e-cash - Min-Shiang Hwang

How to Make E-cash with
Non-Repudiation and Anonymity
Ronggong Song, Larry Korba
Proceedings of the International Conference on Information Technology:
Coding and Computing
Vol. 2, Apr. 2004,
pp. 167-172
2004-12-22
Adviser: Dr. Min-Shiang Hwang
Speaker: 鍾松剛

The Motivations

E-Cash: easily duplicated
• Bank needs to implement double-spending checking
Double-spending checking does not provide a non-repudiation service
• Non-repudiation service needs a signature
• Signature violates the anonymity of e-cash
[Figure: Bank and Thief]

Partial Blind Digital Signature

M. Abe and E. Fujisaki, “How to Date Blind Signatures”, Advances in Cryptology--ASIACRYPT '96, pp. 244-251
Allows a signer to sign a partially blinded message that includes pre-agreed information, such as an expiry date or collateral conditions, in unblinded form.
Designed to protect the bank’s database from growing without limits
• Expired e-cash can be removed

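Example: Partial blind digital signature

Parties: Alice, Bank (keys e, d), Merchant
v is a predefined message by the bank and contains an expiration date

Alice: randomly choose \(m, r \in Z_n^*\)
Alice: compute \(\alpha \equiv r^{ev} H(m) \bmod n\)
Alice → Bank: \(\alpha, v\)
Bank: verify the correctness of v
Bank: compute \(t \equiv \alpha^{(ev)^{-1}} \bmod n \equiv r\,H(m)^{(ev)^{-1}} \bmod n\)
Bank: deduct w dollars
Bank → Alice: \(t\)
Alice: compute \(s \equiv r^{-1} t \bmod n \equiv H(m)^{(ev)^{-1}} \bmod n\)
Alice: e-cash \((m, s, v)\)
Alice → Merchant: \((m, s, v)\)
Merchant → Bank: Deposit \((m, s, v)\)
Verify v; \(s^{ev} \equiv H(m) \bmod n\)
Bank: Verify; add w dollars to payee’s account
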
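The blind, sign, unblind and verify steps of the example above, as an added Python example (not code from the slides or the cited papers). Assumptions: the demo bank modulus is built from two publicly known primes, e = 65537, v is mapped to an odd exponent by a hypothetical tau() with a bank-chosen counter suffix, and all function names are illustrative.

```python
import hashlib
import math
import secrets

# Assumption: demo-only bank key from two publicly known primes, so n is
# trivially factorable. A real bank generates secret p, q.
P, Q = 2**255 - 19, 2**127 - 1
N, E, PHI = P * Q, 65537, (P - 1) * (Q - 1)

def H(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def tau(v: str) -> int:
    # Hypothetical encoding of the unblinded part v as an odd integer.
    return H(b"v|" + v.encode()) | 1

def bank_make_v(expiry: str, amount: str) -> str:
    # The bank predefines v. The counter suffix (an assumption) is raised
    # until e*tau(v) is invertible mod phi(n); only the bank can check this.
    ctr = 0
    while math.gcd(E * tau(f"{expiry}|{amount}|{ctr}"), PHI) != 1:
        ctr += 1
    return f"{expiry}|{amount}|{ctr}"

def alice_blind(m: bytes, v: str):
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:                  # r must be in Z*_n
        r = secrets.randbelow(N - 2) + 2
    return pow(r, E * tau(v), N) * H(m) % N, r  # alpha = r^(ev) H(m) mod n

def bank_sign(alpha: int, v: str) -> int:
    # The bank sees v in the clear but only the blinded alpha, never m.
    d_v = pow(E * tau(v), -1, PHI)              # (ev)^-1 mod phi(n)
    return pow(alpha, d_v, N)                   # t = alpha^((ev)^-1) mod n

def alice_unblind(t: int, r: int) -> int:
    return pow(r, -1, N) * t % N                # s = r^-1 t mod n

def verify(m: bytes, s: int, v: str) -> bool:
    return pow(s, E * tau(v), N) == H(m)        # s^(ev) == H(m) mod n

if __name__ == "__main__":
    v = bank_make_v("31/12/2005", "$100.00")    # constructed sample values
    m = secrets.token_bytes(16)                 # coin serial chosen by Alice
    alpha, r = alice_blind(m, v)
    s = alice_unblind(bank_sign(alpha, v), r)
    v_late = bank_make_v("31/12/2099", "$100.00")
    print("coin verifies:", verify(m, s, v))
    print("verifies under a later expiry:", verify(m, s, v_late))
```

Two blindings of the same m give the bank different values of α but unblind to the same s, and a coin presented with a different expiry date in v fails verification.
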
Architecture
[Figure: CA, Bank, Alice, Merchant]

Protocol’s Sketch Map
[Figure: message flow among Bank, Alice and Merchant. Labels: (buy e-cash); (temporal PK)Blind_sign; (e-cash)temporal SK; Deducts w dollars; verify; (license)SK_M; …; verify; Reply; e-cash; Useless]

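E-cash Issue Protocol

Alice: \(PK_T = (e_t, n_t)\), \(SK_T = (d_t, p_t, q_t)\); \(e_A, d_A\)
Bank: \(e_b, d_b\)
v’s format: dd/mm/yyyy (expiration date), $xxx.xx (balance)

Alice: \(\alpha \equiv r^{e_b v} H(e_t \| n_t) \bmod n_b\)
Alice: \(\mathrm{Sign}_A = [H(\mathrm{ID}_A, \mathrm{Account}_A, \mathrm{PK}_A, \alpha, v, \mathrm{Time}_A)]^{d_A} \bmod n_A\)
Alice → Bank: \(\mathrm{ID}_A, \mathrm{Account}_A, \mathrm{PK}_A, \alpha, v, \mathrm{Time}_A, \mathrm{Sign}_A\)
Bank: verify \(\mathrm{Account}_A, \mathrm{Time}_A, \mathrm{Sign}_A, v\)
Bank: \(\beta = \alpha^{(e_b v)^{-1}} \bmod n_b = r\,H(e_t \| n_t)^{(e_p v)^{-1}}\)
Bank: \(\mathrm{Sign}_B = [H(\mathrm{ID}_A, \mathrm{ID}_B, \beta, \mathrm{Time}_B)]^{d_b} \bmod n_b\)
Bank: debit $$ from \(\mathrm{Account}_A\)
Bank → Alice: \(\mathrm{ID}_A, \mathrm{ID}_P, \beta, \mathrm{Time}_B, \mathrm{Sign}_B\)
Alice: verify \(\mathrm{Time}_B, \mathrm{Sign}_B\)
Alice: \(s \equiv r^{-1} \beta \bmod n_b\)
Alice: e-cash \((e_t, n_t, v, s)\)
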
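On-line Shopping Protocol

Alice: \(PK_T = (e_t, n_t)\), \(SK_T = (d_t, p_t, q_t)\); e-cash \((e_t, n_t, v, s)\) with \(s = H(e_t \| n_t)^{(e_p v)^{-1}}\)
Bank: \(e_P, d_P\)

Alice: select e-goods
Alice: \(\mathrm{Sign}_t = [H(\mathrm{Cost}, \mathrm{Account}_M, \text{e-cash}, \mathrm{Time}_A) \,\|\, H(\text{e-goods})]^{d_t} \bmod n_t\)
Alice → Merchant: e-goods, Cost, \(\mathrm{Account}_M\), e-cash, \(\mathrm{Time}_A\), \(\mathrm{Sign}_t\)
Merchant: verify
Merchant: EMD = h(e-goods)
Merchant → Bank: Cost, \(\mathrm{Account}_M\), e-cash, \(\mathrm{Time}_A\), EMD, \(\mathrm{Sign}_t\)
Bank: verify
Bank: \(s' = [H(e_t, n_t, v, s, R_M)]^{d_b} \bmod n_b\)
Bank: \(\mathrm{Sign}_B = [H(\mathrm{Receipt}_M, \text{e-cash}, R_M, s', \mathrm{Time}_B)]^{d_b} \bmod n_b\)
Bank → Merchant: \(\mathrm{Receipt}_M\), e-cash, \(R_M\), \(s'\), \(\mathrm{Time}_B\), \(\mathrm{Sign}_B\)
Merchant: verify
Merchant: \(\mathrm{Sign}_M = [H(\mathrm{License}, \mathrm{Receipt}_A, \text{e-cash}, R_M, s', \mathrm{Time}_M)]^{d_M} \bmod n_M\)
Merchant → Alice: License, \(\mathrm{Receipt}_A\), e-cash, \(R_M\), \(s'\), \(\mathrm{Time}_M\), \(\mathrm{Sign}_M\)
Alice: e-cash \((e_t, n_t, v, s, R_M, s')\)
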
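E-cash Renew Protocol

Alice: \(e_A, d_A\); \(s' = [H(e_t, n_t, v, s, R_M)]^{d_b} \bmod n_b\)
Bank: \(e_b, d_b\)
v’s format: dd/mm/yyyy, $xxx.xx

Alice: fill a new e-cash form \(v'\)
Alice: \(\alpha \equiv r^{e_b v'} H(e_t \| n_t) \bmod n_b\)
Alice: \(\mathrm{Sign}_t = [h(\alpha, v, e_t, n_t, v', s', \mathrm{Time}_t)]^{d_t} \bmod n_t\)
Alice → Bank: \(\alpha, v, e_t, n_t, v', s', \mathrm{Time}_t, \mathrm{Sign}_t\)
Bank: verify
Bank: \(\beta = \alpha^{(e_b v')^{-1}} \bmod n_b = r\,H(e_t \| n_t)^{(e_p v')^{-1}}\)
Bank: \(\mathrm{Sign}_B = [H(e_t, n_t, v', s', \beta, \mathrm{Time}_B)]^{d_b} \bmod n_b\)
Bank → Alice: \(e_t, n_t, v', s', \beta, \mathrm{Time}_B, \mathrm{Sign}_B\)
Alice: verify \(\mathrm{Time}_B, \mathrm{Sign}_B\)
Alice: \(s'' \equiv r^{-1} \beta \bmod n_b\)
Alice: e-cash \((e_t, n_t, v', s'')\)
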
Protocol Characteristics

Strong privacy protection
• An anonymous temporary public key is embedded into the partial blind signature
• Unlinkability: no one can determine the customer
• The format and content of message v are the same as those of other e-cash.
Non-repudiation
• Signature is useful if there is a dispute later
Strong safety protection
• Other people cannot spend the e-cash without the private key

Security Analysis

Passive attacks
• All messages are protected with the SSL security channels
Active attacks
• Replay attacks: can be defeated by time stamp
• Modification attacks: can be defeated by signature

Conclusion
[Figure: Bank, Merchant, Customer. Labels: Denying, Double-spending, Losing, misusing, stealing]