Handy Compact E-cash System

Sébastien Canard (1), Aline Gouget (2), Emeline Hufschmitt (1)

(1) France Telecom R&D, 42 rue des Coutures, BP 6243, F-14066 Caen Cedex, France
(2) Gemalto, 6 rue de la Verrerie, F-92190 Meudon, France.

This paper presents an off-line anonymous e-cash scheme with features useful for practical use. The quantity of coins withdrawn by the user is no longer predetermined by the system, while the anonymity of users is preserved. Moreover, the number of coins withdrawn by the user is not necessarily a power of two, which allows more flexibility. During the withdrawal protocol, the user can now choose the value of each coin from a predetermined set of values. This feature is particularly interesting from a practical point of view since it improves the efficiency of the spending protocol and also of the deposit protocol. Another result of this paper is the addition of a validity date to each coin. The proposed handy compact e-cash scheme integrates these new features without significantly impacting the compactness of the electronic wallet.

Keywords. E-cash, anonymity, group signature, proof of knowledge.

1 Introduction

Electronic cash systems allow users to withdraw electronic coins from a bank, and then to pay a merchant using these coins, preferably without communicating with the bank or a trusted party during the payment. Finally, the merchant deposits the spent coins at the bank. Electronic cash provides user anonymity against both the bank and the merchant during a purchase in order to emulate the perceived anonymity of regular cash transactions. For instance, it must be impossible to link two spending protocols, or a spending protocol to a withdrawal protocol. As electronic data is easy to duplicate, an e-cash system must prevent a user from double-spending. Ideally, the anonymity of honest users must be protected and the identity of cheaters must be recovered without using a trusted third party. An electronic payment system must also prevent a merchant from depositing the same coin twice. To be practical, an e-cash system must be based on efficient protocols. The most critical protocol is the spending phase between the user and the merchant, which must be reasonably efficient. It should also be possible to withdraw or spend several coins more efficiently than by repeating a single withdrawal or spending protocol several times. Another practical property that should be considered is the size of the electronic wallet.

1.1 Related Works

Camenisch et al. [4] proposed an efficient compact e-cash system that allows a user to withdraw a wallet with $2^L$ coins such that the space required to store these coins, and the complexity of the withdrawal protocol, are proportional to $L$ rather than to $2^L$. The compact e-cash scheme uses an innovative system of serial numbers and security tags. This scheme fulfills the anonymity and unlinkability properties usually required for electronic cash schemes. An important practical drawback of this e-cash system is the efficiency of the spending protocol, which should be improved to get a practical e-cash system. Another practical drawback is that the size of the wallet is a predetermined value of the system, meaning that when a user wants to withdraw coins from a bank, he must withdraw exactly $2^L$ coins. Moreover, the compact e-cash system manages only one monetary value. The issues of electronic coupon systems are closely related to those of electronic cash systems. In [6], the problem of the flexibility of the size of multi-coupons has been addressed. Moreover, a proposal allowing to manage several types of coupon in the same system has been made. Shifting these features from coupon systems towards e-cash systems could be very interesting from a practical point of view. However, even if the issues of electronic money and electronic coupons are closely related, a gap remains. For instance, the problem of detecting the double-redemption of a coupon appears to be easier than the problem of detecting the double-spending of a coin. Indeed, in a coupon system, every coupon is redeemed to the service provider that has previously delivered it, whereas, in an electronic coin system, the merchant cannot detect a double-spending during a payment protocol since the coins delivered by the bank can be spent at several merchants. Thus, the adaptation to e-cash systems of the new features proposed in [6] for coupon systems should be done carefully.

1.2 Our Contribution

In this paper, we adapt the features presented in [6] to the electronic cash setting. These features are very interesting for practical e-cash schemes. Indeed, from the user's point of view, it is useful to choose the monetary value he wants to withdraw. Moreover, managing several monetary values in the same system could be one solution to improve the efficiency of the spending phase. Like the coupon scheme proposed in [6], the handy compact e-cash scheme uses the innovative system of serial numbers and security tags proposed in [4] and thus inherits the compactness of the electronic wallet. However, in order to get a more compact electronic wallet, the handy compact e-cash scheme relies on the BBS signature scheme instead of the ACJT signature scheme used in [4]. Thus, we present a handy compact e-cash scheme allowing the user to choose the quantity of coins in his wallet and to manage several monetary values of coins in the same electronic wallet. We also deal with the problem of the bank's database, which grows very fast after each transaction. For this purpose, we propose to add a validity date to each withdrawn coin. The main issue of adding this validity date is to keep the anonymity of users and the unlinkability of spendings, since this validity date should not be revealed during a spend protocol.

1.3 Organization of the paper

This paper is organized as follows. Section 2 describes the security model and Section 3 presents the cryptographic tools we need. Section 4 is the main one: it contains the new handy compact e-cash system. Section 5 gives the security theorem of our scheme together with the proof.

2 Security Model

The algorithms used to describe the handy compact e-cash scheme are based on the algorithms of the compact e-cash scheme [4].

2.1 Algorithms

An e-cash system involves three player types: a user $U$, a bank $B$ and a merchant $M$. The set of authorized values for the coins is defined to be $V = \{V_1, \ldots, V_n\}$, where $n$ is the number of possible monetary values. During the withdrawing phase, $U$ is able to specify the number $J_i$ of coins of value $V_i$ he wants to withdraw. A wallet $W$ is formed by a wallet identifier $I$ and a set $S = \{(J_i, V_i);\ i \in [1, n]\}$. The e-cash scheme is defined by the following algorithms.

• BKeyGen($1^k$, params) is a key generation algorithm for $B$. It takes as inputs the security parameter $1^k$ and the public parameters of the scheme. It outputs the secret and public keys of the bank, denoted by $(sk_B, pk_B)$ respectively; we assume that $sk_B$ also contains the public parameters params.

• UKeyGen($1^k$, params) is the key generation algorithm for $U$. It outputs $(sk_U, pk_U)$; we assume that $sk_U$ also contains the public parameters params. Note that, in an e-cash system, the merchants can be seen as users and so they get their keys using the UKeyGen algorithm.

• Withdraw($U(pk_B, sk_U, J_1, \ldots, J_n)$, $B(pk_U, sk_B)$) is an interactive protocol between $B$ and $U$. It allows $U$ to withdraw a wallet $W$ of $J_1 + \ldots + J_n$ coins. $U$'s output is a wallet $W$, i.e. an identifier $I$ and the set $S = \{(J_i, V_i);\ i \in [1, n]\}$, or an error message. $B$'s output is its view $V_B^{Withdraw}$ of the protocol.

• Spend($U(W, pk_M, S)$, $M(sk_M, pk_B)$) is an interactive protocol between $U$ and $M$ enabling $U$ to spend a coin of value $V_j$ of his choice. $M$'s output is a serial number $S$ of a coin of value $V_j$ with a proof of validity $\pi$, and $U$'s output is an updated wallet $W'$, i.e. the identifier $I$ and the set $\{(J'_i, V_i);\ i \in [1, n]\}$ where $J'_j = J_j - 1$ and $J'_i = J_i$ for $i \in [1, n]$, $i \neq j$, or an error message.

• Deposit($M(sk_M, S, \pi, pk_B)$, $B(pk_M, sk_B)$) is an interactive protocol between $M$ and $B$ allowing $M$ to deposit a coin $S$ into its account. $B$ adds $(S, \pi)$ to the list of spent coins.

• Identify(params, $S$, $\pi_1$, $\pi_2$) is an algorithm allowing to identify double-spenders using a serial number $S$. It outputs a public key $pk_U$ and a proof $\Pi_G$.

• VerifyGuilt(params, $S$, $pk_U$, $\Pi_G$) is an algorithm allowing to publicly verify the proof $\Pi_G$ that the user owning the public key $pk_U$ is guilty of double-spending the coin $S$.

2.2 Security Model

We informally describe the security statements of our scheme; formal definitions can be found in [4].

Correctness. If an honest user runs a Withdraw protocol with an honest bank, then neither will output an error message. If an honest user runs a Spend protocol with an honest merchant, then the merchant always accepts the coin.

Unforgeability. From the bank's point of view, what matters is that no coalition of users can ever spend more coins than they withdrew. We can briefly describe the game in the following way: let $A$ be a p.p.t. Turing machine that has access to the public key $pk_B$ of the system and to the public parameters params. $A$ executes in a concurrent manner Withdraw and Deposit protocols with the bank. $A$ can legitimately withdraw $f$ wallets; let $A_f$ be the list of the serial numbers associated to these Withdraw executions. $A$ wins the game if for some $f$, in some Deposit protocol, the honest bank accepts a coin with serial number $S \notin A_f$. We require that no probabilistic polynomial-time adversary succeeds in this game with non-negligible probability.

Identification of double-spenders. Suppose the bank is honest and $M_1$, $M_2$ are two honest merchants who ran the Spend protocol with the adversary such that $M_1$'s output is $(S, \pi_1)$ and $M_2$'s output is $(S, \pi_2)$. Then, with high probability, the algorithm Identify(params, $S$, $\pi_1$, $\pi_2$) outputs a key $pk_U$ and a proof $\Pi_G$ such that VerifyGuilt(params, $S$, $pk_U$, $\Pi_G$) accepts. The game is as follows. Let $A$ be a p.p.t. Turing machine that has access to the public key $pk_B$ of the system and to the public parameters params. $A$ executes the Withdraw and Spend protocols as many times as it wishes. Let $A_i$ be the list of serial numbers that belong to the public key $pk_i$. $A$ wins the game if for some $f$, in some Spend protocol, the bank, simulating an honest merchant, accepts a coin with serial number $S \in A_i$ twice.
Anonymity. From the privacy point of view, what matters to users is that the bank, even when cooperating with any collection of malicious users and merchants, cannot learn anything about a user's spending other than what is available from side information from the environment. In this game, the adversary $A$ forms the bank's public key $pk_B$ and has access to several oracles it can query as many times as it wants, in any order:
PK of $i$: $A$ can request and receive the public key $pk_i$ of a user $i$, honestly generated;
Withdraw with $i$: $A$ executes the Withdraw query with user $i$. We denote the user's output after the $j$'th Withdraw query by $W_j$;
Spend from wallet $W_j$: if the wallet $W_j$ is defined, $A$ executes the Spend protocol from this wallet.
We say that $A$ wins the game if it can distinguish whether it is playing Game R(eal) or Game I(deal) below with non-negligible advantage:
Game R: the queries $A$ issues are answered as described before;
Game I: in the Spend query, instead of interacting with $U(W_j)$, $A$ interacts with a simulator.

Exculpability. This property guarantees that only users who really are guilty of double-spending a coin ever get convicted of being a double-spender. Weak exculpability means that only users who double-spend some coin can be convicted, while strong exculpability means that a guilty user would only be held responsible for the coins that he indeed double-spent. In this game, the system parameters params are generated and the user's keys $pk_U, sk_U$ are chosen. The adversary chooses the bank's public key $pk_B$ in an adversarial fashion. The adversary $A$ issues queries to interact with the user $U$, as follows:
Withdraw wallet $j$: $A$ plays the bank's side of the Withdraw protocol with $U$. The user outputs the wallet $W_j$.
Spend from wallet $j$: $A$ plays the merchant's side of the Spend protocol where $U$'s input is wallet $W_j$. For each wallet, $A$ is allowed to execute this query as many times as it wishes. As a result of this query, $U$ may produce a serial number that he had already produced before.
Let $A_j$ be the set of all serial numbers that $U$ has produced in a Spend protocol for wallet $j$ so far. If for any $j$, the size of $A_j$ is larger than the maximal number of coins (i.e. $J_{j,1} + \ldots + J_{j,n}$), then $A$ is given the sets of serial numbers $A_{W_{j'}}$ for all wallets $W_{j'}$. Let $A'_j$ be the set of serial numbers for wallet $W_j$ that are known by $A$. Thus, we have $A'_j = A_j$ if no double-spending has ever occurred, and we have $A'_j = A_{W_j}$ otherwise. Let $A_{ds}$ be the set of serial numbers that $U$ has produced more than once.
Success criterion: At the end, $A$ outputs the values $(S, \Pi)$ and wins the game if one of the following conditions occurs:
1. for all $j$, we have $S \notin A'_j$ and yet VerifyGuilt(params, $S$, $\Pi$, $pk_U$) accepts;
2. for all $j'$, we have $|A_{j'}| < J_{j',1} + \ldots + J_{j',n}$, $S \in A_j$ for some integer $j$, and yet the algorithm VerifyGuilt(params, $S$, $\Pi$, $pk_U$) accepts;
3. $S \notin A_{ds}$ and VerifyGuilt(params, $S$, $\Pi$, $pk_U$) accepts.

3 Useful Tools

3.1 Notations

Throughout the paper, the symbol $\|$ denotes the concatenation of two strings. The notation "$x \in_R E$" means that $x$ is chosen uniformly at random from the set $E$. For an integer $p$, $\mathbb{Z}_p$ denotes the residue class ring modulo $p$ and $\mathbb{Z}_p^*$ the multiplicative group of invertible elements in $\mathbb{Z}_p$. $G$ denotes a cyclic group. $PK(\alpha : f(\alpha, \ldots))$ denotes a proof of knowledge of a value $\alpha$ that satisfies the predicate $f$ (cf. Section 3.3). PedCom($x_1, \ldots, x_l$) is the Pedersen commitment on the values $x_1, \ldots, x_l$ (cf. Section 3.4).

3.2 Complexity Assumptions

Definition 1 (q-Strong Diffie-Hellman Problem) The q-SDH problem in $(G_1, G_2)$ is defined as follows: given a $(q+2)$-tuple $(g_1, g_2, g_2^{\gamma}, g_2^{(\gamma^2)}, \ldots, g_2^{(\gamma^q)})$ as input, output a pair $(g_1^{1/(\gamma+x)}, x)$ where $x \in \mathbb{Z}_p^*$.

Definition 2 (q-Strong Diffie-Hellman Assumption) We say that an algorithm $A$ has advantage $\varepsilon$ in solving q-SDH in $(G_1, G_2)$ if
$$\Pr\big[A(g_1, g_2, g_2^{\gamma}, \ldots, g_2^{(\gamma^q)}) = (g_1^{\frac{1}{\gamma+x}}, x)\big] \ge \varepsilon.$$
The $(q, t, \varepsilon)$-SDH assumption holds in $(G_1, G_2)$ if no $t$-time algorithm has advantage at least $\varepsilon$ in solving the q-SDH problem in $(G_1, G_2)$.

Definition 3 (y-Decisional Diffie-Hellman Inversion assumption [1]) Given a random generator $g \in G$ where $G$ has prime order $p$, the values $(g, g^{x}, \ldots, g^{x^{y}})$ for a random $x \in \mathbb{Z}_p$, and a value $R \in G$, it is hard to decide if $R = g^{1/x}$ or not.

3.3 Proofs of knowledge

The zero-knowledge proofs of knowledge below are constructed over a cyclic group $G = \langle g \rangle$ of prime order $q$. The base of each building block is the Schnorr authentication scheme [18]. These are interactive proofs of knowledge where the prover sends a commitment and then responds to a challenge from the verifier. In our scheme, we need the proof of knowledge of a representation, the proof of equality of two known representations [10, 7], the proof of the OR statement [11, 17] and the two following proofs.

3.3.1 Proof that a committed value is more than a public value.

A proof that a committed value is more than a public value, that is the proof of knowledge of $(x, r)$ such that $C = g^x h^r$ and $a \le x$, with $C, g, h \in G$ and $a$ a given integer, is denoted by $PK(\alpha, \beta / C = g^{\alpha} h^{\beta} \wedge a \le \alpha)$. In case $x$ and $a$ are $l$-bit integers with $l$ relatively small, that is $x = x_0 + x_1 2 + \ldots + x_{l-1} 2^{l-1}$ and $a = a_0 + a_1 2 + \ldots + a_{l-1} 2^{l-1}$, the proof can be done as follows.

1. The prover randomly chooses $r, r_0, \ldots, r_{l-1} \in_R \mathbb{Z}_p$, and computes
$$C = g^x h^r,\quad C_0 = g^{x_0} h^{r_0},\quad C_1 = g^{x_1} h^{r_1},\quad \ldots,\quad C_{l-1} = g^{x_{l-1}} h^{r_{l-1}},\quad \tilde{C} = \prod_{i=0}^{l-1} C_i^{2^i}.$$
Note that the element $\tilde{C}$ can be computed by both the prover and the verifier. Moreover, note that $\tilde{C} = g^{\tilde{x}} h^{\tilde{r}}$ and consequently that $C\tilde{C}^{-1} = g^{x - \tilde{x}} h^{r - \tilde{r}}$.

2. Then, the prover and the verifier make the following interactive proof of knowledge. This proof shows that the value $x$ is correctly represented in binary by the commitments $C_0, \ldots, C_{l-1}$. Then, for each bit of $x$, there is a comparison with the same bit of $a$ until there is a difference.
$$PK\Big(\alpha, \beta, \gamma_0, \ldots, \gamma_{l-1}, \delta /\ (C_0 = h^{\gamma_0} \vee C_0/g = h^{\gamma_0}) \wedge \ldots \wedge (C_{l-1} = h^{\gamma_{l-1}} \vee C_{l-1}/g = h^{\gamma_{l-1}}) \wedge C = g^{\alpha} h^{\beta} \wedge C\tilde{C}^{-1} = h^{\delta} \wedge \big((C_{l-1}/g = h^{\gamma_{l-1}} \wedge a_{l-1} = 0) \vee (C_{l-1}/g^{a_{l-1}} = h^{\gamma_{l-1}} \wedge C_{l-2}/g = h^{\gamma_{l-2}} \wedge a_{l-2} = 0) \vee \ldots \vee (C_{l-1}/g^{a_{l-1}} = h^{\gamma_{l-1}} \wedge \ldots \wedge C_1/g^{a_1} = h^{\gamma_1} \wedge a_0 = 0)\big)\Big).$$


3.3.2 Proof that a committed value is less than another committed value

A proof that a committed value is less than another committed value consists in proving that $0 \le x < y$ where $x$ and $y$ are committed with $C = g^x h^r$ and $D = g^y h^w$. This interactive proof is denoted by $PK(\alpha, \beta, \gamma, \delta / C = g^{\alpha} h^{\beta} \wedge D = g^{\gamma} h^{\delta} \wedge 0 \le \alpha < \gamma)$. In case $x$ and $y$ are $l$-bit integers with $l$ relatively small, that is $x = x_0 + x_1 2 + \ldots + x_{l-1} 2^{l-1}$ and $y = y_0 + y_1 2 + \ldots + y_{l-1} 2^{l-1}$, the proof can be done as follows.

1. The prover randomly chooses $r, r_0, \ldots, r_{l-1} \in_R \mathbb{Z}_p$, $w, w_0, \ldots, w_{l-1} \in_R \mathbb{Z}_p$ and computes
$$C = g^x h^r,\quad C_0 = g^{x_0} h^{r_0},\quad C_1 = g^{x_1} h^{r_1},\quad \ldots,\quad C_{l-1} = g^{x_{l-1}} h^{r_{l-1}},\quad \tilde{C} = \prod_{i=0}^{l-1} C_i^{2^i},$$
$$D = g^y h^w,\quad D_0 = g^{y_0} h^{w_0},\quad D_1 = g^{y_1} h^{w_1},\quad \ldots,\quad D_{l-1} = g^{y_{l-1}} h^{w_{l-1}},\quad \tilde{D} = \prod_{i=0}^{l-1} D_i^{2^i}.$$
Note that the elements $\tilde{C}$ and $\tilde{D}$ can both be computed by the prover and the verifier. Moreover, note that $\tilde{C} = g^{\tilde{x}} h^{\tilde{r}}$ and $\tilde{D} = g^{\tilde{y}} h^{\tilde{w}}$ and consequently that $C\tilde{C}^{-1} = g^{x - \tilde{x}} h^{r - \tilde{r}}$ and $D\tilde{D}^{-1} = g^{y - \tilde{y}} h^{w - \tilde{w}}$.

2. Then, the prover and the verifier make the following interactive proof of knowledge. This proof is close to the previous one except that the binary representation of $y$ is not known.
$$PK\Big(\alpha, \beta, \gamma_0, \ldots, \gamma_{l-1}, \delta, \varepsilon, \zeta, \eta_0, \ldots, \eta_{l-1}, \theta /\ (C_0 = h^{\gamma_0} \vee C_0/g = h^{\gamma_0}) \wedge \ldots \wedge (C_{l-1} = h^{\gamma_{l-1}} \vee C_{l-1}/g = h^{\gamma_{l-1}}) \wedge (D_0 = h^{\eta_0} \vee D_0/g = h^{\eta_0}) \wedge \ldots \wedge (D_{l-1} = h^{\eta_{l-1}} \vee D_{l-1}/g = h^{\eta_{l-1}}) \wedge C = g^{\alpha} h^{\beta} \wedge C\tilde{C}^{-1} = h^{\delta} \wedge D = g^{\varepsilon} h^{\zeta} \wedge D\tilde{D}^{-1} = h^{\theta} \wedge \big((C_{l-1}/D_{l-1} = h^{\gamma_{l-1}}/h^{\eta_{l-1}} \wedge C_{l-2} = h^{\gamma_{l-2}} \wedge D_{l-2}/g = h^{\eta_{l-2}}) \vee (C_{l-1}/D_{l-1} = h^{\gamma_{l-1}}/h^{\eta_{l-1}} \wedge C_{l-2}/D_{l-2} = h^{\gamma_{l-2}}/h^{\eta_{l-2}} \wedge C_{l-3} = h^{\gamma_{l-3}} \wedge D_{l-3}/g = h^{\eta_{l-3}}) \vee \ldots \vee (C_{l-1}/D_{l-1} = h^{\gamma_{l-1}}/h^{\eta_{l-1}} \wedge \ldots \wedge C_1/D_1 = h^{\gamma_1}/h^{\eta_1} \wedge C_0 = h^{\gamma_0} \wedge D_0/g = h^{\eta_0})\big)\Big).$$
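The bit-decomposition trick shared by Sections 3.3.1 and 3.3.2, as an added worked example that is not part of the paper: it builds Pedersen commitments of the form $C = g^x h^r$ used above over a toy Schnorr subgroup (the parameters are constructed here), commits to each bit of $x$, aggregates the bit commitments into $\tilde{C} = \prod_i C_i^{2^i}$, and checks the verifier-side identity $C\tilde{C}^{-1} = h^{r - \tilde{r}}$. It also locates the most significant bit at which $x$ and the other operand ($a$ in 3.3.1, $y$ in 3.3.2) differ, which is the position the OR-clauses of both proofs single out. The group constants, the use of `secrets` for randomness and all function names are assumptions of this example; the interactive Schnorr/OR proofs are not implemented, instead the prover opens $\delta = r - \tilde{r}$ so that the relation can be tested directly.

```python
# Added example, not from the paper: Pedersen bit commitments and the
# aggregation identity used by the range proofs of Sections 3.3.1 / 3.3.2.
# Toy parameters (constructed): subgroup of prime order Q inside Z_P^*.
import secrets

P = 2039   # constructed safe prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup generated by G and H
G = 4      # generator g (a quadratic residue, hence of order Q)
H = 9      # generator h; log_g(h) is assumed unknown to the prover


def commit(x, r):
    """Pedersen commitment C = g^x h^r (mod P), exponents taken in Z_Q."""
    return (pow(G, x % Q, P) * pow(H, r % Q, P)) % P


def inv(a):
    """Inverse of a group element (P is prime)."""
    return pow(a, P - 2, P)


def bits_of(x, l):
    """Little-endian l-bit decomposition x = sum_i x_i 2^i."""
    if not 0 <= x < (1 << l):
        raise ValueError("value does not fit in l bits")
    return [(x >> i) & 1 for i in range(l)]


def bit_commitments(x, l, rs=None):
    """C_i = g^{x_i} h^{r_i} for each bit of x; rs may be supplied for tests."""
    xs = bits_of(x, l)
    if rs is None:
        rs = [secrets.randbelow(Q) for _ in range(l)]
    return [commit(xi, ri) for xi, ri in zip(xs, rs)], rs


def aggregate(cs):
    """C~ = prod_i C_i^{2^i}; both prover and verifier can compute this."""
    acc = 1
    for i, c in enumerate(cs):
        acc = (acc * pow(c, 1 << i, P)) % P
    return acc


def r_tilde(rs):
    """r~ = sum_i r_i 2^i, the randomness hidden inside C~."""
    return sum(ri << i for i, ri in enumerate(rs)) % Q


def verify_aggregation(C, cs, delta):
    """Verifier check C * C~^{-1} == h^delta with delta = r - r~ from the prover.
    The paper proves this in zero knowledge as PK(delta / C C~^{-1} = h^delta);
    here delta is simply opened so the relation can be observed."""
    return (C * inv(aggregate(cs))) % P == pow(H, delta % Q, P)


def top_difference(xs, ys):
    """Most significant index where two bit vectors differ, else None.
    The OR-clauses of 3.3.1 / 3.3.2 enumerate exactly these positions:
    x > y iff xs[k] == 1 and ys[k] == 0 at that index k."""
    for k in reversed(range(len(xs))):
        if xs[k] != ys[k]:
            return k
    return None


def committed_value_is_greater(x, other, l):
    """Prover-side plaintext view of the statement other < x."""
    xs = bits_of(x, l)
    k = top_difference(xs, bits_of(other, l))
    return k is not None and xs[k] == 1
```

Opening $\delta$ is what a zero-knowledge proof avoids; the point of the check is that once the bit commitments are shown to contain bits and $C\tilde{C}^{-1}$ is shown to be a pure $h$-power, the verifier knows $C$ commits to the same integer the bits spell out, without ever learning it.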

3.4 CL type signature schemes with Pedersen commitment

A Pedersen commitment scheme [15] permits a user to commit to some values $(v_1, \ldots, v_L) \in \mathbb{Z}_q^L$ without revealing them, using some public elements of a cyclic group $G$ of prime order $q$ with generators $(g_0, \ldots, g_L)$. To do that, the user chooses a random value $r \in \mathbb{Z}_q$ and computes the commitment $C = g_0^{r} \prod_{i=1}^{L} g_i^{v_i}$. Camenisch and Lysyanskaya [5] proposed various signature schemes where they add some specific protocols:
• an efficient protocol between a user and a signer that permits the user to obtain from the signer a signature $\sigma$ on some committed values unknown to the signer;
• an efficient proof of knowledge of a signature on some committed values. The proof is divided into two parts: the computation of a witness($\sigma$) and the following proof of knowledge $PK(\alpha_1, \ldots, \alpha_L, \beta / \beta = Sign(\alpha_1, \ldots, \alpha_L))$.
These constructions are quite close to group signature schemes. This is the case of the following example, based on the BBS group signature scheme [2], secure under the q-SDH assumption.

Public parameters. The signer chooses a group $G$ of prime order $q$, a secret $\gamma \in \mathbb{Z}_q$ and random generators $(g_1, g_2, h_1, \ldots, h_L)$ in $G$. Finally, the signer computes $w = g_2^{\gamma}$.

Signing algorithm. To sign a block of messages $m_1, \ldots, m_L$, the signer chooses a random prime number $x$ and computes $A$ such that $A = (g_1 \prod_{i=1}^{L} h_i^{-m_i})^{\frac{1}{x+\gamma}}$. The signature on $m = (m_1, \ldots, m_L)$ is the couple $(A, x)$.

Verification algorithm. This signature can be verified by checking that $A^{x+\gamma} \prod_{i=1}^{L} h_i^{m_i} = g_1$, that is by verifying the following equation.
$$e(A, w g_2^{x}) \prod_{i=1}^{L} e(h_i, g_2)^{m_i} = e(g_1, g_2).$$

Proof of knowledge of a signature. A proof of knowledge of a signature $(A, x)$ on a message $m_1, \ldots, m_L$ is denoted by $PK(\alpha_1, \ldots, \alpha_L, \beta, \delta / (\beta, \delta) = Sign(\alpha_1, \ldots, \alpha_L))$, that is $PK(\alpha_1, \ldots, \alpha_L, \beta, \delta / \beta^{\delta+\gamma} \prod_{i=1}^{L} h_i^{\alpha_i} = g_1)$ or, in pairing form, $PK(\alpha_1, \ldots, \alpha_L, \beta, \delta / e(\beta, w g_2^{\delta}) \prod_{i=1}^{L} e(h_i, g_2)^{\alpha_i} = e(g_1, g_2))$. This proof is divided into two parts. The first one consists in computing witness($A$, $x$), that is $T = A h_1^{r}$. From this equation and the relation $A^{x+\gamma} \prod_{i=1}^{L} h_i^{m_i} = g_1$, we obtain
$$e(T, g_2)^{x}\, e(h_1, g_2)^{m_1 - rx} \prod_{i=2}^{L} e(h_i, g_2)^{m_i}\, e(h_1, w)^{-r} = e(g_1, g_2)\, e(T, w)^{-1}.$$
The second part of the proof consequently consists in the following proof of knowledge:
$$PK\big(\alpha, \alpha_2, \ldots, \alpha_L, \beta, \delta /\ e(T, g_2)^{\beta}\, e(h_1, g_2)^{\alpha} \prod_{i=2}^{L} e(h_i, g_2)^{\alpha_i}\, e(h_1, w)^{-\delta} = e(g_1, g_2)\, e(T, w)^{-1}\big).$$

3.5 Dodis-Yampolskiy pseudorandom function

A cryptographically secure pseudorandom function (PRF) is an efficient algorithm that, when given a seed and an argument, returns a new string that is indistinguishable from the output of a truly random function. Such a function takes as input some public parameters, a seed $s$ and a value $x$ and outputs a pseudorandom value (plus a proof of validity). In our paper, we use the Dodis-Yampolskiy pseudorandom function [12], which is secure under the y-DDHI assumption. The construction of Dodis and Yampolskiy works as follows. Let $G$ be a group of order $p$, $g$ a generator of $G$ and $s$ a seed in $\mathbb{Z}_p$. The Dodis-Yampolskiy pseudorandom function $f$ takes as input $x \in \mathbb{Z}_p$ and outputs
$$f_{g,s}(x) = g^{\frac{1}{s+x+1}}.$$

4 The handy compact e-cash system

4.1 Setup

We consider a group $G$ of prime order $q$. The elements $g, g_1, g_2, h_0, \ldots, h_{n+3}, \tilde{g}_1, \ldots, \tilde{g}_n$ are random generators of $G$, where $n$ is the number of possible monetary values. They define the public parameters Params. The bank $B$ computes its key pair $(sk_B, pk_B)$ by choosing at random its secret key $\gamma \in \mathbb{Z}_p^*$ and computing its public key $pk_B = g^{\gamma} \pmod p$. A user $U$ (resp. a merchant $M$) can compute its key pair $(sk_U, pk_U)$ (resp. $(sk_M, pk_M)$) by choosing randomly $u \in [0, o_G[$ (resp. $m \in [0, o_G[$), where $o_G$ is the order of $G$, and computing $g^u$ (resp. $g^m$). The value $u$ (resp. $m$) is the private key $sk_U$ (resp. $sk_M$) and $g^u$ (resp. $g^m$) is the public key $pk_U$ (resp. $pk_M$). In the following, we assume that $H$ is a collision-resistant hash function.


4.2 Withdrawal protocol

During a withdrawal protocol, $U$ interacts with $B$. $U$'s inputs are $pk_B$, $sk_U$, $pk_U$ and Params, and $B$'s inputs are $pk_U$, $sk_B$, $pk_B$ and Params. The withdrawal protocol permits $U$ to obtain a new wallet by interacting with $B$ as described in Figure 1. A wallet corresponds to a (blind) signature done by $B$ on the secrets $s$ and $t$ and the secret key $u$ of $U$.

Fig. 1: Withdrawal protocol ($U$ on the left, $B$ on the right)

$U$: chooses $J_1, \ldots, J_n \in \mathbb{Z}_p$ and $s', t, r \in_R \mathbb{Z}_p$, computes $C' = h_0^{r} h_{n+1}^{u} h_{n+2}^{s'} h_{n+3}^{t}$ and the proof $U = PK(\alpha, \beta, \delta, \theta / C' = h_0^{\alpha} h_{n+1}^{\beta} h_{n+2}^{\delta} h_{n+3}^{\theta} \wedge pk_U = g^{\beta})$.

$U \rightarrow B$: $pk_U, J_1, \ldots, J_n, C', U$.

$B$: chooses $d \in_R \mathbb{Z}_p$ and $s'' \in_R \mathbb{Z}_p$, computes $C = C' h_{n+2}^{s''} h_{n+4}^{d} \prod_{i=1}^{n} h_i^{J_i}$, chooses $x \in_R \mathbb{Z}_p$ and computes $A = C^{\frac{1}{x+\gamma}}$.

$B \rightarrow U$: $s'', d, (A, x)$.

$U$: computes $s = s' + s''$ and checks
$$e(A, g)^{x}\, e(A, pk_B)\, e(h_0, g)^{-r} \prod_{i=1}^{n} e(h_i, g)^{-J_i}\, e(h_{n+1}, g)^{-u}\, e(h_{n+2}, g)^{-s}\, e(h_{n+3}, g)^{-t}\, e(h_{n+4}, g)^{-d} \stackrel{?}{=} e(g, g),$$
then sets $S = \{(J_i, V_i);\ i \in [1, n]\}$ and $W = (s, t, r, d, (A, x), S)$.

The signature is also related to the numbers $J_1, \ldots, J_n$ of coins for each monetary value the user wants to withdraw and to the validity date $d$ of these coins. This signature $(A, x)$ is valid if the following relation is verified.
$$e(A, g)^{x}\, e(A, pk_B)\, e(h_0, g)^{-r} \prod_{i=1}^{n} e(h_i, g)^{-J_i}\, e(h_{n+1}, g)^{-u}\, e(h_{n+2}, g)^{-s}\, e(h_{n+3}, g)^{-t}\, e(h_{n+4}, g)^{-d} = e(g, g).$$
Both $U$ and $B$ contribute to the randomness of the secret $s$. At the end of the Withdraw protocol, $U$ gets a wallet $W = (u, s, t, r, d, (A, x), S)$ with $S = \{(J_i, V_i);\ i \in [1, n]\}$.

4.3 Spending protocol

When a user wants to spend a coin from his wallet $W = (u, s, t, r, d, (A, x), S)$, he first has to choose the value $V_i$ of the coin he wants to spend. Then, he chooses the rank $j$ of the coin he wants to spend in the set of all possible coins of value $V_i$, that is between $0$ and $J_i - 1$. Then, the user receives from the merchant a value $D \in \mathbb{Z}_p^*$ corresponding to the current date and some $info$ related to the transaction. Then, the user has to do the following.

1. Compute $R = H(pk_M \| D \| info)$.

2. Compute the coin's identifier as the Dodis-Yampolskiy pseudorandom function with seed $s$ and generator $\tilde{g}_i$ associated to the monetary value $V_i$, on the input $j$:
$$S = \tilde{g}_i^{\frac{1}{s+j+1}}.$$

3. Compute the security tag $T$ using the secret $t$, the public key $pk_U$ and the random value $R$:
$$T = pk_U\,\big(\tilde{g}_i^{\frac{1}{t+j+1}}\big)^{R}.$$
Compute several Pedersen commitments on the secret values $r, J_1, \ldots, J_n, u, s, t, d, j$:
$$C_r = g_1^{r} g_2^{w_r},\quad C_{J_1} = g_1^{J_1} g_2^{w_{J_1}},\ \ldots,\ C_{J_n} = g_1^{J_n} g_2^{w_{J_n}},\quad C_u = g_1^{u} g_2^{w_u},\quad C_s = g_1^{s} g_2^{w_s},\quad C_t = g_1^{t} g_2^{w_t},\quad C_d = g_1^{d} g_2^{w_d},\quad C_j = g_1^{j} g_2^{w_j}.$$

4. Compute a proof of validity $\Phi$ of this coin, that is
• a proof of knowledge of all committed values, that is the knowledge of $\alpha_0 = r, \alpha_1 = J_1, \ldots, \alpha_n = J_n, \alpha_{n+1} = u, \alpha_{n+2} = s, \alpha_{n+3} = t, \alpha_{n+4} = d, \alpha_{n+5} = j$, $\eta_0 = w_r, \eta_1 = w_{J_1}, \ldots, \eta_n = w_{J_n}, \eta_{n+1} = w_u, \eta_{n+2} = w_s, \eta_{n+3} = w_t, \eta_{n+4} = w_d$ and $\eta_{n+5} = w_j$ such that $C_r, C_u, C_s, C_{J_1}, \ldots, C_{J_n}, C_t, C_d, C_j$ are well-formed;
• a proof of knowledge of a signature from $B$ on the committed values $(r, J_1, \ldots, J_n, u, s, t, d)$. This proof can be done as described in Section 3.4 and corresponds to the proof of knowledge of $\alpha_0, \ldots, \alpha_{n+4}, \beta, \delta$ such that $(\beta, \delta) = Sign(\alpha_0, \ldots, \alpha_{n+4})$ where $\alpha_0 = r, \alpha_1 = J_1, \ldots, \alpha_n = J_n, \alpha_{n+1} = u, \alpha_{n+2} = s, \alpha_{n+3} = t, \alpha_{n+4} = d$, $\beta = A$ and $\delta = x$. This proof uses the computation of the value $P = A h_1^{w}$;
• a proof that the current date $D$ is less than or equal to the validity date $d$ of the spent coin (without revealing $d$), using the proof that a committed value is more than a public value described in Section 3.3;
• a proof that the selected $j$ belongs to the set $\mathcal{J}_i = \{0, \ldots, J_i - 1\}$ (without revealing $j$ nor the $J_i$'s), using the proof that a committed value is less than another committed value described in Section 3.3;
• a proof that the value $S$ is well computed, using the committed values $s$ and $j$ (and thus that $s$ is the same as the one that has been signed by the bank). This proof is done by noticing that
$$g_1 = (C_s C_j g_1)^{\frac{1}{s+j+1}}\, g_2^{\frac{r_s + r_j}{s+j+1}}.$$
Thus, the user has to prove that he knows $\theta$ and $\zeta$ such that $S = \tilde{g}_i^{\theta}$ and $g_1 = (C_s C_j g_1)^{\theta} g_2^{\zeta}$ where $\theta = \frac{1}{s+j+1}$ and $\zeta = \frac{r_s + r_j}{s+j+1}$;
• a proof that the value $T$ is well computed, using the committed values $t$, $j$ and $u$ (and thus that $u$ and $t$ are the same as the ones that have been signed by the bank). This proof is done by noticing that
$$g_1 = (C_t C_j g_1)^{\frac{1}{t+j+1}}\, g_2^{\frac{r_t + r_j}{t+j+1}}.$$
Thus, the user has to prove that he knows $\iota$ and $\kappa$ such that $T = g^{\alpha_{n+1}}\, \tilde{g}_i^{R \cdot \iota}$ and $g_1 = (C_t C_j g_1)^{\iota} g_2^{\kappa}$ where $\alpha_{n+1} = u$ (again), $\iota = \frac{1}{t+j+1}$ and $\kappa = \frac{r_t + r_j}{t+j+1}$.

5. The output of the merchant consists here in the serial number $S$ and the proof of validity $\pi = (R, info, pk_M, D, T, C, V_i, C_r, C_u, C_s, C_{J_1}, \ldots, C_{J_n}, C_t, C_d, C_j, P, \Phi)$.

4.4 Deposit protocol

When $M$ wants to deposit a coin $(S, \pi)$ to $B$, $M$ just sends the coin $(S, \pi)$ to $B$. The proof $\pi$ should include the security tag $T$, the proof of knowledge $\Phi$ and the random data $R$ provided by the merchant. $B$ checks the validity of $\Phi$ and its consistency with $S$. If $(S, \pi)$ is not a valid coin, $B$ rejects the deposit. Else, $B$ checks whether there is already an entry $(S, \pi')$ in the database. If there is no entry in the database for the serial number $S$, then $B$ accepts the deposit of the coin $(S, \pi)$, credits the account of $pk_M$ and adds $(S, \pi)$ to the database of spent coins. Else, there is an entry $(S, \pi')$ in the database. Then, $B$ checks the freshness of the merchant randomness $R$ in $\pi$ compared to $\pi'$. If it is not fresh, $M$ is cheating and $B$ refuses the deposit. If $R$ is fresh, $B$ accepts the deposit of the coin $(S, \pi)$, credits the account of $pk_M$ and adds $(S, \pi, \pi')$ to the list of double-spenders. For every entry of the database of double-spenders, $B$ can execute the Identify algorithm.


4.5 Identify

The bank can execute the Identify algorithm for every entry $(S, \pi_1, \pi_2)$ of the database of double-spenders. From $\pi_1$ and $\pi_2$, the bank can obtain the values $T_1 \in \pi_1$ and $T_2 \in \pi_2$, where necessarily† $T_1 = g^{u}\,(\tilde{g}_i^{\frac{1}{t+j+1}})^{R_1}$ and $T_2 = g^{u}\,(\tilde{g}_i^{\frac{1}{t+j+1}})^{R_2}$ with the same $pk_U$. Due to the Deposit protocol, it is necessary that $R_1 \neq R_2$. Thus, the bank can compute
$$\left(\frac{T_2^{R_1}}{T_1^{R_2}}\right)^{(R_1 - R_2)^{-1}} = \left(\frac{g^{u R_1}\, \tilde{g}_i^{\frac{R_1 R_2}{t+j+1}}}{g^{u R_2}\, \tilde{g}_i^{\frac{R_1 R_2}{t+j+1}}}\right)^{(R_1 - R_2)^{-1}} = \left(\frac{g^{u R_1}}{g^{u R_2}}\right)^{(R_1 - R_2)^{-1}} = g^{u} = pk_U.$$
The proof of guilt is then $\Pi_G = (\pi_1, \pi_2)$.

† Either this is true or an adversary has succeeded in forging a coin, which is not possible as we see in the next section.
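The coin identifier, security tag, deposit check and Identify computation of Sections 3.5 and 4.3 to 4.5, as an added worked example that is not the paper's code: it evaluates the Dodis-Yampolskiy PRF in a toy Schnorr subgroup with constructed parameters, derives the serial number $S = \tilde{g}_i^{1/(s+j+1)}$ and the tag $T = pk_U (\tilde{g}_i^{1/(t+j+1)})^R$, keeps the bank's spent-coin table with the replay versus double-spending distinction of Section 4.4, and recovers $pk_U = g^u$ from two tags with distinct $R_1 \neq R_2$ by the equation above. The group constants, the SHA-256 reduction used to derive $R$ and the names `Bank`, `identify` and `verify_guilt` are assumptions of this example; the proofs of validity $\Phi$ are assumed to have been checked and are not implemented.

```python
# Added example, not from the paper: serial numbers, security tags, deposit
# bookkeeping and the Identify computation of Sections 3.5 and 4.3-4.5.
# Toy parameters (constructed): subgroup of prime order Q inside Z_P^*.
import hashlib

P = 2039      # constructed safe prime, P = 2*Q + 1
Q = 1019      # prime order of the subgroup; exponents live in Z_Q
G = 4         # generator g, used for pk_U = g^u
G_TILDE = 9   # generator g~_i attached to one monetary value V_i


def inv_exp(a):
    """1/a in Z_Q (Q prime); a must be non-zero modulo Q."""
    a %= Q
    if a == 0:
        raise ValueError("exponent has no inverse modulo Q")
    return pow(a, Q - 2, Q)


def inv_elem(a):
    """Inverse of a group element modulo P."""
    return pow(a, P - 2, P)


def dy_prf(base, seed, x):
    """Dodis-Yampolskiy PRF f_{g,s}(x) = g^{1/(s+x+1)} (Section 3.5)."""
    return pow(base, inv_exp(seed + x + 1), P)


def merchant_challenge(pk_m, date, info):
    """R = H(pk_M || D || info) mapped into Z_Q^* (hash choice is an assumption)."""
    digest = hashlib.sha256(f"{pk_m}|{date}|{info}".encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def serial_number(s, j):
    """S = g~_i^{1/(s+j+1)}: identifier of the coin of rank j (Section 4.3)."""
    return dy_prf(G_TILDE, s, j)


def security_tag(u, t, j, R):
    """T = pk_U * (g~_i^{1/(t+j+1)})^R with pk_U = g^u (Section 4.3)."""
    pk_u = pow(G, u, P)
    return (pk_u * pow(dy_prf(G_TILDE, t, j), R, P)) % P


class Bank:
    """Deposit bookkeeping of Section 4.4 (validity of Phi assumed checked)."""

    def __init__(self):
        self.spent = {}            # S -> (R, T) of the first accepted deposit
        self.double_spenders = []  # entries (S, (R1, T1), (R2, T2))

    def deposit(self, S, R, T):
        if S not in self.spent:
            self.spent[S] = (R, T)
            return "accepted"
        R1, T1 = self.spent[S]
        if R == R1:            # same merchant randomness: merchant replay
            return "rejected"
        self.double_spenders.append((S, (R1, T1), (R, T)))
        return "double-spending"


def identify(R1, T1, R2, T2):
    """(T2^{R1} / T1^{R2})^{(R1 - R2)^{-1}} = g^u = pk_U (Section 4.5)."""
    ratio = (pow(T2, R1, P) * inv_elem(pow(T1, R2, P))) % P
    return pow(ratio, inv_exp(R1 - R2), P)


def verify_guilt(pk_u, R1, T1, R2, T2):
    """Section 4.6: anyone can re-run Identify and compare with pk_U."""
    return identify(R1, T1, R2, T2) == pk_u
```

The cancellation only works because both tags hide the same $\tilde{g}_i^{1/(t+j+1)}$; a fresh $R$ per transaction is therefore what turns a repeated serial number into a usable identification, and a reused $R$ is treated as a merchant replay rather than as evidence against the user.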

4.6 Verify Guilt

From a proof of guilt $\Pi_G = (\pi_1, \pi_2)$, it is possible for everyone to execute the same procedure as the Identify algorithm to check that the public key $pk_U$ is the correct one.

5 Security Arguments

Theorem 1 In the random oracle model, under the y-DDHI assumption and the q-SDH assumption, the e-cash system described in Section 4 is secure w.r.t. the security model described in Section 2.

5.1 Correctness

The correctness is verified by construction.

5.2 Unforgeability

Let $A$ be an adversary who executes $f$ Withdraw protocols with an honest bank. Assume $A$ can break the unforgeability of our scheme. Then, we can construct a machine $E$ with access to $A$ that can break the CL signature scheme based on BBS described in Section 3. We suppose that the machine $E$ has access to a signature oracle $S_{BBS}$ that takes as input a commitment and outputs a signature on the committed values, using the BBS signature scheme. The keys of the signature scheme are chosen and the public key $pk_B = g^{\gamma}$ is given to $E$. $E$ chooses a group $G$ of order $p$ and random elements $g, h_0, \ldots, h_{n+3}, \tilde{g}_1, \ldots, \tilde{g}_n \in G$. $A$ is given the public key $pk_B$ and the previous values. When $A$ executes a Withdraw protocol, $E$ plays the role of the bank as follows:

• $E$ first receives the $J_i$'s and the commitment $C'$. Using the interactive proof of knowledge $U$, $E$ is able to extract $r, u, s', t$ by rewinding $A$.

• $E$ chooses $d$ and $s''$ and computes the commitment $C$. It then asks its oracle $S_{BBS}$ for a signature on $(s = s' + s'', r, u, t, d, x, J_1, \ldots, J_n)$. $S_{BBS}$ is given $C$ and outputs the signature $A$ and a value $x$.

• $E$ then sends $A$, $x$, $d$ and $s''$ to $A$.

After $f$ executions of the Withdraw protocol, $A$ gets $f$ wallets $W_i$. Let $A_f = \{S_{i,j},\ i \in [1, f],\ j \in [0, J_i - 1]\}$ be the list of serial numbers (i.e. coins) after $f$ executions of the Withdraw protocol. Now, suppose that $A$ convinces an honest bank $B$ to accept the valid coin $(S, \pi)$ during a Deposit protocol, where $S \notin A_f$ and $\pi$ is a proof of validity of the coin, that is, a proof of knowledge of a $B$ signature on the secrets $(r, J_1, \ldots, J_n, u, s, t, d)$, plus a proof that the date $D$ is less than the validity date $d$ of the spent coin and a proof that the selected coin belongs to the set $\mathcal{J}_i = \{0, \ldots, J_i - 1\}$. Due to the soundness of the underlying proof of knowledge protocols, we know that $A_f$ contains all valid coins that $A$ can produce, except with negligible probability.
Thus, if $A$ is to succeed at its game, it must convince an honest $B$ to accept a serial number, that is, prove the following statements:

1. $A$ knows a signature from $B$ on the opening of the Pedersen commitments on $r, J_1, \ldots, J_n, u, s, t, d$. $A$ can prove it only with negligible probability assuming the BBS signature is secure under the q-SDH assumption.
2. $D$ is less than the validity date $d$ of the spent coin. $A$ can prove it only with negligible probability under the discrete logarithm assumption.
3. PedCom($j$; $r_j$) opens to an integer in $[1, \ldots, J_i - 1]$. This happens with negligible probability under the discrete logarithm assumption.
4. $S$ is well formed. This is possible only with negligible probability under the discrete logarithm assumption (this assumption will later be subsumed by the y-DDHI assumption [12]).

Thus $A$ succeeds in this case with negligible probability. In this proof, we need to rewind the proofs of knowledge to extract the values from an adversary $A$. So, our theorem is only valid against sequential attacks. In a concurrent setting, our machine may be forced to rewind an exponential number of times. This drawback could be overcome using well-known techniques which would require the user to encrypt $s', r, t, u$ in a verifiable manner [7].

5.3 Identification of double-spenders

Let $\mathcal{E}$ be an extractor that interacts with the adversary $\mathcal{A}$ during the Spend protocol to extract a set of valid serial numbers $A_f = \{S_{i,j},\ i \in [1, f],\ j \in [0, J_i - 1]\}$, as we have done previously for the unforgeability property. Now suppose the honest merchant $\mathcal{M}$ accepts two coins $(S, \pi_1)$ and $(S, \pi_2)$ for some $S \in A_f$. We saw in the unforgeability property that the adversary cannot get an honest merchant to accept $S \notin A_f$. Each $\pi_i$ can be parsed as $(R_i, T_i, \Phi_i)$. Since $\mathcal{M}$ is honest, we know that the $R_i$ are randomly chosen and so $R_1 \neq R_2$ with high probability. Since $S$ is valid, we have $S = \tilde{g}_i^{1/(s+j+1)}$ for some value $j \in [0, J_i - 1]$ and $s \in \mathbb{Z}_p^*$ such that $\mathcal{A}$ knows a signature on $(u, s, t, r, d)$ for some value $(u, r, t)$ that $\mathcal{E}$ extracted. Further, $T_1 = g^u (\tilde{g}^{1/(t+j+1)})^{R_1}$ and $T_2 = g^u (\tilde{g}^{1/(t+j+1)})^{R_2}$ are the unique valid security tags to accompany the serial number $S$ in these two transactions. To deviate from these tags during the Spend protocol, $\mathcal{A}$ must fake the proof $\Phi$, and we saw in the unforgeability proof that this is possible only with negligible probability. Thus, Identify can output the public key of the double-spending user along with the proof. Because VerifyGuilt is only a re-execution of the Identify protocol, it follows that the VerifyGuilt protocol will always accept an honest output of Identify.
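The following Python is an added illustration, not code from the paper: it models the serial number and the two security tags above in a prime-order subgroup of $\mathbb{Z}_p^*$ (a constructed stand-in for the bilinear group $\mathbb{G}$, with constructed generators and wallet secrets) and shows how a bank holding $T_1$ and $T_2$ for the same $S$ with $R_1 \neq R_2$ recovers $g^u$. The Identify computation used, $(T_1^{R_2}/T_2^{R_1})^{1/(R_2 - R_1)}$, is derived here from the two tag equations and is an assumption about how Identify is realised, not a statement taken from the paper.

```python
# Added example (not from the paper): double-spender identification from two
# security tags T1, T2 on the same serial number S, as in Section 5.3.
# Group: the order-q subgroup of Z_p^* for a safe prime p = 2q + 1, a constructed
# stand-in for the bilinear group G of the paper.

def is_prime(n):
    """Trial division; fine for the small constructed parameters used here."""
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))


def safe_prime_group(start):
    """Return (p, q) with q >= start and both q and p = 2q + 1 prime."""
    q = start
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1, q


def serial(gt, p, q, s, j):
    """S = gt^(1/(s+j+1)): the serial number of coin j of a wallet with seed s."""
    return pow(gt, pow((s + j + 1) % q, -1, q), p)


def tag(g, gt, p, q, u, t, j, R):
    """T = g^u * (gt^(1/(t+j+1)))^R: the security tag for merchant challenge R."""
    inner = pow(gt, pow((t + j + 1) % q, -1, q), p)
    return pow(g, u, p) * pow(inner, R, p) % p


def identify(T1, R1, T2, R2, p, q):
    """Recover pk_U = g^u from two tags on the same S with R1 != R2.

    T1^R2 / T2^R1 = g^(u(R2-R1)): the gt factor carries exponent R1*R2/(t+j+1)
    in both terms and cancels. Returns None if the challenges coincide, since a
    single challenge value reveals nothing about u.
    """
    if (R1 - R2) % q == 0:
        return None
    ratio = pow(T1, R2, p) * pow(pow(T2, R1, p), -1, p) % p
    return pow(ratio, pow((R2 - R1) % q, -1, q), p)


def demo():
    """Constructed wallet secrets; returns True if Identify recovers pk_U."""
    p, q = safe_prime_group(1000)
    g, gt = pow(2, 2, p), pow(3, 2, p)   # squares lie in the order-q subgroup
    u, t, j = 123, 789, 2                # user secret, tag seed, coin index
    pk_u = pow(g, u, p)
    T1 = tag(g, gt, p, q, u, t, j, 11)   # two spends of the same coin with
    T2 = tag(g, gt, p, q, u, t, j, 29)   # distinct merchant challenges
    return identify(T1, 11, T2, 29, p, q) == pk_u
```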

5.4 Anonymity

Let the adversary $\mathcal{A}$, representing a colluding bank and merchant, create and publish a public key $pk_B$. Next, $\mathcal{A}$ may request the public key $pk_i$ of any user. The adversary can engage in the Withdraw protocol with any user $i$ as many times as he likes. Finally, $\mathcal{A}$ will be asked to engage in a legal number of Spend protocols with some real user $j$ (with a real wallet $W_j$) or a simulator $\mathcal{S}$ (without $W_j$ or even the knowledge of $j$). The simulator $\mathcal{S}$ is given as input the global parameters and is given control of the input-output access to the adversary $\mathcal{A}$. $\mathcal{S}$ executes each new Spend request by $\mathcal{A}$ as follows:

1. $\mathcal{S}$ fixes its output for the random oracle to be an arbitrary value $R \in \mathbb{Z}_p^*$.
2. $\mathcal{S}$ chooses random values $t, s$ and a random $j \in [0, J_i - 1]$ and computes $S = \tilde{g}_i^{1/(s+j+1)}$ and $T = pk_i (\tilde{g}_i^{1/(t+j+1)})^R$.
3. $\mathcal{S}$ sends to $\mathcal{A}$ the coin $(S, \pi)$, where $\pi = (R, T, \Phi)$ and $\Phi$ is the following simulated signature proof:
   (a) $C_j = \mathrm{PedCom}(j)$, $C_{J_1} = \mathrm{PedCom}(J_1), \ldots, C_{J_n} = \mathrm{PedCom}(J_n)$ and a proof that $C_j$ is a commitment to an integer in the interval $[0, \ldots, J_i - 1]$,
   (b) $C_d = \mathrm{PedCom}(d)$ and a proof that $D$ is less than the validity date $d$ of the spent coin,
   (c) $C_r = \mathrm{PedCom}(r)$, $C_u = \mathrm{PedCom}(u)$, $C_s = \mathrm{PedCom}(s)$, $C_t = \mathrm{PedCom}(t)$ and a simulated proof of knowledge of a signature from $\mathcal{B}$ on $(r, u, s, t, d, J_1, \ldots, J_n)$ (this simulated proof is done using a BBS proof simulator [2]),
   (d) and a real proof that $S = \tilde{g}_i^{1/(s+j+1)}$ and $T = pk_i (\tilde{g}_i^{1/(t+j+1)})^R$.

The output of $\mathcal{S}$ is computationally indistinguishable from the output of a real user. We claim that during the Withdraw protocol, $\mathcal{A}$ did not learn anything meaningful about the set of secrets that is signed, due to the security of the BBS signature. A coin is a tuple $(S, R, T, \Phi)$ where $R$ is chosen by $\mathcal{A}$ or the random oracle, and is thus indistinguishable between the two games. Due to the security of the Dodis-Yampolskiy PRF [12], the coin parts $S$ and $T$ are computationally indistinguishable from random values in $\mathbb{G}$. Finally, the proof is simulated using a BBS signature proof simulator [5], and thus, by the security of the BBS signature, $\mathcal{A}$ distinguishes between Game R and Game I with only negligible probability, based on the q-SDH assumption.

5.5 Exculpability

Let $\mathcal{A}$ be an adversary against the strong exculpability of our scheme. To succeed, $\mathcal{A}$ needs to produce two accepted coins $(S, \pi_1)$ and $(S, \pi_2)$, and the proof of guilt is $\Pi = (\pi_1, \pi_2)$. Furthermore, since the two coins are valid, each proof $\pi_i$ includes a proof of knowledge of the user secret $sk_U = u$. Thus,

• either $\mathcal{A}$ is successful at producing a false proof $\Pi$, which means he is also successful at forging a proof of knowledge, which is possible only with negligible probability,
• or $(S, \pi_1)$ and $(S, \pi_2)$ are both valid coins because they are registered to different users, and so the Identify algorithm will not be able to recover a user's public key.

Acknowledgements

This work has been partially financially supported by the European Commission through the IST Program under Contract IST-2002-507932 ECRYPT. We are grateful to Céline Dulong and Jacques Traoré for their suggestions of improvement.

References

[1] D. Boneh and X. Boyen. Short signatures without random oracles. Advances in Cryptology - Eurocrypt'04, volume 3027 of LNCS, 2004.
[2] D. Boneh, X. Boyen, and H. Shacham. Short group signatures. Advances in Cryptology - Crypto'04, volume 3152 of LNCS, pages 41-55, 2004.
[3] F. Boudot. Efficient proofs that a committed number lies in an interval. Advances in Cryptology - Eurocrypt'00, volume 1807 of LNCS, pages 431-444, 2000.
[4] J. Camenisch, S. Hohenberger, and A. Lysyanskaya. Compact e-cash. Advances in Cryptology - Eurocrypt'05, volume 3494 of LNCS, pages 302-321, 2005.
[5] J. Camenisch and A. Lysyanskaya. Signature schemes and anonymous credentials from bilinear maps. Advances in Cryptology - Crypto'04, volume 3152 of LNCS, pages 56-72, 2004.
[6] S. Canard, A. Gouget, and E. Hufschmitt. A handy multi-coupon system. Applied Cryptography and Network Security - ACNS 2006, volume 3989 of LNCS, pages 66-81, 2006.
[7] J. Camenisch and M. Michels. Proving in zero-knowledge that a number is the product of two safe primes. Advances in Cryptology - Eurocrypt'99, volume 1592 of LNCS, pages 107-122, 1999.
[8] S. Canard and J. Traoré. On fair e-cash systems based on group signature schemes. ACISP'03, volume 2727 of LNCS, pages 237-248, 2003.
[9] A.H. Chan, Y. Frankel, and Y. Tsiounis. Easy come - easy go divisible cash. Advances in Cryptology - Eurocrypt'98, volume 1403 of LNCS, pages 561-575, 1998.
[10] D. Chaum and T. Pedersen. Transferred cash grows in size. Advances in Cryptology - Eurocrypt'92, volume 658 of LNCS, pages 390-407, 1993.
[11] R. Cramer, I. Damgård, and B. Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. Advances in Cryptology - Crypto'94, volume 839 of LNCS, pages 174-187, 1994.
[12] Y. Dodis and A. Yampolskiy. A verifiable random function with short proofs and keys. PKC'05, volume 3386 of LNCS, pages 416-431, 2005.
[13] E. Fujisaki and T. Okamoto. Statistical zero-knowledge protocols to prove modular polynomial relations. Advances in Cryptology - Crypto'97, volume 1294 of LNCS, pages 16-30, 1997.
[14] M. Girault. An identity-based identification scheme based on discrete logarithms modulo a composite number. Advances in Cryptology - Eurocrypt'90, volume 473 of LNCS, pages 481-486, 1991.
[15] T. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. Advances in Cryptology - Crypto'91, volume 576 of LNCS, pages 129-140, 1992.
[16] G. Poupard and J. Stern. Security analysis of a practical "on the fly" authentication and signature generation. Advances in Cryptology - Eurocrypt'98, volume 1403 of LNCS, pages 422-436, 1998.
[17] A. De Santis, G. Di Crescenzo, G. Persiano, and M. Yung. On monotone formula closure of SZK. FOCS 1994, pages 454-465, 1994.
[18] C. P. Schnorr. Efficient identification and signatures for smart cards. Advances in Cryptology - Crypto'89, volume 435 of LNCS, pages 239-252, 1990.
[19] M. Trolin. A stronger definition for anonymous electronic cash. Cryptology ePrint Archive: Report 2006/241, 2006.
