Stefan Brands. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, Centrum voor Wiskunde en Informatica, April 1993.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....modifying the numbers on a credit card slip after the fact, the merchant can simply introduce a difference between data presented to the user and the users secure coprocessor. 3.2. 3 Previous Work An alternative to the secure coprocessor managed electronic currency is Chaum s Digicash protocol [8, 10]. In such systems, anonymity is paramount, and cryptographic techniques are used to preserve the secrecy of the users identities. No physically secure hardware is used, except in the observers refinement to prevent double spending of electronic money (rather than detecting it after the fact) 4 ....

Stefan Brand. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, Centrum voor Wiskunde en Informatica, 1993.

....we consider, both in the regular and blind settings, is the signature of knowledge of the discrete logarithm of a given y 2 G to a given base g (hgi = G) Definition 1. An (l 1) tuple (c; s 1 ; s l ) 2 f0; 1g k Theta Z l n satisfying c = H l (m;y;g;g s1 y c[1] g s2 y c[2] ; g s l y c[l] 3) is a signature of knowledge of the discrete logarithm of y 2 G to the base g on a message m, with respect to security parameter l, denoted SKLOG l [ff j y = g ff ] m) 4) In general we use Greek letters to represent values whose knowledge will be proven by the ....

....regular proof of knowledge, our protocol is zeroknowledge. We now define signatures of knowledge based on variations of the discrete logarithm problem and extend the protocol above to construct blind versions of these signatures. One important variation is the representation problem, studied in [2, 5]. It is a direct generalization of the signature of knowledge discussed above, except we have y 1 ; yw instead of just one y, and g 1 ; g v , instead of just one g. We omit a more formal treatment of signatures of knowledge based on the representation problem due to space limitations. We ....

Stefan Brands. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, CWI, April 1993.

....choosing X randomly from (ZZ q ) n : ffl An : view(n; X) y) for a randomly chosen y 2 G, ffl Dn : view(n; X) K(n; X) Let the operator poly denote polynomial indistinguishability. Remark: Polynomial indistinguishability of the 2 party Diffie Helman key is considered, e.g. in [2]. The notion of polynomial indistinguishability is related to polynomial time statistical test as defined in [22, 14] In this context, it means that no polynomial time algorithm can distinguish between a Diffie Hellman key and a random value with probability significantly greater that 1 2 . More ....

Stefan Brands. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, CWI, March 1993.

....tokens are meant to act as a type of currency: they can be used to purchase a good, but like coins, they do not reveal the identity of the holder. These systems offer privacy in making a purchase. Some typical examples of token based electronic payment protocols ( digital cash protocols) are [2, 3, 7, 5, 14]. These protocols provide consumers with the ability to make anonymous purchases, purchases which can not be tracked by a bank to identify the purchaser. A stronger form of anonymity can be considered anonymity in which the identity of the purchaser is hidden from both the bank and the ....

Stefan Brands. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, Centrum voor Wiskunde en Informatica, 1993.

....choosing X randomly from (ZZ q ) n : ffl An : view(n; X) y) for a randomly chosen y 2 G, ffl Dn : view(n; X) K(n; X) Let the operator poly denote polynomial indistinguishability. Remark: Polynomial indistinguishability of the 2 party Diffie Helman key is considered, e.g. in [2]. The notion of polynomial indistinguishability is related to polynomial time statistical test as defined in [22, 14] In this context, it means that no polynomial time algorithm can distinguish between a Diffie Hellman key and a random value with probability significantly greater that 1 2 . More ....

Stefan Brands. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, CWI, March 1993.

....gen choses randomly a pair (q; ff) such that q has length k bit, q and q 0 = 2q 1 are both prime, and ff generates the unique subgroup G of ZZ q 0 of order q. Groups of this type are used, e.g. in [10] and [11] The indistinguishability of the 2 party key is considered, e.g. in [12]. For (q; ff) gen(k) n 2 N, and X = N1 ; Nn) for N i 2 ZZq , let ffl view(q; ff; n; X) the ordered set of all ff N i 1 Delta Delta Delta N i m for all proper subsets fi1 ; i mg of f1; ng, ffl K(q; ff; n; X) ff N 1 Delta Delta Delta Nn . If (q; ff) are ....

Stefan Brands. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, CWI, March 1993.

....a normal secure coprocessor; however, they need not run the secure coprocessor kernel, nor would they have access to all secret keys normally installed into a secure coprocessor. 3.4.2. Previous Work An alternative to the secure coprocessor managed electronic currency is Chaum s DigiCash protocol [12, 16]. In such systems, anonymity is paramount, and cryptographic techniques are used to preserve the secrecy of the users identities. No physically secure hardware is used, except in the observers refinement to prevent double spending of electronic money (rather than detecting it after the fact) 17 ....

Stefan Brand. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, Centrum voor Wiskunde en Informatica, 1993.

....are truly tamper proof, this appears to provide a safe way to exchange values off line. This approach (with slight modifications) is taken in the new proposed MasterCard 2000 and Visa Stored Value Card systems [5, 6, 8] A different set of approaches has been proposed by digital cash researchers [2, 3, 4]. These approaches are sometimes called electronic wallets or electronic purses. Electronic wallets transfer an electronic token to the point of sale system. At a later time, the electronic token is cashed in , for reconciliation, to the computer acting as a bank. Digital cash approaches ....

Stefan Brand. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, Centrum voor Wiskunde en Informatica, 1993.

....truly tamperproof, this approach appears to provide a safe way to exchange values off line. This approach (with slight modifications) is taken in the proposed MasterCard 2000 and Visa Stored Value Card systems [8, 10, 12] A different set of approaches has been proposed by digital cash researchers [5, 6, 7]. Electronic wallets transfer an electronic token to the point ofsale system. At a later time, the electronic token is cashed in , for reconciliation, to the computer 1 Tamper resistance is more difficult than it appears at first. Anderson and Kuhn[2] have show how to break a purportedly ....

Stefan Brands. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, Centrum voor Wiskunde en Informatica, 1993.

....basic idea of information separation is used in both protocols, there are major differences between the two. These are pointed out in x5 after the protocol description. An alternative to our approach that also provides payment anonymity is the use of digital cash first proposed in [3] see also [2, 8, 1] and references therein. Since the electronic cash is given to a customer, a means is needed to prevent the individual from duplicating and spending it over and over again, and to prevent possible forgery. Our approach avoids these problems since funds are transferred only among trusted entities. ....

Stefan Brands. An efficient off-line electronic cash system based on the representation problem. Technical report CS-R9323, CWI, Amsterdam, The Netherlands, March 1993.

....These tokens are meant to act as a type of currency: they can be used to purchase a good, but like coins, they do not reveal the identity of the holder. These systems offer privacy in making a purchase. Some typical examples of tokenbased electronic payment protocols ( digital cash protocols) are [2, 3, 7, 5, 15]. These protocols provide consumers with the ability to make anonymous purchases, purchases which can not be tracked by a bank to identify the purchaser. A stronger form of anonymity can be considered anonymity in which the identity of the purchaser is hidden from both the bank and the ....

Stefan Brands. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, Centrum voor Wiskunde en Informatica, 1993.

....basic idea of information separation is used in both protocols, there are major differences between the two. These are pointed out in x5 after the protocol description. An alternative to our approach that also provides payment anonymity is the use of digital cash first proposed in [3] see also [2, 8, 1] and references therein. Since the electronic cash is given to a customer, a means is needed to prevent the individual from duplicating and spending it over and over again, and to prevent possible forgery. Our approach avoids these problems since funds are transferred only among trusted entities. ....

Stefan Brands. An efficient off-line electronic cash system based on the representation problem. Technical report CS-R9323, CWI, Amsterdam, The Netherlands, March 1993.

....on Networking Reference [3] suggests a very interesting approach that uses a cryptographic protocol to create electronic cash, thus making it impossible in an automated transaction to associate a purchase with the customer. There have since been many proposals for electronic cash; see e.g. [2, 11, 1] and references therein. Since the electronic cash is given to a customer, a means is needed to prevent the individual from duplicating and spending it over and over again, and to prevent possible forgery; see Appendix. Reference [6] designs a simple protocol to perform payment transactions ....

Stefan Brands. An efficient off-line electronic cash system based on the representation problem. Technical report CS-R9323, CWI, Amsterdam, The Netherlands, March 1993.

....than modifying the numbers a credit card slip after the fact, the merchant can simply introduce a difference between data presented to the user and the users secure coprocessor. 3.2. 3 Previous Work An alternative to the secure coprocessor managed electronic currency is Chaum s Digicash protocol [8, 10]. In such systems, anonymity is paramount, and cryptographic techniques are used to preserve the secrecy of the users identities. No physically secure hardware is used, except in the observers refinement to prevent double spending of electronic money (rather than detecting it after the fact) 4 ....

Stefan Brand. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, Centrum voor Wiskunde en Informatica, 1993.

....holds (see Brands [15, Proposition 2.3.3. Property 1 Regardless of the choice of l, assuming it is infeasible to compute discrete logarithms in G q , Alice cannot compute a Digital Credential public key for which she knows more than one secret key. This property was first proved by Brands [10]; earlier on, Chaum, van Heijst, and Pfitzmann [37, 38] proved collision intractability for the case of fixed l. Consequently, by signing the Digital Credential public key the CA binds a unique attribute tuple to Alice s Digital Credential, albeit in an indirect manner: the CA s signature binds ....

....and discarding of Digital Credentials. It can also be used in all kinds of applications, for example to increment counters in loyalty schemes. The protocol is based on a protocol by Chaum and Pedersen [35] for demonstrating the equality of two discrete logarithms, and was first used by Brands [10, 11] for the special case l =1 in order to design an off line electronic cash scheme. The CA s digital signature on a Digital Credential public key h #=1this time consists of three elements, z # G q , c # 0 Z q , and r 0 Z q , satisfying z # ,g 0 h c 0 ,h (z # ) c ) ....

[Article contains additional citation context not shown here]

Stefan Brands. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, Centrum voor Wiskunde en Informatica, April 1993.

....in this case. 8 HUT TML 2000 Tik 110.501 Seminar on Network Security 2.3 Brands Electronic Cash Where Chaum s electronic cash system is based on RSA signatures, Brands electronic check system is based on the discrete logarithm problem and the discrete logarithm representation problem 3 . [1, 3]. Another basic primitive in Brands system is a secret key certificate [4] An application of a secret key certificate is a certificate where the signer of the certificate has seen the attributes of the certificate, but not the key bound to the certificate. This allows the owner of the ....

Stefan Brands. An Efficient Off-Line Electronic Cash System Based on the Representation Problem Report CS-R9323, Computer Science/Department of Algorithms and Architecture, CWI, Mar 1993.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC