An Efficient Online Electronic Cash with Unlinkable Exact Payments

1
An Efficient On-line Electronic Cash with
Unlinkable Exact Payments

• Toru Nakanishi, Mitsuaki Shiota and Yuji Sugiyama
• Dept. of Communication Network Engineering,
• Okayama Univ., Japan

2
Whats on-line e-cash ?

• e-cash By circulating information called coin, a
  payment from a user to a merchant is performed
• A bank issues coins, and manages payments
• On-line The payment transaction from a user to a
  merchant involves with the bank

Withdrawal
Bank
User
Users account
-w
Coins of amounts w
Payment for a merchant
Bank
Merchants account p
User
Coins of amounts p
3
Requirements

• Securityunforgeability, no over-spending,
• Privacy protectionunlinkability (gtanonymity)
• Unknown whether two payments were made by the
  same user
• ConvenienceExact payments
• (payments of arbitrary
  amounts)

A payment
Bank
User
Coins of amounts p
Unlinkable
Another payment
Bank
User
Coins of amounts p
4
Previous work

• On-line system 3 with unlinkable exact payments
• User anonymously obtains changes

Payment of 25
Bank
User
Note coin amounts are public
3 Brickell et.al., Trustee-based tracing
extensions to anonymous cash and the making of
anonymous change, SODA95
5
Problems of 3

• Assume there are coin types with all payable
  amounts( e.g.,?1 coin type 1,000 coin type)
• A payment T1
• Another payment T2
• Use a coin with 27.46

Payment of 22.54
Bank
User
Specific amount 27.46 in a lot of
amounts(0.011000.00) largely reduces the
number of candidates to link ? weaken
unlinkability
6
Problems of 3 (Cont.)

• Assume there are coin types with amounts 2i (1,
  2, 4, 8, )
• N the number of payable amounts
• Then, to express any amount, O(log N) coins
  needed
• In case of N100,000(?1 1,000), 17 coins
• Protocol 3 needs about10 multi-exps per a coin
• Total cost of a payment is more than 100
  multi-exps

Inefficient (Similar in case of other coin types)
3 does not satisfy unlinkability or efficiency
7
Our contributions

• On-line e-cash with unlinkable exact payments
• satisfying both efficiency and unlinkability
• A payment needs only 1 coin
• ? Efficient
• Coin amounts are kept secret
• ? Protect linking via coin amounts

8
Our approach

• Use changes
• A coin is assigned to any amount
• Every coin amount is kept secret, but correctness
  of amounts of old and new coins is ensured by a
  ZPK (Zero-knowledge Proof of Knowledge)

User
payment of amount p
Bank
9
Used toolCamenisch-Lysyanskaya signature
scheme4

• RSA type
• Multiple messages signed
• A coin Sign(x,m) w.r.t. Banks key
• x a secret of user, m coin amount

• Note
• Sign(x,m) unforgeability
• Secrecy of x
• used to detect double-spending coin
• (the detail is omitted here)

4 Camenisch, Lysyanskaya, A signature scheme
with efficient protocols, SCN02
10
Protocols in 4

• A ZPK of ownership of Sign(x,m) without revealing
  Sign(x,m), x, m
• A protocol to sign, where x, m are kept secret
  for the signer

Com(x, m) (Commitment of x and m)
Receiver
Signer
Sign(Com(x, m))
Sign(x, m)
11
Idea of our system (unlinkability
correctness in payment)

• Payment of p

User
Bank
ZPK of ownership of Sign(x,m) ZPK of equation
m m p ZPK of inequation p?m
Old coin of m Sign(x,m)
Com(x, m)
New coin of m Sign(x,m)
Sign(Com(x, m))
No information revealed ? unlinkability, amounts
secrecy ZPK of Sign ? ownership of old coin ZPK
of mm-p ? consistency of coin amounts ZPK of
p?m ? no over-spending
12
Conclusion

• Efficient on-line e-cash with unlinkable exact
  payments
• O(1) efficiency w.r.t. N
• In detail, about 20 multi-exps in a payment

13
Future works

• Strict security considerations
• Further efficiency improvements