Secure Electronic Cash Scheme with Anonymity Revocation

Kang, Baoyuan; Xu, Danhui

doi:https://doi.org/10.1155/2016/2620141

Mobile Information Systems

On this page

Abstract Introduction Conclusion Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2016 | Article ID 2620141 | https://doi.org/10.1155/2016/2620141

Secure Electronic Cash Scheme with Anonymity Revocation

Baoyuan Kang¹and Danhui Xu¹

Academic Editor: Francesco Gringoli

Received08 Sept 2015

Revised14 Dec 2015

Accepted01 Mar 2016

Published26 Apr 2016

Abstract

In a popular electronic cash scheme, there are three participants: the bank, the customer, and the merchant. First, a customer opens an account in a bank. Then, he withdraws an -cash from his account and pays it to a merchant. After checking the electronic cash’s validity, the merchant accepts it and deposits it to the bank. There are a number of requirements for an electronic cash scheme, such as, anonymity, unforgeability, unreusability, divisibility, transferability, and portability. Anonymity property of electronic cash schemes can ensure the privacy of payers. However, this anonymity property is easily abused by criminals. In 2011, Chen et al. proposed a novel electronic cash system with trustee-based anonymity revocation from pairing. On demand, the trustee can disclose the identity for -cash. But, in this paper we point out that Chen et al.’s scheme is subjected to some drawbacks. To contribute secure electronic cash schemes, we propose a new offline electronic cash scheme with anonymity revocation. We also provide the formally security proofs of the unlinkability and unforgeability. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

1. Introduction

Due to the fast progress of computer networks and Internet, information technology is used in electronic commerce. Many electronic commerce services can be found over the internet. So, an electronic payment mechanism is necessary for electronic commerce. And electronic payment is one of the key issues of electronic commerce development. To realize the digitalization of traditional cash and electronic payment, in 1983, Chaum suggested the first electronic cash scheme [1]. Popularly, in an electronic cash scheme, there are three participants: the bank, the customer, and the merchant. First, a customer opens an account in a bank. Then, he withdraws an -cash from his account and pays it to a merchant. After checking the electronic cash’s validity, the merchant accepts it and deposits it to the bank. For security and efficiency, there are a number of requirements for an electronic cash scheme, such as anonymity, unforgeability, unreusability, divisibility, transferability, and portability [2]. Some of them are listed below.

Anonymity/Unlinkability. The customer of the cash must be anonymous. As long as the coin is spent legitimately, neither the merchant nor the bank can identify the customer of the coin.

Unforgeability. Only authorized banks can generate electronic cash.

Unreusability. The electronic cash cannot be reused. The scheme can detect the malicious customer, who spends the cash twice.

Electronic cash schemes can be divided into two categories: online and offline. In online schemes, as paying a coin to a merchant, the bank must attend to validate the coin and detect its reuse. But, in offline schemes, double spending can only be figured out when the merchant deposits the coin to the bank in the next phase. After Chaum’s scheme, a lot of electronic cash schemes [3–9] have been proposed based on blind signatures and restrictive blind signatures. Afterward, many more complex schemes have been proposed [10–13]. Recently, Eslami and Talebi proposed an untraceable electronic cash scheme [2] and claimed that their scheme satisfies all main security requirements, such as anonymity, unreusability, and date attachability. However, Baseri et al. [14] showed that Eslami and Talebi’s scheme is subjected to some weaknesses in perceptibility of double spender, unforgeability, and date attachability. Baseri et al. also contributed a novel electronic cash scheme.

Untraceable electronic cash is an attractive payment tool for electronic commerce because its anonymity property can ensure the privacy of payers. However, this anonymity property is easily abused by criminals. In 2011, Chen et al. [15] proposed an electronic cash system with trustee-based anonymity revocation from pairing. On demand, the trustee can disclose the identity of the owner of an -cash. Chen et al. claimed that their scheme is the first attempt to incorporate mutual authentication and key agreement into -cash protocols and their scheme satisfies the security requirements of untraceability, verifiability, unforgeability, and anonymity revocation. But, in 2012, Chang [16] claimed that he finds some weaknesses of Chen et al.’s scheme. Then, Chen et al. [17] immediately provided a response to rebut Chang’s attacks. By thoroughly investigating Chen et al.’s scheme, we find that, despite Chang’s attacks being really wrong, Chen et al.’s scheme is surely insecure. Chen et al.’s scheme is subjected to some drawbacks. (1) The first flaw is the attack on the unforgeability by the dishonest customer. (2) The second flaw is the attack on double spending owner tracing. (3) The third flaw is the potential bank attack.

To contribute secure electronic cash schemes, we propose a new offline electronic cash scheme with anonymity revocation. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

The remainder of this paper is organized as follows. Related concept of bilinear pairing and CDH problem are introduced in Section 2. In Section 3, we show some weaknesses of Chen et al.’s scheme. In Section 4 we propose a new electronic cash scheme with anonymity revocation. In Section 5 we show the verifiability of the proposed scheme. Double spender detection is covered in Section 6. In Section 7 we show that the proposed scheme satisfies uncheatability of merchants. Provable security of our scheme is covered in Section 8. In Section 9 we compare our scheme with the others. Finally conclusions are given in Section 10.

2. Preliminary

2.1. The Bilinear Pairing

Let be a cyclic additive group generated by , whose order is a prime , and let be a cyclic multiplicative group of the same order. Let be a pairing map which satisfies the following conditions:(1)Bilinearity: for any , we have . In particular, for any , .(2)Nondegeneracy: there exists , such that .(3)Computability: there is an efficient algorithm to compute for all .

2.2. The CDH Problem

Let be a cyclic additive group of prime order and a generator of . The computational Diffie-Hellman (CDH) problem is to compute for given .

3. Effective Attacks on Chen et al.’s Scheme

In this section, we show the drawbacks of Chen et al.’s scheme [15]. For the sake of brevity, we omit the review of Chen et al.’s scheme. To know Chen et al.’s scheme in detail, readers can read literature [15].

3.1. Attack on the Unforgeability by the Dishonest Customer

When the customer obtains an -cash , he can randomly select and forge -cash , because the -cash satisfiesSo,Then,That is to say, the customer forges a valid -cash .

Of course, in payment protocol, when the merchant gets an -cash from customers, he also can similarly forge -cash. Further, these forged -cash make the scheme fail in double spending owner tracing, because it is impossible to find the customer identity from .

Note that is a signature on and . Furthermore, does not play distinction function to an -cash. is only a randomly selected number. Any customer can randomly choose any for their -cash. If has some function, it is only to certain customer. It is not strange that different customers may choose same for their -cash. So, this attack is a successful forgery.

3.2. Attack by the Dishonest Merchant

In practice, there are always many merchants from different shops. After receiving an -cash from a customer, the merchant may spend to another merchant. This attack is correct due to the fact that the verification equation is only related to . And no extra information should be provided by customers in the verification process. Later, even if the bank finds double spending, the bank and the trustee cannot find real double spender, because the double spender may not be the customer himself.

3.3. Potential Attack by the Bank

However, in payment protocol, the only verification to the -cash is to examine whether the following equation holds:But, when let ( is a randomly selected number in ) in the above equation, thenSo, the bank can randomly select and . Then Let , to generate an -cash .

This apparently violates the withdrawal protocol above the customer and the bank together performing a blind signature function to complete the -cash withdrawal.

4. Our Proposed Scheme

Based on an id-based signature scheme [21] proposed by Hess and an efficient id-based blind signature [22] proposed by Zhang and Kim, we propose an offline electronic cash scheme with anonymity revocation. In the proposed scheme there are four participants: Trustee , the bank , the customer , and the merchant . There are five protocols: license issuing, withdrawal, payment, deposit, and -cash owner tracing. Here any communication between any two entities should be encrypted, and this can be done by incorporating mutual authentication and key agreement protocols, likely in [15]. Here, for brevity, we omit those encryptions in five protocols.

4.1. System Setup

In this stage, the Key Generation Center (KGC) chooses a cyclic additive group which is generated by with prime order and chooses a cyclic multiplicative group of the same order and a bilinear map . KGC also chooses a random as the master key and sets public and chooses cryptographic hash functions , . The system parameter list is .

When the customer submits his identity, to the KGC, the KGC computes the public key and private key for the customer . Similarly, the KGC generates the public/private key pairs , , and for Trustee , the Bank , and the Merchant , respectively.

4.2. License-Issuing Protocol

Before withdrawing -cash from the bank, customer needs to ask trustee to issue him a license. The following steps describe the protocol, which is also illustrated in Box 1.

(1) Customer selects four random numbers, , and sends to Trustee .

(2) chooses a random number, , and computes as . Here is a symmetric encryption algorithm, and is a secret key.

(3) To sign on , trustee selects a random number, , and computes

The trustee also signs on ; here , . , and . selects a random number, , and computes

After that, trustee stores to the database and sends to the customer .

(4) The customer computes

and checks whether

If so, The customer obtains the license, and the signature on .

4.3. Withdrawal Protocol

To complete the -cash withdrawal, customer and bank together perform the following steps. This protocol is also illustrated in Box 2.

(1) Customer sends to the bank .

(2) first computesand checks whether

If so, the bank selects a random number, , computes , and sends to the customer .

(3) The customer selects two random numbers, , computesand sends to the bank .

(4) The bank computesand sends to the customer .

(5) Customer computesand checks whetherIf so, the customer obtains an -cash .

4.4. Payment Protocol

When the customer wants to spend his cash at the shop, the customer and the merchant do the following steps. This protocol is also illustrated in Box 3.

(1) Customer sends to the merchant .

(2) The merchant checks whetherIf so, he selects a random number and computesThen he sends to the customer .

(3) The customer computesand checks whetherIf so, he computesThen he sends to the merchant .

(4) The merchant checks whetherand computesand checks whetherIf so, the merchant accepts the payment.

4.5. Deposit Protocol

When the merchant wants to deposit the received -cash into his account in the bank , the following steps are done between the bank and the merchant . This protocol is also illustrated in Box 4.

(1) The merchant sends to the bank .

(2) The bank first checks whether the coin exists in its deposit. If the coin exists, it runs the double spender detection procedure. Else, the bank computesand checks whetherIf the above four equations hold, the bank accepts the coin, stores it in the deposit table, and transfers money to the merchant .

4.6. Revoking the Anonymity

In the case that an -cash is abused by a criminal, whether the cash is spent twice or not, the trustee can revoke the anonymity of the -cash by the provided by the bank. As soon as the trustee receives the request of revoking anonymity, checks his database to find record and computes the identity information by using his secret key .

5. Verifiability of the Proposed Scheme

Firstly, we show that the blind license can be verified by equationSince.

Secondly, we show that the -cash can be verified by equationIn fact,

Thirdly, we show that the signature on by merchant can be verified by equationSince.

Fourthly, we show that the information can be verified by the equationsIn fact,

Finally, we show that the signature on by trustee can be verified by the equationSince

6. Double Spender Detection

In the case that the customer spends an -cash twice or more, the bank can computeThen, the bank checks its databases in the withdrawal protocol to find the record and knows the identity information of the malicious customer .

Here and are information the customer sends to the merchant in payment phase in twice consumption, respectively. In fact,So,Hence, the bank can compute and obtain the identity information of the malicious customer .

7. Uncheatability of Merchants

When the customer sends -cash to the merchant, the merchant computes signature on . When the merchant sends to the customer, the customer first verifies it using the public key of the merchant . When satisfies the verification equation, the customer sends to the merchant. If later the merchant uses -cash and to spend to other merchants and cheats the customer, the customer can show the merchant’s signature to some arbitration agency. So, the scheme can effectively resist merchants cheat attack.

8. Provable Security

In this section, we show that the proposed scheme satisfies the property of unlinkability and unforgeability.

Definition 1 (the linkability game). Let be a security parameter and let and be two customers. , and the bank are involved in the following game.
Step 1. The bank outputs two Licenses and .
Step 2. We randomly choose a bit and place and on the private input tapes of and , respectively. The bit will not be disclosed to the bank .
Step 3. The bank and two customers perform the withdrawal protocol of the proposed scheme.
Step 4. If and output two -cash and on their private tapes, respectively, we give the two 3 tuples in a random order to the bank; otherwise, is given to .
Step 5. The bank outputs as the guess of . wins the game if . We define the advantage of as

Definition 2 (unlinkability). The proposed scheme satisfies the unlinkability property if the advantage is negligible.

Theorem 3. The proposed scheme satisfies the unlinkability property.

Proof of Theorem 3. We consider the condition in Definition 1. Let be one of the two -cash given to the bank and let be the view of the bank in one of the withdrawal protocols. It is sufficient to show that there exist two random factors that map to . We knowSo, by equation , there is a unique . Then, by equation , there is a unique . Furthermore, when and are correctly computed, the following equation holds:So, it holds when . It is to say that always exists regardless of the values and . Therefore, even an infinitely powerful bank outputs a correct value with probability of exactly . So, the proposed scheme satisfies the unlinkability property.

Definition 4 (the forgeability game). The adversary F and the challenger A play the following game.
Step 1. The challenger A takes a security parameter and generates the public parameters params and sends params to the adversary F.
Step 2. The adversary F can perform polynomially bounded number of hash queries, extract queries, and -cash queries. These three kinds of queries answer the hash function, private key, and -cash query by the adversary F, respectively.
Step 3. The adversary F outputs a tuple . This tuple satisfies the following requirements:(1) is a valid -cash with regard to the bank .(2)The adversary F has never requested the private key of the bank .(3) has never been queried during the -cash query.

Definition 5 (unforgeability). An adversary F is said to be an -forger if it has advantage at least in the above game, runs in time at most , and makes at most , , and extract, -cash, and hashing queries, respectively. A scheme is said to be -secure against A in the sense of unforgeable against -cash existential forgery attack if no -forger exists.

Theorem 6. If the CDH problem is hard, then the proposed scheme is secure against -cash existential forgery attack.

Proof of Theorem 6. Suppose that F is a forger who can forge -cash in the proposed scheme. A CDH instance is given for , By using the forgery algorithm F, we will construct an algorithm A which outputs the CDH solution in . Algorithm A performs the following simulation by interacting with the forger F.
Setup. Algorithm A sets and starts by giving F the system parameters including .
At any time, F can query the random oracle and extract and cash queries. To answer these queries, A does the following.
-Queries. At any time F can query the random oracle . To respond to these queries, A maintains a list -list of tuples as explained below. When an identity is submitted to the oracle, A responds as follows: If the query already appears on the -list in a tuple , A responds with . Otherwise, A generates a random coin . If then A computes for a random ; If then A computes . A adds the tuple to -list and responds to F with .
-Queries. To respond to -Queries, A maintains a list referred to as -list of tuples . When F queries the oracle at , A responds as follows: If the query already appears on the -list in a tuple , then A responds with . Otherwise, A generates a random and adds the tuples to -list and responds to F with .
Extract Queries. When F queries the private key corresponding to , A first finds the corresponding from the -list. If , then A fails and halts. Otherwise, A computes the private key by using the tuple in the -list and responds to F with .
Cash Queries. If F requests an -cash on under , A responds to this query as follows: A first finds the corresponding tuple from -list and chooses one random number and computes . If already appears on the -list, A chooses another and tries again. Otherwise, A computes and stores on the -list. Then A responds to F with . Indeed, the output is valid -cash on for . In fact,Output. If A does not abort as a result of F’s extract query, then F’s view is identical to its view in the real attack. By Forking Lemma, after replying F with the same random tape, A obtains two valid -cash:Correspondingly, there are two valid signatures and , becauseSo, by the security proof of [22], A obtains .
This completes the proof.

9. Comparisons

In this section, we compare our scheme with [15, 18–20] in some features, communication efficiency, and computation cost. The features are anonymity/unlinkability, unforgeability, verification, double-spending owner tracing, anonymity revocation, and uncheatability of merchant. Our scheme satisfies all of above features, but the others do not. We show the comparison result in Table 1. In Table 2, we compare the communication efficiency of our scheme with other schemes. Fan et al.’s scheme [18] and Zhang et al.’s scheme [20] are not trustee based, and therefore they do not have license-issuing protocol and owner tracing protocol. Juang’s scheme [19] also does not have license-issuing protocol and owner tracing protocol but has the initializing phase and recovering phase. For comparison, the numbers of rounds of initializing phase and recovering phase in Juang’s scheme are computed to license-issuing protocol and owner tracing protocol, respectively. By Table 2, the proposed scheme demonstrates better communication efficiency under enhanced security. Our scheme and schemes [15, 20] are all id-based scheme using bilinear pairings. So, in Table 3, we compare the computation cost of our scheme with schemes [15, 20]. It is necessary to illustrate that Zhang et al.’s scheme [20] has no license-issuing protocol and owner tracing protocol and for fair comparison, we have not computed the computation cost of encryption and its related computation cost in Chen et al.’s scheme. Compared with Chen et al.’s scheme, there are eleven more pairings computations in the proposed scheme. These eleven pairings computations are in payment protocol and deposit protocol and useful to prevent the merchant from cheat. In practice, we can use elliptic curves to reduce the computation cost of bilinear pairings.

10. Conclusion

In this paper, we show that Chen et al.’s electronic cash scheme is suffering from some weaknesses in unforgeability and merchant frauds. To contribute a secure scheme, we propose a new offline electronic cash scheme with anonymity revocation. We also provide the formally security proofs of the unlinkability and unforgeability. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

Competing Interests

The authors declare that they have no competing interests.

Acknowledgments

This work is supported by the Applied Basic and Advanced Technology Research Programs of Tianjin (no. 15JCYBJC15900).

References

D. Chaum, “Blind signatures for untraceable payments,” in Crypto 82, pp. 199–203, Plenum Press, New York, NY, USA, 1983.
View at: Google Scholar
Z. Eslami and M. Talebi, “A new untraceable off-line electronic cash system,” Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
View at: Publisher Site | Google Scholar
R. Anderson, C. Manifavas, and C. Sutherland, “NetCard—a practical electronic-cash system,” in Security Protocols, vol. 1189 of Lecture Notes in Computer Science, pp. 49–57, Springer, Berlin, Germany, 1997.
View at: Publisher Site | Google Scholar
G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, “Anonymity control in e-cash systems,” in Financial Cryptography, vol. 1318 of Lecture Notes in Computer Science, pp. 1–16, Springer, Berlin, Germany, 1997.
View at: Publisher Site | Google Scholar
G. Maitland and C. Boyd, “Fair electronic cash based on a group signature scheme,” in Information and Communication Security, pp. 461–465, Springer, 2001.
View at: Google Scholar
D. Chaum and S. Brands, “‘Minting’ electronic cash,” IEEE Spectrum, vol. 34, no. 2, pp. 30–34, 1997.
View at: Publisher Site | Google Scholar
J. Camenisch, S. Hohenberger, and A. Lysyanskaya, “Compact e-cash,” in Advances in Cryptology—EUROCRYPT 2005, R. Cramer, Ed., vol. 3494 of Lecture Notes in Computer Science, pp. 302–321, Springer, 2005.
View at: Publisher Site | Google Scholar
H. Wang and Y. Zhang, “Untraceable off-line electronic cash flow in e-commerce,” in Proceedings of the 24th Australasian Computer Science Conference (ACSC '01), pp. 191–198, IEEE, Gold Coast, Australia, January-February 2001.
View at: Publisher Site | Google Scholar
S. Brands, “Untraceable off-line cash in wallet with observers,” in Advances in Cryptology—CRYPTO '93, pp. 302–318, Springer, 1994.
View at: Google Scholar
C.-Y. Ku, C.-J. Tsao, Y.-H. Lin, and C.-Y. Chen, “An escrow electronic cash system with limited traceability,” Information Sciences, vol. 164, no. 1–4, pp. 17–30, 2004.
View at: Publisher Site | Google Scholar | MathSciNet
T. Cao, D. Lin, and R. Xue, “A randomized RSA-based partially blind signature scheme for electronic cash,” Computers & Security, vol. 24, no. 1, pp. 44–49, 2005.
View at: Publisher Site | Google Scholar
W.-S. Juang, “D-cash: a flexible pre-paid e-cash scheme for date-attachment,” Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
View at: Publisher Site | Google Scholar
C. Fan and W. Sun, “Efficient encoding scheme for date attachable electronic cash,” in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory (CMCT '07), pp. 405–410, Nantou, Taiwan, 2007.
View at: Google Scholar
Y. Baseri, B. Takhtaei, and J. Mohajeri, “Secure untraceable off-line electronic cash system,” Scientia Iranica, vol. 20, no. 3, pp. 637–646, 2013.
View at: Publisher Site | Google Scholar
Y. Chen, J.-S. Chou, H.-M. Sun, and M.-H. Cho, “A novel electronic cash system with trustee-based anonymity revocation from pairing,” Electronic Commerce Research and Applications, vol. 10, no. 6, pp. 673–682, 2011.
View at: Publisher Site | Google Scholar
Y.-F. Chang, “A critique of ‘a novel electronic cash system with trustee-based anonymity revocation from pairing,’ by Chen, Chou, Sun and Cho (2011),” Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 441–442, 2012.
View at: Publisher Site | Google Scholar
Y. L. Chen, J.-S. Chou, H.-M. Sun, and M.-S. Cho, “A response to a critique of ‘A novel electronic cash system with trustee-based anonymity revocation from pairing,’ by Chen, Chou, Sun and Cho (2011),” Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 443–444, 2012.
View at: Publisher Site | Google Scholar
C.-I. Fan, V. S. Huang, and Y.-C. Yu, “User efficient recoverable off-line e-cash scheme with fast anonymity revoking,” Mathematical and Computer Modelling, vol. 58, no. 1-2, pp. 227–237, 2013.
View at: Publisher Site | Google Scholar | Zentralblatt MATH | MathSciNet
W.-S. Juang, “RO-cash: an efficient and practical recoverable pre-paid offline e-cash scheme using bilinear pairings,” Journal of Systems and Software, vol. 83, no. 4, pp. 638–645, 2010.
View at: Publisher Site | Google Scholar
L. Zhang, F. Zhang, B. Qin, and S. Liu, “Provably-secure electronic cash based on certificateless partially-blind signatures,” Electronic Commerce Research and Applications, vol. 10, no. 5, pp. 545–552, 2011.
View at: Publisher Site | Google Scholar
F. Hess, “Efficient identity based signature schemes based on pairings,” in Selected Areas in Cryptography: 9th Annual International Workshop, SAC 2002 St. John's, Newfoundland, Canada, August 15-16, 2002 Revised Papers, vol. 2595 of Lecture Notes in Computer Science, pp. 310–324, Springer, Berlin, Germany, 2003.
View at: Google Scholar
F. Zhang and F. Kim, “Efficient ID-based blind signature and proxy signature from bilinear pairings,” in Proceedings of the 8th Australasian Conference on Information Security and Privacy (ACISP '03), Wollongong, Australia, July 2003, Lecture Notes in Computer Science, pp. 312–323, Springer, 2003.
View at: Google Scholar

Copyright

Copyright © 2016 Baoyuan Kang and Danhui Xu. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1170

Downloads

773

Citations