University of Virginia, Department of Computer Science CS588: Cryptology - Principles and Applications, Fall 2001

Manifest: Wednesday 10 October 2001

```@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: HOST IDENTIFICATION HAS CHANGED!         @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the host key has just been changed.
Add correct host key in /af10/evans/.ssh/known_hosts to get rid of this message.
Agent forwarding is disabled to avoid attacks by corrupted servers.
X11 forwarding is disabled to avoid attacks by corrupted servers.
Are you sure you want to continue connecting (yes/no)? yes
```
 Assignments Due Now Problem Set 3 Wednesday, 17 October No Class Wednesday, 24 October Midterm Monday, 29 October Full Proposal Due

### Blind Signatures

1. Alice picks random k between 1 and n.
2. Send's Bank t = mke mod n. (e from the Bank's public key.)
3. Bank signs t using private key d. Sends Alice:
td = (mke mod n)d mod n = (mke)d mod nmdked mod n
= (mke)d mod nmdked
mod nmdk mod n
.
4. Alice divides by k to get sm = md mod n.

### Digital Cash Protocol

(Based on Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition. Section 6.4 has an excellent presentation of digital cash protocols.)
1. Alice prepares n money orders each containing:
• Amount
• Uniqueness String: X
• Identity Strings: I1 = (h(I1L), h(I1R)), ..., In = (h(InL), h(InR)).
Each (IiL, IiR) pair reveals Alice's identity, I = IiL XOR IiR.
h is a secure, one-way hash function.
2. Alice blinds (multiplies by random k) all n money orders and sends them to bank.
3. Bank asks for any n - 1 of the random kis and all its corresponding identity strings.
4. Bank checks money orders. If okay, signs the remaining blinded money order, and deducts amount from Alice's account.
5. Alice unblinds the signed note, and spends it with a Merchant.
6. Merchant asks Alice to randomly reveal either IiL or IiR for each i. (Merchant chooses random n-bit selector string.)
7. Alice sends Merchant corresponding IiLs or IiRs.
8. Merchant uses h to confirm Alice didn't cheat.
9. Merchant takes money order and identity string halves to bank.
10. Bank verifies its signature, and checks uniqueness string. If it has not been previously deposited, bank credits Merchant and records uniqueness string and identity string halves.
11. If it has been previously deposited, bank looks up previous identity string halves. Finds one where both L and R halves are known, and calculates I to identify Alice. Arrests Alice.
12. If there are no i's, where different halves are known, arrest Merchant.
Questions

• What is cash? What is it good for?
• What properties should digital cash have?
• How can someone sign something without knowing what it is?
• How is this useful to be able to sign something without knowing what it is? How is it dangerous?
• How does the digital cash protocol work?