
MSRC: (M)icropayment (S)cheme with Ability to (R)eturn (C)hanges

MSRC: (M)icropayment (S)cheme with Ability to (R)eturn (C)hanges. Source: Journal of Information Science and Engineering, in review. Presenter: Tsuei-Hung Sun (孫翠鴻). Date: 2010/11/26. Outline: Introduction, Motivation, Scheme, Security analysis, Comparison, Advantage vs. weakness.



  1. MSRC: (M)icropayment (S)cheme with Ability to (R)eturn (C)hanges Source: Journal of Information Science and Engineering in review Presenter: Tsuei-Hung Sun (孫翠鴻) Date: 2010/11/26

  2. Outline • Introduction • Motivation • Scheme • Security analysis • Comparison • Advantage vs. weakness • Comment

  3. Introduction • PayWord • Credit-based • Chains of hash values • Ex. A = (a0, a1, …, an), where ai = h(ai+1), i = n-1, n-2, …, 0. • Every chain has a face value d. • a0 is used as an anchor for verification. • PayWord Certificate • Reference: R. Rivest, A. Shamir, 1996, “PayWord and MicroMint: two simple micropayment schemes,” Proceedings of the International Workshop on Security Protocols, LNCS Vol. 1189, pp. 69-87.

  4. Introduction • Micropayment Scheme Using Single-PayWord Chain (MSSC) • Only one denomination. • Micropayment Scheme Using Multi-PayWord Chains (MSMC) • Multiple denominations. • Combines several single-payword chains with different denomination values. • Used to reduce the length of the hash chain and the hash operations of verification.

  5. Micropayment Scheme Using Single-PayWord Chain (MSSC) • Parties: Vendor (PKV, PVV, IDV), Customer (PKC, PVC, IDC), Broker (PKB, PVB, IDB) • PSR = {IDC, n, IDV} • Generates A = (a0, a1, …, an), which satisfies ai = h(ai+1), i = n-1, n-2, …, 0; total money = n x dA • Pay (am, m) • Replace anchor a0 by am. • Verifies whether am is legal or not. If legal, deposits (m x dA) to the Vendor’s account and stores am. If not, rejects the transaction. • Notation: PSR: Payment-chain service request. PK: Public key. PV: Private key. ID: Identity. n: Length of the payword chain. dA: Face value. a0: The initial anchor used to verify the A-chain.

  6. Micropayment Scheme Using Multi-PayWord Chains (MSMC) • Parties: Vendor (PKV, PVV, IDV), Customer (PKC, PVC, IDC), Broker (PKB, PVB, IDB) • PSR = {IDC, n, IDV} • dA < dB • A = (a0, a1, …, an), which satisfies ai = h(ai+1), i = n-1, n-2, …, 0 • B = (b0, b1, …, bn), which satisfies bj = h(bj+1), j = n-1, n-2, …, 0 • Chain A total money = n x dA • Chain B total money = n x dB • Pay (bM, M), (am, m) • Replace anchor a0 by am and b0 by bM. • Verifies whether am and bM are legal or not. If legal, deposits (M x dB + m x dA) to the Vendor’s account and stores am, bM. If not, rejects the transaction.

  7. Motivation • Problems of MSMC • Find the minimum hash chain in a payment. • Equally spend every single chain. • This paper proposes three approaches to handle the above two problems and to support the ability of returning changes.

  8. Scheme • Three approaches • MSRC-I: counter-mode encryption. • MSRC-II: hashing function. • MSRC-III: keyed hashing function.

  9. MSRC-I: Counter-Mode Encryption (1/2) • Parties: Vendor (PKV, PVV, IDV), Customer (PKC, PVC, IDC), Broker (PKB, PVB, IDB) • PSR = {IDC, n, r, IDV} • ai = h(ai+1), i = n-1, n-2, …, 0 • bj = h(bj+1), j = n-1, n-2, …, 0 • Notation: EK: Counter-mode encryption using a secret key K. M x dB: Total money the Customer pays. n: Length of the payment chain. r: Length of the return-change chain. m x dA: Money the Vendor returns.

  10. MSRC-I: Counter-Mode Encryption (2/2) • Parties: Vendor (PKV, PVV, IDV), Customer (PKC, PVC, IDC), Broker (PKB, PVB, IDB) • Pay (bM, M) • Replace anchor b0 by bM. • Return • Then can get chain (an+1, …, an+m), worth (m x dA) dollars. • Verifies whether a’n+m and bM are legal or not. If legal, deposits (M x dB + m x dA) to the Vendor’s account and stores a’n+m, bM. If not, rejects the transaction.

  11. MSRC-II: Hash Function (1/2) • Parties: Vendor (PKV, PVV, IDV), Customer (PKC, PVC, IDC), Broker (PKB, PVB, IDB) • PSR = {IDC, n, r, IDV}

  12. MSRC-II: Hash Function (2/2) • Parties: Vendor (PKV, PVV, IDV), Customer (PKC, PVC, IDC), Broker (PKB, PVB, IDB) • Pay (bM, M) • Replace anchor b0 by bM. • Return • Then can get chain (an+1, a’n+1), …, (an+m, a’n+m), worth (m x dA) dollars. • Verifies whether a’n+m and bM are legal or not. If legal, deposits (M x dB + m x dA) to the Vendor’s account and store . If not, rejects the transaction. • K: secret key for keyed hash function

  13. MSRC-III: Keyed Hash Function (1/2) • Parties: Vendor (PKV, PVV, IDV), Customer (PKC, PVC, IDC), Broker (PKB, PVB, IDB) • PSR = {IDC, n, r, IDV} • ai = hK(ai+1), i = n+r-1, n+r-2, …, 0 • ai = hK(ai+1), i = n+r-1, n+r-2, …, 0 • bj = h(bj+1), j = n-1, n-2, …, 0

  14. MSRC-III: Keyed Hash Function (2/2) • Parties: Vendor (PKV, PVV, IDV), Customer (PKC, PVC, IDC), Broker (PKB, PVB, IDB) • Pay (bM, M) • Replace anchor b0 by bM. • Return • Then can get chain (an+1, …, an+m), worth (m x dA) dollars. • Verifies whether a’n+m+1 and bM are legal or not. If legal, deposits (M x dB) to the Vendor’s account and store . If not, rejects the transaction.

  15. Security analysis • Counterfeit attack • Attacker: Returned change a’n+i and an+i. • Customer: Change a’n+i and an+i. • Reuse attack • Customer: Double spending and over-spending. • Vendor: Double returning and over-returning. • Redemption attack • Vendor: Anchor ai and (ai, a’i).

  16. Comparison Fig. The chains of returned changes for our MSRC.

  17. Comparison • Table. Comparison of micropayment schemes • H: Operation of a hash function h(.). H’: Operation of a keyed hash function hK(.). D: Counter-mode decryption. d: Denomination. M: Vendor verifying the payment (bj, M). m: Customer verifying and obtaining the returned changes.

  18. Advantage vs. weakness • Advantage • It can feasibly be implemented on mobile devices. • The returned change is useful for avoiding the exhaustion of a particular payword chain. • All three modes are well protected, and their overhead is not very heavy, so the Customer can choose whichever one is better for him or her. • Weakness • The Customer may need to maintain many kinds of payword chains.

  19. Comment • If there are many kinds of e-coin face values, that will become a burden for the Customer, Broker, and Vendor. • This is very inconvenient for trading only once, because the Customer and Vendor need to redeem them for cash after the transaction. • If the Customer still uses returned changes after they have expired, that may incur a collusion attack. • The largest denomination may incur some attack, because it does not have any protection.
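
The payword check described on slides 3, 5 and 6, shown as an added example that is not part of the presentation or the paper: a chain with ai = h(ai+1) is generated, and a payment (payword, index) is accepted only if hashing it back reaches the stored anchor, which is then replaced so that a replayed payword (the double-spending case of slide 15) is rejected. SHA-256 as h, the names `ChainState` and `accept_payment`, and the face values dA = 1, dB = 10 are assumptions of this sketch; it does not model the MSRC return-change chains.

```python
import hashlib
import os

def h(x):
    """Hash function h(.) of the chain; SHA-256 is an assumption of this example."""
    return hashlib.sha256(x).digest()

def make_chain(n, seed=None):
    """Return [a_0, ..., a_n] with a_i = h(a_{i+1}); a_n is the secret seed."""
    chain = [seed if seed is not None else os.urandom(32)]  # a_n
    for _ in range(n):
        chain.append(h(chain[-1]))
    chain.reverse()  # chain[0] is now the anchor a_0
    return chain

class ChainState:
    """Verifier side: last accepted payword of one chain and its face value d."""
    def __init__(self, anchor, n, face_value):
        self.anchor, self.index, self.n, self.d = anchor, 0, n, face_value

    def new_paywords(self, payword, index):
        """Return how many unspent paywords (payword, index) proves, or 0."""
        steps = index - self.index
        if steps <= 0 or index > self.n:  # replayed, rewound or over-spent
            return 0
        x = payword
        for _ in range(steps):
            x = h(x)
        return steps if x == self.anchor else 0

def accept_payment(states, payment):
    """Verify every (payword, index) first, then replace the anchors.

    states:  {chain name: ChainState}; payment: {chain name: (payword, index)}
    Returns the amount to deposit, or None if the payment is rejected.
    """
    steps = {c: states[c].new_paywords(w, i) for c, (w, i) in payment.items()}
    if not steps or 0 in steps.values():
        return None
    for c, (w, i) in payment.items():
        states[c].anchor, states[c].index = w, i
    return sum(states[c].d * k for c, k in steps.items())

def demo():
    """Constructed run: d_A = 1, d_B = 10, n = 10; pay 23, then 10 more."""
    A, B = make_chain(10), make_chain(10)
    states = {"A": ChainState(A[0], 10, 1), "B": ChainState(B[0], 10, 10)}
    first = accept_payment(states, {"A": (A[3], 3), "B": (B[2], 2)})
    replay = accept_payment(states, {"A": (A[3], 3), "B": (B[2], 2)})
    forged = accept_payment(states, {"B": (os.urandom(32), 3)})
    second = accept_payment(states, {"B": (B[3], 3)})
    return first, replay, forged, second
```

All paywords of a multi-chain payment are checked before any anchor is replaced, so a payment with one bad chain leaves the stored state untouched.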
