180 likes | 301 Views
Recoverable and Untraceable E-Cash. Dr. Joseph K. Liu The Chinese University of HongKong. Outline. Introduction of E-cash Our Proposed Recoverable and Untraceable E-Cash Concept Construction Extension Conclusion. Electronic Cash. Digital Analogy of paper cash
E N D
Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong
Outline • Introduction of E-cash • Our Proposed Recoverable and Untraceable E-Cash • Concept • Construction • Extension • Conclusion
Electronic Cash • Digital Analogy of paper cash • According to [1], ideal e-cash has 6 main properties: • Independence • Security • Privacy • Off-line payment • Transferability • Divisibility • [1] Tatsuaki Okamoto and Kazuo Ohta. “Universal electronic cash”. In J. Feigenbaum, editor, Advances in Cryptology – CRYPTO ’91, Lecture Notes in Computer Science, pages 324-337. Springer-Verlag, 1992.
Electronic Cash • Advantages of Electronic Cash over other kinds of payment systems: • Privacy • Off-line payment • Suitable for Small Amount Payment • Examples of Electronic Cash System: • Mondex • Octopus Card
A New Recoverable and Untraceable Electronic Cash • Recoverability and untraceability are two conflicting properties! • Most of the e-cash papers only focus on the 6 main properties. • We propose a new scheme that can support recoverabilityand untraceability.
A New Recoverable and Untraceable Electronic Cash • The Basic Idea – we use an indirect method: • How much e-cash lost • =How much e-cash withdraw • – how much e-cash spent • If we give up untraceability, it is easy! • In our system, we append an additional number to each e-coin. This number gives no information about the identity of the user.
A New Recoverable and Untraceable Electronic Cash • Our system is motivated from S. Brand’s Single Term E-Cash [2] protocol. • Brief introduction of his protocol: • Setup of the System • Bank B, Customer U and Shop S. • [2] S. Brands. Untraceable off-line cash in wallet with observers. In Advances in Cryptology – CRYPTO ’93, Lecture Notes in Computer Science, pages 302-318. Springer-Verlag, 1993.
A New Recoverable and Untraceable Electronic Cash • The Withdrawal Protocol • After withdrawing e-cash from the bank, U obtains {A, B, sign(A, B)} as the coin. • The Payment Protocol • S sends a challenge to U. • U computes the responses {r1, r2} and sends them back to U together with the coin {A, B, sign(A, B)} . • S checks the responses and the coins. Accept it if both are valid.
A New Recoverable and Untraceable Electronic Cash • The Deposit Protocol • S sends the coin {A, B, sign(A, B)} ,the responses {r1, r2} and the date/time of the transactions to the B after some time. • B checks whether this coin has been deposited before. • If not, accept it. Otherwise, B uses the information provided by S to find out the identity of the double-spent user.
A New Recoverable and Untraceable Electronic Cash • The Proposed Protocol: • The Withdrawal Protocol • There are 4 parties: Bank, Customer Alice, Shop and the Trusted Third Party (TTP). • After withdraws coins from the bank, Alice goes to the TTP to get an additional number, xi, for 1 <= i <= n, for each coin. This additional number has the following properties: • H(x1) = H(x2) = H(x3) ….. = H(xn) = y
A New Recoverable and Untraceable Electronic Cash • The TTP maintains a list that records down all the serial number of the coins. If the coin is in the list, terminate the process. • The TTP checks the signature on the coin. If valid, it gives another signature, such that • Sc = SignTTP{ A, B, Sign(A, B), xi } • Now the coin contains the following: • { A, B, Sign(A, B), xi, Sc }
A New Recoverable and Untraceable Electronic Cash • The TTP gives another signature on y and n. Let Sb = SignTTP{ y, n }.Sb will be given to Alice. Alice should keep {Sb , y, n} in a safe place. • The Payment Protocol • The basic payment protocol based on S. Brand’s protocol. • The shop checks also the signature of the TTP. • The shop hashes the xi of the coin to produce its hash value and checks whether the coin is in the blacklist .
A New Recoverable and Untraceable Electronic Cash • The Deposit Protocol • The basic deposit protocol based on S. Brand’s protocol. • The bank hashes the xi of the coin to produce its hash value and checks whether the coin is in the blacklist . • The Recovery Protocol • If Alice has lost her remaining coins, she has to do the following:
A New Recoverable and Untraceable Electronic Cash • She has to reveal her identity to the bank and present the back-up number { Sb , y, n } to the bank. • The bank checks the signature ofSbon{y, n}. • It looks up its database to find out all the coins with their hashed values of xi are equal to y. These coins are those Alice has already spent. • Finally the bank can calculate the difference D between the total amount Alice has withdrawn and the total amount she has spent.
A New Recoverable and Untraceable Electronic Cash • In order to prevent Alice pretend losing the coins but in fact she does not, the following steps must be taken immediately: • The bank adds the number y to the blacklist and broadcast it to all the shops. • The shop adds this y to the blacklist.
A New Recoverable and Untraceable Electronic Cash • Security Analysis • Conditional Untraceability • If Alice does not re-claim her lost e-coin, her anonymity is preserved. (Untraceable) • If Alice re-claims her lost e-coin, she has to give up her anonymity.
A New Recoverable and Untraceable Electronic Cash • Extension • Customers can choose whether to “buy” the recoverable service or not. • Pre-calculate the hash value: the TTP can produce many groups of xi, j such that • H(x1,j) = H(x2,j) = H(x3,j) ….. = H(xn,j) = yj
Conclusion • We propose a new e-cash system with Recoverability and Untraceability • We believe it can provide more convenience to users • Make e-cash more popular