prev
next
out of 12

Secure and Efficient Off-Line Digital Money

Embed Size (px)

Citation preview

  • 7/27/2019 Secure and Efficient Off-Line Digital Money

    1/12

    Secure and Eff icient Off-Line Digi tal Money(ex tended abs t r ac t )M a t t h e w F r a n k l i n "

    C o l u m b i a U n i v e r s i tyC o m p u t e r S c i en c e D e p a r t m e n t ,

    N e w Y o rk , N Y 1 0 0 2 7

    M o t i Y u n gI B M R e s e a r c h D i v i s i o n ,

    T . J . W a t s o n C e n t e r ,Y o r k t o w n H e i g h ts , N Y 1 0 5 9 8

    A b s t r a c tNo o f f - l i n e e l e c t ro n i c c o i n s c h e m e h a s y e t b e e n p ro p o s e d wh i c h i s b o t h p ro v a b l y s e c u re w i t h r e s p e c t t o

    n a t u r a l c ry p t o g ra p h l c a s s u m p t i o n s a n d e f f ic i e nt w i t h r e s p e c t t o r e a s o n a b l e m e a s u re s . W e s h o w t h a t o f f- li nec o i n sc h e m e s c a n b e i m p l e m e n t e d s e c u re ly a n d e f fi ci en tl y, wh e re s e c u r i ty i s p ro v e n b a s e d o n t h e h a rd n e s s o ft h e d i s c r e t e l o g fu n c t i o n a n d a p r e -p ro c e s s i n g s t a g e , a n d w h e re e ff ic ie nc y i s i n a n e w s e n s e t h a t we p u t f o r t hi n t h i s wo rk : " a p ro t o c o l i s e f f ic i e nt i f i t s c o m m u n i c a t i o n c o m p l e x i t y is i n d e p e n d e n t o f t h e c o m p u t a t i o n a lc o m p l e x i ty o f i ts p a r t i c i p a n t s" ( a n d t h u s t h e c o m m u n i c a t i o n l e ng t h a n d n u m b e r o f e n c r y p t io n o p e r a t i on s i so n l y a l o w-d e g ree p o l y n o m i a l o f t h e i n p u t ) .

    1 I n t r o d u c t i o n1 . 1 W h a t i s a n O f f - L i n e E l e c t r o n i c C o i n S c h e m e ?A n e l e c t r o n i c c o i n s c h e m e [ 4] i s a s e t o f c r y p t o g r a p h i c p r o t o c o l s f o r w i t h d r a w a l ( b y a c u s t o m e r f r o mt h e b a n k ) , p u r c h a s e ( b y a c u s t o m e r t o a v e n d o r w h i le p o s si b ly i n v o lv i n g t h e b a n k ) , a n d d e p o s i t( b y a v e n d o r t o th e b a n k ) , s u c h t h a t t h e s e c u r i ty n e e d s o f a l l p a r t i c i p a n t s a r e s a t is f ie d : a n o n y m i t yo f p u r c h a s e f o r t h e c u s t o m e r , a s s u r a n c e o f a u t h e n t i c i t y f o r t h e v e n d o r , i m p o s s i b il i ty o f u n d e t e c t e dr e u s e o r f o r g e r y f o r t h e b a n k .

    A c o in s c h e m e h a s t h e i n t e r e s t i n g " o f f- l in e " p r o p e r t y [5 ] i f t h e p u r c h a s e p r o t o c o l d o e s n o ti n v o l v e t h e b a n k ; e v e r y d a y n o n - d i g i t a l m o n e y i s o f c o u r s e of f- fi ne . T o b a l a n c e t h e c u s t o m e r ' sn e e d f o r a n o n y m i t y ( s o t h a t h e r / h i s s p e n d i n g s, a n d t h u s h e r / h i s l if e st yl e, c a n n o t b e t r a c e d b yt h e b a n k / g o v e r n m e n t ) w i t h t h e b a n k ' s n e e d fo r p r o t e c t i o n a g a i n s t r eu s e ( to p r e v e n t c o u n t e rf e i tm o n e y ) , e a c h c o i n i n a n of f- li ne sc h e m e m u s t s o m e h o w " e m b e d " t h e c u s t o m e r ' s i d e n t it y i n a w a yt h a t i s a c c e s si b le o n l y if t h e s a m e c o i n i s u s e d f o r m o r e t h a n o n e p u r c h a s e . M o r e o v e r , t o b a l a n c et h e c u s t o m e r ' s n e e d f o r a n o n y m i t y w i t h t h e b a n k ' s n e e d f o r p r o t e c t i o n a g a i n s t fo r ge r y, e a ch c o i nm u s t s o m e h o w g e t a n a u t h e n t i c a t i o n f r o m t h e b a n k ( e .g . , a d i g it a l s i g n a t u r e ) w i t h o u t b e i n g s e e nb y t h e b a n k !

    M e e t i n g a l l o f t h e s e s e c u r i t y n e e d s s i m u l t a n e o u s l y i s a d if f ic u lt t a s k . I n f a c t , n o s c h e m e h a s y e tb e e n p r o p o s e d w h i c h is b o t h p r o v a b l y se c u r e w i t h r e sp e c t t o n a t u r a l c r y p t o g r a p h i c a s s u m p t i o n s

    "Par t ial ly supp orted by an AT& T Bell Laboratories Scholarship. W ork supp orted in pa rt by NSF G rant CC K-9014605 and N SF C ISE Ins t i tu t iona l In f ras t ruc tu re G ran t CDA -90-24735

  • 7/27/2019 Secure and Efficient Off-Line Digital Money

    2/12

    266

    a n d e f fi c ie n t w i t h re s p e c t t o r e a s o n a b l e m e a s u r e s . W e re v i e w p r e v i o u s a p p r o a c h e s t o t h e p r o b l e ma n d p r e s e n t o u r n e w a p p r o a c h a n d c o n t r i b u t i o n s .1 . 2 P r e v i o u s A p p r o a c h e s t o O f f - L i n e C o i n S c h e m e sT h e r e h a v e b e e n t w o m a i n a p p r o a c h e s t o o ff -lin e c o i n s c h e m e s in t h e l i t e r a t u r e . O n e d i r e c t i o n isb a s e d o n b l i n d s i g n a t u r e s , a n d t h e o t h e r i s b a s e d o n z e r o k n o w l e d g e p r o o f s o f k n o w l e d g e .1 .2 .1 S c h e m e s B a s e d o n B l i n d S i g n a t u r e sA b l i n d s i g n a t u r e s c h e m e o f C h a u m [4 ] i s a p r o t o c o l t h a t e n a b l e s o n e p a r t y ( i. e ., a c u s t o m e r ) t or e c e iv e a s i g n a t u r e o f a m e s s a g e o f i t s c h o ic e u n d e r t h e s e c o n d p a r t y ' s ( i .e . , t h e b a n k ' s ) p r i v a t es i g n a t u r e k e y. T h e s e c o n d p a r t y l e a r n s n o t h i n g a b o u t t h e m e s s a g e i t h e lp e d t o s i g n . F o r u s e i n a no f f- li n e c o in s c h e m e , t h e b a n k m u s t b e s u r e t h a t t h e m e s s a g e it n e v e r s e es h a s a c e r t a i n f o r m ( i. e .,t h a t it e m b e d s t h e c u s t o m e r ' s i d e n t i ty in t h e p r o p e r w a y ) . T h i s c an b e d o n e b y c o m b i n i ng t h eb l i n d s i g n a t u r e s c h e m e w i t h a z e r o k n o w l e d g e p r o o f [1 5 , 13 ] o r " c u t - a n d - c h o o s e " c h e c k [ 2 6 ] t h a tt h e m e s s a g e h a s t h e r i g h t f o r m . T h e f i r s t o f f - f i n e c o i n s c h e m e , d u c t o C h a u m , F i a t , a n d N a o r [ 5 ]t a k e s t h i s a p p r o a c h , u s i n g t h e b l in d s i g n a t u r e s c h e m e b a s e d o n R S A [ 2 8 ] . T h i s a p p r o a c h i s e f fi c ie n tb u t h e u r i s t i c ; n o p r o o f or" s e c u r i t y h a s b e e n g i v e n t h a t r e l ie s o n a s s u m p t i o n s a b o u t R S A t h a t a r es i m p l e o r n a t u r a l . I n f a c t , r e f in e m e n t s t o t h e i r p r o t o c o l [ 1] w e r e l a t e r f o u n d t o i n t r o d u c e s e c u r i tyf l aw s [ 1 7 ] , w h i c h u n d e r s c o r e s t h e r i s k o f r e l y i n g o n h e u r i s t i c s .

    I t i s a l s o p o s s i b l e t o i m p l e m e n t b l i n d s i g n a t u r e s u s i n g g e n e r a l s e c u r e 2 - p a r t y c o m p u t a t i o np r o t o c o l s [3 0 ], a s s h o w n b y P f i t z m a n n a n d W a i d n e r [2 5 ], b u i l d i n g o n w o r k o f D a m g s [ 6] . Ac i rc u it t o c o m p u t e s i g n a t u r e s is j o i n tl y c o m p u t e d b y t h e b a n k a n d t h e c u s t o m e r , w i th t h e b a n kc o n t r i b u t i n g o n e i n p u t ( s e cr e t s ig n a t u r e k e y ) , t h e c u s t o n m r c o n t r i b u t i n g t h e o t h e r i n p u t ( m e s s a g et o b e si g n e d ) , a n d t h e c u s t o m e r a l o n e r e c e iv i n g t h e o u t p u t ( s ig n e d m e s s a g e ) . T h e s e c u r i t y o f as c h e m e o f th i s t y p e c a n b e r e d u c e d t o g e n er a l c r y p t o g r a p h i c a s s u m p t i o n s , t lo w e v e r , t h e m e s s ag ec o m p l e x i ty ( n u m b e r o f b i ts s e n t b e t w e e n p a r t ie s ) a n d e n c r y p t i o n c o m p l e x it y ( n u m b e r o f a p p f ic a t io n so f e n c r y p t i o n o p e r a t i o n s ) o f al l k n o w n s e c u r e c o m p u t a t i o n p r o t o c o l s is p r o p o r t i o n a l t o t h e s iz e o ft h e c i r c u i t b e i n g c o m p u t e d . I t is u n r e a s o n a b l e f or a c o in s c h e m e t o h a v e a e o m m u h i c a t im ~ c o s t t h a td e p e n d s o n t h e c o m p u t a t i o n a l c o m p l e x i ty o f th e u n d e r l y i n g s i g n a t u r e f un c t io n a l g o r i t h m ( w h i c hs h o u l d b e o n l y a " l o ca l " c o m p u t a t i o n f o r th e b a n k ) - - t h e s a m e w a y i t i s u n r e a s o n a b l e to h a v e a o n ec e n t c o i n w e i g h f i ft y k i l o g r a m s . T h u s , a s c h e m e o f t h i s t y p e is s e c u r e , b u t d e f i n i t e ly n o t e f f i c ie n t .1 .2 .2 S c h e m e s B a s e d o n Z e r o K n o w l e d g e P r o o f s o f K n o w l e d g eA z e r o k n o w l e d g e p r o o f o f k n o w l e d g e [ 1 5] is a p r o t o c o l b e t w e e n a p r o v e r a n d a v e r i fi e r, in w h i c h t h ev e r i fi e r i s c o n v i n c e d t h a t t h e p r o v e r p o s s e ss e s a w i tn e s s ( e .g . , f o r m e m b e r s h i p i n a l a n g u a g e ) w i t h o u tl e a r n i n g a n y t h i n g a b o u t t h a t w i tn e s s . I n a n o n - i n t e r a c t i v e z e r o k n o w l e d g e p r o o f o f k n o w l e d g e [ 2 ],a s i n g le m e s s a g e i s s e n t ( f r o m p r o v e r t o v e r i fi e r) ; i n t h i s c a s e, t h e t w o p a r t i e s a r e a s s u m e d t o s h a r ea r a n d o m s t r i n g . D e S a n t i s a n d P e r s i a n o [ 8] s h o w t h a t , w h e n n o n - i n t e r a c t l v e z e r o k n o w l e d g e p r o o f so f k n o w l e d g e a r e p o s s i b l e , b l i n d s i g n a t u r e s a r e n o t n e c e s s a r y f o r a n o f f -l in e c o i n s c h e m e ( s e e a l s o[ 23 ]). T h e b a s i c i d e a is t h a t t h e b a n k g i v es a n o r d i n a r y s i g n a t u r e t o t h e c u s t o m e r , b u t n o o n e e v e rs ee s t h a t s i g n a t u r e a g a i n . I n s t e a d o f p r e s e n t i n g t h e s i g n a t u r e t o v a l id a t e a c oi n a t p u r c h a s e t i m e ,t h e c u s t o m e r p r e s e n t s t h e v e n d o r w i t h a p r o o f t h a t i t p o ss e ss e s a v a li d s ig n a t u r e f r o m t h e b a n k .T o d e p o s i t t h e c o i n , t h e v e n d o r p r e s e n t s t h e b a n k w i t h a p r o o f t h a t i t p o s se s s e s a v a li d p r o o f o f

  • 7/27/2019 Secure and Efficient Off-Line Digital Money

    3/12

    267

    p o s s e ss i on f ro m t h e c u s t o m e r . T h e s e c u r i ty o f th i s t y p e o f sc h e m e c a n b e p r o v e n w i t h r e s p e c t t og e n e r a l c r y p t o g r a p h i c a s s u m p t i o n s . H o w e v e r, th e m e s s ag e c o m p l e x i ty a n d e n c r y p t i o n c o m p l e x i tyi s p r o h i b i t i v e l y l a r g e , e .g , t h e l e n g t h o f a p r o o f o f p o s s e s si o n o f a v a l i d s i g n a t u r e d e p e n d s o n t h ec o m p l e x i t y o f t h e s i g n i n g f u n c t i o n it se l f. T h u s a s c h e m e o f t h i s t y p e i s s e c u re , b u t a g a i n i t i s n o te f f i c i en t .I n t h e n e x t f o u r s u b s e c t i o n s , w e d i s c u ss o u r n e w n o t i o n o f ef fic ie nc y ( 1 . 3 ) , t h e o v e r v i e w o f o u ro f f- li ne c o in s c h e m e ( 1 . 4 ) , a n d t h e n a c l o s e r l o o k a t t w o b u i l d i n g b l o c k s fo r o u r s c h e m e ( 1 . 5 , 1 . 6 ).1 . 3 S e c u r i t y a n d E f f i c i e n c y : A C l o s e r L o o kW e w a n t a n o f f- li n e c o in s c h e m e t h a t i s b o t h s e c u r e a n d e f f ic ie n t. L e t u s c l a ri fy m o r e f o r m a l l y w h a tw e m e a n b y s e c u r i t y a n d b y e f f i c i e n c y .S e c u r i t y o f p r o t o c o ls m e a n s t h a t t h e c l a im e d p r o p e r t i e s c a n b e p r o v e n b a s e d o n s o m e i n t ra c t a b i l it ya s s u m p t i o n . T h i s i s t h e t y p i c a l n o t i o n o f c o m p l e x i t y - t h e o r e t ic s e c u ri ty .E f f i c i e n c y o f p ro t o c o ls , w h i c h is a n o t i o n w e t r y t o c a p t u r e i n t h i s w o r k , ca n b e f o r m a l iz e d b yr e q u ir i n g t h a t " t h e c o m m u n i c a t i o n c o m p l e x it y o f t h e p r o t o c o l is in d e p e n d e n t o f t h e c o m p u t a t i o n a lc o m p l e x i t y o f t h e p a r t i c i p a n t s " . I n s c h e m e s w h i c h le a d t o p r a c t i c a l i m p l e m e n t a t i o n s , li k e i d e n ti fi c a -t i o n s c h e m e s [ 1 1 ] a n d b a s i c p r a c t i c a l o p e r a t i o n s l ik e s i g n a t u r e a n d e n c r y p t i o n , t h i s is t h e c a s e ( t h ec o m m u n i c a t i o n is a l o w - d e gr e e p o l y n o m i a l f u n c t io n o f t h e s e c u r it y p a r a m e t e r a n d t h e i n p u t s iz e ).O n t h e o t h e r h a n d , g e n e r a l p r o t o c o ls w h i c h e n c r y p t c o m p u t a t i o n s o f r e s u l t s ( li k e g e n e r a l z er o -k n o w l e d g e sc h e m e s f or N P a n d I P , a n d s e c ur e c o m p u t a t i o n s c h e m e s ) a r e c o n s id e r e d im p r a c t i c a l b yu s e r s o f c r y p t o g r a p h y , s i n c e t h e l o c a l c o m p u t a t i o n i s t y p i c a ll y a m u c h h i g h e r - d e g r e e p o l y n o m i a lf u n c t i o n o f t h e i n p u t a n d t h e s e c u ri ty p a r a m e t e r s . T h i s m a k e s t h e m p r o h i b it iv e l y e x p e n si v e - a st h e y r e q u i r e m u c h c o m m u n i c a t i o n a n d , m o r e c ru c ia ll y , s i m i l a r ly m a n y a p p l i c a t io n s o f c r y p t o g r a p h i co p e r a t i o n s . W e f e el t h a t i t is i m p o r t a n t t o m a k e t h i s d is t i n c t io n t o f u r t h e r d e v e lo p a s o u n d t h e o r yo f c r y p t o g r a p h y w i t h r o b u s t n o t i o n s o f e ff ic ie n cy ; o u r e f f o r t h e r e is t o b e c o n s i d e r e d a s a f i rs t s t e pi n t h i s d i r e c t i o n . ( W e n o t e t h a t t h e r e a r e o t h e r m e a s u r e s o f ef fic ie nc y o f in t e r e s t i i n p a r t i c u l a r w ea ls o m e a s u r e a n d t r y t o m i n im i z e t h e n m n b e r o f r o u n d s ) .

    I n t h i s p a p e r , w e s h o w t h a t a s e c u r e a n d e f f i c i e n t o f f - f i n e c o i n s c h e m e i s p o s s i b l e , b a s e d o nw h a t w e c a l l " o b l i v i o u s a u t h e n t i c a t i o n " a n d t h e h a r d n e s s o f t h e d i sc r e te lo g fu n c t i o n . W e i m p l e-m e n t o b l i v io u s a u t h e n t i c a t i o n ( t o b e d e s c ri b e d la t e r ) b a s e d o n a n y o n e - w a y f u n c t io n t o g e t h e r w i t ha p r e- p r o c e s si n g st a g e i n d e p e n d e n t f r o m t h e w i th d r a w a l , p u r c h a se , a n d d e p o s it p r o to c o l s. T h ec o m m u n i c a t i o n c o m p l e x i ty o f o u r s c h e m e is O( k2 s ) b i t s w h e r e k i s a s e c u r i t y p a r a m e t e r a n d s i st h e s i z e o f a s i g n e d b i t ; O ( k 2) e n c r y p t i o n o p e r a ti o n s a re p e rf o r m e d . P u r c h a s e a n d d e p o s it a r en o n - i n t e r a c t i v e , w h i le w i t h d r a w a l r e q u ir e s t w o r o u n d s o f i n t e r a c t i o n .1 . 4 O f f - L i n e C o i n = P a s s p o r t + W i t n e s s + H i n t sN e x t w e i n fo r m a l l y ( a n d m e t a p h o r i c a l ly ) d e s c ri b e t h e b u i ld i n g b lo c k s a n d m e c h a n i s m s w h i c h u n -d e r l i e t h e e f f i c i e n t o ff -l in e d i g i t a l c o i n s c h e m e . I n r e a l f if e, a " p a s s p o r t " i s a n a u t h o r i z e d d o c u m e n tf r o m a t r u s t e d s o u rc e ( t h e g o v e r n m e n t ) t h a t i d e n ti fi es it s o w n e r . W e c a n a l s o im a g i n e a n a n o n y -m o u s p a s s p o r t w i t h o u t a n y n a m e o r p i c t u r e , b u t s t i l l s t a m p e d b y t h e p r o p e r a u t h o r i t y , a l l o w i n g

  • 7/27/2019 Secure and Efficient Off-Line Digital Money

    4/12

    268

    PRIMITIVESOblivious

    Authentication

    ID EmbeddingMechanism

    T O O L Spasspor t withembedded identi ty

    witness otembedded identi ty

    hint for witness ofembedded identi ty

    CA P A B I L I T I E Sconcea led- ident i tyauthentication

    revealed-identi tyauthentication

    once-concealedtwice-revealedauthent ica t ion = COiN

    F i g u r e 1 : B u i l d i n g a n o f f- l in e c o i n s c h e m e f r o m b a s i c p r i m i t i v e s

    a s o r t o f a n o n y m o u s a u t h e n t i c a t i o n . O f f- li ne c oi n s c h e m e s m a k e u s e o f y e t a n o t h e r t y p e o f p a s s-p o r t , i n w h i c h t h e i d e n t i t y o f it s o w n e r i s o n l y somewhat p r e s e n t , e m b e d d e d i n t h e d o c u m e n t i n ac o m p l e x i t y t h e o r e t i c s e n se ( t h r o u g h t h e u s e o f w h a t w e c al l a n I d e n t i t y E m b e d d i n g M e c h a n i s m ) .

    A p r i m i t i v e t h a t w e c a ll O b l i v io u s A u t h e n t i c a t i o n l e t s a n a u t h o r i z i n g a g e n c y is s u e a d i g i t a lp a s s p o r t w i t h a n e m b e d d e d i d en t i ty , t o g e t h e r w i t h a " w i t n e s s" o f t h e e m b e d d e d i d e n ti t y . T h ei s s u i n g p r o c e s s i s o b l i v i o u s i n t h e s e n s e t h a t t h e a u t h o r i z i n g a g e n c y c a n n o t l a t e r c o n n e c t aT lyp a s s p o r t t o t h e t i m e it w a s i s su e d . U s e o f t h e p a s s p o r t w i t h o u t t h e w i t n e s s w o u l d a ll ow r e p e a t e da u t h e n t i c a t i o n w h i l e c o n c e a li n g fo r e v e r t h e i d e n t i t y o f t h e u s er ( a g a i n s t a r e s o u r c e b o u n d e d a t t a c k ) .U s e o f t h e p a s s p o r t w i t h t h e w i t n e ss w o u ld a u t h e n t i c a t e t h e u s er a n d r e v e al t h e u s e r ' s e m b e d d e di d e n ti t y . W e w i ll u s e t h e p a s s p o r t w i t h a " h i n t " o f t h e w i t n e ss , w h e r e a n y t w o h i n t s , b u t n o s i n g l eh i n t , i s e n o u g h t o r e c o v e r t h e w i t n e s s 1 . T h i s i s t h e c r u x o f a n o f f- li n e c o i n s c h e m e ( s e e F i g u r e O n e ) .

    W i t h d r a w a l is a n i n s t a n c e o f O b l iv i ou s A u t h e n t i c a t i o n ( u s in g a n I d e n t i t y E m b e d d i n g M e c h a -n i s m ) , in w h i c h t h e b a n k is s u e s a p ~ s p o r t ( w i t h e m b e d d e d i d e n t it y ) a n d a w i t n e s s t o th e c u s t o m e r .T o m a k e a p u r c h a s e , t h e c u s t o m e r g i v es t h e p a s s p o r t a n d a u n i q u e h in t ( e x t r a c t e d f r o m t h e w i t n e s s )t o t h e v e n d o r . T o d e p o s i t , t h e v e n d o r f o rw a r d s th e p a s s p o r t a n d t h e h i n t t o t h e b a n k .1 . 5 I d e n t i t y E m b e d d i n g M e c h a n i s mT h e g o a l o f a n I d e n t i t y E m b e d d i n g M e c h a n i s m i s t o h i d e t h e c u s t o m e r ' s i d e n t i ty s o t h a t i t isc o n c e a l e d u n l e s s a w i t n e s s i s k n o w n , a n d t o a ll o w f o r t h e e x t r a c t i o n o f v e r i fi a b le h i n t s ( a n y t w oo f w h i c h r e v e a l a w i t n e s s ). T h e o n l y p r i o r I d e n t i t y E m b e d d i n g M e c h a n i s m f o r a n e f fi ci en t o f f- ll n ec o i n s c h e m e , d u e t o C h a u m , F i a t , a n d N a o r [ 5 ], h i d e s t h e i d e n t i t y i n a c o l l ec t i o n o f n e s t e d o n e - w a yf u n c t io n s t h a t e a c h h i d e a p a i r o f x o r s h a r e s o f t h e c u s t o m e r ' s id e n t i ty . D u r i n g p u r c h a s e , t h e v e n d o r

    1 W e c a n g e n e r a l i z e t o h i n t s t h a t r e v e a l t h e w i t n e s s a t t h r e s h o l d s g r e a t e r t h a n t w o , w h i c h i s u s e f ul ( e .g . , fo r m u l t ip l ea c c e s s a u t h o r i z a t i o n t o k e n s ) b u t n o t c o n s i d e r e d i n t h i s p a p e r .

  • 7/27/2019 Secure and Efficient Off-Line Digital Money

    5/12

    269

    c h a l le n g e s t h e c u s t o m e r t o " d e - n e s t " t h e f u n c t i o n s in a w a y t h a t r e v e a ls o n e x o r s h a r e f r o m e a c hp a i r ( " h i n t " o f t h e w i t n e s s ). I f a c o in is s p e n t t w i c e , th e n w i t h h i g h p r o b a b i l i t y b o t h x o r s h a r e sf r o m s o m e p a i r a r e re v e a l e d , f r o m w h i c h t h e i d e n t it y c a n b e r e co v e r e d . N o t e t h a t t h e c h a l le n g ea n d r e s p o n s e re q u i r es t h a t p u r c h a s e b e i n t e r a c ti v e .

    I n o u r m e t h o d , t h e i d e n t i t y i s h i d d e n a s b i ts o f th e d i s c re t e l o gs o f a n u m b e r o f v a lu e s. D u r i n gp u r c h a s e , t h e v e n d o r r e ce iv e s p oi n t~ o n l i n e s w h o s e s l o p e s a re t h e s e d i s c re t e lo g s ( % i n t " o f th ew i t n e s s ) . B y o u r c o n s t r u c t i o n , i t i s e a s y f o r t h e v e n d o r t o v e r i fy t h a t p o i n t s a r e o n l in e s as c l a im e d ;t h u s p u r c h a s e in o u r s c h e m e is n o n - i n t e r a c t i v e . I f a c o in i s s p e n t t w i c e , t h e n t h e p o i n t s c a n b ei n t e r p o l a t e d t o r e c o v e r t h e i d e n t it y . E f fi ci e nc y i s t h e s a m e a s t h e s c h e m e o f C h a u m , F i a t , a n d N a o r ,w h i l e se c u r it y r e d u c e s to t h e a s s u m p t i o n t h a t d i s c r e te l o gs a re h a r d t o c o m p u t e ( a n d p l u g g i n g ah e u r i s ti c i m p l e m e n t a t i o n o f O b l iv i o u s A u t h e n t i c a t i o n i n o u r g e n e r a l s c h e m e g i v es an i m p r o v e d -e ff ic ie n c y i m p l e m e n t a t i o n , w h i c h s u p p o r t s o u r a r g u m e n t a b o u t a n d d c f in l ti o n o f e ff ic ie n t s c h e m e s ) .1 . 6 I m p l e m e n t i n g O b l i v i o u s A u t h e n t i c a t i o nW e i m p l e m e n t O b l iv i ou s A u t h e n t i c a t io n b a s e d o n a n y o n e - w a y f u n c ti o n t o g e t h e r w i t h a p r e-p r o c e s s i n g s ta g e . T h e p u r p o s e o f t h e p r e - p r o c e s s i n g s t a g e is to p r o d u c e g e n e r i c s t r in g s t h a t a r es e n t t o a n y c u s t o m e r t h a t a s k s f o r t h e m . E a c h s t r i n g e n a b l e s a c u s t o m e r t o w i t h d r a w a s in g l e c oh ~f r o m t h e b a n k . T h e s e s t r i n g s a r e g e n e r ic i n t h e s e n s e t h a t a n y s t r i n g c o u ld g o t o a n y o n e , s o l o n ga s n o s t r i n g g o e s t o m o r e t h a n o n e p a r t y ( li ke " b l a n k w i t h d r a w a l s l i p s " ).

    T h e p r o - p r o c e s s i n g s t a g e o f o u r O b l iv i o u s A u t h e n t i c a t i o n p r o t o c o l c a n b e b a s e d o n t h e p r e s e n c eo f s o m e t r u s t e d a g e n t t h a t i s s e p a r a t e f r o m t h e b a n k , v e n d o r s , a n d c u s t o m e r s a n d is p r e s e n t a ti n i t ia t i o n . T h i s a g e n t , w h i c h w e c al l a " t r u s t e d m a n u f a c t u r e r , " m i g h t fill e a c h u s e r ' s s m a r t c a r dm e m o r y o n c e w i t h a l a r g e n u m b e r o f s t r in g s a n d t h e n d e s t r o y i t s re c o r d s . U n l i k e s o m e p h y s ic a ll yb a s e d s c h e m e s [ 1 0 ] , t h e s m a r t c a r d m e m o r y d o e s n o t n e e d t o b e s h i e l d e d i n a n y w a y f r o m t h eo w n e r o f t h e s m a r t c a r d ( i .e . , n o r e a d o r w r i t e r e s tr i c ti o n s a r e n e e d e d ) . T h e o n l y is s u e i s t h a t t h em a n u f a c t u r e r i s t r u s t e d t o p r o d u c e s t r in g s o f t h e p r o p e r f o r m , a n d t o n e v e r g i v e t h e s a m e s t r in gt o m o r e t h a n o n e p a r ty . T h i s m i l d a s s u m p t i o n , a s a r g u e d a b o v e , st il l l e av e s th e m a j o r p r o b l e m s o fo f f- li n e m o n e y s c h e m e s e c u r i ty w i t h n o t r iv i a l a n s w e r .

    } Io w r e a s o n a b l e i s t h i s a s s u m p t i o n ? M a n y c r y p t o g r a p h i e s y s t e m s n e e d a t r u s t e d c e n t e r . A n yc o m p l e t e p u b l ic k e y s y s t e m n e e d s a t r u s t e d c e n t e r o f o u r k i n d t o c e r t i fy t h e c o n n e c t i o n b e t w e e nk e y s a n d u s e r s w i t h o u t r i s k in g i m p e r s o n a t i o n a t t a c k s . T h e z e r o - k n o w l e d g e i d e n t if i ca t io n s c h e m e o fF e ig e , F i a t , a n d S h a m i r [ 1 1 ] u s e s a t r u s t e d c e n t e r to p u b l i s h a m o d u l u s w i t h u n k n o w n f a c t o ri z a ti o na n d t o m a i n t a i n a p u b l i c k e y d i r e c to r y ; in t h e " k e y le s s" v e r s i on o f th e i r s y s t e m , t h e t r u s t e d c e n t e ri s su e s ta m p e r - r e s i s t a n t ( u n r e a d a b l e , l m w r ! t a b l e ) s m a r t c a r d s t o a ll p a r t ic i p a n t s .

    A l t e r n a t iv e l y , p r e - p r o c e s s i n g c an b e d o n e i n e f fi c ie n tl y (h i g h d e g r e e p o l y n o m i a l c o m m u n i c a t i o n ) ,u n d e r g e n e r a l c r y p t o g r a p h i c a s s u m p t i o n s , a s a g e n e r a l s e c u re p r o t o c o l b e tw e e n b a n k a n d c u s t o m e r .T h e e f fi c ie n c y o f t h e w i t h d r a w a l , p u r c h a s e a n d d e p o s i t p r o t o c o l s w o u l d b e u n a f f e c t ed . O u r s t a t e dp r i n c i p l e o f e f fi c ie n c y w o u l d b e v i o l a t e d o n l y a t i n i t i a t i o n , w h i c h c a n b e a b a c k g r o u n d c o m p u t a t i o ni n d e p e n d e n t o f m o n e y - e x c h a n g i n g t r a n s a c t io n s . W h e n O b l iv i o u s A u t h e n t i c a t i o n i s r e al iz e d i n t h isw a y w i t h a n i n e ff i c ie n t p r e p a r a t o r y s t a g e a n d a n e f f ic i e n t m a i n s t a g e , i t h a s a fo r m s i m i l a r t o t h e" o n - l i n e / o f f - l i n e " s i g n a t u r e s c h e m e o f E v e n , G o l d r e i c h , a n d M i c a li [ 9 ].

  • 7/27/2019 Secure and Efficient Off-Line Digital Money

    6/12

    270

    2 Obl iv ious Authent i ca t ion2 .1 D e f i n i t i o n o f O b l i v i o u s A u t h e n t i c a t i o n S c h e m e sI n f o r m a l l y , a n o b l i v i o u s a u t h e n t i c a t i o n s c h e m e i s a p r o t o c o l b e t w e e n a r e q u e s t o r a n d a n a u t h e n t i -c a t o r . T h e r e q u e s t o r e n d s u p b e i n g a b le t o c o m p u t e a r e q u e s t s t r in g z , a n a u t h e n t i c a t i o n s tr i n g a ,a n d a w i t n e s s w i t . T h e a u t h e n t i c a t i o n a r e fl ec ts n o t o n ly t h a t t h e r e q u e s t o r a c tu a l ly w e n t th r o u g ht h e p r o t o c o l ( i .e . , c o u l d n o t c o m p u t e a o t h e r w i s e ) , b u t a l s o t h a t z s o m e h o w r e f e r s t o t h e i d e n t i t yid o f t h e r e q u e s t o r ( i. e ., w i t i s a w i t n e s s t h a t s o m e p r e d i c a t e r i d ) i s t r u e ) . A t t h e s a m e t im e ,t h e p r o t o c o l is " o b l i v io u s " f r o m t h e p o i n t o f v ie w o f t h e a u t h e n t i c a t o r , i .e . , a f t e r s e v e ra l e x e c u t i o n so f t h e p r o t o c o l, t h e a u t h e n t i c a t o r m u s t n o t b e a b l e to c o n n e c t a n y [z,a] p a i r t o t h e i n s t a n c e o ft h e p r o t o c o l t h a t p r o d u c e d i t. U s i n g t e r m i n o l o g y f r o m t h e I n t r o d u c t i o n , t h e a u t h e n t i c a t o r is su e sa " p a s s p o r t " [ z, a ] w i t h t h e r e q u e s t o r ' s id e n t i t y e m b e d d e d i n i t.D e f i n i t i o n 1 A n o b li vi o us a u t h e n t i c a ti o n s c h e m e i s [R , A , k , I D , R E Q , A U T , W I T , g , w f , r whereR (requestor) an d A (authenticator) are com mu nicating p .p . t Turing Machines , k i s a securityparameter , I D is the space of requestor identif iers , R E Q is the space of request s tr ings , A U T ist he s p a ce o f a u t h e n t i c a t io n s t ri n gs , W I T i s t h e s p a c e o f w i t n e s s s t ri ng s , g i s a p . p . t , c o m p ut ab lef u n c t i o n f r o m v i ew s o f R ( a f t e r a j o i n t e xe cu ti on o f R a n d A ) t o R E Q x A U T W I T , w f i s ap.p . t , computable boolean predicate on R E Q x A U T , and r i s a (no t necessarily p .p . t . ) computableboolean predicate on R E Q ID ( for which cons is ten t req, w it pairs can be e f fic iently sampled fora n y i d E I D ) . L e t Vin be th e v i ew o f R a f t e r R a n d A b e g i n w i t h id i E I D a n d k o n t h e s h a rc dinpu t tape; let V ~ b the v iew i f R i s cheating. The fo l lowin g requirements mu st be sat is fied:

    1 . ( C o r r e ct ) F o r a l l i dl E [ D , g ( V ~ ) = [ z , a , w i t ] w h e re w f ( z , a ) i s t ru e , a n d w i t i s a w i t n e s sthat r idl) is true, except with negligible probability ( in k ) .

    2 . ( O b li vi ou s ) L e t M b e a n y p . p .t . T M t h a t o n in p u t V ~ , V ~ , z , a , f ( z ) , c an o ut p u t b M E {0, 1},where [~, a, wit] = g ( v ~ ) / o r b e R { 0 , I} , and where f is any ( not necessarily ~fficiently)c o m p ut a bl e f u n c t i o n . T h e n t h er e e x i s t s a p . p . t . T M M t t h a t o n i n p u t z , f ( z ) c a n o u t p u tbM, e { 0 , 1 } su ch that IP rob(bM = b) - P rob(bM, = b)[ i s negligible 5n k ) .3 . ( U n ex pa n da bl e) N o p . p . t. T M o n in p u t V ~ , . . . V ~ c an o u t p u t [ z l , a l ] , . . ' , [ z n + l , a ~ + l ] s u c h

    that w f( z j , a j ) i s true for 1 < j < n + 1 , except with negligible probabili ty 5n k ) .4 . ( U n fo rg ea bl e) N o p . p .t . T M o n i n p u t V ~ , . . . V ~ c an o u t p u t [ z , a ] s u c h t h a t w f ( z , a ) i s t r u e

    w h i l e r id i) i s fa ls e for a l l 1 < i < n , except with negligible probabil ity ( in k ) .T h e f u n c t i o n g e n a b l e s t h e r e q u e s t o r t o e x t r a c t a v a l id [ z, a ] a n d w i t n e s s w i t a t t h e e n d o f t h ep r o t o c ol . T h e p r e d i c a t e w f e n a b l e s a n y o n e t o c h e c k t h a t [ z , a ] i s g e n u i n e . T h e p r e d i c a t e r r e f le c t s

    t h e r e q u e s t o r ' s i d e n t i t y e m b e d d e d i n z , b u t i s t y p i c a l l y n o t e a s y t o c o m p u t e o r v e r i f y w i t h o u t aw i t n e s s. I f r w e r e e a s y to c o m p u t e , a n d i f r i s n e v e r t r u e fo r t h e s a m e z w i t h d i f fe r e n t id , t h e n t h es e c o n d r e q u i r e m e n t ( o b l i v io u s n e s s ) w o u l d b e t r i v i a l ly s a t is f ie d w h e n e v e r ido # id l . F o r t h e o f f - l i n ec o in sc h e m e o f C h a u m , F i a t , a n d N a o r [ 5 ] , r is ea s y t o c o m p u t e b u t h a r d t o w i t n e ss , a n d i n fa c t i st r u e a l m o s t e v e r y w h e r e o n R E Q I D . F o r o u r o ff -l in e c o i n s c h e m e , ~b i s h a r d t o c o m p u t e w i t h o u ta w i t n e ss u n d e r t h e D i sc r e te L o g A s s u m p t i o n ( D L A ) , a n d n e v e r t r u e f o r t h e s a m e z w i th d i f fe r en tid .

  • 7/27/2019 Secure and Efficient Off-Line Digital Money

    7/12

    271

    F o r a l l o f t h e i n s t a n c e s o f o b l i v io u s a u t h e n t i c a t i o n s c h e m e s t h a t w i ll b e d i s c u s s e d i n t h i s p a p e r ,w e c a n m a k e t h e f o l lo w i n g a s su m p t i o n s ( s in c e a ll r e l y o n a c u t - a n d -c h o o s e p r o c e d u r e ) . I n s t e a d o fo n e l a r g e s p a c e R E Q f r o m w h i c h r e q u e s t s t r i n g s c o m e , t h e r e i s a s m a l l e r s p a c e R E Q ' s u c h t h a tI~E Q = ( I~E QI) k . M o r e o v e r , t h e r e is a b o o l e a n p r e d i c a t e r d e f in e d o n R E Q I I D s u c h t h a tr id ) i s t r u e i f a n d o n l y i f r i d ) i s t r u e f o r a m a j o r i t y o f i E [1 .. k ].2 . 2 H e u r i s t i c O b l i v i o u s A u t h e n t i c a t i o n v i a R S AM o s t o f f- li ne e le c t ro n i c m o n e y s c h e m e s in t h e l i te r a t u r e h a v e u s e d w h a t c a n b e a b s t r a c t e d a s ah e u r i s t i c O b l i v i o u s A u t h e n t i c a t i o n p r o t o c o l b a s e d o n R S A p u b l i c -k e y e n c r y p t i o n [ 2 8 ] ( i. e ., m u l t i p l eb l i n d i n g p l u s c u t - a n d - c h o o s e ) . W h e n a c t u a l l y u s e d i n e l e c t ro n i c m o n e y s c h e m e s , t h e p r e d i c a t er l o o k s f o r r e d u n d a n c y i n z , o r i n c o r p o r a t e s o n e - w a y f u n c t i o n s , as a w a y t o h o p e t o s a ti s f y t h er e q u i r e m e n t s o f u n e x p a n d a b i l i t y a n d u n f o r g e a b i l i ty d e s p i te t h e " n i c e " a l g e b r a i c p r o p e r t i e s o f R . SA( e .g . , m u l t i p l ic a t i v e h o m o m o r p h i s m ) . F o r e x a m p l e , i n t h e o ff -l in e c oin s c h e m e o f C h a u m , F i a t , a n dN a o r [ 5 ] , r i s t r u e i f z ' = f ( g ( r l , r z ) ,g ( r l @ i d , r 3 ) ) f o r s o m e r l , r 2 , r 3, w h e r e f , g a r e t w o -a r g u m e n t c o l l is io n - fr e e f u n c t i o n s , a n d w h e r e f i s " s im i l a r t o a r a n d o m o r a c l e . " H e r e t h e p r e d i c a t eC t i s i n f a c t e a s y t o c o m p u t e ( i . e . , i t i s t r u e a l m o s t a l w a y s ) , b u t h a r d t o w i t n e s s ( i . e . , w i t h ap a r t i c u l a r r x , r 2 , r 3 ) .

    N o t e t h a t t h e s e c u r i ty o f t h i s ty p e o f s c h e m e is h e u r is ti c , a n d h a s n e v e r b e e n r e d u c e d s i m p l yt o t h e d i ff ic u l ty o f i n v e r t i n g l~ SA . I n p a r t i c u l a r , p r o v i n g t h a t t h e s c h e m e is u n e x p a n d a b l e a n du n f o r g e a b le s ee m s t o r e q u i re a d d i t i o n a l a s s u m p t i o n s a b o u t R S A w h i c h a r e n e i t h e r n a t u r a l n o rs i m p l e .

    3 Secure Off-Line Money SchemeI n fo rm a l iy ~ a n o f f -l in e e l e c t r o n i c c o i n s c h e m e [ 4 ] i s t h e s i m p l e s t u s e f u l e l e c t r o n i c p a y m e n t s y s t e m .A n y c u s t o m e r c a n w i t h d r a w a c o in fr o m t h e b a n k , a s t h e b a n k d e b i ts t h e c u s t o m e r ' s a c c o u n t. T h a tc o in c a n t h e n b e u s e d t o p u r c h a s e f r om a n y v e n d o r . T h e v e n d o r w i ll b e a b le t o t r u s t t h a t t h e c o ini s v a l id w i t h o u t a s s i s t a n c e f r o m t h e b a n k . A v e n d o r c a n l a t e r d e p o s i t a c o in , a n d t h e b a n k w illc r e d i t t h e v e n d o r ' s a c c o u n t . T h e r i g h t s a n d p r i v il e g e s o f c u s t o m e r s , v e n d o r s , a n d t h e b a n k a r e a l lp r o t e c t e d w i t h in t h e s c h e m e . T h e c u s t o m e r is g u a r a n t e e d a n o n y m i t y o f p u r c h a s e , i. e. , t h a t t h eb a n k c a n n o t l in k a d e p o s i te d c o i n to i ts c o r r e s p o n d i n g w i t h d r a w a l . T h e v e n d o r is g u a r a n t e e d t h a ta n y a c c e p t a b l e p u r c h a s e w i ll l e a d t o a n a c c e p t a b l e d e p o s it . T h e b a n k i s g u a r a n t e e d t h a t n o n u m b e ro f w i t h d r a w a l s c a n l e a d t o a g r e a t e r n u m b e r o f d e p o si ts .3 . i D e f i n i t i o n o f S e c u r e O f f - L i n e C o i n sT h e r e i s a b a n k B , a c o l l e c ti o n o f v e n d o r s { ~ } , a n d a c o l le c t io n o f c u s t o m e r s { C ~ } , a ll o f w h o ma r e a s s u m e d t o b e c o m m u n i c a t i n g T u r i n g M a c h i n e s . T h e r e is a s e c u r it y p a r a m e t e r k .

    A n o ff -lin e c o i n s c h e m e c o n s i s t s o f t h r e e p r o t o c o l s : a w i t h d r a w a l p r o t o c o l b e t w e e n B a n d a n yC i ; a p u r c h a s e p r o t o c o l b e t w e e n a n y C i a n d a n y V j ; a n d a d e p o s i t p r o t o c o l b e t w e e n a n y ~ a n dB . T h e w i t h d r a w a l p r o t o c o l b e g i n s w i t h C ~ a n d B h a v i n g idi on t h e i r s h a r e d i n p u t t a p e , a n d e n d sw i t h C i h a v i n g a " c o in " r o n i ts p r i v a te o u t p u t t a p e . T h e p u r c h a s e p r o t o c o l b e g i n s w i t h C i h a v i n ga c o in ~- o n i ts i n p u t t a p e , a n d e n d s w i t h ~ h a v i n g a " s p e n t c o i n " r I o n i ts p r i v a t e o u t p u t t a p e .

  • 7/27/2019 Secure and Efficient Off-Line Digital Money

    8/12

    272

    T h e d e p o s i t p r o t o c o l b e g i n s w i t h 1 ~ h a v i n g a sp e n t c o i n r ' o n it s i n p u t t a p e a n d e n d s w i t h Bh a v i n g a " d e p o s i t e d c o i n " ~ .~r o n i t s p r i v a t e o u t p u t t a p e .D e f i n i t i o n 2 A n off- line coin schem e is secure i f the fo l low ing requirements are satis f ied:

    I . (Unreusable) I f any Ci begins two success fu l purchase protocols with the sa me coin r on i t sinput tape, then the fac t o f reuse and the ide nti ty idl can be computed in p .p . t , from the twocorresponding deposited coins r~' , r~' , except w ith negligible probability ( in k ) .

    2 . (Unexpandable) F rom thc v iews o f the cus tom ers o f n withdrawal protocols , n o p .p . t . TuringM achine can compute n + 1 d is t inct coins that wil l lead to success fu l purchase protocols (o rn + 1 distinct spent coins that will lead to successful deposit protocols) , except with negligibleprobabil i ty ( in k ) .

    3 . (Unforgeable) I f , from the v iews o f the cus tom ers o f n wilhdrawal protocols , s om e p .p . t . TuringMachine can compute a single coin that will lead to two successful purchase protocols, thenthe fac t o f reuse and the iden ti ty o f a t leas t one of these cus tome rs can be eJ~ciently computedfro m th e two corresponding deposited coins, except w ith negligible probability ( in k ) .

    4 . (Untraceable) L et V ~ ( V i) be the v iew of B ( I7) fo r a withdrawal (purchase) protocol with Ci .; J an d Vzv {V~z,v f ) , can outputhen, for a l l i , j , no p .p . t Turing M achine on input V b, V[3 E Ra g u e s s f o r l C { i , j ) non-negligibly bet ter than random guess ing ( in k ) .

    3 . 2 D i s c r e t e L o g B a s e d S e c u r e O f f - L i n e C o i n sF o r t h i s s c h e m e , w e u se o b li v i o u s a u t h e n t i c a t i o n f o r w h i c h t h e s p a c e o f a u t h e n t i c a t i o n s t r i n g s isR E Q = ( R E Q ' ) k , w h e r e ( R E Q ' ) = ( { 0 , 1 ) l ~ 2 m . A r e q u e s t s t r i n g z i s i n t e r p r e t e d a s a k - t u p l e o fm p a i r s o f e l e m e n t s f r o m Z ; ( a n d e a c h p a i r is i n t e r p r e t e d a s e l e m e n t s w h o s e d i s c r e te l og s ar e t h es l o p e a n d i n t e r c e p t o f a l in e o v e r Z p _ I ) . W e a s s u m e t h a t p is p r i m E , s u c h t b a t p - 1 b a s o n e la r g ef a c t o r q .

    T h e p r ed i c a te C / o n I t E Q ' I D i s t r u e i f t h e m p a i r s e n c o d e t h e r e q u e s t o r ' s i d e n t i t y id i n t h ef o ll o w i n g w a y : f o r e v e r y i , t h e i t h b i t o f id i s e q u a l t o t h e h a r d b i t h o f t h e d i s c r e t e l o g o f t h e f i rs te l e m e n t o f t h e i t h p a i r . N o t i c e t h a t ~ b' ( a n d h e n c e r t h e " m a j o r i t y v o t e " o f ~ b') i s h a r d t o c o m p u t eu n d e r t h e D L A . A w i t n e s s f o r r id ) i s t h e s e t o f d i s c r e t e l o g s f o r a l l m p a i r s o f z.

    T h e s e c u r e c o in s c h e m e i s g i v e n i n F i g u r e T w o . T h e i n t u i t i o n b e h i n d t h e s c h e m e is t b a t a c o ini s a p a ir [ z , a ] ( " p a s s p o r t " ) p r o d u c e d b y a n O b l iv i o u s A u t h e n t i c a t i o n p r o t o c o l w i t h R E Q ' a n d ra s d e s c r lb e d a b o v e . T o s p e n d a c o i n, [ z, a ] i s g i v e n , t o g e t h e r w i t h a p o i n t o n e v e r y " l i n e" u n d e r t h ei n t e r p r e t a t i o n o f z d e s c r ib e d a b o v e ( " h i n t " o f t h e w i t ne s s ). T h e x c o o r d i n a t e o f e a c h o f t h e s e p o i n t si s t h e s a m e d e t e r m i n i s t i c c o m b i n a t i o n o f t h e v e n d o r ' s i d a n d t h e c u r r e n t t i m e , t o g u a r a n t e e t h a td i f fe r e n t p u r c h a s e s w i t h t h e s a m e c o i n i n v o l v e d i f fe r e n t p o i n t s o n e a c h l in e . T h e a l g e b r a u n d e r l y i n gt h e c o i n e n s u r e s t h a t a c o r r e c t p u r c h a s e c a n b e v e r if i ed e a si l y a n d n o n - i n t e r a c t i v e l y ( i. e ., v e r i f yt h a t e a c h p o i n t i s i n d e e d o n t h e l in e i t i s s u p p o s e d t o b e o n ) , w h i l e m u l t i p l e s p e n d i n g w i ll r e v e a lt h e i d e n t i t y o f t h e c u s t o m e r ( i. e ., i n t e r p o l a t e t o r e c o v e r t h e c o e f f ic i en t s o f t h e l i ne s a n d h e n c e t h em a j o r i t y i d e n t i t y e n c o d e d i n z) w i t h h i g h p r o b a b i l i ty . T h e f o l lo w i n g h o l d s ( p r o o f o m i t t e d ) .T h e o r e m 1 I f obl ivious authentication i s poss ib le~ and i f d iscrete log has a hard b i t , then th isof f- l ine coin scheme is secure.

  • 7/27/2019 Secure and Efficient Off-Line Digital Money

    9/12

    273

    With drawal1 . C and B engage i n an O .A. p ro toco l wi t h i d c o n t h e s h a r e d i n p u t t a p e , w h e r eR E Q ' = ({0,1}l~ T M a n d w h e re(a ) r i s t rue i f and only i f , for all 1 < i < m, DLg,p(req~l) < q a n d

    h(req~l) = id.i, wh ere r eq ' = ( r ~ q h l l r e q ~ 2 [ I . . - I [ r e q ' l l i r e r and wh ere hi s a h ard b i t f o r t h e discrete log.Z. C f inds the coin g(V c ) = [z ,a , wi t] , wh ere z = z~II- .. i [z~, ~nd each zi =~ - d l z , ~ l l ' " l l . . . . II . . . . c s to re s w it = [DL g,p(z,j,) : 1

  • 7/27/2019 Secure and Efficient Off-Line Digital Money

    10/12

    274

    i ts el L F o r e x a m p l e , d a t a m a y b e p u t b y t h e m a n u f a c t u r e r in t o th e m e m o r y o f a s m a r t c a r d t h a t i st h e n s o l d t o a r e q u e s t o r . I t i s n o t n e c e s s a r y t o s h i e l d t h e s m a r t c a r d m e m o r y f r o m t h e r e q u e s t o r ,o n l y t h a t t h e a u t h e n t i c a t o r l e a r n s n o t h i n g a b o u t t h e d a t a ( e . g. , b y e a v e s d r o p p i n g o n t h e t r a n s f e ro f d a t a t o t h e r e q u e s t o r , o r b y c o r r u p t in g t h e m a n u f a c t u r e r ) .

    A l t e r n a t i v e l y , p r e - p r o c e s s i n g c a n b e i m p l e m e n t e d i n e f f i c i e n t l y u s i n g a g e n e r a l s e c u r e 2 - p a r t yc o m p u t a t i o n p r o t o c o l b e tw e e n t h e r e q u e s t o r a n d t h e a u t h e n t i c a t o r . A s s h o w n b y K i li an [ 20 ], t h ea s s u m p t i o n t h a t O b l i v i o u s T r a n s f e r [ 2 7 ] ( a b a s i c c r y p t o g r a p h i c p r i m i t iv e ) i s p o s s ib l e su ff ic es .

    I n t u i t i v e l y , t h e p r e - p r o c e s s i n g s t a g e s u p p l i e s e n c r y p t e d w i n d o w s , w h e r e e a c h w i n d o w p r e s i g n sb o t h a z e r o a n d a o n e f o r a g i v e n b i t p o s i t i o n in t h e m e s s a g e . E a c h s i g n a t u r e i s c o n c e a l ed i na h a l f -w i n d o w a s a p a i r o f e le m e n t s , w h e r e t h e f i r s t e le m e n t is a ( s e c r e t - k e y ) e n c r y p t i o n o f ar a n d o m m a s k , a n d t h e s e c o n d e l em e n t is th e x o r o f t h e m a s k w i t h t h e s i g n a t u r e . I n t h i s w ay , t h ea u t h e n t i c a t o r i s n e e d e d t o r e v e a l e i t h e r o f t h e s i g n a t u re s in a w i n d o w ( b y d e c r y p t i n g t h e m a s k ) ,b u t t h e a u t h e n t i c a t o r c a n n o t l a t e r re c o g n iz e a s ig n a t u r e h e h e l p e d r e v e a l.

    A c o l l e c ti o n o f m w i n d o w s ( c a l le d a " r o w " ) c a n b c u s e d t o s ig n a s t r i n g o f m b i t s. l l o w c v e r ,t o p r e v e n t s i g n e d b i ts f r o m o n e m e s s ag e b e i n g s u b s t i t u t e d i n a s e c o n d m e s s a g e , th e w i n d o w s m u s tb e " l i n k e d " t o g e t h e r . I n f a c t , a J] p a i r s o f a d j a c e n t h a l f- w i n d o w s a r e c o n n e c t e d , s o t h a t t h e s a m ec o l le c t io n o f w i n d o w s is c a p a b l e o f s i g n in g a n y p o s s i b le m e s s a g e . L i n k s a r e a l s o p a i r s o f e l e m e n t s ,w h e r e t h e f i rs t e l e m e n t i s a ( s e c r e t - k e y ) e n c r y p t i o n o f a r a n d o m m a s k , a n d t h e s e c o n d e l e m e n t is t h ex o r o f th e m a s k w i t h a s i g n a t u r e o f t h e t w o h a l f- w i n d o w s t h a t a r e b e i n g li n k e d. W h e n h a l f- w i n d o w sa r e " o p e n e d " ( i. e ., w h e n t h e i r m a s k s a r e d e c r y p t e d ) , t h e c o r r e s p o n d i n g l in k s a r e o p e n e d a s w e ll.

    A c u t - a n d - c h o o s e p r o c e d u r e i s u s e d t o g u a r a n t e e t h a t t h e p r e d i c a t e ~b(z, id) i s t r u e a t t h ee n d . T h e r e w i ll b e 2 k s t r i n g s t h a t a r e p r e s e n t e d t o t h e a u t h e n t i c a t o r , e a c h o f w h i c h s a ti sf i es s o m ep r e d i c a t e r i d ) , a n d f o r e a c h o f w h i c h t h e r e q u e s t o r k n o w s a w i t n e s s w i g . T h e a u t h e n t i c a t o rc h a l le n g e s h a l f o f t h e s t r i n g s , a n d r e c e i v e s w i tn e s s e s t h a t t h e p r e d i c a t e i s t r u e f o r t h e m . T h ea u t h e n t i c a t o r t h e n s e n d s d e c r y p t e d m a s k s f o r a ll h a l f -w i n d o w s a n d l i n k s fo r a ll u n c h a l l e n g e d s t r i n g s .T h e p r e d i c a t e r i s d e f in e d t o h o l d i f a n d o n l y i f a m a j o r i t y o f t h e k u n c h a l l e n g e d s t r in g s s a t is f y r

    A s e c o n d t y p e o f l in k is n e e d e d t o p r e v e n t c h e a t i n g w i t h t h e c u t - a n d - c h o o s e p r o c e d u r e . R o w s o fw i n d o w s n e e d t o b e l i n k e d t o g e t h e r , t o p r e v e n t a n e w c o l le c t io n o f k r o w s f r o m b e i n g p i e c e d t o g e t h e rf r o m t w o o r m o r e r u n s o f t h e p r o t o c o l . T h i s is a c h i e v e d b y p r o v i d i n g li n k s b e t w e e n h a l f - w i n d o w sa t t h e e n d o f o n e r o w t o h a l f- w i n d o w s a t t h e b e g i n n i n g o f t h e n e x t r o w .

    T h e e n t i r e d a t a s t r u c t u r e , w i n d o w s a n d l in k s , i s c a ll ed a " s t r u c t " ( se e F ig u r e T h r e e ) . W e a s s u m et h a t t h e p r e - p r o c e s si n g s ta g e ( v i a t r u s t e d m a n u f a c t u r e r o r se c u r e 2 - p a r t y c o m p u t a t i o n ) h a s s e n t as u p p l y o f s t r u c t s t o t h e r e q u e s t o r . T h e f o l lo w i n g h o l d s ( p r o o f o m i t t e d ) .T h e o r e m 2 O blivious au thentication with a pre-proeessing s tage (as su ming trusted man ufactureror O blivious Trans fer) is possible i f one-wa y func tions exist .

    T h i s p r o t o c o l r eq u ir e s t w o r o u n d s o f c o m m u n i c a t i o n b et w e e n t h e r e q ue s ~o r a n d t h e a u t h e n t i c a -t o r . T h e s i ze o f [ z, a ] is O ( m k ) s i g n e d e l e m e n t s ; t h i s i s a l s o t h e c o m m u n i c a t i o n c o m p l e x i t y o f t h ep r o t o co l . B y h a s h i n g e l e m e n t s in t~E Q ~, m c a n b e r e d u c e d t o O ( k ) .

    I f a t r u s t e d m a n u f a c t u r e r is p r e s e n t , t h e n t h e p r e - p r o c e s s i n g s ta g e f o r e a c h c u s t o m e r c o n s i s ts o fa s in g le t r a n s f e r o f s t r u c t s , u p o n r e q u e s t, f r o m t h e t r u s t e d m a n u f a c t u r e r t o t h e c u s t o m e r ( o r m o r ef r e q u e n t tr a n sf e rs ~ u p o n r e q u e s t , a s n e e d e d ) ; t h e m a n u f a c t u r e r d o e s n o t n e e d t o k n o w t h e i d e n t i t yo f t h e c u s t o m e r f o r t h i s p r e -p r o c e s s in g s t a g e . I f a g e n e ra l s ec u r e 2 - p a r t y c o m p u t a t i o n p r o to c o lw e r e t o b e u s e d , t h e n t h e p r e - p ro c e s si n g st a g e w o u l d h a v e r o u n d a n d m e s s ag e c o m p l e x it ie s t h a ta r e p o l y n o m i a l i n t h e s iz e o f t h e c i r c u i t to c o m p u t e a s t r u c t f r o m j o i n t l y p r o d u c e d r a n d o m v a l u e s .

  • 7/27/2019 Secure and Efficient Off-Line Digital Money

    11/12

    275

    ~. ~ WIN n,z.' ND J

    F i g u r e 3 : S t r u c t D a t a S t r u c t u r e ( i n fo r m a l p i c t u re : 4 o u t o f 2 k ro w s , m = 3

    AcknowledgmentsW e t h a n k D a v i d C h a u m , T o n y E n g , Z v i G a l i l , S t u a r t H a b e r , R a f a e l H i r s c h fe l d , R a f t O s t r o v s k y ,V e n k i e R a m a r a t h n a m , a n d Y a c o v Y a c o b i f o r h e l p f ul d i s c u ss i o n s.

    References[1 ] C . va n Antwerpen, ~Elect ronic cash ," M aste r 's thesis , Eindhoven Un iversity of Technology, 1990 .[2] M. B lum, A . De San ti s, S . Mica li , and G . Per s i ano , "Non- in terac ti v e zero k nowledge ," S IAM J . C om p u t . 6(1991) , 1084-1118.[3] M. B lum a nd S . Mica li , "H ow to genera t e c ryp tog rap h l cal ly s t rong sequences o f p seudo r andom b i t s " , S IAMJ. C om p u t . 1 3 , 8 5 0 -8 6 4 ~ 1 9 8 4 .[4] D . Ch aum , ~Secur i ty w i t h ou t i den ti fi ca ti on : t r ansac t i on sys t em s t o m ak e b ig b roth er obso l et e ," CA CM 2 8 ,10 (October 1985) .[5] D . C k au m , A . F i a t , a nd M . Naor , "Un t raceab l e e l ec t ron i c cash , ~ Cryp to 8 8 , p p . 3 1 9 -3 2 7 .[6] I . Dam gs ~Paymen t sys t e m s and creden ti a l mec h an i sm s w i t h p rov ab le secu ri ty aga ins t abuse by i nd iv idu -a l s, " C ryp to 8 8 , p p . 3 2 8 -3 3 5 .IT] W . DifJ le and M. t IeUm an, ~N ew di rections in cryptography, ~ IEEE T rans act io n on Informat ion Theory , vol .IT -2 2 , 1 9 7 6 , p p . 6 4 4 -6 5 4 .

  • 7/27/2019 Secure and Efficient Off-Line Digital Money

    12/12

    276

    [ 8] A . D e S a n t i s a n d G . P e r s i an o , " C o m m u n i c a t i o n ef fi ci en t z e r o - k n o w l e d g e p r o o f s o f k n o w l e d g e ( w i t h a p p l i c a t i o n st o e l e c t r on i c c a s h ) , " ST A G S 1 9 9 2 , p p . 4 4 9 - 4 6 0 .[ 9] S . Ev e n , O . G o l d re ie h , a nd S . M i e a li , " O n- l i ne / o f f - l i ne d i g i t a l s i gna t u r e s , " C r yp t o 1 9 8 9 , p p . 2 6 3 - 2 7 5 .

    [ 1 0 ] S . Ev e n , O . G o l dr e ic h , a nd Y . Y a e ob i, " E l e c t r on i c W a l l e t ,~ C r y p t o 8 3 , p p . 3 8 3 - 3 8 6 .[ 1 1 ] U . F e i ge , A . F i a t , a nd A . Sh a m i r , ~Z e r o -K now l e dge P r oo f s o f I de n t i t y , " J . C r yp t o l ogy , V o l . l , N o . 2 , 1 9 8 8 , p p .

    77-94 .[ 1 2] O . G o l d r e ic h a n d L . L e v i n , " A h a r d - c o r e p r e d i c a t e f o r a l l o n e - w a y f u n c t i o n s ," S T O C 1 9 8 9 , p p . 2 5 -3 2 .[ 1 3] O . G o l d r ei c h , S . M i ea li , a n d A . W i g d e r so n , " P r o o f s t h a t y i e l d n o t h i n g b u t t h e v a l i d i ty o f t h e a s s e r ti o n , a n d a

    m e t h o d o l o g y o f c r y p t o g r a p h i c p r o t o c o l d e s i g n ," F O G S 1 9 8 6 , 1 7 4 -1 8 7 .[ 1 4] S . G o l dw a s s e r a nd S . M i c a li , " P r ob a b i l i s t i e e nc r yp t i on , " J C SS 2 8 , p p . 6 4 4 - 6 5 4 , 1 9 8 4 .[ 1 5 ] S . G o l d w a s s e r, S . M i e a l i, a n d C . R a c k of f, " T h e k n o w l e d g e c o m p l e x i t y o f i n t e r a c t i v e p r o o f s y s t e m s , " S I A M J .G om p u t . , V o l . 1 8 , 1 9 8 9 , p p . 1 8 6 - 2 0 8 .[ 1 6] J . T . I f a s t a d , " P s e u d o - r a n d o m g e n e r a t o r s u n d e r u n i fo r m a s s u m p t i o n s , " S T O C t 9 9 0 . 3 9 5 -4 0 4 .[ 1 7 ] R . H i rs c h fe ld , " M a k i ng e l e c t r on i c r e f unds s a f e r , " C r yp t o 1 9 9 2 a bs t r a c t s , 3 .7 - 3 .1 0 .[ 1 8] K . I m p a g l i a z z o a n d M . L u b y , " O n e - w a y f u n c t i o n s a re e s s e n t ia l f o r c o m p l e x i t y b a s e d c r y p t o g r a p h y , " F O G S

    1 9 8 9 , 2 3 6 - 2 4 3 .[ 1 9] K . I m p a g l i a z zo , L . L e v i n , a n d M . L u b y , " P s e u d o r a n d o m g e n e r a t i o n fr o m o n e - w a y fu n c t i o n s ," S T O C 1 9 8 9 , p p .

    12-24 .[ 20 ] J . K i l i a n , " U s e s o f l t a n d o m n e s s i n A l g o r i t h m s a n d P r o t o c o ls , " A C M D i s t i n g u i s h e d D i s s e r t a ti o n , M I T P r e s s ,

    1 9 9 0 .[ 2 1] T . L o n g a n d A . W i g d e r s o n , " T h e d i s c r e t e l o g a r i t h m h i d e s O ( l o g n ) b i t s , " S I A M J . G o m p u t . 1 7 , 1 9 88 , 3 6 3 -3 7 2 .[ 2 2 ] M . N a o r a n d M . Y u n g , " U n i v e r s a l o n e - w a y h a s h f u n c t io n s a n d t h e i r c r y p t o g r a p h i c a p p l i c a t io n s , " S T O C 1 9 8 9 ,p p . 3 3 - 4 3 .[ 2 3] T . O k a m o t o a n d K . O h t a , " D i s p o s a b l e z e r o -k n o w l e d g e a u t h e n t i c a t i o n s a n d t h e i r a p p l i c a t i o n s t o u n t r a c e a b l e

    e l e c t r on i c c a s h , ~ G r y p t o 1 9 8 9 , p p . 4 8 1 - 4 9 6 .[24] T . O k a m o t o a n d K . O h t a , " U n i v e r s a l e l e c tr o n i c c a s h , " C r y p t o 1 9 9 1 , p p . 3 2 4 -3 3 7 .[ 2 5 ] B . P f i tz m a n n a n d M . W a l d n e r, " H o w t o b r e a k a n d r e p a i r a ' p r o v a b l y s e c u r e ' u n t r a c e a b l e p a y m e n t s y s t e m , "C r y p t o 9 1 , p p . 3 3 8 - 3 5 0 .[ 2 6] M . R a b i n , ~ D i g i ta l s i g n a t u r e s , " i n F o u n d a t i o n s o f S e c u r e C o m p u t a t i o n , R . D e M i ll o, D . D o b k i n , A . J o n e s , a n dR . L i p t o n ( e d i t o r s ) , A c a d e m i c P r e s s , N Y , 1 9 7 8 , 1 5 5 - 1 8 8 .[ 2 7] M . R a b l n , " I l o w t o e x c h a n g e s e c r e t s b y o b l iv i o u s t r a n s fe r , " T e c h. M e m o T R - 8 1 , A i k e n C o m p u t a t i o n L a b o r a -t o r y , H a r v a r d U n i v e r s i t y , 1 9 8 1 .[ 2 8 ] R . R i v e s t , A . S h a m i r , a n d L . A d l e m a n , " A m e t h o d f o r o b t a i n i n g d i g i t a l s i g n a t u r e s a n d p u b l i c -k e y c r y p to s y s -t e r n s , " C A G M , v o l . 2 1 , 1 9 7 8 , p p . 1 2 0 - 1 2 6 .[ 29 ] J . R o m p e l , " O n e - w a y f u n c t io n s a r e n e c e s s a r y a n d s u f f ic i e n t f o r s e c u r e si g n a t u r e s , " S T O C 1 9 9 0 , p p . 3 8 7 -3 9 4 .[ 3 0 ] A . Y a o j " I t o w t o g e n e r a t e a n d e x c h a n g e s e c r e ts , " F O G S 1 9 8 6 j p p . 1 6 2 -1 6 7 .


Efficient Secure BGP AS Path using FS-BGP

Efficient Secure BGP AS Path using FS-BGP

Documents
Efficient Two-Party Secure Computation on Committed Inputs

Efficient Two-Party Secure Computation on Committed Inputs

Documents
Cloud4Bizz Your Business IT: Secure Affordable Flexible Efficient

Cloud4Bizz Your Business IT: Secure Affordable Flexible Efficient

Technology
A SECURE AND EFFICIENT CONFERENCE KEY DISTRIBUTION SYSTEM

A SECURE AND EFFICIENT CONFERENCE KEY DISTRIBUTION SYSTEM

Documents
Secure and Efficient Network Access

Secure and Efficient Network Access

Documents
SeFER: Secure, Flexible and Efficient Protocol for Distributedpeople.sabanciuniv.edu/erkays/01462017.pdf · SeFER: Secure, Flexible and Efficient Routing Protocol for Distributed

SeFER: Secure, Flexible and Efficient Protocol for Distributedpeople.sabanciuniv.edu/erkays/01462017.pdf · SeFER: Secure, Flexible and Efficient Routing Protocol for Distributed

Documents
Secure, clean and efficient energy challenge Energy Efficiency

Secure, clean and efficient energy challenge Energy Efficiency

Documents
Making the cloud efficient & secure

Making the cloud efficient & secure

Documents
CDStore: Toward Reliable, Secure, and Cost- Efficient Cloud

CDStore: Toward Reliable, Secure, and Cost- Efficient Cloud

Documents
Smart, Secure and Efficient Data Sharing in IoT

Smart, Secure and Efficient Data Sharing in IoT

Technology
A prototype for efficient and secure file sharing and ...sala/events2016/2016_Telsy.pdf · A prototype for efficient and secure ... “Fully Secure Attribute-Based Encryption with

A prototype for efficient and secure file sharing and ...sala/events2016/2016_Telsy.pdf · A prototype for efficient and secure ... “Fully Secure Attribute-Based Encryption with

Documents
Fair, Efficient, and Secure Cooperation Incentive Mechanism for

Fair, Efficient, and Secure Cooperation Incentive Mechanism for

Documents
COST EFFICIENT SECURE AND PRIVACY PRESERVING GROUP MATCHING

COST EFFICIENT SECURE AND PRIVACY PRESERVING GROUP MATCHING

Documents
FAST,SECURE AND EFFICIENT SHIPPING SERVICES

FAST,SECURE AND EFFICIENT SHIPPING SERVICES

Documents
Fault Tolerant, Efficient, and Secure Runtimes

Fault Tolerant, Efficient, and Secure Runtimes

Documents
Making the grid more efficient, flexible and secure

Making the grid more efficient, flexible and secure

Technology
Anonymous, Secure and Efficient Vehicular Communications

Anonymous, Secure and Efficient Vehicular Communications

Documents
Efficient UC-Secure Authenticated Key-Exchange for Algebraic

Efficient UC-Secure Authenticated Key-Exchange for Algebraic

Documents
A Scalable, Secure, and Energy-Efficient Image

A Scalable, Secure, and Energy-Efficient Image

Documents
LESS WASTE SAVES MORE MONEY EFFICIENT · 2019. 9. 24. · less waste saves money more efficient. more choice less waste saves money more efficient. unique features. ada compliant

LESS WASTE SAVES MORE MONEY EFFICIENT · 2019. 9. 24. · less waste saves money more efficient. more choice less waste saves money more efficient. unique features. ada compliant

Documents
Secure and Efficient Probabilistic Skyline Computation for

Secure and Efficient Probabilistic Skyline Computation for

Documents
Efficient Asymmetric Secure iSCSI

Efficient Asymmetric Secure iSCSI

Documents
5 Energy Efficient Secure and Stable Routing Protocol

5 Energy Efficient Secure and Stable Routing Protocol

Documents
Energy Efficient County Realizing Money Buildings and

Energy Efficient County Realizing Money Buildings and

Documents
Efficient and Secure Authentication and Key Agreement Protocol

Efficient and Secure Authentication and Key Agreement Protocol

Documents
Secure and Efficient Routable Control Systems

Secure and Efficient Routable Control Systems

Documents
Efficient Authentication, Node Clone Detection, and Secure Data

Efficient Authentication, Node Clone Detection, and Secure Data

Documents
SECURE AND EFFICIENT INTEGRATION WITH YOUR BANK

SECURE AND EFFICIENT INTEGRATION WITH YOUR BANK

Documents
An Energy Efficient Secure Multipath Routing Algorithm for ... · The wireless sensor networks of the ... Previous work proposes a secure and efficient Cost-Aware Secure Routing

An Energy Efficient Secure Multipath Routing Algorithm for ... · The wireless sensor networks of the ... Previous work proposes a secure and efficient Cost-Aware Secure Routing

Documents
Cloud Economics: Enabling Efficient & Secure Enterprise Clouds

Cloud Economics: Enabling Efficient & Secure Enterprise Clouds

Technology