Download presentation
Presentation is loading. Please wait.
1
Module 8 – Anonymous Digital Cash Blind Signatures DigiCash coins
2
Blind Signatures Analogy – place a document to be signed inside an envelope with a carbon paper over it, and have the signing party sign the envelope. Signing the envelope causes the document to be signed because of the carbon paper inside.
3
Customer wants the bank to sign coins, but does not want the bank to know the serial number of the coin since this would associate the coin with the customer, eliminating anonymity. Customer sends the bank a blinded coin, the bank signs it, and then the customer unblinds the coin. Since the bank cannot see the coin’s contents, the customer could attribute an arbitrary value to the coin and lie to the bank, thus paying 5 cents for a $1 coin. Therefore, only the serial number is supplied by the client – the bank uses different signing keys to denote different denominations.
4
Using public key cryptograpy, the bank generates key pairs for the different denominations of coins. The same modulus N is used, with different (e,d) key pairs. To withdraw a coin, the wallet software chooses a serial number and a random blinding factor r. The blinding factor is then raised to the power of the bank’s public key for the desired denomination, modulus N.
5
When the bank signs the message with the private signing key of the desired denomination, the blinding factor is raised to the power of the bank’s private key modulus N. Since the blinding factor has now been raised to both the public and private key exponents, the customer can divide the signed message by the blinding factor r and get the signed serial number.
6
(serial# * r e ) d (mod N) = serial# d * r ed (mod N) = serial# d * r (mod N) Dividing by r, we get the serial number signed in the bank’s private key, serial# d. The serial number was signed by the bank while it was blinded with the blinding factor r e, therefore the withdrawal is anonymous.
7
The serial numbers are randomly chosen by the wallet software. When a coin is spent, it’s serial number is revealed to the bank for the first time. The bank must record this serial number and check all future coins of the same denomination against the stored serial numbers to guard against double spending. The serial numbers must be large to avoid collisions Coins have an expiry date so that the serial numbers of expired coins do not have to be remembered by the bank. The wallet software will exchange coins before they expire.
8
Ecash Bank Merchant Software Client Wallet Web Browser Web Server 1. Select Order 2. Merchant wallet starts 3. Payment Request 4. Payment (coins, order) 5. Deposit coins 6. Accepted 7. Receipt 8. Send goods 9. Goods/acknowledgement From “Electronic Payment Systems”, O’Mahony, Peirce, and Tweari, 1997, pp155
9
Zero-Knowledge Proof Secret door A B 1) “A” watches as “B” successfully makes it through the “secret door”, proving to “A” that “B” can get through the door. 2) If the door opens upon the correct response to a “yes or no” question, “B” may just have been lucky. 3) Assume a different question is asked each time the door is approached. “A” therefore makes “B” go through the door many times.
10
The probability of “B” making through the door successfully by guessing correctly is Once = ½ Twice = ½ * ½ = ¼ … n times = (½) n = 1/2 n For example, succeeding 30 times without knowledge would be worse odds than one in a billion.
11
Typical example from graph theory – isomorphic graphs. A graph consists of nodes and edges between nodes. Two graphs G and H are isomorphic if there exists a mapping from the nodes of G to the nodes of H such that every edge in G connecting nodes a,b will be mapped to an edge in H connecting the mapped node of a to the mapped node of b, and there will be no additional edges or nodes in H that are not represented by this mapping. AB C D E I H L J K A->H B->I C->L D->J E->K
12
Given two graphs G and H that are isomorphic, it is difficult to find a mapping from G to H (NP complete). Given a graph G, it is easy to construct another graph K isomorphic to G. If a mapping from G to H is known, it is easy to construct a mapping from K to H by combining the mapping from K to G with the mapping from G to H. The mapping from K to G is known from the method of constructing K. Now, if Sam knows a mapping from G to H, Sam can use a zero knowledge proof to demonstrate to Jane that he knows a mapping without revealing the mapping.
13
First, Sam generates a new graph K isomorphic to G, and presents this new graph to Jane. Then Jane makes a decision 1 – Jane asks Sam to prove that K is an isomorphism of G or 2 – Jane asks Sam to prove that K is an isomorphism of H Since Sam doesn’t know in advance which option Jane will choose, he should be able to produce either result. If Sam doesn’t, in fact, know a mapping from G to H, he might try to guess what Jane will ask for – if he expects her to select option 1, he will create K from G. Otherwise, he will create K from H. Either way, he has a 50-50 chance of being able to fulfill Jane’s request. To prove that Sam in fact knows the mapping, the process is repeated for different versions of K. After n successful rounds, either Sam knows a mapping from G to H or he has beaten the odds of 1 in 2 n.
14
Now let Sam generate n different graphs K i isomorphic to G. Take the representation of these n graphs and generate a message digest of their concatenation. For each K i, demonstrate how K i is isomorphic to G if the i th bit in the message digest is a zero, and demonstrate how K i is isomorphic to H if the i th bit in the message digest is a one. The package containing G, H, every K, and the n mappings from each K to either G or H gives a package that can be independently verified after the fact. The strength of the digest algorithm guarantees that Sam couldn’t have cheated.
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.