Introduction to Modern Cryptography, Lecture 13
Money Related Issues ($$$) and Odds and Ends

Homework #3
Suppose Bob has split a secret amongst n people such that k out of them can reconstruct the secret.
Suppose Bob wants to increase k?
Increase n?
Decrease k?
Decrease n?
What should he do?

Homework #3
Voting schemes:
You want to arrange a Yes/No vote so that
Everyone's vote is secret
Anyone can verify that the final result is correct
What can you do?
Look up the literature on voting schemes.
Electronic Checks
Simple:
Sign a document transferring money from your account to another account
This document goes to your bank
The bank verifies that this is not a copy of a previous check
The bank checks your balance
The bank transfers the sum

Problems
Requires online access to the bank
Is expensive (?) $0.25 per bank transaction minimum
The bank / income tax authorities / etc. can easily trace your activities
Online Non-Anonymous Cash
Let's follow the flow of a $1 bill:
The bank debits the customer's account by $1, takes the string "account number || serial number", signs it, and sends it to the customer
The customer presents this to the merchant
The merchant sends this to the bank, which verifies that the bill has not been used previously
Problems
Requires online access to the bank
Is expensive (?) $0.25 per bank transaction minimum
The bank / income tax authorities / etc. can easily trace your activities
Only difference from electronic check: does not have to check balance, does have to check non-reuse
Some concepts
Untraceable electronic cash
Online
Offline
Micropayment protocols
Real protocols: SET, EMC, ...
EMC is really used, but it is old
SET seems to be dead in the water

Main idea (Chaum): blind signatures
RSA signature: m^(1/e) mod n
Blind RSA:
Two-party protocol:
Alice sends Bob (r^e * m) mod n
Bob computes (r^e * m)^(1/e) = r * m^(1/e) mod n
Alice divides by r to obtain m^(1/e) mod n
Problems:
Alice can get Bob to sign anything,
Bob does not know what he is signing

Online Non-Anonymous Cash
Let's follow the flow of a $1 bill:
Alice takes the string m = "account number || serial number", chooses a random r, and sends m * r^e mod n to the bank
The bank signs this message and sends m^(1/e) * r to Alice
Alice extracts a signature on "account number || serial number" (m^(1/e)), and gives it to the merchant
The merchant sends this to the bank, which verifies that the bill has not been used previously
Problems
No anonymity
What is Alice having signed anyway? The bank does not know.
Imagine that a signature on the string f(s) means one dollar
Alice could prove to the bank that this is the format of what she is asking for
Could be done via general multiparty computation
Could be done via cut and choose (the rabbit problem)

Online Anonymous Cash
Alice chooses a random s and a random r, and sends r^e * f(s) mod n to the bank
The bank debits Alice's account by $1 and sends r * (f(s))^(1/e) to Alice
Alice extracts (f(s))^(1/e), and gives it and s to the merchant
The merchant sends this to the bank, which verifies that the bill (s) has not been used previously
Advantages & Problems:
The bank has given Alice a bill, but does not know what the bill looks like
The bank cannot later identify Alice with the bill
The bank must be online at all times to identify bills
Multiparty computation is entirely inefficient

How to do cut and choose here
Alice sends the bank many values z_1, z_2, ..., z_k
The bank asks Alice to reveal some of the values, i.e., to open z_i = r_i^e * f(s_i)
The bank extracts the e-th root of the product of all the others
The bill is valid if it is the e-th root of a product of values f(s_i)
Remark: in this case it's not clear that Alice needs to prove anything to the bank; any deviation from the protocol by Alice can only harm her
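The blind RSA slide, the online anonymous cash slide and the cut and choose slide above, carried through in working code. This is an added example and not part of the lecture: the bank's RSA key uses constructed toy primes, f is instantiated as SHA-256 reduced mod n, and the bank opening exactly half of Alice's candidates is my assumption, since the slide does not fix the fraction. `pow(x, -1, n)` needs Python 3.8 or later.

```python
import hashlib
import math
import random

# Constructed toy RSA key for the bank (primes near 1e9 keep the numbers
# readable); a real bank key would be 2048 bits or more.
P_BANK = 1000000007
Q_BANK = 998244353
N = P_BANK * Q_BANK
E = 65537
D = pow(E, -1, (P_BANK - 1) * (Q_BANK - 1))   # bank's private exponent


def f(s):
    """The slides' public one-way function f, instantiated here as SHA-256 mod N."""
    digest = hashlib.sha256(s.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % N


def blind(m, rng):
    """Alice: pick r coprime to N and form r^e * m mod N; the bank never sees m."""
    while True:
        r = rng.randrange(2, N)
        if math.gcd(r, N) == 1:
            return r, (pow(r, E, N) * m) % N


def bank_sign(z):
    """Bank: signs whatever it is handed, which is the 'signs anything' problem."""
    return pow(z, D, N)


def unblind(blinded_sig, r):
    """Alice: (r^e * m)^d = r * m^d, so dividing by r leaves m^d = m^(1/e)."""
    return (blinded_sig * pow(r, -1, N)) % N


def withdraw_single(rng=None):
    """Online anonymous cash: one blinded f(s) is signed; bill = ([s], f(s)^(1/e))."""
    rng = rng or random.Random()
    s = rng.getrandbits(128)
    r, z = blind(f(s), rng)
    return [s], unblind(bank_sign(z), r)


def bank_cut_and_choose(zs, opened):
    """Bank: check the opened candidates, then sign the product of the rest.

    zs:     all k blinded values z_i = r_i^e * f(s_i)
    opened: {i: (s_i, r_i)} for the indices the bank asked Alice to reveal
    """
    for i, (s, r) in opened.items():
        if zs[i] != (pow(r, E, N) * f(s)) % N:
            raise ValueError("candidate %d is not a blinded f(s_i)" % i)
    prod = 1
    for i, z in enumerate(zs):
        if i not in opened:
            prod = prod * z % N
    return bank_sign(prod)      # = (prod r_i) * (prod f(s_i))^(1/e) mod N


def withdraw_cut_and_choose(k, rng=None):
    """Alice: prepare k candidates, answer the bank's challenge, unblind the rest."""
    rng = rng or random.Random()
    cands = []
    for _ in range(k):
        s = rng.getrandbits(128)
        r, z = blind(f(s), rng)
        cands.append((s, r, z))
    zs = [z for _, _, z in cands]
    challenge = set(rng.sample(range(k), k // 2))   # assumption: bank opens half
    opened = {i: (cands[i][0], cands[i][1]) for i in challenge}
    blinded_sig = bank_cut_and_choose(zs, opened)
    kept, r_prod = [], 1
    for i, (s, r, _) in enumerate(cands):
        if i not in challenge:
            kept.append(s)
            r_prod = r_prod * r % N
    return kept, blinded_sig * pow(r_prod, -1, N) % N


def verify_bill(kept, sig):
    """Anyone: a bill is the e-th root of the product of f(s_i) over its s_i."""
    target = 1
    for s in kept:
        target = target * f(s) % N
    return pow(sig, E, N) == target


class Bank:
    """Online bank: accepts each valid, never-before-seen bill exactly once."""

    def __init__(self):
        self.spent = set()

    def deposit(self, kept, sig):
        key = tuple(kept)
        if key in self.spent or not verify_bill(kept, sig):
            return False
        self.spent.add(key)
        return True
```

The double-spend check in `Bank.deposit` is the reason the bank has to be online: nothing in the bill itself tells a merchant whether the same s has already been presented elsewhere.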
How to do Offline Anonymous Cash?
If Alice double spends she will be caught and identified
If Alice does not, her anonymity is guaranteed
The merchant cannot reuse the money (other than sending it to the bank)

Idea: encode Alice's identity into the money
Alice generates f(s_1), f(s_2), ..., f(s_k) and f(t_1), f(t_2), ..., f(t_k), such that s_i xor t_i = Alice
Alice sends blinded versions of all of these to the bank
The bank verifies the correctness and sends Alice the root of the product of the indices not revealed
The merchant asks Alice for the signature and for a random subset of the indices
If Alice double spends, her identity becomes known to the bank.
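The identity-encoding idea of the last slide, as an added example that is not part of the lecture. Only the commitments, the merchant's challenge and the bank's double-spend detection are modelled; the bank's blind signature on the commitments (the earlier slides) is assumed to have been obtained and is left out. f is instantiated as SHA-256 and k = 16 is a constructed choice.

```python
import hashlib
import secrets

K = 16  # constructed: number of (s_i, t_i) pairs encoded into one bill


def f(x):
    """Public one-way function from the slides, instantiated here as SHA-256."""
    return hashlib.sha256(x.to_bytes(16, "big")).hexdigest()


def make_bill(identity, k=K):
    """Alice: random s_i, t_i = s_i xor identity, and commitments to both halves.

    Each half alone is uniformly random, so revealing one half of a pair
    says nothing about Alice; both halves of the same pair give her identity.
    """
    s = [secrets.randbits(128) for _ in range(k)]
    t = [si ^ identity for si in s]
    commitments = [(f(si), f(ti)) for si, ti in zip(s, t)]
    return commitments, (s, t)


def spend(halves, challenge):
    """Alice answers the merchant's challenge bits: reveal s_i for 0, t_i for 1."""
    s, t = halves
    return [s[i] if b == 0 else t[i] for i, b in enumerate(challenge)]


def merchant_check(commitments, challenge, answers):
    """Merchant: each revealed value must open the chosen half of commitment i."""
    if len(challenge) != len(commitments) or len(answers) != len(commitments):
        return False
    return all(f(a) == commitments[i][b]
               for i, (b, a) in enumerate(zip(challenge, answers)))


def bank_detect_double_spend(transcript1, transcript2):
    """Bank: two deposits of the same bill under different challenges expose Alice.

    A transcript is (commitments, challenge, answers) as handed in by a merchant.
    Returns the recovered identity, or None if there is nothing to recover.
    """
    (c1, ch1, ans1), (c2, ch2, ans2) = transcript1, transcript2
    if c1 != c2:
        return None                     # different bills: not a double spend
    for i, (b1, b2) in enumerate(zip(ch1, ch2)):
        if b1 != b2:
            return ans1[i] ^ ans2[i]    # s_i xor t_i = Alice's identity
    return None                         # identical challenges: probability 2^-k
```

Anonymity for an honest Alice rests on the merchant seeing only one half per pair, so the merchant's challenge must be random and unpredictable to Alice; a merchant who always asks for the same bits gives the bank nothing to cross-reference.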
Consider a verifiable secret sharing scheme (VSS) based on Shamir's polynomial secret sharing as follows.
A dealer has a secret S, a public prime p and a public generator g of Zp*.
The dealer gives player pj a share s(j) in a degree-t polynomial whose value at zero is a random a0.
The dealer publicizes S * a0, as well as commitments to all shares in the form g^s(j) (mod p).
Suppose that an auditing agency wishes to check that the dealer is not corrupt. The agency can view all public information, but no secret data (in particular, no private share of any player). Furthermore, it cannot interact with the players, who might not be on-line during the check.
Describe how the auditing agency can verify that all the commitments to shares are consistent, i.e., that any subset of t+1 commitments defines the same, unique committed secret.
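An added example, not part of the lecture notes, of checking share commitments of the form g^s(j) for consistency using only public data, by interpolating in the exponent. It assumes a prime-order subgroup (p = 2q + 1 a safe prime, g of order q, shares taken mod q) rather than a generator of all of Zp*, since prime order is what makes the Lagrange coefficients invertible; the parameters p = 1019, q = 509, g = 4 are constructed toy values.

```python
import random

# Constructed toy parameters: p = 2q + 1 is a safe prime and g = 2^2 mod p
# generates the subgroup of prime order q, so all exponent arithmetic is mod q.
P = 1019
Q = 509
G = 4


def deal(a0, t, n, rng=None):
    """Dealer: random degree-t polynomial with constant term a0; share j is s(j)."""
    rng = rng or random.Random()
    coeffs = [a0 % Q] + [rng.randrange(Q) for _ in range(t)]

    def s(x):
        return sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q

    return {j: s(j) for j in range(1, n + 1)}


def commit(shares):
    """Dealer publishes C_j = g^{s(j)} mod p for every share."""
    return {j: pow(G, sj, P) for j, sj in shares.items()}


def lagrange_coeff(indices, j, x):
    """lambda_j(x) = prod_{m != j} (x - m) / (j - m)  (mod q)."""
    num = den = 1
    for m in indices:
        if m != j:
            num = num * ((x - m) % Q) % Q
            den = den * ((j - m) % Q) % Q
    return num * pow(den, -1, Q) % Q


def interpolate_commitment(commits, indices, x):
    """Interpolate in the exponent: prod C_j^{lambda_j(x)} = g^{s(x)} if consistent."""
    acc = 1
    for j in indices:
        acc = acc * pow(commits[j], lagrange_coeff(indices, j, x), P) % P
    return acc


def commitments_consistent(commits, t):
    """Auditor: the first t+1 commitments fix g^{s(x)}; every other one must agree.

    When this holds, every (t+1)-subset of commitments interpolates the same
    degree-t polynomial in the exponent and therefore the same g^{a0}.
    Only public values are used: no share and no interaction with players.
    """
    indices = sorted(commits)
    if len(indices) < t + 1:
        return False
    base = indices[: t + 1]
    return all(interpolate_commitment(commits, base, x) == commits[x]
               for x in indices[t + 1:])


def committed_secret(commits, t):
    """Auditor: g^{a0}, the public handle on the committed value (a0 itself stays hidden)."""
    return interpolate_commitment(commits, sorted(commits)[: t + 1], 0)
```

The check is linear in n after fixing one base subset, which is all the auditor needs: if every commitment agrees with the polynomial through the first t+1, no other (t+1)-subset can disagree with them.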