electronic payment systems 20-763 lecture 11 electronic cash
ELECTRONIC PAYMENT SYSTEMS 20-763
SPRING 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Electronic Payment Systems 20-763
Lecture 11: Electronic Cash
Electronic Cash
• Token money in the form of bits, except unlike token money it can be copied. This creates new problems:
• Copy of a real bill = counterfeit. Copy of an ecash string is not counterfeit (or a perfect counterfeit)
• How is it issued? Spent?
• Counterfeiting
• Loss
• Fraud, merchant fraud, use in crime, double spending
• Efficiency (offline use -- no need to visit a site)
• Anonymity (even with collusion)
No existing system solves all these problems
Online v. Offline Systems
• Online system requires access to a server for each transaction.
  – Example: credit card authorization. Merchant must get code from issuing bank.
• Offline system allows transactions with no server.
  – Example: cash transaction. Merchant inspects money. No communications needed.
  – Note: an Internet system can be “offline” if the transaction is only between buyer and seller, with no third-party access during the transaction
Outline
• Non-anonymous ecash
  – Easy
• Online anonymous ecash
  – Not difficult with blind signatures
• Offline anonymous ecash
  – Difficult
  – Requires secret sharing & bit commitment
Electronic Cash -- Idea 1
• Bank sells character strings containing:
  – denomination, serial number, bank ID
  – digitally signed by the bank
• First person to return string to bank gets the money
PROBLEMS:
• Can’t use offline. Must verify money not yet spent. (You might not be the first person to deposit the coin.)
• Not anonymous. Bank can record serial number.
• Sophisticated transaction processing system required with locking to prevent double spending.
Blind Signatures (Chaum)
• Sometimes useful to have people sign things without seeing what they are signing
  – notarizing confidential documents
  – preserving anonymity
• Alice wants to have Bob sign message M. (In cryptography, a message is just a number.)
• Alice multiplies M by a number -- the blinding factor
• Alice sends the blinded message to Bob. He can’t read it -- it’s blinded.
• Bob signs with his private key, sends it back to Alice.
• Alice divides out the blinding factor. She now has M signed by Bob.
Blind Signatures
• Alice wants to have Bob sign message M.
• Bob’s public key is (e, n). Bob’s private key is d.
• Alice picks a blinding factor k between 1 and n.
• Alice blinds the message M by computing
  \(T = M k^e \pmod{n}\)
  She sends T to Bob.
• Bob signs T by computing
  \(T^d = (M k^e)^d \pmod{n} = M^d k \pmod{n}\)
• Alice unblinds this by dividing out the blinding factor:
  \(S = T^d / k = M^d k \pmod{n} / k = M^d \pmod{n}\)
• But this is the same as if Bob had just signed M, except Bob was unable to read T
\(e \cdot d = 1 \pmod{n}\)
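The blind-signing round above, as a runnable Python sketch; this is an added example, not part of the original lecture. The toy key (two Mersenne primes, e = 65537), the coin value and all function names are assumptions, and the private exponent is derived with the standard RSA relation, the inverse of e modulo (p-1)(q-1).

```python
import math
import secrets

# Constructed toy key for the signer (Bob / the bank): two Mersenne primes.
# Far too small for real use; real deployments also hash or pad M before signing.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # RSA private exponent: inverse of e modulo (p-1)(q-1)

def blind(m, e, n):
    """Alice: T = M * k^e mod n for a random k that is invertible mod n."""
    while True:
        k = secrets.randbelow(n - 2) + 2          # 2 <= k < n
        if math.gcd(k, n) == 1:                   # needed so k can be divided out later
            return (m * pow(k, e, n)) % n, k

def sign(t, d, n):
    """Signer: raw RSA signature T^d mod n on whatever number arrives."""
    return pow(t, d, n)

def unblind(signed_t, k, n):
    """Alice: S = T^d / k, where division means multiplying by k^-1 mod n."""
    return (signed_t * pow(k, -1, n)) % n

def verify(m, s, e, n):
    """Anyone: S is a valid signature on M if S^e = M mod n."""
    return pow(s, e, n) == m % n

def withdraw(m):
    """One blind-signing round; returns what the signer saw and what Alice ends up with."""
    t, k = blind(m, E, N)
    s = unblind(sign(t, D, N), k, N)
    return t, s

if __name__ == "__main__":
    coin = 123456789                              # constructed coin serial number
    seen_by_signer, signature = withdraw(coin)
    print(seen_by_signer != coin, verify(coin, signature, E, N))
```

The signer only ever handles T, which changes with every fresh k, yet the unblinded S is identical to a direct signature on M.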
Blind Signatures
• It’s a problem signing documents you can’t read
• Blind signatures are only used in special situations
• Example:
  – Ask a bank to sign (certify) an electronic coin for $100
  – It uses a special signature good only for $100 coins
• Blind signatures are the basis of anonymous ecash
eCash (Formerly DigiCash)
[Diagram: wallet software and a bank, in three phases]
Withdrawal (Minting): ALICE BUYS DIGITAL COINS FROM A BANK. ALICE SENDS UNSIGNED BLINDED COINS TO THE BANK. BANK SIGNS COINS, SENDS THEM BACK. ALICE UNBLINDS THEM.
Spending: ALICE PAYS BOB. BOB VERIFIES COINS NOT SPENT. BOB DEPOSITS.
Personal Transfer: ALICE TRANSFERS COINS TO CINDY. CINDY VERIFIES COINS NOT SPENT. CINDY GETS COINS BACK.
Minting eCash
• Alice requests coins from the bank where she has an account
• Alice sends the bank
  { { blinded coins, denominations }_SigAlice }_PKBank
• Bank knows they came from Alice and have not been altered (digital signature)
• The message is secret (only Bank can decode it)
• Bank knows Alice’s account number
• Bank deducts the total amount from Alice’s account
Minting eCash, cont.
• Bank signs the blinded coins with special signatures corresponding to the denominations
  – $100 coins signed with $100 signature
  – $5 coins signed with $5 signature
• Bank cannot lose if it only accepts each coin once, since it has already been paid by Alice
• Each of Alice’s blinded coins has a serial#
• Alice unblinds the coins
• Now they can be spent
Spending eCash
• Alice sends coins to Bob
• Bob checks the signatures using the bank’s public keys
  – For a $100 coin he uses the bank’s $100 public key to verify the bank’s digital signature
• Coin might be good, but already spent
• Bob must deposit it in the bank immediately
• Bank checks the coin for validity; looks up the serial number
• If the serial number has not been seen before, bank credits Bob’s account
• Bank can’t identify Alice, but the protocol is online
Anonymous online eCash
1. Blinded random large # (160 bits, so no collisions). Sig_Alice(request for $100).
2. Sig_bank_$100(blinded(#)): signed by bank
3. Sig_bank_$100(#)
4. Sig_bank_$100(#)
5. OK from bank
6. OK from Bob
[Diagram: Alice, Bank and Bob, with numbered arrows 1–6 for the messages above; phases labelled MINTING and SPENDING]
SOURCE: GUY BLELLOCH
Proving a Payment
• If eCash is anonymous, how can Alice ever prove she paid Bob?
• She can create a number (payer_code) and include a hash H(payer_code) in each coin
• When it accepts a coin for deposit, bank records H(payer_code)
• If Bob claims Alice never paid, she can reveal payer_code to the bank which can verify it by hashing
Lost eCash
• Ecash can be “lost”. Disk crashes, passwords forgotten, numbers written on paper are lost.
• Alice sends a message to the bank that coins have been lost
• Bank re-sends Alice her last n batches of blinded coins (n = 16)
• If Alice still has the blinding factor, she can unblind
• Alice deposits all the coins back in the bank. (The ones that were spent will be rejected.)
• Alice now withdraws new coins
Anonymous Ecash Crime
• Kidnapper takes hostage
• Ransom demand is a series of blinded coins
• Bank signs the coins to pay ransom
• Kidnapper tells bank to publish the coins in the newspaper (they’re just strings)
• Only the kidnapper can unblind the coins (only he knows the blinding factor)
• Kidnapper can now use the coins and is completely anonymous
Offline Double-Spending
• Double spending easy to stop in online systems: System maintains record of serial numbers of spent coins.
• Suppose Bob can’t check every coin online. How does he know a coin has not been spent before?
• Method 1: create a tamperproof dispenser (smart card) that will not dispense a coin more than once.
  – Problem: replay attack. Just record the bits as they come out.
• Method 2: protocol that provably identifies the double-spender but is anonymous for the single-spender.
Chaum’s Double-Spending Protocol
• How do we prevent double spending in an offline transaction (can’t check with bank)? Idea:
  – Alice stays anonymous
  – If Alice spends a coin twice, she is identified
  – If Bob deposits twice, he is caught but Alice remains anonymous
  – Must be secure against Alice and Bob cheating the bank together
  – Must be secure against Alice or Bob making it look like the other is cheating
Secret-Sharing
• Is there a way to divide a message into n pieces so any m pieces are sufficient to reconstruct it, but no smaller set is sufficient? Solution due to Shamir.
• Let the secret be a number s in the finite field mod p, where p is a large prime
• Select m-1 random elements of the field a_i and form the polynomial \(f(x) = s + a_1 x + a_2 x^2 + \dots + a_{m-1} x^{m-1}\)
• Now choose n integers x_i and let the secret shares be the pairs (x_i, f(x_i))
• Any m points uniquely determine a polynomial of degree m-1, so any m pairs uniquely determine s!
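Shamir's scheme as described on this slide, written out in Python as an added example (not part of the original lecture). The prime 2^127 - 1, the choice x_i = 1..n and the function names are assumptions.

```python
import secrets

PRIME = 2**127 - 1   # a Mersenne prime; the field "mod p" from the slide (assumed size)

def split(secret, m, n, p=PRIME):
    """Return n shares (x_i, f(x_i)) of which any m recover the secret."""
    if not (1 <= m <= n < p and 0 <= secret < p):
        raise ValueError("need 1 <= m <= n < p and 0 <= secret < p")
    # f(x) = s + a_1 x + ... + a_{m-1} x^{m-1} with random coefficients a_i
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(m - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):        # Horner evaluation mod p
            acc = (acc * x + c) % p
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]   # never x = 0: f(0) is the secret

def reconstruct(shares, p=PRIME):
    """Lagrange interpolation at x = 0 over the supplied shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share x-coordinates")
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for i, (xi, _) in enumerate(shares):
            if i != j:
                num = (num * -xi) % p             # product of (0 - x_i)
                den = (den * (xj - xi)) % p       # product of (x_j - x_i)
        secret = (secret + yj * num * pow(den, -1, p)) % p
    return secret

if __name__ == "__main__":
    shares = split(0x0C, m=3, n=5)                # constructed secret, 3-of-5
    print(reconstruct(shares[:3]), reconstruct(shares[:2]))
```

With fewer than m shares the interpolation still returns a number, but it is unrelated to s, which is why the second value printed differs from the first.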
Bit Commitment
• Alice wants to “commit” a number M to Bob without telling him what it is
• “Commit” means that she can later reveal the number and prove that she hasn’t changed it
• Idea: Alice writes M on a piece of paper, locks it in a box and gives the box to Bob. Alice keeps the key.
• Later, Bob asks Alice what the number was. She produces the key and opens the box.
• Can this be done on a computer? It’s easy.
Bit Commitment
• Alice wants to “commit” number M to Bob
• She picks a random nonce r (to prevent replay attack)
• She sends Bob y = H(r || M) (H is a one-way hash)
• Alice sends y to Bob. Now she can’t change it.
• When Bob wants to know M, Alice sends M and r.
• Bob computes H(r || M) and sees if it equals y. If so, M was in the commitment y originally
Chaum Double-Spending Protocol
• Split Alice’s identity (a secret) so that any two pieces can identify her but one piece cannot
• Each time the coin is spent, insert another piece of the secret (secret-sharing)
• Have Alice put this information in the coins through bit commitment
• Verify that Alice is not cheating through cut-and-choose
• If the coin is spent only once, no possibility of different data
• If the bank sees the same coin from two different parties, Alice is the double spender
Cut-and-Choose
• A probabilistic method to verify that Alice is following a protocol
• We ask Alice to put a piece of a secret in each coin. But the coins are blinded. How do we know she did it?
• If Alice wants 100 coins, bank asks her to send 200 coins
• Bank randomly picks 100 coins and asks her for the blinding factor for each
• Bank unblinds the test coins and sees if they all have parts of the secret
• If so, they probably all have parts of the secret
Probability Footnote
• If Alice sends 2n coins to the bank but k have no part of the secret, what is the probability none of the k are among the n coins the bank picks?
\[ p(j) = \frac{\binom{k}{j}\,\binom{2n-k}{n-j}}{\binom{2n}{n}} \]
  – \(\binom{k}{j}\): WAYS TO PICK EXACTLY j OF k BAD COINS
  – \(\binom{2n-k}{n-j}\): WAYS TO PICK EXACTLY n-j OF 2n-k GOOD COINS
  – \(\binom{2n}{n}\): WAYS TO PICK EXACTLY n OF 2n TOTAL COINS
• The probability that Alice gets away with it is p(0).
• For k = 1, p(0) = 1/2
• For n = 100, k = 10, p(0) ~ 8/10000
• For n = 100, k = 100, p(0) ~ \(10^{-59}\)
Chaum Double-Spending Protocol
• If the coin is spent only once, no possibility of seeing different pieces of the secret, so Alice stays anonymous
• If the bank sees the same coin from two different parties, Alice is the double spender
• If Bob tries to deposit the coin twice, the bank sees the same serial number and knows that Bob is the cheater
Chaum Double-Spending Protocol
• Alice wants 100 five-dollar coins.
• Alice sends 200 five-dollar coins to the bank (twice as many as she needs). For each coin, she inserts a share of her account number
• Bank selects half the coins (100), signs them, gives them back to Alice
• Bank asks her for the random numbers for the other 100 coins and uses them to read her account number
  – Bank feels safe that the blinded coins it signed had a piece of her account number. (It picked the 100 out of 200, not Alice.)
Chaum’s Double-Spending Protocol
• u = Alice’s account number (identifies her)
• r_0, r_1, …, r_{m-1} are m random numbers
• (ul_i, ur_i) = a secret split of u over 2 pieces using r_i so that both are required to recover u. E.g. (r_i XOR u, r_i) (XORing the pieces gives u)
• vl_i = a bit commitment of ul_i
• vr_i = a bit commitment of ur_i
• Coin contains:
  – Value
  – Unique ID (long random number)
  – (vl_0, vr_0), (vl_1, vr_1), …, (vl_{m-1}, vr_{m-1})
SOURCE: GUY BLELLOCH
Chaum’s Protocol: Minting
1. 2n blinded coins and Alice’s account #
2. A request to unblind and prove all bit commitments for n of the 2n coins (chosen at random)
3. The blinding factors and proofs of commitment for the n coins
4. Assuming step 3 passes, bank signs the other n coins
[Diagram: Alice and Bank, with numbered arrows 1–4 for the messages above]
SOURCE: GUY BLELLOCH
Chaum’s Protocol: Spending
1. A signed coin C (unblinded)
2. A random bit vector B of length m
3. For each i if bit B_i = 0 return bit value for ul_i else return bit value for ur_i (not both). Include all “proofs” that the ul_i or ur_i match vl_i or vr_i
• Now the merchant checks that the coin is properly signed by the bank, and the ul or ur match the vl or vr
[Diagram: Alice and Bob, with numbered arrows 1–3 for the messages above]
SOURCE: GUY BLELLOCH
Chaum’s Protocol: Depositing
1. The signed coin, bit vector B, values of ul_i or ur_i that Bob received from Alice.
2. An OK, or fail
• If fail, i.e., already returned:
  1. If B matches previous order, the Merchant is guilty
  2. Otherwise Alice is guilty and can be identified since for some i (where Bs don’t match) the bank will have (ul_i, ur_i), which reveals her secret u (her identity).
[Diagram: Bob and Bank, with numbered arrows 1–2 for the messages above]
SOURCE: GUY BLELLOCH
Chaum Protocol
• If Alice’s random number has b bits, what is the probability she can spend a coin twice without being detected?
• Bob and Charlie’s random numbers would have to be identical. If they differ by 1 bit, the bank can identify Alice.
• Probability that two b-bit numbers are identical: \(p(b) = 2^{-b}\)
  p(1) = 0.5
  p(10) ~ .001
  p(20) ~ 1/1,000,000
  p(30) ~ 1/1,000,000,000
  p(64) ~ \(5 \times 10^{-20}\)
  p(128) ~ \(3 \times 10^{-39}\)
• Chaum protocol does not guarantee detection
Major Ideas
• eCash raises great security concerns
• eCash provides protection against loss
• eCash raises significant legal problems
• eCash is difficult to implement with both anonymity and protection against double spending
• eCash may not be successful because of stored-value cards and peer-to-peer systems
Q&A
Spending eCash
• Alice orders goods from Bob
• Bob’s server requests coins from Alice’s wallet:
  payreq = { currency, amount, timestamp, merchant_bankID, merchant_accID, description }
• Alice approves the request. Her wallet sends:
  payment = { payment_info, {coins, H(payment_info)}_PKmerchant_bank }
  payment_info = { Alice’s_bank_ID, amount, currency, ncoins, timestamp, merchant_ID, H(description), H(payer_code) }
Depositing eCash
• Bob receives the payment message, forwards it to the bank for deposit by sending
  deposit = { { payment }_SigBob }_PKBank
• Bank decrypts the message using SKBank.
• Bank examines payment info to obtain serial# and verify that the coin has not been spent
• Bank credits Bob’s account and sends Bob a deposit receipt:
  deposit_ack = { deposit_data, amount }_SigBank
Proving an eCash Payment
• Alice generates payer_code before paying Bob
• A hash of the payer_code is included in payment_info
• Bob cannot tamper with H(payer_code) since payment_info is encrypted with the bank’s public key
• The merchant’s bank records H(payer_code) along with the deposit
• If Bob denies being paid, Alice can reveal her payer_code to the bank
• Otherwise, Alice is anonymous; Bob is not.
Chaum Protocol
• Alice’s account number is 12, which in hex is 0C = 00001100
• Alice picks serial number 100 and blinding number 5
• She asks the bank for a coin with serial number 100 x 5 = 500
• Alice chooses a number b and creates b random numbers for this coin. Say b=6
• Alice’s wallet XORs each random number with her account number:

i   acct   random   acct XOR random
0   0C     1B       17
1   0C     13       1F
2   0C     09       05
3   0C     05       09
4   0C     2B       27
5   0C     11       1D
Chaum Protocol
• Bob receives Alice’s coin. He obtains b and picks a random b-bit number, say 111010
• For every bit position in which Bob’s number has a 1, wallet reveals Alice’s random number for that position
• For every 0-bit, Bob receives Alice’s account number XOR her random number for that position
• Bob’s wallet sends last column to the bank when depositing

i   acct   random   acct XOR random   Bob’s bit   Bob receives
0   0C     1B       17                0           17
1   0C     13       1F                1           13
2   0C     09       05                0           05
3   0C     05       09                1           05
4   0C     2B       27                1           2B
5   0C     11       1D                1           11
Chaum Protocol
• Now Alice tries to spend the coin again with Charlie. He finds b=6 and picks random number 010000
• Her wallet probably sends a different set of numbers
• Charlie goes through the same procedure as Bob and sends the numbers he receives to the bank when he deposits the coin

i   acct   random   acct XOR random   Charlie’s bit   Charlie receives
0   0C     1B       17                0               17
1   0C     13       1F                0               1F
2   0C     09       05                0               05
3   0C     05       09                0               09
4   0C     2B       27                1               2B
5   0C     11       1D                0               1D
Chaum Protocol
• The bank refuses to pay Charlie, since the coin was previously deposited by Bob
• The bank combines data from Bob and Charlie (or both) using XOR where it has different data from the two sources:
• This identifies Alice as the cheater! Neither Bob nor Alice nor the bank could do it alone

i   acct   random   acct XOR random   random XOR (acct XOR random)   acct holder
0   0C     -        17                -                              -
1   0C     13       1F                0C                             Alice
2   0C     -        05                -                              -
3   0C     05       09                0C                             Alice
4   0C     2B       -                 -                              -
5   0C     11       1D                0C                             Alice
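The worked example on the last four slides, replayed in Python with the bit commitments from the earlier Chaum slides included; this is an added example, not part of the original lecture. SHA-256 as the hash H, the 16-byte nonces and all function names are assumptions, while the account number, random numbers and challenge values are the ones on the slides.

```python
import hashlib
import secrets

def commit(value, nonce):
    """Bit commitment from the slides: y = H(r || M), with SHA-256 as H."""
    return hashlib.sha256(nonce + value.to_bytes(16, "big")).digest()

def make_coin(u, randoms):
    """Alice: split u into pairs (ul_i, ur_i) = (r_i XOR u, r_i) and commit to each half."""
    pairs = [(r ^ u, r) for r in randoms]
    nonces = [(secrets.token_bytes(16), secrets.token_bytes(16)) for _ in pairs]
    commitments = [(commit(ul, nl), commit(ur, nr))
                   for (ul, ur), (nl, nr) in zip(pairs, nonces)]
    return pairs, nonces, commitments   # commitments go in the coin, the rest stays in the wallet

def spend(pairs, nonces, challenge):
    """Alice's wallet: challenge bit i = 1 reveals r_i, bit i = 0 reveals r_i XOR u (never both)."""
    return [(pairs[i][b], nonces[i][b])
            for i in range(len(pairs))
            for b in [(challenge >> i) & 1]]

def verify_spend(commitments, challenge, revealed):
    """Merchant: every revealed half must open the commitment stored in the coin."""
    return all(commit(value, nonce) == commitments[i][(challenge >> i) & 1]
               for i, (value, nonce) in enumerate(revealed))

def bank_resolve(first, second):
    """Bank, on a repeated coin ID: compare two (challenge, revealed) deposit records."""
    (c1, r1), (c2, r2) = first, second
    if c1 == c2:
        return "merchant", None          # identical challenge: same deposit sent twice
    i = next(i for i in range(len(r1)) if ((c1 ^ c2) >> i) & 1)
    return "payer", r1[i][0] ^ r2[i][0]  # both halves of pair i XOR to u

def slide_example():
    """Replay the slides: account 0C, Bob picks 111010, Charlie picks 010000."""
    randoms = [0x1B, 0x13, 0x09, 0x05, 0x2B, 0x11]
    pairs, nonces, commitments = make_coin(0x0C, randoms)
    bob = spend(pairs, nonces, 0b111010)
    charlie = spend(pairs, nonces, 0b010000)
    ok = (verify_spend(commitments, 0b111010, bob)
          and verify_spend(commitments, 0b010000, charlie))
    return bob, charlie, ok, bank_resolve((0b111010, bob), (0b010000, charlie))

if __name__ == "__main__":
    bob, charlie, ok, verdict = slide_example()
    print([f"{v:02X}" for v, _ in bob], [f"{v:02X}" for v, _ in charlie], ok, verdict)
```

Bit i of each challenge is read from the least significant end, which is how the tables line 111010 up with rows 0 to 5.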