These study notes cover various protocols for anonymous money orders and blind signatures, which are essential for maintaining privacy in digital transactions. The authors, B. Warinschi and N.P. Smart, explore the problems with previous protocols and propose solutions using identity encoding, blind signatures, and commitment schemes. They also introduce zero-knowledge proofs for identification and non-interactive zero-knowledge proofs. The document also covers Schnorr signatures and RSA-FDH, as well as key encapsulation and data encapsulation mechanisms.
Typology: Study notes
B. Warinschi and N.P. Smart
Department of Computer Science, University Of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB United Kingdom.
January 30, 2009
Overview
- e-Cash
- Commitment Schemes
- Zero Knowledge Proofs
- Proofs of Security and Random Oracles
- Advanced ZK-Protocols
Locations for money:
- in your bank account,
- under your mattress,
- in your pocket,
- in cheques,
- in money orders, ....
There are various definitions of what money is.
- One of the main problems of certain areas of economics is to define money.
Digital money is the term that we use for the money in your bank account.
Your bank knows a great deal about it:
- how much you have;
- where it comes from;
- where it is going next.
Digital money can help to:
- reduce fraud, and
- give a complete audit trail.
It would be nice to have an electronic form of cash with all the benefits of cash itself.
There have been a number of digital cash systems proposed over the last twenty years.
- Many are based on constructs such as digital signatures, hash functions and zero-knowledge proofs.
There are a number of design issues:
- anonymity versus auditability;
- single-use tokens (to detect copying);
- payments across the Internet need to be made securely;
- scalability demands off-line processing.
In the next few slides we discuss a philosophical protocol which forms the basis of a number of real protocols.
Note: The bank, in step 5, cannot trace the MO back to Alice.
- This is because it never saw what it was signing.
Problem: How does the bank know it is signing a MO for 100 pounds and not 200 pounds?
Problem: If duplicate serial numbers are obtained by the bank, who does the bank accuse of cheating, Alice or Bob?
We need a method in which:
- Alice's identity is kept secret, unless
- she cheats, when it is revealed.
This is done using a variant of a zero-knowledge protocol.
Alice creates an identity string containing her details: name, address, etc.
- This is split into two (or many) pieces. Each piece is committed to on the money order before she sends it to the bank for signing.
- Alice cannot change her details (hence commitment).
- She can reveal (de-commit) what she committed to, and it can be verified that she has not cheated.
On the previous slide we required a method for Alice to commit to a string. Here we use a commitment scheme based on a hash function; we will see more details of commitment schemes in general later in the course. Suppose we have a bit string b to which Alice wishes to commit.
- Alice generates a random string P.
- Alice computes h = H(P‖b), where H is a cryptographic hash function.
- Alice publishes h.
For Alice to open the commitment, or de-commit, she proceeds as follows.
- Alice supplies P and b to Bob.
- Bob can then check that h in the commitment equals H(P‖b).
If Alice spends the same money order twice the bank will detect this and want to recover Alice's identity.
With two such money orders there is a high probability that, for some i, the bank obtains both Li and Ri, since for the two money orders with the same serial number Bob will have given two distinct bit vectors.
For example:
- Li from the first use of the money order, and
- Ri from the second use of the money order.
In this case the bank recovers Alice's identity: ID = Li ⊕ Ri.
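An added example (not code from the lecture notes) that puts the hash commitment H(P‖b) of the previous slides together with the identity encoding and the bank's recovery step ID = Li ⊕ Ri: the identity string, the number of pairs k and Bob's bit vectors are constructed values, and the serial number and blind signature are left out.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

def commit(b: bytes) -> Tuple[bytes, bytes]:
    """Alice commits to b: pick a random P, publish h = H(P || b), keep P for de-committing."""
    p = secrets.token_bytes(32)
    return hashlib.sha256(p + b).digest(), p

def open_ok(h: bytes, p: bytes, b: bytes) -> bool:
    """Verifier's check on de-commit: h must equal H(P || b)."""
    return h == hashlib.sha256(p + b).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_order(identity: bytes, k: int) -> dict:
    """Identity part of a money order: k pairs (L_i, R_i) with L_i xor R_i = ID, each half
    committed. (Constructed example: serial number and blind signature are omitted.)"""
    halves, opens, comms = [], [], []
    for _ in range(k):
        left = secrets.token_bytes(len(identity))   # random left half
        right = xor(left, identity)                 # right half chosen so L xor R = ID
        (hl, pl), (hr, pr) = commit(left), commit(right)
        halves.append((left, right)); opens.append((pl, pr)); comms.append((hl, hr))
    return {"secret": (halves, opens), "commitments": comms}

def spend(order: dict, challenge: List[int]) -> List[Tuple[bytes, bytes]]:
    """Bob's random bit vector: for each i Alice de-commits L_i (bit 0) or R_i (bit 1)."""
    halves, opens = order["secret"]
    return [(opens[i][c], halves[i][c]) for i, c in enumerate(challenge)]

def bank_check(comms, challenge, reveal) -> bool:
    """Bank verifies every revealed half against the commitment carried on the order."""
    return all(open_ok(comms[i][c], p, v)
               for i, (c, (p, v)) in enumerate(zip(challenge, reveal)))

def recover_identity(comms, spend1, spend2) -> Optional[bytes]:
    """Same serial number deposited twice: at any i where Bob's bits differ the bank
    holds both L_i and R_i and recovers ID = L_i xor R_i."""
    (c1, r1), (c2, r2) = spend1, spend2
    if not (bank_check(comms, c1, r1) and bank_check(comms, c2, r2)):
        return None                      # a bad opening: not a valid double-spend
    for i, (b1, b2) in enumerate(zip(c1, c2)):
        if b1 != b2:
            left = r1[i][1] if b1 == 0 else r2[i][1]
            right = r2[i][1] if b1 == 0 else r1[i][1]
            return xor(left, right)
    return None  # identical challenge vectors, probability 2^-k for an honest Bob
```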
The only thing we have not discussed is how one implements, digitally, an envelope with carbon paper for the bank to sign.
This is accomplished using a blind signature scheme.
- This allows the bank to sign something without knowing what that something is.
To do this we exploit the homomorphic property of RSA signatures.
- Notice that the homomorphic property is often considered to be a bad thing.
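The RSA blind signature the slide refers to, as an added example that is not the notes' own code: it uses Chaum's standard blinding with a random factor r (the notes only mention the homomorphic property), and the primes, the money-order strings and r are constructed toy values far too small for real use.

```python
import hashlib

# Constructed toy RSA key for the bank (assumption: these primes are far too small for real use).
P, Q = 1000000007, 998244353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # bank's private exponent; pow(x, -1, m) needs Python 3.8+

def mo_digest(money_order: bytes) -> int:
    """Hash the money order to an integer mod N (full-domain-hash style) before signing."""
    return int.from_bytes(hashlib.sha256(money_order).digest(), "big") % N

def blind(m: int, r: int) -> int:
    """Alice seals the envelope: m' = m * r^E mod N. A fresh random r, invertible mod N,
    makes m' independent of m, so the bank learns nothing about what it signs."""
    return m * pow(r, E, N) % N

def bank_sign(m_blind: int) -> int:
    """Bank signs the envelope without seeing its contents: s' = (m')^D mod N."""
    return pow(m_blind, D, N)

def unblind(s_blind: int, r: int) -> int:
    """Alice removes the blinding: s = s' * r^-1 = m^D * r^(E*D) * r^-1 = m^D mod N."""
    return s_blind * pow(r, -1, N) % N

def verify(m: int, s: int) -> bool:
    """Anyone (Bob, later the bank) checks the ordinary RSA signature: s^E == m mod N."""
    return pow(s, E, N) == m

def blind_sign_flow(money_order: bytes, r: int) -> dict:
    """Whole exchange for one money order; returns what each party saw."""
    m = mo_digest(money_order)
    m_blind = blind(m, r)                  # the only value the bank sees
    s = unblind(bank_sign(m_blind), r)     # the signature Alice ends up holding
    return {"m": m, "bank_saw": m_blind, "signature": s, "valid": verify(m, s)}

def product_is_valid_signature(m1: int, s1: int, m2: int, s2: int) -> bool:
    """The caveat from the slides: the same homomorphism makes s1*s2 a valid signature
    on m1*m2, which is why the order is hashed first (m1*m2 is then no digest of anything)."""
    return verify(m1 * m2 % N, s1 * s2 % N)
```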
Now go back to our protocol and look at what we have achieved.
Alice remains anonymous to the bank in the sense that where she spends her money cannot be traced.
If Alice cheats, her identity is revealed; notice that we do not stop her from cheating.
Bob cannot cheat since if he copies a money order and presents it to the bank he will not get his money.
Alice and Bob cannot collude to defraud the bank.
How about a malicious outsider, Eve?
Eve can cheat!
- Suppose Eve eavesdrops on the communication between Alice and Bob and goes to the bank before Bob does.
- Then, when Bob arrives, he is identified as a cheater!
- Suppose Eve spends Alice's money before Alice can.
- Then Alice will be identified as a cheater.
Hence Alice and Bob need to protect their data just as they would do with paper money.