Current issues of e-cash and Fair tracing Network Security Term Project Kim Byeong Gon Cais Lab of...

Current issues of e-cash and Fair tracing

Network Security Term Project

Kim Byeong GonCais Lab of ICU

2002.10.10

Contents

Overview of e-cash Classification

Curren issues Goal Basic Protocol Examples of Countermeasures Fair tracing

Building blocks Previous work

Future work References


Fair tracing

Overview of e-cash

Similar names areElectronic money, Cyber money, e-cash, virtual currency

Classification of Electronic payment


Fair tracing

By functionalityBy functionality

By PaymentBy Payment By SettlementBy Settlement

Classification (1/3)

Classification by functionality


Fair tracing

IC card type

Open - Value transfer is possible between card owner - Perfect

E-wallet is needterminal is need

- Mondex

Closed - Value transfer is impossible between card owner - VisaCash

IC card type

Open - Value transfer is possible between card owner - Perfect

E-wallet is needterminal is need

- Mondex

Closed - Value transfer is impossible between card owner - VisaCash

Network type

Re-charge is easy

Use network

suitable for e-commerce

Network type

Re-charge is easy

Use network

suitable for e-commerce


Classification by Settlement


Fair tracing

Credit

E-mail First VirtualCyberCashMicrosoft/VisaNetscape/MasterCard

Credit

E-mail First VirtualCyberCashMicrosoft/VisaNetscape/MasterCard

Token

DigiCashNetCash

Token

DigiCashNetCash

Cash

Mondex

Cash

Mondex

Prepaid(Debit)

BankNet FSTC Electronic Checks

Prepaid(Debit)

BankNet FSTC Electronic Checks


Classification by payment


Fair tracing

e-cash IC card type Network type Visa International : Visa Cash DigiCash : E-Cash Electronic Payment Service : SmartCash CyberCash : CyberCoin Mondex International : Mondex California Univ. : NetCash

e-cash IC card type Network type Visa International : Visa Cash DigiCash : E-Cash Electronic Payment Service : SmartCash CyberCash : CyberCoin Mondex International : Mondex California Univ. : NetCash

Micro-payment system

MillicentPayWordMicroMint

Micro-payment system

MillicentPayWordMicroMint

Credit card (Network type)

CyberCash : Cyber Card ServiceFirst Virtual Holdings : International Payment SystemSET

Credit card (Network type)

CyberCash : Cyber Card ServiceFirst Virtual Holdings : International Payment SystemSET

e-check (Network type)

Checkfree : Checkfree Payment ServiceSTC : Electronic CheckCalifornia Univ. : NetChequeNetChexEcheque

e-check (Network type)

Checkfree : Checkfree Payment ServiceSTC : Electronic CheckCalifornia Univ. : NetChequeNetChexEcheque

Account transfer (Network type)Intuit : Quicken Microsoft : MoneyMeca Software : Managing Your MoneySFNB(Security First Network Bank)NetBillMetaLand

Account transfer (Network type)Intuit : Quicken Microsoft : MoneyMeca Software : Managing Your MoneySFNB(Security First Network Bank)NetBillMetaLand

Current Issues E-cash requirements

Anonymity : Untraceability Anonymous revocation : Traceability Double spent prevention Off-line Transferability Divisibility Bank robbery attack Bank framing : Unforgeability Etc.


Fair tracing

Goals

In this term project, I will suggest an enhanced scheme for fair tracing or fair exchange of e-cash.


Fair tracing

Basic Protocol(1/2)


Fair tracing

NotationsSKB : Bank’s secrete key PKB : Bank’s public key{M}SK : Message and its signature under key SK

A first-Try Protocol Withdrawal Protocol

1. User tells Bank she would like to withdraw $10.

2. Bank returns a $10 bill which looks like this :{I am a $10 bill, #4527}SKB

and withdraw $10 from User account.

3. User checks the signature and if it is valid accepts the bill.

Basic Protocol(2/2)


Fair tracing

Payment Protocol1. The User pays the Vendor with the bill.

2. The Vendor checks the signature and if it is valid, accepts the bill.

Deposit Protocol1. The Vendor gives the bill to the Bank.

2. The Bank checks the signature and if it is valid, credits the Vendor’s account

Basic problems of this scheme are- Duplicate, Double-spending

- Anonymity : Bank can link user and serial number, therefore bank know where the user spent the coin.

- Many other issues

Examples of Countermeasures (1/2)


Fair tracing

Anonymity Problem

▶ Blind Signature Bank cannot know which bill is who’s one.But, user can cheat the bank about real amount.

▶ Fixing the dollar amount Use several PKiB for each bills of i dollars.

▶ Cut and Choose 1. User makes up 100 $20 bills.2. Blinds them using ri R Zp and gives it to the Bank3. Bank picks one to sign(at random), User unblind all of the rest. Ensures that all of the bills that were unblinded were correct. Return one signed $20 bill. (1/100 probability of cheating)

Examples of Countermeasures (2/2)


Fair tracing

double Spending Problem (off-line)

▶ RIS(Random Identity String)During the payment, the User is forced to write RIS on the bill.RIS must have the following properties,

- must be different for every payment of the coin- only the user can create a valid RIS- two different RIS on the same coin should allow the Bank to retrieve the User name

ex) The User prepares 100 bills of $20 which look like this :Mi = (I’m $20 bill, #4527i, yi1,yi1’, yi2,yi2’,…. yik,yik’)where i = 1..100, yij = H(xij), yij’= H(xij’), where xij ⊕ xij’ = User name for all i,j

Fair Tracing


Fair tracing

Unconditional anonymity[vSN92]This may be misused for untraceable blackmailing of customers(perfect crime)

Revocable anonymity[SPC95,DFTY97]One or more TTP can link the the withdrawal and the deposit of coinsCoin tracing : Is the withdrawn coin is deposited?Owner tracing : Who is the withdrawer of this deposited coin?

Fair Tracing problem[KV01]Legal Tracing : If it has been permitted by a judge or by the withdrawer.Illegal Tracing : If is is used without the permission of a judge or of withdrawerFair Tracing : Legal tracing is always possible, but illegal tracing is inhibited.

This is optimistic because illegal tracing can be detected later.

Building Blocks


Fair tracing

Okamoto-Schnorr Blind Signaturep,q : two large primes such that q/p-1g1, g2 Zp

* with order qPublic key pair of signerChoose s1, s2 R Zq y = g1

s1 g2s2 mod p

Secrete (s1,s2)Public (g1, g2,y)

2. Blinds a with β,γ,δ R Zq α = ag1

β g2γyδ mod p

e = H(m, α ) - δ mod q

4. ρ= S1 + β mod q, σ = S2 + γ mod q signature is (α, ρ, σ) for message m

1. Select k1,k2 R Zq a = g1

k1 g2k2 mod p

3. S1= k1 – es1 mod q, S2= k2– es2 mod q which satisfies a = g1

S1 g2S2ye mod p

Customer Bank

a

e

(S1,S2)

Verifty α =? g1ρ g2

σyH(m, α ) mod p ≡ g1S1+β g2

S2+γye+δ ≡ g1S1 g2

S2ye (g1β g2

γyδ) ≡ a(α/a)

Previous Work


Fair tracing

Kügler and Vogt[KV01] proposed marking mechanism based on a variant of an Okamoto-Schnorr Blind Signature[Oka92] in combination with a Chaum-van Antwerpen undeniable signature[Cha90].

Notations

p,q : two large primes such that q/p-1g1,g2,g3 Zp

* with order q(s1,s2) R Zq is the blind signature private key of the bankv = g1

s1g2s2 mod p is the blind signature public key of the bank

x R Zq is the undeniable signature private key of the banky = g3

x mod p is the undeniable signature public key of the bank

Previous Work


Fair tracing

Marking and WithdrawalCustomer Bank

Once per withdrawal :r R Zq

*

α = g1r mod p : new random generator

ω = αx mod p : undeniable sig’

For every coin :δ R Zq

* α’ = αδ mod p ω’ = ωδ ≡ αxδ ≡ α’x mod p

α ,ω

qrcskS

qcskS

pga

Z

kk

q

mod

mod

modα

)k,(k

1222

111

1

R21

21

)ω',α','S,'S,c'(m,:coin

vα'?'

modβδ'

modβ'

mod'

)',α',('

vα''

γ),β,(β

21

c'''1

221-

2

111

γββ1

R21

21

21PK)sig'blind:(v

SS

q

ga

qSS

qSS

qrcc

amHc

gaa

Z

a

c

S1,S2

Previous Work


Fair tracing

Tracing Capabilities

Coin tracing - Chooses and stores a random undeniable signature key xm such that

- The bank test for all stored marking keys xm

Tracing authority- The tracing capability can be transfered to a separate tracing authority. marking is invisible even for the bank. (Refer to [KV01])

Fair tracing- Revealing key x has no impact on the security of the Okamoto-Schnorr signature. : undeniable sig’ is independent to blind sig’- Customer can detect marking by testing But he needs additional info. Sigbank =(α,ω,customer ID, coin generation)

p modαω mx

)ω',α','S,'S,c'(m,:coin 21

p modα'ω' mx

p modαω x

)generationcoin ID,Customer p, mod (gSig Cert m

3judgejudgex

Future work


Fair tracing

Detail analysis about fair tracing

Study other fair tracing scheme

Develop enhanced scheme.

References


Fair tracing

[KV01] D. Kügler and H. Vogt. Fair tracing without trustees. In Financial Cryptography – FC2001. Preproceedings, 2001.

[vSN92] B. Von Solms and D. Naccache. On blind signatures and perfect rimes. Computers and Security, 11(6):581-583, 1992.

[SPC95] M. Stadler, J.-M. Piveteau, and J. Camenisch. Fair blind signatures. In Advances in Cryptology - EUROCRYPT ’95, volume 921of Lecture Notes in Computer Science, pages 209-219. Springer-Verlag, 1995

[DFTY97] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung. Anonymity control in e-cash systems, In Financial Cryptography - FC’97, volume 1318 of LNCS, pages 1-16. Springer-Verlag, 1997

[Oka92] T.Okamoto, Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes , Advances in Cryptology-Crypto ’92, LNCS Vol.740, pages 31 –53, Springer-Verlag,1992.

[Cha90] D.Chaum. Zero-knowledge undeniable signatures. In Advances in Cryptology – EUROCRYPT ’90, volume 473 of LNCS, pages 458-464. Springer-Verlag, 1990

[JKC01] Jinho Kim, Kwangjo Kim, Chulsoo Lee, An Efficient and Provably Secure Threshold Blind Signature, In ICISC 2001, volume 2288 of LNCS, pages 318 – 327. Springer-Verlag, 2002

Current issues of e-cash and Fair tracing Network Security Term Project Kim Byeong Gon Cais Lab of...

Documents

Transcript of Current issues of e-cash and Fair tracing Network Security Term Project Kim Byeong Gon Cais Lab of...