A FEW E-COMMERCE APPLICATIONS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 9 of Trappe and Washington

Similar documents
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

ECash and Anonymous Credentials

Introduction to Cryptography Lecture 13

is caused by the urgent need to protect against account-holders who doublespend their electronic cash, since hardly anything is easier to copy than di

Fairness realized with Observer

Divisible E-cash Made Practical

Cryptographical Security in the Quantum Random Oracle Model

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Chapter 7: Signature Schemes. COMP Lih-Yuan Deng

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

INTRODUCTION N A S D A Q - U T I L I S I N G L I N Q B L O C K C H A I N L E D G E R T E C H N O L O G Y S I N C E

Lecture 10: Zero-Knowledge Proofs

Question: Total Points: Score:

Introduction to Modern Cryptography. Benny Chor

CPSC 467: Cryptography and Computer Security

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Cryptology. Vilius Stakėnas autumn

Lecture Notes. (electronic money/cash) Michael Nüsken b-it. IPEC winter 2008

ABSTRACT. Haejung Park, Master of Arts, Department of Mathematics

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Uncloneable Quantum Money

CPSC 467b: Cryptography and Computer Security

Cryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies

Frequently Asked Questions

Overview. Public Key Algorithms II

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

Katz, Lindell Introduction to Modern Cryptrography

ECS 189A Final Cryptography Spring 2011

Colluding Attacks to a Payment Protocol and Two Signature Exchange Schemes

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Lecture 1: Introduction to Public key cryptography

Lecture V : Public Key Cryptography

Exam Security January 19, :30 11:30

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Public-Key Cryptosystems CHAPTER 4

Blind Collective Signature Protocol

Digital Signatures. p1.

II. Digital signatures

Dan Boneh. Introduction. Course Overview

CPSC 467: Cryptography and Computer Security

Unlinkable Divisible Electronic Cash

Cryptanalysis of Threshold-Multisignature Schemes

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

George Danezis Microsoft Research, Cambridge, UK

Group Blind Digital Signatures: A Scalable Solution to Electronic Cash

Introduction to Modern Cryptography Lecture 11

Dr George Danezis University College London, UK

New Variant of ElGamal Signature Scheme

Number Theory in Cryptography

MATH 158 FINAL EXAM 20 DECEMBER 2016

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

1 Number Theory Basics

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05

Insecurity of An Anonymous Authentication For Privacy-preserving IoT Target-driven Applications

Elliptic Curve Cryptography

Security Analysis of Some Batch Verifying Signatures from Pairings

Cryptography IV: Asymmetric Ciphers

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

Lecture Notes 15 : Voting, Homomorphic Encryption

Chapter 8 Public-key Cryptography and Digital Signatures

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Digital Signatures. Adam O Neill based on

A new message authentication code based on the non-associativity of quasigroups. Kristen Ann Meyer. A dissertation submitted to the graduate faculty

A New RSA-Based Signature Scheme

P4R: Privacy-Preserving Pre-Payments with Refunds for Transportation Systems

CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS. Part VI

On the Big Gap Between p and q in DSA

Public Key Cryptography

A METHOD FOR REVOCATION IN GROUP SIGNATURE SCHEMES

Some Security Comparisons of GOST R and ECDSA Signature Schemes

Applied cryptography

Introduction to Cryptography. Susan Hohenberger

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Improved Algebraic MACs and Practical Keyed-Verification Anonymous Credentials

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

LECTURE NOTES ON Quantum Cryptography

On the Key-collisions in the Signature Schemes

arxiv: v1 [cs.cr] 16 Dec 2015

18733: Applied Cryptography Anupam Datta (CMU) Course Overview

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Threshold Undeniable RSA Signature Scheme

Untraceable Fair Network Payment Protocols with Off-Line TTP

MATH UN Midterm 2 November 10, 2016 (75 minutes)

Introduction to Modern Cryptography. Benny Chor

Suppose F is a field and a1,..., a6 F. Definition 1. An elliptic curve E over a field F is a curve given by an equation:

Foundations of Network and Computer Security

Homework 3 Solutions

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

Post-Quantum Cryptography & Privacy. Andreas Hülsing

Cryptanalysis of a Group Key Transfer Protocol Based on Secret Sharing: Generalization and Countermeasures

Algorithmic Number Theory and Public-key Cryptography

Notes on Zero Knowledge

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Risk Management for E-Cash Systems with Partial Real-Time Audit

Transcription:

A FEW E-COMMERCE APPLICATIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 9 of Trappe and Washington

E-COMMERCE: SET SET = Secure Electronic Transaction Consider a credit card transaction over the net. We want: Authenticity No impersonations. No forgeries. Integrity Documents cannot be altered after the fact. Privacy The details of the transaction should be private. Security Credit card numbers & the like must be protected. SET - a collection of crypto protocols for credit card transactions ( 1997) 1

Characters Cardholder Merchant Bank SET EXAMPLE H - a public hash function PKC - say RSA These guys don t trust one another Encryption/Decryption Functions E C E M E B Public Private D C D M D B Cardholder GSO - goods and services order (cardholder s name, merchant s name, prices, etc.) PI - payment instructions (merchant s name, card number, total price, etc.) 2

SET EXAMPLE CONTINUED Q: Who knows what from the transactions? Cardholder Computes GSO md = H(E M (GSO)) PI md = H(E B (PI)) PO md = H(PI md GSO md ) DS = D C (PO md ) Sends E M (GSO), DS, PI md, E B (PI) to Merchant Merchant (on receiving E M (GSO), DS, PI md, E B (PI)) Computes Checks gso md gso md = H(E M (GSO)) b = H(PI md gso md )? = H(EM (gso)) & b? = c Sends GSO md, E B (PI), DS to the Bank gso = D M (E M (GSO)) c = E C (DS) 3

SET EXAMPLE, CONTINUED Bank (on receiving GSO md, E B (PI), DS) Computes Checks b? = c pi md = H(E B (PI)) c = E C (DS) pi = D B (E B (PI)) b = H(pi md GSO md ) Sends E M (a payment auth. + signature) to Merchant. Merchant Sends E C (receipt + signature) to Cardholder. 4

DIGITAL CASH Okamoto & Ohta s Criteria Cash can be sent securely through computer networks Cash cannot be copied or reused. The spender can remain anonymous neither the merchant nor the bank can id the spender The transactions can be done off-line the bank does not have to be involved. Cash can be transfered to others. Cash can be divided into smaller amounts. 5

Characters BRANDS S DIGITAL CASH SCHEME Bank Spender Merchant Central Authority Central Authority Chooses: Eve L. Dewar A prime p q = (p 1)/2 is also prime. α a primitive element of Z p. g = α 2 (mod p). (So: g e 1 g e 2 (mod p) e 1 e 2 (mod q)) e 1, e 2 Z p 1 secret exponents. g 1 = g e 1 and g 2 = g e 2. H: Z 5 Z q and H 0 : Z 4 Z q. Hash functions Public: p, q, g, g 1, g 2, H, and H 0. Private: e 1 and e 2 6

BRANDS S DIGITAL CASH: THE SETUP CONTINUED The Bank Chooses x ran Z q The bank s private ID Computes h = g x, h 1 = g1 x, and h 2 = g2 x. (All (mod p)) h, h 1, h 2 the bank s public ID The Spender Chooses u ran Z q The spender s private ID Computes I = g1 u (mod p) & sends I to the bank. The Bank Saves I + info on the spender Computes z = (Ig 2 ) x (mod p) and sends z to the spender. The Merchant Chooses an ID number M and sends it to the bank. 7

Coin (A, B, z, a, b, r) Z 6 CREATING A COIN Spender Asks bank for a coin and sends ID I. Bank Chooses: w ran Z q and computes: Sends g w and β to the spender. In number theory we trust. g w g w β (Ig 2 ) w Spender Chooses (s, x 1, x 2, α 1, α 2 ) ran Z 5 Computes: A (Ig 2 ) s B g x } 1 1 gx 2 2 z (z ) s a g α 1 w g α 2 b β sα 1A α 2 A=1 not allowed. } (mod p) (mod p) 8

CREATING A COIN, CONTINUED Spender continued Computes c α 1 1 H(A, B, z, a, b) (mod q). Sends c to the bank. Bank Computes c 1 (c x + w) (mod q). Sends c 1 to the spender. Spender Computes r (α 1 c 1 + α 2 ) (mod q). The coin (A, B, z, a, b, r) is complete. The amount of the coin is removed from the spender s bank account. 9

SPENDING THE COIN Spender Gives the coin (A, B, z, a, b, r) to the merchant. Merchant g r ah H(A,B,z,a,b) Checks: A r z H(A,B,z,a,b) (Check on board) b (mod q) Computes d = H 0 (A, B, M, t), where t = a time stamp. Sends d to spender. Spender Computes r 1 d u s + x 1 r 2 d s + x 2 Sends r 1 and r 2 to merchant. } (mod q) Merchant Checks: g r 1 1 gr 2 2 Ad B (mod p) (Check on board) Accepts the coint iff this holds. 10

DEPOSITING THE COIN IN THE BANK Merchant Sends (A, B, z, a, b, r) and (r 1, r 2, d) to the bank. Bank Checks that the coin has not yet be deposited. Fraud control (If it has, call the cops.) Checks that g r a h H(A,B,z,a,b) A r z H(A,B,z,a,b) b g r 1 1 gr 2 2 Ad B Accepts the coin iff these check out. (mod p) 11

FRAUD CONTROL: I The spender tries to spend the same coin with the merchant and the vendor. Merchant Sends the coin and (r 1, r 2, d) to the bank. Vendor Sends the coin and (r 1, r 2, d ) to the bank. Bank Since r 1 r 1 us(d d ) (mod q) r 2 r 2 s(d d ) (mod q) we have u (r 1 r 1 )(r 2 r 2 ) 1 (mod q) I g1 u (mod q) the ID of the spender 12

FRAUD CONTROL: II The merchant tries to deposit the same coin twice Once with (r 1, r 2, d) legit Once with (r 1, r 2, d ) forged This is hard to do. The merchant has to produce r 1, r 2, and d g r 1 1 gr 2 2 Ad B (mod p). 13

FRAUD CONTROL: III Someone tries to make an unauthorized coin This requires finding numbers } g r a h H(A,B,z,a,b) A r z H(A,B,z,a,b) b (mod p) } Discrete logs and worse! Eve L. Dewer dot com receives a coin from the spender and tries to spend the coin with the merchant Merchant Computes d for Eve, which is unlikely to equal d. Etc. see text 14

ANONYMITY The spender never needs to show the merchant an ID. The bank never sees the values of A, B, z, a, b, r until the coin is deposited. the bank and the merchant cannot figure out the ID of the spender unless there is double spending. See text for fuller details 15

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback