How to Make E-cash with Non-Repudiation and Anonymity
Ronggong Song, Larry Korba
Proceedings of the International Conference on Information Technology: Coding and Computing, Vol. 2, Apr. 2004, pp
Adviser: Dr. Min-Shiang Hwang
Speaker: 鍾松剛
The Motivations
- E-cash is easily duplicated
- The bank needs to implement double-spending checking
- Double-spending checking does not provide a non-repudiation service
- A non-repudiation service needs a signature
- A signature violates the anonymity of e-cash
(Figure: Bank, Thief ?!)
Partial Blind Digital Signature
M. Abe and E. Fujisaki, “How to Date Blind Signatures”, Advances in Cryptology--ASIACRYPT '96, pp
- Allows a signer to sign a partially blinded message that includes pre-agreed information, such as an expiry date or collateral conditions, in unblinded form
- Designed to protect the bank’s database from growing without limit
- Expired e-cash can be removed
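Example: Partial blind digital signature
Parties: Alice, Bank (key pair \(e, d\)), Merchant
- \(v\) is a predefined message by the bank and contains an expiration date
- Alice: randomly choose \(m, r \in Z_n^*\); compute \(\alpha \equiv r^{ev} H(m) \bmod n\)
- Alice → Bank: \(\alpha, v\)
- Bank: verify the correctness of \(v\); compute \(t \equiv \alpha^{(ev)^{-1}} \bmod n \equiv r\,H(m)^{(ev)^{-1}} \bmod n\); deduct \(w\) dollars
- Bank → Alice: \(t\)
- Alice: compute \(s \equiv r^{-1} t \bmod n \equiv H(m)^{(ev)^{-1}} \bmod n\); the e-cash is \((m, s, v)\)
- Alice → Merchant: \((m, s, v)\); Merchant: verify
- Merchant → Bank: deposit \((m, s, v)\)
- Bank: verify \(v\) and \(s^{ev} \equiv H(m) \bmod n\); add \(w\) dollars to the payee’s account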
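The exchange on this slide as a runnable sketch. This is an added example, not code from the paper or the slides. Assumptions: a toy bank modulus built from constructed safe primes, SHA-256 reduced mod n standing in for H, v encoded as a yyyymmdd integer, and hypothetical function names.

```python
import hashlib
from math import gcd

# Toy bank key (constructed): safe primes p = 2*509+1, q = 2*593+1, so any odd
# v not divisible by 509 or 593 gives gcd(e*v, phi) == 1. Far too small for real use.
P, Q, E = 1019, 1187, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)

def H(m: bytes) -> int:
    """Hash reduced into Z_n (toy stand-in for the slide's H)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def blind(m: bytes, v: int, r: int) -> int:
    """Alice: alpha = r^(e*v) * H(m) mod n; the bank never sees H(m)."""
    if gcd(r, N) != 1:
        raise ValueError("r must be invertible mod n")
    return pow(r, E * v, N) * H(m) % N

def bank_sign(alpha: int, v: int, today: int) -> int:
    """Bank: check v, then t = alpha^((e*v)^-1 mod phi) mod n."""
    if v < today:
        raise ValueError("expiry date in v has already passed")
    if gcd(E * v, PHI) != 1:
        raise ValueError("e*v is not invertible mod phi(n)")
    return pow(alpha, pow(E * v, -1, PHI), N)

def unblind(t: int, r: int) -> int:
    """Alice: s = r^-1 * t mod n = H(m)^((e*v)^-1) mod n."""
    return pow(r, -1, N) * t % N

def verify(m: bytes, s: int, v: int) -> bool:
    """Anyone holding (e, n): accept iff s^(e*v) == H(m) mod n."""
    return pow(s, E * v, N) == H(m)

def withdraw(m: bytes, v: int, r: int, today: int = 20040401):
    """Full withdrawal; returns (alpha as seen by the bank, signature s)."""
    alpha = blind(m, v, r)
    return alpha, unblind(bank_sign(alpha, v, today), r)

if __name__ == "__main__":
    m, v = b"constructed coin serial 0001", 20041231  # v: expiry as yyyymmdd
    alpha, s = withdraw(m, v, r=12345)
    print("bank saw alpha =", alpha, "| coin valid:", verify(m, s, v))
    print("same coin with altered expiry:", verify(m, s, v + 2))
```

Because v sits in the exponent, a coin whose expiry field is altered after issue no longer verifies, while the blinding factor r changes only what the bank sees, not the final signature.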
Architecture
(Figure: Alice, Bank, CA, Merchant)
Protocol’s Sketch Map
(Figure: parties Alice, Bank, Merchant; labels: (buy e-cash), (temporal PK), Blind_sign, Deducts w dollars, (e-cash), temporal SK, verify, …, Reply (license), SK_M, e-cash, Useless)
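E-cash Issue Protocol
Parties: Alice (\(e_A, d_A\)), Bank (\(e_b, d_b\))
- Alice: temporary key pair \(PK_T = (e_t, n_t)\), \(SK_T = (d_t, p_t, q_t)\)
- Alice: \(\alpha \equiv r^{e_b v} H(e_t \| n_t) \bmod n_b\)
- Alice: \(\mathrm{Sign}_A = [H(\mathrm{ID}_A, \mathrm{Account}_A, PK_A, \alpha, v, \mathrm{Time}_A)]^{d_A} \bmod n_A\)
- Alice → Bank: \(\mathrm{ID}_A, \mathrm{Account}_A, PK_A, \alpha, v, \mathrm{Time}_A, \mathrm{Sign}_A\)
- Bank: verify \(\mathrm{Account}_A, \mathrm{Time}_A, \mathrm{Sign}_A, v\)
- Bank: \(\beta = \alpha^{(e_b v)^{-1}} \bmod n_b = r\,H(e_t \| n_t)^{(e_b v)^{-1}}\)
- Bank: \(\mathrm{Sign}_B = [H(\mathrm{ID}_A, \mathrm{ID}_B, \beta, \mathrm{Time}_B)]^{d_b} \bmod n_b\)
- Bank: debit $$ from \(\mathrm{Account}_A\)
- Bank → Alice: \(\mathrm{ID}_A, \mathrm{ID}_B, \beta, \mathrm{Time}_B, \mathrm{Sign}_B\)
- Alice: verify \(\mathrm{Time}_B, \mathrm{Sign}_B\); \(s \equiv r^{-1} \beta \bmod n_b\); the e-cash is \((e_t, n_t, v, s)\)
(Figure: e-cash fields: \(e_t, n_t\); Expiration date; Balance; \(\mathrm{Sign}_B\). v’s format: Bank, dd/mm/yyyy, $xxx.xx)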
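On-line Shopping Protocol
Parties: Alice, Merchant, Bank (\(e_b, d_b\))
- Alice holds \(PK_T = (e_t, n_t)\), \(SK_T = (d_t, p_t, q_t)\) and the e-cash \((e_t, n_t, v, s)\), with \(s = H(e_t \| n_t)^{(e_b v)^{-1}}\)
- Alice: select e-goods; \(\mathrm{Sign}_t = [H(\mathrm{Cost}, \mathrm{Account}_M, \text{e-cash}, \mathrm{Time}_A) \,\|\, H(\text{e-goods})]^{d_t} \bmod n_t\)
- Alice → Merchant: e-goods, Cost, \(\mathrm{Account}_M\), e-cash, \(\mathrm{Time}_A\), \(\mathrm{Sign}_t\)
- Merchant: verify; \(\mathrm{EMD} = h(\text{e-goods})\)
- Merchant → Bank: Cost, \(\mathrm{Account}_M\), e-cash, \(\mathrm{Time}_A\), EMD, \(\mathrm{Sign}_t\)
- Bank: verify; \(s' = [H(e_t, n_t, v, s, RM)]^{d_b} \bmod n_b\)
- Bank: \(\mathrm{Sign}_B = [H(\mathrm{Receipt}_M, \text{e-cash}, RM, s', \mathrm{Time}_B)]^{d_b} \bmod n_b\)
- Bank → Merchant: \(\mathrm{Receipt}_M\), e-cash, \(RM\), \(s'\), \(\mathrm{Time}_B\), \(\mathrm{Sign}_B\)
- Merchant: verify; \(\mathrm{Sign}_M = [H(\mathrm{License}, \mathrm{Receipt}_A, \text{e-cash}, RM, s', \mathrm{Time}_M)]^{d_M} \bmod n_M\)
- Merchant → Alice: License, \(\mathrm{Receipt}_A\), e-cash, \(RM\), \(s'\), \(\mathrm{Time}_M\), \(\mathrm{Sign}_M\)
- Alice: the e-cash is now \((e_t, n_t, v, s, RM, s')\)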
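E-cash Renew Protocol
Parties: Alice (\(e_A, d_A\)), Bank (\(e_b, d_b\))
- Alice holds \(s' = [H(e_t, n_t, v, s, RM)]^{d_b} \bmod n_b\) from the shopping protocol
- Alice: fill in a new e-cash form \(v'\); \(\alpha \equiv r^{e_b v'} H(e_t \| n_t) \bmod n_b\)
- Alice: \(\mathrm{Sign}_t = [h(\alpha, v, e_t, n_t, v', s', \mathrm{Time}_t)]^{d_t} \bmod n_t\)
- Alice → Bank: \(\alpha, v, e_t, n_t, v', s', \mathrm{Time}_t, \mathrm{Sign}_t\)
- Bank: verify; \(\beta = \alpha^{(e_b v')^{-1}} \bmod n_b = r\,H(e_t \| n_t)^{(e_b v')^{-1}}\)
- Bank: \(\mathrm{Sign}_B = [H(e_t, n_t, v', s', \beta, \mathrm{Time}_B)]^{d_b} \bmod n_b\)
- Bank → Alice: \(e_t, n_t, v', s', \beta, \mathrm{Time}_B, \mathrm{Sign}_B\)
- Alice: verify \(\mathrm{Time}_B, \mathrm{Sign}_B\); \(s'' \equiv r^{-1} \beta \bmod n_b\); the e-cash is \((e_t, n_t, v', s'')\)
(Figure: v’s format: Bank, dd/mm/yyyy, $xxx.xx)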
Protocol Characteristics
- Strong privacy protection
  - An anonymous temporary public key is embedded into the partial blind signature
  - Unlinkability: no one can determine the customer
  - The format and content of message v are the same as in other e-cash
- Non-repudiation
  - The signature is useful if there is a dispute later
- Strong safety protection
  - Another person cannot spend the e-cash without the private key
Security Analysis
- Passive attacks
  - All messages are protected by SSL secure channels
- Active attacks
  - Replay attacks: can be defeated by time stamps
  - Modification attacks: can be defeated by signatures
Conclusion
(Table: columns Customer, Bank, Merchant; rows Denying, Double-spending, Losing, Misusing, Stealing)