1. WISA2003 1 An Efficient On-line Electronic Cash with Unlinkable Exact Payments Toru Nakanishi, Mitsuaki Shiota and Yuji Sugiyama Dept. of Communication Network Engineering, Okayama Univ., Japan

2. WISA2003 2 What’s on-line e-cash ? Bank User Withdrawal Coins of amounts w Payment for a merchant User’s account -w User Bank Coins of amounts p Merchant’s account +p e-cash: By circulating information called coin, a payment from a user to a merchant is performed A bank issues coins, and manages payments On-line: The payment transaction from a user to a merchant involves with the bank

3. WISA2003 3 Requirements Security…unforgeability, no over-spending,… Privacy protection…unlinkability (>anonymity) Unknown whether two payments were made by the same user Convenience…Exact payments (payments of arbitrary amounts) User A payment Bank Coins of amounts p User Bank Coins of amounts p’ Another payment Unlinkable

4. WISA2003 4 Previous work On-line system [3] with unlinkable exact payments User anonymously obtains changes User Payment of $25 Bank $50 $5 $20 [3] Brickell et.al., “Trustee-based tracing extensions to anonymous cash and the making of anonymous change”, SODA95 Note: coin amounts are public

5. WISA2003 5 Assume there are coin types with all payable amounts( e.g., ￠ 1 coin type ～ $1,000 coin type) A payment T1 Another payment T2 Use a coin with $27.46 Problems of [3] Payment of $22.54 Specific amount $27.46 in a lot of amounts($0.01 ～ $1000.00) largely reduces the number of candidates to link → weaken unlinkability User Bank $50$27.46

6. WISA2003 6 Problems of [3] (Cont.) Assume there are coin types with amounts 2 i (1, 2, 4, 8, …) N : the number of payable amounts Then, to express any amount, O(log N) coins needed In case of N=100,000( ￠ 1 ～ $1,000), 17 coins Protocol [3] needs about10 multi-exp’s per a coin Total cost of a payment is more than 100 multi-exp’s Inefficient (Similar in case of other coin types) [3] does not satisfy unlinkability or efficiency

7. WISA2003 7 Our contributions On-line e-cash with unlinkable exact payments satisfying both efficiency and unlinkability A payment needs only 1 coin → Efficient Coin amounts are kept secret → Protect linking via coin amounts

8. WISA2003 8 Our approach Use changes A coin is assigned to any amount Every coin amount is kept secret, but correctness of amounts of old and new coins is ensured by a ZPK (Zero- knowledge Proof of Knowledge) Bank User amount m - p amount m payment of amount p

9. WISA2003 9 Used tool:Camenisch- Lysyanskaya signature scheme[4] RSA type Multiple messages signed A coin : Sign(x,m) w.r.t. Bank’s key x: a secret of user, m: coin amount [4] Camenisch, Lysyanskaya, “A signature scheme with efficient protocols,” SCN02 Note: Sign(x,m)… unforgeability Secrecy of x … used to detect double-spending coin (the detail is omitted here)

10. WISA2003 10 Protocols in [4] A ZPK of ownership of Sign(x,m) without revealing Sign(x,m), x, m A protocol to sign, where x, m are kept secret for the signer Com(x, m) (Commitment of x and m) Sign(Com(x, m)) Signer Receiver Sign(x, m)

11. WISA2003 11 Idea of our system (unlinkability & correctness in payment) Payment of $p Bank User Old coin of $m : Sign(x,m) Com(x’, m’) ZPK of ownership of Sign(x,m) ZPK of equation m’= m – p ZPK of inequation p ≦ m No information revealed → unlinkability, amounts secrecy ZPK of Sign → ownership of old coin ZPK of m’=m-p → consistency of coin amounts ZPK of p ≦ m → no over-spending Sign(Com(x’, m’)) New coin of $m’: Sign(x’,m’)

12. WISA2003 12 Conclusion Efficient on-line e-cash with unlinkable exact payments O(1) efficiency w.r.t. N In detail, about 20 multi-exp’s in a payment

13. WISA2003 13 Future works Strict security considerations Further efficiency improvements