Payment Systems (Ch. 17 of Course Material "Security"), Birgit Pfitzmann, Dept. of Computer Science, Saarland University


Bank setup. The bank generates keys for the Chaum-Pedersen blind signature scheme, i.e., p, q, g, x, and h = g^x, where x is secret and the rest is published. More precisely, for different denominations it would use the same p, q, and g, but different values xj and hj; we omit the index j in the following. Moreover, expiration dates may be associated with these keys, i.e., coins signed with those keys are only valid for a certain time.

The bank also generates two further random generators g1 and g2. Everybody has to trust that even the bank cannot compute discrete logarithms with respect to g1. In practice, one might believe that this is true even if the bank chooses p, q and g1 arbitrarily. However, one can also guarantee their randomness by using an arbitrary trusted random string r (typically taken from old tables of random numbers) and generating the desired values from r using a standardized deterministic procedure. In particular, g1 is then chosen as r1^((p–1)/q), where r1 is a substring of r interpreted as an element of Zp*; raising to the power (p–1)/q puts the result into the subgroup of order q (one has to check that it is not 1), and anyone can recompute g1 from the published r.

Opening an account. This protocol is executed once for each new payer. "Opening an account" is the usual name, but in reality one would probably use a normal bank account, and this is just a specific registration phase for this payment system.

0. For secure electronic withdrawals, we have to assume that the payer has a key pair (skP, pkP) of an arbitrary signature scheme with which he can authorize actions regarding his bank account. This pkP may also be registered at this moment or may already exist, e.g., from a standard homebanking protocol.

1. The payer chooses a secret random number id mod q and gives h1 := g1^id to the bank. We call id the identity proof of this payer. If another payer already uses h1, the bank asks the current payer to repeat his choice.

2. The payer proves to the bank that he knows id with h1 = g1^id. For this, they use the Schnorr identification protocol; see Figure 17.6.

3. The payer signs (using skP) that m = h1·g2 will be used for his withdrawals. If the bank can later show a value id with g1^id·g2 = m, this will count as a proof that a coin from this payer was spent twice.

Registering as a recipient. As mentioned in Section 17.5.2A, each recipient must use a different challenge. Thus it is useful if he registers under a specific digital identity IdRecipient. However, recipients do not need keys for this system.

Withdrawal. For one payer, the bank always blindly signs the same message m which was agreed upon above. The protocol is that from Figure 17.8 with the following addition:

• The payer generates two additional secret numbers y1, y2 mod q. Together with (x1, x2) they are the four secret variables about which each payment will reveal two linear equations. At the same time, one can see (x1, x2, y1, y2) as a secret coin key skcoin with which the payer, as the anonymous owner of this coin, can later sign to whom he wants to pay it. (Compare the measures for secure disputes about deposits in Section 17.3.3.) He sets pkcoin := g1^y1 · g2^y2.

• Recall that also m' = g1^x1 · g2^x2. Together, the values (m', pkcoin) can be seen as the public coin key corresponding to skcoin.

• To fix which pkcoin belongs to which coin, this value is included in the hashing process in Figure 17.8, i.e., the challenge is actually computed as c’ := hash(m’, pkcoin, z’, a’, b’).

For security in disputes about a withdrawal, the payer should sign (using skP) a withdrawal order including the desired denomination of the coin and the blinded challenge value he sends in Step 2, i.e., the value for which he wants a response. (The order must not contain c' itself: c' is part of the coin, and a bank that saw it at withdrawal time could link the coin to the payer when it is deposited.) This withdrawal order is sent together with Step 2 of the blind signature protocol.

We call the result of a withdrawal coin’ = (m’, pkcoin, σ’) with σ’ = (z’, a’, b’, c’, r’).

Here m’ is called the coin identifier and σ’ the coin signature.
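The withdrawal described above, as an added Python example that is not part of the course text: a Chaum-Pedersen blind signature in Brands' style with the coin key pkcoin bound into the challenge, and the check a recipient performs on coin' in Step 1 of a payment. The blinding steps (m' = m^s, z' = z^s, a' = a^u·g^v, b' = b^(su)·m'^v, c = c'/u sent to the bank, r' = r·u + v) are the standard construction for this signature and are an assumption about Figure 17.8, which is not on this page. The toy group (p = 2039, q = 1019), the generators, the SHA-256-based hash, the record used as withdrawal order (its signature under skP is omitted) and all names are choices made for the example.

```python
# Added example (not from the course text): a Chaum-Pedersen blind signature
# withdrawal in Brands' style, with pkcoin bound into the challenge. Toy group
# p = 2039, q = 1019 (p = 2q + 1); g, g1, g2 are squares, hence of order q.
# Real systems need >= 2048-bit p with a 256-bit q, or an elliptic curve.
import hashlib
import random

P, Q = 2039, 1019
G, G1, G2 = 4, 9, 25          # 2^2, 3^2, 5^2: non-trivial quadratic residues

def hash_q(*parts) -> int:
    """c' := hash(m', pkcoin, z', a', b') into Z_q (SHA-256; an assumption)."""
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

class Bank:
    """Bank side: secret x, public h = g^x; one nonce w per open withdrawal."""
    def __init__(self, x: int):
        self.x, self.h = x, pow(G, x, P)
        self._pending, self.orders = {}, []

    def step1(self, m: int, rng) -> tuple:
        """Send z = m^x and the commitment (a, b) = (g^w, m^w) for a fresh w."""
        w = rng.randrange(1, Q)
        z, a, b = pow(m, self.x, P), pow(G, w, P), pow(m, w, P)
        self._pending[a] = w
        return z, a, b

    def step3(self, a: int, c: int, order: dict) -> int:
        """Answer the blinded challenge c once with r = c*x + w mod q; the
        withdrawal order (denomination, c) is kept for later disputes."""
        if order["c"] != c:
            raise ValueError("withdrawal order does not match the challenge")
        self.orders.append(order)           # signed with skP in the real system
        return (c * self.x + self._pending.pop(a)) % Q

def payer_withdraw(bank: Bank, id_: int, rng, denomination: str = "1"):
    """Payer side: blind m = g1^id g2 into the coin identifier m' = m^s, bind
    the coin key into c', unblind the bank's response. Returns (coin', skcoin)."""
    m = pow(G1, id_, P) * G2 % P                  # fixed at account opening
    z, a, b = bank.step1(m, rng)
    s, u, v = rng.randrange(1, Q), rng.randrange(1, Q), rng.randrange(Q)
    m_, z_ = pow(m, s, P), pow(z, s, P)           # m' = m^s, z' = z^s
    a_ = pow(a, u, P) * pow(G, v, P) % P          # a' = a^u g^v
    b_ = pow(b, s * u, P) * pow(m_, v, P) % P     # b' = b^(su) m'^v
    y1, y2 = rng.randrange(1, Q), rng.randrange(1, Q)
    pkcoin = pow(G1, y1, P) * pow(G2, y2, P) % P  # pkcoin = g1^y1 g2^y2
    c_ = hash_q(m_, pkcoin, z_, a_, b_)           # c' binds pkcoin to the coin
    c = c_ * pow(u, -1, Q) % Q                    # blinded c: the bank never sees c'
    r = bank.step3(a, c, {"denomination": denomination, "c": c})
    r_ = (r * u + v) % Q                          # r' = r u + v
    coin = {"m_": m_, "pkcoin": pkcoin, "sigma": (z_, a_, b_, c_, r_)}
    return coin, (id_ * s % Q, s, y1, y2)         # skcoin = (x1, x2, y1, y2)

def verify_coin(h: int, coin: dict) -> bool:
    """Recipient's Step 1: check sigma' on (m', pkcoin) under the bank key h."""
    m_, pkcoin = coin["m_"], coin["pkcoin"]
    z_, a_, b_, c_, r_ = coin["sigma"]
    if m_ == 1:                                   # s = 0 would void later identification
        return False
    if c_ != hash_q(m_, pkcoin, z_, a_, b_):
        return False
    return (pow(G, r_, P) == pow(h, c_, P) * a_ % P           # g^r' = h^c' a'
            and pow(m_, r_, P) == pow(z_, c_, P) * b_ % P)    # m'^r' = z'^c' b'

def run_demo(seed: int = 7) -> dict:
    """One withdrawal plus the recipient-side check; fixed seed for reproducibility."""
    rng = random.Random(seed)
    bank = Bank(rng.randrange(1, Q))
    coin, skcoin = payer_withdraw(bank, rng.randrange(1, Q), rng)
    return {"h": bank.h, "coin": coin, "skcoin": skcoin, "valid": verify_coin(bank.h, coin)}
```

Two things worth noticing when running it: the bank stores only the blinded challenge c in the order, so the transcript it keeps cannot be matched against the c' that later turns up in a deposited coin, and the signature check fails as soon as any component of σ' is changed, which is what makes coin' unforgeable for a recipient who only knows h.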

Payment. First the payer sends coin’, whose components are named as above, and the recipient verifies that it is correctly signed with a Chaum-Pedersen signature. The rest of the payment protocol follows the ideas described in Section 17.5.2, in particular that each response reveals two linear

The resulting protocol is shown in Figure 17.10. Here, hash' is another hash function. The value nonce stands for any freshness measure that guarantees to this recipient that he won't accept the same coin twice with the same challenge.

Figure 17.10: Brands' payment protocol

Deposit and double-spender identification.

In a deposit, the recipient forwards all his information from a payment, including IdRecipient and nonce.

1. The bank first verifies the validity of the coin just as the recipient did in Steps 1 and 3 of the payment.

2. Secondly, it detects double-spending or double-depositing by entering the coin into a data structure cointable, say a hash table keyed by the coin identifier m', for comparison with previous deposits by other recipients. This can be done offline. Coins stay in this table until they expire.

• If the coin is already there, the bank checks whether the recipient and nonce were the same or not. If yes, the recipient double-deposited and has to pay back.

• If not, and unless someone found a collision of the function hash', the two challenges C and C* are also different. The bank then retrieves the two responses R = (sig1, sig2) and R* = (sig1*, sig2*) from the table, computes the identity proof as id = (sig1 – sig1*)/(sig2 – sig2*) mod q, and looks up to which payer m = g1^id·g2 belongs.
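Account opening (Steps 1 and 2 above, with the Schnorr identification protocol as the proof of knowledge of id), the payment response, and the bank's deposit-time double-spender identification, as an added Python example that is not from the course text. It assumes the response form sig1 = C·x1 + y1, sig2 = C·x2 + y2 (mod q), which is the linear form consistent with the quotient id = (sig1 – sig1*)/(sig2 – sig2*) above (Figure 17.10 is not on this page), and that hash' is applied to (m', pkcoin, IdRecipient, nonce). The group is the toy p = 2039, q = 1019, g1 and g2 are derived from a constructed public random string by the recipe of the bank setup, and (s, y1, y2) are taken as a withdrawal would produce them; the coin-signature check of Step 1 is left out, only the Step 3 response check is repeated by the bank. All names are choices made for the example.

```python
# Added example (not from the course text). Toy group p = 2q + 1 with
# p = 2039, q = 1019 (order-q subgroup = quadratic residues); real systems
# need >= 2048-bit p with a 256-bit q, or an elliptic-curve group.
import hashlib
import random

P, Q = 2039, 1019
# Constructed stand-in for the bank's "trusted random string" r.
R = hashlib.sha256(b"constructed public random string for this example").digest()

def generator_from_random(r: bytes, start: int):
    """g_i := r_i^((p-1)/q) mod p, r_i a 4-byte substring of r read as an element
    of Z_p^*; substrings giving 1 are skipped. Returns (g_i, next offset)."""
    for off in range(start, len(r) - 3, 4):
        r_i = int.from_bytes(r[off:off + 4], "big") % (P - 1) + 1   # in 1..p-1
        g = pow(r_i, (P - 1) // Q, P)
        if g != 1:
            return g, off + 4
    raise ValueError("random string exhausted")

G1, _off = generator_from_random(R, 0)
G2, _ = generator_from_random(R, _off)

def hash_q(*parts) -> int:
    """hash' into Z_q (SHA-256 over a '|'-joined encoding; an assumption)."""
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def open_account(id_: int):
    """Step 1: h1 = g1^id goes to the bank; m = h1 * g2 is the message the bank
    will later blindly sign for this payer."""
    h1 = pow(G1, id_, P)
    return h1, h1 * G2 % P

def schnorr_prove(id_: int, k: int, e: int):
    """Step 2, prover side: t = g1^k is sent first, e is the bank's challenge,
    s = k + e*id the response (k fresh and secret per run)."""
    return pow(G1, k, P), (k + e * id_) % Q

def schnorr_verify(h1: int, t: int, e: int, s: int) -> bool:
    """Bank accepts the proof of knowledge of id iff g1^s == t * h1^e."""
    return pow(G1, s, P) == t * pow(h1, e, P) % P

def challenge(m_: int, pkcoin: int, id_recipient: str, nonce: int) -> int:
    """C := hash'(m', pkcoin, IdRecipient, nonce); the recipient-specific inputs
    make two spendings of one coin yield different challenges."""
    return hash_q(m_, pkcoin, id_recipient, nonce)

def respond(skcoin, C: int):
    """Two linear equations in the four coin secrets (x1, x2, y1, y2)."""
    x1, x2, y1, y2 = skcoin
    return ((C * x1 + y1) % Q, (C * x2 + y2) % Q)

def verify_response(m_: int, pkcoin: int, C: int, R_) -> bool:
    """Recipient's Step 3: g1^sig1 * g2^sig2 == m'^C * pkcoin."""
    return pow(G1, R_[0], P) * pow(G2, R_[1], P) % P == pow(m_, C, P) * pkcoin % P

def identify(R_a, R_b) -> int:
    """id = (sig1 - sig1*) / (sig2 - sig2*) mod q; requires C != C*."""
    return (R_a[0] - R_b[0]) * pow((R_a[1] - R_b[1]) % Q, -1, Q) % Q

class Bank:
    def __init__(self):
        self.accounts = {}   # m -> account holder, filled at account opening
        self.cointable = {}  # coin identifier m' -> (IdRecipient, nonce, C, R)

    def deposit(self, m_, pkcoin, id_recipient, nonce, C, R_):
        """Returns (verdict, detail); only the Step 3 check is repeated here."""
        if not verify_response(m_, pkcoin, C, R_):
            return "invalid", None
        prev = self.cointable.get(m_)
        if prev is None:
            self.cointable[m_] = (id_recipient, nonce, C, R_)
            return "ok", None
        rcpt0, nonce0, C0, R0 = prev
        if (rcpt0, nonce0) == (id_recipient, nonce):
            return "double-deposit", id_recipient    # recipient has to pay back
        if C0 == C:                                  # only via a hash' collision
            return "hash-collision", None
        id_ = identify(R_, R0)
        return "double-spend", self.accounts.get(pow(G1, id_, P) * G2 % P)

def run_demo(seed: int = 3):
    """Open an account, pay shopA (deposited twice) and shopB with one coin."""
    rng, bank = random.Random(seed), Bank()
    id_ = rng.randrange(1, Q)
    h1, m = open_account(id_)
    k, e = rng.randrange(1, Q), rng.randrange(1, Q)
    t, s_ = schnorr_prove(id_, k, e)
    assert schnorr_verify(h1, t, e, s_)
    bank.accounts[m] = "payer#1"
    s, y1, y2 = (rng.randrange(1, Q) for _ in range(3))       # from the withdrawal
    skcoin, m_ = (id_ * s % Q, s, y1, y2), pow(m, s, P)       # m' = m^s
    pkcoin = pow(G1, y1, P) * pow(G2, y2, P) % P
    verdicts = []
    for rcpt, nonce in (("shopA", 1), ("shopA", 1), ("shopB", 2)):
        C = challenge(m_, pkcoin, rcpt, nonce)
        verdicts.append(bank.deposit(m_, pkcoin, rcpt, nonce, C, respond(skcoin, C)))
    return verdicts
```

The quotient in identify() works because sig1 – sig1* = (C – C*)·x1 and sig2 – sig2* = (C – C*)·x2, and x1/x2 = (id·s)/s = id; the same two responses also give every other coin secret, which is the reason for the remark on punishment below: after two signatures the coin key is public, so further payments with this coin prove nothing about the payer.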

Version 23 March 2000, 17 Payment Systems, 39

• On punishment: Note that the bank cannot prove how many coins were double-spent: the proof of double-spending is just the value id with g1^id·g2 = m, and it is the same for all coins of this payer. This could be changed by using a different id for each coin, but still one could not prove how often a coin was spent, so one cannot exactly prove how much damage the payer caused. (One could check how many different signatures with this coin key exist, but once the payer has made two such signatures, the secret coin key can be computed, and thus the recipients could also take the opportunity and make additional payments with this coin.)

• On proofs: Given the restrictiveness assumption and assumptions that protocols using hash functions instead of random challenges are still proofs of knowledge, it should be possible to prove higher-level properties of the protocol, but we don’t do this now.

• On implementations: A system that was essentially based on Brands’ payment system was implemented in the project CAFE [BBCM1_94].

Literature

AASW_98 Jose L. Abad-Peiro, N. Asokan, Michael Steiner, Michael Waidner: Designing a generic payment service; IBM Systems Journal 37/1 (1998) 72-88.

AJSW_97 N. Asokan, Phillipe A. Janson, Michael Steiner, Michael Waidner: The State of the Art in Electronic Payment Systems; Computer 30/9 (1997) 28-35.

BBCM1_94 Jean-Paul Boly, Antoon Bosselaers, Ronald Cramer, Rolf Michelsen, Stig Mjølsnes, Frank Muller, Torben Pedersen, Birgit Pfitzmann, Peter de Rooij, Berry Schoenmakers, Matthias Schunter, Luc Vallée, Michael Waidner: The ESPRIT Project CAFE — High Security Digital Payment Systems; ESORICS 94 (Third European Symposium on Research in Computer Security), LNCS 875, Springer-Verlag, Berlin 1994, 217-230.

BüPf_89 Holger Bürk, Andreas Pfitzmann: Digital Payment Systems Enabling Security and Unobservability; Computers & Security 8/5 (1989) 399-416.

BüPf_90 Holger Bürk, Andreas Pfitzmann: Value Exchange Systems Enabling Security and Unobservability; Computers & Security 9/8 (1990) 715-721.

Cha8_85 David Chaum: Security without Identification: Transaction Systems to make Big Brother Obsolete; Communications of the ACM 28/10 (1985) 1030-1044.

Chau_81 David Chaum: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms; Communications of the ACM 24/2 (1981) 84-88.

Chau_83 David Chaum: Blind Signatures for untraceable payments; Crypto '82, Plenum Press, New York 1983, 199-203.

Chau_89 David Chaum: Privacy Protected Payments – Unconditional Payer and/or Payee Untraceability; SMART CARD 2000: The Future of IC Cards, IFIP WG 11.6 International Conference, Laxenburg (Austria) 1987, North-Holland, Amsterdam 1989, 69-93.

ChEG_88 D. Chaum, J.-H. Evertse, J. van de Graaf: An improved protocol for demonstrating possession of discrete logarithms and some generalizations; Eurocrypt '87, LNCS 304, Springer-Verlag, Berlin 1988, 127-141.

ChFN_90 David Chaum, Amos Fiat, Moni Naor: Untraceable Electronic Cash; Crypto '88, LNCS 403, Springer-Verlag, Berlin 1990, 319-327.

ChPe1_93 David Chaum, Torben Pryds Pedersen: Wallet Databases with Observers; Crypto '92, LNCS 740, Springer-Verlag, Berlin 1993, 89-105.

EvGY_83 Shimon Even, Oded Goldreich, Yacov Yacobi: Electronic wallet; Crypto '83, Plenum Press, New York 1984, 383-386.

FiSh_87 Amos Fiat, Adi Shamir: How to Prove Yourself: Practical Solutions to Identification and Signature Problems; Crypto '86, LNCS 263, Springer-Verlag, Berlin 1987, 186-194.

FrYu_93 Matthew Franklin, Moti Yung: Secure and Efficient Off-Line Digital Money; 20th International Colloquium on Automata, Languages and Programming (ICALP), LNCS 700, Springer-Verlag, Berlin 1993, 265-276.

HBCI_99 Homebanking Computer Interface - HBCI (Version 2.1); Zentraler Kreditausschuß, March 1999 (http://www.siz.de/siz/hbcispec_e/hbcisp_e.htm).

Pede_97 Torben P. Pedersen: Electronic Payments of Small Amounts; Security Protocols 1996, LNCS 1189, Springer-Verlag, Berlin 1997, 59-68.

PfWa_96 Birgit Pfitzmann, Michael Waidner: Properties of Payment Systems: General Definition Sketch and Classification; IBM Research Report RZ 2823 (#90126) 05/06/96, IBM Research Division, Zurich, May 1996.

PfWa2_92 Birgit Pfitzmann, Michael Waidner: How to Break and Repair a "Provably Secure" Untraceable Payment System; Crypto '91, LNCS 576, Springer-Verlag, Berlin 1992, 338-350.

Poin_98 David Pointcheval: Strengthened security for blind signatures; Eurocrypt '98, LNCS 1403, Springer-Verlag, Berlin 1998, 391-405.

PWP_87 Birgit Pfitzmann, Michael Waidner, Andreas Pfitzmann: Rechtssicherheit trotz Anonymität in offenen digitalen Systemen (Legal certainty despite anonymity in open digital systems); Computer und Recht 3/10,11,12 (1987) 712. A revised and extended version appeared in two parts in Datenschutz und Datensicherung DuD 14/5-6 (1990) 243-253, 305-315.

Simo_96 Daniel Simon: Anonymous Communication and Anonymous Cash; Crypto '96, LNCS 1109, Springer-Verlag, Berlin 1996, 61-73.
