E-cash is one of many forms of financial instruments, an alternative to cash. Cash itself isn’t well understood. There are those that think of cash as an easy form of gold transfer, called the *gold standard*, and those that think of cash as representing nothing more than a state promise, the *fiat money* standard. Discussion of gold standard and fiat money go on all the time and for all time. There is even a theory that Wizard of Oz was a subtle lampoon of the gold standard theoretists, in the use of a yellow brick road leading to an emerald castle and a phoney wizard.

E-cash is designed to mimic the anonymity and unlinkability of cash. That is, if you pay cash, no one knows you bought it. This is not entirely true, as each dollar bill has a unique serial number, but no one bothers to follow it, except Where’s George enthusiasts. The limits of linkablity is tested every day in the battle between money launderers and the U.S. Treasury and Secret Service.

David Chaum in 1982 proposed the first E-cash scheme, and with it, several innovations in cryptography. All of these innovations have many uses throughout cryptography, so in familiarizing yourself with the E-cash scheme you will have a much better understanding of the breath of methods used in cryptography. The fate of his E-cash scheme is not the point — David Chaum’s company Digicash was a notable corporation for its gathering of many of the early pioneers of modern cryptography but was not a commercial success. No E-cash schemes met commercial success until BitCoin by the mysterious Satoshi Nakamoto.

The three innovative ideas introduced are:

- The
*blind signature*, leading to the concept of blinded computation in general, *cut-and-choose methods*, that probabilistically insure correct following of the protocols by competing interested parties,- The use of a hash function to provide a cryptographically strong pseudo-random number that simultaneously seals an action, which predicts the similar use of hash functions for non-interactive zero-knowledge proofs.

**Blind Signatures**

Eventually, e-cash will come down to a signed documentation stating: this document is worth $10, or some amount. In e-cash, a bank will sign the document, it will be paid $10 to sign such a document, and it will render $10 to a presenter of said document (disregarding fees, which will of course be charged to maintain the interest of the bank).

This presents a problem for anonymity and unlinkability. If the bank is to prevent double spending, that is, that the owner of the document duplicates it and claims that each of the duplicate is an individual and separate claim to $10 from the bank, the document must be unique. As it was purchased unanonymously (we presume), the bank can remember the document and who it was sold to.

Blind signatures prevent this linking by a mathematical process of the user blinding the document, that is, transforming it, having the bank sign that, and the user transforming back the signature so that it is a signature of the original document. It must be that the only thing the user can do is transform it back to one signature on one document (in fact the bank’s signature on the original document has to be useless), and if and when the user’s document is presented to the bank to reclaim the cash amount, the bank cannot tie it to any document it did sign, although the signature does verify as bona fide of the bank.

Chaum used RSA as follows to blind sign. Alice and the Bank (the Band of Bob) engage in this protocol:

- The bank publishes is public RSA key n=pq, and retains 3
^{-1}mod (p-1)(q-1) as the private key; and a hash function h is chosen. - Alice picks a random r in the group of invertible elements mod n and sends r
^{3}h(message) to the Bank. - The Bank, wishing to sign, extracts the third root mod n and returns r h(message)
^{1/3}back to Alice. - Alice divides by r and has in its possession the signature Sig
_{Bank}(h(message))=h(message)^{1/3}.

Note carefully that (h(message),h(message)^{1/3}) looks suspiciously like (h(message)^{3},h(message)) but one is a signature and the other is just a number and its cube mod n. The role of the hash function is important in interpreting the number pair as a signature.

Verification is the presentation of the message and σ=h(message)^{1/3}, to which Verify(message, σ) checks h(message) == σ^{3} mod n (where double equal signs signifies to equality predicate).

**Double Spending**

A fundamental difficulty of E-cash is to prevent double spending. Actually, it must not only be prevented, but punished or remediated. Unless the protocol is completely on-line, so that each transaction is monitored for double spending before goods trade hands, users such as Alice must be sufficiently incentivized not to engage in double spending, because it will come to naught.

Chaum built in a trapdoor to the spending protocol so that if Alice spent a coin twice, the bank will not only recognize the double spending, but can break the e-cash anonymity and reveal the that the owner of the double-spent coin was Alice.

It works by encoding in message Alice’s name, itself blinded so that a single run of the spending protocol will not break the blinding, but two runs most certainly will. This is a compact activity, since the message is hashed then signed (cube root extracted) so that something of the preimage of the hash must be revealed.

The exact method uses two hash functions, h_{1} and h_{2} each taking a pair of elements in **Z ^{*}_{n}**, the invertible elements mod n, and producing an element in

B_{i} = r^{3} h_{1}(x_{i},y_{i}),

where x_{i} = h_{2}(a_{i},c_{i}) and y_{i} = h_{2}(a_{i}⊕(“Alice”||i),d_{i}),

and a_{i}, c_{i}, d_{i} and r_{i} are each chosen randomly from **Z ^{*}_{n}** for each i from 1 to 2k, with k a large integer chosen to achieve desired security level.

The protocol will require Alice to reveal x_{i} and y_{i}, so that the signature can be verified, but also the input to the calculation of either x_{i} or y_{i}, but not both. Double spending will like cause both inputs to be revealed, including both a_{i} and a_{i}⊕(“Alice”||i), from which knowledge of (“Alice”||i) follows.

**Cut and choose**

From the above description of the protocol, it is apparent that Alice must correctly calculate the B_{i}. But she might not want to. It is the Bank that wishes her to do so, so the Bank must force assurance that the B_{i} were correctly calculated.

The Bank will do this by taking half of the B_{i} and challenge Alice to provide all the inputs as to how it was calculated. The protocol for spending will detect double spending if as long as most of the B_{i} were properly calculated. It doesn’t require that all are. The question is, if I have a basket with possibly some bad apples, and I take from that basket half the apples and none are bad, what is the likelihood that among the apples remaining in the basket, a significant fraction are bad?

This is the essence of cut and choose, and it relates to everyday protocols where fairness is assured by having one player cut and the other choose. Self interest holds both parties honest.

**The signature and spending**

Given that Alice has successfully revealed for each chosen B_{i} the a_{i}, c_{i}, d_{i} and r_{i} that correctly calculates out, the Bank multiplies the remaining B_{i} and extracts the cube root, returning the result to Alice. Alice divides off the r_{i} and now has a blind-signed coin:

S = Π_{i} h_{1}(x_{i},y_{i}))^{1/3},

and the documentation to support the claim to the signature,

{(a_{i},c_{i},d_{i})} i = 1, 2, …, k

The elements in this list are arranged so that h_{i}(x_{i},y_{i}) ≤

h_{i+1}(x_{i},y_{i}). This is necessary so that the transcript in the spending protocol gives this elements in a consistent order.

The coin is spent in a protocol between Alice and the Merchant. Alice must prove to the Merchant that the coin is properly signed. She sends the Merchant S. The Merchant then sends a list of k random coin tosses, as challenges c_{1}, c_{2}, …, c_{k} where each c_{i}. Alice responds with,

if c_{i}==0 then reveal to the Merchant C_{i}=(x_{i},a_{i}⊕(“Alice”||i),d_{i})

if c_{i}==1 then reveal to the Merchant C_{i}=(a_{i},c_{i},y_{i})

and the Merchant can then recalculate each of the h_{1}(x_{i},y_{i}), and their product, and check it equals S^{3}.If it checks out, the Merchant accepts the coin, and also remembers the collection of values T={(c_{i},C_{i})}.

The Merchant deposits the coin in the Bank by presenting S and T. The Bank checks a ledger that S has never been presented for deposit, and verifies the signature as did the Merchant. If all is correct, the Bank credits the Merchants account and the values S and T are placed on a ledger.

If on the other hand, S is already on the ledger, and associated is a transcript of challenge/responses T’, it is likely that for at least one i, the i-th coin flip in transcript T is different than that in transcript T. If so, Alice has provided a_{i} in one transcript, and a_{i}⊕(“Alice”||i) in another. So the name “Alice” is recovered as the double spender.

Note that the elements in the transcript list can be aligned the fact that the h_{1} hashes are given in ascending order.

We now see the need for c_{i} and d_{i}. Without those an exhaustive search through all known users can reveal ownership of a coin. If the challenge provides (a_{i},c_{i},y_{i}), and d_{i} was not the second input to the hash function, try all usernames (“X”||i) for a solution to y_{i}=h_{2}(a_{i}⊕(“X”||i)).

As a quick rundown of the theory, if α is a generator then since α^{(p-1)}=1 implies α^{(p-1)/2}= −1, that is, the non-trivial square root of 1. As a consequence, α cannot be a square, for if α=β^{2} then α^{(p-1)/2}= β^{(p-1)}= 1. Furthermore if β=b^{2} is a square and α is not, then the product (β α) is not, else there would be an equation b^{2} α = c^{2} which could be solved as √α=c b^{−1}.

So in the sequence α, α^{2}, α^{3}, … those values with even exponents are squares and those with odd exponents are not. It also follows that although the sequence might be different if a different generator α was chosen, which numbers have even exponent and which have odd is not dependent on that choice, as “squareness” is not changed by how the number is represented.

To determine whether the squareness, or whether the number b is a *quadratic residue* or a non-residue, calculate the *Legendre Symbol* of b,

b^{(n-1)/2} = 1 or −1 (calculated mod p)

for clearly if α^{i} then

b^{(n-1)/2}= α^{i(n-1)/2} =(α^{(n-1)/2})^{i} = (−1)^{i} (mod p)

which simply detects whether i is even or odd.

Hence if the DLOG of a number is written in binary, the least significant bit (LSB) of this number *is not secure*. It is easily calculated by the calculation of the Legendre Symbol. What other bits of the DLOG are insecure? What exactly about the DLOG is secure and how do we avoid divulging information by improper encoding?

**Extension to more bits**

The method of isolating the LSB can be extended to further to the lowest t order bit, when p−1 = s 2^{t} for odd integer s. The idea is to determine the LSB, and possibly dividing by α so that the LSB is or is made to be zero, then take the square root. If the square root of α^{2i} is α^{i}, we can then repeat this process, thereby divulge the next LSB.

The problem is that there are two square roots, and we cannot say which of the two were delivered by the square root extraction. Therefore we have either α^{i} or

−α^{i}=(−1)α^{i}=α^{(p-1)/2}α^{i}=α^{i+(p-1)/2}=α^{i+s2t-1}

Bringing down the exponents for clarity, the square root algorithm allows us to proceed with either i or i+s2^{t-1}. This does not change the lowest order t-1 bits, hence we can proceed in this manner to extract the first t lowest order bits through the legendre symbol.

We therefore consider the set:

I = { i*a+j*b | i and j range over all integers }.

You might object that this is a finite set, that its presentation is not clear. However it is constructive. If you like thinking about things with analogies to computer programs, think of a double for loop that loops over all possible integer i and j’s (how would you do this), adding to a linked list (that is keep sorted by absolute value) of the result of i*a+j*b. This list is infinite be pretty soon it will become clear that this set is actually the same as:

{ i*d | i ranges over all integers }

and we shall show that: (1) this d is the smallest positive, non-zero number in I and (2) that this d is the gcd of a and b.

So if you could magically or otherwise “poof” into existence this I, just look for the smallest, positive, non-zero integer in I and you have distilled out the gcd of a and b. The Euclidean algorithm is the magic, or it does away with the magic, that finds that d. What it does is start with a and b, which are in I (why?) and “climbs down” the elements in I, replacing iteratively a with an a’ smaller than both a and b, until a and be are replaced by d and 0. We further show that this d is the smallest, positive, non-zero element in I, hence the gcd of a and b.

That’s the plan.

**The nature of the ideal I**

Among all the numbers in I, select two z1 and z2 such that d = z1 – z2 is as small as possible from numbers in I. Since z1 = i1 * a + j1 * b and z2 = i2 * a + j2 * b, for some integers i1, i2, j1 and j2 (because all numbers in I are of this form), then d = (i1 – i2) * a + (j1 – j2 ) *b. That is, d is in I as well. So the smallest, positive, non-zero number in I is d and everything in d is a multiple of d (if not, suppose some z in I is not a multiple of d, then z and k * d will closer then d together, for k = z ÷ d, contradicting the choice of d).

Since a and b are in I, a and b are both multiples of d, so d is a common divisor of a and b hence divides the greatest common divisor of a and b. Further more, anything that divides both a and b divides anything of the form i * a + j * b, and d is of this form, so any common divisor of a and b divides d. Therefore d is the greatest common divisor.

**Finding d**

The existence of d is assured mathematically, but how to find it? Given an infinite set of numbers, how to find two such that their difference minimizes any possible difference between two distinct numbers in that infinite set? The Euclidean algorithm finds d by starting with any two numbers in I, say a and b, and continually replacing the larger of the two with a number also in I and smaller than both (but non-negative) until the two numbers are d and 0. We show why d is the smallest, positive, non-zero number in I.

Suppose a is replaced with a’, where a’ = a%b. Another way to write a’ is a’ = a – k * b where k = a ÷ b.

Then the set I = { i * a + j * b } is the same as the set I’ = { i * a’ + j * b }. The reason for that is everything in I’ can be written as something in I and vice versa. Because a’ is a linear combination of a and b, then everything in I’ is a linear combination of a and b, and any linear combination of a and b can be rewritten to be linear combination of a’ and b.

So each step in the Euclidean algorithm gives the same set I, until I = { i * d + j * 0 = i * d }. In this set, obviously d is the smallest, positive, non-zero element.

**Examples and coding**

TO BE CONTINUED

]]>*The structure of square roots mod p=3 (4)*

Given a prime p = 3 (4), either x or -x has a square root. Consequently, -1 does not have a square root. If -1 had a square root, then the fourth roots of 4, i.e. 1, -1, i, and -i (for the “imaginary quantity” i) would for a subgroup of the group of units mod p, hence 4|(p-1), which is does not since p-1=2(4).

Since x and -x have the same square, we can pair up (p-1)/2 elements, and unless for some pair (x,-x) there are y and y’ such that y^2=x and y’^2=-x, exactly one of the pair is a square (by a counting argument, a.k.a. the pigeonhole principal). In the former case, y/y’ would be a square root of -1, hence exactly one of x and -x has a square root, for all x.

Therefore, if y has a square root, exactly one of the two square roots itself has a square root, and that is called the principal square root.

*The structure of square roots mod a Blum Integer*

Since x^2=y(pq) would give x^2=y(p) and x^2=y(q), x is a QR mod pq iff x is a QR mod p and mod q simultaneously. If the factorization of pq is known, the square root is easily computed from the Chinese Remainder Theorem and the fact that x^2 = x^((p+1)/4) (p) for a prime p which is 3 mod 4. Continuing to work simultaneously, if y has a square root, it has exactly four square roots (corresponding to the lift by the CRT from Zp x Zq to Zpq of (xp,xq), (-xp,xq), (xp,-xq) and (-xp,-xq), where xp^2=y(p) and xq^2=y(q)), and exactly one among these four itself has a square root, and is called the principal square root.

Of the three square roots of a square y which are not themselves squares, two are easily identified has not being squares by calculation of the jacobi symbol. However, if xp is the principal square root of y mod p, and xq is the principal square root of y mod q, then the lift of (-xp,-xq) to mod n will have Jacobi Symbol of 1, and cannot by that method be identified as a non-square. This pair can also be identified as square roots x of y such that x = -x and neither x nor -x is a square. Such numbers are called pseudo-squares, and deciding for a given x, which is either a square or a pseudo-square, it is conjectured to be as hard as factoring (more or less) to decide between whether the number is a square or a pseudo-square.

The remaining two square roots of y are negatives of each other, both have Jacobi Symbol 1, and exactly one (the principal square root) is itself a square. The squaring map is a permutation on the set of squares, and looks like a disjoint collection of cycles, if one were to visualize the situation as a graph where x and x^2 are connected by a (directed) edge. 1 is a self-loop this graph.

]]>Challenge-response and one-time passwords mold the information to mitigate the vulnerabilities of password systems. Challenge-response protocols harden against eavesdroppers, or untrusted parties receiving the “password” but keeping the knowledge secret, and just providing an aspect of that knowledge for verification, i.e. the value of a function evaluated on the combination password and random challenge. The password is not revealed even to the authenticating party. One-time passwords disqualify the knowledge on use.

Some very interesting protocols use Zero-knowledge techniques. Zero-knowledge can prove that the subject has secret information in such a way that the authenticating party learns nothing other than that the subject knows the secret. Nothing further is learned. The authenticating party cannot impersonate the subject because it has not learned enough in order to carry out the impersonation.

These protocols depend on complexity based cryptography. This means that the security depends on the fact that certain computations, although possible, take too long. Even though computers continually increase in speed, it is possible to propose problems that increase in difficulty as the computer increases in speed, continually outrunning to an ever greater margin the increase in computing power.

On such problem is taking a square root in the system of integers modulo n, where n is the product of two distinct primes, each which is 3 modulo 4. There is no efficient way, given an X for which there is an x such that x^{2} = X modulo n, to actually calculate out the x when n is of said form unless the two distinct primes whose product is n are known. To factor n is too hard to be considered a practical threat against this protocol.

Suppose the knowledge that proves identity is the square root of a publicly known X. While the prover P can prove knowledge of the square root by producing it, i.e. an x such that x^{2}=X mod n, then the verifier V learns too much. I learns not only that P knows a square root, it learns the square root. This is so much information that now V can impersonate P.

To show that P knows x without providing any additional information, P and V engage in the following protocol:

P picks a random R (which has a square root mod n) and sends it to V. V can decide whether to ask P to reveal the square root of R, or the square root of R*X. P does as asked, giving an r such that r^{2}=R mod n or and r’ such that r’^{2}=R*X mod n.

*Argument the first:* If P is honest in all respects, it can answer either of these questions, although it will only reveal the answer to one of them. It therefore can demonstrate knowledge of r and r’, and hence it must also know r’/r = x. (What is knowledge: knowledge anything you can compute in reasonable time from what you know. The ratio of two known quantities is something you know, because it can be computed easily).

*Argument the second:* If P is lucky, it can answer on of these questions without knowledge of x. P must predict V’s choice. If V will ask for the square root of R, P generates R by picking a random r and revealing R = r^{2} mod n. If V will ask for the square root of R*X, then P picks are random r and reveals R = r^{2}/X. In both cases, P answers r correctly to V’s choice.

*Argument the third:* By repeated play of this game, P’s luck can be made to run out. How often can it guess V’s choice, assuming V makes its choice from an unbiased coin not under P’s control? Hence after repeated plays, V can assume with only a small possibility of error that P knows x.

*Argument the fourth:* However, what has V learned? The coin flips cannot contain the secret of x, and therefore why not let V play the role of P, except that it does know the result of the last coin flip. So V can send itself either r^{2} or r^{2}/X, as required for r to be the answer to V’s inevitable question (to itself). Hence the entire protocol can be accomplished without P at all, and hence nothing could have been learned from P.

*Argument the fourth, alternate:* Let’s modify the protocol by introducing a negotiator N. N is interposed between P and V and does not let V see the R sent by P until it receives the choice from V. It then releases the choice to P and sends the R and the appropriate square root to V. From P’s point of view, nothing has changed. From V’s point of view the order is different — rather than getting the commitment to R and the sending its choice, it first sends its choice and then receives R and the appropriate square root.

That said, N can stop asking P, maybe P doesn’t want to be bothered anymore, and by the techniques of argument the second, N can go on and complete the protocol without P, and without knowledge of x. Therefore V can be receiving no knowledge from N, since there is no knowledge to give. But how will it get more knowledge if N asks P, rather than answering V itself. After all, V can detect absolutely no difference during the times P is on break and N answers, or when P answers.

*Argument the fifth:* The difference between with or without N is that the answer, when it comes in the proper time sequence, is authenticated. Therefore we learn the identity of of the Prover. If we don’t learn the identity of the prover, it might as well be N answering, and we learn nothing at all.

Another possibility is to run-length encode, and as an example scheme to consider since the average waiting time for a 1 is 1/p, to set aside k=(-log 1/p) bits to store a count of consecutive zeros. A count of 0 means a one appeared. So the string 0010000001100000001 would encode, for k=3 as 010 000 110 000 000 111 000. (or 0010 1 0110 1 1 0111 1 to encode every counter be beginning by a 0, and compress 000 into a single 1).

]]>Therefore either a or -a is a quadratic residue.

Since 4 divides (p+1), it is possible to take a to the power (p+1)/4, a^{(p+1)/4}=b. Since b^{4}=a^{p+1}=a^{p-1}a^{2}=a^{2}, b is either a or -a, whichever has a square root.

I like to draw graphs of the squaring map, where nodes are the elements of the group, and edges are from x to x^{2}. 1 has a self loop in this graph, and the component of elements connected to 1 has translates over certain of the other elements. Elements with no incoming arrows are non-residues. The case of p=3 (4) is particularly simple, and shows that among the two square roots of a number, of which itself has a square root.

The following is an example for the prime 11. The graphical notation shows “looping back” by a star character.

-1 2 7 6 8 | | | | | 1 -* 4 -> 5 -> 3 -> 9 -* squares mod 11]]>

def egcd(a,b): # a > b > 0

___""" Extended great common divisor, returns x , y and gcd(a,b) so ax + by = gcd(a,b) """

___if a%b==0:

______return (0,1,b)

___q=[]

___while a%b != 0:

______q.append(-1*(a//b))

______(a,b)=(b,a%b)

___(a,b,gcd)=(1,q.pop(),b)

___while q:

______(a,b)=(b,b*q.pop()+a)

___return (a,b,gcd)

For information about Idle on the PC and Mac, see Python on Mac web page (it links to the downloads page for installers for both Windows and OSX).

]]>A description of some of the extensions to FMS: http://www.netstumbler.org/showpost.php?p=89036&postcount=11

I think there is also notations inside the code.

This is copied from an older wiki entry.

*This article is brought forward from a wiki page dated 2006/05/18 11:43.
*