Source: https://downloads.hindawi.com/journals/misy/2016/2620141.pdf

Research Article: Secure Electronic Cash Scheme with Anonymity Revocation

Baoyuan Kang and Danhui Xu

School of Computer Science and Software, Tianjin Polytechnic University, Tianjin 300387, China

Correspondence should be addressed to Baoyuan Kang; baoyuankang@aliyun.com

Received 8 September 2015; Revised 14 December 2015; Accepted 1 March 2016

Academic Editor: Francesco Gringoli

Copyright © 2016 B. Kang and D. Xu. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

In a typical electronic cash scheme there are three participants: the bank, the customer, and the merchant. First, a customer opens an account in a bank. Then he withdraws an e-cash from his account and pays it to a merchant. After checking the electronic cash's validity, the merchant accepts it and deposits it to the bank. There are a number of requirements for an electronic cash scheme, such as anonymity, unforgeability, unreusability, divisibility, transferability, and portability. The anonymity property of electronic cash schemes ensures the privacy of payers. However, this anonymity property is easily abused by criminals. In 2011, Chen et al. proposed a novel electronic cash system with trustee-based anonymity revocation from pairing: on demand, the trustee can disclose the identity of the owner of an e-cash. In this paper we point out that Chen et al.'s scheme suffers from several drawbacks. To contribute to secure electronic cash schemes, we propose a new offline electronic cash scheme with anonymity revocation. We also provide formal security proofs of unlinkability and unforgeability. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

1 Introduction

Due to the fast progress of computer networks and the Internet, information technology is widely used in electronic commerce, and many electronic commerce services can be found over the Internet. So an electronic payment mechanism is necessary for electronic commerce, and electronic payment is one of the key issues of electronic commerce development. To realize the digitalization of traditional cash and electronic payment, in 1983 Chaum suggested the first electronic cash scheme [1]. Typically, in an electronic cash scheme there are three participants: the bank, the customer, and the merchant. First, a customer opens an account in a bank. Then he withdraws an e-cash from his account and pays it to a merchant. After checking the electronic cash's validity, the merchant accepts it and deposits it to the bank. For security and efficiency, there are a number of requirements for an electronic cash scheme, such as anonymity, unforgeability, unreusability, divisibility, transferability, and portability [2]. Some of them are listed below.

Anonymity/Unlinkability. The customer of the cash must be anonymous. As long as the coin is spent legitimately, neither the merchant nor the bank can identify the customer of the coin.

Unforgeability. Only authorized banks can generate electronic cash.

Unreusability. The electronic cash cannot be reused. The scheme can detect the malicious customer who spends the cash twice.

Electronic cash schemes can be divided into two categories: online and offline. In online schemes, when a coin is paid to a merchant the bank must take part to validate the coin and detect its reuse. In offline schemes, double spending can only be detected when the merchant deposits the coin to the bank in a later phase. After Chaum's scheme, a lot of electronic cash schemes [3-9] have been proposed based on blind signatures and restrictive blind signatures. Afterwards, many more complex schemes have been proposed [10-13]. Recently, Eslami and Talebi proposed an untraceable electronic cash scheme [2] and claimed that their scheme satisfies all main security requirements such as anonymity, unreusability, and date attachability. However, Baseri et al. [14] showed that Eslami and Talebi's scheme is subject to some weaknesses in perceptibility of the double spender, unforgeability, and date attachability. Baseri et al. also contributed a novel electronic cash scheme.

Hindawi Publishing Corporation, Mobile Information Systems, Volume 2016, Article ID 2620141, 10 pages, http://dx.doi.org/10.1155/2016/2620141

Untraceable electronic cash is an attractive payment tool for electronic commerce because its anonymity property protects the privacy of payers. However, this anonymity property is easily abused by criminals. In 2011, Chen et al. [15] proposed an electronic cash system with trustee-based anonymity revocation from pairing: on demand, the trustee can disclose the identity of the owner of an e-cash. Chen et al. claimed that their scheme is the first attempt to incorporate mutual authentication and key agreement into e-cash protocols and that it satisfies the security requirements of untraceability, verifiability, unforgeability, and anonymity revocation. In 2012, Chang [16] claimed to have found some weaknesses in Chen et al.'s scheme, and Chen et al. [17] immediately published a response rebutting Chang's attacks. By thoroughly investigating Chen et al.'s scheme, we find that, although Chang's attacks are indeed incorrect, Chen et al.'s scheme is nevertheless insecure. It suffers from the following drawbacks: (1) an attack on unforgeability by a dishonest customer; (2) an attack on double-spending owner tracing; (3) a potential attack by the bank.

To contribute to secure electronic cash schemes, we propose a new offline electronic cash scheme with anonymity revocation. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

The remainder of this paper is organized as follows. The related concepts of bilinear pairing and the CDH problem are introduced in Section 2. In Section 3 we show some weaknesses of Chen et al.'s scheme. In Section 4 we propose a new electronic cash scheme with anonymity revocation. In Section 5 we show the verifiability of the proposed scheme. Double spender detection is covered in Section 6. In Section 7 we show that the proposed scheme satisfies uncheatability of merchants. Provable security of our scheme is covered in Section 8. In Section 9 we compare our scheme with the others. Finally, conclusions are given in Section 10.

2 Preliminary

2.1 The Bilinear Pairing. Let $G_1$ be a cyclic additive group generated by $P$ whose order is a prime $q$, and let $G_2$ be a cyclic multiplicative group of the same order. Let $e: G_1 \times G_1 \rightarrow G_2$ be a pairing map which satisfies the following conditions:

(1) Bilinearity: for any $P, Q, R \in G_1$ we have $e(P + Q, R) = e(P, R)\,e(Q, R)$. In particular, for any $a, b \in Z_q$, $e(aP, bP) = e(P, abP) = e(abP, P) = e(P, P)^{ab}$.

(2) Nondegeneracy: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.

(3) Computability: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

2.2 The CDH Problem. Let $G$ be a cyclic additive group of prime order $q$ and $P$ a generator of $G$. The computational Diffie-Hellman (CDH) problem is to compute $abP$ for given $P, aP, bP \in G$.

3 Effective Attacks on Chen et al.'s Scheme

In this section we show the drawbacks of Chen et al.'s scheme [15]. For the sake of brevity we omit the review of Chen et al.'s scheme; for its details, readers are referred to [15]. In what follows, an e-cash of [15] is written $(CNO, LST, (R, S))$, where $(R, S)$ is the bank's signature on the coin number $CNO$ and the license $LST$; $Q_B$ and $S_B$ denote the bank's public and private keys, $P_{pub}$ the public key of the key generation center, and $H_3$ a hash function.

3.1 Attack on the Unforgeability by the Dishonest Customer. When the customer obtains an e-cash $(CNO, LST, (R, S))$, he can randomly select $a \in Z_q^*$ and forge the e-cash $(CNO, a \cdot LST, (a \cdot R, a \cdot S))$, because the e-cash $(CNO, LST, (R, S))$ satisfies

$$e(S, P) = e(H_3(CNO)\,Q_B, R) \cdot e(LST \cdot Q_B, P_{pub}). \quad (1)$$

So

$$e(S, P)^a = e(H_3(CNO)\,Q_B, R)^a \cdot e(LST \cdot Q_B, P_{pub})^a. \quad (2)$$

Then

$$e(a \cdot S, P) = e(H_3(CNO)\,Q_B, a \cdot R) \cdot e(a \cdot LST \cdot Q_B, P_{pub}). \quad (3)$$

That is to say, the customer forges a valid e-cash $(CNO, a \cdot LST, (a \cdot R, a \cdot S))$.

Of course, in the payment protocol, when the merchant receives an e-cash from a customer he can forge e-cash in the same way. Further, these forged e-cash make the scheme fail in double-spending owner tracing, because it is impossible to find the customer identity from $a \cdot LST$.

Note that $(R, S)$ is a signature on $CNO$ and $LST$. Furthermore, $CNO$ does not distinguish one e-cash from another: $CNO$ is only a randomly selected number, and any customer can choose any $CNO$ for their e-cash. If $CNO$ has any function at all, it is meaningful only to a particular customer, and it is not unusual for different customers to choose the same $CNO$ for their e-cash. So this attack is a successful forgery.

3.2 Attack by the Dishonest Merchant. In practice there are always many merchants from different shops. After receiving an e-cash $(CNO, LST, (R, S))$ from a customer, the merchant may spend $(CNO, LST, (R, S))$ at another merchant. This attack works because the verification equation

$$e(S, P) = e(H_3(CNO) \cdot Q_B, R) \cdot e(LST \cdot Q_B, P_{pub}) \quad (4)$$

involves only $CNO$, $LST$, $R$, $S$, and no extra information is provided by the customer in the verification process. Later, even if the bank detects double spending, the bank and the trustee cannot identify the real double spender, because the double spender may not be the customer himself.


3.3 Potential Attack by the Bank. In the payment protocol, the only verification of the e-cash $(CNO, LST, (R, S))$ is to examine whether the following equation holds:

$$e(S, P) = e(H_3(CNO) \cdot Q_B, R) \cdot e(LST \cdot Q_B, P_{pub}). \quad (5)$$

But if we let $R = a P_{pub}$ ($a$ is a randomly selected number in $Z_q^*$) in the above equation, then

$$
\begin{aligned}
e(S, P) &= e(H_3(CNO) \cdot Q_B, a P_{pub}) \cdot e(LST \cdot Q_B, P_{pub}) \\
&= e(a \cdot H_3(CNO) \cdot Q_B, P_{pub}) \cdot e(LST \cdot Q_B, P_{pub}) \\
&= e((a \cdot H_3(CNO) + LST) \cdot Q_B, P_{pub}) \\
&= e((a \cdot H_3(CNO) + LST) \cdot S_B, P). \quad (6)
\end{aligned}
$$

So the bank can randomly select $CNO$ and $LST$, and then let $R = a P_{pub}$, $S = (a \cdot H_3(CNO) + LST) \cdot S_B$ to generate an e-cash $(CNO, LST, (R, S))$ by itself.

This clearly violates the withdrawal protocol of [15], in which the customer and the bank together perform a blind signature to complete the e-cash withdrawal.
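As an added illustration, not part of the paper or of [15], the following Python harness models verification equation (1)/(5) with a toy symmetric pairing and checks the two algebraic attacks of Sections 3.1 and 3.3 (it also exercises the bilinearity of Section 2.1). Every $G_1$ element is stored as its discrete logarithm to base $P$ and every pairing value as the exponent of $e(P, P)$, so multiplying pairing values is adding exponents; bilinearity holds exactly, but discrete logarithms are trivial, so this only checks the algebra and is not a secure instantiation. The group order, the SHA-256 instantiation of $H_3$, the way $Q_B$ is derived, and the treatment of $CNO$ and $LST$ as random numbers are my assumptions; since the page does not describe how an honest coin of [15] is withdrawn, the starting coin is the one the bank mints alone in Section 3.3.

```python
import hashlib
import secrets

# Toy model of verification equation (1)/(5) of [15], added as an illustration (not
# code from the paper or from [15]). A G1 element is stored as its discrete log base P
# (P is 1, aP is a mod q) and a pairing value e(xP, yP) = e(P,P)^{xy} as the exponent
# xy mod q, so a product of pairing values is a sum of exponents. Discrete logs are
# trivial in this model: it checks the algebra of the attacks, nothing more.
q = (1 << 61) - 1       # prime group order (assumed toy parameter)
P = 1

def e(x, y):
    """Symmetric bilinear pairing in exponent form: e(aP, bP) = e(P,P)^{ab}."""
    return x * y % q

def rand():
    """Random element of Z_q^*."""
    return secrets.randbelow(q - 1) + 1

def H3(cno):
    """H3 of [15] on the coin number, instantiated with SHA-256 into Z_q^* (assumption)."""
    return int.from_bytes(hashlib.sha256(b"H3|%d" % cno).digest(), "big") % q or 1

s = rand()                                  # KGC master key, P_pub = sP
Ppub = s * P % q
QB = int.from_bytes(hashlib.sha256(b"H1|bank").digest(), "big") % q or 1   # Q_B = H1(ID_B)
SB = s * QB % q                             # bank's private key S_B = s Q_B

def verify(cno, lst, R, S):
    """Equation (1)/(5): e(S, P) == e(H3(CNO) Q_B, R) * e(LST Q_B, P_pub)."""
    return e(S, P) == (e(H3(cno) * QB % q, R) + e(lst * QB % q, Ppub)) % q

def bank_mints_alone(cno, lst):
    """Section 3.3: R = a P_pub, S = (a H3(CNO) + LST) S_B passes verify() although
    no customer took part in a withdrawal."""
    a = rand()
    return a * Ppub % q, (a * H3(cno) + lst) * SB % q

def scale(cno, lst, R, S, a):
    """Section 3.1: from any valid coin, (CNO, a LST, a R, a S) is another valid coin,
    and a*LST is not a licence the trustee ever issued, so owner tracing fails."""
    return cno, a * lst % q, a * R % q, a * S % q

def demo():
    """Returns (original verifies, scaled forgery verifies, forged LST differs)."""
    cno, lst = rand(), rand()               # CNO and LST are plain numbers here (assumption)
    R, S = bank_mints_alone(cno, lst)
    a = secrets.randbelow(q - 2) + 2        # a in [2, q-1], so a*LST != LST mod q
    forged = scale(cno, lst, R, S, a)
    return verify(cno, lst, R, S), verify(*forged), forged[1] != lst

if __name__ == "__main__":
    print(demo())                           # (True, True, True)
```

demo() returns (True, True, True): the coin the bank minted alone verifies, the scaled coin verifies too, and its $a \cdot LST$ is not the $LST$ the trustee recorded, which is exactly why owner tracing fails in Section 3.1. The root cause visible in verify() is that every term of (1) is linear in the coin components, so the check is preserved by scalar multiplication; the scheme of Section 4 binds $LST$ and $K'$ inside $H_2$, which is what breaks this homomorphism.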

4 Our Proposed Scheme

Based on the ID-based signature scheme [21] proposed by Hess and the efficient ID-based blind signature [22] proposed by Zhang and Kim, we propose an offline electronic cash scheme with anonymity revocation. In the proposed scheme there are four participants: the trustee $T$, the bank $B$, the customer $C$, and the merchant $M$. There are five protocols: license issuing, withdrawal, payment, deposit, and e-cash owner tracing. Any communication between two entities should be encrypted; this can be done by incorporating mutual authentication and key agreement protocols as in [15]. For brevity we omit those encryptions in the five protocols.

4.1 System Setup. In this stage the Key Generation Center (KGC) chooses a cyclic additive group $G_1$ generated by $P$ with prime order $q$, a cyclic multiplicative group $G_2$ of the same order, and a bilinear map $e: G_1 \times G_1 \rightarrow G_2$. KGC also chooses a random $s \in Z_q^*$ as the master key, sets $P_{pub} = sP$ public, and chooses cryptographic hash functions $H_1: \{0,1\}^* \rightarrow G_1$ and $H_2: \{0,1\}^* \rightarrow Z_q^*$. The system parameter list is $params = (G_1, G_2, e, P, P_{pub}, H_1, H_2)$.

When the customer $C$ submits his identity $ID_C$ to the KGC, the KGC computes the public key $Q_C = H_1(ID_C)$ and the private key $S_C = sQ_C$ for the customer $C$. Similarly, the KGC generates the public/private key pairs $(Q_T, S_T)$, $(Q_B, S_B)$, and $(Q_M, S_M)$ for the trustee $T$, the bank $B$, and the merchant $M$, respectively.

4.2 License-Issuing Protocol. Before withdrawing e-cash from the bank, customer $C$ needs to ask trustee $T$ to issue him a license. The following steps describe the protocol, which is also illustrated in Box 1.

(1) Customer $C$ selects four random numbers $b, z, w_1, w_2 \in Z_q^*$ and sends $(ID_C, b, z, w_1, w_2)$ to trustee $T$.

(2) $T$ chooses a random number $x \in Z_q^*$ and computes $LST$ as $LST = E_{K_T}(ID_C \oplus x)$. Here $E$ is a symmetric encryption algorithm and $K_T$ is a secret key of $T$.

(3) To sign $b^{-1}LST$, trustee $T$ selects a random number $r \in Z_q^*$ and computes

$$R = e(P, P)^r, \quad u = H_2(b^{-1}LST, R), \quad V = uS_T + rP. \quad (7)$$

The trustee $T$ also signs $A_1 + A_2 + A_3 + A_4$, where $A_1 = (bz + z)P_{pub}$, $A_2 = (w_1 + w_2)P_{pub}$, $A_3 = w_1 P_{pub}$, and $A_4 = bzP_{pub}$: $T$ selects a random number $y \in Z_q^*$ and computes

$$Y = e(P, P)^y, \quad d = H_2((A_1 + A_2 + A_3 + A_4), Y), \quad F = dS_T + yP. \quad (8)$$

After that, trustee $T$ stores $(LST, x)$ in its database and sends $(LST, u, V, d, F)$ to the customer $C$.

(4) The customer $C$ computes

$$R' = e(V, P)\,e(uQ_T, P_{pub})^{-1}, \quad Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1} \quad (9)$$

and checks whether

$$u = H_2(b^{-1}LST, R'), \quad d = H_2((A_1 + A_2 + A_3 + A_4), Y'). \quad (10)$$

If so, the customer $C$ obtains the license $(LST, u, V)$ and the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$.

4.3 Withdrawal Protocol. To complete the e-cash withdrawal, customer $C$ and bank $B$ together perform the following steps. This protocol is also illustrated in Box 2.

(1) Customer $C$ sends $(ID_C, b^{-1}LST, u, V)$ to the bank $B$.

(2) $B$ first computes

$$R' = e(V, P)\,e(uQ_T, P_{pub})^{-1} \quad (11)$$

and checks whether

$$u = H_2(b^{-1}LST, R'). \quad (12)$$

If so, the bank $B$ selects a random number $k \in Z_q^*$, computes $K = kQ_B$, and sends $K$ to the customer $C$.


Customer: selects random numbers $b, z, w_1, w_2 \in Z_q^*$.
Customer → Trustee: $(ID_C, b, z, w_1, w_2)$.
Trustee: chooses a random number $x \in Z_q^*$ and computes $LST = E_{K_T}(ID_C \oplus x)$; selects a random number $r \in Z_q^*$ and computes $R = e(P, P)^r$, $u = H_2(b^{-1}LST, R)$, $V = uS_T + rP$; selects a random number $y \in Z_q^*$ and computes $Y = e(P, P)^y$, $d = H_2((A_1 + A_2 + A_3 + A_4), Y)$, $F = dS_T + yP$.
Trustee → Customer: $(LST, u, V, d, F)$.
Customer: computes $R' = e(V, P)\,e(uQ_T, P_{pub})^{-1}$ and $Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$, and checks whether $u = H_2(b^{-1}LST, R')$ and $d = H_2((A_1 + A_2 + A_3 + A_4), Y')$; obtains the license $(LST, u, V)$ and the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$.

Box 1: License-issuing protocol.

Customer → Bank: $(ID_C, b^{-1}LST, u, V)$.
Bank: computes $R' = e(V, P)\,e(uQ_T, P_{pub})^{-1}$ and checks whether $u = H_2(b^{-1}LST, R')$; selects a random number $k \in Z_q^*$ and computes $K = kQ_B$.
Bank → Customer: $K$.
Customer: selects two random numbers $a, c \in Z_q^*$ and computes $K' = aK + acQ_B$, $h = a^{-1}H_2(LST, K') + c$.
Customer → Bank: $h$.
Bank: computes $S = (k + h)S_B$.
Bank → Customer: $S$.
Customer: computes $S' = aS$ and checks whether $e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub})$; obtains the e-cash $(LST, K', S')$.

Box 2: Withdrawal protocol.


Customer → Merchant: $(LST, K', S')$.
Merchant: checks whether $e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub})$; selects a random number $l \in Z_q^*$ and computes $L = e(P, P)^l$, $j = H_2(LST, K', S', L)$, $D = jS_M + lP$.
Merchant → Customer: $(j, D)$.
Customer: computes $L' = e(D, P)\,e(jQ_M, P_{pub})^{-1}$ and checks whether $j = H_2(LST, K', S', L')$; computes $f_1 = bjz + w_1$, $f_2 = jz + w_2$.
Customer → Merchant: $(f_1, f_2, A_1, A_2, A_3, A_4, j, d, F)$.
Merchant: checks whether $e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2)$; computes $Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$ and checks whether $d = H_2((A_1 + A_2 + A_3 + A_4), Y')$; accepts the payment.

Box 3: Payment protocol.

(3) The customer $C$ selects two random numbers $a, c \in Z_q^*$, computes

$$K' = aK + acQ_B, \quad h = a^{-1}H_2(LST, K') + c, \quad (13)$$

and sends $h$ to the bank $B$.

(4) The bank $B$ computes

$$S = (k + h)S_B \quad (14)$$

and sends $S$ to the customer $C$.

(5) Customer $C$ computes

$$S' = aS \quad (15)$$

and checks whether

$$e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub}). \quad (16)$$

If so, the customer $C$ obtains an e-cash $(LST, K', S')$.

4.4 Payment Protocol. When the customer $C$ wants to spend his cash at the shop, the customer $C$ and the merchant $M$ perform the following steps. This protocol is also illustrated in Box 3.

(1) Customer $C$ sends $(LST, K', S')$ to the merchant $M$.

(2) The merchant $M$ checks whether

$$e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub}). \quad (17)$$

If so, he selects a random number $l \in Z_q^*$ and computes

$$L = e(P, P)^l, \quad j = H_2(LST, K', S', L), \quad D = jS_M + lP. \quad (18)$$

Then he sends $(j, D)$ to the customer $C$.

(3) The customer $C$ computes

$$L' = e(D, P)\,e(jQ_M, P_{pub})^{-1} \quad (19)$$

and checks whether

$$j = H_2(LST, K', S', L'). \quad (20)$$

If so, he computes

$$f_1 = bjz + w_1, \quad f_2 = jz + w_2. \quad (21)$$

Then he sends $(f_1, f_2, A_1, A_2, A_3, A_4, j, d, F)$ to the merchant $M$.

(4) The merchant $M$ checks whether

$$e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2) \quad (22)$$


Merchant → Bank: $(LST, K', S', f_1, f_2, j, A_1, A_2, A_3, A_4, d, F)$.
Bank: computes $Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$ and checks whether $e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub})$, $e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2)$, $e(f_1 Q_T, P_{pub}) = e(Q_T, A_3 + jA_4)$, and $d = H_2((A_1 + A_2 + A_3 + A_4), Y')$; checks whether the e-cash is being double spent and, if it is fresh, credits the merchant's account.

Box 4: Deposit protocol.

and computes

$$Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1} \quad (23)$$

and checks whether

$$d = H_2((A_1 + A_2 + A_3 + A_4), Y'). \quad (24)$$

If so, the merchant accepts the payment.

4.5 Deposit Protocol. When the merchant $M$ wants to deposit the received e-cash into his account in the bank $B$, the following steps are done between the bank $B$ and the merchant $M$. This protocol is also illustrated in Box 4.

(1) The merchant $M$ sends $(LST, K', S', f_1, f_2, j, A_1, A_2, A_3, A_4, d, F)$ to the bank $B$.

(2) The bank $B$ first checks whether the coin already exists in its deposit table. If the coin exists, it runs the double spender detection procedure. Otherwise the bank computes

$$Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1} \quad (25)$$

and checks whether

$$
\begin{aligned}
e(S', P) &= e(K' + H_2(LST, K')Q_B, P_{pub}), \\
e((f_1 + f_2)Q_T, P_{pub}) &= e(Q_T, jA_1 + A_2), \\
e(f_1 Q_T, P_{pub}) &= e(Q_T, A_3 + jA_4), \\
d &= H_2((A_1 + A_2 + A_3 + A_4), Y'). \quad (26)
\end{aligned}
$$

If the above four equations hold, the bank accepts the coin, stores it in the deposit table, and transfers money to the merchant $M$.

4.6 Revoking the Anonymity. In case an e-cash $(LST, K', S')$ is abused by a criminal, whether the cash is spent twice or not, the trustee can revoke the anonymity of the e-cash from the $LST$ provided by the bank. As soon as the trustee $T$ receives the request to revoke anonymity, $T$ searches his database for the record $(LST, x)$ and computes the identity information $ID_C = D_{K_T}(LST) \oplus x$ using his secret key $K_T$.

5 Verifiability of the Proposed Scheme

Firstly, we show that the blind license $b^{-1}LST$ can be verified by the equation

$$u = H_2(b^{-1}LST, R'). \quad (27)$$

Since

$$
\begin{aligned}
R' &= e(V, P)\,e(uQ_T, P_{pub})^{-1} \\
&= e(V, P)\,e(-uS_T, P) \\
&= e(V - uS_T, P) = e(rP, P) = R, \quad (28)
\end{aligned}
$$

we have $u = H_2(b^{-1}LST, R) = H_2(b^{-1}LST, R')$.

Secondly, we show that the e-cash can be verified by the equation

$$e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub}). \quad (29)$$

In fact,

$$
\begin{aligned}
e(S', P) &= e(aS, P) = e(a(k + h)S_B, P) \\
&= e(a(k + a^{-1}H_2(LST, K') + c)Q_B, P_{pub}) \\
&= e(akQ_B + acQ_B + H_2(LST, K')Q_B, P_{pub}) \\
&= e(K' + H_2(LST, K')Q_B, P_{pub}). \quad (30)
\end{aligned}
$$

Thirdly, we show that the signature $(j, D)$ on $(LST, K', S')$ by the merchant can be verified by the equation

$$j = H_2(LST, K', S', L'). \quad (31)$$

Since

$$
\begin{aligned}
L' &= e(D, P)\,e(jQ_M, P_{pub})^{-1} \\
&= e(D, P)\,e(-jS_M, P) \\
&= e(D - jS_M, P) = e(lP, P) = L, \quad (32)
\end{aligned}
$$

we have $j = H_2(LST, K', S', L) = H_2(LST, K', S', L')$.

Fourthly, we show that the information $(f_1, f_2)$ can be verified by the equations

$$
\begin{aligned}
e((f_1 + f_2)Q_T, P_{pub}) &= e(Q_T, jA_1 + A_2), \\
e(f_1 Q_T, P_{pub}) &= e(Q_T, A_3 + jA_4). \quad (33)
\end{aligned}
$$

In fact,

$$
\begin{aligned}
e((f_1 + f_2)Q_T, P_{pub}) &= e((bjz + w_1 + jz + w_2)Q_T, P_{pub}) \\
&= e((bjz + jz)Q_T + (w_1 + w_2)Q_T, P_{pub}) \\
&= e((bjz + jz)Q_T, P_{pub})\,e((w_1 + w_2)Q_T, P_{pub}) \\
&= e(Q_T, (bjz + jz)P_{pub})\,e(Q_T, (w_1 + w_2)P_{pub}) \\
&= e(Q_T, jA_1)\,e(Q_T, A_2) = e(Q_T, jA_1 + A_2), \\
e(f_1 Q_T, P_{pub}) &= e((bjz + w_1)Q_T, P_{pub}) \\
&= e(Q_T, (bjz + w_1)P_{pub}) = e(Q_T, A_3 + jA_4). \quad (34)
\end{aligned}
$$

Finally, we show that the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$ by the trustee can be verified by the equation

$$d = H_2((A_1 + A_2 + A_3 + A_4), Y'). \quad (35)$$

Since

$$
\begin{aligned}
Y' &= e(F, P)\,e(dQ_T, P_{pub})^{-1} \\
&= e(F, P)\,e(-dS_T, P) \\
&= e(F - dS_T, P) = e(yP, P) = Y, \\
d &= H_2((A_1 + A_2 + A_3 + A_4), Y) = H_2((A_1 + A_2 + A_3 + A_4), Y'). \quad (36)
\end{aligned}
$$

6 Double Spender Detection

In case the customer spends an e-cash twice or more, the bank $B$ can compute

$$b = \frac{f_1 - f_1'}{f_2 - f_2'}, \qquad b^{-1}LST. \quad (37)$$

Then the bank $B$ searches the database kept in the withdrawal protocol for the record $(ID_C, b^{-1}LST, u, V)$ and learns the identity information $ID_C$ of the malicious customer $C$. Here $(f_1, f_2)$ and $(f_1', f_2')$ are the information the customer $C$ sends to the merchant $M$ in the payment phase in the two spendings, respectively. In fact,

$$
\begin{aligned}
f_1 &= bj_1 z + w_1, & f_1' &= bj_2 z + w_1, \\
f_2 &= j_1 z + w_2, & f_2' &= j_2 z + w_2. \quad (38)
\end{aligned}
$$

So

$$b = \frac{f_1 - f_1'}{f_2 - f_2'}. \quad (39)$$

The quotient is well defined because $j_1 \neq j_2$: the two challenges are hashes of independently chosen random values $L$, so they coincide only with negligible probability. Hence the bank $B$ can compute $b^{-1}LST$ and obtain the identity information $ID_C$ of the malicious customer $C$.
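As an added worked example, not part of the paper, here is a Python run of the whole scheme of Section 4 followed by the detection of Section 6: license issuing, blind withdrawal, payment, deposit, and the recovery of $b$ and then $ID_C$ from two spendings of the same coin. It uses the same toy pairing as the example after Section 3 ($G_1$ elements stored as discrete logarithms to base $P$, pairing values as exponents of $e(P, P)$, so multiplying pairing values adds exponents and inverting negates; discrete logarithms are trivial, and the code only checks the algebra). The group order, the SHA-256 instantiations of $H_1$ and $H_2$, the modular-addition stand-in for $E_{K_T}$, the identity strings, and the in-memory dictionaries standing in for the trustee's, bank's and deposit databases are all my assumptions.

```python
import hashlib
import secrets
# Toy run of the Section 4 protocols and the Section 6 detection, added as an illustration
# (not the paper's code). G1 elements are stored as discrete logs base P (P is 1, aP is a mod q)
# and a pairing value e(xP,yP) = e(P,P)^{xy} as the exponent xy mod q, so a product of pairing
# values is a sum of exponents. Discrete logs are trivial here: this checks the algebra only.
q = (1 << 61) - 1        # prime group order (assumed toy parameter)
P = 1

def e(x, y):
    return x * y % q

def rand():
    return secrets.randbelow(q - 1) + 1      # element of Z_q^*

def H1(ident):                               # toy hash-to-G1: returns the point's log (assumption)
    return int.from_bytes(hashlib.sha256(b"H1|" + ident).digest(), "big") % q or 1

def H2(*parts):                              # H2: {0,1}* -> Z_q^* via SHA-256 (assumption)
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(b"H2|" + data).digest(), "big") % q or 1

s = rand()                                   # KGC master key, P_pub = sP
Ppub = s * P % q
QT, QB, QM = H1(b"trustee"), H1(b"bank"), H1(b"merchant")   # Q_X = H1(ID_X)
ST, SB, SM = s * QT % q, s * QB % q, s * QM % q              # S_X = s Q_X
KT = rand()                                  # trustee key; E_K(m) = m + K mod q is a toy stand-in
trustee_db, bank_db, deposit_db = {}, {}, {}  # in-memory stand-ins for the three databases

def hess_sign(msg, S_X):                     # Hess ID-based signature (u, V) on msg
    r = rand()                               # R = e(P,P)^r, i.e. the exponent r
    u = H2(msg, r)
    return u, (u * S_X + r * P) % q          # V = u S_X + r P

def hess_verify(msg, u, V, Q_X):
    R2 = (e(V, P) - e(u * Q_X % q, Ppub)) % q   # R' = e(V,P) e(uQ_X,P_pub)^{-1}
    return u == H2(msg, R2)

def verify_cash(LST, Kp, Sp):               # equation (16)/(17)
    return e(Sp, P) == e((Kp + H2(LST, Kp) * QB) % q, Ppub)

def issue_license(ID_C, b, z, w1, w2):       # Section 4.2, trustee side
    x = secrets.randbelow(1 << 60)           # keeps ID_C xor x below q (ID_C < 2^60)
    LST = ((ID_C ^ x) + KT) % q              # LST = E_{K_T}(ID_C xor x)
    u, V = hess_sign(pow(b, -1, q) * LST % q, ST)          # signature on b^{-1} LST
    A = ((b * z + z) * Ppub % q, (w1 + w2) * Ppub % q, w1 * Ppub % q, b * z * Ppub % q)
    d, F = hess_sign(sum(A) % q, ST)         # signature on A1 + A2 + A3 + A4
    trustee_db[LST] = x
    return LST, u, V, d, F, A

def revoke(LST):                             # Section 4.6: ID_C = D_{K_T}(LST) xor x
    return ((LST - KT) % q) ^ trustee_db[LST]

def withdraw(ID_C, LST, b, u, V):            # Section 4.3, both parties interleaved
    blind = pow(b, -1, q) * LST % q
    assert hess_verify(blind, u, V, QT)      # bank checks the blinded licence
    bank_db[blind] = ID_C                    # bank records (ID_C, b^{-1}LST, u, V)
    k = rand()
    K = k * QB % q                           # bank -> customer: K
    a, c = rand(), rand()
    Kp = (a * K + a * c * QB) % q            # customer: K' = aK + acQ_B
    h = (pow(a, -1, q) * H2(LST, Kp) + c) % q    # customer -> bank: h
    S = (k + h) * SB % q                     # bank -> customer: S
    Sp = a * S % q                           # customer: S' = aS
    assert verify_cash(LST, Kp, Sp)
    return LST, Kp, Sp

def merchant_checks(j, f1, f2, d, F, A):     # equations (22)-(24)
    return (e((f1 + f2) * QT % q, Ppub) == e(QT, (j * A[0] + A[1]) % q)
            and hess_verify(sum(A) % q, d, F, QT))

def pay(cash, b, z, w1, w2, d, F, A):        # Section 4.4
    LST, Kp, Sp = cash
    assert verify_cash(LST, Kp, Sp)          # merchant checks the coin
    j, D = hess_sign(cash, SM)               # merchant -> customer: (j, D)
    assert hess_verify(cash, j, D, QM)       # customer checks it before revealing f1, f2
    f1, f2 = (b * j * z + w1) % q, (j * z + w2) % q
    assert merchant_checks(j, f1, f2, d, F, A)
    return LST, Kp, Sp, f1, f2, j, A, d, F

def deposit(record):                         # Section 4.5; returns a double spender's ID, else None
    LST, Kp, Sp, f1, f2, j, A, d, F = record
    assert verify_cash(LST, Kp, Sp) and merchant_checks(j, f1, f2, d, F, A)
    assert e(f1 * QT % q, Ppub) == e(QT, (A[2] + j * A[3]) % q)   # e(f1 Q_T,P_pub)=e(Q_T,A3+jA4)
    key = (LST, Kp, Sp)
    if key not in deposit_db:
        deposit_db[key] = (f1, f2)
        return None                          # fresh coin: credit the merchant
    f1p, f2p = deposit_db[key]
    b = (f1 - f1p) * pow(f2 - f2p, -1, q) % q    # equation (37); raises if j collided
    return bank_db[pow(b, -1, q) * LST % q]     # look up (ID_C, b^{-1}LST, u, V)

def demo():                                  # honest withdrawal and payment, then a second spend
    ID_C = int.from_bytes(b"alice", "big")
    b, z, w1, w2 = rand(), rand(), rand(), rand()
    LST, u, V, d, F, A = issue_license(ID_C, b, z, w1, w2)
    cash = withdraw(ID_C, LST, b, u, V)
    spend = lambda: deposit(pay(cash, b, z, w1, w2, d, F, A))
    return revoke(LST) == ID_C, spend(), spend() == ID_C   # (True, None, True)
```

demo() returns (True, None, True): the trustee can always revoke from $LST$, the first deposit is accepted as fresh, and the second deposit of the same $(LST, K', S')$ yields $ID_C$ through $b = (f_1 - f_1')/(f_2 - f_2')$ and the bank's withdrawal record keyed by $b^{-1}LST$. Two details a practitioner should keep from the run: the bank only ever sees $b^{-1}LST$ at withdrawal and $LST$ at deposit, so the link between them exists only through a recovered $b$; and the division in (37) requires $f_2 \neq f_2'$, i.e. distinct merchant challenges $j$, so the harness raises on a collision rather than attributing the coin to the wrong customer.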

7 Uncheatability of Merchants

When the customer sends the e-cash $(LST, K', S')$ to the merchant, the merchant computes the signature $(j, D)$ on $(LST, K', S')$. When the merchant sends $(j, D)$ to the customer, the customer first verifies it using the public key $Q_M$ of the merchant $M$. Only when $(j, D)$ satisfies the verification equation does the customer send $(f_1, f_2, A_1, A_2, A_3, A_4, d, F)$ to the merchant. If later the merchant uses the e-cash $(LST, K', S')$ and $(f_1, f_2, A_1, A_2, A_3, A_4, d, F)$ to pay other merchants and thereby cheats the customer, the customer can show the merchant's signature to an arbitration agency. So the scheme can effectively resist the merchant's cheating attack.

8 Provable Security

In this section we show that the proposed scheme satisfies the properties of unlinkability and unforgeability.

Definition 1 (the linkability game). Let $\eta$ be a security parameter and let $C_1$ and $C_2$ be two customers. $C_1$, $C_2$, and the bank $B$ are involved in the following game.

Step 1. The bank $B$ outputs two licenses $LST_0$ and $LST_1$.

Step 2. We randomly choose a bit $b' \in \{0, 1\}$ and place $(K_{b'}, LST_{b'})$ and $(K_{1-b'}, LST_{1-b'})$ on the private input tapes of $C_1$ and $C_2$, respectively. The bit $b'$ will not be disclosed to the bank $B$.

Step 3. The bank $B$ and the two customers $C_1$, $C_2$ perform the withdrawal protocol of the proposed scheme.

Step 4. If $C_1$ and $C_2$ output two e-cash $(LST_{b'}, K'_{b'}, S'_{b'})$ and $(LST_{1-b'}, K'_{1-b'}, S'_{1-b'})$ on their private tapes, respectively, we give the two 3-tuples in a random order to the bank; otherwise $\perp$ is given to $B$.

Step 5. The bank $B$ outputs $b'^{*} \in \{0, 1\}$ as the guess of $b'$. $B$ wins the game if $b'^{*} = b'$. We define the advantage of $B$ as

$$\mathrm{Adv}^{\mathrm{Traceability}}_{B}(\eta) = \left| 2 \Pr\left[b'^{*} = b'\right] - 1 \right|. \quad (40)$$

Definition 2 (unlinkability). The proposed scheme satisfies the unlinkability property if the advantage $\mathrm{Adv}^{\mathrm{Traceability}}_{B}(\eta)$ is negligible.

Theorem 3. The proposed scheme satisfies the unlinkability property.

Proof of Theorem 3. We consider the condition in Definition 1. Let $(LST, K', S')$ be one of the two e-cash given to the bank and let $(K, h, S)$ be the view of the bank in one of the withdrawal protocols. It is sufficient to show that there exist two random factors $(a, c)$ that map $(K, h, S)$ to $(LST, K', S')$. We know

$$K' = aK + acQ_B, \qquad h = a^{-1}H_2(LST, K') + c, \qquad S' = aS. \quad (41)$$

8 Mobile Information Systems

So by the equation $S' = aS$ there is a unique $a$. Then by the equation $h = a^{-1}H_2(LST, K') + c$ there is a unique $c$. Furthermore, when $S$ and $S'$ are correctly computed, the following equations hold:

$$e(S, P) = e\left(K + \left(a^{-1}H_2(LST, K') + c\right)Q_B, P_{pub}\right), \qquad e(S', P) = e\left(K' + H_2(LST, K')Q_B, P_{pub}\right). \quad (42)$$

Raising the first equation to the power $a$ and substituting $S' = aS$ gives $e(S', P) = e(aK + (H_2(LST, K') + ac)Q_B, P_{pub})$, so the second equation holds exactly when $K' = aK + acQ_B$. That is to say, $(a, c)$ always exists regardless of the values $(LST, K', S')$ and $(K, h, S)$. Therefore, even an infinitely powerful bank outputs the correct value $b'$ with probability exactly $1/2$. So the proposed scheme satisfies the unlinkability property.

Definition 4 (the forgeability game). The adversary $\mathcal{F}$ and the challenger $\mathcal{A}$ play the following game.

Step 1. The challenger $\mathcal{A}$ takes a security parameter, generates the public parameters params, and sends params to the adversary $\mathcal{F}$.

Step 2. The adversary $\mathcal{F}$ can perform a polynomially bounded number of hash queries, extract queries, and e-cash queries. These three kinds of queries answer the hash function, the private key, and the e-cash requested by the adversary $\mathcal{F}$, respectively.

Step 3. The adversary $\mathcal{F}$ outputs a tuple $\sigma = ((LST, K', S'), ID_B)$. This tuple satisfies the following requirements:

(1) $(LST, K', S')$ is a valid e-cash with regard to the bank $B$.

(2) The adversary $\mathcal{F}$ has never requested the private key of the bank $B$.

(3) $\sigma = ((LST, K', S'), ID_B)$ has never been queried during the e-cash queries.

Definition 5 (unforgeability). An adversary $\mathcal{F}$ is said to be an $(\epsilon, t, q_E, q_I, q_H)$-forger if it has advantage at least $\epsilon$ in the above game, runs in time at most $t$, and makes at most $q_E$, $q_I$, and $q_H$ extract, e-cash, and hashing queries, respectively. A scheme is said to be $(\epsilon, t, q_E, q_I, q_H)$-secure against $\mathcal{A}$ in the sense of being unforgeable against the e-cash existential forgery attack if no $(\epsilon, t, q_E, q_I, q_H)$-forger exists.

Theorem 6. If the CDH problem is hard, then the proposed scheme is secure against the e-cash existential forgery attack.

Proof of Theorem 6. Suppose that $\mathcal{F}$ is a forger who can forge e-cash in the proposed scheme. A CDH instance $(P, xP, yP)$ is given for $x, y \in_R Z_q^*$. By using the forgery algorithm $\mathcal{F}$, we will construct an algorithm $\mathcal{A}$ which outputs the CDH solution $xyP$ in $G$. Algorithm $\mathcal{A}$ performs the following simulation by interacting with the forger $\mathcal{F}$.

Setup. Algorithm $\mathcal{A}$ sets $P_{pub} = xP$ and starts by giving $\mathcal{F}$ the system parameters, including $(P, P_{pub})$.

Table 1: Comparison of features of our scheme with recent schemes

Scheme              F1    F2    F3    F4    F5    F6
Chen et al. [15]    Yes   Fail  Yes   Yes   Yes   Fail
Fan et al. [18]     Yes   Yes   No    Yes   Yes   No
Juang [19]          Yes   Yes   Yes   Yes   No    No
Zhang et al. [20]   Yes   Yes   Yes   No    No    No
Ours                Yes   Yes   Yes   Yes   Yes   Yes

F1: anonymity/unlinkability; F2: unforgeability; F3: verification; F4: double-spending owner tracing; F5: anonymity revocation; F6: uncheatability of merchant.

Table 2: Required number of rounds for each protocol in the compared schemes

Scheme              P1    P2    P3    P4    P5
Chen et al. [15]    2     2     1     1     1
Fan et al. [18]     —     4     3     1     —
Juang [19]          3     3     1     1     2
Zhang et al. [20]   —     3     2     1     —
Ours                2     4     3     1     1

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing.

At any time $\mathcal{F}$ can query the random oracles $H_1$, $H_2$ and make extract and cash queries. To answer these queries $\mathcal{A}$ does the following.

$H_1$-Queries. At any time $\mathcal{F}$ can query the random oracle $H_1$. To respond to these queries $\mathcal{A}$ maintains a list, the $H_1$-list, of tuples $(ID, W, t, e)$ as explained below. When an identity $ID$ is submitted to the $H_1$ oracle, $\mathcal{A}$ responds as follows. If the query $ID$ already appears on the $H_1$-list in a tuple $(ID, W, t, e)$, $\mathcal{A}$ responds with $H_1(ID) = W$. Otherwise $\mathcal{A}$ generates a random coin $e \in \{0, 1\}$. If $e = 0$ then $\mathcal{A}$ computes $W = t(yP)$ for a random $t \in Z_q^*$. If $e = 1$ then $\mathcal{A}$ computes $W = tP$. $\mathcal{A}$ adds the tuple $(ID, W, t, e)$ to the $H_1$-list and responds to $\mathcal{F}$ with $H_1(ID) = W$.

$H_2$-Queries. To respond to $H_2$-queries $\mathcal{A}$ maintains a list referred to as the $H_2$-list of tuples $(LST, K', d)$. When $\mathcal{F}$ queries the $H_2$ oracle at $(LST, K')$, $\mathcal{A}$ responds as follows. If the query $(LST, K')$ already appears on the $H_2$-list in a tuple $(LST, K', d)$, then $\mathcal{A}$ responds with $H_2(LST, K') = d \in Z_q$. Otherwise $\mathcal{A}$ generates a random $d \in Z_q$, adds the tuple $(LST, K', d)$ to the $H_2$-list, and responds to $\mathcal{F}$ with $H_2(LST, K') = d$.

Extract Queries. When $\mathcal{F}$ queries the private key corresponding to $ID$, $\mathcal{A}$ first finds the corresponding $(ID, W, t, e)$ on the $H_1$-list. If $e = 0$ then $\mathcal{A}$ fails and halts. Otherwise $\mathcal{A}$ computes the private key $S_{ID} = t \cdot P_{pub} = t(xP)$ by using the tuple $(ID, W, t, e)$ in the $H_1$-list and responds to $\mathcal{F}$ with $S_{ID}$.

Cash Queries. If $\mathcal{F}$ requests an e-cash on $LST$ under $ID$, $\mathcal{A}$ responds to this query as follows. $\mathcal{A}$ first finds the corresponding tuple $(ID, W, t, e)$ on the $H_1$-list, chooses two random numbers $l, d \in Z_q^*$, and computes $K' = lP - dW$.


Table 3: Comparison of computation costs

Scheme              P1                  P2             P3        P4        P5
Chen et al. [15]    E + 2H + 3B         4H + 6B        H + 3B    H + 3B    D
Zhang et al. [20]   —                   2H + 2B + L    2H + 3B   2H + 3B   —
Ours                E + 4H + 5B + 2L    2H + 4B        4H + 9B   2H + 8B   D

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing. E: symmetric encryption; D: symmetric decryption; H: hash computation; B: bilinear pairing; L: modular exponentiation.

If $(LST, K', d)$ already appears on the $H_2$-list, $\mathcal{A}$ chooses another $l, d \in Z_q^*$ and tries again. Otherwise $\mathcal{A}$ computes $S' = l \cdot P_{pub}$ and stores $(LST, K', d)$ on the $H_2$-list. Then $\mathcal{A}$ responds to $\mathcal{F}$ with $(S', K')$. Indeed, the output is a valid e-cash on $LST$ for $ID$. In fact,

$$e\left(K' + H_2(LST, K')Q_B, P_{pub}\right) = e\left(lP - dW + dW, P_{pub}\right) = e\left(lP, P_{pub}\right) = e\left(lP_{pub}, P\right) = e\left(S', P\right). \quad (43)$$

Output. If $\mathcal{A}$ does not abort as a result of $\mathcal{F}$'s extract queries, then $\mathcal{F}$'s view is identical to its view in the real attack. By the Forking Lemma, after replaying $\mathcal{F}$ with the same random tape, $\mathcal{A}$ obtains two valid e-cash

$$(LST, K', S'), \qquad (LST, K', S'^{*}). \quad (44)$$

Correspondingly, there are two valid signatures $(S, K)$ and $(S^{*}, K)$, because

$$S = (k + h)S_B, \qquad S^{*} = (k + h^{*})S_B. \quad (45)$$

So by the security proof of [22], $\mathcal{A}$ obtains $(xy)P = S_B = (h - h^{*})^{-1}(S - S^{*})$.

This completes the proof.

9. Comparisons

In this section we compare our scheme with [15, 18–20] in some features, communication efficiency, and computation cost. The features are anonymity/unlinkability, unforgeability, verification, double-spending owner tracing, anonymity revocation, and uncheatability of merchant. Our scheme satisfies all of the above features, but the others do not. We show the comparison result in Table 1. In Table 2 we compare the communication efficiency of our scheme with the other schemes. Fan et al.'s scheme [18] and Zhang et al.'s scheme [20] are not trustee based and therefore have no license-issuing protocol and no owner tracing protocol. Juang's scheme [19] also has no license-issuing protocol and no owner tracing protocol, but has an initializing phase and a recovering phase. For comparison, the numbers of rounds of the initializing phase and the recovering phase in Juang's scheme are counted as the license-issuing protocol and the owner tracing protocol, respectively. By Table 2, the proposed scheme demonstrates better communication efficiency under enhanced security. Our scheme and the schemes [15, 20] are all id-based schemes using bilinear pairings, so in Table 3 we compare the computation cost of our scheme with the schemes [15, 20]. It is necessary to note that Zhang et al.'s scheme [20] has no license-issuing protocol and no owner tracing protocol, and that for a fair comparison we have not counted the computation cost of encryption and its related computation in Chen et al.'s scheme. Compared with Chen et al.'s scheme, there are eleven more pairing computations in the proposed scheme. These eleven pairing computations are in the payment protocol and the deposit protocol and are useful to prevent the merchant from cheating. In practice we can use elliptic curves to reduce the computation cost of bilinear pairings.

10. Conclusion

In this paper we show that Chen et al.'s electronic cash scheme suffers from some weaknesses in unforgeability and merchant frauds. To contribute a secure scheme, we propose a new offline electronic cash scheme with anonymity revocation. We also provide formal security proofs of unlinkability and unforgeability. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

Competing Interests

The authors declare that they have no competing interests.

Acknowledgments

This work is supported by the Applied Basic and Advanced Technology Research Programs of Tianjin (no. 15JCYBJC15900).

References

[1] D. Chaum, "Blind signatures for untraceable payments," in Crypto 82, pp. 199–203, Plenum Press, New York, NY, USA, 1983.

[2] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[3] R. Anderson, C. Manifavas, and C. Sutherland, "NetCard—a practical electronic-cash system," in Security Protocols, vol. 1189 of Lecture Notes in Computer Science, pp. 49–57, Springer, Berlin, Germany, 1997.

[4] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in e-cash systems," in Financial Cryptography, vol. 1318 of Lecture Notes in Computer Science, pp. 1–16, Springer, Berlin, Germany, 1997.

[5] G. Maitland and C. Boyd, "Fair electronic cash based on a group signature scheme," in Information and Communication Security, pp. 461–465, Springer, 2001.

[6] D. Chaum and S. Brands, "'Minting' electronic cash," IEEE Spectrum, vol. 34, no. 2, pp. 30–34, 1997.

[7] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Advances in Cryptology—EUROCRYPT 2005, R. Cramer, Ed., vol. 3494 of Lecture Notes in Computer Science, pp. 302–321, Springer, 2005.

[8] H. Wang and Y. Zhang, "Untraceable off-line electronic cash flow in e-commerce," in Proceedings of the 24th Australasian Computer Science Conference (ACSC '01), pp. 191–198, IEEE, Gold Coast, Australia, January-February 2001.

[9] S. Brands, "Untraceable off-line cash in wallet with observers," in Advances in Cryptology—CRYPTO '93, pp. 302–318, Springer, 1994.

[10] C.-Y. Ku, C.-J. Tsao, Y.-H. Lin, and C.-Y. Chen, "An escrow electronic cash system with limited traceability," Information Sciences, vol. 164, no. 1–4, pp. 17–30, 2004.

[11] T. Cao, D. Lin, and R. Xue, "A randomized RSA-based partially blind signature scheme for electronic cash," Computers & Security, vol. 24, no. 1, pp. 44–49, 2005.

[12] W.-S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[13] C. Fan and W. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory (CMCT '07), pp. 405–410, Nantou, Taiwan, 2007.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, no. 3, pp. 637–646, 2013.

[15] Y. Chen, J.-S. Chou, H.-M. Sun, and M.-H. Cho, "A novel electronic cash system with trustee-based anonymity revocation from pairing," Electronic Commerce Research and Applications, vol. 10, no. 6, pp. 673–682, 2011.

[16] Y.-F. Chang, "A critique of 'a novel electronic cash system with trustee-based anonymity revocation from pairing' by Chen, Chou, Sun, and Cho (2011)," Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 441–442, 2012.

[17] Y. L. Chen, J.-S. Chou, H.-M. Sun, and M.-S. Cho, "A response to a critique of 'A novel electronic cash system with trustee-based anonymity revocation from pairing' by Chen, Chou, Sun, and Cho (2011)," Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 443–444, 2012.

[18] C.-I. Fan, V. S. Huang, and Y.-C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, no. 1-2, pp. 227–237, 2013.

[19] W.-S. Juang, "RO-cash: an efficient and practical recoverable pre-paid offline e-cash scheme using bilinear pairings," Journal of Systems and Software, vol. 83, no. 4, pp. 638–645, 2010.

[20] L. Zhang, F. Zhang, B. Qin, and S. Liu, "Provably-secure electronic cash based on certificateless partially-blind signatures," Electronic Commerce Research and Applications, vol. 10, no. 5, pp. 545–552, 2011.

[21] F. Hess, "Efficient identity based signature schemes based on pairings," in Selected Areas in Cryptography: 9th Annual International Workshop, SAC 2002, St. John's, Newfoundland, Canada, August 15-16, 2002, Revised Papers, vol. 2595 of Lecture Notes in Computer Science, pp. 310–324, Springer, Berlin, Germany, 2003.

[22] F. Zhang and F. Kim, "Efficient ID-based blind signature and proxy signature from bilinear pairings," in Proceedings of the 8th Australasian Conference on Information Security and Privacy (ACISP '03), Wollongong, Australia, July 2003, Lecture Notes in Computer Science, pp. 312–323, Springer, 2003.



[14] showed that Eslami and Talebi's scheme is subject to some weaknesses in perceptibility of the double spender, unforgeability, and date attachability. Baseri et al. also contributed a novel electronic cash scheme.

Untraceable electronic cash is an attractive payment tool for electronic commerce because its anonymity property can ensure the privacy of payers. However, this anonymity property is easily abused by criminals. In 2011 Chen et al. [15] proposed an electronic cash system with trustee-based anonymity revocation from pairing. On demand, the trustee can disclose the identity of the owner of an e-cash. Chen et al. claimed that their scheme is the first attempt to incorporate mutual authentication and key agreement into e-cash protocols and that their scheme satisfies the security requirements of untraceability, verifiability, unforgeability, and anonymity revocation. But in 2012 Chang [16] claimed to have found some weaknesses in Chen et al.'s scheme. Then Chen et al. [17] immediately provided a response to rebut Chang's attacks. By thoroughly investigating Chen et al.'s scheme, we find that, although Chang's attacks are indeed wrong, Chen et al.'s scheme is surely insecure. Chen et al.'s scheme is subject to some drawbacks: (1) the first flaw is the attack on unforgeability by a dishonest customer; (2) the second flaw is the attack on double-spending owner tracing; (3) the third flaw is the potential bank attack.

To contribute secure electronic cash schemes, we propose a new offline electronic cash scheme with anonymity revocation. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

The remainder of this paper is organized as follows. Related concepts of bilinear pairing and the CDH problem are introduced in Section 2. In Section 3 we show some weaknesses of Chen et al.'s scheme. In Section 4 we propose a new electronic cash scheme with anonymity revocation. In Section 5 we show the verifiability of the proposed scheme. Double spender detection is covered in Section 6. In Section 7 we show that the proposed scheme satisfies uncheatability of merchants. Provable security of our scheme is covered in Section 8. In Section 9 we compare our scheme with the others. Finally, conclusions are given in Section 10.

2. Preliminary

2.1. The Bilinear Pairing. Let $G_1$ be a cyclic additive group generated by $P$, whose order is a prime $q$, and let $G_2$ be a cyclic multiplicative group of the same order. Let $e: G_1 \times G_1 \to G_2$ be a pairing map which satisfies the following conditions:

(1) Bilinearity: for any $P, Q, R \in G_1$, we have $e(P + Q, R) = e(P, R)\,e(Q, R)$. In particular, for any $a, b \in Z_q$, $e(aP, bP) = e(P, abP) = e(abP, P) = e(P, P)^{ab}$.

(2) Nondegeneracy: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.

(3) Computability: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

2.2. The CDH Problem. Let $G$ be a cyclic additive group of prime order $q$ and $P$ a generator of $G$. The computational Diffie-Hellman (CDH) problem is to compute $abP$ for given $P, aP, bP \in G$.

3. Effective Attacks on Chen et al.'s Scheme

In this section we show the drawbacks of Chen et al.'s scheme [15]. For the sake of brevity we omit the review of Chen et al.'s scheme; readers can find the scheme in detail in [15].

3.1. Attack on the Unforgeability by the Dishonest Customer. When the customer obtains an e-cash $\{CNO, LST, (R, S)\}$, he can randomly select $a \in Z_q^*$ and forge the e-cash $\{CNO, a \cdot LST, (a \cdot R, a \cdot S)\}$, because the e-cash $\{CNO, LST, (R, S)\}$ satisfies

$$e(S, P) = e\left(H_3(CNO) \cdot Q_B, R\right) \cdot e\left(LST \cdot Q_B, P_{pub}\right). \quad (1)$$

So

$$e(S, P)^a = e\left(H_3(CNO) \cdot Q_B, R\right)^a \cdot e\left(LST \cdot Q_B, P_{pub}\right)^a. \quad (2)$$

Then

$$e(a \cdot S, P) = e\left(H_3(CNO) \cdot Q_B, a \cdot R\right) \cdot e\left(a \cdot LST \cdot Q_B, P_{pub}\right). \quad (3)$$

That is to say, the customer forges a valid e-cash $\{CNO, a \cdot LST, (a \cdot R, a \cdot S)\}$.

Of course, in the payment protocol, when the merchant gets an e-cash from a customer, he can also forge e-cash in the same way. Further, these forged e-cash make the scheme fail in double-spending owner tracing, because it is impossible to find the customer's identity from $a \cdot LST$.

Note that $(R, S)$ is a signature on $CNO$ and $LST$. Furthermore, $CNO$ does not distinguish one e-cash from another: $CNO$ is only a randomly selected number. Any customer can randomly choose any $CNO$ for his e-cash. If $CNO$ has some function, it is only for a certain customer. It is not strange that different customers may choose the same $CNO$ for their e-cash. So this attack is a successful forgery.

3.2. Attack by the Dishonest Merchant. In practice there are always many merchants from different shops. After receiving an e-cash $\{CNO, LST, (R, S)\}$ from a customer, the merchant may spend $\{CNO, LST, (R, S)\}$ with another merchant. This attack works because the verification equation

$$e(S, P) = e\left(H_3(CNO) \cdot Q_B, R\right) \cdot e\left(LST \cdot Q_B, P_{pub}\right) \quad (4)$$

is only related to $CNO, LST, R, S$, and no extra information has to be provided by the customer in the verification process. Later, even if the bank finds double spending, the bank and the trustee cannot find the real double spender, because the double spender may not be the customer himself.


3.3. Potential Attack by the Bank. However, in the payment protocol, the only verification of the e-cash $\{CNO, LST, (R, S)\}$ is to examine whether the following equation holds:

$$e(S, P) = e\left(H_3(CNO) \cdot Q_B, R\right) \cdot e\left(LST \cdot Q_B, P_{pub}\right). \quad (5)$$

But if we let $R = aP_{pub}$ ($a$ is a randomly selected number in $Z_q^*$) in the above equation, then

$$\begin{aligned} e(S, P) &= e\left(H_3(CNO) \cdot Q_B, aP_{pub}\right) \cdot e\left(LST \cdot Q_B, P_{pub}\right) \\ &= e\left(a \cdot H_3(CNO) \cdot Q_B, P_{pub}\right) \cdot e\left(LST \cdot Q_B, P_{pub}\right) \\ &= e\left(\left(a \cdot H_3(CNO) + LST\right) \cdot Q_B, P_{pub}\right) \\ &= e\left(\left(a \cdot H_3(CNO) + LST\right) \cdot S_B, P\right). \end{aligned} \quad (6)$$

So the bank can randomly select $CNO$ and $LST$ and then let $R = aP_{pub}$, $S = (a \cdot H_3(CNO) + LST) \cdot S_B$ to generate an e-cash $\{CNO, LST, (R, S)\}$.

This apparently violates the withdrawal protocol, in which the customer and the bank together perform a blind signature function to complete the e-cash withdrawal.

4. Our Proposed Scheme

Based on the id-based signature scheme [21] proposed by Hess and the efficient id-based blind signature [22] proposed by Zhang and Kim, we propose an offline electronic cash scheme with anonymity revocation. In the proposed scheme there are four participants: the trustee $T$, the bank $B$, the customer $C$, and the merchant $M$. There are five protocols: license issuing, withdrawal, payment, deposit, and e-cash owner tracing. Here any communication between any two entities should be encrypted, and this can be done by incorporating mutual authentication and key agreement protocols as in [15]. For brevity we omit those encryptions in the five protocols.

4.1. System Setup. In this stage the Key Generation Center (KGC) chooses a cyclic additive group $G_1$ which is generated by $P$ with prime order $q$, a cyclic multiplicative group $G_2$ of the same order, and a bilinear map $e: G_1 \times G_1 \to G_2$. KGC also chooses a random $s \in Z_q^*$ as the master key, sets $P_{pub} = sP$ public, and chooses cryptographic hash functions $H_1: \{0, 1\}^* \to G_1$, $H_2: \{0, 1\}^* \to Z_q^*$. The system parameter list is params $= (G_1, G_2, e, P, P_{pub}, H_1, H_2)$.

When the customer $C$ submits his identity $ID_C$ to the KGC, the KGC computes the public key $Q_C = H_1(ID_C)$ and the private key $S_C = sQ_C$ for the customer $C$. Similarly the KGC generates the public/private key pairs $(Q_T, S_T)$, $(Q_B, S_B)$, and $(Q_M, S_M)$ for the trustee $T$, the bank $B$, and the merchant $M$, respectively.

4.2. License-Issuing Protocol. Before withdrawing e-cash from the bank, customer $C$ needs to ask trustee $T$ to issue him a license. The following steps describe the protocol, which is also illustrated in Box 1.

(1) Customer $C$ selects four random numbers $b, z, w_1, w_2 \in Z_q^*$ and sends $ID_C, b, z, w_1, w_2$ to trustee $T$.

(2) $T$ chooses a random number $x \in Z_q^*$ and computes $LST$ as $LST = E_{K_T}(ID_C \oplus x)$. Here $E$ is a symmetric encryption algorithm and $K_T$ is a secret key.

(3) To sign $b^{-1}LST$, trustee $T$ selects a random number $r \in Z_q^*$ and computes

$$R = e(P, P)^r, \qquad u = H_2\left(b^{-1}LST, R\right), \qquad V = uS_T + rP. \quad (7)$$

The trustee $T$ also signs $A_1 + A_2 + A_3 + A_4$, where $A_1 = (bz + z)P_{pub}$, $A_2 = (w_1 + w_2)P_{pub}$, $A_3 = w_1 P_{pub}$, and $A_4 = bzP_{pub}$. $T$ selects a random number $y \in Z_q^*$ and computes

$$Y = e(P, P)^y, \qquad d = H_2\left((A_1 + A_2 + A_3 + A_4), Y\right), \qquad F = dS_T + yP. \quad (8)$$

After that, trustee $T$ stores $(LST, x)$ in the database and sends $(LST, u, V, d, F)$ to the customer $C$.

(4) The customer $C$ computes

$$R' = e(V, P)\,e\left(uQ_T, P_{pub}\right)^{-1}, \qquad Y' = e(F, P)\,e\left(dQ_T, P_{pub}\right)^{-1} \quad (9)$$

and checks whether

$$u = H_2\left(b^{-1}LST, R'\right), \qquad d = H_2\left((A_1 + A_2 + A_3 + A_4), Y'\right). \quad (10)$$

If so, the customer $C$ obtains the license $(LST, u, V)$ and the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$.

4.3. Withdrawal Protocol. To complete the e-cash withdrawal, customer $C$ and bank $B$ together perform the following steps. This protocol is also illustrated in Box 2.

(1) Customer $C$ sends $ID_C, (b^{-1}LST, u, V)$ to the bank $B$.

(2) $B$ first computes

$$R' = e(V, P)\,e\left(uQ_T, P_{pub}\right)^{-1} \quad (11)$$

and checks whether

$$u = H_2\left(b^{-1}LST, R'\right). \quad (12)$$

If so, the bank $B$ selects a random number $k \in Z_q^*$, computes $K = kQ_B$, and sends $K$ to the customer $C$.


Box 1: License-issuing protocol (messages between customer $C$ and trustee $T$)

Customer: selects random numbers $b, z, w_1, w_2 \in Z_q^*$.

Customer → Trustee: $(ID_C, b, z, w_1, w_2)$

Trustee: chooses a random number $x \in Z_q^*$ and computes $LST = E_{K_T}(ID_C \oplus x)$; selects a random number $r \in Z_q^*$ and computes $R = e(P, P)^r$, $u = H_2(b^{-1}LST, R)$, $V = uS_T + rP$; selects a random number $y \in Z_q^*$ and computes $Y = e(P, P)^y$, $d = H_2((A_1 + A_2 + A_3 + A_4), Y)$, $F = dS_T + yP$.

Trustee → Customer: $(LST, u, V, d, F)$

Customer: computes $R' = e(V, P)\,e(uQ_T, P_{pub})^{-1}$ and $Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$; checks whether $u = H_2(b^{-1}LST, R')$ and $d = H_2((A_1 + A_2 + A_3 + A_4), Y')$; obtains the license $(LST, u, V)$ and the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$.

Box 2: Withdrawal protocol (messages between customer $C$ and bank $B$)

Customer → Bank: $ID_C, (b^{-1}LST, u, V)$

Bank: computes $R' = e(V, P)\,e(uQ_T, P_{pub})^{-1}$; checks whether $u = H_2(b^{-1}LST, R')$; selects a random number $k \in Z_q^*$ and computes $K = kQ_B$.

Bank → Customer: $K$

Customer: selects two random numbers $a, c \in Z_q^*$ and computes $K' = aK + acQ_B$, $h = a^{-1}H_2(LST, K') + c$.

Customer → Bank: $h$

Bank: computes $S = (k + h)S_B$.

Bank → Customer: $S$

Customer: computes $S' = aS$; checks whether $e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub})$; obtains an e-cash $(LST, K', S')$.

Mobile Information Systems 5

Customer C -> Merchant M: $(LST, K', S')$
Merchant M: checks whether $e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub})$;
  selects a random number $l \in Z_q^*$ and computes
    $L = e(P, P)^l$,
    $j = H_2(LST, K', S', L)$,
    $D = jS_M + lP$.
Merchant M -> Customer C: $(j, D)$
Customer C: computes $L' = e(D, P)\,e(jQ_M, P_{pub})^{-1}$ and checks whether $j = H_2(LST, K', S', L')$;
  computes
    $f_1 = bjz + w_1$,
    $f_2 = jz + w_2$.
Customer C -> Merchant M: $(f_1, f_2, A_1, A_2, A_3, A_4, j, d, F)$
Merchant M: checks whether $e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2)$;
  computes $Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$ and checks whether $d = H_2((A_1 + A_2 + A_3 + A_4), Y')$;
  accepts the payment.

Box 3: Payment protocol

(3) The customer $C$ selects two random numbers $a, c \in Z_q^*$ and computes

    $K' = aK + acQ_B,$
    $h = a^{-1}H_2(LST, K') + c,$                                   (13)

and sends $h$ to the bank $B$.

(4) The bank $B$ computes

    $S = (k + h)S_B$                                                 (14)

and sends $S$ to the customer $C$.

(5) The customer $C$ computes

    $S' = aS$                                                        (15)

and checks whether

    $e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub}).$                   (16)

If so, the customer $C$ obtains an $e$-cash $(LST, K', S')$.

4.4 Payment Protocol. When the customer $C$ wants to spend his cash at the shop, the customer $C$ and the merchant $M$ do the following steps. This protocol is also illustrated in Box 3.

(1) The customer $C$ sends $(LST, K', S')$ to the merchant $M$.

(2) The merchant $M$ checks whether

    $e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub}).$                   (17)

If so, he selects a random number $l \in Z_q^*$ and computes

    $L = e(P, P)^l,$
    $j = H_2(LST, K', S', L),$
    $D = jS_M + lP.$                                                 (18)

Then he sends $(j, D)$ to the customer $C$.

(3) The customer $C$ computes

    $L' = e(D, P)\,e(jQ_M, P_{pub})^{-1}$                            (19)

and checks whether

    $j = H_2(LST, K', S', L').$                                      (20)

If so, he computes

    $f_1 = bjz + w_1,$
    $f_2 = jz + w_2.$                                                (21)

Then he sends $(f_1, f_2, A_1, A_2, A_3, A_4, j, d, F)$ to the merchant $M$.

(4) The merchant $M$ checks whether

    $e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2),$               (22)

computes

    $Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1},$                           (23)

and checks whether

    $d = H_2((A_1 + A_2 + A_3 + A_4), Y').$                          (24)

If so, the merchant accepts the payment.

Merchant M -> Bank B: $(LST, K', S', f_1, f_2, j, A_1, A_2, A_3, A_4, d, F)$
Bank B: computes $Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$ and checks whether
    $e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub})$,
    $e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2)$,
    $e(f_1 Q_T, P_{pub}) = e(Q_T, A_3 + jA_4)$,
    $d = H_2((A_1 + A_2 + A_3 + A_4), Y')$;
  checks whether the $e$-cash is being double spent; if it is fresh, credits the merchant's account.

Box 4: Deposit protocol

4.5 Deposit Protocol. When the merchant $M$ wants to deposit the received $e$-cash into his account in the bank $B$, the following steps are done between the bank $B$ and the merchant $M$. This protocol is also illustrated in Box 4.

(1) The merchant $M$ sends $(LST, K', S', f_1, f_2, j, A_1, A_2, A_3, A_4, d, F)$ to the bank $B$.

(2) The bank $B$ first checks whether the coin exists in its deposit table. If the coin exists, it runs the double spender detection procedure. Else the bank computes

    $Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$                            (25)

and checks whether

    $e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub}),$
    $e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2),$
    $e(f_1 Q_T, P_{pub}) = e(Q_T, A_3 + jA_4),$
    $d = H_2((A_1 + A_2 + A_3 + A_4), Y').$                          (26)

If the above four equations hold, the bank accepts the coin, stores it in the deposit table, and transfers money to the merchant $M$.

4.6 Revoking the Anonymity. In the case that an $e$-cash $(LST, K', S')$ is abused by a criminal, whether the cash is spent twice or not, the trustee can revoke the anonymity of the $e$-cash by the $LST$ provided by the bank. As soon as the trustee $T$ receives the request of revoking anonymity, $T$ checks his database to find the record $(LST, x)$ and computes the identity information $ID_C = D_{K_T}(LST) \oplus x$ by using his secret key $K_T$.

5 Verifiability of the Proposed Scheme

Firstly, we show that the blind license $b^{-1}LST$ can be verified by the equation

    $u = H_2(b^{-1}LST, R').$                                        (27)

Since

    $R' = e(V, P)\,e(uQ_T, P_{pub})^{-1} = e(V, P)\,e(-uS_T, P)$
    $= e(V - uS_T, P) = e(rP, P) = R,$                                (28)

we have $u = H_2(b^{-1}LST, R) = H_2(b^{-1}LST, R')$.

Secondly, we show that the $e$-cash can be verified by the equation

    $e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub}).$                   (29)

In fact,

    $e(S', P) = e(aS, P) = e(a(k + h)S_B, P)$
    $= e(a(k + a^{-1}H_2(LST, K') + c)Q_B, P_{pub})$
    $= e(akQ_B + acQ_B + H_2(LST, K')Q_B, P_{pub})$
    $= e(K' + H_2(LST, K')Q_B, P_{pub}).$                            (30)

Thirdly, we show that the signature $(j, D)$ on $(LST, K', S')$ by the merchant can be verified by the equation

    $j = H_2(LST, K', S', L').$                                      (31)

Since

    $L' = e(D, P)\,e(jQ_M, P_{pub})^{-1} = e(D, P)\,e(-jS_M, P)$
    $= e(D - jS_M, P) = e(lP, P) = L,$                                (32)

we have $j = H_2(LST, K', S', L) = H_2(LST, K', S', L')$.

Fourthly, we show that the information $(f_1, f_2)$ can be verified by the equations

    $e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2),$
    $e(f_1 Q_T, P_{pub}) = e(Q_T, A_3 + jA_4).$                      (33)

In fact,

    $e((f_1 + f_2)Q_T, P_{pub}) = e((bjz + w_1 + jz + w_2)Q_T, P_{pub})$
    $= e((bjz + jz)Q_T + (w_1 + w_2)Q_T, P_{pub})$
    $= e((bjz + jz)Q_T, P_{pub})\,e((w_1 + w_2)Q_T, P_{pub})$
    $= e(Q_T, (bjz + jz)P_{pub})\,e(Q_T, (w_1 + w_2)P_{pub})$
    $= e(Q_T, jA_1)\,e(Q_T, A_2) = e(Q_T, jA_1 + A_2),$
    $e(f_1 Q_T, P_{pub}) = e((bjz + w_1)Q_T, P_{pub})$
    $= e(Q_T, (bjz + w_1)P_{pub}) = e(Q_T, A_3 + jA_4).$              (34)

Finally, we show that the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$ by the trustee can be verified by the equation

    $d = H_2((A_1 + A_2 + A_3 + A_4), Y').$                          (35)

Since

    $Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1} = e(F, P)\,e(-dS_T, P)$
    $= e(F - dS_T, P) = e(yP, P) = Y,$
    $d = H_2((A_1 + A_2 + A_3 + A_4), Y) = H_2((A_1 + A_2 + A_3 + A_4), Y').$   (36)

6 Double Spender Detection

In the case that the customer spends an $e$-cash twice or more, the bank $B$ can compute

    $b = \frac{f_1 - f_1'}{f_2 - f_2'}, \qquad b^{-1}LST.$            (37)

Then the bank $B$ checks its database of the withdrawal protocol to find the record $ID_C, (b^{-1}LST, u, V)$ and knows the identity information $ID_C$ of the malicious customer $C$. Here $(f_1, f_2)$ and $(f_1', f_2')$ are the information the customer $C$ sends to the merchant $M$ in the payment phase of the two consumptions, respectively. In fact,

    $f_1 = bj_1 z + w_1,$
    $f_1' = bj_2 z + w_1,$
    $f_2 = j_1 z + w_2,$
    $f_2' = j_2 z + w_2.$                                            (38)

So

    $b = \frac{f_1 - f_1'}{f_2 - f_2'}.$                              (39)

Hence the bank $B$ can compute $b^{-1}LST$ and obtain the identity information $ID_C$ of the malicious customer $C$.
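The withdrawal steps (Box 2, equations (13)-(16)), the payment exchange (Box 3, equations (17)-(22)), the deposit checks of equation (33) and the double-spender detection of equations (37)-(39) are run end to end in the following added Python example; it is not the authors' code. It assumes a stand-in "exponent pairing" $e(aP, bP) = g^{ab}$ in place of a real bilinear map, an integer license $LST$, and the form of $A_1, \ldots, A_4$ implied by equation (34), since the license-issuing protocol that defines them lies outside this excerpt.

```python
"""Toy run of the scheme: withdrawal, payment and double-spender detection.
Stand-in pairing e(aP, bP) = g^(ab) over a prime-order subgroup of Z_p^*: it is
bilinear, so the verification equations hold, but it offers no security."""
import hashlib
import random

rng = random.Random(2016)  # seeded so the toy run is reproducible

def _is_prime(n, rounds=20):  # Miller-Rabin; callers only pass odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(bits):  # p = 2q + 1 with both prime: Z_p^* has a subgroup of order q
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(q) and _is_prime(2 * q + 1):
            return 2 * q + 1, q

# Setup (Section 4.1) in the toy: G1 = Z_q written additively with generator
# P = 1, G2 = <g> of order q in Z_p^*, master key s, P_pub = sP.
p, q = _safe_prime(64)
g, P = 4, 1                 # 4 = 2^2 is a quadratic residue != 1, so it has order q
s = rng.randrange(1, q)
P_pub = s * P % q

def e(a, b):  # stand-in bilinear map e(aP, bP) = g^(ab)
    return pow(g, a * b % q, p)

def H(*parts):  # hash into Z_q^*; serves as H1 (into G1 = Z_q) and as H2
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1) + 1

Q_B, Q_T, Q_M = H("H1", "bank"), H("H1", "trustee"), H("H1", "merchant")
S_B, S_M = s * Q_B % q, s * Q_M % q   # private keys S_ID = sQ_ID

def withdraw(LST):
    """Box 2: blind signature on (LST, K'); returns the e-cash (LST, K', S') and the bank's view (K, h, S)."""
    k = rng.randrange(1, q)
    K = k * Q_B % q                                   # bank: K = kQ_B
    a, c = rng.randrange(1, q), rng.randrange(1, q)   # customer's blinding factors
    Kp = (a * K + a * c * Q_B) % q                    # K' = aK + acQ_B
    h = (pow(a, -1, q) * H("H2", LST, Kp) + c) % q    # h = a^-1 H2(LST, K') + c
    S = (k + h) * S_B % q                             # bank: S = (k + h)S_B
    return (LST, Kp, a * S % q), (K, h, S)            # customer: S' = aS

def verify_cash(cash):
    """Equation (16)/(29): e(S', P) = e(K' + H2(LST, K')Q_B, P_pub)."""
    LST, Kp, Sp = cash
    return e(Sp, P) == e((Kp + H("H2", LST, Kp) * Q_B) % q, P_pub)

def license_values(secrets):  # A1..A4 in the form equation (34) implies (assumed)
    b, z, w1, w2 = secrets
    return ((b + 1) * z * P_pub % q, (w1 + w2) * P_pub % q, w1 * P_pub % q, b * z * P_pub % q)

def pay(cash, secrets):
    """Box 3: merchant challenge (j, D), then the customer's response (f1, f2)."""
    LST, Kp, Sp = cash
    b, z, w1, w2 = secrets
    ell = rng.randrange(1, q)                         # merchant nonce l, fresh per payment
    L = pow(g, ell, p)                                # L = e(P, P)^l
    j = H("H2", LST, Kp, Sp, L)
    D = (j * S_M + ell * P) % q                       # merchant's signature (j, D)
    Lp = e(D, P) * pow(e(j * Q_M % q, P_pub), -1, p) % p   # L' = e(D,P) e(jQ_M,P_pub)^-1
    if j != H("H2", LST, Kp, Sp, Lp):                 # equation (20); the customer keeps
        raise ValueError("merchant signature rejected")   # (j, D) as evidence (Section 7)
    return (b * j * z + w1) % q, (j * z + w2) % q, j  # f1 = bjz + w1, f2 = jz + w2

def verify_payment(f1, f2, j, A):
    """Equation (33): the two pairing checks run by the merchant and the bank."""
    A1, A2, A3, A4 = A
    return (e((f1 + f2) * Q_T % q, P_pub) == e(Q_T, (j * A1 + A2) % q)
            and e(f1 * Q_T % q, P_pub) == e(Q_T, (A3 + j * A4) % q))

def trace_double_spender(f1, f2, f1p, f2p):
    """Equations (37)-(39): b = (f1 - f1')/(f2 - f2'); the bank then looks up b^-1 LST."""
    return (f1 - f1p) * pow(f2 - f2p, -1, q) % q

def demo():
    """Withdraw one coin, spend it twice, and let the bank recover b."""
    secrets = tuple(rng.randrange(1, q) for _ in range(4))   # (b, z, w1, w2)
    cash, _bank_view = withdraw(rng.randrange(1, q))         # random license LST
    f1, f2, j1 = pay(cash, secrets)
    f1p, f2p, j2 = pay(cash, secrets)                        # same coin spent again
    A = license_values(secrets)
    return (verify_cash(cash), verify_payment(f1, f2, j1, A),
            verify_payment(f1p, f2p, j2, A), trace_double_spender(f1, f2, f1p, f2p) == secrets[0])
```

Because the stand-in pairing exposes discrete logarithms, anyone could link $(K', S')$ back to the bank's view $(K, h, S)$ here; the toy shows the algebra of the scheme, not its security.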

7 Uncheatability of Merchants

When the customer sends the $e$-cash $(LST, K', S')$ to the merchant, the merchant computes the signature $(j, D)$ on $(LST, K', S')$. When the merchant sends $(j, D)$ to the customer, the customer first verifies it using the public key $Q_M$ of the merchant $M$. When $(j, D)$ satisfies the verification equation, the customer sends $(f_1, f_2, A_1, A_2, A_3, A_4, d, F)$ to the merchant. If later the merchant uses the $e$-cash $(LST, K', S')$ and $(f_1, f_2, A_1, A_2, A_3, A_4, d, F)$ to spend with other merchants and cheats the customer, the customer can show the merchant's signature to some arbitration agency. So the scheme can effectively resist the merchant cheating attack.

8 Provable Security

In this section we show that the proposed scheme satisfies the properties of unlinkability and unforgeability.

Definition 1 (the linkability game). Let $\eta$ be a security parameter and let $C_1$ and $C_2$ be two customers. $C_1$, $C_2$ and the bank $B$ are involved in the following game.

Step 1. The bank $B$ outputs two licenses $LST_0$ and $LST_1$.

Step 2. We randomly choose a bit $b' \in \{0, 1\}$ and place $(K_{b'}, LST_{b'})$ and $(K_{1-b'}, LST_{1-b'})$ on the private input tapes of $C_1$ and $C_2$, respectively. The bit $b'$ will not be disclosed to the bank $B$.

Step 3. The bank $B$ and the two customers $C_1$, $C_2$ perform the withdrawal protocol of the proposed scheme.

Step 4. If $C_1$ and $C_2$ output two $e$-cash $(LST_{b'}, K'_{b'}, S'_{b'})$ and $(LST_{1-b'}, K'_{1-b'}, S'_{1-b'})$ on their private tapes, respectively, we give the two 3-tuples in a random order to the bank; otherwise $\perp$ is given to $B$.

Step 5. The bank $B$ outputs $b'^* \in \{0, 1\}$ as the guess of $b'$. $B$ wins the game if $b'^* = b'$. We define the advantage of $B$ as

    $\mathrm{Adv}^{\mathrm{Traceality}}_B(\eta) = \left| 2\Pr[b'^* = b'] - 1 \right|.$   (40)

Definition 2 (unlinkability). The proposed scheme satisfies the unlinkability property if the advantage $\mathrm{Adv}^{\mathrm{Traceality}}_B(\eta)$ is negligible.

Theorem 3. The proposed scheme satisfies the unlinkability property.

Proof of Theorem 3. We consider the condition in Definition 1. Let $(LST, K', S')$ be one of the two $e$-cash given to the bank and let $(K, h, S)$ be the view of the bank in one of the withdrawal protocols. It is sufficient to show that there exist two random factors $(a, c)$ that map $(K, h, S)$ to $(LST, K', S')$. We know

    $K' = aK + acQ_B,$
    $h = a^{-1}H_2(LST, K') + c,$
    $S' = aS.$                                                       (41)

So by the equation $S' = aS$ there is a unique $a$. Then by the equation $h = a^{-1}H_2(LST, K') + c$ there is a unique $c$. Furthermore, when $S$ and $S'$ are correctly computed, the following equations hold:

    $e(S, P) = e(K + (a^{-1}H_2(LST, K') + c)Q_B, P_{pub}),$
    $e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub}).$                   (42)

So it holds when $K' = aK + acQ_B$. That is to say, $(a, c)$ always exists regardless of the values $(LST, K', S')$ and $(K, h, S)$. Therefore even an infinitely powerful bank outputs a correct value $b'$ with probability of exactly $1/2$. So the proposed scheme satisfies the unlinkability property.

Definition 4 (the forgeability game). The adversary $F$ and the challenger $A$ play the following game.

Step 1. The challenger $A$ takes a security parameter, generates the public parameters params, and sends params to the adversary $F$.

Step 2. The adversary $F$ can perform a polynomially bounded number of hash queries, extract queries, and $e$-cash queries. These three kinds of queries answer the hash function, private key, and $e$-cash queried by the adversary $F$, respectively.

Step 3. The adversary $F$ outputs a tuple $\sigma = ((LST, K', S'), ID_B)$. This tuple satisfies the following requirements:

(1) $(LST, K', S')$ is a valid $e$-cash with regard to the bank $B$.

(2) The adversary $F$ has never requested the private key of the bank $B$.

(3) $\sigma = ((LST, K', S'), ID_B)$ has never been queried during the $e$-cash query.

Definition 5 (unforgeability). An adversary $F$ is said to be an $(\varepsilon, t, q_E, q_I, q_H)$-forger if it has advantage at least $\varepsilon$ in the above game, runs in time at most $t$, and makes at most $q_E$, $q_I$, and $q_H$ extract, $e$-cash, and hashing queries, respectively. A scheme is said to be $(\varepsilon, t, q_E, q_I, q_H)$-secure against $A$ in the sense of unforgeability against $e$-cash existential forgery attack if no $(\varepsilon, t, q_E, q_I, q_H)$-forger exists.

Theorem 6. If the CDH problem is hard, then the proposed scheme is secure against $e$-cash existential forgery attack.

Proof of Theorem 6. Suppose that $F$ is a forger who can forge $e$-cash in the proposed scheme. A CDH instance $(P, xP, yP)$ is given for $x, y \in_R Z_q^*$. By using the forgery algorithm $F$ we will construct an algorithm $A$ which outputs the CDH solution $xyP$ in $G$. Algorithm $A$ performs the following simulation by interacting with the forger $F$.

Setup. Algorithm $A$ sets $P_{pub} = xP$ and starts by giving $F$ the system parameters including $(P, P_{pub})$.

Table 1: Comparison of features of our scheme with recent schemes.

                    F1    F2    F3    F4    F5    F6
Chen et al. [15]    Yes   Fail  Yes   Yes   Yes   Fail
Fan et al. [18]     Yes   Yes   No    Yes   Yes   No
Juang [19]          Yes   Yes   Yes   Yes   No    No
Zhang et al. [20]   Yes   Yes   Yes   No    No    No
Ours                Yes   Yes   Yes   Yes   Yes   Yes

F1: anonymity/unlinkability; F2: unforgeability; F3: verification; F4: double-spending owner tracing; F5: anonymity revocation; F6: uncheatability of merchant.

Table 2: Required number of rounds for each protocol in the compared schemes.

                    P1    P2    P3    P4    P5
Chen et al. [15]    2     2     1     1     1
Fan et al. [18]     —     4     3     1     —
Juang [19]          3     3     1     1     2
Zhang et al. [20]   —     3     2     1     —
Ours                2     4     3     1     1

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing.

At any time $F$ can query the random oracles $H_1$, $H_2$ and make extract and cash queries. To answer these queries, $A$ does the following.

$H_1$-Queries. At any time $F$ can query the random oracle $H_1$. To respond to these queries, $A$ maintains a list $H_1$-list of tuples $(ID, W, t, e)$ as explained below. When an identity $ID$ is submitted to the $H_1$ oracle, $A$ responds as follows. If the query $ID$ already appears on the $H_1$-list in a tuple $(ID, W, t, e)$, $A$ responds with $H_1(ID) = W$. Otherwise $A$ generates a random coin $e \in \{0, 1\}$. If $e = 0$, then $A$ computes $W = t(yP)$ for a random $t \in Z_q^*$. If $e = 1$, then $A$ computes $W = tP$. $A$ adds the tuple $(ID, W, t, e)$ to the $H_1$-list and responds to $F$ with $H_1(ID) = W$.

$H_2$-Queries. To respond to $H_2$-queries, $A$ maintains a list referred to as $H_2$-list of tuples $(LST, K', d)$. When $F$ queries the $H_2$ oracle at $(LST, K')$, $A$ responds as follows. If the query $(LST, K')$ already appears on the $H_2$-list in a tuple $(LST, K', d)$, then $A$ responds with $H_2(LST, K') = d \in Z_q$. Otherwise $A$ generates a random $d \in Z_q$, adds the tuple $(LST, K', d)$ to the $H_2$-list, and responds to $F$ with $H_2(LST, K') = d$.

Extract Queries. When $F$ queries the private key corresponding to $ID$, $A$ first finds the corresponding $(ID, W, t, e)$ from the $H_1$-list. If $e = 0$, then $A$ fails and halts. Otherwise $A$ computes the private key $S_{ID} = t \cdot P_{pub} = t(xP)$ by using the tuple $(ID, W, t, e)$ in the $H_1$-list and responds to $F$ with $S_{ID}$.

Cash Queries. If $F$ requests an $e$-cash on $LST$ under $ID$, $A$ responds to this query as follows. $A$ first finds the corresponding tuple $(ID, W, t, e)$ from the $H_1$-list, chooses random numbers $l, d \in Z_q^*$, and computes $K' = lP - dW$.

Table 3: Comparison of computation costs.

                    P1                 P2             P3         P4         P5
Chen et al. [15]    E + 2H + 3B        4H + 6B        H + 3B     H + 3B     D
Zhang et al. [20]   —                  2H + 2B + L    2H + 3B    2H + 3B    —
Ours                E + 4H + 5B + 2L   2H + 4B        4H + 9B    2H + 8B    D

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing. E: symmetric encryption; D: symmetric decryption; H: hash computation; B: bilinear pairing; L: modular exponentiation.

If $(LST, K', d)$ already appears on the $H_2$-list, $A$ chooses another pair $l, d \in Z_q^*$ and tries again. Otherwise $A$ computes $S' = l \cdot P_{pub}$ and stores $(LST, K', d)$ on the $H_2$-list. Then $A$ responds to $F$ with $(S', K')$. Indeed, the output is a valid $e$-cash on $LST$ for $ID$. In fact,

    $e(K' + H_2(LST, K')Q_B, P_{pub}) = e(lP - dW + dW, P_{pub}) = e(lP, P_{pub}) = e(lP_{pub}, P) = e(S', P).$   (43)

Output. If $A$ does not abort as a result of $F$'s extract query, then $F$'s view is identical to its view in the real attack. By the Forking Lemma, after replaying $F$ with the same random tape, $A$ obtains two valid $e$-cash

    $(LST, K', S'),$
    $(LST, K', S'^*).$                                               (44)

Correspondingly, there are two valid signatures $(S, K)$ and $(S^*, K)$ because

    $S = (k + h)S_B,$
    $S^* = (k + h^*)S_B.$                                            (45)

So by the security proof of [22], $A$ obtains $(xy)P = S_B = (h - h^*)^{-1}(S - S^*)$. This completes the proof.

9 Comparisons

In this section we compare our scheme with [15, 18–20] in some features, communication efficiency, and computation cost. The features are anonymity/unlinkability, unforgeability, verification, double-spending owner tracing, anonymity revocation, and uncheatability of merchant. Our scheme satisfies all of the above features, but the others do not. We show the comparison result in Table 1. In Table 2 we compare the communication efficiency of our scheme with the other schemes. Fan et al.'s scheme [18] and Zhang et al.'s scheme [20] are not trustee based, and therefore they have neither a license-issuing protocol nor an owner tracing protocol. Juang's scheme [19] also has neither a license-issuing protocol nor an owner tracing protocol but has an initializing phase and a recovering phase. For comparison, the numbers of rounds of the initializing phase and the recovering phase in Juang's scheme are counted as the license-issuing protocol and the owner tracing protocol, respectively. By Table 2, the proposed scheme demonstrates better communication efficiency under enhanced security. Our scheme and the schemes [15, 20] are all id-based schemes using bilinear pairings, so in Table 3 we compare the computation cost of our scheme with the schemes [15, 20]. It is necessary to note that Zhang et al.'s scheme [20] has no license-issuing protocol or owner tracing protocol, and that for a fair comparison we have not counted the computation cost of encryption and its related computation in Chen et al.'s scheme. Compared with Chen et al.'s scheme, there are eleven more pairing computations in the proposed scheme. These eleven pairing computations are in the payment protocol and the deposit protocol and are useful to prevent the merchant from cheating. In practice, we can use elliptic curves to reduce the computation cost of bilinear pairings.

10 Conclusion

In this paper we show that Chen et al.'s electronic cash scheme suffers from some weaknesses in unforgeability and merchant frauds. To contribute a secure scheme, we propose a new offline electronic cash scheme with anonymity revocation. We also provide formal security proofs of unlinkability and unforgeability. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This work is supported by the Applied Basic and Advanced Technology Research Programs of Tianjin (no. 15JCYBJC15900).

References

[1] D. Chaum, "Blind signatures for untraceable payments," in Crypto 82, pp. 199–203, Plenum Press, New York, NY, USA, 1983.

[2] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[3] R. Anderson, C. Manifavas, and C. Sutherland, "NetCard—a practical electronic-cash system," in Security Protocols, vol. 1189 of Lecture Notes in Computer Science, pp. 49–57, Springer, Berlin, Germany, 1997.

[4] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in e-cash systems," in Financial Cryptography, vol. 1318 of Lecture Notes in Computer Science, pp. 1–16, Springer, Berlin, Germany, 1997.

[5] G. Maitland and C. Boyd, "Fair electronic cash based on a group signature scheme," in Information and Communication Security, pp. 461–465, Springer, 2001.

[6] D. Chaum and S. Brands, "'Minting' electronic cash," IEEE Spectrum, vol. 34, no. 2, pp. 30–34, 1997.

[7] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Advances in Cryptology—EUROCRYPT 2005, R. Cramer, Ed., vol. 3494 of Lecture Notes in Computer Science, pp. 302–321, Springer, 2005.

[8] H. Wang and Y. Zhang, "Untraceable off-line electronic cash flow in e-commerce," in Proceedings of the 24th Australasian Computer Science Conference (ACSC '01), pp. 191–198, IEEE, Gold Coast, Australia, January–February 2001.

[9] S. Brands, "Untraceable off-line cash in wallet with observers," in Advances in Cryptology—CRYPTO '93, pp. 302–318, Springer, 1994.

[10] C.-Y. Ku, C.-J. Tsao, Y.-H. Lin, and C.-Y. Chen, "An escrow electronic cash system with limited traceability," Information Sciences, vol. 164, no. 1–4, pp. 17–30, 2004.

[11] T. Cao, D. Lin, and R. Xue, "A randomized RSA-based partially blind signature scheme for electronic cash," Computers & Security, vol. 24, no. 1, pp. 44–49, 2005.

[12] W.-S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[13] C. Fan and W. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory (CMCT '07), pp. 405–410, Nantou, Taiwan, 2007.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, no. 3, pp. 637–646, 2013.

[15] Y. Chen, J.-S. Chou, H.-M. Sun, and M.-H. Cho, "A novel electronic cash system with trustee-based anonymity revocation from pairing," Electronic Commerce Research and Applications, vol. 10, no. 6, pp. 673–682, 2011.

[16] Y.-F. Chang, "A critique of 'a novel electronic cash system with trustee-based anonymity revocation from pairing' by Chen, Chou, Sun, and Cho (2011)," Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 441–442, 2012.

[17] Y. L. Chen, J.-S. Chou, H.-M. Sun, and M.-S. Cho, "A response to a critique of 'A novel electronic cash system with trustee-based anonymity revocation from pairing' by Chen, Chou, Sun, and Cho (2011)," Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 443–444, 2012.

[18] C.-I. Fan, V. S. Huang, and Y.-C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, no. 1-2, pp. 227–237, 2013.

[19] W.-S. Juang, "RO-cash: an efficient and practical recoverable pre-paid offline e-cash scheme using bilinear pairings," Journal of Systems and Software, vol. 83, no. 4, pp. 638–645, 2010.

[20] L. Zhang, F. Zhang, B. Qin, and S. Liu, "Provably-secure electronic cash based on certificateless partially-blind signatures," Electronic Commerce Research and Applications, vol. 10, no. 5, pp. 545–552, 2011.

[21] F. Hess, "Efficient identity based signature schemes based on pairings," in Selected Areas in Cryptography: 9th Annual International Workshop, SAC 2002, St. John's, Newfoundland, Canada, August 15-16, 2002, Revised Papers, vol. 2595 of Lecture Notes in Computer Science, pp. 310–324, Springer, Berlin, Germany, 2003.

[22] F. Zhang and F. Kim, "Efficient ID-based blind signature and proxy signature from bilinear pairings," in Proceedings of the 8th Australasian Conference on Information Security and Privacy (ACISP '03), Wollongong, Australia, July 2003, Lecture Notes in Computer Science, pp. 312–323, Springer, 2003.


3.3 Potential Attack by the Bank. However, in the payment protocol the only verification of the $e$-cash $(CNO, LST, (R, S))$ is to examine whether the following equation holds:

    $e(S, P) = e(H_3(CNO) \cdot Q_B, R) \cdot e(LST \cdot Q_B, P_{pub}).$   (5)

But if we let $R = aP_{pub}$ ($a$ is a randomly selected number in $Z_q^*$) in the above equation, then

    $e(S, P) = e(H_3(CNO) \cdot Q_B, aP_{pub}) \cdot e(LST \cdot Q_B, P_{pub})$
    $= e(a \cdot H_3(CNO) \cdot Q_B, P_{pub}) \cdot e(LST \cdot Q_B, P_{pub})$
    $= e((a \cdot H_3(CNO) + LST) \cdot Q_B, P_{pub})$
    $= e((a \cdot H_3(CNO) + LST) \cdot S_B, P).$                     (6)

So the bank can randomly select $CNO$ and $LST$, then let $R = aP_{pub}$ and $S = (a \cdot H_3(CNO) + LST) \cdot S_B$ to generate an $e$-cash $(CNO, LST, (R, S))$.

This apparently violates the withdrawal protocol above, in which the customer and the bank together perform a blind signature function to complete the $e$-cash withdrawal.

4. Our Proposed Scheme

Based on the id-based signature scheme [21] proposed by Hess and the efficient id-based blind signature [22] proposed by Zhang and Kim, we propose an offline electronic cash scheme with anonymity revocation. In the proposed scheme there are four participants: the trustee $T$, the bank $B$, the customer $C$, and the merchant $M$. There are five protocols: license issuing, withdrawal, payment, deposit, and $e$-cash owner tracing. Any communication between two entities should be encrypted, which can be done by incorporating mutual authentication and key agreement protocols as in [15]. For brevity we omit those encryptions in the five protocols.

4.1. System Setup. In this stage the Key Generation Center (KGC) chooses a cyclic additive group $G_1$, generated by $P$ with prime order $q$, a cyclic multiplicative group $G_2$ of the same order, and a bilinear map $e: G_1 \times G_1 \rightarrow G_2$. KGC also chooses a random $s \in Z_q^*$ as the master key, sets $P_{pub} = sP$ public, and chooses cryptographic hash functions $H_1: \{0,1\}^* \rightarrow G_1$ and $H_2: \{0,1\}^* \rightarrow Z_q^*$. The system parameter list is params $= (G_1, G_2, e, P, P_{pub}, H_1, H_2)$.

When the customer $C$ submits his identity $ID_C$ to the KGC, the KGC computes the public key $Q_C = H_1(ID_C)$ and the private key $S_C = sQ_C$ for the customer $C$. Similarly, the KGC generates the public/private key pairs $(Q_T, S_T)$, $(Q_B, S_B)$, and $(Q_M, S_M)$ for the trustee $T$, the bank $B$, and the merchant $M$, respectively.

4.2. License-Issuing Protocol. Before withdrawing $e$-cash from the bank, customer $C$ needs to ask trustee $T$ to issue him a license. The following steps describe the protocol, which is also illustrated in Box 1.

(1) Customer $C$ selects four random numbers $b, z, w_1, w_2 \in Z_q^*$ and sends $ID_C, b, z, w_1, w_2$ to trustee $T$.

(2) $T$ chooses a random number $x \in Z_q^*$ and computes $LST$ as $LST = E_{K_T}(ID_C \oplus x)$. Here $E$ is a symmetric encryption algorithm and $K_T$ is a secret key.

(3) To sign on $b^{-1}LST$, trustee $T$ selects a random number $r \in Z_q^*$ and computes

$$R = e(P, P)^r, \quad u = H_2(b^{-1}LST, R), \quad V = uS_T + rP. \quad (7)$$

The trustee $T$ also signs on $A_1 + A_2 + A_3 + A_4$; here $A_1 = (bz + z)P_{pub}$, $A_2 = (w_1 + w_2)P_{pub}$, $A_3 = w_1 P_{pub}$, and $A_4 = bzP_{pub}$. $T$ selects a random number $y \in Z_q^*$ and computes

$$Y = e(P, P)^y, \quad d = H_2((A_1 + A_2 + A_3 + A_4), Y), \quad F = dS_T + yP. \quad (8)$$

After that, trustee $T$ stores $(LST, x)$ in the database and sends $(LST, u, V, d, F)$ to the customer $C$.

(4) The customer $C$ computes

$$R' = e(V, P)\, e(uQ_T, P_{pub})^{-1}, \quad Y' = e(F, P)\, e(dQ_T, P_{pub})^{-1} \quad (9)$$

and checks whether

$$u = H_2(b^{-1}LST, R'), \quad d = H_2((A_1 + A_2 + A_3 + A_4), Y'). \quad (10)$$

If so, the customer $C$ obtains the license $(LST, u, V)$ and the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$.

4.3. Withdrawal Protocol. To complete the $e$-cash withdrawal, customer $C$ and bank $B$ together perform the following steps. This protocol is also illustrated in Box 2.

(1) Customer $C$ sends $ID_C, (b^{-1}LST, u, V)$ to the bank $B$.

(2) $B$ first computes

$$R' = e(V, P)\, e(uQ_T, P_{pub})^{-1} \quad (11)$$

and checks whether

$$u = H_2(b^{-1}LST, R'). \quad (12)$$

If so, the bank $B$ selects a random number $k \in Z_q^*$, computes $K = kQ_B$, and sends $K$ to the customer $C$.

(3) The customer $C$ selects two random numbers $a, c \in Z_q^*$, computes

$$K' = aK + acQ_B, \quad h = a^{-1}H_2(LST, K') + c, \quad (13)$$

and sends $h$ to the bank $B$.

(4) The bank $B$ computes

$$S = (k + h)S_B \quad (14)$$

and sends $S$ to the customer $C$.

(5) Customer $C$ computes

$$S' = aS \quad (15)$$

and checks whether

$$e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub}). \quad (16)$$

If so, the customer $C$ obtains an $e$-cash $(LST, K', S')$.

Box 1: License-issuing protocol.
  Customer: selects random numbers $b, z, w_1, w_2 \in Z_q^*$.
  Customer -> Trustee: $ID_C, b, z, w_1, w_2$.
  Trustee: chooses a random number $x \in Z_q^*$ and computes $LST = E_{K_T}(ID_C \oplus x)$; selects a random number $r \in Z_q^*$ and computes $R = e(P, P)^r$, $u = H_2(b^{-1}LST, R)$, $V = uS_T + rP$; selects a random number $y \in Z_q^*$ and computes $Y = e(P, P)^y$, $d = H_2((A_1 + A_2 + A_3 + A_4), Y)$, $F = dS_T + yP$.
  Trustee -> Customer: $(LST, u, V, d, F)$.
  Customer: computes $R' = e(V, P)\, e(uQ_T, P_{pub})^{-1}$ and $Y' = e(F, P)\, e(dQ_T, P_{pub})^{-1}$; checks whether $u = H_2(b^{-1}LST, R')$ and $d = H_2((A_1 + A_2 + A_3 + A_4), Y')$; obtains the license $(LST, u, V)$ and the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$.

Box 2: Withdrawal protocol.
  Customer -> Bank: $ID_C, (b^{-1}LST, u, V)$.
  Bank: computes $R' = e(V, P)\, e(uQ_T, P_{pub})^{-1}$; checks whether $u = H_2(b^{-1}LST, R')$; selects a random number $k \in Z_q^*$ and computes $K = kQ_B$.
  Bank -> Customer: $K$.
  Customer: selects two random numbers $a, c \in Z_q^*$ and computes $K' = aK + acQ_B$, $h = a^{-1}H_2(LST, K') + c$.
  Customer -> Bank: $h$.
  Bank: computes $S = (k + h)S_B$.
  Bank -> Customer: $S$.
  Customer: computes $S' = aS$; checks whether $e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub})$; obtains an $e$-cash $(LST, K', S')$.

Box 3: Payment protocol.
  Customer -> Merchant: $(LST, K', S')$.
  Merchant: checks whether $e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub})$; selects a random number $l \in Z_q^*$ and computes $L = e(P, P)^l$, $j = H_2(LST, K', S', L)$, $D = jS_M + lP$.
  Merchant -> Customer: $(j, D)$.
  Customer: computes $L' = e(D, P)\, e(jQ_M, P_{pub})^{-1}$; checks whether $j = H_2(LST, K', S', L')$; computes $f_1 = bjz + w_1$, $f_2 = jz + w_2$.
  Customer -> Merchant: $(f_1, f_2, A_1, A_2, A_3, A_4, j, d, F)$.
  Merchant: checks whether $e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2)$; computes $Y' = e(F, P)\, e(dQ_T, P_{pub})^{-1}$; checks whether $d = H_2((A_1 + A_2 + A_3 + A_4), Y')$; accepts the payment.
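As an added example (not the authors' code), the following Python models the withdrawal protocol of Section 4.3 (Box 2) and the customer's check (16) on a toy pairing: $G_1$ is taken as $Z_q$ with $P = 1$ and $e(aP, bP) = g^{ab}$ in the order-$q$ subgroup of $Z_p^*$, which keeps the bilinear identities exact but is not secure (discrete logs are trivial in this model), so it serves only to check the protocol algebra. The group size, the bank identity string and the SHA-256 constructions of $H_1$ and $H_2$ are assumptions of the example.

```python
"""Toy model of the withdrawal protocol (Section 4.3) and the e-cash check (16).

Added example, not the authors' code.  G1 is modelled as Z_q with P = 1, so a
point aP is the scalar a, and the pairing is e(aP, bP) = G^(a*b) in the
order-q subgroup of Z_p^*.  The bilinear algebra is exact, but the model is
NOT secure (discrete logs are trivial); use it only to check the equations.
"""
import hashlib
import secrets

Q = 1019       # prime order of G1 and G2 (toy size; 1019 is a Sophie Germain prime)
P_MOD = 2039   # 2*Q + 1 is prime, so Z_P_MOD^* has a subgroup of order Q
G = 4          # 2^2 is a quadratic residue != 1, hence a generator of that subgroup
P = 1          # generator of G1 in the scalar model


def pair(a, b):
    """Toy bilinear map: e(aP, bP) = G^(a*b) mod P_MOD."""
    return pow(G, (a * b) % Q, P_MOD)


def h2(*parts):
    """H2: {0,1}^* -> Z_q^*, built from SHA-256 over a '|'-joined encoding (assumption)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def rand_zq_star():
    """Uniform element of Z_q^*."""
    return secrets.randbelow(Q - 1) + 1


def kgc_keys(s, identity):
    """KGC (Section 4.1): Q_ID = H1(ID), S_ID = s*Q_ID.  H1 is modelled like H2."""
    q_id = h2("H1", identity)
    return q_id, (s * q_id) % Q


def verify_cash(lst, k_prime, s_prime, q_b, p_pub):
    """Equation (16): e(S', P) == e(K' + H2(LST, K') Q_B, P_pub)."""
    lhs = pair(s_prime, P)
    rhs = pair((k_prime + h2(lst, k_prime) * q_b) % Q, p_pub)
    return lhs == rhs


def withdraw(lst, q_b, s_b, rng=rand_zq_star):
    """Steps (2)-(5) of the withdrawal protocol between customer C and bank B.

    Returns the e-cash (LST, K', S') together with the bank's view (K, h, S);
    the view is what the bank could later try to link to the spent coin.
    """
    # Bank, step (2): K = k Q_B
    k = rng()
    big_k = (k * q_b) % Q
    # Customer, step (3): K' = aK + ac Q_B and h = a^-1 H2(LST, K') + c
    a, c = rng(), rng()
    k_prime = (a * big_k + a * c * q_b) % Q
    h = (pow(a, -1, Q) * h2(lst, k_prime) + c) % Q
    # Bank, step (4): S = (k + h) S_B  (the bank never sees a or c)
    big_s = ((k + h) * s_b) % Q
    # Customer, step (5): S' = aS, then check (16) before accepting the coin
    s_prime = (a * big_s) % Q
    return (lst, k_prime, s_prime), (big_k, h, big_s)


def run_demo(s=7, lst="LST-constructed-sample"):
    """One withdrawal under master key s; returns (coin verifies, tampered coin verifies)."""
    q_b, s_b = kgc_keys(s, "bank-B")      # bank identity string is an assumption
    p_pub = (s * P) % Q                   # P_pub = sP
    coin, _view = withdraw(lst, q_b, s_b)
    lst_, k_prime, s_prime = coin
    good = verify_cash(lst_, k_prime, s_prime, q_b, p_pub)
    bad = verify_cash(lst_, k_prime, (s_prime + 1) % Q, q_b, p_pub)
    return good, bad


if __name__ == "__main__":
    print(run_demo())  # (True, False)
```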

4.4. Payment Protocol. When the customer $C$ wants to spend his cash at the shop, the customer $C$ and the merchant $M$ do the following steps. This protocol is also illustrated in Box 3.

(1) Customer $C$ sends $(LST, K', S')$ to the merchant $M$.

(2) The merchant $M$ checks whether

$$e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub}). \quad (17)$$

If so, he selects a random number $l \in Z_q^*$ and computes

$$L = e(P, P)^l, \quad j = H_2(LST, K', S', L), \quad D = jS_M + lP. \quad (18)$$

Then he sends $(j, D)$ to the customer $C$.

(3) The customer $C$ computes

$$L' = e(D, P)\, e(jQ_M, P_{pub})^{-1} \quad (19)$$

and checks whether

$$j = H_2(LST, K', S', L'). \quad (20)$$

If so, he computes

$$f_1 = bjz + w_1, \quad f_2 = jz + w_2. \quad (21)$$

Then he sends $(f_1, f_2, A_1, A_2, A_3, A_4, j, d, F)$ to the merchant $M$.

(4) The merchant $M$ checks whether

$$e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2), \quad (22)$$

computes

$$Y' = e(F, P)\, e(dQ_T, P_{pub})^{-1}, \quad (23)$$

and checks whether

$$d = H_2((A_1 + A_2 + A_3 + A_4), Y'). \quad (24)$$

If so, the merchant accepts the payment.

Box 4: Deposit protocol.
  Merchant -> Bank: $(LST, K', S', f_1, f_2, j, A_1, A_2, A_3, A_4, d, F)$.
  Bank: computes $Y' = e(F, P)\, e(dQ_T, P_{pub})^{-1}$; checks whether $e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub})$, $e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2)$, $e(f_1 Q_T, P_{pub}) = e(Q_T, A_3 + jA_4)$, and $d = H_2((A_1 + A_2 + A_3 + A_4), Y')$; checks whether the $e$-cash is being double spent; if it is fresh, credits the merchant's account.

4.5. Deposit Protocol. When the merchant $M$ wants to deposit the received $e$-cash into his account in the bank $B$, the following steps are done between the bank $B$ and the merchant $M$. This protocol is also illustrated in Box 4.

(1) The merchant $M$ sends $(LST, K', S', f_1, f_2, j, A_1, A_2, A_3, A_4, d, F)$ to the bank $B$.

(2) The bank $B$ first checks whether the coin already exists in its deposit table. If the coin exists, it runs the double spender detection procedure. Otherwise the bank computes

$$Y' = e(F, P)\, e(dQ_T, P_{pub})^{-1} \quad (25)$$

and checks whether

$$\begin{aligned}
e(S', P) &= e(K' + H_2(LST, K')Q_B, P_{pub}), \\
e((f_1 + f_2)Q_T, P_{pub}) &= e(Q_T, jA_1 + A_2), \\
e(f_1 Q_T, P_{pub}) &= e(Q_T, A_3 + jA_4), \\
d &= H_2((A_1 + A_2 + A_3 + A_4), Y'). \quad (26)
\end{aligned}$$

If the above four equations hold, the bank accepts the coin, stores it in the deposit table, and transfers the money to the merchant $M$.

4.6. Revoking the Anonymity. In the case that an $e$-cash $(LST, K', S')$ is abused by a criminal, whether the cash is spent twice or not, the trustee can revoke the anonymity of the $e$-cash by the $LST$ provided by the bank. As soon as the trustee $T$ receives the request for revoking anonymity, $T$ checks his database to find the record $(LST, x)$ and computes the identity information $ID_C = D_{K_T}(LST) \oplus x$ by using his secret key $K_T$.

5. Verifiability of the Proposed Scheme

Firstly, we show that the blind license $b^{-1}LST$ can be verified by the equation

$$u = H_2(b^{-1}LST, R'). \quad (27)$$

Since

$$\begin{aligned}
R' &= e(V, P)\, e(uQ_T, P_{pub})^{-1} \\
&= e(V, P)\, e(-uS_T, P) \\
&= e(V - uS_T, P) = e(rP, P) = R, \quad (28)
\end{aligned}$$

we have $u = H_2(b^{-1}LST, R) = H_2(b^{-1}LST, R')$.

Secondly, we show that the $e$-cash can be verified by the equation

$$e(S', P) = e(K' + H_2(LST, K')Q_B, P_{pub}). \quad (29)$$

In fact,

$$\begin{aligned}
e(S', P) &= e(aS, P) = e(a(k + h)S_B, P) \\
&= e(a(k + a^{-1}H_2(LST, K') + c)Q_B, P_{pub}) \\
&= e(akQ_B + acQ_B + H_2(LST, K')Q_B, P_{pub}) \\
&= e(K' + H_2(LST, K')Q_B, P_{pub}). \quad (30)
\end{aligned}$$

Thirdly, we show that the signature $(j, D)$ on $(LST, K', S')$ by the merchant can be verified by the equation

$$j = H_2(LST, K', S', L'). \quad (31)$$

Since

$$\begin{aligned}
L' &= e(D, P)\, e(jQ_M, P_{pub})^{-1} \\
&= e(D, P)\, e(-jS_M, P) \\
&= e(D - jS_M, P) = e(lP, P) = L, \quad (32)
\end{aligned}$$

we have $j = H_2(LST, K', S', L) = H_2(LST, K', S', L')$.

Fourthly, we show that the information $(f_1, f_2)$ can be verified by the equations

$$\begin{aligned}
e((f_1 + f_2)Q_T, P_{pub}) &= e(Q_T, jA_1 + A_2), \\
e(f_1 Q_T, P_{pub}) &= e(Q_T, A_3 + jA_4). \quad (33)
\end{aligned}$$


In fact,

$$\begin{aligned}
e((f_1 + f_2)Q_T, P_{pub}) &= e((bjz + w_1 + jz + w_2)Q_T, P_{pub}) \\
&= e((bjz + jz)Q_T + (w_1 + w_2)Q_T, P_{pub}) \\
&= e((bjz + jz)Q_T, P_{pub})\, e((w_1 + w_2)Q_T, P_{pub}) \\
&= e(Q_T, (bjz + jz)P_{pub})\, e(Q_T, (w_1 + w_2)P_{pub}) \\
&= e(Q_T, jA_1)\, e(Q_T, A_2) = e(Q_T, jA_1 + A_2), \\
e(f_1 Q_T, P_{pub}) &= e((bjz + w_1)Q_T, P_{pub}) \\
&= e(Q_T, (bjz + w_1)P_{pub}) = e(Q_T, A_3 + jA_4). \quad (34)
\end{aligned}$$

Finally, we show that the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$ by the trustee can be verified by the equation

$$d = H_2((A_1 + A_2 + A_3 + A_4), Y'). \quad (35)$$

Since

$$\begin{aligned}
Y' &= e(F, P)\, e(dQ_T, P_{pub})^{-1} \\
&= e(F, P)\, e(-dS_T, P) \\
&= e(F - dS_T, P) = e(yP, P) = Y, \\
d &= H_2((A_1 + A_2 + A_3 + A_4), Y) \\
&= H_2((A_1 + A_2 + A_3 + A_4), Y'). \quad (36)
\end{aligned}$$

6. Double Spender Detection

In the case that the customer spends an $e$-cash twice or more, the bank $B$ can compute

$$b = \frac{f_1 - f_1'}{f_2 - f_2'}, \qquad b^{-1}LST. \quad (37)$$

Then the bank $B$ checks the database it keeps from the withdrawal protocol to find the record $ID_C, (b^{-1}LST, u, V)$ and learns the identity information $ID_C$ of the malicious customer $C$. Here $(f_1, f_2)$ and $(f_1', f_2')$ are the information the customer $C$ sends to the merchant $M$ in the payment phase of the first and second consumption, respectively. In fact,

$$\begin{aligned}
f_1 &= bj_1 z + w_1, & f_1' &= bj_2 z + w_1, \\
f_2 &= j_1 z + w_2, & f_2' &= j_2 z + w_2. \quad (38)
\end{aligned}$$

So

$$b = \frac{f_1 - f_1'}{f_2 - f_2'}. \quad (39)$$

Hence the bank $B$ can compute $b^{-1}LST$ and obtain the identity information $ID_C$ of the malicious customer $C$.
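As an added example (not the paper's code), the following Python works through Section 6 in $Z_q$: the scalar relations that the pairing checks (22) and (26) enforce, the recovery of $b$ from the responses to two different challenges $j_1 \neq j_2$, and the bank's lookup of $b^{-1}LST$ in its withdrawal records. The constants, the identity string and the group size are constructed for illustration, and $LST$ is modelled as an element of $Z_q^*$ so that $b^{-1}LST$ is a modular product.

```python
"""Double-spender detection (Section 6) worked through in Z_q.

Added example, not the paper's code.  Only scalar arithmetic is needed here:
the pairing checks in (22) and (26) hold exactly when the exponent relations
below hold, and two responses (f1, f2), (f1', f2') to different merchant
challenges j1 != j2 reveal the customer's blinding factor b.  Constants are
constructed for illustration; LST is modelled as an element of Z_q^*.
"""
Q = 1019  # toy prime group order (assumption)


def payment_response(b, z, w1, w2, j):
    """Equation (21): f1 = b j z + w1, f2 = j z + w2 for merchant challenge j."""
    return ((b * j * z + w1) % Q, (j * z + w2) % Q)


def exponent_checks(f1, f2, b, z, w1, w2, j):
    """Scalar form of the merchant/bank checks in (22) and (26).

    With A1 = (bz+z)P_pub, A2 = (w1+w2)P_pub, A3 = w1 P_pub, A4 = bz P_pub,
    e((f1+f2)Q_T, P_pub) = e(Q_T, jA1 + A2) reduces to f1+f2 = j(bz+z) + (w1+w2)
    and e(f1 Q_T, P_pub) = e(Q_T, A3 + jA4) reduces to f1 = w1 + j bz (mod q).
    A real verifier only sees f1, f2 and the A_i, never b, z, w1, w2 themselves.
    """
    first = (f1 + f2) % Q == (j * (b * z + z) + (w1 + w2)) % Q
    second = f1 % Q == (w1 + j * b * z) % Q
    return first and second


def recover_blinding_factor(first_spend, second_spend):
    """Equations (37)/(39): b = (f1 - f1') / (f2 - f2') mod q.

    Returns None if both spends answered the same challenge j, in which case
    the quotient is 0/0 and b cannot be recovered from these two responses.
    """
    (f1, f2), (f1p, f2p) = first_spend, second_spend
    denom = (f2 - f2p) % Q
    if denom == 0:
        return None
    return ((f1 - f1p) * pow(denom, -1, Q)) % Q


def bank_deposit(deposit_table, withdrawal_records, lst, response):
    """Deposit-side handling of one coin: store it if fresh, else trace the owner.

    deposit_table maps LST -> (f1, f2) of the first accepted deposit.
    withdrawal_records maps the stored blind license b^-1 LST -> ID_C, as kept
    by the bank from step (1) of the withdrawal protocol.
    Returns ("fresh", None), ("double-spent", ID_C), or ("double-spent", None)
    when b is not recoverable.
    """
    if lst not in deposit_table:
        deposit_table[lst] = response
        return ("fresh", None)
    b = recover_blinding_factor(deposit_table[lst], response)
    if b is None:
        return ("double-spent", None)
    blind_license = (pow(b, -1, Q) * lst) % Q      # b^-1 LST
    return ("double-spent", withdrawal_records.get(blind_license))


def run_demo():
    """Constructed scenario: one coin deposited by two different merchants."""
    customer_id = "ID_C-constructed"
    b, z, w1, w2 = 137, 58, 301, 77     # customer's secrets from license issuing
    lst = 512                           # constructed LST in Z_q^*
    # Bank's withdrawal record: ID_C together with the blind license b^-1 LST
    withdrawal_records = {(pow(b, -1, Q) * lst) % Q: customer_id}
    deposit_table = {}
    results = []
    for j in (611, 229):                # two merchants, two distinct challenges
        f1, f2 = payment_response(b, z, w1, w2, j)
        assert exponent_checks(f1, f2, b, z, w1, w2, j)  # what (22)/(26) verify
        results.append(bank_deposit(deposit_table, withdrawal_records, lst, (f1, f2)))
    return results


if __name__ == "__main__":
    print(run_demo())  # [('fresh', None), ('double-spent', 'ID_C-constructed')]
```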

7. Uncheatability of Merchants

When the customer sends the $e$-cash $(LST, K', S')$ to the merchant, the merchant computes the signature $(j, D)$ on $(LST, K', S')$. When the merchant sends $(j, D)$ to the customer, the customer first verifies it using the public key $Q_M$ of the merchant $M$. When $(j, D)$ satisfies the verification equation, the customer sends $(f_1, f_2, A_1, A_2, A_3, A_4, d, F)$ to the merchant. If later the merchant uses the $e$-cash $(LST, K', S')$ and $(f_1, f_2, A_1, A_2, A_3, A_4, d, F)$ to spend at other merchants and cheats the customer, the customer can show the merchant's signature to some arbitration agency. So the scheme can effectively resist the merchant cheating attack.

8. Provable Security

In this section we show that the proposed scheme satisfies the properties of unlinkability and unforgeability.

Definition 1 (the linkability game). Let $\eta$ be a security parameter and let $C_1$ and $C_2$ be two customers. $C_1$, $C_2$, and the bank $B$ are involved in the following game.

Step 1. The bank $B$ outputs two licenses $LST_0$ and $LST_1$.

Step 2. We randomly choose a bit $b' \in \{0, 1\}$ and place $(K_{b'}, LST_{b'})$ and $(K_{1-b'}, LST_{1-b'})$ on the private input tapes of $C_1$ and $C_2$, respectively. The bit $b'$ will not be disclosed to the bank $B$.

Step 3. The bank $B$ and the two customers $C_1$, $C_2$ perform the withdrawal protocol of the proposed scheme.

Step 4. If $C_1$ and $C_2$ output two $e$-cash $(LST_{b'}, K'_{b'}, S'_{b'})$ and $(LST_{1-b'}, K'_{1-b'}, S'_{1-b'})$ on their private tapes, respectively, we give the two 3-tuples in a random order to the bank; otherwise $\perp$ is given to $B$.

Step 5. The bank $B$ outputs $b'^* \in \{0, 1\}$ as the guess of $b'$. $B$ wins the game if $b'^* = b'$. We define the advantage of $B$ as

$$\mathrm{Adv}^{\mathrm{Traceality}}_B(\eta) = \left| 2\Pr[b'^* = b'] - 1 \right|. \quad (40)$$

Definition 2 (unlinkability). The proposed scheme satisfies the unlinkability property if the advantage $\mathrm{Adv}^{\mathrm{Traceality}}_B(\eta)$ is negligible.

Theorem 3. The proposed scheme satisfies the unlinkability property.

Proof of Theorem 3. We consider the condition in Definition 1. Let $(LST, K', S')$ be one of the two $e$-cash given to the bank and let $(K, h, S)$ be the view of the bank in one of the withdrawal protocols. It is sufficient to show that there exist two random factors $(a, c)$ that map $(K, h, S)$ to $(LST, K', S')$. We know

$$K' = aK + acQ_B, \quad h = a^{-1}H_2(LST, K') + c, \quad S' = aS. \quad (41)$$


So by the equation $S' = aS$ there is a unique $a$. Then by the equation $h = a^{-1}H_2(LST, K') + c$ there is a unique $c$. Furthermore, when $S$ and $S'$ are correctly computed, the following equations hold:

$$\begin{aligned}
e(S, P) &= e(K + (a^{-1}H_2(LST, K') + c)Q_B, P_{pub}), \\
e(S', P) &= e(K' + H_2(LST, K')Q_B, P_{pub}). \quad (42)
\end{aligned}$$

So it holds when $K' = aK + acQ_B$. That is to say, $(a, c)$ always exists regardless of the values $(LST, K', S')$ and $(K, h, S)$. Therefore even an infinitely powerful bank outputs the correct value $b'$ with probability exactly $1/2$. So the proposed scheme satisfies the unlinkability property.

Definition 4 (the forgeability game). The adversary $\mathcal{F}$ and the challenger $\mathcal{A}$ play the following game.

Step 1. The challenger $\mathcal{A}$ takes a security parameter, generates the public parameters params, and sends params to the adversary $\mathcal{F}$.

Step 2. The adversary $\mathcal{F}$ can perform a polynomially bounded number of hash queries, extract queries, and $e$-cash queries. These three kinds of queries answer the hash function, private key, and $e$-cash queries of the adversary $\mathcal{F}$, respectively.

Step 3. The adversary $\mathcal{F}$ outputs a tuple $\sigma = ((LST, K', S'), ID_B)$. This tuple satisfies the following requirements:

(1) $(LST, K', S')$ is a valid $e$-cash with regard to the bank $B$.
(2) The adversary $\mathcal{F}$ has never requested the private key of the bank $B$.
(3) $\sigma = ((LST, K', S'), ID_B)$ has never been queried during the $e$-cash query.

Definition 5 (unforgeability). An adversary $\mathcal{F}$ is said to be an $(\varepsilon, t, q_E, q_I, q_H)$-forger if it has advantage at least $\varepsilon$ in the above game, runs in time at most $t$, and makes at most $q_E$, $q_I$, and $q_H$ extract, $e$-cash, and hashing queries, respectively. A scheme is said to be $(\varepsilon, t, q_E, q_I, q_H)$-secure against $\mathcal{A}$ in the sense of unforgeability against the $e$-cash existential forgery attack if no $(\varepsilon, t, q_E, q_I, q_H)$-forger exists.

Theorem 6. If the CDH problem is hard, then the proposed scheme is secure against the $e$-cash existential forgery attack.

Proof of Theorem 6. Suppose that $\mathcal{F}$ is a forger who can forge $e$-cash in the proposed scheme. A CDH instance $(P, xP, yP)$ is given for $x, y \in_R Z_q^*$. By using the forgery algorithm $\mathcal{F}$ we will construct an algorithm $\mathcal{A}$ which outputs the CDH solution $xyP$ in $G_1$. Algorithm $\mathcal{A}$ performs the following simulation by interacting with the forger $\mathcal{F}$.

Setup. Algorithm $\mathcal{A}$ sets $P_{pub} = xP$ and starts by giving $\mathcal{F}$ the system parameters including $(P, P_{pub})$.

Table 1: Comparison of features of our scheme with recent schemes.

                     F1    F2    F3    F4    F5    F6
  Chen et al. [15]   Yes   Fail  Yes   Yes   Yes   Fail
  Fan et al. [18]    Yes   Yes   No    Yes   Yes   No
  Juang [19]         Yes   Yes   Yes   Yes   No    No
  Zhang et al. [20]  Yes   Yes   Yes   No    No    No
  Ours               Yes   Yes   Yes   Yes   Yes   Yes

F1: anonymity/unlinkability; F2: unforgeability; F3: verification; F4: double-spending owner tracing; F5: anonymity revocation; F6: uncheatability of merchant.

Table 2: Required number of rounds for each protocol in the compared schemes.

                     P1    P2    P3    P4    P5
  Chen et al. [15]   2     2     1     1     1
  Fan et al. [18]    -     4     3     1     -
  Juang [19]         3     3     1     1     2
  Zhang et al. [20]  -     3     2     1     -
  Ours               2     4     3     1     1

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing.

At any time $\mathcal{F}$ can query the random oracles $H_1$ and $H_2$ and make extract and cash queries. To answer these queries, $\mathcal{A}$ does the following.

$H_1$-Queries. At any time $\mathcal{F}$ can query the random oracle $H_1$. To respond to these queries, $\mathcal{A}$ maintains a list $H_1$-list of tuples $(ID, W, t, e)$ as explained below. When an identity $ID$ is submitted to the $H_1$ oracle, $\mathcal{A}$ responds as follows. If the query $ID$ already appears on the $H_1$-list in a tuple $(ID, W, t, e)$, $\mathcal{A}$ responds with $H_1(ID) = W$. Otherwise $\mathcal{A}$ generates a random coin $e \in \{0, 1\}$. If $e = 0$, then $\mathcal{A}$ computes $W = t(yP)$ for a random $t \in Z_q^*$. If $e = 1$, then $\mathcal{A}$ computes $W = tP$. $\mathcal{A}$ adds the tuple $(ID, W, t, e)$ to the $H_1$-list and responds to $\mathcal{F}$ with $H_1(ID) = W$.

$H_2$-Queries. To respond to $H_2$-queries, $\mathcal{A}$ maintains a list referred to as the $H_2$-list of tuples $(LST, K', d)$. When $\mathcal{F}$ queries the $H_2$ oracle at $(LST, K')$, $\mathcal{A}$ responds as follows. If the query $(LST, K')$ already appears on the $H_2$-list in a tuple $(LST, K', d)$, then $\mathcal{A}$ responds with $H_2(LST, K') = d \in Z_q$. Otherwise $\mathcal{A}$ generates a random $d \in Z_q$, adds the tuple $(LST, K', d)$ to the $H_2$-list, and responds to $\mathcal{F}$ with $H_2(LST, K') = d$.

Extract Queries. When $\mathcal{F}$ queries the private key corresponding to $ID$, $\mathcal{A}$ first finds the corresponding $(ID, W, t, e)$ in the $H_1$-list. If $e = 0$, then $\mathcal{A}$ fails and halts. Otherwise $\mathcal{A}$ computes the private key $S_{ID} = t \cdot P_{pub} = t(xP)$ by using the tuple $(ID, W, t, e)$ in the $H_1$-list and responds to $\mathcal{F}$ with $S_{ID}$.

Cash Queries. If $\mathcal{F}$ requests an $e$-cash on $LST$ under $ID$, $\mathcal{A}$ responds to this query as follows. $\mathcal{A}$ first finds the corresponding tuple $(ID, W, t, e)$ in the $H_1$-list, chooses random numbers $l, d \in Z_q^*$, and computes $K' = lP - dW$.


Table 3: Comparison of computation costs.

                     P1                  P2            P3        P4        P5
  Chen et al. [15]   E + 2H + 3B         4H + 6B       H + 3B    H + 3B    D
  Zhang et al. [20]  -                   2H + 2B + L   2H + 3B   2H + 3B   -
  Ours               E + 4H + 5B + 2L    2H + 4B       4H + 9B   2H + 8B   D

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing. E: symmetric encryption; D: symmetric decryption; H: hash computation; B: bilinear pairing; L: modular exponentiation.

If $(LST, K', d)$ already appears on the $H_2$-list, $\mathcal{A}$ chooses another pair $l, d \in Z_q^*$ and tries again. Otherwise $\mathcal{A}$ computes $S' = l \cdot P_{pub}$ and stores $(LST, K', d)$ on the $H_2$-list. Then $\mathcal{A}$ responds to $\mathcal{F}$ with $(S', K')$. Indeed the output is a valid $e$-cash on $LST$ for $ID$. In fact,

$$\begin{aligned}
e(K' + H_2(LST, K')Q_B, P_{pub}) &= e(lP - dW + dW, P_{pub}) = e(lP, P_{pub}) \\
&= e(lP_{pub}, P) = e(S', P). \quad (43)
\end{aligned}$$

Output. If $\mathcal{A}$ does not abort as a result of $\mathcal{F}$'s extract queries, then $\mathcal{F}$'s view is identical to its view in the real attack. By the Forking Lemma, after replaying $\mathcal{F}$ with the same random tape, $\mathcal{A}$ obtains two valid $e$-cash

$$(LST, K', S'), \quad (LST, K', S'^*). \quad (44)$$

Correspondingly there are two valid signatures $(S, K)$ and $(S^*, K)$, because

$$S = (k + h)S_B, \quad S^* = (k + h^*)S_B. \quad (45)$$

So by the security proof of [22], $\mathcal{A}$ obtains $(xy)P = S_B = (h - h^*)^{-1}(S - S^*)$. This completes the proof.

9. Comparisons

In this section we compare our scheme with [15, 18–20] in some features, communication efficiency, and computation cost. The features are anonymity/unlinkability, unforgeability, verification, double-spending owner tracing, anonymity revocation, and uncheatability of merchant. Our scheme satisfies all of the above features, but the others do not. We show the comparison result in Table 1. In Table 2 we compare the communication efficiency of our scheme with the other schemes. Fan et al.'s scheme [18] and Zhang et al.'s scheme [20] are not trustee based and therefore have neither a license-issuing protocol nor an owner tracing protocol. Juang's scheme [19] also has no license-issuing protocol or owner tracing protocol but has an initializing phase and a recovering phase; for comparison, the numbers of rounds of the initializing phase and the recovering phase in Juang's scheme are counted as the license-issuing protocol and the owner tracing protocol, respectively. By Table 2 the proposed scheme demonstrates better communication efficiency under enhanced security. Our scheme and schemes [15, 20] are all id-based schemes using bilinear pairings, so in Table 3 we compare the computation cost of our scheme with schemes [15, 20]. It is necessary to point out that Zhang et al.'s scheme [20] has no license-issuing protocol or owner tracing protocol, and for a fair comparison we have not counted the computation cost of encryption and its related computation in Chen et al.'s scheme. Compared with Chen et al.'s scheme there are eleven more pairing computations in the proposed scheme. These eleven pairing computations are in the payment protocol and the deposit protocol and are useful to prevent the merchant from cheating. In practice we can use elliptic curves to reduce the computation cost of bilinear pairings.

10. Conclusion

In this paper we show that Chen et al.'s electronic cash scheme suffers from some weaknesses in unforgeability and merchant frauds. To contribute a secure scheme, we propose a new offline electronic cash scheme with anonymity revocation. We also provide formal security proofs of unlinkability and unforgeability. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

Competing Interests

The authors declare that they have no competing interests.

Acknowledgments

This work is supported by the Applied Basic and Advanced Technology Research Programs of Tianjin (no. 15JCYBJC15900).

References

[1] D. Chaum, "Blind signatures for untraceable payments," in Crypto 82, pp. 199–203, Plenum Press, New York, NY, USA, 1983.

[2] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[3] R. Anderson, C. Manifavas, and C. Sutherland, "NetCard—a practical electronic-cash system," in Security Protocols, vol. 1189 of Lecture Notes in Computer Science, pp. 49–57, Springer, Berlin, Germany, 1997.

[4] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in e-cash systems," in Financial Cryptography, vol. 1318 of Lecture Notes in Computer Science, pp. 1–16, Springer, Berlin, Germany, 1997.

[5] G. Maitland and C. Boyd, "Fair electronic cash based on a group signature scheme," in Information and Communication Security, pp. 461–465, Springer, 2001.

[6] D. Chaum and S. Brands, "'Minting' electronic cash," IEEE Spectrum, vol. 34, no. 2, pp. 30–34, 1997.

[7] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Advances in Cryptology—EUROCRYPT 2005, R. Cramer, Ed., vol. 3494 of Lecture Notes in Computer Science, pp. 302–321, Springer, 2005.

[8] H. Wang and Y. Zhang, "Untraceable off-line electronic cash flow in e-commerce," in Proceedings of the 24th Australasian Computer Science Conference (ACSC '01), pp. 191–198, IEEE, Gold Coast, Australia, January-February 2001.

[9] S. Brands, "Untraceable off-line cash in wallet with observers," in Advances in Cryptology—CRYPTO '93, pp. 302–318, Springer, 1994.

[10] C.-Y. Ku, C.-J. Tsao, Y.-H. Lin, and C.-Y. Chen, "An escrow electronic cash system with limited traceability," Information Sciences, vol. 164, no. 1–4, pp. 17–30, 2004.

[11] T. Cao, D. Lin, and R. Xue, "A randomized RSA-based partially blind signature scheme for electronic cash," Computers & Security, vol. 24, no. 1, pp. 44–49, 2005.

[12] W.-S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[13] C. Fan and W. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory (CMCT '07), pp. 405–410, Nantou, Taiwan, 2007.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, no. 3, pp. 637–646, 2013.

[15] Y. Chen, J.-S. Chou, H.-M. Sun, and M.-H. Cho, "A novel electronic cash system with trustee-based anonymity revocation from pairing," Electronic Commerce Research and Applications, vol. 10, no. 6, pp. 673–682, 2011.

[16] Y.-F. Chang, "A critique of 'a novel electronic cash system with trustee-based anonymity revocation from pairing' by Chen, Chou, Sun, and Cho (2011)," Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 441–442, 2012.

[17] Y. L. Chen, J.-S. Chou, H.-M. Sun, and M.-S. Cho, "A response to a critique of 'A novel electronic cash system with trustee-based anonymity revocation from pairing' by Chen, Chou, Sun, and Cho (2011)," Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 443–444, 2012.

[18] C.-I. Fan, V. S. Huang, and Y.-C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, no. 1-2, pp. 227–237, 2013.

[19] W.-S. Juang, "RO-cash: an efficient and practical recoverable pre-paid offline e-cash scheme using bilinear pairings," Journal of Systems and Software, vol. 83, no. 4, pp. 638–645, 2010.

[20] L. Zhang, F. Zhang, B. Qin, and S. Liu, "Provably-secure electronic cash based on certificateless partially-blind signatures," Electronic Commerce Research and Applications, vol. 10, no. 5, pp. 545–552, 2011.

[21] F. Hess, "Efficient identity based signature schemes based on pairings," in Selected Areas in Cryptography: 9th Annual International Workshop, SAC 2002, St. John's, Newfoundland, Canada, August 15-16, 2002, Revised Papers, vol. 2595 of Lecture Notes in Computer Science, pp. 310–324, Springer, Berlin, Germany, 2003.

[22] F. Zhang and F. Kim, "Efficient ID-based blind signature and proxy signature from bilinear pairings," in Proceedings of the 8th Australasian Conference on Information Security and Privacy (ACISP '03), Wollongong, Australia, July 2003, Lecture Notes in Computer Science, pp. 312–323, Springer, 2003.


Box 1: License-issuing protocol (Customer and Trustee).

Customer: selects random numbers $b, z, w_1, w_2 \in Z_q^*$ and sends $(\mathrm{ID}_C, b, z, w_1, w_2)$ to the trustee.

Trustee: chooses a random number $x \in Z_q^*$ and computes $LST = E_{K_T}(\mathrm{ID}_C \oplus x)$. Selects a random number $r \in Z_q^*$ and computes
$$R = e(P, P)^r,\quad u = H_2(b^{-1}LST, R),\quad V = uS_T + rP.$$
Selects a random number $y \in Z_q^*$ and computes
$$Y = e(P, P)^y,\quad d = H_2((A_1 + A_2 + A_3 + A_4), Y),\quad F = dS_T + yP.$$
Sends $(LST, u, V, d, F)$ to the customer.

Customer: computes
$$R' = e(V, P)\, e(uQ_T, P_{\mathrm{pub}})^{-1},\quad Y' = e(F, P)\, e(dQ_T, P_{\mathrm{pub}})^{-1}$$
and checks whether $u = H_2(b^{-1}LST, R')$ and $d = H_2((A_1 + A_2 + A_3 + A_4), Y')$. Obtains the license $(LST, u, V)$ and the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$.

Box 2: Withdrawal protocol (Customer and Bank).

Customer: sends $\mathrm{ID}_C, (b^{-1}LST, u, V)$ to the bank.

Bank: computes $R' = e(V, P)\, e(uQ_T, P_{\mathrm{pub}})^{-1}$ and checks whether $u = H_2(b^{-1}LST, R')$. Selects a random number $k \in Z_q^*$, computes $K = kQ_B$, and sends $K$ to the customer.

Customer: selects two random numbers $a, c \in Z_q^*$, computes
$$K' = aK + acQ_B,\quad h = a^{-1}H_2(LST, K') + c,$$
and sends $h$ to the bank.

Bank: computes $S = (k + h)S_B$ and sends $S$ to the customer.

Customer: computes $S' = aS$ and checks whether
$$e(S', P) = e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}}).$$
Obtains an $e$-cash $(LST, K', S')$.

Box 3: Payment protocol (Customer and Merchant).

Customer: sends $(LST, K', S')$ to the merchant.

Merchant: checks whether $e(S', P) = e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}})$. Selects a random number $l \in Z_q^*$ and computes
$$L = e(P, P)^l,\quad j = H_2(LST, K', S', L),\quad D = jS_M + lP.$$
Sends $(j, D)$ to the customer.

Customer: computes $L' = e(D, P)\, e(jQ_M, P_{\mathrm{pub}})^{-1}$ and checks whether $j = H_2(LST, K', S', L')$. Computes
$$f_1 = bjz + w_1,\quad f_2 = jz + w_2$$
and sends $(f_1, f_2, A_1, A_2, A_3, A_4, j, d, F)$ to the merchant.

Merchant: checks whether $e((f_1 + f_2)Q_T, P_{\mathrm{pub}}) = e(Q_T, jA_1 + A_2)$. Computes $Y' = e(F, P)\, e(dQ_T, P_{\mathrm{pub}})^{-1}$ and checks whether $d = H_2((A_1 + A_2 + A_3 + A_4), Y')$. Accepts the payment.

(3) The customer $C$ selects two random numbers $a, c \in Z_q^*$, computes
$$K' = aK + acQ_B,\quad h = a^{-1}H_2(LST, K') + c, \qquad (13)$$
and sends $h$ to the bank $B$.

(4) The bank $B$ computes
$$S = (k + h)S_B \qquad (14)$$
and sends $S$ to the customer $C$.

(5) Customer $C$ computes
$$S' = aS \qquad (15)$$
and checks whether
$$e(S', P) = e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}}). \qquad (16)$$
If so, the customer $C$ obtains an $e$-cash $(LST, K', S')$.

4.4 Payment Protocol. When the customer $C$ wants to spend his cash at the shop, the customer $C$ and the merchant $M$ do the following steps. This protocol is also illustrated in Box 3.

(1) Customer $C$ sends $(LST, K', S')$ to the merchant $M$.

(2) The merchant $M$ checks whether
$$e(S', P) = e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}}). \qquad (17)$$
If so, he selects a random number $l \in Z_q^*$ and computes
$$L = e(P, P)^l,\quad j = H_2(LST, K', S', L),\quad D = jS_M + lP. \qquad (18)$$
Then he sends $(j, D)$ to the customer $C$.

(3) The customer $C$ computes
$$L' = e(D, P)\, e(jQ_M, P_{\mathrm{pub}})^{-1} \qquad (19)$$
and checks whether
$$j = H_2(LST, K', S', L'). \qquad (20)$$
If so, he computes
$$f_1 = bjz + w_1,\quad f_2 = jz + w_2. \qquad (21)$$
Then he sends $(f_1, f_2, A_1, A_2, A_3, A_4, j, d, F)$ to the merchant $M$.

(4) The merchant $M$ checks whether
$$e((f_1 + f_2)Q_T, P_{\mathrm{pub}}) = e(Q_T, jA_1 + A_2) \qquad (22)$$

and computes
$$Y' = e(F, P)\, e(dQ_T, P_{\mathrm{pub}})^{-1} \qquad (23)$$
and checks whether
$$d = H_2((A_1 + A_2 + A_3 + A_4), Y'). \qquad (24)$$
If so, the merchant accepts the payment.

Box 4: Deposit protocol (Merchant and Bank).

Merchant: sends $(LST, K', S', f_1, f_2, j, A_1, A_2, A_3, A_4, d, F)$ to the bank.

Bank: computes $Y' = e(F, P)\, e(dQ_T, P_{\mathrm{pub}})^{-1}$ and checks whether
$$e(S', P) = e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}}),$$
$$e((f_1 + f_2)Q_T, P_{\mathrm{pub}}) = e(Q_T, jA_1 + A_2),$$
$$e(f_1Q_T, P_{\mathrm{pub}}) = e(Q_T, A_3 + jA_4),$$
$$d = H_2((A_1 + A_2 + A_3 + A_4), Y').$$
Checks whether the $e$-cash is being double spent; if it is fresh, credits the merchant's account.

4.5 Deposit Protocol. When the merchant $M$ wants to deposit the received $e$-cash into his account in the bank $B$, the following steps are done between the bank $B$ and the merchant $M$. This protocol is also illustrated in Box 4.

(1) The merchant $M$ sends $(LST, K', S', f_1, f_2, j, A_1, A_2, A_3, A_4, d, F)$ to the bank $B$.

(2) The bank $B$ first checks whether the coin exists in its deposit table. If the coin exists, it runs the double spender detection procedure. Else, the bank computes
$$Y' = e(F, P)\, e(dQ_T, P_{\mathrm{pub}})^{-1} \qquad (25)$$
and checks whether
$$e(S', P) = e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}}),$$
$$e((f_1 + f_2)Q_T, P_{\mathrm{pub}}) = e(Q_T, jA_1 + A_2),$$
$$e(f_1Q_T, P_{\mathrm{pub}}) = e(Q_T, A_3 + jA_4),$$
$$d = H_2((A_1 + A_2 + A_3 + A_4), Y'). \qquad (26)$$
If the above four equations hold, the bank accepts the coin, stores it in the deposit table, and transfers money to the merchant $M$.

4.6 Revoking the Anonymity. In the case that an $e$-cash $(LST, K', S')$ is abused by a criminal, whether the cash is spent twice or not, the trustee can revoke the anonymity of the $e$-cash by the $LST$ provided by the bank. As soon as the trustee $T$ receives the request for revoking anonymity, $T$ checks his database to find the record $(LST, x)$ and computes the identity information $\mathrm{ID}_C = D_{K_T}(LST) \oplus x$ by using his secret key $K_T$.

5 Verifiability of the Proposed Scheme

Firstly, we show that the blind license $b^{-1}LST$ can be verified by the equation
$$u = H_2(b^{-1}LST, R'). \qquad (27)$$
Since
$$R' = e(V, P)\, e(uQ_T, P_{\mathrm{pub}})^{-1} = e(V, P)\, e(-uS_T, P) = e(V - uS_T, P) = e(rP, P) = R, \qquad (28)$$
we have $u = H_2(b^{-1}LST, R) = H_2(b^{-1}LST, R')$.

Secondly, we show that the $e$-cash can be verified by the equation
$$e(S', P) = e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}}). \qquad (29)$$
In fact,
$$\begin{aligned}
e(S', P) &= e(aS, P) = e(a(k + h)S_B, P) \\
&= e(a(k + a^{-1}H_2(LST, K') + c)Q_B, P_{\mathrm{pub}}) \\
&= e(akQ_B + acQ_B + H_2(LST, K')Q_B, P_{\mathrm{pub}}) \\
&= e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}}).
\end{aligned} \qquad (30)$$

Thirdly, we show that the signature $(j, D)$ on $(LST, K', S')$ by the merchant can be verified by the equation
$$j = H_2(LST, K', S', L'). \qquad (31)$$
Since
$$L' = e(D, P)\, e(jQ_M, P_{\mathrm{pub}})^{-1} = e(D, P)\, e(-jS_M, P) = e(D - jS_M, P) = e(lP, P) = L, \qquad (32)$$
we have $j = H_2(LST, K', S', L) = H_2(LST, K', S', L')$.

Fourthly, we show that the information $(f_1, f_2)$ can be verified by the equations
$$e((f_1 + f_2)Q_T, P_{\mathrm{pub}}) = e(Q_T, jA_1 + A_2),\quad e(f_1Q_T, P_{\mathrm{pub}}) = e(Q_T, A_3 + jA_4). \qquad (33)$$
In fact,
$$\begin{aligned}
e((f_1 + f_2)Q_T, P_{\mathrm{pub}}) &= e((bjz + w_1 + jz + w_2)Q_T, P_{\mathrm{pub}}) \\
&= e((bjz + jz)Q_T + (w_1 + w_2)Q_T, P_{\mathrm{pub}}) \\
&= e((bjz + jz)Q_T, P_{\mathrm{pub}})\, e((w_1 + w_2)Q_T, P_{\mathrm{pub}}) \\
&= e(Q_T, (bjz + jz)P_{\mathrm{pub}})\, e(Q_T, (w_1 + w_2)P_{\mathrm{pub}}) \\
&= e(Q_T, jA_1)\, e(Q_T, A_2) = e(Q_T, jA_1 + A_2), \\
e(f_1Q_T, P_{\mathrm{pub}}) &= e((bjz + w_1)Q_T, P_{\mathrm{pub}}) \\
&= e(Q_T, (bjz + w_1)P_{\mathrm{pub}}) = e(Q_T, A_3 + jA_4).
\end{aligned} \qquad (34)$$

Finally, we show that the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$ by the trustee can be verified by the equation
$$d = H_2((A_1 + A_2 + A_3 + A_4), Y'). \qquad (35)$$
Since
$$\begin{aligned}
Y' &= e(F, P)\, e(dQ_T, P_{\mathrm{pub}})^{-1} = e(F, P)\, e(-dS_T, P) = e(F - dS_T, P) = e(yP, P) = Y, \\
d &= H_2((A_1 + A_2 + A_3 + A_4), Y) = H_2((A_1 + A_2 + A_3 + A_4), Y').
\end{aligned} \qquad (36)$$
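The withdrawal protocol (Box 2, steps (3)-(5)) and the verification identity (29)-(30) can be exercised end to end in a small model. The following is an added example, not code from the paper: the bilinear pairing is replaced by an insecure toy map (an assumption), in which the group $G$ is modelled as $Z_q$ with generator $P = 1$, so a point $xP$ is the scalar $x \bmod q$, and $e(xP, yP) = g^{xy} \bmod p$ with $p = 2q + 1$. That map is bilinear, which is the only property the derivation (30) uses, so the blinding and unblinding algebra carries over unchanged; the security does not, since discrete logarithms in $Z_q$ are trivial. $H_2$ is SHA-256 reduced mod $q$, and $Q_B = H_1(\mathrm{ID}_B)$ is modelled by hashing a placeholder identity string; both are assumptions of the example.

```python
"""Toy run of the withdrawal protocol (Box 2) and the e-cash check (16)/(29).

Added example, not code from the paper.  The pairing is an insecure toy
map (assumption): G = Z_q with P = 1, e(xP, yP) = g^(xy) mod p.
"""
import hashlib
import secrets

# Toy public parameters (constructed): q = 509 and p = 2q + 1 = 1019 are
# prime, and g = 4 is a quadratic residue mod p, so it generates the
# order-q subgroup of Z_p^*.
Q = 509
P_MOD = 1019
G = 4
P = 1  # generator of the toy group (the scalar 1)


def pair(x, y):
    """Toy symmetric bilinear map e(xP, yP) = g^(xy) mod p."""
    return pow(G, (x * y) % Q, P_MOD)


def h2(*parts):
    """H2: hash the concatenated transcript pieces into Z_q (assumption)."""
    data = "|".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def rand_unit():
    """Random element of Z_q^* (non-zero, hence invertible mod q)."""
    return 1 + secrets.randbelow(Q - 1)


def setup():
    """Master key s, P_pub = sP, and the bank's ID-based key S_B = s Q_B.

    Q_B = H1(ID_B) is modelled by hashing a placeholder ID into Z_q^*.
    """
    s = rand_unit()
    p_pub = (s * P) % Q
    q_b = 1 + h2("H1", "ID_B") % (Q - 1)  # assumed stand-in for H1(ID_B)
    s_b = (s * q_b) % Q
    return p_pub, q_b, s_b


def withdraw(lst, p_pub, q_b, s_b):
    """Customer/bank exchange of Box 2.

    Returns the e-cash (LST, K', S') and the bank's view (K, h, S) of the run.
    """
    # Bank: random k, K = k Q_B, sent to the customer.
    k = rand_unit()
    k_pt = (k * q_b) % Q
    # Customer, eq. (13): blinding factors a, c; K' = aK + ac Q_B and
    # h = a^{-1} H2(LST, K') + c.  Only h is sent to the bank.
    a, c = rand_unit(), rand_unit()
    k_prime = (a * k_pt + a * c * q_b) % Q
    h = (pow(a, -1, Q) * h2(lst, k_prime) + c) % Q
    # Bank, eq. (14): S = (k + h) S_B.
    s_sig = ((k + h) * s_b) % Q
    # Customer, eq. (15): unblind, S' = aS.
    s_prime = (a * s_sig) % Q
    return (lst, k_prime, s_prime), (k_pt, h, s_sig)


def verify_cash(cash, p_pub, q_b):
    """Equation (16)/(29): e(S', P) == e(K' + H2(LST, K') Q_B, P_pub).

    The customer (16), the merchant (17) and the bank (26) all run this check.
    """
    lst, k_prime, s_prime = cash
    lhs = pair(s_prime, P)
    rhs = pair((k_prime + h2(lst, k_prime) * q_b) % Q, p_pub)
    return lhs == rhs


def demo():
    """A genuine coin verifies; a coin whose S' was altered does not
    (g has order q, so g^(S'+1) differs from g^S')."""
    p_pub, q_b, s_b = setup()
    cash, _bank_view = withdraw("LST-example", p_pub, q_b, s_b)
    lst, k_prime, s_prime = cash
    tampered = (lst, k_prime, (s_prime + 1) % Q)
    return verify_cash(cash, p_pub, q_b), verify_cash(tampered, p_pub, q_b)
```

`demo()` returns `(True, False)`. The bank's view `(K, h, S)` returned by `withdraw` is what Theorem 3 argues cannot be linked to the coin: the random `a` and `c` are never sent, and `S'` is `a` times the `S` the bank saw.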

6 Double Spender Detection

In the case that the customer spends an $e$-cash twice or more, the bank $B$ can compute
$$b = \frac{f_1 - f_1'}{f_2 - f_2'},\qquad b^{-1}LST. \qquad (37)$$
Then the bank $B$ checks its database of the withdrawal protocol to find the record $\mathrm{ID}_C, (b^{-1}LST, u, V)$ and learns the identity information $\mathrm{ID}_C$ of the malicious customer $C$. Here $(f_1, f_2)$ and $(f_1', f_2')$ are the information the customer $C$ sends to the merchant $M$ in the payment phase of the first and the second spending, respectively. In fact,
$$f_1 = bj_1z + w_1,\quad f_1' = bj_2z + w_1,\quad f_2 = j_1z + w_2,\quad f_2' = j_2z + w_2. \qquad (38)$$
So
$$b = \frac{f_1 - f_1'}{f_2 - f_2'}. \qquad (39)$$
Hence the bank $B$ can compute $b^{-1}LST$ and obtain the identity information $\mathrm{ID}_C$ of the malicious customer $C$.
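The detection step above is plain arithmetic in $Z_q$, so it can be run directly against two deposit transcripts. The following is an added example, not code from the paper: it models only equations (21) and (37)-(39), treats $LST$ as an integer and the blinding $b^{-1}LST$ as multiplication in $Z_q$ (both assumptions), uses a constructed toy prime for $q$, and keeps the two bank tables the procedure consults, the withdrawal records and the deposit table. It also handles the case the derivation silently requires, $j_1 \neq j_2$: when the same payment transcript is deposited twice, $f_2 = f_2'$ and (39) is undefined, so the bank sees a duplicate deposit rather than a double-spending customer.

```python
"""Bank-side double-spender detection of Section 6, equations (37)-(39).

Added example, not code from the paper.  Assumptions: q is a toy prime,
LST is an integer, and b^{-1} LST is multiplication in Z_q.
"""

Q = 1000003  # toy prime (constructed) standing in for the group order q


def payment_responses(b, z, w1, w2, j):
    """Customer's answer (f1, f2) to the merchant's challenge j, eq. (21)."""
    return (b * j * z + w1) % Q, (j * z + w2) % Q


def recover_b(first, second):
    """Equation (37)/(39): b = (f1 - f1') / (f2 - f2') mod q.

    Returns None when f2 == f2'.  That happens when both transcripts carry
    the same challenge j (one payment deposited twice): the two equations
    of (38) coincide and reveal nothing about b.
    """
    (f1, f2), (f1p, f2p) = first, second
    den = (f2 - f2p) % Q
    if den == 0:
        return None
    return (f1 - f1p) * pow(den, -1, Q) % Q


class Bank:
    """The two tables the detection procedure consults."""

    def __init__(self):
        # Withdrawal records: blinded license b^{-1} LST -> ID_C (Box 2).
        self.withdrawals = {}
        # Deposit table: coin (LST, K', S') -> (j, f1, f2) of its first deposit.
        self.deposits = {}

    def record_withdrawal(self, blinded_lst, id_c):
        self.withdrawals[blinded_lst] = id_c

    def deposit(self, coin, j, f1, f2):
        """Step (2) of the deposit protocol.

        A fresh coin is stored and 'accepted'; a coin already in the table
        triggers detection, and the result is the traced ID_C or the reason
        tracing is impossible.
        """
        if coin not in self.deposits:
            self.deposits[coin] = (j, f1, f2)
            return "accepted"
        _j0, f10, f20 = self.deposits[coin]
        b = recover_b((f10, f20), (f1, f2))
        if b is None:
            return "duplicate deposit of one payment (same j): no customer to trace"
        lst = coin[0]
        blinded = pow(b, -1, Q) * lst % Q  # b^{-1} LST as the bank saw it at withdrawal
        return self.withdrawals.get(blinded, "no withdrawal record")


def demo():
    """Constructed sample: one customer, one coin, two merchants, one replay."""
    bank = Bank()
    b, z, w1, w2 = 12345, 6789, 111, 222   # customer's secrets from Box 1
    lst = 424242                           # constructed license value
    bank.record_withdrawal(pow(b, -1, Q) * lst % Q, "ID_C=customer-42")
    coin = (lst, 777, 888)                 # (LST, K', S'); K', S' are placeholders
    j1, j2 = 31337, 4242                   # two different merchant challenges
    r1 = payment_responses(b, z, w1, w2, j1)
    r2 = payment_responses(b, z, w1, w2, j2)
    return (bank.deposit(coin, j1, *r1),   # fresh coin: "accepted"
            bank.deposit(coin, j2, *r2),   # second spend: traced "ID_C=customer-42"
            bank.deposit(coin, j1, *r1))   # replay of the first payment: untraceable
```

`demo()` returns `('accepted', 'ID_C=customer-42', 'duplicate deposit of one payment (same j): no customer to trace')`. The replay outcome is the one a deposit service has to distinguish operationally: a merchant resubmitting an already-credited transcript is a duplicate to reject, not evidence against the customer.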

7 Uncheatability of Merchants

When the customer sends the $e$-cash $(LST, K', S')$ to the merchant, the merchant computes the signature $(j, D)$ on $(LST, K', S')$. When the merchant sends $(j, D)$ to the customer, the customer first verifies it using the public key $Q_M$ of the merchant $M$. When $(j, D)$ satisfies the verification equation, the customer sends $(f_1, f_2, A_1, A_2, A_3, A_4, d, F)$ to the merchant. If later the merchant uses the $e$-cash $(LST, K', S')$ and $(f_1, f_2, A_1, A_2, A_3, A_4, d, F)$ to spend at other merchants and cheats the customer, the customer can show the merchant's signature to some arbitration agency. So the scheme can effectively resist the merchant's cheating attack.

8 Provable Security

In this section we show that the proposed scheme satisfies the properties of unlinkability and unforgeability.

Definition 1 (the linkability game). Let $\eta$ be a security parameter and let $C_1$ and $C_2$ be two customers. $C_1$, $C_2$, and the bank $B$ are involved in the following game.

Step 1. The bank $B$ outputs two licenses $LST_0$ and $LST_1$.

Step 2. We randomly choose a bit $b' \in \{0, 1\}$ and place $(K_{b'}, LST_{b'})$ and $(K_{1-b'}, LST_{1-b'})$ on the private input tapes of $C_1$ and $C_2$, respectively. The bit $b'$ will not be disclosed to the bank $B$.

Step 3. The bank $B$ and the two customers $C_1$, $C_2$ perform the withdrawal protocol of the proposed scheme.

Step 4. If $C_1$ and $C_2$ output two $e$-cash $(LST_{b'}, K'_{b'}, S'_{b'})$ and $(LST_{1-b'}, K'_{1-b'}, S'_{1-b'})$ on their private tapes, respectively, we give the two 3-tuples in a random order to the bank; otherwise $\perp$ is given to $B$.

Step 5. The bank $B$ outputs $b'^* \in \{0, 1\}$ as its guess of $b'$. $B$ wins the game if $b'^* = b'$. We define the advantage of $B$ as
$$\mathrm{Adv}^{\mathrm{Traceability}}_B(\eta) = \left| 2\Pr[b'^* = b'] - 1 \right|. \qquad (40)$$

Definition 2 (unlinkability). The proposed scheme satisfies the unlinkability property if the advantage $\mathrm{Adv}^{\mathrm{Traceability}}_B(\eta)$ is negligible.

Theorem 3. The proposed scheme satisfies the unlinkability property.

Proof of Theorem 3. We consider the condition in Definition 1. Let $(LST, K', S')$ be one of the two $e$-cash given to the bank and let $(K, h, S)$ be the view of the bank in one of the withdrawal protocols. It is sufficient to show that there exist two random factors $(a, c)$ that map $(K, h, S)$ to $(LST, K', S')$. We know
$$K' = aK + acQ_B,\quad h = a^{-1}H_2(LST, K') + c,\quad S' = aS. \qquad (41)$$
So by the equation $S' = aS$ there is a unique $a$. Then by the equation $h = a^{-1}H_2(LST, K') + c$ there is a unique $c$. Furthermore, when $S$ and $S'$ are correctly computed, the following equations hold:
$$e(S, P) = e(K + (a^{-1}H_2(LST, K') + c)Q_B, P_{\mathrm{pub}}),\quad e(S', P) = e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}}). \qquad (42)$$
So they hold when $K' = aK + acQ_B$. That is to say, $(a, c)$ always exists regardless of the values $(LST, K', S')$ and $(K, h, S)$. Therefore even an infinitely powerful bank outputs the correct value $b'$ with probability exactly $1/2$. So the proposed scheme satisfies the unlinkability property.

Definition 4 (the forgeability game). The adversary F and the challenger A play the following game.

Step 1. The challenger A takes a security parameter, generates the public parameters params, and sends params to the adversary F.

Step 2. The adversary F can perform a polynomially bounded number of hash queries, extract queries, and $e$-cash queries. These three kinds of queries answer the hash function, the private key, and the $e$-cash query by the adversary F, respectively.

Step 3. The adversary F outputs a tuple $\sigma = ((LST, K', S'), \mathrm{ID}_B)$. This tuple satisfies the following requirements:

(1) $(LST, K', S')$ is a valid $e$-cash with regard to the bank $B$.

(2) The adversary F has never requested the private key of the bank $B$.

(3) $\sigma = ((LST, K', S'), \mathrm{ID}_B)$ has never been queried during the $e$-cash queries.

Definition 5 (unforgeability). An adversary F is said to be an $(\epsilon, t, q_E, q_I, q_H)$-forger if it has advantage at least $\epsilon$ in the above game, runs in time at most $t$, and makes at most $q_E$, $q_I$, and $q_H$ extract, $e$-cash, and hashing queries, respectively. A scheme is said to be $(\epsilon, t, q_E, q_I, q_H)$-secure against A in the sense of unforgeability against $e$-cash existential forgery attack if no $(\epsilon, t, q_E, q_I, q_H)$-forger exists.

Theorem 6. If the CDH problem is hard, then the proposed scheme is secure against $e$-cash existential forgery attack.

Proof of Theorem 6. Suppose that F is a forger who can forge $e$-cash in the proposed scheme. A CDH instance $(P, xP, yP)$ is given for $x, y \in_R Z_q^*$. By using the forgery algorithm F, we will construct an algorithm A which outputs the CDH solution $xyP$ in $G$. Algorithm A performs the following simulation by interacting with the forger F.

Setup. Algorithm A sets $P_{\mathrm{pub}} = xP$ and starts by giving F the system parameters, including $(P, P_{\mathrm{pub}})$.

Table 1: Comparison of features of our scheme with recent schemes.

                     F1    F2    F3    F4    F5    F6
  Chen et al. [15]   Yes   Fail  Yes   Yes   Yes   Fail
  Fan et al. [18]    Yes   Yes   No    Yes   Yes   No
  Juang [19]         Yes   Yes   Yes   Yes   No    No
  Zhang et al. [20]  Yes   Yes   Yes   No    No    No
  Ours               Yes   Yes   Yes   Yes   Yes   Yes

F1: anonymity/unlinkability; F2: unforgeability; F3: verification; F4: double-spending owner tracing; F5: anonymity revocation; F6: uncheatability of merchant.

Table 2: Required number of rounds for each protocol in the compared schemes.

                     P1    P2    P3    P4    P5
  Chen et al. [15]   2     2     1     1     1
  Fan et al. [18]    —     4     3     1     —
  Juang [19]         3     3     1     1     2
  Zhang et al. [20]  —     3     2     1     —
  Ours               2     4     3     1     1

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing.

At any time F can query the random oracles $H_1$ and $H_2$ and make extract and cash queries. To answer these queries, A does the following.

$H_1$-Queries. At any time F can query the random oracle $H_1$. To respond to these queries, A maintains a list, the $H_1$-list, of tuples $(\mathrm{ID}, W, t, e)$ as explained below. When an identity ID is submitted to the $H_1$ oracle, A responds as follows. If the query ID already appears on the $H_1$-list in a tuple $(\mathrm{ID}, W, t, e)$, A responds with $H_1(\mathrm{ID}) = W$. Otherwise A generates a random coin $e \in \{0, 1\}$. If $e = 0$ then A computes $W = t(yP)$ for a random $t \in Z_q^*$. If $e = 1$ then A computes $W = tP$. A adds the tuple $(\mathrm{ID}, W, t, e)$ to the $H_1$-list and responds to F with $H_1(\mathrm{ID}) = W$.

$H_2$-Queries. To respond to $H_2$-queries, A maintains a list referred to as the $H_2$-list of tuples $(LST, K', d)$. When F queries the $H_2$ oracle at $(LST, K')$, A responds as follows. If the query $(LST, K')$ already appears on the $H_2$-list in a tuple $(LST, K', d)$, then A responds with $H_2(LST, K') = d \in Z_q$. Otherwise A generates a random $d \in Z_q$, adds the tuple $(LST, K', d)$ to the $H_2$-list, and responds to F with $H_2(LST, K') = d$.

Extract Queries. When F queries the private key corresponding to ID, A first finds the corresponding $(\mathrm{ID}, W, t, e)$ on the $H_1$-list. If $e = 0$ then A fails and halts. Otherwise A computes the private key $S_{\mathrm{ID}} = t \cdot P_{\mathrm{pub}} = t(xP)$ by using the tuple $(\mathrm{ID}, W, t, e)$ on the $H_1$-list and responds to F with $S_{\mathrm{ID}}$.

Cash Queries. If F requests an $e$-cash on $LST$ under ID, A responds to this query as follows. A first finds the corresponding tuple $(\mathrm{ID}, W, t, e)$ on the $H_1$-list, chooses random numbers $l, d \in Z_q^*$, and computes $K' = lP - dW$.

Table 3: Comparison of computation costs.

                     P1                 P2             P3        P4        P5
  Chen et al. [15]   E + 2H + 3B        4H + 6B        H + 3B    H + 3B    D
  Zhang et al. [20]  —                  2H + 2B + L    2H + 3B   2H + 3B   —
  Ours               E + 4H + 5B + 2L   2H + 4B        4H + 9B   2H + 8B   D

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing. E: symmetric encryption; D: symmetric decryption; H: hash computation; B: bilinear pairing; L: modular exponentiation.

If $(LST, K', d)$ already appears on the $H_2$-list, A chooses another pair $l, d \in Z_q^*$ and tries again. Otherwise A computes $S' = l \cdot P_{\mathrm{pub}}$ and stores $(LST, K', d)$ on the $H_2$-list. Then A responds to F with $(S', K')$. Indeed the output is a valid $e$-cash on $LST$ for ID. In fact,
$$e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}}) = e(lP - dW + dW, P_{\mathrm{pub}}) = e(lP, P_{\mathrm{pub}}) = e(lP_{\mathrm{pub}}, P) = e(S', P). \qquad (43)$$

Output. If A does not abort as a result of F's extract queries, then F's view is identical to its view in the real attack. By the Forking Lemma, after replaying F with the same random tape, A obtains two valid $e$-cash
$$(LST, K', S'),\quad (LST, K', S'^*). \qquad (44)$$
Correspondingly there are two valid signatures $(S, K)$ and $(S^*, K)$, because
$$S = (k + h)S_B,\quad S^* = (k + h^*)S_B. \qquad (45)$$
So by the security proof of [22], A obtains $(xy)P = S_B = (h - h^*)^{-1}(S - S^*)$. This completes the proof.

9 Comparisons

In this section we compare our scheme with [15 18ndash20] insome features communication efficiency and computationcost The features are anonymityunlinkability unforgeabil-ity verification double-spending owner tracing anonymityrevocation and uncheatability of merchant Our schemesatisfies all of above features but the others do not We showthe comparison result in Table 1 In Table 2 we compare thecommunication efficiency of our schemewith other schemesFan et alrsquos scheme [18] and Zhang et alrsquos scheme [20] are nottrustee based and therefore they do not have license-issuingprotocol and owner tracing protocol Juangrsquos scheme [19] alsodoes not have license-issuing protocol and owner tracingprotocol but has the initializing phase and recovering phaseFor comparison the numbers of rounds of initializing phase

and recovering phase in Juangrsquos scheme are computed tolicense-issuing protocol and owner tracing protocol respec-tively By Table 2 the proposed scheme demonstrates bettercommunication efficiency under enhanced security Ourscheme and schemes [15 20] are all id-based scheme usingbilinear pairings So in Table 3 we compare the computationcost of our scheme with schemes [15 20] It is necessary toillustrate that Zhang et alrsquos scheme [20] has no license-issuingprotocol and owner tracing protocol and for fair comparisonwe have not computed the computation cost of encryptionand its related computation cost in Chen et alrsquos schemeCompared with Chen et alrsquos scheme there are eleven morepairings computations in the proposed scheme These elevenpairings computations are in payment protocol and depositprotocol and useful to prevent the merchant from cheatIn practice we can use elliptic curves to reduce the computa-tion cost of bilinear pairings

10 Conclusion

In this paper we show that Chen et al.'s electronic cash scheme suffers from some weaknesses in unforgeability and merchant frauds. To contribute a secure scheme, we propose a new offline electronic cash scheme with anonymity revocation. We also provide formal security proofs of unlinkability and unforgeability. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This work is supported by the Applied Basic and Advanced Technology Research Programs of Tianjin (no. 15JCYBJC15900).

References

[1] D. Chaum, "Blind signatures for untraceable payments," in Crypto 82, pp. 199–203, Plenum Press, New York, NY, USA, 1983.

[2] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[3] R. Anderson, C. Manifavas, and C. Sutherland, "NetCard—a practical electronic-cash system," in Security Protocols, vol. 1189 of Lecture Notes in Computer Science, pp. 49–57, Springer, Berlin, Germany, 1997.

[4] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in e-cash systems," in Financial Cryptography, vol. 1318 of Lecture Notes in Computer Science, pp. 1–16, Springer, Berlin, Germany, 1997.

[5] G. Maitland and C. Boyd, "Fair electronic cash based on a group signature scheme," in Information and Communication Security, pp. 461–465, Springer, 2001.

[6] D. Chaum and S. Brands, "'Minting' electronic cash," IEEE Spectrum, vol. 34, no. 2, pp. 30–34, 1997.

[7] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Advances in Cryptology—EUROCRYPT 2005, R. Cramer, Ed., vol. 3494 of Lecture Notes in Computer Science, pp. 302–321, Springer, 2005.

[8] H. Wang and Y. Zhang, "Untraceable off-line electronic cash flow in e-commerce," in Proceedings of the 24th Australasian Computer Science Conference (ACSC '01), pp. 191–198, IEEE, Gold Coast, Australia, January–February 2001.

[9] S. Brands, "Untraceable off-line cash in wallet with observers," in Advances in Cryptology—CRYPTO '93, pp. 302–318, Springer, 1994.

[10] C.-Y. Ku, C.-J. Tsao, Y.-H. Lin, and C.-Y. Chen, "An escrow electronic cash system with limited traceability," Information Sciences, vol. 164, no. 1–4, pp. 17–30, 2004.

[11] T. Cao, D. Lin, and R. Xue, "A randomized RSA-based partially blind signature scheme for electronic cash," Computers & Security, vol. 24, no. 1, pp. 44–49, 2005.

[12] W.-S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[13] C. Fan and W. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory (CMCT '07), pp. 405–410, Nantou, Taiwan, 2007.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, no. 3, pp. 637–646, 2013.

[15] Y. Chen, J.-S. Chou, H.-M. Sun, and M.-H. Cho, "A novel electronic cash system with trustee-based anonymity revocation from pairing," Electronic Commerce Research and Applications, vol. 10, no. 6, pp. 673–682, 2011.

[16] Y.-F. Chang, "A critique of 'a novel electronic cash system with trustee-based anonymity revocation from pairing' by Chen, Chou, Sun, and Cho (2011)," Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 441–442, 2012.

[17] Y. L. Chen, J.-S. Chou, H.-M. Sun, and M.-S. Cho, "A response to a critique of 'A novel electronic cash system with trustee-based anonymity revocation from pairing' by Chen, Chou, Sun, and Cho (2011)," Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 443–444, 2012.

[18] C.-I. Fan, V. S. Huang, and Y.-C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, no. 1-2, pp. 227–237, 2013.

[19] W.-S. Juang, "RO-cash: an efficient and practical recoverable pre-paid offline e-cash scheme using bilinear pairings," Journal of Systems and Software, vol. 83, no. 4, pp. 638–645, 2010.

[20] L. Zhang, F. Zhang, B. Qin, and S. Liu, "Provably-secure electronic cash based on certificateless partially-blind signatures," Electronic Commerce Research and Applications, vol. 10, no. 5, pp. 545–552, 2011.

[21] F. Hess, "Efficient identity based signature schemes based on pairings," in Selected Areas in Cryptography: 9th Annual International Workshop, SAC 2002, St. John's, Newfoundland, Canada, August 15–16, 2002, Revised Papers, vol. 2595 of Lecture Notes in Computer Science, pp. 310–324, Springer, Berlin, Germany, 2003.

[22] F. Zhang and F. Kim, "Efficient ID-based blind signature and proxy signature from bilinear pairings," in Proceedings of the 8th Australasian Conference on Information Security and Privacy (ACISP '03), Wollongong, Australia, July 2003, Lecture Notes in Computer Science, pp. 312–323, Springer, 2003.


Mobile Information Systems 5

Customer → Merchant: $(LST, K', S')$
Merchant: checks whether $e(S', P) = e(K' + H_2(LST, K')\,Q_B, P_{pub})$; selects a random number $l \in Z_q^*$ and computes
    $L = e(P, P)^l$, $j = H_2(LST, K', S', L)$, $D = jS_M + lP$
Merchant → Customer: $(j, D)$
Customer: computes $L' = e(D, P)\,e(jQ_M, P_{pub})^{-1}$; checks whether $j = H_2(LST, K', S', L')$; computes $f_1 = bjz + w_1$, $f_2 = jz + w_2$
Customer → Merchant: $(f_1, f_2, A_1, A_2, A_3, A_4, j, d, F)$
Merchant: checks whether $e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2)$; computes $Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$; checks whether $d = H_2((A_1 + A_2 + A_3 + A_4), Y')$; accepts the payment.

Box 3: Payment protocol.

(3) The customer $C$ selects two random numbers $a, c \in Z_q^*$, computes

$K' = aK + acQ_B$,
$h = a^{-1}H_2(LST, K') + c$,   (13)

and sends $h$ to the bank $B$.

(4) The bank $B$ computes

$S = (k + h)S_B$   (14)

and sends $S$ to the customer $C$.

(5) Customer $C$ computes

$S' = aS$   (15)

and checks whether

$e(S', P) = e(K' + H_2(LST, K')\,Q_B, P_{pub})$.   (16)

If so, the customer $C$ obtains an $e$-cash $(LST, K', S')$.

4.4 Payment Protocol. When the customer $C$ wants to spend his cash at the shop, the customer $C$ and the merchant $M$ do the following steps. This protocol is also illustrated in Box 3.

(1) Customer $C$ sends $(LST, K', S')$ to the merchant $M$.

(2) The merchant $M$ checks whether

$e(S', P) = e(K' + H_2(LST, K')\,Q_B, P_{pub})$.   (17)

If so, he selects a random number $l \in Z_q^*$ and computes

$L = e(P, P)^l$,
$j = H_2(LST, K', S', L)$,
$D = jS_M + lP$.   (18)

Then he sends $(j, D)$ to the customer $C$.

(3) The customer $C$ computes

$L' = e(D, P)\,e(jQ_M, P_{pub})^{-1}$   (19)

and checks whether

$j = H_2(LST, K', S', L')$.   (20)

If so, he computes

$f_1 = bjz + w_1$,
$f_2 = jz + w_2$.   (21)

Then he sends $(f_1, f_2, A_1, A_2, A_3, A_4, j, d, F)$ to the merchant $M$.

(4) The merchant $M$ checks whether

$e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2)$   (22)

and computes

$Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$   (23)

and checks whether

$d = H_2((A_1 + A_2 + A_3 + A_4), Y')$.   (24)

If so, the merchant accepts the payment.

Merchant → Bank: $(LST, K', S', f_1, f_2, j, A_1, A_2, A_3, A_4, d, F)$
Bank: computes $Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$; checks whether
    $e(S', P) = e(K' + H_2(LST, K')\,Q_B, P_{pub})$,
    $e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2)$,
    $e(f_1Q_T, P_{pub}) = e(Q_T, A_3 + jA_4)$,
    $d = H_2((A_1 + A_2 + A_3 + A_4), Y')$;
checks whether the $e$-cash is being double spent; if it is fresh, credits the merchant's account.

Box 4: Deposit protocol.

4.5 Deposit Protocol. When the merchant $M$ wants to deposit the received $e$-cash into his account in the bank $B$, the following steps are done between the bank $B$ and the merchant $M$. This protocol is also illustrated in Box 4.

(1) The merchant $M$ sends $(LST, K', S', f_1, f_2, j, A_1, A_2, A_3, A_4, d, F)$ to the bank $B$.

(2) The bank $B$ first checks whether the coin exists in its deposit table. If the coin exists, it runs the double spender detection procedure. Else the bank computes

$Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$   (25)

and checks whether

$e(S', P) = e(K' + H_2(LST, K')\,Q_B, P_{pub})$,
$e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2)$,
$e(f_1Q_T, P_{pub}) = e(Q_T, A_3 + jA_4)$,
$d = H_2((A_1 + A_2 + A_3 + A_4), Y')$.   (26)

If the above four equations hold, the bank accepts the coin, stores it in the deposit table, and transfers money to the merchant $M$.

4.6 Revoking the Anonymity. In the case that an $e$-cash $(LST, K', S')$ is abused by a criminal, whether the cash is spent twice or not, the trustee can revoke the anonymity of the $e$-cash by the $LST$ provided by the bank. As soon as the trustee $T$ receives the request of revoking anonymity, $T$ checks his database to find the record $(LST, x)$ and computes the identity information $ID_C = D_{K_T}(LST) \oplus x$ by using his secret key $K_T$.

5 Verifiability of the Proposed Scheme

Firstly, we show that the blind license $b^{-1}LST$ can be verified by the equation

$u = H_2(b^{-1}LST, R')$.   (27)

Since

$R' = e(V, P)\,e(uQ_T, P_{pub})^{-1} = e(V, P)\,e(-uS_T, P) = e(V - uS_T, P) = e(rP, P) = R$,   (28)

$u = H_2(b^{-1}LST, R) = H_2(b^{-1}LST, R')$.

Secondly, we show that the $e$-cash can be verified by the equation

$e(S', P) = e(K' + H_2(LST, K')\,Q_B, P_{pub})$.   (29)

In fact,

$e(S', P) = e(aS, P) = e(a(k + h)S_B, P)$
$= e(a(k + a^{-1}H_2(LST, K') + c)\,Q_B, P_{pub})$
$= e(akQ_B + acQ_B + H_2(LST, K')\,Q_B, P_{pub})$
$= e(K' + H_2(LST, K')\,Q_B, P_{pub})$.   (30)

Thirdly, we show that the signature $(j, D)$ on $(LST, K', S')$ by the merchant can be verified by the equation

$j = H_2(LST, K', S', L')$.   (31)

Since

$L' = e(D, P)\,e(jQ_M, P_{pub})^{-1} = e(D, P)\,e(-jS_M, P) = e(D - jS_M, P) = e(lP, P) = L$,   (32)

$j = H_2(LST, K', S', L) = H_2(LST, K', S', L')$.
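The withdrawal protocol (equations (13)–(16)), the merchant's signature $(j, D)$ (equations (18)–(20)) and the checks of equations (29)–(32) run end to end in the following added Python illustration, which is not the authors' code. It assumes a toy bilinear map in place of the pairing (a point $uP$ is the scalar $u$ in $Z_q$, and $e(uP, vP) = g^{uv}$ in an order-$q$ subgroup of $Z_p^*$), a SHA-256-based $H_2$, and the bank's commitment $K = kQ_B$ as inferred from equation (30); the toy map has the algebra of a pairing but no security, so it only shows that the equations behave as the paper states.

```python
"""Toy run of the withdrawal protocol (equations (13)-(16)), the merchant's
signature (j, D) of the payment protocol (equations (18)-(20)) and the
checks of equations (29)-(32).  Added illustration, not the authors' code.
The pairing groups are stood in by a toy bilinear map: a point uP is the
scalar u in Z_q, G_T is the order-q subgroup of Z_p^* and
e(uP, vP) = g^(u*v) mod p.  Discrete logs in Z_q are trivial, so this has
the algebra of a pairing but none of its security."""
import hashlib
import secrets

Q = 1019         # prime group order, toy parameter
P_MOD = 2039     # 2*Q + 1 is prime, so Z_p^* has a subgroup of order Q
G_T = 4          # generator of that subgroup (a quadratic residue mod P_MOD)
P = 1            # the base point P is the scalar 1 in this model


def pair(u, v):
    """Toy bilinear map e(uP, vP) = g^(uv) mod p."""
    return pow(G_T, (u * v) % Q, P_MOD)


def h2(*parts):
    """H2: hash a tuple of values to Z_q (SHA-256 based, an assumption)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def h1(identity):
    """H1: map an identity string to a nonzero group element (scalar)."""
    return 1 + h2("H1", identity) % (Q - 1)


def rand_zq_star():
    return 1 + secrets.randbelow(Q - 1)


class Signer:
    """Bank or merchant: ID-based key S_ID = x * Q_ID with Q_ID = H1(ID)."""

    def __init__(self, x, identity):
        self.q_id = h1(identity)
        self.s_id = (x * self.q_id) % Q
        self.k = None

    def commit(self):
        """Bank's commitment K = k Q_B (inferred from equation (30))."""
        self.k = rand_zq_star()
        return (self.k * self.q_id) % Q

    def blind_sign(self, h):
        """Equation (14): S = (k + h) S_B."""
        return ((self.k + h) * self.s_id) % Q

    def sign_cash(self, cash):
        """Equation (18): L = e(P,P)^l, j = H2(LST,K',S',L), D = j S_M + l P."""
        lst, k_prime, s_prime = cash
        l = rand_zq_star()
        big_l = pow(pair(P, P), l, P_MOD)
        j = h2(lst, k_prime, s_prime, big_l)
        return j, (j * self.s_id + l * P) % Q


def verify_cash(cash, q_b, p_pub):
    """Equation (16)/(29): e(S', P) == e(K' + H2(LST, K') Q_B, P_pub)."""
    lst, k_prime, s_prime = cash
    return pair(s_prime, P) == pair((k_prime + h2(lst, k_prime) * q_b) % Q, p_pub)


def withdraw(bank, lst, p_pub):
    """Customer side of steps (3)-(5); returns the e-cash (LST, K', S')."""
    k_pt = bank.commit()
    a, c = rand_zq_star(), rand_zq_star()            # blinding factors
    k_prime = (a * k_pt + a * c * bank.q_id) % Q      # K' = aK + acQ_B
    h = (pow(a, -1, Q) * h2(lst, k_prime) + c) % Q   # h = a^-1 H2(LST,K') + c
    s_prime = (a * bank.blind_sign(h)) % Q            # S' = aS
    cash = (lst, k_prime, s_prime)
    if not verify_cash(cash, bank.q_id, p_pub):
        raise ValueError("bank returned an invalid blind signature")
    return cash


def verify_merchant_sig(cash, j, d, q_m, p_pub):
    """Equations (19)-(20): L' = e(D,P) e(jQ_M,P_pub)^-1, j == H2(LST,K',S',L')."""
    lst, k_prime, s_prime = cash
    l_prime = pair(d, P) * pow(pair((j * q_m) % Q, p_pub), -1, P_MOD) % P_MOD
    return j == h2(lst, k_prime, s_prime, l_prime)


def demo():
    """Returns (cash valid, merchant signature valid, altered coin valid)."""
    x = rand_zq_star()                   # PKG master secret
    p_pub = (x * P) % Q                  # P_pub = xP
    bank, merchant = Signer(x, "bank"), Signer(x, "merchant")
    cash = withdraw(bank, h2("constructed license"), p_pub)
    j, d = merchant.sign_cash(cash)
    lst, k_prime, s_prime = cash
    altered = (lst, k_prime, (s_prime + 1) % Q)   # S' tampered with
    return (verify_cash(cash, bank.q_id, p_pub),
            verify_merchant_sig(cash, j, d, merchant.q_id, p_pub),
            verify_cash(altered, bank.q_id, p_pub))


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The altered coin fails equation (16) while the honestly withdrawn one passes, and the merchant's $(j, D)$ verifies with only his public key $Q_M$, which is what Section 7 relies on.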

Fourthly, we show that the information $(f_1, f_2)$ can be verified by the equations

$e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2)$,
$e(f_1Q_T, P_{pub}) = e(Q_T, A_3 + jA_4)$.   (33)

In fact,

$e((f_1 + f_2)Q_T, P_{pub}) = e((bjz + w_1 + jz + w_2)Q_T, P_{pub})$
$= e((bjz + jz)Q_T + (w_1 + w_2)Q_T, P_{pub})$
$= e((bjz + jz)Q_T, P_{pub})\,e((w_1 + w_2)Q_T, P_{pub})$
$= e(Q_T, (bjz + jz)P_{pub})\,e(Q_T, (w_1 + w_2)P_{pub})$
$= e(Q_T, jA_1)\,e(Q_T, A_2) = e(Q_T, jA_1 + A_2)$,
$e(f_1Q_T, P_{pub}) = e((bjz + w_1)Q_T, P_{pub}) = e(Q_T, (bjz + w_1)P_{pub}) = e(Q_T, A_3 + jA_4)$.   (34)

Finally, we show that the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$ by the trustee can be verified by the equation

$d = H_2((A_1 + A_2 + A_3 + A_4), Y')$.   (35)

Since

$Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1} = e(F, P)\,e(-dS_T, P) = e(F - dS_T, P) = e(yP, P) = Y$,
$d = H_2((A_1 + A_2 + A_3 + A_4), Y) = H_2((A_1 + A_2 + A_3 + A_4), Y')$.   (36)

6 Double Spender Detection

In the case that the customer spends an $e$-cash twice or more, the bank $B$ can compute

$b = \dfrac{f_1 - f_1'}{f_2 - f_2'}, \qquad b^{-1}LST.$   (37)

Then the bank $B$ checks its database from the withdrawal protocol to find the record $(ID_C, b^{-1}LST, u, V)$ and knows the identity information $ID_C$ of the malicious customer $C$. Here $(f_1, f_2)$ and $(f_1', f_2')$ are the information the customer $C$ sends to the merchant $M$ in the payment phase in the two spendings, respectively. In fact,

$f_1 = bj_1z + w_1$, $f_1' = bj_2z + w_1$,
$f_2 = j_1z + w_2$, $f_2' = j_2z + w_2$.   (38)

So

$b = \dfrac{f_1 - f_1'}{f_2 - f_2'}.$   (39)

Hence the bank $B$ can compute $b^{-1}LST$ and obtain the identity information $ID_C$ of the malicious customer $C$.
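The bank-side detection of Section 6 (equations (37)–(39)), driven from the deposit-table check of step (2) of the deposit protocol, as an added Python illustration that is not the authors' code. Only arithmetic in $Z_q$ is needed, so the group element $LST$ is stood in by a scalar and $b^{-1}LST$ by $b^{-1} \cdot LST \bmod q$; the customer's secrets, the coin values and the two merchants' challenges $j$ are constructed.

```python
"""Double-spender detection of Section 6 (equations (37)-(39)) together
with the deposit-table check of step (2) of the deposit protocol.  Added
illustration, not the authors' code.  The bank needs only arithmetic in
Z_q, so the group element LST is stood in by a scalar and b^-1 LST by
b^-1 * LST mod q.  All coin values below are constructed."""

Q = 1019   # prime group order, toy parameter


def spend_response(b, z, w1, w2, j):
    """Customer's equation (21) for merchant challenge j:
    f1 = b j z + w1, f2 = j z + w2."""
    return ((b * j * z + w1) % Q, (j * z + w2) % Q)


def recover_b(spend1, spend2):
    """Equation (39): b = (f1 - f1') / (f2 - f2') mod q from two spends of
    the same coin.  Returns None when f2 == f2' (equal challenges j), in
    which case the second transcript carries no new information."""
    f1, f2 = spend1
    f1p, f2p = spend2
    den = (f2 - f2p) % Q
    if den == 0:
        return None
    return ((f1 - f1p) * pow(den, -1, Q)) % Q


class Bank:
    def __init__(self):
        self.withdrawals = {}   # b^-1 LST -> ID_C, written in the withdrawal protocol
        self.deposits = {}      # (LST, K', S') -> (j, f1, f2), the deposit table

    def record_withdrawal(self, blind_license, customer_id):
        self.withdrawals[blind_license] = customer_id

    def deposit(self, coin, j, f1, f2):
        """Step (2) of the deposit protocol.  A coin that is not in the
        deposit table is stored (the pairing checks of (26) are assumed to
        have passed); a coin that is already there runs double-spender
        detection.  Returns ("ok", None), ("replay", None) or
        ("double-spent", ID_C)."""
        if coin not in self.deposits:
            self.deposits[coin] = (j, f1, f2)
            return ("ok", None)
        j0, f1_0, f2_0 = self.deposits[coin]
        b = recover_b((f1_0, f2_0), (f1, f2))
        if b is None:
            # same challenge j: one transcript submitted twice, so b cannot
            # be solved for and no customer is identified from this alone
            return ("replay", None)
        lst = coin[0]
        blind_license = (pow(b, -1, Q) * lst) % Q      # b^-1 LST of (37)
        return ("double-spent", self.withdrawals.get(blind_license))


def demo():
    b, z, w1, w2 = 37, 401, 88, 915    # customer's secrets, constructed
    lst = 512                          # the license LST (scalar stand-in)
    bank = Bank()
    bank.record_withdrawal((pow(b, -1, Q) * lst) % Q, "ID_C=alice")
    coin = (lst, 77, 333)              # (LST, K', S'), values constructed
    j1, j2 = 123, 654                  # challenges from two different merchants
    first = bank.deposit(coin, j1, *spend_response(b, z, w1, w2, j1))
    replay = bank.deposit(coin, j1, *spend_response(b, z, w1, w2, j1))
    second = bank.deposit(coin, j2, *spend_response(b, z, w1, w2, j2))
    return first, replay, second
    # (("ok", None), ("replay", None), ("double-spent", "ID_C=alice"))


if __name__ == "__main__":
    print(demo())
```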

7 Uncheatability of Merchants

When the customer sends the $e$-cash $(LST, K', S')$ to the merchant, the merchant computes the signature $(j, D)$ on $(LST, K', S')$. When the merchant sends $(j, D)$ to the customer, the customer first verifies it using the public key $Q_M$ of the merchant $M$. When $(j, D)$ satisfies the verification equation, the customer sends $(f_1, f_2, A_1, A_2, A_3, A_4, d, F)$ to the merchant. If later the merchant uses the $e$-cash $(LST, K', S')$ and $(f_1, f_2, A_1, A_2, A_3, A_4, d, F)$ to spend at other merchants and cheats the customer, the customer can show the merchant's signature to an arbitration agency. So the scheme can effectively resist the merchant cheating attack.

8 Provable Security

In this section we show that the proposed scheme satisfies the properties of unlinkability and unforgeability.

Definition 1 (the linkability game). Let $\eta$ be a security parameter and let $C_1$ and $C_2$ be two customers. $C_1$, $C_2$, and the bank $B$ are involved in the following game.

Step 1. The bank $B$ outputs two licenses $LST_0$ and $LST_1$.

Step 2. We randomly choose a bit $b' \in \{0, 1\}$ and place $(K_{b'}, LST_{b'})$ and $(K_{1-b'}, LST_{1-b'})$ on the private input tapes of $C_1$ and $C_2$, respectively. The bit $b'$ will not be disclosed to the bank $B$.

Step 3. The bank $B$ and the two customers $C_1$, $C_2$ perform the withdrawal protocol of the proposed scheme.

Step 4. If $C_1$ and $C_2$ output two $e$-cash $(LST_{b'}, K'_{b'}, S'_{b'})$ and $(LST_{1-b'}, K'_{1-b'}, S'_{1-b'})$ on their private tapes, respectively, we give the two 3-tuples in a random order to the bank; otherwise $\perp$ is given to $B$.

Step 5. The bank $B$ outputs $b'^* \in \{0, 1\}$ as the guess of $b'$. $B$ wins the game if $b'^* = b'$. We define the advantage of $B$ as

$\mathrm{Adv}^{\mathrm{Traceality}}_B(\eta) = \left| 2\Pr[b'^* = b'] - 1 \right|.$   (40)

Definition 2 (unlinkability). The proposed scheme satisfies the unlinkability property if the advantage $\mathrm{Adv}^{\mathrm{Traceality}}_B(\eta)$ is negligible.

Theorem 3. The proposed scheme satisfies the unlinkability property.

Proof of Theorem 3. We consider the condition in Definition 1. Let $(LST, K', S')$ be one of the two $e$-cash given to the bank and let $(K, h, S)$ be the view of the bank in one of the withdrawal protocols. It is sufficient to show that there exist two random factors $(a, c)$ that map $(K, h, S)$ to $(LST, K', S')$. We know

$K' = aK + acQ_B$,
$h = a^{-1}H_2(LST, K') + c$,
$S' = aS$.   (41)

So by the equation $S' = aS$ there is a unique $a$. Then by the equation $h = a^{-1}H_2(LST, K') + c$ there is a unique $c$. Furthermore, when $S$ and $S'$ are correctly computed, the following equations hold:

$e(S, P) = e(K + (a^{-1}H_2(LST, K') + c)\,Q_B, P_{pub})$,
$e(S', P) = e(K' + H_2(LST, K')\,Q_B, P_{pub})$.   (42)

So it holds when $K' = aK + acQ_B$. That is to say, $(a, c)$ always exists regardless of the values $(LST, K', S')$ and $(K, h, S)$. Therefore even an infinitely powerful bank outputs a correct value $b'$ with probability of exactly $1/2$. So the proposed scheme satisfies the unlinkability property.

Definition 4 (the forgeability game). The adversary F and the challenger A play the following game.

Step 1. The challenger A takes a security parameter, generates the public parameters params, and sends params to the adversary F.

Step 2. The adversary F can perform a polynomially bounded number of hash queries, extract queries, and $e$-cash queries. These three kinds of queries answer the hash function, private key, and $e$-cash queries by the adversary F, respectively.

Step 3. The adversary F outputs a tuple $\sigma = ((LST, K', S'), ID_B)$. This tuple satisfies the following requirements:

(1) $(LST, K', S')$ is a valid $e$-cash with regard to the bank $B$.
(2) The adversary F has never requested the private key of the bank $B$.
(3) $\sigma = ((LST, K', S'), ID_B)$ has never been queried during the $e$-cash query.

Definition 5 (unforgeability). An adversary F is said to be an $(\epsilon, t, q_E, q_I, q_H)$-forger if it has advantage at least $\epsilon$ in the above game, runs in time at most $t$, and makes at most $q_E$, $q_I$, and $q_H$ extract, $e$-cash, and hashing queries, respectively. A scheme is said to be $(\epsilon, t, q_E, q_I, q_H)$-secure against A in the sense of being unforgeable against the $e$-cash existential forgery attack if no $(\epsilon, t, q_E, q_I, q_H)$-forger exists.

Theorem 6. If the CDH problem is hard, then the proposed scheme is secure against the $e$-cash existential forgery attack.

Proof of Theorem 6. Suppose that F is a forger who can forge $e$-cash in the proposed scheme. A CDH instance $(P, xP, yP)$ is given for $x, y \in_R Z_q^*$. By using the forgery algorithm F we will construct an algorithm A which outputs the CDH solution $xyP$ in $G$. Algorithm A performs the following simulation by interacting with the forger F.

Setup. Algorithm A sets $P_{pub} = xP$ and starts by giving F the system parameters including $(P, P_{pub})$.

Table 1: Comparison of features of our scheme with recent schemes.

                   F1    F2    F3    F4    F5    F6
Chen et al. [15]   Yes   Fail  Yes   Yes   Yes   Fail
Fan et al. [18]    Yes   Yes   No    Yes   Yes   No
Juang [19]         Yes   Yes   Yes   Yes   No    No
Zhang et al. [20]  Yes   Yes   Yes   No    No    No
Ours               Yes   Yes   Yes   Yes   Yes   Yes

F1: anonymity/unlinkability; F2: unforgeability; F3: verification; F4: double-spending owner tracing; F5: anonymity revocation; F6: uncheatability of merchant.

Table 2: Required number of rounds for each protocol in compared schemes.

                   P1    P2    P3    P4    P5
Chen et al. [15]   2     2     1     1     1
Fan et al. [18]    —     4     3     1     —
Juang [19]         3     3     1     1     2
Zhang et al. [20]  —     3     2     1     —
Ours               2     4     3     1     1

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing.

At any time F can query the random oracles $H_1$, $H_2$ and make extract and cash queries. To answer these queries A does the following.

$H_1$-Queries. At any time F can query the random oracle $H_1$. To respond to these queries A maintains a list $H_1$-list of tuples $(ID, W, t, e)$ as explained below. When an identity $ID$ is submitted to the $H_1$ oracle, A responds as follows. If the query $ID$ already appears on the $H_1$-list in a tuple $(ID, W, t, e)$, A responds with $H_1(ID) = W$. Otherwise A generates a random coin $e \in \{0, 1\}$. If $e = 0$ then A computes $W = t(yP)$ for a random $t \in Z_q^*$. If $e = 1$ then A computes $W = tP$. A adds the tuple $(ID, W, t, e)$ to the $H_1$-list and responds to F with $H_1(ID) = W$.

$H_2$-Queries. To respond to $H_2$-queries A maintains a list referred to as $H_2$-list of tuples $(LST, K', d)$. When F queries the $H_2$ oracle at $(LST, K')$, A responds as follows. If the query $(LST, K')$ already appears on the $H_2$-list in a tuple $(LST, K', d)$, then A responds with $H_2(LST, K') = d \in Z_q$. Otherwise A generates a random $d \in Z_q$, adds the tuple $(LST, K', d)$ to the $H_2$-list, and responds to F with $H_2(LST, K') = d$.

Extract Queries. When F queries the private key corresponding to $ID$, A first finds the corresponding $(ID, W, t, e)$ from the $H_1$-list. If $e = 0$ then A fails and halts. Otherwise A computes the private key $S_{ID} = t \cdot P_{pub} = t(xP)$ by using the tuple $(ID, W, t, e)$ in the $H_1$-list and responds to F with $S_{ID}$.

Cash Queries. If F requests an $e$-cash on $LST$ under $ID$, A responds to this query as follows. A first finds the corresponding tuple $(ID, W, t, e)$ from the $H_1$-list, chooses random numbers $l, d \in Z_q^*$, and computes $K' = lP - dW$. If $(LST, K', d)$ already appears on the $H_2$-list, A chooses another $l, d \in Z_q^*$ and tries again. Otherwise A computes $S' = l \cdot P_{pub}$ and stores $(LST, K', d)$ on the $H_2$-list. Then A responds to F with $(S', K')$. Indeed the output is a valid $e$-cash on $LST$ for $ID$. In fact,

$e(K' + H_2(LST, K')\,Q_B, P_{pub}) = e(lP - dW + dW, P_{pub}) = e(lP, P_{pub}) = e(lP_{pub}, P) = e(S', P)$.   (43)

Table 3: Comparison of computation costs.

                   P1                  P2             P3         P4         P5
Chen et al. [15]   E + 2H + 3B         4H + 6B        H + 3B     H + 3B     D
Zhang et al. [20]  —                   2H + 2B + L    2H + 3B    2H + 3B    —
Ours               E + 4H + 5B + 2L    2H + 4B        4H + 9B    2H + 8B    D

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing. E: symmetric encryption; D: symmetric decryption; H: hash computation; B: bilinear pairing; L: modular exponentiation.

Output. If A does not abort as a result of F's extract query, then F's view is identical to its view in the real attack. By the Forking Lemma, after replaying F with the same random tape, A obtains two valid $e$-cash

$(LST, K', S')$, $(LST, K', S'^*)$.   (44)

Correspondingly there are two valid signatures $(S, K)$ and $(S^*, K)$ because

$S = (k + h)S_B$, $S^* = (k + h^*)S_B$.   (45)

So by the security proof of [22] A obtains $(xy)P = S_B = (h - h^*)^{-1}(S - S^*)$. This completes the proof.

9 Comparisons

In this section we compare our scheme with [15 18ndash20] insome features communication efficiency and computationcost The features are anonymityunlinkability unforgeabil-ity verification double-spending owner tracing anonymityrevocation and uncheatability of merchant Our schemesatisfies all of above features but the others do not We showthe comparison result in Table 1 In Table 2 we compare thecommunication efficiency of our schemewith other schemesFan et alrsquos scheme [18] and Zhang et alrsquos scheme [20] are nottrustee based and therefore they do not have license-issuingprotocol and owner tracing protocol Juangrsquos scheme [19] alsodoes not have license-issuing protocol and owner tracingprotocol but has the initializing phase and recovering phaseFor comparison the numbers of rounds of initializing phase

and recovering phase in Juangrsquos scheme are computed tolicense-issuing protocol and owner tracing protocol respec-tively By Table 2 the proposed scheme demonstrates bettercommunication efficiency under enhanced security Ourscheme and schemes [15 20] are all id-based scheme usingbilinear pairings So in Table 3 we compare the computationcost of our scheme with schemes [15 20] It is necessary toillustrate that Zhang et alrsquos scheme [20] has no license-issuingprotocol and owner tracing protocol and for fair comparisonwe have not computed the computation cost of encryptionand its related computation cost in Chen et alrsquos schemeCompared with Chen et alrsquos scheme there are eleven morepairings computations in the proposed scheme These elevenpairings computations are in payment protocol and depositprotocol and useful to prevent the merchant from cheatIn practice we can use elliptic curves to reduce the computa-tion cost of bilinear pairings

10 Conclusion

In this paper we show thatChen et alrsquos electronic cash schemeis suffering from some weaknesses in unforgeability andmerchant frauds To contribute a secure scheme we proposea new offline electronic cash scheme with anonymity revo-cation We also provide the formally security proofs of theunlinkability and unforgeability Furthermore the proposedscheme ensures the property of avoiding merchant frauds

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This work is supported by the Applied Basic and AdvancedTechnology Research Programs of Tianjin (no 15JCY-BJC15900)

References

[1] D. Chaum, "Blind signatures for untraceable payments," in Crypto 82, pp. 199–203, Plenum Press, New York, NY, USA, 1983.

[2] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[3] R. Anderson, C. Manifavas, and C. Sutherland, "NetCard—a practical electronic-cash system," in Security Protocols, vol. 1189 of Lecture Notes in Computer Science, pp. 49–57, Springer, Berlin, Germany, 1997.

[4] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in e-cash systems," in Financial Cryptography, vol. 1318 of Lecture Notes in Computer Science, pp. 1–16, Springer, Berlin, Germany, 1997.

[5] G. Maitland and C. Boyd, "Fair electronic cash based on a group signature scheme," in Information and Communication Security, pp. 461–465, Springer, 2001.

[6] D. Chaum and S. Brands, "'Minting' electronic cash," IEEE Spectrum, vol. 34, no. 2, pp. 30–34, 1997.

[7] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Advances in Cryptology—EUROCRYPT 2005, R. Cramer, Ed., vol. 3494 of Lecture Notes in Computer Science, pp. 302–321, Springer, 2005.

[8] H. Wang and Y. Zhang, "Untraceable off-line electronic cash flow in e-commerce," in Proceedings of the 24th Australasian Computer Science Conference (ACSC '01), pp. 191–198, IEEE, Gold Coast, Australia, January–February 2001.

[9] S. Brands, "Untraceable off-line cash in wallet with observers," in Advances in Cryptology—CRYPTO '93, pp. 302–318, Springer, 1994.

[10] C.-Y. Ku, C.-J. Tsao, Y.-H. Lin, and C.-Y. Chen, "An escrow electronic cash system with limited traceability," Information Sciences, vol. 164, no. 1–4, pp. 17–30, 2004.

[11] T. Cao, D. Lin, and R. Xue, "A randomized RSA-based partially blind signature scheme for electronic cash," Computers & Security, vol. 24, no. 1, pp. 44–49, 2005.

[12] W.-S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[13] C. Fan and W. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory (CMCT '07), pp. 405–410, Nantou, Taiwan, 2007.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, no. 3, pp. 637–646, 2013.

[15] Y. Chen, J.-S. Chou, H.-M. Sun, and M.-H. Cho, "A novel electronic cash system with trustee-based anonymity revocation from pairing," Electronic Commerce Research and Applications, vol. 10, no. 6, pp. 673–682, 2011.

[16] Y.-F. Chang, "A critique of 'a novel electronic cash system with trustee-based anonymity revocation from pairing' by Chen, Chou, Sun, and Cho (2011)," Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 441–442, 2012.

[17] Y. L. Chen, J.-S. Chou, H.-M. Sun, and M.-S. Cho, "A response to a critique of 'A novel electronic cash system with trustee-based anonymity revocation from pairing' by Chen, Chou, Sun, and Cho (2011)," Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 443–444, 2012.

[18] C.-I. Fan, V. S. Huang, and Y.-C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, no. 1-2, pp. 227–237, 2013.

[19] W.-S. Juang, "RO-cash: an efficient and practical recoverable pre-paid offline e-cash scheme using bilinear pairings," Journal of Systems and Software, vol. 83, no. 4, pp. 638–645, 2010.

[20] L. Zhang, F. Zhang, B. Qin, and S. Liu, "Provably-secure electronic cash based on certificateless partially-blind signatures," Electronic Commerce Research and Applications, vol. 10, no. 5, pp. 545–552, 2011.

[21] F. Hess, "Efficient identity based signature schemes based on pairings," in Selected Areas in Cryptography: 9th Annual International Workshop, SAC 2002, St. John's, Newfoundland, Canada, August 15-16, 2002, Revised Papers, vol. 2595 of Lecture Notes in Computer Science, pp. 310–324, Springer, Berlin, Germany, 2003.

[22] F. Zhang and F. Kim, "Efficient ID-based blind signature and proxy signature from bilinear pairings," in Proceedings of the 8th Australasian Conference on Information Security and Privacy (ACISP '03), Wollongong, Australia, July 2003, Lecture Notes in Computer Science, pp. 312–323, Springer, 2003.


Box 4: Deposit protocol.

Merchant $M$ → Bank $B$: $(LST, K', S', f_1, f_2, j, A_1, A_2, A_3, A_4, d, F)$.

Bank $B$ computes $Y' = e(F, P)\, e(dQ_T, P_{\mathrm{pub}})^{-1}$ and checks whether
$e(S', P) = e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}})$,
$e((f_1 + f_2)Q_T, P_{\mathrm{pub}}) = e(Q_T, jA_1 + A_2)$,
$e(f_1 Q_T, P_{\mathrm{pub}}) = e(Q_T, A_3 + jA_4)$,
$d = H_2((A_1 + A_2 + A_3 + A_4), Y')$.

Bank $B$ checks whether the e-cash is being double spent; if it is fresh, it credits the merchant's account.

and computes
$$Y' = e(F, P)\, e(dQ_T, P_{\mathrm{pub}})^{-1} \quad (23)$$
and checks whether
$$d = H_2((A_1 + A_2 + A_3 + A_4), Y'). \quad (24)$$
If so, the merchant accepts the payment.

4.5. Deposit Protocol. When the merchant $M$ wants to deposit the received e-cash into his account in the bank $B$, the following steps are done between the bank $B$ and the merchant $M$. This protocol is also illustrated in Box 4.

(1) The merchant $M$ sends $(LST, K', S', f_1, f_2, j, A_1, A_2, A_3, A_4, d, F)$ to the bank $B$.

(2) The bank $B$ first checks whether the coin exists in its deposit table. If the coin exists, it runs the double spender detection procedure. Else the bank computes
$$Y' = e(F, P)\, e(dQ_T, P_{\mathrm{pub}})^{-1} \quad (25)$$
and checks whether
$$\begin{aligned}
e(S', P) &= e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}}), \\
e((f_1 + f_2)Q_T, P_{\mathrm{pub}}) &= e(Q_T, jA_1 + A_2), \\
e(f_1 Q_T, P_{\mathrm{pub}}) &= e(Q_T, A_3 + jA_4), \\
d &= H_2((A_1 + A_2 + A_3 + A_4), Y').
\end{aligned} \quad (26)$$
If the above four equations hold, the bank accepts the coin, stores it in the deposit table and transfers money to the merchant $M$.

4.6. Revoking the Anonymity. In the case that an e-cash $(LST, K', S')$ is abused by a criminal, whether the cash is spent twice or not, the trustee can revoke the anonymity of the e-cash by the $LST$ provided by the bank. As soon as the trustee $T$ receives the request of revoking anonymity, $T$ checks his database to find the record $(LST, x)$ and computes the identity information $ID_C = D_{K_T}(LST) \oplus x$ by using his secret key $K_T$.

5. Verifiability of the Proposed Scheme

Firstly, we show that the blind license $b^{-1}LST$ can be verified by the equation
$$u = H_2(b^{-1}LST, R'). \quad (27)$$
Since
$$R' = e(V, P)\, e(uQ_T, P_{\mathrm{pub}})^{-1} = e(V, P)\, e(-uS_T, P) = e(V - uS_T, P) = e(rP, P) = R, \quad (28)$$
$$u = H_2(b^{-1}LST, R) = H_2(b^{-1}LST, R').$$

Secondly, we show that the e-cash can be verified by the equation
$$e(S', P) = e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}}). \quad (29)$$
In fact
$$\begin{aligned}
e(S', P) &= e(aS, P) = e(a(k + h)S_B, P) \\
&= e(a(k + a^{-1}H_2(LST, K') + c)Q_B, P_{\mathrm{pub}}) \\
&= e(akQ_B + acQ_B + H_2(LST, K')Q_B, P_{\mathrm{pub}}) \\
&= e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}}).
\end{aligned} \quad (30)$$

Thirdly, we show that the signature $(j, D)$ on $(LST, K', S')$ by the merchant can be verified by the equation
$$j = H_2(LST, K', S', L'). \quad (31)$$
Since
$$L' = e(D, P)\, e(jQ_M, P_{\mathrm{pub}})^{-1} = e(D, P)\, e(-jS_M, P) = e(D - jS_M, P) = e(lP, P) = L, \quad (32)$$
$$j = H_2(LST, K', S', L) = H_2(LST, K', S', L').$$

Fourthly, we show that the information $(f_1, f_2)$ can be verified by the equations
$$\begin{aligned}
e((f_1 + f_2)Q_T, P_{\mathrm{pub}}) &= e(Q_T, jA_1 + A_2), \\
e(f_1 Q_T, P_{\mathrm{pub}}) &= e(Q_T, A_3 + jA_4).
\end{aligned} \quad (33)$$
In fact
$$\begin{aligned}
e((f_1 + f_2)Q_T, P_{\mathrm{pub}}) &= e((bjz + w_1 + jz + w_2)Q_T, P_{\mathrm{pub}}) \\
&= e((bjz + jz)Q_T + (w_1 + w_2)Q_T, P_{\mathrm{pub}}) \\
&= e((bjz + jz)Q_T, P_{\mathrm{pub}})\, e((w_1 + w_2)Q_T, P_{\mathrm{pub}}) \\
&= e(Q_T, (bjz + jz)P_{\mathrm{pub}})\, e(Q_T, (w_1 + w_2)P_{\mathrm{pub}}) \\
&= e(Q_T, jA_1)\, e(Q_T, A_2) = e(Q_T, jA_1 + A_2), \\
e(f_1 Q_T, P_{\mathrm{pub}}) &= e((bjz + w_1)Q_T, P_{\mathrm{pub}}) \\
&= e(Q_T, (bjz + w_1)P_{\mathrm{pub}}) = e(Q_T, A_3 + jA_4).
\end{aligned} \quad (34)$$

Finally, we show that the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$ by the trustee can be verified by the equation
$$d = H_2((A_1 + A_2 + A_3 + A_4), Y'). \quad (35)$$
Since
$$\begin{aligned}
Y' &= e(F, P)\, e(dQ_T, P_{\mathrm{pub}})^{-1} = e(F, P)\, e(-dS_T, P) \\
&= e(F - dS_T, P) = e(yP, P) = Y, \\
d &= H_2((A_1 + A_2 + A_3 + A_4), Y) = H_2((A_1 + A_2 + A_3 + A_4), Y').
\end{aligned} \quad (36)$$

6. Double Spender Detection

In the case that the customer spends an e-cash twice or more, the bank $B$ can compute
$$b = \frac{f_1 - f_1'}{f_2 - f_2'}, \qquad b^{-1}LST. \quad (37)$$
Then the bank $B$ checks its database of the withdrawal protocol to find the record $(ID_C, b^{-1}LST, u, V)$ and learns the identity information $ID_C$ of the malicious customer $C$. Here $(f_1, f_2)$ and $(f_1', f_2')$ are the information the customer $C$ sends to the merchant $M$ in the payment phase in the two spendings, respectively. In fact
$$f_1 = bj_1 z + w_1, \qquad f_1' = bj_2 z + w_1, \qquad f_2 = j_1 z + w_2, \qquad f_2' = j_2 z + w_2. \quad (38)$$
Subtracting cancels $w_1$ and $w_2$, leaving $f_1 - f_1' = bz(j_1 - j_2)$ and $f_2 - f_2' = z(j_1 - j_2)$, so for distinct merchant challenges $j_1 \neq j_2$
$$b = \frac{f_1 - f_1'}{f_2 - f_2'}. \quad (39)$$
Hence the bank $B$ can compute $b^{-1}LST$ and obtain the identity information $ID_C$ of the malicious customer $C$.
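The bank-side logic of Section 4.5, step 2 (consult the deposit table, and only on a repeated coin fall through to detection) together with the arithmetic of equations (37)–(39), as an added example; this is not the paper's code. It assumes a toy setting in which scalars live in $\mathbb{Z}_q$ with a small constructed $q$ and the group element $LST$ is modelled as an integer mod $q$, so that $b^{-1}LST$ is plain modular arithmetic; the pairing checks of (26) are assumed to have already passed, and every identity, nonce and license value is constructed sample data.

```python
"""Deposit-table check (Section 4.5, step 2) and double-spender detection,
equations (37)-(39).  Added example, not the paper's code.

Assumptions (not from the paper): scalars are in Z_q for a toy q, and the
group element LST is modelled as an integer mod q, so b^{-1}*LST is ordinary
modular arithmetic.  All identities, nonces and licence values are constructed."""

Q = 101   # constructed toy group order; a real scheme uses a ~256-bit prime


def inv(x):
    return pow(x % Q, -1, Q)


def payment_response(b, z, w1, w2, j):
    """Customer's answer to merchant challenge j, eq. (38): f1 = bjz + w1, f2 = jz + w2."""
    return ((b * j * z + w1) % Q, (j * z + w2) % Q)


def recover_blinding(f1, f2, f1p, f2p):
    """Eq. (37)/(39): b = (f1 - f1') / (f2 - f2').  Subtracting the two responses
    cancels w1 and w2 and leaves bz(j - j') over z(j - j'), so the two spends must
    carry distinct challenges."""
    denom = (f2 - f2p) % Q
    if denom == 0:
        raise ValueError("identical challenges: not two distinct spends of the coin")
    return ((f1 - f1p) * inv(denom)) % Q


class Bank:
    def __init__(self):
        self.withdrawals = {}   # b^{-1}*LST -> (ID_C, u, V), written during withdrawal
        self.deposits = {}      # coin (LST, K', S') -> first accepted payment transcript

    def record_withdrawal(self, blind_license, id_c, u, v):
        self.withdrawals[blind_license] = (id_c, u, v)

    def deposit(self, coin, transcript):
        """Step 2 of the deposit protocol: a fresh coin is stored and accepted; a coin
        already in the table triggers the double-spender detection procedure."""
        if coin not in self.deposits:
            self.deposits[coin] = transcript
            return ("accepted", None)
        first = self.deposits[coin]
        return ("double-spent", self.trace_owner(coin[0], first, transcript))

    def trace_owner(self, lst, t1, t2):
        """Section 6: recover b, compute b^{-1}*LST and look it up in the withdrawal table."""
        b = recover_blinding(t1["f1"], t1["f2"], t2["f1"], t2["f2"])
        blind_license = (inv(b) * lst) % Q
        rec = self.withdrawals.get(blind_license)
        return rec[0] if rec else None


def demo():
    """One coin spent at two merchants that issued different challenges j;
    returns the two deposit outcomes."""
    bank = Bank()
    lst, b, z, w1, w2 = 57, 23, 5, 11, 42            # constructed customer secrets
    bank.record_withdrawal((inv(b) * lst) % Q, "ID_C_alice", u=3, v=8)
    coin = (lst, 61, 90)                              # constructed (LST, K', S')
    f1, f2 = payment_response(b, z, w1, w2, j=7)      # first merchant's challenge
    f1p, f2p = payment_response(b, z, w1, w2, j=19)   # second merchant's challenge
    first = bank.deposit(coin, {"f1": f1, "f2": f2, "j": 7})
    second = bank.deposit(coin, {"f1": f1p, "f2": f2p, "j": 19})
    return first, second


if __name__ == "__main__":
    print(demo())
```

The deposit table is keyed on the coin itself, so an honest second deposit of the same coin by a colluding merchant is caught the same way as a customer's double spend; what the lookup cannot do is distinguish the two, which is why the tracing result is handed to the trustee-side process rather than acted on automatically.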

7. Uncheatability of Merchants

When the customer sends the e-cash $(LST, K', S')$ to the merchant, the merchant computes a signature $(j, D)$ on $(LST, K', S')$. When the merchant sends $(j, D)$ to the customer, the customer first verifies it using the public key $Q_M$ of the merchant $M$. When $(j, D)$ satisfies the verification equation, the customer sends $(f_1, f_2, A_1, A_2, A_3, A_4, d, F)$ to the merchant. If later the merchant uses the e-cash $(LST, K', S')$ and $(f_1, f_2, A_1, A_2, A_3, A_4, d, F)$ to spend at other merchants and cheats the customer, the customer can show the merchant's signature to an arbitration agency. So the scheme can effectively resist the merchant's cheating attack.

8. Provable Security

In this section we show that the proposed scheme satisfies the properties of unlinkability and unforgeability.

Definition 1 (the linkability game). Let $\eta$ be a security parameter and let $C_1$ and $C_2$ be two customers. $C_1$, $C_2$ and the bank $B$ are involved in the following game.

Step 1. The bank $B$ outputs two licenses $LST_0$ and $LST_1$.

Step 2. We randomly choose a bit $b' \in \{0, 1\}$ and place $(K_{b'}, LST_{b'})$ and $(K_{1-b'}, LST_{1-b'})$ on the private input tapes of $C_1$ and $C_2$, respectively. The bit $b'$ will not be disclosed to the bank $B$.

Step 3. The bank $B$ and the two customers $C_1$, $C_2$ perform the withdrawal protocol of the proposed scheme.

Step 4. If $C_1$ and $C_2$ output two e-cash $(LST_{b'}, K'_{b'}, S'_{b'})$ and $(LST_{1-b'}, K'_{1-b'}, S'_{1-b'})$ on their private tapes, respectively, we give the two 3-tuples in a random order to the bank; otherwise $\perp$ is given to $B$.

Step 5. The bank $B$ outputs $b'^{*} \in \{0, 1\}$ as the guess of $b'$. $B$ wins the game if $b'^{*} = b'$. We define the advantage of $B$ as
$$\mathrm{Adv}^{\mathrm{Traceability}}_{B}(\eta) = \left| 2\Pr[b'^{*} = b'] - 1 \right|. \quad (40)$$

Definition 2 (unlinkability). The proposed scheme satisfies the unlinkability property if the advantage $\mathrm{Adv}^{\mathrm{Traceability}}_{B}(\eta)$ is negligible.

Theorem 3. The proposed scheme satisfies the unlinkability property.

Proof of Theorem 3. We consider the condition in Definition 1. Let $(LST, K', S')$ be one of the two e-cash given to the bank and let $(K, h, S)$ be the view of the bank in one of the withdrawal protocols. It is sufficient to show that there exist two random factors $(a, c)$ that map $(K, h, S)$ to $(LST, K', S')$. We know
$$K' = aK + acQ_B, \qquad h = a^{-1}H_2(LST, K') + c, \qquad S' = aS. \quad (41)$$
So by the equation $S' = aS$ there is a unique $a$. Then by the equation $h = a^{-1}H_2(LST, K') + c$ there is a unique $c$. Furthermore, when $S$ and $S'$ are correctly computed, the following equations hold:
$$\begin{aligned}
e(S, P) &= e(K + (a^{-1}H_2(LST, K') + c)Q_B, P_{\mathrm{pub}}), \\
e(S', P) &= e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}}).
\end{aligned} \quad (42)$$
So they hold when $K' = aK + acQ_B$. That is to say, $(a, c)$ always exists regardless of the values $(LST, K', S')$ and $(K, h, S)$. Therefore even an infinitely powerful bank outputs a correct value $b'$ with probability exactly $1/2$. So the proposed scheme satisfies the unlinkability property.
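The withdrawal blinding of (41), the e-cash verification equation (29)/(30) from Section 5, and the "any view explains any coin" argument of the proof of Theorem 3, as an added example; this is not the paper's code. It assumes a toy bilinear setting (not from the paper): the pairing group is modelled as $\mathbb{Z}_q$ under addition with generator $P = 1$, the target group is the order-$q$ subgroup of $\mathbb{Z}_p^{*}$, and $e(U, V) = g^{UV} \bmod p$. That map is bilinear, so every equation of the scheme can be checked numerically, but it has no security value, since discrete logarithms in $\mathbb{Z}_q$ are trivial; the bank identity and the license values are constructed.

```python
"""Toy pairing model of the blind withdrawal, verification (29)/(30) and the
blinding relations (41)/(42) of Theorem 3.  Added example, not the paper's code.

Assumptions (not from the paper): G is Z_q under addition with P = 1, G_T is the
order-q subgroup of Z_p^* and e(U, V) = g^(U*V) mod p.  Bilinear, but insecure:
a model for checking the equations only."""
import hashlib
import random

Q = 101                                  # toy group order
P_MOD = 607                              # 607 - 1 = 6 * 101, so Z_607^* has an order-101 subgroup
GEN = pow(2, (P_MOD - 1) // Q, P_MOD)    # generator of that subgroup (evaluates to 64)
P = 1                                    # generator of the additive 'point' group


def inv(x):
    return pow(x % Q, -1, Q)


def pairing(u, v):
    """Toy bilinear map e(aP, bP) = g^(ab)."""
    return pow(GEN, (u * v) % Q, P_MOD)


def h1(identity):
    """H_1: identity string -> nonzero 'point' Q_ID."""
    return 1 + int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % (Q - 1)


def h2(*parts):
    """H_2: tuple of values -> Z_q^*, used here as H_2(LST, K')."""
    data = "|".join(str(p) for p in parts).encode()
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


def keygen(identity, x):
    """ID-based keys: Q_ID = H_1(ID), S_ID = x * Q_ID, with master secret x."""
    q_id = h1(identity)
    return q_id, (x * q_id) % Q


def withdrawal(lst, q_b, s_b, rng):
    """Both sides of the blind withdrawal; returns ((LST, K', S'), (K, h, S)).
    The bank's view (K, h, S) never contains a, c or the finished coin."""
    while True:
        k = rng.randrange(1, Q)                           # bank nonce, K = k Q_B
        K = (k * q_b) % Q
        a, c = rng.randrange(1, Q), rng.randrange(1, Q)   # customer blinding factors
        Kp = (a * K + a * c * q_b) % Q                    # K' = aK + acQ_B
        h = (inv(a) * h2(lst, Kp) + c) % Q                # h = a^{-1} H_2(LST, K') + c
        if (k + h) % Q:                                   # reject the degenerate S = 0
            break
    S = ((k + h) * s_b) % Q                               # bank signs: S = (k + h) S_B
    Sp = (a * S) % Q                                      # customer unblinds: S' = aS
    return (lst, Kp, Sp), (K, h, S)


def verify_coin(coin, q_b, p_pub):
    """Equation (29): e(S', P) = e(K' + H_2(LST, K') Q_B, P_pub)."""
    lst, Kp, Sp = coin
    return pairing(Sp, P) == pairing((Kp + h2(lst, Kp) * q_b) % Q, p_pub)


def verify_bank_view(view, q_b, p_pub):
    """First line of (42) on the bank's own transcript: e(S, P) = e(K + h Q_B, P_pub)."""
    K, h, S = view
    return pairing(S, P) == pairing((K + h * q_b) % Q, p_pub)


def blinding_explains(view, coin, q_b):
    """Theorem 3: take a from S' = aS and c from h = a^{-1}H_2 + c, then check that the
    same (a, c) satisfies K' = aK + acQ_B.  Computable here only because division in
    the toy group is easy; the paper argues existence, not computability."""
    K, h, S = view
    lst, Kp, Sp = coin
    a = (Sp * inv(S)) % Q
    c = (h - inv(a) * h2(lst, Kp)) % Q
    return (a * K + a * c * q_b) % Q == Kp


def demo(seed=1):
    rng = random.Random(seed)                       # deterministic toy randomness
    x = rng.randrange(1, Q)                         # master secret, P_pub = xP
    p_pub = (x * P) % Q
    q_b, s_b = keygen("bank-B", x)                  # constructed bank identity
    coin1, view1 = withdrawal(11, q_b, s_b, rng)    # constructed licences LST = 11, 29
    coin2, view2 = withdrawal(29, q_b, s_b, rng)
    tampered = (coin1[0], coin1[1], (coin1[2] + 1) % Q)
    return {
        "coin_valid": verify_coin(coin1, q_b, p_pub) and verify_coin(coin2, q_b, p_pub),
        "view_valid": verify_bank_view(view1, q_b, p_pub) and verify_bank_view(view2, q_b, p_pub),
        # every (view, coin) combination is consistent: the views cannot tell the coins apart
        "cross_blinding_consistent": all(blinding_explains(v, c, q_b)
                                         for v in (view1, view2) for c in (coin1, coin2)),
        "tampered_valid": verify_coin(tampered, q_b, p_pub),
    }
```

The cross check is the point of the proof: each of the bank's two withdrawal transcripts is explained by a valid $(a, c)$ for each of the two coins, so matching coins to transcripts is a coin flip even with unbounded computation.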

Definition 4 (the forgeability game). The adversary F and the challenger A play the following game.

Step 1. The challenger A takes a security parameter, generates the public parameters params and sends params to the adversary F.

Step 2. The adversary F can perform a polynomially bounded number of hash queries, extract queries and e-cash queries. These three kinds of queries answer the hash function, the private key and the e-cash requested by the adversary F, respectively.

Step 3. The adversary F outputs a tuple $\sigma = ((LST, K', S'), ID_B)$. This tuple satisfies the following requirements:

(1) $(LST, K', S')$ is a valid e-cash with regard to the bank $B$.

(2) The adversary F has never requested the private key of the bank $B$.

(3) $\sigma = ((LST, K', S'), ID_B)$ has never been queried during the e-cash query.

Definition 5 (unforgeability). An adversary F is said to be an $(\varepsilon, t, q_E, q_I, q_H)$-forger if it has advantage at least $\varepsilon$ in the above game, runs in time at most $t$, and makes at most $q_E$, $q_I$ and $q_H$ extract, e-cash and hashing queries, respectively. A scheme is said to be $(\varepsilon, t, q_E, q_I, q_H)$-secure against A in the sense of being unforgeable against e-cash existential forgery attack if no $(\varepsilon, t, q_E, q_I, q_H)$-forger exists.

Theorem 6. If the CDH problem is hard, then the proposed scheme is secure against e-cash existential forgery attack.

Proof of Theorem 6. Suppose that F is a forger who can forge e-cash in the proposed scheme. A CDH instance $(P, xP, yP)$ is given for $x, y \in_R \mathbb{Z}_q^{*}$. By using the forgery algorithm F we will construct an algorithm A which outputs the CDH solution $xyP$ in $G$. Algorithm A performs the following simulation by interacting with the forger F.

Setup. Algorithm A sets $P_{\mathrm{pub}} = xP$ and starts by giving F the system parameters including $(P, P_{\mathrm{pub}})$.

At any time F can query the random oracles $H_1$, $H_2$ and make extract and cash queries. To answer these queries A does the following.

$H_1$-Queries. At any time F can query the random oracle $H_1$. To respond to these queries A maintains a list $H_1$-list of tuples $(ID, W, t, e)$ as explained below. When an identity $ID$ is submitted to the $H_1$ oracle, A responds as follows. If the query $ID$ already appears on the $H_1$-list in a tuple $(ID, W, t, e)$, A responds with $H_1(ID) = W$. Otherwise A generates a random coin $e \in \{0, 1\}$. If $e = 0$ then A computes $W = t(yP)$ for a random $t \in \mathbb{Z}_q^{*}$. If $e = 1$ then A computes $W = tP$. A adds the tuple $(ID, W, t, e)$ to the $H_1$-list and responds to F with $H_1(ID) = W$.

$H_2$-Queries. To respond to $H_2$-queries A maintains a list referred to as $H_2$-list of tuples $(LST, K', d)$. When F queries the $H_2$ oracle at $(LST, K')$, A responds as follows. If the query $(LST, K')$ already appears on the $H_2$-list in a tuple $(LST, K', d)$, then A responds with $H_2(LST, K') = d \in \mathbb{Z}_q$. Otherwise A generates a random $d \in \mathbb{Z}_q$, adds the tuple $(LST, K', d)$ to the $H_2$-list and responds to F with $H_2(LST, K') = d$.

Extract Queries. When F queries the private key corresponding to $ID$, A first finds the corresponding $(ID, W, t, e)$ from the $H_1$-list. If $e = 0$ then A fails and halts. Otherwise A computes the private key $S_{ID} = t \cdot P_{\mathrm{pub}} = t(xP)$ by using the tuple $(ID, W, t, e)$ in the $H_1$-list and responds to F with $S_{ID}$.

Cash Queries. If F requests an e-cash on $LST$ under $ID$, A responds to this query as follows. A first finds the corresponding tuple $(ID, W, t, e)$ from the $H_1$-list, chooses random numbers $l, d \in \mathbb{Z}_q^{*}$ and computes $K' = lP - dW$. If $(LST, K', d)$ already appears on the $H_2$-list, A chooses another $l, d \in \mathbb{Z}_q^{*}$ and tries again. Otherwise A computes $S' = l \cdot P_{\mathrm{pub}}$ and stores $(LST, K', d)$ on the $H_2$-list. Then A responds to F with $(S', K')$. Indeed the output is a valid e-cash on $LST$ for $ID$, since $W = H_1(ID) = Q_B$ and $H_2(LST, K') = d$. In fact
$$e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}}) = e(lP - dW + dW, P_{\mathrm{pub}}) = e(lP, P_{\mathrm{pub}}) = e(lP_{\mathrm{pub}}, P) = e(S', P). \quad (43)$$

Output. If A does not abort as a result of F's extract query, then F's view is identical to its view in the real attack. By the Forking Lemma, after replaying F with the same random tape, A obtains two valid e-cash
$$(LST, K', S'), \qquad (LST, K', S'^{*}). \quad (44)$$
Correspondingly there are two valid signatures $(S, K)$ and $(S^{*}, K)$ because
$$S = (k + h)S_B, \qquad S^{*} = (k + h^{*})S_B. \quad (45)$$
So by the security proof of [22], A obtains $(xy)P = S_B = (h - h^{*})^{-1}(S - S^{*})$. This completes the proof.

Table 1: Comparison of features of our scheme with recent schemes.

                    F1    F2    F3    F4    F5    F6
Chen et al. [15]    Yes   Fail  Yes   Yes   Yes   Fail
Fan et al. [18]     Yes   Yes   No    Yes   Yes   No
Juang [19]          Yes   Yes   Yes   Yes   No    No
Zhang et al. [20]   Yes   Yes   Yes   No    No    No
Ours                Yes   Yes   Yes   Yes   Yes   Yes

F1: anonymity/unlinkability; F2: unforgeability; F3: verification; F4: double-spending owner tracing; F5: anonymity revocation; F6: uncheatability of merchant.

Table 2: Required number of rounds for each protocol in the compared schemes.

                    P1    P2    P3    P4    P5
Chen et al. [15]    2     2     1     1     1
Fan et al. [18]     —     4     3     1     —
Juang [19]          3     3     1     1     2
Zhang et al. [20]   —     3     2     1     —
Ours                2     4     3     1     1

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing.

Table 3: Comparison of computation costs.

                    P1                  P2              P3          P4          P5
Chen et al. [15]    E + 2H + 3B         4H + 6B         H + 3B      H + 3B      D
Zhang et al. [20]   —                   2H + 2B + L     2H + 3B     2H + 3B     —
Ours                E + 4H + 5B + 2L    2H + 4B         4H + 9B     2H + 8B     D

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing. E: symmetric encryption; D: symmetric decryption; H: hash computation; B: bilinear pairing; L: modular exponentiation.

In this section we compare our scheme with [15 18ndash20] insome features communication efficiency and computationcost The features are anonymityunlinkability unforgeabil-ity verification double-spending owner tracing anonymityrevocation and uncheatability of merchant Our schemesatisfies all of above features but the others do not We showthe comparison result in Table 1 In Table 2 we compare thecommunication efficiency of our schemewith other schemesFan et alrsquos scheme [18] and Zhang et alrsquos scheme [20] are nottrustee based and therefore they do not have license-issuingprotocol and owner tracing protocol Juangrsquos scheme [19] alsodoes not have license-issuing protocol and owner tracingprotocol but has the initializing phase and recovering phaseFor comparison the numbers of rounds of initializing phase

and recovering phase in Juangrsquos scheme are computed tolicense-issuing protocol and owner tracing protocol respec-tively By Table 2 the proposed scheme demonstrates bettercommunication efficiency under enhanced security Ourscheme and schemes [15 20] are all id-based scheme usingbilinear pairings So in Table 3 we compare the computationcost of our scheme with schemes [15 20] It is necessary toillustrate that Zhang et alrsquos scheme [20] has no license-issuingprotocol and owner tracing protocol and for fair comparisonwe have not computed the computation cost of encryptionand its related computation cost in Chen et alrsquos schemeCompared with Chen et alrsquos scheme there are eleven morepairings computations in the proposed scheme These elevenpairings computations are in payment protocol and depositprotocol and useful to prevent the merchant from cheatIn practice we can use elliptic curves to reduce the computa-tion cost of bilinear pairings

10 Conclusion

In this paper we show thatChen et alrsquos electronic cash schemeis suffering from some weaknesses in unforgeability andmerchant frauds To contribute a secure scheme we proposea new offline electronic cash scheme with anonymity revo-cation We also provide the formally security proofs of theunlinkability and unforgeability Furthermore the proposedscheme ensures the property of avoiding merchant frauds

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This work is supported by the Applied Basic and AdvancedTechnology Research Programs of Tianjin (no 15JCY-BJC15900)

References

[1] D Chaum ldquoBlind signatures for untraceable paymentsrdquo inCrypto 82 pp 199ndash203 Plenum Press New York NY USA1983

[2] Z Eslami and M Talebi ldquoA new untraceable off-line electroniccash systemrdquo Electronic Commerce Research and Applicationsvol 10 no 1 pp 59ndash66 2011

[3] R Anderson C Manifavas and C Sutherland ldquoNetCardmdasha practical electronic-cash systemrdquo in Security Protocols vol

10 Mobile Information Systems

1189 of Lecture Notes in Computer Science pp 49ndash57 SpringerBerlin Germany 1997

[4] G Davida Y Frankel Y Tsiounis and M Yung ldquoAnonymitycontrol in e-cash systemsrdquo in Financial Cryptography vol 1318of Lecture Notes in Computer Science pp 1ndash16 Springer BerlinGermany 1997

[5] GMaitland andC Boyd ldquoFair electronic cash based on a groupsignature schemerdquo in Information and Communication Securitypp 461ndash465 Springer 2001

[6] D Chaum and S Brands ldquolsquoMintingrsquo electronic cashrdquo IEEESpectrum vol 34 no 2 pp 30ndash34 1997

[7] J Camenisch S Hohenberger and A Lysyanskaya ldquoCompacte-cashrdquo in Advances in CryptologymdashEUROCRYPT 2005 RCramer Ed vol 3494 of Lecture Notes in Computer Science pp302ndash321 Springer 2005

[8] H Wang and Y Zhang ldquoUntraceable off-line electronic cashflow in e-commercerdquo in Proceedings of the 24th AustralasianComputer Science Conference (ACSC rsquo01) pp 191ndash198 IEEEGold Coast Australia January-February 2001

[9] S Brands ldquoUntraceable off-line cash in wallet with observersrdquoinAdvances in CryptologymdashCRYPTO rsquo93 pp 302ndash318 Springer1994

[10] C-Y Ku C-J Tsao Y-H Lin and C-Y Chen ldquoAn escrowelectronic cash system with limited traceabilityrdquo InformationSciences vol 164 no 1ndash4 pp 17ndash30 2004

[11] T Cao D Lin and R Xue ldquoA randomized RSA-based partiallyblind signature scheme for electronic cashrdquo Computers ampSecurity vol 24 no 1 pp 44ndash49 2005

[12] W-S Juang ldquoD-cash a flexible pre-paid e-cash scheme for date-attachmentrdquo Electronic Commerce Research and Applicationsvol 6 no 1 pp 74ndash80 2007

[13] C Fan and W Sun ldquoEfficient encoding scheme for date attach-able electronic cashrdquo in Proceedings of the 24th Workshop onCombinatorial Mathematics and Computation Theory (CMCTrsquo07) pp 405ndash410 Nantou Taiwan 2007

[14] Y Baseri B Takhtaei and J Mohajeri ldquoSecure untraceable off-line electronic cash systemrdquo Scientia Iranica vol 20 no 3 pp637ndash646 2013

[15] Y Chen J-S Chou H-M Sun and M-H Cho ldquoA novel elec-tronic cash system with trustee-based anonymity revocationfrom pairingrdquo Electronic Commerce Research and Applicationsvol 10 no 6 pp 673ndash682 2011

[16] Y-F Chang ldquoA critique of lsquoa novel electronic cash system withtrustee-based anonymity revocation from pairingrsquo by ChenChou Sun and Cho (2011)rdquo Electronic Commerce Research andApplications vol 11 no 4 pp 441ndash442 2012


Mobile Information Systems 7

In fact,
\[
\begin{aligned}
e((f_1 + f_2)Q_T, P_{\mathrm{pub}}) &= e((bjz + w_1 + jz + w_2)Q_T, P_{\mathrm{pub}}) \\
&= e((bjz + jz)Q_T + (w_1 + w_2)Q_T, P_{\mathrm{pub}}) \\
&= e((bjz + jz)Q_T, P_{\mathrm{pub}})\, e((w_1 + w_2)Q_T, P_{\mathrm{pub}}) \\
&= e(Q_T, (bjz + jz)P_{\mathrm{pub}})\, e(Q_T, (w_1 + w_2)P_{\mathrm{pub}}) \\
&= e(Q_T, jA_1)\, e(Q_T, A_2) = e(Q_T, jA_1 + A_2), \\
e(f_1 Q_T, P_{\mathrm{pub}}) &= e((bjz + w_1)Q_T, P_{\mathrm{pub}}) \\
&= e(Q_T, (bjz + w_1)P_{\mathrm{pub}}) = e(Q_T, A_3 + jA_4). \qquad (34)
\end{aligned}
\]

Finally, we show that the signature (d, F) on A_1 + A_2 + A_3 + A_4 by the trustee can be verified by the equation
\[
d = H_2((A_1 + A_2 + A_3 + A_4), Y'). \qquad (35)
\]
Since
\[
\begin{aligned}
Y' &= e(F, P)\, e(dQ_T, P_{\mathrm{pub}})^{-1} = e(F, P)\, e(-dS_T, P) \\
&= e(F - dS_T, P) = e(yP, P) = Y, \\
d &= H_2((A_1 + A_2 + A_3 + A_4), Y) = H_2((A_1 + A_2 + A_3 + A_4), Y'). \qquad (36)
\end{aligned}
\]

6. Double Spender Detection

In the case that the customer spends an e-cash twice or more, the bank B can compute
\[
b = \frac{f_1 - f_1'}{f_2 - f_2'}, \qquad b^{-1}LST. \qquad (37)
\]
Then the bank B checks the database it kept in the withdrawal protocol to find the record (ID_C, b^{-1}LST, u, V) and learns the identity information ID_C of the malicious customer C. Here (f_1, f_2) and (f_1', f_2') are the information the customer C sends to the merchant M in the payment phase of the first and the second consumption, respectively. In fact,
\[
\begin{aligned}
f_1 &= bj_1 z + w_1, & f_1' &= bj_2 z + w_1, \\
f_2 &= j_1 z + w_2, & f_2' &= j_2 z + w_2. \qquad (38)
\end{aligned}
\]
So
\[
b = \frac{f_1 - f_1'}{f_2 - f_2'}. \qquad (39)
\]
Hence the bank B can compute b^{-1}LST and obtain the identity information ID_C of the malicious customer C.
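As an added illustration (not the paper's code), the bank-side check of Eqs. (37)-(39) in Python: two deposits of the same e-cash with different merchant challenges give b, and b^{-1}LST indexes the withdrawal record. The pairing group is replaced by a stand-in in which a group element is an integer modulo a prime and scalar multiplication is modular multiplication, and every value is constructed.

```python
# Added example (not the paper's code): bank-side double-spender detection
# following Eqs. (37)-(39). The pairing group is replaced by a stand-in in
# which a group element is an integer modulo a prime and scalar
# multiplication is modular multiplication, so b^{-1} LST is the same
# linear operation as on the curve. All sample values are constructed.

from dataclasses import dataclass
from typing import Dict, Optional

q = 1000003   # stand-in for the prime group order q; constructed


@dataclass(frozen=True)
class PaymentTranscript:
    """What the merchant later deposits: the e-cash's LST, its challenge j,
    and the customer's responses f1 = b*j*z + w1, f2 = j*z + w2 (mod q)."""
    lst: int
    j: int
    f1: int
    f2: int


@dataclass(frozen=True)
class WithdrawalRecord:
    """Record (ID_C, b^{-1} LST, u, V) kept by the bank at withdrawal;
    b^{-1} LST is the dictionary key, so only (ID_C, u, V) is stored here."""
    id_c: str
    u: int
    v: int


def customer_respond(b, z, w1, w2, lst, j):
    """Customer side of the payment phase, Eq. (38)."""
    return PaymentTranscript(lst, j, (b * j * z + w1) % q, (j * z + w2) % q)


def recover_blinding_factor(t1, t2) -> Optional[int]:
    """Eq. (39): b = (f1 - f1') / (f2 - f2') mod q.
    Returns None when f2 == f2', i.e. both payments carry the same challenge
    j, so the denominator vanishes and nothing can be recovered."""
    if t1.lst != t2.lst:
        raise ValueError("transcripts belong to different e-cash")
    num = (t1.f1 - t2.f1) % q
    den = (t1.f2 - t2.f2) % q
    if den == 0:
        return None
    return num * pow(den, -1, q) % q


class Bank:
    def __init__(self):
        self.withdrawals: Dict[int, WithdrawalRecord] = {}  # keyed by b^{-1} LST
        self.deposited: Dict[int, PaymentTranscript] = {}   # keyed by LST

    def record_withdrawal(self, id_c, unblinded_lst, u, v):
        self.withdrawals[unblinded_lst] = WithdrawalRecord(id_c, u, v)

    def deposit(self, t: PaymentTranscript) -> Optional[str]:
        """Accept a deposit. On a second deposit of the same e-cash, run
        Eq. (37) and return the traced identity ID_C; None means no double
        spend was seen, or the two challenges coincide and tracing fails."""
        first = self.deposited.get(t.lst)
        if first is None:
            self.deposited[t.lst] = t
            return None
        b = recover_blinding_factor(first, t)
        if b is None:
            return None
        unblinded = pow(b, -1, q) * t.lst % q     # b^{-1} LST, Eq. (37)
        rec = self.withdrawals.get(unblinded)
        return rec.id_c if rec else None
```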

7. Uncheatability of Merchants

When the customer sends the e-cash (LST, K', S') to the merchant, the merchant computes a signature (j, D) on (LST, K', S'). When the merchant sends (j, D) to the customer, the customer first verifies it using the public key Q_M of the merchant M. When (j, D) satisfies the verification equation, the customer sends (f_1, f_2, A_1, A_2, A_3, A_4, d, F) to the merchant. If later the merchant uses the e-cash (LST, K', S') and (f_1, f_2, A_1, A_2, A_3, A_4, d, F) to spend at other merchants and cheats the customer, the customer can show the merchant's signature to an arbitration agency. So the scheme can effectively resist the merchant cheating attack.

8. Provable Security

In this section we show that the proposed scheme satisfies the properties of unlinkability and unforgeability.

Definition 1 (the linkability game). Let η be a security parameter and let C_1 and C_2 be two customers. C_1, C_2, and the bank B are involved in the following game.

Step 1. The bank B outputs two licenses LST_0 and LST_1.

Step 2. We randomly choose a bit b' ∈ {0, 1} and place (K_{b'}, LST_{b'}) and (K_{1-b'}, LST_{1-b'}) on the private input tapes of C_1 and C_2, respectively. The bit b' is not disclosed to the bank B.

Step 3. The bank B and the two customers C_1, C_2 perform the withdrawal protocol of the proposed scheme.

Step 4. If C_1 and C_2 output two e-cash (LST_{b'}, K'_{b'}, S'_{b'}) and (LST_{1-b'}, K'_{1-b'}, S'_{1-b'}) on their private tapes, respectively, we give the two 3-tuples in a random order to the bank; otherwise ⊥ is given to B.

Step 5. The bank B outputs b'^* ∈ {0, 1} as its guess of b'. B wins the game if b'^* = b'. We define the advantage of B as
\[
\mathrm{Adv}^{\mathrm{Traceality}}_{B}(\eta) = \left| 2\Pr[b'^* = b'] - 1 \right|. \qquad (40)
\]

Definition 2 (unlinkability). The proposed scheme satisfies the unlinkability property if the advantage Adv^{Traceality}_B(η) is negligible.

Theorem 3. The proposed scheme satisfies the unlinkability property.

Proof of Theorem 3. We consider the condition in Definition 1. Let (LST, K', S') be one of the two e-cash given to the bank and let (K, h, S) be the view of the bank in one of the withdrawal protocols. It is sufficient to show that there exist two random factors (a, c) that map (K, h, S) to (LST, K', S'). We know
\[
\begin{aligned}
K' &= aK + acQ_B, \\
h &= a^{-1}H_2(LST, K') + c, \\
S' &= aS. \qquad (41)
\end{aligned}
\]
So by the equation S' = aS there is a unique a. Then by the equation h = a^{-1}H_2(LST, K') + c there is a unique c. Furthermore, when S and S' are correctly computed, the following equations hold:
\[
\begin{aligned}
e(S, P) &= e(K + (a^{-1}H_2(LST, K') + c)Q_B, P_{\mathrm{pub}}), \\
e(S', P) &= e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}}). \qquad (42)
\end{aligned}
\]
So it holds when K' = aK + acQ_B. That is to say, (a, c) always exists regardless of the values (LST, K', S') and (K, h, S). Therefore even an infinitely powerful bank outputs a correct value b' with probability exactly 1/2. So the proposed scheme satisfies the unlinkability property.

Definition 4 (the forgeability game). The adversary F and the challenger A play the following game.

Step 1. The challenger A takes a security parameter, generates the public parameters params, and sends params to the adversary F.

Step 2. The adversary F can perform a polynomially bounded number of hash queries, extract queries, and e-cash queries. These three kinds of queries answer the hash function, the private key, and the e-cash requested by the adversary F, respectively.

Step 3. The adversary F outputs a tuple σ = ((LST, K', S'), ID_B). This tuple satisfies the following requirements:

(1) (LST, K', S') is a valid e-cash with regard to the bank B.

(2) The adversary F has never requested the private key of the bank B.

(3) σ = ((LST, K', S'), ID_B) has never been queried during the e-cash queries.

Definition 5 (unforgeability). An adversary F is said to be an (ε, t, q_E, q_I, q_H)-forger if it has advantage at least ε in the above game, runs in time at most t, and makes at most q_E, q_I, and q_H extract, e-cash, and hashing queries, respectively. A scheme is said to be (ε, t, q_E, q_I, q_H)-secure against A in the sense of unforgeability against e-cash existential forgery attack if no (ε, t, q_E, q_I, q_H)-forger exists.

Theorem 6. If the CDH problem is hard, then the proposed scheme is secure against e-cash existential forgery attack.

Proof of Theorem 6. Suppose that F is a forger who can forge e-cash in the proposed scheme. A CDH instance (P, xP, yP) is given for x, y ∈_R Z_q^*. By using the forgery algorithm F, we will construct an algorithm A which outputs the CDH solution xyP in G. Algorithm A performs the following simulation by interacting with the forger F.

Setup. Algorithm A sets P_pub = xP and starts by giving F the system parameters, including (P, P_pub).

Table 1. Comparison of features of our scheme with recent schemes.

Scheme             F1    F2    F3    F4    F5    F6
Chen et al. [15]   Yes   Fail  Yes   Yes   Yes   Fail
Fan et al. [18]    Yes   Yes   No    Yes   Yes   No
Juang [19]         Yes   Yes   Yes   Yes   No    No
Zhang et al. [20]  Yes   Yes   Yes   No    No    No
Ours               Yes   Yes   Yes   Yes   Yes   Yes

F1: anonymity/unlinkability; F2: unforgeability; F3: verification; F4: double-spending owner tracing; F5: anonymity revocation; F6: uncheatability of merchant.

Table 2. Required number of rounds for each protocol in the compared schemes.

Scheme             P1   P2   P3   P4   P5
Chen et al. [15]   2    2    1    1    1
Fan et al. [18]    —    4    3    1    —
Juang [19]         3    3    1    1    2
Zhang et al. [20]  —    3    2    1    —
Ours               2    4    3    1    1

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing.

At any time F can query the random oracles H_1, H_2 and make extract and cash queries. To answer these queries, A does the following.

H_1-Queries. At any time F can query the random oracle H_1. To respond to these queries, A maintains a list H_1-list of tuples (ID, W, t, e) as explained below. When an identity ID is submitted to the H_1 oracle, A responds as follows. If the query ID already appears on the H_1-list in a tuple (ID, W, t, e), A responds with H_1(ID) = W. Otherwise A generates a random coin e ∈ {0, 1}. If e = 0, then A computes W = t(yP) for a random t ∈ Z_q^*. If e = 1, then A computes W = tP. A adds the tuple (ID, W, t, e) to the H_1-list and responds to F with H_1(ID) = W.

H_2-Queries. To respond to H_2-queries, A maintains a list referred to as the H_2-list of tuples (LST, K', d). When F queries the H_2 oracle at (LST, K'), A responds as follows. If the query (LST, K') already appears on the H_2-list in a tuple (LST, K', d), then A responds with H_2(LST, K') = d ∈ Z_q. Otherwise A generates a random d ∈ Z_q, adds the tuple (LST, K', d) to the H_2-list, and responds to F with H_2(LST, K') = d.

Extract Queries. When F queries the private key corresponding to ID, A first finds the corresponding (ID, W, t, e) on the H_1-list. If e = 0, then A fails and halts. Otherwise A computes the private key S_ID = t · P_pub = t(xP) by using the tuple (ID, W, t, e) on the H_1-list and responds to F with S_ID.

Cash Queries. If F requests an e-cash on LST under ID, A responds to this query as follows. A first finds the corresponding tuple (ID, W, t, e) on the H_1-list, chooses random numbers l, d ∈ Z_q^*, and computes K' = lP − dW.


Table 3. Comparison of computation costs.

Scheme             P1                 P2            P3        P4        P5
Chen et al. [15]   E + 2H + 3B        4H + 6B       H + 3B    H + 3B    D
Zhang et al. [20]  —                  2H + 2B + L   2H + 3B   2H + 3B   —
Ours               E + 4H + 5B + 2L   2H + 4B       4H + 9B   2H + 8B   D

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing. E: symmetric encryption; D: symmetric decryption; H: hash computation; B: bilinear pairing; L: modular exponentiation.

If (LST, K', d) already appears on the H_2-list, A chooses another l, d ∈ Z_q^* and tries again. Otherwise A computes S' = l · P_pub and stores (LST, K', d) on the H_2-list. Then A responds to F with (S', K'). Indeed the output is a valid e-cash on LST for ID. In fact,
\[
\begin{aligned}
e(K' + H_2(LST, K')Q_B, P_{\mathrm{pub}}) &= e(lP - dW + dW, P_{\mathrm{pub}}) = e(lP, P_{\mathrm{pub}}) \\
&= e(lP_{\mathrm{pub}}, P) = e(S', P). \qquad (43)
\end{aligned}
\]

Output. If A does not abort as a result of F's extract queries, then F's view is identical to its view in the real attack. By the Forking Lemma, after replaying F with the same random tape, A obtains two valid e-cash
\[
(LST, K', S'), \qquad (LST, K', S'^*). \qquad (44)
\]
Correspondingly there are two valid signatures (S, K) and (S^*, K), because
\[
S = (k + h)S_B, \qquad S^* = (k + h^*)S_B. \qquad (45)
\]
So by the security proof of [22], A obtains (xy)P = S_B = (h − h^*)^{-1}(S − S^*).

This completes the proof.
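To make the simulation in the proof of Theorem 6 concrete, here is an added Python sketch (not the paper's code) of algorithm A answering H_1, H_2, extract and cash queries without the bank's private key, with the check of Eq. (43). The pairing group is a stand-in that keeps the algebra but none of the hardness (integers modulo a prime, e(A, B) = A·B mod p), and every parameter is constructed.

```python
# Added example (not the paper's code): the simulator A of the proof of
# Theorem 6, answering H1, H2, extract and cash queries without the bank's
# private key. The pairing group is replaced by a stand-in that keeps the
# algebra but none of the hardness: a group element is an integer mod p
# (generator P = 1, scalar multiplication = modular multiplication) and
# e(A, B) = A*B mod p, which is bilinear. All parameters are constructed.

import random

p = 1000003          # stand-in group order (a prime); constructed
P = 1                # stand-in generator


def pairing(a, b):
    """Stand-in bilinear map e(A, B) on the toy group."""
    return a * b % p


class SimulationAbort(Exception):
    """Raised when A must halt (extract query on an identity with e = 0)."""


class Simulator:
    """Algorithm A from the proof: given a CDH instance (P, xP, yP) it sets
    P_pub = xP and never uses x itself."""

    def __init__(self, xP, yP, seed=0):
        self.Ppub = xP                 # P_pub = xP
        self.yP = yP
        self.rng = random.Random(seed)
        self.h1_list = {}              # ID -> (W, t, e)
        self.h2_list = {}              # (LST, K') -> d

    def h1_query(self, ident):
        if ident in self.h1_list:
            return self.h1_list[ident][0]
        t = self.rng.randrange(1, p)
        e = self.rng.randrange(2)      # random coin e in {0, 1}
        W = t * self.yP % p if e == 0 else t * P % p
        self.h1_list[ident] = (W, t, e)
        return W

    def h2_query(self, lst, K1):
        key = (lst, K1)
        if key not in self.h2_list:
            self.h2_list[key] = self.rng.randrange(p)
        return self.h2_list[key]

    def extract_query(self, ident):
        self.h1_query(ident)           # make sure the H1 tuple exists
        W, t, e = self.h1_list[ident]
        if e == 0:
            raise SimulationAbort(ident)
        return t * self.Ppub % p       # S_ID = t * P_pub = t(xP)

    def cash_query(self, lst, ident):
        W = self.h1_query(ident)
        while True:
            ell = self.rng.randrange(1, p)
            d = self.rng.randrange(1, p)
            K1 = (ell * P - d * W) % p   # K' = lP - dW
            if (lst, K1) not in self.h2_list:
                break                    # else pick new l, d and try again
        self.h2_list[(lst, K1)] = d      # program H2(LST, K') = d
        S1 = ell * self.Ppub % p         # S' = l * P_pub
        return K1, S1


def verify_cash(sim, lst, K1, S1, ident):
    """Eq. (43): e(K' + H2(LST, K') Q_B, P_pub) == e(S', P), Q_B = H1(ID_B)."""
    QB = sim.h1_query(ident)
    d = sim.h2_query(lst, K1)
    lhs = pairing((K1 + d * QB) % p, sim.Ppub)
    rhs = pairing(S1, P)
    return lhs == rhs


def real_private_key(x, QB):
    """What the real key generator would output (S_ID = x * Q_ID); used only
    to check that the simulator's answers on e = 1 identities match it."""
    return x * QB % p
```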

9. Comparisons

In this section we compare our scheme with [15, 18–20] in some features, communication efficiency, and computation cost. The features are anonymity/unlinkability, unforgeability, verification, double-spending owner tracing, anonymity revocation, and uncheatability of merchant. Our scheme satisfies all of the above features, but the others do not. We show the comparison result in Table 1. In Table 2 we compare the communication efficiency of our scheme with the other schemes. Fan et al.'s scheme [18] and Zhang et al.'s scheme [20] are not trustee based and therefore have no license-issuing protocol and no owner tracing protocol. Juang's scheme [19] also has no license-issuing protocol and no owner tracing protocol but has an initializing phase and a recovering phase. For comparison, the numbers of rounds of the initializing phase and the recovering phase in Juang's scheme are counted as the license-issuing protocol and the owner tracing protocol, respectively. By Table 2, the proposed scheme demonstrates better communication efficiency under enhanced security. Our scheme and the schemes [15, 20] are all ID-based schemes using bilinear pairings. So in Table 3 we compare the computation cost of our scheme with the schemes [15, 20]. It is necessary to point out that Zhang et al.'s scheme [20] has no license-issuing protocol and no owner tracing protocol, and that for a fair comparison we have not counted the computation cost of encryption and its related computation in Chen et al.'s scheme. Compared with Chen et al.'s scheme, there are eleven more pairing computations in the proposed scheme. These eleven pairing computations are in the payment protocol and the deposit protocol and are useful to prevent the merchant from cheating. In practice we can use elliptic curves to reduce the computation cost of bilinear pairings.

10. Conclusion

In this paper we show that Chen et al.'s electronic cash scheme suffers from some weaknesses in unforgeability and merchant frauds. To contribute a secure scheme, we propose a new offline electronic cash scheme with anonymity revocation. We also provide formal security proofs of the unlinkability and unforgeability. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This work is supported by the Applied Basic and Advanced Technology Research Programs of Tianjin (no. 15JCYBJC15900).

References

[1] D. Chaum, "Blind signatures for untraceable payments," in Crypto 82, pp. 199–203, Plenum Press, New York, NY, USA, 1983.

[2] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[3] R. Anderson, C. Manifavas, and C. Sutherland, "NetCard—a practical electronic-cash system," in Security Protocols, vol. 1189 of Lecture Notes in Computer Science, pp. 49–57, Springer, Berlin, Germany, 1997.

[4] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in e-cash systems," in Financial Cryptography, vol. 1318 of Lecture Notes in Computer Science, pp. 1–16, Springer, Berlin, Germany, 1997.

[5] G. Maitland and C. Boyd, "Fair electronic cash based on a group signature scheme," in Information and Communication Security, pp. 461–465, Springer, 2001.

[6] D. Chaum and S. Brands, "'Minting' electronic cash," IEEE Spectrum, vol. 34, no. 2, pp. 30–34, 1997.

[7] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Advances in Cryptology—EUROCRYPT 2005, R. Cramer, Ed., vol. 3494 of Lecture Notes in Computer Science, pp. 302–321, Springer, 2005.

[8] H. Wang and Y. Zhang, "Untraceable off-line electronic cash flow in e-commerce," in Proceedings of the 24th Australasian Computer Science Conference (ACSC '01), pp. 191–198, IEEE, Gold Coast, Australia, January–February 2001.

[9] S. Brands, "Untraceable off-line cash in wallet with observers," in Advances in Cryptology—CRYPTO '93, pp. 302–318, Springer, 1994.

[10] C.-Y. Ku, C.-J. Tsao, Y.-H. Lin, and C.-Y. Chen, "An escrow electronic cash system with limited traceability," Information Sciences, vol. 164, no. 1–4, pp. 17–30, 2004.

[11] T. Cao, D. Lin, and R. Xue, "A randomized RSA-based partially blind signature scheme for electronic cash," Computers & Security, vol. 24, no. 1, pp. 44–49, 2005.

[12] W.-S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[13] C. Fan and W. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory (CMCT '07), pp. 405–410, Nantou, Taiwan, 2007.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, no. 3, pp. 637–646, 2013.

[15] Y. Chen, J.-S. Chou, H.-M. Sun, and M.-H. Cho, "A novel electronic cash system with trustee-based anonymity revocation from pairing," Electronic Commerce Research and Applications, vol. 10, no. 6, pp. 673–682, 2011.

[16] Y.-F. Chang, "A critique of 'a novel electronic cash system with trustee-based anonymity revocation from pairing' by Chen, Chou, Sun, and Cho (2011)," Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 441–442, 2012.

[17] Y. L. Chen, J.-S. Chou, H.-M. Sun, and M.-S. Cho, "A response to a critique of 'A novel electronic cash system with trustee-based anonymity revocation from pairing' by Chen, Chou, Sun, and Cho (2011)," Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 443–444, 2012.

[18] C.-I. Fan, V. S. Huang, and Y.-C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, no. 1-2, pp. 227–237, 2013.

[19] W.-S. Juang, "RO-cash: an efficient and practical recoverable pre-paid offline e-cash scheme using bilinear pairings," Journal of Systems and Software, vol. 83, no. 4, pp. 638–645, 2010.

[20] L. Zhang, F. Zhang, B. Qin, and S. Liu, "Provably-secure electronic cash based on certificateless partially-blind signatures," Electronic Commerce Research and Applications, vol. 10, no. 5, pp. 545–552, 2011.

[21] F. Hess, "Efficient identity based signature schemes based on pairings," in Selected Areas in Cryptography: 9th Annual International Workshop, SAC 2002, St. John's, Newfoundland, Canada, August 15-16, 2002, Revised Papers, vol. 2595 of Lecture Notes in Computer Science, pp. 310–324, Springer, Berlin, Germany, 2003.

[22] F. Zhang and F. Kim, "Efficient ID-based blind signature and proxy signature from bilinear pairings," in Proceedings of the 8th Australasian Conference on Information Security and Privacy (ACISP '03), Wollongong, Australia, July 2003, Lecture Notes in Computer Science, pp. 312–323, Springer, 2003.

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Distributed Sensor Networks

International Journal of

Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014

International Journal of

ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia

International Journal of

Biomedical Imaging

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

ArtificialNeural Systems

Advances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Computational Intelligence and Neuroscience

Industrial EngineeringJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Page 8: Research Article Secure Electronic Cash Scheme with Anonymity Revocationdownloads.hindawi.com/journals/misy/2016/2620141.pdf · Research Article Secure Electronic Cash Scheme with

8 Mobile Information Systems

So by equation 1198781015840 = 119886119878 there is a unique 119886 Then byequation ℎ = 119886

minus11198672(119871119878119879 119870

1015840) + 119888 there is a unique 119888

Furthermore when 119878 and 1198781015840 are correctly computed the

following equation holds

119890 (119878 119875) = 119890 (119870 + (119886minus11198672(LST 1198701015840) + 119888)119876

119861 119875pub)

119890 (1198781015840 119875) = 119890 (119870

1015840+ 1198672(LST 1198701015840)119876

119861 119875pub)

(42)

So it holds when 1198701015840 = 119886119870+119886119888119876119861 It is to say that (119886 119888) always

exists regardless of the values (1198711198781198791198701015840 1198781015840) and (119870 ℎ 119878)Therefore even an infinitely powerful bank outputs a correctvalue 1198871015840 with probability of exactly 12 So the proposedscheme satisfies the unlinkability property

Definition 4 (the forgeability game) The adversary F and thechallenger A play the following game

Step 1 The challenger A takes a security parameter andgenerates the public parameters params and sends params tothe adversary F

Step 2 The adversary F can perform polynomially boundednumber of hash queries extract queries and 119890-cash queriesThese three kinds of queries answer the hash function privatekey and 119890-cash query by the adversary F respectively

Step 3 The adversary F outputs a tuple 120590 = ((1198711198781198791198701015840

1198781015840) ID119861) This tuple satisfies the following requirements

(1) (1198711198781198791198701015840 1198781015840) is a valid 119890-cash with regard to the bank119861

(2) The adversary F has never requested the private keyof the bank 119861

(3) 120590 = ((1198711198781198791198701015840 1198781015840) ID119861) has never been queried

during the 119890-cash query

Definition 5 (unforgeability) An adversary F is said to bean (120576 119905 119902

119864 119902119868 119902119867)-forger if it has advantage at least 120576 in the

above game runs in time at most 119905 and makes at most 119902119864

119902119868 and 119902

119867extract 119890-cash and hashing queries respectively

A scheme is said to be (120576 119905 119902119864 119902119868 119902119867)-secure against A in the

sense of unforgeable against 119890-cash existential forgery attackif no (120576 119905 119902

119864 119902119868 119902119867)-forger exists

Theorem 6 If the CDH problem is hard then the proposedscheme is secure against 119890-cash existential forgery attack

Proof of Theorem 6 Suppose that F is a forger who can forge119890-cash in the proposed schemeACDH instance (119875 119909119875 119910119875) isgiven for 119909 119910 isin

119877119885lowast

119902 By using the forgery algorithm F we will

construct an algorithm A which outputs the CDH solution119909119910119875 in 119866 Algorithm A performs the following simulation byinteracting with the forger F

Setup Algorithm A sets 119875pub = 119909119875 and starts by giving F thesystem parameters including (119875 119875pub)

Table 1 Comparison of features of our schemewith recent schemes

F1 F2 F3 F4 F5 F6Chen et al [15] Yes Fail Yes Yes Yes FailFan et al [18] Yes Yes No Yes Yes NoJuang [19] Yes Yes Yes Yes No NoZhang et al [20] Yes Yes Yes No No NoOurs Yes Yes Yes Yes Yes YesF1 anonymityunlinkability F2 unforgeability F3 verification F4 double-spending owner tracing F5 anonymity revocation F6 uncheatability ofmerchant

Table 2 Required number of rounds for each protocol in comparedschemes

P1 P2 P3 P4 P5Chen et al [15] 2 2 1 1 1Fan et al [18] mdash 4 3 1 mdashJuang [19] 3 3 1 1 2Zhang et al [20] mdash 3 2 1 mdashOurs 2 4 3 1 1P1 license-issuing protocol P2 withdrawal protocol P3 payment protocolP4 deposit protocol P5 owner tracing

At any time F can query the random oracle 1198671 1198672and

extract and cash queries To answer these queries A does thefollowing

1198671-Queries At any time F can query the random oracle 119867

1

To respond to these queries A maintains a list 1198671-list of

tuples (ID119882 119905 119890) as explained below When an identity IDis submitted to the 119867

1oracle A responds as follows If the

query ID already appears on the1198671-list in a tuple (ID119882 119905 119890)

A responds with 1198671(ID) = 119882 Otherwise A generates a

random coin 119890 isin 0 1 If 119890 = 0 then A computes119882 = 119905(119910119875)

for a random 119905 isin 119885lowast

119902 If 119890 = 1 then A computes119882 = 119905119875 A

adds the tuple (ID119882 119905 119890) to 1198671-list and responds to F with

1198671(ID) = 119882

1198672-Queries To respond to 119867

2-Queries A maintains a list

referred to as1198672-list of tuples (119871119878119879 1198701015840 119889) When F queries

the 1198672oracle at (119871119878119879 119870

1015840) A responds as follows If the

query (119871119878119879 1198701015840) already appears on the 119867

2-list in a tuple

(119871119878119879 1198701015840 119889) then A responds with119867

2(119871119878119879 119870

1015840) = 119889 isin 119885

119902

Otherwise A generates a random 119889 isin 119885119902and adds the tuples

(119871119878119879 1198701015840 119889) to 119867

2-list and responds to F with 119867

2(119871119878119879

1198701015840) = 119889

Extract Queries When F queries the private key correspond-ing to ID A first finds the corresponding (ID119882 119905 119890) fromthe 119867

1-list If 119890 = 0 then A fails and halts Otherwise A

computes the private key 119878ID = 119905 sdot 119875pub = 119905(119909119875) by using thetuple (ID119882 119905 119890) in the119867

1-list and responds to F with 119878ID

Cash Queries If F requests an 119890-cash on 119871119878119879 under ID Aresponds to this query as follows A first finds the corre-sponding tuple (ID119882 119905 119890) from 119867

1-list and chooses one

random number 119897 119889 isin 119885lowast

119902and computes 1198701015840 = 119897119875 minus 119889119882

Mobile Information Systems 9

Table 3 Comparison of computation costs

P1 P2 P3 P4 P5Chen et al [15] E + 2H + 3B 4H + 6B H + 3B H + 3B DZhang et al [20] mdash 2H + 2B + L 2H + 3B 2H + 3B mdashOurs E + 4H + 5B + 2L 2H + 4B 4H + 9B 2H + 8B DP1 license-issuing protocol P2 withdrawal protocol P3 payment protocol P4 deposit protocol P5 owner tracingE symmetrical encryption D symmetrical decryption H hash computation B bilinear pairings L modular exponentiation

If (119871119878119879 1198701015840 119889) already appears on the 119867

2-list A chooses

another 119897 119889 isin 119885lowast

119902and tries again Otherwise A computes

1198781015840= 119897 sdot 119875pub and stores (119871119878119879 119870

1015840 119889) on the 119867

2-list Then A

responds to F with (1198781015840 1198701015840) Indeed the output is valid 119890-cashon 119871119878119879 for ID In fact

119890 (1198701015840+ 1198672(LST 1198701015840)119876

119861 119875pub)

= 119890 (119897119875 minus 119889119882 + 119889119882119875pub) = 119890 (119897119875 119875pub)

= 119890 (119897119875pub 119875) = 119890 (1198781015840 119875)

(43)

Output If A does not abort as a result of Frsquos extract querythen Frsquos view is identical to its view in the real attack ByForking Lemma after replying F with the same random tapeA obtains two valid 119890-cash

(1198711198781198791198701015840 1198781015840)

(1198711198781198791198701015840 1198781015840lowast)

(44)

Correspondingly there are two valid signatures (119878 119870) and(119878lowast 119870) because

119878 = (119896 + ℎ) 119878119861

119878lowast= (119896 + ℎ

lowast) 119878119861

(45)

So by the security proof of [22] A obtains (119909119910)119875 = 119878119861=

(ℎ minus ℎlowast)minus1(119878 minus 119878

lowast)

This completes the proof

9 Comparisons

In this section, we compare our scheme with [15, 18–20] in terms of features, communication efficiency, and computation cost. The features are anonymity/unlinkability, unforgeability, verification, double-spending, owner tracing, anonymity revocation, and uncheatability of the merchant. Our scheme satisfies all of the above features, whereas the others do not. The comparison result is shown in Table 1. In Table 2, we compare the communication efficiency of our scheme with the other schemes. Fan et al.'s scheme [18] and Zhang et al.'s scheme [20] are not trustee based and therefore have neither a license-issuing protocol nor an owner tracing protocol. Juang's scheme [19] also has no license-issuing protocol or owner tracing protocol, but it has an initializing phase and a recovering phase; for comparison, the numbers of rounds of the initializing phase and the recovering phase in Juang's scheme are counted as those of the license-issuing protocol and the owner tracing protocol, respectively. By Table 2, the proposed scheme demonstrates better communication efficiency under enhanced security.

Our scheme and the schemes of [15, 20] are all ID-based schemes using bilinear pairings, so in Table 3 we compare the computation cost of our scheme with the schemes of [15, 20]. Note that Zhang et al.'s scheme [20] has no license-issuing protocol or owner tracing protocol, and that, for a fair comparison, we have not counted the computation cost of the encryption-related operations in Chen et al.'s scheme. Compared with Chen et al.'s scheme, the proposed scheme requires eleven more pairing computations. These eleven pairing computations are in the payment protocol and the deposit protocol, and they serve to prevent the merchant from cheating. In practice, the cost of the bilinear pairings can be reduced by choosing suitable pairing-friendly elliptic curves.

10 Conclusion

In this paper, we show that Chen et al.'s electronic cash scheme suffers from weaknesses in unforgeability and is open to merchant fraud. To contribute a secure scheme, we propose a new offline electronic cash scheme with anonymity revocation. We also provide formal security proofs of unlinkability and unforgeability. Furthermore, the proposed scheme ensures the property of avoiding merchant fraud.

Competing Interests

The authors declare that they have no competing interests

Acknowledgments

This work is supported by the Applied Basic and Advanced Technology Research Programs of Tianjin (no. 15JCYBJC15900).

References

[1] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology: Proceedings of CRYPTO '82, pp. 199–203, Plenum Press, New York, NY, USA, 1983.

[2] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[3] R. Anderson, C. Manifavas, and C. Sutherland, "NetCard: a practical electronic-cash system," in Security Protocols, vol. 1189 of Lecture Notes in Computer Science, pp. 49–57, Springer, Berlin, Germany, 1997.

[4] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in e-cash systems," in Financial Cryptography, vol. 1318 of Lecture Notes in Computer Science, pp. 1–16, Springer, Berlin, Germany, 1997.

[5] G. Maitland and C. Boyd, "Fair electronic cash based on a group signature scheme," in Information and Communication Security, pp. 461–465, Springer, 2001.

[6] D. Chaum and S. Brands, "'Minting' electronic cash," IEEE Spectrum, vol. 34, no. 2, pp. 30–34, 1997.

[7] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Advances in Cryptology: EUROCRYPT 2005, R. Cramer, Ed., vol. 3494 of Lecture Notes in Computer Science, pp. 302–321, Springer, 2005.

[8] H. Wang and Y. Zhang, "Untraceable off-line electronic cash flow in e-commerce," in Proceedings of the 24th Australasian Computer Science Conference (ACSC '01), pp. 191–198, IEEE, Gold Coast, Australia, January–February 2001.

[9] S. Brands, "Untraceable off-line cash in wallet with observers," in Advances in Cryptology: CRYPTO '93, pp. 302–318, Springer, 1994.

[10] C.-Y. Ku, C.-J. Tsao, Y.-H. Lin, and C.-Y. Chen, "An escrow electronic cash system with limited traceability," Information Sciences, vol. 164, no. 1–4, pp. 17–30, 2004.

[11] T. Cao, D. Lin, and R. Xue, "A randomized RSA-based partially blind signature scheme for electronic cash," Computers & Security, vol. 24, no. 1, pp. 44–49, 2005.

[12] W.-S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[13] C. Fan and W. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory (CMCT '07), pp. 405–410, Nantou, Taiwan, 2007.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, no. 3, pp. 637–646, 2013.

[15] Y. Chen, J.-S. Chou, H.-M. Sun, and M.-H. Cho, "A novel electronic cash system with trustee-based anonymity revocation from pairing," Electronic Commerce Research and Applications, vol. 10, no. 6, pp. 673–682, 2011.

[16] Y.-F. Chang, "A critique of 'A novel electronic cash system with trustee-based anonymity revocation from pairing' by Chen, Chou, Sun, and Cho (2011)," Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 441–442, 2012.

[17] Y. L. Chen, J.-S. Chou, H.-M. Sun, and M.-S. Cho, "A response to a critique of 'A novel electronic cash system with trustee-based anonymity revocation from pairing' by Chen, Chou, Sun, and Cho (2011)," Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 443–444, 2012.

[18] C.-I. Fan, V. S. Huang, and Y.-C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, no. 1-2, pp. 227–237, 2013.

[19] W.-S. Juang, "RO-cash: an efficient and practical recoverable pre-paid offline e-cash scheme using bilinear pairings," Journal of Systems and Software, vol. 83, no. 4, pp. 638–645, 2010.

[20] L. Zhang, F. Zhang, B. Qin, and S. Liu, "Provably-secure electronic cash based on certificateless partially-blind signatures," Electronic Commerce Research and Applications, vol. 10, no. 5, pp. 545–552, 2011.

[21] F. Hess, "Efficient identity based signature schemes based on pairings," in Selected Areas in Cryptography: 9th Annual International Workshop, SAC 2002, St. John's, Newfoundland, Canada, August 15–16, 2002, Revised Papers, vol. 2595 of Lecture Notes in Computer Science, pp. 310–324, Springer, Berlin, Germany, 2003.

[22] F. Zhang and K. Kim, "Efficient ID-based blind signature and proxy signature from bilinear pairings," in Proceedings of the 8th Australasian Conference on Information Security and Privacy (ACISP '03), Wollongong, Australia, July 2003, Lecture Notes in Computer Science, pp. 312–323, Springer, 2003.

