Explore classification, issues, goals, and protocols of e-cash, with insights on fair tracing in network security. Learn about countermeasures to address anonymity and double-spending concerns.
Current issues of e-cash and Fair tracing
Network Security Term Project
Kim Byeong Gon
Cais Lab of ICU
2002.10.10
Contents
• Overview of e-cash
• Classification
• Current issues
• Goal
• Basic Protocol
• Examples of Countermeasures
• Fair tracing
• Building blocks
• Previous work
• Future work
• References
Overview of e-cash
• Similar names are electronic money, cyber money, e-cash, virtual currency
• Classification of electronic payment
  - By functionality
  - By payment
  - By settlement
Classification (1/3)
• Classification by functionality
IC card type
• Open
  - Value transfer is possible between card owners
  - A perfect e-wallet is needed; a terminal is needed
  - Mondex
• Closed
  - Value transfer is impossible between card owners
  - VisaCash
Network type
• Re-charge is easy
• Uses the network
• Suitable for e-commerce
Classification (2/3)
• Classification by Settlement
(Diagram; labels: Credit, E-mail, First Virtual, CyberCash, Microsoft/Visa, Netscape/MasterCard, Token, DigiCash, NetCash, Prepaid(Debit), BankNet, FSTC, Electronic Checks, Cash, Mondex)
Classification (3/3)
• Classification by payment
e-cash, IC card type
  - Visa International : Visa Cash
  - Electronic Payment Service : SmartCash
  - Mondex International : Mondex
e-cash, Network type
  - DigiCash : E-Cash
  - CyberCash : CyberCoin
  - California Univ. : NetCash
Micro-payment system
  - Millicent
  - PayWord
  - MicroMint
Credit card (Network type)
  - CyberCash : Cyber Card Service
  - First Virtual Holdings : International Payment System
  - SET
e-check (Network type)
  - Checkfree : Checkfree Payment Service
  - STC : Electronic Check
  - California Univ. : NetCheque
  - NetChex
  - Echeque
Account transfer (Network type)
  - Intuit : Quicken
  - Microsoft : Money
  - Meca Software : Managing Your Money
  - SFNB (Security First Network Bank)
  - NetBill
  - MetaLand
Current Issues
• E-cash requirements
• Anonymity : Untraceability
• Anonymous revocation : Traceability
• Double spent prevention
• Off-line
• Transferability
• Divisibility
• Bank robbery attack
• Bank framing : Unforgeability
• Etc.
Goals
• In this term project, I will suggest an enhanced scheme for fair tracing or fair exchange of e-cash.
Basic Protocol (1/2)
• Notations
  - \(SK_B\) : Bank's secret key
  - \(PK_B\) : Bank's public key
  - \(\{M\}_{SK}\) : Message and its signature under key \(SK\)
• A first-try protocol
Withdrawal Protocol
1. User tells Bank she would like to withdraw $10.
2. Bank returns a $10 bill which looks like this : \(\{\text{I am a \$10 bill, \#4527}\}_{SK_B}\) and withdraws $10 from the User's account.
3. User checks the signature and, if it is valid, accepts the bill.
Basic Protocol (2/2)
Payment Protocol
1. The User pays the Vendor with the bill.
2. The Vendor checks the signature and, if it is valid, accepts the bill.
Deposit Protocol
1. The Vendor gives the bill to the Bank.
2. The Bank checks the signature and, if it is valid, credits the Vendor's account.
• Basic problems of this scheme are
  - Duplication, double-spending
  - Anonymity : the Bank can link the user and the serial number, therefore the Bank knows where the user spent the coin.
  - Many other issues
Examples of Countermeasures (1/2)
• Anonymity Problem
▶ Blind Signature
  - The Bank cannot know which bill belongs to whom.
  - But the user can cheat the Bank about the real amount.
▶ Fixing the dollar amount
  - Use several keys \(PK_B^i\), one for bills of i dollars.
▶ Cut and Choose
  1. User makes up 100 $20 bills.
  2. Blinds them using \(r_i \in_R Z_p\) and gives them to the Bank.
  3. Bank picks one to sign (at random); User unblinds all of the rest.
  - Ensures that all of the bills that were unblinded were correct.
  - Returns one signed $20 bill.
  - (1/100 probability of cheating)
Examples of Countermeasures (2/2)
• Double Spending Problem (off-line)
▶ RIS (Random Identity String)
  - During the payment, the User is forced to write an RIS on the bill.
  - The RIS must have the following properties:
    - must be different for every payment of the coin
    - only the user can create a valid RIS
    - two different RIS on the same coin should allow the Bank to retrieve the User name
  - ex) The User prepares 100 bills of $20 which look like this :
    \(M_i = (\text{I'm \$20 bill}, \#4527_i, y_{i1}, y'_{i1}, y_{i2}, y'_{i2}, \ldots, y_{ik}, y'_{ik})\)
    where \(i = 1..100\), \(y_{ij} = H(x_{ij})\), \(y'_{ij} = H(x'_{ij})\),
    where \(x_{ij} \oplus x'_{ij} = \text{User name}\) for all \(i, j\)
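The RIS construction above, as an added Python example that is not part of the original slides. It assumes the usual challenge mechanism (the slides do not spell it out): for each pair the Vendor sends one bit and the User reveals x for 0 or x' for 1; SHA-256 stands in for H, and K and all function names are hypothetical.

```python
import hashlib
import secrets

K = 16  # number of (x, x') pairs per coin; constructed parameter

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def make_coin(user_name: bytes, k: int = K):
    """User: split the name k times as x ^ x' and commit to both halves."""
    pairs, commits = [], []
    for _ in range(k):
        x = secrets.token_bytes(len(user_name))
        x_prime = xor(x, user_name)          # x XOR x' = user name
        pairs.append((x, x_prime))
        commits.append((H(x), H(x_prime)))   # (y, y') written on the bill
    return pairs, commits

def make_ris(pairs, challenge):
    """User: the RIS for one payment reveals x (bit 0) or x' (bit 1) per pair."""
    return [pair[bit] for pair, bit in zip(pairs, challenge)]

def verify_ris(commits, challenge, ris):
    """Vendor/Bank: every revealed value must open the matching commitment."""
    return all(H(r) == c[bit] for c, bit, r in zip(commits, challenge, ris))

def identify_double_spender(ch1, ris1, ch2, ris2):
    """Bank: two RIS on the same coin that differ in one position give x and x'."""
    for b1, r1, b2, r2 in zip(ch1, ris1, ch2, ris2):
        if b1 != b2:
            return xor(r1, r2)               # x XOR x' = user name
    return None                              # same challenge: nothing is revealed
```

A single payment reveals only one half of each pair, so the name stays hidden; with random K-bit challenges two payments fail to differ anywhere with probability 2^-K.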
Fair Tracing
• Unconditional anonymity [vSN92]
  - This may be misused for untraceable blackmailing of customers (perfect crime)
• Revocable anonymity [SPC95, DFTY97]
  - One or more TTPs can link the withdrawal and the deposit of coins
  - Coin tracing : Has the withdrawn coin been deposited?
  - Owner tracing : Who is the withdrawer of this deposited coin?
• Fair Tracing problem [KV01]
  - Legal Tracing : If it has been permitted by a judge or by the withdrawer.
  - Illegal Tracing : If it is used without the permission of a judge or of the withdrawer.
  - Fair Tracing : Legal tracing is always possible, but illegal tracing is inhibited.
  - This is optimistic because illegal tracing can be detected later.
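Building Blocks
• Okamoto-Schnorr Blind Signature
  - \(p, q\) : two large primes such that \(q \mid p-1\)
  - \(g_1, g_2 \in Z_p^*\) with order \(q\)
Public key pair of signer
  - Choose \(s_1, s_2 \in_R Z_q\)
  - \(y = g_1^{s_1} g_2^{s_2} \bmod p\)
  - Secret \((s_1, s_2)\), public \((g_1, g_2, y)\)
Protocol between Customer and Bank
1. Bank: select \(k_1, k_2 \in_R Z_q\), compute \(a = g_1^{k_1} g_2^{k_2} \bmod p\), send \(a\).
2. Customer: blinds \(a\) with \(\beta, \gamma, \delta \in_R Z_q\): \(\alpha = a\, g_1^{\beta} g_2^{\gamma} y^{\delta} \bmod p\), \(e = H(m, \alpha) - \delta \bmod q\), send \(e\).
3. Bank: \(S_1 = k_1 - e s_1 \bmod q\), \(S_2 = k_2 - e s_2 \bmod q\), which satisfies \(a = g_1^{S_1} g_2^{S_2} y^{e} \bmod p\); send \((S_1, S_2)\).
4. Customer: \(\rho = S_1 + \beta \bmod q\), \(\sigma = S_2 + \gamma \bmod q\); the signature is \((\alpha, \rho, \sigma)\) for message \(m\).
Verify
\(\alpha \stackrel{?}{=} g_1^{\rho} g_2^{\sigma} y^{H(m, \alpha)} \bmod p\)
\(\equiv g_1^{S_1+\beta} g_2^{S_2+\gamma} y^{e+\delta} \equiv g_1^{S_1} g_2^{S_2} y^{e} \,(g_1^{\beta} g_2^{\gamma} y^{\delta}) \equiv a\,(\alpha/a)\)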
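The four protocol steps and the verification equation above, as an added Python example that is not part of the original slides. The parameters p = 2267, q = 103 are a constructed toy group, SHA-256 reduced mod q stands in for H, and the function names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example and far too small for real use.
P, Q = 2267, 103                  # primes with Q | P-1
G1 = pow(2, (P - 1) // Q, P)      # g1, g2: elements of Z_p* with order Q
G2 = pow(3, (P - 1) // Q, P)

def H(m: bytes, alpha: int) -> int:
    digest = hashlib.sha256(m + alpha.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") % Q

def rand_zq() -> int:
    return secrets.randbelow(Q)

def keygen():
    s1, s2 = rand_zq(), rand_zq()
    return (s1, s2), pow(G1, s1, P) * pow(G2, s2, P) % P

def bank_commit():                # step 1: a = g1^k1 g2^k2
    k1, k2 = rand_zq(), rand_zq()
    return (k1, k2), pow(G1, k1, P) * pow(G2, k2, P) % P

def customer_blind(m, a, y):      # step 2: blind a, derive challenge e
    beta, gamma, delta = rand_zq(), rand_zq(), rand_zq()
    alpha = a * pow(G1, beta, P) * pow(G2, gamma, P) * pow(y, delta, P) % P
    e = (H(m, alpha) - delta) % Q
    return (alpha, beta, gamma), e

def bank_respond(sk, k, e):       # step 3: S_i = k_i - e*s_i mod q
    return (k[0] - e * sk[0]) % Q, (k[1] - e * sk[1]) % Q

def customer_unblind(state, S):   # step 4: signature (alpha, rho, sigma)
    alpha, beta, gamma = state
    return alpha, (S[0] + beta) % Q, (S[1] + gamma) % Q

def verify(m, sig, y) -> bool:
    alpha, rho, sigma = sig
    rhs = pow(G1, rho, P) * pow(G2, sigma, P) * pow(y, H(m, alpha), P) % P
    return alpha == rhs

def withdraw(m, sk, y):
    """Run all four steps; return the signature and the Bank's view (a, e, S)."""
    k, a = bank_commit()
    state, e = customer_blind(m, a, y)
    S = bank_respond(sk, k, e)
    return customer_unblind(state, S), (a, e, S)
```

The Bank's view (a, e, S1, S2) never contains α, ρ or σ, which is what keeps it from linking the signature it later sees at deposit to this withdrawal.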
Previous Work
Kügler and Vogt [KV01] proposed a marking mechanism based on a variant of an Okamoto-Schnorr Blind Signature [Oka92] in combination with a Chaum-van Antwerpen undeniable signature [Cha90].
• Notations
  - \(p, q\) : two large primes such that \(q \mid p-1\)
  - \(g_1, g_2, g_3 \in Z_p^*\) with order \(q\)
  - \((s_1, s_2) \in_R Z_q\) is the blind signature private key of the bank
  - \(v = g_1^{s_1} g_2^{s_2} \bmod p\) is the blind signature public key of the bank
  - \(x \in_R Z_q\) is the undeniable signature private key of the bank
  - \(y = g_3^{x} \bmod p\) is the undeniable signature public key of the bank
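Previous Work
• Marking and Withdrawal
Bank, once per withdrawal :
  - \(r \in_R Z_q^*\)
  - \(\alpha = g_1^{r} \bmod p\) : new random generator
  - \(\omega = \alpha^{x} \bmod p\) : undeniable signature
Customer, for every coin :
  - \(\delta \in_R Z_q^*\)
  - \(\alpha' = \alpha^{\delta} \bmod p\)
  - \(\omega' = \omega^{\delta} \equiv \alpha^{x\delta} \equiv {\alpha'}^{x} \bmod p\)
Messages exchanged between Customer and Bank : \(\alpha, \omega\); \(a\); \(c\); \(S_1, S_2\)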
Previous Work
• Tracing Capabilities
• Coin tracing
  - Chooses and stores a random undeniable signature key \(x_m\) such that
  - The bank tests for all stored marking keys \(x_m\)
• Tracing authority
  - The tracing capability can be transferred to a separate tracing authority.
  - Marking is invisible even for the bank. (Refer to [KV01])
• Fair tracing
  - Revealing key \(x\) has no impact on the security of the Okamoto-Schnorr signature : the undeniable signature is independent of the blind signature
  - Customer can detect marking by testing
  - But he needs additional info.
  - \(Sig_{bank} = (\alpha, \omega, \text{customer ID}, \text{coin generation})\)
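How a mark survives the customer's blinding, as an added Python example that is not part of the original slides or of [KV01]. It assumes the deposit-time test is \(\omega' = {\alpha'}^{x_m}\), which follows from the identity \(\omega' \equiv {\alpha'}^{x}\) on the marking slide; the toy group, key values and case labels are constructed.

```python
import secrets

# Toy group, constructed for this example and far too small for real use.
P, Q = 2267, 103
G1 = pow(2, (P - 1) // Q, P)       # element of Z_p* with order Q

def rand_zq_star() -> int:
    return 1 + secrets.randbelow(Q - 1)

def bank_issue(key: int):
    """Bank, once per withdrawal: alpha = g1^r, omega = alpha^key.
    key is the regular key x, or a marking key x_m when the coin is marked."""
    r = rand_zq_star()
    alpha = pow(G1, r, P)
    return alpha, pow(alpha, key, P)

def customer_blind(alpha: int, omega: int):
    """Customer, for every coin: raise both values to the same random delta."""
    delta = rand_zq_star()
    return pow(alpha, delta, P), pow(omega, delta, P)

def trace_at_deposit(alpha_p: int, omega_p: int, marking_keys: dict):
    """Bank: test the deposited (alpha', omega') against every stored x_m."""
    for label, x_m in marking_keys.items():
        if pow(alpha_p, x_m, P) == omega_p:   # omega' = alpha'^x_m
            return label
    return None
```

Because α' has prime order q, the test matches exactly one exponent mod q, so an unmarked coin issued under x never matches a distinct marking key.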
Future work
• Detailed analysis of fair tracing
• Study other fair tracing schemes
• Develop an enhanced scheme.
References
[KV01] D. Kügler and H. Vogt. Fair tracing without trustees. In Financial Cryptography - FC2001, Preproceedings, 2001.
[vSN92] B. von Solms and D. Naccache. On blind signatures and perfect crimes. Computers and Security, 11(6):581-583, 1992.
[SPC95] M. Stadler, J.-M. Piveteau, and J. Camenisch. Fair blind signatures. In Advances in Cryptology - EUROCRYPT '95, volume 921 of Lecture Notes in Computer Science, pages 209-219. Springer-Verlag, 1995.
[DFTY97] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung. Anonymity control in e-cash systems. In Financial Cryptography - FC'97, volume 1318 of LNCS, pages 1-16. Springer-Verlag, 1997.
[Oka92] T. Okamoto. Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes. In Advances in Cryptology - Crypto '92, volume 740 of LNCS, pages 31-53. Springer-Verlag, 1992.
[Cha90] D. Chaum. Zero-knowledge undeniable signatures. In Advances in Cryptology - EUROCRYPT '90, volume 473 of LNCS, pages 458-464. Springer-Verlag, 1990.
[JKC01] Jinho Kim, Kwangjo Kim, Chulsoo Lee. An Efficient and Provably Secure Threshold Blind Signature. In ICISC 2001, volume 2288 of LNCS, pages 318-327. Springer-Verlag, 2002.