Divisible E-cash Made Practical

Similar documents
ECash and Anonymous Credentials

Scalable Divisible E-Cash

Introduction to Cryptography Lecture 13

Multiple Denominations in E-cash with Compact Transaction Data

A FEW E-COMMERCE APPLICATIONS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 9 of Trappe and Washington

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

Cryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Non-Interactive Zero-Knowledge Proofs of Non-Membership

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Achieving Optimal Anonymity in Transferable E-cash with a Judge

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

ABSTRACT. Haejung Park, Master of Arts, Department of Mathematics

Uncloneable Quantum Money

Essam Ghadafi CT-RSA 2016

Systèmes de preuve Groth-Sahai et applications

Fairness realized with Observer

Lecture 1: Introduction to Public key cryptography

Unlinkable Divisible Electronic Cash

Lecture Notes. (electronic money/cash) Michael Nüsken b-it. IPEC winter 2008

Robust Password- Protected Secret Sharing

Blind Collective Signature Protocol

Anonymous Transferable E-Cash

Divisible E-Cash in the Standard Model

An Overview of Homomorphic Encryption

Colluding Attacks to a Payment Protocol and Two Signature Exchange Schemes

Group Blind Digital Signatures: A Scalable Solution to Electronic Cash

Practical Compact E-Cash

Short Randomizable Signatures

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Efficient Smooth Projective Hash Functions and Applications

Public Key Authentication with One (Online) Single Addition

Cryptology. Vilius Stakėnas autumn

Balancing Accountability and Privacy Using E-Cash (Extended Abstract)

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

A Fully-Functional group signature scheme over only known-order group

Security Arguments for Digital Signatures and Blind Signatures

Cryptographical Security in the Quantum Random Oracle Model

George Danezis Microsoft Research, Cambridge, UK

Security Protocols and Application Final Exam

Introduction to Modern Cryptography. Benny Chor

Single-Term Divisible Electronic Coins

A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis

Question: Total Points: Score:

Dr George Danezis University College London, UK

Black-Box Accumulation: Collecting Incentives in a Privacy-Preserving Way

Anonymous Credentials Light

Notes for Lecture 17

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Sub-linear Blind Ring Signatures without Random Oracles

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

A Direct Anonymous Attestation Scheme for Embedded Devices

A METHOD FOR REVOCATION IN GROUP SIGNATURE SCHEMES

Cryptography and Security Final Exam

Improved Algebraic MACs and Practical Keyed-Verification Anonymous Credentials

Flexible Group Key Exchange with On Demand Computation of Subgroup Keys

Secure and Practical Identity-Based Encryption

Cryptography and Security Final Exam

An Anonymous Authentication Scheme for Trusted Computing Platform

A handy multi-coupon system

Theory of Computation Chapter 12: Cryptography

Question 1. The Chinese University of Hong Kong, Spring 2018

Public-Key Identification Schemes based on Multivariate Quadratic Polynomials

A Fair and Efficient Solution to the Socialist Millionaires Problem

A New RSA-Based Signature Scheme

Notes on Zero Knowledge

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Practice Assignment 2 Discussion 24/02/ /02/2018

recover the secret key [14]. More recently, the resistance of smart-card implementations of the AES candidates against monitoring power consumption wa

Authentication. Chapter Message Authentication

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

Quantum Wireless Sensor Networks

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Anonymous Credentials Light

A Small Subgroup Attack on Arazi s Key Agreement Protocol

Accumulators and U-Prove Revocation

Compact E-Cash.

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Lecture Notes 15 : Voting, Homomorphic Encryption

Private Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5

Type-based Proxy Re-encryption and its Construction

1 Number Theory Basics

Anonymous Credential Schemes with Encrypted Attributes

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Lecture V : Public Key Cryptography

A Anonymous Split E-Cash Towards Mobile Anonymous Payments

Lecture 10: Zero-Knowledge Proofs

Ring Group Signatures

New Approach for Selectively Convertible Undeniable Signature Schemes

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes

Monero is Not That Mysterious

A Posteriori Openable Public Key Encryption *

Snarky Signatures: Minimal Signatures of Knowledge from Simulation-Extractable SNARKs

Automorphic Signatures and Applications

Keyword Search and Oblivious Pseudo-Random Functions

Cryptography and Security Final Exam

A Practical Set-Membership Proof for Privacy-Preserving NFC Mobile Ticketing

Non-Interactive Provably Secure Attestations for Arbitrary RSA Prime Generation Algorithms

The Cramer-Shoup Strong-RSA Signature Scheme Revisited

Transcription:

Divisible E-cash Made Practical Sébastien Canard (1), David Pointcheval (2), Olivier Sanders (1,2) and Jacques Traoré (1) (1) Orange Labs, Caen, France (2) École Normale Supérieure, CNRS & INRIA, Paris, France PKC 2015, March 30, 2015

Agenda E-Cash Related Works Our construction Achieving Anonymity Divisible E-cash Made Practical? Conclusion PKC 2015 p 2

PKC 2015 p 3 E-Cash

Context Electronic payment systems offer greater convenience to end-users but at the cost of a loss in terms of privacy In 1982, Chaum proposed E-cash to reconcile the benefits of both solutions E-cash is the digital analogue of regular money PKC 2015 p 4

E-Cash PKC 2015 p 5

Security Properties Users must be anonymous Banks must be able to detect double spendings Defrauders must be identified The detection should be performed offline PKC 2015 p 6

Divisible E-cash Users of E-cash systems spend coins one by one To remain efficient, one must use several denominations = cumbersome for users = change issues Divisible E-cash Systems allow users to withdraw a coin of value V and to spend parts of it efficiently PKC 2015 p 7

Anonymity Different notions of anonymity: Weak Anonymity: transactions involving the same coin are linkable Unlinkability: transactions involving the same coin are unlinkable but some information on the coin is revealed Strong Unlinkability: transactions involving the same coin are unlinkable and no information on the coin is revealed Anonymity: identification of defrauders can be performed without a trusted entity PKC 2015 p 8

PKC 2015 p 9 Related Works

Related Works Eurocrypt 2007: Achieving anonymity is possible. Unpractical construction in the ROM FC 2008: More efficient construction but unconventional security model FC 2010: Improvement of the construction of EC 07. Still too complex Pairing 2012: Unpractical construction in the standard model PKC 2015 p 10

Divisible coin A coin of value 2 n is associated with a binary tree of depth n t ɛ 0 1 t 0 t 1 0 1...... t 00 t 01 Every node s is associated with an element t s PKC 2015 p 11

Divisible coin A coin of value 2 n is associated with a binary tree of depth n t ɛ 0 1 t 0 t 1 0 1...... t 00 t 01 z 00 z 01 Every leaf f is associated with a serial number z f PKC 2015 p 11

Divisible coin A coin of value 2 n is associated with a binary tree of depth n t ɛ 0 1 t 0 t 1 0 1...... t 00 t 01 z 00 z 01 Given t s we can recover z f for every leaf f descending from s PKC 2015 p 11

Security To spend a value 2 l, the user reveals t s with s of depth n l = implicitly reveals 2 l serial numbers Revealing t s must not leak any information on the other serial numbers. Only 2 n serial numbers by coin = double spendings can be detected Divisible E-cash systems without serial numbers are unpractical PKC 2015 p 12

Previous Constructions Alice Bank Bob Bank To withraw a coin, users generate their own tree PKC 2015 p 13

Previous Constructions Alice Bob Acc(t (A) 1,...t (A) V ) Cert A Acc(t (B) 1,...t (B) V ) Cert B Bank Cert A Sign(t (A) i ) Bank Cert B Sign(t (B) i ) To withraw a coin, users generate their own tree and interact with the bank to certify them (without revealing the elements t i ) PKC 2015 p 13

Previous Constructions Alice Bob Acc(t (A) 1,...t (A) V ) Cert A Acc(t (B) 1,...t (B) V ) Cert B Bank Cert A Sign(t (A) i ) Bank Cert B Sign(t (B) i ) Users must prove that their trees are well-formed = leads to complex POK during the Withraw or the Spend protocols PKC 2015 p 13

PKC 2015 p 14 Our Construction

Our setting: Bilinear groups Bilinear groups are sets of 3 groups G 1, G 2 and G T of prime order p along with a map e such that (G 1, G 2 ) G 1 G 2 and a, b Z p e(g a 1, G b 2 ) = e(g 1, G 2 ) a b e(g 1, G 2 ) = 1 GT = G 1 = 1 G1 or G 2 = 1 G2 They play a significant role in cryptography Identity Based Encryption Group Signature... They are compatible with the Groth-Sahai proofs system PKC 2015 p 15

Our construction Parameters: g G 1, g G 2, s, g s g rs for random r s g ɛ g 0... g 00 g 01 e(g, g) y00 e(g, g) y01 Our scheme makes use of only one tree, defined in the parameters No need to prove well-formedness of the tree PKC 2015 p 16

Our construction Parameters: g G 1, g G 2, s, g s g rs for random r s g ɛ g ɛ 00 g 0... gɛ 01 g 00 g 01 g 01 01 e(g, g) y00 e(g, g) y01 s and f, g s f g y f rs e(g s, g s f ) = e(g rs, g y f rs ) = e(g, g) y f PKC 2015 p 16

Withdraw To withdraw a coin, users generate a secret x $ Z p and gets a certificate Cert x on it Withdrawal achievable in constant time Implicitly defined the users trees as: g x ɛ 0 1 g x 0 g x 1 0 1...... g x 00 g x 01 PKC 2015 p 17

Withdraw To withdraw a coin, users generate a secret x $ Z p and gets a certificate Cert x on it Withdrawal achievable in constant time Implicitly defined the serial numbers as g x ɛ 0 1 g x 0 g x 1 0 1...... g x 00 g x 01 e(g, g) y00 x e(g, g) y01 x PKC 2015 p 17

Spend To spend 2 l, the user: computes: t s g x s π NIZK{x, Cert x : t s = g x s Cert x is valid} sends (t s, π) to the merchant who verifies π PKC 2015 p 18

Detection of Double-Spending The bank recovers the serial numbers by computing e(t s, g s f ) = e(g, g) y f x If users spend nodes 0 and 00: g x ɛ g x ɛ 0 1 0 1 g x 0 g x 1 g x 0 g x 1 0 1...... 0 1...... g x 00 g x 01 g x 00 g x 01 e(g, g) y00 x e(g, g) y01 x e(g, g) y00 x PKC 2015 p 19

Anonymity Transactions with the same coin involve elements g x s 1, g x s 2,... Linking g x s i with g x s j is hard, even with knowledge of the public parameters users are unlinkable Our scheme can be upgraded to achieve strong unlinkability and anonymity PKC 2015 p 20

PKC 2015 p 21 Achieving Anonymity

Achieving Strong Unlinkability The previous solution reveals the spent node s. Hiding such information rise two issues: 1. Users must now prove that they use a valid g s without revealing it 2. The bank no longer knows which g s f it must use To fix the former, the bank will compute certificates Cert(s) on every g s allow users to prove that g s is valid PKC 2015 p 22

Recovering Serial Numbers The bank only knows the level of the spent node g x ɛ 0 1 t s = g x 0? t s = g x 1? 0 1 0 1 g x 00 g x 01 g x 10 g x 11 PKC 2015 p 23

Recovering Serial Numbers The bank only knows the level of the spent node g x ɛ 0 1 t s = g x 0? t s = g x 1? 0 1 0 1 g x 00 g x 01 g x 10 g x 11 e(g, g) y00 x e(g, g) y01 x R 10 R 11 It will compute e(t s, g s f ) for every s of this level PKC 2015 p 23

Deposit The bank will recover the valid serial numbers but also invalid ones This increases the computational and storage cost of deposits but ensures detection of double spendings The resulting protocol is then strongly unlinkable and secure PKC 2015 p 24

Achieving Anonymity If a double-spending is detected the defrauder must be identified To achieve anonymity, this identification must be performed without a trusted entity We add to the previous protocol a double-spending tag which ensures the following properties: Users cannot be identified as long as they are honest Any defrauder can be identified by using only public information PKC 2015 p 25

Divisible E-Cash Made Practical? PKC 2015 p 26

Efficiency In the ROM, we can achieve a remarkable efficiency: The data sent to the merchant consist of Elements in Z p G 1 2 5 Users can precompute most of these elements. During the transaction the user only has to perform: Operations Z p Hash 1 1 We implemented this protocol on a SIM card embedded in a NFC-enabled phone. Spending values < 100$ can be performed in less than 500 ms PKC 2015 p 27

Efficiency The size of the public parameters remains reasonable: 330 KBytes for n = 10 The bank must additionally store the elements g s f (721 KBytes) Our construction is the first efficient one which achieves constant time for both the withdrawal and spending protocols Even in the worst-case scenario of our anonymous scheme, storing the serial numbers of one million transactions requires 10 GBytes PKC 2015 p 28

PKC 2015 p 29 Conclusion

Conclusion We proposed a practical construction for divisible E-cash Our construction is flexible: one can efficiently achieve different levels of anonymity Our scheme can be instantiated either in the ROM or in the standard model Our scheme is the first practical one achieving constant-time for both withdrawal and spending protocols Improving the efficiency of deposits of our anonymous scheme remains an open problem PKC 2015 p 30

PKC 2015 p 31 Appendix

Computational Assumption The unlinkability of our scheme relies on the following assumption: Given (g, g x, g a, g y a, g z ) G 5 1 and ( g, g a, g y ) G 3 2, it is hard to decide whether: z = x y a or z is random The only way to get a product of 3 scalars is to combine g y a with elements of G 2. However, x does not appear in the latter. PKC 2015 p 32

Double-Spending Tag Each node s is now associated with a pair (g s, h s ) (g rs, h rs ) for some h G 1 To spend 2 l, the user whose public key is upk G 1 also computes: and proves its validity v s upk h x s PKC 2015 p 33

Identification A double-spending involves two nodes s and s with a common leaf f. Therefore, we have: e(h s, g s f ) = e(h s, g s f ) Then, e(v s, g s f ) e(v s, g s f ) 1 = e(upk, g s f g 1 s f ) The defrauders can thus be identified by exhaustive search PKC 2015 p 34

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback