Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 14: Digital Cash, Randomness.

Published byElmer Hopkins Modified over 9 years ago

Similar presentations

Presentation on theme: "David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 14: Digital Cash, Randomness."— Presentation transcript:

1 David Evans http://www.cs.virginia.edu/~evans CS588: Security and Privacy University of Virginia Computer Science Lecture 14: Digital Cash, Randomness

2 22 Oct 2001University of Virginia CS 5882 Menu Randomness Cannibalistic Voting Protocols Digital Cash

3 22 Oct 2001University of Virginia CS 5883 Random Numbers For numbers in range 0...2 n-1, an observer with the first m - 1 numbers, cannot guess the m th with probability better than 1/2 n.

4 22 Oct 2001University of Virginia CS 5884 Good Random Numbers Lava Lamps (http://www.lavarnd.org) Gieger Counter and Radioactive stuff

5 22 Oct 2001University of Virginia CS 5885 Pseudo-Random Number Generators 1.Start in a hard-to-guess state 2.Run an algorithm that generates an unpredictable sequence from that state

6 22 Oct 2001University of Virginia CS 5886 Typical Random Numbers random () –Doesn’t give cryptographic random numbers Using system clock in milliseconds to seed (even a good PRNG) –There are only 24*60*60*1000 = 86.4M Fine for video games, not fine for protecting nuclear secrets. srandom (time (NULL)); for (...) random (); Doesn’t satisfy either property!

7 22 Oct 2001University of Virginia CS 5887 Jefferson Wheel Key Generator long key[NUMWHEELS]; int i, j; srandom ((unsigned)time (NULL)); for (i = 0; i < NUMWHEELS; i++) key[i] = random (); for (i = 0; i < NUMWHEELS; i++) { long highest = -1; int highindex = -1; for (j = 0; j < NUMWHEELS; j++) { if (key[j] > highest) { highindex = j; highest = key[j]; } } fprintf (stdout, "%d\n", highindex); key[highindex] = -1; } Reduces key space from 36! (3.7 * 10 41 ) to 86M! Challenge is now 2.3 * 10 34 easier!

8 22 Oct 2001University of Virginia CS 5888 Tiny, Yarrow-160 Accumulate Entropy –Unspecified how: implementer decides Recent Linux systems have /dev/random –User keystrokes, disk seek times, network activity (be careful!), etc. Use entropy and SHA1 hash function produce unpredictable K. Calculate random numbers: C = (C + 1) mod 2 n R = E K (C) E K is AES (Tiny); 3DES (Yarrow-160)

9 22 Oct 2001University of Virginia CS 5889 Jon Erdman

10 Erdman Sand Encryption Or, Why I Don’t Need to Take the Midterm

11 22 Oct 2001University of Virginia CS 58811 Problem Our survivors need to reveal their public keys without revealing who owns which key. All messages must be exchanged through a public forum (the sand).

12 22 Oct 2001University of Virginia CS 58812 The solution Players encrypt their message with the public keys of two other players. Secretly pass the encrypted message at random through the group until the two encryptions are removed.

13 22 Oct 2001University of Virginia CS 58813 Before we get started: Each pair of people needs to establish a secret key to communicate with each other. They could use the Diffie-Hellman key exchange or … the Erdman Key Exchange

14 22 Oct 2001University of Virginia CS 58814 Erdman Key Exchange Each player generates a RSA key pair. Encrypt secret key using their private key followed by player X’s public key. Send encrypted message to player X by writing it in the sand. Decrypt using your private key and other player’s public key. Each player sends a key to every other player using this method: the pair key is the xor of the keys the players sent to each other.

15 22 Oct 2001University of Virginia CS 58815 Erdman Key Exchange (ctd.) Encrypting with your private key verifies to the other person that the message is coming from you. Encrypting with their public key verifies to you that only the other person can read the message. Can add check bits to the end to ensure message was not tampered with.

16 22 Oct 2001University of Virginia CS 58816 Step 1: Encryption Player generates a random bit string (which I’ll call the messer) equal in length to the RSA keys. Player does a RSA encryption on their public key,KUx, xored with the messer. Concatenate result with the messer and the check bits (CB) corresponding to the word “final”. Encrypt result using the public key (KU2y) of a random player of their choosing. C1 = E KU2y [(M xor messer1) || messer1 || CB]

17 22 Oct 2001University of Virginia CS 58817 Step 2: More Encryption Repeat step one using C1 instead of M, choosing a different person, different messer, and using the check bits for “middle.” C2 = E KU2z [C1 xor messer2 || messer2 || CB]

18 22 Oct 2001University of Virginia CS 58818 Step 3: Passing Each player does a 3DES encryption on the resulting messages and some check bits, using the unique key they made with yet another random player Write the result in the sand for all to see C3 = 3DES (C2 || CB, Kxq)

19 22 Oct 2001University of Virginia CS 58819 Step 4:Gathering Players need to find messages sent to them Decrypt the messages in the sand using the Kxy established earlier. If the check bits are valid they know the message was ment for them.

20 22 Oct 2001University of Virginia CS 58820 Step 5: Decrypting (maybe) Players take messages sent to them and attempt to decrypt using their private key. If they see the check bits “middle” they know they have C1. If they see the check bits “final” they have one of the keys. If they have one of the keys, they can write it in the sand for all to see.

21 22 Oct 2001University of Virginia CS 58821 Mathematical Interlude C = E KUz [M xor messer || messer || CB] attempt to decrypt using E KRz D KRz [C] = D KRz [E KUz [M xor messer || messer || CB]] = M xor messer || messer || CB CB will only be valid if the decryption key is the pair to the encryption key. M = M xor messer xor messer

22 22 Oct 2001University of Virginia CS 58822 Step 6: Repeat If the messages players received are not a final message, send it to another random player. Repeat until all keys have been found.

23 22 Oct 2001University of Virginia CS 58823 Why the messer? What if there is no messer? The first person is being passed a message encrypted with two public keys. After final messages are revealed they can try encrypting the messages with various public key combinations and find the one that produces the same message they got on the first pass. Only N choose 2 combinations! The messer introduces a random factor into the encryption so this will not be possible.

24 22 Oct 2001University of Virginia CS 58824 Shortest Path Example A encrypts the message with the keys of C then B. A then passes to D D who passes to B who takes of one lock B passes to C who takes off other lock Each person knows who passed it to them and who they passed it to.

25 22 Oct 2001University of Virginia CS 58825 Shortest Path (continued) Path: A -> D -> B -> C D does not know who B passed to so can not know the message C writes is A’s. B does not know that it was A that passed to D. C does not know the identity of D or A.

26 22 Oct 2001University of Virginia CS 58826 Shortest Path (continued) Path: A -> D -> B -> C If D and B decide to share information they can figure out A’s message. This depends on the random passes being very lucky. Can improve the algorithm by adding more encryptions at the beginning.

27 Questions?

28 22 Oct 2001University of Virginia CS 58828 Digital Cash

29 22 Oct 2001University of Virginia CS 58829 Properties of Physical Cash Universally recognized as valuable Easy to transfer Anonymous Big and Heavy –Average bank robbery takes $4552 –500 US bills / pound –Bill Gates net worth would be 400 tons in $100 bills Moderately difficult to counterfeit in small quantities Extremely difficult to get away with counterfeiting large quantities (unless you are Iran or Syria)

30 22 Oct 2001University of Virginia CS 58830 Bank IOU Protocol Alice {KU A, KR A } Trusty Bank {KU TB, KR TB } M M = “The Trusty Bank owes the holder of this message $100.” E KR TB [H(M)]

31 22 Oct 2001University of Virginia CS 58831 Bank IOU Protocol Alice {KU A, KR A } Trusty Bank {KU TB, KR TB } M E KR TB [H(M)] Bob M E KR TB [H(M)] Bob’s secret curry recipe E KU A [Bob’s secret curry recipe]

32 22 Oct 2001University of Virginia CS 58832 Bank IOU Protocol Trusty Bank M E KR TB [H(M)] Bob M E KR TB [H(M)] M

33 22 Oct 2001University of Virginia CS 58833 Bank IOU Protocol Universally recognized as valuable Easy to transfer Anonymous xHeavy xModerately difficult to counterfeit in small quantities xExtremely difficult to get away with counterfeiting large quantities

34 22 Oct 2001University of Virginia CS 58834 Bank Identifiers Bank adds a unique tag to each IOU it generates When someone cashes an IOU, bank checks that that IOU has not already been cashed Can’t tell if it was Alice or Bob who cheated Alice loses her anonymity – the bank can tell where she spends her money

35 22 Oct 2001University of Virginia CS 58835 Digital Cash, Protocol #1 1.Alice prepares 100 money orders for $1000 each. 2.Puts each one in a different sealed envelope, with a piece of carbon paper. 3.Gives envelopes to bank. 4.Bank opens 99 envelopes and checks they contain money order for $1000. 5.Bank signs the remaining envelope without opening it (signature goes through carbon paper).

36 22 Oct 2001University of Virginia CS 58836 Digital Cash, Protocol #1 cont. 6.Bank returns envelope to Alice and deducts $1000 from her account. 7.Alice opens envelope, and spends the money order. 8.Merchant checks the Bank’s signature. 9.Merchant deposits money order. 10.Bank verifies its signature and credits Merchant’s account.

37 22 Oct 2001University of Virginia CS 58837 Digital Cash, Protocol #1 Is it anonymous? Can Alice cheat? –Make one of the money orders for $100000, 1% chance of picking right bill, 99% chance bank detects attempted fraud. Better make the penalty for this high (e.g., jail) –Copy the signed money order and re-spend it. Can Merchant cheat? –Copy the signed money order and re-deposit it.

38 22 Oct 2001University of Virginia CS 58838 Digital Cash, Protocol #2 Idea: prevent double-spending by giving each money order a unique ID. Problem: how do we provide unique IDs without losing anonymity? Solution: let Alice generate the unique IDs, and keep them secret from bank.

39 22 Oct 2001University of Virginia CS 58839 Digital Cash, Protocol #2 1.Alice prepares 100 money orders for $1000 each, adds a long, unique random ID to each note. 2.Puts each one in a different sealed envelope, with a piece of carbon paper. 3.Gives envelopes to bank. 4.Bank opens 99 envelopes and checks they contain money order for $1000. 5.Bank signs the remaining envelope without opening it.

40 22 Oct 2001University of Virginia CS 58840 Digital Cash, Protocol #2 cont. 6.Bank returns envelope to Alice and deducts $1000 from her account. 7.Alice opens envelope, and spends the money order. 8.Merchant checks the Bank’s signature. 9.Merchant deposits money order. 10.Bank verifies its signature, checks that the unique random ID has not already been spent, credits Merchant’s account, and records the unique random ID.

41 22 Oct 2001University of Virginia CS 58841 Digital Cash, Protocol #2 Is it anonymous? Can Alice cheat? Can Merchant cheat? Can bank catch cheaters?

42 22 Oct 2001University of Virginia CS 58842 Mimicking Carbon Paper How does bank sign the envelope without knowing what it contains? Normal signatures Alice sends bank M Bank sends Alice, S M = E KR Bank (M) Alice shows S M to Bob who decrypts with banks public key.

43 22 Oct 2001University of Virginia CS 58843 Blind Signatures Alice picks random k between 1 and n. Sends bank t = mk e mod n. ( e from Bank’s public key). Bank signs t using private key d. Sends Alice: t d = (mk e mod n ) d mod n = (mk e ) d mod n  m d k ed mod n What do we know about k ed mod n ?

44 22 Oct 2001University of Virginia CS 58844 Blind Signatures Alice gets t d  m d k mod n Alice divides by k to get s m  m d k / k  m d mod n. Hence: bank can sign money orders without opening them!

45 22 Oct 2001University of Virginia CS 58845 Digital Cash Protocol #2 Instead of envelopes, Alice blinds each money order using a different randomly selected k i. The bank asks for any 99 of the k i ’s. The bank unblinds the messages (by dividing) and checks they are valid. The bank signs the other money order. Still haven’t solved the catching cheaters problem!

46 22 Oct 2001University of Virginia CS 58846 Anonymity for Non-Cheaters Spend a bill once – maintain anonymity Spend a bill twice – lose anonymity Have we seen anything like this?

47 22 Oct 2001University of Virginia CS 58847 Digital Cash 1.Alice prepares n money orders each containing: AmountUniqueness String: X Identity Strings: I 1 = (h(I 1L ), h(I 1R ))... I n = (h(I nL ), h(I nR )) Each I n pair reveals Alice’s identity (name, address, etc.). I = I iL  I iR. h is a secure, one-way hash function.

48 22 Oct 2001University of Virginia CS 58848 Digital Cash, cont. 2.Alice blinds (multiplies by random k ) all n money orders and sends them to bank. 3.Bank asks for any n-1 of the random k i s and all its corresponding identity strings. 4.Bank checks money orders. If okay, signs the remaining blinded money order, and deducts amount from Alice’s account.

49 22 Oct 2001University of Virginia CS 58849 Digital Cash, cont. 5.Alice unblinds the signed note, and spends it with a Merchant. 6.Merchant asks Alice to randomly reveal either I iL or I iR for each i. (Merchant chooses n -bit selector string.) 7.Alice sends Merchant corresponding I iL ’s or I iR ’s. 8.Merchant uses h to confirm Alice didn’t cheat.

50 22 Oct 2001University of Virginia CS 58850 Digital Cash, cont. 9.Merchant takes money order and identity string halves to bank. 10.Bank verifies its signature, and checks uniqueness string. If it has not been previously deposited, bank credits Merchant and records uniqueness string and identity string halves.

51 22 Oct 2001University of Virginia CS 58851 Digital Cash, cont. 11.If it has been previously deposited, bank looks up previous identity string halves. Finds one where both L and R halves are known, and calculates I. Arrests Alice. 12.If there are no i ’s, where different halves are known, arrest Merchant.

52 22 Oct 2001University of Virginia CS 58852 Digital Cash Protocol Universally recognized as valuable Easy to transfer Anonymous xHeavy Moderately difficult to counterfeit in small quantities ?Extremely difficult to get away with counterfeiting large quantities

53 22 Oct 2001University of Virginia CS 58853 Digital Cash Summary Preserves anonymity of non-cheating spenders (assuming large bank and standard denominations) Doesn’t preserve anonymity of Merchants Requires a trusted off-line bank Expensive – lots of computation for one transaction Other schemes (Millicent, CyberCoin, NetBill, etc.) proposed for smaller transactions

54 22 Oct 2001University of Virginia CS 58854 Charge Cryptographers can make infinite amounts of money! (but can’t make it heavy) Midterm is Wednesday –“Flood” Handout –You may discuss this with anyone you want, but course staff will not answer specific questions about it. Review session: tonight at 7:00, Olsson 005

Download ppt "David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 14: Digital Cash, Randomness."

Similar presentations

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
ITIS 6200/8200. 2 Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
David Evans CS588: Cryptography University of Virginia Computer Science Lecture 18: Money

David Evans CS588: Cryptography University of Virginia Computer Science Lecture 18: Money
Information Assurance Management Key Escrow Digital Cash Week 12-1.

Information Assurance Management Key Escrow Digital Cash Week 12-1.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.

Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.
Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.

Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.

Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.
20-763 ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 11 Electronic Cash.

ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.
Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.

Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
ELECTRONIC PAYMENT SYSTEMS 20-763 SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 11 Electronic Cash.

ELECTRONIC PAYMENT SYSTEMS SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.

Similar presentations

Ads by Google