University of Virginia, Department of Computer Science
CS588: Cryptology - Principles and Applications, Fall 2001

Manifest: Wednesday 10 October 2001

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the host key has just been changed.
Please contact your system administrator.
Add correct host key in /af10/evans/.ssh/known_hosts to get rid of this message.
Agent forwarding is disabled to avoid attacks by corrupted servers.
X11 forwarding is disabled to avoid attacks by corrupted servers.
Are you sure you want to continue connecting (yes/no)? yes

Assignments Due

  Now: Problem Set 3
  Wednesday, 17 October: No Class
  Wednesday, 24 October: Midterm
  Monday, 29 October: Full Proposal Due


Blind Signatures

  1. Alice picks random k between 1 and n.
  2. Sends Bank $t = m k^e \bmod n$. ($e$ from the Bank's public key.)
  3. Bank signs $t$ using private key $d$. Sends Alice:
    $t^d = (m k^e \bmod n)^d \bmod n = (m k^e)^d \bmod n = m^d k^{ed} \bmod n = m^d k \bmod n$
  4. Alice divides by $k$ to get $s_m = m^d \bmod n$.
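
The four steps above as an added Python example (not part of the original handout). The Bank's key is a constructed toy RSA key built from two Mersenne primes, and the function names are hypothetical. "Divides by k" is implemented as multiplication by the inverse of k mod n, so k is re-drawn until gcd(k, n) = 1.

```python
import math
import secrets

# Constructed toy RSA key for the Bank (assumption; far too small for real use).
P = 2**31 - 1                        # Mersenne prime
Q = 2**61 - 1                        # Mersenne prime
N = P * Q                            # public modulus n
E = 65537                            # public exponent e
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent d, with e*d = 1 mod phi(n)


def blind(m, n, e):
    """Steps 1-2 (Alice): pick random k, return (t, k) with t = m * k^e mod n."""
    while True:
        k = secrets.randbelow(n - 2) + 2      # k in 2 .. n-1
        if math.gcd(k, n) == 1:               # k must be invertible mod n
            return (m * pow(k, e, n)) % n, k


def bank_sign(t, d, n):
    """Step 3 (Bank): sign the blinded value. Returns t^d = m^d * k mod n."""
    return pow(t, d, n)


def unblind(signed_t, k, n):
    """Step 4 (Alice): divide by k, i.e. multiply by k^-1 mod n, to get m^d mod n."""
    return (signed_t * pow(k, -1, n)) % n


def verify(m, s, e, n):
    """Anyone: check s against the Bank's public key (s^e mod n == m)."""
    return pow(s, e, n) == m % n


def demo(m=123456789):
    """Run the exchange once; m is a constructed sample message."""
    t, k = blind(m, N, E)               # the Bank sees only t, never m
    s_m = unblind(bank_sign(t, D, N), k, N)
    return {"t": t, "s_m": s_m, "direct": pow(m, D, N), "valid": verify(m, s_m, E, N)}


if __name__ == "__main__":
    result = demo()
    print("unblinded signature equals m^d mod n:", result["s_m"] == result["direct"])
    print("verifies under the Bank's public key:", result["valid"])
```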

Digital Cash Protocol

(Based on Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition. Section 6.4 has an excellent presentation of digital cash protocols.)
  1. Alice prepares n money orders each containing:
    • Amount
    • Uniqueness String: X
    • Identity Strings: $I_1 = (h(I_{1L}), h(I_{1R})), \ldots, I_n = (h(I_{nL}), h(I_{nR}))$.
      Each $(I_{iL}, I_{iR})$ pair reveals Alice's identity, $I = I_{iL} \oplus I_{iR}$ (XOR).
      h is a secure, one-way hash function.
  2. Alice blinds (multiplies by random k) all n money orders and sends them to bank.
  3. Bank asks for any $n - 1$ of the random $k_i$s and all their corresponding identity strings.
  4. Bank checks money orders. If okay, signs the remaining blinded money order, and deducts amount from Alice's account.
  5. Alice unblinds the signed note, and spends it with a Merchant.
  6. Merchant asks Alice to randomly reveal either $I_{iL}$ or $I_{iR}$ for each $i$. (Merchant chooses random n-bit selector string.)
  7. Alice sends Merchant corresponding $I_{iL}$s or $I_{iR}$s.
  8. Merchant uses h to confirm Alice didn't cheat.
  9. Merchant takes money order and identity string halves to bank.
  10. Bank verifies its signature, and checks uniqueness string. If it has not been previously deposited, bank credits Merchant and records uniqueness string and identity string halves.
  11. If it has been previously deposited, bank looks up previous identity string halves. Finds one where both L and R halves are known, and calculates I to identify Alice. Arrests Alice.
  12. If there is no $i$ for which different halves are known, arrest Merchant.

David Evans