A Novel ID-based Electronic Cash System from Pairings

Jue-Sam Chou 1, Yalin Chen 2, Ming-Hsun Cho 3, Hung-Min Sun 4

1 Department of Information Management, Nanhua University, Taiwan, R.O.C. (corresponding author: jschou@mail.nhu.edu.tw, Tel: 886+ ( ext.5656)
2 Institute of Information Systems and Applications, National Tsing Hua University, d94970@oz.nthu.edu.tw
3 Department of Information Management, Nanhua University, Chung Keng Li, Dalin, Chiayi 6, Taiwan, R.O.C., dsshng@gmail.com
4 Institute of Information Systems and Applications, National Tsing Hua University, cs.nthu.edu.tw

Abstract

Recently, Chen et al. and Juang et al. each proposed one and two e-cash payment systems, respectively. They claimed that their schemes are secure. However, in this paper we present the shortcomings of their schemes and then propose a novel one from pairings. After security analysis and comparison, we conclude that our scheme is not only more secure but also possesses more of the functions that a secure electronic cash system should encompass than all of the previously proposed protocols.

Keywords: Electronic cash, e-cash, Off-line, Bilinear pairing, Blind signature, ID-based.

1. Introduction

Nowadays, electronic commerce is becoming more and more popular on the Internet, and many kinds of internet services have been developed. Among them, the electronic payment system is one of the most important technologies. In 1982, Chaum [1] first proposed an untraceable electronic cash system based on blind signatures, which allow a requester to obtain a signature on a message from a signer without revealing the message content, and which prevent the signer from linking any signed message to its signature. In 1984, Shamir [2] introduced the concept of ID-based cryptography to simplify the key management procedures of public key infrastructures. It requires no key exchange: a user's public key can be derived from his identity, and his private key is generated by a trusted third party called the Private Key Generator (PKG). Boneh and Franklin [3] proposed a practical ID-based encryption scheme in 2001, and Zhang and Kim [4] proposed the first ID-based blind signature scheme in 2002. In such systems, data encryption and signature verification require only the user's identity along with some public system parameters. Subsequently, many blind signature schemes [5-10] and many electronic cash systems [15-24] employing blind signature technology, based on either the traditional DLP or an ID-based cryptosystem, have been proposed.

In 200[?], H. Wang et al. [18] proposed an untraceable off-line electronic cash scheme. They claimed that in their scheme the user remains anonymous from the withdrawal phase, through the payment phase, to the deposit phase. However, we found that their scheme not only fails to satisfy the anonymity property but also cannot prevent an adversary from using the coin for shopping. We demonstrate these weaknesses in Appendix A.( ) and (4), respectively. In 2004, Juang et al. [15] proposed a practical anonymous multi-authority e-cash scheme to achieve the goals of anonymity, security and verifiability. However, their scheme does not satisfy the unforgeability property, because an adversary can fake an e-coin for shopping over the internet. In 2005, Chen et al. [17] proposed an RSA-based deposit delegation scheme. They claimed that their scheme is simple and secure. Yet we found it insecure, for an adversary can easily confuse the system by masquerading as another merchant. Moreover, their scheme is not a complete solution for an electronic cash system, since it only concerns the deposit function. In 2007, Juang [16] proposed a D-cash system and claimed that it is practical and flexible. However, after analysis, we found that Juang's scheme does not satisfy the unforgeability property, because an adversary can easily fake a signature for the customer during the withdrawal phase. (Later in this article we demonstrate the weaknesses of schemes [15, 16, 17].) Also in 2007, Popescu et al. [19] proposed an off-line electronic cash scheme based on pairings and claimed that it is secure. However, it has a serious drawback: the e-coin in the withdrawal phase is different from the one in the payment phase. This violates the basic rule of an e-cash system. In 2008, Shangping Wang et al. [20] proposed a certificateless electronic cash scheme with multiple banks based on group signatures. They claimed that their scheme satisfies various security requirements, but we found that it has a shortcoming: an adversary can successfully pass the identity verification and withdraw an e-coin in the withdrawal phase. We demonstrate this weakness in Appendix A.(4). Also in 2008, Alfredo De Santis et al. [21] showed an attack on Wang et al.'s flexible payment scheme [24]. Their attack uses only public information to construct a faked proof of ownership of a coin. In 2009, Fan et al. [22] proposed a fair anonymous rewarding scheme based on electronic cash, and Ashrafi et al. [23] proposed privacy-preserving e-payments using one-time payment. However, the former emphasizes fair rewarding rather than the e-cash mechanism itself, and the latter focuses only on the payment phase. That is, a secure and complete system is still lacking. Hence, in this paper, we propose such a system.

We first review the shortcomings of three e-cash schemes [15-17] and then propose a secure ID-based electronic cash system from pairings. The remainder of this paper is organized as follows. In Section 2, we describe the roles and functions in a secure electronic cash system, the background concepts of bilinear pairings, and some related mathematical problems. In Section 3, we analyze the schemes of Juang et al. [15], Juang [16], and Chen et al. [17], respectively. After that, we present our ID-based bilinear pairing electronic cash system in Section 4 and analyze its security in Section 5. Then we make comparisons with other schemes in Section 6. Finally, a conclusion is given in Section 7.

2. Background

In this section, we briefly review the roles and functions in a secure complete electronic cash system, the basic knowledge of bilinear pairings, and some related mathematical problems on which the security of our scheme is based.

2.1 Roles and functions in a secure complete electronic cash system

A simple electronic cash system [18] consists of three parties (a customer C, a bank B, and a merchant M) and three main procedures (withdrawal, payment and deposit). In an e-coin's life cycle, the customer C first opens an account at a bank B. To obtain an e-coin, C performs a withdrawal protocol with B. C then performs a payment protocol for shopping at a merchant M by using the withdrawn e-coin. After receiving the e-coin, M sends it to the bank B, and B transfers the corresponding money to M's account. Moreover, from [16, 18, 19, 20, 24, 25], we summarize five important requirements for a secure complete electronic cash system. They are: (1) mutual authentication, (2) verifiability, (3) anonymity, (4) unforgeability, and (5) traceability. Mutual authentication means that two parties can authenticate each other correctly. Verifiability means that one party can ensure the correctness and integrity of the messages transmitted by the other designated party. Anonymity signifies that no e-coin can be linked by the bank to its corresponding withdrawal. Unforgeability indicates that no adversary can create a valid e-coin without withdrawing it from a bank. And traceability means that the identity of a customer can be revealed if the same e-coin is spent twice.

2.2 Bilinear Pairings

Let G1 be a cyclic additive group of prime order q generated by a base point P, and let G2 be a cyclic multiplicative group of the same order. It is assumed that solving the discrete logarithm problem (DLP) in both G1 and G2 is difficult [ ].

A cryptographic bilinear map ê is defined as ê: G1 × G1 → G2 with the following properties [ ]:
(1) Bilinearity: ê(aP, bQ) = ê(P, Q)^{ab} for all P, Q ∈ G1 and all a, b ∈ Z_q.
(2) Non-degeneracy: there exist P, Q ∈ G1 such that ê(P, Q) ≠ 1; in other words, the map does not send all pairs in G1 × G1 to the identity in G2.
(3) Computability: there is an efficient algorithm to compute ê(P, Q) for all P, Q ∈ G1.

2.3 Computational Problems on Elliptic Curves

Here we introduce the mathematical problems which form the security basis of our scheme.
(1) Elliptic Curve Discrete Logarithm Problem (ECDLP): given two elements P, Q ∈ G1, find an integer a ∈ Z_q such that Q = aP.
(2) Computational Diffie-Hellman Problem (CDHP): for any a, b ∈ Z_q, given P, aP, bP, compute abP.
(3) Decisional Diffie-Hellman Problem (DDHP): for any a, b, c ∈ Z_q, given P, aP, bP, cP, decide whether c = ab mod q.
(4) Bilinear Computational Diffie-Hellman Problem (BDHP): for any a, b, c ∈ Z_q, given P, aP, bP, cP, compute ê(P, P)^{abc}.

3. Reviews and attacks on three e-cash schemes

In this section, we review and show our attacks on Juang et al.'s e-cash scheme [15] in Section 3.1, Juang's D-cash scheme [16] in Section 3.2, and Chen et al.'s deposit delegation scheme [17] in Section 3.3, respectively.

3.1 Review and attack on Juang et al.'s scheme

In 2004, Juang et al. proposed an anonymous multi-authority e-cash scheme [15] concerning only the withdrawing phase and the paying phase. They claimed that their scheme is secure. However, we found that it does not satisfy the unforgeability property, because an adversary can fake a valid e-coin for shopping over the internet. In the following, we demonstrate this by first reviewing their scheme in part (A) and then showing the weakness in part (B).

(A) Review of Juang et al.'s scheme

We first list the definitions of the notations used and then show the four phases of their scheme.

(a) Definitions of used notations
(symbol illegible): a public one-way permutation function
H: a public one-way hash function
n: the number of money issuers before the preparation phase
QUAL: the set of non-disqualified money issuers after the preparation phase
n': the number of non-disqualified money issuers in QUAL
I_i, 1 ≤ i ≤ n: the identity of money issuer i before the preparation phase
I_i, 1 ≤ i ≤ n': the identity of non-disqualified money issuer i after the preparation phase
d_c: the secret key chosen by the customer
d_{I_i}: the secret key chosen by I_i
e_c: the customer's corresponding public key
e_{I_i}: I_i's corresponding public key
p, q: two large strong prime numbers satisfying q divides (p − 1)
g: a generator of Z_p^*
h: a random value generated by a generic distributed coin-flipping protocol, also a generator of Z_p^*

(b) The four phases
Juang et al.'s scheme consists of four phases: (1) initialization phase, (2) preparation phase, (3) withdrawal phase, and (4) paying phase. We describe them as follows.

(1) Initialization phase. The bank publishes all public parameters n, t, p, q, g and h, all identifications of the e-coin issuers I_i, 1 ≤ i ≤ n, the public one-way permutation, and the public one-way hash function H.

(2) Preparation phase (as shown in Fig. 1). All I_i, 1 ≤ i ≤ n, must cooperate to distribute their secret shadows to each other. They carry out the following steps:
Step 1: I_i chooses a secret key z_i ∈ Z_q and two secret polynomials f_i(x) = Σ_{k=0}^{t−1} a_{i,k} x^k and f'_i(x) = Σ_{k=0}^{t−1} a'_{i,k} x^k such that a_{i,0} = z_i. He computes G_{i,k} = g^{a_{i,k}} h^{a'_{i,k}} mod p and sends G_{i,k}, 0 ≤ k ≤ t−1, to every I_j, 1 ≤ j ≤ n, j ≠ i.
Step 2: Upon receiving G_{j,k}, 1 ≤ j ≤ n, 0 ≤ k ≤ t−1, from all other issuers, I_i secretly sends f_i(x_j) and f'_i(x_j) to every other I_j, where x_j is a unique public number for I_j.
Step 3: When I_i receives all f_j(x_i) and f'_j(x_i), 1 ≤ j ≤ n, j ≠ i, from the other issuers, he verifies whether the shares received from I_j are consistent with the certified values G_{j,l}, 0 ≤ l ≤ t−1, by checking whether or not g^{f_j(x_i)} h^{f'_j(x_i)} ≡ Π_{l=0}^{t−1} (G_{j,l})^{x_i^l} (mod p). If the check fails, I_i broadcasts that an error has occurred and publishes f_j(x_i), f'_j(x_i) and the authentication information for I_j. Each issuer except the dishonest issuer I_j then marks I_j as disqualified and excludes I_j from the set of non-disqualified issuers QUAL.
Step 4: Every issuer I_i, i ∈ QUAL, broadcasts A_{i,l} = g^{a_{i,l}} mod p, 0 ≤ l ≤ t−1.
Step 5: When I_i, i ∈ QUAL, receives all A_{j,l} from the other issuers in QUAL, he verifies whether g^{f_j(x_i)} ≡ Π_{l=0}^{t−1} (A_{j,l})^{x_i^l} (mod p). If this check fails for an index j, I_i broadcasts that an error has been found and publishes f_j(x_i), f'_j(x_i) and the authentication information for I_j; I_i and any t issuers in QUAL can then cooperate to compute z_j, f_j(x), and A_{j,k}, 0 ≤ k ≤ t−1. Anyone can then compute the public shadows g^{f_j(x)} = Π_{l=0}^{t−1} (A_{j,l})^{x^l} mod p and the group public key y = Π_{j ∈ QUAL} y_j = Π_{j ∈ QUAL} A_{j,0} mod p, where y_j = A_{j,0} = g^{z_j} mod p, j ∈ QUAL, is the personal public key of I_j. The group public key y, all public shadows, and the personal public keys can then be published by each issuer I_i. They assume that the n' non-disqualified issuers in QUAL are I_1, ..., I_{n'}.

Fig. 1. The preparation phase of the multi-authority e-cash scheme.

(3) Withdrawal phase (as shown in Fig. 2). In this phase, customer ID_c employs a threshold blind signature scheme to get a blind e-coin from t honest issuers. Without loss of generality, they assume that the t out of n' issuers requested by ID_c are I_1, ..., I_t. Customer ID_c and I_i, 1 ≤ i ≤ t, then together perform the following protocol.
Step 1: Each I_i randomly chooses a number k_i ∈ Z_q, computes r̂_i = g^{k_i} mod p, and sends r̂_i to the customer.
Step 2: After receiving all r̂_i, the customer does the following. He computes the value m = (H_ID || RD || H^x(·)), where H^0(·) is a random number, H^i(·) = H(H^{i−1}(·)) for 1 ≤ i ≤ x, RD is the redundancy information for verification, and H_ID, derived from ID_c, is a unique header. He chooses two random numbers in Z_q and uses them, together with the received r̂_i and m, to compute the blinded values r and m̂. He checks whether m̂ ≠ 0; if so, he sends m̂ to all I_i, 1 ≤ i ≤ t, otherwise he goes back to the start of Step 2.
Step 3: Upon receiving m̂, each I_i, 1 ≤ i ≤ t, checks whether the customer has enough money in the bank. If so, he informs the bank to deduct x dollars from the customer's account, computes his partial signature ŝ_i from m̂, his secret z_i, the shares f_l(x_i) (t+1 ≤ l ≤ n') weighted by the Lagrange coefficients over x_1, ..., x_t, and k_i, and sends ŝ_i back to the customer. Otherwise, I_i rejects the customer's withdrawal.
Step 4: After receiving all ŝ_i, 1 ≤ i ≤ t, the customer unblinds each ŝ_i into s_i and checks the corresponding verification equation against y, r_i and the public shadows. If it does not hold, ŝ_i is not valid and the customer asks the corresponding issuer to send it again. Otherwise, he combines the s_i, 1 ≤ i ≤ t, into the signature s.
Step 5: After exactly t issuers have informed the bank to deduct x dollars from the customer's account, the bank performs the deduction.

Fig. 2. The withdrawal phase of the multi-authority e-cash scheme.

(4) Paying phase (as shown in Fig. 3). Assume that a customer has accumulatively spent some amount, written here as a dollars, in some shops with an e-coin (r, s, a, a_l, H^{x−a}(·)), where a_l denotes the amount spent at the l-th transaction and a < x. In this phase, if the customer wants to pay the shop b dollars, the customer and the shop cooperate in the following steps:
Step 1: If a + b ≤ x, the customer sends the e-coin (r, s, a, b, H^{x−a−b}(·)), representing b dollars, to the shop. Otherwise, he stops.
Step 2: After receiving the e-coin, the shop verifies whether it is valid by checking g^s ≡ r · y^{rm} (mod p), and checks whether both H^{a+b}(H^{x−a−b}(·)) = H^x(·) and RD contains the required redundancy information. If both hold, the shop calls the bank to check whether the e-coin is double-spent, by sending it the e-coin (r, s, a, b, H^{x−a−b}(·)).
Step 3: The bank checks whether the previously spent e-coin (r, s, ·, ·, H^{x−a}(·)) is stored in its database. If so, or if a = 0, the bank confirms that the e-coin is not double-spent. Then the shop accepts the e-coin and deposits b dollars in the bank. The bank increases the shop's account by b dollars and stores the e-coin (r, s, a, b, H^{x−a−b}(·)) in its database for subsequent double-spending checks.

Fig. 3. The paying phase of the multi-authority e-cash scheme.

(B) Attack on Juang et al.'s scheme

It is obvious that Juang et al.'s e-cash scheme suffers from a man-in-the-middle attack in the paying phase. For example, if the customer holds a one-hundred-dollar e-coin and pays a shop for a commodity, he sends (r, s, a, b, H^60(·)) to the shop, where a + b = 40. The adversary can simply intercept this e-coin and change it to (r, s, a, b − 10, H^70(·)): H^70(·) is just H^10(H^60(·)), and neither the signature check nor the hash-chain check in Step 2 covers the amounts. He can then present this modified e-coin to the shop, or to another one, to purchase a commodity costing b − 10 dollars. The shop will unknowingly verify it as legal.

3.2 Review and attack on Juang's D-cash scheme

In 2007, Juang proposed a flexible pre-paid e-cash scheme with date attachment [16]. His scheme mainly concerns the withdrawing phase and the date-attaching phase. He claimed that his scheme is secure. However, we found that it does not satisfy the unforgeability property, since an adversary can fake a signature for the customer during the withdrawal phase. In the following, we (A) briefly review his scheme, and (B) show our attack.

(A) Review of Juang's D-cash scheme

Juang's scheme consists of four phases: (1) initializing phase, (2) withdrawing phase, (3) date-attaching phase, and (4) depositing phase. In the following, we (a) show the definitions of used notations, and (b) describe the four phases.

(a) Definitions of used notations
h1, h2: two secure one-way hash functions
p, q: two large strong prime numbers satisfying q divides (p − 1)
(symbol illegible): a generator of Z_p^*
c1, c2: the withdrawing date and the effective date, respectively
g: a generator of a subgroup of Z_p^* with order q
Φ(x, y, c) (the polynomial is written Φ here): a public polynomial defined as h1(c)·x + h2(c)·y mod q

(b) The four phases
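Before the review of Juang's D-cash scheme continues, the following added example (not code from the paper or from Juang et al.'s scheme) revisits the point of Section 3.1(B): a shop that checks a signature on the coin header and a hash chain, but not the amounts that travel beside them, cannot tell a lowered amount from the original one. The toy below uses a Schnorr-style signature over constructed parameters (arithmetic mod 2^61 − 1 with exponents mod 2^61 − 2; no real security) in place of the scheme's threshold blind signature, a SHA-256 chain for H^i, and the amounts a = 10, b = 30 as constructed sample values. It shows the weak check accepting a lowered amount and then a hardened payment in which the coin holder signs every payment field with a per-coin key bound into the header, so the same modification is rejected.

```python
import hashlib
import secrets

# Constructed toy parameters for illustration only (no real security):
# arithmetic in Z_P^* with P = 2^61 - 1 (a Mersenne prime), exponents mod Q = P - 1.
P = 2**61 - 1
Q = P - 1
G = 3
X = 100  # face value of the coin in dollars, as in the paper's example


def h_int(*parts: bytes) -> int:
    """Hash the parts to an exponent mod Q (stand-in for the scheme's hash H)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q


def hchain(seed: bytes, n: int) -> bytes:
    """H^n(seed): apply SHA-256 n times; H^0(seed) is the seed itself."""
    for _ in range(n):
        seed = hashlib.sha256(seed).digest()
    return seed


def keygen():
    z = secrets.randbelow(Q - 1) + 1
    return z, pow(G, z, P)


def sign(z: int, msg: bytes):
    """Schnorr-style signature (r, s): r = g^k, s = k + z*H(r, msg) mod Q."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + z * h_int(str(r).encode(), msg)) % Q


def verify(y: int, msg: bytes, sig) -> bool:
    """Check g^s == r * y^H(r, msg) mod P."""
    r, s = sig
    return pow(G, s, P) == (r * pow(y, h_int(str(r).encode(), msg), P)) % P


def make_coin(bank_z: int, seed: bytes, holder_y: int):
    """Coin header signed by the bank: binds H^X(seed) and a per-coin holder key y."""
    header = b"RD|" + hchain(seed, X).hex().encode() + b"|" + str(holder_y).encode()
    return header, sign(bank_z, header)


def pay_weak(coin, seed: bytes, spent: int, pay: int):
    """Payment shaped like the reviewed scheme: the amounts ride beside the coin, unsigned."""
    header, sig = coin
    return header, sig, spent, pay, hchain(seed, X - spent - pay)


def shop_check_weak(bank_y: int, payment) -> bool:
    """The shop's checks: bank signature on the header, and the chain closes at H^X."""
    header, sig, spent, pay, tail = payment
    hx = header.split(b"|")[1]
    return verify(bank_y, header, sig) and hchain(tail, spent + pay).hex().encode() == hx


def lower_amount(payment, delta: int):
    """The modification of Section 3.1(B): pay - delta, chain extended by delta steps.
    Both checks in shop_check_weak still pass because neither covers the amounts."""
    header, sig, spent, pay, tail = payment
    return header, sig, spent, pay - delta, hchain(tail, delta)


def _payment_msg(header: bytes, spent: int, pay: int, tail: bytes) -> bytes:
    return b"|".join([header, str(spent).encode(), str(pay).encode(), tail.hex().encode()])


def pay_bound(coin, seed: bytes, holder_z: int, spent: int, pay: int):
    """Hardened payment: the holder signs (header, spent, pay, tail) with the per-coin key,
    so changing any field invalidates the payment."""
    header, sig = coin
    tail = hchain(seed, X - spent - pay)
    return header, sig, spent, pay, tail, sign(holder_z, _payment_msg(header, spent, pay, tail))


def shop_check_bound(bank_y: int, payment) -> bool:
    header, sig, spent, pay, tail, commit = payment
    parts = header.split(b"|")
    holder_y = int(parts[2])
    return (verify(bank_y, header, sig)
            and hchain(tail, spent + pay).hex().encode() == parts[1]
            and verify(holder_y, _payment_msg(header, spent, pay, tail), commit))


def demo():
    """Constructed run; returns (weak accepts honest, weak accepts lowered,
    bound accepts honest, bound accepts lowered)."""
    bank_z, bank_y = keygen()
    holder_z, holder_y = keygen()
    seed = b"constructed coin seed"
    coin = make_coin(bank_z, seed, holder_y)
    honest = pay_weak(coin, seed, 10, 30)   # 40 dollars used so far, H^60 travels with it
    lowered = lower_amount(honest, 10)      # 20 presented instead of 30, with H^70
    bound = pay_bound(coin, seed, holder_z, 10, 30)
    h, s, sp, pa, tl, cm = bound
    bound_lowered = (h, s, sp, pa - 10, hchain(tl, 10), cm)
    return (shop_check_weak(bank_y, honest), shop_check_weak(bank_y, lowered),
            shop_check_bound(bank_y, bound), shop_check_bound(bank_y, bound_lowered))


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

The per-coin holder key is the one thing the hardened variant adds to the coin header; because the bank signs the header, the shop learns the holder's key from the coin itself and needs no further registration, and every payment field is then covered by a signature that a man in the middle cannot recompute.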

(1) Initializing phase. The bank generates his private keys z1, z2 ∈ Z_q and sets y1 = g^{z1} mod p and y2 = g^{z2} mod p to be his corresponding public keys.

(2) Withdrawing phase (as shown in Fig. 4). When a customer withdraws an e-coin from the bank, he and the bank together perform the following steps. Here, the bank's public key is y_c = y1^{h1(c1)} · y2^{h2(c1)} = g^{h1(c1) z1 + h2(c1) z2} = g^{Φ(z1, z2, c1)} mod p, which contains the withdrawing date c1, and its corresponding private key is Φ(z1, z2, c1) = h1(c1) z1 + h2(c1) z2 mod q.

Fig. 4. The withdrawing phase of D-cash.

Step 1: The bank randomly chooses a number k ∈ Z_q, computes r̂ = g^k mod p, and sends r̂ to the customer.
Step 2: After receiving r̂, the customer does the following. He randomly chooses a private key z ∈ Z_q as his pseudonym and sets y = g^z mod p to be the corresponding public key of the pseudonym. He then computes M = (m || y), where m is the blind message containing a predefined message pattern for the e-coin. He chooses two random numbers in Z_q, written here as α and β, and computes r = M g^α r̂^β mod p and m̂ = r β^{−1} mod q. He checks whether m̂ ≠ 0; if so, he sends m̂ to the bank, otherwise he goes back and chooses new random numbers.
Step 3: Upon receiving m̂, the bank computes ŝ = m̂ Φ(z1, z2, c1) + k mod q and sends it back to the customer. It then deducts w dollars from the customer's bank account.
Step 4: After receiving ŝ, the customer computes s = ŝ β + α mod q and obtains the e-coin (r, s, c1).

(3) Date-attaching phase (as shown in Fig. 5). When the customer wants to spend the e-coin at a merchant, he and the merchant together perform the following steps.
Step 1: The customer signs the effective date c2 on the e-coin (r, s, c1) by computing r2 = (g^{k2} mod p) mod q and s2 = k2^{−1}(h1(r2 || s || c1 || c2) + z r2) mod q, where k2 ∈ Z_q is randomly chosen by the customer. He then sends (r, s, r2, s2, c1, c2) to the merchant.
Step 2: After receiving (r, s, r2, s2, c1, c2), the merchant verifies the validity of this e-coin by computing M = g^{−s} r y_c^{r} = (m || y) mod p and checking whether m contains the predefined message pattern. If so, he computes u1 = h1(r2 || s || c1 || c2) s2^{−1} mod q and u2 = r2 s2^{−1} mod q and checks whether both (g^{u1} y^{u2} mod p) mod q = r2 and c1 ≤ c2 hold. If both hold, the merchant calls the bank to check the freshness of the e-coin. If it is fresh, the merchant pays the customer the interest generated between the withdrawal date c1 and the effective date c2.

Fig. 5. The date-attaching phase of D-cash.

(4) Depositing phase. After the effective date c2 of the e-coin, the merchant can deposit it to his bank account. The bank will add w dollars to the merchant's account, pay the merchant the interest generated between the withdrawal date c1 of this e-coin and the deposit date, and store this transaction in its database.

(B) Attack on Juang's D-cash scheme

Although Juang claimed that his scheme is secure, we found that it has a serious weakness, which we describe as follows. In the withdrawing phase, when the bank sends r̂ to the customer, an adversary can intercept r̂ and compute r̂' = r̂ g^{k̃} = g^{k + k̃}, where k̃ is a number randomly chosen by the adversary. The adversary then sends r̂' to the customer. Upon receiving r̂', the customer computes r̃ = M g^α r̂'^β and m̂ = r̃ β^{−1}, and sends m̂ to the bank. Upon receiving m̂, the bank computes ŝ = m̂ Φ(z1, z2, c1) + k and sends it to the customer. The adversary can intercept ŝ, replace it with ŝ' = ŝ + k̃, and send ŝ' to the customer. Upon receiving ŝ', the customer computes s̃ = ŝ' β + α. The faked e-coin for the message m is then (r̃, s̃, c1). When the customer pays the faked e-coin (r̃, s̃, r2, s2, c1, c2) to the merchant in the date-attaching phase, where r2 = g^{k2} mod p, s2 = k2^{−1}[h1(r̃ || s̃ || c1 || c2) + z r2], and k2 ∈ Z_q is the random number chosen by the customer, the merchant first computes

g^{−s̃} r̃ y_c^{r̃} = g^{−s̃} r̃ g^{Φ(z1, z2, c1) r̃}
= g^{−[(ŝ + k̃) β + α]} g^{Φ(z1, z2, c1) r̃} r̃
= g^{−[(m̂ Φ(z1, z2, c1) + k + k̃) β + α]} g^{Φ(z1, z2, c1) r̃} r̃
= g^{−[r̃ Φ(z1, z2, c1) + (k + k̃) β + α]} g^{Φ(z1, z2, c1) r̃} r̃
= g^{−(k + k̃) β − α} · M g^α g^{(k + k̃) β}
= M,

where M = (m || y), to obtain y. He then computes u1 = h1(r̃ || s̃ || c1 || c2) s2^{−1} mod q and u2 = r2 s2^{−1} mod q to verify the validity of the e-coin by checking whether g^{u1} y^{u2} = r2 holds. The merchant's verification proceeds as follows:

g^{u1} y^{u2} = g^{h1(r̃ || s̃ || c1 || c2) s2^{−1}} g^{z r2 s2^{−1}}
= g^{[h1(r̃ || s̃ || c1 || c2) + z r2] s2^{−1}}
= g^{k2}
= r2.

Hence, the faked e-coin (r̃, s̃, c1) is verified successfully by the merchant in the date-attaching phase. Besides, Juang claimed that his scheme also satisfies the anonymity property. However, we found that in the withdrawing phase, although the values r and s in the e-coin (r, s, c1) are known only to the customer, the bank can learn the e-coin owner's identity from the withdrawing date c1 with non-negligible probability, since the bank needs to deduct w dollars from the customer's bank account in Step 3 of the withdrawing phase (as shown in Fig. 4).

3.3 Review and attack on Chen et al.'s RSA-based deposit delegation scheme

Chen et al. proposed an RSA-based deposit delegation scheme in [17]. They claimed that their scheme is secure. However, we found that it has a security weakness. In the following, we first describe their RSA-based deposit delegation scheme (as shown in Fig. 6) in part (A) and then show the weakness in part (B).

(A) Review of Chen et al.'s scheme (as shown in Fig. 6)

Chen et al.'s scheme contains four steps. In the following, we (a) list the definitions of used notations, and (b) show the four steps.

(a) Definitions of used notations
(p_x, q_x): a pair of large prime numbers
N_x: a large number, where N_x = p_x q_x
φ(N_x) = (p_x − 1)(q_x − 1)
(R1, R2): two ciphertexts
Sg_Acquirer: the acquirer's signature

(b) The four steps
Step 1: Initially, each bank X chooses a pair of prime numbers (p_x, q_x) and computes the product N_x. He then generates the public key P_x and the corresponding secret key S_x as the RSA encryption/decryption keys such that P_x S_x ≡ 1 (mod φ(N_x)). Before the merchant delegates its received electronic cash to the acquirer, the merchant randomly selects a blinding factor β and computes Mcash = (cash || ID_Merchant), R1 = (β || Mcash)^{P_Acquirer} mod N_Acquirer, and R2 = (ID_Acquirer || Mcash)^{P_Issuer} mod N_Issuer. The merchant then sends (R1, R2) to the acquirer.
Step 2: After receiving the above message, the acquirer computes (R1)^{S_Acquirer} mod N_Acquirer to obtain Mcash, and Sg_Acquirer = (Mcash)^{S_Acquirer} mod N_Acquirer. He then sends his signature Sg_Acquirer back to the merchant as the non-repudiation proof and forwards R2 to the issuer, for the issuer to deposit money to his account.
Step 3: The issuer uses its secret key S_Issuer to decrypt R2, obtaining ID_Acquirer, cash, and ID_Merchant: he computes (R2)^{S_Issuer} mod N_Issuer = (ID_Acquirer || Mcash) and Mcash = (cash || ID_Merchant). The issuer then verifies whether the cash is valid. If it is, he records cash, ID_Acquirer, and ID_Merchant for the necessity of double-deposit checking.
Step 4: Finally, the issuer transfers the corresponding funds to the designated acquirer ID_Acquirer, for ID_Acquirer to transfer them to ID_Merchant's account.

Fig. 6. Chen et al.'s RSA-based deposit delegation scheme.

(B) Attack on Chen et al.'s scheme

We found that in Chen et al.'s scheme, if an adversary intercepts cash in the withdrawal or the payment phase, he can masquerade as a merchant, Merchant', and confuse the system. We illustrate our attack as follows (also shown in Fig. 7):
Step 1: Assume that an adversary intercepts cash in the withdrawal or the payment phase. He can compute Mcash' = (cash || ID_Merchant'), R1' = (β' || Mcash')^{P_Acquirer} mod N_Acquirer, and R2' = (ID_Acquirer || Mcash')^{P_Issuer} mod N_Issuer, where β' is a random blinding factor chosen by Merchant'. He then sends (R1', R2') to the acquirer.
Step 2: After receiving (R1', R2'), the acquirer computes (R1')^{S_Acquirer} mod N_Acquirer to obtain Mcash', and Sg_Acquirer = (Mcash')^{S_Acquirer} mod N_Acquirer. He then sends the signature Sg_Acquirer back to the merchant as the non-repudiation proof and sends R2' to the issuer for depositing money to his account.
Step 3: After receiving R2', the issuer obtains cash, ID_Merchant', and ID_Acquirer by computing (R2')^{S_Issuer} mod N_Issuer = (ID_Acquirer || Mcash') and Mcash' = (cash || ID_Merchant').
Step 4: Finally, the issuer transfers the corresponding funds to the designated acquirer ID_Acquirer, for ID_Acquirer to transfer them to the adversary ID_Merchant''s account.

Fig. 7. The attack on Chen et al.'s RSA-based deposit delegation scheme.

It is obvious that the issuer verifies the cash successfully, as indicated in Step 3 of Fig. 7. The issuer then transfers the money from the customer's account to the bank account of Merchant' at the acquirer. But when the true merchant, the real owner of the cash, wants to send the cash to the acquirer, the issuer will find that the cash is double-spent. However, it is difficult for the issuer to find out which merchant is the real owner of the cash, because Merchant' can also present Sg_Acquirer to prove that he is the legal owner. So an adversary can easily confuse the system by masquerading as any other merchant.

4. Our proposed scheme

Since most of the proposed e-cash protocols are either insecure or incomplete, in this section we present a novel secure and complete e-cash scheme. Our protocol consists of six phases: (1) setup phase, (2) register phase, (3) withdrawal phase, (4) payment phase, (5) deposit phase, and (6) tracing phase.

4.1 Setup phase

Let G1 be a cyclic additive group generated by P, whose order is a prime q, and let G2 be a cyclic multiplicative group of the same order. A bilinear pairing is a map e: G1 × G1 → G2. We define three hash functions H1: {0,1}* → G1, H2: G1 → {0,1}^n, and H3: Z_q × G1 → Z_q. The public key generator (PKG) chooses a random number s ∈ Z_q and sets P_pub = sP. PKG keeps s as his private key and publishes the system parameters {G1, G2, e, q, P, P_pub, H1, H2, H3}. Customer C submits his identity ID_C to PKG over a secure channel. PKG computes C's public key as Q_C = H1(ID_C) and the matching private key as S_C = s Q_C. Similarly, PKG generates the public/private key pairs (Q_T, S_T), (Q_B, S_B), and (Q_M, S_M) for the Trusted Third Party (TTP), the bank B, and the merchant M, respectively.

4.2 Register phase

After the customer C obtains a key pair (Q_C, S_C) from PKG, he has to register with TTP to obtain a certificate u. Our scheme permits a customer to register over the internet without face-to-face registration or a secure channel. This greatly reduces the system's cost, both in traffic overhead and in setting up a secure channel. We describe the details as follows and also illustrate them in Fig. 8.
Step 1: The customer chooses a random number a ∈ Z_q and computes the session key shared with TTP as K_T = H2(e(S_C, aQ_T)). He then sends E_{K_T}(Auth_T), aQ_C to TTP, where Auth_T = {ID_C, ID_T, Ts, a}, Ts is a timestamp, and E_{K_T}(Auth_T) is the encryption of Auth_T under the session key K_T.
Step 2: On receiving the message from C, TTP runs the following steps:

17 ( computes H ( e ( S, aq and decrypts Auth to obtan T T E T ( T AuthT { ID, IDT, Ts, a}. ( checks to see f T Ts s less than T (Assume that TTP s current system tmestamp s T, where T s the tolerant tme for transmsson delay. If t sn t, the reuest s reected. ( uses a and ID n AuthT to compute ah( ID and checks to see f ths computed value s eual to the receved aq. If t sn t, the reuest s reected. (4 chooses three random numbers x and computes, y, v Z u E ( ID x, where H ( S s only known by TTP. T T T ( v u, W (5 computes W yp, z H, V yp zs T, and sends E T ( v, u, W, V to. (6 stores the entry ( u, x n the database. Step: After recevng the message from TTP, verfes f V, P W, P H ( v reects the message. Step : a Z Auth T T H Step : ustomer { ID ( e ( S V, P? e ( W, P, ID u, W Q, P T T, T, aq T s, a} H ( v E T ( Auth, aq E T u, W QT, P The certfcate of the customer s u s eual to. If t s, the certfcate of s u. Otherwse, T ( v, u, W, V T TTP Fg. 8. The regster phase of our proposed scheme. Step : D aq T T T T u E H ( E s T W yp V yp T T x, y, v Z z H ( v T ( ID ( e ( S zs T T ( Auth H ( S u, W T x, aq? ah ( ID Stores (u, x n the database 4. Wthdrawal phase In ths phase, customer employs a blnd sgnature technue to wthdraw an e-con from bank. We descrbe the detals as follows and also llustrate t n Fg.9. 7

18 Step : b Z Auth D H Step : { ID ( E U vu ustomer ( e ( S R v R, ID U, P? e ( H, T, bq s econ ( U, R, c, u ( R, U s ( c Q, b, v H ( c, v, R uq E ( Auth, bq, P The blnd sgnature of the con c E u, W, V} ( R, U ank Step : D bq T T r Z ( E s W, P H V, P? R rp T? bh ( ID ( e ( S ( Auth H ( v, bq U ( rv H ( c v u, W Q, P u S T Fg. 9. The wthdrawal phase of our proposed scheme. Step: ustomer chooses a random number b Z and computes the sesson key H ( e ( S, bq. Let Auth { ID, ID, T, b, v H ( c, v u, W, V}. The customer sends E ( Auth, bq to bank, where Ts s a tmestamp, c s a seral number of a con, and Auth s encrypted by. Step: After recevng the messages from, wll run the followng: ( computes H ( e ( S, bq and decrypts Auth to obtan Auth { ID, ID, T, b, v H ( c, v u, W, V}. s E ( ( generates a tmestamp T and checks to see f T Ts T,where T reuest s reected. s less than s the tolerant tme for transmsson delay. If t sn t, the ( takes b and ID from Auth and computes bh( ID to check f t s eual to bq. If t sn t, he reects the reuest. (4 verfes f V, P s eual to W, P H ( v u, W Q, P. If t s, the data ( v u, W, V n Auth reuest. (5 chooses a random numbers ( rv H ( c uv. S T s actually from TTP. Else, he reects the R rp, U r Z and computes 8

19 (6 sends ( R, U to and deducts money, whose amount s negotated n E advance, from s account. Step: After recevng the message from, decrypts ( R, U to get R, U E and computes R v R, U vu. He then verfes f U, P s eual to e ( H( c Q, R uq, P. If so, the blnd sgnature of the con c s econ ( U, R, c, u. Otherwse, reects the message. 4.4 Payment phase In ths phase, we assume that there s a customer who wants to use hs econ for shoppng n merchant M. We descrbe the payment phase of our protocol as follows and also llustrate t as Fg.0. Step: frstly chooses a random number k Z and computes the sesson key M H ( kqm, P. He encrypts ( econ, Ts wth M and computes kp. Then sends E M ( econ, Ts, kp to merchant M, where Ts s s current tmestamp. Step: After recevng the message from, M computes H ( kq, P to M decrypt E M econ, T, obtanng econ, T. M checks to see f both ( s ( s T T s s less than T and U, P s eual to e H ( c Q, R uq, P, where T s M s system tmestamp and T M ( s the tolerant tme for transmsson delay. If both hold, M accepts the econ and sends goods to. Otherwse, M reects t. ustomer Step : k Z M H ( kq M, P E M ( econ, Ts, kp Merchant Step : H ( S, kp D M M T T ( E s M T U, P? e ( H M ( econ, T s ( c Q, R uq, P Fg. 0. The payment phase of our proposed scheme. 4.5 Depost phase In ths phase, assume that merchant M wants to depost an econ to bank. wll add the econ to the merchant s account. We descrbe the detals as follows and also llustrate t n Fg.. Step: Merchant M frstly chooses a random number 9 t Z and computes the

session key K_MB = H(e(tQ_B, P_pub)). He encrypts (ecoin, ID_M, T_s) with K_MB, computes tP, and then sends E_KMB(ecoin, ID_M, T_s), tP to bank B, where T_s is M's system timestamp.

Step 2: After receiving the message from M, B computes K_MB = H(e(S_B, tP)) to decrypt E_KMB(ecoin, ID_M, T_s), obtaining (ecoin, ID_M, T_s). B checks whether T − T_s is less than ΔT, where T is B's current system timestamp and ΔT is the tolerant time for transmission delay. If it isn't, the request is rejected. Otherwise, B verifies whether e(U, P) is equal to e(H(c)Q_B, R)·e(uQ_B, P_pub). If it is, B checks the ecoin against its database to see whether it is double-spent. If so, B requests TTP to reveal the identity of the dishonest customer. Otherwise, he accepts the ecoin and adds it to M's bank account.

Fig. 11. The deposit phase of our proposed scheme. (Figure: the message flow between merchant M and bank B described in Steps 1-2 above, including the double-spending lookup in the bank's database.)

4.6 Tracing phase

In our scheme, if a customer ID_C uses the same ecoin twice, the bank can find out the illegal transaction by checking the paid coins stored in its database. The bank then calls TTP to reveal the identity of the dishonest customer using the following equations:

K_T = H(e(S_T, …)), ID_C = D_KT(u) ⊕ x.

5. Security analysis

In this section, we show that our scheme is secure by examining the following required properties, and demonstrate that our scheme satisfies the five security properties stated in Section 2 as follows.

5.1. Mutual authentication

We adopt the concept of an ID-based pairing cryptosystem in our scheme for the advantage that it can establish a session key between two communicating parties without sharing any secret in advance. It not only reduces the number of communication passes but also achieves implicit mutual authentication, provided the two communicating parties can use the established session key successfully. For example, in the withdrawal phase, the customer and the bank each use their own private key and the other party's public key to compute the session key, K_CB = H(e(S_C, bQ_B)) and K_CB = H(e(S_B, bQ_C)) respectively. They can communicate secretly using this session key without performing any key exchange in advance. If an adversary wants to masquerade as the customer to send an encrypted message to the bank, the bank will reject it, since the adversary can't decrypt the ciphertext to obtain any meaningful information. To date, only our scheme provides a secure mutual authentication function in the withdrawal phase. The other proposed protocols [5-10] don't have this function.
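The bank's deposit-phase checks (Section 4.5, Step 2) and the TTP tracing of Section 4.6, as an added Python example that is not part of the paper. The pairing verification of e(U, P) is injected as a `verify` predicate rather than implemented, the cipher E_KT is modelled with a toy HMAC-SHA256 keystream, and every key, identity and coin value is a constructed sample.

```python
# Added example (not the paper's code): bank side of the deposit phase and
# TTP tracing.  The pairing check e(U,P) = e(H(c)Q_B, R)e(uQ_B, P_pub) is NOT
# implemented; it is injected as a `verify` predicate.  E_KT/D_KT are modelled
# with an HMAC-SHA256 keystream (a toy cipher, not the paper's).  All keys,
# identities and coins below are constructed sample values.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

DELTA_T = 60  # assumed tolerant time (seconds) for transmission delay


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def sym_encrypt(key: bytes, msg: bytes) -> bytes:
    """Toy stand-in for E_K(msg); decryption is the same XOR operation."""
    return _xor(msg, _keystream(key, len(msg)))


sym_decrypt = sym_encrypt


@dataclass(frozen=True)
class ECoin:
    U: bytes
    R: bytes
    c: bytes  # serial number of the coin
    u: bytes  # certificate u = E_KT(ID_C xor x)


class TTP:
    """Holds K_T (shared only with PKG) and the random x of each certificate."""

    def __init__(self, k_t: bytes) -> None:
        self.k_t = k_t
        self.x_of: Dict[bytes, bytes] = {}

    def issue_certificate(self, ident: bytes, x: bytes) -> bytes:
        assert len(ident) == len(x)
        self.x_of[ident] = x
        return sym_encrypt(self.k_t, _xor(ident, x))

    def reveal(self, u: bytes) -> Optional[bytes]:
        """ID_C = D_KT(u) xor x: one decryption, then one XOR per stored x."""
        plain = sym_decrypt(self.k_t, u)
        for ident, x in self.x_of.items():
            if _xor(plain, x) == ident:
                return ident
        return None


class Bank:
    def __init__(self, ttp: TTP, verify: Callable[[ECoin], bool]) -> None:
        self.ttp = ttp
        self.verify = verify
        self.paid: Dict[bytes, ECoin] = {}   # database of deposited coins
        self.accounts: Dict[bytes, int] = {}
        self.fraud: List[Tuple[bytes, Optional[bytes]]] = []

    def deposit(self, id_m: bytes, coin: ECoin, t_s: int, now: int,
                value: int = 1) -> str:
        # (a) freshness: T - T_s must lie within the tolerant time
        if abs(now - t_s) > DELTA_T:
            return "rejected: stale timestamp"
        # (b) validity of the ecoin (pairing check, injected)
        if not self.verify(coin):
            return "rejected: invalid ecoin"
        # (c) double-spending: same serial already in the paid-coin database
        if coin.c in self.paid:
            cheater = self.ttp.reveal(coin.u)   # ask TTP to trace the owner
            self.fraud.append((coin.c, cheater))
            return "double spending"
        self.paid[coin.c] = coin
        self.accounts[id_m] = self.accounts.get(id_m, 0) + value
        return "accepted"


def demo() -> Tuple[str, str, Optional[bytes], int]:
    """Deposit one coin twice; the second deposit is traced to its owner."""
    ttp = TTP(k_t=b"constructed-ttp-pkg-shared-key")
    ident, x = b"customer-0001", bytes(range(13))  # 13-byte ID and random x
    u = ttp.issue_certificate(ident, x)
    coin = ECoin(U=b"U-sample", R=b"R-sample", c=b"serial-42", u=u)
    bank = Bank(ttp, verify=lambda coin: True)    # pairing check assumed OK
    first = bank.deposit(b"merchant-A", coin, t_s=1000, now=1010)
    second = bank.deposit(b"merchant-B", coin, t_s=2000, now=2005)
    return first, second, bank.fraud[0][1], bank.accounts[b"merchant-A"]
```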

5.2. Verifiability

We demonstrate the verification processes of our scheme by the following two equations, (1) and (2).

e(V, P) = e(yP + zS_T, P) = e(yP, P)·e(zS_T, P) = e(yP, P)·e(zQ_T, P_pub) = e(W, P)·e(H(v^{-1}u, W)Q_T, P_pub) ......(1)

and

e(U, P) = e(vU′, P) = e(v(r·vH(c) + v^{-1}u)S_B, P) = e((rv²H(c) + u)S_B, P) = e(rv²H(c)S_B, P)·e(uS_B, P) = e(rv²H(c)Q_B, P_pub)·e(uQ_B, P_pub) = e(H(c)Q_B, rv²P_pub)·e(uQ_B, P_pub) = e(H(c)Q_B, R)·e(uQ_B, P_pub) ......(2)

Equation (1) is used for two kinds of verification: the customer verifies whether the other party is the real TTP and whether the transmitted data (v^{-1}u, W, V) from TTP is calculated in the specified way, since z = H(v^{-1}u, W) (as shown in Fig. 8); and the bank verifies whether the other party is the real customer as claimed, since it needs to compute K_CB to obtain Auth (as shown in Fig. 9), and whether the data (v^{-1}u, W, V) in Auth from the customer is actually from TTP. This is implied by the term H(v^{-1}u, W)Q_T in the equation.

Equation (2) is used to verify whether the ecoin (U, R, c, u) is valid and from the claimed bank, as implied by the equation (as shown in Figs. 9, 10 and 11).

5.3. Anonymity

This is a very important security property, especially for keeping the privacy of a customer's identity in an electronic cash system. To attain this purpose in our scheme, we adopt the blind signature technique. In the following, we describe why our scheme possesses this anonymity property by giving two reasons.

Reason 1: In the withdrawal phase, when customer C wants to withdraw an ecoin, he must provide both his identity ID_C and his randomized certificate v^{-1}u to the bank, so that the money can be deducted from his account. Although the bank knows the identity of the customer, it can't get the customer's certificate since it has been randomized by v. Besides, the customer blinds R′, U′ by computing R = v²R′, U = vU′. This makes the bank unable to learn the identity of the ecoin owner when it receives the ecoin (U, R, c, u) from a merchant in the deposit phase (as shown in Fig. 11): without the knowledge of v, it can't identify the owner by comparing u with the stored v^{-1}u, which corresponds to its owner ID_C in Auth (as shown in Fig. 9). Similarly, the serial number c of the ecoin is embedded in the value vH(c), in which c is first protected by the hash function H and then randomized by the random number v. It also corresponds to the identity ID_C of its owner. Therefore, in the deposit phase, even if the bank, receiving the ecoin (U, R, c, u) from the merchant, can compute H(c), it still can't identify the owner by comparing H(c) with the stored vH(c).

Furthermore, our scheme prevents the bank from learning the identity of the ecoin owner by mathematical operations. For example, if e(U′, R′) = e(U, R) held, the bank could find the ecoin owner by this equation. In our scheme, after receiving the ecoin (U, R, c, u) from the merchant, the bank only knows e(U′, R′) = e(v^{-1}U, v^{-2}R) = e(U, R)^{v^{-3}}. However, without the knowledge of v, it can't obtain the customer's identity from this value.

Reason 2: In the payment phase, when the merchant receives the ecoin (U, R, c, u) from a customer, he can't learn the identity of the ecoin owner from the certificate u, since u = E_KT(ID_C ⊕ x). That is to say, certificate u is the result of the customer's identity XOR-ed with a random x and then encrypted by K_T, which is known only by TTP and PKG. Hence, anyone who gets the certificate u can't obtain any useful information about the identity of the customer.

5.4. Unforgeability

In our scheme, an adversary may try to forge an ecoin in the following two possible cases. In each case, we show why our scheme possesses the unforgeability property.

Case 1. In the payment phase, the merchant can get the customer's certificate u, sent in E_KCM(ecoin, T_s) as shown in Fig. 10. If the merchant gives u to an adversary, we must show whether the adversary can successfully embed the certificate u in Auth (see Fig. 9) to masquerade as ID_C for withdrawing an ecoin and pass the bank's verification. In the following, we show why this attack fails.

Step 1: The adversary gets a certificate u of customer C from a compromised merchant at which C once consumed.

Step 2: The adversary randomly picks v ∈ Z_q^* and W ∈ G_1 and computes
e(W, P)·e(H(v^{-1}u, W)Q_T, P_pub) = e(W + H(v^{-1}u, W)S_T, P) = e(V, P).
If the adversary can find V = W + H(v^{-1}u, W)S_T = W + s·H(v^{-1}u, W)Q_T to pass the bank's verification (as shown in Fig. 9 and indicated in equation (1)), the attack succeeds. However, without the knowledge of s, the adversary is doomed to fail, since this is an ECDLP problem.

Case 2. Similarly, in the payment phase, the merchant can get both the certificate u of the customer and the serial number c. If the merchant gives them to an adversary, we must know whether the adversary can use them to forge an ecoin satisfying the verification of equation (2) (also shown in Fig. 9) without communicating with the bank. If so, the adversary could use the forged ecoin for shopping and pass the verifications of (1) the merchant verifying the ecoin from the customer, and (2) the bank verifying the ecoin from the merchant, as shown in Figs. 10 and 11 respectively. We describe this attack in the following steps and show why it cannot succeed.

Step 1: The adversary gets a certificate u and the serial number c of an ecoin from a compromised merchant at which a legal customer consumed.

Step 2: The adversary randomly chooses n ∈ Z_q^* and lets R = nP.

Step 3: He computes
e(H(c)Q_B, R)·e(uQ_B, P_pub) = e(H(c)Q_B, nP)·e(suQ_B, P) = e((nH(c) + us)Q_B, P) = e(U, P).
The adversary must produce U = (nH(c) + us)Q_B to pass the verifications shown in Figs. 9, 10 and 11 respectively and indicated in equation (2). However, without the knowledge of PKG's secret key s, he is doomed to fail, since this is an ECDLP problem. Not to mention, the adversary doesn't have the session keys K_CB, K_CM and K_MB in the three scenarios.

5.5. Traceability

If any customer uses the same coin (U, R, c, u) twice, then with the help of TTP the bank can find out this illegal transaction by checking the double-spent ecoin stored in its database, because TTP can easily reveal the identity of the customer by using the following equations:

K_T = H(e(S_T, …)), ID_C = D_KT(u) ⊕ x.

Since S_T is TTP's private key and u is a fixed value corresponding to each customer's identity, they can be pre-computed. Therefore, our scheme only needs one XOR operation to reveal the identity of the illegal customer. Hence, double-spending tracing is very efficient in our scheme.

6. Comparisons

In this section, we compare our protocol with the previously proposed schemes [5-10] with respect to the above-mentioned security properties. After comparing with those schemes, we can see that our scheme not only provides mutual authentication, ecoin verification and protection of the customer's identity but also resists double spending and ecoin forging. We summarize the comparison of each property in Table 1 and list, in Appendix A, the reasons why the corresponding schemes in the table can't attain some security features.

Table 1. The security comparisons between our proposed scheme and other schemes

      Juang et al.'s [5]  Juang's [6]  Chen's [7]  H. Wang et al.'s [8]  Popescu et al.'s [9]  S. Wang et al.'s [10]  Ours
  0   On                  Off          -           Off                   Off                   Off                    Off
  1   No                  No           -           No                    No                    Yes                    Yes
  2   Yes                 No           -           No                    No                    Yes                    Yes
  3   Yes                 Yes          -           Yes                   Yes                   Yes                    Yes
  4   Yes                 Yes          Yes         Yes                   -                     Yes                    Yes
  5   Yes                 No           -           No                    Yes                   Yes                    Yes
  6   No                  No           No          No                    Yes                   No                     Yes
  7   -                   No           No          Yes                   Yes                   Yes                    Yes

0: On represents on-line type; Off represents off-line type.
1: Mutual authentication in the withdrawal phase (each party checks the other's identity before communication).
2: The customer verifies the ecoin received from the bank.
3: The merchant verifies the ecoin received from the customer.
4: The bank verifies the ecoin received from the merchant.
5: Anonymity (protecting the identity of the customer).
6: Unforgeability (preventing the forging of a valid ecoin).
7: Traceability (revealing the identity of a party who uses an ecoin twice, in off-line type).
-: For an incomplete protocol, the corresponding feature is not considered.

From Table 1, we can see that our protocol is not only the most secure among all of the proposed protocols but also possesses the complete set of functions that a secure electronic cash system requires.

7. Conclusion

In this paper, we have reviewed and shown the attacks on the schemes [5, 6, 7]. We have also proposed a secure ID-based e-cash scheme from pairings. After analysis, we conclude that our scheme satisfies the properties of mutual authentication, anonymity, unforgeability, traceability and double-spending protection. After comparison, we can see that our scheme is not only more secure but also more complete than all of the proposed electronic cash schemes available today.

Appendix A

(1) Why is there no mutual authentication in the withdrawal phase in [5, 6, 8, 9]?
From the schemes [5, 6, 8, 9], we can see that the parties don't authenticate each other in the withdrawal phase. That is to say, the bank may give a valid ecoin to an illegal customer. Therefore, their schemes are not secure.

(2) Why doesn't the customer verify the ecoin received from the bank in [6, 8, 9]?
From the schemes [6, 8, 9], we can see that the customer doesn't verify the validity of the ecoin received from the bank in the withdrawal phase. Hence, the customer may obtain a forged ecoin from an adversary.

(3) Why is there no anonymity in [6, 8]?
For [6], we have demonstrated this in Section 3. As for [8], in the withdrawal phase, the customer withdraws an ecoin from the bank without employing a blind signature technique. Hence, after the deposit phase, the bank can reveal the identity of the ecoin owner by searching the previously spent ecoins recorded in its database.

(4) Why is there no unforgeability in [5, 6, 7, 8, 10]?
For [5, 6, 7], we have demonstrated this in Section 3. As for [8], in the withdrawal phase, a user chooses a_i, c_i for all i = 1, ..., k/2, computes x_i = g^{a_i}, y_i = g^{a_i(I ⊕ c_i)} and u_i = H(x_i, y_i), where I = g^u is the user's account, and then sends all u_i to the bank. Finally, the bank computes the ecoin and sends it to the user. In the payment phase, when the user sends the ecoin to the shop, an adversary can intercept it and respond with a binary string {z_1, z_2, ..., z_{k/2}} = {0, 1, ..., 0} to the user. After receiving the binary string, the user responds as follows, for all i = 1, ..., k/2: if z_i = 1, he sends (a_i, y_i); otherwise, he sends (x_i, a_i(I ⊕ c_i), c_i) to the shop. At this time, the adversary simply intercepts the response to make the payment fail, and stores the intercepted data. If the user finds that the payment failed and later wants to shop using the same ecoin, he must send it to a shop (either the original one or another). On seeing the same ecoin transmitted, the adversary intercepts it and responds with the complementary binary string {z_1, z_2, ..., z_{k/2}} = {1, 0, ..., 1} to the user again. After receiving it, the user sends (a_i, y_i) or (x_i, a_i(I ⊕ c_i), c_i), for all i = 1, ..., k/2, to the shop according to whether the bit is set or not. The adversary intercepts these and stores them as well. Hence, the adversary can use the two stored sets of data to respond to any shop's challenge and pass the shop's verification. We demonstrate the details as follows:

Step 1: The adversary sends the intercepted ecoin to any shop for shopping.

Step 2: The shop chooses a random binary string {z_1, z_2, ..., z_{k/2}} and sends it to the user. Here, we suppose the binary string is {z_1, z_2, ..., z_{k/2}} = {0, 1, 0, 1, ..., 0, 1}.

Step 3: The adversary uses the stored data to respond to the shop's random binary string. According to the binary string {0, 1, 0, 1, ..., 0, 1}, the adversary sends {(x_1, a_1(I ⊕ c_1), c_1), (a_2, y_2), (x_3, a_3(I ⊕ c_3), c_3), (a_4, y_4), ..., (a_{k/2}, y_{k/2})} to the shop.

Step 4: After receiving the data from the adversary, the shop computes the following for verification:
H(x_1, g^{a_1(I ⊕ c_1)}), H(g^{a_2}, y_2), ..., H(g^{a_{k/2}}, y_{k/2}) = H(x_1, y_1), H(x_2, y_2), ..., H(x_{k/2}, y_{k/2}).

Obviously, the adversary passes the shop's verification successfully. Even worse, the adversary can repeatedly use the ecoin at any shop without being found, since the owner identity embedded in the ecoin is I, not the adversary's.

In [10], in the authentication protocol of the withdrawal protocol, an adversary can pretend to be any legal customer and initiate a withdrawal phase by choosing a random number x ∈ Z_q^* and sending xP to the bank B. Upon receiving xP, B chooses and sends a random number to the adversary. Upon receiving it, the adversary chooses a random number k ∈ Z_q^* and computes t = kP, c = H(P ‖ xP ‖ t), s = k − cx. He then sends (c, s) to B. Upon receiving (c, s), B computes c′ = H(P ‖ xP ‖ sP + c·xP) and verifies whether c′ = c. According to their authentication protocol, the equation is bound to hold. The adversary therefore successfully proves that xP belongs to him. Hence, the adversary can get a valid e-cash (m, U, V, W, t, r_B P) from the bank.

(5) Why is there no traceability in [6, 7]?
For [6], we have demonstrated this in Section 3. As for [7], their scheme only mentions the cash verification in the deposit phase without giving a detailed method. Hence, their scheme can't prevent double spending, and it therefore lacks a traceability mechanism.

References

[1] A. Shamir, Identity-based cryptosystems and signature schemes, CRYPTO 84, volume 196 of LNCS, Springer-Verlag, 1984.
[2] D. Boneh and M. Franklin, Identity-based encryption from the Weil pairing, CRYPTO 2001, volume 2139 of LNCS, Springer-Verlag, 2001, pp. 213-229.
[3] D. Chaum, Blind signatures for untraceable payments, Crypto 82, Plenum, NY, 1982.
[4] F. Zhang and K. Kim, Efficient ID-based blind signature and proxy signature from bilinear pairings, ACISP 2003, volume 2727 of LNCS, 2003.
[5] Wen-Shenq Juang, Horng-Twu Liaw, A practical anonymous multi-authority e-cash scheme, Applied Mathematics and Computation, Vol. 147, No. 1, 6 January 2004.
[6] Wen-Shenq Juang, D-Cash: A flexible pre-paid e-cash scheme for date-attachment, Electronic Commerce Research and Applications, Vol. 6, No. 1, Spring 2007.
[7] Yu Yi Chen, Jinn-Ke Jan, Chin-Ling Chen, A novel proxy deposit protocol for e-cash systems, Applied Mathematics and Computation, Vol. 6, 2005.
[8] H. Wang, Y. Zhang, Untraceable off-line electronic cash flow in e-commerce, Proceedings of the 24th Australasian Computer Science Conference (ACSC 2001), 29 Jan-4 Feb 2001, pp. 191-198.
[9] C. Popescu, H. Oros, An off-line electronic cash system based on bilinear pairings, 14th International Workshop on Systems, Signals and Image Processing, 2007 and 6th EURASIP Conference focused on Speech and Image Processing, Multimedia Communications and Services, 27-30 June 2007.
[10] Shangping Wang, Zhang Chen, Xiaofeng Wang, A new certificateless electronic cash scheme with multiple banks based on group signatures, IEEE International Symposium on Electronic Commerce and Security, 2008.
[11] Yun Ling, Yiming Xiang, Xun Wang, RSA-based secure electronic cash payment system, IEEE International Conference, 2-4 December 2007.
[12] Matthieu Gaud, Jacques Traoré, On the anonymity of fair offline e-cash systems, LNCS 2742, 2003.
[13] Alfredo De Santis, Anna Lisa Ferrara, Barbara Masucci, An attack on a payment scheme, Information Sciences, Vol. 178, No. 5, March 2008.
[14] Hua Wang, Jinli Cao, Yanchun Zhang, A flexible payment scheme and its role-based access control, IEEE Trans. Knowl. Data Eng., 17 March 2005.
[15] Lin-Chuan Wu, Yi-Shiung Yeh, Comment on traceability on RSA-based partially signature with low computation, Applied Mathematics and Computation, Vol. 170, 15 November 2005.
[16] Hsiang-An Wen, Kuo-Chang Lee, Sheng-Yu Hwang, Tzonelih Hwang, On the traceability on RSA-based partially signature with low computation, Applied Mathematics and Computation, Vol. 6, 4 March 2005.
[17] Min-Shiang Hwang, Cheng-Chi Lee, Yan-Chi Lai, Traceability on RSA-based partially signature with low computation, Applied Mathematics and Computation, Vol. 45, 25 December 2003.
[18] Weidong Qiu, Converting normal DLP-based signatures into blind, Applied Mathematics and Computation, Vol. 170, November 2005.
[19] Xiaofeng Chen, Fangguo Zhang, Shengli Liu, ID-based restrictive partially blind signatures and applications, Journal of Systems and Software, Vol. 80, February 2007.
[20] Xiaoming Hu, Shangteng Huang, Analysis of ID-based restrictive partially blind signatures and applications, Journal of Systems and Software, Vol. 81, November 2008.
[21] A. Menezes, T. Okamoto, S. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field, IEEE Transactions on Information Theory, Vol. 39, issue 5, 1993.
[22] Chun-I Fan, Shi-Yuan Huang, Pei-Hsiu Ho, Chin-Laung Lei, Fair anonymous rewarding based on electronic cash, Journal of Systems and Software, in press, Corrected Proof, available online February 2009.
[23] Mafruz Zaman Ashrafi, See Kiong Ng, Privacy-preserving e-payments using one-time payment details, Computer Standards & Interfaces, Vol. 31, Issue 2, February 2009.


More information

SL n (F ) Equals its Own Derived Group

SL n (F ) Equals its Own Derived Group Internatonal Journal of Algebra, Vol. 2, 2008, no. 12, 585-594 SL n (F ) Equals ts Own Derved Group Jorge Macel BMCC-The Cty Unversty of New York, CUNY 199 Chambers street, New York, NY 10007, USA macel@cms.nyu.edu

More information

(1 ) (1 ) 0 (1 ) (1 ) 0

(1 ) (1 ) 0 (1 ) (1 ) 0 Appendx A Appendx A contans proofs for resubmsson "Contractng Informaton Securty n the Presence of Double oral Hazard" Proof of Lemma 1: Assume that, to the contrary, BS efforts are achevable under a blateral

More information

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011 Stanford Unversty CS359G: Graph Parttonng and Expanders Handout 4 Luca Trevsan January 3, 0 Lecture 4 In whch we prove the dffcult drecton of Cheeger s nequalty. As n the past lectures, consder an undrected

More information

Subset Topological Spaces and Kakutani s Theorem

Subset Topological Spaces and Kakutani s Theorem MOD Natural Neutrosophc Subset Topologcal Spaces and Kakutan s Theorem W. B. Vasantha Kandasamy lanthenral K Florentn Smarandache 1 Copyrght 1 by EuropaNova ASBL and the Authors Ths book can be ordered

More information

Problem Set 9 Solutions

Problem Set 9 Solutions Desgn and Analyss of Algorthms May 4, 2015 Massachusetts Insttute of Technology 6.046J/18.410J Profs. Erk Demane, Srn Devadas, and Nancy Lynch Problem Set 9 Solutons Problem Set 9 Solutons Ths problem

More information

The Study of Teaching-learning-based Optimization Algorithm

The Study of Teaching-learning-based Optimization Algorithm Advanced Scence and Technology Letters Vol. (AST 06), pp.05- http://dx.do.org/0.57/astl.06. The Study of Teachng-learnng-based Optmzaton Algorthm u Sun, Yan fu, Lele Kong, Haolang Q,, Helongang Insttute

More information

Formulas for the Determinant

Formulas for the Determinant page 224 224 CHAPTER 3 Determnants e t te t e 2t 38 A = e t 2te t e 2t e t te t 2e 2t 39 If 123 A = 345, 456 compute the matrx product A adj(a) What can you conclude about det(a)? For Problems 40 43, use

More information

Lecture 4: November 17, Part 1 Single Buffer Management

Lecture 4: November 17, Part 1 Single Buffer Management Lecturer: Ad Rosén Algorthms for the anagement of Networs Fall 2003-2004 Lecture 4: November 7, 2003 Scrbe: Guy Grebla Part Sngle Buffer anagement In the prevous lecture we taled about the Combned Input

More information

6.842 Randomness and Computation February 18, Lecture 4

6.842 Randomness and Computation February 18, Lecture 4 6.842 Randomness and Computaton February 18, 2014 Lecture 4 Lecturer: Rontt Rubnfeld Scrbe: Amartya Shankha Bswas Topcs 2-Pont Samplng Interactve Proofs Publc cons vs Prvate cons 1 Two Pont Samplng 1.1

More information

Hash functions : MAC / HMAC

Hash functions : MAC / HMAC Hash functons : MAC / HMAC Outlne Message Authentcaton Codes Keyed hash famly Uncondtonally Secure MACs Ref: D Stnson: Cryprography Theory and Practce (3 rd ed), Chap 4. Unversal hash famly Notatons: X

More information

An Efficient Certificate-based Verifiable Encrypted Signature Scheme Without Pairings

An Efficient Certificate-based Verifiable Encrypted Signature Scheme Without Pairings Send Orders for Reprnts to reprnts@benthamscence.ae The Open Cybernetcs & Systemcs Journal, 014, 8, 39-47 39 Open ccess n Effcent Certfcate-based Verfable Encrypted Sgnature Scheme Wthout Parngs Rufen

More information

Cryptographic Protocols

Cryptographic Protocols Cryptographc Protocols Entty Authentcaton Key Agreement Fat-Shamr Identfcaton Schemes Zero-Knowledge Proof Systems Shnorr s Identfcaton/Sgnature Scheme Commtment Schemes Secret Sharng Electronc Electon

More information

Grover s Algorithm + Quantum Zeno Effect + Vaidman

Grover s Algorithm + Quantum Zeno Effect + Vaidman Grover s Algorthm + Quantum Zeno Effect + Vadman CS 294-2 Bomb 10/12/04 Fall 2004 Lecture 11 Grover s algorthm Recall that Grover s algorthm for searchng over a space of sze wors as follows: consder the

More information

Cryptanalysis of a Public-key Cryptosystem Using Lattice Basis Reduction Algorithm

Cryptanalysis of a Public-key Cryptosystem Using Lattice Basis Reduction Algorithm www.ijcsi.org 110 Cryptanalyss of a Publc-key Cryptosystem Usng Lattce Bass Reducton Algorthm Roohallah Rastagh 1, Hamd R. Dall Oskoue 2 1,2 Department of Electrcal Engneerng, Aeronautcal Unversty of Snce

More information

NUMERICAL DIFFERENTIATION

NUMERICAL DIFFERENTIATION NUMERICAL DIFFERENTIATION 1 Introducton Dfferentaton s a method to compute the rate at whch a dependent output y changes wth respect to the change n the ndependent nput x. Ths rate of change s called the

More information

Exercises of Chapter 2

Exercises of Chapter 2 Exercses of Chapter Chuang-Cheh Ln Department of Computer Scence and Informaton Engneerng, Natonal Chung Cheng Unversty, Mng-Hsung, Chay 61, Tawan. Exercse.6. Suppose that we ndependently roll two standard

More information

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U)

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U) Econ 413 Exam 13 H ANSWERS Settet er nndelt 9 deloppgaver, A,B,C, som alle anbefales å telle lkt for å gøre det ltt lettere å stå. Svar er gtt . Unfortunately, there s a prntng error n the hnt of

More information

Efficient many-party controlled teleportation of multi-qubit quantum information via entanglement

Efficient many-party controlled teleportation of multi-qubit quantum information via entanglement Effcent many-party controlled teleportaton of mult-qut quantum nformaton va entanglement Chu-Png Yang, Shh-I Chu, Syuan Han Physcal Revew A, 24 Presentng: Vctora Tchoudakov Motvaton Teleportaton va the

More information

Section 8.3 Polar Form of Complex Numbers

Section 8.3 Polar Form of Complex Numbers 80 Chapter 8 Secton 8 Polar Form of Complex Numbers From prevous classes, you may have encountered magnary numbers the square roots of negatve numbers and, more generally, complex numbers whch are the

More information

Min Cut, Fast Cut, Polynomial Identities

Min Cut, Fast Cut, Polynomial Identities Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a mult-graph.

More information

VQ widely used in coding speech, image, and video

VQ widely used in coding speech, image, and video at Scalar quantzers are specal cases of vector quantzers (VQ): they are constraned to look at one sample at a tme (memoryless) VQ does not have such constrant better RD perfomance expected Source codng

More information

Valuated Binary Tree: A New Approach in Study of Integers

Valuated Binary Tree: A New Approach in Study of Integers Internatonal Journal of Scentfc Innovatve Mathematcal Research (IJSIMR) Volume 4, Issue 3, March 6, PP 63-67 ISS 347-37X (Prnt) & ISS 347-34 (Onlne) wwwarcournalsorg Valuated Bnary Tree: A ew Approach

More information

Assortment Optimization under MNL

Assortment Optimization under MNL Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.

More information

Application of Nonbinary LDPC Codes for Communication over Fading Channels Using Higher Order Modulations

Application of Nonbinary LDPC Codes for Communication over Fading Channels Using Higher Order Modulations Applcaton of Nonbnary LDPC Codes for Communcaton over Fadng Channels Usng Hgher Order Modulatons Rong-Hu Peng and Rong-Rong Chen Department of Electrcal and Computer Engneerng Unversty of Utah Ths work

More information

The Pseudoblocks of Endomorphism Algebras

The Pseudoblocks of Endomorphism Algebras Internatonal Mathematcal Forum, 4, 009, no. 48, 363-368 The Pseudoblocks of Endomorphsm Algebras Ahmed A. Khammash Department of Mathematcal Scences, Umm Al-Qura Unversty P.O.Box 796, Makkah, Saud Araba

More information

Volume 18 Figure 1. Notation 1. Notation 2. Observation 1. Remark 1. Remark 2. Remark 3. Remark 4. Remark 5. Remark 6. Theorem A [2]. Theorem B [2].

Volume 18 Figure 1. Notation 1. Notation 2. Observation 1. Remark 1. Remark 2. Remark 3. Remark 4. Remark 5. Remark 6. Theorem A [2]. Theorem B [2]. Bulletn of Mathematcal Scences and Applcatons Submtted: 016-04-07 ISSN: 78-9634, Vol. 18, pp 1-10 Revsed: 016-09-08 do:10.1805/www.scpress.com/bmsa.18.1 Accepted: 016-10-13 017 ScPress Ltd., Swtzerland

More information

A CHARACTERIZATION OF ADDITIVE DERIVATIONS ON VON NEUMANN ALGEBRAS

A CHARACTERIZATION OF ADDITIVE DERIVATIONS ON VON NEUMANN ALGEBRAS Journal of Mathematcal Scences: Advances and Applcatons Volume 25, 2014, Pages 1-12 A CHARACTERIZATION OF ADDITIVE DERIVATIONS ON VON NEUMANN ALGEBRAS JIA JI, WEN ZHANG and XIAOFEI QI Department of Mathematcs

More information

Department of Statistics University of Toronto STA305H1S / 1004 HS Design and Analysis of Experiments Term Test - Winter Solution

Department of Statistics University of Toronto STA305H1S / 1004 HS Design and Analysis of Experiments Term Test - Winter Solution Department of Statstcs Unversty of Toronto STA35HS / HS Desgn and Analyss of Experments Term Test - Wnter - Soluton February, Last Name: Frst Name: Student Number: Instructons: Tme: hours. Ads: a non-programmable

More information

Secure and practical identity-based encryption

Secure and practical identity-based encryption Secure and practcal dentty-based encrypton D. Naccache Abstract: A varant of Waters dentty-based encrypton scheme wth a much smaller system parameters sze (only a few klobytes) s presented. It s shown

More information

Quantum secure circuit evaluation

Quantum secure circuit evaluation Scence n Chna Ser. F Informaton Scences 2004 Vol.47 No.6 717 727 717 Quantum secure crcut evaluaton CHEN Huanhuan, LI Bn & ZHUANG Zhenquan Department of Electronc Scence and Technology, Unversty of Scence

More information

Maximizing the number of nonnegative subsets

Maximizing the number of nonnegative subsets Maxmzng the number of nonnegatve subsets Noga Alon Hao Huang December 1, 213 Abstract Gven a set of n real numbers, f the sum of elements of every subset of sze larger than k s negatve, what s the maxmum

More information

Edge Isoperimetric Inequalities

Edge Isoperimetric Inequalities November 7, 2005 Ross M. Rchardson Edge Isopermetrc Inequaltes 1 Four Questons Recall that n the last lecture we looked at the problem of sopermetrc nequaltes n the hypercube, Q n. Our noton of boundary

More information

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton

More information

Convexity preserving interpolation by splines of arbitrary degree

Convexity preserving interpolation by splines of arbitrary degree Computer Scence Journal of Moldova, vol.18, no.1(52), 2010 Convexty preservng nterpolaton by splnes of arbtrary degree Igor Verlan Abstract In the present paper an algorthm of C 2 nterpolaton of dscrete

More information

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard

More information

On the Multicriteria Integer Network Flow Problem

On the Multicriteria Integer Network Flow Problem BULGARIAN ACADEMY OF SCIENCES CYBERNETICS AND INFORMATION TECHNOLOGIES Volume 5, No 2 Sofa 2005 On the Multcrtera Integer Network Flow Problem Vassl Vasslev, Marana Nkolova, Maryana Vassleva Insttute of

More information

3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X

3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X Statstcs 1: Probablty Theory II 37 3 EPECTATION OF SEVERAL RANDOM VARIABLES As n Probablty Theory I, the nterest n most stuatons les not on the actual dstrbuton of a random vector, but rather on a number

More information

Self-complementing permutations of k-uniform hypergraphs

Self-complementing permutations of k-uniform hypergraphs Dscrete Mathematcs Theoretcal Computer Scence DMTCS vol. 11:1, 2009, 117 124 Self-complementng permutatons of k-unform hypergraphs Artur Szymańsk A. Paweł Wojda Faculty of Appled Mathematcs, AGH Unversty

More information

Augmented Broadcaster Identity-based Broadcast Encryption

Augmented Broadcaster Identity-based Broadcast Encryption Augmented Broadcaster Identty-based Broadcast Encrypton Janhong Zhang Yuwe Xu Zhpeng Chen Insttuton of Image Processng and Pattern Recognton North Chna Unversty of Technology Bejng Chna 100144 ywxupaper@163com

More information

Anonymous Identity-Based Broadcast Encryption with Revocation for File Sharing

Anonymous Identity-Based Broadcast Encryption with Revocation for File Sharing Anonymous Identty-Based Broadcast Encrypton wth Revocaton for Fle Sharng Janchang La, Y Mu, Fuchun Guo, Wlly Suslo, and Rongmao Chen Centre for Computer and Informaton Securty Research, School of Computng

More information

Refined Coding Bounds for Network Error Correction

Refined Coding Bounds for Network Error Correction Refned Codng Bounds for Network Error Correcton Shenghao Yang Department of Informaton Engneerng The Chnese Unversty of Hong Kong Shatn, N.T., Hong Kong shyang5@e.cuhk.edu.hk Raymond W. Yeung Department

More information

FUZZY GOAL PROGRAMMING VS ORDINARY FUZZY PROGRAMMING APPROACH FOR MULTI OBJECTIVE PROGRAMMING PROBLEM

FUZZY GOAL PROGRAMMING VS ORDINARY FUZZY PROGRAMMING APPROACH FOR MULTI OBJECTIVE PROGRAMMING PROBLEM Internatonal Conference on Ceramcs, Bkaner, Inda Internatonal Journal of Modern Physcs: Conference Seres Vol. 22 (2013) 757 761 World Scentfc Publshng Company DOI: 10.1142/S2010194513010982 FUZZY GOAL

More information

The Geometry of Logit and Probit

The Geometry of Logit and Probit The Geometry of Logt and Probt Ths short note s meant as a supplement to Chapters and 3 of Spatal Models of Parlamentary Votng and the notaton and reference to fgures n the text below s to those two chapters.

More information

Department of Electrical & Electronic Engineeing Imperial College London. E4.20 Digital IC Design. Median Filter Project Specification

Department of Electrical & Electronic Engineeing Imperial College London. E4.20 Digital IC Design. Median Filter Project Specification Desgn Project Specfcaton Medan Flter Department of Electrcal & Electronc Engneeng Imperal College London E4.20 Dgtal IC Desgn Medan Flter Project Specfcaton A medan flter s used to remove nose from a sampled

More information

829. An adaptive method for inertia force identification in cantilever under moving mass

829. An adaptive method for inertia force identification in cantilever under moving mass 89. An adaptve method for nerta force dentfcaton n cantlever under movng mass Qang Chen 1, Mnzhuo Wang, Hao Yan 3, Haonan Ye 4, Guola Yang 5 1,, 3, 4 Department of Control and System Engneerng, Nanng Unversty,

More information

On the correction of the h-index for career length

On the correction of the h-index for career length 1 On the correcton of the h-ndex for career length by L. Egghe Unverstet Hasselt (UHasselt), Campus Depenbeek, Agoralaan, B-3590 Depenbeek, Belgum 1 and Unverstet Antwerpen (UA), IBW, Stadscampus, Venusstraat

More information

Applied Mathematics Letters

Applied Mathematics Letters Appled Matheatcs Letters 2 (2) 46 5 Contents lsts avalable at ScenceDrect Appled Matheatcs Letters journal hoepage: wwwelseverco/locate/al Calculaton of coeffcents of a cardnal B-splne Gradr V Mlovanovć

More information

Perron Vectors of an Irreducible Nonnegative Interval Matrix

Perron Vectors of an Irreducible Nonnegative Interval Matrix Perron Vectors of an Irreducble Nonnegatve Interval Matrx Jr Rohn August 4 2005 Abstract As s well known an rreducble nonnegatve matrx possesses a unquely determned Perron vector. As the man result of

More information

On quasiperfect numbers

On quasiperfect numbers Notes on Number Theory and Dscrete Mathematcs Prnt ISSN 1310 5132, Onlne ISSN 2367 8275 Vol. 23, 2017, No. 3, 73 78 On quasperfect numbers V. Sva Rama Prasad 1 and C. Suntha 2 1 Nalla Malla Reddy Engneerng

More information

Recover plaintext attack to block ciphers

Recover plaintext attack to block ciphers Recover plantext attac to bloc cphers L An-Png Bejng 100085, P.R.Chna apl0001@sna.com Abstract In ths paper, we wll present an estmaton for the upper-bound of the amount of 16-bytes plantexts for Englsh

More information

Affine transformations and convexity

Affine transformations and convexity Affne transformatons and convexty The purpose of ths document s to prove some basc propertes of affne transformatons nvolvng convex sets. Here are a few onlne references for background nformaton: http://math.ucr.edu/

More information

CS-433: Simulation and Modeling Modeling and Probability Review

CS-433: Simulation and Modeling Modeling and Probability Review CS-433: Smulaton and Modelng Modelng and Probablty Revew Exercse 1. (Probablty of Smple Events) Exercse 1.1 The owner of a camera shop receves a shpment of fve cameras from a camera manufacturer. Unknown

More information

Module 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur

Module 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur Module 3 LOSSY IMAGE COMPRESSION SYSTEMS Verson ECE IIT, Kharagpur Lesson 6 Theory of Quantzaton Verson ECE IIT, Kharagpur Instructonal Objectves At the end of ths lesson, the students should be able to:

More information

PHYS 705: Classical Mechanics. Canonical Transformation II

PHYS 705: Classical Mechanics. Canonical Transformation II 1 PHYS 705: Classcal Mechancs Canoncal Transformaton II Example: Harmonc Oscllator f ( x) x m 0 x U( x) x mx x LT U m Defne or L p p mx x x m mx x H px L px p m p x m m H p 1 x m p m 1 m H x p m x m m

More information

Beyond Zudilin s Conjectured q-analog of Schmidt s problem

Beyond Zudilin s Conjectured q-analog of Schmidt s problem Beyond Zudln s Conectured q-analog of Schmdt s problem Thotsaporn Ae Thanatpanonda thotsaporn@gmalcom Mathematcs Subect Classfcaton: 11B65 33B99 Abstract Usng the methodology of (rgorous expermental mathematcs

More information

Pop-Click Noise Detection Using Inter-Frame Correlation for Improved Portable Auditory Sensing

Pop-Click Noise Detection Using Inter-Frame Correlation for Improved Portable Auditory Sensing Advanced Scence and Technology Letters, pp.164-168 http://dx.do.org/10.14257/astl.2013 Pop-Clc Nose Detecton Usng Inter-Frame Correlaton for Improved Portable Audtory Sensng Dong Yun Lee, Kwang Myung Jeon,

More information