A practical anonymous multi-authority e-cash scheme

doi:10.1016/S0096-3003(02)00805-6

Applied Mathematics and Computation

Volume 147, Issue 3, 16 January 2004, Pages 699-711

https://doi.org/10.1016/S0096-3003(02)00805-6 Get rights and content

Abstract

We propose a practical multi-authority e-cash scheme that satisfies anonymity, security and verifiability. By means of our proposed scheme, the issue of e-coins is controlled by several issuers. Customers can request e-coins from several issuers, who represent a bank, on the current available issuers list according to the Internet condition.

Introduction

Due to the fast progress of the Internet and wireless communications, many conventional activities such as shopping, education, and elections can be conducted over it. However, the current Internet is rife with security problems. Viruses and hacker attacks are commonplace. These commercial activities are inhibited because of concerns about the lack of security.

The critical success factors for an enterprise to implement and operate an e-business are money flow, material flow and information flow in electronic commerce. Entrepreneurs have to provide various services on the Internet in order to keep customers and attract new customers. From a customer’s point of view, security, anonymity, efficiency, and flexibility are the main criteria of electronic payment schemes. Also, from the point of view of a bank or the government [1], [2], security and implementation costs are most important. As of today, several electronic payment schemes have been proposed for money flow in electronic commerce, such as e-cash schemes, credit card schemes, stored value card schemes, pre-paid card schemes, e-check schemes, etc.

Secure e-cash schemes have been investigated by many researchers from practical and theoretical points of view [3], [4], [5], [6], [7], [8], [9], [10], [11], [12], [13]. A secure e-cash scheme can be regarded as a protocol involving a customer, a shop and a bank. Both the shop and the customer have their accounts with the bank. There are two types of e-cash schemes for verifying the validity of a transaction: on-line schemes and off-line schemes. In on-line schemes [4], [5], [9], [11], [13], all participants, the customer, the shop and the bank, have to be connected on-line when the customer spends an e-coin. In off-line schemes [3], [6], [7], [8], [10], [12], each transaction during the protocol requires two participants only. However, these off-line schemes do not prevent double-spending, but allow to detect the frauds and reveal the identity of the cheater. These schemes may only be used in low value transactions that require prior restraint against customers spending beyond their available money. From the literatures, all proposed e-cash schemes [3], [4], [5], [6], [7], [8], [9], [10], [11], [12], [13] are single authority schemes. The basic assumption of these schemes is that the single money issuer of these schemes is trustworthy. However, she/he may issue extra e-coins as she/he wishes. If she/he does that, it may cause great danger or hurt for the country or society.

To remedy this problem, we propose a practical multi-authority e-cash scheme that satisfies anonymity, security and verifiability properties. Our proposed scheme can satisfy real-world environments, such that, the issue of e-coins is controlled by several issuers, who can represent a bank in issuing e-coins. In our proposed scheme, a customer only needs to request t members from n issuers when she/he withdraws e-coins. It can satisfy real-world environments without a single trusted authority or with some absent/dishonest authorities. It can also increase the availability of the issuers and increase protection against forgery by making it harder for the adversary to learn the group secret key. Also, the verification function and the size of the e-coins in our proposed multi-authority e-cash scheme is the same as those in the single authority scheme. A customer can request an e-coin from t issuers, who can be chosen by the customer or assigned by the system, on the current available issuers list according to the Internet condition.

Section snippets

The multi-authority e-cash scheme

In this section, we propose a practical multi-authority e-cash scheme. In our scheme, blind threshold signatures from [14], [15] are used to distribute the power of a single trusted money issuer. The scheme involves a customer, shops, n e-coin issuers and a bank. The scheme consists of four phases: the initialization phase, the preparation phase, the withdrawal phase and the paying phase. Before a customer can withdraw any e-coin from the issuers, the bank first publishes all public parameters.

Correctness

To prevent an issuer from sending an invalid partial signature to a customer, a partial signature can be checked in step 4 of the withdrawal phase. The following lemma ensures the correctness of partial signatures.

Lemma 1

The customer’s partial signature (r_j,s_j) is valid if I_j is honest.

Proof

By means of our scheme, we have $g^{−s_{j}} y_{j}^{r} r_{j} ≡_{p} g^{−(s_{j}β+α)} g^{z_{j}r} g^{α} r_{j}^{β} ≡_{p} g^{−m̂z_{j}+∑_{l=t+1}^{n}f_{l}(x_{j})∏_{k=1,k≠j}^{t}−x_{k}x_{j}−x_{k}+k_{j}β} g^{z_{j}r} g^{k_{j}β} ≡_{p} g^{−m̂z_{j}+∑_{l=t+1}^{n}f_{l}(x_{j})∏_{k=1,k≠j}^{t}−x_{k}x_{j}−x_{k}β} g^{z_{j}r} ≡_{p} g^{−m̂z_{j}β−m̂∑_{l=t+1}^{n}f_{l}(x_{j})∏_{k=1,k≠j}^{t}−x_{k}x_{j}−x_{k}β} g^{z_{j}r} ≡_{p} g^{∑_{l=t+1}^{n}f_{l}(x_{j})∏_{}}$

Conclusion

We have proposed a practical anonymous multi-authority e-cash scheme, which satisfies real-world environments, such that the issue of e-coins is controlled by several authorities. A customer can request an e-coin from several issuers, who represent a bank, on the current available issuers list according to the Internet condition. Also, the size and the verification function of e-coins in our proposed multi-authority e-cash scheme is the same as those in the single authority scheme.

Acknowledgements

This work was supported in part by the National Science Council of the Republic of China under contract NSC-91-2213-E-128-005. The authors would like to thank Professor Chin-Laung Lei for several very helpful comments and suggestions.

References (23)

W. Juang et al.
Partially blind threshold signatures based on discrete logarithm
Comput. Commun.
(1999)
W. Juang et al.
A collision free secret ballot protocol for computerized general elections
Comput. Security
(1996)
N. Asokan et al.
State of the art in electronic payment systems
IEEE Computer
(1997)
R. Rivest, Perspectives on financial cryptography, the rump session at Financial Crypto’97,...
S. Brands, Untraceable off-line cash in wallets with observers, in: Advances in Cryptology: Proc. of Crypt’93, LNCS...
J. Camenisch, J. Piveteau, M. Stadler, An efficient payment system protecting privacy, in: Proceeding of ESORICS’94,...
D. Chaum, Blind signatures for untraceable payments, in: Advances in Cryptology: Proc. of Crypt’82, Springer, New York,...
D. Chaum, A. Fiat, M. Naor, Untraceable electronic cash, in: Advances in Cryptology: Proc. of Crypt’88, LNCS 403,...
D. Chaum, T. Pedersen, Transferred cash grows in size, in: Advances in Cryptology: Proc. of EuroCrypt’92, LNCS 658,...
T. Eng, T. Okamoto, Single-term divisible electronic coins, in: Advances in Cryptology: Proc. Of EuroCrypt’94, LNCS...

C. Fan et al.

Low computation partially blind signatures for electronic cash

IEICE Trans. Fundamentals Electron., Commun. Computer Sci.

(1998)

Cited by (11)

A simplified scheme for secure offline electronic payment systems
2021, High-Confidence Computing
Citation Excerpt :
Based on the mode of connectivity of the 3rd party (e.g., the Bank, the trusted central authority (CA), etc.) within the system, broadly, the category of e-payment system is either online or offline. In an online system [3–7], usually, the Bank can check transactions between a customer and a merchant instantaneously. Thereby, the Bank can identify any illegal trade and can control it easily.
This paper proposes a secure offline electronic (e-) payment scheme by adopting Schnorr's untraceable blind signature (BS). Thereby, to satisfy the essential security requirements of e-payment systems, it requires much more simple computations and becomes more practical than many existing schemes. Other considerations are: to prevent the forgery of e-coin, the Bank is only the lawful entity to produce the valid e-coin; and others can verify its correctness. To confirm no swindling, the e-coin owner also sticks her private signing key with the e-coin before spending it as the payment. Hence, through the commitment with challenge-response of Schnorr's BS, the merchant can verify the spent e-coin, and the trusted authority can identify the dishonest spender if multiple spending occurs. Moreover, it embeds three distinct information of date, namely expiration, deposit, and transaction dates with every e-coin. Thereby, it minimizes the size of the Bank's database, correctly calculates the interest of the e-coin, and helps in arbiter if multiple spending, respectively. Finally, it evaluates the performance and analyzes essential security requirements of the proposed scheme, plus studies a comparison with existing ones.
User efficient recoverable off-line e-cash scheme with fast anonymity revoking
2013, Mathematical and Computer Modelling
Citation Excerpt :
Furthermore, the bank needs to deal with the e-cash double-spending problem. In general, e-cash can be classified into two types, which are on-line e-cash [2,3,1,4] and off-line e-cash [5–8]. The bank can prevent double-spending in an on-line e-cash scheme because it performs double-spending checking before accepting an e-cash transaction.
Due to rapid progress in the internet and cloud computing technologies, electronic commerce is becoming more and more popular. Many people and businesses deal with their payment transactions via the Internet. The technologies of credit cards, electronic tickets, electronic cash (e-cash), and other advanced payment services have realized the vision of electronic commerce. In this paper, we proposed an off-line e-cash scheme with anonymity, unlinkability, double-spending checking, anonymity control, and fast anonymity revocation on double-spending. In an off-line e-cash scheme, the bank which could be a financial cloud server or the third party (TTP) must be able to revoke the anonymity of a user who doubly spent her/his e-cash(s). In our proposed scheme, the bank can quickly derive the identity of the user who doubly spent her/his e-cash(s) without the participation of TTP. Besides, if some illegal transactions are reported, TTP can also directly revoke the anonymity of the user who spent her/his e-cash(s) in the illegal transactions. Furthermore, we also provide traceability for the police to trace a specific user, and maybe a crime, in some situations. Finally, the security of the proposed features, unlinkability and unforgeability, are formally proved in this paper.
A novel electronic cash system with trustee-based anonymity revocation from pairing
2011, Electronic Commerce Research and Applications
Citation Excerpt :
Next, we compare the communication efficiency of our scheme with those of the other schemes. In relation to the certificate/license-issuing protocol, the e-cash schemes of Wang and Zhang (2001), Juang and Liaw (2004), Wang et al. (2005), and Juang (2007) are not trustee based, and therefore do not have this issuing protocol; those of Popescu and Oros (2007), Chen et al. (2007), and Wang et al. (2008), along with our scheme, each have two rounds of this kind of protocol. For the withdrawal protocol, all of the schemes except ours should run over a pre-established authenticated channel (because a bank should first authenticate its customer to provide the e-cash withdrawal service), and thus need more communication overhead (denoted as “auth” in Table 2) than ours does.
Untraceable electronic cash is an attractive payment tool for electronic-commerce because its anonymity property can ensure the privacy of payers. However, this anonymity property is easily abused by criminals. In this paper, several recent untraceable e-cash systems are examined. Most of these provide identity revealing only when the e-cash is double spent. Only two of these systems can disclose the identity whenever there is a need, and only these two systems can prevent crime. We propose a novel e-cash system based on identity-based bilinear pairing to create an anonymity revocation function. We construct an identity-based blind signature scheme, in which a bank can blindly sign on a message containing a trustee-approved token that includes the user’s identity. On demand, the trustee can disclose the identity for e-cash using only one symmetric operation. Our scheme is the first attempt to incorporate mutual authentication and key agreement into e-cash protocols. This allows the proposed system to attain improvement in communication efficiency when compared to previous works.
A practical anonymous off-line multi-authority payment scheme
2005, Electronic Commerce Research and Applications
Citation Excerpt :
This database will be very large, when many customers use this service. In [17], for reducing the large database problem in [16], the concept of anonymous accounts is used. We have proposed a practical anonymous off-line multi-authority payment scheme (AOMPS).
Electronic payment is one of the critical success factors for an enterprise to provide attractive services on the Internet in order to keep customers and attract new ones for electronic commerce. The major drawbacks of on-line payment schemes are the difficulty of the management of a large database incurred in preserving the anonymity of customers, and the transaction failure caused by the disconnecting of the shop and the bank when a customer has some shopping. Also, in a single money issuer payment scheme, if the money issuer is not trustworthy, he can issue extra e-coins as he wishes, which may cause great injury or danger to the society or the bank. In this paper, we propose a practical anonymous off-line multi-authority payment scheme (AOMPS). By means of AOMPS, the size of a bank’s database is dramatically reduced and distributed to shops. Also, the issue of e-coins is controlled by several issuers, who can be chosen by the customer, on the current available issuers list according to the Internet conditions.
A practical anonymous payment scheme for electronic commerce
2003, Computers and Mathematics with Applications
We propose a practical anonymous payment scheme with anonymous accounts. By means of our proposed scheme, the size of a bank's database is dramatically reduced. Also, the issue of e-coins for an anonymous account is controlled by several issuers, who represent a bank and who can be chosen by the customer or assigned by the system, on the current available issuers list according to the internet conditions. Our scheme does not require the assistance of a mutually entrusted third party.
A Novel e-Cash Payment System with Divisibility Based on Proxy Blind Signature in Web of Things
2022, IEICE Transactions on Information and Systems

View all citing articles on Scopus

View full text