Divisible e-cash can be truly anonymous
Wednesday, May 23, 2007.
Sébastien Canard* and Aline Gouget **
* France Télécom R&D Division, France. ** Gemalto, Security Labs, France.
Sébastien Canard, Aline Gouget 2
Outline
Electronic cash
Divisible e-cash schemes
General construction of a strong unlinkable and truly anonymous divisible e-cash scheme
Application using the construction of Nakanishi-Sugiyama
Conclusion
Electronic cash systems
[Diagram of the protocols: Withdraw, Spend, Deposit, Detection of double-spending, Identify, Verify Guilt]
Security properties
Unforgeability of coins
Anonymity
  Weak anonymity: anonymity of the user
  Strong anonymity: anonymity of the user + unlinkability of the spendings
Identification of cheaters
Exculpability
Divisible e-cash
A user first withdraws a divisible coin and next spends it part by part.
Each divisible coin of monetary value 2^L is assigned to a binary tree of L+1 levels.
Divisibility rule: when a node N is used, none of its descendant and ancestor nodes can be used, and no node can be used more than once.
Over-spending is prevented iff this rule is satisfied.
Divisible e-cash schemes
Many off-line divisible e-cash schemes have been proposed.
First « practical » divisible e-cash scheme
  Proposed by [Okamoto, Crypto’95] and improved by [Chan, Frankel and Tsiounis, Eurocrypt’98]
  Both schemes provide anonymity of users but not unlinkability: it is possible to link several spends from a single divisible coin
First unlinkable divisible e-cash scheme
  Proposed by [Nakanishi and Sugiyama, ISW’00]
  Requires a TTP
  The unlinkability is not strong, since the merchant and the bank know which part of the coin is spent
None of the divisible e-cash schemes of the state of the art provides both strong unlinkability and true anonymity of users.
Overview of our « truly anonymous » e-cash system
Withdrawal phase between B and U
  B signs in a blind manner U’s secret key and a « master serial number »
Spending phase between U and M
  U computes a valid serial number S (→ allows detection of double-spending)
  U computes a valid security tag T (→ masks the spender identity)
  U proves that S and T are well-formed
The identity of the spender is recovered only in case of double-spending.
General description
Each divisible coin of monetary value 2^L is assigned to a binary tree of L+2 levels.
General description
Each node of the tree (including the leaves) is related to a tag key with the following properties:
  From the tag key $K_{i,b}$ of a node N, it is possible for everyone to compute the tag keys related to the descendants of N: $K_{i+1,b_0} = F(K_{i,b}, b_0, Params)$
  From the tag key of a node, it is impossible to compute a tag key which is not related to a descendant of the targeted node
Withdrawal protocol
  The root tag key and the user secret key are signed (in a blind manner) by the bank
General description
Spending protocol
  U computes the tag key of the node N (at level i = L-n) he wants to spend
  From the tag key of N, U computes the serial number S: concatenation of the tag keys related to the two direct descendants of the spent node
  From the tag key of N, U computes the security tag T: verifiable encryption of the user identity (including randomness)
  U proves to M that S and T are well-formed
  A spending corresponds to a triplet (S, T, Φ)
Detection of double-spending
  From S and i, B can compute all the tag keys of the descendant leaves of S, without knowing which node has been spent
Identification of a double-spender
Double spending: $(S = K_{j,0} \| K_{j,1}, T, \Phi)$ and $(S' = K_{j',0} \| K_{j',1}, T', \Phi')$
  $S = S'$: the cheater identity can be recovered from T and T'
  $S'$ is an ancestor of $S$: the secret tag key used to compute T can be recovered using $S'$
Divisible e-Cash System DCS
Based on the binary tree proposed by [Nakanishi and Sugiyama, ISW’00]
The function F used to compute the tag keys is the modular exponentiation
For each level i, there are three linked generators:
  $g_{i,0}$ for the left child
  $g_{i,1}$ for the right child
  $g_{i,2}$ to compute the security tag
Example: the tag key of a node of level i-1 is denoted by $K_{i-1,b}$
Computation of the left child tag key: $K_{i,0} = g_{i,0}^{K_{i-1,b}}$
Computation of the security tag related to the tag key $K_{i,b}$: $T = pk_U \cdot g_{i,2}^{K_{i,b} \cdot R}$
Withdrawal protocol
Camenisch-Lysyanskaya signature scheme [Crypto’04]
  Efficient protocol for a user to get a signature from a signer on committed values
  Efficient proof of knowledge of a signature on committed values
Spending protocol
U wants to spend a sub-coin of value 2^n from his divisible coin C = (s, u, r, …)
U chooses an unspent node (sub-coin) of level i = L-n
U receives from M a random value rand and computes:
  $V_i = g_{i,b_i}^{\,g_{i-1,b_{i-1}}^{\cdots^{g_{1,b_1}^{s}}}}$ (the tag key of the chosen node, following the path $b_1 \dots b_i$ from the root)
  $S = g_{i+1,0}^{V_i} \,\|\, g_{i+1,1}^{V_i}$
  $R = H(pk_M \| rand)$
  $T = pk_U \cdot g_{i,2}^{V_i \cdot R}$
U has to prove the validity of S and T
  U computes a zero-knowledge proof of knowledge of a signature of B on the values (s, u, r) and that S and T are correctly computed, using the Fiat-Shamir heuristic
  Strong unlinkability is achieved using proofs of the "OR" statement (one per level)
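Worked example, added here and not the authors' code: a toy instance of the DCS tree (per-level generators, tag keys by modular exponentiation, S and T as on the spending slide) together with the bank's side from the "General description" and "Identification of a double-spender" slides: the leaf tag keys derived from S and i, and pk_U recovered when S = S' or when S' is an ancestor of S. The tiny group parameters, the hash used for R and the closed-form recovery in the S = S' case are assumptions; the proof Φ is not modelled.

```python
# Added toy instance of the DCS tag-key tree; parameters are constructed (not from the paper):
# safe prime p = 2q+1, quadratic residues as generators of the order-q subgroup, L = 2.
import hashlib

P, Q, L = 10007, 5003, 2                          # coin value 2^L = 4; tree levels 0 .. L+1
G = [tuple(pow(x, 2, P) for x in (3*i+3, 3*i+4, 3*i+5)) for i in range(L + 2)]  # (g_i0, g_i1, g_i2)

def tag_key(s, path):
    """Tag key of the node reached from the root key s along the bit path (level = len(path))."""
    k = s
    for lvl, b in enumerate(path, start=1):
        k = pow(G[lvl][b], k, P)                  # K_{i,b} = g_{i,b} ^ K_{i-1,.}  (mod p)
    return k

def spend(s, pk_u, path, pk_m, rand):
    """User side: (S, T, i, R) for the node at `path`; the proof Phi is not modelled."""
    i, k = len(path), tag_key(s, path)
    R = int(hashlib.sha256(f"{pk_m}|{rand}".encode()).hexdigest(), 16) % Q  # R = H(pk_M || rand)
    S = (pow(G[i+1][0], k, P), pow(G[i+1][1], k, P))   # S = K_{i+1,0} || K_{i+1,1}
    T = pk_u * pow(G[i][2], k * R, P) % P              # T = pk_U * g_{i,2}^{K R}
    return S, T, i, R

def descendants(S, i):
    """Bank side: every (level, tag key) below the spent node, derived from S and i alone."""
    stack, out = [(i + 1, k) for k in S], []
    while stack:
        lvl, k = stack.pop()
        out.append((lvl, k))
        if lvl <= L:
            stack += [(lvl + 1, pow(G[lvl+1][c], k, P)) for c in (0, 1)]
    return out

def leaves(S, i):
    """Leaf tag keys covered by a spend; two deposits are a double-spend iff these sets overlap."""
    return {k for lvl, k in descendants(S, i) if lvl == L + 1}

def identify(dep1, dep2):
    """Recover pk_U from two overlapping deposits (S = S', or one S an ancestor of the other)."""
    (S1, T1, i1, R1), (S2, T2, i2, R2) = dep1, dep2
    if S1 == S2:                                   # T1^R2 / T2^R1 = pk_U^(R2 - R1)
        x = pow(T1, R2, P) * pow(pow(T2, R1, P), -1, P) % P
        return pow(x, pow((R2 - R1) % Q, -1, Q), P)
    for (Sa, _, ia, _), (Sb, Tb, ib, Rb) in ((dep1, dep2), (dep2, dep1)):
        for lvl, k in descendants(Sa, ia):         # Sa ancestor: its subtree contains K of Sb
            if lvl == ib and (pow(G[ib+1][0], k, P), pow(G[ib+1][1], k, P)) == Sb:
                return Tb * pow(pow(G[ib][2], k * Rb, P), -1, P) % P
    return None
```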
Security arguments
Theorem: in the random oracle model, the DCS scheme is secure:
  If the CL signature scheme is unforgeable, then DCS is unforgeable.
  Under the DDH assumption, DCS is unlinkable.
  If the CL signature scheme is unforgeable, then DCS permits the identification of double-spenders.
  Under the DL assumption, DCS has the exculpability property.
Conclusion and open problems
We proposed the first off-line divisible e-cash scheme providing both strong unlinkability and true anonymity.
The true anonymity of users is achieved without impacting the performance of the spending protocol.
However, spending a small number of coins at a time is still expensive, due to the use of double-exponentiation proofs during the spending phase.
Open problems:
  Improve the efficiency of the spending phase
  Find a method to detect double-spending without computing 2^L serial numbers for a divisible coin of monetary value 2^L
Zero-knowledge proof of knowledge
Φ is a proof of knowledge of a signature of B on (s, u, r) and, with one OR statement per level, of the path from the root to the spent node (commitments omitted):
$PK\{(s, u, r, \dots) : \mathrm{Sign}_B(s, u, r) \wedge (V_1 = g_{1,0}^{s} \vee V_1 = g_{1,1}^{s}) \wedge \dots \wedge (V_i = g_{i,0}^{V_{i-1}} \vee V_i = g_{i,1}^{V_{i-1}}) \wedge S = g_{i+1,0}^{V_i} \,\|\, g_{i+1,1}^{V_i} \wedge T = pk_U \cdot g_{i,2}^{V_i R}\}$
Proof of unlinkability
In fact, we embed an instance of the Matching Multi Diffie-Hellman (MMDH) problem
MMDH can be used to solve DDH, through the chain of problems:
  Matching Multi Diffie-Hellman (MMDH) problem
  Decisional Multi Diffie-Hellman (DMDH) problem
  Derived Decisional Diffie-Hellman (DDDH) problem
  Decisional Diffie-Hellman (DDH) problem
Decision oracles are equivalent to matching oracles [Handschuh, Tsiounis, Yung, PKC’99]
[Definitions of the MMDH/DMDH/DDDH instances as tuples of group elements: not legible]