Offline E-Payment System Using Proxy Blind Signature Scheme

Recent Patents on Computer Science 2012, 5, 153-162


Sattar J. Aboud*
Information Technology Advisor, Iraqi Council of Representatives, District 337, Street No. 17, Door No. 97, Baghdad-Iraq
Received: April 14, 2012; Accepted: May 3, 2012; Revised: May 19, 2012

Abstract: In this patent paper, a proxy blind signature scheme based on bilinear pairings is suggested. The proxy blind signature scheme is shown to be secure under the discrete logarithm problem, the decisional bilinear Diffie-Hellman problem and the chosen-target computational Diffie-Hellman problem in the random oracle model. In reality, users withdraw and deposit funds at all levels of banks. In this patent we introduce a new e-payment system that uses the new proxy blind signature scheme. We claim that the proposed e-payment system ensures that e-coins cannot be forged, that honest users remain anonymous and that over-spending can be efficiently traced. This scheme demonstrates that combining the proxy signature with the blind signature makes the e-payment system more robust and suitable than before. Relevant patents are also reviewed.

Keywords: Bilinear pairing, chosen-target computational Diffie-Hellman scheme, decision bilinear Diffie-Hellman scheme, discrete logarithm problem, e-payment system, offline e-payment system, proxy blind signature, random oracle model.

1. INTRODUCTION

The e-payment system can be extensively used in e-commerce applications over the Internet as a payment method. In the withdrawal phase of an e-payment scheme, the bank issues e-payment to the user. Subsequently, the user performs the transaction and pays the e-payment to the merchant. At the end, the merchant deposits that e-payment in the bank. There are two methods of running e-payment systems: an online e-payment method and an offline e-payment method [1]. In the online payment system, the merchant checks the payment sent by the user with a bank before serving the user. In the offline payment system, over-spending must be detected after the fact, and consequently no online link to the bank is needed during the payment. The offline e-payment system is more efficient and more realistic, because the bank does not need to take part in each payment online. Nevertheless, an offline e-payment system is directly exposed to the over-spending problem. Thus, it is essential to design a secure and efficient offline e-payment system in which the bank implements an over-spending checking method. When a secure e-payment scheme is used, there is a shared set of characteristics for an e-payment protocol:

1. Traceability: over-spending must be detected, i.e., the e-cash must be used once only. The system can provide a technique which can efficiently trace the over-spending and the fraudulent user. The majority of e-payment schemes [2] are built from a practical public key primitive, the blind signature scheme.

2. Anonymity: e-payment should not reveal information about the user; it means that it should be an anonymous e-payment transaction.

3. Unforgeability: a valid e-payment can only be issued by a bank. A hacker cannot forge an e-payment in probabilistic polynomial time.

4. Divisibility: e-payment can be sub-divided, since the notes have a basic unit.

5. Transference: e-payment can be transferred to a trusted authority by providing a suitable amount of coins.

*Address correspondence to this author at the Information Technology Advisor, Iraqi Council of Representatives, Baghdad-Iraq, District 337, Street No. 17, Door No. 97, Baghdad-Iraq; Tel: 009647704443432; E-mail: [email protected]

The idea of the blind signature scheme was first presented by Chaum in 1982 [3]. The blind signature does not provide signer or user anonymity, but it hides the resulting signature from the signer's view. In a blind signature scheme, if the bank needs to get a signature on a chosen document, the bank first blinds the document. The signer generates a signature on it and cannot learn anything about the original document. Upon receiving the signature, the bank performs the unblinding process and gets the signer's signature on the true document. The blind signature can be checked by any entity who intends to, but the signer cannot connect the signature with the document. Thus, this property of the blind signature makes it very convenient in e-payment schemes. In reality, most banks monitor withdrawals and accept deposits. As a result, it is natural that e-payment can be issued by any bank that has been authorized by the National Central Bank. In this paper, we propose an offline e-payment scheme using a proxy blind signature scheme, which can be an encouraging technique to make the e-cash system more robust and fair. The idea of the proxy signature scheme was first presented by Mambo et al. in 1996 [4]. The proxy signature scheme involves three participants: an original signer, a proxy signer and a verifier. In a proxy signature scheme, a user Alice, named the original signer, delegates her signing right to another user Bob, named the proxy signer, so that Bob can sign documents on behalf of Alice. A verifier can validate the proxy signature and can differentiate between a standard signature and a proxy signature. Consequently, the verifier can be satisfied that the original signer agreed on the signed document. Proxy signature schemes have been suggested for a number of uses, including e-commerce, mobile agents, e-payments, and so on. For instance, the manager of a corporation authorizes a signing right to the deputy before a time off. The deputy can make a signature on behalf of the manager, and a verifier can be convinced that the signature has been signed by an authorized deputy. The verifier can also be satisfied that the manager agreed on the signed document. Usually, a proxy signature scheme works as follows: the original signer Alice passes to the proxy signer Bob a signature that is associated with a specific document. Bob generates a proxy private key using this information. Bob can then sign a document with the proxy private key using a standard signature scheme. Once the document and signature have been passed to the verifier, he retrieves a proxy public key using public information and verifies the proxy signature using the standard signature scheme, and the verifier is satisfied that the signature is authorized by the original signer. The proxy signature scheme and the blind signature scheme are combined in the proxy blind signature scheme [5]. The proxy blind signature scheme in this case has the advantages of both the proxy signature scheme and the blind signature scheme. A proxy blind signature can be employed in the creation of an e-money system. The document in the blind signature scheme denotes some facts such as the user ID in an e-payment scheme. Withdrawal of money in an e-payment scheme is equivalent to the creation of a blind signature on a document.

© 2012 Bentham Science Publishers
The transfer of the authority to issue e-payment from a National Central Bank to all banks is achieved by the proxy algorithm of the proxy blind signature. Simultaneously, the blind signature also protects the user's privacy and anonymity. Thus, the user can withdraw e-payment from the bank and use it anonymously. So far, some proxy blind signature schemes already exist to deal with this issue, such as the discrete logarithm based proxy blind signature [6], the braid group based proxy blind signature [7] and the identity based proxy blind signature [8]. To give a robust security guarantee, provable security is necessary for a proxy blind signature scheme. Unfortunately, most proxy blind signature schemes are not accompanied by formal security proofs and were only given informal arguments concerning the security properties [9] such as verifiability, unforgeability, identifiability, distinguishability, unlinkability and undeniability. Certain security faults of these systems were discovered later on [10]. As a result, we must build a provably secure proxy blind signature scheme. Therefore, we propose a provably secure proxy blind signature scheme based on the bilinear pairing. Building on the strength of the suggested proxy blind signature scheme, we construct an offline e-payment system. It is shown that the proposed offline e-payment system meets the security needs of an e-payment system. Figure 1 shows the online e-cash payment system.

Fig. (1). Online e-cash Payment System.

2. RELATED WORKS

Since David Chaum presented the idea of e-cash [3, 11], many e-payment research works have been performed [12-14]. In e-payment schemes, a bank is responsible for issuing an e-coin. When a transaction is completed, the e-coin is deposited in a bank by a merchant. The principal requirement of an e-payment system is that the withdrawal and payment schemes do not reveal whether a specific amount of e-money has been consumed and who has spent the e-money. Through the withdrawal, a private key is kept secret so that a bank cannot trace the e-cash consumed. On the other hand, e-payment is easily copied, so over-spending of e-cash must be detected. In many uses, the protection of a signer's identity is needed. Group signatures can give anonymity and unlinkability. Thus, group signatures have been used to build e-payment schemes [15, 16], but the majority of group signature based e-payment schemes are inefficient. David Chaum presented the idea of the blind signature. The blind signature scheme lets the sender of a document obtain its signature while the signer cannot see the document during signing and afterwards cannot connect the signature with the document. A secure blind signature scheme needs unforgeability and unlinkability. If a signature requester, for instance the customer, needs to prevent the signer (bank) from connecting a message with a signature, a blind signature scheme can be employed. Blind signatures have already found broad use in e-cash schemes [17]. The document in a blind signature scheme carries such data as the customer identity and the e-money value in an e-cash scheme. If a customer presents a document with its signature issued by a bank, the bank cannot tell for whom it produced the signature. Actually, the withdrawing entity obtains the blind signature by un-blinding the message, and the signer (bank) cannot connect the final signature with a blinding operation.
Thus, a customer can withdraw e-money from a bank and spend it anonymously. In [18], a trusted authority is needed in order to trace over-spending. In reality, the system of every bank consists of many levels, for example a headquarters and branches. The majority of customers prefer to deal with local bank departments rather than with a central bank. If only the central bank has the authority to issue e-money, this causes problems for the customers. Consider the standard situation where local banks want to issue e-money but need an authority from a central bank to issue e-coins. In the proxy signature scheme [4], the original signer delegates the proxy signer to sign documents on its behalf. Proxy signature and blind signature are combined into the proxy blind signature [5]. A proxy blind signature requires three entities: an original signer, a proxy signer and a signature receiver. Proxy blind signatures have broad potential uses for entities that need to protect their secrecy and anonymity. To ensure customer secrecy in an e-cash scheme, the customer usually does not let the banks connect a specific e-money issued by a bank with a payment performed by the customer. Since the proxy blind signature was presented [19, 10], many proxy blind signature protocols have appeared, for instance the Schnorr signature based proxy blind signature [9], the braid group based proxy blind signature [7] and the identity based proxy blind signature [20]. Proxy blind signature systems are required to have the security characteristics claimed for them. Also, an original signer cannot repudiate a proxy blind signature that it has authorized. The majority of proxy blind signature schemes are not equipped with demonstrable security proofs. In this paper, we design an offline e-payment system using a proxy blind signature scheme. The suggested system is provably secure in the random oracle model. We apply the secure proxy blind signature scheme to build the offline e-cash scheme. The proposed system is unforgeable and unlinkable in the random oracle model. Also, the proposed e-cash system can efficiently trace over-spending.

3. PRELIMINARIES

In this section we present some preliminaries regarding the proposed proxy blind signature scheme. These are as follows:

3.1. Security Properties of Proxy Blind Signature

In this part, we list the required security characteristics of the proxy blind signature.

1. Unforgeability: only a nominated proxy signer can generate a valid proxy blind signature for an original signer.

2. Verifiability: following the verification, a verifier can be satisfied of the original signer's agreement on the signed document.

3. Private key dependency: the proxy key or delegation key can only be calculated by the original signer.

4. Distinguishability: a verifier can differentiate between an original signature and a proxy signature.

5. Identifiability: a verifier can identify both the proxy and the original signers.

6. Undeniability: the delegation information is signed by the original signer and the proxy signature is created by the proxy signer; neither signer can repudiate its signature.

7. Non-denial: the proxy signer cannot claim that the proxy signature was illegally signed by the original signer.

8. Unlinkability: once a signature is verified, the signer knows nothing about the document or its signature.


3.2. Bilinear Pairings

Let $G_1$ and $G_2$ be two cyclic groups of prime order $q$, and let $Q$ be a generator of $G_1$. Let $e$ be an admissible map from $G_1 \times G_1$ to $G_2$ which satisfies the following property:

Bilinear: for $Q_1, Q_2 \in_R G_1$ and any $a, b \in \mathbb{Z}_q^*$, $e(aQ_1, bQ_2) = e(Q_1, Q_2)^{ab}$.

Definition 1 (Decisional Bilinear Diffie-Hellman (DBDH) Problem). Given the elements $(Q, aQ, bQ, cQ)$ in a cyclic group $G_1$ for some unknown $a, b, c \in \mathbb{Z}_q^*$, and an element $Z \in_R G_2$, decide whether $Z = e(Q, Q)^{abc}$ or not.

3.3. Use of Hash Functions

Signature verification requires knowledge of the message. It is thus natural to use the scheme in combination with a suitable one-way hash function, with which the message $m$ is hashed before signing in order to limit the size of the exponent in verification. To avoid collisions between messages, it is desirable that the hash function used has a 160-bit output; the Secure Hash Standard algorithm (SHA) currently appears to be a suitable choice.

3.4. Chosen-Target CDH Assumption

Select $(Q, a \cdot Q) \in G_1$ for a certain unknown $a \in \mathbb{Z}_q^*$. A polynomial-time hacker $A$ can access two oracles:

1. Target oracle $TO$:
   a. Choose a random value $Q_i \in G_1$.
   b. Return $Q_i$.
2. Helper oracle $HO$:
   a. Choose a value $Q_j \in G_1$.
   b. Find $R_j = a \cdot Q_j$.
   c. Return $R_j$.

Hacker $A$ is said to win the game if $A$ can output $l$ pairs $[(Q_1, R_1), (Q_2, R_2), \ldots, (Q_l, R_l)]$, $q_{ho} < l < q_{to}$, where $R_i = a \cdot Q_i$ ($1 \le i \le l$), after hacker $A$ has made $q_{ho}$ $HO$-queries and $q_{to}$ $TO$-queries ($q_{ho} < q_{to}$). The assumption that there is no probabilistic polynomial-time hacker $A$ who can win the above game with non-negligible probability is the Chosen-Target CDH Assumption in $G_1$.

3.5. Security Concept

There was no formal security model until Boldyreva et al. [21] presented one in 2003. Nevertheless, their model is complex and is vulnerable to chosen-warrant attacks [22] and the proxy key exposure attack [23]. Moreover, in 2006 Huang et al. [24] introduced a pioneering security model of proxy signature which is still the best model. In their proxy signature model, all hackers are categorized into three types:

1. Hacker $H_1$: has the public key of the original signer and the public key of the proxy signer;

2. Hacker $H_2$: has the public key of the original signer and the public key of the proxy signer. In addition, it has the private key of the proxy signer;

3. Hacker $H_3$: has the public key of the original signer and the public key of the proxy signer. Moreover, it has the private key of the original signer.

It is easy to see that the following claim holds: when the proxy signature is unforgeable against hacker $H_2$ or $H_3$, it is also unforgeable against hacker $H_1$.

4. THE SUGGESTED PROXY BLIND SIGNATURE SCHEME

In this section, we explain the proposed proxy blind signature scheme using bilinear pairings. The participants in the proxy blind signature scheme are four users: an original signer $A$, a proxy signer $B$, a signature requester $C$ and a verifier $V$. The proxy blind signature scheme includes the following algorithms: setup, delegation generation, delegation verification, proxy blind signature, and proxy blind verification.

4.1. Setup

The scheme's public parameters are set up as follows:

1. Select a prime number $q$.
2. Suppose that $(G_1, G_2)$ are two bilinear groups such that $|G_1| = |G_2| = q$.
3. Assume that $a$ is a generator of $G_1$.
4. Suppose $b$ represents the bilinear pairing $G_1 \times G_1 \to G_2$.
5. Suppose that the public key and private key pair of the original signer $A$ is $(e_A, d_A)$.
6. Suppose that the public key and private key pair of the proxy signer $B$ is $(e_B, d_B)$.
7. Assume that $e_A = d_A \cdot a$ and $e_B = d_B \cdot a$, where $d_A, d_B \in \mathbb{Z}_q^*$.
8. Select two secure hash functions $h_1 : \{0,1\}^* \to \mathbb{Z}_q^*$ and $h_2 : \{0,1\}^* \to G_1$ for their different uses in the scheme.

4.2. Delegation Generation

The original signer $A$ makes a warrant $w$ which records the limitations of the delegated authority, the validity period of the delegation, and the identity records of the original signer $A$ and the proxy signer $B$, including the public key $e_A$ of the original signer $A$ and the public key $e_B$ of the proxy signer $B$. Note that a warrant $w$ can be misused within a short period of time. But, in the proposed e-payment system, the main bank delegates the warrant $w$ to the branch bank, and the warrant $w$ stays unaffected for a long period of time. The steps of the algorithm performed by the original signer $A$ are as follows:

1. Select an arbitrary integer $x_A \in \mathbb{Z}_q^*$.
2. Calculate $g_A = x_A \cdot a$.
3. Compute $t_A = d_A \cdot h_1(w \| g_A) + x_A \bmod q$. (1)
4. Pass $(w, t_A, g_A)$ to the proxy signer $B$ over a secure channel.

4.3. Delegation Verification

Upon receiving the delegation, the proxy signer $B$ first checks the validity of the warrant $w$. To check the validity of the delegation $(w, t_A, g_A)$, the proxy signer $B$ does the following:

1. Finds $h_1(w \| g_A)$.
2. Verifies the validity of the delegation by:
   $t_A \cdot a = h_1(w \| g_A) e_A + g_A$. (2)
3. If formula (2) is not satisfied, the proxy signer $B$ rejects the delegation. Otherwise, the proxy signer $B$ accepts it and calculates the proxy signature key by:
   $t_B = t_A + d_B \bmod q$. (3)
4. Sets $e_{pub} = t_B \cdot a = h_1(w \| g_A) e_A + g_A + e_B$.

4.4. Proxy Blind Signature

If a signature requester $C$ needs to get a proxy blind signature on a document $m$, the parties do the following:

1. The proxy signer $B$ passes $(w, g_A)$ to the signature requester $C$.
2. The signature requester $C$ selects two arbitrary values $k_1, k_2 \in \mathbb{Z}_q^*$.
3. $C$ finds $z = k_1 \cdot h_2(m \| g_A \| w) + k_2 \cdot a$. (4)
4. The signature requester $C$ passes $z$ to the proxy signer $B$.
5. The proxy signer $B$ calculates $g_B = t_B \cdot z$. (5)
6. $B$ passes $g_B$ to the signature requester $C$.
7. The signature requester $C$ finds $j = k_1^{-1}(g_B - k_2 \cdot e_{pub})$. (6)
8. Then $(w, g_A, j)$ is a proxy blind signature on the document $m$.


4.5. Proxy Blind Verification

After a verifier $V$ obtains a proxy blind signature $(m, w, g_A, j)$, the verifier $V$ does the following:

1. Verifies whether the following formula is satisfied:
   $b(j, a) = b(h_2(m \| g_A \| w),\; h_1(w \| g_A) e_A + g_A + e_B)$. (7)
2. If yes, the proxy blind signature $(w, g_A, j)$ on the document $m$ is valid; if not, it is invalid.
3. Verifies the validity of the delegation by formula (2) as follows:
   $t_A \cdot a = h_1(w \| g_A) e_A + g_A$.
4. If this check is omitted, the proxy signer or an attacker could forge the proxy information (the warrant $w$) easily.

5. ANALYSIS OF THE PROXY BLIND SIGNATURE SCHEME

In this section, we show that the suggested scheme has the security characteristics of a proxy signature scheme. The following characteristics are easily verified.

5.1. Verifiability

The validity of a proxy blind signature can be checked by formula (7). Its correctness is shown in Theorem 1.

Theorem 1. The suggested proxy blind signature scheme satisfies correctness.

Proof.
$b(j, a) = b(k_1^{-1}(g_B - k_2 \cdot e_{pub}), a)$
$= b(k_1^{-1}(t_B \cdot z - k_2 \cdot e_{pub}), a)$
$= b(k_1^{-1}(t_B(k_1 \cdot h_2(m \| g_A \| w) + k_2 \cdot a) - k_2 \cdot e_{pub}), a)$
$= b(k_1^{-1}(t_B \cdot k_1 \cdot h_2(m \| g_A \| w) + k_2 \cdot e_{pub} - k_2 \cdot e_{pub}), a)$
$= b(t_B \cdot h_2(m \| g_A \| w), a)$
$= b(h_2(m \| g_A \| w), t_B \cdot a)$
$= b(h_2(m \| g_A \| w), h_1(w \| g_A) \cdot e_A + g_A + e_B)$.

5.2. Unforgeability

The signature scheme is unforgeable: given a valid proxy blind signature, the original signer $A$ cannot repudiate its delegation to the proxy signer $B$, and the proxy signer $B$ cannot repudiate its signature. This is shown in Theorem 2.

Theorem 2. The suggested proxy blind signature is secure against one-more forgery under the discrete logarithm problem, the decisional bilinear Diffie-Hellman problem and the chosen-target computational Diffie-Hellman problem in the random oracle model.

Proof. The unforgeability of the proposed scheme means that the scheme can withstand the attacks of hacker $H_2$ and the attacks of hacker $H_3$. A hacker is considered to succeed in attacking a proxy blind signature scheme when it attains one or both of the following targets: forgery of a delegation or forgery of a proxy blind signature.

Unforgeability vs. Hacker $H_2$

We illustrate the result by proof by contradiction. Assume that hacker $H_2$ knows the public key $e_A$ of the original signer $A$ and the public key $e_B$ of the proxy signer $B$. Moreover, $H_2$ defrauds the proxy signer $B$ and gets the private key $d_B$ of the proxy signer $B$. Ultimately, the hacker $H_2$ produces a proxy blind signature $(g'_A, j')$ on a document $m'$ using the warrant $w'$ which fulfils the following:

• $w'$ has not been requested in a delegation query;
• $(g'_A, w', m')$ has not been requested in a proxy blind signing query;
• $(m', w', g'_A, j')$ is a proxy blind signature on the document $m'$ using the warrant $w'$ which satisfies the verification formula (7).

From formula (6), we have $j' = k_1^{-1}(g'_B - k_2 \cdot e_{pub})$. It is not hard to deduce that $j' = (t_A + d_B) \cdot h_2(m' \| g'_A \| w')$, so $j'$ is a Boneh et al. signature [25] on the document $(m' \| g'_A \| w')$. Under the decisional bilinear Diffie-Hellman problem in the random oracle model, the Boneh et al. signature is proven existentially unforgeable. Hacker $H_2$ has the private key $d_B$, so hacker $H_2$ must have succeeded in forging a valid $t_A$. Since $w'$ has not been requested in a delegation query and $(w', t_A, g'_A)$ satisfies the delegation verification formula (2), hacker $H_2$ has succeeded in forging the valid delegation $(w', t_A, g'_A)$. From formula (1), we have $g'_A = k_A \cdot a$ and $t_A = d_A \cdot h_1(w' \| g'_A) + k_A \bmod q$. A forgery of a delegation $(w', t_A, g'_A)$ means that hacker $H_2$ succeeds in forging a Schnorr signature on the warrant $w'$ under the private key $d_A$ of the original signer $A$. This contradicts the unforgeability of the Schnorr signature scheme under the discrete logarithm problem in the random oracle model.

Unforgeability vs. Hacker $H_3$

Assume that hacker $H_3$ knows the public key $e_A$ of the original signer $A$ and the public key $e_B$ of the proxy signer $B$. The hacker $H_3$ defrauds the original signer $A$ and gets its private key $d_A$. Suppose that hacker $H_3$ succeeds in a one-more forgery. Upon receiving the replies to its queries, hacker $H_3$ produces a proxy blind signature $(m', w', g'_A, j')$ with a warrant $w'$ and a document $m'$ where:

• $(m', w')$ has not been requested in a proxy blind signing query;
• $(m', w', g'_A, j')$ is a proxy blind signature on the document $m'$ using the warrant $w'$ which satisfies the verification formula (7).

We use hacker $H_3$ to build an algorithm $M$ that breaks the Chosen-Target computational Diffie-Hellman problem. Assume $(Q, a \cdot Q)$ is the challenge of the Chosen-Target computational Diffie-Hellman problem. The algorithm $M$ can access the target oracle and the helper oracle of the Chosen-Target computational Diffie-Hellman problem. The algorithm $M$ is given the private key $d_A$. The algorithm $M$ simulates the answers to the queries issued by hacker $H_3$.

Delegation queries: Assume hacker $H_3$ issues a delegation query concerning a warrant $w$ on the original signer $A$. Algorithm $M$ responds as the Delegation Generation algorithm does, using the secret key $d_A$.

Hash queries: If an $h_1$-query about $(w, g_A)$ is issued, algorithm $M$ first checks whether $(w, g_A, \cdot)$ exists in the $h_1$ list. If it exists, algorithm $M$ returns the corresponding value from the $h_1$ list. Otherwise, algorithm $M$ randomly selects a number in $\mathbb{Z}_q^*$ as the hash value $h_1(w \| g_A)$ and adds the triple $(w, g_A, h_1(w \| g_A))$ to the $h_1$ list. When an $h_2$-query about $(m, g_A, w)$ is issued, algorithm $M$ checks whether $(w, g_A, \cdot)$ exists in the $h_1$ list; if it does not, algorithm $M$ responds as in the $h_1$-query. Then algorithm $M$ searches the $h_2$ list for $(m, g_A, w, \cdot)$. If $(m, g_A, w, \cdot)$ appears in the $h_2$ list, algorithm $M$ returns the corresponding value. Otherwise, algorithm $M$ queries the oracle $TO$ and gets a random value $Q_i \in G_1$, $1 \le i \le q_h$, where $q_h$ is the number of $h_2$-queries. Algorithm $M$ stores the tuple $(m, g_A, w, Q_i)$ in the $h_2$ list and returns $Q_i$ to hacker $H_3$.

Proxy Blind Signature queries: If hacker $H_3$ requests the signature on $z$, algorithm $M$ queries the oracle $HO$ and gets a random value $z_i \in G_1$, $1 \le i \le q_s$, where $q_s$ is the number of proxy blind signature queries.

Forgery: After $q_h$ hash queries and $q_s$ proxy blind signature queries, hacker $H_3$ produces $l$ valid signatures
$(m_1, w_1, g_{A1}, j_1), (m_2, w_2, g_{A2}, j_2), \ldots, (m_l, w_l, g_{Al}, j_l)$
where $q_s \le l \le q_h$.

Result: Algorithm $M$ computes $j_i - t_{Ai} \cdot Q_i = a \cdot Q_i$ for $1 \le i \le l$. Thus algorithm $M$ can output $(Q_1, a \cdot Q_1), (Q_2, a \cdot Q_2), \ldots, (Q_l, a \cdot Q_l)$ as $l$ valid instances in the Chosen-Target CDH assumption, where $q_{ho} \le l \le q_{to}$ and $q_{ho}$, $q_{to}$ are the numbers of queries to the oracles $HO$ and $TO$ respectively, with $q_{ho} = q_s$ and $q_{to} = q_h$. Therefore, the result contradicts the Chosen-Target CDH assumption.

5.3. Unlinkability

Once a signature is verified, the signer learns nothing about the document or its signature.

Theorem 3. The suggested proxy blind signature scheme meets the unlinkability characteristic; specifically, after the proxy signer $B$ sees a proxy blind signature, the proxy signer $B$ cannot connect it with its view of an actual run of the scheme.

Proof. The definition of unlinkability in [27] is adopted to prove the theorem. Suppose that the proxy signer $B$ sees two signatures $((m_1, w_1, g_{A1}, j_1), (m_0, w_0, g_{A0}, j_0))$. By $\Pi_n$ we denote the $n$-th instance of the proposed proxy blind scheme for $n \in \{0, 1\}$. Suppose that the proxy signer $B$ stores all views during an actual run of the scheme. In the run of $\Pi_n$ the signer has the view $(g_n, g_{Bn})$. If for each view $(g_n, g_{Bn})$ in $((g_0, g_{B0}), (g_1, g_{B1}))$ and any proxy blind signature $(m, w, g_A, j)$ in $((m_1, w_1, g_{A1}, j_1), (m_0, w_0, g_{A0}, j_0))$ there is a related blinding factor pair $(k'_{1n}, k'_{2n})$ for which the view and the proxy blind signature satisfy formulas (4)-(7) of the proxy blind signature scheme, then the proof of the theorem is finished. For $(m, w, g_A)$ and $(g_n, g_{Bn})$ there is a pair $(k'_{1n}, k'_{2n})$ which satisfies

$g_n = k'_{1n} \cdot h_2(m \| g_A \| w) + k'_{2n} \cdot a$. (8)

Through the formula $g_{Bn} = t_B \cdot g_n$ and formula (8), we have

$j = k'^{-1}_{1n}(g_{Bn} - k'_{2n} \cdot e_{pub})$
$= k'^{-1}_{1n}(t_B \cdot g_n - k'_{2n} \cdot e_{pub})$
$= k'^{-1}_{1n}(t_B \cdot k'_{1n} \cdot h_2(m \| g_A \| w) + k'_{2n} \cdot t_B \cdot a - k'_{2n} \cdot e_{pub})$
$= t_B \cdot h_2(m \| g_A \| w)$. (9)

Formula (9) shows that formula (7) always holds. The above argument illustrates that, for each view $(g_n, g_{Bn})$ and proxy blind signature $(m, w, g_A, j)$, there is a related blinding factor pair $(k'_{1n}, k'_{2n})$ for which formulas (4)-(7) are satisfied. So the probability that the signer can decide the linkage of a signature with a view is $1/2$. Hence, the proposed proxy blind signature realizes the unlinkability feature.

6. THE PROPOSED E-PAYMENT SYSTEM

We build an offline e-payment system on the proposed proxy blind signature scheme. There are four types of users: a client $C$, a branch bank $B$, an upper bank $A$ and a merchant $M$. After the upper bank $A$ authorizes the branch bank $B$, the branch bank $B$ can issue e-payment to the client $C$. The new offline e-payment system ensures that not only the central bank but also the branch banks can issue e-payment. The transaction can be carried out between the client $C$ and the merchant $M$ without the bank being online. Therefore, the proposed offline e-payment system can give even more flexibility than the banking system in the real world. We now illustrate the construction of the new offline e-payment system. Fig. (2) shows the architecture of the new e-cash system.
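The proxy blind signature of Section 4 (setup, delegation, delegation check, blinding, proxy signing, unblinding and verification by formula (7)) and the unlinkability argument of Section 5.3, as an added worked example that is not code from the paper. Because no pairing-friendly curve library is available in the standard library, it runs the algebra in a constructed toy pairing: $G_1$ is the additive group $\mathbb{Z}_q$ (so "scalar multiplication" is multiplication mod $q$), $G_2$ is the order-$q$ subgroup of $\mathbb{Z}_p^*$ with $p = 2q + 1$, and $b(P, R) = g^{PR} \bmod p$, which is bilinear. This toy group has a trivial discrete logarithm and exists only to check that the equations of Sections 4 and 5 hold; the primes, generators, warrant and document are constructed values, and both $h_1$ and $h_2$ are modelled with SHA-256 reduced into $\mathbb{Z}_q^*$ rather than the 160-bit hash mentioned in Section 3.3.

```python
import hashlib
import secrets

# Constructed toy parameters (not from the paper): q and p = 2q + 1 are prime,
# so g = 4 (a quadratic residue) generates the order-q subgroup of Z_p^*.
q = 1019
p = 2 * q + 1
g = 4
a = 7  # generator of the toy G1 = (Z_q, +); any non-zero residue works


def rand_scalar() -> int:
    """Uniform element of Z_q^* (the x_A, d_A, d_B, k_1, k_2 of the paper)."""
    return secrets.randbelow(q - 1) + 1


def hash_to_zq_star(*parts: bytes) -> int:
    """SHA-256 reduced into {1, ..., q-1}; models both h1 (into Z_q^*) and
    h2 (into G1), which coincide in this toy group."""
    digest = hashlib.sha256(b"\x00".join(parts)).digest()
    return int.from_bytes(digest, "big") % (q - 1) + 1


h1 = hash_to_zq_star
h2 = hash_to_zq_star


def enc(n: int) -> bytes:
    """Fixed-width encoding of a group element for the `||` concatenations."""
    return n.to_bytes(4, "big")


def pairing(P: int, R: int) -> int:
    """Toy bilinear map b: G1 x G1 -> G2, b(P, R) = g^(P*R) mod p.
    b(sP, tR) = b(P, R)^(s*t) holds, which is all that formula (7) needs."""
    return pow(g, (P * R) % q, p)


def keygen() -> tuple:
    """Setup steps 5-7: returns (public key e = d*a, private key d)."""
    d = rand_scalar()
    return d * a % q, d


def delegate(d_A: int, w: bytes) -> tuple:
    """4.2 Delegation Generation by the original signer A."""
    x_A = rand_scalar()
    g_A = x_A * a % q
    t_A = (d_A * h1(w, enc(g_A)) + x_A) % q  # formula (1)
    return w, t_A, g_A


def verify_delegation(e_A: int, w: bytes, t_A: int, g_A: int) -> bool:
    """4.3 step 2, formula (2): t_A*a == h1(w||g_A)*e_A + g_A."""
    return t_A * a % q == (h1(w, enc(g_A)) * e_A + g_A) % q


def proxy_key(e_A: int, e_B: int, d_B: int, w: bytes, t_A: int, g_A: int) -> tuple:
    """4.3 steps 3-4: proxy signing key t_B (formula (3)) and e_pub."""
    if not verify_delegation(e_A, w, t_A, g_A):
        raise ValueError("delegation rejected")
    t_B = (t_A + d_B) % q
    e_pub = t_B * a % q
    # e_pub must equal the publicly computable value of 4.3 step 4
    if e_pub != (h1(w, enc(g_A)) * e_A + g_A + e_B) % q:
        raise ValueError("e_pub mismatch")
    return t_B, e_pub


def blind(m: bytes, g_A: int, w: bytes) -> tuple:
    """4.4 steps 2-3, formula (4): requester C hides m behind (k1, k2)."""
    k1, k2 = rand_scalar(), rand_scalar()
    z = (k1 * h2(m, enc(g_A), w) + k2 * a) % q
    return z, k1, k2


def proxy_sign(t_B: int, z: int) -> int:
    """4.4 step 5, formula (5): B signs the blinded value with t_B."""
    return t_B * z % q


def unblind(g_B: int, k1: int, k2: int, e_pub: int) -> int:
    """4.4 step 7, formula (6)."""
    return pow(k1, -1, q) * (g_B - k2 * e_pub) % q


def verify(e_A: int, e_B: int, m: bytes, w: bytes, g_A: int, j: int) -> bool:
    """4.5 step 1, formula (7), using public values only."""
    lhs = pairing(j, a)
    rhs = pairing(h2(m, enc(g_A), w), (h1(w, enc(g_A)) * e_A + g_A + e_B) % q)
    return lhs == rhs


def run_protocol(m: bytes = b"constructed document", w: bytes = b"constructed warrant") -> dict:
    """One full run; the dict also exposes B's view (z, g_B) and t_B for checks."""
    e_A, d_A = keygen()
    e_B, d_B = keygen()
    w, t_A, g_A = delegate(d_A, w)
    t_B, e_pub = proxy_key(e_A, e_B, d_B, w, t_A, g_A)
    z, k1, k2 = blind(m, g_A, w)
    g_B = proxy_sign(t_B, z)
    j = unblind(g_B, k1, k2, e_pub)
    return dict(e_A=e_A, e_B=e_B, m=m, w=w, g_A=g_A, t_A=t_A, j=j,
                z=z, g_B=g_B, e_pub=e_pub, t_B=t_B)


def blinding_pair_consistent(view: dict, k1_guess: int) -> bool:
    """Section 5.3: for ANY guess k1' there is a k2' with z = k1'*h2 + k2'*a
    (formula (8)) that also reproduces j through formula (6), so B's view
    (z, g_B) fits every signature equally well."""
    H = h2(view["m"], enc(view["g_A"]), view["w"])
    k2_guess = (view["z"] - k1_guess * H) * pow(a, -1, q) % q
    return unblind(view["g_B"], k1_guess, k2_guess, view["e_pub"]) == view["j"]


if __name__ == "__main__":
    r = run_protocol()
    print("formula (7) holds:", verify(r["e_A"], r["e_B"], r["m"], r["w"], r["g_A"], r["j"]))
    print("every k1' explains B's view:", all(blinding_pair_consistent(r, k) for k in range(1, q)))
```

The last function is the whole content of Theorem 3 in one line: the proxy signer's transcript $(z, g_B)$ is consistent with every candidate blinding pair, so nothing in it distinguishes one final signature from another.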


Fig. (2). Architecture of the New e-cash System.

Payment setup $(1^t)$. Execute the setup algorithm of the proposed proxy blind signature with a security parameter $t$ and return the public parameters $params = (G_1, G_2, q, b, h_1, h_2)$. The parameters $params$ of the e-payment system also contain a third secure hash function $h_3 : \{0,1\}^* \to Z_q^*$. Suppose that a client $C$ has an identity $Id \in G_1$.

Bank Key Generation $(params)$. Execute the key generation algorithm of the proposed proxy blind signature with the parameters $params$. Suppose that both banks, that is the upper bank $A$ and the branch bank $B$, have their public and private key pairs $(e_A, d_A)$ and $(e_B, d_B)$ respectively, so that

$e_A = d_A \cdot a$, $e_B = d_B \cdot a$, where $d_A, d_B \in Z_q^*$.

Bank Delegation $(params, d_A, e_A, d_B, e_B)$. Execute the algorithms delegation generation, delegation verification and signature key generation. Finally, the branch bank $B$ gets the delegation of the upper bank $A$ and holds a signature key $t_B$ which will be applied to issue e-payment.

Opening Account $(Id)$. The client $C$ passes the form for opening an account to the branch bank $B$. The branch bank $B$ identifies the client $C$ and opens the account $acc_U$ for the client $C$.

Withdraw $(Id, t_B)$. The client $C$ gets e-payment from the bank as follows:

1. The client $C$ passes its identity $Id$ and account information $acc_U$ to the branch bank $B$. The branch bank $B$ verifies this information and issues an approval response to the client $C$.

2. After that, the client $C$ randomly selects four integers $k_1, k_2, k_3, k_4 \in Z_q^*$, determines an amount $val$ of e-payment and finds:

$z_1 = k_3 \cdot e_B$, $z_2 = k_4 \cdot e_B$, $z_3 = k_4 \cdot Id$ (10)

$z = k_1 \cdot h_2(val \| w \| g_A \| z_1 \| z_2 \| z_3) + k_2 \cdot a$ (11)

3. Then the client $C$ passes $z$ to the branch bank $B$. The branch bank $B$ finds $g_B = t_B \cdot z$ and passes $g_B$ to the client $C$.

4. The client $C$ finds

$j = k_1^{-1} (g_B - k_2 \cdot e_{pub})$ (12)

5. The client $C$ verifies whether the following formula holds:

$b(j, a) = b\big(h_2(val \| w \| g_A \| z_1 \| z_2 \| z_3),\ h_1(w \| g_A) \cdot e_A + g_A + e_B\big)$ (13)

If formula (13) holds, then the client $C$ has withdrawn an e-payment $coin = (val, w, g_A, z_1, z_2, z_3, j)$ from the branch bank $B$. The client $C$ keeps $(coin, k_3, k_4)$.

Spend E-Payment $(params, coin, k_3, k_4)$.

1. The client $C$ passes $coin$ to the merchant $M$.

2. The merchant $M$ checks the validity of $coin$ by verifying whether formula (13) holds. If $coin$ is valid, the merchant $M$ accepts the coin; otherwise, $M$ rejects it.

3. The merchant $M$ passes a challenge $c \in \{0,1\}^*$ to the client $C$.

4. The client $C$ finds and passes $(b, x)$ to the merchant $M$ as follows:

$b = h_3(coin \| c)$, $x = k_4 + k_3 \cdot b \bmod q$ (14)

5. The merchant $M$ checks the spending documentation $(b, x)$ by verifying whether the following formula holds:

$b = h_3(val \| w \| g_A \| z_1 \| (x \cdot e_B - b \cdot k_3) \| k_3 \| c)$ (15)

6. If formula (15) holds, then the merchant $M$ keeps the transaction record $(coin, b, x, c)$ in a deposit database and sends the record $(coin, b, x, c)$ to the branch bank $B$.


7. The branch bank $B$ checks the validity of the record by formula (15) and then checks whether the e-cash has already been spent (the double-spending check) by searching the database of all previously accepted e-payments to see whether $coin$ already exists. If $coin$ is new, the bank keeps it in the database and the amount $val$ is added to the account of the merchant $M$.

7. ANALYSIS OF THE PROPOSED E-PAYMENT SYSTEM

In this section, we show that the new e-payment system realizes the security characteristics: unforgeability of e-payment, anonymity for an uncorrupted client and traceability of over-spending.

Theorem 4 (Unforgeability). The coin in the proposed e-payment system is unforgeable under the discrete logarithm problem, the decisional bilinear Diffie-Hellman problem and the chosen-target computational Diffie-Hellman problem in the random oracle model.

Proof. It is similar to the proof of Theorem 2.

Theorem 5 (Anonymity). The proposed e-payment system gives anonymity to an uncorrupted client $C$.

Proof. Firstly, the e-payment withdrawn by the client $C$ is a proxy blind signature on $(val, w, g_A, z_1, z_2, z_3, j)$. By a proof similar to that of Theorem 2, we can verify that the bank which issues the e-payment cannot trace it. Secondly, during a payment, $(coin, b, x, c)$ is the merchant's view of the exchange between the client $C$ and the merchant $M$. This view cannot disclose any identity information of the client $C$. Thirdly, when the bank receives the transaction record, it cannot obtain more information than the merchant $M$. Since a record $(coin, b, x, c)$ does not reveal the identity of the client $C$, the bank which receives the e-payment cannot link $coin$ with an uncorrupted client $C$.

Theorem 6 (Traceability of over-spending). The proposed e-payment system has the feature of traceability of over-spending with high efficiency.

Proof. Suppose that the client $C$ spends the same e-payment $coin$ twice. Then there exist two records $(coin, b, x, c)$ and $(coin, b', x', c')$ in the bank database such that:

$b = h_3(coin \| c)$, $x = k_4 + b \cdot k_3$ (16)

$b' = h_3(coin \| c')$, $x' = k_4 + b' \cdot k_3$ (17)

From formulas (16) and (17), we can find:

$k_3 = (x' - x) \cdot (b' - b)^{-1} \bmod q$, $k_4 = (x \cdot b' - x' \cdot b) \cdot (b' - b)^{-1} \bmod q$ (18)
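As an added worked example (not code from the paper), the following Python module carries the over-spending trace of formulas (14) and (16)-(18) through on constructed sample values. The group $G_1$ is modelled as the additive group $Z_q$ with generator $a = 1$, so every scalar multiplication becomes a product mod $q$; this is an assumption of the example that keeps it runnable without a pairing library, and it is sufficient for the tracing step, which uses only $Z_q$ arithmetic. The hash $h_3$ is built from SHA-256, and the modulus, identity, bank key and blinding factors are constructed sample values. The merchant-side check implemented here is the relation $x \cdot e_B - b \cdot z_1 = z_2$ that follows from (10) and (14); it stands in for formula (15), whose printed form involves the client's secret $k_3$, and is an assumption of this example. The example also handles the case a tracer must reject: two records with the same challenge give $b' = b$, so $(b' - b)^{-1}$ does not exist and no trace is possible.

```python
"""Over-spending trace for the offline e-payment scheme, formulas (14), (16)-(18).

Added example, not the paper's code.  G1 is modelled as the additive group Z_q
with generator a = 1 (a simplification of this example), so k * P becomes k * P mod q.
"""
import hashlib

# Constructed modulus standing in for the prime group order q from params.
Q = (1 << 127) - 1  # 2^127 - 1 is prime


def h3(data: bytes) -> int:
    """Hash h3 : {0,1}* -> Z_q*, built from SHA-256 (assumption of this example)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def encode_coin(coin: dict) -> bytes:
    """Canonical byte encoding of coin = (val, w, g_A, z1, z2, z3, j) for hashing."""
    fields = ("val", "w", "g_A", "z1", "z2", "z3", "j")
    return b"|".join(str(coin[k]).encode() for k in fields)


def make_coin(identity: int, e_B: int, k3: int, k4: int, val: int) -> dict:
    """Build the coin components the trace relies on: z1, z2, z3 from formula (10).
    w, g_A and j are opaque to the tracing step, so constructed placeholders are used."""
    return {
        "val": val,
        "w": "warrant-placeholder",
        "g_A": "gA-placeholder",
        "z1": k3 * e_B % Q,        # z1 = k3 * e_B
        "z2": k4 * e_B % Q,        # z2 = k4 * e_B
        "z3": k4 * identity % Q,   # z3 = k4 * Id
        "j": "j-placeholder",
    }


def spend(coin: dict, k3: int, k4: int, challenge: bytes) -> tuple:
    """Client side of Spend E-Payment steps 3-4: (b, x) from formula (14)."""
    b = h3(encode_coin(coin) + b"|" + challenge)
    x = (k4 + k3 * b) % Q
    return b, x


def merchant_check(coin: dict, e_B: int, challenge: bytes, b: int, x: int) -> bool:
    """Merchant-side check (assumption of this example, in place of formula (15)):
    b must equal h3(coin || c), and x * e_B - b * z1 must equal z2, which follows
    from (10) and (14) because x * e_B - b * z1 = (k4 + k3 b) e_B - b k3 e_B = k4 e_B."""
    if b != h3(encode_coin(coin) + b"|" + challenge):
        return False
    return (x * e_B - b * coin["z1"]) % Q == coin["z2"]


def trace_double_spend(rec1: tuple, rec2: tuple):
    """Bank-side trace, formula (18).  Each record is (coin, b, x, c).
    Returns (k3, k4, Id), or None when the two records cannot be traced."""
    coin1, b1, x1, _ = rec1
    coin2, b2, x2, _ = rec2
    if encode_coin(coin1) != encode_coin(coin2):
        return None  # different coins: not a double spend
    if b1 == b2:
        return None  # same challenge: (b' - b) has no inverse, nothing to solve
    inv = pow((b2 - b1) % Q, -1, Q)
    k3 = (x2 - x1) * inv % Q                 # k3 = (x' - x) (b' - b)^-1
    k4 = (x1 * b2 - x2 * b1) * inv % Q       # k4 = (x b' - x' b) (b' - b)^-1
    identity = pow(k4, -1, Q) * coin1["z3"] % Q  # Id = k4^-1 * z3
    return k3, k4, identity


def demo() -> tuple:
    """Constructed run: one coin spent against two different merchant challenges."""
    e_B, identity, k3, k4 = 123456789, 987654321, 11111, 22222  # constructed values
    coin = make_coin(identity, e_B, k3, k4, val=50)
    c1, c2 = b"merchant-challenge-1", b"merchant-challenge-2"
    b1, x1 = spend(coin, k3, k4, c1)
    b2, x2 = spend(coin, k3, k4, c2)
    assert merchant_check(coin, e_B, c1, b1, x1) and merchant_check(coin, e_B, c2, b2, x2)
    return trace_double_spend((coin, b1, x1, c1), (coin, b2, x2, c2))


if __name__ == "__main__":
    print("recovered (k3, k4, Id):", demo())
```

The bank never needs $k_3$ or $k_4$ in advance: both secrets, and hence $Id$, fall out of two honest-looking records with distinct challenges, which is exactly why a merchant must use a fresh challenge $c$ for every payment.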

Therefore, the identity of the client $C$ who has performed over-spending can be discovered by computing $Id = k_4^{-1} \cdot z_3 \bmod q$.

8. COMPARISONS

Compared with other schemes, the new scheme is more efficient in terms of computing time, complexity and storage space. Suppose that the bank has one million ($10^6$) users. Every user withdraws and spends approximately one thousand coins, and 1% of the users are distrustful. In this example, $10^9$ coins are issued, so in the other schemes one has to inspect each of the $10^9$ keys in the list to trace the holder of one deposited coin. In the new scheme, however, the mark $x$ is not stored at the bank, only the key of the distrustful user. Thus, the new scheme is more efficient by a factor of $10^9$ per coin. We also have to consider the real space for coins and the additional data needed. The other data needed is roughly the same as in other schemes, but other schemes require certification and signed mark lists, whereas the proposed scheme needs some additional information for the verifiable secret sharing scheme. The aim of the proposed scheme is that the bank cannot unlawfully trace a user by itself. This means that perfect fair tracing can be accomplished. In addition, in the payment protocol, we can set up the proxy blind signature scheme to prevent over-spending of an e-coin. Furthermore, this signature can be separated from the main scheme: exposing a particular signature secret key does not affect the other signature schemes and only compromises that user's secrecy. Moreover, this signature does not affect the soundness of the e-payment. However, there is also a small disadvantage. In the proposed scheme, we supposed three different participants, so we did not take into consideration that the bank can itself be a merchant. This situation is very uncommon, but banks can sell goods from time to time. In this situation, the user would provide all shared values to the bank, and the bank could discover the private marks by itself. Thus, when a user is not concerned about the tracing ability of the bank, s/he will use the cash which was issued by the same bank. Otherwise, s/he will use another bank's cash.

9. REVIEW OF RECENT PATENTS

A system and a method for transferring an e-payment between a purchaser and a merchant, which includes assigning the role of merchant account to a first account and the role of purchaser account to a second account within a payment system, is proposed in the patent US20110029416A1 [26]. The author also transfers funds for the total purchase price from the purchaser account to the merchant account to increase the number of features.

In patent application US20110184869A1 [27], the inventor has proposed a method of managing a franchise using a credit-card payment system. The method includes inputting the goods selection and usage statement of a customer at a franchise into a franchised client to calculate an estimated payment amount, which the information server receives from the customer together with a member authentication request signal for the customer; the authentication request signal is compared with previously stored member information of the customer to perform authentication processing for the franchised client.


In US20110031310A1 [28], the inventor designed a system for improving security and simplifying financial transactions in e-communications environments using public key cryptography. In this invention a data item is signed. The data item and the public key certificate are conveyed to the merchant, which enables the merchant to authenticate the transaction without the need to communicate with the user's financial institution. This scheme avoids the inconvenience and privacy issues associated with obtaining other card details and user details.

Patent application US20110047082A1 [29] provides an authentication device for a remote e-payment system, comprising an authentication device and an authenticating server within the remote payment system. It offers a way to generate a plan of the amount to be paid and when it is to be paid, for meeting the payment obligations in the accounts payable of a finance account.

Patent application US20110066524A1 [30] provides a micro-payments system in which e-sales transactions are secured and anonymously enabled by a central payment agent that maintains declining balance accounts for users and separately authenticates and authorizes customer and vendor transaction requests, with payment made upon confirmation of delivery. This invention also provides a method in which the personal information of the customer is not required.

In patent application US20100163618A1 [31] the inventors have proposed a computer-implemented method for making payments between a plurality of different payers and a plurality of different issuers through a payment system that retrieves a plurality of invoices issued by the different issuers to the different payers, for making a payment against at least one of the invoices. This invention enhances the processing of invoice payments and money transfer from the bank accounts of payers to the bank accounts of issuers without disclosing the bank accounts.

10. CURRENT & FUTURE DEVELOPMENTS

In this patent, we propose a proxy blind signature from bilinear pairings. The proposed proxy blind signature is proven secure under the discrete logarithm problem, the decisional bilinear Diffie-Hellman problem and the chosen-target computational Diffie-Hellman problem in the random oracle model. By applying the new proxy blind signature scheme, we build an offline e-payment system. The e-payment system provides unforgeability. It can protect the anonymity of uncorrupted clients and can also give an efficient traceability function for over-spending checking. The new e-payment system is appropriate for the requirement that all levels of banks can issue e-payment.


ACKNOWLEDGEMENTS

The author wishes to extend his thanks to the Iraqi Council of Representatives for their helpful suggestions and support.

CONFLICT OF INTEREST

The author declares no conflict of interest.

REFERENCES

[1] D. Chaum, A. Fiat and M. Naor, "Untraceable Electronic Cash", Advances in Cryptology - CRYPTO'88, Santa Barbara, CA, USA, 21-25 August 1988, Lecture Notes in Computer Science 403, pp. 319-327, Springer, Berlin, 1988.
[2] Y. Hanatani, Y. Komano, K. Ohta and N. Kunihiro, "Provably Secure Electronic Cash Based on Blind Multi-signature Schemes", Financial Cryptography 2006, Anguilla, British West Indies, 27 February-2 March 2006, Lecture Notes in Computer Science 4107, pp. 236-250, Springer, Berlin, 2006.
[3] D. Chaum, "Blind Signatures for Untraceable Payments", Advances in Cryptology - CRYPTO'82, Santa Barbara, CA, USA, pp. 199-203, Plenum Press, New York, 1982.
[4] M. Mambo, K. Usuda and E. Okamoto, "Proxy signature: delegation of the power to sign messages", IEICE Trans. Fundam., Vol. E79-A, pp. 1338-1353, 1996.
[5] W. Lin and J. Jan, "Security Personal Learning Tools Using a Proxy Blind Signature Scheme", Proc. Int. Conf. Chinese Language Computing, Illinois, USA, July 2000, pp. 273-277.
[6] S. Wang, F. Hong and G. Cui, "Secure Efficient Proxy Blind Signature Schemes Based DLP", Proc. 7th IEEE Int. Conf. E-Commerce Technology, Munich, Germany, 19-22 July 2005, pp. 452-455.
[7] G. Verma, "A proxy blind signature scheme over braid groups", Int. J. Netw. Sec., Vol. 9, pp. 214-217, 2009.
[8] F. Zhang, R. Safavi-Naini and C. Lin, "New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings", IACR e-Print Archive, Report 2003/104.
[9] Z. Tan, Z. Liu and C. Tang, "A proxy blind signature scheme based on DLP", J. Syst. Softw., Vol. 14, pp. 1931-1935, 2003.
[10] H. Sun and B. Hsieh, "On the security of some proxy blind signature schemes", J. Syst. Softw., Vol. 74, pp. 297-302, 2005.
[11] D. Chaum, "Blind signature systems", Advances in Cryptology - CRYPTO'83, USA, pp. 153-166, Plenum Press, New York, 1983.
[12] C. Popescu, "A Secure E-Cash Transfer System based on the Elliptic Curve Discrete Logarithm Problem", Informatica, Vol. 22, No. 3, pp. 395-409, 2011.
[13] M. Hedabou, "An Off-Line Electronic Payment Scheme based on Publicly Verifiable Secret Sharing", Int. J. Computer Applications (IJCA), Special Issue on Network Security and Cryptography, NSC, 201, pp. 15-19, 2011.
[14] M. Au, W. Susilo and Y. Mu, "Practical Anonymous Divisible E-Cash from Bounded Accumulators", Proc. Financial Cryptography and Data Security, Lecture Notes in Computer Science 5143, pp. 287-301, Springer-Verlag, 2008.
[15] A. Kiayias, Y. Tsiounis and M. Yung, "Traceable signatures", Advances in Cryptology - EUROCRYPT'04, Lecture Notes in Computer Science 3027, pp. 571-589, Springer-Verlag, Berlin, 2004.
[16] C. Popescu, "An Electronic Cash System Based on Group Blind Signatures", J. Informat., Vol. 17, No. 4, pp. 551-564, December 2006.
[17] C. Popescu, "A Fair Off-line Electronic Cash System Based on Elliptic Curve Discrete Logarithm Problem", Studies in Informatics and Control, Vol. 14, No. 4, pp. 291-298, 2005.
[18] A. Awasthi and S. Lal, "Proxy blind signature scheme", Transaction Cryptol., Vol. 2, No. 1, pp. 1-4, 2005.
[19] B. Majhi, D. Sahu and R. Subudhi, "An Efficient ID Based Proxy Signature, Proxy Blind Signature and Proxy Partial Blind Signature", Proc. Int. Conf. Information Technology 2008, Las Vegas, NV, USA, 7-8 April 2008, pp. 19-23, IEEE Computer Society, 2008.
[20] C. Fan, W. Sun and S. Huang, "Provably secure randomized blind signature scheme based on bilinear pairing", Comput. Math. Appl., Vol. 60, pp. 285-293, 2010.
[21] A. Boldyreva, A. Palacio and B. Warinschi, "Secure Proxy Signature Schemes for Delegation of Signing Rights", IACR e-Print Archive, Report 2003/096.
[22] Z. Tan and Z. Liu, "Provably Secure Delegation by Certification Proxy Signature Schemes", Proc. 3rd Int. Conf. Information Security, Shanghai, 14-16 November 2004, ACM International Conference Proceeding Series 85, pp. 38-43, 2004.
[23] J. Schuldt, K. Matsuura and K. Paterson, "Proxy Signatures Secure Against Proxy Key Exposure", Proc. PKC 2008, Barcelona, Spain, 9-12 March 2008, Lecture Notes in Computer Science 4939, pp. 344-359, Springer, Berlin, 2008.
[24] X. Huang, Y. Mu, W. Susilo and W. Wu, "Proxy Signature Without Random Oracles", Proc. MSN 2006, Hong Kong, 13-15 December 2006, Lecture Notes in Computer Science 4325, pp. 473-484, Springer, Berlin, 2006.
[25] D. Boneh, B. Lynn and H. Shacham, "Short Signatures from the Weil Pairing", Proc. Asiacrypt 2001, Gold Coast, Australia, 9-13 December 2001, Lecture Notes in Computer Science 2248, pp. 514-532, Springer, Berlin, 2001.
[26] J. Aaron and P. Greenspan, "Method and System for Transferring an Electronic Payment", U.S. Patent 0029416A1, February 3, 2011.
[27] H. Hee, "Method of Managing Franchises Using Credit-Card Payment System", U.S. Patent 0184869A1, July 28, 2011.
[28] W. Stephen, "Authenticating Electronic Financial Transactions", U.S. Patent 0031310A1, February 10, 2011.
[29] B. Eric, D. Christophe and G. Carles, "Remote Electronic Payment System", U.S. Patent 0047082A1, February 24, 2011.
[30] C. Keith and D. David, "Method and System for Secure Electronic Transactions", U.S. Patent 0066524A1, March 17, 2011.
[31] Y. Tianzhu and L. Zhixiong, "Transaction Method With E-Payment Card and E-Payment Card", U.S. Patent 0163618A1, July 1, 2010.