1. Current issues of e-cash and Fair tracing Network Security Term Project Kim Byeong Gon Cais Lab of ICU 2002.10.10

2. Contents  Overview of e-cash  Classification  Curren issues  Goal  Basic Protocol  Examples of Countermeasures  Fair tracing  Building blocks  Previous work  Future work  References Network Security Term Project Fair tracing

3. Overview of e-cash  Similar names are Electronic money, Cyber money, e-cash, virtual currency  Classification of Electronic payment Network Security Term Project Fair tracing By functionality By Payment By Settlement

4. Classification (1/3)  Classification by functionality Network Security Term Project Fair tracing IC card type  Open - Value transfer is possible between card owner - Perfect E-wallet is need terminal is need - Mondex  Closed - Value transfer is impossible between card owner - VisaCash IC card type  Open - Value transfer is possible between card owner - Perfect E-wallet is need terminal is need - Mondex  Closed - Value transfer is impossible between card owner - VisaCash Network type  Re-charge is easy  Use network  suitable for e-commerce Network type  Re-charge is easy  Use network  suitable for e-commerce

5. Classification (2/3)  Classification by Settlement Network Security Term Project Fair tracing Credit E-mail First Virtual CyberCash Microsoft/Visa Netscape/MasterCard Credit E-mail First Virtual CyberCash Microsoft/Visa Netscape/MasterCard Token DigiCash NetCash Token DigiCash NetCash Cash Mondex Cash Mondex Prepaid(Debit) BankNet FSTC Electronic Checks Prepaid(Debit) BankNet FSTC Electronic Checks

6. Classification (3/3)  Classification by payment Network Security Term Project Fair tracing e-cash IC card type Network type Visa International : Visa Cash DigiCash : E-Cash Electronic Payment Service : SmartCash CyberCash : CyberCoin Mondex International : Mondex California Univ. : NetCash e-cash IC card type Network type Visa International : Visa Cash DigiCash : E-Cash Electronic Payment Service : SmartCash CyberCash : CyberCoin Mondex International : Mondex California Univ. : NetCash Micro-payment system Millicent PayWord MicroMint Micro-payment system Millicent PayWord MicroMint Credit card (Network type) CyberCash : Cyber Card Service First Virtual Holdings : International Payment System SET Credit card (Network type) CyberCash : Cyber Card Service First Virtual Holdings : International Payment System SET e-check (Network type) Checkfree : Checkfree Payment Service STC : Electronic Check California Univ. : NetCheque NetChex Echeque e-check (Network type) Checkfree : Checkfree Payment Service STC : Electronic Check California Univ. : NetCheque NetChex Echeque Account transfer (Network type) Intuit : Quicken Microsoft : Money Meca Software : Managing Your Money SFNB(Security First Network Bank) NetBill MetaLand Account transfer (Network type) Intuit : Quicken Microsoft : Money Meca Software : Managing Your Money SFNB(Security First Network Bank) NetBill MetaLand

7. Current Issues  E-cash requirements  Anonymity : Untraceability  Anonymous revocation : Traceability  Double spent prevention  Off-line  Transferability  Divisibility  Bank robbery attack  Bank framing : Unforgeability  Etc. Network Security Term Project Fair tracing

8. Goals  In this term project, I will suggest an enhanced scheme for fair tracing or fair exchange of e-cash. Network Security Term Project Fair tracing

9. Basic Protocol(1/2) Network Security Term Project Fair tracing  Notations SK B : Bank’s secrete key PK B : Bank’s public key {M} SK : Message and its signature under key SK  A first-Try Protocol Withdrawal Protocol 1. User tells Bank she would like to withdraw $10. 2. Bank returns a $10 bill which looks like this : {I am a $10 bill, #4527} SK B and withdraw $10 from User account. 3. User checks the signature and if it is valid accepts the bill.

10. Basic Protocol(2/2) Network Security Term Project Fair tracing Payment Protocol 1. The User pays the Vendor with the bill. 2. The Vendor checks the signature and if it is valid, accepts the bill. Deposit Protocol 1. The Vendor gives the bill to the Bank. 2. The Bank checks the signature and if it is valid, credits the Vendor’s account  Basic problems of this scheme are - Duplicate, Double-spending - Anonymity : Bank can link user and serial number, therefore bank know where the user spent the coin. - Many other issues

11. Examples of Countermeasures (1/2) Network Security Term Project Fair tracing  Anonymity Problem ▶ Blind Signature Bank cannot know which bill is who’s one. But, user can cheat the bank about real amount. ▶ Fixing the dollar amount Use several PKi B for each bills of i dollars. ▶ Cut and Choose 1. User makes up 100 $20 bills. 2. Blinds them using r i  R Z p and gives it to the Bank 3. Bank picks one to sign(at random), User unblind all of the rest. Ensures that all of the bills that were unblinded were correct. Return one signed $20 bill. (1/100 probability of cheating)

12. Examples of Countermeasures (2/2) Network Security Term Project Fair tracing  double Spending Problem (off-line) ▶ RIS(Random Identity String) During the payment, the User is forced to write RIS on the bill. RIS must have the following properties, - must be different for every payment of the coin - only the user can create a valid RIS - two different RIS on the same coin should allow the Bank to retrieve the User name ex) The User prepares 100 bills of $20 which look like this : M i = (I’m $20 bill, #4527i, y i1,y i1 ’, y i2,y i2 ’,…. y ik,y ik ’) where i = 1..100, y ij = H(x ij ), y ij ’= H(x ij ’), where x ij ⊕ x ij ’ = User name for all i,j

13. Fair Tracing Network Security Term Project Fair tracing  Unconditional anonymity [vSN92] This may be misused for untraceable blackmailing of customers(perfect crime)  Revocable anonymity [SPC95,DFTY97] One or more TTP can link the the withdrawal and the deposit of coins Coin tracing : Is the withdrawn coin is deposited? Owner tracing : Who is the withdrawer of this deposited coin?  Fair Tracing problem [KV01] Legal Tracing : If it has been permitted by a judge or by the withdrawer. Illegal Tracing : If is is used without the permission of a judge or of withdrawer Fair Tracing : Legal tracing is always possible, but illegal tracing is inhibited. This is optimistic because illegal tracing can be detected later.

14. Building Blocks Network Security Term Project Fair tracing  Okamoto-Schnorr Blind Signature p,q : two large primes such that q/p-1 g 1, g 2  Z p * with order q Public key pair of signer Choose s 1, s 2  R Z q y = g 1 s1 g 2 s2 mod p Secrete (s 1,s 2 ) Public (g 1, g 2,y) 2. Blinds a with β,γ,δ  R Z q α = ag 1 β g 2 γ y δ mod p e = H(m, α ) - δ mod q 4. ρ= S 1 + β mod q, σ = S 2 + γ mod q signature is (α, ρ, σ) for message m 1. Select k 1,k 2  R Z q a = g 1 k1 g 2 k2 mod p 3. S 1 = k 1 – es 1 mod q, S 2 = k 2 – es 2 mod q which satisfies a = g 1 S1 g 2 S2 y e mod p CustomerBank a e (S 1,S 2 ) Verifty α =? g 1 ρ g 2 σ y H(m, α ) mod p ≡ g 1 S1+β g 2 S2+γ y e+δ ≡ g 1 S1 g 2 S2 y e (g 1 β g 2 γ y δ ) ≡ a(α/a)

15. Previous Work Network Security Term Project Fair tracing Kügler and Vogt[KV01] proposed marking mechanism based on a variant of an Okamoto-Schnorr Blind Signature[Oka92] in combination with a Chaum-van Antwerpen undeniable signature[Cha90].  Notations p,q : two large primes such that q/p-1 g 1,g 2,g 3  Z p * with order q (s 1,s 2 )  R Z q is the blind signature private key of the bank v = g 1 s1 g 2 s2 mod p is the blind signature public key of the bank x  R Z q is the undeniable signature private key of the bank y = g 3 x mod p is the undeniable signature public key of the bank

16. Previous Work Network Security Term Project Fair tracing  Marking and Withdrawal CustomerBank Once per withdrawal : r  R Z q * α = g 1 r mod p : new random generator ω = α x mod p : undeniable sig’ For every coin : δ  R Z q * α’ = α δ mod p ω’ = ω δ ≡ α xδ ≡ α’ x mod p α,ω a c S 1,S 2

17. Previous Work Network Security Term Project Fair tracing  Tracing Capabilities  Coin tracing - Chooses and stores a random undeniable signature key x m such that - The bank test for all stored marking keys x m  Tracing authority - The tracing capability can be transfered to a separate tracing authority. marking is invisible even for the bank. (Refer to [KV01])  Fair tracing - Revealing key x has no impact on the security of the Okamoto-Schnorr signature. : undeniable sig’ is independent to blind sig’ - Customer can detect marking by testing But he needs additional info. Sig bank =(α,ω,customer ID, coin generation)

18. Future work Network Security Term Project Fair tracing  Detail analysis about fair tracing  Study other fair tracing scheme  Develop enhanced scheme.

19. References Network Security Term Project Fair tracing [KV01] D. Kügler and H. Vogt. Fair tracing without trustees. In Financial Cryptography – FC2001. Preproceedings, 2001. [vSN92] B. Von Solms and D. Naccache. On blind signatures and perfect rimes. Computers and Security, 11(6):581-583, 1992. [SPC95] M. Stadler, J.-M. Piveteau, and J. Camenisch. Fair blind signatures. In Advances in Cryptology - EUROCRYPT ’95, volume 921of Lecture Notes in Computer Science, pages 209-219. Springer-Verlag, 1995 [DFTY97] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung. Anonymity control in e-cash systems, In Financial Cryptography - FC’97, volume 1318 of LNCS, pages 1-16. Springer-Verlag, 1997 [Oka92] T.Okamoto, Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes, Advances in Cryptology-Crypto ’92, LNCS Vol.740, pages 31 –53, Springer-Verlag,1992. [Cha90] D.Chaum. Zero-knowledge undeniable signatures. In Advances in Cryptology – EUROCRYPT ’90, volume 473 of LNCS, pages 458-464. Springer-Verlag, 1990 [JKC01] Jinho Kim, Kwangjo Kim, Chulsoo Lee, An Efficient and Provably Secure Threshold Blind Signature, In ICISC 2001, volume 2288 of LNCS, pages 318 – 327. Springer-Verlag, 2002