1. A flexible date-attachment scheme on e-cash
Authors: Chin-Chen Chang and Yeu-Pong Lai
Source: Computers & Security, Vol. 22, No. 2, pp , 2003
Reporter: Jung-Wen Lo(駱榮問)
Date: 2004/08/26

2. Outline Introduction Review The proposed scheme Comparison Conclusions
Online e-cash payment system
Four Phases
Review
Chaum’s Untraceable electronic cash
Fan et al.’s Date attachable electronic cash
The proposed scheme
Comparison
Conclusions
Comments

3. Introduction- Online e-cash payment system
2. Deduct
Bank Databse
1. Withdraw
6. Deposit
Bank
3. E_Cash
5. Deposit
Customer
4. Pay E_Cash
※ Electronic cash scheme:
Original: D. Chaum, 1990
Partially blind signature: Abe-Fujisaki, 1996 Date attached: Fan et al., 2000
Merchant

4. Four Phases Initializing Withdrawing Unblinding Depositing Bank
RSA Public key pair
Withdrawing
Customer
Withdrawal
Blind signature
Unblinding
Unblinding signature
Depositing
Customer
Pay money
Merchant
Deposit
Bank
Double spending check

5. Chaum’s Untraceable electronic cash
Phase
Bank
Customer
Merchant
PK: (e, n) PV: d
Initial
Withdraw
random r, m α=reH(m) mod n α
t=αd mod n
(deduct w) t
s=r-1t mod n
Unblind
(m,s)
Deposit
se?≡H(m) mod n
(m, s)
Verify as Merchant
(deposit w)

6. Fan et al.’s Date attachable electronic cash
Phase
Bank
Customer
Merchant
PK: (e, n) PV: d
Initial
Withdraw
C: random r, x1,…,x6 m=H100(x1)||H100(x2)||H12(x3)||H12(x4)||H31(x5)||H31(x6) α=reH(m) mod n α
t=αd mod n
(deduct w) t
Unblind
s=r-1t mod n
C: α1=Ha(x1), α2=H100-a(x2), α3=Hb(x3), α4=H12-b(x4), α5=Hc(x5), α6=H31-c(x6)
Deposit
s,a,b,c,α1,α2, α3,α4,α5,α6
se?≡H(H100(α1)|| H100(α2)||H12(α3)|| H12(α4)||H31(α5)|| H31(α6)) mod n
s,a,b,c,α1,α2, α3,α4,α5,α6
Verify as Merchant
(deposit w)

7. The proposed scheme Phase Bank Customer Merchant
PK: (e,n) ; (e*,n*) PV: d ; d*
1.Initial
random r1, m α=r1eH(m) mod n
2.Withdraw α
t1=αd mod n
(deduct w) t1
s=r1-1t1 mod n β=r2e*G(s) mod n* β
3.Unblind
※δ(date slip) =Gd*(s) mod n*
t2=βd* mod n t2
δ=r2-1t2 mod n*
4.Date-attach
δe*?=G(s) mod n* s’ =Gd*(s||a||b||c)
δ,s,(a,b,c) s’
(m,s,a,b,c),s’
5.Deposit
se?≡H(m) mod n s’ e*?≡G(s||a||b||c) mod n*
(m,s,a,b,c),s’
Verify as Merchant
(deposit w)

8. Comparison

9. Conclusions Untraceability Correctness Unforgeability Flexibility
Phase 1, 2, 3
Bank knows customer but not e-cash (m,s)
Phase 4, 5
No customer information but only e-cash
Correctness
Only original customer can modify date because only he knows δ
Unforgeability
Date is sealed in s’ and protected with G() and RSA scheme
Merchant cannot forge e-cash because cannot drive m from s
Flexibility
The date can be change after e-cash has been deposited
Customer and merchant agree to change date and customer redo Phase 4 and 5 to get a new s’

10. Comments Withdraw phase (Customer-Bank)
Unconvenient: Use the whole money for once
Channel is insecure
Impersonation
Cannot against interruption attack