How to Make E-cash with Non-Repudiation and Anonymity

1. How to Make E-cash with Non-Repudiation and Anonymity Ronggong Song, Larry Korba Proceedings of the International Conference on Information Technology: Coding and Computing Vol. 2, Apr. 2004, pp. 167-172 Adviser: Dr. Min-Shiang Hwang Speaker: 鍾松剛

2. Bank The Motivations • E-Cash: Easy duplicated • Bank needs to implement double-spending checking • Double-spending checkingdoes not provide a non-repudiation service • Non-repudiation service needs a signature • Signatureviolates the anonymous of e-cash ?! Thief ?!

3. Partial Blind Digital Signature • M. Abe and E. Fujisaki, “How to Date Blind Signatures”, Advances in Cryptology--ASIACRYPT '96, pp. 244-251 • Allows a signer to sign a partially blinded message that include pre-agreed information such as expiry date or collateral conditions in unblinded form. • Designed to protect the bank’s database from growing without limits • Expired e-cash can be removed

4. Example: Partial blind digital signature Alice (m, s, v) Bank v is a predefined message by the bank and contains an expiration date e, d Randomly choose m, r in Z*n Compute α≡revH(m) mod n Verify the correctness of v Compute t≡ α(ev)-1 mod n ≡ r H(m)(ev)-1 mod n Deduct w dollars α,v t Compute s≡r -1t mod n ≡H(m)(ev)-1 mod n e-cash (m, s, v) Merchant Deposit (m, s, v) Verify Add w dollars to payee’s account Verify v sev≡H(m) mod n

5. Architecture CA Bank Alice Merchant

6. Protocol’s Sketch Map Alice Bank e-cash Useless (temporal PK)Blind_sign (buy e-cash) (temporal PK)Blind_sign Deducts w dollars (e-cash)temporal SK … verify verify (license)SK_M Reply Merchant

7. E-cash Issue Protocol Alice et, nt Expiration date Balance SignB Bank v’s format PKT = (et, nt) SKT = (dt, pt, qt) eA, dA eb, db α≡rebv H(et||nt) mod nb SignA = [H(IDA, AccountA, PKA, α, v, TimeA)]dA mod nA IDA, AccountA, PKA, α, v, TimeA, SignA Verify AccountA, TimeA, SignA, v β = α(ebv)-1 mod nb = r H(et||nt)(epv)-1 SignB = [H(IDA, IDB, β, TimeB)]db mod nb Debit $$ from AccountA Verify TimeB, SignB s≡r -1 β mod nb e-cash (et, nt, v, s) IDA, IDP, β, TimeB, SignB

8. On-line Shopping Protocol Alice Bank Merchant PKT = (et, nt) SKT = (dt, pt, qt) s=H(et||nt)(epv) -1 e-cash (et, nt, v, s) eP, dP Select e-goods Signt = [H(Cost, AccountM, e-cash, TimeA) || H(e-goods)]dt mod nt e-goods, Cost, AccountM, e-cash, TimeA, Signt Verify EMD=h(e-goods) Cost, AccountM, e-cash, TimeA, EMD, Signt Verify s’ = [H(et, nt, v, s, RM)]db mod nb SignB = [H(ReceiptM, e-cash, RM, s’, TimeB)]db mod nb ReceiptM, e-cash, RM, s’, TimeB, SignB Verify SignM = [H(License, ReceiptA, e-cash, RM, s’, TimeM)]dM mod nM License, ReceiptA, e-cash, RM, s’, TimeM, SignM e-cash (et, nt, v, s, RM, s’)

9. E-cash Renew Protocol Alice Bank eA, dA s’ = [H(et, nt, v, s, RM)]db mod nb v’s format eb, db Fill a new e-cash form v’ α≡rebv’H(et||nt) mod nb Signt = [ h(α, v, et, nt, v’, s’, Timet) ]dt mod nt α, v, et, nt, v’, s’, TimetSignt Verify β = α(ebv ’)-1 mod nb = r H(et||nt)(epv ’)-1 SignB = [H(et, nt, v’, s’, β, TimeB)]db mod nb et, nt, v’, s’, β,TimeBSignB Verify TimeB, SignB s’’≡r -1 β mod nb e-cash (et, nt, v’, s’’)

10. Protocol Characteristics • Strong privacy protection • A anonymous temporary public key is embedded into the partial blind signature • Unlinkability: no one can determine the customer • The format and content of message v are same with other e-cashes. • Non-repudiation • Signature is useful if there is a dispute later • Strong safety protection • Other person cannot spend the e-cash without the private key

11. Security Analysis • Passive attacks • All messages are protected with the SSL security channels • Active attacks • Replay attacks • Can be defeated by time stamp • Modification attacks • Can be defeated by signature

12. Conclusion Merchant Bank Customer Denying Double-spending Losing misusing stealing