Current issues of e-cash and Fair tracing
Network Security Term Project
Kim Byeong Gon, Cais Lab of ICU
2002.10.10
Contents
- Overview of e-cash
- Classification
- Current issues
- Goal
- Basic Protocol
- Examples of Countermeasures
- Fair tracing
- Building blocks
- Previous work
- Future work
- References
Overview of e-cash
Similar names are: Electronic money, Cyber money, e-cash, virtual currency
Classification of Electronic payment
- By functionality
- By Payment
- By Settlement
Classification (1/3)
Classification by functionality
IC card type
Open
- Value transfer is possible between card owners
- Perfect E-wallet is needed; terminal is needed
- Mondex
Closed
- Value transfer is impossible between card owners
- VisaCash
Network type
- Re-charge is easy
- Uses the network
- Suitable for e-commerce
Classification (2/3)
Classification by Settlement
Credit : E-mail First Virtual, CyberCash, Microsoft/Visa, Netscape/MasterCard
Token : DigiCash, NetCash
Cash : Mondex
Prepaid (Debit) : BankNet, FSTC Electronic Checks
Classification (3/3)
Classification by payment
e-cash
IC card type
- Visa International : Visa Cash
- Electronic Payment Service : SmartCash
- Mondex International : Mondex
Network type
- DigiCash : E-Cash
- CyberCash : CyberCoin
- California Univ. : NetCash
Micro-payment system
- Millicent
- PayWord
- MicroMint
Credit card (Network type)
- CyberCash : Cyber Card Service
- First Virtual Holdings : International Payment System
- SET
e-check (Network type)
- Checkfree : Checkfree Payment Service
- STC : Electronic Check
- California Univ. : NetCheque
- NetChex
- Echeque
Account transfer (Network type)
- Intuit : Quicken
- Microsoft : Money
- Meca Software : Managing Your Money
- SFNB (Security First Network Bank)
- NetBill
- MetaLand
Current Issues
E-cash requirements
- Anonymity : Untraceability
- Anonymous revocation : Traceability
- Double spent prevention
- Off-line
- Transferability
- Divisibility
- Bank robbery attack
- Bank framing : Unforgeability
- Etc.
Goals
In this term project, I will suggest an enhanced scheme for fair tracing or fair exchange of e-cash.
Basic Protocol(1/2)
Notations
- SKB : Bank’s secret key
- PKB : Bank’s public key
- {M}SK : Message and its signature under key SK
A First-Try Protocol
Withdrawal Protocol
1. User tells the Bank she would like to withdraw $10.
2. Bank returns a $10 bill which looks like this : {I am a $10 bill, #4527}SKB, and withdraws $10 from the User's account.
3. User checks the signature and, if it is valid, accepts the bill.
Basic Protocol(2/2)
Payment Protocol
1. The User pays the Vendor with the bill.
2. The Vendor checks the signature and, if it is valid, accepts the bill.
Deposit Protocol
1. The Vendor gives the bill to the Bank.
2. The Bank checks the signature and, if it is valid, credits the Vendor’s account.
Basic problems of this scheme are
- Duplication, double-spending
- Anonymity : the Bank can link the user and the serial number, therefore the Bank knows where the user spent the coin.
- Many other issues
Examples of Countermeasures (1/2)
Anonymity Problem
▶ Blind Signature
The Bank cannot know which bill belongs to whom. But the user can cheat the Bank about the real amount.
▶ Fixing the dollar amount
Use several PKiB, one for each kind of bill of i dollars.
▶ Cut and Choose
1. User makes up 100 $20 bills.
2. Blinds them using \( r_i \in_R Z_p \) and gives them to the Bank.
3. Bank picks one to sign (at random), User unblinds all of the rest. Ensures that all of the bills that were unblinded were correct. Return one signed $20 bill. (1/100 probability of cheating)
Examples of Countermeasures (2/2)
Double Spending Problem (off-line)
▶ RIS (Random Identity String)
During the payment, the User is forced to write an RIS on the bill. The RIS must have the following properties:
- must be different for every payment of the coin
- only the user can create a valid RIS
- two different RIS on the same coin should allow the Bank to retrieve the User name
ex) The User prepares 100 bills of $20 which look like this :
\( M_i = (\text{I'm \$20 bill},\ \#4527i,\ y_{i1}, y'_{i1}, y_{i2}, y'_{i2}, \ldots, y_{ik}, y'_{ik}) \)
where \( i = 1..100 \), \( y_{ij} = H(x_{ij}) \), \( y'_{ij} = H(x'_{ij}) \), and \( x_{ij} \oplus x'_{ij} = \) User name for all i, j
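The RIS construction above for a single bill, as an added example that is not part of the original slides. It assumes the vendor supplies a k-bit challenge at payment time that selects which half of each pair is revealed (the slides do not say how the RIS is chosen); SHA-256 stands in for H, and all function names are hypothetical.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def make_bill(user_name: str, k: int):
    """User: pick k pairs (x_j, x_j') with x_j XOR x_j' = user name.
    The bill carries only the hashes y_j = H(x_j), y_j' = H(x_j')."""
    uid = user_name.encode()
    pairs = []
    for _ in range(k):
        x = secrets.token_bytes(len(uid))
        pairs.append((x, xor(x, uid)))
    commitments = [(H(x), H(xp)) for x, xp in pairs]
    return commitments, pairs

def make_ris(pairs, challenge):
    """User at payment: challenge bit 0 reveals x_j, bit 1 reveals x_j'."""
    return [pair[bit] for pair, bit in zip(pairs, challenge)]

def check_ris(commitments, challenge, ris):
    """Vendor/Bank: each revealed value must hash to the matching y on the bill."""
    return len(ris) == len(commitments) and all(
        H(r) == c[bit] for c, bit, r in zip(commitments, challenge, ris))

def identify_double_spender(deposit_a, deposit_b):
    """Bank: two deposits of one bill. Where the challenge bits differ it
    holds both x_j and x_j', and their XOR is the user name."""
    (ch_a, ris_a), (ch_b, ris_b) = deposit_a, deposit_b
    for bit_a, r_a, bit_b, r_b in zip(ch_a, ris_a, ch_b, ris_b):
        if bit_a != bit_b:
            return xor(r_a, r_b).decode()
    return None  # same challenge twice: nothing new is revealed

# Constructed sample run: one bill spent at two vendors with different challenges.
commitments, pairs = make_bill("alice", k=8)
challenge_1 = [0, 1, 1, 0, 0, 1, 0, 1]
challenge_2 = [0, 1, 0, 0, 1, 1, 0, 1]
ris_1 = make_ris(pairs, challenge_1)
ris_2 = make_ris(pairs, challenge_2)
```

A single deposit shows the Bank only one half of every pair, so the user stays anonymous; two identical k-bit challenges would also reveal nothing, which is why k must be large enough to make that unlikely.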
Fair Tracing
Unconditional anonymity [vSN92]
This may be misused for untraceable blackmailing of customers (perfect crime).
Revocable anonymity [SPC95, DFTY97]
One or more TTPs can link the withdrawal and the deposit of coins.
- Coin tracing : Is the withdrawn coin deposited?
- Owner tracing : Who is the withdrawer of this deposited coin?
Fair Tracing problem [KV01]
- Legal Tracing : If it has been permitted by a judge or by the withdrawer.
- Illegal Tracing : If it is used without the permission of a judge or of the withdrawer.
- Fair Tracing : Legal tracing is always possible, but illegal tracing is inhibited.
This is optimistic because illegal tracing can be detected later.
Building Blocks
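Okamoto-Schnorr Blind Signature
\( p, q \) : two large primes such that \( q \mid p-1 \)
\( g_1, g_2 \in Z_p^* \) with order \( q \)
Public key pair of signer
Choose \( s_1, s_2 \in_R Z_q \), \( y = g_1^{s_1} g_2^{s_2} \bmod p \)
Secret \( (s_1, s_2) \), Public \( (g_1, g_2, y) \)
Protocol (Customer / Bank)
1. Bank : Select \( k_1, k_2 \in_R Z_q \), \( a = g_1^{k_1} g_2^{k_2} \bmod p \). Bank → Customer : \( a \)
2. Customer : Blinds \( a \) with \( \beta, \gamma, \delta \in_R Z_q \) : \( \alpha = a\, g_1^{\beta} g_2^{\gamma} y^{\delta} \bmod p \), \( e = H(m, \alpha) - \delta \bmod q \). Customer → Bank : \( e \)
3. Bank : \( S_1 = k_1 - e s_1 \bmod q \), \( S_2 = k_2 - e s_2 \bmod q \), which satisfies \( a = g_1^{S_1} g_2^{S_2} y^{e} \bmod p \). Bank → Customer : \( (S_1, S_2) \)
4. Customer : \( \rho = S_1 + \beta \bmod q \), \( \sigma = S_2 + \gamma \bmod q \); the signature is \( (\alpha, \rho, \sigma) \) for message \( m \)
Verify
\( \alpha \overset{?}{=} g_1^{\rho} g_2^{\sigma} y^{H(m,\alpha)} \bmod p \equiv g_1^{S_1+\beta} g_2^{S_2+\gamma} y^{e+\delta} \equiv g_1^{S_1} g_2^{S_2} y^{e}\,(g_1^{\beta} g_2^{\gamma} y^{\delta}) \equiv a\,(\alpha/a) \)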
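The four protocol steps and the verification equation above, run end to end as an added example (not code from the slides or from the cited papers). The group parameters are toy values constructed for this example and are far too small for real use; SHA-256 reduced mod q stands in for H, and the class and function names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters constructed for this example: q | p-1, g1 and g2 of order q.
P, Q = 2039, 1019
G1, G2 = 4, 9

def H(m: bytes, alpha: int) -> int:
    digest = hashlib.sha256(m + alpha.to_bytes(2, "big")).digest()
    return int.from_bytes(digest, "big") % Q

class Bank:
    def __init__(self):
        self.s1, self.s2 = secrets.randbelow(Q), secrets.randbelow(Q)   # secret
        self.y = pow(G1, self.s1, P) * pow(G2, self.s2, P) % P          # public

    def commit(self):
        """Step 1: a = g1^k1 * g2^k2 mod p."""
        self.k1, self.k2 = secrets.randbelow(Q), secrets.randbelow(Q)
        return pow(G1, self.k1, P) * pow(G2, self.k2, P) % P

    def respond(self, e):
        """Step 3: S1 = k1 - e*s1, S2 = k2 - e*s2 (mod q)."""
        return (self.k1 - e * self.s1) % Q, (self.k2 - e * self.s2) % Q

def withdraw(bank, m: bytes):
    """Customer side; returns the signature and what the bank saw."""
    a = bank.commit()
    beta, gamma, delta = (secrets.randbelow(Q) for _ in range(3))
    # Step 2: blind a, then hide the real challenge H(m, alpha) behind delta.
    alpha = a * pow(G1, beta, P) * pow(G2, gamma, P) * pow(bank.y, delta, P) % P
    e = (H(m, alpha) - delta) % Q
    S1, S2 = bank.respond(e)
    # The bank's answer must satisfy a = g1^S1 * g2^S2 * y^e mod p.
    assert a == pow(G1, S1, P) * pow(G2, S2, P) * pow(bank.y, e, P) % P
    # Step 4: unblind.
    signature = (alpha, (S1 + beta) % Q, (S2 + gamma) % Q)
    return signature, (a, e, S1, S2)

def verify(y, m: bytes, signature):
    alpha, rho, sigma = signature
    rhs = pow(G1, rho, P) * pow(G2, sigma, P) * pow(y, H(m, alpha), P) % P
    return alpha == rhs
```

The bank's view `(a, e, S1, S2)` and the final `(alpha, rho, sigma)` are related only through the customer's random `beta, gamma, delta`, which is what prevents the bank from linking a deposited coin to a withdrawal.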
Previous Work
Kügler and Vogt [KV01] proposed a marking mechanism based on a variant of an Okamoto-Schnorr Blind Signature [Oka92] in combination with a Chaum-van Antwerpen undeniable signature [Cha90].
Notations
\( p, q \) : two large primes such that \( q \mid p-1 \)
\( g_1, g_2, g_3 \in Z_p^* \) with order \( q \)
\( (s_1, s_2) \in_R Z_q \) is the blind signature private key of the bank
\( v = g_1^{s_1} g_2^{s_2} \bmod p \) is the blind signature public key of the bank
\( x \in_R Z_q \) is the undeniable signature private key of the bank
\( y = g_3^{x} \bmod p \) is the undeniable signature public key of the bank
Previous Work
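Marking and Withdrawal (Customer / Bank)
Bank, once per withdrawal :
\( r \in_R Z_q^* \)
\( \alpha = g_1^{r} \bmod p \) : new random generator
\( \omega = \alpha^{x} \bmod p \) : undeniable sig’
Bank → Customer : \( \alpha, \omega \)
Customer, for every coin :
\( \delta \in_R Z_q^* \)
\( \alpha' = \alpha^{\delta} \bmod p \)
\( \omega' = \omega^{\delta} \equiv \alpha^{x\delta} \equiv \alpha'^{x} \bmod p \)
Blind signature on each coin (\( v \) : blind sig’ PK)
Bank : \( (k_1, k_2) \in_R Z_q \). Bank → Customer : \( a \)
Customer : \( (\beta_1, \beta_2, \gamma) \in_R Z_q \). Customer → Bank : \( c \)
Bank → Customer : \( S_1, S_2 \)
coin : \( (m, c', S_1', S_2', \alpha', \omega') \)
[Slide diagram: the equations for \( a \), \( c \), \( S_1 \), \( S_2 \) and the unblinded values \( c' \), \( S_1' \), \( S_2' \) did not survive text extraction.]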
Previous Work
Tracing Capabilities
Coin tracing
- Chooses and stores a random undeniable signature key \( x_m \) such that \( \omega \equiv \alpha^{x_m} \bmod p \)
- The bank tests, for all stored marking keys \( x_m \), \( \omega' \equiv \alpha'^{x_m} \bmod p \) on the coin \( (m, c', S_1', S_2', \alpha', \omega') \)
Tracing authority
- The tracing capability can be transferred to a separate tracing authority. Marking is invisible even for the bank. (Refer to [KV01])
Fair tracing
- Revealing key \( x \) has no impact on the security of the Okamoto-Schnorr signature : undeniable sig’ is independent of blind sig’
- Customer can detect marking by testing \( \omega \equiv \alpha^{x} \bmod p \). But he needs additional info : \( Sig_{bank} = (\alpha, \omega, \text{customer ID}, \text{coin generation}) \)
\( Cert_{judge} = Sig_{judge}(g_3^{x_m} \bmod p, \text{Customer ID}, \text{coin generation}) \)
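The marking and tracing tests above, as an added example that is not code from the slides or from [KV01]. It covers only the undeniable-signature part (the pair α, ω and its per-coin blinding) and leaves out the blind signature, Sig_bank and the judge's certificate; the group is a toy one constructed for this example, and all names are hypothetical.

```python
import secrets

# Toy group constructed for this example: q | p-1, g1 has order q.
P, Q, G1 = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # element of Z_q^*

class Bank:
    def __init__(self):
        self.x = rand_exp()          # standard undeniable signature key
        self.marking_keys = {}       # stored x_m -> customer ID

    def issue(self, customer_id, mark=False):
        """Once per withdrawal: alpha = g1^r, omega = alpha^x.
        A marked withdrawal uses a fresh stored key x_m instead of x."""
        key = self.x
        if mark:
            while key == self.x or key in self.marking_keys:
                key = rand_exp()
            self.marking_keys[key] = customer_id
        alpha = pow(G1, rand_exp(), P)
        return alpha, pow(alpha, key, P)

    def trace(self, alpha_c, omega_c):
        """Coin tracing: test omega' == alpha'^x_m for all stored marking keys."""
        for x_m, customer_id in self.marking_keys.items():
            if pow(alpha_c, x_m, P) == omega_c:
                return customer_id
        return None

def blind_for_coin(alpha, omega):
    """Customer, for every coin: alpha' = alpha^delta, omega' = omega^delta."""
    delta = rand_exp()
    return pow(alpha, delta, P), pow(omega, delta, P)

def was_marked(alpha, omega, revealed_x):
    """Customer, once x is revealed: a marked pair fails omega == alpha^x."""
    return pow(alpha, revealed_x, P) != omega
```

Blinding with δ hides the coin from anyone who lacks the matching key, yet the relation ω' = α'^{x_m} survives it, so tracing works on marked coins and the customer can later prove marking once x is revealed.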
Future work
Detailed analysis of fair tracing
Study other fair tracing schemes
Develop an enhanced scheme.
References
[KV01] D. Kügler and H. Vogt. Fair tracing without trustees. In Financial Cryptography – FC2001. Preproceedings, 2001.
[vSN92] B. von Solms and D. Naccache. On blind signatures and perfect crimes. Computers and Security, 11(6):581-583, 1992.
[SPC95] M. Stadler, J.-M. Piveteau, and J. Camenisch. Fair blind signatures. In Advances in Cryptology – EUROCRYPT ’95, volume 921 of LNCS, pages 209-219. Springer-Verlag, 1995.
[DFTY97] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung. Anonymity control in e-cash systems. In Financial Cryptography – FC’97, volume 1318 of LNCS, pages 1-16. Springer-Verlag, 1997.
[Oka92] T. Okamoto. Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes. In Advances in Cryptology – CRYPTO ’92, volume 740 of LNCS, pages 31-53. Springer-Verlag, 1992.
[Cha90] D. Chaum. Zero-knowledge undeniable signatures. In Advances in Cryptology – EUROCRYPT ’90, volume 473 of LNCS, pages 458-464. Springer-Verlag, 1990.
[JKC01] Jinho Kim, Kwangjo Kim, and Chulsoo Lee. An Efficient and Provably Secure Threshold Blind Signature. In ICISC 2001, volume 2288 of LNCS, pages 318-327. Springer-Verlag, 2002.