
Post on 23-Mar-2020


  • Research Article Secure Electronic Cash Scheme with Anonymity Revocation

    Baoyuan Kang and Danhui Xu

    School of Computer Science and Software, Tianjin Polytechnic University, Tianjin 300387, China

    Correspondence should be addressed to Baoyuan Kang; baoyuankang@aliyun.com

    Received 8 September 2015; Revised 14 December 2015; Accepted 1 March 2016

    Academic Editor: Francesco Gringoli

    Copyright © 2016 B. Kang and D. Xu. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

    In a popular electronic cash scheme, there are three participants: the bank, the customer, and the merchant. First, a customer opens an account in a bank. Then, he withdraws an 𝑒-cash from his account and pays it to a merchant. After checking the electronic cash's validity, the merchant accepts it and deposits it to the bank. There are a number of requirements for an electronic cash scheme, such as anonymity, unforgeability, unreusability, divisibility, transferability, and portability. The anonymity property of electronic cash schemes can ensure the privacy of payers. However, this anonymity property is easily abused by criminals. In 2011, Chen et al. proposed a novel electronic cash system with trustee-based anonymity revocation from pairing. On demand, the trustee can disclose the identity for 𝑒-cash. But, in this paper, we point out that Chen et al.'s scheme is subject to some drawbacks. To contribute to secure electronic cash schemes, we propose a new offline electronic cash scheme with anonymity revocation. We also provide formal security proofs of the unlinkability and unforgeability. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

    1. Introduction

    Due to the fast progress of computer networks and the Internet, information technology is used in electronic commerce. Many electronic commerce services can be found over the Internet. So, an electronic payment mechanism is necessary for electronic commerce, and electronic payment is one of the key issues of electronic commerce development. To realize the digitalization of traditional cash and electronic payment, in 1983, Chaum suggested the first electronic cash scheme [1]. Popularly, in an electronic cash scheme, there are three participants: the bank, the customer, and the merchant. First, a customer opens an account in a bank. Then, he withdraws an 𝑒-cash from his account and pays it to a merchant. After checking the electronic cash's validity, the merchant accepts it and deposits it to the bank. For security and efficiency, there are a number of requirements for an electronic cash scheme, such as anonymity, unforgeability, unreusability, divisibility, transferability, and portability [2]. Some of them are listed below.

    Anonymity/Unlinkability. The customer of the cash must be anonymous. As long as the coin is spent legitimately, neither the merchant nor the bank can identify the customer of the coin.

    Unforgeability. Only authorized banks can generate electronic cash.

    Unreusability. The electronic cash cannot be reused. The scheme can detect the malicious customer, who spends the cash twice.

    Electronic cash schemes can be divided into two categories: online and offline. In online schemes, when a coin is paid to a merchant, the bank must take part to validate the coin and detect its reuse. But, in offline schemes, double spending can only be figured out when the merchant deposits the coin to the bank in the next phase. After Chaum's scheme, a lot of electronic cash schemes [3–9] have been proposed based on blind signatures and restrictive blind signatures. Afterward, many more complex schemes have been proposed [10–13]. Recently, Eslami and Talebi proposed an untraceable electronic cash scheme [2] and claimed that their scheme satisfies all main security requirements, such as anonymity, unreusability, and date attachability. However, Baseri et al. [14] showed that Eslami and Talebi's scheme is subject to some weaknesses in perceptibility of double spender, unforgeability, and date attachability. Baseri et al. also contributed a novel electronic cash scheme.

    Hindawi Publishing Corporation, Mobile Information Systems, Volume 2016, Article ID 2620141, 10 pages, http://dx.doi.org/10.1155/2016/2620141

    Untraceable electronic cash is an attractive payment tool for electronic commerce because its anonymity property can ensure the privacy of payers. However, this anonymity property is easily abused by criminals. In 2011, Chen et al. [15] proposed an electronic cash system with trustee-based anonymity revocation from pairing. On demand, the trustee can disclose the identity of the owner of an 𝑒-cash. Chen et al. claimed that their scheme is the first attempt to incorporate mutual authentication and key agreement into 𝑒-cash protocols and that their scheme satisfies the security requirements of untraceability, verifiability, unforgeability, and anonymity revocation. But, in 2012, Chang [16] claimed to have found some weaknesses in Chen et al.'s scheme. Then, Chen et al. [17] immediately provided a response to rebut Chang's attacks. By thoroughly investigating Chen et al.'s scheme, we find that, although Chang's attacks are indeed wrong, Chen et al.'s scheme is nevertheless insecure. Chen et al.'s scheme is subject to some drawbacks. (1) The first flaw is the attack on the unforgeability by the dishonest customer. (2) The second flaw is the attack on double spending owner tracing. (3) The third flaw is the potential bank attack.

    To contribute to secure electronic cash schemes, we propose a new offline electronic cash scheme with anonymity revocation. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

    The remainder of this paper is organized as follows. The related concepts of bilinear pairing and the CDH problem are introduced in Section 2. In Section 3, we show some weaknesses of Chen et al.'s scheme. In Section 4, we propose a new electronic cash scheme with anonymity revocation. In Section 5, we show the verifiability of the proposed scheme. Double spender detection is covered in Section 6. In Section 7, we show that the proposed scheme satisfies uncheatability of merchants. Provable security of our scheme is covered in Section 8. In Section 9, we compare our scheme with the others. Finally, conclusions are given in Section 10.

    2. Preliminary

    2.1. The Bilinear Pairing. Let $G_1$ be a cyclic additive group generated by $P$, whose order is a prime $q$, and let $G_2$ be a cyclic multiplicative group of the same order. Let $e : G_1 \times G_1 \to G_2$ be a pairing map which satisfies the following conditions:

    (1) Bilinearity: for any $P, Q, R \in G_1$, we have $e(P + Q, R) = e(P, R)\,e(Q, R)$. In particular, for any $a, b \in Z_q$, $e(aP, bP) = e(P, abP) = e(abP, P) = e(P, P)^{ab}$.

    (2) Nondegeneracy: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.

    (3) Computability: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

    2.2. The CDH Problem. Let $G$ be a cyclic additive group of prime order $q$ and $P$ a generator of $G$. The computational Diffie-Hellman (CDH) problem is to compute $abP$ for given $P, aP, bP \in G$.

    3. Effective Attacks on Chen et al.’s Scheme

    In this section, we show the drawbacks of Chen et al.’s scheme [15]. For the sake of brevity, we omit the review of Chen et al.’s scheme. To know Chen et al.’s scheme in detail, readers can read literature [15].

    3.1. Attack on the Unforgeability by the Dishonest Customer. When the customer obtains an 𝑒-cash $\{CNO, LST, (R, S)\}$, he can randomly select $a \in Z_q^*$ and forge the 𝑒-cash $\{CNO, a \cdot LST, (a \cdot R, a \cdot S)\}$, because the 𝑒-cash $\{CNO, LST, (R, S)\}$ satisfies

    $$e(S, P) = e(H_3(CNO)\,Q_B, R) \cdot e(LST \cdot Q_B, P_{\mathrm{pub}}). \tag{1}$$

    So,

    $$e(S, P)^{a} = e(H_3(CNO)\,Q_B, R)^{a} \cdot e(LST \cdot Q_B, P_{\mathrm{pub}})^{a}. \tag{2}$$

    Then,

    $$e(a \cdot S, P) = e(H_3(CNO)\,Q_B, a \cdot R) \cdot e(a \cdot LST \cdot Q_B, P_{\mathrm{pub}}). \tag{3}$$

    That is to say, the customer forges a valid 𝑒-cash $\{CNO, a \cdot LST, (a \cdot R, a \cdot S)\}$.

    Of course, in the payment protocol, when the merchant gets an 𝑒-cash from customers, he can also forge 𝑒-cash in the same way. Further, these forged 𝑒-cash make the scheme fail in double spending owner tracing, because it is impossible to find the customer identity from $a \cdot LST$.

    Note that $(R, S)$ is a signature on $CNO$ and $LST$. Furthermore, $CNO$ does not serve to distinguish one 𝑒-cash from another. $CNO$ is only a randomly selected number. Any customer can randomly choose any $CNO$ for their 𝑒-cash. If $CNO$ has some function, it is only for a particular customer. It is not strange that different customers may choose the same $CNO$ for their 𝑒-cash. So, this attack is a successful forgery.
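The homogeneity argument of equations (1) to (3) can be checked numerically. The following is an added example, not code from the paper or from Chen et al.: it assumes a toy, insecure pairing over small constructed parameters, a SHA-256 stand-in for $H_3$, and a sample coin built by solving equation (1) directly rather than by the real withdrawal protocol.

```python
import hashlib

# Toy symmetric pairing (constructed for illustration, NOT secure): a G1 element
# x*P is stored as x mod q, G2 is the order-q subgroup of Z_p^*, and
# e(xP, yP) = g^(x*y) mod p, which is bilinear and non-degenerate.
q = 1019            # prime order of G1 and G2
p = 2 * q + 1       # 2039, also prime
g = 4               # generator of the order-q subgroup of Z_p^*
P = 1               # generator of G1 in this representation


def pairing(x, y):
    return pow(g, (x * y) % q, p)


def H3(cno):
    # Stand-in for the scheme's H_3: hash the coin number into Z_q.
    return int.from_bytes(hashlib.sha256(cno).digest(), "big") % q


def verify(cno, lst, R, S, Q_B, P_pub):
    # Equation (1): e(S, P) = e(H3(CNO) Q_B, R) * e(LST * Q_B, P_pub)
    rhs = pairing(H3(cno) * Q_B % q, R) * pairing(lst * Q_B % q, P_pub) % p
    return pairing(S, P) == rhs


def sample_coin():
    # Constructed values. S is obtained by solving equation (1) with the toy
    # model's known discrete logs; this is not Chen et al.'s withdrawal protocol.
    Q_B, P_pub, cno, lst, R = 123, 456, b"constructed-CNO", 777, 321
    while True:
        S = (H3(cno) * Q_B * R + lst * Q_B * P_pub) % q
        if S != 0:      # keep S non-trivial so the partial-scaling check is meaningful
            return cno, lst, R, S, Q_B, P_pub
        R += 1


def scaled_checks(a):
    cno, lst, R, S, Q_B, P_pub = sample_coin()
    return {
        "original": verify(cno, lst, R, S, Q_B, P_pub),
        # All three components scaled by a, as in equation (3).
        "all_scaled": verify(cno, a * lst % q, a * R % q, a * S % q, Q_B, P_pub),
        # Only S scaled: the two sides of equation (1) no longer match.
        "only_S_scaled": verify(cno, lst, R, a * S % q, Q_B, P_pub),
        "lst_changed": a * lst % q != lst,
    }


if __name__ == "__main__":
    print(scaled_checks(5))
```

Because equation (1) is the only check, a verifier cannot tell the uniformly scaled tuple from the issued one, while the $LST$ value it carries no longer equals the one recorded at withdrawal.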

    3.2. Attack by the Dishonest Merchant. In practice, there are always many merchants from different shops. After receiving
