Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.


1 Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends

2 Homework #3
Consider a verifiable secret sharing scheme (VSS) based on Shamir's polynomial secret sharing as follows. A dealer has a secret \(S\), a public prime \(p\) and a public generator \(g\) of \(Z_p^*\). The dealer gives player \(p_j\) a share \(s(j)\) in a degree-\(t\) polynomial whose value at zero is a random \(a_0\). The dealer publicizes \(S * a_0\), as well as commitments to all shares in the form \(g^{s(j)} \pmod p\). Suppose that an auditing agency wishes to check that the dealer is not corrupt. The agency can view all public information, but no secret data (in particular, no private share of any player). Furthermore, it cannot interact with the players, who might not be on-line during the check. Describe how the auditing agency can verify that all the commitments to shares are consistent, i.e., that any subset of \(t+1\) commitments defines the same, unique committed secret.

3 Homework #3
Suppose Bob has split a secret amongst n people such that k out of them can reconstruct the secret.
- Suppose Bob wants to increase k?
- Increase n?
- Decrease k?
- Decrease n?
What should he do?

4 Homework #3
Voting schemes:
- You want to arrange a Yes/No vote so that
  - Everyone's vote is secret
  - Anyone can verify that the final result is correct
- What can you do? Look up the literature on voting schemes.

5 Electronic Checks
Simple:
- Sign a document transferring money from your account to another account
- This document goes to your bank
- The bank verifies that this is not a copy of a previous check
- The bank checks your balance
- The bank transfers the sum

6 Problems
- Requires online access to the bank
- Is expensive (?): $0.25 per bank transaction minimum
- The bank / income tax authorities / etc. can easily trace your activities

7 Online Non-Anonymous Cash
Let's follow the flow of a $1 bill:
- The bank debits the customer account by $1, takes the string “account number” || “serial number”, signs it, and sends it to the customer
- The customer presents this to the merchant
- The merchant sends this to the bank, which verifies that the bill has not been used previously

8 Problems
- Requires online access to the bank
- Is expensive (?): $0.25 per bank transaction minimum
- The bank / income tax authorities / etc. can easily trace your activities
- Only difference from electronic check: does not have to check balance, does have to check non-reuse

9 Some concepts
- Untraceable electronic cash
  - Online
  - Offline
- Micropayment protocols
- “Real Protocols”: SET, EMC
  - EMC is really used, old
  - SET seems to be dead in the water

10 Main idea (Chaum): blind signatures
- RSA: \(m^{1/e} \bmod n\)
- Blind RSA:
  - Two party protocol:
    - Alice sends Bob \((r^e m) \bmod n\)
    - Bob computes \((r^e m)^{1/e} = r\,m^{1/e} \bmod n\)
    - Alice computes \(m^{1/e} \bmod n\)
- Problems:
  - Alice can get Bob to sign anything
  - Bob does not know what he is signing

11 Online Non-Anonymous Cash
Let's follow the flow of a $1 bill:
- Alice takes the string \(m\) = “account number” || “serial number”, chooses a random \(r\), and sends \(m r^e \bmod n\) to the bank
- The bank signs this message and sends \(m^{1/e} r\) to Alice
- Alice extracts a signature on “account number” || “serial number” (\(m^{1/e}\)), and gives it to the merchant
- The merchant sends this to the bank, which verifies that the bill has not been used previously

12 Problems
- No anonymity
- What is Alice getting signed anyway? The bank does not know.
  - Imagine that a signature on the string “f(s)” means one dollar
  - Alice could prove to the bank that this is the format of what she is asking for
    - Could be done via general multiparty computation
    - Could be done via cut and choose (the rabbit problem)

13 Online Anonymous Cash
- Alice chooses a random \(s\), \(r\), and sends \(r^e (f(s))\) to the bank
- The bank debits Alice's account by $1 and sends \(r\,(f(s))^{1/e}\) to Alice
- Alice extracts \((f(s))^{1/e}\), and gives it and \(s\) to the merchant
- The merchant sends this to the bank, which verifies that the bill (\(s\)) has not been used previously
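
The blind RSA protocol of slide 10 and the withdrawal and deposit flow of slide 13, run end to end. This is an added example, not part of the original lecture; the toy key, the use of SHA-256 for f, and the names `alice_blind`, `bank_sign`, `alice_unblind` and `Bank` are assumptions of the example.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy bank key from two small Mersenne primes; far too short for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: x^D is the slides' x^(1/e)

def f(s: bytes) -> int:
    """Bill format f(s); SHA-256 reduced mod n is an assumption of this example."""
    return int.from_bytes(hashlib.sha256(s).digest(), "big") % N

def alice_blind(s: bytes):
    """Pick a random invertible r and return (r, r^e * f(s) mod n)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r, (pow(r, E, N) * f(s)) % N

def bank_sign(blinded: int) -> int:
    """The bank signs blindly: (r^e f(s))^(1/e) = r * f(s)^(1/e) mod n."""
    return pow(blinded, D, N)

def alice_unblind(r: int, signed: int) -> int:
    """Divide out r to obtain f(s)^(1/e), the bill's signature."""
    return (signed * pow(r, -1, N)) % N

class Bank:
    """Online check on deposit: valid signature and unused serial s."""
    def __init__(self):
        self.spent = set()

    def deposit(self, s: bytes, sig: int) -> str:
        if pow(sig, E, N) != f(s):
            return "invalid"
        if s in self.spent:
            return "double-spend"
        self.spent.add(s)
        return "ok"

def demo():
    s = secrets.token_bytes(16)                 # Alice's random serial
    r, blinded = alice_blind(s)
    sig = alice_unblind(r, bank_sign(blinded))  # withdrawal
    bank = Bank()
    hidden = blinded != f(s)                    # the bank never saw f(s) itself
    return hidden, bank.deposit(s, sig), bank.deposit(s, sig), bank.deposit(b"forged", sig)
```

The second deposit of the same `s` is rejected only because the bank keeps the set of spent serials, which is why this scheme needs the bank online.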

14 Advantages & Problems:
- The bank has given Alice a bill, but does not know what the bill looks like
- The bank cannot later identify Alice with the bill
- The bank must be online at all times to identify bills
- Multiparty computation is entirely inefficient

15 How to do cut and choose here
- Alice sends the bank many values \(z_1, z_2, \ldots, z_k\)
- The bank asks Alice to reveal ½ of the values \(z_i = r_i (f(s_i))\)
- The bank extracts the root of the product of all the others
- The bill is valid if it is the root of a product of \((f(s_i))\)
- Remark: in this case, it is not clear that Alice needs to prove anything to the bank; any deviation from the protocol by Alice can only harm her

16 How to do Offline Anonymous Cash?
- If Alice “double spends” – she will be caught and identified
- If Alice does not – her anonymity is guaranteed
- The merchant cannot reuse the money (other than send it to the bank)

17 Idea: encode Alice's identity into the money
- Alice generates \(f(s_1), f(s_2), \ldots, f(s_k)\), \(t_1 \,\|\, f(t_1), f(t_2), \ldots, f(t_k)\), such that \(s_i \oplus t_i\) = “Alice”
- Alice sends blinded versions of all of these to the bank
- The bank verifies the correctness and sends Alice the root of the product of the indices not revealed
- The merchant asks Alice for the signature and for a random subset of the indices
- If Alice double spends, her identity becomes known to the bank.
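
How the identity encoding of slide 17 exposes a double spender, as an added example that is not part of the original lecture. It assumes that at each index the merchant's challenge bit selects whether Alice opens s_i or t_i, uses SHA-256 for f, and leaves out the bank's blind signature over the bill; all function names are hypothetical.

```python
import hashlib
import secrets

K = 16                                    # number of (s_i, t_i) pairs in one bill
IDENTITY = b"Alice".ljust(16, b"\0")      # constructed identity string, zero padded

def f(x: bytes) -> bytes:
    """One-way function f; SHA-256 is an assumption of this example."""
    return hashlib.sha256(x).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_bill():
    """Return Alice's secrets (s, t) with s_i xor t_i = IDENTITY, and the public bill."""
    s = [secrets.token_bytes(16) for _ in range(K)]
    t = [xor(si, IDENTITY) for si in s]
    return (s, t), [(f(si), f(ti)) for si, ti in zip(s, t)]

def spend(secret, challenge):
    """Alice opens s_i where the challenge bit is 1 and t_i where it is 0."""
    s, t = secret
    return [s[i] if bit else t[i] for i, bit in enumerate(challenge)]

def merchant_verify(bill, challenge, answers):
    """Each opened value must hash to the matching commitment in the bill."""
    return all(f(a) == bill[i][0 if bit else 1]
               for i, (bit, a) in enumerate(zip(challenge, answers)))

def bank_identify(first, second):
    """Two deposits of one bill: any index opened both ways yields s_i xor t_i."""
    (c1, a1), (c2, a2) = first, second
    for i in range(K):
        if c1[i] != c2[i]:
            return xor(a1[i], a2[i])
    return None                            # same challenge twice: nothing is revealed

def demo():
    secret, bill = make_bill()
    c1 = [1, 0] * (K // 2)                 # constructed challenges; merchants pick them at random
    c2 = [1, 1] * (K // 2)
    a1, a2 = spend(secret, c1), spend(secret, c2)
    ok = merchant_verify(bill, c1, a1) and merchant_verify(bill, c2, a2)
    return ok, bank_identify((c1, a1), (c1, a1)), bank_identify((c1, a1), (c2, a2))
```

A single spend opens only one value per index, each uniformly random on its own, so the identity stays hidden unless two merchants' challenges differ at some index.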

