Date Attachable Offline Electronic Cash Scheme

Fan, Chun-I; Sun, Wei-Zhe; Hau, Hoi-Tung

doi:https://doi.org/10.1155/2014/216973

The Scientific World Journal

On this page

Abstract Introduction Preliminaries Conclusion Acknowledgments References Copyright Related Articles

Special Issue

Recent Advances in Information Security

View this Special Issue

Research Article | Open Access

Volume 2014 | Article ID 216973 | https://doi.org/10.1155/2014/216973

Date Attachable Offline Electronic Cash Scheme

Chun-I Fan,¹Wei-Zhe Sun,¹and Hoi-Tung Hau¹

Academic Editor: F. Yu, M. Ivanovic, T. Cao

Received15 Jan 2014

Accepted26 Feb 2014

Published18 May 2014

Abstract

Electronic cash (e-cash) is definitely one of the most popular research topics in the e-commerce field. It is very important that e-cash be able to hold the anonymity and accuracy in order to preserve the privacy and rights of customers. There are two types of e-cash in general, which are online e-cash and offline e-cash. Both systems have their own pros and cons and they can be used to construct various applications. In this paper, we pioneer to propose a provably secure and efficient offline e-cash scheme with date attachability based on the blind signature technique, where expiration date and deposit date can be embedded in an e-cash simultaneously. With the help of expiration date, the bank can manage the huge database much more easily against unlimited growth, and the deposit date cannot be forged so that users are able to calculate the amount of interests they can receive in the future correctly. Furthermore, we offer security analysis and formal proofs for all essential properties of offline e-cash, which are anonymity control, unforgeability, conditional-traceability, and no-swindling.

1. Introduction

Due to the rapid growth of the Internet and communication developments, electronic commerce has become much more popular and widely used than ever [1–8]. The mobile telecommunications have been developed from 2 G to 3.5 G. Furthermore, LTE Advanced, 4 G, and 5 G are being implemented to the market in recent years. With the convenience of mobile network, people can do shopping or electronic payments by using any devices with network capability instead of leaving home. As a result, electronic commerce has been emphasized nowadays. Electronic cash (e-cash) is definitely one of the most popular research topics among electronic commerce. E-cash and the traditional cash notes are very much alike except e-cash is digitized and used on Internet transactions; therefore, it is very important that e-cash be able to hold the accuracy, privacy, and all other security concerns.

A typical e-cash system usually consists of payers (customers), payees (shops), and a bank. There are two types of e-cash in general which are online e-cash [9–13] and offline e-cash [14–27]. Online e-cash system involves participation of the bank during transactions (the payment stage). Banks are able to check whether customers have double-spent the e-cash(s) or not, and if yes, banks can terminate the transactions at once. Thus, the bank has to be online during every transaction and it may lead to a bottleneck of the system. On the other hand, while banks do not participate in the payment stage of offline e-cash systems, double-spending check is only held during the deposit stage. Yet, the bank is set to be offline, but the system design is usually much more complicated than the online type and it may lead to a longer transaction time. Since both systems have their own pros and cons, they are used under different circumstances.

Extending online and offline e-cash systems, many e-cash schemes with other different features have been proposed over the years. For instance, e-cash can be stored compactly such that the space to store these e-cash is much reduced [15, 16], e-cash is generated by multiauthorities instead of one bank only [25], exact payments e-cash [13], recoverable e-cash which can be recovered when an e-cash is lost [26], and so on.

Based on the majority of the existing approaches, we summarize that a secure e-cash system should satisfy the following requirements.(i) Anonymity: no one, except the judge, can obtain any information of the e-cash owner’s identity from the contents of e-cash.(ii) Unlinkability: no one, except the judge, can link any e-cash payment contents.(iii) Unforgeability: no one, except the bank, can generate a legal e-cash.(iv) Double-Spending Control: banks should have the ability to check if the e-cash is double-spent or not. No e-cash is allowed to be spent twice or more in an e-cash system.(v) Conditional-Traceability: the system should be able to trace and revoke the anonymity of users who violate any of the security rules so that they will receive penalties.(vi) No-swindling: no one, except the real owner, can spend a valid offline e-cash successfully.

In order to perform double-spending checks, banks have to store information of e-cash(s) in their database. Thus, the database of banks grows in direct proportion to the number of e-cash(s) withdrawn. Embedding an expiration date into each e-cash has been considered since it helps the banks to manage the database more easily. On the other hand, customers have to exchange their expired e-cash(s) with banks for new ones so as to keep the validity of the e-cash. Furthermore, customers will receive interest from banks after cash is deposited. In order to guarantee customers will receive the right amount of interest, it is necessary for customers to attach the deposit date to their e-cash(s) and the date cannot be modified by anyone else [11]. So far, there are a number of online e-cash schemes with an expiration date attachment [9, 11, 28]. However, there are very few offline approaches [21].

In this paper, we are going to propose an efficient date attachable offline e-cash scheme and provide formal proofs on essential properties to it in the random oracle model. Considering the practical needs, we pioneer to embed two kinds of date, which are expiration data and deposit date, to the offline e-cash. Moreover, we will offer an E-cash renewal protocol in our scheme (Section 3.2.5). Users can exchange their unused expired e-cash for a new one with another valid expiration date more efficiently. Compared with other similar works, our scheme is efficient from the aspect of considering computation cost.

The rest of this paper is organized as follows. In Section 2, we briefly review techniques employed throughout our scheme. Our proposed scheme is described in Section 3 in detail. Security proofs and analysis are covered in Section 4. Features and performance comparisons are made in Section 5, and the conclusion is given in Section 6.

2. Preliminaries

In this section, we briefly review techniques used in our date attachable offline e-cash scheme.

2.1. Chaum’s Blind Signature Scheme

Blind signature was first introduced by Chaum [29]. It has been widely used in e-cash protocols since it has been proposed. A signer will not be able to view the content of the message while she/he is signing the message. Afterwards, a user can get a message with the signature of the signer by unblinding the signed message. The protocol is described as follows.(1)Initialization: The signer randomly chooses two distinct large primes and , then computes and . Afterwards, the signer selects two integers and at random such that mod . Finally, the signer publishes the public parameters and a one-way hash function .(2)User Signer: The user chooses a message and a random integer in , then blinds the message by computing and sends it to the signer.(3)Signer User: After receiving , the signer signs it with her/his private key and sends it back to the user. The signed message will be .(4)Unblinding: After receiving from the signer, the user unblinds it by computing . The signature-message pair is .(5)Verification: The can be verified by checking if () is true or not.

2.2. Chameleon Hashing Based on Discrete Logarithm

Chameleon hashing was proposed by Krawczyk and Rabin [30]. The chameleon hash function is associated with a one-time public-private key pair; it is a collision resistant function except for users who own a trapdoor for finding collision. Any user who knows the public key can compute the hashing, and for those who do not know the private key (trapdoor), it is impossible for them to find any two inputs which lead to the same hashing output. On the contrary, any user who knows the trapdoor can find the collision of given inputs. The construction of the chameleon hashing based on discrete logarithm is described as follows.(1) Setup:(i), : two large primes such that ,(ii): an element order in ,(iii): private key in ,(iv): public key, where mod .(2) The function: a message is given and a random integer is chosen. The hash is defined as CHAM-HASH_y mod .(3) Collision: for a user who knows , she/he is able to find the collision of the hash for any given , such that CHAM-HASH_y CHAM-HASH_y. The user derives in the equation (mod ).

3. The Proposed Date Attachable Offline Electronic Cash Scheme

In this section, we will introduce a new date attachable offline e-cash scheme. Considering the issues mentioned in Section 1, we propose a secure offline e-cash scheme with two specific kinds of date attached to the e-cash, which are expiration date and deposit date.

3.1. Outline of the Proposed Scheme

Here we are going to briefly describe the procedures of our scheme. The proposed scheme contains four protocols, withdrawal protocol, payment protocol, deposit protocol, and e-cash renewal protocol. A user withdraws an e-cash with an expiration date attached to it from the bank. A trusted computing platform (i.e., judge device) [31, 32], as stated in the proposed scheme, is installed in the bank to hold the identity information of all users and it will further help trace users when it is needed. It is impossible for anyone except the judge to obtain any information embedded in the device [33]. Nowadays, judge device can be implemented by the technique of Trusted Platform Module (TPM) [32, 34] in practice.

Before an e-cash is deposited, the depositor attaches the deposit date on the e-cash and sends it to the bank during the deposit stage. When the bank receives an e-cash, it will perform double-spending checking to verify whether the e-cash is doubly spent or not. The bank can derive secret parameters of the user who does double-spending and let the judge revoke the anonymity of the user. Besides, when an unused e-cash is expired, a user will be able to exchange it for a new one with a new expiration date. In our scheme, for the efficiency concerns, some of the unused parameters of users can remain unchanged while exchanging for a new valid e-cash. In the following sections, we will describe our scheme in detail.

3.2. The Proposed Scheme

Firstly, we define some notations as follows.(1): three one-way hash functions, .(2): two one-way hash functions, : .(3), : a secure symmetric cryptosystem. Plaintext is both encrypted and decrypted with a symmetric key .(4): a secure asymmetric cryptosystem. Plaintext is encrypted with a public key and decrypted with the corresponding private key .(5): the public-private key pair of the judge.(6): the public-private key pair of bank.(7): expiration date. It represents an effective spending date of a withdrawn e-cash. Any e-cash withdrawn in the same period will have the same expiration date, and vice versa.(8): the identity of user .(9), : the security parameters.(10)A judge device: a tamper-resistant device which is issued by the judge. It is installed into the system of the bank. It is impossible to intercept or modify any information stored in the device.

3.2.1. Initialization

Initially, the bank randomly chooses two distinct large primes and computes RSA parameters . It selects an integer at random such that GCD, where and . Then, it finds a such that mod . Secondly, it also chooses two other large primes and and two generators and of order in . Then, the bank publishes . Meanwhile, the judge embeds into a judge device and issues it to the bank.

3.2.2. Withdrawal Protocol

Users run the withdrawal protocol with banks to get an e-cash, as shown in Figure 1, yet banks have to obtain information of users’ identity, such as or account numbers, before the withdrawal protocol is proceeded. Therefore, users should perform an authentication with banks beforehand. Users can execute the withdrawal protocol by any devices that have the ability to compute and connect to the network. For instance, users can use mobile phones or computers to perform the withdrawal protocol and store the withdrawn e-cash. The detailed steps of the protocol are as follows.(1)Bank User: Firstly, the user prepares parameters for withdrawing an e-cash. The user chooses integers , , , , , and in random, where and , , , , and selects a string randomly. The user then computes , where and for . Secondly, the bank computes parameters for expiration date. It randomly chooses a in , prepares for some expiration date . The bank will send to the user when she/he requests to withdraw an e-cash.(2)User Bank: After receiving , the user prepares and where . Finally, the user sends to the bank.(3)Bank Judge device: The bank sets , where is the identity of user , and inputs it together with and to the judge device.(4)Judge device Bank: The judge device decrypts and checks if . If not, it returns “ID error” to the bank; or else, it picks a random integer and a string randomly. Then it computes and Finally, it encrypts by using the symmetric key and outputs it together with to the bank.(5)Bank User: After receiving from the judge device, it computes and sends to the user.(6)Verifications After receiving , the user firstly decrypts the ciphertext by using the symmetric key in order to obtain . Secondly, she/he checks if his/her ID is embedded correctly by computing if is true or not. Thirdly, she/he computes and verifies by checking if is true or not. Finally, when all verifications are done, the user gets the e-cash tuples and stores for further payment usages.

3.2.3. Payment Protocol

When a user has to spend the e-cash, she/he performs the protocol as shown in Figure 2. The steps of the protocol are described as follows.(1)User Shop: The user sends to the shop, where contains the expiration date of the e-cash.(2)Shop User: The shop first checks to verify if the e-cash is still within the expiration date or not. If not, it terminates the transaction. Otherwise, it continues to verify . If it is not valid, the protocol is aborted; or else, it selects a string and sets a challenge , where is the identity of the shop. Finally, it sends to the user.(3)User Shop: After receiving from the shop, the user randomly selects a and computes a response to the challenge where . Then, the user sends to the shop.(4)Verifications After receiving from the user, the shop verifies if is true or not. If it is true, the shop will accept the e-cash. On the other hand, if it is not, the shop will reject it. Since it is an offline e-cash, the shop does not have to deposit it to the bank immediately. It can store the e-cash and deposit it later together with other received e-cash(s).

3.2.4. Deposit Protocol

As Figure 3 shows, shops attach the deposit date to their e-cash(s) and deposit them to banks in this protocol. Banks perform double-spending checks when they receive these e-cash(s). If any e-cash is double-spent, the bank will revoke the anonymity of the e-cash owner with the help of the judge. The steps are described in detail as follows.(1)Shop Bank: The shop computes , where is the deposit date, and sends to the bank.(2)Verifications Firstly, the bank checks the correctness of expiration date and deposit date , respectively, and also checks if are true or not. Secondly, the bank verifies if and checks the uniqueness of . Finally, if all of the above facts are verified successfully, the bank will accept and store the e-cash in its database and record in exchange list. Otherwise, it will reject this transaction and trace the owner of the e-cash.

3.2.5. E-Cash Renewal Protocol

In order to reduce the unlimited growth database problem of the bank, we have expiration date and renewal protocol in our scheme to achieve it, as shown in Figure 4. When an unused e-cash is expired, the user has to exchange it for another e-cash with a new expiration date from the bank.(1)User Bank: The user recalls and prepares and sends it together with the unused to the bank.(2)Verifications Firstly, the bank checks the correctness of expiration date and makes sure does not exist in the exchange list. Secondly, the bank verifies if . Finally, if all of the above facts are verified successfully, the bank will accept to exchange the e-cash. It will send a new expiration date and store in the exchange list. Otherwise, it will reject the exchange request.(3)User Bank: The user computes where , is a random, and is the new expiration date issued by the bank. The user sends to the bank. Then the bank repeats the withdrawal protocol in Section 3.2.2 from Step 2 with the user.

3.2.6. Double-Spending Checking and Anonymity Control

In our scheme, the identity of the users is anonymous in general except when the users violate any security rules and, therefore, their identities will be revealed.(1)Double-Spending Checking When an e-cash is being doubly spent, there must be two e-cash(s) with the same record prefixed by stored in the database of the bank. Therefore, the bank is able to detect any double-spent e-cash easily by checking the above parameters. For instance, the bank has received two e-cash(s), Thus, the bank can obtain two equations as follows: The bank can derive from the above equations and send and to the judge to trace the owner of the e-cash.(2)Revocation The judge can trace any user who doubly spends e-cash(s) or violates any transaction regulations. When the judge receives and from the bank, it checks the following equations: If all of the above equalities are true, the judge will decrypt and return the extracted to the bank.

4. Security Proofs

In this section, we provide security definitions and formal proofs of the following security features: unlinkability, unforgeability, traceability, and no-swindling for our proposed date attachable offline electronic cash scheme ().

4.1. E-Cash Unlinkability

Based on the definition of unlinkability introduced by Abe and Okamoto [35] and Juels et al. [36], we formally define the unlinkability property of .

Definition 1 (The Linkage Game). Let , , and be two honest users and the judge that follows , respectively. Let be the bank that participates the following game with , , and . The game environment is shown in Figure 5.

Step 1. According to , generates the bank’s public key , the bank’s private key , system parameters , the expiration date , and the five public one-way hash functions , , , , and . generates the judge’s public-private key pair .

Step 2. generates , , , , in random, where , , , , , and computes for and , where and .

Step 3. We choose a bit randomly and place and on the private input tapes of and , respectively, where is not disclosed to .

Step 4. performs the withdrawal protocol of with and , respectively.

Step 5. If and output two e-cash(s) and , where , on their private tapes, respectively, we give the two e-cash(s) in a random order to ; otherwise, is given to .

Step 6. outputs as the guess of . The bank wins the game if and has not revoked the anonymity of and to . We define the advantage of as where denotes the probability of .

Definition 2 (Unlinkability). A satisfies the unlinkability property if and only if the advantage defined in Definition 1 is negligible.

Theorem 3. A satisfies the unlinkability property of Definition 2 if the adopted cryptosystems are semantically secure.

Proof. If is given in the Step 5 of the game, it will determine with probability , which is exactly the same as a random guess of .
Here, we assume that gets two e-cash and . Let , , be the view of data exchanged between and in the withdrawal protocol (Section 3.2.2) and let be the view of data exchanged when performs the payment protocol (Section 3.2.3) and the deposit protocol (Section 3.2.4) by using , where .
For and , , there always exists a pair such that And from (3), , (4) always holds as Besides, and are semantically secure encryption functions. cannot learn any information from and .
From the above, given any and , where , there always exists a corresponding pair such that (1), (2), (3), and (4) are satisfied.
Thus, go back to Step 6 of the game, the bank succeeds in determining with probability , where is negligible since and are semantically secure. Therefore, we have , which is negligible, so that satisfies the unlinkability property.

4.2. E-Cash Unforgeability

In this section, we will formally prove that the proposed date attachable offline electronic cash scheme () is secure against forgery attack. The forgery attack can be roughly divided into two types, one is the typical one-more forgery type (i.e., -forgery) [37] and the other is the forgery on some specific expiration date of an e-cash after sufficient communications with the signing oracle (i.e., bank). The details of definitions and our formal proofs will be described as follows.

Definition 4 (Forgery Game 1 in (FG-1)). Let be a security parameter and be an adversary in . is an oracle which plays the role of the bank in to be responsible for issuing e-cash(s) (i.e., , where ) according to the queries from . is allowed to query for times; consider the experiment shown in Algorithm 1. wins the forgery game FG-1 if the probability Pr of is nonnegligible.

Experiment


if the following checks are true, return 1;
(i) (mod ), ;
(ii) are all distinct
else return 0;

Definition 5 (Forgery Game 2 in (FG-2)). Let be a security parameter and be an adversary in . is an oracle which plays the role of the bank in to take charge of the following two events:(i)issue e-cash(s) (i.e., , where ) according to the queries from ,(ii)record the total number of each distinct expiration date .
is allowed to query for times; consider the experiment shown in Algorithm 2. wins the forgery game FG-2 if the probability Pr of is nonnegligible.

Experiment


if the following checks are true, return 1;
(i) (mod ), ;
(ii) are all distinct;
else return 0;

Here we introduce the hard problems used in our proof models.

Definition 6 (Alternative Formulation of RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let be a security parameter and be an adversary who is allowed to access the RSA-inversion oracle and the target oracle . is allowed to query and for and times, respectively. Consider Algorithm 3.
We say breaks the RSA-ACTI problem if the probability Pr of is nonnegligible.

Experiment
.


if the following checks are true, return 1;
(i) is injective
(ii) (mod ),
(iii)
else return 0;

Definition 7 (The RSA Inversion Problem). Given , where is the product of two distinct large primes and with roughly the same length and is a positive integer relatively-prime to , and a randomly-chosen positive integer less than , find an integer such that .

Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then is secure against forgery attacks.

Theorem 9. For a polynomial-time adversary who can win FG-1 or FG-2 with nonnegligible probability, there exists another adversary who can break the RSA-ACTI problem or RSA inversion problem with nonnegligible probability.

Proof. simulates the environment and controls three hash oracles, , , and an e-cash producing oracle of scheme to respond to different queries from in the random oracle model and takes advantage of to solve RSA-ACTI problem or RSA inversion problem, simultaneously. Then, for consistency, maintains three lists , , and to record every response of , , and , respectively.
Here we will start to do the simulation for the two games (i.e., FG-1 and FG-2) to prove is secure against forgery attacks. The details of simulation are set below and illustrated in Figures 6 and 7, respectively.
Simulation in FG-1. In this proof model, is allowed to query the oracles (i.e., ) and of RSA-ACTI problem defined in Definition 6 for helping to produce e-cash(s) and the corresponding verifying key is .(i) Query of Initially, every blank record in can be represented as . When sends for querying the hash value , will check the list :(a)if for some , then retrieves the corresponding and returns it to ;(b)else if and for some , then retrieves the corresponding and returns it to ;(c)else if and for some , then queries to get an instance and returns it to , then fills the record as in ;(d)otherwise, selects a random , records in , and returns to .(ii) Query of When asks for query by sending to , will look up the list : (a)if for some , the corresponding will be retrieved and will send () back to ;(b)otherwise, will select a random , record in , and return () back to . (iii) Query of While sends to for , will look up the list :(a)if for some , the corresponding will be retrieved and () will be returned to ; (b)otherwise, will select a random , record in , and return ( ) back to .(iv)E-Cash Producing Query of When sends to , will do the following steps:(1)decrypt , obtain ;(2)randomly select and prepare ;(3)choose , set , and store in ;(4)select and compute ;(5)retrieve or assign such that as the query described above;(6)send to oracle to get ;(7)return back to .
Eventually, assume that can successfully output e-cash tuples where are all distinct, , such that () after times to query with nonnegligible probability .
According to , , and , can compute and retrieve RSA-inversion instances (, ) Via querying the signing oracle for times (i.e., query for times by ), can output RSA-inversion instances and break the RSA-ACTI problem with nonnegligible probability at least .
Simulation in FG-2. Initially, is given an instance of RSA inversion problem defined in Definition 7 and simulates the environment as follows. (i) Query of Initially, every blank record in can be represented as . When sends for querying the hash value , will check the list :(a)if for some , then retrieves the corresponding and returns it to ;(b)else if and for some , then retrieves the corresponding and returns ( ) to ;(c)else if and for some , then selects a random , returns () to , and then fills the record as in ;(d)otherwise, selects a random , records in , and returns to .(ii) Query of When asks for query by sending to , will look up the list :(a)if for some , the corresponding will be retrieved and will send ( ) back to ;(b)otherwise, will select a random , record in , and return ( ) back to .(iii) Query of While sends to for , will look up the list :(a)if for some , the corresponding will be retrieved and returned to ;(b)otherwise, will select a random , set mod ), record in , and return back to .(iv)E-Cash Producing Query of Let be a counter to record the number of queries on each expiration date , which is initialized by 0. When sends to , will do the following steps:(1)decrypt , obtain ;(2)randomly select and prepare ;(3)choose , set , and store and in and , respectively;(4)select and compute ;(5)retrieve or assign such that as the query described above;(6)compute ();(7)set and return back to .
Eventually, assume that can successfully output e-cash tuples for some expiration date such that (), , after times to query on , with nonnegligible probability .
Assume some , , is not recorded in ; then by the , , and , can compute and retrieve and solve the RSA inversion problem with nonnegligible probability at least .

4.3. E-Cash Conditional-Traceability

In this section, we will prove that the ID information embedded in e-cash(s) cannot be replaced or moved out by any user against being traced after some misbehavior or criminals. The details of our proof model are illustrated in Figure 8.

Definition 10 (Tampering Game (TG)). Let be a security parameter and be an adversary in . is an oracle which plays the role of bank in to record parameters from the queries of and issue e-cash(s) (i.e., , where ) accordingly. is allowed to query for times; consider Algorithm 4.
wins the game if the probability Pr of is nonnegligible.

Experiment



if the following two checks are true, return 1;
(i)
(ii) mod
else return 0;

Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then satisfies the E-Cash Traceability.

Definition 12 (Alternative Formulation of RSA Known-Target Inversion Problem (RSA-AKTI)). Let be a security parameter and be an adversary who is allowed to access the RSA-inversion oracle and the target oracle . is allowed to query and for and times (), respectively. Consider Algorithm 5.
We say breaks the RSA-AKTI problem if the probability Pr of is nonnegligible.

Experiment
.


if (mod ), , return 1;
else return 0;

Theorem 13. For a polynomial-time adversary who can win the tracing game TG with nonnegligible probability, there exists another adversary who can break the RSA-AKTI problem with nonnegligible probability.

Proof. simulates the environment of by controlling three hash oracles, , , , to respond hash queries and an e-cash producing oracle of to respond e-cash producing queries from , respectively, in the random oracle model. Eventually, will take advantage of ’s capability to solve RSA-AKTI problem. Then, for consistency, maintains three lists , , and to record every response of , , and , respectively.
Besides, in the proof model, is allowed to query the oracles (i.e., ) and of the RSA-AKTI problem defined in Definition 12 for helping produce valid e-cash(s) and the corresponding verifying key is .
Here we will do the simulation for game to prove that satisfies the e-cash traceability. Details are described as follows.(i) Query of Initially, every blank record in can be represented as . When sends for querying the hash value , will check the list : (a)if for some , then retrieves the corresponding and return it to ;(b)else if and for some , then retrieves the corresponding and returns ( ) to ;(c)else if and for some , then chooses , sets ), and returns to then fills the original record as in ;(d)otherwise, selects a random , sets , records in , and returns to .(ii) Query of When asks for query by sending to , will look up the list : (a)if for some , the corresponding will be retrieved and will send ( ) back to ;(b)otherwise, will select a random , record in , and return ( ) back to .(iii) Query of While sends to for , will look up the list :(a)if for some , the corresponding will be retrieved and returned to ;(b)otherwise, will query to get an instance ; record and in and , respectively;(c)return back to .(iv)E-Cash Producing Query of While sends to , will do the following steps:(1)decrypt , obtain ;(2)randomly select and prepare ;(3)choose , set , and store in ;(4)select and compute ;(5)retrieve or assign such that as the query described above;(6)compute ();(7)return back to .
Assume that can successfully output an e-cash tuples , where never appeals as a part for some query such that (); then by , , and , can derive Let and . sends , , to and obtains such that .
Eventually can output RSA-inversion instances after querying for times, where and thus, it breaks the RSA-AKTI problem with nonnegligible probability at least .

4.4. E-Cash No-Swindling

In typical online e-cash transactions, when an e-cash has been spent in previous transactions, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model, the merchant may accept a transaction involving a double-spent e-cash first and then do the double-spending check later. In this case, the original owner of the e-cash may suffer from loss. Therefore, a secure offline e-cash scheme should guarantee the following two events.(i)No one, except the real owner, can spend a fresh and valid offline e-cash successfully.(ii)No one can double spend an e-cash successfully.

Roughly, it can be referred to as e-cash no-swindling property. In this section, we will define the no-swindling property and formally prove that our scheme is secure against swindling attacks.

Definition 14 (Swindling Game in ). Let be a security parameter and be an adversary in . is an oracle issuing generic e-cash(s) (i.e., ) of to . is an oracle to show the expanding form for the payment according to the input . Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively.
wins the game if the probability Pr or Pr of is nonnegligible.

Experiment


if the following checks are true, return 1;
(i) mod ;
(ii) never be a query to
else return 0;

Experiment


if the following checks are true, return 1;
(i) mod ;
(ii) is allowed to be queried to for once;
(iii) is not obtained from
else return 0;

Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary who can win the swindling game SWG with nonnegligible probability, there exists another adversary who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. simulates the environment by controlling the hash oracles, , to respond hash queries on of in the random oracle model. Eventually, will take advantage of ’s capability to solve the discrete logarithm problem. Then, for consistency, maintains a list to record every response of . is given all parameters of and an instance of discrete logarithm problem (i.e., ). Here we will describe the simulations for the two experiments and , individually.
The simulation for is illustrated in Figure 9 and each oracle is constructed as follows.(i)Oracle Initially, guesses that the generic e-cash produced from th query will be the attack target. When sends th query to for an e-cash, will do the following:(a)select , , and , ;(b)if ,(1)compute ( ) and ( );(c)if ,(1)compute ( ) and ( );(d)prepare , where ;(e)record in list and return to .(ii)Oracle When sends a valid e-cash tuple to , it will look up the list :(a)if exists with prefix index , then abort;(b)otherwise, will retrieve the corresponding ; choose a random , compute and ( ), and send back to .
Assume that can successfully output a valid offline e-cash expansion tuple , where is prefixed with and postfixed with in . Then, since and , can derive and solve the discrete logarithm problem with nonnegligible probability at least , where is the total number of query.
The simulation for is illustrated in Figure 10 and each oracle is constructed as follows.(i)Oracle Initially, guesses that the generic e-cash produced from th query will be the attack target. When sends th query to for an e-cash, will do the followings. (a)if :(1)select , , , and , ;(2)compute ( ) and ( );(3) prepare , where , , , , , ;(4)record in list ;(b)if :(1)select , , and , ;(2)compute ( ) and ( );(3)prepare , where ;(4)record in list ;(c)return to .(ii)Oracle A status parameter is initialized by 0. When sends a valid e-cash tuple to , it will look up the list : (a)if exists with prefix index and , will perform the following procedures:(1)set (2)retrieve the corresponding from and choose a random ;(3)set and record in ;(4)record in list ;(5)send back to ;(b)if exists with prefix index , will retrieve the corresponding , choose random and , set , record in , compute ( ), and send back to .(c)Otherwise, abort.(iii)Oracle While sends to query for , will check the list :(a)if exists as the prefix of some record, will retrieve the corresponding and return it to ;(b)otherwise, will choose a random , record in , and return to .
Assume that can successfully output a valid offline e-cash expansion tuple , where is prefixed with and postfixed with in and .
Then, via , since
can derive and solve the discrete logarithm problem with nonnegligible probability at least , where is the total number of query.

Summarize the proof models for the two experiments shown above, if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. It implies that there exists no p.p.t. adversary who can win the swindling game, and our proposed offline e-cash scheme satisfies no-swindling property.

5. E-Cash Advanced Features and Performance Comparisons

In this section, we compare the e-cash features and performance of our proposed scheme with other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and form a table (Table 1) for the summary.

5.1. Features Comparisons

All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these features, there can be other advanced features on an e-cash system discussed in the literatures. We focus on three other advanced features, which are traceability, date attachability, and no-swindling, and we compare the proposed scheme with the aforementioned schemes.

We also propose an e-cash renewal protocol for users to exchange a new valid e-cash with their unused but expired e-cash(s); therefore, users do not have to deposit the e-cash before it expires and withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash, at the user side. It does a great help to the users since their devices usually have a weaker computation capability, such as smart phones.

5.2. Performance Comparisons

According to [41], we can summarize and induce the computation cost of all operations as follows. The computation cost of a modular exponentiation computation is about 240 times of the computation cost of a modular multiplication computation, while the computation cost of a modular inversion almost equals to that of a modular exponentiation. Also, the computation cost of a hash operation almost equals to that of a modular multiplication.

With the above assumptions, the total computation cost of users during withdrawal and payment phases of our proposed scheme can be induced as 1452 times of a modular multiplication computation, while other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times of a modular multiplication computation to finish withdrawal and payment phases at the user ends.

According to [15], we assume the RSA parameters are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryotsystem and one-way hash function used in all protocols, respectively; therefore, the signed message and hash massage are in 128 and 160 bits, respectively. We assume the expiration date is in 32 bits.

With the above assumptions, we compute the communication cost of each offline transaction, withdrawal, and payment, at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.

The details of the comparisons are summarized in Table 1.

6. Conclusion

In this paper, we have presented earlier a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol, where users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient from the aspect of considering computation cost of the user side and satisfying all security properties, simultaneously. Except for anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank to manage their huge databases against unlimited growth, but also it strengthens the preservation of users’ privacy and rights as well.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grants NSC 102-2219-E-110-002, NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.

References

H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, “Business-to-consumer mobile agent-based internet commerce system (MAGICS),” IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.
View at: Publisher Site | Google Scholar
S. C. Fan and Y. L. Lai, “A study on e-commerce applying in Taiwan's restaurant franchise,” in Proceedings of the IET International Conference on Frontier Computing. Theory, Technologies and Applications, pp. 324–329, August 2010.
View at: Publisher Site | Google Scholar
D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, “A class-based scheme for E-commerce web servers: formal specification and performance evaluation,” Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.
View at: Publisher Site | Google Scholar
Z. Jie and X. Hong, “E-commerce security policy analysis,” in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.
View at: Publisher Site | Google Scholar
D. R. Liuy and T. F. Hwang, “An agent-based approach to flexible commerce in intermediary-Centric electronic markets,” Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.
View at: Publisher Site | Google Scholar
S. J. Lin and D. C. Liu, “An incentive-based electronic payment scheme for digital content transactions over the Internet,” Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.
View at: Publisher Site | Google Scholar
H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, “Achieving Secure and Flexible M-Services through Tickets,” IEEE Transactions on Systems, Man, and Cybernetics A:Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.
View at: Publisher Site | Google Scholar
C. Yue and H. Wang, “Profit-aware overload protection in E-commerce Web sites,” Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.
View at: Publisher Site | Google Scholar
C. C. Chang and Y. P. Lai, “A flexible date-attachment scheme on e-cash,” Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.
View at: Publisher Site | Google Scholar
C. L. Chen and J. J. Liao, “A fair online payment system for digital content via subliminal channel,” Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.
View at: Publisher Site | Google Scholar
C. I. Fan, W. K. Chen, and Y. S. Yeh, “Date attachable electronic cash,” Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.
View at: Publisher Site | Google Scholar
C. I. Fan and W. Z. Sun, “Efficient encoding scheme for date attachable electronic cash,” in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.
View at: Google Scholar
T. Nakanishi, M. Shiota, and Y. Sugiyama, “An efficient online electronic cash with unlinkable exact payments,” Information Security, vol. 3225, pp. 367–378, 2004.
View at: Google Scholar
Y. Baseri, B. Takhtaei, and J. Mohajeri, “Secure untraceable off-line electronic cash system,” Scientia Iranica, vol. 20, pp. 637–646, 2012.
View at: Google Scholar
J. Camenisch, S. Hohenberger, and A. Lysyanskaya, “Compact e-cash,” in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.
View at: Google Scholar
J. Camenisch, S. Hohenberger, and A. Lysyanskaya, “Balancing accountability and privacy using E-cash,” in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.
View at: Google Scholar
J. Camenisch, A. Lysyanskaya, and M. Meyerovich, “Endorsed e-cash,” in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.
View at: Publisher Site | Google Scholar
S. Canard, A. Gouget, and J. Traoré, “Improvement of efficiency in (unconditional) anonymous transferable E-cash,” in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.
View at: Publisher Site | Google Scholar
D. Chaum, A. Fiat, and M. Naor, “Untraceable electronic cash,” in Advances in Cryptology-CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.
View at: Google Scholar
G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, “Anonymity control in E-cash systems,” in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.
View at: Google Scholar
Z. Eslami and M. Talebi, “A new untraceable off-line electronic cash system,” Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
View at: Publisher Site | Google Scholar
C. I. Fan, V. S. M. Huang, and Y. C. Yu, “User efficient recoverable off-line e-cash scheme with fast anonymity revoking,” Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.
View at: Google Scholar
X. Hou and C. H. Tan, “Fair traceable off-line electronic cash in wallets with observers,” in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.
View at: Google Scholar
X. Hou and C. H. Tan, “A new electronic cash model,” in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.
View at: Google Scholar
W. S. Juang, “A practical anonymous off-line multi-authority payment scheme,” Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.
View at: Publisher Site | Google Scholar
J. K. Liu, V. K. Wei, and S. H. Wong, “Recoverable and untraceable e-cash,” in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.
View at: Google Scholar
C. Wang, H. Sun, H. Zhang, and Z. Jin, “An improved off-line electronic cash scheme,” in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.
View at: Google Scholar
W. S. Juang, “D-cash: a flexible pre-paid e-cash scheme for date-attachment,” Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
View at: Publisher Site | Google Scholar
D. Chaum, “Blind signatures for untraceable payments,” in Advances in Cryptology-CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.
View at: Google Scholar
H. Krawczyk and T. Rabin, “Chameleon signatures,” in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.
View at: Google Scholar
S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
S. Pearson, “Trusted computing platforms: the next security solution,” Tech. Rep. HPL-2002-221, Hewllet-Packard Laboratorie, 2002.
View at: Google Scholar
C. I. Fan and V. S. M. Huang, “Provably secure integrated on/off-line electronic cash for flexible and efficient payment,” IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.
View at: Publisher Site | Google Scholar
S. Bajikar, Trusted platform module (TPM) based security on notebook pcs—white paper, Mobile Platform Group, Intel Corporation, 2002.
M. Abe and T. Okamoto, “Provably secure partially blind signatures,” in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.
View at: Google Scholar
A. Juels, M. Luby, and R. Ostrovsky, “Security of blind digital signatures,” in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.
View at: Google Scholar
M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, “The one-more-RSA-inversion problems and the security of chaum's blind signature scheme,” Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.
View at: Publisher Site | Google Scholar
S. Brands, “Untraceable off-line cash in wallets with observers (extended abstract),” CRYPTO, pp. 302–318, 1993.
View at: Google Scholar
Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, “Provably secure electronic cash based on blind multisignature schemes,” Financial Cryptography, vol. 4107, pp. 236–250, 2006.
View at: Google Scholar
C. Popescu, “An off-line electronic cash system with revokable anonymity,” in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.
View at: Google Scholar
A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.

Copyright

Copyright © 2014 Chun-I Fan et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

2168

Downloads

969

Citations