Fair E-cash: Be Compact, Spend Faster
Sébastien Canard (Orange Labs R&D, France), Cécile Delerablée (UVSQ, France), Aline Gouget (Gemalto, France), Emeline Hufschmitt (Thalès Communications, France), Fabien Laguillaumie (Université de Caen, France), Hervé Sibert (ST-Ericsson, France), Jacques Traoré (Orange Labs R&D, France), Damien Vergnaud (Ecole Normale Supérieure – CNRS – INRIA, France)
ISC 2009 – Tuesday, September 8, 2009, Pisa
Orange Labs - Research & Development
Outline
1. The concept of Fair E-cash
2. Previous Results
3. Basic Tools
4. Our Proposal
5. Conclusion
The concept of E-cash
[Figure: Bob hands a coin to the Shop (Bob -1, Shop +1)]
Minting an Untraceable Coin
• The Bank uses a secret minting key to create coins
• coin = (Serial Number, BankSig(Serial Number))
• A public verification key allows anyone to recognize coins
Requirements
• Privacy protection
  • Weak anonymity: anonymity of the user
  • Strong anonymity: anonymity of the user + unlinkability of the spendings
• Security
  • Unforgeability of coins
  • Identification of double-spenders
  • Exculpability
Withdrawal
[Figure: the Customer and the Bank run an authentication step and a "blind" signature protocol on the serial number SN]
• The customer obtains coin = (SN, Sig(SN))
• The bank debits the customer's account
Fair Off-Line Electronic Cash
• Drawbacks of anonymous cash
  • money laundering
  • blackmailing, bank robbery attack
• Controlling user anonymity: fair e-cash systems
  • use one (or several) trusted authority(ies) to revoke anonymity when necessary
  • the power of the trusted authority can be distributed
Trustee-based Tracing Model
[Figure: the Customer withdraws from the Bank and pays the Shop, the Shop deposits at the Bank, and the Judge can revoke anonymity]
Tracing Operations
• Owner tracing
• Coin tracing
[Figure: two coins (SN = 01234, BankSig) and (SN = 56789, BankSig), and a withdrawal dated 09/08/2009]
Previous Results
• Many fair and non-fair off-line e-cash schemes have been proposed ([CFN88], [Brands'93], [CMS96], [FTY96], [dST98], [Traoré99], …)
• Before Compact E-cash [Camenisch, Hohenberger, Lysyanskaya, Eurocrypt 2005]:
[Figure: Alice withdraws coins from Bob one at a time (-1, -2, …, -n+1, -n)]
Compact E-Cash [Camenisch, Hohenberger, Lysyanskaya, Eurocrypt 2005]
[Figure: Alice withdraws n coins from Bob at once (-n)]
• Allows a user to withdraw a wallet with $2^L$ coins such that the space required to store these coins and the complexity of the withdrawal protocol are proportional to $L$ rather than $2^L$.
• Does not consider the efficiency of the spending phase (and is not "fair")
Our Contribution
A new off-line electronic cash system:
• with compact wallets
• which is fair
• where users can spend efficiently $k$ coins while only sending to the merchant $O(\lambda \log k)$ bits, where $\lambda$ is a security parameter
Fair E-cash: Be Compact, Spend Faster
Batch RSA (I)
• An RSA variant; $H$: a public hash function
• Public key: an RSA modulus $n = pq$
• Private key: $(p, q)$
• A valid digital signature on a message $M$ is of the form $(e, H(M)^{1/e} \bmod n)$ where $e$ is any prime
• Let $S_0, S_1, \ldots, S_{l-1}$ be $l$ distinct messages with $l \le K = 2^L$ and $E = \prod_{i=0}^{l-1} e_i$, where the $e_i$'s are for example the $l$ first odd primes
• Batch RSA allows to efficiently compute the $l$ roots $S_0^{1/e_0} \bmod n,\ S_1^{1/e_1} \bmod n,\ S_2^{1/e_2} \bmod n,\ \ldots,\ S_{l-1}^{1/e_{l-1}} \bmod n$ in $O(\log K \log E + \log n)$ modular multiplications and $O(K)$ divisions
Batch RSA (II)
Step 1: Build up product (the private key is not needed)
  $M = S_0^{E/e_0} \times S_1^{E/e_1} \times \cdots \times S_{l-1}^{E/e_{l-1}} \bmod n$
Step 2: Extract the $E$-th root of the product $M$ (the private key is needed)
  Aggregated signature $S = M^{1/E} = S_0^{1/e_0} \times S_1^{1/e_1} \times \cdots \times S_{l-1}^{1/e_{l-1}} \bmod n$
Step 3: Break up product roots (the private key is not needed)
  $S_0^{1/e_0} \bmod n,\ S_1^{1/e_1} \bmod n,\ S_2^{1/e_2} \bmod n,\ \ldots,\ S_{l-1}^{1/e_{l-1}} \bmod n$
Option: Splitting an aggregated signature $S = \prod_{i=0}^{l-1} S_i^{1/e_i} \bmod n$
  For $F_1 \subset F = \{1, \ldots, l\}$ and $F_2 = F \setminus F_1$: $S_{F_1} = \prod_{i \in F_1} S_i^{1/e_i} \bmod n$ and $S_{F_2} = \prod_{i \in F_2} S_i^{1/e_i} \bmod n$
Blind Batch RSA: the $l$ roots can be obtained in a blind manner
Camenisch-Lysyanskaya signature scheme
• We use an RSA-type CL signature scheme
• A block of messages $(m_1, m_2, m_3, \ldots, m_n)$ can be signed
• A signature protocol where the messages are kept secret from the signer (but not the signature)
[Figure: the User sends $\mathrm{Com}(m_1, m_2, m_3, \ldots, m_n)$ to the Signer, who returns $\mathrm{Sign}(\mathrm{Com}(m_1, m_2, m_3, \ldots, m_n))$; the User obtains $\mathrm{SignCL}(m_1, m_2, m_3, \ldots, m_n)$]
• A ZKPK of ownership of $\mathrm{SignCL}(m_1, m_2, m_3, \ldots, m_n)$ without revealing the signature and the messages
Parameters
• $l \le K = 2^L$; $E = \prod_{i=0}^{l-1} e_i$
• $g$: a generator of a cyclic group $G$
• Customer: is associated to a long-term private key $sk_U = u$ and a corresponding public key $Pk_U = g^u$
• Bank: holds two pairs (private, public) of keys, one for the Batch RSA signature scheme and the other one for the CL signature scheme
• Judge: holds a pair of keys of a suitable public key cryptosystem
Generation of the serial numbers
• $F$: a public collision-free function
• $s = S_{0,0}$ is the seed (master secret)
• $S_{1,0} = F(S_{0,0}, 0)$; $S_{1,1} = F(S_{0,0}, 1)$
• $S_{i+1,2j} = F(S_{i,j}, 0)$ for the left child of $S_{i,j}$; $S_{i+1,2j+1} = F(S_{i,j}, 1)$ for the right child of $S_{i,j}$
Withdrawal
Wallet $= (s, u, \sigma, \Sigma, \ldots)$ where:
• $\sigma$ = aggregated signature of the $l$ coins $= H(S_0)^{1/e_0} \cdots H(S_{l-1})^{1/e_{l-1}} \bmod n$
• $\Sigma$ = CL signature on $(s, u, \sigma)$
Example: spending two coins
$\sigma = \prod_{i=0}^{4} H(S_i)^{1/e_i} \bmod n$
• coins to be spent: $\sigma_1 = H(S_0)^{1/e_0} \cdot H(S_1)^{1/e_1} \bmod n$
• remaining coins in the wallet: $\sigma_2 = H(S_2)^{1/e_2} \cdot H(S_3)^{1/e_3} \cdot H(S_4)^{1/e_4} \bmod n$
Spending two coins at the same time
Customer:
• Computes from $\sigma = \prod_{i=0}^{4} H(S_i)^{1/e_i} \bmod n$:
  $\sigma_1 = H(S_0)^{1/e_0} \cdot H(S_1)^{1/e_1} \bmod n$
  $\sigma_2 = H(S_2)^{1/e_2} \cdot H(S_3)^{1/e_3} \cdot H(S_4)^{1/e_4} \bmod n$
• Computes also: $S_{2,0}$, $\sigma_1$, $C_1 = \mathrm{Enc}_J(Pk_U)$, $C_2 = \mathrm{Enc}_J(s)$ + proof*
Shop:
• Retrieves $S_0$ and $S_1$ from $S_{2,0}$, and from $\sigma_1$: $\mathrm{BatchSig}(S_0) = H(S_0)^{1/e_0} \bmod n$ and $\mathrm{BatchSig}(S_1) = H(S_1)^{1/e_1} \bmod n$
• Verifies the proof
* this proof doesn't prove that $S_0$ and $S_1$ derive from $s$
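The three Batch RSA steps (build-up, E-th root, break-up) and the split of σ into σ_1 for the coins to spend and σ_2 for the remaining coins, as used by the customer in the spending protocol above. This is an added Python example, not the authors' code: the modulus is a constructed toy one, the integer messages stand in for H(S_i) mod n, and the break-up follows Fiat's procedure (no private key needed).

```python
from math import prod

# Toy parameters constructed for this example (far too small for real use).
# p and q are safe primes, so phi(n) = 4*5003*509 shares no factor with the
# small odd primes used as batch exponents e_i.
P, Q = 10007, 1019
N = P * Q
PHI = (P - 1) * (Q - 1)

def egcd(a, b):
    """Extended Euclid: (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def aggregate_sign(msgs, exps):
    """Steps 1-2: M = prod S_i^(E/e_i) mod n (public), then the bank computes
    sigma = M^(1/E) mod n with the private key; sigma = prod S_i^(1/e_i) mod n."""
    E = prod(exps)
    M = prod(pow(s, E // e, N) for s, e in zip(msgs, exps)) % N
    d = pow(E, -1, PHI)              # needs phi(n), i.e. the factorisation of n
    return pow(M, d, N)

def split_at(sigma, msgs, exps, k):
    """'Splitting an aggregated signature': sigma_1 over the first k coins (F_1)
    and sigma_2 over the rest (F_2), computed without the private key."""
    ml, el, mr, er = msgs[:k], exps[:k], msgs[k:], exps[k:]
    EL, ER = prod(el), prod(er)
    # sigma^EL = (prod_{F_1} S_i^(EL/e_i)) * sigma_2^EL, so y = sigma_2^EL
    ML = prod(pow(s, EL // e, N) for s, e in zip(ml, el)) % N
    y = pow(sigma, EL, N) * pow(ML, -1, N) % N
    # sigma_2^ER = prod_{F_2} S_i^(ER/e_i) = MR; with a*EL + b*ER = 1 (the e_i
    # are distinct primes, so gcd(EL, ER) = 1) we get sigma_2 = y^a * MR^b
    MR = prod(pow(s, ER // e, N) for s, e in zip(mr, er)) % N
    _, a, b = egcd(EL, ER)
    sigma_2 = pow(y, a, N) * pow(MR, b, N) % N
    sigma_1 = sigma * pow(sigma_2, -1, N) % N
    return sigma_1, sigma_2

def break_up(sigma, msgs, exps):
    """Step 3: recover every individual root S_i^(1/e_i) mod n by halving."""
    if len(msgs) == 1:
        return [sigma]
    h = len(msgs) // 2
    s1, s2 = split_at(sigma, msgs, exps, h)
    return break_up(s1, msgs[:h], exps[:h]) + break_up(s2, msgs[h:], exps[h:])

def verify(sig, msg, e):
    """Plain RSA check of one coin signature: sig^e == H(S) mod n."""
    return pow(sig, e, N) == msg % N
```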
Tracing of Double-Spenders
Ex: double-spending of a coin with serial number $S_0$
[Figure: Shop 1 receives $(S_0, \sigma_1, C_1, C_2)$ + proof and Shop 2 receives $(S_0, \sigma_1, C'_1, C'_2)$ + proof; both deposit at the Bank (Deposit 1, Deposit 2), which forwards the deposits to the Judge]
1. The judge decrypts $C_2 = \mathrm{Enc}_J(s)$ and $C'_2 = \mathrm{Enc}_J(s')$
2. If $S_0$ cannot be computed from $s$ (resp. $s'$), then the judge decrypts $C_1 = \mathrm{Enc}_J(Pk_U)$ (resp. $C'_1 = \mathrm{Enc}_J(Pk_{U'})$) ⇒ $Pk_U$ (resp. $Pk_{U'}$) is guilty
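The serial-number tree of the "Generation of the serial numbers" slide, what a shop recovers from the disclosed node $S_{2,0}$ during spending, and the judge's "can $S_0$ be computed from $s$" check above, as an added Python example (not the authors' code). SHA-256 is assumed as the public collision-free function $F$, and the seed is a constructed value.

```python
import hashlib

def F(node_value: bytes, bit: int) -> bytes:
    """F(S_{i,j}, 0) gives the left child, F(S_{i,j}, 1) the right child.
    SHA-256 over (node || bit) is assumed here as the collision-free F."""
    return hashlib.sha256(node_value + bytes([bit])).digest()

def node(seed: bytes, depth: int, index: int) -> bytes:
    """S_{depth,index}: start at the root S_{0,0} = s and follow the `depth`
    bits of `index` (0 = left, 1 = right), as in S_{i+1,2j} / S_{i+1,2j+1}."""
    path = format(index, "b").zfill(depth) if depth else ""
    s = seed
    for bit in path:
        s = F(s, int(bit))
    return s

def leaves_under(s_ij: bytes, depth: int, index: int, L: int):
    """All serial numbers (leaves at depth L; the leaf index is the coin number)
    that anyone holding the disclosed node S_{depth,index} can derive.
    This is exactly what the shop learns from S_{2,0} when two coins are spent."""
    if depth == L:
        return [(index, s_ij)]
    return (leaves_under(F(s_ij, 0), depth + 1, 2 * index, L)
            + leaves_under(F(s_ij, 1), depth + 1, 2 * index + 1, L))

def derives_from(seed: bytes, serial: bytes, L: int) -> bool:
    """Judge's step 2: can this serial number be computed from the seed s?
    If not, the seed in C_2 does not match the coin and C_1 is opened."""
    return any(sn == serial for _, sn in leaves_under(seed, 0, 0, L))
```

With a wallet of $K = 2^3$ coins, disclosing $S_{2,0}$ exposes exactly the leaves $S_{3,0}$ and $S_{3,1}$, i.e. coins $S_0$ and $S_1$, and nothing else in the tree.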
Security
Theorem: In the random oracle model, our fair e-cash system satisfies the following properties:
• Unforgeability: under the one-more Strong RSA problem
• Anonymity: under the strong blindness of the Batch-RSA blind signature scheme and the indistinguishability of the ciphertexts of the encryption scheme
• Identification of double-spenders: under the unforgeability of the CL signature scheme
• Exculpability: under the one-more discrete logarithm assumption
Efficiency considerations
• $M$ and $D$ are the respective costs of exponentiation, multiplication and division modulo $n$
• $F$ is the cost of the derivation function
• $\lambda$ is a security parameter
• $K$ is the number of withdrawn coins
• $k$ is the number of spent coins
• $K'$ is the number of remaining coins in the wallet after spending
Conclusion and open problems
• We proposed the first fair e-cash system with a compact wallet and efficient spendings
• It does not however provide a perfect anonymity property, since it is possible to know which leaves in the serial number binary tree are used during the spending
• Future work:
  • How to design a similar system in the non-fair setting?
  • Strong anonymity