Jason Bay
Gilbert Zaragoza
1
Overview
History of Money
Intro to Digital Cash
E-Commerce systems
RSA encryption
Digital Signatures
Implementation of digital cash
2
History of Money
Barter trade
Money with intrinsic value
Money backed by reserves
Money with no intrinsic value (fiat)
3
Digital cash
Intangible
Can be transferred over information
networks
No intrinsic value (like fiat money)
4
Digital Cash
Since no intrinsic value, value derived
by agreement
Ability to authenticate
Agreement to honor
Recognize worth and legal tender
Allows for e-commerce
5
Pre-requisites
Public key encryption
Blind signatures (for anonymity)
System/Protocol for e-transactions
6
Digital Cash systems
DigiCash
PayPal
SET
7
Schematics of e-commerce
8
The Participants
The Cardholder
The Bank
The Merchant
9
Rivest-Shamir-Adleman
Theorem:
Assume p and q are distinct prime numbers (typically large) and let $m = pq$. Let e be an integer such that $e \perp \varphi(m)$ and set $d = e^{-1} \bmod \varphi(m)$. Then for each integer x in the range $1 \le x < m$ we have that
$(x^e)^d \bmod m = x$
10
RSA Process
Step 1: Generate Keys
Public Keys: m and e
Private Key: $\varphi(m) = (p-1)(q-1)$
$d = e^{-1} \bmod \varphi(m)$
Step 2: Establish Protocol
A protocol must be used to convert text messages into a sequence of
positive integers < m.
11
RSA Example
Suppose my public key is (1009, 264099224369484639974579586676121)
Jason wishes to send me the message, 123456789.
He computes $y = 123456789^{1003} \bmod 264099224369484639974579586676121$
i.e. $y = x^e \bmod m$
Sends y to me, which I then decipher using my private key,
$d = e^{-1} \bmod \varphi(m)$, where $\varphi(m) = (p-1)(q-1)$
So $x = y^d \bmod m$ = ??? 5758357716678561924068988749703689 mod 264099224369484639974579586676121 = 123456789
12
Electronic Signature
RSA supports a scheme for deducing
that a given message could only have
come from one source.
Involves two sets of keys: the sender's and the receiver's
Thus 2 sets of keys:
$(e_s, m_s), (d_s, m_s)$ and $(e_r, m_r), (d_r, m_r)$
13
Sending a Message
Suppose I wish to send the message x to Jason
14
Deciphering a message
Jason then takes y and deciphers it
using his private key and my public key
such that:
$x = (y^{d_J} \bmod m_J)^{e_G} \bmod m_G$
15
Why It Works
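Let $z = x^{d_J} \bmod m_J$
$(z^{e_G} \bmod m_G)^{d_G} \bmod m_G = z^{e_G d_G} \bmod m_G = z \bmod m_G = z$
Since $z < m_G$ by default
Now substituting in for z
$(((x^{d_J} \bmod m_J)^{e_G} \bmod m_G)^{d_G} \bmod m_G)^{e_J} \bmod m_J$
$= ((z^{e_G} \bmod m_G)^{d_G} \bmod m_G)^{e_J} \bmod m_J$
$= z^{e_J} \bmod m_J$
$= (x^{d_J} \bmod m_J)^{e_J} \bmod m_J$
$= x^{d_J e_J} \bmod m_J$
$= x$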
16
Fraud
Suppose Prof. Carlsson intercepts my message to Jason in the form:
$y = (x^{e_J} \bmod m_J)^{d_G} \bmod m_G$
He could then strip off my signature by computing
$z = y^{e_G} \bmod m_G$
and attach his own signature by computing
$y' = z^{d_C} \bmod m_C$
and sending this message to Jason.
17
Protection Against Fraud
Time and name stamp within message
Always encipher using the private key first.
Each person could publish
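
The Fraud slide and the name-stamp protection, worked through in Python. This is an added example, not part of the original slides; the toy primes, the numeric name stamps in `IDS` and all function names are constructed for illustration.

```python
def keypair(p, q, e):
    """Toy RSA key from two primes: (e, d, m) with d = e^-1 mod (p-1)(q-1)."""
    return e, pow(e, -1, (p - 1) * (q - 1)), p * q

# Constructed toy keys, ordered m_J < m_G < m_C so no intermediate value is truncated.
JASON = keypair(53, 61, 17)        # m_J = 3233
GILBERT = keypair(89, 97, 17)      # m_G = 8633
CARLSSON = keypair(101, 103, 7)    # m_C = 10403

def encrypt_then_sign(x, sender, recipient):
    """Fraud-slide form: y = (x^e_r mod m_r)^d_s mod m_s."""
    e_r, _, m_r = recipient
    _, d_s, m_s = sender
    return pow(pow(x, e_r, m_r), d_s, m_s)

def open_message(y, claimed_sender, recipient):
    """Recipient removes the claimed sender's signature, then decrypts."""
    e_s, _, m_s = claimed_sender
    _, d_r, m_r = recipient
    return pow(pow(y, e_s, m_s), d_r, m_r)

def resign(y, original_sender, new_sender):
    """Fraud-slide step: strip a signature with the public (e, m) of the
    original sender, then attach the new sender's signature."""
    e_o, _, m_o = original_sender
    _, d_n, m_n = new_sender
    return pow(pow(y, e_o, m_o), d_n, m_n)

# Protection: a name stamp inside the plaintext, checked against the signing key.
IDS = {"gilbert": 1, "carlsson": 2}    # hypothetical numeric name stamps

def stamp(body, name):
    """Prefix a body in [0, 100) with the sender's stamp."""
    return IDS[name] * 100 + body

def open_checked(y, claimed_name, claimed_key, recipient):
    """Open the message and reject it if the stamp names someone else."""
    x = open_message(y, claimed_key, recipient)
    if x // 100 != IDS[claimed_name]:
        raise ValueError("name stamp does not match signing key")
    return x % 100
```

Without the stamp, `open_message(resign(y, GILBERT, CARLSSON), CARLSSON, JASON)` returns the original plaintext, so Jason would attribute it to the wrong signer; with the stamp, `open_checked` raises.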
18
Digital Signature
The Digital Signature Standard (DSS) is
designed to allow digital signatures as a
legal alternative to traditionally signed
documents. It also allows for
maintaining anonymity.
19
DSS Parameters
A prime p in the range
$2^{L-1} < p < 2^L$, where 512 < L < 1024 and L is a multiple of 64
A prime q that divides p-1 and where
$2^{159} < q < 2^{160}$
An integer g in the range 1 < g < p
$g = h^{(p-1)/q} \bmod p$
A randomly generated integer x in the range
0 < x < q
The integer $y = g^x \bmod p$
A randomly generated integer k in the range
0 < k < q
20
DSS Signing
Public keys are p, q, and g, which can be
shared by a group
Individuals have private key x, and public key
y and a new k is chosen for each signed
document
A digital signature of an encrypted message,
m, is a pair (r, s) of integers
$r = (g^k \bmod p) \bmod q$
$s = k^{-1}(m + xr) \bmod q$
21
Verifying Signatures
To verify a signature compute
$t = m s^{-1} \bmod q$
$u = r s^{-1} \bmod q$
$v = (g^t y^u \bmod p) \bmod q$
If v = r then the signature is verified
22
Why Verification Works
$s^{-1} \bmod q = k(m + xr)^{-1} \bmod q$
$s^{-1}(m + xr) \bmod q = k \bmod q$
Therefore
$(g^u y^v \bmod p) \bmod q = (g^{mt \bmod q}\, y^{rt \bmod q} \bmod p) \bmod q$
$= (g^{mt \bmod q}\, g^{xrt \bmod q} \bmod p) \bmod q$
$= (g^{(mt + xrt) \bmod q} \bmod p) \bmod q$
$= (g^{(m + xr)s^{-1} \bmod q} \bmod p) \bmod q$
$= (g^{k \bmod q} \bmod p) \bmod q$
$= (g^k \bmod p) \bmod q$
$= r$
23
DSS Example
24
Classifications
Identified vs. Anonymous
Online vs. Offline
25
Key problem
Anonymous offline digital cash
Prevention of double-spending
Counterfeiting is easy
Discussion method: S. Brands
Schnorr-type protocol
Challenge-and-response to prove possession of
coin
Restricted blind signatures to protect identity
26
Basic proposition
For a large prime, p, such that q = (p-1)/2, is also prime
Then, $g^{k_1} \equiv g^{k_2} \pmod p \Rightarrow k_1 \equiv k_2 \pmod q$
27
Initialization
Variable Relation Known to bank? Known to spender?
x Bank ID YES NO
u Spender ID NO YES
28
Coin Creation (A,B,z,a,b,r)
Variable         Relation                                                               Known to bank?   Known to spender?
w                Random # unique to each coin                                           YES              NO
g_w, β           $g_w \equiv g^w \pmod p$, $\beta \equiv (I g_2)^w \pmod p$             YES              YES
s,x1,x2,1, 2     Random # unique to each coin                                           NO               YES
A, B             $A \equiv (I g_2)^s \pmod p$, $B \equiv g_1^{x_1} g_2^{x_2} \pmod p$   YES              YES
z                $z \equiv z'^s \pmod p$, $z \equiv (I g_2)^{s \cdot x} \pmod p$        YES              YES
a, b             a (gw1g2) (mod p), b βs.1A2 (mod p)                                    YES              YES
29
Coin Creation (r)
Variable Relation Known to bank? Known to spender?
30
Verifying coins
Check validity of coin
$g^r \equiv a\, h^{H(A,B,z,a,b)} \pmod p$
$A^r \equiv z^{H(A,B,z,a,b)}\, b \pmod p$
Authenticate spender (since identity anonymous)
$d = H_0(A,B,M,t)$
$r_1 \equiv dus + x_1$, $r_2 \equiv ds + x_2 \pmod q$
$g_1^{r_1} g_2^{r_2} \equiv A^d B \pmod p$
31
Double-spending problem
Spender computes $r_1 \equiv dus + x_1$, $r_2 \equiv ds + x_2 \pmod q$ and sends to merchant
d – Hashed, unique transaction identifier
computed by merchant
u – Spender’s secret number
s, x1, x2 – Secret numbers (only spender
knows)
32
Double-spending problem
In double spending, each merchant sends a different value of d, say d'
$r_1 \equiv dus + x_1$, $r_2 \equiv ds + x_2 \pmod q$
$r_1' \equiv d'us + x_1$, $r_2' \equiv d's + x_2 \pmod q$
Bank receives two sets of $(r_1, r_2, d)$
$r_1 - r_1' \equiv us(d - d')$, $r_2 - r_2' \equiv s(d - d') \pmod q$
$u \equiv (r_1 - r_1')(r_2 - r_2')^{-1} \pmod q$ and the spender is identified
Much like 2 points determine line, u is the slope of line.
33
Built-in features
Only the Spender knows how to generate r1,
r2
Only Bank knows how to compute c1
Bank employee can cheat, but cannot
compute r1, r2
Only 1 transaction per coin since Merchant
does not know how to generate r1, r2 -> Easy
to identify all parties involved: Bank, Spender,
Merchant once fraud detected
34
Anonymity
Bank cannot identify coin with Spender since
it does not know A,B,z,a,b,r at time of coin
creation
At time of deposit, no change since A,B,z,a,b
are random powers of g and therefore
random numbers to all but Spender
1, 2 provide restricted blind signature.
Single use cannot identify Spender, but
double-spending does
35
The End
36