OFF-LINE ELECTRONIC CASH SYSTEMS BASED ON A SECURE COALITION-RESISTANT GROUP BLIND SIGNATURE SCHEME

Analele Universităţii Oradea, Fasc. Matematica, Tom XIV (2007)

CONSTANTIN POPESCU AND HOREA OROS

Abstract. Secure and efficient electronic payment systems are significant for electronic commerce. Fangguo [9] proposed a fair electronic cash system with multiple banks based on the group signature scheme of Camenisch [5] and the group blind signature scheme of Lysyanskaya [11]. Ateniese proved in [1] that these group signature schemes do not satisfy the property of coalition-resistance. In this paper we extend the electronic cash system of Fangguo by using a secure coalition-resistant group blind signature scheme. The main benefits of our off-line electronic cash system, compared to the scheme of Fangguo, relate to the underlying group signature scheme's improved efficiency and provable security.

2000 Mathematics Subject Classification. 94A60, 11T71, 14G50.
Key words and phrases. Cryptography, electronic cash system, group blind signatures.

1. Introduction

The first electronic cash system was suggested by Chaum [7]. Chaum used the technique of blind signatures in order to guarantee the privacy of users. Von Solms and Naccache showed in [18] that anonymity could be used for blackmailing or money laundering by criminals without revealing their identities. Fair electronic cash systems have been suggested independently by Brickell, Gemmel and Kravitz [3] and Stadler, Piveteau and Camenisch [16] as a solution to prevent blackmailing and money laundering. The efficiency and the security of the scheme in [3] were later improved in [10]. Also, various fair electronic cash systems using group signature schemes have been proposed in [6], [12], [14], [17]. Traore [17] proposed a solution that combines a group signature scheme and a blind signature scheme in order to design a fair off-line electronic cash system. Recently, Qiu et al. [15] presented a new electronic cash system using a combination of a group signature scheme and a blind signature scheme. Canard and Traore [6] and Choi, Zhang and Kim [8] suggested that Qiu's system does not provide the anonymity of the customers.

In the above electronic cash systems, the electronic coins are issued by one bank. However, in practice it is more convenient to use electronic coins issued by multiple banks of a country. Each of these banks can issue electronic coins of its own. These banks form a group under the control of an authorized party such as the Central Bank of the country. Fangguo [9] proposed a fair electronic cash system with multiple banks based on the group signature scheme of Camenisch [5] and the group blind signature scheme of Lysyanskaya [11]. In their payment system, they used the group signature scheme of Camenisch and Stadler [5] for large groups, which is not secure: Ateniese proved in [1] that this group signature scheme does not satisfy the property of coalition-resistance. In this paper we extend the electronic cash system of Fangguo [9] by using a secure coalition-resistant group blind signature scheme [13].

The remainder of this paper is organized as follows. In the next section, we present a model for off-line electronic cash systems with multiple banks. Then, we present our off-line electronic payment system in Section 3. Furthermore, we discuss some aspects of security and efficiency in Section 4. Finally, Section 5 concludes the paper.

2. The Model for Off-line Electronic Cash Systems

In the model of Fangguo [9] there are many banks. These banks form a group under the control of the Central Bank. The Central Bank plays the role of the group manager in a group signature scheme. In an off-line electronic cash system with multiple banks [9], the following parties are involved: the Central Bank $B$, many local banks $B_1, B_2, \ldots, B_t$, a trusted third party $T$, some customers $C_1, C_2, \ldots, C_z$ and some merchants $M$. The basic model for an off-line electronic cash system with multiple banks is presented in Figure 1. The model includes the following protocols:

(1) Registration Protocol. The customer $C$ establishes the relationship of his identity to the trusted third party, so that the trusted third party can revoke the customer's anonymity when necessary. At the same time the customer gets a certificate issued by the trusted third party that proves his registration.
(2) Open Account Protocol. The customer $C_i$ opens his account in his bank $B_i$.
(3) Withdrawal Protocol. The customer $C_i$ withdraws an electronic coin from his bank $B_i$.
(4) Payment Protocol. The customer $C_i$ purchases goods from the merchant $M$ and pays the coin to the merchant $M$.
(5) Deposit Protocol. The merchant $M$ deposits the received coin to his account in his bank $B_j$.
(6) Trace Protocol. When illegal acts like blackmailing, money laundering and illegal purchases are disclosed, the bank $B_j$ sends the received coin to the Central Bank. Then the Central Bank finds the bank $B_i$, and the customer $C_i$ can be traced with the help of the trusted third party.

3. The Proposed Off-line Electronic Cash System

In the proposed electronic cash system all banks form a group with the Central Bank as group manager, and all customers also form a group with a trusted third party as group manager. Each bank can issue coins using the technique of the group blind signature scheme.

3.1. The Registration Protocol. The Central Bank uses the group signature scheme of Ateniese, Camenisch, Joye and Tsudik [13] in order to select the following parameters:

(1) Let $k$, $l_p$ and $\epsilon > 1$ be security parameters and let $\lambda_1, \lambda_2, \gamma_1, \gamma_2$ denote lengths satisfying $\lambda_1 > \epsilon(\lambda_2 + k) + 2$, $\lambda_2 > 4 l_p$, $\gamma_1 > \epsilon(\gamma_2 + k) + 2$ and $\gamma_2 > \lambda_1$. Define the integral ranges $\Lambda = \,]2^{\lambda_1} - 2^{\lambda_2},\ 2^{\lambda_1} + 2^{\lambda_2}[$ and $\Gamma = \,]2^{\gamma_1} - 2^{\gamma_2},\ 2^{\gamma_1} + 2^{\gamma_2}[$.
(2) Select random secret $l_p$-bit primes $p', q'$ such that $p = 2p' + 1$ and $q = 2q' + 1$ are prime. Set the modulus $n = pq$. It is a good habit to restrict operation to the subgroup of quadratic residues modulo $n$, i.e., the cyclic subgroup $QR(n)$ generated by an element of order $p'q'$, because the order $p'q'$ of $QR(n)$ has no small factors.
(3) Choose random elements $a, a_0, g, h \in QR(n)$ of order $p'q'$.
(4) Choose a random secret element $x \in \mathbb{Z}_{p'q'}$ and set $y = g^x \bmod n$.
(5) Finally, let $H$ be a collision-resistant hash function $H : \{0,1\}^* \to \{0,1\}^k$.
(6) The group public key is $P = (n, a, a_0, H, y, g, h, l_G, \lambda_1, \lambda_2, \gamma_1, \gamma_2)$.
(7) The corresponding secret key is $S = (p', q', x)$. This is the Central Bank's secret key.

The trusted third party executes the same steps as the Central Bank to set up its parameters, with the following modifications:

(1) Choose random elements $a', a'_0, g', h' \in QR(n)$ of order $p'q'$.
(2) Choose a random secret element $x' \in \mathbb{Z}_{p'q'}$ and set $y' = g'^{x'} \bmod n$.

(3) The group public key is $P' = (n, a', a'_0, H, y', g', h', l_G, \lambda_1, \lambda_2, \gamma_1, \gamma_2)$.
(4) The corresponding secret key is $S' = (p', q', x')$. This is the secret key of the trusted third party.

A bank $B_i$ joins the group of banks and gets its membership certificate. To obtain its membership certificate, each bank $B_i$ must perform the following protocol with the Central Bank:

(1) $B_i$ generates a secret key $x_i \in \Lambda$. The corresponding public key is $y_i = a^{x_i} \bmod n$. The bank $B_i$ also proves to the Central Bank that the discrete logarithm of $y_i$ with respect to base $a$ lies in the interval $\Lambda$ (see [4]).
(2) The Central Bank sends to the bank $B_i$ its new membership certificate $(A_i, e_i)$, where $e_i$ is a random prime chosen by the Central Bank such that $e_i \in \Gamma$, and $A_i$ has been computed by the Central Bank as $A_i = (y_i a_0)^{1/e_i} \bmod n$.
(3) The Central Bank creates a new entry in the membership table and stores $(A_i, e_i)$ in it.

When a customer $C_i$ registers with the trusted third party, he gets a membership certificate and becomes a legal member of the customer group. To obtain his membership certificate, each customer $C_i$ must perform the following protocol with the trusted third party:

(1) $C_i$ generates a secret key $x'_i \in \Lambda$. The corresponding public key is $y'_i = a'^{x'_i} \bmod n$. The customer $C_i$ also proves to the trusted third party that the discrete logarithm of $y'_i$ with respect to base $a'$ lies in the interval $\Lambda$ (see [4]).
(2) The trusted third party sends to the customer $C_i$ his new membership certificate $(A'_i, e'_i)$, where $e'_i$ is a random prime chosen by the trusted third party such that $e'_i \in \Gamma$, and $A'_i$ has been computed by the trusted third party as $A'_i = (y'_i a'_0)^{1/e'_i} \bmod n$.
(3) The trusted third party creates a new entry in the membership table and stores $(A'_i, e'_i)$ in it.

3.2. The Withdrawal Protocol. The withdrawal protocol involves the customers and the banks. A customer has his account number in his bank $B_i$. When the customer wants to withdraw an electronic coin, he first performs a protocol with $B_i$ to authenticate his identity and his account number. If this succeeds, the customer generates an electronic coin $m$ and gets the group blind signature of $B_i$ on $m$ by performing the following protocol.

The bank $B_i$ does the following:

(1) Computes
$$\tilde A = A_i y^{x_i} \pmod n,\quad \tilde B = g^{x_i} \pmod n,\quad \tilde D = g^{e_i} h^{x_i} \pmod n \tag{3.1}$$
(2) Chooses random values $r_1 \in \pm\{0,1\}^{\epsilon(\gamma_2+k)}$, $r_2 \in \pm\{0,1\}^{\epsilon(\lambda_2+k)}$, $r_3 \in \pm\{0,1\}^{\epsilon(\gamma_1+2l_p+k+1)}$, $r_4 \in \pm\{0,1\}^{\epsilon(2l_p+k)}$ and computes
$$\tilde t_1 = \tilde A^{r_1} / (a^{r_2} y^{r_3}),\quad \tilde t_2 = \tilde B^{r_1} / g^{r_3},\quad \tilde t_3 = g^{r_4},\quad \tilde t_4 = g^{r_1} h^{r_4} \tag{3.2}$$
(3) Sends $(\tilde A, \tilde B, \tilde D, \tilde t_1, \tilde t_2, \tilde t_3, \tilde t_4)$ to the customer.

In turn, the customer does the following:

(1) Chooses $\alpha_1, \alpha_2, \alpha_3, \alpha_4, \delta \in_R \{0,1\}^{\epsilon(l_p+k)}$ and computes
$$t_1 = a_0^{\delta}\, \tilde t_1\, \tilde A^{\alpha_1 - \delta 2^{\gamma_1}} / (a^{\alpha_2 - \delta 2^{\lambda_1}} y^{\alpha_3}),\quad t_2 = \tilde t_2\, \tilde B^{\alpha_1 - \delta 2^{\gamma_1}} / g^{\alpha_3} \tag{3.3}$$
$$t_3 = \tilde t_3\, \tilde B^{\delta} g^{\alpha_4},\quad t_4 = \tilde t_4\, \tilde D^{\delta} g^{\alpha_1} h^{\alpha_4} \tag{3.4}$$
(2) Computes
$$c = H(m \| g \| h \| y \| a_0 \| a \| \tilde A \| \tilde B \| \tilde D \| t_1 \| t_2 \| t_3 \| t_4) \tag{3.5}$$
$$\tilde c = c - \delta \tag{3.6}$$
(3) Sends $\tilde c$ to the signer.

The bank $B_i$ does the following:

(1) Computes
$$\tilde s_1 = r_1 - \tilde c\,(e_i - 2^{\gamma_1}),\quad \tilde s_2 = r_2 - \tilde c\,(x_i - 2^{\lambda_1}) \tag{3.7}$$
$$\tilde s_3 = r_3 - \tilde c\, e_i x_i,\quad \tilde s_4 = r_4 - \tilde c\, x_i \tag{3.8}$$

(2) Sends $(\tilde s_1, \tilde s_2, \tilde s_3, \tilde s_4)$ to the customer.

The customer does the following:

(1) Computes
$$s_1 = \tilde s_1 + \alpha_1,\quad s_2 = \tilde s_2 + \alpha_2,\quad s_3 = \tilde s_3 + \alpha_3 \tag{3.9}$$
$$s_4 = \tilde s_4 + \alpha_4,\quad A = \tilde A^{\,H(c \| s_1 \| s_2 \| s_3 \| s_4)} \bmod n \tag{3.10}$$
$$B = \tilde B^{\,H(c \| s_1 \| s_2 \| s_3 \| s_4)} \bmod n,\quad D = \tilde D^{\,H(c \| s_1 \| s_2 \| s_3 \| s_4 \| A \| B)} \bmod n \tag{3.11}$$
(2) The resulting group blind signature of the message $m$ is $\sigma = (c, s_1, s_2, s_3, s_4, A, B, D)$.

3.3. The Payment Protocol. The payment protocol involves the customers and the merchant.

(1) The customer sends to the merchant the group blind signature $\sigma = (c, s_1, s_2, s_3, s_4, A, B, D)$ of the message $m$.
(2) The merchant first verifies the validity of the group blind signature $\sigma = (c, s_1, s_2, s_3, s_4, A, B, D)$ with the public key $P$ as follows:
(a) Computes
$$b_1 = 1 / H(c \| s_1 \| s_2 \| s_3 \| s_4) \tag{3.12}$$
$$b_2 = 1 / H(c \| s_1 \| s_2 \| s_3 \| s_4 \| A \| B) \tag{3.13}$$
$$t'_1 = a_0^{c} A^{b_1 (s_1 - c 2^{\gamma_1})} / (a^{s_2 - c 2^{\lambda_1}} y^{s_3}) \bmod n \tag{3.14}$$
$$t'_2 = B^{b_1 (s_1 - c 2^{\gamma_1})} / g^{s_3} \bmod n \tag{3.15}$$
$$t'_3 = B^{c b_1} g^{s_4} \bmod n \tag{3.16}$$
$$t'_4 = D^{c b_2} g^{s_1 - c 2^{\gamma_1}} h^{s_4} \bmod n \tag{3.17}$$
$$c' = H(m \| g \| h \| y \| a_0 \| a \| A^{b_1} \| B^{b_1} \| D^{b_2} \| t'_1 \| t'_2 \| t'_3 \| t'_4) \tag{3.18}$$

(b) Accepts the group blind signature if and only if
$$c = c' \tag{3.19}$$
$$s_1 \in \pm\{0,1\}^{\epsilon(\gamma_2+k)+1},\quad s_2 \in \pm\{0,1\}^{\epsilon(\lambda_2+k)+1} \tag{3.20}$$
$$s_3 \in \pm\{0,1\}^{\epsilon(\lambda_1+2l_p+k+1)+1},\quad s_4 \in \pm\{0,1\}^{\epsilon(2l_p+k)+1} \tag{3.21}$$
(3) The customer computes $m' = H(c \| s_1 \| s_2 \| s_3 \| s_4 \| A \| B \| D)$ and signs $m'$ using the group signature scheme proposed by Ateniese, Camenisch, Joye and Tsudik [13]:
(a) Chooses a random integer $w \in \{0,1\}^{2l_p}$ and computes
$$T_1 = A'_i\, y'^{w} \pmod n,\quad T_2 = g'^{w} \pmod n,\quad T_3 = g'^{e'_i} h'^{w} \pmod n \tag{3.22}$$
(b) Randomly chooses
$$r_1 \in \pm\{0,1\}^{\epsilon(\gamma_2+k)},\quad r_2 \in \pm\{0,1\}^{\epsilon(\lambda_2+k)} \tag{3.23}$$
$$r_3 \in \pm\{0,1\}^{\epsilon(\gamma_1+l_p+k+1)},\quad r_4 \in \pm\{0,1\}^{\epsilon(2l_p+k)} \tag{3.24}$$
(c) Computes
$$d_1 = T_1^{r_1} / (a'^{r_2} y'^{r_3}),\quad d_2 = T_2^{r_1} / g'^{r_3},\quad d_3 = g'^{r_4},\quad d_4 = g'^{r_1} h'^{r_4} \tag{3.25}$$
(d) Computes
$$c_1 = H(m' \| g' \| h' \| y' \| a'_0 \| a' \| T_1 \| T_2 \| T_3 \| d_1 \| d_2 \| d_3 \| d_4) \tag{3.26}$$
$$s_1 = r_1 - c_1 (e'_i - 2^{\gamma_1}),\quad s_2 = r_2 - c_1 (x'_i - 2^{\lambda_1}) \tag{3.27}$$
$$s_3 = r_3 - c_1 e'_i w,\quad s_4 = r_4 - c_1 w \tag{3.28}$$
(e) The resulting group signature of the message $m'$ is $(c_1, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$.
(4) The customer sends the merchant the group signature $(c_1, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$ of the message $m'$.
(5) The merchant verifies the group signature $(c_1, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$ of the message $m'$ with the public key $P'$ as follows:

(a) Computes
$$d'_1 = a_0'^{\,c_1}\, T_1^{s_1 - c_1 2^{\gamma_1}} / (a'^{s_2 - c_1 2^{\lambda_1}} y'^{s_3}) \bmod n \tag{3.29}$$
$$d'_2 = T_2^{s_1 - c_1 2^{\gamma_1}} / g'^{s_3} \bmod n \tag{3.30}$$
$$d'_3 = T_2^{c_1} g'^{s_4} \bmod n \tag{3.31}$$
$$d'_4 = T_3^{c_1} g'^{s_1 - c_1 2^{\gamma_1}} h'^{s_4} \bmod n \tag{3.32}$$
$$c'_1 = H(m' \| g' \| h' \| y' \| a'_0 \| a' \| T_1 \| T_2 \| T_3 \| d'_1 \| d'_2 \| d'_3 \| d'_4) \tag{3.33}$$
(b) Accepts the group signature if and only if
$$c_1 = c'_1 \tag{3.34}$$
$$s_1 \in \pm\{0,1\}^{\epsilon(\gamma_2+k)+1},\quad s_2 \in \pm\{0,1\}^{\epsilon(\lambda_2+k)+1} \tag{3.35}$$
$$s_3 \in \pm\{0,1\}^{\epsilon(\gamma_1+l_p+k+1)+1},\quad s_4 \in \pm\{0,1\}^{\epsilon(2l_p+k)+1} \tag{3.36}$$

3.4. The Deposit Protocol. The deposit protocol involves the merchant and the bank $B_j$ as follows:

(1) The merchant sends to the bank $B_j$ the group signature $(c_1, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$ on the message $m'$ and the group blind signature $\sigma = (c, s_1, s_2, s_3, s_4, A, B, D)$ of the message $m$.
(2) The bank $B_j$ first verifies the validity of the group signature $(c_1, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$ using the same operations as the merchant (see step 5 of subsection 3.3).
(3) If the group signature $(c_1, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$ is valid, the bank $B_j$ verifies the validity of the group blind signature $\sigma = (c, s_1, s_2, s_3, s_4, A, B, D)$ using the same operations as the merchant (see step 2 of subsection 3.3). If the group blind signature $\sigma$ is valid and the coin $m$ was not deposited before, the bank $B_j$ accepts the coin $m$ and then the merchant sends the goods to the customer.
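As an added worked example (not code from the paper), the following Python implements the Ateniese-Camenisch-Joye-Tsudik group signature that the customer produces and the merchant verifies in steps (3) and (5) of the payment protocol, together with the manager's setup and the join step of the registration protocol and the opening computation $A_i = T_1 / T_2^{x}$ used by the trace protocol. The toy parameter sizes, the two safe primes, SHA-256 truncated to $k$ bits as $H$ and the '||' concatenation are assumptions of mine, far too small for real use; the bank's blind variant in the withdrawal protocol wraps this same signing with the blinding values $\alpha_1, \ldots, \alpha_4, \delta$.

```python
import hashlib, math, random

# Toy parameters, constructed for illustration only (a real l_p is ~1024 bits); they satisfy step (1).
L_P, K, EPS = 11, 32, 1.1                 # l_p, k and epsilon
LAM2 = 4 * L_P + 1; LAM1 = int(EPS * (LAM2 + K)) + 3   # lambda_2 > 4 l_p, lambda_1 > eps(lambda_2+k)+2
GAM2 = LAM1 + 1;    GAM1 = int(EPS * (GAM2 + K)) + 3   # gamma_2 > lambda_1, gamma_1 > eps(gamma_2+k)+2
P, PP, Q, QP = 2039, 1019, 3023, 1511     # safe primes p = 2p'+1, q = 2q'+1 (toy sizes)
N, ORDER = P * Q, PP * QP                 # modulus n and the order p'q' of QR(n)
R = {1: int(EPS * (GAM2 + K)), 2: int(EPS * (LAM2 + K)),        # bit lengths of r_1..r_4
     3: int(EPS * (GAM1 + L_P + K + 1)), 4: int(EPS * (2 * L_P + K))}

def is_prime(n, rounds=40):               # Miller-Rabin, used to pick the prime e_i in Gamma
    d, s = n - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(s - 1)):
            return False
    return True

def H(*parts):                            # the paper's H: {0,1}* -> {0,1}^k, over 'a||b||...'
    d = hashlib.sha256("||".join(map(str, parts)).encode()).digest()
    return int.from_bytes(d, "big") >> (256 - K)

def setup():                              # manager: a, a0, g, h in QR(n) of order p'q', y = g^x
    def qr_gen():
        while True:
            e = pow(random.randrange(2, N), 2, N)
            if math.gcd(e, N) == 1 and pow(e, PP, N) != 1 and pow(e, QP, N) != 1: return e
    a, a0, g, h = (qr_gen() for _ in range(4))
    x = random.randrange(1, ORDER)
    return dict(a=a, a0=a0, g=g, h=h, y=pow(g, x, N)), dict(x=x)

def join(pub):                            # member picks x_i in Lambda, gets (A_i, e_i)
    xi = random.randrange(2**LAM1 - 2**LAM2 + 1, 2**LAM1 + 2**LAM2)
    ei = random.randrange(2**GAM1 - 2**GAM2 + 1, 2**GAM1 + 2**GAM2) | 1
    while not is_prime(ei): ei += 2       # walk to the next prime inside Gamma
    Ai = pow(pow(pub["a"], xi, N) * pub["a0"] % N, pow(ei, -1, ORDER), N)  # (y_i a0)^(1/e_i), needs p'q'
    return dict(x=xi, A=Ai, e=ei)

def sign(pub, mem, m):                    # steps (a)-(e) of the customer's group signature
    a, a0, g, h, y = (pub[k] for k in ("a", "a0", "g", "h", "y"))
    w = random.getrandbits(2 * L_P)
    T1, T2, T3 = mem["A"] * pow(y, w, N) % N, pow(g, w, N), pow(g, mem["e"], N) * pow(h, w, N) % N
    r1, r2, r3, r4 = (random.choice((1, -1)) * random.getrandbits(R[i]) for i in (1, 2, 3, 4))
    d1 = pow(T1, r1, N) * pow(a, -r2, N) * pow(y, -r3, N) % N      # T1^r1 / (a^r2 y^r3)
    d2 = pow(T2, r1, N) * pow(g, -r3, N) % N                       # T2^r1 / g^r3
    d3, d4 = pow(g, r4, N), pow(g, r1, N) * pow(h, r4, N) % N
    c = H(m, g, h, y, a0, a, T1, T2, T3, d1, d2, d3, d4)
    s1, s2 = r1 - c * (mem["e"] - 2**GAM1), r2 - c * (mem["x"] - 2**LAM1)
    return (c, s1, s2, r3 - c * mem["e"] * w, r4 - c * w, T1, T2, T3)

def verify(pub, m, sig):                  # recompute d'_1..d'_4 as in (3.29)-(3.32)
    a, a0, g, h, y = (pub[k] for k in ("a", "a0", "g", "h", "y"))
    c, s1, s2, s3, s4, T1, T2, T3 = sig
    u = s1 - c * 2**GAM1                                           # s_1 - c 2^gamma_1
    d1 = pow(a0, c, N) * pow(T1, u, N) * pow(a, c * 2**LAM1 - s2, N) * pow(y, -s3, N) % N
    d2 = pow(T2, u, N) * pow(g, -s3, N) % N
    d3, d4 = pow(T2, c, N) * pow(g, s4, N) % N, pow(T3, c, N) * pow(g, u, N) * pow(h, s4, N) % N
    in_range = all(abs(s).bit_length() <= R[i] + 1 for i, s in enumerate((s1, s2, s3, s4), 1))
    return in_range and c == H(m, g, h, y, a0, a, T1, T2, T3, d1, d2, d3, d4)  # c == c' (3.34)

def open_sig(sec, sig):                   # trace protocol step (2): A_i = T1 / T2^x mod n
    return sig[5] * pow(sig[6], -sec["x"], N) % N
```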

If the coin $m$ was deposited before, double spending is detected. Then the bank $B_i$ and the trusted third party can identify the dishonest customer.

3.5. The Trace Protocol. The bank $B_j$ can legally trace the customer of a paid coin with the help of the Central Bank. The bank $B_j$ sends the group signature $(c_1, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$ and the group blind signature $\sigma = (c, s_1, s_2, s_3, s_4, A, B, D)$ of the message $m$ to the Central Bank. The Central Bank will find the bank $B_i$ that issued the coin $m$ using the open protocol of the group blind signature scheme [13]. When the bank $B_i$ is found, the bank $B_i$ and the trusted third party will find the dishonest customer using the open protocol of the group signature scheme [2]. To open a group signature $(c_1, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$ and reveal the identity of the dishonest customer (e.g., a double spender) who created it, the trusted third party performs the following steps:

(1) Verifies the validity of the group signature $(c_1, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$ with the public key $P'$ using the same operations as the merchant (see step 5 of subsection 3.3).
(2) Computes $A'_i = T_1 / T_2^{x'} \bmod n$ and generates a proof that $\log_{g'} y' = \log_{T_2} (T_1 / A'_i)$.
(3) Searches the group member list for the identity of the customer $C_i$ corresponding to $A'_i$.

4. Security Considerations

In this section we discuss some aspects of the security of our off-line electronic cash system with multiple banks. We state the theorems and sketch the proofs, showing that the proposed system satisfies the following properties: unforgeability of coins, security against money laundering and anonymity of honest customers.

Theorem 4.1. If the group blind signature scheme is secure against forgery and the hash function $H$ is collision-resistant, the e-cash system is secure against forgery of coins.

Proof. Since the group blind signature scheme is secure against forgery, only a legal bank can generate the blind signature on the coin $m$. As the hash function $H$ is collision-resistant, the customer cannot forge the coin $m$. Furthermore, by the coalition-resistance property of the group blind signature scheme, a coalition of banks cannot produce a valid group blind signature that the Central Bank is unable to open.

Theorem 4.2. Assuming that the group signature scheme and the group blind signature scheme are computationally secure, the off-line e-cash system with multiple banks is secure against money laundering.

Proof. Since the trusted third party knows the relation between a customer's identity and his secret key, money laundering is prevented: when money laundering happens, the trusted third party reveals the identity of the dishonest customer using the trace protocol.

Theorem 4.3. The e-cash system achieves anonymity with respect to the bank, that is, it is infeasible for the bank to trace legal customers without the help of the trusted third party.

Proof. Assuming that the group signature scheme and the group blind signature scheme are computationally secure, our system is secure against the tracing of an honest customer by the bank. Identifying the actual honest customer is computationally hard for everyone but the trusted third party, due to the group signature scheme. Also, since the group blind signature $\sigma$ gives the bank no information about the coin $m$, the bank cannot link the blind coin with the identity of the customer. Therefore, it is infeasible for the bank to trace honest customers without the help of the trusted third party.

5. Conclusion

In this paper we proposed an off-line electronic cash system with multiple banks based on a secure coalition-resistant group blind signature scheme. Our scheme is an extension of the electronic cash scheme of Fangguo. The main benefits of our off-line electronic cash system, compared to the scheme of Fangguo, relate to the underlying group signature scheme's improved efficiency and provable security.

References

[1] G. Ateniese, G. Tsudik, Some open issues and new directions in group signatures, Proceedings of Financial Cryptography (FC 99), Anguilla, British West Indies, 1999.
[2] G. Ateniese, J. Camenisch, M. Joye, G. Tsudik, A Practical and Provably Secure Coalition-Resistant Group Signature Scheme, Proceedings of Crypto 2000, Santa Barbara, USA, 2000.
[3] E. Brickell, P. Gemmel, D. Kravitz, Trustee-based tracing extensions to anonymous cash and the making of anonymous change, Proceedings of the 6th ACM-SIAM.
[4] J. Camenisch, M. Michels, A group signature scheme with improved efficiency, Proceedings of Asiacrypt 98, Beijing, China, 1998.
[5] J. Camenisch, M. Stadler, Efficient group signature schemes for large groups, Proceedings of Crypto 97, Santa Barbara, USA, 1997.
[6] S. Canard, J. Traore, On fair e-cash systems based on group signature schemes, Proceedings of ACISP 2003.
[7] D. Chaum, Blind signatures for untraceable payments, Proceedings of EUROCRYPT 82.
[8] H. Choi, F. Zhang, K. Kim, Electronic cash system based on group signatures with revokable anonymity, Proceedings of Workshop of Korea Information Security Institute.
[9] Z. Fangguo, Z. Futai, W. Yumin, An off-line electronic cash systems with multiple banks, Proceedings of Information Security for Global Information Infrastructures.
[10] M. Gaud, J. Traore, On the anonymity of fair off-line e-cash systems, Proceedings of Financial Cryptography, 2003.

[11] A. Lysyanskaya, Z. Ramzan, Group blind signature: A scalable solution to electronic cash, Proceedings of Financial Cryptography (FC 98), Anguilla, British West Indies, 1998.
[12] G. Maitland, C. Boyd, Fair electronic cash based on a group signature scheme, Proceedings of ICICS 2001, Xian, China, 2001.
[13] C. Popescu, A Secure and Efficient Group Blind Signature Scheme, Studies in Informatics and Control Journal, vol. 12(4).
[14] C. Popescu, Svein J. Knapskog, An Off-line Payment System Based on a Group Blind Signature Scheme, Proceedings of the 3rd Conference on Security and Network Architectures (SAR 04), La Londe, Côte d'Azur, France.
[15] W. Qiu, K. Chen, D. Gu, A new off-line privacy protecting e-cash system with revokable anonymity, Proceedings of ISC 2002.
[16] M. Stadler, J.M. Piveteau, J. Camenisch,
 Fair blind signatures, Proceedings of Eurocrypt 95.
[17] J. Traore, Group signatures and their relevance to privacy-protecting off-line electronic cash systems, Proceedings of Information Security and Privacy, Wollongong, Australia, 1999.
[18] B. Von Solms, D. Naccache, On blind signatures and perfect crimes, Computers and Security, 11 (6), 1992.

Received 9 January 2007

Department of Mathematics and Computer Science, University of Oradea, Str. Universitatii 1, Oradea, Romania
E-mail address: cpopescu@uoradea.ro