeit small quantities Extremely difficult to get away with counterfeiting large quantities (unless you are Iran or Syria)

5 12 April 2005University of Virginia CS 5885 Bank IOU Protocol Alice {KU A, KR A } Trusty Bank {KU TB, KR TB } M M = “The Trusty Bank owes the holder of this message $100.” E KR TB [H(M)]

6 12 April 2005University of Virginia CS 5886 Bank IOU Protocol Alice {KU A, KR A } Trusty Bank {KU TB, KR TB } M E KR TB [H(M)] Bob M E KR TB [H(M)] Bob’s secret curry recipe E KU A [Bob’s secret curry recipe]

7 12 April 2005University of Virginia CS 5887 Bank IOU Protocol Trusty Bank M E KR TB [H(M)] Bob M E KR TB [H(M)] M

8 12 April 2005University of Virginia CS 5888 Bank IOU Protocol ¥Universally recognized as valuable €Easy to transfer £Anonymous xHeavy xModerately difficult to counterfeit in small quantities xExtremely difficult to get away with counterfeiting large quantities

9 12 April 2005University of Virginia CS 5889 Bank Identifiers Bank adds a unique tag to each IOU it generates When someone cashes an IOU, bank checks that that IOU has not already been cashed Can’t tell if it was Alice or Bob who cheated Alice loses her anonymity – the bank can tell where she spends her money

10 12 April 2005University of Virginia CS 58810 Digital Cash, Protocol #1 1.Alice prepares 100 money orders for $1000 each. 2.Puts each one in a different sealed envelope, with a piece of carbon paper. 3.Gives envelopes to bank. 4.Bank opens 99 envelopes and checks they contain money order for $1000. 5.Bank signs the remaining envelope without opening it (signature goes through carbon paper).

11 12 April 2005University of Virginia CS 58811 Digital Cash, Protocol #1 cont. 6.Bank returns envelope to Alice and deducts $1000 from her account. 7.Alice opens envelope, and spends the money order. 8.Merchant checks the Bank’s signature. 9.Merchant deposits money order. 10.Bank verifies its signature and credits Merchant’s account.

12 12 April 2005University of Virginia CS 58812 Digital Cash, Protocol #1 Is it anonymous? Can Alice cheat? –Make one of the money orders for $100000, 1% chance of picking right bill, 99% chance bank detects attempted fraud. Better make the penalty for this high (e.g., jail) –Copy the signed money order and re-spend it. Can Merchant cheat? –Copy the signed money order and re-deposit it.

13 12 April 2005University of Virginia CS 58813 Digital Cash, Protocol #2 Idea: prevent double-spending by giving each money order a unique ID. Problem: how do we provide unique IDs without losing anonymity? Solution: let Alice generate the unique IDs, and keep them secret from bank.

14 12 April 2005University of Virginia CS 58814 Digital Cash, Protocol #2 1.Alice prepares 100 money orders for $1000 each, adds a long, unique random ID to each note. 2.Puts each one in a different sealed envelope, with a piece of carbon paper. 3.Gives envelopes to bank. 4.Bank opens 99 envelopes and checks they contain money order for $1000. 5.Bank signs the remaining envelope without opening it.

15 12 April 2005University of Virginia CS 58815 Digital Cash, Protocol #2 cont. 6.Bank returns envelope to Alice and deducts $1000 from her account. 7.Alice opens envelope, and spends the money order. 8.Merchant checks the Bank’s signature. 9.Merchant deposits money order. 10.Bank verifies its signature, checks that the unique random ID has not already been spent, credits Merchant’s account, and records the unique random ID.

16 12 April 2005University of Virginia CS 58816 Digital Cash, Protocol #2 Is it anonymous? Can Alice cheat? Can Merchant cheat? Can bank catch cheaters?

17 12 April 2005University of Virginia CS 58817 Mimicking Carbon Paper How does bank sign the envelope without knowing what it contains? Normal signatures Alice sends bank M Bank sends Alice, S M = E KR Bank (M) Alice shows S M to Bob who decrypts with banks public key.

18 12 April 2005University of Virginia CS 58818 Blind Signatures Alice picks random k between 1 and n. Sends bank t = mk e mod n. ( e from Bank’s public key). Bank signs t using private key d. Sends Alice: t d = (mk e mod n ) d mod n = (mk e ) d mod n  m d k ed mod n What do we know about k ed mod n ?

19 12 April 2005University of Virginia CS 58819 Blind Signatures Alice gets t d  m d k mod n Alice divides by k to get s m  m d k / k  m d mod n. Hence: bank can sign money orders without opening them!

20 12 April 2005University of Virginia CS 58820 Digital Cash Protocol #2 Instead of envelopes, Alice blinds each money order using a different randomly selected k i. The bank asks for any 99 of the k i ’s. The bank unblinds the messages (by dividing) and checks they are valid. The bank signs the other money order. Still haven’t solved the catching cheaters problem!

21 12 April 2005University of Virginia CS 58821 Anonymity for Non-Cheaters Spend a bill once – maintain anonymity Spend a bill twice – lose anonymity Have we seen anything like this?

22 12 April 2005University of Virginia CS 58822 Digital Cash 1.Alice prepares n money orders each containing: AmountUniqueness String: X Identity Strings: I 1 = (h(I 1L ), h(I 1R ))... I n = (h(I nL ), h(I nR )) Each I n pair reveals Alice’s identity (name, address, etc.). I = I iL  I iR. h is a secure, one-way hash function.

23 12 April 2005University of Virginia CS 58823 Digital Cash, cont. 2.Alice blinds (multiplies by random k ) all n money orders and sends them to bank. 3.Bank asks for any n-1 of the random k i s and all its corresponding identity strings. 4.Bank checks money orders. If okay, signs the remaining blinded money order, and deducts amount from Alice’s account.

24 12 April 2005University of Virginia CS 58824 Digital Cash, cont. 5.Alice unblinds the signed note, and spends it with a Merchant. 6.Merchant asks Alice to randomly reveal either I iL or I iR for each i. (Merchant chooses n -bit selector string.) 7.Alice sends Merchant corresponding I iL ’s or I iR ’s. 8.Merchant uses h to confirm Alice didn’t cheat.

25 12 April 2005University of Virginia CS 58825 Digital Cash, cont. 9.Merchant takes money order and identity string halves to bank. 10.Bank verifies its signature, and checks uniqueness string. If it has not been previously deposited, bank credits Merchant and records uniqueness string and identity string halves.

26 12 April 2005University of Virginia CS 58826 Digital Cash, cont. 11.If it has been previously deposited, bank looks up previous identity string halves. Finds one where both L and R halves are known, and calculates I. Arrests Alice. 12.If there are no i ’s, where different halves are known, arrest Merchant.

27 12 April 2005University of Virginia CS 58827 Digital Cash Protocol Universally recognized as valuable Easy to transfer Anonymous xHeavy Moderately difficult to counterfeit in small quantities ?Extremely difficult to get away with counterfeiting large quantities

28 12 April 2005University of Virginia CS 58828 Digital Cash Summary Preserves anonymity of non-cheating spenders (assuming large bank and standard denominations) Doesn’t preserve anonymity of Merchants Requires a trusted off-line bank Expensive – lots of computation for one transaction Other schemes (Peppercoin, Millicent, CyberCoin, NetBill, etc.) proposed for smaller transactions

29 12 April 2005University of Virginia CS 58829 Printing more valuable paper than cash?

30 12 April 2005University of Virginia CS 58830

31 12 April 2005University of Virginia CS 58831 Germany 2006 Tickets Tickets will include RFID Encodes name, birthdate and passport number of purchaser

32 12 April 2005University of Virginia CS 58832 RFID Tags Passive devices –Uses RF signals from reader for power Range: a few meters Little memory: ~128 bits Little computation: no real cryptography Transmit number in response to request from reader

33 12 April 2005University of Virginia CS 58833 RFID Reader To avoid conflicts RFID reader queries bit-by-bit 000 001 010 011100 101 110 111 00011011 01 ? Graph from Ari Juels slide

34 12 April 2005University of Virginia CS 58834 RFID Applications From Ari Juels USENIX Security 2004 talk: RFID: Security and Privacy for Five-Cent Computers http://www.usenix.org/events/sec04/tech/slides/juels.htm “Just in case you want to know, she’s got 700 Euro and 20 World Cup tickets…” More Efficient Mugging

35 12 April 2005University of Virginia CS 58835 Blocking RFID [Juels, Rivest, & Szydlo CCS ‘03] Recall RFID Reader: 000 001 010 011100 101 110 111 00011011 01 ? Graph from Ari Juels slide

36 12 April 2005University of Virginia CS 58836 RFID Blocker Is there a tag that starts with 0? Is there a tag that stats with 1? Always respond yes, represent all possible tags

37 12 April 2005University of Virginia CS 58837 Picture from Ari Juels talk

38 12 April 2005University of Virginia CS 58838 Charge Cryptographers can make infinite amounts of money (but can’t make it heavy) CS150 Plug: Fall 2005 Course –Computer Science: from Ada & Euclid to Quantum Computing and the World Wide Web –Open to all University students No computing background expected But…covers material that will be new to most 4 th year CS students –Recruit your friends (especially from the College) to take it

Download ppt "David Evans CS588: Cryptography University of Virginia Computer Science Lecture 18: Money"

Similar presentations

Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Digital Cash Mehdi Bazargan Fall 2004.

Digital Cash Mehdi Bazargan Fall 2004.
David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.

David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.
ITIS 6200/8200. 2 Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
Information Assurance Management Key Escrow Digital Cash Week 12-1.

Information Assurance Management Key Escrow Digital Cash Week 12-1.
Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.

Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.
Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.

Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.

Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.
20-763 ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 11 Electronic Cash.

ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.
Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.

Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.

Quantum Cryptography Qingqing Yuan. Outline No-Cloning Theorem BB84 Cryptography Protocol Quantum Digital Signature.
ELECTRONIC PAYMENT SYSTEMS 20-763 SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 11 Electronic Cash.

ELECTRONIC PAYMENT SYSTEMS SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.
Announcements: 1. Presentations start Friday 2. Cem Kaner presenting O167 10 th block today. Questions? This week: DSA, Digital Cash DSA, Digital Cash.

Announcements: 1. Presentations start Friday 2. Cem Kaner presenting O th block today. Questions? This week: DSA, Digital Cash DSA, Digital Cash.
Digital Cash Damodar Nagapuram. Overview ► Monetary Freedom ► Digital Cash and its importance ► Achieving Digital Cash ► Disadvantages with digital cash.

Digital Cash Damodar Nagapuram. Overview ► Monetary Freedom ► Digital Cash and its importance ► Achieving Digital Cash ► Disadvantages with digital cash.
Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.

Announcements: 1. HW6 due now 2. HW7 posted Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Similar presentations

Ads by Google