Risk Management for E-Cash Systems with Partial Real-Time Audit


Netnomics 3, Kluwer Academic Publishers. Manufactured in The Netherlands.

YACOV YACOBI
Microsoft Research, One Microsoft Way, Redmond, WA 98052, USA

Abstract. We analyze coin-wallets and balance-wallets under partial real-time audit, and compute upper bounds on theft due to the fact that not all the transactions are audited in real time, assuming that everything else is perfect. In particular, we assume that the audit regime holds for innocent payees. Let $v$ be the maximum allowed balance in a wallet, and $0 \le \mu \le 1$ be the fraction of transactions that are audited in real time in an audit round. Assume one-unit transactions. We show that the upper bound on expected theft for a coin-wallet is asymptotically $\mu^{-2}$ as $\mu \to 0$, while for a plausible (similar) parameter choice the bound for a balance-wallet is $O(\exp(mv\mu))$, where $1 < m$. The former is nicely bounded for small transactions; however, the bound for a balance-wallet can become huge in those cases where we require a very small false alarm probability. We conclude that partial audit may be suitable for coin-wallets with low denomination coins, and possibly for balance-wallets when we may tolerate a relatively high false alarm rate, but it may be too risky for balance-wallets where a very low false alarm rate is required.

Keywords: cryptography, e-cash, randomized-audit, risk-management, economy

1. Introduction

1.1. Background

We use the term coin-wallet (in short c-wallet) for a device in which individual fixed-value coins are maintained, and balance-wallet (b-wallet) for a device in which only the total value available is maintained. We analyze those systems separately, even though real devices can (and probably should) support both. The processing cost of a transaction must be very small compared to the transaction value. For micropayments this may become a challenge.
One way to save on transaction processing costs is to use off-line systems, where the bank is involved only in large batch processing during withdrawal and deposit, but is not a party to ordinary payment transactions. This approach requires hardware wallets that are very hard to break. Reasonably priced consumer electronics devices (e.g., smart cards) are not very hard to break. Alternatively, a payment system can be fully on-line, where the bank is involved in every transaction. On-line systems have a much higher processing cost per transaction. On-line and off-line e-cash systems are at the ends of a spectrum characterized by the real-time audit sampling rate, $0 \le \mu \le 1$. A system is sound if its breaking cost exceeds the expected theft (theft is due to the fact that possibly not all the transactions are audited). On the plane of audit rate vs. breaking cost we want to explore the continuum along which soundness is maintained. For any breaking cost we can find the required sampling rate that assures soundness. The hope is that for a realistic breaking cost the required sampling rate is small enough that the system is much cheaper to operate than a fully on-line system.

Statement of the main problem

Given that not all the transactions are audited in real time, a thief (after breaking one or more wallets) may be able to spend the same coin more than once without being caught (or likewise, in a balance-wallet, may be able to spend beyond his balance). This has a non-zero success probability. Once a wallet is identified as misbehaving it is revoked, and can no longer engage in transactions with good wallets (which are equipped with proper revocation lists). So theft can be bounded. Our goal is to upper bound the expected theft under the most adversarial conditions (i.e., most favorable to the thief). Once we know the bounds we can design proper counter-measures to assure soundness. We show that under the assumption that a constant audit sampling rate $\mu$ is enforced (along with some other common assumptions about trust and cryptography, and some reasonable assumptions on parameter sizes) the tight upper bound on the value of theft from one broken coin-wallet is asymptotically $\mu^{-2}$ as $\mu \to 0$, measured in units of coins (note 1). This approximation is quite good for all values of $0 \le \mu \le 1$. For example, for $\mu = 0$ there is no audit at all, hence theft can go to infinity ($E(\mu)$ is not defined), while when all the transactions are audited in real time ($\mu = 1$) theft goes to zero, and in this approximation we get a theft of just one unit (coin), which is close enough (a more precise expression for large values of $\mu$ is $E(\mu) = \mu^{-2} - 1$). For a balance-wallet with similar parameters the upper bound on expected theft, $E(\mu)$, is $O(\exp(+mv\mu))$, which in some cases can become huge. This implies that when partial audit is desired, coin-wallets are much safer.
Related work on e-cash (with emphasis on randomized audit): the first balance-wallet is described in [4]. Paper [6] is the first known to me that proposes the use of randomized audit with e-cash systems. Papers [7,18] started the analysis of risk-management aspects of randomized audit on e-cash systems. The first analyzes balance-wallets, while the second discusses coin-wallets, and finds the probability of failure to detect fraud for a burst attack (the optimal attack, as shown here, is a trickle attack). Paper [13] proposed a payment system based on lottery tickets. In [16] another randomized system is presented, where the payees do not always pay (in [13] they always pay, but the payee does not always deposit). Papers [2,3] pioneered the research on conditional anonymity. Later papers along these lines include [5,10-12,17]. An earlier version of this paper appeared in [19].

Assumptions

1. Banks, auditors, and certification authorities (CA) are honest, and cryptographic signatures are unbreakable (note 2).
2. The First Depositor of a coin Wins (FDW).

3. Audits happen in rounds. If a payer is detected as misbehaving, and is revoked before or during the current round, then all of his transactions in the current round are invalidated.
4. A uniform distribution of randomized audit is enforced on all the honest players.

The last item is difficult to approximate. We hint at a possible approach in the appendix. The idea is to design the system such that the cost of subverting the audit process of an honest payee exceeds the maximum allowed balance in a wallet. Since this cannot violate soundness, this subversion can be excluded from consideration (note 3).

Structure of the rest of the paper

The analysis in section 2 is done under the assumption (among others) that the audit regime is enforced on all unbroken payees. In section 2.2 we tightly upper bound the expected theft for a c-wallet. In section 2.3 we analyze the balance-wallet under similar conditions, and find both the false alarm and the failure to alarm probabilities. We argue that in a b-wallet the false alarm probability must be extremely small, and show that under these assumptions expected theft may explode. Finally, in the appendix we give an example of a system that approximates the theoretical model. In this example all the transactions have to wait the same time; however, the infrastructure is cheaper, since it has to accommodate only the audited transactions in real time.

2. Analysis

2.1. Glossary

ADW: All Depositors Win reimbursement policy.
alarm threshold: a real value $x > 1$ such that a b-wallet is signaled as a potential violator if the total value of audited transactions exceeds $v\mu x$.
$a = n\mu$: the total number of audited transactions out of $n$ (see $n$ below).
b-wallet, c-wallet: balance-wallet, coin-wallet, respectively.
$C_B$: total breaking cost of a wallet.
CRL: update to Certificate Revocation List.
$E\{T\}$: expected theft.
FDW: First Depositor Wins reimbursement policy.
$h : \{0,1\}^* \to \{0,1\}^n$: hash function (assumed to behave like a random function).
$k$-off c-wallet: a c-wallet in which a coin may change $k$ hands before it must be deposited.
$\mu$: audit (constant) sampling rate.
$m$: multispending factor; a wallet with initial balance $v$ which spends $s$ has a multispending factor of $m = s/v$.

$m_b$, $m_c$: the value of the optimal (for the adversary) multispending factor for b-wallet and c-wallet, respectively.
$n$: the total number of transactions in the sample space (one audit round).
$q_b(m)$, $q_c(m)$: failure to alarm probability for b-wallet and c-wallet, respectively, for multispending factor $m$.
$q_{b1}$: false alarm probability for b-wallet.
$V$: the maximum legal balance in a wallet.
$v$: the number of coins used in a given audit round from one wallet, $v \le V$.

2.2. Coin-wallet

A thief spends $v$ original coins, where coin $i$ is multispent $m_i \ge 1$ times, $i = 0, 1, \ldots, v-1$, in one audit interval, after which the auditor takes a fraction $\mu$ of sample transactions for an audit. We denote the failure to alarm probability for a given wallet as $q_c = \Pr[\text{none of the (multispent) coins is audited more than once}]$. It depends on the audit rate $\mu$ and on the vector of natural multispending factors $\mathbf{m} = (m_0, \ldots, m_{v-1})$. It is defined only for $0 \le \mu < 1$ and where at least one of the multispending factors $m_j > 1$ (otherwise there is no crime, and failure to alarm is meaningless).

Lemma 2.1.
$$q_c \le \prod_{i=0}^{v-1}\left[(1-\mu)^{m_i-1}\bigl(1+\mu(m_i-1)\bigr)\right].$$

Proof. Each of the $v \le V$ coins used in the attack must escape detection, so each is audited at most once. Audit happens with probability $\mu$. So for each coin we add the probabilities of the independent events that it was not audited or audited once, and multiply these results for the $v$ coins. So,
$$q_c \le \prod_{i=0}^{v-1}\left[\sum_{j=0}^{1}\binom{m_i}{j}\mu^j(1-\mu)^{m_i-j}\right] = \prod_{i=0}^{v-1}\left[(1-\mu)^{m_i} + m_i\mu(1-\mu)^{m_i-1}\right] = \prod_{i=0}^{v-1}\left[(1-\mu)^{m_i-1}\bigl(1+\mu(m_i-1)\bigr)\right].$$

Lemma 2.2. For a fixed fraud volume (i.e., a fixed value of $\sum_{i=0}^{v-1} m_i$), the choice of a uniform value of $m$ for all the coins maximizes $q_c$. In that case we denote it $q_c(m)$.

Proof. Consider the case $v = 2$ (i.e., just two original coins). Let $m_0 \ne m_1$. We compare
$$\prod_{i=0}^{1}(1-\mu)^{m_i-1}\bigl(1+\mu(m_i-1)\bigr) \quad\text{to}\quad \left[(1-\mu)^{m-1}\bigl(1+\mu(m-1)\bigr)\right]^2, \quad m = (m_0+m_1)/2.$$
One can easily see that if $m_0 \ge 1$ and $m_1 \ge 1$ then
$$(1-\mu)^{m_0-1}(1-\mu)^{m_1-1} = \left[(1-\mu)^{m-1}\right]^2,$$
and that if $m_0 \ne m_1$ then
$$\bigl(1+\mu(m_0-1)\bigr)\bigl(1+\mu(m_1-1)\bigr) < \bigl(1+\mu(m-1)\bigr)^2,$$
since the product of two distinct positive numbers is smaller than the square of their mean. This implies that the adversary is better off replacing $m_0$ and $m_1$ with $m$. The case $v > 2$ follows likewise: if any two coins $i, j$ with $m_i \ne m_j$ are replaced with two coins with the same $m = (m_i + m_j)/2$, then we know that $q_c$ increases. We can repeat this process until all the coins have the same $m$, changing one pair at a time. (This technique could also be used to show that information-theoretic entropy is maximized by a uniform density.)

Lemma 2.3. $q_c(m)$ is maximized for $m = 2$.

Proof. In the expression for $q_c$ we use a uniform value of $m$ (and change the notation to $q_c(m)$). So
$$q_c(m) = \left[(1-\mu)^{m-1}\bigl(1+\mu(m-1)\bigr)\right]^v.$$
To see that the smallest $m > 1$ (if $m \le 1$ there is no theft) maximizes $q_c(m)$, we take the derivative of $q_c(m)$ with respect to $m$ and show that it is negative. This, together with the fact that for a c-wallet $m$ must be an integer, yields the claim. Let $\psi = (1-\mu)^{m-1}(1+\mu(m-1))$. Then
$$\frac{d}{dm}\,q_c(m) = v\,\psi^{v-1}\left[\Bigl((1-\mu)^{m-1}\ln(1-\mu)\Bigr)\bigl(1+\mu(m-1)\bigr) + (1-\mu)^{m-1}\mu\right].$$
One can easily verify that for $\mu < 1$ and $m > 1$ we get $(d/dm)\,q_c(m) < 0$: since $\ln(1-\mu) < -\mu$, the bracket is less than $(1-\mu)^{m-1}\bigl(\mu - \mu(1+\mu(m-1))\bigr) = -(1-\mu)^{m-1}\mu^2(m-1) < 0$.

Let $E(\mu)$ denote the expected theft in the following experiment.

Experiment 2.1. In each audit round, as long as she is not revoked, the thief withdraws $v$ fresh coins and multispends each $m$ times, until she is caught. In each round, if she is not caught, her gain (theft) is $(m-1)v$. We multiply this by the probability of not being caught, which for round $i$ is $q_c(m)^i$ (i.e., the probability that up to and including round $i$ she was not caught). We sum over all the rounds, to get
$$E(\mu) = (m-1)v\sum_{i=1}^{\infty} q_c(m)^i = (m-1)v\,\frac{q_c(m)}{1-q_c(m)}.$$
Clearly the maximal $q_c(m)$ (i.e., $q_c(2)$) maximizes $E(\mu)$.
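The quantities of Lemmas 2.1 to 2.3 and of Experiment 2.1, evaluated and checked numerically. This is an added example, not code from the paper. It assumes only the formulas above; the Monte Carlo routine additionally models each of the $m$ copies of a coin as audited independently with probability $\mu$ (the independence used in the proof of Lemma 2.1), and the search over $v$ reports which number of coins maximizes $E(\mu)$ for a fixed $m$.

```python
"""Coin-wallet failure-to-alarm bound q_c and expected theft E(mu) of section 2.2.

Added example, not the paper's code. The Monte Carlo routine assumes that each of the m
copies of a multispent coin is audited independently with probability mu, as in the proof
of Lemma 2.1; all other functions evaluate the paper's closed forms directly."""
import random


def q_c(mu, ms):
    """Lemma 2.1: product over coins of Pr[coin audited at most once], for the multispending
    vector ms = (m_0, ..., m_{v-1}); valid for 0 <= mu < 1."""
    if not 0 <= mu < 1:
        raise ValueError("audit rate must satisfy 0 <= mu < 1")
    q = 1.0
    for m in ms:
        q *= (1 - mu) ** (m - 1) * (1 + mu * (m - 1))
    return q


def expected_theft(mu, m, v):
    """Experiment 2.1: E(mu) = (m-1) v q/(1-q) with a uniform factor m over v coins."""
    if m <= 1:
        raise ValueError("no theft unless m > 1")
    q = q_c(mu, [m] * v)
    return (m - 1) * v * q / (1 - q)


def uniform_is_better(mu, ms):
    """Lemma 2.2: for the same fraud volume sum(ms), the uniform vector with the mean factor
    gives a failure-to-alarm probability at least as large."""
    mean = sum(ms) / len(ms)
    return q_c(mu, [mean] * len(ms)) >= q_c(mu, ms)


def best_uniform_m(mu, v, m_max=20):
    """Lemma 2.3: the integer m > 1 that maximizes q_c(m), i.e. the thief's best choice."""
    return max(range(2, m_max + 1), key=lambda m: q_c(mu, [m] * v))


def best_v(mu, m, V):
    """The number of coins 1 <= v <= V that maximizes E(mu) for a fixed m."""
    return max(range(1, V + 1), key=lambda v: expected_theft(mu, m, v))


def simulated_failure_to_alarm(mu, m, v, trials, seed=0):
    """Monte Carlo estimate of q_c for one audit round: the thief escapes iff none of her v
    coins is audited twice among its m copies. Constructed experiment, seeded for repeatability."""
    rng = random.Random(seed)
    escaped = 0
    for _ in range(trials):
        caught = False
        for _coin in range(v):
            audits = sum(1 for _ in range(m) if rng.random() < mu)
            if audits >= 2:
                caught = True
                break
        escaped += not caught
    return escaped / trials


if __name__ == "__main__":
    for mu in (0.2, 0.1, 0.01):
        print(f"mu={mu}: best m={best_uniform_m(mu, 1)}, best v={best_v(mu, 2, 10)}, "
              f"E={expected_theft(mu, 2, 1):.1f} (mu^-2 - 1 = {mu ** -2 - 1:.1f})")
    print("simulated q_c(2), v=1, mu=0.3:", simulated_failure_to_alarm(0.3, 2, 1, 20000))
```

With $v = 1$ and $m = 2$ the closed form gives $E(\mu) = \mu^{-2} - 1$, i.e. 9999 coins at $\mu = 0.01$; the search over $m$ returns 2 and the search over $v$ returns 1 for every audit rate tried, and the Monte Carlo estimate of $q_c(2)$ at $\mu = 0.3$ lands within a few thousandths of $1 - \mu^2 = 0.91$.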

Theorem 2.1. $E(\mu) \sim \mu^{-2}$ as $\mu \to 0$; more precisely, for the optimal attack $E(\mu) = \mu^{-2} - 1$.

Proof. $q_c(2) = [1-\mu^2]^v$. Plugging it (and $m = 2$) into the above expression for $E(\mu)$ yields
$$E(\mu) = v\,\frac{(1-\mu^2)^v}{1-(1-\mu^2)^v}.$$
The value of $1 \le v \le V$ that maximizes this expression is $v = 1$, for which $E(\mu) = (1-\mu^2)/\mu^2 = \mu^{-2} - 1$, and the claim follows.

2.3. Balance-wallet

Let $W$ be a wallet under consideration, with maximum balance $v$ and overspending factor $m$. Suppose that in a given audit interval there are overall $n$ transactions, and the uniform audit rate is $0 < \mu < 1$. Transactions have a uniform value of one unit.

Definition 2.1 (Alarm policy). Declare wallet $W$ guilty if in an audit interval the number of samples coming from $W$ (denoted $S$) exceeds $v\mu x$, where $x > 1$ is real.

The assumption here is that within an audit interval a wallet cannot both spend and withdraw (to replenish its balance); $x$ is a security parameter. It gives us some freedom to balance failure to alarm against false alarm rates. Let $a = n\mu$, and let $X_i$, $i = 1, 2, \ldots, a$, denote mutually independent 0-1 random variables, with $X_i = 1$ iff audit $i$ came from wallet $W$. Let $p(m)$ denote $\Pr[X_i = 1]$. Then $p(m) = mv/n$ and $\Pr[X_i = 0] = 1 - p(m)$. Let $S = \sum_{i=1}^{a} X_i$.

Definition 2.2. (i) Failure to alarm probability $q_b(m) = \Pr[S < v\mu x \mid m > 1]$. (ii) False alarm probability $q_{b1} = \Pr[S > v\mu x \mid m = 1]$.

Let $M$ denote the mean of the random variable $S$, namely $M = mv\mu$. From [9] we have the Chernoff bounds for the left tail ($0 < \delta \le 1$),
$$\Pr[S < (1-\delta)M] < e^{-M\delta^2/2},$$
and for the right tail ($0 < \delta$),
$$\Pr[S > (1+\delta)M] < \left[\frac{e^{\delta}}{(1+\delta)^{1+\delta}}\right]^M.$$
Using these inequalities we get: for $1 < x < m$ let $\delta = 1 - x/m$; then
$$q_b(m) < e^{-M\delta^2/2},$$
and for $m = 1 < x$ (so that $M = v\mu$ and $1 + \delta = x$)
$$q_{b1} < \left[\frac{e^{x-1}}{x^x}\right]^{v\mu}.$$
For example, for $\mu = 0.01$ and $v = 10^3$, $x = 2$ gives $q_{b1} < (e/4)^{10} \approx 0.02$, while $x = 15$ yields a negligible $q_{b1}$. As before, in the case of the c-wallet, $E(\mu) = (m-1)v\,q_b(m)/(1-q_b(m))$, and since $q/(1-q)$ is increasing in $q$,
$$E(\mu) < (m-1)v\left(e^{M\delta^2/2}-1\right)^{-1}.$$

Attack

If the adversary knows the threshold $x$, she can choose a multispending factor $1 < m < x$. In this case the failure to alarm probability becomes the complement of a small right tail, and can become huge. Moreover, it grows as the sampling rate $\mu$ grows. Finding the alarm threshold $x$ is similar to a common medical insurance fraud, where clients file false claims with gradually increasing value until they hit an audit [15]. If we compensate with $x$ for the increase in $\mu$ so as to keep the false alarm rate fixed, then as $\mu$ goes up, $x$ decreases. Once $x < m$ everything at once goes back to normal (the failure to alarm probability becomes a small left tail, as we would like it to be).

Exact expressions

For a given $x > 1$, let $r = \Pr[S > mv\mu x \mid 1 < m < x]$. The expression for $r$ resembles that of $q_{b1}$, since both are right tails of similar distributions; they become identical for $m = 1$. Using the previous Chernoff bound for a right tail with $x = 1 + \delta$ we get
$$r < \left[\frac{e^{x-1}}{x^x}\right]^{mv\mu}.$$
In this case $q_b(m) = 1 - r$. So
$$E(\mu) > (m-1)v\,\frac{q_b(m)}{1-q_b(m)} = (m-1)v\left(\frac{1}{r}-1\right).$$
For $x > 1$ it is always the case that $x^x > e^{x-1}$, so $r$ shrinks exponentially in $mv\mu$ and we get the paradoxical effect $E(\mu) = O(\exp(+mv\mu))$: the bound on theft grows with the audit rate. Explosion happens for large $x$, e.g., $x = 15$, which is needed in cases where it is important to have a negligible false alarm probability.

Acknowledgements

I thank Brian Beckman, Josh Benaloh, Wei Dai, Paul England, Dan Simon, Matt Thomlinson, and Gideon Yuval for many helpful discussions. I would also like to thank an anonymous referee of Netnomics for his constructive criticism.
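The alarm policy of section 2.3 worked through numerically: the Chernoff bounds on $q_{b1}$ and $q_b(m)$, their exact binomial counterparts under Definition 2.1, and the trickle-attack bound of the "Exact expressions" paragraph. This is an added example, not code from the paper. The paper leaves $n$ (the number of transactions per round) unspecified, so the value used below is an assumption; the exact functions alarm on $S > v\mu x$ as in Definition 2.1, whereas the paper's $r$ is stated against the threshold $mv\mu x$, and the trickle bound follows the paper's form.

```python
"""Balance-wallet alarm policy of section 2.3: Chernoff bounds on the false alarm and
failure-to-alarm probabilities, their exact binomial values, and the trickle-attack bound.

Added example, not the paper's code. The paper does not fix n (transactions per round); the
value in __main__ is chosen here. Exact values use Definition 2.1 (alarm iff S > v mu x) with
S ~ Binomial(a = n mu, p = m v / n)."""
import math


def chernoff_false_alarm(mu, v, x):
    """q_b1 < [e^(x-1) / x^x]^(v mu): right-tail bound with M = v mu (honest wallet, m = 1)
    and 1 + delta = x."""
    if x <= 1:
        raise ValueError("alarm threshold x must exceed 1")
    return (math.exp(x - 1) / x ** x) ** (v * mu)


def chernoff_failure_to_alarm(mu, v, x, m):
    """q_b(m) < exp(-M delta^2 / 2) with M = m v mu and delta = 1 - x/m; the left-tail bound
    applies only to a burst attack, 1 < x < m."""
    if not 1 < x < m:
        raise ValueError("left-tail bound needs 1 < x < m")
    M, delta = m * v * mu, 1 - x / m
    return math.exp(-M * delta ** 2 / 2)


def binomial_cdf(n, p, k):
    """Pr[S <= k] for S ~ Binomial(n, p), summed in log space so large n does not overflow."""
    if not 0 < p < 1:
        raise ValueError("p must lie strictly between 0 and 1")
    k = min(math.floor(k), n)
    log_n_fact = math.lgamma(n + 1)
    total = 0.0
    for j in range(k + 1):
        log_pmf = (log_n_fact - math.lgamma(j + 1) - math.lgamma(n - j + 1)
                   + j * math.log(p) + (n - j) * math.log1p(-p))
        total += math.exp(log_pmf)
    return min(total, 1.0)


def exact_false_alarm(mu, v, n, x):
    """Pr[S > v mu x] for an honest wallet (m = 1)."""
    return 1 - binomial_cdf(round(n * mu), v / n, v * mu * x)


def exact_failure_to_alarm(mu, v, n, x, m):
    """Pr[S <= v mu x] for a wallet that spends m v units in the round (no alarm raised)."""
    return binomial_cdf(round(n * mu), m * v / n, v * mu * x)


def trickle_log_theft_bound(mu, v, x, m):
    """ln of the lower bound E(mu) > (m-1) v (1/r - 1), with r < [e^(x-1)/x^x]^(m v mu), for a
    thief who stays under the threshold (1 < m < x). Kept in log space: r underflows quickly."""
    if not 1 < m < x:
        raise ValueError("trickle attack needs 1 < m < x")
    ln_r = m * v * mu * ((x - 1) - x * math.log(x))    # negative, since x^x > e^(x-1) for x > 1
    y = -ln_r
    ln_term = math.log(math.expm1(y)) if y < 700 else y  # ln(e^y - 1) without overflow
    return math.log((m - 1) * v) + ln_term


if __name__ == "__main__":
    mu, v, n = 0.01, 1000, 100_000          # n chosen here; the paper leaves it open
    for x in (2, 15):
        print(f"x={x}: q_b1 bound={chernoff_false_alarm(mu, v, x):.3g}, "
              f"exact={exact_false_alarm(mu, v, n, x):.3g}")
    print("burst m=4, x=2: q_b bound=%.3g exact=%.3g" % (
        chernoff_failure_to_alarm(mu, v, 2, 4), exact_failure_to_alarm(mu, v, n, 2, 4)))
    print("trickle m=1.5, x=2: exact failure to alarm=%.3f"
          % exact_failure_to_alarm(mu, v, n, 2, 1.5))
    for rate in (0.01, 0.02):
        print(f"mu={rate}: ln E(mu) > {trickle_log_theft_bound(rate, v, 15, 2):.0f}")
```

For the paper's parameters ($\mu = 0.01$, $v = 10^3$) the $x = 2$ bound on $q_{b1}$ evaluates to about $0.021$ and the exact binomial value is an order of magnitude smaller; a burst attacker with $m = 4$ is caught with probability above $0.99$, while a trickle attacker with $m = 1.5 < x = 2$ escapes the alarm roughly nine times out of ten. Doubling $\mu$ with $x = 15$ roughly doubles $\ln E(\mu)$ in the trickle bound, which is the explosion the text describes.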

Appendix. Practical considerations

The audit protocol

Let CRL denote updates to Certificate Revocation Lists (with a proper design a CRL for the whole USA may be on the order of 1 MByte, so many hand-held devices can store it). "$\Rightarrow$" denotes broadcast, "$\to$" denotes a transmission, and $x_i, x_{i+1}, \ldots$ denote audit instructions; we assume they are randomly generated in each wallet. $T_i^+, T_i^-$ denote signed hash trees [8] for the good and bad transactions that were audited in round $i$; trans = transaction. Recall that we assume that all the communications are cryptographically protected for secrecy and integrity (and omit the mechanisms from this description). A typical audit round may look like this.

Table 1. Round $i$ of the audit protocol.

1. Auditor $\Rightarrow$ all: $(\mathrm{CRL}_{i-1}, T_{i-1}^+, T_{i-1}^-)$.
2. Payee $\to$ Auditor: if $h(\text{trans}) = x_{i-1}$ then (trans).
3. Auditor $\Rightarrow$ all: $(\mathrm{CRL}_i, T_i^+, T_i^-)$.
4. Payee: conclude the current trans if the payer is not revoked and, for an audited trans, trans $\in T_i^+$.

Note that in this approximation both audited and non-audited transactions have the same one-round delay before completion (we still benefit from partial real-time audit in terms of load on the infrastructure; there are other approximations which allow non-audited transactions to conclude immediately, but they are riskier). We are interested in the net gain or loss of bad collusions, and assume that coins are non-transferable, i.e., that when an honest payee receives a coin he eventually deposits it back to the bank. This implies that we can lump any bad collusion into one large node. In addition, we engineer the system such that monitoring the behavior of an honest payee costs more than the maximum allowed balance in a wallet (an honest payee deposits when his balance reaches the maximum). Thus audit-subversion attacks on honest payees are excluded (they do not make economic sense to the thief) (note 3).

Notes

1. Throughout the paper we express our results asymptotically; however, these asymptotes are good approximations of actual behaviors with realistic parameters.
2. These assumptions may seem too strong, but if we want users to be able to withdraw money from their bank accounts, and vendors to be able to deposit into their bank accounts, then we must trust that banks do not steal from those accounts. Likewise, we must trust that the CA is honest, so that user A cannot impersonate user B when talking to the bank. If risk management relies on some audit process, as advocated here (and as done in any quality control), then the auditor must be trusted as well. Finally, it is convenient to assume that cryptographic signatures are unbreakable, since currently, to the best of our knowledge, they are by far the most reliable element in any protection system.
3. Example attack on honest payees: the attacker breaks one c-wallet, to be used as a payer, and monitors the payee's interaction with the auditor. She multispends a coin (not to the same payee) until it is sent for audit. Then she stops using this coin and starts using another coin.

References

[1] N. Alon, J.H. Spencer and P. Erdős, The Probabilistic Method (Wiley/Interscience, New York).
[2] D. Chaum, Achieving electronic privacy, Scientific American (August 1992).
[3] D. Chaum, A. Fiat and M. Naor, Untraceable electronic cash, in: Proc. of Crypto 88 (1992), Appendix A.
[4] S. Even, O. Goldreich and Y. Yacobi, Electronic wallet, in: Proc. of Crypto 83 (see also the Zurich 94 Seminar).
[5] M. Franklin and M. Yung, Secure and efficient off-line digital money, in: Proc. of the 20th ICALP (1993).
[6] E. Gabber and A. Silberschatz, Agora: A minimal distributed protocol for electronic commerce, in: USENIX Workshop on E-Commerce, Oakland, CA (November 1996).
[7] S. Jarecki and A.M. Odlyzko, An efficient micropayment system based on probabilistic polling, in: Proc. Financial Cryptography 97, ed. R. Hirschfeld, Lecture Notes in Computer Science (Springer, Berlin).
[8] R.C. Merkle, Protocols for public key cryptosystems, in: Proc. of the 1980 Symp. on Security and Privacy, IEEE Computer Society (April 1980).
[9] R. Motwani and P. Raghavan, Randomized Algorithms (Cambridge Univ. Press, Cambridge, 1997).
[10] T. Okamoto, An efficient divisible electronic cash scheme, in: Proc. of Crypto 95, Lecture Notes in Computer Science, Vol. 963 (Springer, Berlin).
[11] T. Okamoto and K. Ohta, Disposable zero-knowledge authentications and their applications to untraceable electronic cash, in: Proc. Crypto 89, Lecture Notes in Computer Science, Vol. 435 (Springer, Berlin).
[12] T. Okamoto and K. Ohta, Universal electronic cash, in: Proc. Crypto 90, Lecture Notes in Computer Science, Vol. 576 (Springer, Berlin).
[13] R.L. Rivest, Electronic lottery tickets as micropayments, in: Proc. Financial Cryptography 97, ed. R. Hirschfeld, Lecture Notes in Computer Science (Springer, Berlin).
[14] D.R. Simon, Anonymous communication and anonymous cash, in: Proc. Crypto 96, Lecture Notes in Computer Science (Springer, Berlin).
[15] H. Varian, Private communication.
[16] D. Wheeler, Transactions using bets, in: Proc. ARE, Lecture Notes in Computer Science (Springer, Berlin, 1997).
[17] Y. Yacobi, Efficient E-money, in: Proc. Asiacrypt 94, Lecture Notes in Computer Science, Vol. 917 (Springer, Berlin).
[18] Y. Yacobi, On the continuum between on-line and off-line e-cash systems I, in: Proc. Financial Cryptography 97, ed. R. Hirschfeld, Lecture Notes in Computer Science (Springer, Berlin).
[19] Y. Yacobi, Risk management for e-cash systems with partial real-time audit, in: Proc. Financial Cryptography 1999, ed. M. Franklin, Lecture Notes in Computer Science (Springer, Berlin).
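The audit round of Table 1 in the appendix, as a toy simulation. This is an added example, not code from the paper. Assumptions beyond the paper: SHA-256 plays the role of $h$; an HMAC tag under a key shared with the payee stands in for the auditor's signature on $(\mathrm{CRL}_i, T_i^+, T_i^-)$ (a deployment would use a public-key signature, which needs no shared key at the payee); the test "$h(\text{trans}) = x_i$" is read as "the leading AUDIT_BITS bits of $h(\text{trans})$ equal the instruction", which gives an audit rate of $\mu = 2^{-\mathrm{AUDIT\_BITS}}$; and a multispend is detected when the same coin identifier appears in two different audited transactions, after which the payer is revoked and all his transactions in the round are invalidated (assumption 3). The transactions, payer and payee names, and the key are constructed sample data.

```python
"""Toy simulation of one round of the audit protocol in Table 1 of the appendix.
Added example, not the paper's code. Assumptions beyond the paper: SHA-256 as h; an HMAC tag in
place of the auditor's signature over (CRL_i, T_i^+, T_i^-); 'h(trans) = x_i' read as 'the top
AUDIT_BITS bits of h(trans) equal x_i', so mu = 2^-AUDIT_BITS; a multispend detected as one coin
identifier inside two different audited transactions. Transactions are constructed sample data."""
import hashlib
import hmac
import random

AUDIT_BITS = 3            # mu = 1/8 of the transactions are audited in real time

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def encode(trans) -> bytes:
    """trans = (coin_id, payer, payee); one unit per transaction, as in the model."""
    return "|".join(map(str, trans)).encode()

def is_audited(trans, instruction: int) -> bool:
    """Payee-side test 'h(trans) = x_i' on the top AUDIT_BITS bits of the hash."""
    return h(encode(trans))[0] >> (8 - AUDIT_BITS) == instruction

def merkle_tree(leaves):
    """Hash tree (Merkle [8]) over leaf hashes: (root, {leaf: authentication path}).
    An odd level is padded by duplicating its last node; the duplicate carries no leaves."""
    if not leaves:
        return h(b""), {}
    paths = {leaf: [] for leaf in leaves}
    level, members = list(leaves), [[leaf] for leaf in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
            members.append([])
        nxt, nxt_members = [], []
        for i in range(0, len(level), 2):
            left, right = level[i], level[i + 1]
            for leaf in members[i]:
                paths[leaf].append(("R", right))   # sibling is on the right
            for leaf in members[i + 1]:
                paths[leaf].append(("L", left))    # sibling is on the left
            nxt.append(h(left + right))
            nxt_members.append(members[i] + members[i + 1])
        level, members = nxt, nxt_members
    return level[0], paths

def merkle_verify(root: bytes, leaf: bytes, path) -> bool:
    node = leaf
    for side, sibling in path:
        node = h(node + sibling) if side == "R" else h(sibling + node)
    return node == root

def tag(key: bytes, crl, t_plus: bytes, t_minus: bytes) -> bytes:
    """Stand-in for the auditor's signature on the round's broadcast (assumption)."""
    return hmac.new(key, repr(crl).encode() + t_plus + t_minus, "sha256").digest()

class Auditor:
    def __init__(self, key: bytes):
        self.key, self.crl = key, set()

    def run_round(self, submitted):
        """Take the audited transactions of round i and broadcast (CRL_i, T_i^+, T_i^-).
        A coin inside two different transactions is a multispend: the payer is revoked and,
        per assumption 3, all of his transactions in this round land in T_i^-."""
        by_coin = {}
        for t in submitted:
            by_coin.setdefault(t[0], set()).add(t)
        for same_coin in by_coin.values():
            if len(same_coin) > 1:
                self.crl.update(t[1] for t in same_coin)
        good = list(dict.fromkeys(h(encode(t)) for t in submitted if t[1] not in self.crl))
        bad = list(dict.fromkeys(h(encode(t)) for t in submitted if t[1] in self.crl))
        t_plus, paths = merkle_tree(good)
        t_minus, _ = merkle_tree(bad)
        crl = tuple(sorted(self.crl))
        return {"crl": crl, "t_plus": t_plus, "t_minus": t_minus,
                "tag": tag(self.key, crl, t_plus, t_minus), "paths": paths}

def payee_conclude(trans, broadcast, key: bytes, audited: bool) -> bool:
    """Last line of Table 1: check the tag, refuse a revoked payer, and for an audited
    transaction demand a valid inclusion path in T_i^+."""
    crl, t_plus, t_minus = broadcast["crl"], broadcast["t_plus"], broadcast["t_minus"]
    if not hmac.compare_digest(tag(key, crl, t_plus, t_minus), broadcast["tag"]):
        return False
    if trans[1] in crl:
        return False
    if not audited:
        return True
    leaf = h(encode(trans))
    path = broadcast["paths"].get(leaf)
    return path is not None and merkle_verify(t_plus, leaf, path)

def simulate_round(seed=1):
    """Constructed round: honest payer A spends coins 1..5 once, thief T spends coin 9 twice.
    Returns ({trans: concluded?}, CRL_i)."""
    rng = random.Random(seed)
    key = b"auditor-key"                               # assumption: shared MAC key
    auditor = Auditor(key)
    instruction = rng.randrange(2 ** AUDIT_BITS)       # x_i, fresh each round
    transactions = [(c, "A", "B") for c in range(1, 6)] + [(9, "T", "B"), (9, "T", "C")]
    audited = {t: is_audited(t, instruction) for t in transactions}
    broadcast = auditor.run_round([t for t in transactions if audited[t]])
    return {t: payee_conclude(t, broadcast, key, audited[t]) for t in transactions}, broadcast["crl"]
```

In the constructed round the thief is caught only if both spendings of coin 9 hit the audit instruction, which is exactly the $\mu^2$ term behind Theorem 2.1; the honest payer's transactions always conclude, audited ones through an inclusion path in $T_i^+$ and the rest on the revocation check alone. A payee who receives a broadcast with a bad tag, or an audited transaction missing from $T_i^+$, refuses to conclude, and a revocation persists into later rounds because the auditor carries its CRL forward.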


More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Secret Sharing Vault should only open if both Alice and Bob are present Vault should only open if Alice, Bob, and Charlie are

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 22 November 27, 2017 CPSC 467, Lecture 22 1/43 BBS Pseudorandom Sequence Generator Secret Splitting Shamir s Secret Splitting Scheme

More information

ON THE ECONOMIC PAYOFF OF FORENSIC SYSTEMS WHEN USED TO TRACE COUNTERFEITED SOFTWARE AND CONTENT

ON THE ECONOMIC PAYOFF OF FORENSIC SYSTEMS WHEN USED TO TRACE COUNTERFEITED SOFTWARE AND CONTENT ON THE ECONOMIC PAYOFF OF FORENSIC SYSTEMS WHEN USED TO TRACE COUNTERFEITED SOFTWARE AND CONTENT YACOV YACOBI Abstract. We analyze how well forensic systems reduce counterfeiting of software and content.

More information

PERFECTLY secure key agreement has been studied recently

PERFECTLY secure key agreement has been studied recently IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 45, NO. 2, MARCH 1999 499 Unconditionally Secure Key Agreement the Intrinsic Conditional Information Ueli M. Maurer, Senior Member, IEEE, Stefan Wolf Abstract

More information

Final Examination. Adrian Georgi Josh Karen Lee Min Nikos Tina. There are 12 problems totaling 150 points. Total time is 170 minutes.

Final Examination. Adrian Georgi Josh Karen Lee Min Nikos Tina. There are 12 problems totaling 150 points. Total time is 170 minutes. Massachusetts Institute of Technology 6.042J/18.062J, Fall 02: Mathematics for Computer Science Prof. Albert Meyer and Dr. Radhika Nagpal Final Examination Your name: Circle the name of your Tutorial Instructor:

More information

ASPECIAL case of the general key agreement scenario defined

ASPECIAL case of the general key agreement scenario defined IEEE TRANSACTIONS ON INFORMATION THEORY, VOL 49, NO 4, APRIL 2003 839 Secret-Key Agreement Over Unauthenticated Public Channels Part III: Privacy Amplification Ueli Maurer, Fellow, IEEE, and Stefan Wolf

More information

Zero-Knowledge Proofs and Protocols

Zero-Knowledge Proofs and Protocols Seminar: Algorithms of IT Security and Cryptography Zero-Knowledge Proofs and Protocols Nikolay Vyahhi June 8, 2005 Abstract A proof is whatever convinces me. Shimon Even, 1978. Zero-knowledge proof is

More information

is caused by the urgent need to protect against account-holders who doublespend their electronic cash, since hardly anything is easier to copy than di

is caused by the urgent need to protect against account-holders who doublespend their electronic cash, since hardly anything is easier to copy than di Untraceable O-line Cash in Wallets with Observers (Extended abstract) Stefan Brands CWI, PO Box 4079 Amsterdam, The Netherlands. E-mail: brands@cwi.nl Abstract. Incorporating the property of untraceability

More information

Notes for Lecture 17

Notes for Lecture 17 U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,

More information

A Note on Negligible Functions

A Note on Negligible Functions Appears in Journal of Cryptology Vol. 15, 2002, pp. 271 284. Earlier version was Technical Report CS97-529, Department of Computer Science and Engineering, University of California at San Diego, March

More information

Quantum-secure symmetric-key cryptography based on Hidden Shifts

Quantum-secure symmetric-key cryptography based on Hidden Shifts Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering

More information

Design Validations for Discrete Logarithm Based Signature Schemes

Design Validations for Discrete Logarithm Based Signature Schemes Proceedings of the 2000 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2000) (18 20 january 2000, Melbourne, Australia) H. Imai and Y. Zheng Eds. Springer-Verlag, LNCS 1751,

More information

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem A Knapsack Cryptosystem Based on The Discrete Logarithm Problem By K.H. Rahouma Electrical Technology Department Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com

More information

1 Number Theory Basics

1 Number Theory Basics ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information

An Identification Scheme Based on KEA1 Assumption

An Identification Scheme Based on KEA1 Assumption All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to

More information

Blind Collective Signature Protocol

Blind Collective Signature Protocol Computer Science Journal of Moldova, vol.19, no.1(55), 2011 Blind Collective Signature Protocol Nikolay A. Moldovyan Abstract Using the digital signature (DS) scheme specified by Belarusian DS standard

More information

A METHOD FOR REVOCATION IN GROUP SIGNATURE SCHEMES

A METHOD FOR REVOCATION IN GROUP SIGNATURE SCHEMES Mathematica Moravica Vol. 7 (2003), 51 59 A METHOD FOR REVOCATION IN GROUP SIGNATURE SCHEMES Constantin Popescu Abstract. A group signature scheme allows any group member to sign on behalf of the group

More information

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium

More information

Tutorial: Device-independent random number generation. Roger Colbeck University of York

Tutorial: Device-independent random number generation. Roger Colbeck University of York Tutorial: Device-independent random number generation Roger Colbeck University of York Outline Brief motivation of random number generation Discuss what we mean by a random number Discuss some ways of

More information

Cryptanalysis of Threshold-Multisignature Schemes

Cryptanalysis of Threshold-Multisignature Schemes Cryptanalysis of Threshold-Multisignature Schemes Lifeng Guo Institute of Systems Science, Academy of Mathematics and System Sciences, Chinese Academy of Sciences, Beijing 100080, P.R. China E-mail address:

More information

ANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET

ANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET J. Korean Math. Soc. 46 (2009), No. 1, pp. 59 69 ANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET Jae Hong Seo, HyoJin Yoon, Seongan Lim, Jung Hee Cheon, and Dowon Hong Abstract. The element

More information

Lecture 14: Cryptographic Hash Functions

Lecture 14: Cryptographic Hash Functions CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is

More information

A Strong Identity Based Key-Insulated Cryptosystem

A Strong Identity Based Key-Insulated Cryptosystem A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China

More information

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture: University of Tokyo: Advanced Algorithms Summer 2010 Lecture 6 27 May Lecturer: François Le Gall Scribe: Baljak Valentina As opposed to prime factorization, primality testing is determining whether a given

More information

Towards Provable Security of Substitution-Permutation Encryption Networks

Towards Provable Security of Substitution-Permutation Encryption Networks Towards Provable Security of Substitution-Permutation Encryption Networks Zhi-Guo Chen and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University at Kingston, Ontario,

More information

An Overview of Homomorphic Encryption

An Overview of Homomorphic Encryption An Overview of Homomorphic Encryption Alexander Lange Department of Computer Science Rochester Institute of Technology Rochester, NY 14623 May 9, 2011 Alexander Lange (RIT) Homomorphic Encryption May 9,

More information

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions

More information

AN OBSERVATION ABOUT VARIATIONS OF THE DIFFIE-HELLMAN ASSUMPTION

AN OBSERVATION ABOUT VARIATIONS OF THE DIFFIE-HELLMAN ASSUMPTION Serdica J. Computing 3 (2009), 309 38 AN OBSERVATION ABOUT VARIATIONS OF THE DIFFIE-HELLMAN ASSUMPTION Raghav Bhaskar, Karthekeyan Chandrasekaran, Satyanaryana V. Lokam, Peter L. Montgomery, Ramarathnam

More information

Introduction to Modern Cryptography Lecture 11

Introduction to Modern Cryptography Lecture 11 Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 16 March 19, 2012 CPSC 467b, Lecture 16 1/58 Authentication While Preventing Impersonation Challenge-response authentication protocols

More information

Lecture 14: Secure Multiparty Computation

Lecture 14: Secure Multiparty Computation 600.641 Special Topics in Theoretical Cryptography 3/20/2007 Lecture 14: Secure Multiparty Computation Instructor: Susan Hohenberger Scribe: Adam McKibben 1 Overview Suppose a group of people want to determine

More information

Pseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016

Pseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016 Pseudonym and Anonymous Credential Systems Kyle Soska 4/13/2016 Moving Past Encryption Encryption Does: Hide the contents of messages that are being communicated Provide tools for authenticating messages

More information

On the Key-collisions in the Signature Schemes

On the Key-collisions in the Signature Schemes On the Key-collisions in the Signature Schemes Tomáš Rosa ICZ a.s., Prague, CZ Dept. of Computer Science, FEE, CTU in Prague, CZ tomas.rosa@i.cz Motivation to study k-collisions Def. Non-repudiation [9,10].

More information

Distributed systems Lecture 4: Clock synchronisation; logical clocks. Dr Robert N. M. Watson

Distributed systems Lecture 4: Clock synchronisation; logical clocks. Dr Robert N. M. Watson Distributed systems Lecture 4: Clock synchronisation; logical clocks Dr Robert N. M. Watson 1 Last time Started to look at time in distributed systems Coordinating actions between processes Physical clocks

More information

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers 1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and

More information

INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING

INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING Changlu Lin State Key Lab. of Information Security, Graduate University of Chinese Academy of Sciences, China Key Lab. of Network Security

More information

A Small Subgroup Attack on Arazi s Key Agreement Protocol

A Small Subgroup Attack on Arazi s Key Agreement Protocol Small Subgroup ttack on razi s Key greement Protocol Dan Brown Certicom Research, Canada dbrown@certicom.com lfred Menezes Dept. of C&O, University of Waterloo, Canada ajmeneze@uwaterloo.ca bstract In

More information

Cryptographical Security in the Quantum Random Oracle Model

Cryptographical Security in the Quantum Random Oracle Model Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons

More information

Entropy Accumulation in Device-independent Protocols

Entropy Accumulation in Device-independent Protocols Entropy Accumulation in Device-independent Protocols QIP17 Seattle January 19, 2017 arxiv: 1607.01796 & 1607.01797 Rotem Arnon-Friedman, Frédéric Dupuis, Omar Fawzi, Renato Renner, & Thomas Vidick Outline

More information

Asymmetric Cryptography

Asymmetric Cryptography Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a

More information

Chapter 4 Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for

More information

1 Secure two-party computation

1 Secure two-party computation CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure

More information

A Security Model for Anonymous Credential Systems

A Security Model for Anonymous Credential Systems A Security Model for Anonymous Credential Systems Andreas Pashalidis and Chris J. Mitchell Information Security Group Royal Holloway, University of London E-mail: {A.Pashalidis,C.Mitchell}@rhul.ac.uk corrected

More information

Round-Efficient Perfectly Secure Message Transmission Scheme Against General Adversary

Round-Efficient Perfectly Secure Message Transmission Scheme Against General Adversary Round-Efficient Perfectly Secure Message Transmission Scheme Against General Adversary Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University, 4-12-1 Nakanarusawa, Hitachi,

More information

Public Key Authentication with One (Online) Single Addition

Public Key Authentication with One (Online) Single Addition Public Key Authentication with One (Online) Single Addition Marc Girault and David Lefranc France Télécom R&D 42 rue des Coutures F-14066 Caen, France {marc.girault,david.lefranc}@francetelecom.com Abstract.

More information

PAIRING-BASED IDENTIFICATION SCHEMES

PAIRING-BASED IDENTIFICATION SCHEMES PAIRING-BASED IDENTIFICATION SCHEMES DAVID FREEMAN Abstract. We propose four different identification schemes that make use of bilinear pairings, and prove their security under certain computational assumptions.

More information

Samostalna Liberalna Stranka

Samostalna Liberalna Stranka Annual Financial Statements with Independent Auditors Report thereon 01 January 2013-31 December 2013 Table of Contents: Independent Auditors report..... 3 Statement of financial position....... 7 Statement

More information

Question: Total Points: Score:

Question: Total Points: Score: University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please

More information

ID-Based Blind Signature and Ring Signature from Pairings

ID-Based Blind Signature and Ring Signature from Pairings ID-Based Blind Signature and Ring Signature from Pairings Fangguo Zhang and Kwangjo Kim International Research center for Information Security (IRIS) Information and Communications University(ICU), 58-4

More information

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Supérieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole

More information

Dr George Danezis University College London, UK

Dr George Danezis University College London, UK Dr George Danezis University College London, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets

More information

Provably Secure Partially Blind Signatures

Provably Secure Partially Blind Signatures Provably Secure Partially Blind Signatures Masayuki ABE and Tatsuaki OKAMOTO NTT Laboratories Nippon Telegraph and Telephone Corporation 1-1 Hikari-no-oka Yokosuka-shi Kanagawa-ken, 239-0847 Japan E-mail:

More information

18733: Applied Cryptography Anupam Datta (CMU) Course Overview

18733: Applied Cryptography Anupam Datta (CMU) Course Overview 18733: Applied Cryptography Anupam Datta (CMU) Course Overview Logistics Introductions Instructor: Anupam Datta Office hours: SV Bldg 23, #208 + Google Hangout (id: danupam) Office hours: Mon 1:30-2:30

More information

Computer Science A Cryptography and Data Security. Claude Crépeau

Computer Science A Cryptography and Data Security. Claude Crépeau Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)

More information

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,

More information

REMARKS ON IBE SCHEME OF WANG AND CAO

REMARKS ON IBE SCHEME OF WANG AND CAO REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com

More information

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes 5th March 2004 Unconditional Security of Quantum Key Distribution With Practical Devices Hermen Jan Hupkes The setting Alice wants to send a message to Bob. Channel is dangerous and vulnerable to attack.

More information

BEYOND POST QUANTUM CRYPTOGRAPHY

BEYOND POST QUANTUM CRYPTOGRAPHY BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography

More information

Information Disclosure in Identity Management

Information Disclosure in Identity Management Information Disclosure in Identity Management all of us Abstract User Controlled Identity Management Systems have the goal to hinder the linkability between the different digital identities of a user.

More information

during signature generation the secret key is never reconstructed at a single location. To provide fault tolerance, one slightly modies the above tech

during signature generation the secret key is never reconstructed at a single location. To provide fault tolerance, one slightly modies the above tech Generating a Product of Three Primes with an Unknown Factorization Dan Boneh and Jeremy Horwitz Computer Science Department, Stanford University, Stanford, CA 94305-9045 fdabo,horwitzg@cs.stanford.edu

More information

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS 1 C Theme : Cryptography Instructor : Prof. C Pandu Rangan Speaker : Arun Moorthy 93115 CS 2 RSA Cryptosystem Outline of the Talk! Introduction to RSA! Working of the RSA system and associated terminology!

More information