Ari Juels RSA Laboratories

Executable Financial Instrumentsand

MicroMint on the Cheap

with Markus Jakobsson Bell Laboratories

The Web provides an excellent means of communication with all kinds of people...

Yeah!

``Hi. My name is Darlene.

sometime?’’

I ’m a model. Want to meet

“Darlene”

He fell for it!

Ha ha!

…you know nothing about.

The Web provides an excellent means of communication with all kinds of

people...

The Web provides an excellent means of communication and commerce...

Cool!

``Hi. I’d like to buy your

OK?’’

car. I’ll pay $106,000.For s

ale

Another sucker!

…with people you know nothing about.

The Web provides an excellent means of communication and commerce...

Aim: Flexible commerce with minimal trust

?InternetYou

Two Ideas Today

X-cash: Executable financial instruments

MicroMint Outsourcing

A$$

MicroMint

Want a scheme that mimics economics of physical mint

Verifying validity of a coin is easy Base minting cost is high so... Forgery is expensive

The minting process

. Throw balls (jellybeans) into bins using “random” function h

. Any bin with two balls (jellybeans) is a coin

Minting in MicroMint

Bin 1 Bin 2 Bin 3 Bin 4 Bin 5 Bin 6 Bin 7 Bin 8 Bin 9

Collision = Coin

h

Checking a coin

Bin 2

h

Valid coin?

Features

Many bins, so need to throw many balls (jellybeans) to mint successfully

Minting requires very intensive computation

Minting requires special, e.g., $250,000 computer

“Deep Crack”

Another characteristic: Most balls are invalid

Bin 1 Bin 2 Bin 3 Bin 4 Bin 5 Bin 6 Bin 7 Bin 8 Bin 9

h

In fact, >99% of work goes to missed balls!

Idea: Make three stage process

. Create “valid” balls, i.e., balls that won’t miss (>99% of work)

. Throw balls into bins using “random” function h (<1% of work)

. Any bin with two balls is a coin

Have many other (untrusted) people do Step 1

Now...

99%+ of work is done for minter No participant will get enough balls

to do minting himself/herself (or else participants know “validity” h but not

“throwing” h) Minting is cheap for minter!

Minter can use ordinary server

Application III: Secure multiparty computation

Questions?

+?

X-cash: Executable Digital CashX-cash: Executable Digital Cash

Ari JuelsRSA Laboratories

joint work with

Markus Jakobsson, Bell Labs

23rd February 1998

The Internet: Many entities The Internet: Many entities wishing to trade with one wishing to trade with one

anotheranother

The Internet: Many entities The Internet: Many entities wishing to trade with one wishing to trade with one

anotheranother

Internet

$

Peer-to-peer trading can be Peer-to-peer trading can be problematicproblematic

Peer-to-peer trading can be Peer-to-peer trading can be problematicproblematic

Peer-to-peer interaction can create Peer-to-peer interaction can create communications bottleneckscommunications bottlenecks

Anonymity (both ways) is hard to Anonymity (both ways) is hard to protect in a peer-to-peer settingprotect in a peer-to-peer setting

Would like computational load Would like computational load involved with trading to be handled involved with trading to be handled by servers, not clientsby servers, not clients

Therefore, we would like trade to occur in a distributed fashion.

Therefore, we would like trade to occur in a distributed fashion.

A vehicle for distributed trade: Mobile agents

A vehicle for distributed trade: Mobile agents

Program+

DocumentationTo Internet

A problem: Pick-pocketingA problem: Pick-pocketing

Program

Other problems:Other problems:

Maliciously modified code Intercepted purchases A different scenario than digital cash:

multiple spending may be permissible

A solution: X-cashA solution: X-cash

Idea: Make redemption of cash conditional on delivery of desired

goods

First tool: A program that knows what it

wants

First tool: A program that knows what it

wantsMobile Agent includes a code segment P P takes as input potential purchase

items P outputs amount user is willing to pay

Paris P $300

E.g., airline tickets

Second tool:Negotiable certificate

Second tool:Negotiable certificate

BANK

Alice

= SIGSK (PKA, $500)B

ASIGSKASIGSK

($300,“For Bob”),

Bob

ASK

($300, “For Bob”),

Bank holds (SKB, PKB)Alice holds (SKA, PKA)

PKA

Alice

Alice

Alice

Idea: Bind negotiable certificate to agent program P

Idea: Bind negotiable certificate to agent program P

, SIGPK (P)A

PKA

X-cash

. . .Then . . .Then send off via send off via

mobile mobile agentagent

. . .Then . . .Then send off via send off via

mobile mobile agentagent

When Bob receives the mobile agent

When Bob receives the mobile agent

Bob

A

,SIGPK (P)

PKA

Bob can assess and authenticate Alice’s offer for his tickets

Bob can assess and authenticate Alice’s offer for his tickets

$300, SIGPK (P)A

PKA

Bob

A

PKA

The bank can verify and process the transaction

The bank can verify and process the transaction

BANK

, SIGPK (P)A

PKA $300

Bank gives $300 to Bob, deducting Bank gives $300 to Bob, deducting against the negotiable certificateagainst the negotiable certificate

Bank receives and holds tickets for Bank receives and holds tickets for Alice, or sends them to herAlice, or sends them to her

An ExampleAn Example

Alice needs ticket to important conference in Caribbean

Alice needs ticket to important conference in Caribbean

She will pay $300 for business class to St. Martin

She will pay $600 for first class fare to St. Martin

She will pay $400 for business class to Anguilla

She will pay $700 for first class to Anguilla

Alice creates a program PAlice creates a program P

Input to P: An airline ticket – Airline ticket may include certificates and

signatures, e.g., airline certificate, travel agent certificate, etc.

– P includes root certificates Output of P: Amount Alice will pay

– Conditional on correct dates, transferability of ticket, etc.

Alice gets a negotiable certificateAlice gets a negotiable certificate

Alice generates key pair (PKA, SKA). Alice withdraws a negotiable certificate

. = SIGSK (PKA, $700).B

PKA

Alice creates X-cash and sends mobile agent

Alice creates X-cash and sends mobile agent

,SIGPK (P)A

PKA

Bob’s Travel has a business class ticket T to Anguilla for sale

Bob’s Travel has a business class ticket T to Anguilla for sale

Bob does the followingBob does the following

Checks certificates and signatures in Alice’s mobile agent

Generates signatures tA transferring ownership of ticket T to Alice

Runs P(T,tA) on a ticket T and signatures tA transferring ownership to Alice

Sees output “$400” Sends and T, tA to bank,SIGPK (P)

A

PKA

The Bank does the followingThe Bank does the following

Verifies certificates and signatures in Alice’s agent

Sees that P(T,tA)=$400

Then: Deducts $400 against Alice’s negotiable

certificate Gives $400 to Bob Holds T,tA for Alice and notifies her

, SIGPK (P)A

PKA $400

X-cash extensionsX-cash extensions

Double spendingDouble spending

How does Alice know that Bob didn’t sell the ticket twice?

An issue with any digital cash system. Solutions:

On-line verification Penalization after fact Tamper resistance (for Bob)

AnonymityAnonymity

X-cash can be rendered anonymous using the following ideas:

Blind withdrawal of certificates with conditional revocation of anonymity

Anonymous re-mailers for delivery of goods (e.g., airline tickets)

Stateful offersStateful offers

In the examples above, Alice’s program P had no external state. This need not be the case.

Example of stateful offerExample of stateful offer

Alice wants to sell 100 ounces of gold at the market price

Alice’s program P contacts a Web site to get the current price of gold

Bob includes in his response C a value GB -- the maximum price he is willing to pay

When the Bank runs P(C), Bank checks that transaction cost is at most GB, as per Bob’s response.

Multiple banksMultiple banks

We assume above a single, universally trustworthy bank.

X-cash can be adapted for infrastructures with multiple, mutually suspicious banks.

ConclusionConclusion

X-cash is a simple means of achieving trusted commerce in a distributed setting like the Internet.

To InternetX-cash