A flexible date-attachment scheme on e-cash Authors: Chin-Chen Chang and Yeu-Pong Lai Source: Computers & Security, Vol. 22, No. 2, pp. 160-166, 2003 Reporter: Jung-Wen Lo(駱榮問) Date: 2004/08/26

Outline Introduction Review The proposed scheme Comparison Conclusions Online e-cash payment system Four Phases Review Chaum’s Untraceable electronic cash Fan et al.’s Date attachable electronic cash The proposed scheme Comparison Conclusions Comments

Introduction- Online e-cash payment system 2. Deduct Bank Databse 1. Withdraw 6. Deposit Bank 3. E_Cash 5. Deposit Customer 4. Pay E_Cash ※ Electronic cash scheme: Original: D. Chaum, 1990 Partially blind signature: Abe-Fujisaki, 1996 Date attached: Fan et al., 2000 Merchant

Four Phases Initializing Withdrawing Unblinding Depositing Bank RSA Public key pair Withdrawing Customer Withdrawal Blind signature Unblinding Unblinding signature Depositing Customer Pay money Merchant Deposit Bank Double spending check

Chaum’s Untraceable electronic cash Phase Bank Customer Merchant PK: (e, n) PV: d Initial Withdraw random r, m α=reH(m) mod n α t=αd mod n (deduct w) t s=r-1t mod n Unblind (m,s) Deposit se?≡H(m) mod n (m, s) Verify as Merchant (deposit w)

Fan et al.’s Date attachable electronic cash Phase Bank Customer Merchant PK: (e, n) PV: d Initial Withdraw C: random r, x1,…,x6 m=H100(x1)||H100(x2)||H12(x3)||H12(x4)||H31(x5)||H31(x6) α=reH(m) mod n α t=αd mod n (deduct w) t Unblind s=r-1t mod n C: α1=Ha(x1), α2=H100-a(x2), α3=Hb(x3), α4=H12-b(x4), α5=Hc(x5), α6=H31-c(x6) Deposit s,a,b,c,α1,α2, α3,α4,α5,α6 se?≡H(H100(α1)|| H100(α2)||H12(α3)|| H12(α4)||H31(α5)|| H31(α6)) mod n s,a,b,c,α1,α2, α3,α4,α5,α6 Verify as Merchant (deposit w)

The proposed scheme Phase Bank Customer Merchant PK: (e,n) ; (e*,n*) PV: d ; d* 1.Initial random r1, m α=r1eH(m) mod n 2.Withdraw α t1=αd mod n (deduct w) t1 s=r1-1t1 mod n β=r2e*G(s) mod n* β 3.Unblind ※δ(date slip) =Gd*(s) mod n* t2=βd* mod n t2 δ=r2-1t2 mod n* 4.Date-attach δe*?=G(s) mod n* s’ =Gd*(s||a||b||c) δ,s,(a,b,c) s’ (m,s,a,b,c),s’ 5.Deposit se?≡H(m) mod n s’ e*?≡G(s||a||b||c) mod n* (m,s,a,b,c),s’ Verify as Merchant (deposit w)

Comparison

Conclusions Untraceability Correctness Unforgeability Flexibility Phase 1, 2, 3 Bank knows customer but not e-cash (m,s) Phase 4, 5 No customer information but only e-cash Correctness Only original customer can modify date because only he knows δ Unforgeability Date is sealed in s’ and protected with G() and RSA scheme Merchant cannot forge e-cash because cannot drive m from s Flexibility The date can be change after e-cash has been deposited Customer and merchant agree to change date and customer redo Phase 4 and 5 to get a new s’

Comments Withdraw phase (Customer-Bank) Unconvenient: Use the whole money for once Channel is insecure Impersonation Cannot against interruption attack