How to Make E-cash with Non-Repudiation and Anonymity. Authors: Ronggong Song and Larry Korba Source: Information Technology: Coding and Computing, 2004. Proceedings of International Conference on ITCC 2004, Vol. 2, 2004, pp.167-172 Presenter: Jung-wen Lo ( 駱榮問 ) Date: 2004/09/23.
Outline
• Introduction
• Motivation
• Abe-Fujisaki’s protocol
• The proposed scheme
  • Architecture
  • Protocol
    • E-cash Issue
    • On-line shopping
    • E-cash renew
  • Protocol Characteristics
• Analysis
• Conclusions
• Comment
Introduction
• Chaum: Blind signature (1982)
  • Authenticity
  • Integrity
  • Non-repudiation
  • Blind to signer
  • May not be traced by the signer after the signature is revealed
• E-cash
  • Easily duplicated => Double-spending
  • Bank implements double-spending checking => Lack of non-repudiation
Introduction: Online e-cash payment system
[Figure: payment flow among Customer, Bank, Bank Database and e-store; labelled steps: 1. Withdraw, 2. Deduct, 3. E_Cash, 4. Pay E_Cash, 5. Deposit, 6. Deposit]
※ Electronic cash scheme:
• Untraceable: D. Chaum, 1990
• Partially blind signature: Abe-Fujisaki, 1996
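Abe-Fujisaki’s protocol
Parties: Customer, Bank, Payee
Bank keys: PK: $(e, n)$, PV: $(d, p, q)$
※ $v$: predefined by the bank, contains the expiry date
• Initial (Customer): random $r$, $m$, $v$; $\alpha = r^{ev} H(m) \bmod n$
• Withdraw
  • Customer → Bank: $\alpha, v$
  • Bank: chk $v$ format; $d_v = (ev)^{-1} \bmod \Phi(n)$; $\beta = \alpha^{d_v} \bmod n$; Deduct
  • Bank → Customer: $\beta$
• Unblind (Customer): $s = r^{-1}\beta \bmod n$
• Customer → Payee: $(m, s)$; Payee checks $s^{ev} \overset{?}{\equiv} H(m) \pmod{n}$
• Deposit
  • Payee → Bank: $(m, s)$
  • Bank: Verify as Payee; Deposit
Correctness: $s^{ev} = (r^{-1}\beta)^{ev} = \left(r^{-1}\alpha^{(ev)^{-1}}\right)^{ev} = r^{-ev}\left(r^{ev}H(m)\right)^{(ev)^{-1}(ev)} = H(m)$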
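The Abe-Fujisaki exchange above, run end to end as an added Python example (not code from the paper or from this presentation). Assumptions: the bank key is a constructed toy modulus, SHA-256 reduced mod n stands in for H, the value of v is constructed, and a coprimality test stands in for the slide's unspecified "chk v format".

```python
import hashlib, math, secrets

# Constructed toy bank key from the Mersenne primes 2^61-1 and 2^89-1.
# Illustration only: a real modulus is far larger and its primes are secret.
P, Q = 2**61 - 1, 2**89 - 1
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537

def H(m: bytes) -> int:
    """SHA-256 reduced mod n (assumed stand-in for the slide's H)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def blind(m: bytes, v: int):
    """Customer: alpha = r^(e*v) * H(m) mod n, with r invertible mod n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r, (pow(r, E * v, N) * H(m)) % N

def bank_sign(alpha: int, v: int) -> int:
    """Bank: beta = alpha^(d_v) mod n, where d_v = (e*v)^-1 mod phi(n)."""
    # Assumed stand-in for "chk v format": e*v must be invertible mod phi(n).
    if v <= 0 or math.gcd(E * v, PHI) != 1:
        raise ValueError("v rejected: e*v not invertible mod phi(n)")
    return pow(alpha, pow(E * v, -1, PHI), N)

def unblind(beta: int, r: int) -> int:
    """Customer: s = r^-1 * beta mod n."""
    return (pow(r, -1, N) * beta) % N

def verify(m: bytes, s: int, v: int) -> bool:
    """Payee or bank: accept iff s^(e*v) == H(m) mod n."""
    return pow(s, E * v, N) == H(m)

def withdraw(m: bytes, v: int):
    """Run Initial, Withdraw and Unblind; return (alpha seen by bank, s)."""
    r, alpha = blind(m, v)
    return alpha, unblind(bank_sign(alpha, v), r)

if __name__ == "__main__":
    V = 10007                      # constructed value for the agreed v
    coin = b"coin-serial-0001"     # constructed message m
    alpha, s = withdraw(coin, V)
    print("bank saw H(m)?      ", alpha == H(coin))
    print("valid under agreed v", verify(coin, s, V))
    print("valid under other v ", verify(coin, s, 10009))
```

The signature verifies only under the v the bank actually used, which is what makes the blindness partial: the customer hides m but cannot alter the agreed v afterwards.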
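New e-cash protocol (E-cash Issue)
Parties: Customer (A), Bank (B)
Customer keys: PK: $(e_A, n_A)$, PV: $(d_A, p_A, q_A)$
Bank keys: PK: $(e_b, n_b)$, PV: $(d_b, p_b, q_b)$
※ $v$: Expiry date, Money amount, …
• Initial (Customer)
  • Temp. PK: $(e_t, n_t)$, Temp. PV: $(d_t, p_t, q_t)$
  • random $r$, $v$; $\alpha = r^{e_b v} H(e_t \| n_t) \bmod n_b$
• E-cash Issue (Withdraw)
  • Customer: $Sign_A = \left(H(ID_A, Account_A, PK_A, \alpha, v, Time_A)\right)^{d_A} \bmod n_A$
  • Customer → Bank: $(ID_A, Account_A, PK_A, \alpha, v, Time_A), Sign_A$
  • Bank: chk $v$ format; $d_v = (e_b v)^{-1}$; $\beta = \alpha^{d_v} \bmod n_b$; $Sign_B = \left(H(ID_A, ID_B, \beta, Time_B)\right)^{d_b} \bmod n_A$
  • Bank → Customer: $(ID_A, ID_B, \beta, Time_B), Sign_B$
• Unblind (Customer): Check $Time_B$ & $Sign_B$; $s = r^{-1}\beta \bmod n_b$
※ e-cash: $(e_t, n_t, v, s)$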
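New e-cash protocol (Online Shopping)
Parties: Customer (A), Merchant eStore (ES), Bank (B)
• Shopping
  • Customer: $Sign_t = \left(H(Cost, Account_{ES}, e_t, n_t, v, s, Time_A) \,\|\, H(\text{E-goods})\right)^{d_t} \bmod n_A$
  • Customer → eStore: E-goods, $(Cost, Account_{ES}, e_t, n_t, v, s, Time_A), Sign_t$
  • eStore: Verify $Cost$, $Account_{ES}$, $Time_A$, $Sign_t$; $s^{e_b v} \overset{?}{\equiv} H(e_t \| n_t) \pmod{n_b}$; $EMD = H(\text{E-goods})$
• Deposit
  • eStore → Bank: $(Cost, Account_{ES}, e_t, n_t, v, s, Time_A), Sign_t, EMD$
  • Bank: Verify $Account_{ES}$, $Time_A$, $Sign_t$; $s' = H(e_t, n_t, v, s, RM)^{d_b} \bmod n_b$; $Sign_B = \left(H(Receipt_{ES}, e_t, n_t, v, s, RM, s', Time_B)\right)^{d_b} \bmod n_b$
  • Bank → eStore: $(Receipt_{ES}, e_t, n_t, v, s, RM, s', Time_B), Sign_B$
  • eStore: Verify all messages; $Sign_{ES} = \left(H(License, Receipt_A, e_t, n_t, v, s, RM, s', Time_{ES})\right)^{d_{ES}} \bmod n_{ES}$
  • eStore → Customer: $(License, Receipt_A, e_t, n_t, v, s, RM, s', Time_{ES}), Sign_{ES}$
※ EMD: E-goods message digest; RM: Remainder e-cash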
E-cash Renew
[Figure: the digital e-cash and the remainder digital e-cash]
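New e-cash protocol (E-cash Renew)
Parties: Customer (A), Bank (B)
• Renew
  • Customer: Choose new $e_t', n_t', d_t'$; $Sign_t = \left(H(\alpha, v, e_t', n_t', v', s', Time_t)\right)^{d_t} \bmod n_t$; $\alpha' = r^{e_b v'} H(e_t' \| n_t') \bmod n_b$
  • Customer → Bank: $(\alpha', v, e_t', n_t', v', s', Time_A), Sign_t$
  • Bank: Verify messages; $d_v = (e_b v')^{-1}$; $\beta = (\alpha')^{d_v} \bmod n_b$; $Sign_B = \left(H(e_t', n_t', v', s', \beta, Time_B)\right)^{d_b} \bmod n_b$
  • Bank → Customer: $(e_t', n_t', v', s', \beta, Time_B), Sign_B$
  • Customer: $s' = r^{-1}\beta \bmod n_b$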
Protocol Characteristics
• Strong privacy protection
  • Bank and merchant cannot determine the buyer
• Non-repudiation
  • All messages are signed
• Strong safety protection
  • Only the authorized e-cash owner can use the e-cash
Analysis
• Anonymity analysis
  • Partial blind signature
  • Anonymous temporary public key
• Non-repudiation analysis
  • E-cash issue
    • The message is signed with the customer’s certificate
  • Online shopping
    • The messages are signed with the private key of the e-cash
Analysis
• Security analysis
  • Passive attacks
    • Transmitted messages are protected by an SSL security channel
    • Bank cannot determine who holds the temporary public key
  • Active attacks
    • Replay attack: Time stamp “Time”
    • Modification attack: Verify signature “Sign”
Conclusions
• Strong privacy protection
• Non-repudiation services
• Protects against denial, double-spending, loss, misuse and theft of the e-cash
• Could be implemented with XML and an SSL security channel
Comments
• Bank should verify $s$ and $v$ in the on-line shopping stage
• How to use the remainder money?
  • Bank records e-cash $(e_t, n_t, v, s)$ and remainder e-cash RM
• Future work
  • Implemented in public network?
  • Without CA?