Lecture 12: Randomness and Cash
Cash is a problem. It’s annoying to carry, it spreads
germs, and people can steal it from you. Checks and
credit cards have reduced the amount of physical cash
flowing through society, but the complete elimination of
cash is virtually impossible. It’ll never happen; drug
dealers and politicians would never stand for it. Checks
and credit cards have an audit trail; you can’t hide to
whom you gave money.
Bruce Schneier, Applied Cryptography
CS551: Security and Privacy
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/~evans
Menu
• Randomness
• Money
27 July 2016
University of Virginia CS 551
2
Random Numbers
• For numbers in range \(0 \ldots 2^n - 1\), an
observer with the first m - 1 numbers
cannot guess the mth with probability
better than \(1/2^n\).
Good Random Numbers
• Lava Lamps
(http://lavarand.sgi.com)
• Geiger Counter and Radioactive stuff
Pseudo-Random Number Generators
1. Start in a hard-to-guess state
2. Run an algorithm that generates an
unpredictable sequence from that
state
Bad Random Numbers
    srandom (time (NULL));
    for (...) random ();
Doesn’t satisfy either property!
• random ()
– Doesn’t give cryptographic random numbers
• Using system clock in milliseconds to seed
(even a good PRNG)
– There are only 24*60*60*1000 = 86.4M
• Fine for video games, not fine for protecting
nuclear secrets.
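Jefferson Wheel Challenge Key Generator
    #include <stdio.h>
    #include <stdlib.h>
    #include <time.h>
    #define NUMWHEELS 36

    int main (void) {
        long key[NUMWHEELS]; int i, j;
        /* The clock is the only unpredictable input to the whole key. */
        srandom ((unsigned)time (NULL));
        for (i = 0; i < NUMWHEELS; i++) key[i] = random ();
        /* Print wheel indices from highest draw to lowest. */
        for (i = 0; i < NUMWHEELS; i++) {
            long highest = -1;
            int highindex = -1;
            for (j = 0; j < NUMWHEELS; j++) {
                if (key[j] > highest) { highindex = j; highest = key[j]; }
            }
            fprintf (stdout, "%d\n", highindex);
            key[highindex] = -1;
        }
        return 0;
    }
Reduces key space from 36! (\(3.7 \times 10^{41}\)) to 86M!
Challenge is now \(2.3 \times 10^{34}\) easier!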
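An added illustration, not code from the lecture: a Python port of the key generator above beside a version that shuffles with the operating system's CSPRNG, plus the key-space comparison in bits. Python's random.Random stands in for srandom()/random(), and all function names are made up for this example.

```python
import math
import random
import secrets

NUMWHEELS = 36
SEEDS_PER_DAY = 24 * 60 * 60 * 1000   # the slide's millisecond-clock seed count

def weak_wheel_order(seed):
    """Port of the slide's generator: one PRNG draw per wheel, then wheel
    indices listed from highest draw to lowest. The seed fixes everything."""
    prng = random.Random(seed)         # assumption: stand-in for libc random()
    draws = [prng.getrandbits(31) for _ in range(NUMWHEELS)]
    return sorted(range(NUMWHEELS), key=lambda j: draws[j], reverse=True)

def strong_wheel_order():
    """Same output format, shuffled with OS randomness instead of a clock seed."""
    order = list(range(NUMWHEELS))
    secrets.SystemRandom().shuffle(order)
    return order

def key_space_bits():
    """Bits of an ideal wheel order vs. the most a clock seed can supply."""
    ideal = math.log2(math.factorial(NUMWHEELS))
    seeded = math.log2(SEEDS_PER_DAY)
    return ideal, seeded

if __name__ == "__main__":
    ideal, seeded = key_space_bits()
    print(f"ideal key: {ideal:.1f} bits, clock-seeded key: {seeded:.1f} bits")
    # Same seed, same key: the permutation carries no entropy beyond the seed.
    print(weak_wheel_order(1234) == weak_wheel_order(1234))
    print(strong_wheel_order())
```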
Yarrow-160
• Accumulate Entropy
– Unspecified how: implementer decides
– User keystrokes, disk seek times, network activity
(be careful!), etc.
• Use entropy and SHA1 hash function to
produce unpredictable K.
• Calculate random numbers:
\(C = (C + 1) \bmod 2^n\)
\(R = E_K(C)\)
• \(E_K\) is 3DES
Digital Cash
Real Cash
• Why does it have value?
– Nice pictures of Mr. Jefferson (< 1¢)
– Because it is hard to print (< 5¢)
• Because other people think it does
– We trust our government not to print too
much
– People who forge it get sent to jail
Counterfeiting
• Secret Service seized $209M in 1994 (of
$380B circulated)
• Nearly 2/3 of US cash is in foreign countries
• Why did US bills change?
– Iran and Syria probably print counterfeit US bills
– They have a De La Rue Giori (Switzerland) printing
press, same as used for old US bills
– 1992 report, led to currency redesign
• Most foreign countries are smarter
– Use of color
– Obvious, well-known security features
– Bigger bills for bigger denominations
Properties of Physical Cash
• Universally recognized as valuable
• Easy to transfer
• Anonymous
• Heavy
• Moderately difficult to counterfeit in
small quantities
• Extremely difficult to get away with
counterfeiting large quantities (unless
you are Iran or Syria)
IOU Protocol (Lecture 9)
M = “I, Alice, owe Bob $1000.”
Alice {\(KU_A\), \(KR_A\)} to Bob (knows \(KU_A\)): M, \(E_{KR_A}[H(M)]\)
To Judge (knows \(KU_A\)): M, \(E_{KR_A}[H(M)]\)
Bob can verify H(M) by
decrypting, but cannot forge
M, \(E_{KR_A}[H(M)]\) pair without
knowing \(KR_A\).
IOU Protocol
x Universally recognized as valuable
x Easy to transfer
x Anonymous
x Heavy
? Moderately difficult to counterfeit in
small quantities
? Extremely difficult to get away with
counterfeiting large quantities (unless
you are Iran or Syria)
What is cash really?
• IOU from a bank
• Instead of generating, “I, Alice, owe Bob
$1000”, let’s generate, “I, the
Trustworthy Trust Bank, owe the bearer
of this note $1000.”
• Alice asks the bank for an IOU, and the
bank deducts $1000 from her account.
Bank IOU Protocol
Universally recognized as valuable
Easy to transfer
Anonymous
x Heavy
? Moderately difficult to counterfeit in
small quantities
? Extremely difficult to get away with
counterfeiting large quantities (unless
you are Iran or Syria)
Counterfeiting Bank IOUs
• Assuming the hash and signature are
secure
• Alice gives Bob bank IOU for $1000
• Bob sends bank 100 copies of bank
IOU
• The bank has lost $99 000.
• Bits are easy to copy! Hard to make
something rare...
Bank Identifiers
• Bank adds a unique tag to each IOU it
generates
• When someone cashes an IOU, bank
checks that that IOU has not already
been cashed
• Can’t tell if it was Alice or Bob who
cheated
• Alice loses her anonymity – the bank
can tell where she spends her money
Digital Cash, Protocol #1
1. Alice prepares 100 money orders for
$1000 each.
2. Puts each one in a different sealed
envelope, with a piece of carbon paper.
3. Gives envelopes to bank.
4. Bank opens 99 envelopes and checks
they contain money order for $1000.
5. Bank signs the remaining envelope
without opening it (signature goes
through carbon paper).
Digital Cash, Protocol #1 cont.
6. Bank returns envelope to Alice and
deducts $1000 from her account.
7. Alice opens envelope, and spends the
money order.
8. Merchant checks the Bank’s signature.
9. Merchant deposits money order.
10. Bank verifies its signature and credits
Merchant’s account.
Digital Cash, Protocol #1
• Is it anonymous?
• Can Alice cheat?
– Make one of the money orders for $100000, 1%
chance of picking right bill, 99% chance bank
detects attempted fraud.
• Better make the penalty for this high (e.g., jail)
– Copy the signed money order and re-spend it.
• Can Merchant cheat?
– Copy the signed money order and re-deposit it.
Digital Cash, Protocol #2
• Idea: prevent double-spending by giving
each money order a unique ID.
• Problem: how do we provide unique IDs
without losing anonymity?
• Solution: let Alice generate the unique
IDs, and keep them secret from bank.
Digital Cash, Protocol #2
1. Alice prepares 100 money orders for
$1000 each, adds a long, unique random
ID to each note.
2. Puts each one in a different sealed
envelope, with a piece of carbon paper.
3. Gives envelopes to bank.
4. Bank opens 99 envelopes and checks they
contain money order for $1000.
5. Bank signs the remaining envelope without
opening it.
Digital Cash, Protocol #2 cont.
6. Bank returns envelope to Alice and
deducts $1000 from her account.
7. Alice opens envelope, and spends the
money order.
8. Merchant checks the Bank’s signature.
9. Merchant deposits money order.
10. Bank verifies its signature, checks that the
unique random ID has not already been
spent, credits Merchant’s account, and
records the unique random ID.
Digital Cash, Protocol #2
• Is it anonymous?
• Can Alice cheat?
• Can Merchant cheat?
• Can bank catch cheaters?
Mimicking Carbon Paper
• How does bank sign the envelope
without knowing what it contains?
• Normal signatures
Alice sends bank M
Bank sends Alice \(S_M = E_{KR_{Bank}}(M)\)
Alice shows \(S_M\) to Bob who decrypts with
bank’s public key.
Blind Signatures
• Alice picks random k between 1 and n.
• Sends bank \(t = m k^e \bmod n\). (e from
Bank’s public key).
• Bank signs t using private key d. Sends
Alice:
\(t^d = (m k^e \bmod n)^d \bmod n\)
\(= (m k^e)^d \bmod n \equiv m^d k^{ed} \bmod n\)
What do we know about \(k^{ed} \bmod n\)?
Blind Signatures
• Alice gets
td  mdk mod n
• Alice divides by k to get
sm  mdk / k  md mod n.
• Hence: bank can sign money orders
without opening them!
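The blinding, signing and unblinding steps above as a runnable sketch (an added example, not code from the lecture). The toy RSA key built from two Mersenne primes, the sample message and all function names are constructed for illustration. "Dividing by k" means multiplying by \(k^{-1} \bmod n\), so k must be coprime to n.

```python
import hashlib
import math
import secrets

# Constructed toy key for the bank; real RSA moduli are far larger.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # bank's private exponent

def blind(m, n=N, e=E):
    """Alice: pick random k coprime to n and return (t, k), t = m * k^e mod n."""
    while True:
        k = secrets.randbelow(n - 2) + 2
        if math.gcd(k, n) == 1:        # k must have an inverse mod n
            return (m * pow(k, e, n)) % n, k

def bank_sign(t, n=N, d=D):
    """Bank: compute t^d mod n on the blinded value; it never sees m."""
    return pow(t, d, n)

def unblind(signed_t, k, n=N):
    """Alice: multiply by k^-1 mod n, which leaves m^d mod n."""
    return (signed_t * pow(k, -1, n)) % n

def verify(m, s, n=N, e=E):
    """Merchant: check s^e mod n == m using the bank's public key."""
    return pow(s, e, n) == m % n

def demo():
    # Constructed message: hash of a sample money order, reduced mod n.
    order = b"Pay the bearer $1000, id 42"
    m = int.from_bytes(hashlib.sha256(order).digest(), "big") % N
    t, k = blind(m)
    s = unblind(bank_sign(t), k)
    return m, t, s

if __name__ == "__main__":
    m, t, s = demo()
    print("bank saw m:", t == m)       # False: the bank only saw the blinded t
    print("signature verifies:", verify(m, s))
```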
Digital Cash Protocol #2
• Instead of envelopes, Alice blinds each
money order using a different randomly
selected \(k_i\).
• The bank asks for any 99 of the \(k_i\)’s.
The bank unblinds the messages (by
dividing) and checks they are valid.
• The bank signs the other money order.
• Still haven’t solved the catching
cheaters problem!
Anonymity for Non-Cheaters
• Spend a bill once – maintain anonymity
• Spend a bill twice – lose anonymity
• Have we seen anything like this?
Digital Cash
1. Alice prepares n money orders each
containing:
Amount
Uniqueness String: X
Identity Strings: \(I_1 = (h(I_{1L}), h(I_{1R}))\)
...
\(I_n = (h(I_{nL}), h(I_{nR}))\)
Each \(I_n\) pair reveals Alice’s identity (name,
address, etc.). \(I = I_{iL} \oplus I_{iR}\).
h is a secure, one-way hash function.
Digital Cash, cont.
2. Alice blinds (multiplies by random k) all n
money orders and sends them to bank.
3. Bank asks for any n-1 of the random \(k_i\)s
and all its corresponding identity strings.
4. Bank checks money orders. If okay,
signs the remaining blinded money
order, and deducts amount from Alice’s
account.
Digital Cash, cont.
5. Alice unblinds the signed note, and
spends it with a Merchant.
6. Merchant asks Alice to randomly reveal
either \(I_{iL}\) or \(I_{iR}\) for each i. (Merchant
chooses n-bit selector string.)
7. Alice sends Merchant corresponding \(I_{iL}\)’s
or \(I_{iR}\)’s.
8. Merchant uses h to confirm Alice didn’t
cheat.
Digital Cash, cont.
9. Merchant takes money order and
identity string halves to bank.
10. Bank verifies its signature, and checks
uniqueness string. If it has not been
previously deposited, bank credits
Merchant and records uniqueness string
and identity string halves.
Digital Cash, cont.
11. If it has been previously deposited,
bank looks up previous identity string
halves. Finds one where both L and R
halves are known, and calculates I.
Arrests Alice.
12. If there are no i’s, where different
halves are known, arrest Merchant.
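An added sketch (not from the lecture) of the identity-string part of steps 1 and 6 to 12: how the bank tells a double-spending Alice from a re-depositing Merchant. It assumes the two halves of each pair combine by XOR and uses SHA-256 as h; blinding and the bank's signature check are left out, and all names are hypothetical.

```python
import hashlib
import secrets

def h(data):                      # assumption: SHA-256 standing in for h
    return hashlib.sha256(data).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_pairs(identity, n):
    """Alice: n random splits (I_iL, I_iR) with I_iL xor I_iR = identity."""
    lefts = [secrets.token_bytes(len(identity)) for _ in range(n)]
    return [(left, xor(left, identity)) for left in lefts]

def commit(pairs):
    """Written into the money order: (h(I_iL), h(I_iR)) for each i."""
    return [(h(left), h(right)) for left, right in pairs]

def reveal(pairs, selector):
    """Alice's answer to the Merchant: bit 0 -> left half, bit 1 -> right."""
    return [pair[bit] for pair, bit in zip(pairs, selector)]

def merchant_check(commits, selector, halves):
    """Step 8: every revealed half must hash to its committed value."""
    return all(h(half) == c[bit]
               for c, bit, half in zip(commits, selector, halves))

class Bank:
    def __init__(self):
        self.deposits = {}        # uniqueness string X -> (selector, halves)

    def deposit(self, x, selector, halves):
        """Steps 10-12: credit a fresh X, otherwise decide who cheated."""
        if x not in self.deposits:
            self.deposits[x] = (selector, halves)
            return ("credited", None)
        old_selector, old_halves = self.deposits[x]
        for i, (old_bit, new_bit) in enumerate(zip(old_selector, selector)):
            if old_bit != new_bit:            # both halves of pair i known
                return ("spender", xor(old_halves[i], halves[i]))
        return ("merchant", None)             # identical halves: re-deposit
```

Two merchants who choose different selector strings differ in at least one position, and that one position is enough to recover I; with n pairs, two random selectors collide with probability \(2^{-n}\).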
Digital Cash Protocol
Universally recognized as valuable
Easy to transfer
Anonymous
x Heavy
Moderately difficult to counterfeit in
small quantities
? Extremely difficult to get away with
counterfeiting large quantities (unless
you are Iran or Syria)
Digital Cash Summary
• Preserves anonymity of non-cheating
spenders (assuming large bank and
standard denominations)
• Doesn’t preserve anonymity of Merchants
• Requires a trusted off-line bank
• Expensive – lots of computation for one
transaction
• Other schemes (Millicent, CyberCoin,
NetBill, etc.) proposed for smaller
transactions
Charge
• PS3 due Wednesday
• Project proposal feedback in office
hours tomorrow (3-5)
• Next class:
– Factoring breakthrough
– Attacking biometrics
– Trust models