A practical off-line digital money system with partially blind signatures based on the discrete logarithm problem. From: IEICE TRANS. FUNDAMENTALS, VOL.E83-A, No.1.


1 A practical off-line digital money system with partially blind signatures based on the discrete logarithm problem
From: IEICE TRANS. FUNDAMENTALS, VOL.E83-A, No.1, JANUARY 2000
Authors: Shingo MIYAZAKI and Kouichi SAKURAI
Presented by: Kuo Shu Chuan

2 Outline
- Introduction
- Their proposed system
- Concluding remarks

3 Introduction
- Chaum proposed an anonymous untraceable e-money system in 1983.
- Chaum et al. presented an off-line e-money system in 1988.
- Abe and Fujisaki proposed the partially blind signature (PBS) in 1996.
- This paper applies Brands' idea of the secret key certificate.

4 Their proposed system
- Registration
- Withdrawal
- Payment
- Deposit
- Tracing a double-spender

5 [Diagram. Parties: Bank, User, Shop, Registration Center (RC). Labels: Withdrawal protocol, Payment protocol, Deposit protocol, "Obtain the certificate of its own secret key".]

6 Registration
Each user obtains the certificate (r, s) of its own secret key.
System parameters:
- A large prime p
- A prime factor q (p = 2q + 1)
- A generator g in $Z_p^*$ of order q
- $(S_{A0}, S_{A1})$ is a secret key of user A
- $(S_{R0}, S_{R1})$ is a secret key of RC
- $S_{A1}$ is preserved as the ID of A in the RC's database.

7 Registration (cont.)
A's public key: $P_A = g^{S_{A0}} h_1^{S_{A1}} \bmod p$
RC's public key: $h_0 = g^{S_{R0}}$ and $h_1 = g^{S_{R1}} \pmod p$
A gets the certificate (r, s) from RC:
Step 1 (RC): RC selects   R Z q and computes a=g  mod p. RC sends a to A.
Step 2 (A): A chooses ,   R Z q, computes r=H(ag  (h 0 h 1 S A1 )  mod p ŕ=r+  mod q, and sends ŕ to RC.

8 Registration (cont.)
Step 3: RC computes ś= ŕ (S R0 + S R1 S A1 )+  mod p and sends ś to A.
Step 4: A verifies whether $a = g^{ś} (h_0 h_1^{S_{A1}})^{-ŕ} \bmod p$. A computes s= ś+rS A0 +  
The verification formula for the certificate (r, s) of A's key is: $H(g^s (h_0 P_A)^{-r} \bmod p) = r$ ?

9 Withdrawal
The secret key of the bank (B) is $(x_1, x_2)$ and its public key is $y_1 = g^{x_1} \bmod p$; $y_2 = g^{x_2} \bmod p$.
Step 1: A generates k 0,k 1  R Z q and computes $t = g^{k_0} h_1^{k_1} \bmod p$. A requests B's signature on the message (m, I) through the PBS protocol.
- $m = (P_A \| t)$ is a blind part for B.
- I is a clear part including the amount of money and the date.

10 Withdrawal (cont.)
Step 2: After deducting the amount of money withdrawn from A's account, B sends its own signature $\mathrm{Sig}_B^{(I)}[m]$ on (m, I) through the PBS protocol.
Step 3: A verifies B's signature $\mathrm{Sig}_B^{(I)}[m]$.

11 Payment
User A makes a payment to shop S as follows.
Step 1: A sends ($\mathrm{Sig}_B^{(I)}[m]$, m) and the certificate (r, s) to shop S.
Step 2: S verifies B's signature on the e-money and the certificate (r, s). If they are correct, S generates a challenge M and sends M to A.

12 Payment (cont.)
Step 3: A signs the challenge M with its own secret key and sends S a 3-tuple (t, u, v):
$u = h(M) k_0 + S_{A0} t \bmod q$
$v = h(M) k_1 + S_{A1} t \bmod q$
Step 4: S verifies A's signature on the challenge M with $g^u h_1^v = t^{h(M)} P_A^t \bmod p$.

13 Deposit
S sends B the e-money (($\mathrm{Sig}_B^{(I)}[m]$, m), (r, s), (t, u, v, M)).
Step 1: B verifies ($\mathrm{Sig}_B^{(I)}[m]$, m).
Step 2: B compares ($\mathrm{Sig}_B^{(I)}[m]$, m) to the list of previously deposited money stored in its database. If ($\mathrm{Sig}_B^{(I)}[m]$, m) is not yet in B's database, B adds it to the list, linking the money to S, and increases the amount in S's account.

14 Tracing a double spender
During a deposit, if B discovers that the deposited coin is already in its database, it checks:
$v_1 = h(M_1) k_1 + S_{A1} t \bmod q$ ... (1)
$v_2 = h(M_2) k_1 + S_{A1} t \bmod q$ ... (2)
B computes $v_1 - v_2$ to obtain $k_1$, then gets $S_{A1}$ from (1) or (2), and detects the double-spender (by asking RC about his name).
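The payment response from slide 12 and the tracing step from slide 14, worked through as an added Python example (not code from the paper or the presentation). The toy parameters, keys, challenge strings and the SHA-256 stand-in for h are constructed assumptions; the division by h(M_1) - h(M_2) is the step that turns v_1 - v_2 into k_1.

```python
import hashlib, secrets

# Constructed toy parameters (far too small for real use): p = 2q + 1.
q, p = 1019, 2039
g = 4                      # a square mod p, so it has order q
h1 = pow(g, 777, p)        # RC public key h_1 = g^{S_R1}; 777 is a made-up S_R1

def H(msg: bytes) -> int:
    """Hash a shop challenge M into Z_q (stand-in for the slides' h)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def new_coin():
    """Withdrawal step 1: pick k_0, k_1 and commit t = g^k0 * h1^k1 mod p."""
    while True:
        k0, k1 = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
        t = pow(g, k0, p) * pow(h1, k1, p) % p
        if t % q:          # tracing divides by t mod q, so reject t = 0 mod q
            return k0, k1, t

def pay(M, sk, coin):
    """Payment step 3: respond (t, u, v) to challenge M."""
    (s0, s1), (k0, k1, t), c = sk, coin, H(M)
    return t, (c * k0 + s0 * t) % q, (c * k1 + s1 * t) % q

def shop_verify(M, resp, PA):
    """Payment step 4: g^u h1^v == t^h(M) * P_A^t mod p."""
    t, u, v = resp
    return pow(g, u, p) * pow(h1, v, p) % p == pow(t, H(M), p) * pow(PA, t, p) % p

def trace(M1, resp1, M2, resp2):
    """Bank: recover (k_1, S_A1) from two deposits of the same coin."""
    (t, _, v1), (t2, _, v2) = resp1, resp2
    dc = (H(M1) - H(M2)) % q
    if t != t2 or dc == 0:
        return None        # different coins, or challenges collide in Z_q
    k1 = (v1 - v2) * pow(dc, -1, q) % q
    return k1, (v1 - H(M1) * k1) * pow(t, -1, q) % q

def demo():
    sk = (123, 456)                       # constructed (S_A0, S_A1)
    PA = pow(g, sk[0], p) * pow(h1, sk[1], p) % p
    coin = new_coin()
    M1, M2 = b"shop-1|order-17", b"shop-2|order-42"
    r1, r2 = pay(M1, sk, coin), pay(M2, sk, coin)
    assert shop_verify(M1, r1, PA) and shop_verify(M2, r2, PA)
    return trace(M1, r1, M2, r2), coin[1], sk[1]

if __name__ == "__main__":
    print(demo())
```

A single response (t, u, v) gives the bank one equation in the two unknowns k_1 and S_A1, which is why an honest one-time spender stays anonymous.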

15 Concluding remarks
Two challenging problems:
- To discuss the provable security of the proposed system.
- To design a divisible e-money system with the partially blind signature.

