1 / 18

Divisible e-cash can be truly anonymous

Divisible e-cash can be truly anonymous. Sébastien Canard* and Aline Gouget  ** * France Télécom R&D Division, France. ** Gemalto, Security Labs, France. Wednesday, May 23, 2007. . Outline. Electronic cash Divisible e-cash schemes

anika
Download Presentation

Divisible e-cash can be truly anonymous

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Divisible e-cash can be truly anonymous Sébastien Canard* and Aline Gouget *** France Télécom R&D Division, France. ** Gemalto, Security Labs, France. Wednesday, May 23, 2007.

  2. Outline • Electronic cash • Divisible e-cash schemes • General construction of a strong unlinkable and truly anonymous divisible e-cash scheme • Application using the construction of Nakanishi-Sugiyama • Conclusion

  3. Withdraw Electronic cash systems Detection of double-spending Deposit Identify Verify Guilt Spend

  4. Security properties • Unforgeability of coins • Anonymity • Weak anonymity: anonymity of the user • Strong anonymity: anonymity of the user + unlinkability of the spendings • Identification of cheaters • Exculpability

  5. Divisible e-cash • A user first withdraws a divisible coin and next spends it part by part • Each divisible coin of monetary value 2L is assigned to a binary tree of L+1 levels • Divisibility rule: When a node N is used, none of the descendant and ancestor nodes can be used, and no node can be used more than once • This rule is satisfied iff over-spending is protected

  6. Divisible e-cash schemes • Many off-line divisible e-cash schemes have been proposed • First « practical » divisible e-cash scheme • Proposed by [Okamoto, Crypto’95] and improved by [Chan, Frankel and Tsiounis, Eurocrypt’98] • Both schemes provide anonymity of users but not unlinkability • it is possible to link several spends from a single divisible coin • First unlinkable divisible e-cash scheme • Proposed by [Nakanishi and Sugiyama, ISW’00] • Requires a TTP • The unlinkability is not strong since the merchant and the bank know which part of the coin is spent • None of the divisible e-cash schemes of the state of the art provides both strong unlinkability and truly anonymity of users

  7. Overview of our « truly  anonymous » e-cash system • Withdrawal phase between B and U • B signs in a blind manner U’s secret key and a « master serial number » • Spending phase between U and M • U computes a valid serial number S (→ allows to detect double-spending) • U computes a valid security tag T (→ masks the spender identity) • U proves that S and T are well-formed • The identity of the spender is recovered only in case of double-spending

  8. General description • Each divisible coin of monetary value 2L is assigned to a binary tree of L+2 levels

  9. General description • Each node of the tree (including the leaves) is related to a tag key with the following properties: • From the tag key Ki,b0 of a node N, it is possible for everyone to compute the tag keys related to the descendants of N • From the tag key of a node, it is impossible to compute a tag key which is not related to a descendant of the targeted node • Withdrawal protocol • The root tag key and the user secret key are signed (in a blind manner) by the bank

  10. General description • Spending protocol • U computes the tag key of the node N (at level i=L-n) he wants to spend • From the tag key of N, U computes the serial number S • Concatenation of the tag keys related to the two direct descendants of the spent node • From the tag key of N, U computes the security tag T • Verifiable encryption of the user identity (including randomness) • U proves to M that S and T are well-formed • A spending corresponds to a triplet (S,T,Φ) • Detection of double-spending • From S and i, B can compute all the tag keys of the descendant leaves of S • Without knowing which node has been spent

  11. Identification of a double-spender • Double spending : (S=Kj,0||Kj,1,T,Φ) (S’=Kj’,0||Kj’,1,T’,Φ’) • S=S’ • The cheater identity can be recovered from T and T’ • S’ is an ancestor of S • The secret tag key used to compute T can be recovered using S’

  12. Divisible e-Cash System DCS • Based on the binary tree proposed by [Nakanishi and Sugiyama, ISW’00] • The function F used to compute the tag keys is the modular exponentiation • For each level i, there are three linked generators: • gi,0 for the left child • gi,1 for the right child • gi,2 to compute the security tag • Example: • The tag key of a node of level i-1 is denoted by: • Computation of the left children tag key: • Computation of the security tag related to the tag key Ki,b:

  13. Withdrawal protocol • Camenisch-Lysyanskaya signature scheme [Crypto’04] • Efficient protocol for a user to get a signature from a signer on committed values • Efficient proof of knowledge of a signature on committed values

  14. Spending protocol • U wants to spend a sub-coin of value 2n from his divisible coin C=(s,u,r,) • U chooses an unspent coin of level i=L-n • U receives from M a random value rand and computes: • U has to prove the validity of S and T • U computes a zero-knowledge proof of knowledge of a signature of B on the values (s,u,r) and that S and T are correctly computed, using the Fiat-Shamir heuristic • Strong unlinkability is achieved using proofs of the "OR" statement (one per level)

  15. Security arguments Theorem: In the random oracle model, the DCS scheme is secure: • If the CL signature scheme is unforgeable, then DCS is unforgeable. • Under the DDH assumption, DCS is unlinkable. • If the CL signature scheme is unforgeable, then DCS permits the identification of double-spenders • Under the DL assumption, DCS has the exculpability property.

  16. Conclusion and open problems • We proposed the first off-line divisible e-cash scheme providing both strong unlinkability and true anonymity • The true anonymity of users is achieved without impacting the performance of the spending protocol • However, the spending of a small number of coins at a time is still expensive due to the use of double-exponentiation proofs during the spending phase • Open problems: • Improve the efficiency of the spending phase • Find a method to detect double-spending without computing 2L serial numbers for a divisible coin of monetary value 2L

  17. Zero-knowledge proof of knowledge

  18. Proof of unlinkability • In fact, we embed an instance of the Matching Multi Diffie-Hellman (MMDH) problem • MMDH can be used to solve DDH • Matching Multi Diffie-Hellman (MMDH) problem • Decisional Multi Diffie-Hellman (DMDH) problem • Derived Decisional Diffie-Hellman (DDDH) problem • Decisional Diffie-Hellman (DDH) Decision oracles are equivalent to matching oracles [Handschuh, Tsiounis, Yung, PKC’99]

More Related