E-cash for Dummies

Divisible e-cash can be truly anonymous
Sébastien Canard* and Aline Gouget **
* France Télécom R&D Division, France.
** Gemalto, Security Labs, France.
Wednesday, May 23, 2007.
Outline
- Electronic cash
- Divisible e-cash schemes
- General construction of a strongly unlinkable and truly anonymous divisible e-cash scheme
- Application using the construction of Nakanishi-Sugiyama
- Conclusion
Sébastien Canard, Aline Gouget
2
Electronic cash systems
[Figure: the protocols of an e-cash system: Withdraw, Spend, Deposit, then detection of double-spending, Identify and Verify Guilt]
Security properties
- Unforgeability of coins
- Anonymity
  - Weak anonymity: anonymity of the user
  - Strong anonymity: anonymity of the user + unlinkability of the spendings
- Identification of cheaters
- Exculpability
Divisible e-cash
- A user first withdraws a divisible coin and next spends it part by part
- Each divisible coin of monetary value $2^L$ is assigned to a binary tree of $L+1$ levels
- Divisibility rule: when a node N is used, none of its descendant and ancestor nodes can be used, and no node can be used more than once
- Over-spending is prevented iff this rule is satisfied
Divisible e-cash schemes
- Many off-line divisible e-cash schemes have been proposed
- First « practical » divisible e-cash scheme
  - Proposed by [Okamoto, Crypto'95] and improved by [Chan, Frankel and Tsiounis, Eurocrypt'98]
  - Both schemes provide anonymity of users but not unlinkability
    - it is possible to link several spends from a single divisible coin
- First unlinkable divisible e-cash scheme
  - Proposed by [Nakanishi and Sugiyama, ISW'00]
  - Requires a TTP
  - The unlinkability is not strong since the merchant and the bank know which part of the coin is spent
- None of the divisible e-cash schemes of the state of the art provides both strong unlinkability and true anonymity of users
Overview of our « truly anonymous » e-cash system
- Withdrawal phase between B and U
  - B signs in a blind manner U's secret key and a « master serial number »
- Spending phase between U and M
  - U computes a valid serial number S (allows detection of double-spending)
  - U computes a valid security tag T (masks the spender's identity)
  - U proves that S and T are well-formed
- The identity of the spender is recovered only in case of double-spending
General description
- Each divisible coin of monetary value $2^L$ is assigned to a binary tree of $L+2$ levels
General description
- Each node of the tree (including the leaves) is related to a tag key with the following properties:
  - From the tag key $K_{i,b_0}$ of a node N, it is possible for everyone to compute the tag keys related to the descendants of N:
    $F : (K_{i,b_0}, b, \mathrm{Params}) \mapsto K_{i+1,b} = F(K_{i,b_0}, b, \mathrm{Params})$
  - From the tag key of a node, it is impossible to compute a tag key which is not related to a descendant of the targeted node
- Withdrawal protocol
  - The root tag key and the user secret key are signed (in a blind manner) by the bank
General description
- Spending protocol
  - U computes the tag key of the node N (at level $i = L - n$) he wants to spend
  - From the tag key of N, U computes the serial number S
    - Concatenation of the tag keys related to the two direct descendants of the spent node
  - From the tag key of N, U computes the security tag T
    - Verifiable encryption of the user identity (including randomness)
  - U proves to M that S and T are well-formed
  - A spending corresponds to a triplet $(S, T, \Phi)$
- Detection of double-spending
  - From S and i, B can compute all the tag keys of the descendant leaves of S
    - Without knowing which node has been spent
Identification of a double-spender
- Double spending: $(S = K_{j,0} \| K_{j,1},\ T,\ \Phi)$ and $(S' = K_{j',0} \| K_{j',1},\ T',\ \Phi')$
  - $S = S'$
    - The cheater identity can be recovered from T and T'
  - $S'$ is an ancestor of $S$
    - The secret tag key used to compute T can be recovered using $S'$
Divisible e-Cash System DCS
- Based on the binary tree proposed by [Nakanishi and Sugiyama, ISW'00]
- The function F used to compute the tag keys is the modular exponentiation
- For each level i, there are three linked generators:
  - $g_{i,0}$ for the left child
  - $g_{i,1}$ for the right child
  - $g_{i,2}$ to compute the security tag
- Example:
  - The tag key of a node of level $i-1$ is denoted by $K_{i-1,b_0}$
  - Computation of the left child's tag key: $K_{i,b} = g_{i,0}^{\,K_{i-1,b_0}}$
  - Computation of the security tag related to the tag key $K_{i,b}$: $T = pk_U \cdot g_{i+1,2}^{\,K_{i,b} \cdot R}$
Withdrawal protocol
- Camenisch-Lysyanskaya signature scheme [Crypto'04]
  - Efficient protocol for a user to get a signature from a signer on committed values
  - Efficient proof of knowledge of a signature on committed values
Spending protocol
- U wants to spend a sub-coin of value $2^n$ from his divisible coin $C = (s, u, r, \sigma)$
- U chooses an unspent node of level $i = L - n$
- U receives from M a random value $rand$ and computes:
  $R = H(pk_M \| rand)$
  $V = g_{i,b}^{\;\cdots\; g^{s}}$ (the tag key of the chosen node, obtained from the root key s by iterated exponentiation)
  $S = g_{i+1,0}^{\,V} \| g_{i+1,1}^{\,V}$
  $T = pk_U \cdot g_{i+1,2}^{\,V \cdot R}$
- U has to prove the validity of S and T
  - U computes a zero-knowledge proof of knowledge of a signature of B on the values $(s, u, r)$ and that S and T are correctly computed, using the Fiat-Shamir heuristic
  - Strong unlinkability is achieved using proofs of the "OR" statement (one per level)
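The following Python is an added example, not the authors' code: a toy instantiation of the mechanics on the General description, Identification, DCS and Spending protocol slides. It assumes a small group (the order-Q subgroup of Z_P^* with P = 2^127 - 1), hash-derived generators g_{i,0}, g_{i,1}, g_{i,2} per level, a user key pk_U = g^{sk}, constructed values for s, pk_M and rand, and that the merchant forwards R to the bank at deposit; the zero-knowledge proof Φ and the blind CL signature are omitted. It shows the tag-key tree built by modular exponentiation, the spend triplet (S, T), the bank deriving all descendant level-(L+1) keys from S and i to detect a collision, and identification of the double-spender in both the S = S' and the ancestor case.

```python
import hashlib

# Toy group: P = 2^127 - 1 (prime); Q = 77158673929 is a prime factor of P - 1
# (it divides 2^63 + 1), so x^((P-1)/Q) lands in the subgroup of order Q.
# Constructed for this example, far too small for real use.
P = (1 << 127) - 1
Q = 77158673929
L = 3                      # coin value 2^L; the tree has L+2 levels (0 .. L+1)

def gen(level, c):
    """Derive the public generator g_{level,c} of the order-Q subgroup
    (c = 0: left child, 1: right child, 2: security tag). Hash-derived
    generators are an assumption of this example."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(b"gen|%d|%d|%d" % (level, c, ctr)).digest(), "big") % P
        g = pow(x, (P - 1) // Q, P)
        if g != 1:
            return g
        ctr += 1

G = {(i, c): gen(i, c) for i in range(L + 2) for c in range(3)}

def tag_key(s, path):
    """Tag key of the node reached from the root key s by the bit string
    `path` (node level = len(path)): K_{i,b} = g_{i,b_i}^{K_{i-1,parent}} mod P."""
    k = s
    for i, bit in enumerate(path, start=1):
        k = pow(G[(i, bit)], k, P)
    return k

def children(level, k):
    """Public derivation of the two child tag keys of a level-`level` node."""
    return pow(G[(level + 1, 0)], k, P), pow(G[(level + 1, 1)], k, P)

def spend(s, pk_u, path, pk_m, rand):
    """User side: spend the node `path` (level i, value 2^(L-i)). The proof
    Phi is omitted. Returns (S, T, i, R); R is also known to M and later to B."""
    i = len(path)
    v = tag_key(s, path)
    R = int.from_bytes(hashlib.sha256(pk_m + rand).digest(), "big") % Q   # R = H(pk_M || rand)
    S = children(i, v)                                   # S = g_{i+1,0}^V || g_{i+1,1}^V
    T = pk_u * pow(G[(i + 1, 2)], (v * R) % Q, P) % P    # T = pk_U * g_{i+1,2}^{V R}
    return S, T, i, R

def level_keys(S, i, target):
    """Bank side: from S (the two level-(i+1) keys) derive every descendant
    tag key at level `target`, without learning which node was spent."""
    keys = list(S)
    for lvl in range(i + 1, target):
        keys = [c for k in keys for c in children(lvl, k)]
    return keys

class Bank:
    """Deposit database keyed by level-(L+1) tag keys: two spends collide
    iff the spent nodes are equal or one is an ancestor of the other."""
    def __init__(self):
        self.seen = {}

    def deposit(self, S, T, i, R):
        """Return None if accepted, else the earlier spend that collides."""
        leaves = level_keys(S, i, L + 1)
        for leaf in leaves:
            if leaf in self.seen:
                return self.seen[leaf]
        for leaf in leaves:
            self.seen[leaf] = (S, T, i, R)
        return None

def identify(a, b):
    """Recover pk_U from two colliding spends a = (S, T, i, R), b = (S', T', i', R')."""
    (S, T, i, R), (S2, T2, i2, R2) = a, b
    if S == S2:
        # Same node spent twice with R != R': T^{R'} / T'^{R} = pk_U^{R'-R},
        # so pk_U is the (R'-R)^{-1}-th power of that quotient.
        quot = pow(T, R2, P) * pow(pow(T2, R, P), -1, P) % P
        return pow(quot, pow((R2 - R) % Q, -1, Q), P)
    if i2 < i:                                    # make `a` the ancestor spend
        (S, T, i, R), (S2, T2, i2, R2) = b, a
    # The ancestor's S' yields the tag key V of the descendant node (public
    # derivation); then pk_U = T / g_{i+1,2}^{V R}.
    for v in level_keys(S, i, i2):
        if children(i2, v) == S2:
            return T2 * pow(pow(G[(i2 + 1, 2)], (v * R2) % Q, P), -1, P) % P
    return None
```

The bank stores only the level-(L+1) keys derived from S and i, so it never learns which node was spent, while a spend of the same node or of any ancestor/descendant necessarily reuses some of those keys. In the ancestor case the bank recovers V purely from the public child-derivation function, which is why the ancestor's S' suffices to strip pk_U out of the descendant's T.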
Security arguments
Theorem: In the random oracle model, the DCS scheme is secure:
- If the CL signature scheme is unforgeable, then DCS is unforgeable.
- Under the DDH assumption, DCS is unlinkable.
- If the CL signature scheme is unforgeable, then DCS permits the identification of double-spenders.
- Under the DL assumption, DCS has the exculpability property.
Conclusion and open problems
- We proposed the first off-line divisible e-cash scheme providing both strong unlinkability and true anonymity
  - The true anonymity of users is achieved without impacting the performance of the spending protocol
  - However, the spending of a small number of coins at a time is still expensive due to the use of double-exponentiation proofs during the spending phase
- Open problems:
  - Improve the efficiency of the spending phase
  - Find a method to detect double-spending without computing $2^L$ serial numbers for a divisible coin of monetary value $2^L$
Zero-knowledge proof of knowledge
$\Phi = PK\big(\sigma, s, u, r, \tilde r, \ldots :$
$\quad \sigma = \mathrm{Sign}(s, pk_U; r)$
$\quad \wedge\ V_0 = g^{s} h^{\tilde r}$
$\quad \wedge\ (V_1 = g_{1,0}^{\,\cdots} \ \vee\ V_1 = g_{1,1}^{\,\cdots})$
$\quad \wedge\ \cdots$
$\quad \wedge\ (V_{i+1} = g_{i+1,0}^{\,\cdots} \ \vee\ V_{i+1} = g_{i+1,1}^{\,\cdots})$
$\quad \wedge\ LK = g_{i+1,0}^{\,\cdots} \ \wedge\ RK = g_{i+1,1}^{\,\cdots} \ \wedge\ T = pk_U \cdot g_{i+1,2}^{\,R \cdot \cdots}\big)$
Proof of unlinkability
- In fact, we embed an instance of the Matching Multi Diffie-Hellman (MMDH) problem
- MMDH can be used to solve DDH
  - Matching Multi Diffie-Hellman (MMDH) problem
  - Decisional Multi Diffie-Hellman (DMDH) problem
  - Derived Decisional Diffie-Hellman (DDDH) problem
  - Decisional Diffie-Hellman (DDH)
- Decision oracles are equivalent to matching oracles [Handschuh, Tsiounis, Yung, PKC'99]
- MMDH ⇒ DMDH ⇒ DDDH ⇒ DDH
  $(g, g^x, g^y, g^z) \mapsto (g_1 = g,\ g_2 = g^x,\ g_1^{a} = g^y,\ g_2^{b} = g^z)$
  $(g_1, g_2, g_1^{a}, g_2^{b}) \mapsto (h = g_1,\ h_1,\ h_2 = g_2,\ h^{a} = g_1^{a},\ h_1 h_2^{b} = h_1 g_2^{b})$
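Carrying the first mapping of the unlinkability slide through in its own symbols, as an added derivation that is not part of the original slides, shows why a matching oracle answers the DDH question:

Set $g_1 = g$, $g_2 = g^x$, $g_1^{a} = g^{y}$ and $g_2^{b} = g^{z}$. Reading off the (unknown) exponents gives
$$a = y, \qquad b = z \cdot x^{-1},$$
so that
$$a = b \iff y = z \cdot x^{-1} \iff z = xy .$$
Equivalently, $g_2^{\,a} = (g^x)^{y} = g^{xy}$ while $g_2^{\,b} = g^{z}$, so the pair $(g_1^{a}, g_2^{b})$ is a matching pair exactly when $(g, g^x, g^y, g^z)$ is a Diffie-Hellman tuple. An oracle that decides whether the two exponents match therefore decides DDH, which is the sense in which MMDH can be used to solve DDH.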