
c880df3248f60f479ec34d9481218f24.ppt
- Number of slides: 49
Executable Financial Instruments and MicroMint on the Cheap. Ari Juels, RSA Laboratories, with Markus Jakobsson, Bell Laboratories
The Web provides an excellent means of communication with all kinds of people... "Hi. My name is Darlene. I’m a model. Want to meet sometime?" "Yeah!"
The Web provides an excellent means of communication with all kinds of people... “Darlene”: "He fell for it! Ha ha!" ...you know nothing about.
The Web provides an excellent means of communication and commerce... [sign: For sale] "Hi. I’d like to buy your car. I’ll pay $106,000. OK?" "Cool!"
The Web provides an excellent means of communication and commerce... "Another sucker!" ...with people you know nothing about.
Aim: Flexible commerce with minimal trust [figure labels: You, Internet, ?]
Two Ideas Today
- MicroMint outsourcing
- X-cash: Executable financial instruments
MicroMint
Want a scheme that mimics economics of physical mint
- Verifying validity of a coin is easy
- Base minting cost is high, so...
- Forgery is expensive
The minting process
1. Throw balls (jellybeans) into bins using “random” function h
2. Any bin with two balls (jellybeans) is a coin
Minting in MicroMint [figure: h throws balls into Bins 1-9; Collision = Coin]
Checking a coin [figure: h, Bin 2; Valid coin?]
Features
- Many bins, so need to throw many balls (jellybeans) to mint successfully
- Minting requires very intensive computation
Minting requires special, e.g., $250,000 computer “Deep Crack”
Another characteristic: Most balls are invalid [figure: h throws balls at Bins 1-9] In fact, >99% of work goes to missed balls!
Idea: Make three stage process
1. Create “valid” balls, i.e., balls that won’t miss (>99% of work)
2. Throw balls into bins using “random” function h (<1% of work)
3. Any bin with two balls is a coin
Have many other (untrusted) people do Step 1
Now...
- 99%+ of work is done for minter
- No participant will get enough balls to do minting himself/herself (or else participants know “validity” h but not “throwing” h)
- Minting is cheap for minter!
Minter can use ordinary server
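
The three-stage process above as a small simulation (an added example, not code from the slides or from MicroMint itself). It assumes SHA-256 with an 8-zero-bit prefix as the public "validity" test, HMAC-SHA-256 under a minter key as the secret "throwing" function, 2**10 bins, and that a verifier is simply handed the throwing key; all names and parameters are illustrative.

```python
import hashlib
import hmac
from collections import defaultdict

VALID_BITS = 8   # assumed: a ball is valid if its digest starts with 8 zero bits
BIN_BITS = 10    # assumed: 2**10 bins

def is_valid(ball):
    """Public "validity" h: only about 1 in 2**VALID_BITS balls passes."""
    d = hashlib.sha256(b"valid|" + ball).digest()
    return int.from_bytes(d, "big") >> (256 - VALID_BITS) == 0

def find_valid_balls(worker_id, tries):
    """Step 1, run by an untrusted worker: brute-force search for valid balls."""
    candidates = (f"{worker_id}:{i}".encode() for i in range(tries))
    return [ball for ball in candidates if is_valid(ball)]

def throw(key, ball):
    """Step 2, minter only: secret "throwing" h, modelled as keyed HMAC."""
    d = hmac.new(key, ball, hashlib.sha256).digest()
    return int.from_bytes(d, "big") >> (256 - BIN_BITS)

def mint(key, balls):
    """Step 3: a bin that receives its second distinct valid ball is a coin."""
    bins, coins = defaultdict(list), []
    for ball in balls:
        if not is_valid(ball):       # one hash: re-check the worker's claim
            continue
        slot = bins[throw(key, ball)]
        if ball in slot:             # a resubmitted ball is not a collision
            continue
        slot.append(ball)
        if len(slot) == 2:
            coins.append(tuple(slot))
    return coins

def verify_coin(key, coin):
    """Cheap check: two distinct valid balls that land in the same bin."""
    a, b = coin
    return (a != b and is_valid(a) and is_valid(b)
            and throw(key, a) == throw(key, b))

def demo(tries=20000):
    key = b"constructed-minter-key"      # constructed sample value
    balls = [b for w in range(4) for b in find_valid_balls(w, tries)]
    coins = mint(key, balls)
    outsourced = 4 * tries               # hashes spent by the four workers
    minter = 2 * len(balls)              # validity re-check + throw per ball
    return coins, outsourced / (outsourced + minter)
```

`demo()` returns the minted coins and the fraction of all hash evaluations that the workers performed; with these parameters the minter's own share is a small remainder, which is the point of the outsourcing slide.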
Application III: Secure multiparty computation
Questions?
X-cash: Executable Digital Cash. Ari Juels, RSA Laboratories; joint work with Markus Jakobsson, Bell Labs. 23rd February 1998
The Internet: Many entities wishing to trade with one another
Peer-to-peer trading can be problematic
- Peer-to-peer interaction can create communications bottlenecks
- Anonymity (both ways) is hard to protect in a peer-to-peer setting
- Would like computational load involved with trading to be handled by servers, not clients
Therefore, we would like trade to occur in a distributed fashion.
A vehicle for distributed trade: Mobile agents [figure: Program + Documentation, To Internet]
A problem: Pick-pocketing [figure label: Program]
Other problems:
- Maliciously modified code
- Intercepted purchases
- A different scenario than digital cash: multiple spending may be permissible
A solution: X-cash
Idea: Make redemption of cash conditional on delivery of desired goods
First tool: A program that knows what it wants
Mobile Agent includes a code segment P
- P takes as input potential purchase items, e.g., airline tickets
- P outputs amount user is willing to pay
[figure: Paris -> P -> $300]
Second tool: Negotiable certificate
- Bank holds (SK_B, PK_B)
- Alice holds (SK_A, PK_A)
- Negotiable certificate for PK_A = SIG_{SK_B}(PK_A, $500)
[figure: BANK, Alice, Bob; SIG_{SK_A}($300, “For Bob”)]
Idea: Bind negotiable certificate to agent program P
X-cash = [certificate for PK_A], SIG_{PK_A}(P)
...Then send off via mobile agent
When Bob receives the mobile agent [figure: Bob; [certificate for PK_A], SIG_{PK_A}(P)]
Bob can assess and authenticate Alice’s offer for his tickets [figure: Bob; [certificate for PK_A], SIG_{PK_A}(P); $300]
The bank can verify and process the transaction [figure: BANK; [certificate for PK_A], SIG_{PK_A}(P); $300]
- Bank gives $300 to Bob, deducting against the negotiable certificate
- Bank receives and holds tickets for Alice, or sends them to her
An Example
Alice needs ticket to important conference in Caribbean
- She will pay $300 for business class to St. Martin
- She will pay $600 for first class fare to St. Martin
- She will pay $400 for business class to Anguilla
- She will pay $700 for first class to Anguilla
Alice creates a program P
- Input to P: An airline ticket
  - Airline ticket may include certificates and signatures, e.g., airline certificate, travel agent certificate, etc.
  - P includes root certificates
- Output of P: Amount Alice will pay
  - Conditional on correct dates, transferability of ticket, etc.
Alice gets a negotiable certificate
- Alice generates key pair (PK_A, SK_A).
- Alice withdraws a negotiable certificate [certificate for PK_A] = SIG_{SK_B}(PK_A, $700).
Alice creates X-cash and sends mobile agent [figure: [certificate for PK_A], SIG_{PK_A}(P)]
Bob’s Travel has a business class ticket T to Anguilla for sale
Bob does the following
- Checks certificates and signatures in Alice’s mobile agent
- Generates signatures t_A transferring ownership of ticket T to Alice
- Runs P(T, t_A) on a ticket T and signatures t_A transferring ownership to Alice
- Sees output “$400”
- Sends [certificate for PK_A], SIG_{PK_A}(P) and T, t_A to bank
The Bank does the following
- Verifies certificates and signatures in Alice’s agent
- Sees that P(T, t_A) = $400
Then:
- Deducts $400 against Alice’s negotiable certificate
- Gives $400 to Bob
- Holds T, t_A for Alice and notifies her
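
The St. Martin/Anguilla example above end to end (an added example, not code from the slides). Assumptions: textbook RSA over small known primes stands in for the unspecified signature scheme and is not secure, P is modelled as a signed price table rather than executable code, t_A is a plain transfer record whose own signatures are not checked, and all function names are hypothetical.

```python
import hashlib
import json

E = 65537

def keygen(p, q):
    """Toy textbook-RSA key from two known primes (illustration only)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(msg, n):
    data = json.dumps(msg, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(sk, msg):
    return pow(digest(msg, sk["n"]), sk["d"], sk["n"])

def verify(n, msg, sig):
    return pow(sig, E, n) == digest(msg, n)

BANK = keygen(2**127 - 1, 2**89 - 1)     # (SK_B, PK_B), constructed
ALICE = keygen(2**107 - 1, 2**61 - 1)    # (SK_A, PK_A), constructed

# Alice's program P, reduced to the four prices from the example slide.
P = {"St. Martin/business": 300, "St. Martin/first": 600,
     "Anguilla/business": 400, "Anguilla/first": 700}

def run_P(program, ticket, transfer):
    """P(T, t_A): what Alice pays; 0 unless T is transferred to Alice."""
    if transfer.get("to") != "Alice" or transfer.get("ticket") != ticket:
        return 0
    return program.get(f"{ticket.get('dest')}/{ticket.get('class')}", 0)

def make_xcash():
    """Bank-signed certificate (PK_A, $700) bound to Alice-signed P."""
    cert = {"pk": ALICE["n"], "limit": 700}
    return {"cert": cert, "cert_sig": sign(BANK, cert),
            "P": P, "P_sig": sign(ALICE, P)}

def bank_redeem(xcash, ticket, transfer, spent=0):
    """Bank-side checks; returns the amount paid to the seller (0 = refuse)."""
    if not verify(BANK["n"], xcash["cert"], xcash["cert_sig"]):
        return 0                              # certificate not issued by bank
    if not verify(xcash["cert"]["pk"], xcash["P"], xcash["P_sig"]):
        return 0                              # P was modified in transit
    amount = run_P(xcash["P"], ticket, transfer)
    return amount if spent + amount <= xcash["cert"]["limit"] else 0
```

The `spent` argument is the total already deducted against the certificate, so a second $400 redemption against the $700 certificate is refused, and a seller who edits P to raise the price fails the signature check.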
X-cash extensions
Double spending
How does Alice know that Bob didn’t sell the ticket twice? An issue with any digital cash system. Solutions:
- On-line verification
- Penalization after fact
- Tamper resistance (for Bob)
Anonymity
X-cash can be rendered anonymous using the following ideas:
- Blind withdrawal of certificates with conditional revocation of anonymity
- Anonymous re-mailers for delivery of goods (e.g., airline tickets)
Stateful offers
In the examples above, Alice’s program P had no external state. This need not be the case.
Example of stateful offer
Alice wants to sell 100 ounces of gold at the market price
- Alice’s program P contacts a Web site to get the current price of gold
- Bob includes in his response C a value G_B -- the maximum price he is willing to pay
- When the Bank runs P(C), Bank checks that transaction cost is at most G_B, as per Bob’s response.
Multiple banks
We assume above a single, universally trustworthy bank. X-cash can be adapted for infrastructures with multiple, mutually suspicious banks.
Conclusion
X-cash is a simple means of achieving trusted commerce in a distributed setting like the Internet.