Embed Size (px)
DESCRIPTION
Trustee Tokens. Simple and Practical Anonymous Digital Coin Tracing. Ari Juels RSA Laboratories. Quick Review of Chaumian E-cash (DigiCash TM ). Signs. BANK. Alice. PK. SK. Alice -$1. Anonymous digital $1 coin. r 3 f(x). 3. Signs. BANK. rf 1/3 (x). = (x, Sig(x)) =. r 3 f(x). - PowerPoint PPT Presentation
Citation preview
Trustee TokensSimple and Practical Anonymous Digital Coin
Tracing
Ari Juels RSA Laboratories
Quick Review of Chaumian E-cash
(DigiCashTM)
BANK Alice
SKPK
Signs
Alice -$1
Anonymous digital $1 coin
BANK Alice
r, x r3f(x)
r3f(x)rf1/3(x)rf1/3(x)
rf1/3(x)
SKPK
(x, f1/3(x))
Signs 3
= (x, Sig(x)) =
mod n
An Application for Anonymous E-Cash
An Application for Anonymous E-Cash
Improved Computer Viruses(Young and Yung)
Improved Computer Virus
Edgar
r3f(x)
Generates unsigned, blinded coin
Generates encryption key pair
Improved Computer Virus
r3f(x)
PK
Alice
Hard Disk
Files
PK
*&DUHF(&$YY$H&*^$RH(*&UH*&(#*R&(*&(*$&(*$&(*U(*F&(*&**&HKJF(*$YHF(*H$(*^FH*($HF&J(*F&$(*HS(*&$JF*($&SH$*&F$*(&$*(F&(*$F$(*F&S(*&*F(&*E$$)*F&(*$&*$&F(*$&F(*$&(*&(#(*$
Encrypted under PK
If you Want SK, i.e.,
your files, withddraw this
Ransom Note
BANK Alice
Oh, my files!
Alice -$1
HETTINGA SUCCEEDS GREENSPAN AT FED
Anonymous coin
Edgar
How can we prevent this?Answer: Trustee-basedTracing
The Idea: Trustee Tracing
Anonymous coin
Tracing: Basic Idea
Anonymous coin
Judge Trustee
I order the Trustee to trace this coin.
Trustee SecretSK
Edgar
Coin is anonymous unlesstrustee traces it
Many Trustee-based Tracing Schemes
Brickell et al. ( ‘95) Stadler et al. (‘95) Jakobsson and Yung (‘96, ‘97) Camenisch et al., Frankel et al. (‘96) Davida et al. (‘97)
Trend in schemes
SecurityFeatures
SimplicityTrusteeFlexibility
ComputationalEfficiency
Our Scheme
How our scheme works
Two stages
Alice Trustee
1.Token withdrawal
Alice
2.Coin withdrawal
BANK
Token withdrawal
AliceTrustee
Checks thatcoin contains[“Alice”]PK
TrusteeToken
Proves identity
Trustee Token
AliceTrustee
Checks thatx contains[“Alice”]PK
TrusteeToken
r, x
SigSK(r3f(x))
Proves identity
BANK Alice
SK
Coin withdrawal
Checks Signs ,
Conditionally anonymous digital coin
Observe: No change in coinstructure or underlying
withdrawal protocol
Tracing
Trustee Token scheme guarantees that coins contain creator identity
Blackmail scenario
Edgar registers his coin and gets caught or
Alice can’t make the withdrawal for Edgar
Enhancements
No coin storage
Alice can pseudo-randomly generate coins and blinding factors -- no coin storage
Bulk token withdrawal
Alice can withdraw many tokens at once and store prior to coin withdrawals
One token - multiple coins
Result of Enhancements
Little interaction with Trustee
Tokens fit on, e.g., smart card
Pros and Cons
Advantages over other schemes
Very simple Provably secure No change in coin structure, underlying
protocol Seamless incorporation with
DigiCashTM
Disadvantages
Trustee interaction needed Security with multiple trustees needs
trusted dealer Seamless incorporation with
DigiCashTM - but no DigiCashTM
But...
Can be used for general blind RSA – E.g., X-cash
Method can perhaps be extended to other e-cash systems (?)
Questions?
