
Digital Cash

Jason Bay
Gilbert Zaragoza

1
Overview
• History of Money
• Intro to Digital Cash
• E-Commerce systems
• RSA encryption
• Digital Signatures
• Implementation of digital cash

2
History of Money
• Barter trade
• Money with intrinsic value
• Money backed by reserves
• Money with no intrinsic value (fiat)

3
Digital cash
• Intangible
• Can be transferred over information networks
• No intrinsic value (like fiat money)

4
Digital Cash
• Since no intrinsic value, value derived by agreement
• Ability to authenticate
• Agreement to honor
• Recognize worth and legal tender
• Allows for e-commerce

5
Pre-requisites
• Public key encryption
• Blind signatures (for anonymity)
• System/Protocol for e-transactions

6
Digital Cash systems
• DigiCash
• PayPal
• SET

7
Schematics of e-commerce

8
The Participants
• The Cardholder
• The Bank
• The Merchant

9
Rivest-Shamir-Adleman
• Theorem:
Assume $p$ and $q$ are distinct prime numbers (typically large) and let $m = pq$. Let $e$ be an integer such that $e \perp \varphi(m)$ (that is, $e$ is coprime to $\varphi(m)$) and set $d = e^{-1} \bmod \varphi(m)$. Then for each integer $x$ in the range $1 \le x < m$ we have that
$(x^e)^d \bmod m = x$

10
RSA Process
• Step 1: Generate Keys
Public Keys: $m$ and $e$
Private Key: $\varphi(m) = (p-1)(q-1)$
$d = e^{-1} \bmod \varphi(m)$
• Step 2: Establish Protocol
A protocol must be used to convert text messages into a sequence of positive integers $< m$.
• Step 3: Sending the Message
Using the agreed upon protocol convert a message into a sequence of positive integers $< m$.
For each integer $x$, calculate $y = x^e \bmod m$ and send $y$.
• Step 4: Decrypting the Message
For each $y$, calculate $x = y^d \bmod m$.
Convert each $x$ into text using the established protocol.

11
RSA Example
• Suppose my public key is (1009, 264099224369484639974579586676121)
• Jason wishes to send me the message, 123456789.
• He computes $y = 123456789^{1003} \bmod 264099224369484639974579586676121$, i.e. $y = x^e \bmod m$
• Sends $y$ to me, which I then decipher using my private key, $d = e^{-1} \bmod \varphi(m)$, where $\varphi(m) = (p-1)(q-1)$
• So $x = y^d \bmod m$ = ??? 5758357716678561924068988749703689 mod 264099224369484639974579586676121 = 123456789

12
Electronic Signature
• RSA supports a scheme for deducing that a given message could only have come from one source.
• Involves two sets of keys: the sender's and the receiver's.
Thus 2 sets of keys:
$(e_s, m_s), (d_s, m_s)$ and $(e_r, m_r), (d_r, m_r)$

13
Sending a Message
• Suppose I wish to send the message $x$ to Jason
• I would use my private key $(d_G, m_G)$ and Jason’s public key $(e_J, m_J)$ to encipher $x$, such that:
$y = (x^{d_G} \bmod m_G)^{e_J} \bmod m_J$ where $m_G < m_J$
• Notice that if $m_J < m_G$, some parts of the message would have been lost. Therefore $y < m_J$ or must be broken into parts $y' < m_J$ and by default $y' < m_G$

14
Deciphering a message
• Jason then takes $y$ and deciphers it using his private key and my public key such that:
$x = (y^{d_J} \bmod m_J)^{e_G} \bmod m_G$

15
Why It Works
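• Let $z = x^{d_J} \bmod m_J$
$(z^{e_G} \bmod m_G)^{d_G} \bmod m_G = z^{e_G d_G} \bmod m_G = z \bmod m_G = z$
Since $z < m_G$ by default
• Now substituting in for $z$
$(((x^{d_J} \bmod m_J)^{e_G} \bmod m_G)^{d_G} \bmod m_G)^{e_J} \bmod m_J$
$= ((z^{e_G} \bmod m_G)^{d_G} \bmod m_G)^{e_J} \bmod m_J$
$= z^{e_J} \bmod m_J$
$= (x^{d_J} \bmod m_J)^{e_J} \bmod m_J$
$= x^{d_J e_J} \bmod m_J$
$= x$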
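
The modulus-ordering condition from the "Sending a Message" slide, checked exhaustively in an added example that is not part of the original deck. The toy primes and the helper names (`keypair`, `lost_messages`) are assumptions made for illustration; this is textbook RSA without padding.

```python
def keypair(p, q, e):
    """Textbook RSA key from primes p, q: returns (e, d, m), d = e^-1 mod phi(m)."""
    phi = (p - 1) * (q - 1)
    return e, pow(e, -1, phi), p * q

def sign_then_encrypt(x, sender, receiver):
    """y = (x^dS mod mS)^eR mod mR: private key first, then the receiver's public key."""
    _, d_s, m_s = sender
    e_r, _, m_r = receiver
    return pow(pow(x, d_s, m_s), e_r, m_r)

def decrypt_then_verify(y, sender, receiver):
    """x = (y^dR mod mR)^eS mod mS: the receiver undoes both layers."""
    e_s, _, m_s = sender
    _, d_r, m_r = receiver
    return pow(pow(y, d_r, m_r), e_s, m_s)

def lost_messages(sender, receiver):
    """Count the messages x < m_sender that do not survive the round trip."""
    m_s = sender[2]
    return sum(
        decrypt_then_verify(sign_then_encrypt(x, sender, receiver), sender, receiver) != x
        for x in range(m_s)
    )

# Constructed toy keys (real moduli are thousands of bits long).
G = keypair(61, 53, 17)   # m_G = 3233
J = keypair(89, 97, 5)    # m_J = 8633

if __name__ == "__main__":
    # m_G < m_J: every signed value fits below m_J, so nothing is lost.
    print("G -> J lost:", lost_messages(G, J))
    # m_J < m_G (roles swapped): every signature value >= the receiver's
    # modulus is reduced on encryption and cannot be recovered.
    print("J -> G lost:", lost_messages(J, G))
```

When the sender's modulus is the larger one, the number of unrecoverable messages is exactly the difference between the two moduli, which is why the message must be split into parts below both.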

16
Fraud
• Suppose Prof. Carlsson intercepts my message to Jason in the form:
$y = (x^{e_J} \bmod m_J)^{d_G} \bmod m_G$
He could then strip off my signature by computing
$z = y^{e_G} \bmod m_G$
and attach his own signature by computing
$y' = z^{d_C} \bmod m_C$
and sending this message to Jason.
• Jason upon receiving the message will assume it came from Prof. Carlsson, although Prof. Carlsson will not have known what message he sent.

17
Protection Against Fraud
• Time and name stamp within message
• Always encipher using the private key first.
• Each person could publish

18
Digital Signature
• The Digital Signature Standard (DSS) is designed to allow digital signatures as a legal alternative to traditionally signed documents. It also allows for maintaining anonymity.

19
DSS Parameters
• A prime $p$ in the range $2^{L-1} < p < 2^L$, where $512 < L < 1024$ and $L$ is a multiple of 64
• A prime $q$ that divides $p-1$ and where $2^{159} < q < 2^{160}$
• An integer $g$ in the range $1 < g < p$: $g = h^{(p-1)/q} \bmod p$
• A randomly generated integer $x$ in the range $0 < x < q$
• The integer $y = g^x \bmod p$
• A randomly generated integer $k$ in the range $0 < k < q$

20
DSS Signing
• Public keys are $p$, $q$, and $g$, which can be shared by a group
• Individuals have private key $x$, and public key $y$, and a new $k$ is chosen for each signed document
• A digital signature of an encrypted message, $m$, is a pair $(r, s)$ of integers
$r = (g^k \bmod p) \bmod q$
$s = k^{-1}(m + xr) \bmod q$

21
Verifying Signatures
• To verify a signature compute
$t = m s^{-1} \bmod q$
$u = r s^{-1} \bmod q$
$v = (g^t y^u \bmod p) \bmod q$
If $v = r$ then the signature is verified

22
Why Verification Works
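$s^{-1} \bmod q = k(m + xr)^{-1} \bmod q$
$s^{-1}(m + xr) \bmod q = k \bmod q$
Therefore (on this slide $t = s^{-1} \bmod q$, $u = mt \bmod q$ and $v = rt \bmod q$)
$(g^u y^v \bmod p) \bmod q = (g^{mt \bmod q}\, y^{rt \bmod q} \bmod p) \bmod q$
$= (g^{mt \bmod q}\, g^{xrt \bmod q} \bmod p) \bmod q$
$= (g^{(mt + xrt) \bmod q} \bmod p) \bmod q$
$= (g^{(m + xr)s^{-1} \bmod q} \bmod p) \bmod q$
$= (g^{k \bmod q} \bmod p) \bmod q$
$= (g^k \bmod p) \bmod q$
$= r$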

23
DSS Example
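
A run of the signing and verification formulas from the preceding slides, added here as an example and not taken from the original deck. The toy group ($p = 2039$, $q = 1019$, $h = 2$), the SHA-256 mapping of the message to the integer $m$, and the function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy group: q divides p - 1 and g = h^((p-1)/q) mod p with h = 2.
# DSS itself calls for a 160-bit q and a much larger p.
P, Q = 2039, 1019
G = pow(2, (P - 1) // Q, P)

def digest(message: bytes) -> int:
    """Map the message to the integer m (SHA-256 reduced mod q; an assumption)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q

def keygen():
    """Private x with 0 < x < q and public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(m: int, x: int):
    """Return (r, s); a fresh k is drawn for every signature."""
    while True:
        k = secrets.randbelow(Q - 1) + 1          # 0 < k < q
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (m + x * r) % Q
        if r and s:                               # retry: s must be invertible
            return r, s

def verify(m: int, sig, y: int) -> bool:
    """t = m/s, u = r/s, v = (g^t * y^u mod p) mod q; accept when v == r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):             # reject out-of-range values
        return False
    s_inv = pow(s, -1, Q)
    t = m * s_inv % Q
    u = r * s_inv % Q
    v = pow(G, t, P) * pow(y, u, P) % P % Q
    return v == r

if __name__ == "__main__":
    x, y = keygen()
    m = digest(b"pay 10 units to merchant 42")    # constructed sample message
    sig = sign(m, x)
    print("signature", sig, "valid:", verify(m, sig, y))
    print("altered message valid:", verify((m + 1) % Q, sig, y))
```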

24
Classifications
• Identified vs. Anonymous
• Online vs. Offline
• Most interesting case: Anonymous offline digital cash

25
Key problem
• Anonymous offline digital cash
• Prevention of double-spending
• Counterfeiting is easy
• Discussion method: S. Brands
• Schnorr-type protocol
• Challenge-and-response to prove possession of coin
• Restricted blind signatures to protect identity

26
Basic proposition
• For a large prime $p$ such that $q = (p-1)/2$ is also prime
• Then $g^{k_1} \equiv g^{k_2} \pmod p \Rightarrow k_1 \equiv k_2 \pmod q$

27
Initialization
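| Variable | Relation | Known to bank? | Known to spender? |
|---|---|---|---|
| $g, g_1, g_2$ | g is index of rest | YES | YES |
| $x$ | Bank ID | YES | NO |
| $h, h_1, h_2$ | $h_i \equiv g_i^x \pmod p$ | YES | YES |
| $u$ | Spender ID | NO | YES |
| $I$ | $I \equiv g_1^u \pmod p$ | YES | YES |
| $z'$ | $z' \equiv (I g_2)^x \pmod p$ | YES | YES |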

28
Coin Creation (A,B,z,a,b,r)
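| Variable | Relation | Known to bank? | Known to spender? |
|---|---|---|---|
| $w$ | Random # unique to each coin | YES | NO |
| $g_w$, $\beta$ | $g_w \equiv g^w \pmod p$; $\beta \equiv (I g_2)^w \pmod p$ | YES | YES |
| $s, x_1, x_2$, 1, 2 | Random # unique to each coin | NO | YES |
| $A$, $B$ | $A \equiv (I g_2)^s \pmod p$; $B \equiv g_1^{x_1} g_2^{x_2} \pmod p$ | YES | YES |
| $z$ | $z \equiv z'^{s} \pmod p$; $z \equiv (I g_2)^{sx} \pmod p$ | YES | YES |
| $a$, $b$ | a  (gw1g2) (mod p); b  βs.1A2 (mod p) | YES | YES |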

29
Coin Creation (r)
| Variable | Relation | Known to bank? | Known to spender? |
|---|---|---|---|
| $c$ | c  1-1H(A,B,z,a,b) (mod q) | YES | YES |
| $c_1$ | $c_1 \equiv cx + w \pmod q$ | YES | YES |
| $r$ | r  1c1 + 2 (mod q) | YES | YES |

30
Verifying coins
• Check validity of coin
• $g^r \equiv a\,h^{H(A,B,z,a,b)} \pmod p$
• $A^r \equiv z^{H(A,B,z,a,b)}\,b \pmod p$
• Authenticate spender (since identity anonymous)
• $d = H_0(A,B,M,t)$
• $r_1 \equiv dus + x_1$, $r_2 \equiv ds + x_2 \pmod q$
• $g_1^{r_1} g_2^{r_2} \equiv A^d B \pmod p$

31
Double-spending problem
• Spender computes $r_1 \equiv dus + x_1$, $r_2 \equiv ds + x_2 \pmod q$ and sends to merchant
• $d$ – Hashed, unique transaction identifier computed by merchant
• $u$ – Spender’s secret number
• $s, x_1, x_2$ – Secret numbers (only spender knows)

32
Double-spending problem
• In double spending, each merchant sends a different value of $d$, say $d'$
• $r_1 \equiv dus + x_1$, $r_2 \equiv ds + x_2 \pmod q$
$r_1' \equiv d'us + x_1$, $r_2' \equiv d's + x_2 \pmod q$
• Bank receives two sets of $(r_1, r_2, d)$
• $r_1 - r_1' \equiv us(d - d')$, $r_2 - r_2' \equiv s(d - d') \pmod q$
$u \equiv (r_1 - r_1')(r_2 - r_2')^{-1} \pmod q$ and the spender is identified
• Much like 2 points determine a line, $u$ is the slope of the line.
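
The merchant's check and the bank's identity recovery from the slides above, worked through as an added example that is not part of the original deck. The toy parameters ($p = 2039$, $q = 1019$, $g_1 = 4$, $g_2 = 9$), the use of SHA-256 for $H_0$, and the function names are assumptions made for illustration; the blind-signature part of the coin is left out.

```python
import hashlib

# Constructed toy parameters: p = 2q + 1 with p, q prime; g1 and g2 are
# squares mod p, so both have order q. Real systems use far larger primes.
P, Q = 2039, 1019
G1, G2 = 4, 9

def challenge(A, B, merchant_id, timestamp):
    """d = H0(A, B, M, t) reduced mod q (SHA-256 stands in for H0)."""
    data = f"{A}|{B}|{merchant_id}|{timestamp}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def make_coin(u, s, x1, x2):
    """Spender: A = (I*g2)^s and B = g1^x1 * g2^x2 (mod p), where I = g1^u."""
    I = pow(G1, u, P)
    A = pow(I * G2 % P, s, P)
    B = pow(G1, x1, P) * pow(G2, x2, P) % P
    return A, B

def respond(u, s, x1, x2, d):
    """Spender's answer to challenge d: r1 = d*u*s + x1, r2 = d*s + x2 (mod q)."""
    return (d * u * s + x1) % Q, (d * s + x2) % Q

def merchant_accepts(A, B, d, r1, r2):
    """Merchant: check g1^r1 * g2^r2 == A^d * B (mod p)."""
    return pow(G1, r1, P) * pow(G2, r2, P) % P == pow(A, d, P) * B % P

def identify_double_spender(dep1, dep2):
    """Bank: from two deposits (d, r1, r2) of the same coin, recover u.
    Returns None when r2 is unchanged (same challenge, so a single spend)."""
    (_, r1, r2), (_, r1b, r2b) = dep1, dep2
    diff = (r2 - r2b) % Q
    if diff == 0:
        return None
    return (r1 - r1b) * pow(diff, -1, Q) % Q

if __name__ == "__main__":
    u, s, x1, x2 = 777, 123, 456, 789            # constructed spender secrets
    A, B = make_coin(u, s, x1, x2)
    deposits = []
    for merchant in ("shop-A", "shop-B"):        # the same coin spent twice
        d = challenge(A, B, merchant, "2024-01-01T00:00")
        r1, r2 = respond(u, s, x1, x2, d)
        print(merchant, "accepts:", merchant_accepts(A, B, d, r1, r2))
        deposits.append((d, r1, r2))
    print("recovered u:", identify_double_spender(*deposits))
```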
33
Built-in features
• Only the Spender knows how to generate $r_1$, $r_2$
• Only Bank knows how to compute $c_1$
• Bank employee can cheat, but cannot compute $r_1$, $r_2$
• Only 1 transaction per coin since Merchant does not know how to generate $r_1$, $r_2$ -> Easy to identify all parties involved: Bank, Spender, Merchant once fraud detected

34
Anonymity
• Bank cannot identify coin with Spender since it does not know $A, B, z, a, b, r$ at time of coin creation
• At time of deposit, no change since $A, B, z, a, b$ are random powers of $g$ and therefore random numbers to all but Spender
• 1, 2 provide restricted blind signature. Single use cannot identify Spender, but double-spending does
35
The End

36
