2004-12-22 1

How to Make E-cash with Non-Repudiation and Anonymity

Ronggong Song, Larry KorbaProceedings of the International Conference on Information Technology:

Coding and ComputingVol. 2, Apr. 2004,

pp. 167-172

Adviser: Dr. Min-Shiang Hwang Speaker: 鍾松剛

2004-12-22 2

The Motivations

E-Cash: Easy duplicated Bank needs to implement double-spending checking

Double-spending checking does not provide a non-repudiation service Non-repudiation service needs a signature Signature violates the anonymous of e-cash

Bank

Thief

?!

?!

2004-12-22 3

Partial Blind Digital Signature

M. Abe and E. Fujisaki, “How to Date Blind Signatures”,

Advances in Cryptology--ASIACRYPT '96, pp. 244-251 Allows a signer to sign a partially blinded message that

include pre-agreed information such as expiry date or

collateral conditions in unblinded form.

Designed to protect the bank’s database from growing

without limits Expired e-cash can be removed

2004-12-22 4

Example: Partial blind digital signature

Alice Bankv is a predefined message by the bankand contains an expiration date

Randomly choose m, r in Z*n

Compute α≡revH(m) mod n α,vVerify the correctness of vCompute t≡ α(ev)-1 mod n ≡ r H(m)(ev)-1 mod nDeduct w dollars

t

Compute s≡r -1t mod n ≡H(m)(ev)-1 mod ne-cash (m, s, v)

Deposit

(m, s, v)

Verify v sev≡H(m) mod n

(m, s, v)VerifyAdd w dollars to payee’s account

Merchant

e, d

2004-12-22 5

Architecture

AliceBank

CA

Merchant

2004-12-22 6

Protocol’s Sketch Map

Alice

Bank

(buy e-cash)

(temporal PK)Blind_sign

(temporal PK)Blind_sign Deducts w dollars

(e-cash)temporal SK verify … verify

Reply(license)SK_M

Merchant

e-cash

Useless

2004-12-22 7

E-cash Issue ProtocolAlice

IDA, AccountA, PKA, α, v, TimeA, SignA

IDA, IDP, β, TimeB, SignB

PKT = (et, nt)SKT = (dt, pt, qt)

α≡rebv H(et||nt) mod nb

SignA = [H(IDA, AccountA, PKA, α, v, TimeA)]dA mod nA

eb, db

Verify AccountA, TimeA, SignA, v

eA, dA

β = α(ebv)-1 mod nb

= r H(et||nt)(epv)-1

SignB = [H(IDA, IDB, β, TimeB)]db mod nb

Debit $$ from AccountA

Verify TimeB, SignB

s≡r -1 β mod nb

e-cash (et, nt, v, s)

et, nt

Expiration dateBalanceSignB

Bank

dd/mm/yyyy

$xxx.xx

v’s format

2004-12-22 8

On-line Shopping ProtocolAlice

e-goods, Cost, AccountM, e-cash, TimeA, Signt

ReceiptM, e-cash, RM, s’, TimeB, SignB

PKT = (et, nt)SKT = (dt, pt, qt)

s=H(et||nt)(epv) -1

e-cash (et, nt, v, s)Select e-goodsSignt = [H(Cost, AccountM, e-cash, TimeA) || H(e-goods)]dt mod nt

eP, dP

Verify

s’ = [H(et, nt, v, s, RM)]db mod nb

SignB = [H(ReceiptM, e-cash, RM, s’, TimeB)]db mod nb

e-cash (et, nt, v, s, RM, s’)

Merchant Bank

VerifyEMD=h(e-goods)

Cost, AccountM, e-cash, TimeA, EMD, Signt

Verify SignM = [H(License, ReceiptA, e-cash, RM, s’, TimeM)]dM mod nMLicense, ReceiptA, e-cash, RM, s’, TimeM, SignM

2004-12-22 9

E-cash Renew ProtocolAlice

α, v, et, nt, v’, s’, Timet Signt

Fill a new e-cash form v’α≡rebv’ H(et||nt) mod nb

Signt = [ h(α, v, et, nt, v’, s’, Timet) ]dt mod nt

eb, db

Verify

eA, dA

β = α(ebv ’)-1 mod nb

= r H(et||nt)(epv ’)-1

SignB = [H(et, nt, v’, s’, β, TimeB)]db mod nb

Verify TimeB, SignB

s’’≡r -1 β mod nb

e-cash (et, nt, v’, s’’)

Bank

dd/mm/yyyy

$xxx.xx

v’s formats’ = [H(et, nt, v, s, RM)]db mod nb

et, nt, v’, s’, β, TimeB SignB

2004-12-22 10

Protocol Characteristics

Strong privacy protection A anonymous temporary public key is embedded into t

he partial blind signature Unlinkability: no one can determine the customer The format and content of message v are same with ot

her e-cashes. Non-repudiation

Signature is useful if there is a dispute later Strong safety protection

Other person cannot spend the e-cash without the private key

2004-12-22 11

Security Analysis

Passive attacks All messages are protected with the SSL security

channels Active attacks

Replay attacks Can be defeated by time stamp

Modification attacks Can be defeated by signature

2004-12-22 12

Conclusion

Customer

Bank

Merchant

Denying

Double-spending

Losing

misusing

stealing