Lecture 18: Money
Download
Report
Transcript Lecture 18: Money
Lecture 18:
Money
http://www.fun-with-money.com
CS588: Cryptography
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/evans
Artist: Levente Jakab
12 April 2005
University of Virginia CS 588
2
Title 18, Section 474:
Whoever prints, photographs, or
in any other manner makes or
executes any engraving,
photograph, print, or impression
in the likeness of any such
obligation or other security, or any
part thereof, or sells any such
engraving, photograph, print, or
impression, except to the United
States, or brings into the United
States, any such engraving,
photograph, print, or impression,
except by direction of some
proper officer of the United States
- is guilty of a class B felony.
12 April 2005
First Amendment:
Congress shall make no
law respecting an
establishment of
religion, or prohibiting
the free exercise
thereof; or abridging the
freedom of speech, or
of the press; or the right
of the people peaceably
to assemble, and to
petition the government
for a redress of
grievances.
University of Virginia CS 588
3
Properties of Physical Cash
•
•
•
•
•
Universally recognized as valuable
Easy to transfer
Anonymous
Works even when the banks are closed
Big and Heavy
– Average bank robbery takes $4552
– 500 US bills / pound
– Bill Gates net worth would be ~200 tons in $100 bills
• Moderately difficult to counterfeit small quantities
• Extremely difficult to get away with counterfeiting
large quantities (unless you are Iran or Syria)
12 April 2005
University of Virginia CS 588
4
Bank IOU Protocol
Alice
{KUA, KRA}
12 April 2005
M
EKRTB[H(M)]
M = “The Trusty Bank
owes the holder of
this message $100.”
University of Virginia CS 588
Trusty
Bank
{KUTB, KRTB}
5
Bank IOU Protocol
Trusty
Bank
M
Alice
{KUA, KRA}
M
EKRTB[H(M)]
EKRTB[H(M)]
Bob’s secret
EKUA[Bob’s
secret curry
curry recipe
recipe]
12 April 2005
{KUTB, KRTB}
University of Virginia CS 588
Bob
6
Bank IOU Protocol
EKRTB[H(M)]
M
Bob
M
M
12 April 2005
EKRTB[H(M)]
Trusty
Bank
EKRTB[H(M)]
University of Virginia CS 588
7
Bank IOU Protocol
¥ Universally recognized as valuable
€ Easy to transfer
£ Anonymous
x Heavy
x Moderately difficult to counterfeit in
small quantities
x Extremely difficult to get away with
counterfeiting large quantities
12 April 2005
University of Virginia CS 588
8
Bank Identifiers
• Bank adds a unique tag to each IOU it
generates
• When someone cashes an IOU, bank
checks that that IOU has not already
been cashed
• Can’t tell if it was Alice or Bob who
cheated
• Alice loses her anonymity – the bank
can tell where she spends her money
12 April 2005
University of Virginia CS 588
9
Digital Cash, Protocol #1
1. Alice prepares 100 money orders for
$1000 each.
2. Puts each one in a different sealed
envelope, with a piece of carbon paper.
3. Gives envelopes to bank.
4. Bank opens 99 envelopes and checks
they contain money order for $1000.
5. Bank signs the remaining envelope
without opening it (signature goes
through carbon paper).
12 April 2005
University of Virginia CS 588
10
Digital Cash, Protocol #1 cont.
6. Bank returns envelope to Alice and
deducts $1000 from her account.
7. Alice opens envelope, and spends the
money order.
8. Merchant checks the Bank’s signature.
9. Merchant deposits money order.
10. Bank verifies its signature and credits
Merchant’s account.
12 April 2005
University of Virginia CS 588
11
Digital Cash, Protocol #1
• Is it anonymous?
• Can Alice cheat?
– Make one of the money orders for $100000, 1%
chance of picking right bill, 99% chance bank
detects attempted fraud.
• Better make the penalty for this high (e.g., jail)
– Copy the signed money order and re-spend it.
• Can Merchant cheat?
– Copy the signed money order and re-deposit it.
12 April 2005
University of Virginia CS 588
12
Digital Cash, Protocol #2
• Idea: prevent double-spending by giving
each money order a unique ID.
• Problem: how do we provide unique IDs
without losing anonymity?
• Solution: let Alice generate the unique
IDs, and keep them secret from bank.
12 April 2005
University of Virginia CS 588
13
Digital Cash, Protocol #2
1. Alice prepares 100 money orders for
$1000 each, adds a long, unique random
ID to each note.
2. Puts each one in a different sealed
envelope, with a piece of carbon paper.
3. Gives envelopes to bank.
4. Bank opens 99 envelopes and checks they
contain money order for $1000.
5. Bank signs the remaining envelope without
opening it.
12 April 2005
University of Virginia CS 588
14
Digital Cash, Protocol #2 cont.
6. Bank returns envelope to Alice and
deducts $1000 from her account.
7. Alice opens envelope, and spends the
money order.
8. Merchant checks the Bank’s signature.
9. Merchant deposits money order.
10. Bank verifies its signature, checks that the
unique random ID has not already been
spent, credits Merchant’s account, and
records the unique random ID.
12 April 2005
University of Virginia CS 588
15
Digital Cash, Protocol #2
•
•
•
•
Is it anonymous?
Can Alice cheat?
Can Merchant cheat?
Can bank catch cheaters?
12 April 2005
University of Virginia CS 588
16
Mimicking Carbon Paper
• How does bank sign the envelope
without knowing what it contains?
• Normal signatures
Alice sends bank M
Bank sends Alice, SM = EKRBank (M)
Alice shows SM to Bob who decrypts with
banks public key.
12 April 2005
University of Virginia CS 588
17
Blind Signatures
• Alice picks random k between 1 and n.
• Sends bank t = mke mod n. (e from
Bank’s public key).
• Bank signs t using private key d. Sends
Alice:
td = (mke mod n)d mod n
= (mke)d mod n mdked mod n
= (mke)d mod n mdked mod n
What do we know about ked mod n?
12 April 2005
University of Virginia CS 588
18
Blind Signatures
• Alice gets
td mdk mod n
• Alice divides by k to get
sm mdk / k md mod n.
• Hence: bank can sign money orders
without opening them!
12 April 2005
University of Virginia CS 588
19
Digital Cash Protocol #2
• Instead of envelopes, Alice blinds each
money order using a different randomly
selected ki.
• The bank asks for any 99 of the ki’s.
The bank unblinds the messages (by
dividing) and checks they are valid.
• The bank signs the other money order.
• Still haven’t solved the catching
cheaters problem!
12 April 2005
University of Virginia CS 588
20
Anonymity for Non-Cheaters
• Spend a bill once – maintain anonymity
• Spend a bill twice – lose anonymity
• Have we seen anything like this?
12 April 2005
University of Virginia CS 588
21
Digital Cash
1. Alice prepares n money orders each
containing:
Amount
Uniqueness String: X
Identity Strings: I1 = (h(I1L), h(I1R))
...
In = (h(InL), h(InR))
Each In pair reveals Alice’s identity (name,
address, etc.). I = IiL IiR.
h is a secure, one-way hash function.
12 April 2005
University of Virginia CS 588
22
Digital Cash, cont.
2. Alice blinds (multiplies by random k) all n
money orders and sends them to bank.
3. Bank asks for any n-1 of the random kis
and all its corresponding identity strings.
4. Bank checks money orders. If okay,
signs the remaining blinded money
order, and deducts amount from Alice’s
account.
12 April 2005
University of Virginia CS 588
23
Digital Cash, cont.
5. Alice unblinds the signed note, and
spends it with a Merchant.
6. Merchant asks Alice to randomly reveal
either IiL or IiR for each i. (Merchant
chooses n-bit selector string.)
7. Alice sends Merchant corresponding IiL’s
or IiR’s.
8. Merchant uses h to confirm Alice didn’t
cheat.
12 April 2005
University of Virginia CS 588
24
Digital Cash, cont.
9. Merchant takes money order and
identity string halves to bank.
10. Bank verifies its signature, and checks
uniqueness string. If it has not been
previously deposited, bank credits
Merchant and records uniqueness string
and identity string halves.
12 April 2005
University of Virginia CS 588
25
Digital Cash, cont.
11. If it has been previously deposited,
bank looks up previous identity string
halves. Finds one where both L and R
halves are known, and calculates I.
Arrests Alice.
12. If there are no i’s, where different
halves are known, arrest Merchant.
12 April 2005
University of Virginia CS 588
26
Digital Cash Protocol
Universally recognized as valuable
Easy to transfer
Anonymous
x Heavy
Moderately difficult to counterfeit in
small quantities
? Extremely difficult to get away with
counterfeiting large quantities
12 April 2005
University of Virginia CS 588
27
Digital Cash Summary
• Preserves anonymity of non-cheating
spenders (assuming large bank and
standard denominations)
• Doesn’t preserve anonymity of Merchants
• Requires a trusted off-line bank
• Expensive – lots of computation for one
transaction
• Other schemes (Peppercoin, Millicent,
CyberCoin, NetBill, etc.) proposed for
smaller transactions
12 April 2005
University of Virginia CS 588
28
Printing more valuable paper
than cash?
12 April 2005
University of Virginia CS 588
29
12 April 2005
University of Virginia CS 588
30
Germany 2006 Tickets
• Tickets will include RFID
• Encodes name,
birthdate and passport
number of purchaser
12 April 2005
University of Virginia CS 588
31
RFID Tags
• Passive devices
– Uses RF signals from reader for power
•
•
•
•
Range: a few meters
Little memory: ~128 bits
Little computation: no real cryptography
Transmit number in response to request
from reader
12 April 2005
University of Virginia CS 588
32
RFID Reader
• To avoid conflicts RFID reader queries
bit-by-bit
0
1
?
00
000
01
001 010
10
011 100
101 110
11
111
Graph from Ari Juels slide
12 April 2005
University of Virginia CS 588
33
RFID Applications
More Efficient Mugging
“Just in case you
want to know, she’s
got 700 Euro and
20 World Cup tickets…”
From Ari Juels USENIX Security 2004 talk:
RFID: Security and Privacy for Five-Cent Computers
http://www.usenix.org/events/sec04/tech/slides/juels.htm
12 April 2005
University of Virginia CS 588
34
Blocking RFID
[Juels, Rivest, & Szydlo CCS ‘03]
• Recall RFID Reader:
0
1
?
00
000
01
001 010
10
011 100
101 110
11
111
Graph from Ari Juels slide
12 April 2005
University of Virginia CS 588
35
RFID Blocker
• Is there a tag that starts with 0?
• Is there a tag that stats with 1?
• Always respond yes, represent all
possible tags
12 April 2005
University of Virginia CS 588
36
Picture from Ari Juels talk
12 April 2005
University of Virginia CS 588
37
Charge
• Cryptographers can make infinite amounts of
money (but can’t make it heavy)
• CS150 Plug: Fall 2005 Course
– Computer Science: from Ada & Euclid to Quantum
Computing and the World Wide Web
– Open to all University students
• No computing background expected
• But…covers material that will be new to most 4th year CS
students
– Recruit your friends (especially from the College) to
take it
12 April 2005
University of Virginia CS 588
38