msrc: (m)icropayment (s)cheme with ability to (r)eturn (c)hanges

Post on 12-Jan-2016



MSRC: (M)icropayment (S)cheme with Ability to (R)eturn (C)hanges

Source: Journal of Information Science and Engineering in review

Presenter: Tsuei-Hung Sun (孫翠鴻)

Date: 2010/11/26

Outline

Introduction, Motivation, Scheme, Security analysis, Comparison, Advantage vs. weakness, Comment

Introduction

PayWord

Credit-based.

Chains of hash values.

Ex. $A = (a_0, a_1, \ldots, a_n)$, where $a_i = h(a_{i+1})$, $i = n-1, n-2, \ldots, 0$. Every chain has a face value $d$. $a_0$ is used as an anchor for verification.

PayWord Certificate

R. Rivest, A. Shamir, 1996, “PayWord and MicroMint: two simple micropayment schemes,” Proceedings of the International Workshop on Security Protocols, LNCS Vol. 1189, pp. 69-87.

Introduction

Micropayment Scheme Using Single-PayWord Chain (MSSC)

Only one denomination.

Micropayment Scheme Using Multi-PayWord Chains (MSMC)

Multiple denominations.

Combines several single-payword chains with different denomination values.

Used to reduce the length of the hash chain and the number of hash operations in verification.

Micropayment Scheme Using Single-Payword Chain (MSSC)

Customer ($PK_C$, $PV_C$, $ID_C$), Broker ($PK_B$, $PV_B$, $ID_B$), Vendor ($PK_V$, $PV_V$, $ID_V$)

PSR: Payment-chain service request. PK: Public key. PV: Private key. ID: Identity. $n$: Length of the payword chain. $d_A$: Face value. $a_0$: Initial anchor used to verify the A-chain.

$PSR = \{ID_C, n, ID_V\}$

Generates $A = (a_0, a_1, \ldots, a_n)$ satisfying $a_i = h(a_{i+1})$, $i = n-1, n-2, \ldots, 0$; total money $= n \times d_A$.

$\{A\}_{PK_C}$

$A = \{\{A\}_{PK_C}\}_{PV_C}$

$\{a_0\}_{PV_B}$

$a_0 = \{\{a_0\}_{PV_B}\}_{PK_B}$

Pay $(a_m, m)$

$a_0 \stackrel{?}{=} h^m(a_m)$

Replace anchor $a_0$ by $a_m$.

$\{ID_C, ID_V, a_m\}_{PV_V}$

$(ID_C, ID_V, a_m) = \{\{ID_C, ID_V, a_m\}_{PV_V}\}_{PK_V}$

Verifies whether $a_m$ is legal. If legal, deposits $(m \times d_A)$ to Vendor's account and stores $a_m$. If not, rejects the transaction.

Micropayment Scheme Using Multi-Payword Chains (MSMC)

Customer ($PK_C$, $PV_C$, $ID_C$), Broker ($PK_B$, $PV_B$, $ID_B$), Vendor ($PK_V$, $PV_V$, $ID_V$)

$PSR = \{ID_C, n, ID_V\}$

$d_A < d_B$

$A = (a_0, a_1, \ldots, a_n)$, satisfying $a_i = h(a_{i+1})$, $i = n-1, n-2, \ldots, 0$

$B = (b_0, b_1, \ldots, b_n)$, satisfying $b_j = h(b_{j+1})$, $j = n-1, n-2, \ldots, 0$

Chain A total money $= n \times d_A$

Chain B total money $= n \times d_B$

$\{A, B\}_{PK_C}$

$(A, B) = \{\{A, B\}_{PK_C}\}_{PV_C}$

$\{a_0, b_0\}_{PV_B}$

$(a_0, b_0) = \{\{a_0, b_0\}_{PV_B}\}_{PK_B}$

Pay $(b_M, M)$, $(a_m, m)$

$a_0 \stackrel{?}{=} h^m(a_m)$

$b_0 \stackrel{?}{=} h^M(b_M)$

Replace anchor $a_0$ by $a_m$, $b_0$ by $b_M$.

$\{ID_C, ID_V, a_m, b_M\}_{PV_V}$

$(ID_C, ID_V, a_m, b_M) = \{\{ID_C, ID_V, a_m, b_M\}_{PV_V}\}_{PK_V}$

Verifies whether $a_m$ and $b_M$ are legal. If legal, deposits $(M \times d_B + m \times d_A)$ to Vendor's account and stores $a_m$, $b_M$. If not, rejects the transaction.

Motivation

Problems of MSMC

Find the minimum hash chain in a payment.

Equally spend every single chain.

This paper proposes three approaches to handle the above two problems and to support the ability to return changes.

Scheme

Three approaches:

MSRC-I: counter-mode encryption.

MSRC-II: hashing function.

MSRC-III: keyed hashing function.

MSRC-I: Counter-Mode Encryption (1/2)

Customer ($PK_C$, $PV_C$, $ID_C$), Broker ($PK_B$, $PV_B$, $ID_B$), Vendor ($PK_V$, $PV_V$, $ID_V$)

$E_K$: Counter-mode encryption using a secret key $K$. $M \times d_B$: Total money the Customer pays. $n$: Length of the payment chain. $r$: Length of the return-change chain. $m \times d_A$: Money the Vendor returns.

$PSR = \{ID_C, n, r, ID_V\}$

$d_A < d_B$

$A = (a_0, a_1, \ldots, a_n)$, $a_i = h(a_{i+1})$, $i = n-1, n-2, \ldots, 0$

$A' = (a'_{n+1}, \ldots, a'_{n+r}) = (a_{n+1} \oplus E_K(1), \ldots, a_{n+r} \oplus E_K(r))$

$B = (b_0, b_1, \ldots, b_n)$, $b_j = h(b_{j+1})$, $j = n-1, n-2, \ldots, 0$

$\{A, B, K\}_{PK_C}$

$(A, B, K) = \{\{A, B, K\}_{PK_C}\}_{PV_C}$

$\{a_0, b_0, A'\}_{PK_V}$

$(a_0, b_0, A') = \{\{a_0, b_0, A'\}_{PK_V}\}_{PV_V}$

MSRC-I: Counter-Mode Encryption (2/2)

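Customer ($PK_C$, $PV_C$, $ID_C$), Broker ($PK_B$, $PV_B$, $ID_B$), Vendor ($PK_V$, $PV_V$, $ID_V$)

Pay $(b_M, M)$

$b_0 \stackrel{?}{=} h^M(b_M)$

Replace anchor $b_0$ by $b_M$.

Return $(a'_{n+m}, m)$

$a_{n+m} = a'_{n+m} \oplus E_K(m)$

$a_n \stackrel{?}{=} h^m(a_{n+m})$

$a_{n+m-1} = h(a_{n+m})$, $a_{n+m-2} = h(a_{n+m-1})$, $\ldots$, $a_{n+1} = h(a_{n+2})$

Then the Customer gets the chain $(a_{n+1}, \ldots, a_{n+m})$, worth $(m \times d_A)$ dollars.

$\{ID_C, ID_V, a'_{n+m}, b_M\}_{PV_V}$

$(ID_C, ID_V, a'_{n+m}, b_M) = \{\{ID_C, ID_V, a'_{n+m}, b_M\}_{PV_V}\}_{PK_V}$

Verifies whether $a'_{n+m}$ and $b_M$ are legal. If legal, deposits $(M \times d_B + m \times d_A)$ to Vendor's account and stores $a'_{n+m}$, $b_M$. If not, rejects the transaction.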

MSRC-II: Hash Function (1/2)

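Customer ($PK_C$, $PV_C$, $ID_C$), Broker ($PK_B$, $PV_B$, $ID_B$), Vendor ($PK_V$, $PV_V$, $ID_V$)

$PSR = \{ID_C, n, r, ID_V\}$

$d_A < d_B$

$A = (A_1, A_2) = ((a_0, a_1, \ldots, a_n), (a_{n+1}, a_{n+2}, \ldots, a_{n+r}))$

$A' = (A'_1, A'_2) = ((a'_0, a'_1, \ldots, a'_n), (a'_{n+1}, a'_{n+2}, \ldots, a'_{n+r}))$

satisfy $a_i = h(a_{i+1})$ and $a'_i = h(a'_{i+1})$, $i = n+r-1, n+r-2, \ldots, 0$

$B = (b_0, b_1, \ldots, b_n)$, $b_j = h(b_{j+1})$, $j = n-1, n-2, \ldots, 0$

$\{A, A'_1, B\}_{PK_C}$

$(A, A'_1, B) = \{\{A, A'_1, B\}_{PK_C}\}_{PV_C}$

$\{a_0, a'_0, b_0, A'_2\}_{PK_V}$

$(a_0, a'_0, b_0, A'_2) = \{\{a_0, a'_0, b_0, A'_2\}_{PK_V}\}_{PV_V}$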

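MSRC-II: Hash Function (2/2)

Customer ($PK_C$, $PV_C$, $ID_C$), Broker ($PK_B$, $PV_B$, $ID_B$), Vendor ($PK_V$, $PV_V$, $ID_V$)

Pay $(b_M, M)$

$b_0 \stackrel{?}{=} h^M(b_M)$

Replace anchor $b_0$ by $b_M$.

Return $(a'_{n+m}, m)$

$a'_n \stackrel{?}{=} h^m(a'_{n+m})$

$a'_{n+m-1} = h(a'_{n+m})$, $a'_{n+m-2} = h(a'_{n+m-1})$, $\ldots$, $a'_{n+1} = h(a'_{n+2})$

Then the Customer gets the chain $(a_{n+1}, a'_{n+1}), \ldots, (a_{n+m}, a'_{n+m})$, worth $(m \times d_A)$ dollars.

$\{ID_C, ID_V, a'_{n+m}, b_M\}_{PV_V}$

$(ID_C, ID_V, a'_{n+m}, b_M) = \{\{ID_C, ID_V, a'_{n+m}, b_M\}_{PV_V}\}_{PK_V}$

Verifies whether $a'_{n+m}$ and $b_M$ are legal. If legal, deposits $(M \times d_B + m \times d_A)$ to Vendor's account and stores $a_m$, $a'_m$, $b_M$. If not, rejects the transaction.

$K$: secret key for keyed hash function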

MSRC-III: Keyed Hash Function (1/2)

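Customer ($PK_C$, $PV_C$, $ID_C$), Broker ($PK_B$, $PV_B$, $ID_B$), Vendor ($PK_V$, $PV_V$, $ID_V$)

$PSR = \{ID_C, n, r, ID_V\}$

$d_A < d_B$

$A = (a_0, a_1, \ldots, a_n)$, $a_i = h_K(a_{i+1})$, $i = n+r-1, n+r-2, \ldots, 0$

$A' = (a_{n+1}, a_{n+2}, \ldots, a_{n+r})$, $a_i = h_K(a_{i+1})$, $i = n+r-1, n+r-2, \ldots, 0$

$B = (b_0, b_1, \ldots, b_n)$, $b_j = h(b_{j+1})$, $j = n-1, n-2, \ldots, 0$

$\{A, B, K\}_{PK_C}$

$(A, B, K) = \{\{A, B, K\}_{PK_C}\}_{PV_C}$

$\{a_0, b_0, A', K\}_{PK_V}$

$(a_0, b_0, A', K) = \{\{a_0, b_0, A', K\}_{PK_V}\}_{PV_V}$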

MSRC-III: Keyed Hash Function (2/2)

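Customer ($PK_C$, $PV_C$, $ID_C$), Broker ($PK_B$, $PV_B$, $ID_B$), Vendor ($PK_V$, $PV_V$, $ID_V$)

Pay $(b_M, M)$

$b_0 \stackrel{?}{=} h^M(b_M)$

Replace anchor $b_0$ by $b_M$.

Return $(a_{n+m+1}, m)$

$a_n \stackrel{?}{=} h_K^{m+1}(a_{n+m+1})$

$a_{n+m} = h_K(a_{n+m+1})$, $a_{n+m-1} = h_K(a_{n+m})$, $\ldots$, $a_{n+1} = h_K(a_{n+2})$

Then the Customer gets the chain $(a_{n+1}, \ldots, a_{n+m})$, worth $(m \times d_A)$ dollars.

$\{ID_C, ID_V, a_{n+m+1}, b_M\}_{PV_V}$

$(ID_C, ID_V, a_{n+m+1}, b_M) = \{\{ID_C, ID_V, a_{n+m+1}, b_M\}_{PV_V}\}_{PK_V}$

Verifies whether $a'_{n+m+1}$ and $b_M$ are legal. If legal, deposits $(M \times d_B)$ to Vendor's account and stores $a_{n+m+1}$, $b_M$. If not, rejects the transaction.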
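The MSRC-III exchange on this slide, as an added example that is not code from the slides or the paper: the Vendor checks a payment $(b_M, M)$ against a replaceable anchor, and the Customer checks returned change $(a_{n+m+1}, m)$ with the keyed hash. SHA-256 for $h$, HMAC-SHA256 for $h_K$, the absolute payment index and all function and class names are assumptions; the signed and encrypted Broker messages are left out.

```python
import hashlib, hmac, os

def h(x):  # unkeyed h(.) for payment chain B (SHA-256 is an assumption)
    return hashlib.sha256(x).digest()

def h_k(key, x):  # keyed h_K(.) (HMAC-SHA256 is an assumption)
    return hmac.new(key, x, hashlib.sha256).digest()

def make_chain(length, step):
    """Return [c_0, ..., c_length] with c_i = step(c_{i+1}); c_0 is the anchor."""
    chain = [os.urandom(32)]
    for _ in range(length):
        chain.append(step(chain[-1]))
    return chain[::-1]

class Vendor:
    def __init__(self, b0, change):
        self.anchor, self.index = b0, 0  # last accepted payword and its index
        self.change = change             # A': change[i] = a_{n+1+i}

    def accept(self, b_M, M):
        """Accept (b_M, M) if hashing b_M (M - index) times yields the anchor."""
        steps, x = M - self.index, b_M
        if steps <= 0:                   # replayed or already-spent payword
            return False
        for _ in range(steps):
            x = h(x)
        if not hmac.compare_digest(x, self.anchor):
            return False
        self.anchor, self.index = b_M, M  # replace the anchor by b_M
        return True

    def give_change(self, m):  # returns (a_{n+m+1}, m), worth m x d_A
        return self.change[m], m

def verify_change(key, a_n, token, m):
    """Customer: check a_n = h_K^(m+1)(token); return (a_{n+1}, ..., a_{n+m})."""
    chain = [token]
    for _ in range(m + 1):
        chain.append(h_k(key, chain[-1]))  # chain[j] = a_{n+m+1-j}
    if not hmac.compare_digest(chain[-1], a_n):
        return None                        # forged token or wrong key
    return chain[m:0:-1]

def setup(n=10, r=5):
    """Broker: keyed chain A of length n+r, unkeyed chain B of length n."""
    key = os.urandom(32)
    A = make_chain(n + r, lambda x: h_k(key, x))
    B = make_chain(n, h)
    return key, A, B, Vendor(B[0], A[n + 1:])
```

Replaying an accepted payword fails because the stored anchor has already moved to $b_M$, and change presented without $K$ fails the $h_K^{m+1}$ check.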


Security analysis

Counterfeit attack

Attacker: Returned change $a'_{n+i}$ and $a_{n+i}$.

Customer: Change $a'_{n+i}$ and $a_{n+i}$.

Reuse attack

Customer: Double spending and over-spending.

Vendor: Double returning and over-returning.

Redemption attack

Vendor: Anchor $a_i$ and $(a_i, a'_i)$.

Comparison

Fig. The chains of returned changes for our MSRC.


Comparison

H: Operation of a hash function $h(\cdot)$. H': Operation of a keyed hash function $h_K(\cdot)$. D: Counter-mode decryption. d: Denomination. M: Vendor verifying the payment $(b_j, M)$. m: Customer verifying and obtaining the returned changes.

Table. Comparison of micropayment schemes

Advantage vs. weakness

Advantage

It can feasibly be implemented on mobile devices.

Returned change is useful for keeping a particular payword chain from being exhausted.

All three modes are well protected, and their overhead is not very heavy, so the Customer can choose whichever one is better for him or her.

Weakness

The Customer may need to maintain many kinds of payword chains.

Comment

If e-coins come in many kinds of face value, that will become a burden for the Customer, Broker, and Vendor.

The scheme is very inconvenient for trading only once, because the Customer and Vendor need to redeem them for cash after the transaction.

If the Customer still uses returned changes after they have expired, that may incur a collusion attack.

The largest denomination may incur some attacks, because it does not have any protection.