Fair E-cash: Be Compact, Spend Faster - Sébastien Canard, Orange Labs - PowerPoint PPT Presentation



SLIDE 1

research & development

Fair E-cash: Be Compact, Spend Faster

Sébastien Canard, Orange Labs R&D, France Cécile Delerablée, UVSQ, France Aline Gouget, Gemalto, France Emeline Hufschmitt, Thalès Communications, France Fabien Laguillaumie, Université de Caen, France Hervé Sibert, ST-Ericsson, France Jacques Traoré, Orange Labs R&D, France Damien Vergnaud, Ecole Normale Supérieure – CNRS – INRIA, France

ISC 2009 – Tuesday, September 8, 2009 Pisa

SLIDE 2

Orange Labs - Research & Development

Outline

  • 1. The concept of Fair E-cash
  • 2. Previous Results
  • 3. Basic Tools
  • 4. Our Proposal
  • 5. Conclusion
SLIDE 3

The concept of E-cash

[Figure: Bob pays one coin to the Shop; Bob's balance goes −1, the Shop's balance +1]

SLIDE 4

Minting an Untraceable Coin

The Bank holds a secret minting key to create coins and publishes a verification key so that anyone can recognize coins.

Coin = (Serial Number, BankSig(Serial Number))

SLIDE 5

Requirements

  • Privacy protection
    • Weak anonymity: anonymity of the user
    • Strong anonymity: anonymity of the user + unlinkability of the spendings
  • Security
    • Unforgeability of coins
    • Identification of double-spenders
    • Exculpability

SLIDE 6

Withdrawal

Customer ↔ Bank:

  • the customer authenticates to the bank
  • they run a "blind" signature protocol on the serial number SN
  • the customer obtains coin = (SN, Sig(SN))
  • the bank debits the customer's account

SLIDE 7

Fair Off-Line Electronic Cash

  • Drawbacks of anonymous cash
    • money laundering
    • blackmailing, bank robbery attack
  • Controlling user anonymity: fair e-cash systems
    • use one (or several) trusted authority(ies) to revoke anonymity when necessary
    • the power of the trusted authority can be distributed

SLIDE 8

Trustee-based Tracing Model

[Figure: Customer → Bank (withdrawal), Customer → Shop (payment), Shop → Bank (deposit); the Judge can revoke anonymity]

SLIDE 9

Tracing Operations

  • Owner tracing
  • Coin tracing

[Figure: a withdrawal dated 09/08/2009 yields the coins (SN = 01234, BankSig) and (SN = 56789, BankSig)]

SLIDE 10

Previous Results

  • Many fair and non-fair off-line e-cash schemes have been proposed ([CFN88], [Brands'93], [CMS96], [FTY96], [dST98], [Traoré99], …)
  • Before Compact E-cash [Camenisch, Hohenberger, Lysyanskaya, Eurocrypt 2005]:

[Figure: Alice withdraws coins 1, 2, …, n, n+1 one at a time and spends them one at a time to Bob]

SLIDE 11

Compact E-Cash [Camenisch, Hohenberger, Lysyanskaya, Eurocrypt 2005]

Allows a user to withdraw a wallet with $2^L$ coins such that the space required to store these coins and the complexity of the withdrawal protocol are proportional to $L$ rather than $2^L$.

[Figure: Alice withdraws n coins in a single wallet, then spends them one by one to Bob]

  • Does not consider the efficiency of the spending phase (and is not "fair")

SLIDE 12

Our Contribution

Fair E-cash: Be Compact, Spend Faster

A new off-line electronic cash system:

  • with compact wallets
  • which is fair
  • where users can efficiently spend $k$ coins while only sending to the merchant $O(\lambda \log k)$ bits, where $\lambda$ is a security parameter

SLIDE 13

Batch RSA (I)

  • An RSA variant
    • $H$: a public hash function
    • Public key: an RSA modulus $n = pq$
    • Private key: $(p, q)$
    • A valid digital signature on a message $M$ is of the form $(e, H(M)^{1/e} \bmod n)$, where $e$ is any prime

Let $S_0, S_1, \ldots, S_{l-1}$ be $l$ distinct messages with $l \le K = 2^L$, and let the $e_i$'s be, for example, the $l$ first odd primes; set

$$E = \prod_{i=0}^{l-1} e_i$$

Batch RSA allows to efficiently compute the $l$ roots

$$S_0^{1/e_0} \bmod n,\ S_1^{1/e_1} \bmod n,\ \ldots,\ S_{l-1}^{1/e_{l-1}} \bmod n$$

in $O(\log K \cdot \log E + \log n)$ modular multiplications and $O(K)$ divisions.

SLIDE 14

Batch RSA (II)

Step 1: Build up the product (the private key is not needed)

$$M = S_0^{E/e_0} \times S_1^{E/e_1} \times \cdots \times S_{l-1}^{E/e_{l-1}} \bmod n$$

Step 2: Extract the $E$-th root of the product $M$ (the private key is needed)

$$\mathcal{S} = M^{1/E} \bmod n = S_0^{1/e_0} \times S_1^{1/e_1} \times \cdots \times S_{l-1}^{1/e_{l-1}} \bmod n$$

Step 3: Break up the product of roots (the private key is not needed)

$$S_0^{1/e_0} \bmod n,\ S_1^{1/e_1} \bmod n,\ \ldots,\ S_{l-1}^{1/e_{l-1}} \bmod n$$

Blind Batch RSA: the $l$ roots can be obtained in a blind manner.

Option: splitting an aggregated signature. The aggregated signature

$$\mathcal{S} = \prod_{i=0}^{l-1} S_i^{1/e_i} \bmod n$$

can be split along any partition $F_1 \subset F = \{0, \ldots, l-1\}$, $F_2 = F \setminus F_1$:

$$\mathcal{S}_1 = \prod_{i \in F_1} S_i^{1/e_i} \bmod n, \qquad \mathcal{S}_2 = \prod_{i \in F_2} S_i^{1/e_i} \bmod n$$

SLIDE 15

Camenisch-Lysyanskaya signature scheme

  • We use an RSA-type CL signature scheme
  • A block of messages $(m_1, m_2, m_3, \ldots, m_n)$ can be signed
  • A signature protocol where the messages are kept secret from the signer (but not the signature):

    User → Signer: $Com(m_1, m_2, m_3, \ldots, m_n)$
    Signer → User: $Sign(Com(m_1, m_2, m_3, \ldots, m_n))$
    User obtains: $SignCL(m_1, m_2, m_3, \ldots, m_n)$

  • A ZKPK (zero-knowledge proof of knowledge) of ownership of $SignCL(m_1, m_2, m_3, \ldots, m_n)$ without revealing the signature and the messages

SLIDE 16

Parameters

  • $l \le K = 2^L$; $g$ a generator of a cyclic group $G$; $E = \prod_{i=0}^{l-1} e_i$
  • Customer: is associated to a long-term private key $sk_U = u$ and a corresponding public key $Pk_U = g^u$
  • Bank: holds two pairs of (private, public) keys: one for the Batch RSA signature scheme and the other one for the CL signature scheme
  • Judge: holds a pair of keys of a suitable public-key cryptosystem

SLIDE 17

Generation of the serial numbers

  • $F$: a public collision-free function
  • $s = S_{0,0}$ is the seed (master secret)
  • $S_{1,0} = F(S_{0,0}, 0)$; $S_{1,1} = F(S_{0,0}, 1)$
  • $S_{i+1,2j} = F(S_{i,j}, 0)$ for the left child of $S_{i,j}$; $S_{i+1,2j+1} = F(S_{i,j}, 1)$ for the right child of $S_{i,j}$

SLIDE 18

Withdrawal

Wallet = $(s, u, \sigma, \ldots)$ where:

  • $\sigma$ = aggregated signature of the $l$ coins $= H(S_0)^{1/e_0} \cdots H(S_{l-1})^{1/e_{l-1}} \bmod n$
  • $\ldots$ = CL signature on $(s, u, \ldots)$

SLIDE 19

Example: spending two coins

Wallet with $l = 5$ coins:

$$\sigma = \prod_{i=0}^{4} H(S_i)^{1/e_i} \bmod n$$

Coins to be spent:

$$\sigma_1 = H(S_0)^{1/e_0} \cdot H(S_1)^{1/e_1} \bmod n$$

Remaining coins in the wallet:

$$\sigma_2 = H(S_2)^{1/e_2} \cdot H(S_3)^{1/e_3} \cdot H(S_4)^{1/e_4} \bmod n$$

so that $\sigma = \sigma_1 \cdot \sigma_2 \bmod n$.

SLIDE 20

Spending two coins at the same time

Customer:

  • computes $\sigma_1 = H(S_0)^{1/e_0} \cdot H(S_1)^{1/e_1} \bmod n$ from $\sigma = \prod_{i=0}^{4} H(S_i)^{1/e_i} \bmod n$ (the remaining part being $\sigma_2 = H(S_2)^{1/e_2} \cdot H(S_3)^{1/e_3} \cdot H(S_4)^{1/e_4} \bmod n$)
  • computes also $C_1 = Enc_J(Pk_U)$ and $C_2 = Enc_J(s)$
  • sends to the shop: $S_{2,0}$, $\sigma_1$, $C_1$, $C_2$ + proof*

Shop:

  • retrieves $S_0$ and $S_1$ from $S_{2,0}$, and from $\sigma_1$:
    $BatchSig(S_0) = H(S_0)^{1/e_0} \bmod n$, $BatchSig(S_1) = H(S_1)^{1/e_1} \bmod n$
  • verifies the proof

* this proof doesn't prove that $S_0$ and $S_1$ derive from $s$
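The following Python is an added example, not code from the paper or its authors. It implements Fiat's batch RSA as the slides use it: the bank's build-up / root-extraction / break-up steps of slides 13 and 14, and the splitting of the aggregated signature σ into the σ_1 sent to the shop and the σ_2 kept in the wallet (slides 19 and 20), followed by the shop breaking σ_1 into the two per-coin roots it checks. The toy key generator, SHA-256 reduced mod n as H, and the serial numbers S_0 .. S_4 are assumptions made for the example; the exponents are the five first odd primes as on slide 13.

```python
"""Added example: Fiat's batch RSA as used on slides 13, 14, 19 and 20.
The bank signs l serial numbers with a single E-th root extraction, and
anyone holding only public data can break the aggregated root sigma into
per-coin roots, or into the sigma_1 / sigma_2 halves of slide 19.
Toy parameters and SHA-256-as-H are assumptions, not the paper's choices."""
import hashlib
import random
from math import gcd, prod


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test, sufficient for a toy key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(n)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def keygen(bits: int, exponents, seed: int = 2009):
    """Toy RSA key (n, phi(n)) with phi(n) coprime to every batch exponent,
    so that each e_i is a valid RSA exponent.  Far too small for real use."""
    rng = random.Random(seed)
    E = prod(exponents)
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if p != q and is_probable_prime(p) and is_probable_prime(q):
            phi = (p - 1) * (q - 1)
            if gcd(E, phi) == 1:
                return p * q, phi


E_LIST = [3, 5, 7, 11, 13]        # the l = 5 first odd primes, as on slide 13
N, PHI = keygen(96, E_LIST)


def H(serial: bytes) -> int:
    """Public hash function H of slide 13 (assumption: SHA-256 reduced mod n)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def batch_sign(messages):
    """Slide 14, steps 1-2: M = prod_i S_i^(E/e_i) mod n, then sigma = M^(1/E) mod n.
    messages[i] is H(S_i) and is signed under exponent E_LIST[i]."""
    exps = E_LIST[: len(messages)]
    E = prod(exps)
    M = 1
    for m, e in zip(messages, exps):          # step 1: public data only
        M = M * pow(m, E // e, N) % N
    d = pow(E, -1, PHI)                       # step 2: needs phi(n), i.e. (p, q)
    return pow(M, d, N)                       # equals prod_i S_i^(1/e_i) mod n


def split(sigma, messages, subset):
    """Slide 14 step 3 and slide 19: from sigma = prod_i S_i^(1/e_i) mod n return
    prod_{i in subset} S_i^(1/e_i) mod n using only public data.
    subset = {j} gives the ordinary RSA root of coin j; subset = {0, 1} gives sigma_1."""
    exps = E_LIST[: len(messages)]
    e1 = prod(e for i, e in enumerate(exps) if i in subset)
    e2 = prod(e for i, e in enumerate(exps) if i not in subset)
    # x = 1 (mod e1) and x = 0 (mod e2): sigma^x is the target times known powers of S_i
    x = e2 * pow(e2, -1, e1)
    known = 1
    for i, (m, e) in enumerate(zip(messages, exps)):
        known = known * pow(m, (x - 1) // e if i in subset else x // e, N) % N
    return pow(sigma, x, N) * pow(known, -1, N) % N


def verify(root, serial: bytes, i: int) -> bool:
    """Shop-side check of one coin (slide 20): root^(e_i) == H(S_i) mod n."""
    return pow(root, E_LIST[i], N) == H(serial)


def demo():
    serials = [b"S_%d" % i for i in range(5)]   # constructed stand-ins for S_0..S_4
    hashed = [H(s) for s in serials]
    sigma = batch_sign(hashed)                   # bank: one E-th root for five coins
    sigma1 = split(sigma, hashed, {0, 1})        # customer: the two coins to spend
    sigma2 = split(sigma, hashed, {2, 3, 4})     # customer: the three coins kept
    # the shop sees only sigma1, S_0 and S_1, and breaks sigma1 into two roots
    shop_roots = [split(sigma1, hashed[:2], {i}) for i in range(2)]
    return {
        "sigma_is_product": sigma1 * sigma2 % N == sigma,
        "full_subset_is_sigma": split(sigma, hashed, {0, 1, 2, 3, 4}) == sigma,
        "all_roots_valid": all(verify(split(sigma, hashed, {i}), serials[i], i) for i in range(5)),
        "shop_accepts": all(verify(r, serials[i], i) for i, r in enumerate(shop_roots)),
        "swapped_serial_accepted": verify(shop_roots[0], serials[1], 0),
    }
```

Two points the code makes concrete. Breaking up σ, or σ_1, needs one exponentiation per root and a single modular inversion (the "O(K) divisions" of slide 13), and no private key, so the shop can recover BatchSig(S_0) and BatchSig(S_1) from σ_1 alone. The split only works because the e_i are pairwise coprime; that is why the slides take them to be distinct primes.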

SLIDE 21

Tracing of Double-Spenders

Ex: double-spending of a coin with serial number $S_0$

  • Deposit 1 (Shop 1 → Bank): $S_0$, $\sigma_1$, $C_1$, $C_2$ + proof
  • Deposit 2 (Shop 2 → Bank): $S_0$, $\sigma'_1$, $C'_1$, $C'_2$ + proof'

The Bank detects the duplicated $S_0$; the Judge then:

  • 1. Decrypts $C_2 = Enc_J(s)$ and $C'_2 = Enc_J(s')$
  • 2. If $S_0$ cannot be computed from $s$ (resp. $s'$), then the judge decrypts $C_1 = Enc_J(Pk_U)$ (resp. $C'_1 = Enc_J(Pk_{U'})$)

⇒ $Pk_U$ (resp. $Pk_{U'}$) is guilty
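The following Python is an added example, not the authors' code. It covers three passages with one tree helper: the serial-number tree of slide 17, the shop's recovery of $S_0$ and $S_1$ from the revealed node $S_{2,0}$ on slide 20, and the judge's test on slide 21 of whether $S_0$ can be computed from a decrypted seed $s$. Assumptions made for the example: $F$ is instantiated as SHA-256 over (parent || bit), the depth is $L = 3$ so that $K = 8$, and the serial numbers $S_j$ are the leaves $S_{L,j}$ read left to right. The `covering_node` function goes beyond the two-coin case on the slide to any aligned power-of-two range of coins.

```python
"""Added example: the serial-number tree of slide 17 and its use on slides 20 and 21.
F, L and the leaf-ordering convention are assumptions made for this example."""
import hashlib

L = 3                     # tree depth: K = 2**L = 8 leaves, so up to 8 coins per wallet


def F(parent: bytes, bit: int) -> bytes:
    """Public collision-free derivation function of slide 17 (assumption: SHA-256)."""
    return hashlib.sha256(parent + bytes([bit])).digest()


def node(start: bytes, levels: int, index: int) -> bytes:
    """Descend `levels` levels from `start`, reading the bits of `index` from the
    most significant one; from the seed s = S_{0,0} this yields S_{levels,index}."""
    cur = start
    for i in range(levels - 1, -1, -1):
        cur = F(cur, (index >> i) & 1)
    return cur


def leaves_under(value: bytes, depth: int, index: int):
    """(leaf index, serial number) pairs below node S_{depth,index}.
    The shop runs this on the node the customer revealed (slide 20)."""
    width = 1 << (L - depth)
    return [(index * width + k, node(value, L - depth, k)) for k in range(width)]


def covering_node(first: int, count: int):
    """(depth, index) of the single node whose leaves are exactly S_first .. S_{first+count-1}.
    count must be a power of two and first a multiple of count.
    Spending S_0 and S_1 with L = 3 reveals S_{2,0}, as on slide 20."""
    if count < 1 or count & (count - 1) or first % count:
        raise ValueError("range is not one aligned subtree")
    height = count.bit_length() - 1
    return L - height, first >> height


def derives(seed: bytes, serial: bytes) -> bool:
    """Judge, slide 21 step 2: can this serial number be computed from seed s?"""
    return any(v == serial for _, v in leaves_under(seed, 0, 0))


def demo():
    s = b"wallet master secret s"                 # constructed seed S_{0,0}
    depth, idx = covering_node(0, 2)              # customer spends S_0 and S_1
    revealed = node(s, depth, idx)                # S_{2,0}, the node sent to the shop
    shop = leaves_under(revealed, depth, idx)     # shop recomputes S_0 and S_1 itself
    return {
        "revealed": (depth, idx),
        "shop_indices": [j for j, _ in shop],
        "shop_values_match": [v for _, v in shop] == [node(s, L, 0), node(s, L, 1)],
        "judge_honest_seed": derives(s, node(s, L, 0)),
        "judge_wrong_seed": derives(b"some other seed", node(s, L, 0)),
        "s10_matches_slide": node(s, 1, 0) == F(s, 0) and node(s, 1, 1) == F(s, 1),
    }
```

Revealing $S_{2,0}$ instead of two leaves is what keeps the spending short, but it also tells the shop and the bank exactly which leaves of the tree were used, which is the anonymity limitation stated on the conclusion slide. And since the proof sent on slide 20 does not bind $S_0$, $S_1$ to $s$, the judge cannot take the decrypted seed at face value: `derives()` is the check that decides whether to go on and decrypt $C_1$.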

SLIDE 22

Security

Theorem: In the random oracle model, our fair e-cash system satisfies the following properties:

  • Unforgeability: under the one-more Strong RSA problem
  • Anonymity: under the strong blindness of the Batch-RSA blind signature scheme and the indistinguishability of the ciphertexts of the encryption scheme
  • Identification of double-spenders: under the unforgeability of the CL signature scheme
  • Exculpability: under the one-more discrete logarithm assumption

SLIDE 23

Efficiency considerations

[Cost table not recoverable from the slide; its legend:]

  • M and D are the respective costs of exponentiation, multiplication and division modulo $n$
  • F is the cost of the derivation function
  • $\lambda$ is a security parameter
  • $K$ is the number of withdrawn coins
  • $k$ is the number of spent coins
  • $K'$ is the number of remaining coins in the wallet after spending
SLIDE 24

Conclusion and open problems

  • We proposed the first fair e-cash system with a compact wallet and efficient spendings
  • It does not however provide a perfect anonymity property, since it is possible to know which leaves in the serial number binary tree are used during the spending
  • Future work:
    • How to design a similar system in the non-fair setting?
    • Strong anonymity