DigiCash

Cryptocurrency Café
UVa cs4501 Spring 2015
David Evans
Class 5: DigiCash

Plan for Today
Hashing
Preventing Double Spending
DigiCash – Untraceable Cash
Distributed Consensus
1
Project 1 is due Friday (11:59pm)
Upcoming office hours:
Me: Thursday 4-5pm (Rice 507)
Nick: Friday noon-2pm (HackCville)

Size of Bitcoin
3
$0
$2
$4
$6
$8
$10
$12
$14
$16
$18
$20
Apple's Profits, last 3 months Bitcoin Market Cap
Apple’s Profits
(last 3 months) = $18B
(Revenues = $75B)
Value of all Bitcoin at
today’s price: $3.5B

Size of Bitcoin
4
$0
$2
$4
$6
$8
$10
$12
$14
$16
$18
$20
Apple's Profits, last 3 months Bitcoin Market Cap
$0
$2,000
$4,000
$6,000
$8,000
$10,000
$12,000
$14,000
$16,000
$18,000
$20,000
Apple's Profits, last
3 months
Bitcoin Market Cap Apple's Market Cap US National Debt
US National Debt:
$18.1 T

Using Asymmetric Crypto: Signatures
5
E D
Verified
Message
Signed Message
Message
Insecure Channel
KUB
KRB
Bob
Generates key pair: KUB, KRB
Publishes KUB
Anyone
Get KUB from
trusted provider

Signing Long Messages
6
Alice signs m1 = { “I give coin x = KUA, t to address KUB.”}
with KRA.
Bob signs m2 = { “I give coin x = KUA, t, given to me by
m1to address KUC.”} with KRB.
Asymmetric crypto is expensive: what is the longest m we can sign with 256-bit ECDSA?

Verified
Message
Message
Message Digests
7
E D
Verified
Message
Digest
Message
Alice Bob
KUB
KRB
H
MessageDigest
H=
SignedMessage
H is a cryptographic hash function:
one-way: given H(x) cannot find preimage x
strong collision-resistant:
hard to find pair x and y where H(x) = H(y)

Hash Functions
8
E
IV
K

P1
C1
E

P2
C2
... EK

Pn
Cn
Cipher Block Chaining

SHA-2
9http://opencores.org/project,sha256core
SHA-256
256-bit output
64 rounds
(best known
attacks break
preimage
resistance for
52 rounds)

Cryptographic Hashing in Bitcoin
• Transactions: message digests for signatures
• Public address: hash of public key
• Blockchain
10

12
Alice
{KUA, KRA}
High
Trust
Bank
{KUTB, KRTB}
M
M = “The High Trust Bank owes the
holder of this message $100.”
EKRTB
[H(M)]
Bank IOU Protocol

13
Alice
High
Trust
Bank
{KUTB, KRTB}
M
EKRTB
[H(M)]
Bob

14
Alice
High
Trust
Bank
{KUTB, KRTB}
M
EKRTB
[H(M)]
Bob
M EKRTB
[H(M)]
EKUA
[secret curry recipe]

15
Alice
High
Trust
Bank
{KUTB, KRTB}
M
EKRTB
[H(M)]
Bob
M EKRTB
[H(M)]
EKUA
M EKRTB
[H(M)]

16
Alice
High
Trust
Bank
{KUTB, KRTB}
M
EKRTB
[H(M)]
Bob
M EKRTB
[H(M)]
EKUA
M EKRTB
[H(M)]
Both Alice and Bob can
attempt to redeem the
IOU (multiple times).

17
Alice
{KUA, KRA}
Bear’s
Turns
Bank
{KUTB, KRTB}
M
M = “Bill #51342: Bear’s Turns Bank owes
the holder of this message $100.”
EKRTB
[H(M)]
Add Unique Identifiers

18
Alice
{KUA, KRA}
Bear’s
Turns
Bank
{KUTB, KRTB}
M
EKRTB
[H(M)]
Bill can only be
redeemed once.
Bank cannot tell if it is Alice
or Bob who cheated (first
redeemer wins?)
Not anonymous; tracable

CRYPTO 1988
David Chaum
Photo: Declan McCullagh (2002)19

Key Technology: Blind Signatures
21
Normal Signatures:
Alice selects message m
Sends m to bank
Bank returns signature:
SM = md mod n
Blind Signatures:
Bank’s public key: (e, n)
Bank’s private key: d

Key Technology: Blind Signatures
22
Normal Signatures:
SM = md mod n
Blind Signatures:
Picks random k in [1, n)
Sends bank t = mke mod n
Bank signs:
td = (mke mod n)d mod n
Alice computes md mod n:
= (mke)d mod n  mdked mod n
divide by k = md mod n
Bank’s public key: (e, n)
Bank’s private key: d

23
Bear’s
Turns
Bank
{KUTB, KRTB}
Mk
EKRTB
[Mk]
Client-Selected Identifiers

24
Bear’s
Turns
Bank
{KUTB, KRTB}
Mk
EKRTB
[Mk]
Client-Selected Identifiers

Cut-and-Choose
25
M1
k1
M2
k2
M256
k256
…
Mi = “Bill #[ri] : Bear’s Turns Bank owes the

Cut-and-Choose
26
M1
k1
M2
k2
M256
k256
…
Alice generate N different messages, and blinds each
with different k. Sends all of them to Bank.
Bank randomly selects N-1 of them, and challenges
Alice to unblind.
If all are okay, Bank (blindly) signs the one un-opened
message, and returns it to Alice.

Cut-and-Choose
27
M1
k1
M2
k2
M256
k256
…
Alice generate N different messages, and blinds each
with different k. Sends all of them to Bank.
Bank randomly selects N-1 of them, and challenges
Alice to unblind.
If all are okay, Bank (blindly) signs the one un-opened
message, and returns it to Alice.
What is probability Alice can cheat without getting caught?

28
Alice
{KUA, KRA}
Bear’s
Turns
Bank
{KUTB, KRTB}
M
EKRTB
[H(M)]
Bill can only be
redeemed once.
Bank cannot tell if it is Alice
or Bob who cheated (first
redeemer wins?)
Not anonymous; tracable

29
Alice
{KUA, KRA}
Bear’s
Turns
Bank
{KUTB, KRTB}
M
EKRTB
[H(M)]
Blinded Identifiers
Bill can only be
redeemed once.
Bank cannot tell who cheated
(first redeemer wins?)
Anonymous and untraceable

Catching Cheaters
30
M EKRTB
[H(M)] M EKRTB
[H(M)]
Bear’s
Turns
Bank
Spend a bill once: anonymity preserved
M EKRTB
[H(M)]
Spend a bill twice: identity revealed

Identity Strings
31
M1
k1
M2
k2
M256
k256
…
I = “alice@alice.org”
+ identity strings:
I1 = (h(I1L), h(I1R))
...
In = (h(InL), h(InR))
where h is a one-way hash function and
each IiL  IiR = I

Spending a Bill
32
M EKRTB
[H(M)]
I = “alice@alice.org”
+ identity strings:
I1 = (h(I1L), h(I1R))
...
In = (h(InL), h(InR))
where h is a one-way hash function and
each IiL  IiR = I
Reveal request: LRRLRLR…
(randomly select L or R for each pair)
I1L, I2R,I3R, I4L,… verifies hashes,
accepts bill

Charge
Next week: The Blockchain
Project 1 is due Friday
33
Upcoming office hours:
Me: Thursday 4-5pm (Rice 507)
Nick: Friday noon-2pm (HackCville)

DigiCash

More Related Content

Similar to DigiCash (20)

More from David Evans (20)

Recently uploaded (20)

DigiCash