Trustee TokensSimple and Practical Anonymous Digital Coin

Tracing

Ari Juels RSA Laboratories

Quick Review of Chaumian E-cash

(DigiCashTM)

BANK Alice

SKPK

Signs

Alice -$1

Anonymous digital $1 coin

BANK Alice

r, x r3f(x)

r3f(x)rf1/3(x)rf1/3(x)

rf1/3(x)

SKPK

(x, f1/3(x))

Signs 3

= (x, Sig(x)) =

mod n

An Application for Anonymous E-Cash

An Application for Anonymous E-Cash

Improved Computer Viruses(Young and Yung)

Improved Computer Virus

Edgar

r3f(x)

Generates unsigned, blinded coin

Generates encryption key pair

Improved Computer Virus

r3f(x)

PK

Alice

Hard Disk

Files

PK

*&DUHF(&$YY$H&*^$RH(*&UH*&(#*R&(*&(*$&(*$&(*U(*F&(*&**&HKJF(*$YHF(*H$(*^FH*($HF&J(*F&$(*HS(*&$JF*($&SH$*&F$*(&$*(F&(*$F$(*F&S(*&*F(&*E$$)*F&(*$&*$&F(*$&F(*$&(*&(#(*$

Encrypted under PK

If you Want SK, i.e.,

your files, withddraw this

Ransom Note

BANK Alice

Oh, my files!

Alice -$1

HETTINGA SUCCEEDS GREENSPAN AT FED

Anonymous coin

Edgar

How can we prevent this?Answer: Trustee-basedTracing

The Idea: Trustee Tracing

Anonymous coin

Tracing: Basic Idea

Anonymous coin

Judge Trustee

I order the Trustee to trace this coin.

Trustee SecretSK

Edgar

Coin is anonymous unlesstrustee traces it

Many Trustee-based Tracing Schemes

Brickell et al. ( ‘95) Stadler et al. (‘95) Jakobsson and Yung (‘96, ‘97) Camenisch et al., Frankel et al. (‘96) Davida et al. (‘97)

Trend in schemes

SecurityFeatures

SimplicityTrusteeFlexibility

ComputationalEfficiency

Our Scheme

How our scheme works

Two stages

Alice Trustee

1.Token withdrawal

Alice

2.Coin withdrawal

BANK

Token withdrawal

AliceTrustee

Checks thatcoin contains[“Alice”]PK

TrusteeToken

Proves identity

Trustee Token

AliceTrustee

Checks thatx contains[“Alice”]PK

TrusteeToken

r, x

SigSK(r3f(x))

Proves identity

BANK Alice

SK

Coin withdrawal

Checks Signs ,

Conditionally anonymous digital coin

Observe: No change in coinstructure or underlying

withdrawal protocol

Tracing

Trustee Token scheme guarantees that coins contain creator identity

Blackmail scenario

Edgar registers his coin and gets caught or

Alice can’t make the withdrawal for Edgar

Enhancements

No coin storage

Alice can pseudo-randomly generate coins and blinding factors -- no coin storage

Bulk token withdrawal

Alice can withdraw many tokens at once and store prior to coin withdrawals

One token - multiple coins

Result of Enhancements

Little interaction with Trustee

Tokens fit on, e.g., smart card

Pros and Cons

Advantages over other schemes

Very simple Provably secure No change in coin structure, underlying

protocol Seamless incorporation with

DigiCashTM

Disadvantages

Trustee interaction needed Security with multiple trustees needs

trusted dealer Seamless incorporation with

DigiCashTM - but no DigiCashTM

But...

Can be used for general blind RSA – E.g., X-cash

Method can perhaps be extended to other e-cash systems (?)

Questions?