How to Make E-cash with Non-Repudiation and Anonymity

Transcription

1 How to Make E-cash with Non-Repuiation an Anonymity Ronggong Song an Larry Korba Institute for Information Technology National Research Council of Canaa Ottawa, Ontario K1A 0R6, Canaa {Ronggong.Song, Abstract Current e-cash systems enable anonymity services to protect users' privacy, but most of them o not provie the non-repuiation service such that many problems exist in the systems like enying, losing, misusing, stealing, an ouble-spening, etc. This paper proposes an e-cash system in which a one-time public key is embee in the partial blin signature to provie the non-repuiation service against the above attacks. The article also emonstrates that the combination of the partial blin igital signature an anonymous igital signature makes the e-cash systems more robust an fair than before. 1. Introuction Internet is esigne to allow computers to easily interconnect an to assure that network connections will be maintaine even when various links may be amage. But this versatility also makes it easy to compromise ata security an privacy. In orer to provie security an privacy protection for e- commerce applications, Chaum [1] propose a blin signature scheme in The blin signature scheme not only retains the properties of traitional igital signatures but also supports the properties: (1) the message content is blin to the signer; (2) the message may not be trace by the signer after the signature is reveale. These properties can be use for many e-commerce applications, e.g. electronic cash (e-cash) systems [1, 2, 3, 4, 6, 9]. One feature of e-cash is that it is easily uplicate. This makes it is necessary for the bank to implement ouble-spening checking. However, the ouble-spening checking oes not provie a nonrepuiation service, i.e. the bank cannot prove whether the e-cash is spent by the real owner or just a thief since the non-repuiation service nees the customer's signature which may expose the customer's ientity. In orer to provie strong privacy an nonrepuiation protection for the customers an buil a fair e-cash system, we propose a new e-cash system using a moifie partial blin signature scheme propose by Abe [5]. In the new system, the customers first nee to buy the e-cash from their bank. When the customers want to use the e-cash for online shopping through Internet later, they coul use the e- cash for the payment. In the moifie partial blin signature scheme, we embe a temporary anonymous public key into the blin message, which oes not contain any information about the customer. Since only the owner of the e-cash has the private key corresponing to the temporary anonymous public key, the new e-cash system provies a non-repuiation service with the anonymous signature of the owner of the e-cash, i.e. if the customer really spent the e-cash before, he cannot eny the action because the bank has the signature to prove the own of the e-cash has spent it but the bank still oes not know who the customer is. In aition, except for the strong privacy protection, the customer can get another benefit from the new protocol no other person but the owner can prove that they are the owner of the e-cash even if other person has a copy of the e-cash. This makes the e-cash safer than before. The rest of the paper is organize as follows. Abe an Fujisaki's partial blin signature protocol is briefly reviewe in the next section. In Section 3, the new e- cash architecture an protocols are propose. In Section 4, the characteristics of the new system are escribe. In Section 5, the privacy an security of the new protocols are analyze. Finally, concluing remarks are given in Section Review of Abe an Fujisaki's Protocol 2.1. Terminology an Notations Terminology an notations use in the paper are efine as follows. A: a customer

2 B: a bank ES: an e-commerce store ID A : customer A's ientity H(): one-way hash function Z n : the integers moulo n * Z n : the multiplicative group of Z n M mo n: resiue of M ivie by n Time A : time stamp mae by customer A Sign A : customer A's signature gc(m, n) : greatest common ivisor of m an n A B:M: customer A sens message M to the bank B RM: remainer money after A purchases the e-goos EMD: e-goos message igest 2.2. Abe an Fujisaki's Partial Blin Signature Abe an Fujisaki's partial blin signature scheme is esigne to protect the bank's atabase from growing without limits since the bank nees to store all spent e- cash in its atabase for ouble-spening checking. In the scheme, each e-cash ocument issue by the bank contains an expiration ate such that all expire e-cash recore in the bank's atabase can be remove. The partial blin signature scheme is escribe as follows. (1) Initializing Base on RSA public key cryptosystem [7], the bank ranomly chooses two large prime numbers p an q, an computes n = p q an (n) = (p-1)(q-1). It then etermines a pair of public an private keys (e, ), satisfying e 1 (mo (n)) with gc(e, (n)) = 1, an both e an less than (n). The bank publishes (e, n) an a one-way hash function H, an keeps (, p, q) secret. Let every e-cash issue by the bank worth w ollars. (2) Withrawing If a customer ecies to withraw e-cash from the bank, he/she ranomly chooses two integers m an r in, an computes (r ev H(m) mo n) where v is a * Z n message preefine by the bank an contains an expiration ate of the e-cash. The customer then sens an v to the bank. After receiving (, v), the bank first verifies whether or not v is correct. If it is correct, 1 ( ev) the bank sens ( mo n) to the customer an eucts w ollars from the customer account in the bank. (3) Unblining After receiving, the customer computes s (r -1 mo n) an gets his/her e-cash (m, s, v). (4) Depositing When the customer uses the e-cash, the payee first verifies whether or not both v is correct an s ev H(m) mo n. If they are correct, he/she then calls the bank to check whether the e-cash has been alreay spent, i.e. ouble-spening checking. If the e-cash has not been spent, the payee accepts the payment an eposits the e-cash into his/her account, an the bank stores (m, s, v) in its atabase for ouble-spening checking, an as w ollars to the payee's account. 3. A New E-cash System 3.1. Architecture The new e-cash system consists of several components: bank, merchant, customer, an certificate authority (CA). In the new system, the bank, merchant, an customer first nee to apply an get their certificates from CA. Then, all secure communications between them can be establishe by Transport Layer Security channel ( or TLS [8, 10]) through Internet. Figure 1 epicts the new system architecture. CA Customer Figure 1. The new e-cash system architecture 3.2. Protocols Internet Merchant Bank Base on the above partial blin signature scheme an the new e-cash system architecture, the new e- cash scheme consists of several protocols as follows.

3 (1) E-cash Issue protocol In the e-cash issue protocol, we moify the above partial blin signature scheme an embe a temporary anonymous public key into the blin message such that it better suits e-cash systems an supports the non-repuiation service. When a customer wants to o online shopping, he/she first nees to buy some e- cashes issue by the bank using the following protocol where all communications are supporte by the security channel. 1. A B: ID A, Account A, PK A,, v, Time A, Sign A 2. B A: ID A, ID B,, Time B, Sign B In the above protocol, base on RSA public key cryptosystem, assume that the public an private key of the bank are ( eb, nb ) an ( b, pb, qb ), an the public an private key of the customer are ( ea, na ) an ( A, pa, qa ), respectively. The protocol is escribe as follows. Step 1: If a customer ecies to buy an e-cash from the bank, he/she first makes a temporary public key (e t, n t ), an keeps its private key ( t, p t, q t ) secret (using RSA public key cryptosystem). The customer * then chooses a ranom integer r in, an e b v Z nb computes ( r H(et n t ) mo n b ) where enotes the concatenation symbol, an v contains the following basic information preefine by the bank, i.e. expiration ate an money. /mm/yyyy $xxx.xx (Expiration ate) (How much money) The customer then computes the signature Sign A as follows. Sign A (H(ID A, Account A, PK A,, v, Time A ). n A ) A mo Finally, the customer uses the security channel to sen the messages (ID A, Account A, PK A,, v, Time A, Sign A ) to the bank. Step 2: After receiving the above messages through the security channel, the bank verifies whether or not the messages: Account A, Time A, Sign A, an v are correct. If they are correct, the bank 1 ( e b v) computes ( mo n ) an the signature: b ) b b Sign B (H(ID A, ID B,, Time B ) mo n. It then uses the security channel to sen the messages (ID A, ID B,, Time B, Sign B ) to the customer. In the meantime the bank eucts the money from the customer's account. e t, n t /mm/yyyy $xxx.xx Finally, after receiving the messages sent by the bank through the security channel, the customer verifies whether or not the messages: Time B an Sign B are correct. If they are correct, he/she then computes s (r -1 mo n b ) as the signature of the bank an gets his/her e-cash (e t, n t, v, s) epicte in Figure 2. (2) Online Shopping Protocol Temporary public key Expiration ate How much money Signature of the bank Figure 2. The igital e-cash When the customer wants to o online shopping for some e-goos like e-book, software, an movie, etc., since it is not necessary for the shipping service, he/she coul use the following protocol an e-cash to purchase an ownloa the licenses of the e-goos if he/she wants to hie his/her ientity. In the protocol, we assume that the communications also are protecte with the security channels. 1. A ES: E-goos, Cost, Account ES, e t, n t, v, s, Time A, Sign t 2. ES B: Cost, Account ES, e t, n t, v, s, Time A, EMD, Sign t 3. B ES: Receipt ES, e t, n t, v, s, RM, s', Time B, Sign B 4. ES A: License, Receipt A, e t, n t, v, s, RM, s', Time ES, Sign ES Step 1: If the customer wants to o online shopping for some e-goos using the e-cash, he/she first selects the e-goos, an computes the following signature Sign t with the private key corresponing to the temporary public key of the e-cash, Sign t (H(Cost, Account ES, e t, n t, v, s, Time A ) H(E-goos) ) t mo n t.

4 The customer then uses the security channel to sen the messages (E-goos, Cost, Account ES, e t, n t, v, s, Time A, Sign t ) to the merchant. Step 2: After receiving the above messages through the security channel, the merchant verifies whether or not the messages: Cost, Account ES, Time A, Sign t, an s e b v (H(e t n t ) mo nb ) are correct. If they are correct, it then computes the e- goos message igest EMD = H(E-goos) an forwars the messages (Cost, Account ES, e t, n t, v, s, Time A, EMD, Sign t ) to the bank, which issue the e- cash, through the security channel. Step 3: The bank verifies whether or not the messages: Account ES, Time A, an Sign t are correct. If they are correct, it then eposits the money into the merchant's account an eucts the money from the e- cash. The bank then computes the remainer money RM an the signature b s' (H(e t, n t, v, s, RM) ) mo nb. Sign B (H(Receipt ES, e t, n t, v, s, RM, s', Time B ) b mo n. ) b Finally, the bank makes a statement (receipt) for the merchant an sens the messages (Receipt ES, e t, n t, v, s, RM, s', Time B, Sign B ) to the merchant through the security channel. Step 4: The merchant verifies whether all messages are correct. If correct, it makes a receipt for the customer an computes the signature Sign ES (H(License, Receipt A, e t, n t, v, s, RM, s', Time ES,) ES mo n. e t, n t /mm/yyyy $xxx.xx (ol) $xx.xx (new) ) ES Temporary public key Expiration ate Original money Bank's ol signature s Remainer money Bank's new signature s' Figure 3. The remainer igital e-cash Finally, the merchant sens the messages (License, Receipt A, e t, n t, v, s, RM, s', Time ES, Sign ES ) to the customer through the security channel. After receiving the messages, the customer gets the licenses of the e-goos an his/her remainer e-cash. Figure 3 epicts the remainer e-cash. (3) E-cash Renew Protocol In this protocol, the customer can renew his/her e- cash when the e-cash is close to the expiration ate through the following protocol. In aition, the bank also cannot buil a relationship between the ol e-cash an the new e-cash through the protocol. 1. A B:, v, e t ', n t ', v ', s ', Time t, Sign t 2. B A: e t ', n t ', v ', s ',, Time B, Sign B Step 1: The customer first fills a new e-cash form an computes the new blin messages an v as the above e-cash issue protocol, an then uses the ol e- cash to compute the signature Sign t (H(, v, e ' t, n ' t, v ', s ', Time t ) ) t mo n t. Finally, the customer sens the messages (, v, e t ', n t ', v ', s ', Time t, Sign t ) to the bank through the security channel. Step 2: After receiving the messages, the bank verifies whether or not the messages are correct. If they are correct, the bank computes ( mo ) an the signature n b 1 ( e b v) ) b b Sign B (H(e ' t, n ' t, v ', s ',, Time B ) mo n. It then recors that the ol e-cash is cancelle until the expiration ate. After the expiration ate, the bank coul elete the all information about the ol e-cash. Finally, the bank sens the new e-cash to the customer through the security channel. 4. Protocol Characteristics (1) Strong Privacy Protection In the new system, anyone incluing the bank an merchant cannot etermine to who purchases the e- goos. The bank an merchant know nothing about the customer except for how much money the customer spens for e-cashes. This provies strong privacy protection for the customers.

5 (2) Non-repuiation Since all transferre messages are signe with the signatures of the owners of the messages in the new protocols, they can ask a Court to juge it if there is a ispute later, i.e. the new protocol provies the nonrepuiation service. On the other han, the signatures of the customers o not expose their private information (see etail analysis in Section 5). (3) Strong Safety Protection The new protocols only authorize the owner of the e-cash to use the e-cash. Other person incluing the bank an merchant cannot use the e-cash since they cannot make the signature without the private key of the e-cash an proof that they are the owner of the e- cash. Hence, the customers nee not worry about the losing, misusing, an stealing of their e-cashes. 5. Privacy an Security Analysis In this section, we first emonstrate that the new protocols o provie strong privacy protection for customers, an non-repuiation of acquire services, an then examine the security of the new protocols against other passive an active attacks Anonymity Analysis This new protocols support the anonymity of customers through the use of partial blin signatures an anonymous temporary public key. Since the temporary public key is embee into the blin message of the partial blin signature scheme, an the format an content of the message v are the as same as the other e-cashes, the bank an merchant cannot trace the ientity information of the owner of the e-cash when the customer uses the e-cash later, i.e. the bank an merchant oes not know who purchases the e- goos using the e-cash. This provies an unlinkability property inherent to a (partial) blin signature protocol. In aition, since the e-cash is unlinkable with the owner ientity, the bank woul know nothing about the customer except how much money the customer exchanges for the e-cash. On the other han, since the merchant only woul have the recor message about the e-cash, it also woul know no more about its customers, as woul any outsier. Hence, it gives the customers strong privacy protection Non-repuiation Analysis The new protocols provie non-repuiation services in each step of the protocols with the signatures. First, in the e-cash issue protocol, the message that the customer sens to the bank is signe with the customer's certificate. If the customer enies this action, the bank can show the customer's signature to the Court. On the other han, if the customer oes not o this, the bank also cannot charge the customer since it cannot give an evience (i.e., signature) to prove it. Seconly, in the online shopping protocol, the messages sent to the merchant also are signe with the private key of the e-cash. Since only the owner of the e-cash has the private key, the owner cannot eny his/her action if he/she signe the message. On the other han, this also makes the e-cash safer since other person cannot spen the e-cash without the private key. In aition, as we mentione in the above anonymity analysis, this signature oes not expose the ientity of the owner of the e-cash since the temporary public key oes not inclue any information about the ientity of the owner, an also is embee in the blin message in the e-cash issue protocol Security Analysis (1) Passive Attacks In the new protocols, all messages sent to the intene receiver are protecte with the security channels. Thus, an aversary other than the intene receiver cannot etermine the content of the messages just by looking at them, i.e. the outsiers know nothing about the communication contents. On the other han, in the e-cash issue protocol, since the temporary public key (e t, n t ) is embee in e the blin message ( r b v H(et n t ) mo n b ), the bank also oes not know r an H(e t n t ), i.e. the bank cannot reaily etermine who hols the temporary public key. (2) Active Attacks The new protocols also provie protection against replay an moification attacks. Using the time stamp "Time" in each message, the receiver can easily iscover a replaye message. Aitionally, if some aversaries want to change the messages or impersonate the customer/bank/merchant, the intene receiver can easily fin out by verifying the signature "Sign" since all messages sent to the receiver have

6 been hashe, an the hashing value has been signe, i.e. other person cannot change or make the messages without the private key. 6. Conclusion We have presente a new e-cash system with strong privacy an non-repuiation protection. This new system has the following avantages over traitionally e-cash system: Proviing strong privacy protection for customers, Proviing non-repuiation services, Protecting the customer, bank, an merchant against the enying, ouble-spening, losing, misusing, an stealing of the e-cashes, Coul be easily implemente with XML an the security channel. ACKNOWLEDGMENT We woul like to thank all members of IIT at the NRC of Canaa an the Communications Security Establishment of Canaa for their support towars our Security an Privacy R&D program. We are also grateful to the anonymous referees for helpful comments. References [1] D. Chaum. Blin Signature for Untraceable Payments. Avances in Cryptology Crypto'82, pp , [2] D. Chaum, A. Fiat, an M. Naor. Untraceable Electronic Cash. Avances in Cryptology Crypto'88 (LNCS 403), pp , [3] J. K. Liu, V. K. Wei, an S. H. Wong. Recoverable an Untraceable E-cash. EUROCON 2001, Trens in Communications, International Conference on, Volume: 1, July [4] Jens Bo Friis. Digicash Implementation. June, [5] M. Abe an E. Fujisaki. How to Date Blin Signatures. Avances in Cryptology ASIACRYPT'96 (LNCS 1163), pp , [6] P. L. Yu an C. L. Lei. An User Efficient Fair E-cash Scheme with Anonymous Certificates. Electrical an Electronic Technology, TENCON. Proceeings of IEEE Region 10 International Conference on, Vol. 1, Aug [7] R. L. Rivest, A. Shamir, an L. Aleman. A Metho For Obtaining Digital Signatures an Public-key Cryptosystems. Communications of ACM, Vol.21, No.2, pp , Feb [8] 3.0 Specification [9] T. Okamoto an K. Ohta. Universal Electronic Cash. Avances in Cryptology Crypto'91 (LNCS 576), pp , [10] The TLS Protocol Version 1.0. RFC 2246 (Propose Stanar). ftp://ftp.rfc-eitor.org/in-notes/rfc2246.txt