Cryptography Reference
In-Depth Information
Similarly, c 2 r (1)
r (1)
c 1 ) and c 2 ( r (2)
c 1 r (2)
c 1
s 1 ( c 2
c 2 )
t 1 ( c 2
c 1 ), so
c 1
c 2
c 1
( c 2 r (1)
r (1)
c 2
c 1 ) 1 ,t 1
( c 2 ( r (2)
c 1 r (2)
c 1 ) 1 , (D.9)
s 1
c 1
)( c 2
))( c 2
c 1
c 1
c 2
so from (D.8) and (D.9), the bank can calculate $s_1, s_2, t_1, t_2$, and thereby
$$e_1 z_1 \equiv s_1 + s_2 \quad\text{and}\quad e_2 z_1 \equiv t_1 + t_2. \tag{D.10}$$
Lastly, since
r (3)
c 1
r (3)
c 2
c 2 ) and c 2 r (3)
c 1 r (3)
u 2 ( c 1
u 1 ( c 2
c 1 ) ,
c 1
c 2
then
( r (3)
c 1
r (3)
c 2
c 2 ) 1
( c 2 r (3)
c 1 r (3)
c 1 ) 1 ,
u 2
)( c 1
and u 1
)( c 2
c 1
c 2
from which the bank computes $z_1 \equiv u_1 + u_2$. Hence, from (D.10), the bank
can compute $e_1, e_2$, and so $A \equiv g_1^{e_1} g_2^{e_2} \pmod{p}$, which
identifies Alice, who is charged with fraud.
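The recovery step described above, as an added example that is not from the book. It assumes each response to a challenge $(c_1, c_2)$ has the linear form $r \equiv c_1 x_1 + c_2 x_2 \pmod{q}$ for the split values $(s_1, s_2)$, $(t_1, t_2)$, $(u_1, u_2)$, which this page does not show in full; the function names and the toy parameters $p = 2039$, $q = 1019$, $g_1 = 4$, $g_2 = 9$ are constructed.

```python
# Toy parameters (constructed): p = 2q + 1; g1, g2 have order q modulo p.
P, Q, G1, G2 = 2039, 1019, 4, 9

def respond(x1, x2, c):
    """Assumed response form for one split value: r = c1*x1 + c2*x2 (mod q)."""
    return (c[0] * x1 + c[1] * x2) % Q

def solve_pair(r, r_alt, c, c_alt):
    """Recover (x1, x2) from responses to two challenges (Cramer's rule mod q)."""
    det = (c[0] * c_alt[1] - c[1] * c_alt[0]) % Q
    if det == 0:
        raise ValueError("challenges are proportional mod q; shares not determined")
    inv = pow(det, -1, Q)
    x1 = (r * c_alt[1] - r_alt * c[1]) * inv % Q
    x2 = (r_alt * c[0] - r * c_alt[0]) * inv % Q
    return x1, x2

def identify(spend, spend_alt):
    """Each spend is (challenge, (r1, r2, r3)). Returns (e1, e2, A)."""
    (c, r), (c_alt, r_alt) = spend, spend_alt
    s1, s2 = solve_pair(r[0], r_alt[0], c, c_alt)
    t1, t2 = solve_pair(r[1], r_alt[1], c, c_alt)
    u1, u2 = solve_pair(r[2], r_alt[2], c, c_alt)
    z1 = (u1 + u2) % Q                      # z1 = u1 + u2
    if z1 == 0:
        raise ValueError("z1 is not invertible mod q")
    z_inv = pow(z1, -1, Q)
    e1 = (s1 + s2) * z_inv % Q              # from (D.10): e1*z1 = s1 + s2
    e2 = (t1 + t2) * z_inv % Q              # from (D.10): e2*z1 = t1 + t2
    return e1, e2, pow(G1, e1, P) * pow(G2, e2, P) % P

def constructed_double_spend(e1=77, e2=123, z1=345):
    """Constructed sample: one coin answered under two different challenges."""
    s1, t1, u1 = 500, 200, 100              # arbitrary first shares
    shares = [(s1, (e1 * z1 - s1) % Q), (t1, (e2 * z1 - t1) % Q), (u1, (z1 - u1) % Q)]
    spends = []
    for c in [(11, 29), (53, 7)]:           # challenges from two separate spends
        spends.append((c, tuple(respond(x1, x2, c) for x1, x2 in shares)))
    return spends

if __name__ == "__main__":
    first, second = constructed_double_spend()
    print(identify(first, second))          # (e1, e2, A) of the double-spender
```

A single spend gives one equation in two unknowns per split value, so `solve_pair` has nothing to solve; only a second, non-proportional challenge makes the determinant invertible.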
If Alice does not try to double-spend and is indeed legitimate, her identity
is not revealed. Thus, Brands' scheme provides anonymity to legitimate
entities since Alice never has to provide identification, as is the case with
paper money. As with the ECash scheme, Brands' scheme also ensures
untraceability of legitimate entities. However, as proved above, the bank can
identify a double-spender. Brands' scheme possesses authenticity since the
scheme is secure against impersonation, because it is based upon the
intractability of the DLP (see page 164).
One of the major advantages of Brands' method is that it does not use any
cut-and-choose protocol or secret splitting (see Section 5.5), whose time
costs are excessive. Thus, with Brands' scheme, the bank does not have to
engage in such protocols. Moreover, since Brands' scheme is based upon the
DLP, the integer factoring problem does not come into play, as it does with
the RSA modulus used in the ECash scheme. Now we look at the parameters
involved in Brands' method.
Since $g_1, g_2$ are made public, and $A \equiv g_1^{e_1} g_2^{e_2} \pmod{p}$,
$g_1, g_2$ must be chosen large enough to make it computationally infeasible
for an adversary to compute a representation of Alice's account. Nevertheless,
the bank must be able to accommodate all its customers with the pairs
$(e_1, e_2)$, so the bank has to ensure that $g_1, g_2$ are not chosen so large
as to prevent this. The exponents $e_1, e_2$ are in $(\mathbb{Z}/q\mathbb{Z})$
and Brands suggests that $q$ should have 140 bits while $e_1, e_2$ should be
around 70 bits. As usual, the system is only as secure as the implementation
and security of the private/secret keys.
Although Brands' scheme is relatively complicated mathematically, most of
the work is required both to preserve anonymity and to prevent double-spending.
Given the above advantages, the consensus is that Brands' scheme is preferable
to the ECash scheme in most implementations.