Hindawi Publishing Corporation, Mobile Information Systems, Volume 2016, Article ID 2620141, 10 pages. http://dx.doi.org/10.1155/2016/2620141

Research Article

Secure Electronic Cash Scheme with Anonymity Revocation

Baoyuan Kang and Danhui Xu
School of Computer Science and Software, Tianjin Polytechnic University, Tianjin 300387, China
Correspondence should be addressed to Baoyuan Kang; [email protected]

Received 8 September 2015; Revised 14 December 2015; Accepted 1 March 2016
Academic Editor: Francesco Gringoli

Copyright © 2016 B. Kang and D. Xu. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

In a popular electronic cash scheme there are three participants: the bank, the customer, and the merchant. First, a customer opens an account at a bank. Then he withdraws an e-cash from his account and pays it to a merchant. After checking the electronic cash's validity, the merchant accepts it and deposits it at the bank. There are a number of requirements for an electronic cash scheme, such as anonymity, unforgeability, unreusability, divisibility, transferability, and portability. The anonymity property of electronic cash schemes protects the privacy of payers. However, this anonymity is easily abused by criminals. In 2011, Chen et al. proposed a novel electronic cash system with trustee-based anonymity revocation from pairing. On demand, the trustee can disclose the identity behind an e-cash. In this paper we point out that Chen et al.'s scheme suffers from several drawbacks. To contribute a secure electronic cash scheme, we propose a new offline electronic cash scheme with anonymity revocation. We also provide formal security proofs of unlinkability and unforgeability. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

1. Introduction

Due to the rapid progress of computer networks and the Internet, information technology is now used in electronic commerce, and many electronic commerce services can be found on the Internet. So an electronic payment mechanism is necessary for electronic commerce, and electronic payment is one of the key issues of electronic commerce development. To realize the digitalization of traditional cash and electronic payment, in 1983 Chaum suggested the first electronic cash scheme [1]. Popularly, in an electronic cash scheme there are three participants: the bank, the customer, and the merchant. First, a customer opens an account at a bank. Then he withdraws an e-cash from his account and pays it to a merchant. After checking the electronic cash's validity, the merchant accepts it and deposits it at the bank. For security and efficiency, there are a number of requirements for an electronic cash scheme, such as anonymity, unforgeability, unreusability, divisibility, transferability, and portability [2]. Some of them are listed below.

Anonymity/Unlinkability. The customer of the cash must be anonymous. As long as the coin is spent legitimately, neither the merchant nor the bank can identify the customer of the coin.

Unforgeability. Only authorized banks can generate electronic cash.

Unreusability. The electronic cash cannot be reused. The scheme can detect a malicious customer who spends the cash twice.

Electronic cash schemes can be divided into two categories: online and offline. In online schemes, when a coin is paid to a merchant, the bank must take part in order to validate the coin and detect its reuse. In offline schemes, double spending can only be detected when the merchant deposits the coin at the bank in the next phase. After Chaum's scheme, a lot of electronic cash schemes [3–9] were proposed based on blind signatures and restrictive blind signatures. Afterward, many more complex schemes were proposed [10–13]. Recently, Eslami and Talebi proposed an untraceable electronic cash scheme [2] and claimed that their scheme satisfies all main security requirements, such as anonymity, unreusability, and date attachability. However, Baseri et al. [14] showed that Eslami and Talebi's scheme has weaknesses in perceptibility of the double spender, unforgeability, and date attachability. Baseri et al. also contributed a novel electronic cash scheme.

Untraceable electronic cash is an attractive payment tool for electronic commerce because its anonymity property protects the privacy of payers. However, this anonymity is easily abused by criminals. In 2011, Chen et al. [15] proposed an electronic cash system with trustee-based anonymity revocation from pairing. On demand, the trustee can disclose the identity of the owner of an e-cash. Chen et al. claimed that their scheme is the first attempt to incorporate mutual authentication and key agreement into e-cash protocols and that it satisfies the security requirements of untraceability, verifiability, unforgeability, and anonymity revocation. But in 2012, Chang [16] claimed to have found some weaknesses in Chen et al.'s scheme. Then Chen et al. [17] immediately provided a response to rebut Chang's attacks. By thoroughly investigating Chen et al.'s scheme, we find that, although Chang's attacks are indeed wrong, Chen et al.'s scheme is nevertheless insecure. It suffers from the following drawbacks.

(1) The first flaw is an attack on unforgeability by a dishonest customer.
(2) The second flaw is an attack on double-spending owner tracing.
(3) The third flaw is a potential attack by the bank.

To contribute a secure electronic cash scheme, we propose a new offline electronic cash scheme with anonymity revocation. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

The remainder of this paper is organized as follows. Related concepts of bilinear pairing and the CDH problem are introduced in Section 2. In Section 3, we show some weaknesses of Chen et al.'s scheme. In Section 4 we propose a new electronic cash scheme with anonymity revocation. In Section 5 we show the verifiability of the proposed scheme. Double spender detection is covered in Section 6. In Section 7 we show that the proposed scheme satisfies uncheatability of merchants. Provable security of our scheme is covered in Section 8. In Section 9 we compare our scheme with the others. Finally, conclusions are given in Section 10.

2. Preliminary

2.1. The Bilinear Pairing. Let $G_1$ be a cyclic additive group generated by $P$, whose order is a prime $q$, and let $G_2$ be a cyclic multiplicative group of the same order. Let $e : G_1 \times G_1 \to G_2$ be a pairing map which satisfies the following conditions:

(1) Bilinearity: for any $P, Q, R \in G_1$, we have $e(P+Q, R) = e(P, R)\,e(Q, R)$. In particular, for any $a, b \in Z_q$, $e(aP, bP) = e(P, abP) = e(abP, P) = e(P, P)^{ab}$.
(2) Nondegeneracy: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.
(3) Computability: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

2.2. The CDH Problem. Let $G$ be a cyclic additive group of prime order $q$ and $P$ a generator of $G$. The computational Diffie-Hellman (CDH) problem is to compute $abP$ for given $P, aP, bP \in G$.

3. Effective Attacks on Chen et al.'s Scheme

In this section, we show the drawbacks of Chen et al.'s scheme [15]. For brevity, we omit the review of Chen et al.'s scheme; readers can find the details in [15].

3.1. Attack on the Unforgeability by the Dishonest Customer. When the customer obtains an e-cash $\{CNO, LST, (R, S)\}$, he can randomly select $a \in Z_q^*$ and forge the e-cash $\{CNO, a \cdot LST, (a \cdot R, a \cdot S)\}$, because the e-cash $\{CNO, LST, (R, S)\}$ satisfies

$$e(S, P) = e(H_3(CNO)\,Q_B, R) \cdot e(LST \cdot Q_B, P_{pub}). \quad (1)$$

So

$$e(S, P)^a = e(H_3(CNO)\,Q_B, R)^a \cdot e(LST \cdot Q_B, P_{pub})^a. \quad (2)$$

Then

$$e(a \cdot S, P) = e(H_3(CNO)\,Q_B, a \cdot R) \cdot e(a \cdot LST \cdot Q_B, P_{pub}). \quad (3)$$

That is to say, the customer forges a valid e-cash $\{CNO, a \cdot LST, (a \cdot R, a \cdot S)\}$. Of course, in the payment protocol, when the merchant gets an e-cash from a customer, he can forge e-cash in the same way. Further, these forged e-cash make the scheme fail in double-spending owner tracing, because it is impossible to find the customer identity from $a \cdot LST$. Note that $(R, S)$ is a signature on $CNO$ and $LST$. Furthermore, $CNO$ does not distinguish one e-cash from another: $CNO$ is only a randomly selected number, and any customer can choose any $CNO$ for their e-cash. If $CNO$ has any function, it is only for a certain customer. It is not strange that different customers may choose the same $CNO$ for their e-cash. So this attack is a successful forgery.

3.2. Attack by the Dishonest Merchant. In practice, there are always many merchants from different shops. After receiving an e-cash $\{CNO, LST, (R, S)\}$ from a customer, the merchant may spend $\{CNO, LST, (R, S)\}$ at another merchant. This attack works because the verification equation

$$e(S, P) = e(H_3(CNO) \cdot Q_B, R) \cdot e(LST \cdot Q_B, P_{pub}) \quad (4)$$

involves only $CNO, LST, R, S$, and no extra information has to be provided by the customer in the verification process. Later, even if the bank finds double spending, the bank and the trustee cannot find the real double spender, because the double spender may not be the customer himself.


3.3. Potential Attack by the Bank. In the payment protocol, the only verification of the e-cash $\{CNO, LST, (R, S)\}$ is to examine whether the following equation holds:

$$e(S, P) = e(H_3(CNO) \cdot Q_B, R) \cdot e(LST \cdot Q_B, P_{pub}). \quad (5)$$

But if we let $R = aP_{pub}$ ($a$ is a randomly selected number in $Z_q^*$) in the above equation, then

$$e(S, P) = e(H_3(CNO) \cdot Q_B, aP_{pub}) \cdot e(LST \cdot Q_B, P_{pub}) = e(a \cdot H_3(CNO) \cdot Q_B, P_{pub}) \cdot e(LST \cdot Q_B, P_{pub}) = e((a \cdot H_3(CNO) + LST) \cdot Q_B, P_{pub}) = e((a \cdot H_3(CNO) + LST) \cdot S_B, P). \quad (6)$$

So the bank can randomly select $CNO$ and $LST$ and then let $R = aP_{pub}$, $S = (a \cdot H_3(CNO) + LST) \cdot S_B$ to generate an e-cash $\{CNO, LST, (R, S)\}$. This apparently violates the withdrawal protocol, in which the customer and the bank together perform a blind signature to complete the e-cash withdrawal.

4. Our Proposed Scheme

Based on an id-based signature scheme [21] proposed by Hess and an efficient id-based blind signature [22] proposed by Zhang and Kim, we propose an offline electronic cash scheme with anonymity revocation. In the proposed scheme there are four participants: the trustee $T$, the bank $B$, the customer $C$, and the merchant $M$. There are five protocols: license issuing, withdrawal, payment, deposit, and e-cash owner tracing. Any communication between two entities should be encrypted; this can be done by incorporating mutual authentication and key agreement protocols, as in [15]. For brevity, we omit those encryptions in the five protocols.

4.1. System Setup. In this stage, the Key Generation Center (KGC) chooses a cyclic additive group $G_1$ generated by $P$ with prime order $q$, a cyclic multiplicative group $G_2$ of the same order, and a bilinear map $e : G_1 \times G_1 \to G_2$. The KGC also chooses a random $s \in Z_q^*$ as the master key, sets $P_{pub} = sP$ as public, and chooses cryptographic hash functions $H_1 : \{0,1\}^* \to G_1$ and $H_2 : \{0,1\}^* \to Z_q^*$. The system parameter list is $\mathrm{params} = (G_1, G_2, e, P, P_{pub}, H_1, H_2)$. When the customer $C$ submits his identity $ID_C$ to the KGC, the KGC computes the public key $Q_C = H_1(ID_C)$ and the private key $S_C = sQ_C$ for the customer $C$. Similarly, the KGC generates the public/private key pairs $(Q_T, S_T)$, $(Q_B, S_B)$, and $(Q_M, S_M)$ for the trustee $T$, the bank $B$, and the merchant $M$, respectively.

4.2. License-Issuing Protocol. Before withdrawing e-cash from the bank, the customer $C$ needs to ask the trustee $T$ to issue him a license. The following steps describe the protocol, which is also illustrated in Box 1.

(1) Customer $C$ selects four random numbers $b, z, w_1, w_2 \in Z_q^*$ and sends $\{ID_C, b, z, w_1, w_2\}$ to the trustee $T$.

(2) $T$ chooses a random number $x \in Z_q^*$ and computes $LST = E_{K_T}(ID_C \oplus x)$. Here $E$ is a symmetric encryption algorithm and $K_T$ is a secret key.

(3) To sign $b^{-1}LST$, the trustee $T$ selects a random number $r \in Z_q^*$ and computes

$$R = e(P, P)^r, \quad u = H_2(b^{-1}LST \,\|\, R), \quad V = uS_T + rP. \quad (7)$$

The trustee $T$ also signs $A_1 + A_2 + A_3 + A_4$, where $A_1 = (bz + z)P_{pub}$, $A_2 = (w_1 + w_2)P_{pub}$, $A_3 = w_1 P_{pub}$, and $A_4 = bzP_{pub}$. $T$ selects a random number $y \in Z_q^*$ and computes

$$Y = e(P, P)^y, \quad d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y), \quad F = dS_T + yP. \quad (8)$$

After that, the trustee $T$ stores $(LST, x)$ in its database and sends $(LST, u, V, d, F)$ to the customer $C$.

(4) The customer $C$ computes

$$R' = e(V, P)\,e(uQ_T, P_{pub})^{-1}, \quad Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1} \quad (9)$$

and checks whether

$$u = H_2(b^{-1}LST \,\|\, R'), \quad d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y'). \quad (10)$$

If so, the customer $C$ obtains the license $(LST, u, V)$ and the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$.

4.3. Withdrawal Protocol. To complete the e-cash withdrawal, the customer $C$ and the bank $B$ together perform the following steps. This protocol is also illustrated in Box 2.

(1) Customer $C$ sends $\{ID_C, (b^{-1}LST, u, V)\}$ to the bank $B$.

(2) $B$ first computes

$$R' = e(V, P)\,e(uQ_T, P_{pub})^{-1} \quad (11)$$

and checks whether

$$u = H_2(b^{-1}LST \,\|\, R'). \quad (12)$$

If so, the bank $B$ selects a random number $k \in Z_q^*$, computes $K = kQ_B$, and sends $K$ to the customer $C$.


Customer $C$: selects random numbers $b, z, w_1, w_2 \in Z_q^*$.
$C \to T$: $\{ID_C, b, z, w_1, w_2\}$.
Trustee $T$: chooses a random number $x \in Z_q^*$ and computes $LST = E_{K_T}(ID_C \oplus x)$; selects a random number $r \in Z_q^*$ and computes $R = e(P, P)^r$, $u = H_2(b^{-1}LST \,\|\, R)$, $V = uS_T + rP$; selects a random number $y \in Z_q^*$ and computes $Y = e(P, P)^y$, $d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y)$, $F = dS_T + yP$.
$T \to C$: $(LST, u, V, d, F)$.
Customer $C$: computes $R' = e(V, P)\,e(uQ_T, P_{pub})^{-1}$ and $Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$; checks whether $u = H_2(b^{-1}LST \,\|\, R')$ and $d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y')$; obtains the license $(LST, u, V)$ and the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$.

Box 1: License-issuing protocol.

$C \to B$: $\{ID_C, (b^{-1}LST, u, V)\}$.
Bank $B$: computes $R' = e(V, P)\,e(uQ_T, P_{pub})^{-1}$; checks whether $u = H_2(b^{-1}LST \,\|\, R')$; selects a random number $k \in Z_q^*$ and computes $K = kQ_B$.
$B \to C$: $K$.
Customer $C$: selects two random numbers $a, c \in Z_q^*$ and computes $K' = aK + acQ_B$, $h = a^{-1}H_2(LST \,\|\, K') + c$.
$C \to B$: $h$.
Bank $B$: computes $S = (k + h)S_B$.
$B \to C$: $S$.
Customer $C$: computes $S' = aS$; checks whether $e(S', P) = e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub})$; obtains the e-cash $(LST, K', S')$.

Box 2: Withdrawal protocol.

$C \to M$: $(LST, K', S')$.
Merchant $M$: checks whether $e(S', P) = e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub})$; selects a random number $l \in Z_q^*$ and computes $L = e(P, P)^l$, $j = H_2(LST \,\|\, K' \,\|\, S' \,\|\, L)$, $D = jS_M + lP$.
$M \to C$: $(j, D)$.
Customer $C$: computes $L' = e(D, P)\,e(jQ_M, P_{pub})^{-1}$; checks whether $j = H_2(LST \,\|\, K' \,\|\, S' \,\|\, L')$; computes $f_1 = bjz + w_1$, $f_2 = jz + w_2$.
$C \to M$: $(f_1, f_2, A_1, A_2, A_3, A_4, j, d, F)$.
Merchant $M$: checks whether $e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2)$; computes $Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$; checks whether $d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y')$; accepts the payment.

Box 3: Payment protocol.
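As an added illustration (not code from the paper or its authors), the following Python simulation runs the withdrawal of Box 2, two payments of Box 3 with the same coin, and the bank's deposit-time double-spender detection of Box 4 and Section 6. It assumes a toy pairing in which $G_1$ is identified with $Z_q$ (the point $xP$ is stored as the scalar $x$) and $e(xP, yP) = g^{xy} \bmod p$, models $H_1$ and $H_2$ as SHA-256 reductions into $Z_q^*$, takes $LST$ to be a random element of $Z_q^*$ in place of the trustee's ciphertext, and leaves out the merchant's signature $(j, D)$.

```python
import hashlib
import secrets

# Toy model (constructed for this example): G1 is identified with Z_q, so the
# point xP is stored as the scalar x and P itself is 1; the pairing is
# e(xP, yP) = g^(xy) mod p for a g of prime order q in Z_p^*.  Exact algebra, no security.
def is_prime(n):
    return all(n % d for d in range(2, int(n ** 0.5) + 1))

q = 10**6
while not is_prime(q):                    # smallest prime >= 10^6
    q += 1
cofactor = 2
while not is_prime(cofactor * q + 1):     # p = cofactor*q + 1 prime
    cofactor += 1
p = cofactor * q + 1
g = next(x for x in (pow(h, cofactor, p) for h in range(2, 64)) if x != 1)
P = 1                                     # the generator, as a scalar

def e(x, y):
    """Toy pairing e(xP, yP) = g^(xy)."""
    return pow(g, (x * y) % q, p)

def H2(*parts):
    """H2: {0,1}* -> Z_q^* (SHA-256 of the '|'-joined inputs; toy only)."""
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (q - 1)

def rand_zq_star():
    return 1 + secrets.randbelow(q - 1)

# KGC setup (Section 4.1): master key s, P_pub = sP, id-based keys of B and T.
s = rand_zq_star()
P_pub = s * P % q
Q_B, Q_T = H2("H1", "bank"), H2("H1", "trustee")   # H1 modelled through H2
S_B = s * Q_B % q

def withdrawal(id_c, LST, b_inv_LST, bank_records):
    """Box 2: the bank sees only (K, h, S); the customer unblinds to (LST, K', S')."""
    bank_records[b_inv_LST] = id_c                 # step 1 record {ID_C, b^{-1}LST}
    k = rand_zq_star()
    K = k * Q_B % q                                # bank -> customer: K
    a, c = rand_zq_star(), rand_zq_star()
    K1 = (a * K + a * c * Q_B) % q                 # K' = aK + acQ_B
    h = (pow(a, -1, q) * H2(LST, K1) + c) % q      # h = a^{-1}H2(LST||K') + c
    S = (k + h) * S_B % q                          # bank: S = (k + h)S_B
    return (LST, K1, a * S % q)                    # S' = aS

def verify_coin(coin):
    """e(S', P) = e(K' + H2(LST||K')Q_B, P_pub), eqs. (16)/(17)."""
    LST, K1, S1 = coin
    return e(S1, P) == e((K1 + H2(LST, K1) * Q_B) % q, P_pub)

def license_points(b, z, w1, w2):
    """A1..A4 of the license-issuing protocol (Section 4.2)."""
    return tuple(v * P_pub % q for v in (b * z + z, w1 + w2, w1, b * z))

def pay(coin, b, z, w1, w2):
    """Box 3: j = H2(LST||K'||S'||L); f1 = bjz + w1, f2 = jz + w2 (D omitted)."""
    L = pow(g, rand_zq_star(), p)                  # L = e(P, P)^l
    j = H2(*coin, L)
    return j, (b * j * z + w1) % q, (j * z + w2) % q

def check_response(j, f1, f2, A):
    """The two pairing checks on (f1, f2): eqs. (23) and (26)."""
    A1, A2, A3, A4 = A
    return (e((f1 + f2) * Q_T % q, P_pub) == e(Q_T, (j * A1 + A2) % q)
            and e(f1 * Q_T % q, P_pub) == e(Q_T, (A3 + j * A4) % q))

def deposit(coin, j, f1, f2, bank_records, deposit_table):
    """Box 4 / Section 6: store a fresh coin; on a second deposit of the same
    LST recover b = (f1 - f1')/(f2 - f2') and look up b^{-1}LST."""
    if not verify_coin(coin):
        return "rejected", None
    LST = coin[0]
    if LST not in deposit_table:
        deposit_table[LST] = (j, f1, f2)
        return "accepted", None
    _, f1_0, f2_0 = deposit_table[LST]
    if (f2 - f2_0) % q == 0:                       # same j: no information
        return "double-spent", None
    b = (f1 - f1_0) * pow((f2 - f2_0) % q, -1, q) % q      # eq. (39)
    owner = bank_records.get(pow(b, -1, q) * LST % q) if b else None
    return "double-spent", owner

def run_demo(id_c="alice"):
    """Withdraw one coin, spend it twice, deposit both spends at the bank."""
    bank_records, deposit_table = {}, {}
    b, z, w1, w2 = (rand_zq_star() for _ in range(4))
    LST = rand_zq_star()               # stands in for E_{K_T}(ID_C xor x)
    coin = withdrawal(id_c, LST, pow(b, -1, q) * LST % q, bank_records)
    A = license_points(b, z, w1, w2)
    results = []
    for _ in range(2):                 # the same coin at two merchants
        j, f1, f2 = pay(coin, b, z, w1, w2)
        assert check_response(j, f1, f2, A)
        results.append(deposit(coin, j, f1, f2, bank_records, deposit_table))
    return tuple(results)              # (('accepted', None), ('double-spent', 'alice'))
```

A single deposit gives the bank one linear equation in the two unknowns $b$ and $z$, so it reveals nothing; only a second spend with a different challenge $j$ makes the quotient in (39) computable.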

(3) The customer $C$ selects two random numbers $a, c \in Z_q^*$, computes

$$K' = aK + acQ_B, \quad h = a^{-1}H_2(LST \,\|\, K') + c, \quad (13)$$

and sends $h$ to the bank $B$.

(4) The bank $B$ computes

$$S = (k + h)S_B \quad (14)$$

and sends $S$ to the customer $C$.

(5) Customer $C$ computes

$$S' = aS \quad (15)$$

and checks whether

$$e(S', P) = e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub}). \quad (16)$$

If so, the customer $C$ obtains the e-cash $(LST, K', S')$.

4.4. Payment Protocol. When the customer $C$ wants to spend his cash at a shop, the customer $C$ and the merchant $M$ perform the following steps. This protocol is also illustrated in Box 3.

(1) Customer $C$ sends $(LST, K', S')$ to the merchant $M$.

(2) The merchant $M$ checks whether

$$e(S', P) = e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub}). \quad (17)$$

If so, he selects a random number $l \in Z_q^*$ and computes

$$L = e(P, P)^l, \quad (18)$$

$$j = H_2(LST \,\|\, K' \,\|\, S' \,\|\, L), \quad D = jS_M + lP. \quad (19)$$

Then he sends $(j, D)$ to the customer $C$.

(3) The customer $C$ computes

$$L' = e(D, P)\,e(jQ_M, P_{pub})^{-1} \quad (20)$$

and checks whether

$$j = H_2(LST \,\|\, K' \,\|\, S' \,\|\, L'). \quad (21)$$

If so, he computes

$$f_1 = bjz + w_1, \quad f_2 = jz + w_2. \quad (22)$$

Then he sends $(f_1, f_2, A_1, A_2, A_3, A_4, j, d, F)$ to the merchant $M$.

(4) The merchant $M$ checks whether

$$e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2) \quad (23)$$

and computes

$$Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$$

and checks whether

$$d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y'). \quad (24)$$

If so, the merchant accepts the payment.

4.5. Deposit Protocol. When the merchant $M$ wants to deposit the received e-cash into his account at the bank $B$, the following steps are performed between the bank $B$ and the merchant $M$. This protocol is also illustrated in Box 4.

(1) The merchant $M$ sends $(LST, K', S', f_1, f_2, j, A_1, A_2, A_3, A_4, d, F)$ to the bank $B$.

(2) The bank $B$ first checks whether the coin already exists in its deposit table. If the coin exists, it runs the double spender detection procedure. Else, the bank computes

$$Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1} \quad (25)$$

and checks whether

$$e(S', P) = e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub}),$$
$$e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2),$$
$$e(f_1 Q_T, P_{pub}) = e(Q_T, A_3 + jA_4),$$
$$d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y'). \quad (26)$$

If the above four equations hold, the bank accepts the coin, stores it in the deposit table, and transfers money to the merchant $M$.

$M \to B$: $(LST, K', S', f_1, f_2, j, A_1, A_2, A_3, A_4, d, F)$.
Bank $B$: computes $Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$; checks whether $e(S', P) = e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub})$, $e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2)$, $e(f_1 Q_T, P_{pub}) = e(Q_T, A_3 + jA_4)$, and $d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y')$; checks whether the e-cash is being double spent; if it is fresh, credits the merchant's account.

Box 4: Deposit protocol.

4.6. Revoking the Anonymity. In case an e-cash $(LST, K', S')$ is abused by a criminal, whether the cash is spent twice or not, the trustee can revoke the anonymity of the e-cash from the $LST$ provided by the bank. As soon as the trustee $T$ receives the request to revoke anonymity, $T$ searches its database for the record $(LST, x)$ and computes the identity information $ID_C = D_{K_T}(LST) \oplus x$ using its secret key $K_T$.

5. Verifiability of the Proposed Scheme

Firstly, we show that the blind license $b^{-1}LST$ can be verified by the equation

$$u = H_2(b^{-1}LST \,\|\, R'). \quad (27)$$

Since

$$R' = e(V, P)\,e(uQ_T, P_{pub})^{-1} = e(V, P)\,e(-uS_T, P) = e(V - uS_T, P) = e(rP, P) = R, \quad (28)$$

we have $u = H_2(b^{-1}LST \,\|\, R) = H_2(b^{-1}LST \,\|\, R')$.

Secondly, we show that the e-cash can be verified by the equation

$$e(S', P) = e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub}). \quad (29)$$

In fact,

$$e(S', P) = e(aS, P) = e(a(k + h)S_B, P) = e(a(k + a^{-1}H_2(LST \,\|\, K') + c)\,Q_B, P_{pub}) = e(akQ_B + acQ_B + H_2(LST \,\|\, K')\,Q_B, P_{pub}) = e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub}). \quad (30)$$

Thirdly, we show that the signature $(j, D)$ on $(LST, K', S')$ by the merchant can be verified by the equation

$$j = H_2(LST \,\|\, K' \,\|\, S' \,\|\, L'). \quad (31)$$

Since

$$L' = e(D, P)\,e(jQ_M, P_{pub})^{-1} = e(D, P)\,e(-jS_M, P) = e(D - jS_M, P) = e(lP, P) = L, \quad (32)$$

we have $j = H_2(LST \,\|\, K' \,\|\, S' \,\|\, L) = H_2(LST \,\|\, K' \,\|\, S' \,\|\, L')$.

Fourthly, we show that the information $(f_1, f_2)$ can be verified by the equations

$$e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2), \quad e(f_1 Q_T, P_{pub}) = e(Q_T, A_3 + jA_4). \quad (33)$$


In fact,

$$e((f_1 + f_2)Q_T, P_{pub}) = e((bjz + w_1 + jz + w_2)Q_T, P_{pub}) = e((bjz + jz)Q_T + (w_1 + w_2)Q_T, P_{pub}) = e((bjz + jz)Q_T, P_{pub})\,e((w_1 + w_2)Q_T, P_{pub}) = e(Q_T, (bjz + jz)P_{pub})\,e(Q_T, (w_1 + w_2)P_{pub}) = e(Q_T, jA_1)\,e(Q_T, A_2) = e(Q_T, jA_1 + A_2),$$
$$e(f_1 Q_T, P_{pub}) = e((bjz + w_1)Q_T, P_{pub}) = e(Q_T, (bjz + w_1)P_{pub}) = e(Q_T, A_3 + jA_4). \quad (34)$$

Finally, we show that the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$ by the trustee can be verified by the equation

$$d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y'). \quad (35)$$

Since

$$Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1} = e(F, P)\,e(-dS_T, P) = e(F - dS_T, P) = e(yP, P) = Y, \quad (36)$$

we have $d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y) = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y')$.

6. Double Spender Detection

In case the customer spends an e-cash twice or more, the bank $B$ can compute

$$b = \frac{f_1 - f_1'}{f_2 - f_2'} \quad (37)$$

and $b^{-1}LST$. Then the bank $B$ checks the database of the withdrawal protocol to find the record $\{ID_C, (b^{-1}LST, u, V)\}$ and learns the identity $ID_C$ of the malicious customer $C$. Here $(f_1, f_2)$ and $(f_1', f_2')$ are the information the customer $C$ sent to the merchant $M$ in the payment phase of the first and the second spending, respectively. In fact,

$$f_1 = bj_1 z + w_1, \quad f_1' = bj_2 z + w_1, \quad f_2 = j_1 z + w_2, \quad f_2' = j_2 z + w_2. \quad (38)$$

So

$$b = \frac{f_1 - f_1'}{f_2 - f_2'}. \quad (39)$$

Hence the bank $B$ can compute $b^{-1}LST$ and obtain the identity $ID_C$ of the malicious customer $C$.

7. Uncheatability of Merchants

When the customer sends the e-cash $(LST, K', S')$ to the merchant, the merchant computes the signature $(j, D)$ on $(LST, K', S')$. When the merchant sends $(j, D)$ to the customer, the customer first verifies it using the public key $Q_M$ of the merchant $M$. When $(j, D)$ satisfies the verification equation, the customer sends $(f_1, f_2, A_1, A_2, A_3, A_4, d, F)$ to the merchant. If later the merchant uses the e-cash $(LST, K', S')$ and $(f_1, f_2, A_1, A_2, A_3, A_4, d, F)$ to pay other merchants and thus cheats the customer, the customer can show the merchant's signature to an arbitration agency. So the scheme can effectively resist the merchant's cheating attack.

8. Provable Security

In this section, we show that the proposed scheme satisfies the properties of unlinkability and unforgeability.

Definition 1 (the linkability game). Let $\eta$ be a security parameter and let $C_1$ and $C_2$ be two customers. $C_1$, $C_2$, and the bank $B$ are involved in the following game.

Step 1. The bank $B$ outputs two licenses $LST_0$ and $LST_1$.

Step 2. We randomly choose a bit $b \in \{0, 1\}$ and place $(K_b, LST_b)$ and $(K_{1-b}, LST_{1-b})$ on the private input tapes of $C_1$ and $C_2$, respectively. The bit $b$ is not disclosed to the bank $B$.

Step 3. The bank $B$ and the two customers $C_1$, $C_2$ perform the withdrawal protocol of the proposed scheme.

Step 4. If $C_1$ and $C_2$ output the two e-cash $(LST_b, K'_b, S'_b)$ and $(LST_{1-b}, K'_{1-b}, S'_{1-b})$ on their private tapes, respectively, we give the two 3-tuples in a random order to the bank; otherwise, $\perp$ is given to $B$.

Step 5. The bank $B$ outputs $b^* \in \{0, 1\}$ as its guess of $b$. $B$ wins the game if $b^* = b$. We define the advantage of $B$ as

$$\mathrm{Adv}_B^{\mathrm{Traceality}}(\eta) = 2\Pr[b^* = b] - 1. \quad (40)$$

Definition 2 (unlinkability). The proposed scheme satisfies the unlinkability property if the advantage $\mathrm{Adv}_B^{\mathrm{Traceality}}(\eta)$ is negligible.

Theorem 3. The proposed scheme satisfies the unlinkability property.

Proof of Theorem 3. We consider the setting of Definition 1. Let $(LST, K', S')$ be one of the two e-cash given to the bank and let $(K, h, S)$ be the view of the bank in one of the withdrawal protocols. It is sufficient to show that there exist two random factors $(a, c)$ that map $(K, h, S)$ to $(LST, K', S')$. We know

$$K' = aK + acQ_B, \quad h = a^{-1}H_2(LST \,\|\, K') + c, \quad S' = aS. \quad (41)$$

(41)


So by the equation $S' = aS$ there is a unique $a$. Then by the equation $h = a^{-1}H_2(LST \,\|\, K') + c$ there is a unique $c$. Furthermore, when $S$ and $S'$ are correctly computed, the following equations hold:

$$e(S, P) = e(K + (a^{-1}H_2(LST \,\|\, K') + c)\,Q_B, P_{pub}), \quad e(S', P) = e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub}). \quad (42)$$

So they hold when $K' = aK + acQ_B$. That is to say, $(a, c)$ always exists regardless of the values $(LST, K', S')$ and $(K, h, S)$. Therefore, even an infinitely powerful bank outputs the correct value $b$ with probability exactly $1/2$. So the proposed scheme satisfies the unlinkability property.

Definition 4 (the forgeability game). The adversary $\mathcal{F}$ and the challenger $\mathcal{A}$ play the following game.

Step 1. The challenger $\mathcal{A}$ takes a security parameter, generates the public parameters params, and sends params to the adversary $\mathcal{F}$.

Step 2. The adversary $\mathcal{F}$ can perform a polynomially bounded number of hash queries, extract queries, and e-cash queries. These three kinds of queries answer the hash function, private key, and e-cash requests of the adversary $\mathcal{F}$, respectively.

Step 3. The adversary $\mathcal{F}$ outputs a tuple $\sigma = ((LST, K', S'), ID_B)$. This tuple satisfies the following requirements: (1) $(LST, K', S')$ is a valid e-cash with regard to the bank $B$. (2) The adversary $\mathcal{F}$ has never requested the private key of the bank $B$. (3) $\sigma = ((LST, K', S'), ID_B)$ has never been queried during the e-cash queries.

Definition 5 (unforgeability). An adversary $\mathcal{F}$ is said to be an $(\varepsilon, t, q_E, q_I, q_H)$-forger if it has advantage at least $\varepsilon$ in the above game, runs in time at most $t$, and makes at most $q_E$, $q_I$, and $q_H$ extract, e-cash, and hash queries, respectively. A scheme is said to be $(\varepsilon, t, q_E, q_I, q_H)$-secure against $\mathcal{A}$ in the sense of being unforgeable against e-cash existential forgery attack if no $(\varepsilon, t, q_E, q_I, q_H)$-forger exists.

Theorem 6. If the CDH problem is hard, then the proposed scheme is secure against e-cash existential forgery attack.

Proof of Theorem 6. Suppose that $\mathcal{F}$ is a forger who can forge e-cash in the proposed scheme. A CDH instance $(P, xP, yP)$ is given for $x, y \in_R Z_q^*$. Using the forgery algorithm $\mathcal{F}$, we construct an algorithm $\mathcal{A}$ which outputs the CDH solution $xyP$ in $G$. Algorithm $\mathcal{A}$ performs the following simulation by interacting with the forger $\mathcal{F}$.

Setup. Algorithm $\mathcal{A}$ sets $P_{pub} = xP$ and starts by giving $\mathcal{F}$ the system parameters including $(P, P_{pub})$.

At any time, $\mathcal{F}$ can query the random oracles $H_1$, $H_2$ and make extract and cash queries. To answer these queries, $\mathcal{A}$ does the following.

$H_1$-Queries. At any time $\mathcal{F}$ can query the random oracle $H_1$. To respond to these queries, $\mathcal{A}$ maintains a list $H_1$-list of tuples $(ID, W, t, e)$ as explained below. When an identity $ID$ is submitted to the $H_1$ oracle, $\mathcal{A}$ responds as follows. If the query $ID$ already appears on the $H_1$-list in a tuple $(ID, W, t, e)$, $\mathcal{A}$ responds with $H_1(ID) = W$. Otherwise, $\mathcal{A}$ generates a random coin $e \in \{0, 1\}$. If $e = 0$ then $\mathcal{A}$ computes $W = t(yP)$ for a random $t \in Z_q^*$; if $e = 1$ then $\mathcal{A}$ computes $W = tP$. $\mathcal{A}$ adds the tuple $(ID, W, t, e)$ to the $H_1$-list and responds to $\mathcal{F}$ with $H_1(ID) = W$.

$H_2$-Queries. To respond to $H_2$-queries, $\mathcal{A}$ maintains a list referred to as $H_2$-list of tuples $(LST \,\|\, K', d)$. When $\mathcal{F}$ queries the $H_2$ oracle at $(LST \,\|\, K')$, $\mathcal{A}$ responds as follows. If the query $(LST \,\|\, K')$ already appears on the $H_2$-list in a tuple $(LST \,\|\, K', d)$, then $\mathcal{A}$ responds with $H_2(LST \,\|\, K') = d \in Z_q$. Otherwise, $\mathcal{A}$ generates a random $d \in Z_q$, adds the tuple $(LST \,\|\, K', d)$ to the $H_2$-list, and responds to $\mathcal{F}$ with $H_2(LST \,\|\, K') = d$.

Extract Queries. When $\mathcal{F}$ queries the private key corresponding to $ID$, $\mathcal{A}$ first finds the corresponding $(ID, W, t, e)$ in the $H_1$-list. If $e = 0$, then $\mathcal{A}$ fails and halts. Otherwise, $\mathcal{A}$ computes the private key $S_{ID} = t \cdot P_{pub} = t(xP)$ using the tuple $(ID, W, t, e)$ in the $H_1$-list and responds to $\mathcal{F}$ with $S_{ID}$.

Cash Queries. If $\mathcal{F}$ requests an e-cash on $LST$ under $ID$, $\mathcal{A}$ responds to this query as follows. $\mathcal{A}$ first finds the corresponding tuple $(ID, W, t, e)$ in the $H_1$-list, chooses random numbers $l, d \in Z_q^*$, and computes $K' = lP - dW$. If $(LST \,\|\, K', d)$ already appears on the $H_2$-list, $\mathcal{A}$ chooses another $l, d \in Z_q^*$ and tries again. Otherwise, $\mathcal{A}$ computes $S' = l \cdot P_{pub}$ and stores $(LST \,\|\, K', d)$ on the $H_2$-list. Then $\mathcal{A}$ responds to $\mathcal{F}$ with $(S', K')$. Indeed, the output is a valid e-cash on $LST$ for $ID$. In fact,

$$e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub}) = e(lP - dW + dW, P_{pub}) = e(lP, P_{pub}) = e(lP_{pub}, P) = e(S', P). \quad (43)$$

Output. If $\mathcal{A}$ does not abort as a result of $\mathcal{F}$'s extract queries, then $\mathcal{F}$'s view is identical to its view in the real attack. By the Forking Lemma, after replaying $\mathcal{F}$ with the same random tape, $\mathcal{A}$ obtains two valid e-cash

$$(LST, K', S'), \quad (LST, K', S'^{*}). \quad (44)$$

Correspondingly, there are two valid signatures $(S, K)$ and $(S^*, K)$, because

$$S = (k + h)S_B, \quad S^* = (k + h^*)S_B. \quad (45)$$

So, by the security proof of [22], $\mathcal{A}$ obtains $(xy)P = S_B = (h - h^*)^{-1}(S - S^*)$. This completes the proof.

9. Comparisons

In this section, we compare our scheme with [15, 18–20] in features, communication efficiency, and computation cost. The features are anonymity/unlinkability, unforgeability, verification, double-spending owner tracing, anonymity revocation, and uncheatability of merchant. Our scheme satisfies all of the above features, but the others do not. We show the comparison result in Table 1.

Table 1: Comparison of features of our scheme with recent schemes.

      Chen et al. [15]   Fan et al. [18]   Juang [19]   Zhang et al. [20]   Ours
F1    Yes                Yes               Yes          Yes                 Yes
F2    Fail               Yes               Yes          Yes                 Yes
F3    Yes                No                Yes          Yes                 Yes
F4    Yes                Yes               Yes          No                  Yes
F5    Yes                Yes               No           No                  Yes
F6    Fail               No                No           No                  Yes

F1: anonymity/unlinkability; F2: unforgeability; F3: verification; F4: double-spending owner tracing; F5: anonymity revocation; F6: uncheatability of merchant.

In Table 2, we compare the communication efficiency of our scheme with the other schemes. Fan et al.'s scheme [18] and Zhang et al.'s scheme [20] are not trustee based, and therefore they have no license-issuing protocol and no owner tracing protocol. Juang's scheme [19] also has no license-issuing protocol and no owner tracing protocol, but it has an initializing phase and a recovering phase. For comparison, the numbers of rounds of the initializing phase and the recovering phase in Juang's scheme are counted as the license-issuing protocol and the owner tracing protocol, respectively. By Table 2, the proposed scheme demonstrates better communication efficiency under enhanced security.

Table 2: Required number of rounds for each protocol in compared schemes.

      Chen et al. [15]   Fan et al. [18]   Juang [19]   Zhang et al. [20]   Ours
P1    2                  —                 3            —                   2
P2    2                  4                 3            3                   4
P3    1                  3                 1            2                   3
P4    1                  1                 1            1                   1
P5    1                  —                 2            —                   1

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing.

Our scheme and the schemes [15, 20] are all id-based schemes using bilinear pairings. So in Table 3 we compare the computation cost of our scheme with the schemes [15, 20]. It is necessary to point out that Zhang et al.'s scheme [20] has no license-issuing protocol and no owner tracing protocol, and that, for a fair comparison, we have not counted the computation cost of encryption and its related computation in Chen et al.'s scheme. Compared with Chen et al.'s scheme, there are eleven more pairing computations in the proposed scheme. These eleven pairing computations are in the payment protocol and the deposit protocol and serve to prevent the merchant from cheating. In practice, we can use elliptic curves to reduce the computation cost of bilinear pairings.

Table 3: Comparison of computation costs.

      Chen et al. [15]   Zhang et al. [20]   Ours
P1    E + 2H + 3B        —                   E + 4H + 5B + 2L
P2    4H + 6B            2H + 2B + L         2H + 4B
P3    H + 3B             2H + 3B             4H + 9B
P4    H + 3B             2H + 3B             2H + 8B
P5    D                  —                   D

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing. E: symmetric encryption; D: symmetric decryption; H: hash computation; B: bilinear pairing; L: modular exponentiation.

10. Conclusion

In this paper, we show that Chen et al.'s electronic cash scheme suffers from some weaknesses in unforgeability and merchant frauds. To contribute a secure scheme, we propose a new offline electronic cash scheme with anonymity revocation. We also provide formal security proofs of unlinkability and unforgeability. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

Competing Interests

The authors declare that they have no competing interests.

Acknowledgments

This work is supported by the Applied Basic and Advanced Technology Research Programs of Tianjin (no. 15JCYBJC15900).

References

[1] D. Chaum, “Blind signatures for untraceable payments,” in Crypto 82, pp. 199–203, Plenum Press, New York, NY, USA, 1983.
[2] Z. Eslami and M. Talebi, “A new untraceable off-line electronic cash system,” Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[3] R. Anderson, C. Manifavas, and C. Sutherland, “NetCard—a practical electronic-cash system,” in Security Protocols, vol. 1189 of Lecture Notes in Computer Science, pp. 49–57, Springer, Berlin, Germany, 1997.
[4] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, “Anonymity control in e-cash systems,” in Financial Cryptography, vol. 1318 of Lecture Notes in Computer Science, pp. 1–16, Springer, Berlin, Germany, 1997.
[5] G. Maitland and C. Boyd, “Fair electronic cash based on a group signature scheme,” in Information and Communication Security, pp. 461–465, Springer, 2001.
[6] D. Chaum and S. Brands, “‘Minting’ electronic cash,” IEEE Spectrum, vol. 34, no. 2, pp. 30–34, 1997.
[7] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, “Compact e-cash,” in Advances in Cryptology—EUROCRYPT 2005, R. Cramer, Ed., vol. 3494 of Lecture Notes in Computer Science, pp. 302–321, Springer, 2005.
[8] H. Wang and Y. Zhang, “Untraceable off-line electronic cash flow in e-commerce,” in Proceedings of the 24th Australasian Computer Science Conference (ACSC ’01), pp. 191–198, IEEE, Gold Coast, Australia, January-February 2001.
[9] S. Brands, “Untraceable off-line cash in wallet with observers,” in Advances in Cryptology—CRYPTO ’93, pp. 302–318, Springer, 1994.
[10] C.-Y. Ku, C.-J. Tsao, Y.-H. Lin, and C.-Y. Chen, “An escrow electronic cash system with limited traceability,” Information Sciences, vol. 164, no. 1–4, pp. 17–30, 2004.
[11] T. Cao, D. Lin, and R. Xue, “A randomized RSA-based partially blind signature scheme for electronic cash,” Computers & Security, vol. 24, no. 1, pp. 44–49, 2005.
[12] W.-S. Juang, “D-cash: a flexible pre-paid e-cash scheme for date-attachment,” Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[13] C. Fan and W. Sun, “Efficient encoding scheme for date attachable electronic cash,” in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory (CMCT ’07), pp. 405–410, Nantou, Taiwan, 2007.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, “Secure untraceable off-line electronic cash system,” Scientia Iranica, vol. 20, no. 3, pp. 637–646, 2013.
[15] Y. Chen, J.-S. Chou, H.-M. Sun, and M.-H. Cho, “A novel electronic cash system with trustee-based anonymity revocation from pairing,” Electronic Commerce Research and Applications, vol. 10, no. 6, pp. 673–682, 2011.
[16] Y.-F. Chang, “A critique of ‘a novel electronic cash system with trustee-based anonymity revocation from pairing,’ by Chen, Chou, Sun and Cho (2011),” Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 441–442, 2012.
[17] Y. L. Chen, J.-S. Chou, H.-M. Sun, and M.-S. Cho, “A response to a critique of ‘A novel electronic cash system with trustee-based anonymity revocation from pairing,’ by Chen, Chou, Sun and Cho (2011),” Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 443–444, 2012.
[18] C.-I. Fan, V. S. Huang, and Y.-C. Yu, “User efficient recoverable off-line e-cash scheme with fast anonymity revoking,” Mathematical and Computer Modelling, vol. 58, no. 1-2, pp. 227–237, 2013.
[19] W.-S. Juang, “RO-cash: an efficient and practical recoverable pre-paid offline e-cash scheme using bilinear pairings,” Journal of Systems and Software, vol. 83, no. 4, pp. 638–645, 2010.
[20] L. Zhang, F. Zhang, B. Qin, and S. Liu, “Provably-secure electronic cash based on certificateless partially-blind signatures,” Electronic Commerce Research and Applications, vol. 10, no. 5, pp. 545–552, 2011.
[21] F. Hess, “Efficient identity based signature schemes based on pairings,” in Selected Areas in Cryptography: 9th Annual International Workshop, SAC 2002, St. John’s, Newfoundland, Canada, August 15-16, 2002, Revised Papers, vol. 2595 of Lecture Notes in Computer Science, pp. 310–324, Springer, Berlin, Germany, 2003.
[22] F. Zhang and K. Kim, “Efficient ID-based blind signature and proxy signature from bilinear pairings,” in Proceedings of the 8th Australasian Conference on Information Security and Privacy (ACISP ’03), Wollongong, Australia, July 2003, Lecture Notes in Computer Science, pp. 312–323, Springer, 2003.



1. Introduction

Due to the fast progress of computer networks and the Internet, information technology is widely used in electronic commerce, and many electronic commerce services can be found over the Internet. So an electronic payment mechanism is necessary for electronic commerce, and electronic payment is one of the key issues of electronic commerce development. To realize the digitalization of traditional cash and electronic payment, Chaum suggested the first electronic cash scheme in 1983 [1]. Typically, in an electronic cash scheme, there are three participants: the bank, the customer, and the merchant. First, a customer opens an account in a bank. Then, he withdraws an e-cash from his account and pays it to a merchant. After checking the electronic cash’s validity, the merchant accepts it and deposits it to the bank. For security and efficiency, there are a number of requirements for an electronic cash scheme, such as anonymity, unforgeability, unreusability, divisibility, transferability, and portability [2]. Some of them are listed below.

Anonymity/Unlinkability. The customer of the cash must be anonymous. As long as the coin is spent legitimately, neither the merchant nor the bank can identify the customer of the coin.

Unforgeability. Only authorized banks can generate electronic cash.

Unreusability. The electronic cash cannot be reused. The scheme can detect a malicious customer who spends the cash twice.

Electronic cash schemes can be divided into two categories: online and offline. In online schemes, when a coin is paid to a merchant, the bank must take part in order to validate the coin and detect its reuse. In offline schemes, double spending can only be detected when the merchant deposits the coin to the bank in a later phase. After Chaum’s scheme, a lot of electronic cash schemes [3–9] were proposed based on blind signatures and restrictive blind signatures. Afterward, many more complex schemes were proposed [10–13]. Recently, Eslami and Talebi proposed an untraceable electronic cash scheme [2] and claimed that their scheme satisfies all main security requirements, such as anonymity, unreusability, and date attachability. However, Baseri et al. [14] showed that Eslami and Talebi’s scheme suffers from weaknesses in perceptibility of the double spender, unforgeability, and date attachability. Baseri et al. also contributed a novel electronic cash scheme.

Untraceable electronic cash is an attractive payment tool for electronic commerce because its anonymity property can ensure the privacy of payers. However, this anonymity property is easily abused by criminals. In 2011, Chen et al. [15] proposed an electronic cash system with trustee-based anonymity revocation from pairing. On demand, the trustee can disclose the identity of the owner of an e-cash. Chen et al. claimed that their scheme is the first attempt to incorporate mutual authentication and key agreement into e-cash protocols and that their scheme satisfies the security requirements of untraceability, verifiability, unforgeability, and anonymity revocation. But in 2012, Chang [16] claimed to have found some weaknesses in Chen et al.’s scheme. Then, Chen et al. [17] immediately provided a response to rebut Chang’s attacks. By thoroughly investigating Chen et al.’s scheme, we find that, although Chang’s attacks are indeed wrong, Chen et al.’s scheme is nevertheless insecure. Chen et al.’s scheme has the following drawbacks.

(1) The first flaw is the attack on the unforgeability by the dishonest customer.
(2) The second flaw is the attack on double-spending owner tracing.
(3) The third flaw is the potential bank attack.

To contribute secure electronic cash schemes, we propose a new offline electronic cash scheme with anonymity revocation. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

The remainder of this paper is organized as follows. The related concepts of bilinear pairing and the CDH problem are introduced in Section 2. In Section 3, we show some weaknesses of Chen et al.’s scheme. In Section 4 we propose a new electronic cash scheme with anonymity revocation. In Section 5 we show the verifiability of the proposed scheme. Double spender detection is covered in Section 6. In Section 7 we show that the proposed scheme satisfies uncheatability of merchants. Provable security of our scheme is covered in Section 8. In Section 9 we compare our scheme with the others. Finally, conclusions are given in Section 10.

2. Preliminary

2.1. The Bilinear Pairing. Let $G_1$ be a cyclic additive group generated by $P$, whose order is a prime $q$, and let $G_2$ be a cyclic multiplicative group of the same order. Let $e : G_1 \times G_1 \to G_2$ be a pairing map which satisfies the following conditions:

(1) Bilinearity: for any $P, Q, R \in G_1$, we have $e(P + Q, R) = e(P, R)\,e(Q, R)$. In particular, for any $a, b \in Z_q$, $e(aP, bP) = e(P, abP) = e(abP, P) = e(P, P)^{ab}$.
(2) Nondegeneracy: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.
(3) Computability: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

2.2. The CDH Problem. Let $G$ be a cyclic additive group of prime order $q$ and $P$ a generator of $G$. The computational Diffie-Hellman (CDH) problem is to compute $abP$ for given $P, aP, bP \in G$.

3. Effective Attacks on Chen et al.’s Scheme

In this section, we show the drawbacks of Chen et al.’s scheme [15]. For the sake of brevity, we omit the review of Chen et al.’s scheme; readers who want the details can consult [15].

3.1. Attack on the Unforgeability by the Dishonest Customer. When the customer obtains an e-cash $\{CNO, LST, (R, S)\}$, he can randomly select $a \in Z_q^*$ and forge the e-cash $\{CNO, a \cdot LST, (a \cdot R, a \cdot S)\}$, because the e-cash $\{CNO, LST, (R, S)\}$ satisfies

$$e(S, P) = e(H_3(CNO)\,Q_B, R) \cdot e(LST \cdot Q_B, P_{pub}). \tag{1}$$

So

$$e(S, P)^a = e(H_3(CNO)\,Q_B, R)^a \cdot e(LST \cdot Q_B, P_{pub})^a. \tag{2}$$

Then

$$e(a \cdot S, P) = e(H_3(CNO)\,Q_B, a \cdot R) \cdot e(a \cdot LST \cdot Q_B, P_{pub}). \tag{3}$$

That is to say, the customer forges a valid e-cash $\{CNO, a \cdot LST, (a \cdot R, a \cdot S)\}$. Of course, in the payment protocol, when the merchant gets an e-cash from a customer, he can forge e-cash in the same way. Further, these forged e-cash make the scheme fail in double-spending owner tracing, because it is impossible to find the customer identity from $a \cdot LST$. Note that $(R, S)$ is a signature on $CNO$ and $LST$. Furthermore, $CNO$ does not distinguish one e-cash from another: $CNO$ is only a randomly selected number, and any customer can choose any $CNO$ for their e-cash. If $CNO$ has any function at all, it is only for a particular customer, and it is not strange that different customers may choose the same $CNO$ for their e-cash. So, this attack is a successful forgery.

3.2. Attack by the Dishonest Merchant. In practice, there are always many merchants from different shops. After receiving an e-cash $\{CNO, LST, (R, S)\}$ from a customer, the merchant may spend $\{CNO, LST, (R, S)\}$ at another merchant. This attack works because the verification equation

$$e(S, P) = e(H_3(CNO) \cdot Q_B, R) \cdot e(LST \cdot Q_B, P_{pub}) \tag{4}$$

involves only $CNO$, $LST$, $R$, and $S$, and no extra information has to be provided by the customer in the verification process. Later, even if the bank finds double spending, the bank and the trustee cannot find the real double spender, because the double spender may not be the customer himself.

3.3. Potential Attack by the Bank. In the payment protocol, the only verification of the e-cash $\{CNO, LST, (R, S)\}$ is to examine whether the following equation holds:

$$e(S, P) = e(H_3(CNO) \cdot Q_B, R) \cdot e(LST \cdot Q_B, P_{pub}). \tag{5}$$

But if we let $R = aP_{pub}$ ($a$ a randomly selected number in $Z_q^*$) in the above equation, then

$$\begin{aligned} e(S, P) &= e(H_3(CNO) \cdot Q_B, aP_{pub}) \cdot e(LST \cdot Q_B, P_{pub}) \\ &= e(a \cdot H_3(CNO) \cdot Q_B, P_{pub}) \cdot e(LST \cdot Q_B, P_{pub}) \\ &= e((a \cdot H_3(CNO) + LST) \cdot Q_B, P_{pub}) \\ &= e((a \cdot H_3(CNO) + LST) \cdot S_B, P). \end{aligned} \tag{6}$$

So the bank can randomly select $CNO$ and $LST$, let $R = aP_{pub}$ and $S = (a \cdot H_3(CNO) + LST) \cdot S_B$, and generate an e-cash $\{CNO, LST, (R, S)\}$ on its own. This apparently violates the withdrawal protocol, in which the customer and the bank together perform a blind signature to complete the e-cash withdrawal.

4. Our Proposed Scheme

Based on the id-based signature scheme [21] proposed by Hess and the efficient id-based blind signature [22] proposed by Zhang and Kim, we propose an offline electronic cash scheme with anonymity revocation. In the proposed scheme there are four participants: the trustee $T$, the bank $B$, the customer $C$, and the merchant $M$. There are five protocols: license issuing, withdrawal, payment, deposit, and e-cash owner tracing. Any communication between two entities should be encrypted; this can be done by incorporating mutual authentication and key agreement protocols, as in [15]. For brevity, we omit those encryptions in the five protocols.

4.1. System Setup. In this stage, the Key Generation Center (KGC) chooses a cyclic additive group $G_1$ generated by $P$ with prime order $q$, a cyclic multiplicative group $G_2$ of the same order, and a bilinear map $e : G_1 \times G_1 \to G_2$. The KGC also chooses a random $s \in Z_q^*$ as the master key, publishes $P_{pub} = sP$, and chooses cryptographic hash functions $H_1 : \{0,1\}^* \to G_1$ and $H_2 : \{0,1\}^* \to Z_q^*$. The system parameter list is $\mathit{params} = (G_1, G_2, e, P, P_{pub}, H_1, H_2)$. When the customer $C$ submits his identity $ID_C$ to the KGC, the KGC computes the public key $Q_C = H_1(ID_C)$ and the private key $S_C = sQ_C$ for the customer $C$. Similarly, the KGC generates the public/private key pairs $(Q_T, S_T)$, $(Q_B, S_B)$, and $(Q_M, S_M)$ for the trustee $T$, the bank $B$, and the merchant $M$, respectively.

4.2. License-Issuing Protocol. Before withdrawing e-cash from the bank, customer $C$ needs to ask trustee $T$ to issue him a license. The following steps describe the protocol, which is also illustrated in Box 1.

(1) Customer $C$ selects four random numbers $b, z, w_1, w_2 \in Z_q^*$ and sends $\{ID_C, b, z, w_1, w_2\}$ to trustee $T$.

(2) $T$ chooses a random number $x \in Z_q^*$ and computes $LST$ as $LST = E_{K_T}(ID_C \oplus x)$. Here $E$ is a symmetric encryption algorithm and $K_T$ is a secret key.

(3) To sign $b^{-1}LST$, trustee $T$ selects a random number $r \in Z_q^*$ and computes

$$R = e(P, P)^r, \qquad u = H_2(b^{-1}LST \,\|\, R), \qquad V = uS_T + rP. \tag{7}$$

The trustee $T$ also signs $A_1 + A_2 + A_3 + A_4$, where $A_1 = (bz + z)P_{pub}$, $A_2 = (w_1 + w_2)P_{pub}$, $A_3 = w_1 P_{pub}$, and $A_4 = bzP_{pub}$. $T$ selects a random number $y \in Z_q^*$ and computes

$$Y = e(P, P)^y, \qquad d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y), \qquad F = dS_T + yP. \tag{8}$$

After that, trustee $T$ stores $(LST, x)$ in its database and sends $(LST, u, V, d, F)$ to the customer $C$.

(4) The customer $C$ computes

$$R' = e(V, P)\,e(uQ_T, P_{pub})^{-1}, \qquad Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1} \tag{9}$$

and checks whether

$$u = H_2(b^{-1}LST \,\|\, R'), \qquad d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y'). \tag{10}$$

If so, the customer $C$ obtains the license $(LST, u, V)$ and the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$.

4.3. Withdrawal Protocol. To complete the e-cash withdrawal, customer $C$ and bank $B$ together perform the following steps. This protocol is also illustrated in Box 2.

(1) Customer $C$ sends $\{ID_C, (b^{-1}LST, u, V)\}$ to the bank $B$.

(2) $B$ first computes

$$R' = e(V, P)\,e(uQ_T, P_{pub})^{-1} \tag{11}$$

and checks whether

$$u = H_2(b^{-1}LST \,\|\, R'). \tag{12}$$

If so, the bank $B$ selects a random number $k \in Z_q^*$, computes $K = kQ_B$, and sends $K$ to the customer $C$.

Box 1: License-issuing protocol.

Customer $C$: selects random numbers $b, z, w_1, w_2 \in Z_q^*$.
$C \to T$: $\{ID_C, b, z, w_1, w_2\}$.
Trustee $T$: chooses a random number $x \in Z_q^*$ and computes $LST = E_{K_T}(ID_C \oplus x)$; selects a random number $r \in Z_q^*$ and computes $R = e(P, P)^r$, $u = H_2(b^{-1}LST \,\|\, R)$, $V = uS_T + rP$; selects a random number $y \in Z_q^*$ and computes $Y = e(P, P)^y$, $d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y)$, $F = dS_T + yP$.
$T \to C$: $(LST, u, V, d, F)$.
Customer $C$: computes $R' = e(V, P)\,e(uQ_T, P_{pub})^{-1}$ and $Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$; checks whether $u = H_2(b^{-1}LST \,\|\, R')$ and $d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y')$; obtains the license $(LST, u, V)$ and the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$.

Box 2: Withdrawal protocol.

$C \to B$: $\{ID_C, (b^{-1}LST, u, V)\}$.
Bank $B$: computes $R' = e(V, P)\,e(uQ_T, P_{pub})^{-1}$; checks whether $u = H_2(b^{-1}LST \,\|\, R')$; selects a random number $k \in Z_q^*$ and computes $K = kQ_B$.
$B \to C$: $K$.
Customer $C$: selects two random numbers $a, c \in Z_q^*$ and computes $K' = aK + acQ_B$, $h = a^{-1}H_2(LST \,\|\, K') + c$.
$C \to B$: $h$.
Bank $B$: computes $S = (k + h)S_B$.
$B \to C$: $S$.
Customer $C$: computes $S' = aS$; checks whether $e(S', P) = e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub})$; obtains the e-cash $(LST, K', S')$.

Box 3: Payment protocol.

$C \to M$: $(LST, K', S')$.
Merchant $M$: checks whether $e(S', P) = e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub})$; selects a random number $l \in Z_q^*$ and computes $L = e(P, P)^l$, $j = H_2(LST \,\|\, K' \,\|\, S' \,\|\, L)$, $D = jS_M + lP$.
$M \to C$: $(j, D)$.
Customer $C$: computes $L' = e(D, P)\,e(jQ_M, P_{pub})^{-1}$; checks whether $j = H_2(LST \,\|\, K' \,\|\, S' \,\|\, L')$; computes $f_1 = bjz + w_1$, $f_2 = jz + w_2$.
$C \to M$: $(f_1, f_2, A_1, A_2, A_3, A_4, j, d, F)$.
Merchant $M$: checks whether $e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2)$; computes $Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$; checks whether $d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y')$; accepts the payment.

(3) The customer $C$ selects two random numbers $a, c \in Z_q^*$, computes

$$K' = aK + acQ_B, \qquad h = a^{-1}H_2(LST \,\|\, K') + c, \tag{13}$$

and sends $h$ to the bank $B$.

(4) The bank $B$ computes

$$S = (k + h)S_B \tag{14}$$

and sends $S$ to the customer $C$.

(5) Customer $C$ computes

$$S' = aS \tag{15}$$

and checks whether

$$e(S', P) = e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub}). \tag{16}$$

If so, the customer $C$ obtains an e-cash $(LST, K', S')$.

4.4. Payment Protocol. When the customer $C$ wants to spend his cash at a shop, the customer $C$ and the merchant $M$ perform the following steps. This protocol is also illustrated in Box 3.

(1) Customer $C$ sends $(LST, K', S')$ to the merchant $M$.

(2) The merchant $M$ checks whether

$$e(S', P) = e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub}). \tag{17}$$

If so, he selects a random number $l \in Z_q^*$ and computes

$$L = e(P, P)^l, \qquad j = H_2(LST \,\|\, K' \,\|\, S' \,\|\, L), \qquad D = jS_M + lP. \tag{18}$$

Then he sends $(j, D)$ to the customer $C$.

(3) The customer $C$ computes

$$L' = e(D, P)\,e(jQ_M, P_{pub})^{-1} \tag{19}$$

and checks whether

$$j = H_2(LST \,\|\, K' \,\|\, S' \,\|\, L'). \tag{20}$$

If so, he computes

$$f_1 = bjz + w_1, \qquad f_2 = jz + w_2. \tag{21}$$

Then he sends $(f_1, f_2, A_1, A_2, A_3, A_4, j, d, F)$ to the merchant $M$.

(4) The merchant $M$ checks whether

$$e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2) \tag{22}$$

and computes

$$Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1} \tag{23}$$

and checks whether

$$d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y'). \tag{24}$$

If so, the merchant accepts the payment.

Box 4: Deposit protocol.

$M \to B$: $(LST, K', S', f_1, f_2, j, A_1, A_2, A_3, A_4, d, F)$.
Bank $B$: computes $Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1}$; checks whether $e(S', P) = e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub})$, $e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2)$, $e(f_1 Q_T, P_{pub}) = e(Q_T, A_3 + jA_4)$, and $d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y')$; checks whether the e-cash is being double spent; if it is fresh, credits the merchant’s account.

4.5. Deposit Protocol. When the merchant $M$ wants to deposit the received e-cash into his account at the bank $B$, the following steps are performed between the bank $B$ and the merchant $M$. This protocol is also illustrated in Box 4.

(1) The merchant $M$ sends $(LST, K', S', f_1, f_2, j, A_1, A_2, A_3, A_4, d, F)$ to the bank $B$.

(2) The bank $B$ first checks whether the coin already exists in its deposit table. If the coin exists, it runs the double spender detection procedure. Otherwise, the bank computes

$$Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1} \tag{25}$$

and checks whether

$$\begin{aligned} e(S', P) &= e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub}), \\ e((f_1 + f_2)Q_T, P_{pub}) &= e(Q_T, jA_1 + A_2), \\ e(f_1 Q_T, P_{pub}) &= e(Q_T, A_3 + jA_4), \\ d &= H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y'). \end{aligned} \tag{26}$$

If the above four equations hold, the bank accepts the coin, stores it in the deposit table, and transfers money to the merchant $M$.

4.6. Revoking the Anonymity. In the case that an e-cash $(LST, K', S')$ is abused by a criminal, whether the cash is spent twice or not, the trustee can revoke the anonymity of the e-cash from the $LST$ provided by the bank. As soon as the trustee $T$ receives the request to revoke anonymity, $T$ searches his database for the record $(LST, x)$ and computes the identity information $ID_C = D_{K_T}(LST) \oplus x$ using his secret key $K_T$.

5. Verifiability of the Proposed Scheme

Firstly, we show that the blind license $b^{-1}LST$ can be verified by the equation

$$u = H_2(b^{-1}LST \,\|\, R'). \tag{27}$$

Since

$$R' = e(V, P)\,e(uQ_T, P_{pub})^{-1} = e(V, P)\,e(-uS_T, P) = e(V - uS_T, P) = e(rP, P) = R, \tag{28}$$

we have $u = H_2(b^{-1}LST \,\|\, R) = H_2(b^{-1}LST \,\|\, R')$.

Secondly, we show that the e-cash can be verified by the equation

$$e(S', P) = e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub}). \tag{29}$$

In fact,

$$\begin{aligned} e(S', P) &= e(aS, P) = e(a(k + h)S_B, P) \\ &= e(a(k + a^{-1}H_2(LST \,\|\, K') + c)\,Q_B, P_{pub}) \\ &= e(akQ_B + acQ_B + H_2(LST \,\|\, K')\,Q_B, P_{pub}) \\ &= e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub}). \end{aligned} \tag{30}$$
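The withdrawal, payment and deposit steps above, together with the double-spender tracing of Section 6, as an added example that is not part of the paper and not the authors' code. It replaces the bilinear group by a toy model in which every element of $G_1$ is stored as its discrete logarithm and $e(X, Y)$ is the product of the two logarithms mod $q$ (the target group written additively, so $e(P, P)^r$ is just $r$); the pairing equations of the scheme can then be checked with integer arithmetic. The license is reduced to a random scalar $LST$, the trustee's and merchant's Hess signatures are left out, and the function and dictionary names (`withdraw`, `pay`, `deposit`, `new_bank`, `new_customer`) are this example's own. Because every discrete log is public in the model, it shows only that the protocol algebra is consistent, not that anything is secure:

```python
import hashlib
import secrets

Q = 2305843009213693951   # group order q: the Mersenne prime 2^61 - 1
P = 1                     # generator of G1, stored as its discrete log


def pair(x, y):
    """Toy pairing e(X, Y) = X*Y mod q (target group written additively,
    so e(P, P)^r is the scalar r).  Assumed for illustration only."""
    return (x * y) % Q


def h2(*parts):
    """H2: {0,1}* -> Z_q*, built from SHA-256 over the '||'-joined inputs."""
    data = b"||".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def inv(x):
    return pow(x % Q, -1, Q)


def rnd():
    return secrets.randbelow(Q - 1) + 1


# Section 4.1 setup.  H1 is modelled by h2 because identities map to scalars.
S_MASTER = rnd()                       # KGC master key s
P_PUB = S_MASTER * P % Q               # P_pub = sP
Q_B, Q_T = h2("ID_B"), h2("ID_T")      # Q_B = H1(ID_B), Q_T = H1(ID_T)
S_B = S_MASTER * Q_B % Q               # bank's private key S_B = s*Q_B


def new_bank():
    return {"withdrawals": {},          # b^{-1}*LST -> ID_C (withdrawal record)
            "deposits": {}}             # (LST, K', S') -> payment transcript


def new_customer(id_c):
    """Values the customer keeps after license issuing (Section 4.2).  LST is
    a constructed random scalar standing in for E_{K_T}(ID_C xor x)."""
    b, z, w1, w2, lst = rnd(), rnd(), rnd(), rnd(), rnd()
    a = {1: (b * z + z) * P_PUB % Q, 2: (w1 + w2) * P_PUB % Q,     # A_1, A_2
         3: w1 * P_PUB % Q, 4: b * z * P_PUB % Q}                  # A_3, A_4
    return {"id": id_c, "b": b, "z": z, "w1": w1, "w2": w2, "lst": lst, "A": a}


def withdraw(bank, cust):
    """Withdrawal protocol (Section 4.3, steps 1-5); returns (LST, K', S')."""
    lst = cust["lst"]
    bank["withdrawals"][inv(cust["b"]) * lst % Q] = cust["id"]   # step 1 record
    k = rnd()
    K = k * Q_B % Q                                              # step 2
    a, c = rnd(), rnd()                                          # step 3
    K1 = (a * K + a * c * Q_B) % Q                               # K' = aK + acQ_B
    h = (inv(a) * h2(lst, K1) + c) % Q
    S = (k + h) * S_B % Q                                        # step 4
    S1 = a * S % Q                                               # step 5: S' = aS
    return (lst, K1, S1)


def coin_valid(coin):
    """The check e(S', P) = e(K' + H2(LST||K') Q_B, P_pub) of (16)/(17)/(29)."""
    lst, K1, S1 = coin
    return pair(S1, P) == pair((K1 + h2(lst, K1) * Q_B) % Q, P_PUB)


def pay(cust, coin):
    """Payment (Section 4.4) without the merchant's signature (j, D): the
    challenge j binds the coin to a fresh L = e(P, P)^l chosen by the merchant."""
    lst, K1, S1 = coin
    if not coin_valid(coin):
        raise ValueError("invalid e-cash")
    L = rnd()                                   # e(P, P)^l in the toy model
    j = h2(lst, K1, S1, L)
    f1 = (cust["b"] * j * cust["z"] + cust["w1"]) % Q          # f1 = bjz + w1
    f2 = (j * cust["z"] + cust["w2"]) % Q                      # f2 = jz + w2
    A = cust["A"]
    ok = (pair((f1 + f2) * Q_T % Q, P_PUB) == pair(Q_T, (j * A[1] + A[2]) % Q)
          and pair(f1 * Q_T % Q, P_PUB) == pair(Q_T, (A[3] + j * A[4]) % Q))
    if not ok:
        raise ValueError("(f1, f2) inconsistent with A_1..A_4")
    return {"coin": coin, "j": j, "f1": f1, "f2": f2}


def deposit(bank, txn):
    """Deposit (Section 4.5) with the double-spender tracing of Section 6.
    Returns None for a fresh coin, or the traced ID_C when the coin is reused."""
    coin = txn["coin"]
    if not coin_valid(coin):
        raise ValueError("invalid e-cash")
    prev = bank["deposits"].get(coin)
    if prev is None:
        bank["deposits"][coin] = txn
        return None
    if prev["j"] == txn["j"]:
        raise ValueError("same transcript deposited twice; nothing to trace")
    b = (prev["f1"] - txn["f1"]) * inv(prev["f2"] - txn["f2"]) % Q   # eq. (39)
    return bank["withdrawals"].get(inv(b) * coin[0] % Q)             # b^{-1}*LST
```

Withdrawing a coin, paying it twice and depositing both transcripts returns the customer's identity: the bank divides $f_1 - f_1'$ by $f_2 - f_2'$ to recover $b$, multiplies $LST$ by $b^{-1}$, and finds the withdrawal record keyed by $b^{-1}LST$. A transcript handed in twice with the same $j$ would give $f_2 - f_2' = 0$, so the example rejects it instead of dividing by zero.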

Thirdly, we show that the signature $(j, D)$ on $(LST, K', S')$ by the merchant can be verified by the equation

$$j = H_2(LST \,\|\, K' \,\|\, S' \,\|\, L'). \tag{31}$$

Since

$$L' = e(D, P)\,e(jQ_M, P_{pub})^{-1} = e(D, P)\,e(-jS_M, P) = e(D - jS_M, P) = e(lP, P) = L, \tag{32}$$

we have $j = H_2(LST \,\|\, K' \,\|\, S' \,\|\, L) = H_2(LST \,\|\, K' \,\|\, S' \,\|\, L')$.

Fourthly, we show that the information $(f_1, f_2)$ can be verified by the equations

$$e((f_1 + f_2)Q_T, P_{pub}) = e(Q_T, jA_1 + A_2), \qquad e(f_1 Q_T, P_{pub}) = e(Q_T, A_3 + jA_4). \tag{33}$$


In fact,

$$\begin{aligned} e((f_1 + f_2)Q_T, P_{pub}) &= e((bjz + w_1 + jz + w_2)\,Q_T, P_{pub}) \\ &= e((bjz + jz)\,Q_T + (w_1 + w_2)\,Q_T, P_{pub}) \\ &= e((bjz + jz)\,Q_T, P_{pub})\,e((w_1 + w_2)\,Q_T, P_{pub}) \\ &= e(Q_T, (bjz + jz)P_{pub})\,e(Q_T, (w_1 + w_2)P_{pub}) \\ &= e(Q_T, jA_1)\,e(Q_T, A_2) = e(Q_T, jA_1 + A_2), \\ e(f_1 Q_T, P_{pub}) &= e((bjz + w_1)\,Q_T, P_{pub}) = e(Q_T, (bjz + w_1)P_{pub}) = e(Q_T, A_3 + jA_4). \end{aligned} \tag{34}$$

Finally, we show that the signature $(d, F)$ on $A_1 + A_2 + A_3 + A_4$ by the trustee can be verified by the equation

$$d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y'). \tag{35}$$

Since

$$Y' = e(F, P)\,e(dQ_T, P_{pub})^{-1} = e(F, P)\,e(-dS_T, P) = e(F - dS_T, P) = e(yP, P) = Y, \tag{36}$$

we have $d = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y) = H_2((A_1 + A_2 + A_3 + A_4) \,\|\, Y')$.

6. Double Spender Detection

In the case that the customer spends an e-cash twice or more, the bank $B$ can compute

$$b = \frac{f_1 - f_1'}{f_2 - f_2'} \tag{37}$$

and $b^{-1}LST$. Then the bank $B$ checks the database of the withdrawal protocol to find the record $\{ID_C, (b^{-1}LST, u, V)\}$ and learns the identity information $ID_C$ of the malicious customer $C$. Here $(f_1, f_2)$ and $(f_1', f_2')$ are the information the customer $C$ sent to the merchant $M$ in the payment phase of the first and the second spending, respectively. In fact,

$$f_1 = bj_1 z + w_1, \qquad f_1' = bj_2 z + w_1, \qquad f_2 = j_1 z + w_2, \qquad f_2' = j_2 z + w_2. \tag{38}$$

So

$$b = \frac{f_1 - f_1'}{f_2 - f_2'}. \tag{39}$$

Hence, the bank $B$ can compute $b^{-1}LST$ and obtain the identity information $ID_C$ of the malicious customer $C$.

7. Uncheatability of Merchants

When the customer sends the e-cash $(LST, K', S')$ to the merchant, the merchant computes the signature $(j, D)$ on $(LST, K', S')$. When the merchant sends $(j, D)$ to the customer, the customer first verifies it using the public key $Q_M$ of the merchant $M$. Only when $(j, D)$ satisfies the verification equation does the customer send $(f_1, f_2, A_1, A_2, A_3, A_4, d, F)$ to the merchant. If the merchant later uses the e-cash $(LST, K', S')$ and $(f_1, f_2, A_1, A_2, A_3, A_4, d, F)$ to spend at other merchants and thereby cheats the customer, the customer can show the merchant’s signature to an arbitration agency. So, the scheme can effectively resist the merchant cheating attack.

8. Provable Security

In this section, we show that the proposed scheme satisfies the properties of unlinkability and unforgeability.

Definition 1 (the linkability game). Let $\eta$ be a security parameter and let $C_1$ and $C_2$ be two customers. $C_1$, $C_2$, and the bank $B$ are involved in the following game.

Step 1. The bank $B$ outputs two licenses $LST_0$ and $LST_1$.

Step 2. We randomly choose a bit $b \in \{0, 1\}$ and place $(K_b, LST_b)$ and $(K_{1-b}, LST_{1-b})$ on the private input tapes of $C_1$ and $C_2$, respectively. The bit $b$ is not disclosed to the bank $B$.

Step 3. The bank $B$ and the two customers $C_1$, $C_2$ perform the withdrawal protocol of the proposed scheme.

Step 4. If $C_1$ and $C_2$ output two e-cash $(LST_b, K_b', S_b')$ and $(LST_{1-b}, K_{1-b}', S_{1-b}')$ on their private tapes, respectively, we give the two 3-tuples in a random order to the bank; otherwise, $\bot$ is given to $B$.

Step 5. The bank $B$ outputs $b^* \in \{0, 1\}$ as its guess of $b$. $B$ wins the game if $b^* = b$. We define the advantage of $B$ as

$$\mathrm{Adv}^{\mathrm{Traceability}}_B(\eta) = \bigl|\, 2\Pr[b^* = b] - 1 \,\bigr|. \tag{40}$$

Definition 2 (unlinkability). The proposed scheme satisfies the unlinkability property if the advantage $\mathrm{Adv}^{\mathrm{Traceability}}_B(\eta)$ is negligible.

Theorem 3. The proposed scheme satisfies the unlinkability property.

Proof of Theorem 3. We consider the setting of Definition 1. Let $(LST, K', S')$ be one of the two e-cash given to the bank and let $(K, h, S)$ be the view of the bank in one of the withdrawal protocols. It is sufficient to show that there exist two random factors $(a, c)$ that map $(K, h, S)$ to $(LST, K', S')$. We know

$$K' = aK + acQ_B, \qquad h = a^{-1}H_2(LST \,\|\, K') + c, \qquad S' = aS. \tag{41}$$

So, by the equation $S' = aS$, there is a unique $a$. Then, by the equation $h = a^{-1}H_2(LST \,\|\, K') + c$, there is a unique $c$. Furthermore, when $S$ and $S'$ are correctly computed, the following equations hold:

$$\begin{aligned} e(S, P) &= e(K + (a^{-1}H_2(LST \,\|\, K') + c)\,Q_B, P_{pub}), \\ e(S', P) &= e(K' + H_2(LST \,\|\, K')\,Q_B, P_{pub}). \end{aligned} \tag{42}$$

So, (42) holds when $K' = aK + acQ_B$. That is to say, $(a, c)$ always exists regardless of the values $(LST, K', S')$ and $(K, h, S)$. Therefore, even an infinitely powerful bank outputs the correct value of $b$ with probability exactly $1/2$. So, the proposed scheme satisfies the unlinkability property.

Definition 4 (the forgeability game). The adversary F and the challenger A play the following game.

Step 1. The challenger A takes a security parameter, generates the public parameters $\mathit{params}$, and sends $\mathit{params}$ to the adversary F.

Step 2. The adversary F can make a polynomially bounded number of hash queries, extract queries, and e-cash queries. These three kinds of queries are answered with hash values, private keys, and e-cash, respectively.

Step 3. The adversary F outputs a tuple $\sigma = ((LST, K', S'), ID_B)$. This tuple satisfies the following requirements: (1) $(LST, K', S')$ is a valid e-cash with regard to the bank $B$. (2) The adversary F has never requested the private key of the bank $B$. (3) $\sigma = ((LST, K', S'), ID_B)$ has never been queried during the e-cash queries.

Definition 5 (unforgeability). An adversary F is said to be an $(\varepsilon, t, q_E, q_I, q_H)$-forger if it has advantage at least $\varepsilon$ in the above game, runs in time at most $t$, and makes at most $q_E$, $q_I$, and $q_H$ extract, e-cash, and hash queries, respectively. A scheme is said to be $(\varepsilon, t, q_E, q_I, q_H)$-secure against A in the sense of being unforgeable against e-cash existential forgery attack if no $(\varepsilon, t, q_E, q_I, q_H)$-forger exists.

Theorem 6. If the CDH problem is hard, then the proposed scheme is secure against e-cash existential forgery attack.

Proof of Theorem 6. Suppose that F is a forger who can forge e-cash in the proposed scheme. A CDH instance $(P, xP, yP)$ is given for $x, y \in_R Z_q^*$. Using the forgery algorithm F, we construct an algorithm A which outputs the CDH solution $xyP$ in $G$. Algorithm A performs the following simulation by interacting with the forger F.

Setup. Algorithm A sets $P_{pub} = xP$ and starts by giving F the system parameters, including $(P, P_{pub})$.

Table 1: Comparison of features of our scheme with recent schemes.

Chen et al. [15] Fan et al. [18] Juang [19] Zhang et al. [20] Ours

F1 Yes Yes Yes Yes Yes

F2 Fail Yes Yes Yes Yes

F3 Yes No Yes Yes Yes

F4 Yes Yes Yes No Yes

F5 Yes Yes No No Yes

F6 Fail No No No Yes

F1: anonymity/unlinkability; F2: unforgeability; F3: verification; F4: doublespending owner tracing; F5: anonymity revocation; F6: uncheatability of merchant.

Table 2: Required number of rounds for each protocol in compared schemes.

Chen et al. [15] Fan et al. [18] Juang [19] Zhang et al. [20] Ours

P1 2 — 3 — 2

P2 2 4 3 3 4

P3 1 3 1 2 3

P4 1 1 1 1 1

P5 1 — 2 — 1

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing.

At any time, F can query the random oracles H_1 and H_2 and make extract and cash queries. A answers them as follows.

H_1-Queries. A maintains a list H_1-list of tuples (ID, W, t, e). When an identity ID is submitted to the H_1 oracle, A responds as follows. If ID already appears on the H_1-list in a tuple (ID, W, t, e), A responds with H_1(ID) = W. Otherwise, A flips a random coin e ∈ {0, 1}. If e = 0, A computes W = t(yP) for a random t ∈ Z_q^*; if e = 1, A computes W = tP. A adds the tuple (ID, W, t, e) to the H_1-list and responds to F with H_1(ID) = W.

H_2-Queries. A maintains a list H_2-list of tuples (LST || K, d). When F queries the H_2 oracle at (LST || K), A responds as follows. If (LST || K) already appears on the H_2-list in a tuple (LST || K, d), A responds with H_2(LST || K) = d ∈ Z_q. Otherwise, A generates a random d ∈ Z_q, adds the tuple (LST || K, d) to the H_2-list, and responds to F with H_2(LST || K) = d.

Extract Queries. When F queries the private key corresponding to ID, A first finds the corresponding tuple (ID, W, t, e) on the H_1-list. If e = 0, A fails and halts. Otherwise, A computes the private key S_ID = t · P_pub = t(xP) from the tuple (ID, W, t, e) and responds to F with S_ID.

Cash Queries. If F requests an e-cash on LST under ID, A responds as follows. A first finds the corresponding tuple (ID, W, t, e) on the H_1-list, chooses two random numbers l, d ∈ Z_q^*, and computes K = lP − dW.


Table 3: Comparison of computation costs.

Protocol   Chen et al. [15]   Zhang et al. [20]   Ours
P1         E + 2H + 3B        —                   E + 4H + 5B + 2L
P2         4H + 6B            2H + 2B + L         2H + 4B
P3         H + 3B             2H + 3B             4H + 9B
P4         H + 3B             2H + 3B             2H + 8B
P5         D                  —                   D

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing. E: symmetric encryption; D: symmetric decryption; H: hash computation; B: bilinear pairing; L: modular exponentiation.

If (LST || K, d) already appears on the H_2-list, A chooses another pair l, d ∈ Z_q^* and tries again. Otherwise, A computes S = l · P_pub, stores (LST || K, d) on the H_2-list, and responds to F with (S, K). The output is a valid e-cash on LST for ID even though A does not know the private key of ID, because Q_B = W and H_2(LST || K) = d give

e(K + H_2(LST || K) Q_B, P_pub) = e(lP − dW + dW, P_pub) = e(lP, P_pub) = e(l P_pub, P) = e(S, P).   (43)

This is why A must retry whenever (LST || K) is already on the H_2-list: the answer d has to be fixed by A before F can query H_2 at that point.

Output. If A does not abort as a result of F's extract queries, then F's view is identical to its view in the real attack. By the Forking Lemma, after replaying F with the same random tape (and a different H_2 answer at the forking point), A obtains two valid e-cash

(LST, K, S), (LST, K, S*).   (44)

Correspondingly, there are two valid signatures (S, K) and (S*, K) with h ≠ h*, because

S = (k + h) S_B,  S* = (k + h*) S_B.   (45)

So, as in the security proof of [22], A obtains S_B = (h − h*)^{-1}(S − S*). If the coin stored for ID_B on the H_1-list is e = 0 (this is consistent with requirement (2) of Definition 4, since F never extracts the key of B), then Q_B = t(yP) and S_B = x Q_B = t(xy)P, so A outputs the CDH solution xyP = t^{-1} S_B. This completes the proof.

9. Comparisons

In this section, we compare our scheme with [15, 18–20] in features, communication efficiency, and computation cost. The features are anonymity/unlinkability, unforgeability, verification, double-spending owner tracing, anonymity revocation, and uncheatability of merchant. Our scheme satisfies all of the above features, whereas each of the other schemes lacks at least one of them. The comparison is shown in Table 1.

In Table 2, we compare the communication efficiency of our scheme with the other schemes. Fan et al.'s scheme [18] and Zhang et al.'s scheme [20] are not trustee based and therefore have neither a license-issuing protocol nor an owner tracing protocol. Juang's scheme [19] also has neither, but it has an initializing phase and a recovering phase; for comparison, the numbers of rounds of the initializing phase and the recovering phase in Juang's scheme are counted as the license-issuing protocol and the owner tracing protocol, respectively. Table 2 shows that the proposed scheme attains its enhanced security with a number of rounds comparable to that of the other schemes (its withdrawal and payment protocols each take two more rounds than in Chen et al.'s scheme).

Our scheme and the schemes of [15, 20] are all ID-based schemes using bilinear pairings, so in Table 3 we compare the computation cost of our scheme with [15, 20]. Zhang et al.'s scheme [20] has no license-issuing protocol and no owner tracing protocol, and for a fair comparison we have not counted the cost of encryption and its related computation in Chen et al.'s scheme. Compared with Chen et al.'s scheme, the proposed scheme requires eleven more pairing computations (six in the payment protocol and five in the deposit protocol); these are what prevent the merchant from cheating. In practice, the cost of a pairing is reduced by using pairing-friendly elliptic curves with efficient pairing implementations.

10. Conclusion

In this paper, we show that Chen et al.'s electronic cash scheme suffers from weaknesses in unforgeability and merchant frauds. To contribute a secure scheme, we propose a new offline electronic cash scheme with anonymity revocation. We also provide formal security proofs of unlinkability and unforgeability. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

Competing Interests

The authors declare that they have no competing interests.

Acknowledgments

This work is supported by the Applied Basic and Advanced Technology Research Programs of Tianjin (no. 15JCYBJC15900).
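The reduction in the proof of Theorem 6 above, run end to end in a toy model. This is an added example and not code from the paper: the pairing group is replaced by the additive group Z_q with generator P = 1 and the map e(aP, bP) = ab mod q, which is bilinear but has trivial discrete logarithms, so it exercises only the algebra of the proof: the simulator's programmed H_2 answers satisfy the verification equation (43) without the signer's private key, and the Forking Lemma extraction (45) yields S_B and then xyP = t^{-1} S_B. The prime q, the sample LST string, and the SHA-256 stand-in for H_2 are assumptions of this example.

```python
"""Toy model of the Theorem 6 reduction (added example, not the paper's code).

Group: (Z_q, +) with P = 1 and the 'pairing' e(aP, bP) = a*b mod q.
Discrete logs are trivial here, so this has NO security value; it only checks
the algebra of the simulation and of the Forking-Lemma extraction.
"""
import hashlib
import secrets

Q = (1 << 61) - 1  # Mersenne prime, order of the toy group (assumption)
P = 1              # generator of (Z_q, +)


def pairing(a, b):
    """Toy bilinear map e(aP, bP) = ab mod q."""
    return (a * b) % Q


def h2_real(lst, k):
    """H_2(LST || K) as a concrete hash into Z_q (stand-in for the random oracle)."""
    digest = hashlib.sha256(f"{lst}|{k}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def verify(p_pub, q_b, lst, k, s, h2=h2_real):
    """Verification equation (43): e(K + H_2(LST||K) Q_B, P_pub) == e(S, P)."""
    h = h2(lst, k)
    return pairing((k + h * q_b) % Q, p_pub) == pairing(s, P)


def sign(s_b, q_b, lst, k_rand, h2=h2_real):
    """Real signing by the bank: K = k Q_B, h = H_2(LST||K), S = (k + h) S_B."""
    k = (k_rand * q_b) % Q
    h = h2(lst, k)
    return k, ((k_rand + h) * s_b) % Q


class Simulator:
    """Algorithm A of the proof: knows P_pub = xP but not x, and programs H_2."""

    def __init__(self, p_pub):
        self.p_pub = p_pub
        self.h2_list = {}  # (LST, K) -> d

    def h2(self, lst, k):
        if (lst, k) not in self.h2_list:
            self.h2_list[(lst, k)] = secrets.randbelow(Q)
        return self.h2_list[(lst, k)]

    def cash_query(self, w, lst):
        """Answer an e-cash query on LST under an identity with Q_ID = W, without S_ID."""
        while True:
            l = 1 + secrets.randbelow(Q - 1)
            d = 1 + secrets.randbelow(Q - 1)
            k = (l * P - d * w) % Q
            if (lst, k) not in self.h2_list:  # retry if H_2 is already fixed there
                break
        self.h2_list[(lst, k)] = d            # program H_2(LST || K) = d
        return k, (l * self.p_pub) % Q        # S = l P_pub


def fork_extract(s1, h1, s2, h2):
    """Equation (45): from S = (k+h)S_B and S* = (k+h*)S_B recover S_B."""
    return ((s1 - s2) * pow((h1 - h2) % Q, -1, Q)) % Q


def real_sign_roundtrip(x, w, lst="LST-example"):
    """A genuine e-cash (S_B = x Q_B) verifies; a tampered S does not."""
    k, s = sign((x * w) % Q, w, lst, 1 + secrets.randbelow(Q - 1))
    return verify(x, w, lst, k, s), verify(x, w, lst, k, (s + 1) % Q)


def simulator_cash_verifies(x, w, lst="LST-example"):
    """A's simulated answer passes verification under A's own H_2 oracle."""
    sim = Simulator((x * P) % Q)
    k, s = sim.cash_query(w, lst)
    return verify(sim.p_pub, w, lst, k, s, h2=sim.h2)


def cdh_from_fork(x, y, t, lst="LST-example"):
    """End-to-end run for an identity whose H_1 coin is e = 0, i.e. Q_B = t(yP)."""
    q_b = (t * y * P) % Q
    s_b = (x * q_b) % Q                   # unknown to A in the real reduction
    k_rand = 1 + secrets.randbelow(Q - 1)  # the forger's random tape is replayed

    def h2_forked(l_, k_):                 # different H_2 answer on the second run
        return (h2_real(l_, k_) + 1) % Q

    k, s1 = sign(s_b, q_b, lst, k_rand, h2_real)
    k2, s2 = sign(s_b, q_b, lst, k_rand, h2_forked)
    assert k == k2                         # same K in both e-cash, as in (44)
    s_b_rec = fork_extract(s1, h2_real(lst, k), s2, h2_forked(lst, k))
    xy_p = (pow(t, -1, Q) * s_b_rec) % Q   # S_B = t(xy)P, so xyP = t^{-1} S_B
    return s_b_rec == s_b, xy_p == (x * y * P) % Q
```

Because identities with coin e = 0 have Q_B = t(yP) for a t chosen by A, the last step needs the factor t^{-1}; returning S_B itself would give t·xyP, which is not a CDH solution.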

References

[1] D. Chaum, "Blind signatures for untraceable payments," in Crypto 82, pp. 199–203, Plenum Press, New York, NY, USA, 1983.
[2] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[3] R. Anderson, C. Manifavas, and C. Sutherland, "NetCard—a practical electronic-cash system," in Security Protocols, vol. 1189 of Lecture Notes in Computer Science, pp. 49–57, Springer, Berlin, Germany, 1997.
[4] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in e-cash systems," in Financial Cryptography, vol. 1318 of Lecture Notes in Computer Science, pp. 1–16, Springer, Berlin, Germany, 1997.
[5] G. Maitland and C. Boyd, "Fair electronic cash based on a group signature scheme," in Information and Communication Security, pp. 461–465, Springer, 2001.
[6] D. Chaum and S. Brands, "'Minting' electronic cash," IEEE Spectrum, vol. 34, no. 2, pp. 30–34, 1997.
[7] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Advances in Cryptology—EUROCRYPT 2005, R. Cramer, Ed., vol. 3494 of Lecture Notes in Computer Science, pp. 302–321, Springer, 2005.
[8] H. Wang and Y. Zhang, "Untraceable off-line electronic cash flow in e-commerce," in Proceedings of the 24th Australasian Computer Science Conference (ACSC '01), pp. 191–198, IEEE, Gold Coast, Australia, January–February 2001.
[9] S. Brands, "Untraceable off-line cash in wallet with observers," in Advances in Cryptology—CRYPTO '93, pp. 302–318, Springer, 1994.
[10] C.-Y. Ku, C.-J. Tsao, Y.-H. Lin, and C.-Y. Chen, "An escrow electronic cash system with limited traceability," Information Sciences, vol. 164, no. 1–4, pp. 17–30, 2004.
[11] T. Cao, D. Lin, and R. Xue, "A randomized RSA-based partially blind signature scheme for electronic cash," Computers & Security, vol. 24, no. 1, pp. 44–49, 2005.
[12] W.-S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[13] C. Fan and W. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory (CMCT '07), pp. 405–410, Nantou, Taiwan, 2007.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, no. 3, pp. 637–646, 2013.
[15] Y. Chen, J.-S. Chou, H.-M. Sun, and M.-H. Cho, "A novel electronic cash system with trustee-based anonymity revocation from pairing," Electronic Commerce Research and Applications, vol. 10, no. 6, pp. 673–682, 2011.
[16] Y.-F. Chang, "A critique of 'A novel electronic cash system with trustee-based anonymity revocation from pairing,' by Chen, Chou, Sun and Cho (2011)," Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 441–442, 2012.
[17] Y. L. Chen, J.-S. Chou, H.-M. Sun, and M.-S. Cho, "A response to a critique of 'A novel electronic cash system with trustee-based anonymity revocation from pairing,' by Chen, Chou, Sun and Cho (2011)," Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 443–444, 2012.
[18] C.-I. Fan, V. S. Huang, and Y.-C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, no. 1-2, pp. 227–237, 2013.
[19] W.-S. Juang, "RO-cash: an efficient and practical recoverable pre-paid offline e-cash scheme using bilinear pairings," Journal of Systems and Software, vol. 83, no. 4, pp. 638–645, 2010.
[20] L. Zhang, F. Zhang, B. Qin, and S. Liu, "Provably-secure electronic cash based on certificateless partially-blind signatures," Electronic Commerce Research and Applications, vol. 10, no. 5, pp. 545–552, 2011.
[21] F. Hess, "Efficient identity based signature schemes based on pairings," in Selected Areas in Cryptography: 9th Annual International Workshop, SAC 2002, St. John's, Newfoundland, Canada, August 15–16, 2002, Revised Papers, vol. 2595 of Lecture Notes in Computer Science, pp. 310–324, Springer, Berlin, Germany, 2003.
[22] F. Zhang and K. Kim, "Efficient ID-based blind signature and proxy signature from bilinear pairings," in Proceedings of the 8th Australasian Conference on Information Security and Privacy (ACISP '03), Wollongong, Australia, July 2003, Lecture Notes in Computer Science, pp. 312–323, Springer, 2003.
