RSA-BASED SECURE ELECTRONIC CASH PAYMENT SYSTEM

Yun Ling, Yiming Xiang, Xun Wang
College of Computer & Information Engineering, Zhejiang Gongshang University, Hangzhou, P.R. China, 310018

Abstract - The wide application of E-commerce has put forward new demands on the modes of Web payment. The E-cash payment system is a key mode among current Web electronic payment systems. In this paper, a novel secure and convenient E-cash payment scheme is proposed, based on an analysis of present E-cash technology. The scheme is composed of three protocols: the withdrawal protocol, the payment protocol and the deposit protocol. Utilizing the properties of the modulus operation, the scheme can meet the demands of E-cash with only a few public keys, and it solves the problem of payment change by using blind signature and direct signature. Finally, a prototype system is realized. The experimental result shows that the proposed E-cash system is feasible.

Keywords - electronic commerce, electronic cash, payment system, RSA

I. INTRODUCTION

A secure and effective electronic payment system is a key link of E-commerce [1]. With the wide application of E-commerce, current modes of payment have been greatly challenged and there is a pressing demand for new modes of electronic payment. Besides small-amount payment systems such as micro-payment and mobile payment, current Web electronic payment systems can be categorized into the following three types: credit card-based electronic payment systems, check-based electronic payment systems and E-cash payment systems.

Credit card-based electronic payment does not support off-line payment; it requires online multi-party certification and data transmission among clients, merchants, banks and credit-card service agents during each payment procedure. This mode of payment cannot protect client privacy, since the information of every transaction can be obtained through the credit-card number. Credit card-based payment is essentially a “deferred” payment mode and permits overdrawing. Though check-based electronic payment systems can support off-line payment, they cannot prevent the client’s denial of payment or overdrawing.

E-cash payment belongs to the “prepaid” payment systems, where consumers obtain E-cash by prepaying the same amount of cash and keep it in an intelligent card. E-cash is not directly related to any account and supports off-line payment. So, compared with the two previous modes of payment, E-cash payment has the following features [2]:

1) Anonymous: a third party cannot obtain any historical payment information, cannot learn from the payment procedure which client initiated a payment, and cannot even tell whether two payments were initiated by the same client.
2) Off-line: the E-cash obtained by the client from the bank can be kept off-line.
3) Unrepeatable: the client cannot spend again E-cash that has already been used.
4) Transactional independence: similar to paper money, the client can perform E-cash authentication and complete the whole transaction without the involvement of the bank.

D. Chaum first proposed the anonymous E-cash system based on blind signature [3]. Later, D. Chaum, Fiat et al. [4] proposed the concept of one-show blind signature, so that the bank could track repeated spending of E-cash without sacrificing the anonymity of legal users. On this foundation, S. Brands [5] proposed the restrictive assumptions of blind signature and effectively realized the one-show blind signature. Based on the work of S. Brands, Y. Frankel et al. [6, 7] made further improvements and proposed the anonymity-controllable E-cash system, namely the fair E-cash system. L. Anna et al. [8] proposed an E-cash system with multiple banks’ involvement based on group signature. T. Okamoto [9] implemented a divisible E-cash system based on the structure of a binary tree. Liu [10] designed a multi-bank E-cash payment system based on elliptic curves. But all those systems are very complicated and need the introduction of new security assumptions.

To sum up, there are many E-cash payment systems in existence; the most typical ones are Netcash, CAFÉ, Wordpay, CyberCoin, Ecash and so on. Based on the current E-cash payment systems, this paper proposes a novel secure E-cash payment scheme. This scheme can meet the demands of E-cash with only a few public keys, based on the properties of the modulus operation, and solves the problem of payment change by using blind signature and direct signature. So the proposed scheme could be used for on-line E-commerce transactions.

II. E-CASH SYSTEM BASED ON ZERO-KNOWLEDGE PROOF

A. System Principle

The E-cash payment model is shown in Figure 1. In the model, the three parties are the bank, the client and the merchant. The E-cash protocol includes three procedures: first the client purchases the E-cash, then the client pays with E-cash, and finally the merchant deposits the E-cash at the bank. The detailed procedures are described as follows.

[Fig. 1. Model of payment system. Parties shown: client, merchant, issuing bank, receiving bank, liquidation system of bank. Labelled steps: withdrawal protocol (send m1, sign m1; client computes m2 = m1/k), payment protocol (send m2, m3), deposit protocol (verify m2, sign m3), delivery of signed m3.]

First, the client sends the bank a string of digits representing a certain amount of money, which is constructed on the basis of the E-cash standard with a blinding factor added. The bank returns the string of digits after verifying and signing it, and the client obtains valid E-cash by eliminating the blinding factor. When purchasing, the client pays the E-cash to the merchant. If there is small change, the client is required to construct a new string of digits representing the small change, with a blinding factor added, and to provide it to the merchant. The merchant sends those two strings to the bank. The bank verifies the first string, signs the second string, and then returns the second string. The merchant receives the string representing the small change and transfers it to the client. After that, the client eliminates the blinding factor and obtains the valid E-cash representing the small change. In Figure 1, m1 is the E-cash with blind signature, m2 is the valid E-cash, m3 is the small change (E-cash with blinding factor but without signature), and k is the blinding factor.

B. Key Technology

1) RSA algorithm. Let n be the product of two primes p and q, n = p*q, Ф(n) = (p-1)(q-1), and K = {(n, p, q, a, b) | n = p*q, where p and q are primes and a*b ≡ 1 Mod Ф(n)}. For every K = (n, p, q, a, b), the encryption and decryption algorithms are thus: Ek(x) = x^b Mod n and Dk(y) = y^a Mod n. Make n and b public, while keeping p, q and a private.

2) Digital signature. Let b be the public key and a be the private key, and px be the message to be encrypted. E(px) = px^a Mod n is just the process of signing the message px. Since b and a come in pairs, a string of digits that can be decrypted with b must have been encrypted by the holder of the key a. Thus, the signature is undeniable.

3) Zero-knowledge proof. In the early 80s, Goldwasser et al. [11] first proposed the zero-knowledge proof protocol, in which the authenticator tries to convince the verifier that it holds a certain secret value without revealing any useful information about that value. Many encryption schemes have adopted the zero-knowledge proof protocol. This paper presents a zero-knowledge proof method based on the equality of two discrete logarithms, using the method described in [12]. The verification procedure is as follows. Let g1, g2 ∈R Gq be generators of the group Gq of order q, with y1 = g1^α and y2 = g2^α. The verifying procedure of the zero-knowledge proof is denoted as:

ZKP{(α) : y1 = g1^α ∧ y2 = g2^α}.

The detailed interactive verifying procedure is as follows.

    Authenticator:             choose r ∈R Zq; compute w1 = g1^r, w2 = g2^r
    Authenticator → Verifier:  w1, w2
    Verifier:                  choose u ∈R Zq
    Verifier → Authenticator:  u
    Authenticator:             compute s = r − uα mod q
    Authenticator → Verifier:  s
    Verifier:                  check w1 = y1^u g1^s and w2 = y2^u g2^s

Thus, without revealing α, the authenticator has convinced the verifier that y1 and y2 have the same logarithm with respect to g1 and g2.

4) RSA blind signature. Suppose B has the public key b and private key a. If A wants B to blind-sign a message x, then A selects a random number k (the blinding factor), computes x1 = x * k^b Mod n, and sends x1 to B. Then B signs the message x1, y1 = Sig(x1) = x1^a Mod n = (x * k^b Mod n)^a Mod n = x^a * k Mod n, and returns y1 to A, so A can compute y = y1/k Mod n = x^a Mod n.

III. SYSTEM PROTOCOL AND SECURITY ANALYSIS

A. Withdrawal Protocol

First the bank sets up the monetary unit and selects two large primes p and q (the length of those two primes should be no less than 100 digits). Let n = p*q and Ф(n) = (p-1)*(q-1). Let the one-way function f have the form f(x) = x^b Mod n, where b is the public key of the bank. Select a series of numbers b1, b2, b3, b4, b5, b6… as the public keys and a1, a2, a3, a4, a5, a6… as the private keys, representing 1¥, 2¥, 4¥, 8¥, 16¥, 32¥… respectively. So when f(x) = x^b1 Mod n conforms to the E-cash standard format, x represents 1¥, while when f(x) = x^(b1*b2) Mod n conforms to the E-cash standard format, x represents 3¥. Since b1*a1 ≡ 1 Mod Ф(n) and (b1*b2)*(a1*a2) Mod Ф(n) = ((b1*a1) Mod Ф(n) * (b2*a2) Mod Ф(n)) Mod Ф(n) = 1, b1*b2 and a1*a2 are a pair of qualified keys. Furthermore, since b1, b2, b3… represent 2^0¥, 2^1¥, 2^2¥…, we can obtain the keys of all the numbers smaller than 2^n-1. The bank makes f, n and the keys b public and keeps p and q private.

The client submits the request for E-cash to the bank. First the client selects a random number k, the original E-cash x for the amount requested and the corresponding public key b for that specific amount. Then the client computes x1 = k^b * x Mod n, and sends the personal account, legal identification id, x1 and the requested amount to the bank. The bank verifies the client's identity and signs the message x1, namely x2 = x1^a Mod n, where a is the private key corresponding to public key b. After that, the bank subtracts an equivalent amount of money from the client account. Once the client receives x2 and computes y = x2/k Mod n = x^a Mod n, the client obtains the signature made by the bank on message x. For the corresponding amount b, y is just the valid E-cash. Here RSA blind signature technology is used. The bank can sign the E-cash, but cannot acquire the information of the E-cash signed.

B. Payment Protocol

The client U shops at the merchant S with the E-cash y, corresponding to an amount of cash b. Once the client U has finished the shopping, the client U provides y to the merchant S. S verifies y with the public keys b1, b2, b3, b4… provided by the bank. If y is legal E-cash and is sufficient to pay for the goods purchased, then the merchant S requires the client U to provide a small change y1 as E-cash to be signed (with blinding factor included). Then the merchant S sends idS, y, y1, the value of the small change and the account of S to the bank. The bank verifies the validity of idS and makes sure that y has not been used; then the bank computes the value of y, increases the account of S by the amount y-y1, signs y1, saves y in the database and sends the signed y1 to the merchant. The merchant returns the digital string to the client. The client eliminates the blinding factor to verify the cash amount. In the whole process, the merchant cannot obtain the true value of y1.

C. Deposit Protocol

After the client pays E-cash, the deposit of the merchant is executed when the bank verifies the E-cash. This protocol can also be applied when the client wants to save the small change, write off or change the E-cash. When saving the small change, the client provides the idU, account number, E-cash and money value to the bank. Then the bank verifies the validity of the E-cash and idU, transfers the corresponding amount to the account and appends the E-cash to the database. If the client wants to write off the E-cash, the bank adds the corresponding amount to the account and appends the E-cash to the database. When updating the E-cash, the bank blindly signs the newly requested E-cash and appends the original E-cash to the database.

D. Security Analysis

Since the system is based on RSA, in order to forge E-cash, one must factorize n to obtain p and q. But until now, there is no effective algorithm that can successfully attack RSA in a short time. In 1994, Derek Atkins organized an attack on RSA-129 using the Quadratic Sieve algorithm, with 1600 computers of 10MB of memory per computer. At that time, the fastest workstation was equipped with 16MB of RAM. In total it cost 5000MIPS and took 20 months to finish the attack. We can conclude that RSA-based encryption algorithms are quite robust. Though the speed of computer hardware has progressed greatly, an RSA algorithm with 200 bits could well meet the current security demands. By adopting blind signature technology, this system can effectively realize the anonymity of E-cash, prevent the repetitive spending of E-cash and solve the problem of small change; thus the system should be considered effective and secure.

IV. A SIMPLIFIED E-CASH PAYMENT SYSTEM

To explicitly describe the whole E-cash payment procedure, in the system the E-cash would be of 15 bits and the value would be less than 200. The system procedure is described as follows.

A. E-cash Request not Using Blind Signature Technology

To better describe the whole system, here we will not use blind signature technology.

The E-cash standard is defined as follows: aaaabbbbbbccccc, where aaaa is the bank code, bbbbbb represents the day, month and year of the request, and ccccc is a random number to prevent the requesting of a same amount of cash. The bank selects two primes: p=21371479, q=46381211, then n=991235076881069, Ф(n)=(p-1)*(q-1)=991235009128380. Since a pair of keys b and a must comply with b*a≡1 Mod Ф(n), the bank could get 8 pairs of keys:

    Value    Public key    Private key
    1¥       919           5393008754779
    2¥       1759          3944653248379
    4¥       1847          5366729881583
    8¥       2047          3389665395163
    16¥      6289          788070447709
    32¥      7741          1152449952481
    64¥      12929         766675697369
    128¥     17461         283842566041

The bank makes the public keys and n public. For any number smaller than 200, the number could be represented by the keys listed above. For example, suppose the E-cash is 263703052112345, where 2637 is the code of a certain bank, 030521 represents that the request was made on May 21st 2003, and 12345 is the random number. The bank signs the digits with a value of 2¥; after signature, it becomes 263703052112345^3944653248379 Mod n = 888599113292284, where 888599113292284 is the valid E-cash. To represent 15¥, first compute the private key 386996043369205609051996797491026736726759943246989 (1¥*2¥*4¥*8¥), then the signature 263703052112345^386996043369205609051996797491026736726759943246989 Mod n = 530044778280746, where 530044778280746 is the valid E-cash and the public key is 6111757145489.

To raise such a large number to such a large power modulo n, an ordinary algorithm is not applicable. A square-and-multiply algorithm is presented here, described in detail as follows. The key corresponding to the value is decomposed into binary form. For example, the private key corresponding to 15¥ is 386996043369205609051996797491026736726759943246989, and in binary form it is 1011000100101000100111110000101000000110100111111001100010001011111000000110111111001000011101110000000111010010111000000100110111111101010000110111100011010011000100001. Let B1=1, B2=0, B3=1, B4=1, B5=0……; the algorithm is as follows:

    z = 1
    for i = 1 to t
        z = z^2 Mod n
        if Bi = 1 then
            z = z*x Mod n
        end if
    next

where t is the length of the binary number and x is 263703052112345.

B. Using E-cash

The client owns E-cash 530044778280746 with a value of 15¥. When the client sends the E-cash to the merchant, the merchant can verify the E-cash. The data available to the merchant are the standard format of E-cash, the public keys provided by the bank and n=991235076881069. The public key for 15¥ is 6111757145489. The merchant computes 530044778280746^6111757145489 Mod n = 263703052112345 and analyses the result. Having verified that the result conforms to the standard format of E-cash, the merchant sends the E-cash to the bank. If there is small change, the merchant requires the client to provide an unsigned E-cash with blinding factor. For example, in this transaction the client spends 10¥, so the small change would be 5¥, making it necessary for the bank to sign the E-cash with a value of 5¥ provided by the client.

C. Using Blind Signature to Realize Small Change

The client provides the E-cash 263703052265895 with the blinding factor 236. The public key corresponding to 5¥ is 1697393. The client computes 263703052265895*236^1697393 Mod n = 649814514572498, while the signature made by the bank is 649814514572498^28942821235911184955335157 Mod n = 473739661561024. The bank sends the E-cash to the client. Then the client eliminates the blinding factor: 473739661561024/236 Mod n = 489224612626123. The algorithm to eliminate the blinding factor is:

    for I = 1 to 236
        if (N * I + 473739661561024)/236 = truncate((N * I + 473739661561024)/236, 0) then
            result = (N * I + 473739661561024)/236
        end if
    next

where result is the right answer and truncate((N * I + 473739661561024)/236, 0) represents the truncating operation. Verifying the E-cash: 489224612626123^1697393 Mod n = 263703052265895, thus the transaction has been accomplished.

V. CONCLUSION

This paper presents an RSA-based E-cash system and analyses the system's procedures in detail by completing a simplified system. The experimental results show that the system has many features, such as a relatively small number of public keys provided by the bank, convenience and security. With an intelligent card embedded with the program, the client could manipulate the random number in the card to carry out procedures such as blind signature. Furthermore, this random number could become the identification password for the intelligent card. Naturally, this system has many drawbacks, such as the length of the key being too long. Since N should be bigger than the E-cash to be encrypted, and b*a≡1 mod Ф(n) and Ф(n)=(p-1)*(q-1)=n-(p+q)+1, the sum of the length of b and a should be at least the length of N minus 1 bit. The maximum length could be more than four times the length of N (E-cash with a value less than 255¥). It is conceivable that an E-cash with more than 200 digits would result in a massive problem for key management, so how to better manage the keys would be the research focus for further study.

REFERENCES

[1] D. O'Mahony, M. Peirce, H. Tewari. Electronic payment systems for E-commerce. Boston: Artech House, 2003.
[2] Zhong Ming, Yang Yixian. Electronic cash based on zero knowledge proof[J]. Journal of China Institute of Communications, 2001, 22(6): 34-38.
[3] D. Chaum. Blind signatures for untraceable payments[A]. Proc. of CRYPTO’82[C]. Berlin: Plenum Press, 1983, 199-203.
[4] D. Chaum, A. Fiat, M. Naor. Untraceable Electronic Cash[A]. In Advance in Cryptology-Crypto’88[C]. German: Springer Verlag, 1988, 319-327.
[5] S. Brands. Untraceable Off-line Cash in Wallets with Observers[A]. In Advance in Cryptology-Crypto’93[C]. German: Springer Verlag, 1993, 302-318.
[6] Y. Frankel, Y. Tsiounis, M. Yung. Indirect discourse proof: achieving fair off-line E-cash[A]. Proc. of Asiacrypt’96[C]. German: Springer Verlag, 1996, 286-300.
[7] Y. Frankel, Y. Tsiounis, M. Yung. Fair off-line E-cash made easy[A]. Proc. of Asiacrypt’98[C]. Berlin: Springer Verlag, 1998, 257-270.
[8] L. Anna, R. Zulfikar. Group Blind Digital Signatures: A scalable solution to electronic cash[A]. In Financial Cryptography’98[C]. German: Springer Verlag, 1998, 184-191.
[9] T. Okamoto. An efficient divisible electronic cash scheme[A]. Proc. of Crypto’95[C]. German: Springer-Verlag, 1995, 438-451.
[10] Liu Wenyuan. A designed a multi-bank E-cash payment system based on elliptic curves[J]. Journal of China Institute of Communications, 2003, 11(2): 19-23.
[11] S. Goldwasser, S. Micali, C. Rackoff. Knowledge complexity of interactive proofs[A]. Proc. of STOC[C]. 1985, 291-304.
[12] D. Chaum, T. P. Pedersen. Wallet Databases with observers[A]. Advance in Cryptology-Crypto’92, Lecture Notes in Computer Science[C]. vol. 740, Springer Verlag, 1993, 89-105.
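
The simplified system of Section IV, from composing a denomination key to blind withdrawal and merchant verification, can be run end to end; the following is an added example and not code from the paper or its prototype. It uses the parameters printed in Section IV.A and goes beyond the text in two ways, both assumptions of this example: the bank's composite private key is computed as the inverse of the composite public key modulo Ф(n) (an equivalent exponent to the product of private keys), and the blinding factor is removed with a modular inverse instead of the search loop. All function names are hypothetical.

```python
from math import gcd

# Parameters and denomination public keys as printed in Section IV.A of the paper.
P, Q = 21371479, 46381211
N = P * Q
PHI = (P - 1) * (Q - 1)
PUBLIC = {1: 919, 2: 1759, 4: 1847, 8: 2047,
          16: 6289, 32: 7741, 64: 12929, 128: 17461}


def public_key(amount):
    """Multiply the public keys of the powers of two that sum to `amount`."""
    if not 0 < amount < 256:
        raise ValueError("amount not representable with eight denominations")
    b = 1
    for unit, key in PUBLIC.items():
        if amount & unit:
            b *= key
    return b


def private_key(amount):
    """Bank only: inverse of the composite public key modulo phi(n)."""
    return pow(public_key(amount), -1, PHI)


def modexp(x, e, n):
    """Square-and-multiply over the exponent bits, most significant first."""
    z = 1
    for bit in bin(e)[2:]:
        z = z * z % n
        if bit == "1":
            z = z * x % n
    return z


def blind(x, k, amount):
    """Client: hide the E-cash string x under blinding factor k."""
    if gcd(k, N) != 1:
        raise ValueError("blinding factor must be invertible modulo n")
    return x * modexp(k, public_key(amount), N) % N


def sign(x1, amount):
    """Bank: sign the received value with the private key for `amount`."""
    return modexp(x1, private_key(amount), N)


def unblind(y1, k):
    """Client: divide by k modulo n using the modular inverse of k."""
    return y1 * pow(k, -1, N) % N


def verify(coin, amount):
    """Merchant: recover the string whose aaaabbbbbbccccc format is then checked."""
    return modexp(coin, public_key(amount), N)


if __name__ == "__main__":
    x, k = 263703052265895, 236               # values from Section IV.C
    coin = unblind(sign(blind(x, k, 5), 5), k)
    print("coin:", coin, "recovered x:", verify(coin, 5) == x)
```

The `pow(value, -1, modulus)` form needs Python 3.8 or later.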