Hindawi Publishing Corporation Mobile Information Systems Volume 2016, Article ID 2620141, 10 pages http://dx.doi.org/10.1155/2016/2620141

Research Article Secure Electronic Cash Scheme with Anonymity Revocation Baoyuan Kang and Danhui Xu School of Computer Science and Software, Tianjin Polytechnic University, Tianjin 300387, China Correspondence should be addressed to Baoyuan Kang; [email protected] Received 8 September 2015; Revised 14 December 2015; Accepted 1 March 2016 Academic Editor: Francesco Gringoli Copyright Β© 2016 B. Kang and D. Xu. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. In a popular electronic cash scheme, there are three participants: the bank, the customer, and the merchant. First, a customer opens an account in a bank. Then, he withdraws an π-cash from his account and pays it to a merchant. After checking the electronic cashβs validity, the merchant accepts it and deposits it to the bank. There are a number of requirements for an electronic cash scheme, such as, anonymity, unforgeability, unreusability, divisibility, transferability, and portability. Anonymity property of electronic cash schemes can ensure the privacy of payers. However, this anonymity property is easily abused by criminals. In 2011, Chen et al. proposed a novel electronic cash system with trustee-based anonymity revocation from pairing. On demand, the trustee can disclose the identity for π-cash. But, in this paper we point out that Chen et al.βs scheme is subjected to some drawbacks. To contribute secure electronic cash schemes, we propose a new offline electronic cash scheme with anonymity revocation. We also provide the formally security proofs of the unlinkability and unforgeability. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

1. Introduction Due to the fast progress of computer networks and Internet, information technology is used in electronic commerce. Many electronic commerce services can be found over the internet. So, an electronic payment mechanism is necessary for electronic commerce. And electronic payment is one of the key issues of electronic commerce development. To realize the digitalization of traditional cash and electronic payment, in 1983, Chaum suggested the first electronic cash scheme [1]. Popularly, in an electronic cash scheme, there are three participants: the bank, the customer, and the merchant. First, a customer opens an account in a bank. Then, he withdraws an π-cash from his account and pays it to a merchant. After checking the electronic cashβs validity, the merchant accepts it and deposits it to the bank. For security and efficiency, there are a number of requirements for an electronic cash scheme, such as anonymity, unforgeability, unreusability, divisibility, transferability, and portability [2]. Some of them are listed below. Anonymity/Unlinkability. The customer of the cash must be anonymous. As long as the coin is spent legitimately, neither

the merchant nor the bank can identify the customer of the coin. Unforgeability. Only authorized banks can generate electronic cash. Unreusability. The electronic cash cannot be reused. The scheme can detect the malicious customer, who spends the cash twice. Electronic cash schemes can be divided into two categories: online and offline. In online schemes, as paying a coin to a merchant, the bank must attend to validate the coin and detect its reuse. But, in offline schemes, double spending can only be figured out when the merchant deposits the coin to the bank in the next phase. After Chaumβs scheme, a lot of electronic cash schemes [3β9] have been proposed based on blind signatures and restrictive blind signatures. Afterward, many more complex schemes have been proposed [10β13]. Recently, Eslami and Talebi proposed an untraceable electronic cash scheme [2] and claimed that their scheme satisfies all main security requirements, such as anonymity, unreusability, and date attachability. However, Baseri et al.

2

Mobile Information Systems

[14] showed that Eslami and Talebiβs scheme is subjected to some weaknesses in perceptibility of double spender, unforgeability, and date attachability. Baseri et al. also contributed a novel electronic cash scheme. Untraceable electronic cash is an attractive payment tool for electronic commerce because its anonymity property can ensure the privacy of payers. However, this anonymity property is easily abused by criminals. In 2011, Chen et al. [15] proposed an electronic cash system with trustee-based anonymity revocation from pairing. On demand, the trustee can disclose the identity of the owner of an π-cash. Chen et al. claimed that their scheme is the first attempt to incorporate mutual authentication and key agreement into π-cash protocols and their scheme satisfies the security requirements of untraceability, verifiability, unforgeability, and anonymity revocation. But, in 2012, Chang [16] claimed that he finds some weaknesses of Chen et al.βs scheme. Then, Chen et al. [17] immediately provided a response to rebut Changβs attacks. By thoroughly investigating Chen et al.βs scheme, we find that, despite Changβs attacks being really wrong, Chen et al.βs scheme is surely insecure. Chen et al.βs scheme is subjected to some drawbacks. (1) The first flaw is the attack on the unforgeability by the dishonest customer. (2) The second flaw is the attack on double spending owner tracing. (3) The third flaw is the potential bank attack. To contribute secure electronic cash schemes, we propose a new offline electronic cash scheme with anonymity revocation. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds. The remainder of this paper is organized as follows. Related concept of bilinear pairing and CDH problem are introduced in Section 2. In Section 3, we show some weaknesses of Chen et al.βs scheme. In Section 4 we propose a new electronic cash scheme with anonymity revocation. In Section 5 we show the verifiability of the proposed scheme. Double spender detection is covered in Section 6. In Section 7 we show that the proposed scheme satisfies uncheatability of merchants. Provable security of our scheme is covered in Section 8. In Section 9 we compare our scheme with the others. Finally conclusions are given in Section 10.

2. Preliminary 2.1. The Bilinear Pairing. Let πΊ1 be a cyclic additive group generated by π, whose order is a prime π, and let πΊ2 be a cyclic multiplicative group of the same order. Let π : πΊ1 Γ πΊ1 β πΊ2 be a pairing map which satisfies the following conditions: (1) Bilinearity: for any π, π, π β πΊ1 , we have π(π+π, π ) = π(π, π )π(π, π ). In particular, for any π, π β ππ , π(ππ, ππ) = π(π, πππ) = π(πππ, π) = π(π, π)ππ . (2) Nondegeneracy: there exists π, π β πΊ1 , such that π(π, π) =ΜΈ 1. (3) Computability: there is an efficient algorithm to compute π(π, π) for all π, π β πΊ1 .

2.2. The CDH Problem. Let πΊ be a cyclic additive group of prime order π and π a generator of πΊ. The computational Diffie-Hellman (CDH) problem is to compute πππ for given π, ππ, ππ β πΊ.

3. Effective Attacks on Chen et al.βs Scheme In this section, we show the drawbacks of Chen et al.βs scheme [15]. For the sake of brevity, we omit the review of Chen et al.βs scheme. To know Chen et al.βs scheme in detail, readers can read literature [15]. 3.1. Attack on the Unforgeability by the Dishonest Customer. When the customer obtains an π-cash {πΆππ, πΏππ, (π , π)}, he can randomly select π β ππβ and forge π-cash {πΆππ, π β πΏππ, (π β π , π β π)}, because the π-cash {πΆππ, πΏππ, (π , π)} satisfies π (π, π) = π (π»3 (CNO) ππ΅ , π ) β π (LST β ππ΅ , πpub ) .

(1)

So, π

π

π (π, π)π = π (π»3 (CNO) ππ΅ , π ) β π (LST β ππ΅ , πpub ) . (2) Then, π (π β π, π) = π (π»3 (CNO) ππ΅ , π β π ) β π (π β LST β ππ΅ , πpub ) .

(3)

That is to say, the customer forges a valid π-cash {πΆππ, π β πΏππ, (π β π , π β π)}. Of course, in payment protocol, when the merchant gets an π-cash from customers, he also can similarly forge π-cash. Further, these forged π-cash make the scheme fail in double spending owner tracing, because it is impossible to find the customer identity from π β πΏππ. Note that (π , π) is a signature on πΆππ and πΏππ. Furthermore, πΆππ does not play distinction function to an π-cash. πΆππ is only a randomly selected number. Any customer can randomly choose any πΆππ for their π-cash. If πΆππ has some function, it is only to certain customer. It is not strange that different customers may choose same πΆππ for their π-cash. So, this attack is a successful forgery. 3.2. Attack by the Dishonest Merchant. In practice, there are always many merchants from different shops. After receiving an π-cash {πΆππ, πΏππ, (π , π)} from a customer, the merchant may spend {πΆππ, πΏππ, (π , π)} to another merchant. This attack is correct due to the fact that the verification equation π (π, π) = π (π»3 (CNO) β ππ΅ , π ) β π (LST β ππ΅ , πpub )

(4)

is only related to πΆππ, πΏππ, π , π. And no extra information should be provided by customers in the verification process. Later, even if the bank finds double spending, the bank and the trustee cannot find real double spender, because the double spender may not be the customer himself.

Mobile Information Systems

3

3.3. Potential Attack by the Bank. However, in payment protocol, the only verification to the π-cash {πΆππ, πΏππ, (π , π)} is to examine whether the following equation holds: π (π, π) = π (π»3 (CNO) β ππ΅ , π ) β π (LST β ππ΅ , πpub ) .

(5)

But, when let π = ππpub (π is a randomly selected number in ππβ ) in the above equation, then π (π, π) = π (π»3 (CNO) β ππ΅ , ππpub )

a license. The following steps describe the protocol, which is also illustrated in Box 1. (1) Customer πΆ selects four random numbers, π, π§, π€1 , π€2 β ππβ , and sends {IDπΆ, π, π§, π€1 , π€2 } to Trustee π. (2) π chooses a random number, π₯ β ππβ , and computes πΏππ as πΏππ = πΈπΎπ (IDπΆ β π₯). Here πΈ is a symmetric encryption algorithm, and πΎπ is a secret key. (3) To sign on πβ1 πΏππ, trustee π selects a random number, π β ππβ , and computes π = π (π, π)π ,

β π (LST β ππ΅ , πpub ) = π (π β π»3 (CNO) β ππ΅ , πpub )

π’ = π»2 (πβ1 LST β π ) ,

(6)

π = π’ππ + ππ.

β π (LST β ππ΅ , πpub ) = π ((π β π»3 (CNO) + LST) β ππ΅ , πpub ) = π ((π β π»3 (CNO) + LST) β ππ΅ , π) . So, the bank can randomly select πΆππ and πΏππ. Then Let π = ππpub , π = (π β π»3 (πΆππ) + πΏππ) β ππ΅ to generate an π-cash {πΆππ, πΏππ, (π , π)}. This apparently violates the withdrawal protocol above the customer and the bank together performing a blind signature function to complete the π-cash withdrawal.

4. Our Proposed Scheme Based on an id-based signature scheme [21] proposed by Hess and an efficient id-based blind signature [22] proposed by Zhang and Kim, we propose an offline electronic cash scheme with anonymity revocation. In the proposed scheme there are four participants: Trustee π, the bank π΅, the customer πΆ, and the merchant π. There are five protocols: license issuing, withdrawal, payment, deposit, and π-cash owner tracing. Here any communication between any two entities should be encrypted, and this can be done by incorporating mutual authentication and key agreement protocols, likely in [15]. Here, for brevity, we omit those encryptions in five protocols. 4.1. System Setup. In this stage, the Key Generation Center (KGC) chooses a cyclic additive group πΊ1 which is generated by π with prime order π and chooses a cyclic multiplicative group πΊ2 of the same order and a bilinear map π : πΊ1 Γ πΊ1 β πΊ2 . KGC also chooses a random π β ππβ as the master key and sets πpub = π π public and chooses cryptographic hash functions π»1 : {0, 1}β β πΊ1 , π»2 : {0, 1}β β ππβ . The system parameter list is params = (πΊ1 , πΊ2 , π, π, πpub , π»1 , π»2 ). When the customer πΆ submits his identity, IDπΆ to the KGC, the KGC computes the public key ππΆ = π»1 (IDπΆ) and private key ππΆ = π ππΆ for the customer πΆ. Similarly, the KGC generates the public/private key pairs (ππ , ππ ), (ππ΅ , ππ΅ ), and (ππ, ππ) for Trustee π, the Bank π΅, and the Merchant π, respectively. 4.2. License-Issuing Protocol. Before withdrawing π-cash from the bank, customer πΆ needs to ask trustee π to issue him

(7)

The trustee π also signs on π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 ; here π΄ 1 = (ππ§ + π§)πpub , π΄ 2 = (π€1 + π€2 )πpub . π΄ 3 = π€1 πpub , and π΄ 4 = ππ§πpub . π selects a random number, π¦ β ππβ , and computes π = π (π, π)π¦ , π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 ) β π) ,

(8)

πΉ = πππ + π¦π. After that, trustee π stores (πΏππ, π₯) to the database and sends (πΏππ, π’, π, π, πΉ) to the customer πΆ. (4) The customer πΆ computes β1

π σΈ = π (π, π) π (π’ππ , πpub ) , σΈ

π = π (πΉ, π) π (πππ , πpub )

β1

(9)

and checks whether π’ = π»2 (πβ1 πΏππ β π σΈ ) , π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 ) β πσΈ ) .

(10)

If so, The customer πΆ obtains the license, (πΏππ, π’, π) and the signature (π, πΉ) on π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 . 4.3. Withdrawal Protocol. To complete the π-cash withdrawal, customer πΆ and bank π΅ together perform the following steps. This protocol is also illustrated in Box 2. (1) Customer πΆ sends {IDπΆ, (πβ1 πΏππ, π’, π)} to the bank π΅. (2) π΅ first computes π σΈ = π (π, π) π (π’ππ , πpub )

β1

(11)

and checks whether π’ = π»2 (πβ1 πΏππ β π σΈ ) .

(12)

If so, the bank π΅ selects a random number, π β ππβ , computes πΎ = πππ΅ , and sends πΎ to the customer πΆ.

4

Mobile Information Systems

Customer Selects random numbers, π, π§, π€1 , π€2 β ππβ ,

Trustee {IDπΆ ,π,π§,π€1 ,π€2 }

σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨β Chooses random number π₯ β ππβ , computes πΏππ = πΈπΎπ (IDπΆ β π₯). Selects a random number, π β ππβ , computes π = π(π, π)π π’ = π»2 (πβ1 πΏππβπ ) π = π’ππ + ππ Selects random number π¦ β ππβ , and computes π = π(π, π)π¦ , π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 )βπ) πΉ = πππ + π¦π

(πΏππ,π’,π,π,πΉ)

βσ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨ Computes π σΈ = π(π, π)π(π’ππ , πpub )β1 πσΈ = π(πΉ, π)π(πππ , πpub )β1 And checks whether π’ = π»2 (πβ1 πΏππβπ σΈ ) π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 )βπσΈ ) Obtains the license, (πΏππ, π’, π) and the signature, (π, πΉ) on π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 Box 1: License-issuing protocol.

Customer

Bank {IDπΆ ,(πβ1 πΏππ,π’,π)}

σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨β

πΎ

Computes π σΈ = π(π, π)π(π’ππ , πpub )β1 Checks whether π’ = π»2 (πβ1 πΏππβπ σΈ ) Selects random number π β ππβ , computes πΎ = πππ΅

βσ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨ Selects two random number, π, π β ππβ , computes πΎσΈ = ππΎ + ππππ΅ β = πβ1 π»2 (πΏππβπΎσΈ ) + π β

σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨β π

Computes π = (π + β)ππ΅

βσ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨ Computes πσΈ = ππ Checks whether π(πσΈ , π) = π(πΎσΈ + π»2 (πΏππβπΎσΈ ππ΅ , πpub ) Obtains an π-cash (πΏππ, πΎσΈ , πσΈ ) Box 2: Withdrawal protocol.

Mobile Information Systems

5

Customer

Merchant (πΏππ,πΎσΈ ,πσΈ )

σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨β

(π,π·)

Checks whether π(πσΈ , π) = π(πΎσΈ + π»2 (πΏππβπΎσΈ )ππ΅ , πpub ) Selects random number π β ππβ , computes πΏ = π(π, π)π π = π»2 (πΏππβπΎσΈ βπσΈ βπΏ) π· = πππ + ππ

βσ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨ Computes πΏσΈ = π(π·, π)π(πππ , πpub )β1 Checks whether π = π»2 (πΏππβπΎσΈ βπσΈ βπΏσΈ ) Computes π1 = πππ§ + π€1 π2 = ππ§ + π€2

(π1 ,π2 ,π΄ 1 ,π΄ 2 ,π΄ 3 ,π΄ 4 ,π,π,πΉ)

σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨β Checks whether π((π1 + π2 )ππ , πpub ) = π(ππ , ππ΄ 1 + π΄ 2 ) Computes πσΈ = π(πΉ, π)π(πππ , πpub )β1 Checks whether π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 )βπσΈ ) Accepts the payment Box 3: Payment protocol.

ππβ ,

(3) The customer πΆ selects two random numbers, π, π β computes πΎσΈ = ππΎ + ππππ΅ , β = πβ1 π»2 (πΏππ β πΎσΈ ) + π,

πΏ = π (π, π)π , (13)

(14)

and sends π to the customer πΆ. (5) Customer πΆ computes πσΈ = ππ

(18)

Then he sends (π, π·) to the customer πΆ. (3) The customer πΆ computes πΏσΈ = π (π·, π) π (πππ, πpub )

(15)

β1

(16)

(19)

and checks whether π = π»2 (LST β πΎσΈ β πσΈ β πΏσΈ ) .

and checks whether π (πσΈ , π) = π (πΎσΈ + π»2 (LST β πΎσΈ ) ππ΅ , πpub ) .

π = π»2 (LST β πΎσΈ β πσΈ β πΏ) , π· = πππ + ππ.

and sends β to the bank π΅. (4) The bank π΅ computes π = (π + β) ππ΅

If so, he selects a random number π β ππβ and computes

(20)

If so, he computes

If so, the customer πΆ obtains an π-cash (πΏππ, πΎσΈ , πσΈ ).

π1 = πππ§ + π€1 ,

4.4. Payment Protocol. When the customer πΆ wants to spend his cash at the shop, the customer πΆ and the merchant π do the following steps. This protocol is also illustrated in Box 3. (1) Customer πΆ sends (πΏππ, πΎσΈ , πσΈ ) to the merchant π. (2) The merchant π checks whether

π2 = ππ§ + π€2 .

Then he sends (π1 , π2 , π΄ 1 , π΄ 2 , π΄ 3 , π΄ 4 , π, π, πΉ) to the merchant π. (4) The merchant π checks whether

π (πσΈ , π) = π (πΎσΈ + π»2 (LST β πΎσΈ ) ππ΅ , πpub ) .

π ((π1 + π2 ) ππ , πpub ) = π (ππ , ππ΄ 1 + π΄ 2 )

(17)

(21)

(22)

6

Mobile Information Systems

Merchant

Bank (πΏππ,πΎσΈ ,πσΈ ,π1 ,π2 ,π,π΄ 1 ,π΄ 2 ,π΄ 3 ,π΄ 4 ,π,πΉ)

σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨β Computes πσΈ = π(πΉ, π)π(πππ , πpub )β1 Checks whether π(πσΈ , π) = π(πΎσΈ + π»2 (πΏππβπΎσΈ )ππ΅ , πpub ) π((π1 + π2 )ππ , πpub ) = π(ππ , ππ΄ 1 + π΄ 2 ) π(π1 ππ , πpub ) = π(ππ , π΄ 3 + ππ΄ 4 ) π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 )βπσΈ ) Checks whether the π-cash is being double spent; if it is fresh, reedits the merchantβs account Box 4: Deposit protocol.

5. Verifiability of the Proposed Scheme

and computes πσΈ = π (πΉ, π) π (πππ , πpub )

β1

(23)

Firstly, we show that the blind license πβ1 πΏππ can be verified by equation

and checks whether σΈ

π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 ) β π ) .

π’ = π»2 (πβ1 LST β π σΈ ) . (24)

β1

4.5. Deposit Protocol. When the merchant π wants to deposit the received π-cash into his account in the bank π΅, the following steps are done between the bank π΅ and the merchant π. This protocol is also illustrated in Box 4. (1) The merchant π sends (πΏππ, πΎσΈ , πσΈ , π1 , π2 , π, π΄ 1 , π΄ 2 , π΄ 3 , π΄ 4 , π, πΉ) to the bank π΅. (2) The bank π΅ first checks whether the coin exists in its deposit. If the coin exists, it runs the double spender detection procedure. Else, the bank computes πσΈ = π (πΉ, π) π (πππ , πpub )

Since π σΈ = π (π, π) π (π’ππ , πpub )

If so, the merchant accepts the payment.

β1

(28)

π’ = π»2 (πβ1 πΏππ β π ) = π»2 (πβ1 πΏππ β π σΈ ). Secondly, we show that the π-cash can be verified by equation π (πσΈ , π) = π (πΎσΈ + π»2 (LST β πΎσΈ ) ππ΅ , πpub ) .

(29)

In fact, π (πσΈ , π) = π (ππ, π) = π (π (π + β) ππ΅ , π)

(25)

= π (π (π + πβ1 π»2 (LST β πΎσΈ ) + π) ππ΅ , πpub ) = π (ππππ΅ + ππππ΅ + π»2 (LST β πΎσΈ ) ππ΅ , πpub )

π (πσΈ , π) = π (πΎσΈ + π»2 (LST β πΎσΈ ) ππ΅ , πpub ) ,

π (π1 ππ , πpub ) = π (ππ , π΄ 3 + ππ΄ 4 ) ,

= π (π, π) π (βπ’ππ , π)

= π (π β π’ππ , π) = π (ππ, π) = π ,

and checks whether

π ((π1 + π2 ) ππ , πpub ) = π (ππ , ππ΄ 1 + π΄ 2 ) ,

(27)

(30)

= π (πΎσΈ + π»2 (LST β πΎσΈ ) ππ΅ , πpub ) . (26)

π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 ) β πσΈ ) . If the above four equations hold, the bank accepts the coin, stores it in the deposit table, and transfers money to the merchant π. 4.6. Revoking the Anonymity. In the case that an π-cash (πΏππ, πΎσΈ , πσΈ ) is abused by a criminal, whether the cash is spent twice or not, the trustee can revoke the anonymity of the πcash by the πΏππ provided by the bank. As soon as the trustee π receives the request of revoking anonymity, π checks his database to find record (πΏππ, π₯) and computes the identity information IDπΆ = π·πΎπ (πΏππ) β π₯ by using his secret key πΎπ.

Thirdly, we show that the signature (π, π·) on (LST, πΎσΈ , πσΈ ) by merchant can be verified by equation π = π»2 (LST β πΎσΈ β πσΈ β πΏσΈ ) .

(31)

Since πΏσΈ = π (π·, π) π (πππ, πpub )

β1

= π (π·, π) π (βπππ, π)

(32)

= π (π· β πππ, π) = π (ππ, π) = πΏ, π = π»2 (πΏππ β πΎσΈ β πσΈ β πΏ) = π»2 (πΏππ β πΎσΈ β πσΈ β πΏσΈ ). Fourthly, we show that the information (π1 , π2 ) can be verified by the equations π ((π1 + π2 ) ππ , πpub ) = π (ππ , ππ΄ 1 + π΄ 2 ) , π (π1 ππ , πpub ) = π (ππ , π΄ 3 + ππ΄ 4 ) .

(33)

Mobile Information Systems

7

7. Uncheatability of Merchants

In fact, π ((π1 + π2 ) ππ , πpub ) = π ((πππ§ + π€1 + ππ§ + π€2 ) ππ , πpub ) = π ((πππ§ + ππ§) ππ + (π€1 + π€2 ) ππ , πpub ) = π ((πππ§ + ππ§) ππ , πpub ) π ((π€1 + π€2 ) ππ , πpub )

(34)

= π (ππ , (πππ§ + ππ§) πpub ) π (ππ , (π€1 + π€2 ) πpub ) = π (ππ , ππ΄ 1 ) π (ππ , π΄ 2 ) = π (ππ , ππ΄ 1 + π΄ 2 ) , π (π1 ππ , πpub ) = π ((πππ§ + π€1 ) ππ , πpub )

8. Provable Security

= π (ππ , (πππ§ + π€1 ) πpub ) = (ππ , π΄ 3 + ππ΄ 4 ) . Finally, we show that the signature (π, πΉ) on π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 by trustee can be verified by the equation π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 ) β πσΈ ) .

(35)

Since πσΈ = π (πΉ, π) π (πππ , πpub )

β1

π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 ) β π)

(36)

= π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 ) β πσΈ ) .

In the case that the customer spends an π-cash twice or more, the bank π΅ can compute π1 β π1σΈ , π2 β π2σΈ

(37)

β1

π πΏππ. Then, the bank π΅ checks its databases in the withdrawal protocol to find the record {IDπΆ, (πβ1 LST, π’, π)} and knows the identity information IDπΆ of the malicious customer πΆ. Here (π1 , π2 ) and (π1σΈ , π2σΈ ) are information the customer πΆ sends to the merchant π in payment phase in twice consumption, respectively. In fact, π1 = ππ1 π§ + π€1 , π1σΈ = ππ2 π§ + π€1 , π2 = π1 π§ + π€2 ,

(38)

π2σΈ = π2 π§ + π€2 . So, π=

π1 β π1σΈ . π2 β π2σΈ

(39) β1

Definition 1 (the linkability game). Let π be a security parameter and let πΆ1 and πΆ2 be two customers. πΆ1 , πΆ2 , and the bank π΅ are involved in the following game.

Step 2. We randomly choose a bit πσΈ β {0, 1} and place (πΎπσΈ , πΏπππσΈ ) and (πΎ1βπσΈ , πΏππ1βπσΈ ) on the private input tapes of πΆ1 and πΆ2 , respectively. The bit πσΈ will not be disclosed to the bank π΅. Step 3. The bank π΅ and two customers πΆ1 , πΆ2 perform the withdrawal protocol of the proposed scheme.

6. Double Spender Detection

π=

In this section, we show that the proposed scheme satisfies the property of unlinkability and unforgeability.

Step 1. The bank π΅ outputs two Licenses πΏππ0 and πΏππ1 .

= π (πΉ, π) π (βπππ , π)

= π (πΉ β πππ , π) = π (π¦π, π) = π,

When the customer sends π-cash (πΏππ, πΎσΈ , πσΈ ) to the merchant, the merchant computes signature (π, π·) on (πΏππ, πΎσΈ , πσΈ ). When the merchant sends (π, π·) to the customer, the customer first verifies it using the public key ππ of the merchant π. When (π, π·) satisfies the verification equation, the customer sends (π1 , π2 , π΄ 1 , π΄ 2 , π΄ 3 , π΄ 4 , π, πΉ) to the merchant. If later the merchant uses π-cash (πΏππ, πΎσΈ , πσΈ ) and (π1 , π2 , π΄ 1 , π΄ 2 , π΄ 3 , π΄ 4 , π, πΉ) to spend to other merchants and cheats the customer, the customer can show the merchantβs signature to some arbitration agency. So, the scheme can effectively resist merchants cheat attack.

Hence, the bank πΆ can compute π πΏππ and obtain the identity information IDπΆ of the malicious customer πΆ.

Step 4. If πΆ1 and πΆ2 output two π-cash (πΏπππσΈ , πΎπσΈ σΈ , ππσΈ σΈ ) and σΈ σΈ (πΏππ1βπσΈ , πΎ1βπ σΈ , π1βπσΈ ) on their private tapes, respectively, we give the two 3 tuples in a random order to the bank; otherwise, β₯ is given to π΅. Step 5. The bank π΅ outputs πσΈ β β {0, 1} as the guess of πσΈ . π΅ wins the game if πσΈ β = πσΈ . We define the advantage of π΅ as σ΅¨ σ΅¨ Traceality (40) Advπ΅ (π) = σ΅¨σ΅¨σ΅¨σ΅¨2π [πσΈ β = πσΈ ] β 1σ΅¨σ΅¨σ΅¨σ΅¨ . Definition 2 (unlinkability). The proposed scheme satisfies Traceality the unlinkability property if the advantage Advπ΅ (π) is negligible. Theorem 3. The proposed scheme satisfies the unlinkability property. Proof of Theorem 3. We consider the condition in Definition 1. Let (πΏππ, πΎσΈ , πσΈ ) be one of the two π-cash given to the bank and let (πΎ, β, π) be the view of the bank in one of the withdrawal protocols. It is sufficient to show that there exist two random factors (π, π) that map (πΎ, β, π) to (πΏππ, πΎσΈ , πσΈ ). We know πΎσΈ = ππΎ + ππππ΅ , β = πβ1 π»2 (LST β πΎσΈ ) + π, πσΈ = ππ.

(41)

8

Mobile Information Systems

So, by equation πσΈ = ππ, there is a unique π. Then, by equation β = πβ1 π»2 (πΏππ β πΎσΈ ) + π, there is a unique π. Furthermore, when π and πσΈ are correctly computed, the following equation holds: π (π, π) = π (πΎ + (πβ1 π»2 (LST β πΎσΈ ) + π) ππ΅ , πpub ) , π (πσΈ , π) = π (πΎσΈ + π»2 (LST β πΎσΈ ) ππ΅ , πpub ) .

(42)

So, it holds when πΎσΈ = ππΎ+ππππ΅ . It is to say that (π, π) always exists regardless of the values (πΏππ, πΎσΈ , πσΈ ) and (πΎ, β, π). Therefore, even an infinitely powerful bank outputs a correct value πσΈ with probability of exactly 1/2. So, the proposed scheme satisfies the unlinkability property. Definition 4 (the forgeability game). The adversary F and the challenger A play the following game. Step 1. The challenger A takes a security parameter and generates the public parameters params and sends params to the adversary F. Step 2. The adversary F can perform polynomially bounded number of hash queries, extract queries, and π-cash queries. These three kinds of queries answer the hash function, private key, and π-cash query by the adversary F, respectively. Step 3. The adversary F outputs a tuple π = ((πΏππ, πΎσΈ , πσΈ ), IDπ΅ ). This tuple satisfies the following requirements: (1) (πΏππ, πΎσΈ , πσΈ ) is a valid π-cash with regard to the bank π΅. (2) The adversary F has never requested the private key of the bank π΅. (3) π = ((πΏππ, πΎσΈ , πσΈ ), IDπ΅ ) has never been queried during the π-cash query. Definition 5 (unforgeability). An adversary F is said to be an (π, π‘, ππΈ , ππΌ , ππ»)-forger if it has advantage at least π in the above game, runs in time at most π‘, and makes at most ππΈ , ππΌ , and ππ» extract, π-cash, and hashing queries, respectively. A scheme is said to be (π, π‘, ππΈ , ππΌ , ππ»)-secure against A in the sense of unforgeable against π-cash existential forgery attack if no (π, π‘, ππΈ , ππΌ , ππ»)-forger exists. Theorem 6. If the CDH problem is hard, then the proposed scheme is secure against π-cash existential forgery attack. Proof of Theorem 6. Suppose that F is a forger who can forge π-cash in the proposed scheme. A CDH instance (π, π₯π, π¦π) is given for π₯, π¦ βπ ππβ , By using the forgery algorithm F, we will construct an algorithm A which outputs the CDH solution π₯π¦π in πΊ. Algorithm A performs the following simulation by interacting with the forger F. Setup. Algorithm A sets πpub = π₯π and starts by giving F the system parameters including (π, πpub ).

Table 1: Comparison of features of our scheme with recent schemes.

Chen et al. [15] Fan et al. [18] Juang [19] Zhang et al. [20] Ours

F1 Yes Yes Yes Yes Yes

F2 Fail Yes Yes Yes Yes

F3 Yes No Yes Yes Yes

F4 Yes Yes Yes No Yes

F5 Yes Yes No No Yes

F6 Fail No No No Yes

F1: anonymity/unlinkability; F2: unforgeability; F3: verification; F4: doublespending owner tracing; F5: anonymity revocation; F6: uncheatability of merchant.

Table 2: Required number of rounds for each protocol in compared schemes. Chen et al. [15] Fan et al. [18] Juang [19] Zhang et al. [20] Ours

P1 2 β 3 β 2

P2 2 4 3 3 4

P3 1 3 1 2 3

P4 1 1 1 1 1

P5 1 β 2 β 1

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing.

At any time, F can query the random oracle π»1 , π»2 and extract and cash queries. To answer these queries, A does the following. π»1 -Queries. At any time F can query the random oracle π»1 . To respond to these queries, A maintains a list π»1 -list of tuples (ID, π, π‘, π) as explained below. When an identity ID is submitted to the π»1 oracle, A responds as follows: If the query ID already appears on the π»1 -list in a tuple (ID, π, π‘, π), A responds with π»1 (ID) = π. Otherwise, A generates a random coin π β {0, 1}. If π = 0 then A computes π = π‘(π¦π) for a random π‘ β ππβ ; If π = 1 then A computes π = π‘π. A adds the tuple (ID, π, π‘, π) to π»1 -list and responds to F with π»1 (ID) = π. π»2 -Queries. To respond to π»2 -Queries, A maintains a list referred to as π»2 -list of tuples (πΏππ β πΎσΈ , π). When F queries the π»2 oracle at (πΏππ β πΎσΈ ), A responds as follows: If the query (πΏππ β πΎσΈ ) already appears on the π»2 -list in a tuple (πΏππ β πΎσΈ , π), then A responds with π»2 (πΏππ β πΎσΈ ) = π β ππ . Otherwise, A generates a random π β ππ and adds the tuples (πΏππ β πΎσΈ , π) to π»2 -list and responds to F with π»2 (πΏππ β πΎσΈ ) = π. Extract Queries. When F queries the private key corresponding to ID, A first finds the corresponding (ID, π, π‘, π) from the π»1 -list. If π = 0, then A fails and halts. Otherwise, A computes the private key πID = π‘ β πpub = π‘(π₯π) by using the tuple (ID, π, π‘, π) in the π»1 -list and responds to F with πID . Cash Queries. If F requests an π-cash on πΏππ under ID, A responds to this query as follows: A first finds the corresponding tuple (ID, π, π‘, π) from π»1 -list and chooses one random number π, π β ππβ and computes πΎσΈ = ππ β ππ.

Mobile Information Systems

9 Table 3: Comparison of computation costs.

Chen et al. [15] Zhang et al. [20] Ours

P1 E + 2H + 3B β E + 4H + 5B + 2L

P2 4H + 6B 2H + 2B + L 2H + 4B

P3 H + 3B 2H + 3B 4H + 9B

P4 H + 3B 2H + 3B 2H + 8B

P5 D β D

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing. E: symmetrical encryption; D: symmetrical decryption; H: hash computation; B: bilinear pairings; L: modular exponentiation.

If (πΏππ β πΎσΈ , π) already appears on the π»2 -list, A chooses another π, π β ππβ and tries again. Otherwise, A computes πσΈ = π β πpub and stores (πΏππ β πΎσΈ , π) on the π»2 -list. Then A responds to F with (πσΈ , πΎσΈ ). Indeed, the output is valid π-cash on πΏππ for ID. In fact, π (πΎσΈ + π»2 (LST β πΎσΈ ) ππ΅ , πpub ) = π (ππ β ππ + ππ, πpub ) = π (ππ, πpub )

(43)

= π (ππpub , π) = π (πσΈ , π) .

Output. If A does not abort as a result of Fβs extract query, then Fβs view is identical to its view in the real attack. By Forking Lemma, after replying F with the same random tape, A obtains two valid π-cash: (πΏππ, πΎσΈ , πσΈ ) , (πΏππ, πΎσΈ , πσΈ β ) .

10. Conclusion (44)

Correspondingly, there are two valid signatures (π, πΎ) and (πβ , πΎ), because π = (π + β) ππ΅ , πβ = (π + ββ ) ππ΅ .

and recovering phase in Juangβs scheme are computed to license-issuing protocol and owner tracing protocol, respectively. By Table 2, the proposed scheme demonstrates better communication efficiency under enhanced security. Our scheme and schemes [15, 20] are all id-based scheme using bilinear pairings. So, in Table 3, we compare the computation cost of our scheme with schemes [15, 20]. It is necessary to illustrate that Zhang et al.βs scheme [20] has no license-issuing protocol and owner tracing protocol and for fair comparison, we have not computed the computation cost of encryption and its related computation cost in Chen et al.βs scheme. Compared with Chen et al.βs scheme, there are eleven more pairings computations in the proposed scheme. These eleven pairings computations are in payment protocol and deposit protocol and useful to prevent the merchant from cheat. In practice, we can use elliptic curves to reduce the computation cost of bilinear pairings.

(45)

In this paper, we show that Chen et al.βs electronic cash scheme is suffering from some weaknesses in unforgeability and merchant frauds. To contribute a secure scheme, we propose a new offline electronic cash scheme with anonymity revocation. We also provide the formally security proofs of the unlinkability and unforgeability. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

So, by the security proof of [22], A obtains (π₯π¦)π = ππ΅ = (β β ββ )β1 (π β πβ ). This completes the proof.

Competing Interests

9. Comparisons

Acknowledgments

In this section, we compare our scheme with [15, 18β20] in some features, communication efficiency, and computation cost. The features are anonymity/unlinkability, unforgeability, verification, double-spending owner tracing, anonymity revocation, and uncheatability of merchant. Our scheme satisfies all of above features, but the others do not. We show the comparison result in Table 1. In Table 2, we compare the communication efficiency of our scheme with other schemes. Fan et al.βs scheme [18] and Zhang et al.βs scheme [20] are not trustee based, and therefore they do not have license-issuing protocol and owner tracing protocol. Juangβs scheme [19] also does not have license-issuing protocol and owner tracing protocol but has the initializing phase and recovering phase. For comparison, the numbers of rounds of initializing phase

This work is supported by the Applied Basic and Advanced Technology Research Programs of Tianjin (no. 15JCYBJC15900).

The authors declare that they have no competing interests.

References [1] D. Chaum, βBlind signatures for untraceable payments,β in Crypto 82, pp. 199β203, Plenum Press, New York, NY, USA, 1983. [2] Z. Eslami and M. Talebi, βA new untraceable off-line electronic cash system,β Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59β66, 2011. [3] R. Anderson, C. Manifavas, and C. Sutherland, βNetCardβ a practical electronic-cash system,β in Security Protocols, vol.

10

[4]

[5]

[6] [7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

Mobile Information Systems 1189 of Lecture Notes in Computer Science, pp. 49β57, Springer, Berlin, Germany, 1997. G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, βAnonymity control in e-cash systems,β in Financial Cryptography, vol. 1318 of Lecture Notes in Computer Science, pp. 1β16, Springer, Berlin, Germany, 1997. G. Maitland and C. Boyd, βFair electronic cash based on a group signature scheme,β in Information and Communication Security, pp. 461β465, Springer, 2001. D. Chaum and S. Brands, ββMintingβ electronic cash,β IEEE Spectrum, vol. 34, no. 2, pp. 30β34, 1997. J. Camenisch, S. Hohenberger, and A. Lysyanskaya, βCompact e-cash,β in Advances in CryptologyβEUROCRYPT 2005, R. Cramer, Ed., vol. 3494 of Lecture Notes in Computer Science, pp. 302β321, Springer, 2005. H. Wang and Y. Zhang, βUntraceable off-line electronic cash flow in e-commerce,β in Proceedings of the 24th Australasian Computer Science Conference (ACSC β01), pp. 191β198, IEEE, Gold Coast, Australia, January-February 2001. S. Brands, βUntraceable off-line cash in wallet with observers,β in Advances in CryptologyβCRYPTO β93, pp. 302β318, Springer, 1994. C.-Y. Ku, C.-J. Tsao, Y.-H. Lin, and C.-Y. Chen, βAn escrow electronic cash system with limited traceability,β Information Sciences, vol. 164, no. 1β4, pp. 17β30, 2004. T. Cao, D. Lin, and R. Xue, βA randomized RSA-based partially blind signature scheme for electronic cash,β Computers & Security, vol. 24, no. 1, pp. 44β49, 2005. W.-S. Juang, βD-cash: a flexible pre-paid e-cash scheme for dateattachment,β Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74β80, 2007. C. Fan and W. Sun, βEfficient encoding scheme for date attachable electronic cash,β in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory (CMCT β07), pp. 405β410, Nantou, Taiwan, 2007. Y. Baseri, B. Takhtaei, and J. Mohajeri, βSecure untraceable offline electronic cash system,β Scientia Iranica, vol. 20, no. 3, pp. 637β646, 2013. Y. Chen, J.-S. Chou, H.-M. Sun, and M.-H. Cho, βA novel electronic cash system with trustee-based anonymity revocation from pairing,β Electronic Commerce Research and Applications, vol. 10, no. 6, pp. 673β682, 2011. Y.-F. Chang, βA critique of βa novel electronic cash system with trustee-based anonymity revocation from pairing,β by Chen, Chou, Sun and Cho (2011),β Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 441β442, 2012. Y. L. Chen, J.-S. Chou, H.-M. Sun, and M.-S. Cho, βA response to a critique of βA novel electronic cash system with trustee-based anonymity revocation from pairing,β by Chen, Chou, Sun and Cho (2011),β Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 443β444, 2012. C.-I. Fan, V. S. Huang, and Y.-C. Yu, βUser efficient recoverable off-line e-cash scheme with fast anonymity revoking,β Mathematical and Computer Modelling, vol. 58, no. 1-2, pp. 227β237, 2013. W.-S. Juang, βRO-cash: an efficient and practical recoverable pre-paid offline e-cash scheme using bilinear pairings,β Journal of Systems and Software, vol. 83, no. 4, pp. 638β645, 2010. L. Zhang, F. Zhang, B. Qin, and S. Liu, βProvably-secure electronic cash based on certificateless partially-blind signatures,β Electronic Commerce Research and Applications, vol. 10, no. 5, pp. 545β552, 2011.

[21] F. Hess, βEfficient identity based signature schemes based on pairings,β in Selected Areas in Cryptography: 9th Annual International Workshop, SAC 2002 St. Johnβs, Newfoundland, Canada, August 15-16, 2002 Revised Papers, vol. 2595 of Lecture Notes in Computer Science, pp. 310β324, Springer, Berlin, Germany, 2003. [22] F. Zhang and F. Kim, βEfficient ID-based blind signature and proxy signature from bilinear pairings,β in Proceedings of the 8th Australasian Conference on Information Security and Privacy (ACISP β03), Wollongong, Australia, July 2003, Lecture Notes in Computer Science, pp. 312β323, Springer, 2003.

Journal of

Advances in

Industrial Engineering

Multimedia

Hindawi Publishing Corporation http://www.hindawi.com

The Scientific World Journal Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Applied Computational Intelligence and Soft Computing

International Journal of

Distributed Sensor Networks Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Advances in

Fuzzy Systems Modelling & Simulation in Engineering Hindawi Publishing Corporation http://www.hindawi.com

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Volume 2014

Submit your manuscripts at http://www.hindawi.com

Journal of

Computer Networks and Communications

βAdvancesβinβ

Artificial Intelligence Hindawi Publishing Corporation http://www.hindawi.com

HindawiβPublishingβCorporation http://www.hindawi.com

Volume 2014

International Journal of

Biomedical Imaging

Volumeβ2014

Advances in

Artificial Neural Systems

International Journal of

Computer Engineering

Computer Games Technology

Hindawi Publishing Corporation http://www.hindawi.com

Hindawi Publishing Corporation http://www.hindawi.com

Advances in

Volume 2014

Advances in

Software Engineering Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

International Journal of

Reconfigurable Computing

Robotics Hindawi Publishing Corporation http://www.hindawi.com

Computational Intelligence and Neuroscience

Advances in

Human-Computer Interaction

Journal of

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Journal of

Electrical and Computer Engineering Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Research Article Secure Electronic Cash Scheme with Anonymity Revocation Baoyuan Kang and Danhui Xu School of Computer Science and Software, Tianjin Polytechnic University, Tianjin 300387, China Correspondence should be addressed to Baoyuan Kang; [email protected] Received 8 September 2015; Revised 14 December 2015; Accepted 1 March 2016 Academic Editor: Francesco Gringoli Copyright Β© 2016 B. Kang and D. Xu. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. In a popular electronic cash scheme, there are three participants: the bank, the customer, and the merchant. First, a customer opens an account in a bank. Then, he withdraws an π-cash from his account and pays it to a merchant. After checking the electronic cashβs validity, the merchant accepts it and deposits it to the bank. There are a number of requirements for an electronic cash scheme, such as, anonymity, unforgeability, unreusability, divisibility, transferability, and portability. Anonymity property of electronic cash schemes can ensure the privacy of payers. However, this anonymity property is easily abused by criminals. In 2011, Chen et al. proposed a novel electronic cash system with trustee-based anonymity revocation from pairing. On demand, the trustee can disclose the identity for π-cash. But, in this paper we point out that Chen et al.βs scheme is subjected to some drawbacks. To contribute secure electronic cash schemes, we propose a new offline electronic cash scheme with anonymity revocation. We also provide the formally security proofs of the unlinkability and unforgeability. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

1. Introduction Due to the fast progress of computer networks and Internet, information technology is used in electronic commerce. Many electronic commerce services can be found over the internet. So, an electronic payment mechanism is necessary for electronic commerce. And electronic payment is one of the key issues of electronic commerce development. To realize the digitalization of traditional cash and electronic payment, in 1983, Chaum suggested the first electronic cash scheme [1]. Popularly, in an electronic cash scheme, there are three participants: the bank, the customer, and the merchant. First, a customer opens an account in a bank. Then, he withdraws an π-cash from his account and pays it to a merchant. After checking the electronic cashβs validity, the merchant accepts it and deposits it to the bank. For security and efficiency, there are a number of requirements for an electronic cash scheme, such as anonymity, unforgeability, unreusability, divisibility, transferability, and portability [2]. Some of them are listed below. Anonymity/Unlinkability. The customer of the cash must be anonymous. As long as the coin is spent legitimately, neither

the merchant nor the bank can identify the customer of the coin. Unforgeability. Only authorized banks can generate electronic cash. Unreusability. The electronic cash cannot be reused. The scheme can detect the malicious customer, who spends the cash twice. Electronic cash schemes can be divided into two categories: online and offline. In online schemes, as paying a coin to a merchant, the bank must attend to validate the coin and detect its reuse. But, in offline schemes, double spending can only be figured out when the merchant deposits the coin to the bank in the next phase. After Chaumβs scheme, a lot of electronic cash schemes [3β9] have been proposed based on blind signatures and restrictive blind signatures. Afterward, many more complex schemes have been proposed [10β13]. Recently, Eslami and Talebi proposed an untraceable electronic cash scheme [2] and claimed that their scheme satisfies all main security requirements, such as anonymity, unreusability, and date attachability. However, Baseri et al.

2

Mobile Information Systems

[14] showed that Eslami and Talebiβs scheme is subjected to some weaknesses in perceptibility of double spender, unforgeability, and date attachability. Baseri et al. also contributed a novel electronic cash scheme. Untraceable electronic cash is an attractive payment tool for electronic commerce because its anonymity property can ensure the privacy of payers. However, this anonymity property is easily abused by criminals. In 2011, Chen et al. [15] proposed an electronic cash system with trustee-based anonymity revocation from pairing. On demand, the trustee can disclose the identity of the owner of an π-cash. Chen et al. claimed that their scheme is the first attempt to incorporate mutual authentication and key agreement into π-cash protocols and their scheme satisfies the security requirements of untraceability, verifiability, unforgeability, and anonymity revocation. But, in 2012, Chang [16] claimed that he finds some weaknesses of Chen et al.βs scheme. Then, Chen et al. [17] immediately provided a response to rebut Changβs attacks. By thoroughly investigating Chen et al.βs scheme, we find that, despite Changβs attacks being really wrong, Chen et al.βs scheme is surely insecure. Chen et al.βs scheme is subjected to some drawbacks. (1) The first flaw is the attack on the unforgeability by the dishonest customer. (2) The second flaw is the attack on double spending owner tracing. (3) The third flaw is the potential bank attack. To contribute secure electronic cash schemes, we propose a new offline electronic cash scheme with anonymity revocation. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds. The remainder of this paper is organized as follows. Related concept of bilinear pairing and CDH problem are introduced in Section 2. In Section 3, we show some weaknesses of Chen et al.βs scheme. In Section 4 we propose a new electronic cash scheme with anonymity revocation. In Section 5 we show the verifiability of the proposed scheme. Double spender detection is covered in Section 6. In Section 7 we show that the proposed scheme satisfies uncheatability of merchants. Provable security of our scheme is covered in Section 8. In Section 9 we compare our scheme with the others. Finally conclusions are given in Section 10.

2. Preliminary 2.1. The Bilinear Pairing. Let πΊ1 be a cyclic additive group generated by π, whose order is a prime π, and let πΊ2 be a cyclic multiplicative group of the same order. Let π : πΊ1 Γ πΊ1 β πΊ2 be a pairing map which satisfies the following conditions: (1) Bilinearity: for any π, π, π β πΊ1 , we have π(π+π, π ) = π(π, π )π(π, π ). In particular, for any π, π β ππ , π(ππ, ππ) = π(π, πππ) = π(πππ, π) = π(π, π)ππ . (2) Nondegeneracy: there exists π, π β πΊ1 , such that π(π, π) =ΜΈ 1. (3) Computability: there is an efficient algorithm to compute π(π, π) for all π, π β πΊ1 .

2.2. The CDH Problem. Let πΊ be a cyclic additive group of prime order π and π a generator of πΊ. The computational Diffie-Hellman (CDH) problem is to compute πππ for given π, ππ, ππ β πΊ.

3. Effective Attacks on Chen et al.βs Scheme In this section, we show the drawbacks of Chen et al.βs scheme [15]. For the sake of brevity, we omit the review of Chen et al.βs scheme. To know Chen et al.βs scheme in detail, readers can read literature [15]. 3.1. Attack on the Unforgeability by the Dishonest Customer. When the customer obtains an π-cash {πΆππ, πΏππ, (π , π)}, he can randomly select π β ππβ and forge π-cash {πΆππ, π β πΏππ, (π β π , π β π)}, because the π-cash {πΆππ, πΏππ, (π , π)} satisfies π (π, π) = π (π»3 (CNO) ππ΅ , π ) β π (LST β ππ΅ , πpub ) .

(1)

So, π

π

π (π, π)π = π (π»3 (CNO) ππ΅ , π ) β π (LST β ππ΅ , πpub ) . (2) Then, π (π β π, π) = π (π»3 (CNO) ππ΅ , π β π ) β π (π β LST β ππ΅ , πpub ) .

(3)

That is to say, the customer forges a valid π-cash {πΆππ, π β πΏππ, (π β π , π β π)}. Of course, in payment protocol, when the merchant gets an π-cash from customers, he also can similarly forge π-cash. Further, these forged π-cash make the scheme fail in double spending owner tracing, because it is impossible to find the customer identity from π β πΏππ. Note that (π , π) is a signature on πΆππ and πΏππ. Furthermore, πΆππ does not play distinction function to an π-cash. πΆππ is only a randomly selected number. Any customer can randomly choose any πΆππ for their π-cash. If πΆππ has some function, it is only to certain customer. It is not strange that different customers may choose same πΆππ for their π-cash. So, this attack is a successful forgery. 3.2. Attack by the Dishonest Merchant. In practice, there are always many merchants from different shops. After receiving an π-cash {πΆππ, πΏππ, (π , π)} from a customer, the merchant may spend {πΆππ, πΏππ, (π , π)} to another merchant. This attack is correct due to the fact that the verification equation π (π, π) = π (π»3 (CNO) β ππ΅ , π ) β π (LST β ππ΅ , πpub )

(4)

is only related to πΆππ, πΏππ, π , π. And no extra information should be provided by customers in the verification process. Later, even if the bank finds double spending, the bank and the trustee cannot find real double spender, because the double spender may not be the customer himself.

Mobile Information Systems

3

3.3. Potential Attack by the Bank. However, in payment protocol, the only verification to the π-cash {πΆππ, πΏππ, (π , π)} is to examine whether the following equation holds: π (π, π) = π (π»3 (CNO) β ππ΅ , π ) β π (LST β ππ΅ , πpub ) .

(5)

But, when let π = ππpub (π is a randomly selected number in ππβ ) in the above equation, then π (π, π) = π (π»3 (CNO) β ππ΅ , ππpub )

a license. The following steps describe the protocol, which is also illustrated in Box 1. (1) Customer πΆ selects four random numbers, π, π§, π€1 , π€2 β ππβ , and sends {IDπΆ, π, π§, π€1 , π€2 } to Trustee π. (2) π chooses a random number, π₯ β ππβ , and computes πΏππ as πΏππ = πΈπΎπ (IDπΆ β π₯). Here πΈ is a symmetric encryption algorithm, and πΎπ is a secret key. (3) To sign on πβ1 πΏππ, trustee π selects a random number, π β ππβ , and computes π = π (π, π)π ,

β π (LST β ππ΅ , πpub ) = π (π β π»3 (CNO) β ππ΅ , πpub )

π’ = π»2 (πβ1 LST β π ) ,

(6)

π = π’ππ + ππ.

β π (LST β ππ΅ , πpub ) = π ((π β π»3 (CNO) + LST) β ππ΅ , πpub ) = π ((π β π»3 (CNO) + LST) β ππ΅ , π) . So, the bank can randomly select πΆππ and πΏππ. Then Let π = ππpub , π = (π β π»3 (πΆππ) + πΏππ) β ππ΅ to generate an π-cash {πΆππ, πΏππ, (π , π)}. This apparently violates the withdrawal protocol above the customer and the bank together performing a blind signature function to complete the π-cash withdrawal.

4. Our Proposed Scheme Based on an id-based signature scheme [21] proposed by Hess and an efficient id-based blind signature [22] proposed by Zhang and Kim, we propose an offline electronic cash scheme with anonymity revocation. In the proposed scheme there are four participants: Trustee π, the bank π΅, the customer πΆ, and the merchant π. There are five protocols: license issuing, withdrawal, payment, deposit, and π-cash owner tracing. Here any communication between any two entities should be encrypted, and this can be done by incorporating mutual authentication and key agreement protocols, likely in [15]. Here, for brevity, we omit those encryptions in five protocols. 4.1. System Setup. In this stage, the Key Generation Center (KGC) chooses a cyclic additive group πΊ1 which is generated by π with prime order π and chooses a cyclic multiplicative group πΊ2 of the same order and a bilinear map π : πΊ1 Γ πΊ1 β πΊ2 . KGC also chooses a random π β ππβ as the master key and sets πpub = π π public and chooses cryptographic hash functions π»1 : {0, 1}β β πΊ1 , π»2 : {0, 1}β β ππβ . The system parameter list is params = (πΊ1 , πΊ2 , π, π, πpub , π»1 , π»2 ). When the customer πΆ submits his identity, IDπΆ to the KGC, the KGC computes the public key ππΆ = π»1 (IDπΆ) and private key ππΆ = π ππΆ for the customer πΆ. Similarly, the KGC generates the public/private key pairs (ππ , ππ ), (ππ΅ , ππ΅ ), and (ππ, ππ) for Trustee π, the Bank π΅, and the Merchant π, respectively. 4.2. License-Issuing Protocol. Before withdrawing π-cash from the bank, customer πΆ needs to ask trustee π to issue him

(7)

The trustee π also signs on π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 ; here π΄ 1 = (ππ§ + π§)πpub , π΄ 2 = (π€1 + π€2 )πpub . π΄ 3 = π€1 πpub , and π΄ 4 = ππ§πpub . π selects a random number, π¦ β ππβ , and computes π = π (π, π)π¦ , π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 ) β π) ,

(8)

πΉ = πππ + π¦π. After that, trustee π stores (πΏππ, π₯) to the database and sends (πΏππ, π’, π, π, πΉ) to the customer πΆ. (4) The customer πΆ computes β1

π σΈ = π (π, π) π (π’ππ , πpub ) , σΈ

π = π (πΉ, π) π (πππ , πpub )

β1

(9)

and checks whether π’ = π»2 (πβ1 πΏππ β π σΈ ) , π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 ) β πσΈ ) .

(10)

If so, The customer πΆ obtains the license, (πΏππ, π’, π) and the signature (π, πΉ) on π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 . 4.3. Withdrawal Protocol. To complete the π-cash withdrawal, customer πΆ and bank π΅ together perform the following steps. This protocol is also illustrated in Box 2. (1) Customer πΆ sends {IDπΆ, (πβ1 πΏππ, π’, π)} to the bank π΅. (2) π΅ first computes π σΈ = π (π, π) π (π’ππ , πpub )

β1

(11)

and checks whether π’ = π»2 (πβ1 πΏππ β π σΈ ) .

(12)

If so, the bank π΅ selects a random number, π β ππβ , computes πΎ = πππ΅ , and sends πΎ to the customer πΆ.

4

Mobile Information Systems

Customer Selects random numbers, π, π§, π€1 , π€2 β ππβ ,

Trustee {IDπΆ ,π,π§,π€1 ,π€2 }

σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨β Chooses random number π₯ β ππβ , computes πΏππ = πΈπΎπ (IDπΆ β π₯). Selects a random number, π β ππβ , computes π = π(π, π)π π’ = π»2 (πβ1 πΏππβπ ) π = π’ππ + ππ Selects random number π¦ β ππβ , and computes π = π(π, π)π¦ , π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 )βπ) πΉ = πππ + π¦π

(πΏππ,π’,π,π,πΉ)

βσ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨ Computes π σΈ = π(π, π)π(π’ππ , πpub )β1 πσΈ = π(πΉ, π)π(πππ , πpub )β1 And checks whether π’ = π»2 (πβ1 πΏππβπ σΈ ) π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 )βπσΈ ) Obtains the license, (πΏππ, π’, π) and the signature, (π, πΉ) on π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 Box 1: License-issuing protocol.

Customer

Bank {IDπΆ ,(πβ1 πΏππ,π’,π)}

σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨β

πΎ

Computes π σΈ = π(π, π)π(π’ππ , πpub )β1 Checks whether π’ = π»2 (πβ1 πΏππβπ σΈ ) Selects random number π β ππβ , computes πΎ = πππ΅

βσ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨ Selects two random number, π, π β ππβ , computes πΎσΈ = ππΎ + ππππ΅ β = πβ1 π»2 (πΏππβπΎσΈ ) + π β

σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨β π

Computes π = (π + β)ππ΅

βσ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨ Computes πσΈ = ππ Checks whether π(πσΈ , π) = π(πΎσΈ + π»2 (πΏππβπΎσΈ ππ΅ , πpub ) Obtains an π-cash (πΏππ, πΎσΈ , πσΈ ) Box 2: Withdrawal protocol.

Mobile Information Systems

5

Customer

Merchant (πΏππ,πΎσΈ ,πσΈ )

σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨β

(π,π·)

Checks whether π(πσΈ , π) = π(πΎσΈ + π»2 (πΏππβπΎσΈ )ππ΅ , πpub ) Selects random number π β ππβ , computes πΏ = π(π, π)π π = π»2 (πΏππβπΎσΈ βπσΈ βπΏ) π· = πππ + ππ

βσ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨ Computes πΏσΈ = π(π·, π)π(πππ , πpub )β1 Checks whether π = π»2 (πΏππβπΎσΈ βπσΈ βπΏσΈ ) Computes π1 = πππ§ + π€1 π2 = ππ§ + π€2

(π1 ,π2 ,π΄ 1 ,π΄ 2 ,π΄ 3 ,π΄ 4 ,π,π,πΉ)

σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨β Checks whether π((π1 + π2 )ππ , πpub ) = π(ππ , ππ΄ 1 + π΄ 2 ) Computes πσΈ = π(πΉ, π)π(πππ , πpub )β1 Checks whether π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 )βπσΈ ) Accepts the payment Box 3: Payment protocol.

ππβ ,

(3) The customer πΆ selects two random numbers, π, π β computes πΎσΈ = ππΎ + ππππ΅ , β = πβ1 π»2 (πΏππ β πΎσΈ ) + π,

πΏ = π (π, π)π , (13)

(14)

and sends π to the customer πΆ. (5) Customer πΆ computes πσΈ = ππ

(18)

Then he sends (π, π·) to the customer πΆ. (3) The customer πΆ computes πΏσΈ = π (π·, π) π (πππ, πpub )

(15)

β1

(16)

(19)

and checks whether π = π»2 (LST β πΎσΈ β πσΈ β πΏσΈ ) .

and checks whether π (πσΈ , π) = π (πΎσΈ + π»2 (LST β πΎσΈ ) ππ΅ , πpub ) .

π = π»2 (LST β πΎσΈ β πσΈ β πΏ) , π· = πππ + ππ.

and sends β to the bank π΅. (4) The bank π΅ computes π = (π + β) ππ΅

If so, he selects a random number π β ππβ and computes

(20)

If so, he computes

If so, the customer πΆ obtains an π-cash (πΏππ, πΎσΈ , πσΈ ).

π1 = πππ§ + π€1 ,

4.4. Payment Protocol. When the customer πΆ wants to spend his cash at the shop, the customer πΆ and the merchant π do the following steps. This protocol is also illustrated in Box 3. (1) Customer πΆ sends (πΏππ, πΎσΈ , πσΈ ) to the merchant π. (2) The merchant π checks whether

π2 = ππ§ + π€2 .

Then he sends (π1 , π2 , π΄ 1 , π΄ 2 , π΄ 3 , π΄ 4 , π, π, πΉ) to the merchant π. (4) The merchant π checks whether

π (πσΈ , π) = π (πΎσΈ + π»2 (LST β πΎσΈ ) ππ΅ , πpub ) .

π ((π1 + π2 ) ππ , πpub ) = π (ππ , ππ΄ 1 + π΄ 2 )

(17)

(21)

(22)

6

Mobile Information Systems

Merchant

Bank (πΏππ,πΎσΈ ,πσΈ ,π1 ,π2 ,π,π΄ 1 ,π΄ 2 ,π΄ 3 ,π΄ 4 ,π,πΉ)

σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨σ³¨β Computes πσΈ = π(πΉ, π)π(πππ , πpub )β1 Checks whether π(πσΈ , π) = π(πΎσΈ + π»2 (πΏππβπΎσΈ )ππ΅ , πpub ) π((π1 + π2 )ππ , πpub ) = π(ππ , ππ΄ 1 + π΄ 2 ) π(π1 ππ , πpub ) = π(ππ , π΄ 3 + ππ΄ 4 ) π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 )βπσΈ ) Checks whether the π-cash is being double spent; if it is fresh, reedits the merchantβs account Box 4: Deposit protocol.

5. Verifiability of the Proposed Scheme

and computes πσΈ = π (πΉ, π) π (πππ , πpub )

β1

(23)

Firstly, we show that the blind license πβ1 πΏππ can be verified by equation

and checks whether σΈ

π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 ) β π ) .

π’ = π»2 (πβ1 LST β π σΈ ) . (24)

β1

4.5. Deposit Protocol. When the merchant π wants to deposit the received π-cash into his account in the bank π΅, the following steps are done between the bank π΅ and the merchant π. This protocol is also illustrated in Box 4. (1) The merchant π sends (πΏππ, πΎσΈ , πσΈ , π1 , π2 , π, π΄ 1 , π΄ 2 , π΄ 3 , π΄ 4 , π, πΉ) to the bank π΅. (2) The bank π΅ first checks whether the coin exists in its deposit. If the coin exists, it runs the double spender detection procedure. Else, the bank computes πσΈ = π (πΉ, π) π (πππ , πpub )

Since π σΈ = π (π, π) π (π’ππ , πpub )

If so, the merchant accepts the payment.

β1

(28)

π’ = π»2 (πβ1 πΏππ β π ) = π»2 (πβ1 πΏππ β π σΈ ). Secondly, we show that the π-cash can be verified by equation π (πσΈ , π) = π (πΎσΈ + π»2 (LST β πΎσΈ ) ππ΅ , πpub ) .

(29)

In fact, π (πσΈ , π) = π (ππ, π) = π (π (π + β) ππ΅ , π)

(25)

= π (π (π + πβ1 π»2 (LST β πΎσΈ ) + π) ππ΅ , πpub ) = π (ππππ΅ + ππππ΅ + π»2 (LST β πΎσΈ ) ππ΅ , πpub )

π (πσΈ , π) = π (πΎσΈ + π»2 (LST β πΎσΈ ) ππ΅ , πpub ) ,

π (π1 ππ , πpub ) = π (ππ , π΄ 3 + ππ΄ 4 ) ,

= π (π, π) π (βπ’ππ , π)

= π (π β π’ππ , π) = π (ππ, π) = π ,

and checks whether

π ((π1 + π2 ) ππ , πpub ) = π (ππ , ππ΄ 1 + π΄ 2 ) ,

(27)

(30)

= π (πΎσΈ + π»2 (LST β πΎσΈ ) ππ΅ , πpub ) . (26)

π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 ) β πσΈ ) . If the above four equations hold, the bank accepts the coin, stores it in the deposit table, and transfers money to the merchant π. 4.6. Revoking the Anonymity. In the case that an π-cash (πΏππ, πΎσΈ , πσΈ ) is abused by a criminal, whether the cash is spent twice or not, the trustee can revoke the anonymity of the πcash by the πΏππ provided by the bank. As soon as the trustee π receives the request of revoking anonymity, π checks his database to find record (πΏππ, π₯) and computes the identity information IDπΆ = π·πΎπ (πΏππ) β π₯ by using his secret key πΎπ.

Thirdly, we show that the signature (π, π·) on (LST, πΎσΈ , πσΈ ) by merchant can be verified by equation π = π»2 (LST β πΎσΈ β πσΈ β πΏσΈ ) .

(31)

Since πΏσΈ = π (π·, π) π (πππ, πpub )

β1

= π (π·, π) π (βπππ, π)

(32)

= π (π· β πππ, π) = π (ππ, π) = πΏ, π = π»2 (πΏππ β πΎσΈ β πσΈ β πΏ) = π»2 (πΏππ β πΎσΈ β πσΈ β πΏσΈ ). Fourthly, we show that the information (π1 , π2 ) can be verified by the equations π ((π1 + π2 ) ππ , πpub ) = π (ππ , ππ΄ 1 + π΄ 2 ) , π (π1 ππ , πpub ) = π (ππ , π΄ 3 + ππ΄ 4 ) .

(33)

Mobile Information Systems

7

7. Uncheatability of Merchants

In fact, π ((π1 + π2 ) ππ , πpub ) = π ((πππ§ + π€1 + ππ§ + π€2 ) ππ , πpub ) = π ((πππ§ + ππ§) ππ + (π€1 + π€2 ) ππ , πpub ) = π ((πππ§ + ππ§) ππ , πpub ) π ((π€1 + π€2 ) ππ , πpub )

(34)

= π (ππ , (πππ§ + ππ§) πpub ) π (ππ , (π€1 + π€2 ) πpub ) = π (ππ , ππ΄ 1 ) π (ππ , π΄ 2 ) = π (ππ , ππ΄ 1 + π΄ 2 ) , π (π1 ππ , πpub ) = π ((πππ§ + π€1 ) ππ , πpub )

8. Provable Security

= π (ππ , (πππ§ + π€1 ) πpub ) = (ππ , π΄ 3 + ππ΄ 4 ) . Finally, we show that the signature (π, πΉ) on π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 by trustee can be verified by the equation π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 ) β πσΈ ) .

(35)

Since πσΈ = π (πΉ, π) π (πππ , πpub )

β1

π = π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 ) β π)

(36)

= π»2 ((π΄ 1 + π΄ 2 + π΄ 3 + π΄ 4 ) β πσΈ ) .

In the case that the customer spends an π-cash twice or more, the bank π΅ can compute π1 β π1σΈ , π2 β π2σΈ

(37)

β1

π πΏππ. Then, the bank π΅ checks its databases in the withdrawal protocol to find the record {IDπΆ, (πβ1 LST, π’, π)} and knows the identity information IDπΆ of the malicious customer πΆ. Here (π1 , π2 ) and (π1σΈ , π2σΈ ) are information the customer πΆ sends to the merchant π in payment phase in twice consumption, respectively. In fact, π1 = ππ1 π§ + π€1 , π1σΈ = ππ2 π§ + π€1 , π2 = π1 π§ + π€2 ,

(38)

π2σΈ = π2 π§ + π€2 . So, π=

π1 β π1σΈ . π2 β π2σΈ

(39) β1

Definition 1 (the linkability game). Let π be a security parameter and let πΆ1 and πΆ2 be two customers. πΆ1 , πΆ2 , and the bank π΅ are involved in the following game.

Step 2. We randomly choose a bit πσΈ β {0, 1} and place (πΎπσΈ , πΏπππσΈ ) and (πΎ1βπσΈ , πΏππ1βπσΈ ) on the private input tapes of πΆ1 and πΆ2 , respectively. The bit πσΈ will not be disclosed to the bank π΅. Step 3. The bank π΅ and two customers πΆ1 , πΆ2 perform the withdrawal protocol of the proposed scheme.

6. Double Spender Detection

π=

In this section, we show that the proposed scheme satisfies the property of unlinkability and unforgeability.

Step 1. The bank π΅ outputs two Licenses πΏππ0 and πΏππ1 .

= π (πΉ, π) π (βπππ , π)

= π (πΉ β πππ , π) = π (π¦π, π) = π,

When the customer sends π-cash (πΏππ, πΎσΈ , πσΈ ) to the merchant, the merchant computes signature (π, π·) on (πΏππ, πΎσΈ , πσΈ ). When the merchant sends (π, π·) to the customer, the customer first verifies it using the public key ππ of the merchant π. When (π, π·) satisfies the verification equation, the customer sends (π1 , π2 , π΄ 1 , π΄ 2 , π΄ 3 , π΄ 4 , π, πΉ) to the merchant. If later the merchant uses π-cash (πΏππ, πΎσΈ , πσΈ ) and (π1 , π2 , π΄ 1 , π΄ 2 , π΄ 3 , π΄ 4 , π, πΉ) to spend to other merchants and cheats the customer, the customer can show the merchantβs signature to some arbitration agency. So, the scheme can effectively resist merchants cheat attack.

Hence, the bank πΆ can compute π πΏππ and obtain the identity information IDπΆ of the malicious customer πΆ.

Step 4. If πΆ1 and πΆ2 output two π-cash (πΏπππσΈ , πΎπσΈ σΈ , ππσΈ σΈ ) and σΈ σΈ (πΏππ1βπσΈ , πΎ1βπ σΈ , π1βπσΈ ) on their private tapes, respectively, we give the two 3 tuples in a random order to the bank; otherwise, β₯ is given to π΅. Step 5. The bank π΅ outputs πσΈ β β {0, 1} as the guess of πσΈ . π΅ wins the game if πσΈ β = πσΈ . We define the advantage of π΅ as σ΅¨ σ΅¨ Traceality (40) Advπ΅ (π) = σ΅¨σ΅¨σ΅¨σ΅¨2π [πσΈ β = πσΈ ] β 1σ΅¨σ΅¨σ΅¨σ΅¨ . Definition 2 (unlinkability). The proposed scheme satisfies Traceality the unlinkability property if the advantage Advπ΅ (π) is negligible. Theorem 3. The proposed scheme satisfies the unlinkability property. Proof of Theorem 3. We consider the condition in Definition 1. Let (πΏππ, πΎσΈ , πσΈ ) be one of the two π-cash given to the bank and let (πΎ, β, π) be the view of the bank in one of the withdrawal protocols. It is sufficient to show that there exist two random factors (π, π) that map (πΎ, β, π) to (πΏππ, πΎσΈ , πσΈ ). We know πΎσΈ = ππΎ + ππππ΅ , β = πβ1 π»2 (LST β πΎσΈ ) + π, πσΈ = ππ.

(41)

8

Mobile Information Systems

So, by equation πσΈ = ππ, there is a unique π. Then, by equation β = πβ1 π»2 (πΏππ β πΎσΈ ) + π, there is a unique π. Furthermore, when π and πσΈ are correctly computed, the following equation holds: π (π, π) = π (πΎ + (πβ1 π»2 (LST β πΎσΈ ) + π) ππ΅ , πpub ) , π (πσΈ , π) = π (πΎσΈ + π»2 (LST β πΎσΈ ) ππ΅ , πpub ) .

(42)

So, it holds when πΎσΈ = ππΎ+ππππ΅ . It is to say that (π, π) always exists regardless of the values (πΏππ, πΎσΈ , πσΈ ) and (πΎ, β, π). Therefore, even an infinitely powerful bank outputs a correct value πσΈ with probability of exactly 1/2. So, the proposed scheme satisfies the unlinkability property. Definition 4 (the forgeability game). The adversary F and the challenger A play the following game. Step 1. The challenger A takes a security parameter and generates the public parameters params and sends params to the adversary F. Step 2. The adversary F can perform polynomially bounded number of hash queries, extract queries, and π-cash queries. These three kinds of queries answer the hash function, private key, and π-cash query by the adversary F, respectively. Step 3. The adversary F outputs a tuple π = ((πΏππ, πΎσΈ , πσΈ ), IDπ΅ ). This tuple satisfies the following requirements: (1) (πΏππ, πΎσΈ , πσΈ ) is a valid π-cash with regard to the bank π΅. (2) The adversary F has never requested the private key of the bank π΅. (3) π = ((πΏππ, πΎσΈ , πσΈ ), IDπ΅ ) has never been queried during the π-cash query. Definition 5 (unforgeability). An adversary F is said to be an (π, π‘, ππΈ , ππΌ , ππ»)-forger if it has advantage at least π in the above game, runs in time at most π‘, and makes at most ππΈ , ππΌ , and ππ» extract, π-cash, and hashing queries, respectively. A scheme is said to be (π, π‘, ππΈ , ππΌ , ππ»)-secure against A in the sense of unforgeable against π-cash existential forgery attack if no (π, π‘, ππΈ , ππΌ , ππ»)-forger exists. Theorem 6. If the CDH problem is hard, then the proposed scheme is secure against π-cash existential forgery attack. Proof of Theorem 6. Suppose that F is a forger who can forge π-cash in the proposed scheme. A CDH instance (π, π₯π, π¦π) is given for π₯, π¦ βπ ππβ , By using the forgery algorithm F, we will construct an algorithm A which outputs the CDH solution π₯π¦π in πΊ. Algorithm A performs the following simulation by interacting with the forger F. Setup. Algorithm A sets πpub = π₯π and starts by giving F the system parameters including (π, πpub ).

Table 1: Comparison of features of our scheme with recent schemes.

Chen et al. [15] Fan et al. [18] Juang [19] Zhang et al. [20] Ours

F1 Yes Yes Yes Yes Yes

F2 Fail Yes Yes Yes Yes

F3 Yes No Yes Yes Yes

F4 Yes Yes Yes No Yes

F5 Yes Yes No No Yes

F6 Fail No No No Yes

F1: anonymity/unlinkability; F2: unforgeability; F3: verification; F4: doublespending owner tracing; F5: anonymity revocation; F6: uncheatability of merchant.

Table 2: Required number of rounds for each protocol in compared schemes. Chen et al. [15] Fan et al. [18] Juang [19] Zhang et al. [20] Ours

P1 2 β 3 β 2

P2 2 4 3 3 4

P3 1 3 1 2 3

P4 1 1 1 1 1

P5 1 β 2 β 1

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing.

At any time, F can query the random oracle π»1 , π»2 and extract and cash queries. To answer these queries, A does the following. π»1 -Queries. At any time F can query the random oracle π»1 . To respond to these queries, A maintains a list π»1 -list of tuples (ID, π, π‘, π) as explained below. When an identity ID is submitted to the π»1 oracle, A responds as follows: If the query ID already appears on the π»1 -list in a tuple (ID, π, π‘, π), A responds with π»1 (ID) = π. Otherwise, A generates a random coin π β {0, 1}. If π = 0 then A computes π = π‘(π¦π) for a random π‘ β ππβ ; If π = 1 then A computes π = π‘π. A adds the tuple (ID, π, π‘, π) to π»1 -list and responds to F with π»1 (ID) = π. π»2 -Queries. To respond to π»2 -Queries, A maintains a list referred to as π»2 -list of tuples (πΏππ β πΎσΈ , π). When F queries the π»2 oracle at (πΏππ β πΎσΈ ), A responds as follows: If the query (πΏππ β πΎσΈ ) already appears on the π»2 -list in a tuple (πΏππ β πΎσΈ , π), then A responds with π»2 (πΏππ β πΎσΈ ) = π β ππ . Otherwise, A generates a random π β ππ and adds the tuples (πΏππ β πΎσΈ , π) to π»2 -list and responds to F with π»2 (πΏππ β πΎσΈ ) = π. Extract Queries. When F queries the private key corresponding to ID, A first finds the corresponding (ID, π, π‘, π) from the π»1 -list. If π = 0, then A fails and halts. Otherwise, A computes the private key πID = π‘ β πpub = π‘(π₯π) by using the tuple (ID, π, π‘, π) in the π»1 -list and responds to F with πID . Cash Queries. If F requests an π-cash on πΏππ under ID, A responds to this query as follows: A first finds the corresponding tuple (ID, π, π‘, π) from π»1 -list and chooses one random number π, π β ππβ and computes πΎσΈ = ππ β ππ.

Mobile Information Systems

9 Table 3: Comparison of computation costs.

Chen et al. [15] Zhang et al. [20] Ours

P1 E + 2H + 3B β E + 4H + 5B + 2L

P2 4H + 6B 2H + 2B + L 2H + 4B

P3 H + 3B 2H + 3B 4H + 9B

P4 H + 3B 2H + 3B 2H + 8B

P5 D β D

P1: license-issuing protocol; P2: withdrawal protocol; P3: payment protocol; P4: deposit protocol; P5: owner tracing. E: symmetrical encryption; D: symmetrical decryption; H: hash computation; B: bilinear pairings; L: modular exponentiation.

If (πΏππ β πΎσΈ , π) already appears on the π»2 -list, A chooses another π, π β ππβ and tries again. Otherwise, A computes πσΈ = π β πpub and stores (πΏππ β πΎσΈ , π) on the π»2 -list. Then A responds to F with (πσΈ , πΎσΈ ). Indeed, the output is valid π-cash on πΏππ for ID. In fact, π (πΎσΈ + π»2 (LST β πΎσΈ ) ππ΅ , πpub ) = π (ππ β ππ + ππ, πpub ) = π (ππ, πpub )

(43)

= π (ππpub , π) = π (πσΈ , π) .

Output. If A does not abort as a result of Fβs extract query, then Fβs view is identical to its view in the real attack. By Forking Lemma, after replying F with the same random tape, A obtains two valid π-cash: (πΏππ, πΎσΈ , πσΈ ) , (πΏππ, πΎσΈ , πσΈ β ) .

10. Conclusion (44)

Correspondingly, there are two valid signatures (π, πΎ) and (πβ , πΎ), because π = (π + β) ππ΅ , πβ = (π + ββ ) ππ΅ .

and recovering phase in Juangβs scheme are computed to license-issuing protocol and owner tracing protocol, respectively. By Table 2, the proposed scheme demonstrates better communication efficiency under enhanced security. Our scheme and schemes [15, 20] are all id-based scheme using bilinear pairings. So, in Table 3, we compare the computation cost of our scheme with schemes [15, 20]. It is necessary to illustrate that Zhang et al.βs scheme [20] has no license-issuing protocol and owner tracing protocol and for fair comparison, we have not computed the computation cost of encryption and its related computation cost in Chen et al.βs scheme. Compared with Chen et al.βs scheme, there are eleven more pairings computations in the proposed scheme. These eleven pairings computations are in payment protocol and deposit protocol and useful to prevent the merchant from cheat. In practice, we can use elliptic curves to reduce the computation cost of bilinear pairings.

(45)

In this paper, we show that Chen et al.βs electronic cash scheme is suffering from some weaknesses in unforgeability and merchant frauds. To contribute a secure scheme, we propose a new offline electronic cash scheme with anonymity revocation. We also provide the formally security proofs of the unlinkability and unforgeability. Furthermore, the proposed scheme ensures the property of avoiding merchant frauds.

So, by the security proof of [22], A obtains (π₯π¦)π = ππ΅ = (β β ββ )β1 (π β πβ ). This completes the proof.

Competing Interests

9. Comparisons

Acknowledgments

In this section, we compare our scheme with [15, 18β20] in some features, communication efficiency, and computation cost. The features are anonymity/unlinkability, unforgeability, verification, double-spending owner tracing, anonymity revocation, and uncheatability of merchant. Our scheme satisfies all of above features, but the others do not. We show the comparison result in Table 1. In Table 2, we compare the communication efficiency of our scheme with other schemes. Fan et al.βs scheme [18] and Zhang et al.βs scheme [20] are not trustee based, and therefore they do not have license-issuing protocol and owner tracing protocol. Juangβs scheme [19] also does not have license-issuing protocol and owner tracing protocol but has the initializing phase and recovering phase. For comparison, the numbers of rounds of initializing phase

This work is supported by the Applied Basic and Advanced Technology Research Programs of Tianjin (no. 15JCYBJC15900).

The authors declare that they have no competing interests.

References [1] D. Chaum, βBlind signatures for untraceable payments,β in Crypto 82, pp. 199β203, Plenum Press, New York, NY, USA, 1983. [2] Z. Eslami and M. Talebi, βA new untraceable off-line electronic cash system,β Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59β66, 2011. [3] R. Anderson, C. Manifavas, and C. Sutherland, βNetCardβ a practical electronic-cash system,β in Security Protocols, vol.

10

[4]

[5]

[6] [7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

Mobile Information Systems 1189 of Lecture Notes in Computer Science, pp. 49β57, Springer, Berlin, Germany, 1997. G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, βAnonymity control in e-cash systems,β in Financial Cryptography, vol. 1318 of Lecture Notes in Computer Science, pp. 1β16, Springer, Berlin, Germany, 1997. G. Maitland and C. Boyd, βFair electronic cash based on a group signature scheme,β in Information and Communication Security, pp. 461β465, Springer, 2001. D. Chaum and S. Brands, ββMintingβ electronic cash,β IEEE Spectrum, vol. 34, no. 2, pp. 30β34, 1997. J. Camenisch, S. Hohenberger, and A. Lysyanskaya, βCompact e-cash,β in Advances in CryptologyβEUROCRYPT 2005, R. Cramer, Ed., vol. 3494 of Lecture Notes in Computer Science, pp. 302β321, Springer, 2005. H. Wang and Y. Zhang, βUntraceable off-line electronic cash flow in e-commerce,β in Proceedings of the 24th Australasian Computer Science Conference (ACSC β01), pp. 191β198, IEEE, Gold Coast, Australia, January-February 2001. S. Brands, βUntraceable off-line cash in wallet with observers,β in Advances in CryptologyβCRYPTO β93, pp. 302β318, Springer, 1994. C.-Y. Ku, C.-J. Tsao, Y.-H. Lin, and C.-Y. Chen, βAn escrow electronic cash system with limited traceability,β Information Sciences, vol. 164, no. 1β4, pp. 17β30, 2004. T. Cao, D. Lin, and R. Xue, βA randomized RSA-based partially blind signature scheme for electronic cash,β Computers & Security, vol. 24, no. 1, pp. 44β49, 2005. W.-S. Juang, βD-cash: a flexible pre-paid e-cash scheme for dateattachment,β Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74β80, 2007. C. Fan and W. Sun, βEfficient encoding scheme for date attachable electronic cash,β in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory (CMCT β07), pp. 405β410, Nantou, Taiwan, 2007. Y. Baseri, B. Takhtaei, and J. Mohajeri, βSecure untraceable offline electronic cash system,β Scientia Iranica, vol. 20, no. 3, pp. 637β646, 2013. Y. Chen, J.-S. Chou, H.-M. Sun, and M.-H. Cho, βA novel electronic cash system with trustee-based anonymity revocation from pairing,β Electronic Commerce Research and Applications, vol. 10, no. 6, pp. 673β682, 2011. Y.-F. Chang, βA critique of βa novel electronic cash system with trustee-based anonymity revocation from pairing,β by Chen, Chou, Sun and Cho (2011),β Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 441β442, 2012. Y. L. Chen, J.-S. Chou, H.-M. Sun, and M.-S. Cho, βA response to a critique of βA novel electronic cash system with trustee-based anonymity revocation from pairing,β by Chen, Chou, Sun and Cho (2011),β Electronic Commerce Research and Applications, vol. 11, no. 4, pp. 443β444, 2012. C.-I. Fan, V. S. Huang, and Y.-C. Yu, βUser efficient recoverable off-line e-cash scheme with fast anonymity revoking,β Mathematical and Computer Modelling, vol. 58, no. 1-2, pp. 227β237, 2013. W.-S. Juang, βRO-cash: an efficient and practical recoverable pre-paid offline e-cash scheme using bilinear pairings,β Journal of Systems and Software, vol. 83, no. 4, pp. 638β645, 2010. L. Zhang, F. Zhang, B. Qin, and S. Liu, βProvably-secure electronic cash based on certificateless partially-blind signatures,β Electronic Commerce Research and Applications, vol. 10, no. 5, pp. 545β552, 2011.

[21] F. Hess, βEfficient identity based signature schemes based on pairings,β in Selected Areas in Cryptography: 9th Annual International Workshop, SAC 2002 St. Johnβs, Newfoundland, Canada, August 15-16, 2002 Revised Papers, vol. 2595 of Lecture Notes in Computer Science, pp. 310β324, Springer, Berlin, Germany, 2003. [22] F. Zhang and F. Kim, βEfficient ID-based blind signature and proxy signature from bilinear pairings,β in Proceedings of the 8th Australasian Conference on Information Security and Privacy (ACISP β03), Wollongong, Australia, July 2003, Lecture Notes in Computer Science, pp. 312β323, Springer, 2003.

Journal of

Advances in

Industrial Engineering

Multimedia

Hindawi Publishing Corporation http://www.hindawi.com

The Scientific World Journal Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Applied Computational Intelligence and Soft Computing

International Journal of

Distributed Sensor Networks Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Advances in

Fuzzy Systems Modelling & Simulation in Engineering Hindawi Publishing Corporation http://www.hindawi.com

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Volume 2014

Submit your manuscripts at http://www.hindawi.com

Journal of

Computer Networks and Communications

βAdvancesβinβ

Artificial Intelligence Hindawi Publishing Corporation http://www.hindawi.com

HindawiβPublishingβCorporation http://www.hindawi.com

Volume 2014

International Journal of

Biomedical Imaging

Volumeβ2014

Advances in

Artificial Neural Systems

International Journal of

Computer Engineering

Computer Games Technology

Hindawi Publishing Corporation http://www.hindawi.com

Hindawi Publishing Corporation http://www.hindawi.com

Advances in

Volume 2014

Advances in

Software Engineering Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

International Journal of

Reconfigurable Computing

Robotics Hindawi Publishing Corporation http://www.hindawi.com

Computational Intelligence and Neuroscience

Advances in

Human-Computer Interaction

Journal of

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Journal of

Electrical and Computer Engineering Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014