Title: Trustee Tokens
1Trustee Tokens
- Simple and Practical Anonymous Digital Coin
Tracing
Ari Juels RSA Laboratories
2 3 PK
SK
Alice -1
Anonymous digital 1 coin
4 PK
SK
mod n
r, x
5 An Application for Anonymous E-Cash
An Application for Anonymous E-Cash
6Improved Computer Virus
Edgar
7Improved Computer Virus
8 9Hard Disk
10PK
Files
11Ransom Note
12 Oh, my files!
Alice -1
13HETTINGA SUCCEEDS GREENSPAN AT FED
14Anonymous coin
Edgar
15How can we prevent this?
16The Idea Trustee Tracing
Anonymous coin
17Tracing Basic Idea
Anonymous coin
Judge
18Coin is anonymous unlesstrustee traces it
19Many Trustee-based Tracing Schemes
- Brickell et al. ( 95)
- Stadler et al. (95)
- Jakobsson and Yung (96, 97)
- Camenisch et al., Frankel et al. (96)
- Davida et al. (97)
20Trend in schemes
Trustee Flexibility
Security Features
Computational Efficiency
Simplicity
21How our scheme works
22Two stages
Token withdrawal
1.
Coin withdrawal
2.
23Token withdrawal
Checks that coin contains AlicePK
24Trustee Token
Checks that x contains AlicePK
25 Coin withdrawal
SK
Conditionally anonymous digital coin
26Observe No change in coinstructure or
underlying withdrawal protocol
27Tracing
Trustee Token scheme guarantees that coins
contain creator identity
28Blackmail scenario
- Edgar registers his coin and gets caught or
- Alice cant make the withdrawal for Edgar
29Enhancements
30No coin storage
- Alice can pseudo-randomly generate coins and
blinding factors -- no coin storage
31Bulk token withdrawal
- Alice can withdraw many tokens at once and store
prior to coin withdrawals
32One token - multiple coins
33Result of Enhancements
- Little interaction with Trustee
-
34Pros and Cons
35Advantages over other schemes
- Very simple
- Provably secure
- No change in coin structure, underlying protocol
- Seamless incorporation with DigiCashTM
36Disadvantages
- Trustee interaction needed
- Security with multiple trustees needs trusted
dealer - Seamless incorporation with DigiCashTM - but no
DigiCashTM
37But...
- Can be used for general blind RSA
- E.g., X-cash
- Method can perhaps be extended to other e-cash
systems (?)
38Questions?