Current issues of e-cash and Fair tracing

1

• Current issues of e-cash and Fair tracing
• Network Security Term Project
• Kim Byeong Gon
• Cais Lab of ICU
• 2002.10.10

2
Contents
Fair tracing

• Overview of e-cash
• Classification
• Curren issues
• Goal
• Basic Protocol
• Examples of Countermeasures
• Fair tracing
• Building blocks
• Previous work
• Future work
• References

Network Security Term Project
3
Overview of e-cash
Fair tracing

• Similar names areElectronic money, Cyber money,
  e-cash, virtual currency
• Classification of Electronic payment

• By functionality

By Payment

• By Settlement

Network Security Term Project
4
Classification (1/3)
Fair tracing

• Classification by functionality

• IC card type
• Open - Value transfer is possible
  between card owner
• - Perfect
• E-wallet is needterminal is need
• - Mondex
• Closed
• - Value transfer is impossible between
  card owner
• - VisaCash

• Network type
• Re-charge is easy
• Use network
• suitable for e-commerce

Network Security Term Project
5
Classification (2/3)
Fair tracing

• Classification by Settlement

Credit E-mail First Virtual CyberCash Micr
osoft/Visa Netscape/MasterCard

• Token
• DigiCash
• NetCash

Cash Mondex
Prepaid(Debit) BankNet FSTC Electronic
Checks
Network Security Term Project
6
Classification (3/3)
Fair tracing

• Classification by payment

e-cash IC card type

Network type Visa International
Visa Cash
DigiCash E-Cash Electronic Payment
Service SmartCash CyberCash
CyberCoin Mondex International
Mondex
California Univ. NetCash
Micro-payment system Millicent PayWord MicroMint
Credit card (Network type) CyberCash Cyber
Card Service First Virtual Holdings
International Payment System SET
e-check (Network type) Checkfree Checkfree
Payment Service STC Electronic Check California
Univ. NetCheque NetChex Echeque
Account transfer (Network type) Intuit Quicken
Microsoft Money Meca Software Managing Your
Money SFNB(Security First Network
Bank) NetBill MetaLand
Network Security Term Project
7
Current Issues
Fair tracing

• E-cash requirements
• Anonymity Untraceability
• Anonymous revocation Traceability
• Double spent prevention
• Off-line
• Transferability
• Divisibility
• Bank robbery attack
• Bank framing Unforgeability
• Etc.

Network Security Term Project
8
Goals
Fair tracing

• In this term project, I will suggest an enhanced
  scheme for fair tracing or fair exchange of
  e-cash.

Network Security Term Project
9
Basic Protocol(1/2)
Fair tracing

• Notations
• SKB Banks secrete key
• PKB Banks public key
• MSK Message and its signature under key SK
• A first-Try Protocol
• Withdrawal Protocol
• 1. User tells Bank she would like to withdraw
  10.
• 2. Bank returns a 10 bill which looks like this
  
• I am a 10 bill, 4527SKB
• and withdraw 10 from User account.
• 3. User checks the signature and if it is valid
  accepts the bill.

Network Security Term Project
10
Basic Protocol(2/2)
Fair tracing

• Payment Protocol
• 1. The User pays the Vendor with the bill.
• 2. The Vendor checks the signature and if it is
  valid, accepts the bill.
• Deposit Protocol
• 1. The Vendor gives the bill to the Bank.
• 2. The Bank checks the signature and if it is
  valid, credits the Vendors account
• Basic problems of this scheme are
• - Duplicate, Double-spending
• - Anonymity Bank can link user and serial
  number, therefore bank know where the user
  spent the coin.
• - Many other issues

Network Security Term Project
11
Examples of Countermeasures (1/2)
Fair tracing

• Anonymity Problem
• ? Blind Signature
• Bank cannot know which bill is whos one.
• But, user can cheat the bank about real amount.
• ? Fixing the dollar amount
• Use several PKiB for each bills of i dollars.
• ? Cut and Choose
• 1. User makes up 100 20 bills.
• 2. Blinds them using ri ?R Zp and gives it to
  the Bank
• 3. Bank picks one to sign(at random), User
  unblind all of the rest.
• Ensures that all of the bills that were
  unblinded were correct.
• Return one signed 20 bill.
• (1/100 probability of cheating)

Network Security Term Project
12
Examples of Countermeasures (2/2)
Fair tracing

• double Spending Problem (off-line)
• ? RIS(Random Identity String)
• During the payment, the User is forced to write
  RIS on the bill.
• RIS must have the following properties,
• - must be different for every payment of the
  coin
• - only the user can create a valid RIS
• - two different RIS on the same coin should
  allow the Bank to retrieve the User name
• ex) The User prepares 100 bills of 20 which
  look like this
• Mi (Im 20 bill, 4527i, yi1,yi1,
  yi2,yi2,. yik,yik)
• where i 1..100, yij H(xij), yij H(xij),
  
• where xij ? xij User name for all i,j

Network Security Term Project
13
Fair Tracing
Fair tracing

• Unconditional anonymityvSN92
• This may be misused for untraceable blackmailing
  of customers(perfect crime)
• Revocable anonymitySPC95,DFTY97
• One or more TTP can link the the withdrawal and
  the deposit of coins
• Coin tracing Is the withdrawn coin is
  deposited?
• Owner tracing Who is the withdrawer of this
  deposited coin?
• Fair Tracing problemKV01
• Legal Tracing If it has been permitted by a
  judge or by the withdrawer.
• Illegal Tracing If is is used without the
  permission of a judge or of withdrawer
• Fair Tracing Legal tracing is always possible,
  but illegal tracing is inhibited.
• This is optimistic because illegal tracing can
  be detected later.

Network Security Term Project
14
Building Blocks
Fair tracing

• Okamoto-Schnorr Blind Signature
• p,q two large primes such that q/p-1
• g1, g2 ? Zp with order q

Public key pair of signer Choose s1, s2 ?R Zq y
g1s1 g2s2 mod p Secrete (s1,s2) Public (g1,
g2,y)
Customer
Bank
2. Blinds a with ß,?,d ?R Zq a ag1ß g2?yd
mod p e H(m, a ) - d mod q 4. ? S1 ß
mod q, s S2 ? mod q signature is (a, ?,
s) for message m
1. Select k1,k2 ?R Zq a g1k1 g2k2 mod
p 3. S1 k1 es1 mod q, S2 k2 es2 mod q
which satisfies a g1S1 g2S2ye mod p
a
e
(S1,S2)
Verifty a ? g1? g2syH(m, a ) mod p g1S1ß
g2S2?yed g1S1 g2S2ye (g1ß g2?yd) a(a/a)
Network Security Term Project
15
Previous Work
Fair tracing

• Kügler and VogtKV01 proposed marking mechanism
  based on a variant of an Okamoto-Schnorr Blind
  SignatureOka92 in combination with a Chaum-van
  Antwerpen undeniable signatureCha90.
• Notations
• p,q two large primes such that q/p-1
• g1,g2,g3 ? Zp with order q
• (s1,s2) ?R Zq is the blind signature private key
  of the bank
• v g1s1g2s2 mod p is the blind signature public
  key of the bank
• x ?R Zq is the undeniable signature private
  key of the bank
• y g3x mod p is the undeniable signature public
  key of the bank

Network Security Term Project
16
Previous Work
Fair tracing

• Marking and Withdrawal
• Customer Bank

Once per withdrawal r ?R Zq a g1r mod p
new random generator ? ax mod p undeniable
sig
For every coin d ?R Zq a ad mod p ? ?d
axd ax mod p
a ,?
a
c
S1,S2
Network Security Term Project
17
Previous Work
Fair tracing

• Tracing Capabilities

• Coin tracing
• - Chooses and stores a random undeniable
  signature key xm such that
• The bank test
  for all stored marking keys xm
• Tracing authority
• The tracing capability can be transfered to a
  separate tracing authority.
• marking is invisible even for the bank. (Refer
  to KV01)
• Fair tracing
• Revealing key x has no impact on the security of
  the Okamoto-Schnorr signature. undeniable
  sig is independent to blind sig
• Customer can detect marking by testing But
  he needs additional info. Sigbank (a,?,customer
  ID, coin generation)

Network Security Term Project
18
Future work
Fair tracing

• Detail analysis about fair tracing
• Study other fair tracing scheme
• Develop enhanced scheme.

Network Security Term Project
19
References
Fair tracing

• KV01 D. Kügler and H. Vogt. Fair tracing
  without trustees. In Financial Cryptography
  FC2001. Preproceedings, 2001.
• vSN92 B. Von Solms and D. Naccache. On blind
  signatures and perfect rimes. Computers and
  Security, 11(6)581-583, 1992.
• SPC95 M. Stadler, J.-M. Piveteau, and J.
  Camenisch. Fair blind signatures. In Advances
  in Cryptology - EUROCRYPT 95, volume 921of
  Lecture Notes in Computer Science, pages
  209-219. Springer-Verlag, 1995
• DFTY97 G. Davida, Y. Frankel, Y. Tsiounis, and
  M. Yung. Anonymity control in e-cash systems,
  In Financial Cryptography - FC97, volume 1318
  of LNCS, pages 1-16. Springer-Verlag, 1997
• Oka92 T.Okamoto, Provably Secure and Practical
  Identification Schemes and Corresponding
  Signature Schemes , Advances in Cryptology-Crypto
  92, LNCS Vol.740, pages 31 53,
  Springer-Verlag,1992.
• Cha90 D.Chaum. Zero-knowledge undeniable
  signatures. In Advances in Cryptology
  EUROCRYPT 90, volume 473 of LNCS, pages
  458-464. Springer-Verlag, 1990
• JKC01 Jinho Kim, Kwangjo Kim, Chulsoo Lee, An
  Efficient and Provably Secure Threshold Blind
  Signature, In ICISC 2001, volume 2288 of LNCS,
  pages 318 327. Springer-Verlag, 2002

Network Security Term Project