The Lucre e-cash implementation is not secure #218
Comments
More supporting details:
|
Thanks a lot! After we restructured and decoupled the OT source code we will look into this. |
1: Amiller is correct that Lucre was written to get around Chaum's patents, as well as the fact that the patent has since expired. He's also correct that there's no particular need for Lucre anymore -- except for the fact that it's the only cash algorithm in OT. Once we add another cash algorithm we can talk about removing Lucre. 2: Re: de-anonymization attacks. If the server gives one user a different mint file than was given to all the other users, then it becomes possible to trace the cash withdrawn by that user. The solution is to distribute the mint file in a public channel so all users download it from the same place. Alternately the clients could just compare notes on the mint file hash, to make sure they are all using the same one. I believe this same attack is possible with other cash algorithms, it's not specific to Lucre. For example, if we used Chaum instead, and gave a different mint file to one user than we gave the other users, the same attack would be possible with Chaum. 3: "the e-cash protocol would still be vulnerable to the server undetectably forging coins." If you have a server that ONLY issues digital cash tokens, then you must trust that server, and as Amiller says, the server has the power to inflate the coins. However, it is not so simple in OT, which mitigates this quite a bit. In OT, when you withdraw cash, the funds are moved from your account into the server's cash reserve account, before the coins are issued to you. Then when Bob deposits the coins, the funds are then moved from the cash reserve account into Bob's account. So even if the server issues inflated coins, a recipient cannot REDEEM those coins without pulling funds from the cash reserve account. And once the cash reserve account goes to a 0 balance, then deposits will start to fail. This could result in a failed audit, thus kicking the fraudulent server out of the voting pool. This means even if the server inflates coins, they still cannot be REDEEMED in a greater amount than the amount of legitimate withdrawals. If an evil server wants to avoid this, he would have to add the corresponding funds to the cash reserve account, whenever inflating coins. (But of course this would also cause a failed audit.) Therefore I think the server could inflate a small number of coins (it would have to be a small percentage of the amount in the cash reserve account) but any more, and he will fail an audit. This is "pretty good" security for the cash, and as I said, would most likely be the same situation for any other cash algorithm, not just Lucre. However, if there are even better algorithms, that sounds great too. Waiting on a pull request from Amiller. |
Isn't the use of Diffie-Hellman scheme makes the keys shorter which means better for mobile payment ? |
A better solution would be to replace the Lucre e-cash protocol with an auditable E-Cash protocol, such as the one used in Zerocoin.
http://link.springer.com/chapter/10.1007/3-540-45472-1_5
http://zerocoin.org/media/pdf/ZerocoinOakland.pdf
The text was updated successfully, but these errors were encountered: