180 likes | 306 Views
Divisible e-cash can be truly anonymous. Sébastien Canard* and Aline Gouget ** * France Télécom R&D Division, France. ** Gemalto, Security Labs, France. Wednesday, May 23, 2007. Outline. Electronic cash Divisible e-cash schemes
E N D
Divisible e-cash can be truly anonymous Sébastien Canard* and Aline Gouget *** France Télécom R&D Division, France. ** Gemalto, Security Labs, France. Wednesday, May 23, 2007.
Outline • Electronic cash • Divisible e-cash schemes • General construction of a strong unlinkable and truly anonymous divisible e-cash scheme • Application using the construction of Nakanishi-Sugiyama • Conclusion
Withdraw Electronic cash systems Detection of double-spending Deposit Identify Verify Guilt Spend
Security properties • Unforgeability of coins • Anonymity • Weak anonymity: anonymity of the user • Strong anonymity: anonymity of the user + unlinkability of the spendings • Identification of cheaters • Exculpability
Divisible e-cash • A user first withdraws a divisible coin and next spends it part by part • Each divisible coin of monetary value 2L is assigned to a binary tree of L+1 levels • Divisibility rule: When a node N is used, none of the descendant and ancestor nodes can be used, and no node can be used more than once • This rule is satisfied iff over-spending is protected
Divisible e-cash schemes • Many off-line divisible e-cash schemes have been proposed • First « practical » divisible e-cash scheme • Proposed by [Okamoto, Crypto’95] and improved by [Chan, Frankel and Tsiounis, Eurocrypt’98] • Both schemes provide anonymity of users but not unlinkability • it is possible to link several spends from a single divisible coin • First unlinkable divisible e-cash scheme • Proposed by [Nakanishi and Sugiyama, ISW’00] • Requires a TTP • The unlinkability is not strong since the merchant and the bank know which part of the coin is spent • None of the divisible e-cash schemes of the state of the art provides both strong unlinkability and truly anonymity of users
Overview of our « truly anonymous » e-cash system • Withdrawal phase between B and U • B signs in a blind manner U’s secret key and a « master serial number » • Spending phase between U and M • U computes a valid serial number S (→ allows to detect double-spending) • U computes a valid security tag T (→ masks the spender identity) • U proves that S and T are well-formed • The identity of the spender is recovered only in case of double-spending
General description • Each divisible coin of monetary value 2L is assigned to a binary tree of L+2 levels
General description • Each node of the tree (including the leaves) is related to a tag key with the following properties: • From the tag key Ki,b0 of a node N, it is possible for everyone to compute the tag keys related to the descendants of N • From the tag key of a node, it is impossible to compute a tag key which is not related to a descendant of the targeted node • Withdrawal protocol • The root tag key and the user secret key are signed (in a blind manner) by the bank
General description • Spending protocol • U computes the tag key of the node N (at level i=L-n) he wants to spend • From the tag key of N, U computes the serial number S • Concatenation of the tag keys related to the two direct descendants of the spent node • From the tag key of N, U computes the security tag T • Verifiable encryption of the user identity (including randomness) • U proves to M that S and T are well-formed • A spending corresponds to a triplet (S,T,Φ) • Detection of double-spending • From S and i, B can compute all the tag keys of the descendant leaves of S • Without knowing which node has been spent
Identification of a double-spender • Double spending : (S=Kj,0||Kj,1,T,Φ) (S’=Kj’,0||Kj’,1,T’,Φ’) • S=S’ • The cheater identity can be recovered from T and T’ • S’ is an ancestor of S • The secret tag key used to compute T can be recovered using S’
Divisible e-Cash System DCS • Based on the binary tree proposed by [Nakanishi and Sugiyama, ISW’00] • The function F used to compute the tag keys is the modular exponentiation • For each level i, there are three linked generators: • gi,0 for the left child • gi,1 for the right child • gi,2 to compute the security tag • Example: • The tag key of a node of level i-1 is denoted by: • Computation of the left children tag key: • Computation of the security tag related to the tag key Ki,b:
Withdrawal protocol • Camenisch-Lysyanskaya signature scheme [Crypto’04] • Efficient protocol for a user to get a signature from a signer on committed values • Efficient proof of knowledge of a signature on committed values
Spending protocol • U wants to spend a sub-coin of value 2n from his divisible coin C=(s,u,r,) • U chooses an unspent coin of level i=L-n • U receives from M a random value rand and computes: • U has to prove the validity of S and T • U computes a zero-knowledge proof of knowledge of a signature of B on the values (s,u,r) and that S and T are correctly computed, using the Fiat-Shamir heuristic • Strong unlinkability is achieved using proofs of the "OR" statement (one per level)
Security arguments Theorem: In the random oracle model, the DCS scheme is secure: • If the CL signature scheme is unforgeable, then DCS is unforgeable. • Under the DDH assumption, DCS is unlinkable. • If the CL signature scheme is unforgeable, then DCS permits the identification of double-spenders • Under the DL assumption, DCS has the exculpability property.
Conclusion and open problems • We proposed the first off-line divisible e-cash scheme providing both strong unlinkability and true anonymity • The true anonymity of users is achieved without impacting the performance of the spending protocol • However, the spending of a small number of coins at a time is still expensive due to the use of double-exponentiation proofs during the spending phase • Open problems: • Improve the efficiency of the spending phase • Find a method to detect double-spending without computing 2L serial numbers for a divisible coin of monetary value 2L
Proof of unlinkability • In fact, we embed an instance of the Matching Multi Diffie-Hellman (MMDH) problem • MMDH can be used to solve DDH • Matching Multi Diffie-Hellman (MMDH) problem • Decisional Multi Diffie-Hellman (DMDH) problem • Derived Decisional Diffie-Hellman (DDDH) problem • Decisional Diffie-Hellman (DDH) Decision oracles are equivalent to matching oracles [Handschuh, Tsiounis, Yung, PKC’99]