Research Article
Date Attachable Offline Electronic Cash Scheme
Chun-I Fan, Wei-Zhe Sun, and Hoi-Tung Hau
Department of Computer Science and Engineering, National Sun Yat-sen University, Kaohsiung 80424, Taiwan
Correspondence should be addressed to Chun-I Fan; cifan@faculty.nsysu.edu.tw
Received 15 January 2014; Accepted 26 February 2014; Published 18 May 2014
Academic Editors: T. Cao, M. Ivanovic, and F. Yu
Copyright © 2014 Chun-I Fan et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Electronic cash (e-cash) is one of the most popular research topics in the e-commerce field. It is very important that e-cash preserve anonymity and accuracy in order to protect the privacy and rights of customers. There are two types of e-cash in general, online e-cash and offline e-cash. Both systems have their own pros and cons, and they can be used to construct various applications. In this paper we propose what we believe to be the first provably secure and efficient offline e-cash scheme with date attachability, based on the blind signature technique, where an expiration date and a deposit date can be embedded in an e-cash simultaneously. With the help of the expiration date the bank can manage its huge database much more easily against unlimited growth, and since the deposit date cannot be forged, users are able to calculate correctly the amount of interest they will receive in the future. Furthermore, we offer security analysis and formal proofs for all essential properties of offline e-cash, which are anonymity control, unforgeability, conditional traceability, and no-swindling.
1. Introduction
Due to the rapid growth of the Internet and of communication technology, electronic commerce has become much more popular and widely used than ever [1–8]. Mobile telecommunications have developed from 2G to 3.5G; furthermore, LTE Advanced, 4G, and 5G are being brought to market in recent years. With the convenience of mobile networks, people can shop or make electronic payments from any device with network capability instead of leaving home. As a result, electronic commerce is receiving much attention nowadays. Electronic cash (e-cash) is one of the most popular research topics in electronic commerce. E-cash and traditional cash notes are very much alike, except that e-cash is digitized and used in Internet transactions; therefore it is very important that e-cash preserve accuracy, privacy, and all other security properties.
A typical e-cash system consists of payers (customers), payees (shops), and a bank. There are two types of e-cash in general, online e-cash [9–13] and offline e-cash [14–27]. An online e-cash system involves the participation of the bank during transactions (the payment stage). The bank is able to check whether a customer has double-spent the e-cash, and if so, it can terminate the transaction at once. Thus the bank has to be online during every transaction, which may become a bottleneck of the system. In offline e-cash systems, on the other hand, the bank does not participate in the payment stage, and the double-spending check is performed only during the deposit stage. Although the bank can stay offline, the system design is usually much more complicated than the online type, and it may lead to a longer transaction time. Since both systems have their own pros and cons, they are used under different circumstances.
Extending online and offline e-cash systems, many e-cash schemes with other features have been proposed over the years. For instance, e-cash can be stored compactly so that the space needed to store it is much reduced [15, 16]; e-cash can be generated by multiple authorities instead of one bank only [25]; there are exact-payment e-cash schemes [13], recoverable e-cash that can be recovered when an e-cash is lost [26], and so on.
Based on the majority of the existing approaches, we summarize that a secure e-cash system should satisfy the following requirements.
(i) Anonymity: no one except the judge can obtain any information about the e-cash owner's identity from the contents of the e-cash.
(ii) Unlinkability: no one except the judge can link any e-cash payment contents.
Hindawi Publishing Corporation, The Scientific World Journal, Volume 2014, Article ID 216973, 19 pages, http://dx.doi.org/10.1155/2014/216973
(iii) Unforgeability: no one except the bank can generate a legal e-cash.
(iv) Double-spending control: banks should have the ability to check whether an e-cash has been double-spent. No e-cash is allowed to be spent twice or more in an e-cash system.
(v) Conditional traceability: the system should be able to trace and revoke the anonymity of users who violate any of the security rules, so that they will receive penalties.
(vi) No-swindling: no one except the real owner can spend a valid offline e-cash successfully.
In order to perform double-spending checks, banks have to store information about e-cash in their database. Thus the database of a bank grows in direct proportion to the number of e-cash withdrawn. Embedding an expiration date into each e-cash has been considered, since it helps banks manage the database more easily. On the other hand, customers have to exchange their expired e-cash with the bank for new ones so as to keep the e-cash valid. Furthermore, customers receive interest from the bank after cash is deposited. In order to guarantee that customers receive the right amount of interest, it is necessary to attach the deposit date to the e-cash in such a way that the date cannot be modified by anyone else [11]. So far there are a number of online e-cash schemes with an expiration date attachment [9, 11, 28]; however, there are very few offline approaches [21].
In this paper we propose an efficient date attachable offline e-cash scheme and provide formal proofs of its essential properties in the random oracle model. Considering practical needs, we are the first to embed two kinds of date, the expiration date and the deposit date, into offline e-cash. Moreover, we offer an e-cash renewal protocol in our scheme (Section 3.2.5): users can exchange their unused, expired e-cash for a new one with another valid expiration date more efficiently. Compared with other similar works, our scheme is efficient in terms of computation cost.
The rest of this paper is organized as follows. In Section 2 we briefly review the techniques employed throughout our scheme. Our proposed scheme is described in detail in Section 3. Security proofs and analysis are covered in Section 4. Features and performance comparisons are made in Section 5, and the conclusion is given in Section 6.
2. Preliminaries
In this section we briefly review the techniques used in our date attachable offline e-cash scheme.
2.1. Chaum's Blind Signature Scheme. The blind signature was first introduced by Chaum [29] and has been widely used in e-cash protocols since it was proposed. The signer is not able to view the content of the message while he or she is signing it. Afterwards, the user obtains the message together with the signer's signature by unblinding the signed message. The protocol is described as follows.
(1) Initialization. The signer randomly chooses two distinct large primes $p$ and $q$, then computes $n = pq$ and $\phi(n) = (p-1)(q-1)$. Afterwards the signer selects two integers $e$ and $d$ at random such that $ed \equiv 1 \pmod{\phi(n)}$. Finally the signer publishes the public parameters $(e, n)$ and a one-way hash function $H$.
(2) User → Signer: $\alpha$. The user chooses a message $m$ and a random integer $r \in \mathbb{Z}_n^*$, then blinds the message by computing $\alpha = r^e H(m) \bmod n$ and sends it to the signer.
(3) Signer → User: $t$. After receiving $\alpha$, the signer signs it with his or her private key $d$ and sends it back to the user. The signed message is $t = \alpha^d \bmod n$.
(4) Unblinding. After receiving $t$ from the signer, the user unblinds it by computing $s = r^{-1} t \bmod n$. The signature-message pair is $(s, m)$.
(5) Verification. The pair $(s, m)$ can be verified by checking whether $s^e \equiv H(m) \pmod n$ holds.
2.2. Chameleon Hashing Based on Discrete Logarithm. Chameleon hashing was proposed by Krawczyk and Rabin [30]. The chameleon hash function is associated with a one-time public-private key pair; it is a collision-resistant function except for the user who owns the trapdoor for finding collisions. Any user who knows the public key can compute the hash, and for those who do not know the private key (trapdoor) it is infeasible to find any two inputs that lead to the same hash output. On the contrary, any user who knows the trapdoor can find a collision for given inputs. The construction of chameleon hashing based on the discrete logarithm is described as follows.
(1) Setup.
(i) $p, q$: two large primes such that $p = kq + 1$.
(ii) $g$: an element of order $q$ in $\mathbb{Z}_p^*$.
(iii) $x$: the private key, in $\mathbb{Z}_q^*$.
(iv) $y$: the public key, where $y = g^x \bmod p$.
(2) The function. A message $m \in \mathbb{Z}_q^*$ is given and a random integer $r \in \mathbb{Z}_q^*$ is chosen. The hash is defined as $\mathrm{cham\text{-}hash}_y(m, r) = g^m y^r \bmod p$.
(3) Collision. A user who knows $x$ is able to find a collision of the hash for any given $m, m'$, that is, an $r'$ such that $\mathrm{cham\text{-}hash}_y(m, r) = \mathrm{cham\text{-}hash}_y(m', r')$. The user derives $r'$ from the equation $m + xr = m' + xr' \pmod q$.
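The chameleon hash of Section 2.2 in working form, as an added example (not code from the paper): anyone with $y$ can evaluate $g^m y^r \bmod p$, and only the trapdoor holder can solve $m + xr = m' + xr' \pmod q$ for a colliding $r'$. The same trapdoor relation is what the deposit protocol later relies on, where the coin owner publishes $r_4 = r_2 - x_2 H_5(d)$ so that $w_2 = y_2^{H_5(d)} g_2^{r_4}$ can be checked by the bank. The primes $p = 2039$, $q = 1019$ and the fixed seed are constructed toy values for reproducibility.

```python
import random

# Constructed toy parameters: q = 1019 and p = 2*q + 1 = 2039 are both prime (so k = 2).
# Real deployments use primes of cryptographic size; these sizes are for illustration only.
P, Q = 2039, 1019

def order_q_generator(p, q, h=2):
    """Return an element of order q in Z_p^*: g = h^((p-1)/q) mod p, moving to the next h if that gives 1."""
    k = (p - 1) // q
    while True:
        g = pow(h, k, p)
        if g != 1:
            return g
        h += 1

G = order_q_generator(P, Q)

def keygen(rng):
    """Trapdoor x in Z_q^* and public key y = g^x mod p."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def cham_hash(y, m, r):
    """cham-hash_y(m, r) = g^m * y^r mod p; only the public key y is needed to evaluate it."""
    return (pow(G, m, P) * pow(y, r, P)) % P

def collision(x, m, r, m_new):
    """With the trapdoor x, return r' such that cham-hash_y(m, r) == cham-hash_y(m_new, r').
    Because g^m y^r = g^(m + x r), it suffices to solve m + x*r = m_new + x*r' (mod q) for r'."""
    return ((m + x * r - m_new) * pow(x, -1, Q)) % Q

def demo(seed=7):
    rng = random.Random(seed)  # fixed seed so the run is reproducible; use the secrets module in practice
    x, y = keygen(rng)
    m, r = rng.randrange(1, Q), rng.randrange(1, Q)
    m_new = rng.randrange(1, Q)
    while m_new == m:
        m_new = rng.randrange(1, Q)
    r_new = collision(x, m, r, m_new)
    return {
        "hash": cham_hash(y, m, r),
        "hash_new": cham_hash(y, m_new, r_new),
        "collides": cham_hash(y, m, r) == cham_hash(y, m_new, r_new),
        "inputs_differ": (m, r) != (m_new, r_new),
    }

if __name__ == "__main__":
    print(demo())
```

Without $x$, producing `r_new` requires solving a discrete logarithm in the order-$q$ subgroup, which is the hardness assumption the hash rests on; with $x$ it is one modular inversion.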
3. The Proposed Date Attachable Offline Electronic Cash Scheme
In this section we introduce a new date attachable offline e-cash scheme. Considering the issues mentioned in Section 1, we propose a secure offline e-cash scheme with two specific kinds of date attached to the e-cash, the expiration date and the deposit date.
3.1. Outline of the Proposed Scheme. Here we briefly describe the procedures of our scheme. The proposed scheme contains four protocols: the withdrawal protocol, the payment protocol, the deposit protocol, and the e-cash renewal protocol. A user withdraws an e-cash with an expiration date attached to it from the bank. A trusted computing platform (i.e., a judge device) [31, 32], as stated in the proposed scheme, is installed in the bank to hold the identity information of all users, and it further helps trace users when needed. It is impossible for anyone except the judge to obtain any information embedded in the device [33]. Nowadays the judge device can be implemented in practice with Trusted Platform Module (TPM) technology [32, 34].
Before an e-cash is deposited, the depositor attaches the deposit date to the e-cash and sends it to the bank during the deposit stage. When the bank receives an e-cash, it performs a double-spending check to verify whether the e-cash has been spent twice. The bank can derive secret parameters of a user who double-spends and let the judge revoke the anonymity of that user. Besides, when an unused e-cash expires, the user is able to exchange it for a new one with a new expiration date. For efficiency, some of the user's unused parameters can remain unchanged while exchanging for a new valid e-cash. In the following sections we describe our scheme in detail.
3.2. The Proposed Scheme. First we define some notation as follows.
(1) $H_1, H_2, H_3$: three one-way hash functions, $H_1, H_2, H_3 : \{0,1\}^* \to \{0,1\}^n$.
(2) $H_4, H_5$: two one-way hash functions, $H_4, H_5 : \{0,1\}^* \to \{0,1\}^q$.
(3) $E_x / D_x$: a secure symmetric cryptosystem; plaintext is both encrypted and decrypted with the symmetric key $x$.
(4) $E_{pk} / D_{sk}$: a secure asymmetric cryptosystem; plaintext is encrypted with the public key $pk$ and decrypted with the corresponding private key $sk$.
(5) $(pk_j, sk_j)$: the public-private key pair of the judge.
(6) $(e_b, d_b)$: the public-private key pair of the bank.
(7) $Date$: the expiration date. It represents the effective spending date of a withdrawn e-cash; any e-cash withdrawn in the same period has the same expiration date, and vice versa.
(8) $\mathrm{ID}_c$: the identity of user $C$.
(9) $l_k, l_r$: the security parameters.
(10) Judge device: a tamper-resistant device issued by the judge and installed in the bank's system. It is impossible to intercept or modify any information stored in the device.
3.2.1. Initialization. Initially the bank randomly chooses two distinct large primes $(p_b, q_b)$ and computes the RSA modulus $n_b = p_b q_b$. It selects an integer $e_b$ at random such that $\gcd(\phi(n_b), e_b) = 1$, where $\phi(n_b) = (p_b - 1)(q_b - 1)$ and $1 < e_b < \phi(n_b)$. Then it finds $d_b$ such that $e_b d_b \equiv 1 \pmod{\phi(n_b)}$. Secondly, it also chooses two other large primes $p$ and $q$ and two generators $g_1$ and $g_2$ of order $q$ in $\mathbb{Z}_p^*$. Then the bank publishes $(n_b, e_b, p, q, g_1, g_2, pk_j, H_1, H_2, H_3, H_4, H_5, E/D, E/D)$. Meanwhile, the judge embeds $(n_b, e_b, p, q, g_1, g_2, pk_j, sk_j, H_1, H_2, H_3, H_4, H_5, E, D, E, D)$ into a judge device and issues it to the bank.
3.2.2. Withdrawal Protocol. Users run the withdrawal protocol with the bank to obtain an e-cash, as shown in Figure 1. The bank has to know the user's identity, such as $\mathrm{ID}_c$ or an account number, before the withdrawal protocol proceeds; therefore users should authenticate to the bank beforehand. Users can execute the withdrawal protocol on any device that is able to compute and connect to the network, for instance a mobile phone or a computer, and store the withdrawn e-cash there. The detailed steps of the protocol are as follows.
(1) Bank → User: $D$.
First the user prepares the parameters for withdrawing an e-cash. The user chooses integers $a, x_1, x_2, r_1, r_2$, and $r_3$ at random, where $a \in_R \mathbb{Z}_{n_b}^*$ and $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q-1\}$, and randomly selects a string $k \in_R \{0,1\}^{l_k}$. The user then computes $(y_1, w_1, y_2, w_2)$, where $y_i = g_i^{x_i} \bmod p$ and $w_i = g_i^{r_i} \bmod p$ for $i = 1, 2$. Secondly, the bank computes the parameters for the expiration date: it randomly chooses $r \in \mathbb{Z}_n^*$ and prepares $D = Date \,\|\, r$ for some expiration date $Date$. The bank sends $D$ to the user when he or she requests to withdraw an e-cash.
(2) User → Bank: $(\alpha, \epsilon)$.
After receiving $D$, the user prepares $\epsilon = E_{pk_j}(k, \mathrm{ID}_c)$ and
$\alpha = [a^{e_b} H_1^2(m, D)]^{-1} \bmod n_b$,  (1)
where $m = (y_1, w_1, y_2, w_2, r_3)$. Finally the user sends $(\alpha, \epsilon)$ to the bank.
(3) Bank → Judge device: $(\epsilon, \mu, D)$.
The bank sets $\mu = \mathrm{ID}_c$, where $\mathrm{ID}_c$ is the identity of user $C$, and inputs it together with $\epsilon$ and $D$ to the judge device.
Figure 1: Withdrawal protocol (message flow between the user, the bank, and the judge device; the computations shown in the figure are those of steps (1)–(6) of this section).
(4) Judge device → Bank: $(\beta, E_k(b, \sigma, r_j))$.
The judge device decrypts $\epsilon$ and checks whether $\mu = \mathrm{ID}_c$. If not, it returns "ID error" to the bank; otherwise it picks a random integer $b \in_R \mathbb{Z}_{n_b}^*$ and a random string $r_j \in_R \{0,1\}^{l_{r_j}}$. Then it computes $\sigma = E_{pk_j}(\mu, r_j)$ and
$\beta = [b^{e_b} H_3(\sigma, D)]^{-1} \bmod n_b$.  (2)
Finally it encrypts $(b, \sigma, r_j)$ with the symmetric key $k$ and outputs the ciphertext together with $\beta$ to the bank.
(5) Bank → User: $(t, E_k(b, \sigma, r_j))$.
After receiving $(\beta, E_k(b, \sigma, r_j))$ from the judge device, the bank computes
$t = (\alpha \beta H_2(D))^{d_b} \bmod n_b$  (3)
and sends $(t, E_k(b, \sigma, r_j))$ to the user.
(6) Verifications.
After receiving $(t, E_k(b, \sigma, r_j))$, the user first decrypts the ciphertext with the symmetric key $k$ to obtain $(b, \sigma, r_j)$. Secondly, he or she checks that his or her ID is embedded correctly by testing whether $\sigma = E_{pk_j}(\mathrm{ID}_c, r_j)$. Thirdly, he or she computes
$s = abt \bmod n_b$  (4)
and verifies $s$ by checking whether
$s^{e_b} H_1^2(m, D) H_3(\sigma, D) = H_2(D) \pmod{n_b}$  (5)
holds. Finally, when all verifications pass, the user obtains the e-cash tuple $(s, m, \sigma, D)$ and stores $(x_1, x_2, r_1, r_2)$ for later payments.
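The six steps above, run end to end as an added example (this is not the authors' code). The user's $\alpha$ and the judge device's $\beta$ are two Chaum-style blindings (Section 2.1) that the bank signs in one RSA operation, so unblinding with $ab$ yields the coin $s$ of equation (4) satisfying equation (5); the same block also exercises the renewal check of Section 3.2.5, where the bank verifies $s^{e_b} H_1(\rho) H_3(\sigma, D) \equiv H_2(D)$ from $\rho = H_1(m, D)$ alone. Assumptions: $H_1^2$ is read as $H_1$ applied twice (which is what makes $H_1(\rho)$ in the renewal check line up with equation (5)); $H_1, H_2, H_3$ are domain-separated SHA-256 mapped into $\mathbb{Z}_{n_b}^*$; the judge's $E_{pk_j}$ is modelled as deterministic given $(\mu, r_j)$ because step (6) recomputes $\sigma$; $E_k$ is a hash-derived one-time pad; and all primes, the user identity 777 and the seed are constructed toy values.

```python
import hashlib
import math
import random

# Constructed toy bank RSA key: p_b = 10007 and q_b = 10009 are prime (27-bit modulus, illustration only).
P_B, Q_B = 10007, 10009
N_B = P_B * Q_B
E_B = 65537
D_B = pow(E_B, -1, (P_B - 1) * (Q_B - 1))
# Constructed toy judge RSA key (10037 and 10039 are prime); encryption is deterministic so the user
# can recompute sigma in step (6), with r_j playing the role of the per-ciphertext randomness.
N_J = 10037 * 10039
E_J = 65537
D_J = pow(E_J, -1, (10037 - 1) * (10039 - 1))
# Constructed toy DL group: q = 1019 and p = 2q + 1 = 2039 are prime; 4 = 2^2 and 9 = 3^2 have order q.
P, Q, G1, G2 = 2039, 1019, 4, 9

def H(tag, *parts):
    """SHA-256 standing in for H_1, H_2, H_3 (domain-separated by tag); output mapped into Z_{n_b}^*."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{tag}|{ctr}|{parts}".encode()).digest()
        h = int.from_bytes(digest, "big") % N_B
        if h > 1 and math.gcd(h, N_B) == 1:
            return h
        ctr += 1

def judge_enc(hi, lo):
    """E_{pk_j}: toy RSA over the packed pair (hi, lo), each a 10-bit value."""
    return pow((hi << 10) | lo, E_J, N_J)

def judge_dec(c):
    """D_{sk_j}: inverse of judge_enc."""
    plain = pow(c, D_J, N_J)
    return plain >> 10, plain & 0x3FF

def sym(key, n):
    """E_k / D_k on one integer: XOR with a SHA-256-derived pad (the same call decrypts)."""
    pad = int.from_bytes(hashlib.sha256(f"k={key}".encode()).digest(), "big")
    return n ^ pad

def rand_unit(rng, n):
    """Random element of Z_n^*."""
    while True:
        v = rng.randrange(2, n)
        if math.gcd(v, n) == 1:
            return v

def withdraw(id_c, rng):
    """Run steps (1)-(6) between user, bank and judge device; return the coin and the user's secrets."""
    # (1) user picks a, x_i, r_i, k and computes y_i = g_i^{x_i}, w_i = g_i^{r_i}; bank prepares D = Date||r
    a = rand_unit(rng, N_B)
    x1, x2, r1, r2, r3 = (rng.randrange(Q) for _ in range(5))
    k = rng.getrandbits(10)                          # l_k = 10 bits in this toy
    y1, w1 = pow(G1, x1, P), pow(G1, r1, P)
    y2, w2 = pow(G2, x2, P), pow(G2, r2, P)
    D = ("2014-12-31", rand_unit(rng, N_B))          # Date || r
    m = (y1, w1, y2, w2, r3)
    # (2) user: eps = E_{pk_j}(k, ID_c) and alpha = [a^{e_b} H_1^2(m, D)]^{-1}         -- eq. (1)
    eps = judge_enc(k, id_c)
    h1sq = H("H1", H("H1", m, D))                    # H_1^2(m, D) = H_1(H_1(m, D))
    alpha = pow(pow(a, E_B, N_B) * h1sq, -1, N_B)
    # (3)-(4) bank hands (eps, mu = ID_c, D) to the judge device, which checks the identity,
    #         computes sigma and beta = [b^{e_b} H_3(sigma, D)]^{-1}                    -- eq. (2)
    mu = id_c
    k_dev, id_dev = judge_dec(eps)
    if id_dev != mu:
        raise ValueError("ID error")
    b, r_j = rand_unit(rng, N_B), rng.getrandbits(10)
    sigma = judge_enc(mu, r_j)
    beta = pow(pow(b, E_B, N_B) * H("H3", sigma, D), -1, N_B)
    enc_b = sym(k_dev, b)                            # E_k(b, sigma, r_j): sigma and r_j travel alongside
    # (5) bank signs the product: t = (alpha beta H_2(D))^{d_b}                          -- eq. (3)
    t = pow(alpha * beta * H("H2", D), D_B, N_B)
    # (6) user recovers b, checks sigma embeds its own ID, then unblinds s = a b t        -- eq. (4)
    b_user = sym(k, enc_b)
    if sigma != judge_enc(id_c, r_j):
        raise ValueError("sigma does not embed ID_c")
    s = (a * b_user * t) % N_B
    coin = {"s": s, "m": m, "sigma": sigma, "D": D}
    if not verify_coin(coin):
        raise ValueError("equation (5) failed")
    return coin, {"x1": x1, "x2": x2, "r1": r1, "r2": r2}

def verify_coin(coin):
    """Equation (5): s^{e_b} H_1^2(m, D) H_3(sigma, D) == H_2(D) (mod n_b); run by shops and the bank."""
    s, m, sigma, D = coin["s"], coin["m"], coin["sigma"], coin["D"]
    lhs = pow(s, E_B, N_B) * H("H1", H("H1", m, D)) * H("H3", sigma, D)
    return lhs % N_B == H("H2", D)

def renewal_check(s, rho, sigma, D):
    """Section 3.2.5: the bank verifies an expired coin from rho = H_1(m, D) without seeing m."""
    return (pow(s, E_B, N_B) * H("H1", rho) * H("H3", sigma, D)) % N_B == H("H2", D)

def demo_withdraw(seed=2014):
    """Reproducible run for the constructed user identity 777."""
    return withdraw(777, random.Random(seed))

if __name__ == "__main__":
    coin, secrets = demo_withdraw()
    rho = H("H1", coin["m"], coin["D"])
    print(verify_coin(coin), renewal_check(coin["s"], rho, coin["sigma"], coin["D"]))
```

The bank never sees $a$, $b$ or $m$: it signs $\alpha\beta H_2(D)$, and only the user (who holds $a$ and receives $b$ under $k$) can complete $s$. Because $b$ is chosen inside the judge device, the bank cannot later link $t$ to $s$ on its own, which is the property the unlinkability proof in Section 4.1 formalizes.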
3.2.3. Payment Protocol. When a user has to spend the e-cash, he or she performs the protocol as shown in Figure 2. The steps of the protocol are as follows.
(1) User → Shop: $(s, m, \sigma, D, x_2, r_2)$.
The user sends $(s, m, \sigma, D, x_2, r_2)$ to the shop, where $D$ contains the expiration date of the e-cash.
Figure 2: Payment protocol (message flow between the user and the shop as described in steps (1)–(4) of this section).
(2) Shop → User: $r_s$.
The shop first checks $D$ to verify whether the e-cash is still within its expiration date; if not, it terminates the transaction. Otherwise it continues by verifying $s^{e_b} H_1^2(m, D) H_3(\sigma, D) = H_2(D) \pmod{n_b}$. If this does not hold the protocol is aborted; otherwise the shop selects a string $r'_s \in_R \{0,1\}^{l_{r_j}}$ and sets the challenge $r_s = (\mathrm{ID}_s, r'_s)$, where $\mathrm{ID}_s$ is the identity of the shop. Finally it sends $r_s$ to the user.
(3) User → Shop: $(s', r_u)$.
After receiving $r_s$ from the shop, the user randomly selects $r_u \in_R \mathbb{Z}_q^*$ and computes the response to the challenge
$s' = (r_1 - u x_1) \bmod q$,  (6)
where $u = H_4(r_u, r_s)$. Then the user sends $(s', r_u)$ to the shop.
(4) Verifications.
After receiving $(s', r_u)$ from the user, the shop verifies whether $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \pmod p$ holds. If it does, the shop accepts the e-cash; otherwise the shop rejects it. Since this is an offline e-cash, the shop does not have to deposit it to the bank immediately; it can store the e-cash and deposit it later together with other received e-cash.
3.2.4. Deposit Protocol. As Figure 3 shows, in this protocol shops attach the deposit date to their e-cash and deposit them to the bank. The bank performs double-spending checks when it receives these e-cash. If any e-cash is double-spent, the bank revokes the anonymity of the e-cash owner with the help of the judge. The steps are described in detail as follows.
(1) Shop → Bank: $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$.
The shop computes $r_4 = r_2 - x_2 H_5(d)$, where $d$ is the deposit date, and sends $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$ to the bank.
(2) Verifications.
First, the bank checks the correctness of the expiration date $D$ and the deposit date $d$, respectively, and also checks whether
$w_2 = y_2^{H_5(d)} g_2^{r_4} \bmod p$,
$w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \bmod p$  (7)
hold. Secondly, the bank verifies whether $s^{e_b} H_1^2(m, D) H_3(\sigma, D) = H_2(D) \pmod{n_b}$ and checks the uniqueness of $(s, m, \sigma, D)$. Finally, if all of the above checks succeed, the bank accepts and stores the e-cash in its database and records $H_1(m, D)$ in the exchange list. Otherwise it rejects the transaction and traces the owner of the e-cash.
3.2.5. E-Cash Renewal Protocol. In order to reduce the unlimited-growth problem of the bank's database, our scheme has an expiration date and a renewal protocol, shown in Figure 4. When an unused e-cash expires, the user exchanges it at the bank for another e-cash with a new expiration date.
(1) User → Bank: $(s, \rho, \sigma, D)$.
The user recalls $m = (y_1, w_1, y_2, w_2, x_2, r_3)$ and prepares
$\rho = H_1(m, D)$  (8)
and sends it together with the unused $(s, \sigma, D)$ to the bank.
(2) Verifications.
First, the bank checks the correctness of the expiration date $D$ and makes sure that $\rho$ does not exist in the exchange list. Secondly, the bank verifies whether $s^{e_b} H_1(\rho) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$. Finally, if all of the above checks succeed, the bank accepts to exchange the e-cash: it sends a new expiration date $D'$ and stores $\rho$ in the exchange list. Otherwise it rejects the exchange request.
(3) User → Bank: $(\ \ , \epsilon)$.
The user computes the new blinded value
$[a^{e_b} H_1^2(m', D')]^{-1} \bmod n_b$,  (9)
where $m' = (y_1, w_1, y_2, w_2, x_2, r'_3)$, $r'_3$ is random, and $D'$ is the new expiration date issued by the bank. The user sends $(\ \ , \epsilon, \mathrm{ID}_c)$ to the bank. Then the bank repeats the withdrawal protocol of Section 3.2.2 from Step 2 with the user.
Figure 3: Deposit protocol (message flow Shop → Bank; the checks shown are those of Section 3.2.4).
Figure 4: E-cash renewal protocol (message flow between the user and the bank; the checks shown are those of Section 3.2.5, followed by a repeat of the withdrawal protocol).
3.2.6. Double-Spending Checking and Anonymity Control. In our scheme the identity of users is anonymous in general, except when users violate any security rules, in which case their identities are revealed.
(1) Double-Spending Checking
When an e-cash is double-spent, there must be two e-cash records with the same prefix $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$ stored in the database of the bank. Therefore the bank can detect any double-spent e-cash easily by checking the above parameters. For instance, suppose the bank has received the two e-cash records
$(s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, s', r_u, r_s)$,
$(s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, \bar{s}', \bar{r}_u, \bar{r}_s)$,  (10)
where the bar marks the response and challenge of the second spending. Thus the bank obtains the two equations
$s' \equiv r_1 - H_4(r_u, r_s)\, x_1 \pmod q$,
$\bar{s}' \equiv r_1 - H_4(\bar{r}_u, \bar{r}_s)\, x_1 \pmod q$.  (11)
The bank can derive $(x_1, r_1)$ from the above equations and send $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ to the judge to trace the owner of the e-cash.
(2) Revocation.
The judge can trace any user who double-spends e-cash or violates any transaction regulation. When the judge receives $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ from the bank, it checks the following equations:
$s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$,
$y_1 \equiv g_1^{x_1} \pmod p$,
$w_1 \equiv g_1^{r_1} \pmod p$.  (12)
If all of the above equalities hold, the judge decrypts $\sigma$ and returns the extracted $\mathrm{ID}_c$ to the bank.
Figure 5: The game environment of the linkage game (Definition 1): a random bit $b$ is chosen, $U_0$ and $U_1$ output $(m_b, \sigma_b)$ and $(m_{1-b}, \sigma_{1-b})$, the bank $\mathcal{B}$ engages with them and outputs $b'$, and $\mathcal{B}$ wins if $b' = b$; its advantage is $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = |2\Pr[b' = b] - 1|$.
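The payment response (6), the deposit checks (7), and the recovery of $(x_1, r_1)$ from the two equations (11), as an added example that is not the authors' code. It covers Sections 3.2.3, 3.2.4 and 3.2.6 together because they share the discrete-logarithm part of the coin: a single honest payment reveals nothing about $x_1$ (one equation, two unknowns), while two payments against different challenges give the bank a solvable linear system, after which the judge's checks in (12) confirm the recovered pair before any identity is released. Assumptions: $H_4$ and $H_5$ are SHA-256 reduced into $\mathbb{Z}_q$; the RSA part of the coin is omitted (it is unchanged between the two spendings, so records are matched here on the $(y_1, w_1, y_2, w_2)$ prefix); the group $p = 2039$, $q = 1019$, the shop identifiers and the seed are constructed toy values.

```python
import hashlib
import random

# Constructed toy group: q = 1019 and p = 2q + 1 = 2039 are prime; 4 and 9 are squares, hence of order q.
P, Q, G1, G2 = 2039, 1019, 4, 9

def H_q(tag, *parts):
    """SHA-256 standing in for H_4 and H_5, reduced into Z_q."""
    return int.from_bytes(hashlib.sha256(f"{tag}|{parts}".encode()).digest(), "big") % Q

def make_coin_secrets(rng):
    """Owner's secrets (x_1, x_2, r_1, r_2) and the public part (y_1, w_1, y_2, w_2) of m."""
    x1, x2, r1, r2 = (rng.randrange(1, Q) for _ in range(4))
    pub = {"y1": pow(G1, x1, P), "w1": pow(G1, r1, P), "y2": pow(G2, x2, P), "w2": pow(G2, r2, P)}
    return {"x1": x1, "x2": x2, "r1": r1, "r2": r2}, pub

def pay(secrets, shop_id, rng):
    """Payment steps (2)-(3): the shop issues r_s = (ID_s, r'_s); the user answers s' = r_1 - u x_1 mod q."""
    r_s = (shop_id, rng.getrandbits(64))
    r_u = rng.randrange(1, Q)
    u = H_q("H4", r_u, r_s)
    s_prime = (secrets["r1"] - u * secrets["x1"]) % Q
    return {"s_prime": s_prime, "r_u": r_u, "r_s": r_s}

def shop_verify(pub, tr):
    """Payment step (4): w_1 == y_1^{H_4(r_u, r_s)} g_1^{s'} (mod p)."""
    u = H_q("H4", tr["r_u"], tr["r_s"])
    return pub["w1"] == (pow(pub["y1"], u, P) * pow(G1, tr["s_prime"], P)) % P

def deposit_record(secrets, pub, tr, d):
    """Deposit step (1): the shop attaches d and r_4 = r_2 - x_2 H_5(d), using the (x_2, r_2) it received."""
    r4 = (secrets["r2"] - secrets["x2"] * H_q("H5", d)) % Q
    return {**pub, "x2": secrets["x2"], "r4": r4, "d": d, **tr}

def bank_checks(rec):
    """Deposit step (2), equations (7): both relations must hold."""
    w2_ok = rec["w2"] == (pow(rec["y2"], H_q("H5", rec["d"]), P) * pow(G2, rec["r4"], P)) % P
    u = H_q("H4", rec["r_u"], rec["r_s"])
    w1_ok = rec["w1"] == (pow(rec["y1"], u, P) * pow(G1, rec["s_prime"], P)) % P
    return w2_ok and w1_ok

def same_coin(rec_a, rec_b):
    """Double-spending detection: identical public prefix in two deposited records."""
    return all(rec_a[k] == rec_b[k] for k in ("y1", "w1", "y2", "w2"))

def extract_owner_secrets(rec_a, rec_b):
    """Equations (11): s'_a = r_1 - u_a x_1 and s'_b = r_1 - u_b x_1 (mod q), so
       x_1 = (s'_b - s'_a) / (u_a - u_b) and r_1 = s'_a + u_a x_1."""
    u_a = H_q("H4", rec_a["r_u"], rec_a["r_s"])
    u_b = H_q("H4", rec_b["r_u"], rec_b["r_s"])
    if u_a == u_b:
        return None                       # same challenge hash twice: no second independent equation
    x1 = ((rec_b["s_prime"] - rec_a["s_prime"]) * pow((u_a - u_b) % Q, -1, Q)) % Q
    r1 = (rec_a["s_prime"] + u_a * x1) % Q
    return x1, r1

def judge_checks(pub, x1, r1):
    """Revocation, the discrete-logarithm part of equations (12): y_1 == g_1^{x_1}, w_1 == g_1^{r_1}."""
    return pub["y1"] == pow(G1, x1, P) and pub["w1"] == pow(G1, r1, P)

def demo(seed=2014):
    rng = random.Random(seed)             # fixed seed for reproducibility; use the secrets module in practice
    secrets, pub = make_coin_secrets(rng)
    tr1 = pay(secrets, shop_id=1, rng=rng)          # honest spend at shop 1
    tr2 = pay(secrets, shop_id=2, rng=rng)          # the same coin spent again at shop 2
    while H_q("H4", tr2["r_u"], tr2["r_s"]) == H_q("H4", tr1["r_u"], tr1["r_s"]):
        tr2 = pay(secrets, shop_id=2, rng=rng)      # guard against an (unlikely) repeated challenge hash
    rec1 = deposit_record(secrets, pub, tr1, d="2014-06-01")
    rec2 = deposit_record(secrets, pub, tr2, d="2014-06-03")
    recovered = extract_owner_secrets(rec1, rec2)
    forged = {**tr1, "s_prime": (tr1["s_prime"] + 1) % Q}
    return {
        "shop_ok": shop_verify(pub, tr1) and shop_verify(pub, tr2),
        "forged_rejected": not shop_verify(pub, forged),
        "bank_ok": bank_checks(rec1) and bank_checks(rec2),
        "same_coin": same_coin(rec1, rec2),
        "recovered_matches": recovered == (secrets["x1"], secrets["r1"]),
        "judge_ok": recovered is not None and judge_checks(pub, *recovered),
    }

if __name__ == "__main__":
    print(demo())
```

The challenge $r_s = (\mathrm{ID}_s, r'_s)$ matters for detection: if a dishonest shop reused another shop's challenge, $u_a = u_b$ and the two equations would collapse into one, which is why `extract_owner_secrets` returns `None` in that case rather than a bogus pair.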
4. Security Proofs
In this section we provide security definitions and formal proofs of the following security features of our proposed date attachable offline electronic cash scheme (DAOECS): unlinkability, unforgeability, traceability, and no-swindling.
4.1. E-Cash Unlinkability. Based on the definition of unlinkability introduced by Abe and Okamoto [35] and Juels et al. [36], we formally define the unlinkability property of DAOECS.
Definition 1 (The Linkage Game). Let $U_0$, $U_1$, and $J$ be two honest users and the judge that follow DAOECS, respectively. Let $\mathcal{B}$ be the bank that participates in the following game with $U_0$, $U_1$, and $J$. The game environment is shown in Figure 5.
Step 1. According to DAOECS, $\mathcal{B}$ generates the bank's public key $(e_b, n_b)$, the bank's private key $(d_b, p_b, q_b)$, the system parameters $(p, q, g_1, g_2)$, the expiration date $D$, and the five public one-way hash functions $H_1, H_2, H_3, H_4$, and $H_5$. $J$ generates the judge's public-private key pair $(pk_j, sk_j)$.
Step 2. $\mathcal{B}$ generates $x_{1i}, x_{2i}, r_{1i}, r_{2i}, r_{3i}$ at random, where $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q-1\}$, and computes $(y_{ki}, w_{ki})$ for $k = 1, 2$ and $i = 0, 1$, where $y_{ki} = g_k^{x_{ki}} \bmod p$ and $w_{ki} = g_k^{r_{ki}} \bmod p$.
Step 3. We choose a bit $b \in \{0,1\}$ at random and place $(y_{1b}, w_{1b}, y_{2b}, w_{2b})$ and $(y_{1,1-b}, w_{1,1-b}, y_{2,1-b}, w_{2,1-b})$ on the private input tapes of $U_0$ and $U_1$, respectively, where $b$ is not disclosed to $\mathcal{B}$.
Step 4. $\mathcal{B}$ performs the withdrawal protocol of DAOECS with $U_0$ and $U_1$, respectively.
Step 5. If $U_0$ and $U_1$ output two e-cash $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$, where $m_i = (y_{1i}, w_{1i}, y_{2i}, w_{2i}, r_{3i})$, on their private tapes, respectively, we give the two e-cash in a random order to $\mathcal{B}$; otherwise $\perp$ is given to $\mathcal{B}$.
Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \leftarrow \mathcal{A}^{O_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s_i^{e_b} H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod{n_b}$ for all $i \in \{1, \ldots, \ell+1\}$;
    (ii) $m_1, \ldots, m_{\ell+1}$ are all distinct;
  else return 0.
Algorithm 1: Experiment FG-1.
Step 6. $\mathcal{B}$ outputs $b' \in \{0,1\}$ as its guess of $b$. The bank $\mathcal{B}$ wins the game if $b' = b$ and $J$ has not revoked the anonymity of $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$ to $\mathcal{B}$. We define the advantage of $\mathcal{B}$ as
$\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = \left| 2 \Pr[b' = b] - 1 \right|$,  (13)
where $\Pr[b' = b]$ denotes the probability that $b' = b$.
Definition 2 (Unlinkability). A DAOECS satisfies the unlinkability property if and only if the advantage $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B})$ defined in Definition 1 is negligible.
Theorem 3. A DAOECS satisfies the unlinkability property of Definition 2 if the adopted cryptosystems are semantically secure.
Proof If B is given perp in the Step 5 of the game it willdetermine with probability 12 which is exactly the sameas a random guess of
Here we assume that B gets two e-cash (1199040 119898
0 120590
0 119863
0)
and (1199041 119898
1 120590
1 119863
1) Let (120572
119894 120573
119894 119905119894 120598119894 119864
119896119894(119887119894 120590
119894 119903119895119894)) 119894 isin
0 1 be the view of data exchanged between 119880119894and
B in the withdrawal protocol (Section 322) and let(119909
2119894 1199032119894 1199034119894 119903119906119894 119903119904119894 1199041015840
119894 119889
119894) be the view of data exchanged when
B performs the payment protocol (Section 323) and thedeposit protocol (Section 324) by using (119904
119894 119898
119894 120590
119894 119863
119894) where
119894 isin 0 1For (119904 119898 120590119863 119909
2 1199032 1199034 119903119906 119903119904 1199041015840
119889) isin
(1199040 119898
0 120590
0 119863
0 119909
20 11990320 11990340 1199031199060 1199031199040 1199041015840
0 119889
0)
(1199041 119898
1 120590
1 119863
1 119909
21 11990321 11990341 1199031199061 1199031199041 1199041015840
1 119889
1)
(14)
and (120572119894 120573
119894 119905119894 120598119894 119864
119896119894(119887119894 120590
119894 119903119895119894)) 119894 isin 0 1 there always exists a
pair (1198861015840119894 1198871015840
119894) such that
1198861015840
119894= [120572
1198941198672
1(119898 119863)]
minus119889119887 mod 119899119887
(via (1))
1198871015840
119894= [120573
1198941198673(120590 119863)]
minus119889119887 mod 119899119887
(via (2)) (15)
And from (3), $t_i \equiv (\alpha_i \beta_i H_2(D))^{d_b} \pmod{n_b}$; (4) always holds, as
$s \equiv (a'_i b'_i t_i) \equiv [(H_1^2(m, D)\, H_3(\sigma, D))^{-1} H_2(D)]^{d_b} \pmod{n_b}.$ (16)
Besides, $E_{pk_j}$ and $E_{k_i}$ are semantically secure encryption functions, so B cannot learn any information from $\epsilon_i$ and $E_{k_i}(b_i, \sigma_i, r_{j_i})$.
From the above, given any $(s, m, \sigma, D) \in \{(s_0, m_0, \sigma_0, D_0), (s_1, m_1, \sigma_1, D_1)\}$ and $(\alpha_i, \beta_i, t_i)$, where $i \in \{0, 1\}$, there always exists a corresponding pair $(a'_i, b'_i)$ such that (1), (2), (3), and (4) are satisfied. Thus, going back to Step 6 of the game, the bank B succeeds in determining with probability $(1/2) + \varepsilon$, where $\varepsilon$ is negligible since $E_{pk_j}$ and $E_{k_i}$ are semantically secure. Therefore we have $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(B) = 2\varepsilon$, which is negligible, so that DAOECS satisfies the unlinkability property.
4.2. E-Cash Unforgeability. In this section we formally prove that the proposed date attachable offline electronic cash scheme (DAOECS) is secure against forgery attacks. Forgery attacks can be roughly divided into two types: the typical one-more forgery (i.e., $(\ell, \ell+1)$-forgery) [37], and forgery on some specific expiration date of an e-cash after sufficient communications with the signing oracle (i.e., the bank). The definitions and our formal proofs are described as follows.
Definition 4 (Forgery Game 1 in DAOECS (FG-1)). Let $l_k \in \mathbb{N}$ be a security parameter and A be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS and is responsible for issuing e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from A. A is allowed to query $\mathcal{O}_S$ for $\ell$ times. Consider the experiment $\mathrm{Exp}^{\text{FG-1}}_A(l_k)$ shown in Algorithm 1. A wins the forgery game FG-1 if the probability $\Pr[\mathrm{Exp}^{\text{FG-1}}_A(l_k) = 1]$ of A is nonnegligible.
Definition 5 (Forgery Game 2 in DAOECS (FG-2)). Let $l_k \in \mathbb{N}$ be a security parameter and A be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS and takes charge of the following two events:
(i) issue e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from A;
(ii) record the total number $\ell_{D_i}$ of each distinct expiration date $D_i$.
A is allowed to query $\mathcal{O}_S$ for $\ell$ times. Consider the experiment $\mathrm{Exp}^{\text{FG-2}}_A(l_k)$ shown in Algorithm 2. A wins the forgery game FG-2 if the probability $\Pr[\mathrm{Exp}^{\text{FG-2}}_A(l_k) = 1]$ of A is nonnegligible.

Experiment $\mathrm{Exp}^{\text{FG-2}}_A(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $\{(s_i, m_i, \sigma_i, D^*) \mid 1 \le i \le \ell_{D^*} + 1\} \leftarrow A^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s_i^{e_b} H_1^2(m_i) H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$ for all $i \in \{1, \ldots, \ell_{D^*} + 1\}$
    (ii) $m_1, \ldots, m_{\ell_{D^*}+1}$ are all distinct
  else return 0
Algorithm 2: Experiment FG-2.

Here we introduce the hard problems used in our proof models.
Definition 6 (Alternative Formulation of RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let $k \in \mathbb{N}$ be a security parameter and A be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. A is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ for $m$ and $q_h$ times, respectively. Consider Algorithm 3. We say A breaks the RSA-ACTI problem if the probability $\Pr[\mathrm{Exp}^{\text{RSA-ACTI}}_A(k) = 1]$ of A is nonnegligible.

Experiment $\mathrm{Exp}^{\text{RSA-ACTI}}_A(k)$:
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$; $(y_1, \ldots, y_m) \leftarrow \mathcal{O}_t(N, e, k)$
  $(\pi, (x_1, y_1), \ldots, (x_n, y_n)) \leftarrow A^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
  if the following checks are true, return 1:
    (i) $\pi: \{1, \ldots, n\} \to \{1, \ldots, m\}$ is injective
    (ii) $x_i^e \equiv y_i \pmod N$ for all $i \in \{1, \ldots, n\}$
    (iii) $n > q_h$
  else return 0
Algorithm 3.
Definition 7 (The RSA Inversion Problem). Given $(e, n)$, where $n$ is the product of two distinct large primes $p$ and $q$ of roughly the same length and $e$ is a positive integer relatively prime to $(p-1)(q-1)$, and a randomly chosen positive integer $y$ less than $n$, find an integer $x$ such that $x^e \equiv y \pmod n$.
Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then DAOECS is secure against forgery attacks.
Theorem 9. For a polynomial-time adversary A who can win FG-1 or FG-2 with nonnegligible probability, there exists another adversary S who can break the RSA-ACTI problem or the RSA inversion problem with nonnegligible probability.
Proof. S simulates the environment and controls three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ and an e-cash producing oracle $\mathcal{O}_S$ of the DAOECS scheme to respond to the different queries from A in the random oracle model, and takes advantage of A to solve the RSA-ACTI problem or the RSA inversion problem simultaneously. For consistency, S maintains three lists $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.
Here we carry out the simulation for the two games (i.e., FG-1 and FG-2) to prove that DAOECS is secure against forgery attacks. The details of the simulation are set out below and illustrated in Figures 6 and 7, respectively.
Simulation in FG-1. In this proof model S is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-ACTI problem defined in Definition 6 to help S produce e-cash(s), and the corresponding verifying key is $(e, n)$.
(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When A sends $m$ for querying the hash value $H_1(m)$, S will check the list $L_{H_1}$:
  (a) if $m = m_i$ for some $i$, then S retrieves the corresponding $H_1(m_i)$ and returns it to A;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \ne \perp$ for some $i$, then S retrieves the corresponding $H_1^2(m_i)$ and returns it to A;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then S queries $\mathcal{O}_t$ to get an instance $y$, returns it to A, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), y)$ in $L_{H_1}$;
  (d) otherwise S selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $L_{H_1}$, and returns $\rho$ to A.
(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When A asks for an $H_2$ query by sending $D$ to S, S will look up the list $L_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and S will send $(\tau^e \bmod n)$ back to A;
  (b) otherwise S will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$, and return $(\tau^e \bmod n)$ back to A.
(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When A sends $(\sigma, D)$ to S for $H_3(\sigma, D)$, S will look up the list $L_{H_3}$:
Figure 6: The proof model of FG-1.
Figure 7: The proof model of FG-2.
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ will be retrieved and $(\eta^e \bmod n)$ will be returned to A;
  (b) otherwise S will select a random $\eta \in \mathbb{Z}_n$, record $((\sigma, D), \eta)$ in $L_{H_3}$, and return $(\eta^e \bmod n)$ back to A.
(iv) E-Cash Producing Query of $\mathcal{O}_S$. When A sends $(\alpha, \epsilon, D)$ to S, S will do the following steps:
  (1) decrypt $\epsilon$ to obtain $(k, \mathrm{ID})$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e \bmod n)$, and store $((\sigma, D), \eta)$ in $L_{H_3}$;
  (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \eta^e)^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
  (6) send $(\alpha \beta \tau^e)$ to the oracle $\mathcal{O}_{\mathrm{inv}}$ to get $t = (\alpha \beta \tau^e)^d \bmod n$;
  (7) return $(t, E_k(b, \sigma, r_j))$ back to A.
Eventually, assume that A can successfully output $\ell + 1$ e-cash tuples
$(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1})$ (17)
where the $m_i$ are all distinct, $\forall i$, $1 \le i \le \ell + 1$, such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) = H_2(D_i) \pmod n$, after $\ell$ queries to $\mathcal{O}_S$, with nonnegligible probability $\epsilon_A$. According to $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, S can compute and retrieve the RSA-inversion instances ($\forall i$, $1 \le i \le \ell + 1$)
$(y_i)^d \equiv (H_1^2(m_i))^d \equiv s_i^{-1} (H_3(\sigma_i, D_i)^{-1} H_2(D_i))^d \equiv s_i^{-1} \eta_i^{-1} (\tau_i) \pmod n.$ (18)
Via A querying the signing oracle $\mathcal{O}_S$ for $\ell$ times (i.e., S querying $\mathcal{O}_{\mathrm{inv}}$ for $\ell$ times), S can output $\ell + 1$ RSA-inversion instances
$(s_1^{-1} \eta_1^{-1} (\tau_1), y_1),\ (s_2^{-1} \eta_2^{-1} (\tau_2), y_2),\ \ldots,\ (s_{\ell+1}^{-1} \eta_{\ell+1}^{-1} (\tau_{\ell+1}), y_{\ell+1})$ (19)
and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_A$.
Simulation in FG-2. Initially S is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.
(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When A sends $m$ for querying the hash value $H_1(m)$, S will check the list $L_{H_1}$:
  (a) if $m = m_i$ for some $i$, then S retrieves the corresponding $\rho_i$ and returns it to A;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \ne \perp$ for some $i$, then S retrieves the corresponding $\varsigma$ and returns $(\varsigma^e \bmod n)$ to A;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then S selects a random $\varsigma \in \mathbb{Z}_n$, returns $(\varsigma^e \bmod n)$ to A, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $L_{H_1}$;
  (d) otherwise S selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $L_{H_1}$, and returns $\rho$ to A.
(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When A asks for an $H_2$ query by sending $D$ to S, S will look up the list $L_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and S will send $(\tau^e \bmod n)$ back to A;
  (b) otherwise S will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$, and return $(\tau^e \bmod n)$ back to A.
(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When A sends $(\sigma, D)$ to S for $H_3(\sigma, D)$, S will look up the list $L_{H_3}$:
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ will be retrieved and returned to A;
  (b) otherwise S will select a random $\eta \in \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e y \bmod n)$, record $((\sigma, D), \eta, H_3(\sigma, D))$ in $L_{H_3}$, and return $H_3(\sigma, D)$ back to A.
(iv) E-Cash Producing Query of $\mathcal{O}_S$. Let $\ell_{D_i}$ be a counter recording the number of queries on each expiration date $D_i$, initialized to 0. When A sends $(\alpha, \epsilon, D)$ to S, S will do the following steps:
  (1) decrypt $\epsilon$ to obtain $(k, \mathrm{ID})$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), \perp, (\alpha \eta^e \bmod n))$ and $(\sigma, D)$ in $L_{H_3}$ and $L_x$, respectively;
  (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
  (6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv ((b\eta)^{-1} \tau) \pmod n$;
  (7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ back to A.
Eventually, assume that A can successfully output $\ell_{D'} + 1$ e-cash tuples for some expiration date $D'$,
$(s_1, m_1, \sigma_1, D'), \ldots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D')$ (20)
such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D') = H_2(D') \pmod n$, $\forall i$, $1 \le i \le \ell_{D'} + 1$, after $\ell_{D'}$ queries to $\mathcal{O}_S$ on $D'$, with nonnegligible probability $\epsilon_A$.
Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'} + 1$, is not recorded in $L_x$. Then by $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, S can compute and retrieve
$(s_i)^e \equiv (H_1^2(m_i) H_3(\sigma_i, D'))^{-1} H_2(D') \equiv ((\varsigma_i^e)(\eta_i^e y))^{-1} (\tau_i^e) \pmod n,$
$x \equiv y^d \equiv (s_i \varsigma_i \eta_i)^{-1} \tau_i \pmod n$ (21)
and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_A$.
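As an added illustration (not the paper's code), the following Python models the FG-2 simulator above together with the blinding relations (15)-(16) of Section 4.1: the hash oracles are dictionaries whose outputs S programs as $e$-th powers, so an $\mathcal{O}_S$ query is answered without $d$, and equation (21) recovers $y^d$ from a valid e-cash on a $(\sigma, D)$ that $\mathcal{O}_S$ never issued. The toy RSA modulus, the random stand-in for $\sigma$, and the omission of $E_k(b, \sigma, r_j)$ are simplifications assumed here.

```python
import secrets
from math import gcd

# Constructed toy RSA key, illustration only (far too small for real use).
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D_KEY = pow(E, -1, (P - 1) * (Q - 1))   # the real bank's d; the simulator never uses it


def rand_unit(n):
    """Random element of Z_n^*."""
    while True:
        x = secrets.randbelow(n - 2) + 2
        if gcd(x, n) == 1:
            return x


def verify(s, h1sq_m, h3_sigma_d, h2_d, n=N, e=E):
    """Scheme verification: s^e * H_1^2(m) * H_3(sigma, D) == H_2(D) (mod n)."""
    return pow(s, e, n) * h1sq_m * h3_sigma_d % n == h2_d % n


class Simulator:
    """S of the FG-2 simulation, given an RSA inversion instance (y, e, n)."""

    def __init__(self, y, n=N, e=E):
        self.y, self.n, self.e = y, n, e
        self.L_H1 = {}    # m -> varsigma, with H_1^2(m) = varsigma^e
        self.L_H2 = {}    # D -> tau, with H_2(D) = tau^e
        self.L_H3 = {}    # (sigma, D) -> (eta, H_3 value)
        self.L_x = set()  # (sigma, D) pairs issued through O_S
        self.ell = {}     # ell_D: number of O_S queries per expiration date

    def h1sq(self, m):
        """H_1^2 query (cases (b)/(c)): programme varsigma^e and remember varsigma."""
        if m not in self.L_H1:
            self.L_H1[m] = rand_unit(self.n)
        return pow(self.L_H1[m], self.e, self.n)

    def h2(self, D):
        """H_2 query: programme tau^e and remember tau."""
        if D not in self.L_H2:
            self.L_H2[D] = rand_unit(self.n)
        return pow(self.L_H2[D], self.e, self.n)

    def h3(self, sigma, D):
        """Direct H_3 query (case (b)): embed the challenge, H_3 = eta^e * y."""
        if (sigma, D) not in self.L_H3:
            eta = rand_unit(self.n)
            self.L_H3[(sigma, D)] = (eta, pow(eta, self.e, self.n) * self.y % self.n)
        return self.L_H3[(sigma, D)][1]

    def o_s(self, alpha, D):
        """E-cash producing query, steps (2)-(7), answered with no knowledge of d."""
        sigma = secrets.randbits(64)          # stands in for E_pk_j(ID, r_j)
        eta = rand_unit(self.n)
        eta_e = pow(eta, self.e, self.n)
        self.L_H3[(sigma, D)] = (eta, alpha * eta_e % self.n)   # (3) H_3 = alpha*eta^e
        self.L_x.add((sigma, D))
        b = rand_unit(self.n)
        beta = pow(pow(b, self.e, self.n) * alpha * eta_e, -1, self.n)  # (4)
        self.h2(D)                            # (5) makes sure H_2(D) = tau^e is assigned
        tau = self.L_H2[D]
        t = pow(b * eta, -1, self.n) * tau % self.n   # (6) equals (alpha*beta*tau^e)^d
        self.ell[D] = self.ell.get(D, 0) + 1  # (7)
        return t, b, sigma, beta

    def extract(self, s, m, sigma, D):
        """Equation (21): a valid e-cash on a (sigma, D) never issued by O_S
        yields y^d = (s * varsigma * eta)^-1 * tau (mod n)."""
        if (sigma, D) in self.L_x:
            raise ValueError("(sigma, D) came from O_S; nothing to extract")
        varsigma, eta, tau = self.L_H1[m], self.L_H3[(sigma, D)][0], self.L_H2[D]
        return pow(s * varsigma * eta, -1, self.n) * tau % self.n


def withdraw(sim, m, D):
    """Honest user: blind so that (1) holds with a', then unblind s = a' b t as in (16)."""
    a_prime = rand_unit(sim.n)
    alpha = pow(pow(a_prime, sim.e, sim.n) * sim.h1sq(m), -1, sim.n)
    t, b, sigma, beta = sim.o_s(alpha, D)
    assert t == pow(alpha * beta * sim.h2(D), D_KEY, sim.n)  # S's t matches a real bank's
    return a_prime * b * t % sim.n, sigma


def demo(y=None):
    """One simulated withdrawal that verifies, then one extraction from a forgery."""
    y = rand_unit(N) if y is None else y
    sim = Simulator(y)
    D = "2014-12-31"
    s, sigma = withdraw(sim, b"coin-1", D)
    ok = verify(s, sim.h1sq(b"coin-1"), sim.L_H3[(sigma, D)][1], sim.h2(D))
    # The demo plays an unbounded adversary that uses the real d to mint an
    # e-cash on a fresh sigma'; S then extracts y^d from it as the proof does.
    m2, sigma2 = b"coin-forged", 12345
    s2 = pow(pow(sim.h1sq(m2) * sim.h3(sigma2, D), -1, N) * sim.h2(D), D_KEY, N)
    return ok, sim.extract(s2, m2, sigma2, D) == pow(y, D_KEY, N)
```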
4.3. E-Cash Conditional-Traceability. In this section we prove that the ID information embedded in e-cash(s) cannot be replaced or removed by any user in order to evade being traced after some misbehavior or crime. The details of our proof model are illustrated in Figure 8.
Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and A be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS to record parameters from the queries of A and issue e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. A is allowed to query $\mathcal{O}_S$ for $\ell$ times. Consider Algorithm 4. A wins the game if the probability $\Pr[\mathrm{Exp}^{\text{TG}}_A(l_k) = 1]$ of A is nonnegligible.
Figure 8: The proof model of TG.

Experiment $\mathrm{Exp}^{\text{TG}}_A(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s', m', \sigma', D') \leftarrow A^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
  $\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow \mathcal{O}_S$
  if the following two checks are true, return 1:
    (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$
    (ii) $s'^e H_1^2(m') H_3(\sigma', D') = H_2(D') \bmod n$
  else return 0
Algorithm 4.

Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies the E-Cash Traceability.
Definition 12 (Alternative Formulation of RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and A be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. A is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5. We say A breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\text{RSA-AKTI}}_A(k) = 1]$ of A is nonnegligible.

Experiment $\mathrm{Exp}^{\text{RSA-AKTI}}_A(k)$:
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$; $(y_1, \ldots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$
  $((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow A^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
  if $x_i^e \equiv y_i \pmod N$ for all $i \in \{1, \ldots, q_t\}$, return 1
  else return 0
Algorithm 5.

Theorem 13. For a polynomial-time adversary A who can win the tracing game TG with nonnegligible probability, there exists another adversary S who can break the RSA-AKTI problem with nonnegligible probability.
Proof. S simulates the environment of DAOECS by controlling three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ to respond to hash queries and an e-cash producing oracle $\mathcal{O}_S$ of DAOECS to respond to e-cash producing queries from A, respectively, in the random oracle model. Eventually S will take advantage of A's capability to solve the RSA-AKTI problem. For consistency, S maintains three lists $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.
Besides, in the proof model S is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12 to help S produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.
Here we carry out the simulation for game TG to prove that DAOECS satisfies the e-cash traceability. Details are described as follows.
(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When A sends $m$ for querying the hash value $H_1(m)$, S will check the list $L_{H_1}$:
  (a) if $m = m_i$ for some $i$, then S retrieves the corresponding $H_1(m_i)$ and returns it to A;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \ne \perp$ for some $i$, then S retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^e \bmod n)$ to A;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then S chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^e \bmod n)$, returns $H_1^2(m_i)$ to A, and then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $L_{H_1}$;
  (d) otherwise S selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m_i) = \rho$, records $(m, H_1(m_i), \perp)$ in $L_{H_1}$, and returns $\rho$ to A.
(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When A asks for an $H_2$ query by sending $D$ to S, S will look up the list $L_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and S will send $(\tau^e \bmod n)$ back to A;
  (b) otherwise S will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$, and return $(\tau^e \bmod n)$ back to A.
(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When A sends $(\sigma, D)$ to S for $H_3(\sigma, D)$, S will look up the list $L_{H_3}$:
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to A;
  (b) otherwise S will query $\mathcal{O}_t$ to get an instance $y$ and record $y$ and $((\sigma, D), y)$ in $L_T$ and $L_{H_3}$, respectively;
  (c) return $y$ back to A.
(iv) E-Cash Producing Query of $\mathcal{O}_S$. When A sends $(\alpha, \epsilon, D)$ to S, S will do the following steps:
  (1) decrypt $\epsilon$ to obtain $(k, \mathrm{ID})$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $L_{H_3}$;
  (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
  (6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv ((b\eta)^{-1} \tau) \pmod n$;
  (7) return $(t, E_k(b, \sigma, r_j))$ back to A.
Assume that A can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as part of any $\mathcal{O}_S$ query, such that $s'^e H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$. Then by $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, S can derive
$(y')^d \equiv (H_3(\sigma', D'))^d \equiv s'^{-1} (H_1^2(m')^{-1} H_2(D'))^d \equiv s'^{-1} \varsigma'^{-1} \tau' \pmod n.$ (22)
Let $|L_T| = q_t$ and $L_T = \{y_1, \ldots, y_{q_t}\}$. S sends $y_i \in (L_T - \{y'\})$, $1 \le i \le (q_t - 1)$, to $\mathcal{O}_{\mathrm{inv}}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$.
Eventually S can output $q_t$ RSA-inversion instances
$(x_1, y_1),\ (x_2, y_2),\ \ldots,\ (x_{q_t-1}, y_{q_t-1}),\ ((s'^{-1} \varsigma'^{-1} \tau'), y')$ (23)
after querying $\mathcal{O}_{\mathrm{inv}}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_A$.
4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has been spent in a previous transaction, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model the merchant may accept a transaction involving a double-spent e-cash first and do the double-spending check later. In this case the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two events:
(i) No one except the real owner can spend a fresh and valid offline e-cash successfully.
(ii) No one can double spend an e-cash successfully.
Roughly, this can be referred to as the e-cash no-swindling property. In this section we define the no-swindling property and formally prove that our scheme is secure against swindling attacks.
Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and A be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to A. $\mathcal{O}_{\mathrm{off}}$ is an oracle that shows the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively. A wins the game if the probability $\Pr[\mathrm{Exp}^{\text{SWG-1}}_A(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\text{SWG-2}}_A(l_k) = 1]$ of A is nonnegligible.

Experiment $\mathrm{Exp}^{\text{SWG-1}}_A(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow A^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b} H_1^2(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ has never been a query to $\mathcal{O}_{\mathrm{off}}$
  else return 0
Algorithm 6: Experiment SWG-1.

Experiment $\mathrm{Exp}^{\text{SWG-2}}_A(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow A^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b} H_1^2(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{\mathrm{off}}$ only once
    (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ is not obtained from $\mathcal{O}_{\mathrm{off}}$
  else return 0
Algorithm 7: Experiment SWG-2.
Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.
Theorem 16. For a polynomial-time adversary A who can win the swindling game SWG with nonnegligible probability, there exists another adversary S who can solve the discrete logarithm problem with nonnegligible probability.
Proof. Consider the swindling game defined in Definition 14. S simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually S will take advantage of A's capability to solve the discrete logarithm problem. For consistency, S maintains a list $L_{H_4}$ to record every response of $\mathcal{O}_{H_4}$. S is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we describe the simulations for the two experiments $\mathrm{Exp}^{\text{SWG-1}}_A$ and $\mathrm{Exp}^{\text{SWG-2}}_A$ individually.
The simulation for $\mathrm{Exp}^{\text{SWG-1}}_A$ is illustrated in Figure 9, and each oracle is constructed as follows.
(i) Oracle $\mathcal{O}_B$. Initially S guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When A sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
  (a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
  (b) if $i = \nu$: (1) compute $(w_1 = (y^*)^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
  (c) if $i \ne \nu$: (1) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
  (d) prepare $s = ((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D))^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
  (e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $L_B$ and return $(s, m, \sigma, D)$ to A.
(ii) Oracle $\mathcal{O}_{\mathrm{off}}$. When A sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it will look up the list $L_B$:
  (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
  (b) otherwise $\mathcal{O}_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to A.
Assume that A can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $L_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*}$, S can derive
$x^* = (r_1^*)^{-1} (x_1^* H_4(r_u^*, r_s^*) + s'^*) \bmod q$ (24)
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B}) \epsilon_A$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.
Figure 9: The proof model of SWG-1.
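As an added illustration (not the paper's code) of the SWG-1 simulation above: S plants the discrete-log instance $y^*$ into $w_1$ of the $\nu$-th coin, the spender's expansion must satisfy $w_1 = y_1^{H_4(r_u, r_s)} g^{s'} \bmod p$, and equation (24) then recovers $x^*$. The toy group $p = 2q+1$, the SHA-256 stand-in for the random oracle $H_4$, and the adversary being played by an all-knowing demo are assumptions made here.

```python
import hashlib
import secrets

# Constructed toy group for illustration only: p = 2q + 1 with q prime, g = 4 of order q.
P_, Q_, G = 2039, 1019, 4


def h4(r_u, r_s):
    """Stand-in for the random oracle H_4, mapping (r_u, r_s) into Z_q."""
    digest = hashlib.sha256(f"{r_u}|{r_s}".encode()).digest()
    return int.from_bytes(digest, "big") % Q_


def plant_target(y_star):
    """O_B at the nu-th query: w_1 = (y*)^{r_1}, y_1 = g^{x_1} (mod p).
    Returns the public pair and the trapdoor (r_1, x_1) that S keeps in L_B."""
    r_1 = secrets.randbelow(Q_ - 1) + 1
    x_1 = secrets.randbelow(Q_ - 1) + 1
    return (pow(y_star, r_1, P_), pow(G, x_1, P_)), (r_1, x_1)


def valid_expansion(w_1, y_1, r_u, r_s, s_prime):
    """The w_1 part of check (i) of SWG-1: w_1 == y_1^{H_4(r_u, r_s)} * g^{s'} (mod p)."""
    return w_1 == pow(y_1, h4(r_u, r_s), P_) * pow(G, s_prime, P_) % P_


def extract_x_star(r_1, x_1, r_u, r_s, s_prime):
    """Equation (24): x* = (r_1)^{-1} (x_1 H_4(r_u, r_s) + s') mod q."""
    return pow(r_1, -1, Q_) * (x_1 * h4(r_u, r_s) + s_prime) % Q_


def demo(x_star=None):
    """Plant y* = g^{x*} in the nu-th coin, let an all-knowing adversary spend it,
    and recover x* from the expansion it produced."""
    x_star = x_star if x_star is not None else secrets.randbelow(Q_ - 1) + 1
    y_star = pow(G, x_star, P_)                      # the DL instance handed to S
    (w_1, y_1), (r_1, x_1) = plant_target(y_star)
    # The demo stands in for the adversary: a real A would have to spend the
    # target coin without x*; here x*, r_1 and x_1 are used to build an s' for
    # which relation (i) holds, which is exactly the event the reduction uses.
    r_u, r_s = secrets.randbits(32), secrets.randbits(32)
    s_prime = (r_1 * x_star - h4(r_u, r_s) * x_1) % Q_
    if not valid_expansion(w_1, y_1, r_u, r_s, s_prime):
        raise AssertionError("constructed expansion does not verify")
    return extract_x_star(r_1, x_1, r_u, r_s, s_prime) == x_star
```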
The simulation for ExpSWG-2A is illustrated in Figure 10 and
each oracle is constructed as follows
(i) Oracle $\mathcal{O}_B$. Initially, $\mathcal{S}$ guesses that the generic e-cash produced from the $\ell$th query will be the attack target. When $\mathcal{A}$ sends the $i$th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ does the following:
(a) if $i = \ell$:
(1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u}\, g^{s'} \bmod p$;
(3) prepare $s = \left(\left(H_1^2(m)\, H_3(\sigma, D)\right)^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $\mathcal{L}_B$.
(b) if $i \neq \ell$:
(1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
(3) prepare $s = \left(\left(H_1^2(m)\, H_3(\sigma, D)\right)^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $\mathcal{L}_B$.
(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.
(ii) Oracle $\mathcal{O}_{\text{off}}$. A status parameter sta is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\text{off}}$, it looks up the list $\mathcal{L}_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\ell$ and sta $= 0$, $\mathcal{O}_{\text{off}}$ performs the following procedures:
(1) set sta $= 1$;
(2) retrieve the corresponding $(u, s')$ from $\mathcal{L}_B$ and choose a random $r_u$;
(3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $\mathcal{L}_H$;
(4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $\mathcal{L}_{\text{off}}$;
(5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.
(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \ell$, $\mathcal{O}_{\text{off}}$ retrieves the corresponding $(r_1, x_1)$, chooses random $r_u$ and $u$, sets $H_4(r_u, r_s) = u$, records $((r_u, r_s), u)$ in $\mathcal{L}_H$, computes $s' = r_1 - u\, x_1 \bmod q$, and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.
(c) Otherwise, abort.
(iii) Oracle $\mathcal{O}_{H_4}$. When $\mathcal{A}$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ checks the list $\mathcal{L}_H$:
(a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ retrieves the corresponding $u$ and returns it to $\mathcal{A}$;
Figure 10: The proof model of SWG-2 (adversary $\mathcal{A}$, simulator $\mathcal{S}$, oracles $\mathcal{O}_B$, $\mathcal{O}_{\text{off}}$ and $\mathcal{O}_{H_4}$; for the $\ell$th $\mathcal{O}_B$ query the simulator sets $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$, programs $H_4(r_u, r_s) = u$ in $\mathcal{L}_H$ when sta $= 0$, records the expansion in $\mathcal{L}_{\text{off}}$, and from the Swindle output derives $x^* = (x^*_1(u^* - u))^{-1}(s' - s'^*) \bmod q$).
(b) otherwise, $\mathcal{O}_{H_4}$ chooses a random $u$, records $((r_u, r_s), u)$ in $\mathcal{L}_H$, and returns $u$ to $\mathcal{A}$.
Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w^*_1, y^*_1, w^*_2, y^*_2, r^*_3, \sigma^*, D^*, r^*_u, r^*_s, s'^*)$, where $(s^*, w^*_1, y^*_1, w^*_2, y^*_2, r^*_3, \sigma^*, D^*)$ is prefixed with $\ell$ and postfixed with $(u, s')$ in $\mathcal{L}_B$, and $H_4(r^*_u, r^*_s) = u^*$. Then, via $\mathcal{L}_H$, since

$$\left((y^*)^{x^*_1}\right)^{u^*} g^{s'^*} \equiv (y^*_1)^{H_4(r^*_u, r^*_s)}\, g^{s'^*} \equiv w^*_1 \equiv \left((y^*)^{x^*_1}\right)^{u} g^{s'} \pmod p, \tag{25}$$

$\mathcal{S}$ can derive

$$x^* = \left(x^*_1\,(u^* - u)\right)^{-1}\left(s' - s'^*\right) \bmod q \tag{26}$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.
Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. It implies that there exists no ppt adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
5 E-Cash Advanced Features and Performance Comparisons
In this section, we compare the e-cash features and performance of our proposed scheme with other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and form a table (Table 1) for the summary.
5.1 Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these features, there can be other advanced features of an e-cash system discussed in the literature. We focus on three other advanced features, which are traceability, date attachability, and no-swindling, and we compare the proposed scheme with the aforementioned schemes.
We also propose an e-cash renewal protocol for users to exchange a new valid e-cash for their unused but expired e-cash(s); therefore, users do not have to deposit the e-cash before it expires and withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. It is a great help to the users, since their devices, such as smart phones, usually have weaker computation capability.
Table 1: Advanced features and performance comparisons

| | Ours | [38] | [14] | [15] | [9] | [21] | [22] | [39] | [40] | [13] | [27] |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Advanced features | | | | | | | | | | | |
| On/off-line | Off | Off | Off | Off | On | Off | Off | Off | Off | On | Off |
| Conditional-traceability | Yes | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
| Date attachability | Yes | No | No | No | Yes | Yes | No | No | No | No | Yes |
| No-swindling | Yes | No | No | No | — | No | Yes | No | No | — | No |
| Renewal protocol | Yes | — | Yes | — | No | Yes | Yes | — | — | — | Yes |
| Formal proof | Yes | Yes | No | Yes | No | No | Yes | Yes | Yes | Yes | No |
| Performance | | | | | | | | | | | |
| Transaction cost⋆ | 5E + 7M + 7H + 1inv + 1A ≈ 1454M | 14E + 14M + 1H + 5A ≈ 3375M | 6E + 8M ≈ 1448M | 23E + 14M + 1A ≈ 5534M | 2E + 2M + 2H ≈ 966M | 5E + 9M + 1H + 1inv + 2A ≈ 1450M | 2E ≈ 480M | 18E + 15M + 2H + 8A ≈ 4337M | 31E + 22M + 6H + 10A ≈ 7468M | 22E + 11M + 4A ≈ 5291M | 6E + 8M + 1H ≈ 1449M |
| Communication cost (bytes) | 1092 | 576 | 1288 | 939 | 769 | 644 | 300 | 828 | 968 | 1536 | 728 |

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
Communication cost: the communication cost of each transaction at the user side, in bytes.
5.2 Performance Comparisons. According to [41], we can summarize and induce the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times that of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.
With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be induced as 1452 times that of a modular multiplication, while other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times that of a modular multiplication to finish the withdrawal and payment phases at the user ends.
According to [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and one-way hash function used in all protocols, respectively; therefore, the signed message and hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.
With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.
The details of the comparisons are summarized in Table 1.
6 Conclusion
In this paper, we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol where users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient from the aspect of the computation cost at the user side while satisfying all security properties simultaneously. In addition to anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank manage its huge databases against unlimited growth, but it also strengthens the preservation of users' privacy and rights.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.
References
[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.
[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.
[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.
[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.
[5] D. R. Liuy and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.
[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.
[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.
[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.
[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.
[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.
[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.
[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.
[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.
[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.
[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.
[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.
[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.
[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology-CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.
[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.
[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.
[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.
[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.
[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.
[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.
[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.
[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology-CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.
[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.
[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.
[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.
[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs: White Paper, Mobile Platform Group, Intel Corporation, 2002.
[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.
[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.
[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.
[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.
[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.
[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.
[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.
(iii) Unforgeability: no one except the bank can generate a legal e-cash.
(iv) Double-Spending Control: banks should have the ability to check whether an e-cash is double-spent or not. No e-cash is allowed to be spent twice or more in an e-cash system.
(v) Conditional-Traceability: the system should be able to trace and revoke the anonymity of users who violate any of the security rules, so that they will receive penalties.
(vi) No-swindling: no one except the real owner can spend a valid offline e-cash successfully.
In order to perform double-spending checks, banks have to store information on e-cash(s) in their database. Thus, the database of a bank grows in direct proportion to the number of e-cash(s) withdrawn. Embedding an expiration date into each e-cash has been considered, since it helps the banks to manage the database more easily. On the other hand, customers have to exchange their expired e-cash(s) with banks for new ones so as to keep the validity of the e-cash. Furthermore, customers will receive interest from banks after cash is deposited. In order to guarantee that customers receive the right amount of interest, it is necessary for customers to attach the deposit date to their e-cash(s), and the date cannot be modified by anyone else [11]. So far, there are a number of online e-cash schemes with an expiration date attachment [9, 11, 28]. However, there are very few offline approaches [21].
In this paper, we propose an efficient date attachable offline e-cash scheme and provide formal proofs of its essential properties in the random oracle model. Considering the practical needs, we pioneer embedding two kinds of date, which are the expiration date and the deposit date, into the offline e-cash. Moreover, we offer an e-cash renewal protocol in our scheme (Section 3.2.5). Users can exchange their unused, expired e-cash for a new one with another valid expiration date more efficiently. Compared with other similar works, our scheme is efficient from the aspect of computation cost.
The rest of this paper is organized as follows. In Section 2, we briefly review the techniques employed throughout our scheme. Our proposed scheme is described in Section 3 in detail. Security proofs and analysis are covered in Section 4. Features and performance comparisons are made in Section 5, and the conclusion is given in Section 6.
2 Preliminaries
In this section, we briefly review the techniques used in our date attachable offline e-cash scheme.
2.1 Chaum's Blind Signature Scheme. Blind signature was first introduced by Chaum [29]. It has been widely used in e-cash protocols since it was proposed. A signer will not be able to view the content of the message while she/he is signing the message. Afterwards, a user can get a message with the signature of the signer by unblinding the signed message. The protocol is described as follows.
(1) Initialization. The signer randomly chooses two distinct large primes $p$ and $q$, then computes $n = pq$ and $\phi(n) = (p-1)(q-1)$. Afterwards, the signer selects two integers $e$ and $d$ at random such that $ed \equiv 1 \pmod{\phi(n)}$. Finally, the signer publishes the public parameters $(e, n)$ and a one-way hash function $H$.
(2) User → Signer: $\alpha$. The user chooses a message $m$ and a random integer $r$ in $\mathbb{Z}^*_n$, then blinds the message by computing $\alpha = r^{e} H(m) \bmod n$ and sends it to the signer.
(3) Signer → User: $t$. After receiving $\alpha$, the signer signs it with her/his private key $d$ and sends it back to the user. The signed message will be $t = \alpha^{d} \bmod n$.
(4) Unblinding. After receiving $t$ from the signer, the user unblinds it by computing $s = r^{-1} t \bmod n$. The signature-message pair is $(s, m)$.
(5) Verification. The pair $(s, m)$ can be verified by checking whether $s^{e} \equiv H(m) \pmod n$ is true or not.
2.2 Chameleon Hashing Based on Discrete Logarithm. Chameleon hashing was proposed by Krawczyk and Rabin [30]. The chameleon hash function is associated with a one-time public-private key pair; it is a collision resistant function except for users who own a trapdoor for finding collisions. Any user who knows the public key can compute the hash, and for those who do not know the private key (trapdoor), it is computationally infeasible to find any two inputs which lead to the same hash output. On the contrary, any user who knows the trapdoor can find a collision for given inputs. The construction of the chameleon hashing based on discrete logarithm is described as follows.
(1) Setup:
(i) $p, q$: two large primes such that $p = kq + 1$;
(ii) $g$: an element of order $q$ in $\mathbb{Z}^*_p$;
(iii) $x$: private key in $\mathbb{Z}^*_q$;
(iv) $y$: public key, where $y = g^{x} \bmod p$.
(2) The function: a message $m \in \mathbb{Z}^*_q$ is given and a random integer $r \in \mathbb{Z}^*_q$ is chosen. The hash is defined as $\text{cham-hash}_y(m, r) = g^{m} y^{r} \bmod p$.
(3) Collision: a user who knows $x$ is able to find a collision of the hash for any given $m, m'$ such that $\text{cham-hash}_y(m, r) = \text{cham-hash}_y(m', r')$. The user derives $r'$ from the equation $m + xr \equiv m' + xr' \pmod q$.
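As an added worked example (not code from the paper), the chameleon hash above together with the trapdoor-extraction step that the no-swindling proof performs in equations (25) and (26) of Section 4, in Python over a constructed toy group ($p = 2039$, $q = 1019$, $g = 4$); the function names, the toy parameters and the payment-relation helpers are this example's own.

```python
"""Chameleon hash based on the discrete logarithm (Section 2.2) and the
trapdoor-extraction step behind equations (25)-(26) of the no-swindling
proof.  Added worked example, not code from the paper.

Group parameters are a constructed toy safe prime p = 2q + 1 (q = 1019);
real deployments need a p of at least 2048 bits."""

P = 2039   # p = 2q + 1, prime (toy size, constructed for this example)
Q = 1019   # q, prime
G = 4      # 4 = 2^2 is a quadratic residue, hence of order q in Z_p^*


def cham_hash(y: int, m: int, r: int) -> int:
    """Step (2): cham-hash_y(m, r) = g^m * y^r mod p."""
    return pow(G, m, P) * pow(y, r, P) % P


def collide(x: int, m: int, r: int, m2: int) -> int:
    """Step (3): the trapdoor holder solves m + x*r = m' + x*r' (mod q) for r',
    so that cham-hash_y(m, r) == cham-hash_y(m', r')."""
    return (m - m2 + x * r) * pow(x, -1, Q) % Q


def extract_trapdoor(m: int, r: int, m2: int, r2: int) -> int:
    """Anyone holding one collision (m, r) != (m', r') learns the trapdoor:
    x = (m - m') * (r' - r)^{-1} mod q.  Collision resistance for everybody
    else is exactly the discrete logarithm assumption on y = g^x."""
    if (r2 - r) % Q == 0:
        raise ValueError("the two representations must differ in r")
    return (m - m2) * pow(r2 - r, -1, Q) % Q


# The scheme's payment relation is this hash in disguise: withdrawal fixes
# w1 = g^r1 and y1 = g^x1; at payment the user answers the challenge
# u = H4(r_u, r_s) with s' = r1 - u*x1 mod q, and the shop checks
#     w1 == y1^u * g^s' mod p,  i.e.  w1 == cham-hash_{y1}(s', u).

def payment_response(r1: int, x1: int, u: int) -> int:
    return (r1 - u * x1) % Q


def verify_payment(w1: int, y1: int, u: int, s_prime: int) -> bool:
    return w1 == cham_hash(y1, s_prime, u)


def double_spend_secret(u: int, s1: int, u2: int, s2: int) -> int:
    """Two answers (u, s'), (u', s'') for the same w1 are a collision of
    cham-hash_{y1}, so the bank recovers x1 = (s' - s'') / (u' - u) mod q.
    This is what makes double-spending detectable and traceable."""
    return extract_trapdoor(s1, u, s2, u2)


def simulator_extract(x1: int, u: int, s_prime: int, u_star: int, s_star: int) -> int:
    """Equation (26).  In the SWG-2 simulation the planted y1 = (y*)^{x1} has
    trapdoor x* * x1, so a forged second response (u*, s'*) yields
        x* = (x1 * (u* - u))^{-1} * (s' - s'*) mod q,
    the discrete logarithm of the challenge y* = g^{x*}."""
    return pow(x1 * (u_star - u), -1, Q) * (s_prime - s_star) % Q
```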
3 The Proposed Date Attachable Offline Electronic Cash Scheme
In this section, we introduce a new date attachable offline e-cash scheme. Considering the issues mentioned in Section 1, we propose a secure offline e-cash scheme with two specific kinds of date attached to the e-cash, which are the expiration date and the deposit date.
3.1 Outline of the Proposed Scheme. Here we briefly describe the procedures of our scheme. The proposed scheme contains four protocols: withdrawal protocol, payment protocol, deposit protocol, and e-cash renewal protocol. A user withdraws an e-cash with an expiration date attached to it from the bank. A trusted computing platform (i.e., judge device) [31, 32], as stated in the proposed scheme, is installed in the bank to hold the identity information of all users, and it will further help trace users when needed. It is impossible for anyone except the judge to obtain any information embedded in the device [33]. Nowadays, a judge device can be implemented by the technique of Trusted Platform Module (TPM) [32, 34] in practice.
Before an e-cash is deposited, the depositor attaches the deposit date to the e-cash and sends it to the bank during the deposit stage. When the bank receives an e-cash, it performs double-spending checking to verify whether the e-cash is doubly spent or not. The bank can derive secret parameters of a user who double-spends and let the judge revoke the anonymity of that user. Besides, when an unused e-cash has expired, a user will be able to exchange it for a new one with a new expiration date. In our scheme, for efficiency concerns, some of the unused parameters of users can remain unchanged while exchanging for a new valid e-cash. In the following sections, we describe our scheme in detail.
3.2 The Proposed Scheme. Firstly, we define some notations as follows.
(1) $H_1, H_2, H_3$: three one-way hash functions, $H_1, H_2, H_3 : \{0,1\}^* \to \{0,1\}^{n}$.
(2) $H_4, H_5$: two one-way hash functions, $H_4, H_5 : \{0,1\}^* \to \{0,1\}^{q}$.
(3) $E_x/D_x$: a secure symmetric cryptosystem. Plaintext is both encrypted and decrypted with a symmetric key $x$.
(4) $E_{pk}/D_{sk}$: a secure asymmetric cryptosystem. Plaintext is encrypted with a public key $pk$ and decrypted with the corresponding private key $sk$.
(5) $(pk_j, sk_j)$: the public-private key pair of the judge.
(6) $(e_b, d_b)$: the public-private key pair of the bank.
(7) $Date$: expiration date. It represents an effective spending date of a withdrawn e-cash. Any e-cash withdrawn in the same period will have the same expiration date, and vice versa.
(8) $\text{ID}_c$: the identity of user $C$.
(9) $l_k, l_r$: the security parameters.
(10) A judge device: a tamper-resistant device which is issued by the judge. It is installed into the system of the bank. It is impossible to intercept or modify any information stored in the device.
3.2.1 Initialization. Initially, the bank randomly chooses two distinct large primes $(p_b, q_b)$ and computes the RSA parameter $n_b = p_b q_b$. It selects an integer $e_b$ at random such that $\gcd(\phi(n_b), e_b) = 1$, where $\phi(n_b) = (p_b - 1)(q_b - 1)$ and $1 < e_b < \phi(n_b)$. Then it finds a $d_b$ such that $e_b d_b \equiv 1 \pmod{\phi(n_b)}$. Secondly, it also chooses two other large primes $p$ and $q$ and two generators $g_1$ and $g_2$ of order $q$ in $\mathbb{Z}^*_p$. Then the bank publishes $(n_b, e_b, p, q, g_1, g_2, pk_j, H_1, H_2, H_3, H_4, H_5, E/D, E/D)$. Meanwhile, the judge embeds $(n_b, e_b, p, q, g_1, g_2, pk_j, sk_j, H_1, H_2, H_3, H_4, H_5, E/D, E/D)$ into a judge device and issues it to the bank.
3.2.2 Withdrawal Protocol. Users run the withdrawal protocol with banks to get an e-cash, as shown in Figure 1; yet banks have to obtain information on users' identity, such as $\text{ID}_c$ or account numbers, before the withdrawal protocol proceeds. Therefore, users should perform an authentication with banks beforehand. Users can execute the withdrawal protocol with any device that has the ability to compute and connect to the network. For instance, users can use mobile phones or computers to perform the withdrawal protocol and store the withdrawn e-cash. The detailed steps of the protocol are as follows.
(1) Bank → User: $D$. Firstly, the user prepares parameters for withdrawing an e-cash. The user chooses integers $a, x_1, x_2, r_1, r_2$, and $r_3$ at random, where $a \in_R \mathbb{Z}^*_{n_b}$ and $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q-1\}$, and selects a string $k \in_R \{0,1\}^{l_k}$ randomly. The user then computes $(y_1, w_1, y_2, w_2)$, where $y_i = g_i^{x_i} \bmod p$ and $w_i = g_i^{r_i} \bmod p$ for $i = 1, 2$. Secondly, the bank computes parameters for the expiration date. It randomly chooses an $r$ in $\mathbb{Z}^*_n$ and prepares $D = Date \,\|\, r$ for some expiration date $Date$. The bank will send $D$ to the user when she/he requests to withdraw an e-cash.
(2) User → Bank: $(\alpha, \epsilon)$. After receiving $D$, the user prepares $\epsilon = E_{pk_j}(k, \text{ID}_c)$ and

$$\alpha = \left[a^{e_b} H_1^2(m, D)\right]^{-1} \bmod n_b, \tag{1}$$

where $m = (y_1, w_1, y_2, w_2, r_3)$. Finally, the user sends $(\alpha, \epsilon)$ to the bank.
(3) Bank → Judge device: $(\epsilon, \mu, D)$. The bank sets $\mu = \text{ID}_c$, where $\text{ID}_c$ is the identity of user $C$, and inputs it together with $\epsilon$ and $D$ to the judge device.
Figure 1: Withdrawal protocol (message flow between User, Bank and Judge device: the bank sends $D = Date \,\|\, r$; the user replies with $(\alpha, \epsilon)$; the bank inputs $(\epsilon, \mu, D)$ to the judge device, which verifies $\mu = \text{ID}_c$ or returns "ID error" and otherwise outputs $(\beta, E_k(b, \sigma, r_j))$; the bank returns $(t, E_k(b, \sigma, r_j))$ with $t = (\alpha\beta H_2(D))^{d_b} \bmod n_b$; the user computes $s = abt \bmod n_b$, verifies $\sigma = E_{pk_j}(\text{ID}_c, r_j)$ and $s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$, and keeps the e-cash tuple $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$).
(4) Judge device → Bank: $(\beta, E_k(b, \sigma, r_j))$

The judge device decrypts $\epsilon$ and checks whether $\mu = \mathrm{ID}_c$. If not, it returns "ID error" to the bank; otherwise it picks a random integer $b \in_R \mathbb{Z}^*_{n_b}$ and a random string $r_j \in_R \{0,1\}^{l_{r_j}}$. It then computes $\sigma = E_{pk_j}(\mu, r_j)$ and
$$\beta = \left[ b^{e_b} H_3(\sigma, D) \right]^{-1} \bmod n_b. \quad (2)$$
Finally, it encrypts $(b, \sigma, r_j)$ under the symmetric key $k$ and outputs the ciphertext together with $\beta$ to the bank.

(5) Bank → User: $(t, E_k(b, \sigma, r_j))$

After receiving $(\beta, E_k(b, \sigma, r_j))$ from the judge device, the bank computes
$$t = \left( \alpha \beta H_2(D) \right)^{d_b} \bmod n_b \quad (3)$$
and sends $(t, E_k(b, \sigma, r_j))$ to the user.

(6) Verifications

After receiving $(t, E_k(b, \sigma, r_j))$, the user first decrypts the ciphertext with the symmetric key $k$ to obtain $(b, \sigma, r_j)$. Second, she/he checks that her/his ID is embedded correctly by testing whether $\sigma = E_{pk_j}(\mathrm{ID}_c, r_j)$ holds. (This recomputation is only possible if $r_j$ fixes all randomness used by $E_{pk_j}$, so that the user can reproduce the ciphertext exactly.) Third, she/he computes
$$s = a\, b\, t \bmod n_b \quad (4)$$
and verifies $s$ by checking whether
$$s^{e_b} H_1^2(m, D)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b} \quad (5)$$
holds. Equation (5) holds for an honest run because $t^{e_b} \equiv \alpha \beta H_2(D)$, so $s^{e_b} \equiv a^{e_b} b^{e_b} \alpha \beta H_2(D) \equiv H_2(D) \cdot \left( H_1^2(m, D) H_3(\sigma, D) \right)^{-1} \pmod{n_b}$. Finally, when all verifications pass, the user obtains the e-cash tuple $(s, m, \sigma, D)$ and stores $(x_1, x_2, r_1, r_2)$ for later payments.
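The six steps above, run end to end as an added example (this is not the authors' code). It uses constructed toy-sized parameters: a small RSA key for the bank, $p = 607$, $q = 101$ with $g_1, g_2$ of order $q$, SHA-256 reduced into $\mathbb{Z}^*_{n_b}$ as the stand-in for $H_1, H_2, H_3$, textbook RSA under a separate toy key as a deterministic stand-in for $E_{pk_j}$ (deterministic encryption is what the Step 6 recomputation of $\sigma$ requires), and a SHA-256 XOR keystream as $E_k$. The names `withdraw`, `verify_coin`, `claimed_id` and the packing of $(k, \mathrm{ID}_c)$ and $(\mu, r_j)$ into integers are assumptions of this example.

```python
"""Toy run of the DAOECS withdrawal protocol (Section 3.2.2), Steps 1-6.

Added example, not the authors' code. All parameters are constructed toy values
(NOT secure sizes): H_1..H_3 are SHA-256 reduced into Z_{n_b}^*, E_{pk_j} is a
deterministic textbook-RSA stand-in (so the Step 6 recomputation of sigma works),
and E_k is a SHA-256 XOR keystream.
"""
import hashlib
import random
from math import gcd

P_B, Q_B = 1009, 1013                        # bank RSA primes p_b, q_b (toy)
N_B = P_B * Q_B
E_B = 65537
D_B = pow(E_B, -1, (P_B - 1) * (Q_B - 1))    # bank private exponent d_b
P, Q = 607, 101                              # primes with q | p - 1 (toy)
G1 = pow(2, (P - 1) // Q, P)                 # order-q generators g_1, g_2 of Z_p^*
G2 = pow(3, (P - 1) // Q, P)
PJ, QJ = 1019, 1021                          # judge key pair (pk_j, sk_j) stand-in
N_J = PJ * QJ
E_J = 65537
D_J = pow(E_J, -1, (PJ - 1) * (QJ - 1))
ID_BITS, R_BITS = 10, 9                      # packing widths: 2^(10+9) < N_J


def H(tag, *parts, mod=N_B):
    """Random-oracle stand-in: hash (tag, parts) into Z_mod^*, retrying until a unit."""
    ctr = 0
    while True:
        digest = hashlib.sha256(repr((tag, ctr, parts)).encode()).digest()
        v = int.from_bytes(digest, "big") % mod
        if v and gcd(v, mod) == 1:
            return v
        ctr += 1


def H1(*parts): return H("H1", *parts)
def H2(D): return H("H2", D)
def H3(sigma, D): return H("H3", sigma, D)


def enc_judge(payload): return pow(payload, E_J, N_J)     # E_{pk_j}, deterministic
def dec_judge(c): return pow(c, D_J, N_J)                 # decryption with sk_j


def sym(k, data):
    """E_k stand-in: XOR with a SHA-256 keystream derived from k (encrypt == decrypt)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(f"{k}|{i}".encode()).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], ks))
    return bytes(out)


def rand_unit(rng, n):
    while True:
        v = rng.randrange(2, n)
        if gcd(v, n) == 1:
            return v


def verify_coin(s, m, sigma, D):
    """Verification (5): s^{e_b} H_1^2(m, D) H_3(sigma, D) == H_2(D)  (mod n_b)."""
    lhs = pow(s, E_B, N_B) * H1(H1(m, D)) % N_B * H3(sigma, D) % N_B
    return lhs == H2(D)


def withdraw(id_c, date, seed=0, claimed_id=None):
    """Return (coin, secrets); raise ValueError where the protocol aborts."""
    rng = random.Random(seed)
    # Step 1: bank forms D = Date || r; user picks a, x_i, r_i, k and computes y_i, w_i
    D = (date, rand_unit(rng, N_B))
    a = rand_unit(rng, N_B)
    x1, x2, r1, r2, r3 = (rng.randrange(Q) for _ in range(5))
    k = rng.getrandbits(R_BITS)
    y1, w1 = pow(G1, x1, P), pow(G1, r1, P)
    y2, w2 = pow(G2, x2, P), pow(G2, r2, P)
    m = (y1, w1, y2, w2, r3)
    # Step 2: epsilon = E_{pk_j}(k, ID_c), alpha = [a^{e_b} H_1^2(m, D)]^{-1}   (1)
    epsilon = enc_judge((k << ID_BITS) | id_c)
    alpha = pow(pow(a, E_B, N_B) * H1(H1(m, D)) % N_B, -1, N_B)
    # Steps 3-4: bank forwards (epsilon, mu, D); judge checks mu against the ID in epsilon
    mu = id_c if claimed_id is None else claimed_id   # ID the bank knows from authentication
    k_j, id_in_eps = divmod(dec_judge(epsilon), 1 << ID_BITS)
    if id_in_eps != mu:
        raise ValueError("ID error")
    b = rand_unit(rng, N_B)
    r_j = rng.getrandbits(R_BITS)
    sigma = enc_judge((mu << R_BITS) | r_j)                     # sigma = E_{pk_j}(mu, r_j)
    beta = pow(pow(b, E_B, N_B) * H3(sigma, D) % N_B, -1, N_B)  # (2)
    box = sym(k_j, f"{b},{sigma},{r_j}".encode())               # E_k(b, sigma, r_j)
    # Step 5: bank signs the blinded value: t = (alpha beta H_2(D))^{d_b}   (3)
    t = pow(alpha * beta % N_B * H2(D) % N_B, D_B, N_B)
    # Step 6: user decrypts with k, checks sigma embeds her ID, unblinds s = a b t   (4)
    b_u, sigma_u, rj_u = (int(v) for v in sym(k, box).decode().split(","))
    if sigma_u != enc_judge((id_c << R_BITS) | rj_u):
        raise ValueError("sigma does not embed ID_c")
    s = a * b_u % N_B * t % N_B
    coin = (s, m, sigma_u, D)
    if not verify_coin(*coin):
        raise ValueError("verification (5) failed")
    return coin, (x1, x2, r1, r2)
```

`withdraw(42, "2014-12-31")` returns a coin that passes `verify_coin`, while changing the date inside $D$ or the embedded $\sigma$ makes (5) fail, since both are bound into the signed value; passing a `claimed_id` different from the ID inside $\epsilon$ reproduces the judge's "ID error" abort.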
3.2.3. Payment Protocol. When a user spends the e-cash, she/he performs the protocol shown in Figure 2. The steps of the protocol are as follows.

(1) User → Shop: $(s, m, \sigma, D, x_2, r_2)$

The user sends $(s, m, \sigma, D, x_2, r_2)$ to the shop, where $D$ contains the expiration date of the e-cash ($x_2$ and $r_2$ are disclosed so that the shop can attach the deposit date later, as in Section 3.2.4).
[Figure 2: Payment protocol. User → Shop: $(s, m, \sigma, D, x_2, r_2)$; the shop checks the validity of $D$, verifies $s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$, picks $r'_s \in_R \{0,1\}^{l_{r_j}}$ and sets $r_s = (\mathrm{ID}_s, r'_s)$; Shop → User: $r_s$; the user picks $r_u \in_R \mathbb{Z}^*_q$, computes $u = H_4(r_u, r_s)$ and $s' = (r_1 - u x_1) \bmod q$; User → Shop: $(s', r_u)$; the shop verifies $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \pmod p$.]
(2) Shop → User: $r_s$

The shop first checks $D$ to see whether the e-cash is still within its expiration date. If not, it terminates the transaction. Otherwise it continues by verifying $s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$. If this is not valid, the protocol is aborted; else the shop selects a string $r'_s \in_R \{0,1\}^{l_{r_j}}$ and sets the challenge $r_s = (\mathrm{ID}_s, r'_s)$, where $\mathrm{ID}_s$ is the identity of the shop. Finally, it sends $r_s$ to the user.

(3) User → Shop: $(s', r_u)$

After receiving $r_s$ from the shop, the user randomly selects $r_u \in_R \mathbb{Z}^*_q$ and computes the response to the challenge
$$s' = (r_1 - u\, x_1) \bmod q, \quad (6)$$
where $u = H_4(r_u, r_s)$. Then the user sends $(s', r_u)$ to the shop.

(4) Verifications

After receiving $(s', r_u)$ from the user, the shop verifies whether $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \pmod p$ holds (for an honest user it does, since $y_1^{u} g_1^{r_1 - u x_1} = g_1^{r_1} = w_1$). If it holds, the shop accepts the e-cash; otherwise it rejects it. Since this is offline e-cash, the shop does not have to deposit it to the bank immediately; it can store the e-cash and deposit it later together with other received e-cash.
3.2.4. Deposit Protocol. As Figure 3 shows, in this protocol shops attach the deposit date to their e-cash and deposit it to the bank. The bank performs double-spending checks when it receives the e-cash. If any e-cash has been double-spent, the bank revokes the anonymity of the e-cash owner with the help of the judge. The steps are described in detail as follows.

(1) Shop → Bank: $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$

The shop computes
$$r_4 = r_2 - x_2 H_5(d) \pmod q,$$
where $d$ is the deposit date, and sends $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$ to the bank.

(2) Verifications

First, the bank checks the correctness of the expiration date $D$ and of the deposit date $d$, respectively, and also checks whether
$$w_2 = y_2^{H_5(d)} g_2^{r_4} \bmod p, \qquad w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \bmod p \quad (7)$$
both hold (the first holds for an honestly attached date because $y_2^{H_5(d)} g_2^{r_2 - x_2 H_5(d)} = g_2^{r_2} = w_2$; the second repeats the shop's payment check). Second, the bank verifies whether $s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$ and checks the uniqueness of $(s, m, \sigma, D)$. Finally, if all of the above checks succeed, the bank accepts and stores the e-cash in its database and records $H_1(m, D)$ in the exchange list (so that a deposited coin can no longer be renewed). Otherwise it rejects the transaction and traces the owner of the e-cash.
3.2.5. E-Cash Renewal Protocol. To mitigate the problem of unlimited growth of the bank's database, our scheme has an expiration date and a renewal protocol, shown in Figure 4. When an unused e-cash has expired, the user has to exchange it at the bank for another e-cash with a new expiration date.

(1) User → Bank: $(s, \rho, \sigma, D)$

The user recalls $m = (y_1, w_1, y_2, w_2, r_3)$ and prepares
$$\rho = H_1(m, D) \quad (8)$$
and sends it together with the unused $(s, \sigma, D)$ to the bank.
(2) Verifications

First, the bank checks the correctness of the expiration date $D$ and makes sure that $\rho$ does not exist in the exchange list. Second, the bank verifies whether
$$s^{e_b} H_1(\rho)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b},$$
which is verification (5) with $H_1^2(m, D)$ written as $H_1(\rho)$, so the user does not have to reveal $m$. Finally, if all of the above checks succeed, the bank accepts the exchange: it sends a new expiration date $D'$ and stores $\rho$ in the exchange list. Otherwise it rejects the exchange request.

(3) User → Bank: $(\alpha', \epsilon)$

The user computes
$$\alpha' = \left[ a^{e_b} H_1^2(m', D') \right]^{-1} \bmod n_b, \quad (9)$$
where $m' = (y_1, w_1, y_2, w_2, r'_3)$, $r'_3$ is a fresh random value, and $D'$ is the new expiration date issued by the bank. The user sends $(\alpha', \epsilon, \mathrm{ID}_c)$ to the bank. Then the bank repeats the withdrawal protocol of Section 3.2.2 from Step 2 with the user.

[Figure 3: Deposit protocol. Shop → Bank: $(s, y_1, w_1, y_2, w_2, r_3, r_4, \sigma, D, d, s', r_u, r_s)$ with $r_4 = r_2 - x_2 H_5(d)$ and $d$ the deposit date; the bank checks the validity of $D$ and $d$, checks $w_2 = y_2^{H_5(d)} g_2^{r_4} \bmod p$ and $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \bmod p$, verifies $s^{e_b} H_1^2(y_1, w_1, y_2, w_2, D, r_3) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$, and checks whether $(s, m, \sigma, D)$ is unique: if yes, it stores the coin in the deposit list; if no, it traces the owner of the coin.]

[Figure 4: E-cash renewal protocol. User → Bank: $(s, \rho, \sigma, D)$ with $\rho = H_1(y_1, w_1, y_2, w_2, D, r_3)$; the bank checks the expiration date $D$, checks whether $\rho$ exists in the exchange list, verifies $s^{e_b} H_1(\rho) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$ and checks whether $s$ is unique: if yes, it accepts the exchange, stores $\rho$ in the exchange list and issues a new expiration date $D'$; if no, it rejects and traces the owner of the coin. Bank → User: Accept, $D'$. User → Bank: $(\alpha', \epsilon)$ with $\alpha' = [a^{e_b} H_1^2(y_1, w_1, y_2, w_2, D', r'_3)]^{-1} \bmod n_b$, after which the withdrawal protocol is repeated.]
3.2.6. Double-Spending Checking and Anonymity Control. In our scheme the identity of a user is anonymous in general; only when a user violates a security rule is her/his identity revealed.

(1) Double-Spending Checking

When an e-cash is double-spent, there must be two records with the same prefix $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$ stored in the database of the bank. Therefore the bank can detect any double-spent e-cash easily by checking these parameters. For instance, suppose the bank has received the two deposits
$$(s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, s'_1, r_{u1}, r_{s1}), \qquad (s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, s'_2, r_{u2}, r_{s2}) \quad (10)$$
of the same coin under two different challenges $(r_{u1}, r_{s1}) \neq (r_{u2}, r_{s2})$. Then the bank obtains the two equations
$$s'_1 \equiv r_1 - H_4(r_{u1}, r_{s1})\, x_1 \pmod q, \qquad s'_2 \equiv r_1 - H_4(r_{u2}, r_{s2})\, x_1 \pmod q. \quad (11)$$
Writing $u_1 = H_4(r_{u1}, r_{s1})$ and $u_2 = H_4(r_{u2}, r_{s2})$ with $u_1 \neq u_2$, the bank derives $x_1 = (s'_1 - s'_2)(u_2 - u_1)^{-1} \bmod q$ and $r_1 = s'_1 + u_1 x_1 \bmod q$ from (11), and sends $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ to the judge to trace the owner of the e-cash.

(2) Revocation

The judge can trace any user who double-spends e-cash or violates any transaction regulation. When the judge receives $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ from the bank, it checks the following equations:
$$s^{e_b} H_1^2(m, D)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}, \qquad y_1 \equiv g_1^{x_1} \pmod p, \qquad w_1 \equiv g_1^{r_1} \pmod p. \quad (12)$$
If all of the above equalities hold, the judge decrypts $\sigma$ and returns the extracted $\mathrm{ID}_c$ to the bank.

[Figure 5: The game environment of the linkage game. A random bit $b$ is chosen; $U_0$ and $U_1$ output $(m_b, \sigma_b)$ and $(m_{1-b}, \sigma_{1-b})$ after engaging with $\mathcal{B}$; $\mathcal{B}$ outputs $b'$ and wins if $b' = b$; $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = |2\Pr[b' = b] - 1|$.]
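The payment challenge-response (Section 3.2.3), the deposit-date attachment and its check (Section 3.2.4), and the recovery of $(x_1, r_1)$ from two spends of one coin (this section) as one added example; it is not the authors' code. Only the discrete-log part of a coin is modelled ($y_1, w_1, y_2, w_2$ with the secrets $x_1, x_2, r_1, r_2$); the RSA check (5) on $(s, \sigma, D)$ is assumed to have passed already. The group parameters are generated in the block (a constructed 40-bit $q$ with $p = 2q+1$), $H_4$ and $H_5$ are SHA-256 reduced into $\mathbb{Z}_q$, and the function names, the dictionary layout of a coin and the date strings are assumptions of this example.

```python
"""Toy DAOECS payment (Section 3.2.3), deposit (3.2.4) and double-spend tracing (3.2.6).

Added example, not the authors' code. Only the discrete-log part of a coin is modelled
(y_1, w_1, y_2, w_2 with secrets x_1, x_2, r_1, r_2); the RSA check (5) on (s, sigma, D)
is assumed to have passed. The group is generated below (constructed 40-bit q).
"""
import hashlib
import random

def is_prime(n):
    """Deterministic Miller-Rabin (these bases are exact for n < 3.3e24)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(start):
    """Smallest q >= start with p = 2q + 1 prime; squares of 2 and 3 then have order q."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    return p, q, pow(2, 2, p), pow(3, 2, p)

P, Q, G1, G2 = safe_prime_group(1 << 40)       # constructed toy parameters p, q, g_1, g_2

def Hq(tag, *parts):
    """Stand-in for H_4 / H_5: SHA-256 reduced into Z_q (the values are used as exponents)."""
    d = hashlib.sha256(repr((tag, parts)).encode()).digest()
    return int.from_bytes(d, "big") % Q

def new_coin(rng):
    """DL values fixed at withdrawal: public (y_1, w_1, y_2, w_2), secret (x_1, x_2, r_1, r_2)."""
    x1, x2, r1, r2 = (rng.randrange(1, Q) for _ in range(4))
    pub = {"y1": pow(G1, x1, P), "w1": pow(G1, r1, P),
           "y2": pow(G2, x2, P), "w2": pow(G2, r2, P)}
    return pub, {"x1": x1, "x2": x2, "r1": r1, "r2": r2}

def shop_challenge(id_s, rng):
    """Payment Step 2: r_s = (ID_s, r'_s)."""
    return (id_s, rng.getrandbits(64))

def user_response(sec, r_s, rng):
    """Payment Step 3: pick r_u, u = H_4(r_u, r_s), s' = r_1 - u x_1 (mod q)   (6)."""
    r_u = rng.randrange(1, Q)
    u = Hq("H4", r_u, r_s)
    return ((sec["r1"] - u * sec["x1"]) % Q, r_u, r_s)

def shop_verify(pub, spend):
    """Payment Step 4: w_1 == y_1^{H_4(r_u, r_s)} g_1^{s'} (mod p)."""
    s_prime, r_u, r_s = spend
    u = Hq("H4", r_u, r_s)
    return pub["w1"] == pow(pub["y1"], u, P) * pow(G1, s_prime, P) % P

def attach_deposit_date(x2, r2, d):
    """Deposit Step 1: r_4 = r_2 - x_2 H_5(d) (mod q); needs (x_2, r_2), which the shop holds."""
    return (r2 - x2 * Hq("H5", d)) % Q

def bank_verify_deposit(pub, d, r4, spend):
    """Deposit Step 2, equations (7): the date check plus a replay of the shop's check."""
    ok_date = pub["w2"] == pow(pub["y2"], Hq("H5", d), P) * pow(G2, r4, P) % P
    return ok_date and shop_verify(pub, spend)

def trace_double_spend(pub, spend1, spend2):
    """Section 3.2.6: two spends of one coin give the pair (11); solve it for (x_1, r_1)."""
    s1, ru1, rs1 = spend1
    s2, ru2, rs2 = spend2
    u1, u2 = Hq("H4", ru1, rs1), Hq("H4", ru2, rs2)
    if u1 == u2:
        return None                            # equal challenges (prob. 1/q): (11) is singular
    x1 = (s1 - s2) * pow(u2 - u1, -1, Q) % Q   # s'_1 - s'_2 = (u_2 - u_1) x_1
    r1 = (s1 + u1 * x1) % Q
    # the judge's checks from (12): y_1 == g_1^{x_1} and w_1 == g_1^{r_1}
    if pub["y1"] != pow(G1, x1, P) or pub["w1"] != pow(G1, r1, P):
        return None
    return x1, r1

def demo(seed=0):
    """Spend one coin at two shops, deposit it, and let the bank recover (x_1, r_1)."""
    rng = random.Random(seed)
    pub, sec = new_coin(rng)
    spends = [user_response(sec, shop_challenge(i, rng), rng) for i in ("shop-1", "shop-2")]
    d = "2014-06-01"
    r4 = attach_deposit_date(sec["x2"], sec["r2"], d)
    s_prime, r_u, r_s = spends[0]
    return {
        "secret": (sec["x1"], sec["r1"]),
        "payment_ok": all(shop_verify(pub, sp) for sp in spends),
        "bad_response_ok": shop_verify(pub, ((s_prime + 1) % Q, r_u, r_s)),
        "deposit_ok": bank_verify_deposit(pub, d, r4, spends[0]),
        "forged_date_ok": bank_verify_deposit(pub, "2014-06-02", r4, spends[0]),
        "traced": trace_double_spend(pub, spends[0], spends[1]),
    }
```

`demo()` shows the two properties the text claims: a single spend reveals nothing about $x_1$ (one linear equation in two unknowns), while the second spend of the same coin under a different challenge lets `trace_double_spend` solve (11) and recover exactly the $(x_1, r_1)$ chosen at withdrawal; and a deposit whose date differs from the one folded into $r_4$ fails the first check of (7).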
4. Security Proofs

In this section we provide security definitions and formal proofs of the following security features of our proposed date attachable offline electronic cash scheme (DAOECS): unlinkability, unforgeability, traceability, and no-swindling.

4.1. E-Cash Unlinkability. Based on the definition of unlinkability introduced by Abe and Okamoto [35] and Juels et al. [36], we formally define the unlinkability property of DAOECS.

Definition 1 (The Linkage Game). Let $U_0$, $U_1$ and $\mathcal{J}$ be two honest users and the judge, respectively, all following DAOECS. Let $\mathcal{B}$ be the bank that participates in the following game with $U_0$, $U_1$ and $\mathcal{J}$. The game environment is shown in Figure 5.

Step 1. According to DAOECS, $\mathcal{B}$ generates the bank's public key $(e_b, n_b)$, the bank's private key $(d_b, p_b, q_b)$, the system parameters $(p, q, g_1, g_2)$, the expiration date $D$, and the five public one-way hash functions $H_1, H_2, H_3, H_4$ and $H_5$. $\mathcal{J}$ generates the judge's public-private key pair $(pk_j, sk_j)$.

Step 2. $\mathcal{B}$ generates $x_{1i}, x_{2i}, r_{1i}, r_{2i}, r_{3i}$ at random, where $x_{1i}, x_{2i}, r_{1i}, r_{2i}, r_{3i} \in_R \{0, 1, \ldots, q-1\}$, and computes $(y_{ki}, w_{ki})$ for $k = 1, 2$ and $i = 0, 1$, where $y_{ki} = g_k^{x_{ki}} \bmod p$ and $w_{ki} = g_k^{r_{ki}} \bmod p$.

Step 3. We choose a bit $b \in \{0, 1\}$ at random and place $(y_{1b}, w_{1b}, y_{2b}, w_{2b})$ and $(y_{1,1-b}, w_{1,1-b}, y_{2,1-b}, w_{2,1-b})$ on the private input tapes of $U_0$ and $U_1$, respectively, where $b$ is not disclosed to $\mathcal{B}$.

Step 4. $\mathcal{B}$ performs the withdrawal protocol of DAOECS with $U_0$ and $U_1$, respectively.
Step 5. If $U_0$ and $U_1$ output two e-cash tuples $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$, where $m_i = (y_{1i}, w_{1i}, y_{2i}, w_{2i}, r_{3i})$, on their private tapes, we give the two e-cash tuples in a random order to $\mathcal{B}$; otherwise $\perp$ is given to $\mathcal{B}$.

Step 6. $\mathcal{B}$ outputs $b' \in \{0, 1\}$ as its guess of $b$. The bank $\mathcal{B}$ wins the game if $b' = b$ and $\mathcal{J}$ has not revoked the anonymity of $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$ to $\mathcal{B}$. We define the advantage of $\mathcal{B}$ as
$$\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = \left| 2 \Pr[b' = b] - 1 \right|, \quad (13)$$
where $\Pr[b' = b]$ denotes the probability that $b' = b$.

Algorithm 1: Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $\{(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1})\} \leftarrow \mathcal{A}^{O_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s_i^{e_b} H_1^2(m_i)\, H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod{n_b}$ for all $i \in \{1, \ldots, \ell+1\}$;
    (ii) $m_1, \ldots, m_{\ell+1}$ are all distinct;
  else return 0.
Definition 2 (Unlinkability). A DAOECS satisfies the unlinkability property if and only if the advantage $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B})$ defined in Definition 1 is negligible.

Theorem 3. A DAOECS satisfies the unlinkability property of Definition 2 if the adopted cryptosystems are semantically secure.

Proof. If $\mathcal{B}$ is given $\perp$ in Step 5 of the game, it determines $b$ with probability $1/2$, which is exactly the same as a random guess of $b$.
Here we assume that $\mathcal{B}$ gets the two e-cash tuples $(s_0, m_0, \sigma_0, D_0)$ and $(s_1, m_1, \sigma_1, D_1)$. Let $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{ji}))$, $i \in \{0, 1\}$, be the view of the data exchanged between $U_i$ and $\mathcal{B}$ in the withdrawal protocol (Section 3.2.2), and let $(x_{2i}, r_{2i}, r_{4i}, r_{ui}, r_{si}, s'_i, d_i)$ be the view of the data exchanged when $\mathcal{B}$ performs the payment protocol (Section 3.2.3) and the deposit protocol (Section 3.2.4) using $(s_i, m_i, \sigma_i, D_i)$, where $i \in \{0, 1\}$.

For any
$$(s, m, \sigma, D, x_2, r_2, r_4, r_u, r_s, s', d) \in \left\{ (s_0, m_0, \sigma_0, D_0, x_{20}, r_{20}, r_{40}, r_{u0}, r_{s0}, s'_0, d_0),\ (s_1, m_1, \sigma_1, D_1, x_{21}, r_{21}, r_{41}, r_{u1}, r_{s1}, s'_1, d_1) \right\} \quad (14)$$
and any view $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{ji}))$, $i \in \{0, 1\}$, there always exists a pair $(a'_i, b'_i)$ such that
$$a'_i = \left[ \alpha_i H_1^2(m, D) \right]^{-d_b} \bmod n_b \ \text{(via (1))}, \qquad b'_i = \left[ \beta_i H_3(\sigma, D) \right]^{-d_b} \bmod n_b \ \text{(via (2))}. \quad (15)$$
And from (3), $t_i \equiv (\alpha_i \beta_i H_2(D))^{d_b} \pmod{n_b}$, so (4) always holds, as
$$s \equiv a'_i\, b'_i\, t_i \equiv \left[ \left( H_1^2(m, D)\, H_3(\sigma, D) \right)^{-1} H_2(D) \right]^{d_b} \pmod{n_b}. \quad (16)$$
Besides, since $E_{pk_j}$ and $E_{k_i}$ are semantically secure encryption functions, $\mathcal{B}$ cannot learn any information from $\epsilon_i$ and $E_{k_i}(b_i, \sigma_i, r_{ji})$.

From the above, given any $(s, m, \sigma, D) \in \{(s_0, m_0, \sigma_0, D_0), (s_1, m_1, \sigma_1, D_1)\}$ and any $(\alpha_i, \beta_i, t_i)$, $i \in \{0, 1\}$, there always exists a corresponding pair $(a'_i, b'_i)$ such that (1), (2), (3) and (4) are satisfied. Thus, going back to Step 6 of the game, the bank $\mathcal{B}$ succeeds in determining $b$ with probability $1/2 + \varepsilon$, where $\varepsilon$ is negligible since $E_{pk_j}$ and $E_k$ are semantically secure. Therefore we have $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = 2\varepsilon$, which is negligible, so DAOECS satisfies the unlinkability property.
4.2. E-Cash Unforgeability. In this section we formally prove that the proposed date attachable offline electronic cash scheme (DAOECS) is secure against forgery attacks. Forgery attacks can be roughly divided into two types: the typical one-more forgery (i.e., $(\ell, \ell+1)$-forgery) [37], and forgery on some specific expiration date of an e-cash after sufficient communication with the signing oracle (i.e., the bank). The definitions and our formal proofs are described as follows.

Definition 4 (Forgery Game 1 in DAOECS (FG-1)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS and is responsible for issuing e-cash tuples $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$, according to the queries from $\mathcal{A}$. $\mathcal{A}$ is allowed to query $O_S$ $\ell$ times. Consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k)$ shown in Algorithm 1. $\mathcal{A}$ wins the forgery game FG-1 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k) = 1]$ is non-negligible.
Definition 5 (Forgery Game 2 in DAOECS (FG-2)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS and takes charge of the following two events:
(i) issue e-cash tuples $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$, according to the queries from $\mathcal{A}$;
(ii) record the total number $\ell_{D_i}$ of queries for each distinct expiration date $D_i$.
$\mathcal{A}$ is allowed to query $O_S$ $\ell$ times. Consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(l_k)$ shown in Algorithm 2. $\mathcal{A}$ wins the forgery game FG-2 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(l_k) = 1]$ is non-negligible.

Algorithm 2: Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $\{(s_i, m_i, \sigma_i, D^*) : 1 \le i \le \ell_{D^*} + 1\} \leftarrow \mathcal{A}^{O_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s_i^{e_b} H_1^2(m_i)\, H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$ for all $i \in \{1, \ldots, \ell_{D^*} + 1\}$;
    (ii) $m_1, \ldots, m_{\ell_{D^*}+1}$ are all distinct;
  else return 0.

Algorithm 3: Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_{\mathcal{A}}(k)$
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
  $(y_1, \ldots, y_m) \leftarrow O_t(N, e, k)$
  $(\pi, (x_1, y_1), \ldots, (x_n, y_n)) \leftarrow \mathcal{A}^{O_{\mathrm{inv}}, O_t}(N, e, k)$
  if the following checks are true, return 1:
    (i) $\pi : \{1, \ldots, n\} \to \{1, \ldots, m\}$ is injective;
    (ii) $x_i^e \equiv y_i \pmod N$ for all $i \in \{1, \ldots, n\}$;
    (iii) $n > q_h$;
  else return 0.
Here we introduce the hard problems used in our proof models.

Definition 6 (Alternative Formulation of the RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $O_{\mathrm{inv}}$ and the target oracle $O_t$. $\mathcal{A}$ is allowed to query $O_t$ and $O_{\mathrm{inv}}$ $m$ and $q_h$ times, respectively. Consider Algorithm 3. We say $\mathcal{A}$ breaks the RSA-ACTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_{\mathcal{A}}(k) = 1]$ is non-negligible.

Definition 7 (The RSA Inversion Problem). Given $(e, n)$, where $n$ is the product of two distinct large primes $p$ and $q$ of roughly the same length and $e$ is a positive integer relatively prime to $(p-1)(q-1)$, and a randomly chosen positive integer $y$ less than $n$, find an integer $x$ such that $x^e \equiv y \pmod n$.

Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then DAOECS is secure against forgery attacks.

Theorem 9. For a polynomial-time adversary $\mathcal{A}$ who can win FG-1 or FG-2 with non-negligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-ACTI problem or the RSA inversion problem with non-negligible probability.

Proof. $\mathcal{S}$ simulates the environment and controls three hash oracles $O_{H_1}, O_{H_2}, O_{H_3}$ and an e-cash producing oracle $O_S$ of the DAOECS scheme to respond to the different queries from $\mathcal{A}$ in the random oracle model, and takes advantage of $\mathcal{A}$ to solve the RSA-ACTI problem or the RSA inversion problem. For consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$ and $\mathcal{L}_{H_3}$ to record every response of $O_{H_1}$, $O_{H_2}$ and $O_{H_3}$, respectively.
Here we carry out the simulation for the two games (FG-1 and FG-2) to prove that DAOECS is secure against forgery attacks. The details of the simulations are set out below and illustrated in Figures 6 and 7, respectively.

Simulation in FG-1. In this proof model, $\mathcal{S}$ is allowed to query the oracles $O_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $O_t$ of the RSA-ACTI problem defined in Definition 6 to help it produce e-cash, and the corresponding verification key is $(e, n)$.

(i) $H_1$ Query of $O_{H_1}$
Initially every blank record in $\mathcal{L}_{H_1}$ is represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ to query the hash value $H_1(m)$, $\mathcal{S}$ checks the list $\mathcal{L}_{H_1}$:
  (a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1^2(m_i)$ and returns it to $\mathcal{A}$;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ queries $O_t$ to get an instance $y$, returns it to $\mathcal{A}$, and fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), y)$ in $\mathcal{L}_{H_1}$;
  (d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $O_{H_2}$
When $\mathcal{A}$ asks an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ is retrieved and $\mathcal{S}$ sends $(\tau^e \bmod n)$ back to $\mathcal{A}$;
  (b) otherwise $\mathcal{S}$ selects a random $\tau \in \mathbb{Z}_n$, records $(D, \tau)$ in $\mathcal{L}_{H_2}$, and returns $(\tau^e \bmod n)$ to $\mathcal{A}$.

(iii) $H_3$ Query of $O_{H_3}$
When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_3}$:
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ is retrieved and $(\eta^e \bmod n)$ is returned to $\mathcal{A}$;
  (b) otherwise $\mathcal{S}$ selects a random $\eta \in \mathbb{Z}_n$, records $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$, and returns $(\eta^e \bmod n)$ to $\mathcal{A}$.

(iv) E-Cash Producing Query of $O_S$
When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ performs the following steps:
  (1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e \bmod n)$, and store $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$;
  (4) select $b \in_R \mathbb{Z}^*_n$ and compute $\beta = (b^e \eta^e)^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = \tau^e$, as in the $O_{H_2}$ query described above;
  (6) send $(\alpha \beta \tau^e)$ to the oracle $O_{\mathrm{inv}}$ to get $t = (\alpha \beta \tau^e)^d \bmod n$;
  (7) return $(t, E_k(b, \sigma, r_j))$ to $\mathcal{A}$.

[Figure 6: The proof model of FG-1. $\mathcal{A}$ queries $O_{H_1}$ with $m_i$ (answered with $\rho_i$ or, at the second level, with a target $y_i$ obtained from $O_t$), $O_{H_2}$ with $D_i$ (answered with $\tau_i^e \bmod n$), $O_{H_3}$ with $(\sigma_i, D_i)$ (answered with $\eta_i^e \bmod n$), and $O_S$ with $(\alpha_i, \epsilon_i, D_i)$ (answered with $t_i, E_{k_i}(b_i, \sigma_i, r_{ji})$, where $t_i$ is obtained by sending $\alpha_i \beta_i \tau_i^e$ to $O_{\mathrm{inv}}$). From $\ell+1$ forged tuples $(s_i, m_i, \sigma_i, D_i)$ satisfying $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod n$, $\mathcal{S}$ outputs the RSA-ACTI solutions $(s_i^{-1} \eta_i^{-1} \tau_i, y_i)$ for $i = 1, \ldots, \ell+1$.]

[Figure 7: The proof model of FG-2. $\mathcal{A}$ queries $O_{H_1}$ with $m_i$ (answered with $\rho_i$ or $\xi_i^e \bmod n$), $O_{H_2}$ with $D_i$ (answered with $\tau_i^e \bmod n$), $O_{H_3}$ with $(\sigma_i, D_i)$, and $O_S$ with $(\alpha_i, \epsilon_i, D_i)$ (answered with $t_i, E_{k_i}(b_i, \sigma_i, r_{ji})$). From $\ell_{D'} + 1$ forged tuples $(s_i, m_i, \sigma_i, D')$ satisfying $s_i^e H_1^2(m_i) H_3(\sigma_i, D') \equiv H_2(D') \pmod n$, i.e. $(s_i)^e \equiv ((\xi_i^e)(\eta_i^e y))^{-1} (\tau_i^e)$, $\mathcal{S}$ outputs $x \equiv y^d \equiv (s_i \xi_i \eta_i)^{-1} \tau_i \pmod n$.]
Eventually, assume that $\mathcal{A}$ successfully outputs $\ell + 1$ e-cash tuples
$$(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}), \quad (17)$$
where the $m_i$ are all distinct for $1 \le i \le \ell + 1$, such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod n$, after $\ell$ queries to $O_S$, with non-negligible probability $\epsilon_{\mathcal{A}}$. According to $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$ and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve the RSA-inversion instances (for all $i$, $1 \le i \le \ell + 1$)
$$(y_i)^d \equiv \left( H_1^2(m_i) \right)^d \equiv s_i^{-1} \left( H_3(\sigma_i, D_i)^{-1} H_2(D_i) \right)^d \equiv s_i^{-1} \eta_i^{-1} \tau_i \pmod n, \quad (18)$$
since $H_3(\sigma_i, D_i) = \eta_i^e$ and $H_2(D_i) = \tau_i^e$ were programmed by $\mathcal{S}$. While $\mathcal{A}$ queries the signing oracle $O_S$ $\ell$ times (i.e., $\mathcal{S}$ queries $O_{\mathrm{inv}}$ $\ell$ times), $\mathcal{S}$ can output $\ell + 1$ RSA-inversion instances
$$\left( s_1^{-1} \eta_1^{-1} \tau_1,\ y_1 \right),\ \left( s_2^{-1} \eta_2^{-1} \tau_2,\ y_2 \right),\ \ldots,\ \left( s_{\ell+1}^{-1} \eta_{\ell+1}^{-1} \tau_{\ell+1},\ y_{\ell+1} \right) \quad (19)$$
and thus break the RSA-ACTI problem with non-negligible probability at least $\epsilon_{\mathcal{A}}$.
Simulation in FG-2. Initially $\mathcal{S}$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7, and simulates the environment as follows.

(i) $H_1$ Query of $O_{H_1}$
Initially every blank record in $\mathcal{L}_{H_1}$ is represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ to query the hash value $H_1(m)$, $\mathcal{S}$ checks the list $\mathcal{L}_{H_1}$:
  (a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\rho_i$ and returns it to $\mathcal{A}$;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\xi$ and returns $(\xi^e \bmod n)$ to $\mathcal{A}$;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ selects a random $\xi \in \mathbb{Z}_n$, returns $(\xi^e \bmod n)$ to $\mathcal{A}$, and fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \xi)$ in $\mathcal{L}_{H_1}$;
  (d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $O_{H_2}$
When $\mathcal{A}$ asks an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ is retrieved and $\mathcal{S}$ sends $(\tau^e \bmod n)$ back to $\mathcal{A}$;
  (b) otherwise $\mathcal{S}$ selects a random $\tau \in \mathbb{Z}_n$, records $(D, \tau)$ in $\mathcal{L}_{H_2}$, and returns $(\tau^e \bmod n)$ to $\mathcal{A}$.

(iii) $H_3$ Query of $O_{H_3}$
When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_3}$:
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ is retrieved and returned to $\mathcal{A}$;
  (b) otherwise $\mathcal{S}$ selects a random $\eta \in \mathbb{Z}_n$, sets $H_3(\sigma, D) = (\eta^e y \bmod n)$, records $((\sigma, D), \eta, H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$, and returns $H_3(\sigma, D)$ to $\mathcal{A}$.

(iv) E-Cash Producing Query of $O_S$
Let $\ell_{D_i}$ be a counter, initialised to 0, that records the number of queries on each expiration date $D_i$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ performs the following steps:
  (1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), \perp, (\alpha \eta^e \bmod n))$ in $\mathcal{L}_{H_3}$ and $(\sigma, D)$ in $\mathcal{L}_x$, respectively;
  (4) select $b \in_R \mathbb{Z}^*_n$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = \tau^e$, as in the $O_{H_2}$ query described above;
  (6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv (b \eta)^{-1} \tau \pmod n$, which $\mathcal{S}$ can do without knowing $d$ because $\alpha \beta \tau^e = ((b\eta)^{-1}\tau)^e$;
  (7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ to $\mathcal{A}$.

Eventually, assume that $\mathcal{A}$ successfully outputs $\ell_{D'} + 1$ e-cash tuples for some expiration date $D'$,
$$(s_1, m_1, \sigma_1, D'), \ldots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D'), \quad (20)$$
such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D') \equiv H_2(D') \pmod n$ for all $i$, $1 \le i \le \ell_{D'} + 1$, after $\ell_{D'}$ queries to $O_S$ on $D'$, with non-negligible probability $\epsilon_{\mathcal{A}}$.

Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'} + 1$, is not recorded in $\mathcal{L}_x$ (that is, $H_3(\sigma_i, D')$ was answered by $O_{H_3}$ as $\eta_i^e y$ rather than programmed by $O_S$). Then from $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$ and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve
$$(s_i)^e \equiv \left( H_1^2(m_i)\, H_3(\sigma_i, D') \right)^{-1} H_2(D') \equiv \left( (\xi_i^e)(\eta_i^e y) \right)^{-1} (\tau_i^e) \pmod n, \qquad x \equiv y^d \equiv (s_i \xi_i \eta_i)^{-1} \tau_i \pmod n, \quad (21)$$
and solve the RSA inversion problem with non-negligible probability at least $\epsilon_{\mathcal{A}}$.
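The FG-2 simulator above, as an added example in code (not the authors' own); it shows the two mechanisms the proof relies on: $O_S$ answers e-cash queries without the private exponent by programming $H_3(\sigma, D) = \alpha \eta^e$ and returning $t = (b\eta)^{-1}\tau$, and a valid forgery on a $(\sigma, D)$ that $O_S$ never programmed yields $y^d$ via (21). The RSA key is a constructed toy value; $\epsilon$, $E_k$ and the judge encryption are omitted ($\sigma$ is a random label); the class and method names are assumptions of this example, and the private exponent `D_PRIV` exists only so that a test can play the forger.

```python
"""Toy simulator S for the FG-2 reduction (Section 4.2): answering O_S without d.

Added example, not the authors' code. It programs H_1 (two levels), H_2 and H_3 as in
the FG-2 simulation, issues e-cash for (alpha, D) queries using only the public key, and
extracts y^d from a forged coin whose (sigma, D) was not produced by O_S. The RSA key and
the hash stand-ins are constructed toy values; epsilon, E_k and E_pk_j are omitted.
"""
import random
from math import gcd

P_B, Q_B = 1009, 1013                        # constructed toy RSA primes
N = P_B * Q_B
E = 65537
D_PRIV = pow(E, -1, (P_B - 1) * (Q_B - 1))  # used only by a "forger" in tests, never by S


def rand_unit(rng):
    while True:
        v = rng.randrange(2, N)
        if gcd(v, N) == 1:
            return v


def inv(x):
    return pow(x, -1, N)


class Simulator:
    def __init__(self, y, seed=0):
        self.y = y                 # RSA-inversion challenge: S must output y^d
        self.rng = random.Random(seed)
        self.rho = {}              # m -> rho = H_1(m)                (L_H1, first level)
        self.xi = {}               # rho -> xi with H_1(rho) = xi^e    (L_H1, second level)
        self.tau = {}              # D -> tau with H_2(D) = tau^e      (L_H2)
        self.h3 = {}               # (sigma, D) -> (eta, value)        (L_H3)
        self.programmed = set()    # (sigma, D) set by O_S             (L_x)
        self.count = {}            # l_D counters

    def H1(self, x):
        if x in self.rho:                      # (a) known message m_i
            return self.rho[x]
        if x in self.xi:                       # (b)/(c) x = H_1(m_i): answer xi^e
            return pow(self.xi[x], E, N)
        rho = rand_unit(self.rng)              # (d) fresh message: random rho
        self.rho[x] = rho
        self.xi[rho] = rand_unit(self.rng)     # xi reserved for the second level
        return rho

    def H2(self, D):
        if D not in self.tau:
            self.tau[D] = rand_unit(self.rng)
        return pow(self.tau[D], E, N)

    def H3(self, sigma, D):
        if (sigma, D) not in self.h3:          # adversary query: eta^e * y
            eta = rand_unit(self.rng)
            self.h3[(sigma, D)] = (eta, pow(eta, E, N) * self.y % N)
        return self.h3[(sigma, D)][1]

    def O_S(self, alpha, D):
        """E-cash producing query: return (t, b, sigma) with t == (alpha beta H_2(D))^d."""
        sigma = self.rng.getrandbits(64)       # stand-in for E_pk_j(ID, r_j)
        eta = rand_unit(self.rng)
        self.h3[(sigma, D)] = (eta, alpha * pow(eta, E, N) % N)   # H_3(sigma, D) := alpha eta^e
        self.programmed.add((sigma, D))
        b = rand_unit(self.rng)
        self.H2(D)                             # make sure tau for D exists
        t = inv(b * eta % N) * self.tau[D] % N # = (alpha beta tau^e)^d without knowing d
        self.count[D] = self.count.get(D, 0) + 1
        return t, b, sigma

    def verify(self, s, m, sigma, D):
        """Coin check s^e H_1^2(m) H_3(sigma, D) == H_2(D) (mod n) against the programmed oracles."""
        lhs = pow(s, E, N) * self.H1(self.H1(m)) % N * self.H3(sigma, D) % N
        return lhs == self.H2(D)

    def extract(self, s, m, sigma, D):
        """From a valid forgery with (sigma, D) not in L_x, return x = y^d as in (21)."""
        if (sigma, D) in self.programmed or not self.verify(s, m, sigma, D):
            return None
        xi = self.xi[self.rho[m]]
        eta = self.h3[(sigma, D)][0]
        return inv(s * xi % N * eta % N) * self.tau[D] % N
```

A coin issued through `O_S` verifies under the simulated oracles, but `extract` refuses it because its $(\sigma, D)$ sits in $\mathcal{L}_x$; a coin that is valid on a fresh $(\sigma, D)$ is exactly what the forger must produce, and for it `extract` returns an $x$ with $x^e \equiv y \pmod n$.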
43 E-Cash Conditional-Traceability In this section we willprove that the ID information embedded in e-cash(s) cannotbe replaced or moved out by any user against being tracedafter some misbehavior or criminals The details of our proofmodel are illustrated in Figure 8
Definition 10 (Tampering Game (TG)) Let 119897119896
isin N be asecurity parameter and A be an adversary in DAOECSOS is an oracle which plays the role of bank in DAOECS
12 The Scientific World Journal
[Figure 8: The proof model of TG. The diagram shows $\mathcal{S}$ answering the $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ and $\mathcal{O}_S$ queries of $\mathcal{A}$ (programming $H_1^2(m_i) = \varsigma_i^{e}$, $H_2(D_i) = \tau_i^{e}$ and $H_3(\sigma_i, D_i) = \alpha_i \eta_i^{e} \bmod n$, or a target $y_i$ from $\mathcal{O}_t$ stored in $\mathcal{L}_T$), then using the $q_t - 1$ answers $x_i = y_i^{d}$ of $\mathcal{O}_{inv}$ together with the forgery $(s', m', \sigma', D')$, $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$, to output the RSA-AKTI solution $(x_1, y_1), \ldots, (x_{q_t-1}, y_{q_t-1}), ((s'^{-1}\varsigma'^{-1}\tau'), y')$. The diagram itself is not reproduced here.]
Experiment $\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
  $\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow \mathcal{O}_S$
  if the following two checks are true, return 1:
    (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$
    (ii) $s'^{e} H_1^2(m')\, H_3(\sigma', D') = H_2(D') \bmod n$
  else return 0

Algorithm 4
to record parameters from the queries of $\mathcal{A}$ and to issue e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times. Consider Algorithm 4.

$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.
Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tampering game TG of Definition 10, then DAOECS satisfies e-cash traceability.
Definition 12 (Alternative Formulation of the RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{inv}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{inv}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5.

We say $\mathcal{A}$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\text{RSA-AKTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.
Theorem 13. For a polynomial-time adversary $\mathcal{A}$ who can win the tampering game TG with nonnegligible probability, there exists
Experiment $\mathrm{Exp}^{\text{RSA-AKTI}}_{\mathcal{A}}(k)$
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
  $(y_1, \ldots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$
  $((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow \mathcal{A}^{\mathcal{O}_{inv}, \mathcal{O}_t}(N, e, k)$
  if $x_i^{e} \equiv y_i \pmod N$ for all $i \in \{1, \ldots, q_t\}$, return 1
  else return 0

Algorithm 5
another adversary $\mathcal{S}$ who can break the RSA-AKTI problem with nonnegligible probability.
Proof. $\mathcal{S}$ simulates the environment of DAOECS in the random oracle model by controlling three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ to respond to hash queries, and an e-cash producing oracle $\mathcal{O}_S$ of DAOECS to respond to e-cash producing queries from $\mathcal{A}$. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the RSA-AKTI problem. For consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$ and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$ and $\mathcal{O}_{H_3}$, respectively.
Besides, in the proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{inv}$ (i.e., $(\cdot)^{d}$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12, which help $\mathcal{S}$ produce valid e-cash(s); the corresponding verifying key is $(e, n)$.

Here we carry out the simulation for game TG to prove that DAOECS satisfies e-cash traceability. Details are described as follows.
(i) $H_1$ Query of $\mathcal{O}_{H_1}$

Initially every blank record in $\mathcal{L}_{H_1}$ is represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ to query the hash value $H_1(m)$, $\mathcal{S}$ checks the list $\mathcal{L}_{H_1}$:

(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^{e} \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^{e} \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and fills the original record $(m_i, H_1(m_i), \perp)$ in as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
(d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, H_1(m), \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$

When $\mathcal{A}$ asks an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_2}$:

(a) if $D = D_i$ for some $i$, the corresponding $\tau$ is retrieved and $\mathcal{S}$ sends $(\tau^{e} \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ selects a random $\tau \in \mathbb{Z}_n$, records $(D, \tau)$ in $\mathcal{L}_{H_2}$, and returns $(\tau^{e} \bmod n)$ to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$

When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_3}$:

(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ is retrieved and returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ queries $\mathcal{O}_t$ to get an instance $y$, and records $y$ in $\mathcal{L}_T$ and $((\sigma, D), y)$ in $\mathcal{L}_{H_3}$;
(c) return $y$ to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$

When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ performs the following steps:

(1) decrypt $\epsilon$ to obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^{e} \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^{*}$ and compute $\beta = (b^{e} \alpha \eta^{e})^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^{e} \bmod n)$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha \beta \tau^{e})^{d} \equiv (b\eta)^{-1} \tau \pmod n$ (no $d$ is needed, since $\alpha\beta\tau^{e} = ((b\eta)^{-1}\tau)^{e}$);
(7) return $(t, E_k(b, \sigma, r_j))$ to $\mathcal{A}$.
Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appeared in any $\mathcal{O}_S$ response, such that $s'^{e} H_1^2(m')\, H_3(\sigma', D') \equiv H_2(D') \pmod n$. Since $(\sigma', D')$ was not programmed by $\mathcal{O}_S$, its hash value $H_3(\sigma', D') = y'$ was obtained from $\mathcal{O}_t$ through $\mathcal{O}_{H_3}$ (if $\mathcal{A}$ never queried $H_3(\sigma', D')$, the verification relation holds only with negligible probability, because $H_3(\sigma', D')$ is then a fresh random value). Then, by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$ and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can derive

$$(y')^{d} \equiv \big(H_3(\sigma', D')\big)^{d} \equiv s'^{-1} \big(H_1^2(m')^{-1} H_2(D')\big)^{d} \equiv s'^{-1} \varsigma'^{-1} \tau' \pmod n. \tag{22}$$

Let $|\mathcal{L}_T| = q_t$ and $\mathcal{L}_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends every $y_i \in \mathcal{L}_T \setminus \{y'\}$, $1 \le i \le q_t - 1$, to $\mathcal{O}_{inv}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^{d} \bmod n$. Eventually $\mathcal{S}$ can output the $q_t$ RSA-inversion instances

$$(x_1, y_1), (x_2, y_2), \ldots, (x_{q_t - 1}, y_{q_t - 1}), \big(s'^{-1} \varsigma'^{-1} \tau',\ y'\big) \tag{23}$$

after querying $\mathcal{O}_{inv}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
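The simulation above can be exercised end to end. The following Python program is an added example written for this page, not code from the paper. It assumes toy RSA primes, replaces the random oracles $H_1^2$, $H_2$, $H_3$ by programmable tables inside a `Simulator` class, takes $\alpha$ and $\sigma$ as given values instead of building them with the user's blinding and $E_{pk_j}(\mathrm{ID}, r_j)$, omits the $E_k$ encryption of the $\mathcal{O}_S$ reply, and lets a stand-in forger use the private exponent $d$ to play a successful $\mathcal{A}$. It shows that $\mathcal{O}_S$ can be answered without $d$ (step (6)), that a forgery on a fresh $(\sigma', D')$ verifies, and that equation (22) turns it into $y'^{d}$ for a target $y'$ from $\mathcal{O}_t$, checked by raising to $e$ as Algorithm 5 does. It needs Python 3.8 or later for modular inverses via `pow(x, -1, n)`.

```python
"""Added example (not from the paper): the RSA relation of a DAOECS e-cash and the
simulator S of Theorem 13.  S programs H_1^2, H_2, H_3, answers O_S without d, and
turns a forgery on a pair never issued by O_S into the e-th root of a target y'."""
import random

P_RSA, Q_RSA = 100003, 100019   # constructed toy primes; Section 5.2 assumes a 1024-bit n
N = P_RSA * Q_RSA
E = 65537
D_EXP = pow(E, -1, (P_RSA - 1) * (Q_RSA - 1))  # known to the bank and the stand-in forger only


def rand_unit(rng):
    """Random element of Z_n^* (checked, so every modular inverse below exists)."""
    while True:
        v = rng.randrange(2, N)
        if v % P_RSA and v % Q_RSA:
            return v


class Simulator:
    """S never uses D_EXP: every programmed hash value has a known e-th root,
    except H_3 values taken from the target oracle O_t (list L_T), whose
    e-th roots are exactly what S is trying to learn."""

    def __init__(self, rng):
        self.rng = rng
        self.h1sq = {}      # m -> varsigma,  H_1^2(m) = varsigma^e
        self.h2 = {}        # D -> tau,       H_2(D)   = tau^e
        self.h3 = {}        # (sigma, D) -> programmed H_3 value
        self.targets = []   # L_T: challenges handed out by O_t

    def H1sq(self, m):                        # branch (c) of the H_1 simulation
        vs = self.h1sq.setdefault(m, rand_unit(self.rng))
        return pow(vs, E, N)

    def H2(self, date):                       # H_2 simulation
        tau = self.h2.setdefault(date, rand_unit(self.rng))
        return pow(tau, E, N)

    def H3(self, sigma, date):                # H_3 simulation: a fresh pair gets a target
        key = (sigma, date)
        if key not in self.h3:
            y = rand_unit(self.rng)           # O_t: a random RSA challenge y
            self.targets.append(y)
            self.h3[key] = y
        return self.h3[key]

    def issue(self, alpha, sigma, date):
        """O_S, steps (3)-(6): t = (alpha * beta * tau^e)^d computed without d,
        plus the blinding b the bank would return under E_k."""
        eta = rand_unit(self.rng)
        self.h3[(sigma, date)] = alpha * pow(eta, E, N) % N     # program H_3(sigma, D)
        b = rand_unit(self.rng)
        beta = pow(pow(b, E, N) * alpha * pow(eta, E, N), -1, N)
        self.H2(date)                                           # retrieve or assign tau
        tau = self.h2[date]
        t = pow(b * eta, -1, N) * tau % N
        return t, b, beta

    def extract(self, s, m, sigma, date):
        """Eq. (22): for a valid forgery whose H_3 value is a target y', return (y'^d, y')."""
        vs, tau = self.h1sq[m], self.h2[date]
        return pow(s * vs, -1, N) * tau % N, self.h3[(sigma, date)]


def verify(sim, s, m, sigma, date):
    """Public check  s^e * H_1^2(m) * H_3(sigma, D) == H_2(D)  (mod n)."""
    lhs = pow(s, E, N) * sim.H1sq(m) * sim.H3(sigma, date) % N
    return lhs == sim.H2(date)


def forge_with_private_key(sim, m, sigma, date):
    """Stand-in for a winning adversary A: it uses D_EXP, which S does not have."""
    inner = pow(sim.H1sq(m) * sim.H3(sigma, date), -1, N) * sim.H2(date) % N
    return pow(inner, D_EXP, N)


def run_reduction(seed=1):
    """Returns (O_S answer equals the real bank's, forgery verifies,
    extracted x satisfies x^e == y' for a target y', a random s is rejected)."""
    rng = random.Random(seed)
    sim = Simulator(rng)
    alpha, sigma, date = rand_unit(rng), "sigma-issued", "2014-12-31"   # one O_S query
    t, b, beta = sim.issue(alpha, sigma, date)
    tau = sim.h2[date]
    bank_consistent = pow(t, E, N) == alpha * beta * pow(tau, E, N) % N
    m_f, sigma_f = "w1|y1|w2|y2|r3|D", "sigma-forged"        # pair never issued by O_S
    s_f = forge_with_private_key(sim, m_f, sigma_f, date)
    forgery_ok = verify(sim, s_f, m_f, sigma_f, date)
    x, y_target = sim.extract(s_f, m_f, sigma_f, date)
    inverted = pow(x, E, N) == y_target and y_target in sim.targets
    bogus_rejected = not verify(sim, rand_unit(rng), m_f, "sigma-other", date)
    return bank_consistent, forgery_ok, inverted, bogus_rejected
```

`run_reduction()` returns four booleans, all `True`. The forger calls `sim.H3` before producing $s'$, which mirrors the assumption in the proof that $\mathcal{A}$ queries $H_3(\sigma', D')$; without that query the programmed value would not be in $\mathcal{L}_T$ and `extract` would have nothing to invert.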
4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has already been spent, a second spending is detected immediately by the double-spending check. In an offline e-cash model, however, the merchant may first accept a transaction involving a double-spent e-cash and only run the double-spending check later. In this case the original owner of the e-cash may suffer a loss. Therefore a secure offline e-cash scheme should guarantee the following two properties:

(i) No one except the real owner can spend a fresh and valid offline e-cash successfully.
(ii) No one can double-spend an e-cash successfully.

Together these are referred to as the e-cash no-swindling property. In this section we define the no-swindling property and formally prove that our scheme is secure against swindling attacks.
Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) of DAOECS (i.e., $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$) to $\mathcal{A}$. $\mathcal{O}_{off}$ is an oracle that shows the expanded form $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ used for the payment of the e-cash given as input. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively.

$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.
Experiment $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b} H_1^2\big(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\big)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ was never a query to $\mathcal{O}_{off}$
  else return 0

Algorithm 6: Experiment SWG-1
Experiment $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b} H_1^2\big(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\big)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{off}$ only once
    (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ was not obtained from $\mathcal{O}_{off}$
  else return 0

Algorithm 7: Experiment SWG-2
Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.
Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment in the random oracle model by controlling the hash oracle $\mathcal{O}_{H_4}$, which responds to hash queries on $H_4$ of DAOECS. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. For consistency, $\mathcal{S}$ maintains a list $\mathcal{L}_{H_4}$ to record every response of $\mathcal{O}_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^{*}$ of the discrete logarithm problem (i.e., $y^{*} = g^{x^{*}} \bmod p$). Here we describe the simulations for the two experiments $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}$ and $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}$ individually.

The simulation for $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$

Initially $\mathcal{S}$ guesses that the generic e-cash produced by the $\nu$th query will be the attack target. When $\mathcal{A}$ sends the $i$th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ does the following:
(a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(b) if $i = \nu$: compute $w_1 = (y^{*})^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
(c) if $i \neq \nu$: compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
(d) prepare $s = \big((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $\mathcal{L}_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{off}$

When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it looks up the list $\mathcal{L}_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
(b) otherwise $\mathcal{O}_{off}$ retrieves the corresponding $(r_1, x_1)$, chooses a random $r_u$, computes $u = H_4(r_u, r_s)$ and $s' = r_1 - u x_1 \bmod q$, and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*}, r_u^{*}, r_s^{*}, s'^{*})$, where $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*})$ is prefixed with $\nu$ and postfixed with $(r_1^{*}, x_1^{*})$ in $\mathcal{L}_B$. Then, since $w_1^{*} = (y_1^{*})^{H_4(r_u^{*}, r_s^{*})} g^{s'^{*}} \bmod p$ and $w_1^{*} = (y^{*})^{r_1^{*}} \bmod p$, $\mathcal{S}$ can derive

$$x^{*} = (r_1^{*})^{-1} \big(x_1^{*} H_4(r_u^{*}, r_s^{*}) + s'^{*}\big) \bmod q \tag{24}$$
[Figure 9: The proof model of SWG-1. The diagram shows $\mathcal{O}_B$ answering the $\nu$th request with $w_1 = (y^{*})^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$, $\mathcal{O}_{off}$ returning the expanded tuples $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ for the other e-cash(s), the swindled output $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*}, r_u^{*}, r_s^{*}, s'^{*})$ satisfying $s^{*e_b} H_1^2(w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, D^{*}, r_3^{*}) H_3(\sigma^{*}, D^{*}) \equiv H_2(D^{*}) \pmod{n_b}$ with $w_1^{*} = (y_1^{*})^{H_4(r_u^{*}, r_s^{*})} g^{s'^{*}} \bmod p$, and the extraction $x^{*} = (r_1^{*})^{-1}(x_1^{*} H_4(r_u^{*}, r_s^{*}) + s'^{*}) \bmod q$. The diagram itself is not reproduced here.]
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.
The simulation for $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$

Initially $\mathcal{S}$ guesses that the generic e-cash produced by the $\nu$th query will be the attack target. When $\mathcal{A}$ sends the $i$th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ does the following:

(a) if $i = \nu$:
  (1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
  (2) compute $y_1 = (y^{*})^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$;
  (3) prepare $s = \big((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
  (4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $\mathcal{L}_B$;
(b) if $i \neq \nu$:
  (1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
  (2) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
  (3) prepare $s = \big((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
  (4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $\mathcal{L}_B$;
(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{off}$

A status parameter $\mathrm{sta}$ is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it looks up the list $\mathcal{L}_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and $\mathrm{sta} = 0$, $\mathcal{O}_{off}$ performs the following procedure:
  (1) set $\mathrm{sta} = 1$;
  (2) retrieve the corresponding $(u, s')$ from $\mathcal{L}_B$ and choose a random $r_u$;
  (3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $\mathcal{L}_{H_4}$;
  (4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $\mathcal{L}_{off}$;
  (5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{off}$ retrieves the corresponding $(r_1, x_1)$, chooses random $r_u$ and $u$, sets $H_4(r_u, r_s) = u$, records $((r_u, r_s), u)$ in $\mathcal{L}_{H_4}$, computes $s' = r_1 - u x_1 \bmod q$, and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(c) otherwise, abort.

(iii) Oracle $\mathcal{O}_{H_4}$

When $\mathcal{A}$ sends $(r_u, r_s)$ to query $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ checks the list $\mathcal{L}_{H_4}$:

(a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ retrieves the corresponding $u$ and returns it to $\mathcal{A}$;
[Figure 10: The proof model of SWG-2. The diagram shows $\mathcal{O}_B$ answering the $\nu$th request with $y_1 = (y^{*})^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$, $\mathcal{O}_{off}$ (status flag $\mathrm{sta}$) setting $H_4(r_u, r_s) = u$, storing it in $\mathcal{L}_{H_4}$ and recording the expanded tuple in $\mathcal{L}_{off}$, $\mathcal{O}_{H_4}$ answering from $\mathcal{L}_{H_4}$, the swindled output $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*}, r_u^{*}, r_s^{*}, s'^{*})$ satisfying $s^{*e_b} H_1^2(w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, D^{*}, r_3^{*}) H_3(\sigma^{*}, D^{*}) \equiv H_2(D^{*}) \pmod{n_b}$ with $w_1^{*} = (y_1^{*})^{H_4(r_u^{*}, r_s^{*})} g^{s'^{*}} \bmod p$, the relation $(y^{* x_1^{*}})^{u^{*}} g^{s'^{*}} \equiv w_1^{*} \equiv (y^{* x_1^{*}})^{u} g^{s'} \pmod p$, and the extraction $x^{*} = (x_1^{*}(u^{*} - u))^{-1}(s' - s'^{*}) \bmod q$. The diagram itself is not reproduced here.]
(b) otherwise $\mathcal{O}_{H_4}$ chooses a random $u$, records $((r_u, r_s), u)$ in $\mathcal{L}_{H_4}$, and returns $u$ to $\mathcal{A}$.
Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*}, r_u^{*}, r_s^{*}, s'^{*})$, where $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*})$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $\mathcal{L}_B$, and $H_4(r_u^{*}, r_s^{*}) = u^{*} \neq u$ (if $u^{*} = u$ then $g^{s'^{*}} = g^{s'}$, so $s'^{*} = s'$ and the output tuple would be the one obtained from $\mathcal{O}_{off}$, contradicting check (iii); a collision of $H_4$ on distinct inputs happens only with negligible probability). Then, via $\mathcal{L}_{H_4}$, since

$$(y^{* x_1^{*}})^{u^{*}} g^{s'^{*}} \equiv (y_1^{*})^{H_4(r_u^{*}, r_s^{*})} g^{s'^{*}} \equiv w_1^{*} \equiv (y^{* x_1^{*}})^{u} g^{s'} \pmod p, \tag{25}$$

$\mathcal{S}$ can derive

$$x^{*} = \big(x_1^{*}(u^{*} - u)\big)^{-1} (s' - s'^{*}) \bmod q \tag{26}$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

Summarizing the proof models of the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. Since the latter is assumed infeasible, no p.p.t. adversary can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
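The two extractions, equations (24) and (26), and the payment check they start from can be carried through in code. The following Python program is an added example written for this page, not code from the paper. It assumes a toy group (safe prime $p = 2039$, $q = 1019$ and $g = 4$ of order $q$), SHA-256 reduced modulo $q$ in place of $H_4$, and only the $w_1$ component of check (i) in Algorithms 6 and 7 (the RSA part of the e-cash is left out). `extract_double_spend` is the general form of equation (26), which with `x1_factor = 1` is also how the bank identifies a double spender from two openings of one e-cash; `extract_forged_opening` is equation (24). It needs Python 3.8 or later for `pow(x, -1, q)`.

```python
"""Added example (not from the paper): the discrete-log ownership proof behind the
payment check  w_1 = y_1^{H_4(r_u, r_s)} g^{s'} (mod p)  and the two extractions of
Theorem 16, eq. (24) (SWG-1) and eq. (26) (SWG-2 / double spending).  The group,
hash and challenge values are constructed toy inputs."""
import hashlib
import random

P, Q, G = 2039, 1019, 4   # safe prime p = 2q + 1, g of order q; the paper assumes 512-bit p, q


def h4(r_u, r_s):
    """H_4(r_u, r_s) reduced into Z_q (SHA-256 standing in for the paper's H_4)."""
    raw = f"{r_u}|{r_s}".encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % Q


def withdraw_secrets(rng):
    """User side of a generic e-cash: (x_1, r_1) stay secret; (y_1, w_1) go into m."""
    x1, r1 = rng.randrange(1, Q), rng.randrange(1, Q)
    return x1, r1, pow(G, x1, P), pow(G, r1, P)


def spend(x1, r1, r_u, r_s):
    """Owner's opening s' = r_1 - u x_1 mod q for the merchant's challenge (r_u, r_s)."""
    return (r1 - h4(r_u, r_s) * x1) % Q


def merchant_check(y1, w1, r_u, r_s, s_prime):
    """The w_1 part of check (i) in Algorithms 6 and 7."""
    u = h4(r_u, r_s)
    return w1 == pow(y1, u, P) * pow(G, s_prime, P) % P


def extract_double_spend(x1_factor, opening_a, opening_b):
    """Eq. (26): two valid openings (r_u, r_s, s') of the same e-cash under
    different challenges give the discrete log x* of y_1 = g^{x1_factor * x*}.
    With x1_factor = 1 this is plain double-spender identification (x* = x_1)."""
    (ru_a, rs_a, s_a), (ru_b, rs_b, s_b) = opening_a, opening_b
    u_a, u_b = h4(ru_a, rs_a), h4(ru_b, rs_b)
    if u_a == u_b:
        return None                       # same challenge: nothing to extract
    return pow(x1_factor * (u_b - u_a) % Q, -1, Q) * (s_a - s_b) % Q


def extract_forged_opening(r1, x1, r_u, r_s, s_prime):
    """Eq. (24): in SWG-1 the simulator set w_1 = (y*)^{r_1} and y_1 = g^{x_1};
    any valid opening of that w_1 yields x* = r_1^{-1} (x_1 H_4(r_u, r_s) + s')."""
    return pow(r1, -1, Q) * (x1 * h4(r_u, r_s) + s_prime) % Q


def demo(seed=3):
    """Honest payment, double spending, SWG-1 extraction, tampered opening."""
    rng = random.Random(seed)
    x1, r1, y1, w1 = withdraw_secrets(rng)
    first = (17, 23)
    s_first = spend(x1, r1, *first)
    honest_ok = merchant_check(y1, w1, *first, s_first)
    # double spending: the same (y_1, w_1) opened for a second, different challenge
    second = next(c for c in [(29, 31), (37, 41), (43, 47)] if h4(*c) != h4(*first))
    s_second = spend(x1, r1, *second)
    leaked_x1 = extract_double_spend(1, (*first, s_first), (*second, s_second))
    # SWG-1: w_1 = (y*)^{r_1}; an adversary that opens it must know x* = log_g y*
    x_star = rng.randrange(1, Q)
    y_star = pow(G, x_star, P)
    w1_sim = pow(y_star, r1, P)
    chall = (53, 59)
    s_forged = (x_star * r1 - h4(*chall) * x1) % Q   # what such an adversary would output
    forged_ok = merchant_check(y1, w1_sim, *chall, s_forged)
    recovered = extract_forged_opening(r1, x1, *chall, s_forged)
    tampered_rejected = not merchant_check(y1, w1, *first, (s_first + 1) % Q)
    return honest_ok, leaked_x1 == x1, forged_ok and recovered == x_star, tampered_rejected
```

`demo()` returns four booleans, all `True`: an honest payment verifies, a second spending of the same e-cash leaks $x_1$, the forged opening of $w_1 = (y^{*})^{r_1}$ yields $x^{*}$, and a tampered $s'$ is rejected. The `None` branch of `extract_double_spend` is the collision case the proof excludes: two openings under the same challenge $u$ carry no information about the secret.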
5. E-Cash Advanced Features and Performance Comparisons

In this section we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of these schemes and summarize the results in Table 1.

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability and no double-spending. Beyond these, the literature discusses further advanced features of e-cash systems. We focus on three of them, namely traceability, date attachability and no-swindling, and compare the proposed scheme with the aforementioned schemes on these points.

We also propose an e-cash renewal protocol with which users exchange their unused but expired e-cash(s) for a new valid e-cash, so that users do not have to deposit an e-cash before it expires and then withdraw a new one. Our e-cash renewal protocol reduces the user-side computation cost by 49.5% compared with running the withdrawal and deposit protocols, that is, almost half the effort of obtaining a new e-cash. This is a great help to users, whose devices, such as smart phones, usually have weaker computation capability.
Table 1: Advanced features and performance comparisons.

Scheme | On/off-line | Conditional-traceability | Date attachability | No-swindling | Renewal protocol | Formal proof | Transaction cost (*) | Communication cost (**)
Ours   | Off | Yes | Yes | Yes | Yes | Yes | 5E + 7M + 7H + 1inv + 1A ≈ 1454M | 1092
[38]   | Off | Yes | No  | No  | —   | Yes | 14E + 14M + 1H + 5A ≈ 3375M      | 576
[14]   | Off | No  | No  | No  | Yes | No  | 6E + 8M ≈ 1448M                  | 1288
[15]   | Off | Yes | No  | No  | —   | Yes | 23E + 14M + 1A ≈ 5534M           | 939
[9]    | On  | No  | Yes | —   | No  | No  | 2E + 2M + 2H ≈ 966M              | 769
[21]   | Off | Yes | Yes | No  | Yes | No  | 5E + 9M + 1H + 1inv + 2A ≈ 1450M | 644
[22]   | Off | Yes | No  | Yes | Yes | Yes | 2E ≈ 480M                        | 300
[39]   | Off | Yes | No  | No  | —   | Yes | 18E + 15M + 2H + 8A ≈ 4337M      | 828
[40]   | Off | Yes | No  | No  | —   | Yes | 31E + 22M + 6H + 10A ≈ 7468M     | 968
[13]   | On  | Yes | No  | —   | —   | Yes | 22E + 11M + 4A ≈ 5291M           | 1536
[27]   | Off | No  | Yes | No  | Yes | No  | 6E + 8M + 1H ≈ 1449M             | 728

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
(*) The computation cost of the withdrawal and payment protocols at the user side.
(**) The communication cost of each transaction at the user side, in bytes.
5.2. Performance Comparisons. According to [41], the computation cost of the operations involved can be summarized as follows. A modular exponentiation costs about 240 times as much as a modular multiplication, while a modular inversion costs almost the same as a modular exponentiation. A hash operation costs almost the same as a modular multiplication.

With the above assumptions, the total computation cost of a user during the withdrawal and payment phases of our proposed scheme is 5E + 7M + 7H + 1inv + 1A, that is, about 1454 modular multiplications (the modular addition is negligible), while the other works [38], [14], [15], [9], [21], [22], [39], [40], [13] and [27] need about 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291 and 1449 modular multiplications, respectively, to finish the withdrawal and payment phases at the user end.

Following [15], we assume that the RSA parameters $n$, $p$, $q$ are 1024, 512 and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and the one-way hash function used in all protocols, respectively; therefore an encrypted block and a hash digest are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending it, that is, (2048 + 6688)/8 = 1092 bytes per transaction.

The details of the comparisons are summarized in Table 1.
6. Conclusion

In this paper we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to each e-cash. We have also designed an e-cash renewal protocol with which users can exchange their unused but expired e-cash(s) for new ones more efficiently. Compared with similar works, our scheme is efficient in terms of user-side computation cost and satisfies all the security properties simultaneously. Besides anonymity, unlinkability, unforgeability and no double-spending, we formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank manage its huge database against unlimited growth, but it also strengthens the preservation of users' privacy and rights.
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.
References
[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.
[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.
[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.
[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.
[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.
[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.
[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.
[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.
[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.
[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.
[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.
[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.
[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.
[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.
[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.
[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.
[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.
[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology, CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.
[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.
[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.
[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.
[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.
[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.
[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.
[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.
[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology, CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.
[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.
[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.
[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.
[34] S. Bajikar, "Trusted platform module (TPM) based security on notebook PCs," white paper, Mobile Platform Group, Intel Corporation, 2002.
[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.
[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.
[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.
[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.
[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.
[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.
[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.
The Scientific World Journal 3
3. The Proposed Date Attachable Offline Electronic Cash Scheme

In this section we introduce a new date attachable offline e-cash scheme. Considering the issues mentioned in Section 1, we propose a secure offline e-cash scheme with two specific kinds of date attached to the e-cash, namely the expiration date and the deposit date.

3.1. Outline of the Proposed Scheme. Here we briefly describe the procedures of our scheme. The proposed scheme contains four protocols: the withdrawal protocol, the payment protocol, the deposit protocol, and the e-cash renewal protocol. A user withdraws an e-cash with an expiration date attached to it from the bank. A trusted computing platform (i.e., a judge device) [31, 32], as stated in the proposed scheme, is installed in the bank to hold the identity information of all users, and it further helps trace users when needed. It is impossible for anyone except the judge to obtain any information embedded in the device [33]. Nowadays a judge device can be implemented in practice with the technique of the Trusted Platform Module (TPM) [32, 34].

Before an e-cash is deposited, the depositor attaches the deposit date to the e-cash and sends it to the bank during the deposit stage. When the bank receives an e-cash, it performs double-spending checking to verify whether the e-cash has been doubly spent. The bank can derive secret parameters of a user who double-spends and let the judge revoke the anonymity of that user. Besides, when an unused e-cash has expired, the user is able to exchange it for a new one with a new expiration date. In our scheme, for efficiency, some of the unused parameters of users can remain unchanged while exchanging for a new valid e-cash. In the following sections we describe our scheme in detail.
3.2. The Proposed Scheme. Firstly, we define some notations as follows.

(1) $H_1, H_2, H_3$: three one-way hash functions, $H_1, H_2, H_3: \{0,1\}^* \to \{0,1\}^n$.
(2) $H_4, H_5$: two one-way hash functions, $H_4, H_5: \{0,1\}^* \to \{0,1\}^q$.
(3) $E_x/D_x$: a secure symmetric cryptosystem. Plaintext is both encrypted and decrypted with a symmetric key $x$.
(4) $E_{pk}/D_{sk}$: a secure asymmetric cryptosystem. Plaintext is encrypted with a public key $pk$ and decrypted with the corresponding private key $sk$.
(5) $(pk_j, sk_j)$: the public-private key pair of the judge.
(6) $(e_b, d_b)$: the public-private key pair of the bank.
(7) $\mathit{Date}$: expiration date. It represents the effective spending date of a withdrawn e-cash. Any e-cash withdrawn in the same period will have the same expiration date, and vice versa.
(8) $\mathrm{ID}_c$: the identity of user $C$.
(9) $l_k, l_r$: the security parameters.
(10) A judge device: a tamper-resistant device which is issued by the judge. It is installed into the system of the bank. It is impossible to intercept or modify any information stored in the device.
3.2.1. Initialization. Initially, the bank randomly chooses two distinct large primes $(p_b, q_b)$ and computes the RSA modulus $n_b = p_b q_b$. It selects an integer $e_b$ at random such that $\gcd(\phi(n_b), e_b) = 1$, where $\phi(n_b) = (p_b - 1)(q_b - 1)$ and $1 < e_b < \phi(n_b)$. Then it finds a $d_b$ such that $e_b d_b \equiv 1 \pmod{\phi(n_b)}$. Secondly, it also chooses two other large primes $p$ and $q$ and two generators $g_1$ and $g_2$ of order $q$ in $\mathbb{Z}_p^*$. Then the bank publishes $(n_b, e_b, p, q, g_1, g_2, pk_j, H_1, H_2, H_3, H_4, H_5, E_x/D_x, E_{pk}/D_{sk})$. Meanwhile, the judge embeds $(n_b, e_b, p, q, g_1, g_2, pk_j, sk_j, H_1, H_2, H_3, H_4, H_5, E_x/D_x, E_{pk}/D_{sk})$ into a judge device and issues it to the bank.
3.2.2. Withdrawal Protocol. Users run the withdrawal protocol with banks to get an e-cash, as shown in Figure 1, yet banks have to obtain information on the users' identity, such as $\mathrm{ID}_c$ or account numbers, before the withdrawal protocol proceeds. Therefore users should perform an authentication with banks beforehand. Users can execute the withdrawal protocol on any device that is able to compute and to connect to the network. For instance, users can use mobile phones or computers to perform the withdrawal protocol and store the withdrawn e-cash. The detailed steps of the protocol are as follows.

(1) Bank → User: $D$.
Firstly, the user prepares parameters for withdrawing an e-cash. The user chooses integers $a, x_1, x_2, r_1, r_2$ and $r_3$ at random, where $a \in_R \mathbb{Z}_{n_b}^*$ and $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \dots, q-1\}$, and selects a string $k \in_R \{0,1\}^{l_k}$ randomly. The user then computes $(y_1, w_1, y_2, w_2)$, where $y_i = g_i^{x_i} \bmod p$ and $w_i = g_i^{r_i} \bmod p$ for $i = 1, 2$. Secondly, the bank computes parameters for the expiration date. It randomly chooses an $r$ in $\mathbb{Z}_n^*$ and prepares $D = (\mathit{Date}, r)$ for some expiration date $\mathit{Date}$. The bank sends $D$ to the user when she/he requests to withdraw an e-cash.

(2) User → Bank: $(\alpha, \epsilon)$.
After receiving $D$, the user prepares $\epsilon = E_{pk_j}(k, \mathrm{ID}_c)$ and
$\alpha = [a^{e_b} H_1^2(m, D)]^{-1} \bmod n_b,$ (1)
where $m = (y_1, w_1, y_2, w_2, r_3)$. Finally, the user sends $(\alpha, \epsilon)$ to the bank.

(3) Bank → Judge device: $(\epsilon, \mu, D)$.
The bank sets $\mu = \mathrm{ID}_c$, where $\mathrm{ID}_c$ is the identity of user $C$, and inputs it together with $\epsilon$ and $D$ to the judge device.
[Figure 1: Withdrawal protocol. The figure shows the message flow among user, bank and judge device: the user's choices $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \dots, q-1\}$, $a \in_R \mathbb{Z}_{n_b}^*$, $k \in_R \{0,1\}^{l_k}$ and values $y_i = g_i^{x_i} \bmod p$, $w_i = g_i^{r_i} \bmod p$; the bank's $D = (\mathit{Date}, r)$ with $r \in_R \mathbb{Z}_n^*$; the messages $(\alpha, \epsilon)$, $(\epsilon, \mu, D)$, $(\beta, E_k(b, \sigma, r_j))$ and $(t, E_k(b, \sigma, r_j))$ with $t = (\alpha\beta H_2(D))^{d_b} \bmod n_b$; the judge device's checks $\mu = \mathrm{ID}_c$ and $\sigma = E_{pk_j}(\mu, r_j)$; and the user's final computation $s = abt \bmod n_b$ and verification of (5), yielding the e-cash tuple $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$.]
(4) Judge device → Bank: $(\beta, E_k(b, \sigma, r_j))$.
The judge device decrypts $\epsilon$ and checks if $\mu = \mathrm{ID}_c$. If not, it returns "ID error" to the bank; otherwise it picks a random integer $b \in_R \mathbb{Z}_{n_b}^*$ and a string $r_j \in_R \{0,1\}^{l_{r_j}}$ randomly. Then it computes $\sigma = E_{pk_j}(\mu, r_j)$ and
$\beta = [b^{e_b} H_3(\sigma, D)]^{-1} \bmod n_b.$ (2)
Finally, it encrypts $(b, \sigma, r_j)$ with the symmetric key $k$ and outputs the ciphertext together with $\beta$ to the bank.

(5) Bank → User: $(t, E_k(b, \sigma, r_j))$.
After receiving $(\beta, E_k(b, \sigma, r_j))$ from the judge device, the bank computes
$t = (\alpha \beta H_2(D))^{d_b} \bmod n_b$ (3)
and sends $(t, E_k(b, \sigma, r_j))$ to the user.

(6) Verifications.
After receiving $(t, E_k(b, \sigma, r_j))$, the user firstly decrypts the ciphertext with the symmetric key $k$ to obtain $(b, \sigma, r_j)$. Secondly, she/he checks whether his/her ID is embedded correctly by testing whether $\sigma = E_{pk_j}(\mathrm{ID}_c, r_j)$ holds. Thirdly, she/he computes
$s = abt \bmod n_b$ (4)
and verifies $s$ by checking whether
$s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$ (5)
holds. Finally, when all verifications succeed, the user obtains the e-cash tuple $(s, m, \sigma, D)$ and stores $(x_1, x_2, r_1, r_2)$ for further payment usage.
3.2.3. Payment Protocol. When a user has to spend the e-cash, she/he performs the protocol shown in Figure 2. The steps of the protocol are described as follows.

(1) User → Shop: $(s, m, \sigma, D, x_2, r_2)$.
The user sends $(s, m, \sigma, D, x_2, r_2)$ to the shop, where $D$ contains the expiration date of the e-cash.
[Figure 2: Payment protocol. The figure shows the user sending $(s, m, \sigma, D, x_2, r_2)$; the shop checking the validity of $D$, verifying $s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$, choosing $r'_s \in_R \{0,1\}^{l_{r_j}}$ and sending the challenge $r_s = (\mathrm{ID}_s, r'_s)$; the user choosing $r_u \in_R \mathbb{Z}_q^*$, computing $u = H_4(r_u, r_s)$ and $s' = (r_1 - u x_1) \bmod q$ and sending $(s', r_u)$; and the shop verifying $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \pmod p$.]
(2) Shop → User: $r_s$.
The shop first checks $D$ to verify whether the e-cash is still within its expiration date. If not, it terminates the transaction. Otherwise, it continues to verify $s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$. If this does not hold, the protocol is aborted; otherwise the shop selects a string $r'_s \in_R \{0,1\}^{l_{r_j}}$ and sets a challenge $r_s = (\mathrm{ID}_s, r'_s)$, where $\mathrm{ID}_s$ is the identity of the shop. Finally, it sends $r_s$ to the user.

(3) User → Shop: $(s', r_u)$.
After receiving $r_s$ from the shop, the user randomly selects $r_u \in_R \mathbb{Z}_q^*$ and computes a response to the challenge
$s' = (r_1 - u x_1) \bmod q,$ (6)
where $u = H_4(r_u, r_s)$. Then the user sends $(s', r_u)$ to the shop.

(4) Verifications.
After receiving $(s', r_u)$ from the user, the shop verifies whether $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \pmod p$ holds. If it does, the shop accepts the e-cash; otherwise the shop rejects it. Since it is an offline e-cash, the shop does not have to deposit it to the bank immediately. It can store the e-cash and deposit it later together with other received e-cash(s).
3.2.4. Deposit Protocol. As Figure 3 shows, in this protocol shops attach the deposit date to their e-cash(s) and deposit them to banks. Banks perform double-spending checks when they receive these e-cash(s). If any e-cash is double-spent, the bank revokes the anonymity of the e-cash owner with the help of the judge. The steps are described in detail as follows.

(1) Shop → Bank: $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$.
The shop computes $r_4 = r_2 - x_2 H_5(d)$, where $d$ is the deposit date, and sends $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$ to the bank.

(2) Verifications.
Firstly, the bank checks the correctness of the expiration date $D$ and the deposit date $d$, respectively, and also checks whether
$w_2 = y_2^{H_5(d)} g_2^{r_4} \bmod p,$
$w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \bmod p$ (7)
hold. Secondly, the bank verifies whether $s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$ and checks the uniqueness of $(s, m, \sigma, D)$. Finally, if all of the above facts are verified successfully, the bank accepts and stores the e-cash in its database and records $H_1(m, D)$ in the exchange list. Otherwise, it rejects this transaction and traces the owner of the e-cash.
3.2.5. E-Cash Renewal Protocol. In order to mitigate the unlimited database growth problem of the bank, our scheme has an expiration date and a renewal protocol, as shown in Figure 4. When an unused e-cash has expired, the user has to exchange it for another e-cash with a new expiration date from the bank.

(1) User → Bank: $(s, \rho, \sigma, D)$.
The user recalls $m = (y_1, w_1, y_2, w_2, x_2, r_3)$ and prepares
$\rho = H_1(m, D)$ (8)
and sends it together with the unused $(s, \sigma, D)$ to the bank.

(2) Verifications.
Firstly, the bank checks the correctness of the expiration date $D$ and makes sure $\rho$ does not exist in the exchange list. Secondly, the bank verifies whether $s^{e_b} H_1(\rho) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$. Finally, if all of the above facts are verified successfully, the bank will accept to
[Figure 3: Deposit protocol. The shop computes $r_4 = r_2 - x_2 H_5(d)$ with deposit date $d$ and sends $(s, y_1, w_1, y_2, w_2, r_3, r_4, \sigma, D, d, s', r_u, r_s)$; the bank checks the validity of $D$ and $d$, checks $w_2 = y_2^{H_5(d)} g_2^{r_4} \bmod p$ and $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \bmod p$, verifies $s^{e_b} H_1^2(y_1, w_1, y_2, w_2, D, r_3) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$, and checks whether $(s, m, \sigma, D)$ is unique: if yes, it stores the coin in the deposit list; if no, it traces the owner of the coin.]

[Figure 4: E-cash renewal protocol. The user sends $(s, \rho, \sigma, D)$ with $\rho = H_1(y_1, w_1, y_2, w_2, D, r_3)$; the bank checks the expiration date $D$, verifies $s^{e_b} H_1(\rho) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$, checks whether $\rho$ exists in the exchange list and whether $s$ is unique (if yes, it accepts the exchange and stores $\rho$ in the exchange list; if no, it rejects and traces the owner of the coin), and returns a new expiration date $D'$; the user then recomputes the blinded value $[a^{e_b} H_1^2(y_1, w_1, y_2, w_2, D', r'_3)]^{-1} \bmod n_b$, sends it with $\epsilon$, and the withdrawal protocol is repeated.]
exchange the e-cash. It sends a new expiration date $D'$ and stores $\rho$ in the exchange list. Otherwise, it rejects the exchange request.

(3) User → Bank: ( , $\epsilon$).
The user computes
$\quad = [a^{e_b} H_1^2(m', D')]^{-1} \bmod n_b,$ (9)
where $m' = (y_1, w_1, y_2, w_2, x_2, r'_3)$, $r'_3$ is a random number, and $D'$ is the new expiration date issued by the bank. The user sends ( , $\epsilon$, $\mathrm{ID}_c$) to the bank. Then the bank repeats the withdrawal protocol of Section 3.2.2 from Step 2 with the user.
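The blind-signature algebra of the withdrawal protocol, (1) to (5), together with the renewal check of step (2) above, in which the bank rebuilds $H_1^2(m, D)$ from $\rho = H_1(m, D)$ alone, as an added Python example (not the authors' code). It uses a constructed toy RSA key for the bank (far too small for real use), SHA-256 reduced modulo $n_b$ for $H_1$, $H_2$, $H_3$, a constructed tuple in place of $m = (y_1, w_1, y_2, w_2, r_3)$, and treats the judge's ciphertext $\sigma$ as an opaque byte string, since only $H_3(\sigma, D)$ enters the signature; the symmetric transport $E_k(b, \sigma, r_j)$ is omitted and the values are passed directly. All function names are assumptions.

```python
"""Toy model of the DAOECS withdrawal algebra (eqs. 1-5) and renewal check (8).
Added example, not the authors' code; all parameters are constructed toys."""
import hashlib
import secrets

# Constructed toy bank key from two Mersenne primes (NOT a secure key size).
P_B = 2**61 - 1
Q_B = 2**89 - 1
N_B = P_B * Q_B
E_B = 65537
D_B = pow(E_B, -1, (P_B - 1) * (Q_B - 1))   # e_b * d_b = 1 (mod phi(n_b))


def _h(label, *parts):
    """Domain-separated SHA-256 over length-prefixed encodings of the inputs."""
    h = hashlib.sha256(label.encode())
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big")


def H1(*parts): return _h("H1", *parts) % N_B
def H2(*parts): return _h("H2", *parts) % N_B
def H3(*parts): return _h("H3", *parts) % N_B


def H1_sq(m, D):
    """H_1^2(m, D) = H_1(H_1(m, D)); renewal recomputes it from rho = H_1(m, D)."""
    return H1(H1(*m, D))


def user_blind(m, D):
    """Withdrawal step 2: alpha = [a^{e_b} H_1^2(m, D)]^{-1} mod n_b (eq. 1)."""
    a = secrets.randbelow(N_B - 2) + 2                        # a in Z*_{n_b}
    alpha = pow(pow(a, E_B, N_B) * H1_sq(m, D) % N_B, -1, N_B)
    return a, alpha


def judge_blind(sigma, D):
    """Withdrawal step 4: beta = [b^{e_b} H_3(sigma, D)]^{-1} mod n_b (eq. 2)."""
    b = secrets.randbelow(N_B - 2) + 2                        # b in Z*_{n_b}
    beta = pow(pow(b, E_B, N_B) * H3(sigma, D) % N_B, -1, N_B)
    return b, beta


def bank_sign(alpha, beta, D):
    """Withdrawal step 5: t = (alpha * beta * H_2(D))^{d_b} mod n_b (eq. 3)."""
    return pow(alpha * beta % N_B * H2(D) % N_B, D_B, N_B)


def user_unblind(a, b, t):
    """Withdrawal step 6: s = a * b * t mod n_b (eq. 4)."""
    return a * b % N_B * t % N_B


def verify_coin(s, m, sigma, D):
    """Eq. (5): s^{e_b} H_1^2(m, D) H_3(sigma, D) == H_2(D) (mod n_b)."""
    lhs = pow(s, E_B, N_B) * H1_sq(m, D) % N_B * H3(sigma, D) % N_B
    return lhs == H2(D)


def verify_renewal(s, rho, sigma, D):
    """Renewal step 2: the bank sees only rho = H_1(m, D) and applies H_1 once more."""
    lhs = pow(s, E_B, N_B) * H1(rho) % N_B * H3(sigma, D) % N_B
    return lhs == H2(D)


def withdraw(m, D, sigma):
    """Run the four algebraic steps; return the coin s and the bank's view."""
    a, alpha = user_blind(m, D)
    b, beta = judge_blind(sigma, D)
    t = bank_sign(alpha, beta, D)
    return user_unblind(a, b, t), (alpha, beta, t)


def demo():
    """Constructed sample: m stands in for (y1, w1, y2, w2, r3)."""
    m = (11, 22, 33, 44, 55)
    D = "2014-06-30"                    # constructed expiration date D
    sigma = b"sigma-from-judge-device"  # constructed opaque judge ciphertext
    s, (alpha, beta, t) = withdraw(m, D, sigma)
    return (
        verify_coin(s, m, sigma, D),              # the unblinded coin verifies
        verify_renewal(s, H1(*m, D), sigma, D),   # renewal accepts rho without m
        verify_coin(s, m, sigma, "2014-07-31"),   # a different D is rejected
        verify_coin(t, m, sigma, D),              # the bank's t is not a coin
    )
```

The bank never sees $a$, $b$ or $s$: it signs $\alpha\beta H_2(D)$, and the user's multiplication by $ab$ strips both blinding factors, which is exactly why $s^{e_b} = H_2(D) / (H_1^2(m, D) H_3(\sigma, D))$ holds in `verify_coin`. `verify_renewal` shows the point of hashing twice: the bank can check the coin given $\rho$ and record $\rho$ in the exchange list without learning the preimage $m$.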
3.2.6. Double-Spending Checking and Anonymity Control. In our scheme the identities of users are anonymous in general, except when users violate any security rules, in which case their identities are revealed.

(1) Double-Spending Checking.
When an e-cash is doubly spent, there must be two e-cash(s) with the same record prefixed by $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$ stored in the database of the bank. Therefore, the bank is able to detect any double-spent e-cash easily by checking the above parameters. For instance, suppose the bank has received the two e-cash(s) (the transaction-specific values of the second one are marked with a tilde)
$(s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, s', r_u, r_s),$
$(s, y_1, w_1, y_2, w_2, x_2, r_3, \tilde{r}_4, \sigma, D, \tilde{d}, \tilde{s}', \tilde{r}_u, \tilde{r}_s).$ (10)
Thus the bank obtains the following two equations:
$s' \equiv r_1 - H_4(r_u, r_s)\, x_1 \pmod q,$
$\tilde{s}' \equiv r_1 - H_4(\tilde{r}_u, \tilde{r}_s)\, x_1 \pmod q.$ (11)
The bank can derive $(x_1, r_1)$ from the above equations and send $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ to the judge to trace the owner of the e-cash.

(2) Revocation.
The judge can trace any user who doubly spends e-cash(s) or violates any transaction regulations. When the judge receives $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ from the bank, it checks the following equations:
$s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b},$
$y_1 \equiv g_1^{x_1} \pmod p,$
$w_1 \equiv g_1^{r_1} \pmod p.$ (12)
If all of the above equalities hold, the judge decrypts $\sigma$ and returns the extracted $\mathrm{ID}_c$ to the bank.

[Figure 5: The game environment of the linkage game. A random bit $b$ is chosen; the bank $\mathcal{B}$ engages with users $U_0$ and $U_1$, which output $(m_b, \sigma_b)$ and $(m_{1-b}, \sigma_{1-b})$; $\mathcal{B}$ outputs $b'$ and wins if $b' = b$; $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = |2\Pr[b' = b] - 1|$.]
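The payment response (6), the deposit check (7) and the double-spending identification of (10) to (12), as an added Python example (not the authors' code). The group $(p, q, g_1, g_2)$ is constructed at import time from a 61-bit prime $q$ (far too small for real use), $H_4$ and $H_5$ are SHA-256 reduced modulo $q$, and the RSA signature check (5) and the judge's decryption of $\sigma$ are left out, so the judge here verifies only the discrete-log relations of (12). All function names are assumptions. The block also handles the case the text does not spell out: two deposits of the same coin under identical challenges yield the same equation twice, so nothing can be solved.

```python
"""Toy model of the DAOECS payment (eq. 6), deposit check (eq. 7) and
double-spending identification (eqs. 10-12).  Added example, not the authors' code."""
import hashlib
import secrets

Q = 2**61 - 1   # constructed subgroup order (a Mersenne prime); toy size only

def _is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _make_group(q):
    """Find a prime p = k*q + 1 and two elements of order q in Z_p^*: h^k has order
    dividing the prime q, so its order is exactly q whenever h^k != 1."""
    k = 2
    while not _is_prime(k * q + 1):
        k += 2
    p = k * q + 1
    gens = [g for g in (pow(h, k, p) for h in range(2, 50)) if g != 1][:2]
    return p, gens[0], gens[1]

P, G1, G2 = _make_group(Q)

def _h(label, *parts):
    """Domain-separated SHA-256 over length-prefixed encodings, reduced modulo q."""
    h = hashlib.sha256(label.encode())
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % Q

def H4(*parts): return _h("H4", *parts)
def H5(*parts): return _h("H5", *parts)

def user_keygen():
    """Withdrawal-time secrets and the public y_i = g_i^{x_i}, w_i = g_i^{r_i} (mod p)."""
    x1, x2, r1, r2 = (secrets.randbelow(Q) for _ in range(4))
    pub = {"y1": pow(G1, x1, P), "w1": pow(G1, r1, P),
           "y2": pow(G2, x2, P), "w2": pow(G2, r2, P)}
    return {"x1": x1, "x2": x2, "r1": r1, "r2": r2}, pub

def user_respond(sec, r_s):
    """Payment step 3: s' = (r_1 - u x_1) mod q with u = H_4(r_u, r_s)  (eq. 6)."""
    r_u = secrets.randbelow(Q - 1) + 1
    u = H4(r_u, *r_s)
    return (sec["r1"] - u * sec["x1"]) % Q, r_u

def shop_verify(pub, r_s, s_prime, r_u):
    """Payment step 4: w_1 == y_1^{H_4(r_u, r_s)} g_1^{s'} (mod p)."""
    return pub["w1"] == pow(pub["y1"], H4(r_u, *r_s), P) * pow(G1, s_prime, P) % P

def shop_deposit_tag(x2, r2, d):
    """Deposit step 1: r_4 = r_2 - x_2 H_5(d) binds the deposit date d to the coin."""
    return (r2 - x2 * H5(d)) % Q

def bank_verify_deposit(pub, d, r4, r_s, s_prime, r_u):
    """Deposit step 2, eq. (7): both discrete-log relations must hold."""
    return (pub["w2"] == pow(pub["y2"], H5(d), P) * pow(G2, r4, P) % P
            and shop_verify(pub, r_s, s_prime, r_u))

def identify_double_spender(t1, t2):
    """Eq. (11): two transcripts (r_s, s', r_u) of one coin under different challenges
    are two linear equations in (r_1, x_1) mod q; solve them.  Same challenge: None."""
    (rs1, sp1, ru1), (rs2, sp2, ru2) = t1, t2
    u1, u2 = H4(ru1, *rs1), H4(ru2, *rs2)
    if u1 == u2:
        return None
    x1 = (sp1 - sp2) * pow((u2 - u1) % Q, -1, Q) % Q
    return x1, (sp1 + u1 * x1) % Q

def judge_check(pub, x1, r1):
    """Eq. (12), discrete-log part: y_1 == g_1^{x_1} and w_1 == g_1^{r_1} (mod p)."""
    return pub["y1"] == pow(G1, x1, P) and pub["w1"] == pow(G1, r1, P)

def double_spend_scenario():
    """Spend one coin at two shops, deposit both, and recover (x_1, r_1) at the bank."""
    sec, pub = user_keygen()
    transcripts = []
    for shop_id, date in (("shop-A", "2014-05-20"), ("shop-B", "2014-05-21")):
        r_s = (shop_id, secrets.token_hex(16))             # payment step 2 challenge
        s_prime, r_u = user_respond(sec, r_s)
        r4 = shop_deposit_tag(sec["x2"], sec["r2"], date)  # shop got (x2, r2) in step 1
        if not bank_verify_deposit(pub, date, r4, r_s, s_prime, r_u):
            return False
        transcripts.append((r_s, s_prime, r_u))
    recovered = identify_double_spender(*transcripts)
    return recovered == (sec["x1"], sec["r1"]) and judge_check(pub, *recovered)
```

A single transcript reveals nothing about $x_1$ because $r_1$ masks it; the second transcript with a fresh challenge supplies the second equation, and subtracting them cancels $r_1$ and leaves $(u_2 - u_1) x_1$, which is invertible modulo the prime $q$. The shop's identity inside $r_s$ is what keeps two honest shops from accidentally issuing the same challenge.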
4. Security Proofs

In this section we provide security definitions and formal proofs of the following security features of our proposed date attachable offline electronic cash scheme (DAOECS): unlinkability, unforgeability, traceability, and no-swindling.

4.1. E-Cash Unlinkability. Based on the definition of unlinkability introduced by Abe and Okamoto [35] and Juels et al. [36], we formally define the unlinkability property of DAOECS.

Definition 1 (The Linkage Game). Let $U_0$, $U_1$ and $\mathcal{J}$ be two honest users and the judge that follow DAOECS, respectively. Let $\mathcal{B}$ be the bank that participates in the following game with $U_0$, $U_1$ and $\mathcal{J}$. The game environment is shown in Figure 5.

Step 1. According to DAOECS, $\mathcal{B}$ generates the bank's public key $(e_b, n_b)$, the bank's private key $(d_b, p_b, q_b)$, the system parameters $(p, q, g_1, g_2)$, the expiration date $D$, and the five public one-way hash functions $H_1, H_2, H_3, H_4$ and $H_5$. $\mathcal{J}$ generates the judge's public-private key pair $(pk_j, sk_j)$.

Step 2. $\mathcal{B}$ generates $x_{1i}, x_{2i}, r_{1i}, r_{2i}, r_{3i}$ at random, where $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \dots, q-1\}$, and computes $(y_{ki}, w_{ki})$ for $k = 1, 2$ and $i = 0, 1$, where $y_{ki} = g_k^{x_{ki}} \bmod p$ and $w_{ki} = g_k^{r_{ki}} \bmod p$.

Step 3. We choose a bit $b \in \{0,1\}$ randomly and place $(y_{1b}, w_{1b}, y_{2b}, w_{2b})$ and $(y_{1,1-b}, w_{1,1-b}, y_{2,1-b}, w_{2,1-b})$ on the private input tapes of $U_0$ and $U_1$, respectively, where $b$ is not disclosed to $\mathcal{B}$.

Step 4. $\mathcal{B}$ performs the withdrawal protocol of DAOECS with $U_0$ and $U_1$, respectively.

Step 5. If $U_0$ and $U_1$ output two e-cash(s) $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$, where $m_i = (y_{1i}, w_{1i}, y_{2i}, w_{2i}, r_{3i})$, on their private tapes, respectively, we give the two e-cash(s) in a random order to $\mathcal{B}$; otherwise $\perp$ is given to $\mathcal{B}$.
Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k)$:
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $\{(s_1, m_1, \sigma_1, D_1), \dots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1})\} \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s_i^{e_b} H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod{n_b}$ for all $i \in \{1, \dots, \ell+1\}$
        (ii) $m_1, \dots, m_{\ell+1}$ are all distinct
    else return 0

Algorithm 1: Experiment FG-1.
Step 6. $\mathcal{B}$ outputs $b' \in \{0,1\}$ as the guess of $b$. The bank $\mathcal{B}$ wins the game if $b' = b$ and $\mathcal{J}$ has not revoked the anonymity of $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$ to $\mathcal{B}$. We define the advantage of $\mathcal{B}$ as
$\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = \left| 2\Pr[b' = b] - 1 \right|,$ (13)
where $\Pr[b' = b]$ denotes the probability of $b' = b$.

Definition 2 (Unlinkability). A DAOECS satisfies the unlinkability property if and only if the advantage $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B})$ defined in Definition 1 is negligible.

Theorem 3. A DAOECS satisfies the unlinkability property of Definition 2 if the adopted cryptosystems are semantically secure.

Proof. If $\mathcal{B}$ is given $\perp$ in Step 5 of the game, it determines $b$ with probability $1/2$, which is exactly the same as a random guess of $b$.
Here we assume that $\mathcal{B}$ gets two e-cash(s) $(s_0, m_0, \sigma_0, D_0)$ and $(s_1, m_1, \sigma_1, D_1)$. Let $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{ji}))$, $i \in \{0,1\}$, be the view of the data exchanged between $U_i$ and $\mathcal{B}$ in the withdrawal protocol (Section 3.2.2), and let $(x_{2i}, r_{2i}, r_{4i}, r_{ui}, r_{si}, s'_i, d_i)$ be the view of the data exchanged when $\mathcal{B}$ performs the payment protocol (Section 3.2.3) and the deposit protocol (Section 3.2.4) by using $(s_i, m_i, \sigma_i, D_i)$, where $i \in \{0,1\}$. For
$(s, m, \sigma, D, x_2, r_2, r_4, r_u, r_s, s', d) \in \{(s_0, m_0, \sigma_0, D_0, x_{20}, r_{20}, r_{40}, r_{u0}, r_{s0}, s'_0, d_0),\ (s_1, m_1, \sigma_1, D_1, x_{21}, r_{21}, r_{41}, r_{u1}, r_{s1}, s'_1, d_1)\}$ (14)
and $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{ji}))$, $i \in \{0,1\}$, there always exists a pair $(a'_i, b'_i)$ such that
$a'_i = [\alpha_i H_1^2(m, D)]^{-d_b} \bmod n_b$ (via (1)),
$b'_i = [\beta_i H_3(\sigma, D)]^{-d_b} \bmod n_b$ (via (2)). (15)
And from (3), $t_i \equiv (\alpha_i \beta_i H_2(D))^{d_b} \pmod{n_b}$, so (4) always holds, as
$s \equiv a'_i b'_i t_i \equiv [(H_1^2(m, D) H_3(\sigma, D))^{-1} H_2(D)]^{d_b} \pmod{n_b}.$ (16)
Besides, $E_{pk_j}$ and $E_{k_i}$ are semantically secure encryption functions, so $\mathcal{B}$ cannot learn any information from $\epsilon_i$ and $E_{k_i}(b_i, \sigma_i, r_{ji})$.

From the above, given any $(s, m, \sigma, D) \in \{(s_0, m_0, \sigma_0, D_0), (s_1, m_1, \sigma_1, D_1)\}$ and $(\alpha_i, \beta_i, t_i)$, where $i \in \{0,1\}$, there always exists a corresponding pair $(a'_i, b'_i)$ such that (1), (2), (3) and (4) are satisfied. Thus, going back to Step 6 of the game, the bank $\mathcal{B}$ succeeds in determining $b$ with probability $1/2 + \varepsilon$, where $\varepsilon$ is negligible since $E_{pk_j}$ and $E_{k_i}$ are semantically secure. Therefore we have $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = 2\varepsilon$, which is negligible, so that DAOECS satisfies the unlinkability property.
4.2. E-Cash Unforgeability. In this section we formally prove that the proposed date attachable offline electronic cash scheme (DAOECS) is secure against forgery attacks. Forgery attacks can be roughly divided into two types: one is the typical one-more forgery type (i.e., $(\ell, \ell+1)$-forgery) [37], and the other is a forgery on some specific expiration date of an e-cash after sufficient communications with the signing oracle (i.e., the bank). The details of the definitions and our formal proofs are described as follows.

Definition 4 (Forgery Game 1 in DAOECS (FG-1)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS and is responsible for issuing e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $\mathcal{A}$. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k)$ shown in Algorithm 1. $\mathcal{A}$ wins the forgery game FG-1 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Definition 5 (Forgery Game 2 in DAOECS (FG-2)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS and takes charge of the following two events:
(i) issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $\mathcal{A}$;
(ii) record the total number $\ell_{D_i}$ of each distinct expiration date $D_i$.
$\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(l_k)$ shown in Algorithm 2. $\mathcal{A}$ wins the forgery game
Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(l_k)$:
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $\{(s_i, m_i, \sigma_i, D^*) : 1 \le i \le \ell_{D^*} + 1\} \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s_i^{e_b} H_1^2(m_i) H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$ for all $i \in \{1, \dots, \ell_{D^*} + 1\}$
        (ii) $m_1, \dots, m_{\ell_{D^*}+1}$ are all distinct
    else return 0

Algorithm 2: Experiment FG-2.

Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_{\mathcal{A}}(k)$:
    $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
    $(y_1, \dots, y_m) \leftarrow \mathcal{O}_t(N, e, k)$
    $(\pi, (x_1, y_1), \dots, (x_n, y_n)) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
    if the following checks are true, return 1:
        (i) $\pi: \{1, \dots, n\} \to \{1, \dots, m\}$ is injective
        (ii) $x_i^e \equiv y_i \pmod N$ for all $i \in \{1, \dots, n\}$
        (iii) $n > q_h$
    else return 0

Algorithm 3.
FG-2 if the probability Pr[ExpFG-2A (119896) = 1] ofA is nonnegli-gible
Here we introduce the hard problems used in our proofmodels
Definition 6 (Alternative Formulation of RSA Chosen-TargetInversion Problem (RSA-ACTI)) Let 119896 isin N be a securityparameter and A be an adversary who is allowed to accessthe RSA-inversion oracle Oinv and the target oracle O
119905 A is
allowed to queryO119905andOinv for119898 and 119902
ℎtimes respectively
Consider Algorithm 3We sayA breaks the RSA-ACTI problem if the probability
Pr[ExpRSA-ACTIA (119896) = 1] ofA is nonnegligible
Definition 7 (The RSA Inversion Problem) Given (119890 119899)where 119899 is the product of two distinct large primes 119901 and119902 with roughly the same length and 119890 is a positive integerrelatively-prime to (119901 minus 1)(119902 minus 1) and a randomly-chosenpositive integer 119910 less than 119899 find an integer 119909 such that119909119890
equiv 119910 (mod 119899)
Definition 8 (E-Cash Unforgeability) If there exists no prob-abilistic polynomial-time adversary who canwin FG-1 or FG-2 thenDAOECS is secure against forgery attacks
Theorem 9 For a polynomial-time adversary A who canwin FG-1 or FG-2 with nonnegligible probability there existsanother adversaryS who can break the RSA-ACTI problem orRSA inversion problem with nonnegligible probability
Proof S simulates the environment and controls three hashoracles O
1198671 O
1198672 O
1198673and an e-cash producing oracle O
119878
of DAOECS scheme to respond to different queries fromA in the random oracle model and takes advantage of Ato solve RSA-ACTI problem or RSA inversion problemsimultaneouslyThen for consistencySmaintains three listsL
1198671 L
1198672 and L
1198673to record every response of O
1198671 O
1198672
and O1198673 respectively
Here we will start to do the simulation for the two games(ie FG-1 and FG-2) to prove DAOECS is secure againstforgery attacks The details of simulation are set below andillustrated in Figures 6 and 7 respectively
Simulation in FG-1. In this proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-ACTI problem defined in Definition 6 to help $\mathcal{S}$ produce e-cash(s), and the corresponding verifying key is $(e, n)$.
(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1^2(m_i)$ and returns it to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ queries $\mathcal{O}_t$ to get an instance $y$ and returns it to $\mathcal{A}$, then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), y)$ in $\mathcal{L}_{H_1}$;
(d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$ and returns $\rho$ to $\mathcal{A}$.
(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$ and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.
(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ will be retrieved and $(\eta^e \bmod n)$ will be returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, record $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$ and return $(\eta^e \bmod n)$ back to $\mathcal{A}$.

[Figure 6: The proof model of FG-1 (figure not reproduced).]

[Figure 7: The proof model of FG-2 (figure not reproduced).]
(iv) E-Cash Producing Query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e \bmod n)$ and store $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$ as in the $\mathcal{O}_{H_2}$ query described above;
(6) send $(\alpha \beta \tau^e)$ to the oracle $\mathcal{O}_{\mathrm{inv}}$ to get $t = (\alpha \beta \tau^e)^d \bmod n$;
(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.
Eventually, assume that $\mathcal{A}$ can successfully output $\ell + 1$ e-cash tuples
$$(s_1, m_1, \sigma_1, D_1), \cdots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \tag{17}$$
where the $m_i$ are all distinct, $\forall i$, $1 \le i \le \ell + 1$, such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) = H_2(D_i) \pmod n$, after $\ell$ queries to $\mathcal{O}_S$, with nonnegligible probability $\epsilon_{\mathcal{A}}$. According to $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$ and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve the RSA-inversion instances ($\forall i$, $1 \le i \le \ell + 1$)
$$(y_i)^d \equiv \left(H_1^2(m_i)\right)^d \equiv s_i^{-1}\left(H_3(\sigma_i, D_i)^{-1} H_2(D_i)\right)^d \equiv s_i^{-1}\eta_i^{-1}\tau_i \pmod n. \tag{18}$$
Via $\mathcal{A}$ querying the signing oracle $\mathcal{O}_S$ for $\ell$ times (i.e., $\mathcal{S}$ queries $\mathcal{O}_{\mathrm{inv}}$ for $\ell$ times), $\mathcal{S}$ can output $\ell + 1$ RSA-inversion instances
$$\left(s_1^{-1}\eta_1^{-1}\tau_1,\ y_1\right), \left(s_2^{-1}\eta_2^{-1}\tau_2,\ y_2\right), \ldots, \left(s_{\ell+1}^{-1}\eta_{\ell+1}^{-1}\tau_{\ell+1},\ y_{\ell+1}\right) \tag{19}$$
and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
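As an added example that is not part of the paper, the following Python models the bank's issuing steps (4) to (7), the verification equation $s^e H_1^2(m) H_3(\sigma, D) \equiv H_2(D) \pmod n$, and the extraction in (18) performed by a simulator that has programmed $H_3(\sigma, D) = \eta^e$ and $H_2(D) = \tau^e$. The hash instantiation, the blinding form $\alpha = H_1^2(m)^{-1} u^e$, the toy RSA key and all sample inputs are assumptions or constructed values, not taken from the page.

```python
"""Added example (not code from the paper): the DAOECS-style issuing step,
the verification equation the forgery proofs rely on,
    s^e * H1^2(m) * H3(sigma, D) == H2(D) (mod n),
and the FG-1 extraction step (18): a simulator that programmed
H3(sigma, D) = eta^e and H2(D) = tau^e turns any valid coin into the RSA
inverse of y = H1^2(m), namely y^d = s^{-1} * eta^{-1} * tau.
Assumptions not fixed by the page: H1/H2/H3 are SHA-256 reduced mod n,
H1^2(m) = H1(H1(m)), the user's blinding is alpha = H1^2(m)^{-1} * u^e, and
E_k(b, sigma, r_j) is omitted (b is returned in the clear). The RSA key is a
constructed toy key, far too small for real use."""
import hashlib
import secrets

P = (1 << 61) - 1   # constructed toy primes (both Mersenne); NOT secure sizes
Q = (1 << 89) - 1
N = P * Q
E = 65537
PRIV = pow(E, -1, (P - 1) * (Q - 1))   # d; only the bank (oracle O_inv) uses it


def _rand_unit():
    """Random element of Z_n; invertible except with negligible probability."""
    return secrets.randbelow(N - 2) + 2


def _h(tag, *parts):
    """Domain-separated SHA-256 reduced into Z_n (assumed hash instantiation)."""
    data = tag.encode() + b"|" + b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class Oracles:
    """H1, H2, H3 as random oracles; `programmed` is the simulator's table
    (the lists L_H2 / L_H3 of the proof) and overrides the real hash."""

    def __init__(self):
        self.programmed = {}

    def _q(self, tag, *args):
        return self.programmed.get((tag, args), _h(tag, *args))

    def H1(self, m):
        return self._q("H1", m)

    def H1_sq(self, m):            # H1^2(m) = H1(H1(m))
        return self.H1(self.H1(m))

    def H2(self, D):
        return self._q("H2", D)

    def H3(self, sigma, D):
        return self._q("H3", sigma, D)


def user_blind(ro, m):
    """User: alpha = H1^2(m)^{-1} * u^e mod n with a fresh blinding factor u."""
    u = _rand_unit()
    alpha = pow(ro.H1_sq(m), -1, N) * pow(u, E, N) % N
    return alpha, u


def bank_issue(ro, alpha, sigma, D, rsa_inv):
    """Bank, steps (4)-(6): beta = (b^e * H3(sigma, D))^{-1},
    t = (alpha * beta * H2(D))^d.  `rsa_inv` is (.)^d, i.e. the oracle O_inv."""
    b = _rand_unit()
    beta = pow(pow(b, E, N) * ro.H3(sigma, D) % N, -1, N)
    t = rsa_inv(alpha * beta * ro.H2(D) % N)
    return t, b


def user_unblind(t, b, u):
    """User: s = t * b * u^{-1} = (H1^2(m) * H3(sigma, D))^{-d} * H2(D)^d."""
    return t * b % N * pow(u, -1, N) % N


def verify(ro, s, m, sigma, D):
    """The verification equation used in the proofs."""
    lhs = pow(s, E, N) * ro.H1_sq(m) % N * ro.H3(sigma, D) % N
    return lhs == ro.H2(D)


def simulator_program(ro, sigma, D):
    """FG-1 simulator: answer H3(sigma, D) with eta^e and H2(D) with tau^e
    for random eta, tau that it records (it can then take e-th roots)."""
    eta, tau = _rand_unit(), _rand_unit()
    ro.programmed[("H3", (sigma, D))] = pow(eta, E, N)
    ro.programmed[("H2", (D,))] = pow(tau, E, N)
    return eta, tau


def extract_inversion(ro, s, m, eta, tau):
    """Equation (18): y^d = s^{-1} * eta^{-1} * tau for y = H1^2(m).
    Returns (x, y, x^e == y), an RSA-inversion instance plus its check."""
    y = ro.H1_sq(m)
    x = pow(s, -1, N) * pow(eta, -1, N) % N * tau % N
    return x, y, pow(x, E, N) == y


def run_demo():
    """Issue one coin honestly, verify it, reject a copy with a swapped sigma,
    and run the simulator's extraction. Returns three booleans."""
    ro = Oracles()
    m, sigma, D = "w1|y1|w2|y2|r3|2014-12-31", "sigma-ID-blob", "2014-12-31"
    eta, tau = simulator_program(ro, sigma, D)       # simulator's programming
    alpha, u = user_blind(ro, m)
    t, b = bank_issue(ro, alpha, sigma, D, lambda v: pow(v, PRIV, N))
    s = user_unblind(t, b, u)
    ok = verify(ro, s, m, sigma, D)
    tampered = verify(ro, s, m, "other-sigma", D)    # ID ciphertext replaced
    _, _, extracted = extract_inversion(ro, s, m, eta, tau)
    return ok, tampered, extracted
```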
Simulation in FG-2. Initially, $\mathcal{S}$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.
(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\rho_i$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma$ and returns $(\varsigma^e \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ selects a random $\varsigma \in \mathbb{Z}_n$, returns $(\varsigma^e \bmod n)$ to $\mathcal{A}$ and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
(d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$ and returns $\rho$ to $\mathcal{A}$.
(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$ and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.
(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ will be retrieved and returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e y \bmod n)$, record $((\sigma, D), \eta, H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$ and return $H_3(\sigma, D)$ back to $\mathcal{A}$.
(iv) E-Cash Producing Query of $\mathcal{O}_S$. Let $\ell_{D_i}$ be a counter recording the number of queries on each expiration date $D_i$, initialized to 0. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$ and store $((\sigma, D), \perp, (\alpha \eta^e \bmod n))$ and $(\sigma, D)$ in $\mathcal{L}_{H_3}$ and $\mathcal{L}_x$, respectively;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$ as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv \left((b\eta)^{-1}\tau\right) \pmod n$;
(7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.
Eventually, assume that $\mathcal{A}$ can successfully output $\ell_{D'} + 1$ e-cash tuples for some expiration date $D'$
$$(s_1, m_1, \sigma_1, D'), \cdots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D') \tag{20}$$
such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D') = H_2(D') \pmod n$, $\forall i$, $1 \le i \le \ell_{D'} + 1$, after $\ell_{D'}$ queries to $\mathcal{O}_S$ on $D'$, with nonnegligible probability $\epsilon_{\mathcal{A}}$.
Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'} + 1$, is not recorded in $\mathcal{L}_x$; then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$ and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve
$$(s_i)^e \equiv \left(H_1^2(m_i) H_3(\sigma_i, D')\right)^{-1} H_2(D') \equiv \left((\varsigma_i^e)(\eta_i^e y)\right)^{-1}(\tau_i^e) \pmod n,$$
$$x \equiv y^d \equiv (s_i \varsigma_i \eta_i)^{-1}\tau_i \pmod n \tag{21}$$
and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
4.3. E-Cash Conditional-Traceability. In this section we will prove that the ID information embedded in e-cash(s) cannot be replaced or removed by any user to avoid being traced after some misbehavior or crime. The details of our proof model are illustrated in Figure 8.
Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS to record parameters from the queries of $\mathcal{A}$ and issue e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider Algorithm 4. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Experiment $\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
    $\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow \mathcal{O}_S$
    if the following two checks are true, return 1:
        (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$
        (ii) $s'^{e} H_1^2(m') H_3(\sigma', D') = H_2(D') \bmod n$
    else return 0
Algorithm 4

[Figure 8: The proof model of TG (figure not reproduced).]
Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies E-Cash Traceability.
Definition 12 (Alternative Formulation of the RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5. We say $\mathcal{A}$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\text{RSA-AKTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.
Theorem 13. For a polynomial-time adversary $\mathcal{A}$ who can win the tracing game TG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-AKTI problem with nonnegligible probability.

Experiment $\mathrm{Exp}^{\text{RSA-AKTI}}_{\mathcal{A}}(k)$
    $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
    $(y_1, \ldots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$
    $((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
    if $x_i^e \equiv y_i \pmod N$ $\forall i \in \{1, \ldots, q_t\}$, return 1
    else return 0
Algorithm 5
Proof. $\mathcal{S}$ simulates the environment of DAOECS by controlling three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ to respond to hash queries and an e-cash producing oracle $\mathcal{O}_S$ of DAOECS to respond to e-cash producing queries from $\mathcal{A}$, respectively, in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the RSA-AKTI problem. Then, for consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$ and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$ and $\mathcal{O}_{H_3}$, respectively.
Besides, in the proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12 to help $\mathcal{S}$ produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.
Here we will do the simulation for the game TG to prove that DAOECS satisfies e-cash traceability. Details are described as follows.
(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^e \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^e \bmod n)$ and returns $H_1^2(m_i)$ to $\mathcal{A}$, then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
(d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m_i) = \rho$, records $(m, H_1(m_i), \perp)$ in $\mathcal{L}_{H_1}$ and returns $\rho$ to $\mathcal{A}$.
(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$ and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.
(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will query $\mathcal{O}_t$ to get an instance $y$, and record $y$ and $((\sigma, D), y)$ in $\mathcal{L}_T$ and $\mathcal{L}_{H_3}$, respectively;
(c) return $y$ back to $\mathcal{A}$.
(iv) E-Cash Producing Query of $\mathcal{O}_S$. While $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$ and store $((\sigma, D), H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$ as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv \left((b\eta)^{-1}\tau\right) \pmod n$;
(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.
Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of any $\mathcal{O}_S$ query, such that $s'^{e} H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$. Then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$ and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can derive
$$(y')^d \equiv \left(H_3(\sigma', D')\right)^d \equiv s'^{-1}\left(H_1^2(m')^{-1} H_2(D')\right)^d \equiv s'^{-1}\varsigma'^{-1}\tau' \pmod n. \tag{22}$$
Let $|\mathcal{L}_T| = q_t$ and $\mathcal{L}_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends $y_i \in (\mathcal{L}_T \setminus \{y'\})$, $1 \le i \le (q_t - 1)$, to $\mathcal{O}_{\mathrm{inv}}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$.
Eventually $\mathcal{S}$ can output $q_t$ RSA-inversion instances
$$(x_1, y_1), (x_2, y_2), \ldots, (x_{q_t-1}, y_{q_t-1}), \left(s'^{-1}\varsigma'^{-1}\tau',\ y'\right) \tag{23}$$
after querying $\mathcal{O}_{\mathrm{inv}}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has been spent in a previous transaction, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model the merchant may accept a transaction involving a double-spent e-cash first and do the double-spending check later. In this case the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two events:
(i) No one except the real owner can spend a fresh and valid offline e-cash successfully.
(ii) No one can double spend an e-cash successfully
Roughly, this is referred to as the e-cash no-swindling property. In this section we will define the no-swindling property and formally prove that our scheme is secure against swindling attacks.
Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $\mathcal{O}_{\mathrm{off}}$ is an oracle which shows the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively.
$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.
Experiment $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s^{e_b} H_1^2\left(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\right) H_3(\sigma, D) = H_2(D) \bmod n_b$
        (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ was never a query to $\mathcal{O}_{\mathrm{off}}$
    else return 0
Algorithm 6: Experiment SWG-1
Experiment $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s^{e_b} H_1^2\left(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\right) H_3(\sigma, D) = H_2(D) \bmod n_b$
        (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{\mathrm{off}}$ only once
        (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ was not obtained from $\mathcal{O}_{\mathrm{off}}$
    else return 0
Algorithm 7: Experiment SWG-2
Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.
Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.
Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. Then, for consistency, $\mathcal{S}$ maintains a list $\mathcal{L}_{H_4}$ to record every response of $\mathcal{O}_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we will describe the simulations for the two experiments $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}$ and $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}$ individually.
The simulation for $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.
(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
(a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(b) if $i = \nu$: (1) compute $(w_1 = (y^*)^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
(c) if $i \neq \nu$: (1) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
(d) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $\mathcal{L}_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.
(ii) Oracle $\mathcal{O}_{\mathrm{off}}$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it will look up the list $\mathcal{L}_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
(b) otherwise $\mathcal{O}_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.
Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$ where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $\mathcal{L}_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*}$, $\mathcal{S}$ can derive
$$x^* = (r_1^*)^{-1}\left(x_1^* H_4(r_u^*, r_s^*) + s'^*\right) \bmod q \tag{24}$$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

[Figure 9: The proof model of SWG-1 (figure not reproduced).]
The simulation for $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.
(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
(a) if $i = \nu$:
(1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $(y_1 = (y^*)^{x_1} \bmod p)$ and $(w_1 = y_1^{u} g^{s'} \bmod p)$;
(3) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (u, s'))$ in the list $\mathcal{L}_B$;
(b) if $i \neq \nu$:
(1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
(3) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $\mathcal{L}_B$;
(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.
(ii) Oracle $\mathcal{O}_{\mathrm{off}}$. A status parameter sta is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it will look up the list $\mathcal{L}_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and sta $= 0$, $\mathcal{O}_{\mathrm{off}}$ will perform the following procedures:
(1) set sta $= 1$;
(2) retrieve the corresponding $(u, s')$ from $\mathcal{L}_B$ and choose a random $r_u$;
(3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $\mathcal{L}_H$;
(4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in the list $\mathcal{L}_{\mathrm{off}}$;
(5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, compute $(s' = r_1 - u x_1 \bmod q)$ and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(c) otherwise abort.
(iii) Oracle $\mathcal{O}_{H_4}$. While $\mathcal{A}$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ will check the list $\mathcal{L}_H$:
(a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ will retrieve the corresponding $u$ and return it to $\mathcal{A}$;
(b) otherwise $\mathcal{O}_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$ and return $u$ to $\mathcal{A}$.

[Figure 10: The proof model of SWG-2 (figure not reproduced).]
Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$ where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $\mathcal{L}_B$, and $H_4(r_u^*, r_s^*) = u^*$. Then via $\mathcal{L}_H$, since
$$\left(y^{*x_1^*}\right)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \left(y^{*x_1^*}\right)^{u} g^{s'} \pmod p, \tag{25}$$
$\mathcal{S}$ can derive
$$x^* = \left(x_1^*(u^* - u)\right)^{-1}(s' - s'^*) \bmod q \tag{26}$$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.
Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. It follows that there exists no p.p.t. adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
5. E-Cash Advanced Features and Performance Comparisons
In this section we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13-15, 21, 22, 27, 38-40]. We analyze the features and performance of the aforementioned schemes and summarize them in Table 1.
5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability and no double-spending. Besides these, other advanced features of an e-cash system are discussed in the literature. We focus on three further advanced features, namely traceability, date attachability and no-swindling, and compare the proposed scheme with the aforementioned schemes on them.
We also propose an e-cash renewal protocol for users to exchange their unused but expired e-cash(s) for a new valid e-cash; therefore users do not have to deposit the e-cash before it expires and withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. This is a great help to users, since their devices, such as smart phones, usually have weaker computation capability.
Table 1: Advanced features and performance comparisons.

| Advanced features | Ours | [38] | [14] | [15] | [9] | [21] | [22] | [39] | [40] | [13] | [27] |
|---|---|---|---|---|---|---|---|---|---|---|---|
| On/off-line | Off | Off | Off | Off | On | Off | Off | Off | Off | On | Off |
| Conditional-traceability | Yes | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
| Date attachability | Yes | No | No | No | Yes | Yes | No | No | No | No | Yes |
| No-swindling | Yes | No | No | No | — | No | Yes | No | No | — | No |
| Renewal protocol | Yes | — | Yes | — | No | Yes | Yes | — | — | — | Yes |
| Formal proof | Yes | Yes | No | Yes | No | No | Yes | Yes | Yes | Yes | No |
| **Performance** | | | | | | | | | | | |
| Transaction cost⋆ | 5E+7M+7H+1inv+1A ≈ 1454M | 14E+14M+1H+5A ≈ 3375M | 6E+8M ≈ 1448M | 23E+14M+1A ≈ 5534M | 2E+2M+2H ≈ 966M | 5E+9M+1H+1inv+2A ≈ 1450M | 2E ≈ 480M | 18E+15M+2H+8A ≈ 4337M | 31E+22M+6H+10A ≈ 7468M | 22E+11M+4A ≈ 5291M | 6E+8M+1H ≈ 1449M |
| Communication cost (bytes) | 1092 | 576 | 1288 | 939 | 769 | 644 | 300 | 828 | 968 | 1536 | 728 |

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
Communication cost: the communication cost of each transaction at the user side, in bytes.
5.2. Performance Comparisons. According to [41], we can summarize and induce the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times that of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.

With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be induced as 1452 times of a modular multiplication, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times of a modular multiplication to finish the withdrawal and payment phases at the user end.

According to [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and the one-way hash function used in all protocols, respectively; therefore the signed message and the hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.

The details of the comparisons are summarized in Table 1.
6. Conclusion

In this paper, we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol, where users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient from the aspect of the computation cost at the user side while satisfying all security properties simultaneously. Besides anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank to manage its huge databases against unlimited growth, but it also strengthens the preservation of users' privacy and rights.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.
References
[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.
[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.
[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.
[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.
[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.
[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.
[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man, and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.
[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.
[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.
[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.
[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.
[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.
[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.
[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.
[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.
[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.
[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.
[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology: CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.
[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.
[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.
[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.
[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.
[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.
[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.
[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.
[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology: CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.
[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.
[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.
[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.
[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs: White Paper, Mobile Platform Group, Intel Corporation, 2002.
[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.
[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.
[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.
[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.
[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.
[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.
[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.
[Figure 1: Withdrawal protocol (message flow between User, Bank, and Judge device). System parameters: $p, q$ two large primes; $g_1, g_2$ generators of order $q$ in $\mathbb{Z}_p^*$; bank modulus $n_b = p_b q_b$ with $\phi(n_b) = (p_b - 1)(q_b - 1)$. User: $x_1, x_2, r_1, r_2, r_3 \in_R \{0, \ldots, q-1\}$; $y_1 = g_1^{x_1} \bmod p$, $w_1 = g_1^{r_1} \bmod p$, $y_2 = g_2^{x_2} \bmod p$, $w_2 = g_2^{r_2} \bmod p$; $m = (y_1, w_1, y_2, w_2, r_3)$; $a \in_R \mathbb{Z}^*_{n_b}$, $k \in_R \{0,1\}^{l_k}$, $r \in_R \mathbb{Z}^*_n$; $D = (\mathrm{Date}, r)$ where Date is the expiration date; $\alpha = [a^{e_b} H_1^2(m, D)]^{-1} \bmod n_b$; $\epsilon = E_{pk_j}(k, \mathrm{ID}_c)$. User → Bank: $(\alpha, \epsilon)$. Bank: sets $\mu = \mathrm{ID}_c$ and inputs $(\epsilon, \mu, D)$ to the judge device. Judge device: computes $(k, \mathrm{ID}_c) = D_{sk_j}(\epsilon)$ and checks $\mu = \mathrm{ID}_c$ (no: abort and return ID error; yes: continue); $b \in_R \mathbb{Z}^*_{n_b}$, $r_j \in_R \{0,1\}^{l_{r_j}}$; $\sigma = E_{pk_j}(\mu, r_j)$; $\beta = [b^{e_b} H_3(\sigma, D)]^{-1} \bmod n_b$. Judge device → Bank: $(\beta, E_k(b, \sigma, r_j))$. Bank: $t = (\alpha\beta H_2(D))^{d_b} \bmod n_b$. Bank → User: $(t, E_k(b, \sigma, r_j))$. User: decrypts $E_k(b, \sigma, r_j)$, verifies $\sigma = E_{pk_j}(\mathrm{ID}_c, r_j)$, computes $s = abt \bmod n_b$, verifies $s^{e_b} H_1^2(m, D) H_3(\sigma, D) = H_2(D) \pmod{n_b}$; e-cash tuple $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$.]
(4) Judge device → Bank: $(\beta, E_k(b, \sigma, r_j))$.
The judge device decrypts $\epsilon$ and checks if $\mu = \mathrm{ID}_c$. If not, it returns "ID error" to the bank; or else it picks a random integer $b \in_R \mathbb{Z}^*_{n_b}$ and a random string $r_j \in_R \{0,1\}^{l_{r_j}}$. Then it computes $\sigma = E_{pk_j}(\mu, r_j)$ and
$$\beta = [b^{e_b} H_3(\sigma, D)]^{-1} \bmod n_b. \quad (2)$$
Finally, it encrypts $(b, \sigma, r_j)$ by using the symmetric key $k$ and outputs it together with $\beta$ to the bank.

(5) Bank → User: $(t, E_k(b, \sigma, r_j))$.
After receiving $(\beta, E_k(b, \sigma, r_j))$ from the judge device, it computes
$$t = (\alpha \beta H_2(D))^{d_b} \bmod n_b \quad (3)$$
and sends $(t, E_k(b, \sigma, r_j))$ to the user.

(6) Verifications.
After receiving $(t, E_k(b, \sigma, r_j))$, the user first decrypts the ciphertext by using the symmetric key $k$ in order to obtain $(b, \sigma, r_j)$. Second, she/he checks if his/her ID is embedded correctly by checking whether $\sigma = E_{pk_j}(\mathrm{ID}_c, r_j)$ is true or not. Third, she/he computes
$$s = abt \bmod n_b \quad (4)$$
and verifies $s$ by checking if
$$s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b} \quad (5)$$
is true or not. Finally, when all verifications are done, the user gets the e-cash tuple $(s, m, \sigma, D)$ and stores $(x_1, x_2, r_1, r_2)$ for further payment usages.
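As an added example (not code from the paper or its authors), the following Python toy model runs the blinding, signing, unblinding, and verification steps of the withdrawal protocol, equations (1) through (5), end to end. It assumes constructed, undersized RSA primes for the bank, SHA-256 in place of $H_1$, $H_2$, and $H_3$, and a plain string standing in for the judge's ciphertext $\sigma$; the function names (`user_blind`, `bank_sign`, and so on) are mine. The point it makes visible is what the verifier in (5) actually checks and why the unblinded $s$ satisfies it even though the bank only ever signed $\alpha\beta H_2(D)$ and never saw $a$, $b$, $m$, or $\sigma$.

```python
"""Toy walk-through of the DAOECS withdrawal blinding (added example).

Everything here is constructed for illustration: the bank's RSA primes are
undersized known primes, SHA-256 stands in for H_1, H_2 and H_3, and the
judge's ciphertext sigma is just a string.  Equation numbers refer to the
paper's (1)-(5).
"""
import hashlib
import secrets
from math import gcd

# Bank key (e_b, n_b) / (d_b, p_b, q_b).  Toy sizes: two Mersenne primes.
P_B = (1 << 61) - 1
Q_B = (1 << 31) - 1
N_B = P_B * Q_B
PHI_B = (P_B - 1) * (Q_B - 1)
E_B = 65537
D_B = pow(E_B, -1, PHI_B)


def H(tag: str, *parts) -> int:
    """Stand-in for H_1/H_2/H_3: SHA-256 of a tagged encoding, reduced mod n_b."""
    data = tag.encode() + b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N_B


def rand_unit() -> int:
    """Blinding factor a or b drawn from Z*_{n_b}."""
    while True:
        v = secrets.randbelow(N_B - 2) + 2
        if gcd(v, N_B) == 1:
            return v


def user_blind(a: int, m: str, D: str) -> int:
    # (1): alpha = [a^{e_b} H_1^2(m, D)]^{-1} mod n_b  (the bank never sees a or m)
    h1 = H("H1", m, D)
    return pow(pow(a, E_B, N_B) * h1 * h1, -1, N_B)


def judge_blind(b: int, sigma: str, D: str) -> int:
    # (2): beta = [b^{e_b} H_3(sigma, D)]^{-1} mod n_b
    return pow(pow(b, E_B, N_B) * H("H3", sigma, D), -1, N_B)


def bank_sign(alpha: int, beta: int, D: str) -> int:
    # (3): t = (alpha beta H_2(D))^{d_b} mod n_b; D is the only cleartext input
    return pow(alpha * beta * H("H2", D) % N_B, D_B, N_B)


def user_unblind(a: int, b: int, t: int) -> int:
    # (4): s = a b t mod n_b
    return a * b * t % N_B


def verify_ecash(s: int, m: str, sigma: str, D: str) -> bool:
    # (5): s^{e_b} H_1^2(m, D) H_3(sigma, D) == H_2(D) (mod n_b)
    h1 = H("H1", m, D)
    lhs = pow(s, E_B, N_B) * h1 * h1 * H("H3", sigma, D) % N_B
    return lhs == H("H2", D)


def withdraw(m: str, sigma: str, D: str):
    """Run the exchange; returns the coin signature s and the bank's view."""
    a, b = rand_unit(), rand_unit()
    alpha = user_blind(a, m, D)
    beta = judge_blind(b, sigma, D)
    t = bank_sign(alpha, beta, D)
    return user_unblind(a, b, t), (alpha, beta, t)


if __name__ == "__main__":
    coin = ("y1|w1|y2|w2|r3", "Epk_j(IDc,rj)", "20141231|r")  # constructed inputs
    s, view = withdraw(*coin)
    print("verify:", verify_ecash(s, *coin))
```

The bank's view `(alpha, beta, t)` is all it retains from the session; because $a$ and $b$ are uniform in $\mathbb{Z}^*_{n_b}$, that view is consistent with every possible $(m, \sigma)$, which is the blindness argument the paper later formalizes in (15) and (16). A real deployment would use a modulus of at least 2048 bits and a hash with proper domain separation, exactly as the constructed sizes here are not.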
3.2.3. Payment Protocol. When a user has to spend the e-cash, she/he performs the protocol as shown in Figure 2. The steps of the protocol are described as follows.

(1) User → Shop: $(s, m, \sigma, D, x_2, r_2)$.
The user sends $(s, m, \sigma, D, x_2, r_2)$ to the shop, where $D$ contains the expiration date of the e-cash.
[Figure 2: Payment protocol (message flow between User and Shop). User → Shop: $(s, m, \sigma, D, x_2, r_2)$. Shop: checks the validity of $D$; verifies $s^{e_b} H_1^2(m, D) H_3(\sigma, D) = H_2(D) \pmod{n_b}$; $r'_s \in_R \{0,1\}^{l_{r_j}}$, $r_s = (\mathrm{ID}_s, r'_s)$. Shop → User: $r_s$. User: $r_u \in_R \mathbb{Z}^*_q$, $u = H_4(r_u, r_s)$, $s' = (r_1 - u x_1) \bmod q$. User → Shop: $(s', r_u)$. Shop: verifies $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \pmod p$.]
(2) Shop → User: $r_s$.
The shop first checks $D$ to verify whether the e-cash is still within the expiration date. If not, it terminates the transaction. Otherwise, it continues to verify $s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$. If it is not valid, the protocol is aborted; or else it selects a string $r'_s \in_R \{0,1\}^{l_{r_j}}$ and sets a challenge $r_s = (\mathrm{ID}_s, r'_s)$, where $\mathrm{ID}_s$ is the identity of the shop. Finally, it sends $r_s$ to the user.

(3) User → Shop: $(s', r_u)$.
After receiving $r_s$ from the shop, the user randomly selects $r_u \in_R \mathbb{Z}^*_q$ and computes a response to the challenge
$$s' = (r_1 - u x_1) \bmod q, \quad (6)$$
where $u = H_4(r_u, r_s)$. Then the user sends $(s', r_u)$ to the shop.

(4) Verifications.
After receiving $(s', r_u)$ from the user, the shop verifies if $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \pmod p$ is true or not. If it is true, the shop will accept the e-cash; otherwise, the shop will reject it. Since it is an offline e-cash, the shop does not have to deposit it to the bank immediately. It can store the e-cash and deposit it later together with other received e-cash(s).
3.2.4. Deposit Protocol. As Figure 3 shows, shops attach the deposit date to their e-cash(s) and deposit them to banks in this protocol. Banks perform double-spending checks when they receive these e-cash(s). If any e-cash is double-spent, the bank will revoke the anonymity of the e-cash owner with the help of the judge. The steps are described in detail as follows.
(1) Shop → Bank: $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$.
The shop computes $r_4 = r_2 - x_2 H_5(d)$, where $d$ is the deposit date, and sends $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$ to the bank.

(2) Verifications.
First, the bank checks the correctness of the expiration date $D$ and the deposit date $d$, respectively, and also checks if
$$w_2 = y_2^{H_5(d)} g_2^{r_4} \bmod p, \qquad w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \bmod p \quad (7)$$
are true or not. Second, the bank verifies if $s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$ and checks the uniqueness of $(s, m, \sigma, D)$. Finally, if all of the above facts are verified successfully, the bank will accept and store the e-cash in its database and record $H_1(m, D)$ in the exchange list. Otherwise, it will reject this transaction and trace the owner of the e-cash.
3.2.5. E-Cash Renewal Protocol. In order to reduce the unlimited-growth database problem of the bank, our scheme has an expiration date and a renewal protocol to achieve it, as shown in Figure 4. When an unused e-cash has expired, the user has to exchange it for another e-cash with a new expiration date from the bank.

(1) User → Bank: $(s, \rho, \sigma, D)$.
The user recalls $m = (y_1, w_1, y_2, w_2, x_2, r_3)$ and prepares
$$\rho = H_1(m, D) \quad (8)$$
and sends it together with the unused $(s, \sigma, D)$ to the bank.

(2) Verifications.
First, the bank checks the correctness of the expiration date $D$ and makes sure $\rho$ does not exist in the exchange list. Second, the bank verifies if $s^{e_b} H_1(\rho) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$. Finally, if all of the above facts are verified successfully, the bank will accept to
[Figure 3: Deposit protocol (message flow between Shop and Bank). Shop: $r_4 = r_2 - x_2 H_5(d)$ with $d$ the deposit date. Shop → Bank: $(s, y_1, w_1, y_2, w_2, r_3, r_4, \sigma, D, d, s', r_u, r_s)$. Bank: checks the validity of $D$ and $d$; checks $w_2 = y_2^{H_5(d)} g_2^{r_4} \bmod p$ and $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \bmod p$; verifies $s^{e_b} H_1^2(y_1, w_1, y_2, w_2, D, r_3) H_3(\sigma, D) = H_2(D) \pmod{n_b}$; checks whether $(s, m, \sigma, D)$ is unique (yes: store the coin in the deposit list; no: trace the owner of the coin).]

[Figure 4: E-Cash renewal protocol (message flow between User and Bank). User: $\rho = H_1(y_1, w_1, y_2, w_2, D, r_3)$. User → Bank: $(s, \rho, \sigma, D)$. Bank: checks the expiration date $D$; checks whether $\rho$ exists in the exchange list; verifies $s^{e_b} H_1(\rho) H_3(\sigma, D) = H_2(D) \pmod{n_b}$; checks whether $s$ is unique (yes: accept to exchange the coin and store $\rho$ in the exchange list; no: reject and trace the owner of the coin). Bank → User: Accept, $D'$ = new expiration date. User: computes $[a^{e_b} H_1^2(y_1, w_1, y_2, w_2, D', r'_3)]^{-1} \bmod n_b$. User → Bank: $(\ , \epsilon)$. Repeat withdrawal protocol.]
exchange the e-cash. It will send a new expiration date $D'$ and store $\rho$ in the exchange list. Otherwise, it will reject the exchange request.

(3) User → Bank: $(\ , \epsilon)$.
The user computes
$$= [a^{e_b} H_1^2(m', D')]^{-1} \bmod n_b, \quad (9)$$
where $m' = (y_1, w_1, y_2, w_2, x_2, r'_3)$, $r'_3$ is a random number, and $D'$ is the new expiration date issued by the bank. The user sends $(\ , \epsilon, \mathrm{ID}_c)$ to the bank. Then the bank repeats the withdrawal protocol in Section 3.2.2 from Step 2 with the user.
3.2.6. Double-Spending Checking and Anonymity Control. In our scheme, the identity of the users is anonymous in general, except when the users violate any security rules, in which case their identities will be revealed.

(1) Double-Spending Checking.
When an e-cash is being doubly spent, there must be two e-cash(s) with the same record prefixed by $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$ stored in the database of the
[Figure 5: The game environment of the linkage game. A random bit $b$ is chosen; $U_0$ and $U_1$ output $(m_b, \sigma_b)$ and $(m_{1-b}, \sigma_{1-b})$ and engage with $\mathcal{B}$; $\mathcal{B}$ outputs $b'$ and wins if $b' = b$; $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = |2\Pr[b' = b] - 1|$.]
bank. Therefore, the bank is able to detect any double-spent e-cash easily by checking the above parameters. For instance, the bank has received two e-cash(s)
$$(s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, s', r_u, r_s),$$
$$(s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, s', r_u, r_s) \quad (10)$$
that share the same prefix but come from two different payments, so their challenge and response values $(s', r_u, r_s)$ differ. Thus the bank can obtain two equations as follows:
$$s' \equiv r_1 - H_4(r_u, r_s)\,x_1 \pmod q,$$
$$s' \equiv r_1 - H_4(r_u, r_s)\,x_1 \pmod q. \quad (11)$$
The bank can derive $(x_1, r_1)$ from the above equations (two linear equations in the two unknowns $x_1$ and $r_1$, with different coefficients $H_4(r_u, r_s)$) and send $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ to the judge to trace the owner of the e-cash.

(2) Revocation.
The judge can trace any user who doubly spends e-cash(s) or violates any transaction regulations. When the judge receives $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ from the bank, it checks the following equations:
$$s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b},$$
$$y_1 \equiv g_1^{x_1} \pmod p,$$
$$w_1 \equiv g_1^{r_1} \pmod p. \quad (12)$$
If all of the above equalities are true, the judge will decrypt $\sigma$ and return the extracted $\mathrm{ID}_c$ to the bank.
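As an added example (not the paper's own code), the Python block below models the Schnorr-style challenge and response of the payment protocol, equation (6), the shop's check in payment step (4), the bank's recovery of $(x_1, r_1)$ from two spendings of the same coin, equations (11), and the judge's discrete-log checks in (12). The group parameters ($p = 10007$, $q = 5003$, $g_1 = 4$) are constructed toy values far too small for real use, SHA-256 stands in for $H_4$, and all function names are mine. It also handles the one edge case the derivation glosses over: if both payments happen to yield the same $u = H_4(r_u, r_s)$, the two equations coincide and nothing can be recovered, so `bank_trace` returns `None` instead of dividing by zero.

```python
"""Toy model of the DAOECS payment challenge/response and the bank's
double-spending trace (added example).

Constructed toy parameters: p = 10007 = 2q + 1 with q = 5003, g_1 an element
of order q, SHA-256 standing in for H_4.  Equation numbers refer to the
paper's (6), (11) and (12).
"""
import hashlib
import secrets

P = 10007           # prime, p = 2q + 1 (constructed toy size)
Q = 5003            # prime order of the subgroup used for x_1, r_1, s'
G1 = pow(2, 2, P)   # a quadratic residue other than 1 has order q


def H4(r_u: int, r_s: str) -> int:
    """Stand-in for H_4: SHA-256 over (r_u, r_s), reduced mod q."""
    data = f"H4|{r_u}|{r_s}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def user_keygen():
    """Coin secrets x_1, r_1 and the public y_1 = g_1^{x_1}, w_1 = g_1^{r_1}."""
    x1 = secrets.randbelow(Q - 1) + 1
    r1 = secrets.randbelow(Q - 1) + 1
    return x1, r1, pow(G1, x1, P), pow(G1, r1, P)


def user_respond(x1: int, r1: int, r_u: int, r_s: str) -> int:
    # (6): s' = (r_1 - u x_1) mod q with u = H_4(r_u, r_s)
    return (r1 - H4(r_u, r_s) * x1) % Q


def shop_verify(y1: int, w1: int, s_prime: int, r_u: int, r_s: str) -> bool:
    # Payment step (4): w_1 == y_1^{H_4(r_u, r_s)} g_1^{s'} (mod p)
    return w1 == pow(y1, H4(r_u, r_s), P) * pow(G1, s_prime, P) % P


def bank_trace(pay_a, pay_b):
    """Solve the two instances of (11) for (x_1, r_1).

    pay_a, pay_b are (s', r_u, r_s) from two accepted spendings of one coin.
    Returns None when both challenges hash to the same u: the two equations
    then coincide and the system has no unique solution.
    """
    sa, rua, rsa = pay_a
    sb, rub, rsb = pay_b
    ua, ub = H4(rua, rsa), H4(rub, rsb)
    if ua == ub:
        return None
    # s'_a - s'_b = (u_b - u_a) x_1 (mod q)
    x1 = (sa - sb) * pow((ub - ua) % Q, -1, Q) % Q
    r1 = (sa + ua * x1) % Q
    return x1, r1


def judge_check(y1: int, w1: int, x1: int, r1: int) -> bool:
    # (12), discrete-log part: y_1 == g_1^{x_1} and w_1 == g_1^{r_1} (mod p)
    return y1 == pow(G1, x1, P) and w1 == pow(G1, r1, P)


if __name__ == "__main__":
    x1, r1, y1, w1 = user_keygen()
    first = (user_respond(x1, r1, 11, "shopA|n1"), 11, "shopA|n1")
    second = (user_respond(x1, r1, 22, "shopB|n2"), 22, "shopB|n2")
    print("shop accepts both:", shop_verify(y1, w1, *first), shop_verify(y1, w1, *second))
    print("bank recovers secrets:", bank_trace(first, second) == (x1, r1))
```

Because the shop's challenge $r_s$ contains its own identity and a fresh nonce, two honest payments of one coin are guaranteed to produce distinct $u$ except with probability about $1/q$, which is what makes the single-spend response reveal nothing about $x_1$ while a second spend reveals it completely.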
4. Security Proofs

In this section, we provide security definitions and formal proofs of the following security features for our proposed date attachable offline electronic cash scheme (DAOECS): unlinkability, unforgeability, traceability, and no-swindling.

4.1. E-Cash Unlinkability. Based on the definition of unlinkability introduced by Abe and Okamoto [35] and Juels et al. [36], we formally define the unlinkability property of DAOECS.

Definition 1 (The Linkage Game). Let $U_0$, $U_1$, and $\mathcal{J}$ be two honest users and the judge that follow DAOECS, respectively. Let $\mathcal{B}$ be the bank that participates in the following game with $U_0$, $U_1$, and $\mathcal{J}$. The game environment is shown in Figure 5.
Step 1. According to DAOECS, $\mathcal{B}$ generates the bank's public key $(e_b, n_b)$, the bank's private key $(d_b, p_b, q_b)$, the system parameters $(p, q, g_1, g_2)$, the expiration date $D$, and the five public one-way hash functions $H_1, H_2, H_3, H_4$, and $H_5$. $\mathcal{J}$ generates the judge's public-private key pair $(pk_j, sk_j)$.

Step 2. $\mathcal{B}$ generates $x_{1i}, x_{2i}, r_{1i}, r_{2i}, r_{3i}$ at random, where $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q-1\}$, and computes $(y_{ki}, w_{ki})$ for $k = 1, 2$ and $i = 0, 1$, where $y_{ki} = g_k^{x_{ki}} \bmod p$ and $w_{ki} = g_k^{r_{ki}} \bmod p$.

Step 3. We choose a bit $b \in \{0, 1\}$ randomly and place $(y_{1b}, w_{1b}, y_{2b}, w_{2b})$ and $(y_{1,1-b}, w_{1,1-b}, y_{2,1-b}, w_{2,1-b})$ on the private input tapes of $U_0$ and $U_1$, respectively, where $b$ is not disclosed to $\mathcal{B}$.

Step 4. $\mathcal{B}$ performs the withdrawal protocol of DAOECS with $U_0$ and $U_1$, respectively.

Step 5. If $U_0$ and $U_1$ output two e-cash(s) $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$, where $m_i = (y_{1i}, w_{1i}, y_{2i}, w_{2i}, r_{3i})$, on their private tapes, respectively, we give the two e-cash(s) in a random order to $\mathcal{B}$; otherwise $\perp$ is given to $\mathcal{B}$.
Algorithm 1: Experiment FG-1.

Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k)$:
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $((s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1})) \leftarrow \mathcal{A}^{O_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s_i^{e_b} H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod{n_b}$ for all $i \in \{1, \ldots, \ell+1\}$;
        (ii) $m_1, \ldots, m_{\ell+1}$ are all distinct;
    else return 0.
Step 6. $\mathcal{B}$ outputs $b' \in \{0, 1\}$ as the guess of $b$. The bank $\mathcal{B}$ wins the game if $b' = b$ and $\mathcal{J}$ has not revoked the anonymity of $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$ to $\mathcal{B}$. We define the advantage of $\mathcal{B}$ as
$$\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = \left|\,2\Pr[b' = b] - 1\,\right|, \quad (13)$$
where $\Pr[b' = b]$ denotes the probability of $b' = b$.

Definition 2 (Unlinkability). A DAOECS satisfies the unlinkability property if and only if the advantage $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B})$ defined in Definition 1 is negligible.

Theorem 3. A DAOECS satisfies the unlinkability property of Definition 2 if the adopted cryptosystems are semantically secure.
Proof. If $\mathcal{B}$ is given $\perp$ in Step 5 of the game, it will determine $b$ with probability $1/2$, which is exactly the same as a random guess of $b$.

Here we assume that $\mathcal{B}$ gets two e-cash $(s_0, m_0, \sigma_0, D_0)$ and $(s_1, m_1, \sigma_1, D_1)$. Let $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{ji}))$, $i \in \{0, 1\}$, be the view of data exchanged between $U_i$ and $\mathcal{B}$ in the withdrawal protocol (Section 3.2.2), and let $(x_{2i}, r_{2i}, r_{4i}, r_{ui}, r_{si}, s'_i, d_i)$ be the view of data exchanged when $\mathcal{B}$ performs the payment protocol (Section 3.2.3) and the deposit protocol (Section 3.2.4) by using $(s_i, m_i, \sigma_i, D_i)$, where $i \in \{0, 1\}$. For
$$(s, m, \sigma, D, x_2, r_2, r_4, r_u, r_s, s', d) \in \{(s_0, m_0, \sigma_0, D_0, x_{20}, r_{20}, r_{40}, r_{u0}, r_{s0}, s'_0, d_0),\ (s_1, m_1, \sigma_1, D_1, x_{21}, r_{21}, r_{41}, r_{u1}, r_{s1}, s'_1, d_1)\} \quad (14)$$
and $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{ji}))$, $i \in \{0, 1\}$, there always exists a pair $(a'_i, b'_i)$ such that
$$a'_i = [\alpha_i H_1^2(m, D)]^{-d_b} \bmod n_b \quad \text{(via (1))},$$
$$b'_i = [\beta_i H_3(\sigma, D)]^{-d_b} \bmod n_b \quad \text{(via (2))}. \quad (15)$$
And from (3), $t_i \equiv (\alpha_i \beta_i H_2(D))^{d_b} \pmod{n_b}$, so (4) always holds as
$$s \equiv a'_i b'_i t_i \equiv \left[\left(H_1^2(m, D) H_3(\sigma, D)\right)^{-1} H_2(D)\right]^{d_b} \pmod{n_b}. \quad (16)$$
Besides, $E_{pk_j}$ and $E_{k_i}$ are semantically secure encryption functions; $\mathcal{B}$ cannot learn any information from $\epsilon_i$ and $E_{k_i}(b_i, \sigma_i, r_{ji})$.

From the above, given any $(s, m, \sigma, D) \in \{(s_0, m_0, \sigma_0, D_0), (s_1, m_1, \sigma_1, D_1)\}$ and $(\alpha_i, \beta_i, t_i)$ where $i \in \{0, 1\}$, there always exists a corresponding pair $(a'_i, b'_i)$ such that (1), (2), (3), and (4) are satisfied. Thus, going back to Step 6 of the game, the bank $\mathcal{B}$ succeeds in determining $b$ with probability $(1/2) + \varepsilon$, where $\varepsilon$ is negligible since $E_{pk_j}$ and $E_k$ are semantically secure. Therefore we have $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = 2\varepsilon$, which is negligible, so that DAOECS satisfies the unlinkability property.
4.2. E-Cash Unforgeability. In this section, we formally prove that the proposed date attachable offline electronic cash scheme (DAOECS) is secure against forgery attacks. The forgery attack can be roughly divided into two types: one is the typical one-more forgery type (i.e., $(\ell, \ell+1)$-forgery) [37], and the other is the forgery on some specific expiration date of an e-cash after sufficient communications with the signing oracle (i.e., the bank). The details of the definitions and our formal proofs are described as follows.

Definition 4 (Forgery Game 1 in DAOECS (FG-1)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS and is responsible for issuing e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $\mathcal{A}$. $\mathcal{A}$ is allowed to query $O_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k)$ shown in Algorithm 1. $\mathcal{A}$ wins the forgery game FG-1 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.
Definition 5 (Forgery Game 2 in DAOECS (FG-2)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS and takes charge of the following two events:
(i) issue e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $\mathcal{A}$;
(ii) record the total number $\ell_{D_i}$ of each distinct expiration date $D_i$.
$\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\text{FG-2}}_{\mathcal{A}}(l_k)$ shown in Algorithm 2. $\mathcal{A}$ wins the forgery game FG-2 if the probability $\Pr[\mathrm{Exp}^{\text{FG-2}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Experiment $\mathrm{Exp}^{\text{FG-2}}_{\mathcal{A}}(l_k)$:
$(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
$\{(s_i, m_i, \sigma_i, D^*)\}_{1 \le i \le \ell_{D^*}+1} \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
if the following checks are true, return 1:
(i) $s_i^{e_b} H_1^2(m_i) H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell_{D^*}+1\}$
(ii) $m_1, \ldots, m_{\ell_{D^*}+1}$ are all distinct
else return 0
Algorithm 2: Experiment FG-2.

Experiment $\mathrm{Exp}^{\text{RSA-ACTI}}_{\mathcal{A}}(k)$:
$(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
$(y_1, \ldots, y_m) \leftarrow \mathcal{O}_t(N, e, k)$
$(\pi, (x_1, y_1), \ldots, (x_n, y_n)) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
if the following checks are true, return 1:
(i) $\pi : \{1, \ldots, n\} \to \{1, \ldots, m\}$ is injective
(ii) $x_i^e \equiv y_i \pmod{N}$, $\forall i \in \{1, \ldots, n\}$
(iii) $n > q_h$
else return 0
Algorithm 3.
Here we introduce the hard problems used in our proof models.
Definition 6 (Alternative Formulation of RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ for $m$ and $q_h$ times, respectively. Consider Algorithm 3. We say $\mathcal{A}$ breaks the RSA-ACTI problem if the probability $\Pr[\mathrm{Exp}^{\text{RSA-ACTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.
Definition 7 (The RSA Inversion Problem). Given $(e, n)$, where $n$ is the product of two distinct large primes $p$ and $q$ with roughly the same length and $e$ is a positive integer relatively prime to $(p-1)(q-1)$, and a randomly chosen positive integer $y$ less than $n$, find an integer $x$ such that $x^e \equiv y \pmod{n}$.
Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then DAOECS is secure against forgery attacks.
Theorem 9. For a polynomial-time adversary $\mathcal{A}$ who can win FG-1 or FG-2 with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-ACTI problem or the RSA inversion problem with nonnegligible probability.
Proof. $\mathcal{S}$ simulates the environment and controls three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ and an e-cash producing oracle $\mathcal{O}_S$ of the DAOECS scheme to respond to the different queries from $\mathcal{A}$ in the random oracle model, and takes advantage of $\mathcal{A}$ to solve the RSA-ACTI problem or the RSA inversion problem simultaneously. Then, for consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.
Here we start the simulation for the two games (i.e., FG-1 and FG-2) to prove that DAOECS is secure against forgery attacks. The details of the simulation are set out below and illustrated in Figures 6 and 7, respectively.
Simulation in FG-1. In this proof model, $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-ACTI problem defined in Definition 6 to help $\mathcal{S}$ produce e-cash(s), and the corresponding verifying key is $(e, n)$.
(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1^2(m_i)$ and returns it to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ queries $\mathcal{O}_t$ to get an instance $y$ and returns it to $\mathcal{A}$, then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), y)$ in $\mathcal{L}_{H_1}$;
(d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.
(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.
(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ will be retrieved and $(\eta^e \bmod n)$ will be returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, record $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$, and return $(\eta^e \bmod n)$ back to $\mathcal{A}$.

[Figure 6: The proof model of FG-1 (diagram of $\mathcal{A}$, $\mathcal{S}$, the oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$, $\mathcal{O}_S$, and the RSA-ACTI oracles $\mathcal{O}_{\mathrm{inv}}$, $\mathcal{O}_t$; the output shown is the list of pairs $(s_i^{-1}\eta_i^{-1}(\tau_i), y_i)$, $i \in \{1, \ldots, \ell+1\}$; figure not reproduced).]

[Figure 7: The proof model of FG-2 (diagram of $\mathcal{A}$, $\mathcal{S}$, and the oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$, $\mathcal{O}_S$; the output shown is $x \equiv y^d \equiv (s_i \varsigma_i \eta_i)^{-1} \tau_i \pmod{n}$; figure not reproduced).]
(iv) E-Cash Producing Query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e \bmod n)$, and store $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) send $(\alpha \beta \tau^e)$ to the oracle $\mathcal{O}_{\mathrm{inv}}$ to get $t = (\alpha \beta \tau^e)^d \bmod n$;
(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.
Eventually, assume that $\mathcal{A}$ can successfully output $\ell+1$ e-cash tuples
$$ (s_1, m_1, \sigma_1, D_1), \cdots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \qquad (17)$$
where the $m_i$ are all distinct, $\forall i$, $1 \le i \le \ell+1$, such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) = H_2(D_i) \pmod{n}$, after $\ell$ queries to $\mathcal{O}_S$, with nonnegligible probability $\epsilon_{\mathcal{A}}$. According to $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve the RSA-inversion instances ($\forall i$, $1 \le i \le \ell+1$)
$$ (y_i)^d \equiv \left(H_1^2(m_i)\right)^d \equiv s_i^{-1}\left(H_3(\sigma_i, D_i)^{-1} H_2(D_i)\right)^d \equiv s_i^{-1}\eta_i^{-1}(\tau_i) \pmod{n}. \qquad (18)$$
Via $\mathcal{A}$ querying the signing oracle $\mathcal{O}_S$ for $\ell$ times (i.e., $\mathcal{S}$ queries $\mathcal{O}_{\mathrm{inv}}$ for $\ell$ times), $\mathcal{S}$ can output $\ell+1$ RSA-inversion instances
$$ \left(s_1^{-1}\eta_1^{-1}(\tau_1), y_1\right), \left(s_2^{-1}\eta_2^{-1}(\tau_2), y_2\right), \ldots, \left(s_{\ell+1}^{-1}\eta_{\ell+1}^{-1}(\tau_{\ell+1}), y_{\ell+1}\right) \qquad (19)$$
and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
Simulation in FG-2. Initially $\mathcal{S}$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.
(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\rho_i$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma$ and returns $(\varsigma^e \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ selects a random $\varsigma \in \mathbb{Z}_n$, returns $(\varsigma^e \bmod n)$ to $\mathcal{A}$, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
(d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.
(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.
(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ will be retrieved and returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e y \bmod n)$, record $((\sigma, D), \eta, H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$, and return $H_3(\sigma, D)$ back to $\mathcal{A}$.
(iv) E-Cash Producing Query of $\mathcal{O}_S$. Let $\ell_{D_i}$ be a counter recording the number of queries on each expiration date $D_i$, initialized to 0. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), \perp, (\alpha \eta^e \bmod n))$ and $(\sigma, D)$ in $\mathcal{L}_{H_3}$ and $\mathcal{L}_x$, respectively;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv ((b\eta)^{-1} \tau) \pmod{n}$;
(7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.
Eventually, assume that $\mathcal{A}$ can successfully output $\ell_{D'}+1$ e-cash tuples for some expiration date $D'$,
$$ (s_1, m_1, \sigma_1, D'), \cdots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D') \qquad (20)$$
such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D') = H_2(D') \pmod{n}$, $\forall i$, $1 \le i \le \ell_{D'}+1$, after $\ell_{D'}$ queries to $\mathcal{O}_S$ on $D'$, with nonnegligible probability $\epsilon_{\mathcal{A}}$. Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'}+1$, is not recorded in $\mathcal{L}_x$; then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve
$$ (s_i)^e \equiv \left(H_1^2(m_i)\, H_3(\sigma_i, D')\right)^{-1} H_2(D') \equiv \left((\varsigma_i^e)(\eta_i^e y)\right)^{-1}(\tau_i^e) \pmod{n}, \qquad x \equiv y^d \equiv (s_i \varsigma_i \eta_i)^{-1} \tau_i \pmod{n} \qquad (21)$$
and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
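To make the two extractions concrete, the following Python model (an added example, not code from the paper) replays eqs. (18) and (21) on a constructed toy RSA key ($n = 61 \cdot 53$, $e = 17$). The hash values are programmed exactly as $\mathcal{S}$ programs them in the simulations above ($H_1^2(m_i) = y_i$ or $\varsigma_i^e$, $H_2(D) = \tau^e$, $H_3(\sigma, D) = \eta^e$ or $\eta^e y$). The forger is stood in for by the private exponent, which the real adversary never has, so that a tuple passing the bank's check exists to extract from; all function and variable names are the example's own.

```python
import math
import random

# Constructed toy RSA key (p = 61, q = 53); real bank keys are 2048 bits or more.
N = 61 * 53
E = 17
D_PRIV = 2753  # 17 * 2753 = 15 * 3120 + 1, i.e. e^{-1} mod phi(N)


def unit(rng, n=N):
    """Random element of Z_n^*: the proof draws eta, tau, varsigma from Z_n, and
    requiring gcd(a, n) = 1 keeps every inverse below well defined."""
    while True:
        a = rng.randrange(2, n)
        if math.gcd(a, n) == 1:
            return a


def verify_ecash(s, h1sq_m, h3_sigma_d, h2_d, e=E, n=N):
    """The bank's check from Algorithms 2 and 4:
    s^e * H_1^2(m) * H_3(sigma, D) == H_2(D)  (mod n)."""
    return (pow(s, e, n) * h1sq_m * h3_sigma_d - h2_d) % n == 0


def forge_with_private_key(h1sq_m, h3_sigma_d, h2_d, d=D_PRIV, n=N):
    """Stand-in for the forger A. In the games A has no d; we use it here only to
    manufacture a tuple that passes verify_ecash, shaped like eq. (16):
    s = ((H_1^2(m) H_3(sigma, D))^{-1} H_2(D))^d mod n."""
    return pow(pow(h1sq_m * h3_sigma_d, -1, n) * h2_d % n, d, n)


def fg1_extract(s, eta, tau, n=N):
    """Eq. (18): (y_i)^d = (H_1^2(m_i))^d = s_i^{-1} eta_i^{-1} tau_i (mod n),
    given H_3(sigma_i, D_i) = eta_i^e and H_2(D_i) = tau_i^e."""
    return pow(s * eta, -1, n) * tau % n


def fg2_extract(s, varsigma, eta, tau, n=N):
    """Eq. (21): x = y^d = (s_i varsigma_i eta_i)^{-1} tau_i (mod n), given
    H_1^2(m_i) = varsigma_i^e, H_3(sigma_i, D') = eta_i^e * y, H_2(D') = tau_i^e."""
    return pow(s * varsigma * eta, -1, n) * tau % n


def fg1_demo(seed=1):
    """FG-1: S serves a target y from O_t as H_1^2(m_i); a forgery on m_i
    yields y^d. Returns (extracted x, y) so the caller can check x^e == y."""
    rng = random.Random(seed)
    y = unit(rng)                     # target instance, served as H_1^2(m_i)
    eta, tau = unit(rng), unit(rng)   # H_3(sigma_i, D_i) = eta^e, H_2(D_i) = tau^e
    h1sq, h3, h2 = y, pow(eta, E, N), pow(tau, E, N)
    s = forge_with_private_key(h1sq, h3, h2)
    assert verify_ecash(s, h1sq, h3, h2)
    assert not verify_ecash((s + 1) % N, h1sq, h3, h2)  # a tampered s fails the check
    return fg1_extract(s, eta, tau), y


def fg2_demo(seed=2):
    """FG-2: S embeds its RSA-inversion instance y in H_3(sigma_i, D') for every
    (sigma_i, D') not created by O_S; a forgery on such a pair yields y^d."""
    rng = random.Random(seed)
    y = unit(rng)                                  # instance (y, e, n) given to S
    varsigma, eta, tau = unit(rng), unit(rng), unit(rng)
    h1sq = pow(varsigma, E, N)                     # H_1^2(m_i) = varsigma^e
    h3 = pow(eta, E, N) * y % N                    # H_3(sigma_i, D') = eta^e * y
    h2 = pow(tau, E, N)                            # H_2(D') = tau^e
    s = forge_with_private_key(h1sq, h3, h2)
    assert verify_ecash(s, h1sq, h3, h2)
    return fg2_extract(s, varsigma, eta, tau), y


if __name__ == "__main__":
    for demo in (fg1_demo, fg2_demo):
        x, y = demo()
        print(demo.__name__, "recovered x with x^e == y:", pow(x, E, N) == y)
```

The extraction in eq. (22) of the traceability proof is the same algebra with the roles swapped (the target sits in $H_3(\sigma', D')$ and $H_1^2(m') = \varsigma'^e$), so `fg2_extract` with $y$ removed from $H_3$ and placed in $H_3$ as the bare target covers it as well; what the model shows is that every programmed hash value is an $e$-th power except the one carrying the target, which is why a single valid forgery un-blinds it.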
4.3. E-Cash Conditional-Traceability. In this section we prove that the ID information embedded in e-cash(s) cannot be replaced or removed by any user in order to avoid being traced after some misbehavior or crime. The details of our proof model are illustrated in Figure 8.
Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS to record parameters from the queries of $\mathcal{A}$ and issue e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider Algorithm 4. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\text{TG}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

[Figure 8: The proof model of TG (diagram of $\mathcal{A}$, $\mathcal{S}$, the oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$, $\mathcal{O}_S$, the lists $\mathcal{L}_{H_3}$ and $\mathcal{L}_T$, and the RSA-AKTI oracles $\mathcal{O}_t$, $\mathcal{O}_{\mathrm{inv}}$; the output shown is $(x_1, y_1), \ldots, (x_{q_t-1}, y_{q_t-1}), ((s'^{-1}\varsigma'^{-1}\tau'), y')$; figure not reproduced).]

Experiment $\mathrm{Exp}^{\text{TG}}_{\mathcal{A}}(l_k)$:
$(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
$(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
$\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow \mathcal{O}_S$
if the following two checks are true, return 1:
(i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$
(ii) $s'^{e} H_1^2(m') H_3(\sigma', D') = H_2(D') \bmod n$
else return 0
Algorithm 4.
Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies E-Cash Traceability.
Definition 12 (Alternative Formulation of RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5. We say $\mathcal{A}$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\text{RSA-AKTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.
Theorem 13. For a polynomial-time adversary $\mathcal{A}$ who can win the tracing game TG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-AKTI problem with nonnegligible probability.

Experiment $\mathrm{Exp}^{\text{RSA-AKTI}}_{\mathcal{A}}(k)$:
$(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
$(y_1, \ldots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$
$((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
if $x_i^e \equiv y_i \pmod{N}$, $\forall i \in \{1, \ldots, q_t\}$, return 1
else return 0
Algorithm 5.
Proof. $\mathcal{S}$ simulates the environment of DAOECS by controlling three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ to respond to hash queries and an e-cash producing oracle $\mathcal{O}_S$ of DAOECS to respond to e-cash producing queries from $\mathcal{A}$, respectively, in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the RSA-AKTI problem. Then, for consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.
Besides, in the proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12 to help $\mathcal{S}$ produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.
Here we carry out the simulation for the game TG to prove that DAOECS satisfies e-cash traceability. The details are described as follows.
(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^e \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^e \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
(d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, H_1(m), \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.
(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.
(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will query $\mathcal{O}_t$ to get an instance $y$ and record $y$ and $((\sigma, D), y)$ in $\mathcal{L}_T$ and $\mathcal{L}_{H_3}$, respectively;
(c) return $y$ back to $\mathcal{A}$.
(iv) E-Cash Producing Query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv ((b\eta)^{-1} \tau) \pmod{n}$;
(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.
Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of any $\mathcal{O}_S$ query, such that $s'^{e} H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod{n}$; then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can derive
$$ (y')^d \equiv \left(H_3(\sigma', D')\right)^d \equiv s'^{-1}\left(H_1^2(m')^{-1} H_2(D')\right)^d \equiv s'^{-1}\varsigma'^{-1}\tau' \pmod{n}. \qquad (22)$$
Let $|\mathcal{L}_T| = q_t$ and $\mathcal{L}_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends $y_i \in (\mathcal{L}_T - \{y'\})$, $1 \le i \le (q_t - 1)$, to $\mathcal{O}_{\mathrm{inv}}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$. Eventually $\mathcal{S}$ can output $q_t$ RSA-inversion instances
$$ (x_1, y_1), (x_2, y_2), \ldots, (x_{q_t-1}, y_{q_t-1}), \left((s'^{-1}\varsigma'^{-1}\tau'), y'\right) \qquad (23)$$
after querying $\mathcal{O}_{\mathrm{inv}}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has already been spent in a previous transaction, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model the merchant may accept a transaction involving a double-spent e-cash first and do the double-spending check later. In this case the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two events:
(i) No one except the real owner can spend a fresh and valid offline e-cash successfully.
(ii) No one can double spend an e-cash successfully.
Roughly, this can be referred to as the e-cash no-swindling property. In this section we define the no-swindling property and formally prove that our scheme is secure against swindling attacks.
Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $\mathcal{O}_{\mathrm{off}}$ is an oracle which shows the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.
Experiment $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}(l_k)$:
$(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
$(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
if the following checks are true, return 1:
(i) $s^{e_b} H_1^2\left(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\; y_1, w_2, y_2, D, r_3\right) H_3(\sigma, D) = H_2(D) \bmod n_b$
(ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ was never queried to $\mathcal{O}_{\mathrm{off}}$
else return 0
Algorithm 6: Experiment SWG-1.

Experiment $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}(l_k)$:
$(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
$(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
if the following checks are true, return 1:
(i) $s^{e_b} H_1^2\left(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\; y_1, w_2, y_2, D, r_3\right) H_3(\sigma, D) = H_2(D) \bmod n_b$
(ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{\mathrm{off}}$ once
(iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ is not obtained from $\mathcal{O}_{\mathrm{off}}$
else return 0
Algorithm 7: Experiment SWG-2.
Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.
Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.
Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. Then, for consistency, $\mathcal{S}$ maintains a list $\mathcal{L}_{H_4}$ to record every response of $\mathcal{O}_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we describe the simulations for the two experiments $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}$ and $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}$ individually.
The simulation for $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}$ is illustrated in Figure 9 and each oracle is constructed as follows.
(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
(a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(b) if $i = \nu$: (1) compute $(w_1 = (y^*)^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
(c) if $i \neq \nu$: (1) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
(d) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $\mathcal{L}_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.
(ii) Oracle $\mathcal{O}_{\mathrm{off}}$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it will look up the list $\mathcal{L}_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
(b) otherwise $\mathcal{O}_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.
Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $\mathcal{L}_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*}$, $\mathcal{S}$ can derive
$$ x^* = (r_1^*)^{-1}\left(x_1^* H_4(r_u^*, r_s^*) + s'^*\right) \bmod q \qquad (24)$$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

[Figure 9: The proof model of SWG-1 (diagram of $\mathcal{A}$, $\mathcal{S}$, $\mathcal{O}_B$ and $\mathcal{O}_{\mathrm{off}}$; for $i = \nu$ the oracle sets $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$, and from the swindled tuple $\mathcal{S}$ obtains $x^* = (r_1^*)^{-1}(x_1^* H_4(r_u^*, r_s^*) + s'^*) \bmod q$; figure not reproduced).]
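The following Python model (an added example, not code from the paper) runs the $w_1$ part of the payment check in Algorithms 6 and 7 on a constructed toy group ($p = 2039$, $q = 1019$, $g = 4$ of order $q$) and then performs two extractions: eq. (24) from the SWG-1 simulation, and the two-opening extraction $x^* = (x_1^*(u^* - u))^{-1}(s' - s'^*) \bmod q$ that the SWG-2 simulation in Figure 10 relies on. $H_4$ is modelled as SHA-256 reduced mod $q$, and the swindler is stood in for by a routine that knows $x^*$ (which the real adversary does not) so that a second opening exists; these, and all function names, are the example's own assumptions.

```python
import hashlib
import random

# Constructed toy group: p = 2q + 1 with q prime, g = 4 generates the order-q
# subgroup (it is a quadratic residue and not 1). Real deployments use 2048-bit p
# with a 256-bit q, or an elliptic-curve group.
P, Q, G = 2039, 1019,4


def h4(r_u, r_s):
    """Stand-in for the random oracle H_4: SHA-256 of the pair, reduced mod q
    (an assumption of this example; the paper leaves the hash unspecified)."""
    digest = hashlib.sha256(f"{r_u}|{r_s}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def open_payment(r_1, x_1, r_s, rng):
    """Honest expansion as in O_off case (b): pick r_u, u = H_4(r_u, r_s),
    s' = r_1 - u x_1 mod q. Returns (r_u, r_s, s')."""
    r_u = rng.randrange(Q)
    u = h4(r_u, r_s)
    return r_u, r_s, (r_1 - u * x_1) % Q


def check_payment(w_1, y_1, r_u, r_s, s_prime):
    """The w_1 component of check (i) in Algorithms 6 and 7:
    w_1 == y_1^{H_4(r_u, r_s)} g^{s'} mod p."""
    return pow(y_1, h4(r_u, r_s), P) * pow(G, s_prime, P) % P == w_1


def swg1_extract(r_1, x_1, u_star, s_star):
    """Eq. (24): x* = (r_1*)^{-1} (x_1* H_4(r_u*, r_s*) + s'*) mod q."""
    return pow(r_1, -1, Q) * (x_1 * u_star + s_star) % Q


def swg2_extract(x_1, u, s_prime, u_star, s_star):
    """Two openings of one w_1 = y_1^u g^{s'} = y_1^{u*} g^{s'*} with
    y_1 = (y*)^{x_1}: x* = (x_1 (u* - u))^{-1} (s' - s'*) mod q."""
    return pow(x_1 * (u_star - u) % Q, -1, Q) * (s_prime - s_star) % Q


def honest_demo(seed=3):
    """A genuine owner opens a coin; returns (check on the real s',
    check on a tampered s')."""
    rng = random.Random(seed)
    x_1, r_1, r_s = rng.randrange(1, Q), rng.randrange(1, Q), rng.randrange(Q)
    y_1, w_1 = pow(G, x_1, P), pow(G, r_1, P)
    r_u, r_s, s_prime = open_payment(r_1, x_1, r_s, rng)
    return (check_payment(w_1, y_1, r_u, r_s, s_prime),
            check_payment(w_1, y_1, r_u, r_s, (s_prime + 1) % Q))


def swg1_demo(seed=4):
    """SWG-1: the nu-th coin carries w_1 = (y*)^{r_1}; any valid opening of it
    reveals x* = log_g y*. Returns (extracted x*, true x*)."""
    rng = random.Random(seed)
    x_star = rng.randrange(1, Q)                     # the DL instance S must solve
    y_star = pow(G, x_star, P)
    x_1, r_1 = rng.randrange(1, Q), rng.randrange(1, Q)
    y_1, w_1 = pow(G, x_1, P), pow(y_star, r_1, P)
    r_u, r_s = rng.randrange(Q), rng.randrange(Q)
    u_star = h4(r_u, r_s)
    # Stand-in for the swindler: knowing x* (which A does not) we can compute the
    # unique s'* that opens w_1 for this challenge.
    s_star = (x_star * r_1 - x_1 * u_star) % Q
    assert check_payment(w_1, y_1, r_u, r_s, s_star)
    return swg1_extract(r_1, x_1, u_star, s_star), x_star


def swg2_demo(seed=5):
    """SWG-2: the nu-th coin has y_1 = (y*)^{x_1} and an O_off-provided opening
    (u, s'); a second opening (u*, s'*) of the same w_1 reveals x*."""
    rng = random.Random(seed)
    x_star = rng.randrange(1, Q)
    y_star = pow(G, x_star, P)
    x_1, u, s_prime = rng.randrange(1, Q), rng.randrange(1, Q), rng.randrange(Q)
    y_1 = pow(y_star, x_1, P)
    w_1 = pow(y_1, u, P) * pow(G, s_prime, P) % P
    u_star = (u + rng.randrange(1, Q)) % Q                  # a different challenge
    s_star = (x_star * x_1 * (u - u_star) + s_prime) % Q    # swindler's second opening
    assert pow(y_1, u_star, P) * pow(G, s_star, P) % P == w_1
    return swg2_extract(x_1, u, s_prime, u_star, s_star), x_star


if __name__ == "__main__":
    print("honest opening passes / tampered fails:", honest_demo())
    print("SWG-1 extraction correct:", (lambda r: r[0] == r[1])(swg1_demo()))
    print("SWG-2 extraction correct:", (lambda r: r[0] == r[1])(swg2_demo()))
```

The honest run shows why the check binds the payer to $x_1$: $s'$ is a Schnorr-style response, so a changed $s'$ moves $w_1$ by a factor of $g$ and fails. The two extractions show the other side of the same fact, namely that any party who can open the $\nu$-th coin (SWG-1) or open it twice (SWG-2) without $\mathcal{O}_{\mathrm{off}}$ hands $\mathcal{S}$ the discrete logarithm of $y^*$.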
The simulation for $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}$ is illustrated in Figure 10 and each oracle is constructed as follows.
(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
(a) if $i = \nu$:
(1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $(y_1 = (y^*)^{x_1} \bmod p)$ and $(w_1 = y_1^{u} g^{s'} \bmod p)$;
(3) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (u, s'))$ in the list $\mathcal{L}_B$;
(b) if $i \neq \nu$:
(1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
(3) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $\mathcal{L}_B$;
(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.
(ii) Oracle $\mathcal{O}_{\mathrm{off}}$. A status parameter $\mathrm{sta}$ is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it will look up the list $\mathcal{L}_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and $\mathrm{sta} = 0$, $\mathcal{O}_{\mathrm{off}}$ will perform the following procedures:
(1) set $\mathrm{sta} = 1$;
(2) retrieve the corresponding $(u, s')$ from $\mathcal{L}_B$ and choose a random $r_u$;
(3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $\mathcal{L}_H$;
(4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in the list $\mathcal{L}_{\mathrm{off}}$;
(5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, compute $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(c) otherwise abort.
(iii) Oracle O1198674
WhileA sends (119903119906 119903
119904) to query for 119867
4(119903119906 119903
119904) O
1198674
will check the listL119867
(a) if (119903119906
119903119904) exists as the prefix of some record
O1198674
will retrieve the corresponding 119906 and returnit toA
16 The Scientific World Journal
119978off
i = - y1 = (ylowast)x1 mod p- w1 = yu1 g
s998400 mod p
index sta = 0
- Set sta = 1119964
119982
(request i)
(s w1 y1 w2 y2 r3 120590 D)
(s w1 y1 w2 y2 r3 120590 D rs)(s w1 y1 w2 y2 r3 120590 D rs ru s
998400)
119978ℬ
- Set H4(ru rs) = u store in ℒH
u
u 119978H4
Swindle
(slowast wlowast1 y
lowast1 w
lowast2 y
lowast2 r
lowast3 120590
lowast Dlowast rlowasts r
lowastu s
998400lowast)
- Record in ℒoff
(ru rs)
equiv H2(Dlowast) (mod nb)slowaste119887H21 (wlowast1 ylowast1 wlowast
2 ylowast2 D
lowast rlowast3 )H3(120590lowast Dlowast)wlowast1 = y
lowastH4(rlowast119906 rlowast119904 )
1 gs998400lowast
mod p
gs998400lowast
equiv wlowast1 equiv (ylowastxlowast1 gs
998400
(mod p)(ylowastxlowast1 )ulowast gs998400lowast equiv (ylowast1 )H4(rlowast119906 r
lowast119904 )
u)rarr xlowast = (xlowast1 (ulowast minus u) (s998400 minus s998400lowast) mod q)minus1
Figure 10 The proof model of SWG-2
(b) otherwise O1198674
will choose a random 119906 record((119903
119906 119903
119904) 119906) inL
119867 and return 119906 toA
Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $\mathcal{L}_B$, and $H_4(r_u^*, r_s^*) = u^*$. Then, via $\mathcal{L}_H$, since
$$\big((y^*)^{x_1^*}\big)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \big((y^*)^{x_1^*}\big)^{u} g^{s'} \pmod p, \qquad (25)$$
$\mathcal{S}$ can derive
$$x^* = \big(x_1^*(u^* - u)\big)^{-1}(s' - s'^*) \bmod q \qquad (26)$$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.
Summarizing the proof models of the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. It implies that there exists no ppt adversary who can win the swindling game, and hence our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
5 E-Cash Advanced Features and Performance Comparisons
In this section, we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and summarize them in Table 1.
5.1 Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability and no double-spending. Besides these, other advanced features of e-cash systems are discussed in the literature. We focus on three advanced features, traceability, date attachability and no-swindling, and compare the proposed scheme with the aforementioned schemes on them.
We also propose an e-cash renewal protocol that lets users exchange their unused but expired e-cash(s) for a new valid e-cash; therefore users do not have to deposit the e-cash before it expires and then withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. This is a great help to users, since their devices, such as smart phones, usually have weaker computation capability.
Table 1: Advanced features and performance comparisons.

| | Ours | [38] | [14] | [15] | [9] | [21] | [22] | [39] | [40] | [13] | [27] |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Advanced features | | | | | | | | | | | |
| On/off-line | Off | Off | Off | Off | On | Off | Off | Off | Off | On | Off |
| Conditional-traceability | Yes | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
| Date attachability | Yes | No | No | No | Yes | Yes | No | No | No | No | Yes |
| No-swindling | Yes | No | No | No | — | No | Yes | No | No | — | No |
| Renewal protocol | Yes | — | Yes | — | No | Yes | Yes | — | — | — | Yes |
| Formal proof | Yes | Yes | No | Yes | No | No | Yes | Yes | Yes | Yes | No |
| Performance | | | | | | | | | | | |
| Transaction cost ⋆ | 5E+7M+7H+1inv+1A ≈ 1454M | 14E+14M+1H+5A ≈ 3375M | 6E+8M ≈ 1448M | 23E+14M+1A ≈ 5534M | 2E+2M+2H ≈ 966M | 5E+9M+1H+1inv+2A ≈ 1450M | 2E ≈ 480M | 18E+15M+2H+8A ≈ 4337M | 31E+22M+6H+10A ≈ 7468M | 22E+11M+4A ≈ 5291M | 6E+8M+1H ≈ 1449M |
| Communication cost | 1092 | 576 | 1288 | 939 | 769 | 644 | 300 | 828 | 968 | 1536 | 728 |

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
Communication cost: the communication cost of each transaction at the user side, in bytes.
5.2 Performance Comparisons. According to [41], we can summarize the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times that of a modular multiplication, while the cost of a modular inversion almost equals that of a modular exponentiation. Also, the cost of a hash operation almost equals that of a modular multiplication.
With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme is 1452 times that of a modular multiplication, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291 and 1449 modular multiplications, respectively, to finish the withdrawal and payment phases at the user end.
According to [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512 and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and the one-way hash function used in all protocols, respectively; therefore the signed message and the hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.
With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.
The details of the comparisons are summarized in Table 1.
6 Conclusion
In this paper, we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol, where users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient in terms of the computation cost at the user side while satisfying all security properties simultaneously. In addition to anonymity, unlinkability, unforgeability and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank manage its huge databases against unlimited growth, but it also strengthens the preservation of users' privacy and rights.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.
References
[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.
[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.
[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.
[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.
[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.
[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.
[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man, and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.
[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.
[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.
[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.
[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.
[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.
[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.
[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.
[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.
[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.
[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.
[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology-CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.
[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.
[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.
[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.
[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.
[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.
[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.
[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.
[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology-CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.
[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.
[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.
[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.
[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs, white paper, Mobile Platform Group, Intel Corporation, 2002.
[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.
[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.
[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.
[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.
[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.
[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.
[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.
Figure 2: Payment protocol (message flow between User and Shop).
(2) Shop → User: $r_s$.
The shop first checks $D$ to verify whether the e-cash is still within its expiration date. If not, it terminates the transaction. Otherwise, it continues to verify $s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$. If this does not hold, the protocol is aborted; otherwise the shop selects a string $r'_s \in_R \{0, 1\}^{l_{r_j}}$ and sets a challenge $r_s = (\mathrm{ID}_s, r'_s)$, where $\mathrm{ID}_s$ is the identity of the shop. Finally, it sends $r_s$ to the user.
(3) User → Shop: $(s', r_u)$.
After receiving $r_s$ from the shop, the user randomly selects $r_u \in_R \mathbb{Z}_q^*$ and computes a response to the challenge
$$s' = (r_1 - u x_1) \bmod q, \qquad (6)$$
where $u = H_4(r_u, r_s)$. Then the user sends $(s', r_u)$ to the shop.
(4) Verifications.
After receiving $(s', r_u)$ from the user, the shop verifies whether $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \pmod p$ holds. If it does, the shop accepts the e-cash; otherwise, it rejects it. Since it is an offline e-cash, the shop does not have to deposit it to the bank immediately; it can store the e-cash and deposit it later together with other received e-cash(s).
3.2.4 Deposit Protocol. As Figure 3 shows, in this protocol shops attach the deposit date to their e-cash(s) and deposit them to banks. Banks perform double-spending checks when they receive these e-cash(s). If any e-cash is double-spent, the bank revokes the anonymity of the e-cash owner with the help of the judge. The steps are described in detail as follows.
(1) Shop → Bank: $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$.
The shop computes $r_4 = r_2 - x_2 H_5(d)$, where $d$ is the deposit date, and sends $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$ to the bank.
(2) Verifications.
Firstly, the bank checks the correctness of the expiration date $D$ and the deposit date $d$, respectively, and also checks whether
$$w_2 = y_2^{H_5(d)} g_2^{r_4} \bmod p, \qquad w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \bmod p \qquad (7)$$
hold. Secondly, the bank verifies whether $s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$ and checks the uniqueness of $(s, m, \sigma, D)$. Finally, if all of the above checks succeed, the bank accepts and stores the e-cash in its database and records $H_1(m, D)$ in the exchange list. Otherwise, it rejects this transaction and traces the owner of the e-cash.
3.2.5 E-Cash Renewal Protocol. To mitigate the unlimited-growth problem of the bank's database, our scheme includes an expiration date and a renewal protocol, as shown in Figure 4. When an unused e-cash has expired, the user has to exchange it for another e-cash with a new expiration date from the bank.
(1) User → Bank: $(s, \rho, \sigma, D)$.
The user recalls $m = (y_1, w_1, y_2, w_2, x_2, r_3)$, prepares
$$\rho = H_1(m, D) \qquad (8)$$
and sends it together with the unused $(s, \sigma, D)$ to the bank.
(2) Verifications.
Firstly, the bank checks the correctness of the expiration date $D$ and makes sure $\rho$ does not exist in the exchange list. Secondly, the bank verifies whether $s^{e_b} H_1(\rho) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$. Finally, if all of the above checks succeed, the bank accepts to exchange the e-cash: it sends a new expiration date $D'$ and stores $\rho$ in the exchange list. Otherwise, it rejects the exchange request.
(3) User → Bank: $(\alpha, \epsilon)$.
The user computes
$$\alpha = \big[a^{e_b} H_1^2(m', D')\big]^{-1} \bmod n_b, \qquad (9)$$
where $m' = (y_1, w_1, y_2, w_2, x_2, r'_3)$, $r'_3$ is a random number, and $D'$ is the new expiration date issued by the bank. The user sends $(\alpha, \epsilon, \mathrm{ID}_c)$ to the bank. Then the bank repeats the withdrawal protocol in Section 3.2.2 from Step 2 with the user.

Figure 3: Deposit protocol (message flow between Shop and Bank).

Figure 4: E-cash renewal protocol (message flow between User and Bank).
3.2.6 Double-Spending Checking and Anonymity Control. In our scheme, the identity of a user is anonymous in general, except when the user violates a security rule, in which case the identity will be revealed.
(1) Double-Spending Checking.
When an e-cash is doubly spent, there must be two records with the same prefix $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$ stored in the database of the bank. Therefore, the bank is able to detect any double-spent e-cash easily by checking the above parameters. For instance, suppose the bank has received two e-cash(s)
$$(s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, s', r_u, r_s), \qquad (s, y_1, w_1, y_2, w_2, x_2, r_3, \bar{r}_4, \sigma, D, \bar{d}, \bar{s}', \bar{r}_u, \bar{r}_s). \qquad (10)$$
Thus the bank can obtain the following two equations:
$$s' \equiv r_1 - H_4(r_u, r_s)\,x_1 \pmod q, \qquad \bar{s}' \equiv r_1 - H_4(\bar{r}_u, \bar{r}_s)\,x_1 \pmod q. \qquad (11)$$
The bank can derive $(x_1, r_1)$ from the above equations and send $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ to the judge to trace the owner of the e-cash.
(2) Revocation.
The judge can trace any user who doubly spends e-cash(s) or violates any transaction regulation. When the judge receives $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ from the bank, it checks the following equations:
$$s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}, \qquad y_1 \equiv g_1^{x_1} \pmod p, \qquad w_1 \equiv g_1^{r_1} \pmod p. \qquad (12)$$
If all of the above equalities hold, the judge decrypts $\sigma$ and returns the extracted $\mathrm{ID}_c$ to the bank.

Figure 5: The game environment of the linkage game (a random bit $b$ decides which of $U_0$, $U_1$ outputs $(m_b, \sigma_b)$; $\mathcal{B}$ outputs $b'$ and wins if $b' = b$, with $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = |2\Pr[b' = b] - 1|$).
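The payment response (6), the deposit-date binding checked in (7), and the bank's extraction of $(x_1, r_1)$ from two transcripts in (11) followed by the judge's checks (12), as an added Python example that is not part of the paper; the same two-transcript extraction underlies the simulator's step (26) in the no-swindling proof. Assumptions: toy parameters $p = 2q + 1 = 2039$ with constructed generators, SHA-256 reduced mod $q$ standing in for $H_4$ and $H_5$, and the blind-signature part $(s, \sigma, D)$ of the coin omitted.

```python
"""Toy model of the DAOECS payment, deposit and double-spending check.

Added example, not from the paper: only the Schnorr-style part of the coin is
modelled (the blind signature (s, sigma, D) is omitted), and H_4 / H_5 are
replaced by SHA-256 reduced mod q.  P, Q, G1, G2 are tiny constructed values;
the paper assumes 512-bit p and q (Section 5.2).
"""
import hashlib
import secrets

P, Q = 2039, 1019   # constructed: p = 2q + 1, both prime
G1, G2 = 4, 9       # constructed generators of the order-q subgroup of Z_p^*
assert pow(G1, Q, P) == 1 and pow(G2, Q, P) == 1


def h_mod_q(tag, *parts):
    """Stand-in for H_4 / H_5: SHA-256 of the tagged inputs, reduced mod q."""
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def withdraw_secrets():
    """Values fixed at withdrawal: the public part (y1, w1, y2, w2) of m and
    the user's secrets, with y_k = g_k^{x_k} and w_k = g_k^{r_k} (mod p)."""
    x1, r1, x2, r2 = (secrets.randbelow(Q - 1) + 1 for _ in range(4))
    coin = {"y1": pow(G1, x1, P), "w1": pow(G1, r1, P),
            "y2": pow(G2, x2, P), "w2": pow(G2, r2, P)}
    return coin, {"x1": x1, "r1": r1, "x2": x2, "r2": r2}


def pay(coin, sec, shop_id):
    """Payment protocol (Section 3.2.3), both sides in one function: the shop
    challenges with r_s = (ID_s, r'_s); the user answers with (6),
    s' = r1 - u*x1 mod q where u = H_4(r_u, r_s), and hands over (x2, r2) for
    the later deposit.  Returns the shop's transcript."""
    r_s = (shop_id, secrets.randbits(64))
    r_u = secrets.randbelow(Q - 1) + 1
    u = h_mod_q("H4", r_u, *r_s)
    s_prime = (sec["r1"] - u * sec["x1"]) % Q
    return {"coin": coin, "x2": sec["x2"], "r2": sec["r2"],
            "r_u": r_u, "r_s": r_s, "s_prime": s_prime}


def challenge_hash(t):
    """u = H_4(r_u, r_s) for a payment transcript t."""
    return h_mod_q("H4", t["r_u"], *t["r_s"])


def shop_verify(t):
    """Shop's check: w1 == y1^{H_4(r_u, r_s)} * g1^{s'} (mod p)."""
    c = t["coin"]
    return c["w1"] == pow(c["y1"], challenge_hash(t), P) * pow(G1, t["s_prime"], P) % P


def deposit(t, d):
    """Deposit protocol (Section 3.2.4): the shop binds the deposit date d
    via r4 = r2 - x2*H_5(d) (mod q), using the (x2, r2) received at payment."""
    r4 = (t["r2"] - t["x2"] * h_mod_q("H5", d)) % Q
    return {**t, "d": d, "r4": r4}


def bank_verify(rec):
    """Bank's checks (7): date binding on w2 and the payment response on w1."""
    c = rec["coin"]
    w2_ok = c["w2"] == pow(c["y2"], h_mod_q("H5", rec["d"]), P) * pow(G2, rec["r4"], P) % P
    return w2_ok and shop_verify(rec)


def detect_double_spending(a, b):
    """Two deposits with the same coin prefix but different challenges give the
    two equations (11): s'_a = r1 - u_a*x1 and s'_b = r1 - u_b*x1 (mod q), so
    the bank solves for (x1, r1).  Returns None when there is nothing to trace."""
    if a["coin"] != b["coin"]:
        return None
    u_a, u_b = challenge_hash(a), challenge_hash(b)
    if u_a == u_b:
        return None   # identical challenge: one payment deposited twice, not two spends
    x1 = (a["s_prime"] - b["s_prime"]) * pow(u_b - u_a, -1, Q) % Q
    r1 = (a["s_prime"] + u_a * x1) % Q
    return x1, r1


def judge_check(coin, x1, r1):
    """Judge's checks from (12) on the extracted pair: y1 == g1^{x1}, w1 == g1^{r1}."""
    return coin["y1"] == pow(G1, x1, P) and coin["w1"] == pow(G1, r1, P)


def demo():
    """Spend one coin at two shops; the bank links the deposits and extracts (x1, r1)."""
    coin, sec = withdraw_secrets()
    t1 = pay(coin, sec, "shop-A")
    t2 = pay(coin, sec, "shop-B")
    while challenge_hash(t2) == challenge_hash(t1):   # 1/q chance with this toy q
        t2 = pay(coin, sec, "shop-B")                 # shop re-issues a fresh challenge
    rec1, rec2 = deposit(t1, "2014-05-18"), deposit(t2, "2014-05-19")
    extracted = detect_double_spending(rec1, rec2)
    return (shop_verify(t1), bank_verify(rec1), bank_verify(rec2),
            extracted is not None and judge_check(coin, *extracted),
            extracted == (sec["x1"], sec["r1"]))
```

Running `demo()` returns `(True, True, True, True, True)`: both shops accept, both deposits verify, and the linked deposits yield exactly the user's $(x_1, r_1)$, which is why a double spender loses anonymity while a single honest payment reveals nothing about $x_1$.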
4 Security Proofs
In this section, we provide security definitions and formal proofs of the following security features of our proposed date attachable offline electronic cash scheme (DAOECS): unlinkability, unforgeability, traceability and no-swindling.
4.1 E-Cash Unlinkability. Based on the definition of unlinkability introduced by Abe and Okamoto [35] and Juels et al. [36], we formally define the unlinkability property of DAOECS.
Definition 1 (The Linkage Game). Let $U_0$, $U_1$ and $\mathcal{J}$ be two honest users and the judge that follow DAOECS, respectively. Let $\mathcal{B}$ be the bank that participates in the following game with $U_0$, $U_1$ and $\mathcal{J}$. The game environment is shown in Figure 5.
Step 1. According to DAOECS, $\mathcal{B}$ generates the bank's public key $(e_b, n_b)$, the bank's private key $(d_b, p_b, q_b)$, the system parameters $(p, q, g_1, g_2)$, the expiration date $D$ and the five public one-way hash functions $H_1, H_2, H_3, H_4$ and $H_5$. $\mathcal{J}$ generates the judge's public-private key pair $(pk_j, sk_j)$.
Step 2. $\mathcal{B}$ generates $x_{1i}, x_{2i}, r_{1i}, r_{2i}, r_{3i}$ at random, where $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q-1\}$, and computes $(y_{ki}, w_{ki})$ for $k = 1, 2$ and $i = 0, 1$, where $y_{ki} = g_k^{x_k} \bmod p$ and $w_{ki} = g_k^{r_k} \bmod p$.
Step 3. We choose a bit $b \in \{0, 1\}$ at random and place $(y_{1b}, w_{1b}, y_{2b}, w_{2b})$ and $(y_{1,1-b}, w_{1,1-b}, y_{2,1-b}, w_{2,1-b})$ on the private input tapes of $U_0$ and $U_1$, respectively, where $b$ is not disclosed to $\mathcal{B}$.
Step 4. $\mathcal{B}$ performs the withdrawal protocol of DAOECS with $U_0$ and $U_1$, respectively.
Step 5. If $U_0$ and $U_1$ output two e-cash(s) $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$, where $m_i = (y_{1i}, w_{1i}, y_{2i}, w_{2i}, r_{3i})$, on their private tapes, respectively, we give the two e-cash(s) in a random order to $\mathcal{B}$; otherwise $\perp$ is given to $\mathcal{B}$.

Algorithm 1: Experiment FG-1.
Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k)$:
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $\{(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1})\} \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s_i^{e_b} H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod{n_b}$ for all $i \in \{1, \ldots, \ell+1\}$;
        (ii) $m_1, \ldots, m_{\ell+1}$ are all distinct;
    else return 0.
Step 6 B outputs 1015840 isin 0 1 as the guess of The bank B
wins the game if 1015840 = andJ has not revoked the anonymityof (119904
119887 119898
119887 120590
119887 119863
119887) and (119904
1minus119887 119898
1minus119887 120590
1minus119887 119863
1minus119887) toB We define
the advantage ofB as
AdvLinkabilityDAOECS (B) =
100381610038161003816100381610038162Pr [1015840 = ] minus 1
10038161003816100381610038161003816 (13)
where Pr[1015840 = ] denotes the probability of 1015840 =
Definition 2 (Unlinkability) A DAOECS satisfiesthe unlinkability property if and only if the advantageAdvLinkability
DAOECS(B) defined in Definition 1 is negligible
Theorem 3 ADAOECS satisfies the unlinkability propertyof Definition 2 if the adopted cryptosystems are semanticallysecure
Proof If B is given perp in the Step 5 of the game it willdetermine with probability 12 which is exactly the sameas a random guess of
Here we assume that B gets two e-cash (1199040 119898
0 120590
0 119863
0)
and (1199041 119898
1 120590
1 119863
1) Let (120572
119894 120573
119894 119905119894 120598119894 119864
119896119894(119887119894 120590
119894 119903119895119894)) 119894 isin
$\{0, 1\}$, be the view of data exchanged between $U_i$ and $B$ in the withdrawal protocol (Section 3.2.2), and let $(x_{2i}, r_{2i}, r_{4i}, r_{ui}, r_{si}, s'_i, d_i)$ be the view of data exchanged when $B$ performs the payment protocol (Section 3.2.3) and the deposit protocol (Section 3.2.4) by using $(s_i, m_i, \sigma_i, D_i)$, where $i \in \{0, 1\}$. For
$$(s, m, \sigma, D, x_2, r_2, r_4, r_u, r_s, s', d) \in \{(s_0, m_0, \sigma_0, D_0, x_{20}, r_{20}, r_{40}, r_{u0}, r_{s0}, s'_0, d_0),\ (s_1, m_1, \sigma_1, D_1, x_{21}, r_{21}, r_{41}, r_{u1}, r_{s1}, s'_1, d_1)\} \quad (14)$$
and $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{ji}))$, $i \in \{0, 1\}$, there always exists a pair $(a'_i, b'_i)$ such that
$$a'_i = [\alpha_i H_1^2(m, D)]^{-d_b} \bmod n_b \quad \text{(via (1))},$$
$$b'_i = [\beta_i H_3(\sigma, D)]^{-d_b} \bmod n_b \quad \text{(via (2))}. \quad (15)$$
And from (3), $t_i \equiv (\alpha_i \beta_i H_2(D))^{d_b} \pmod{n_b}$ (4) always holds, as
$$s \equiv (a'_i b'_i t_i) \equiv [(H_1^2(m, D)\, H_3(\sigma, D))^{-1} H_2(D)]^{d_b} \pmod{n_b}. \quad (16)$$
Besides, $E_{pk_j}$ and $E_{k_i}$ are semantically secure encryption functions, so $B$ cannot learn any information from $\epsilon_i$ and $E_{k_i}(b_i, \sigma_i, r_{ji})$.

From the above, given any $(s, m, \sigma, D) \in \{(s_0, m_0, \sigma_0, D_0), (s_1, m_1, \sigma_1, D_1)\}$ and $(\alpha_i, \beta_i, t_i)$ where $i \in \{0, 1\}$, there always exists a corresponding pair $(a'_i, b'_i)$ such that (1), (2), (3) and (4) are satisfied. Thus, going back to Step 6 of the game, the bank $B$ succeeds in determining with probability $(1/2) + \varepsilon$, where $\varepsilon$ is negligible since $E_{pk_j}$ and $E_{k_i}$ are semantically secure. Therefore we have $\mathrm{Adv}^{\text{Linkability}}_{\text{DAOECS}}(B) = 2\varepsilon$, which is negligible, so that DAOECS satisfies the unlinkability property.
4.2. E-Cash Unforgeability. In this section we will formally prove that the proposed date attachable offline electronic cash scheme (DAOECS) is secure against forgery attacks. The forgery attack can be roughly divided into two types: one is the typical one-more forgery type (i.e., $(\ell, \ell+1)$-forgery) [37], and the other is the forgery on some specific expiration date of an e-cash after sufficient communications with the signing oracle (i.e., the bank). The details of the definitions and our formal proofs are described as follows.

Definition 4 (Forgery Game 1 in DAOECS (FG-1)). Let $l_k \in \mathbb{N}$ be a security parameter and $A$ be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS and is responsible for issuing e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $A$. $A$ is allowed to query $O_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\text{FG-1}}_A(l_k)$ shown in Algorithm 1. $A$ wins the forgery game FG-1 if the probability $\Pr[\mathrm{Exp}^{\text{FG-1}}_A(l_k) = 1]$ of $A$ is nonnegligible.

Definition 5 (Forgery Game 2 in DAOECS (FG-2)). Let $l_k \in \mathbb{N}$ be a security parameter and $A$ be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS to take charge of the following two events:
(i) issue e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $A$;
(ii) record the total number $\ell_{D_i}$ of each distinct expiration date $D_i$.
$A$ is allowed to query $O_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\text{FG-2}}_A(l_k)$ shown in Algorithm 2. $A$ wins the forgery game FG-2 if the probability $\Pr[\mathrm{Exp}^{\text{FG-2}}_A(k) = 1]$ of $A$ is nonnegligible.

The Scientific World Journal 9

Algorithm 2: Experiment FG-2.
Experiment $\mathrm{Exp}^{\text{FG-2}}_A(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $\{(s_i, m_i, \sigma_i, D^*)\}_{1 \le i \le \ell_{D^*}+1} \leftarrow A^{O_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s_i^{e_b} H_1^2(m_i) H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell_{D^*}+1\}$;
    (ii) $m_1, \ldots, m_{\ell_{D^*}+1}$ are all distinct;
  else return 0.

Algorithm 3.
Experiment $\mathrm{Exp}^{\text{RSA-ACTI}}_A(k)$
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
  $(y_1, \ldots, y_m) \leftarrow O_t(N, e, k)$
  $(\pi, (x_1, y_1), \ldots, (x_n, y_n)) \leftarrow A^{O_{inv}, O_t}(N, e, k)$
  if the following checks are true, return 1:
    (i) $\pi: \{1, \ldots, n\} \rightarrow \{1, \ldots, m\}$ is injective;
    (ii) $x_i^e \equiv y_i \pmod N$, $\forall i \in \{1, \ldots, n\}$;
    (iii) $n > q_h$;
  else return 0.
Here we introduce the hard problems used in our proof models.

Definition 6 (Alternative Formulation of RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let $k \in \mathbb{N}$ be a security parameter and $A$ be an adversary who is allowed to access the RSA-inversion oracle $O_{inv}$ and the target oracle $O_t$. $A$ is allowed to query $O_t$ and $O_{inv}$ for $m$ and $q_h$ times, respectively. Consider Algorithm 3. We say $A$ breaks the RSA-ACTI problem if the probability $\Pr[\mathrm{Exp}^{\text{RSA-ACTI}}_A(k) = 1]$ of $A$ is nonnegligible.

Definition 7 (The RSA Inversion Problem). Given $(e, n)$, where $n$ is the product of two distinct large primes $p$ and $q$ with roughly the same length and $e$ is a positive integer relatively prime to $(p-1)(q-1)$, and a randomly chosen positive integer $y$ less than $n$, find an integer $x$ such that $x^e \equiv y \pmod n$.

Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then DAOECS is secure against forgery attacks.

Theorem 9. For a polynomial-time adversary $A$ who can win FG-1 or FG-2 with nonnegligible probability, there exists another adversary $S$ who can break the RSA-ACTI problem or the RSA inversion problem with nonnegligible probability.
Proof. $S$ simulates the environment and controls three hash oracles $O_{H_1}$, $O_{H_2}$, $O_{H_3}$ and an e-cash producing oracle $O_S$ of the DAOECS scheme to respond to the different queries from $A$ in the random oracle model, and takes advantage of $A$ to solve the RSA-ACTI problem or the RSA inversion problem simultaneously. Then, for consistency, $S$ maintains three lists $L_{H_1}$, $L_{H_2}$ and $L_{H_3}$ to record every response of $O_{H_1}$, $O_{H_2}$ and $O_{H_3}$, respectively.

Here we will start to do the simulation for the two games (i.e., FG-1 and FG-2) to prove that DAOECS is secure against forgery attacks. The details of the simulation are set below and illustrated in Figures 6 and 7, respectively.

Simulation in FG-1. In this proof model, $S$ is allowed to query the oracles $O_{inv}$ (i.e., $(\cdot)^d$) and $O_t$ of the RSA-ACTI problem defined in Definition 6 for helping $S$ to produce e-cash(s), and the corresponding verifying key is $(e, n)$.

(i) $H_1$ Query of $O_{H_1}$. Initially every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $A$ sends $m$ for querying the hash value $H_1(m)$, $S$ will check the list $L_{H_1}$:
  (a) if $m = m_i$ for some $i$, then $S$ retrieves the corresponding $H_1(m_i)$ and returns it to $A$;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $S$ retrieves the corresponding $H_1^2(m_i)$ and returns it to $A$;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $S$ queries $O_t$ to get an instance $y$ and returns it to $A$, then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), y)$ in $L_{H_1}$;
  (d) otherwise, $S$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $L_{H_1}$ and returns $\rho$ to $A$.

(ii) $H_2$ Query of $O_{H_2}$. When $A$ asks for an $H_2$ query by sending $D$ to $S$, $S$ will look up the list $L_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $S$ will send $(\tau^e \bmod n)$ back to $A$;
  (b) otherwise, $S$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$ and return $(\tau^e \bmod n)$ back to $A$.

(iii) $H_3$ Query of $O_{H_3}$. When $A$ sends $(\sigma, D)$ to $S$ for $H_3(\sigma, D)$, $S$ will look up the list $L_{H_3}$:
[Figure 6: The proof model of FG-1.]

[Figure 7: The proof model of FG-2.]
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ will be retrieved and $(\eta^e \bmod n)$ will be returned to $A$;
  (b) otherwise, $S$ will select a random $\eta \in \mathbb{Z}_n$, record $((\sigma, D), \eta)$ in $L_{H_3}$ and return $(\eta^e \bmod n)$ back to $A$.

(iv) E-Cash Producing Query of $O_S$. When $A$ sends $(\alpha, \epsilon, D)$ to $S$, $S$ will do the following steps:
  (1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e \bmod n)$ and store $((\sigma, D), \eta)$ in $L_{H_3}$;
  (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \eta^e)^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $O_{H_2}$ query described above;
  (6) send $(\alpha\beta\tau^e)$ to the oracle $O_{inv}$ to get $t = (\alpha\beta\tau^e)^d \bmod n$;
  (7) return $(t, E_k(b, \sigma, r_j))$ back to $A$.
Eventually, assume that $A$ can successfully output $\ell + 1$ e-cash tuples
$$(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \quad (17)$$
where the $m_i$ are all distinct, $\forall i$, $1 \le i \le \ell + 1$, such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) = H_2(D_i) \pmod n$, after $\ell$ queries to $O_S$, with nonnegligible probability $\epsilon_A$. According to $L_{H_1}$, $L_{H_2}$ and $L_{H_3}$, $S$ can compute and retrieve the RSA-inversion instances ($\forall i$, $1 \le i \le \ell + 1$)
$$(y_i)^d \equiv (H_1^2(m_i))^d \equiv s_i^{-1} (H_3(\sigma_i, D_i)^{-1} H_2(D_i))^d \equiv s_i^{-1} \eta_i^{-1} (\tau_i) \pmod n. \quad (18)$$
Via $A$ querying the signing oracle $O_S$ for $\ell$ times (i.e., $S$ querying $O_{inv}$ for $\ell$ times), $S$ can output $\ell + 1$ RSA-inversion instances
$$(s_1^{-1} \eta_1^{-1} (\tau_1), y_1),\ (s_2^{-1} \eta_2^{-1} (\tau_2), y_2),\ \ldots,\ (s_{\ell+1}^{-1} \eta_{\ell+1}^{-1} (\tau_{\ell+1}), y_{\ell+1}) \quad (19)$$
and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_A$.
Simulation in FG-2. Initially, $S$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.

(i) $H_1$ Query of $O_{H_1}$. Initially every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $A$ sends $m$ for querying the hash value $H_1(m)$, $S$ will check the list $L_{H_1}$:
  (a) if $m = m_i$ for some $i$, then $S$ retrieves the corresponding $\rho_i$ and returns it to $A$;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $S$ retrieves the corresponding $\varsigma$ and returns $(\varsigma^e \bmod n)$ to $A$;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $S$ selects a random $\varsigma \in \mathbb{Z}_n$, returns $(\varsigma^e \bmod n)$ to $A$ and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $L_{H_1}$;
  (d) otherwise, $S$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $L_{H_1}$ and returns $\rho$ to $A$.

(ii) $H_2$ Query of $O_{H_2}$. When $A$ asks for an $H_2$ query by sending $D$ to $S$, $S$ will look up the list $L_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $S$ will send $(\tau^e \bmod n)$ back to $A$;
  (b) otherwise, $S$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$ and return $(\tau^e \bmod n)$ back to $A$.

(iii) $H_3$ Query of $O_{H_3}$. When $A$ sends $(\sigma, D)$ to $S$ for $H_3(\sigma, D)$, $S$ will look up the list $L_{H_3}$:
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ will be retrieved and returned to $A$;
  (b) otherwise, $S$ will select a random $\eta \in \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e y \bmod n)$, record $((\sigma, D), \eta, H_3(\sigma, D))$ in $L_{H_3}$ and return $H_3(\sigma, D)$ back to $A$.

(iv) E-Cash Producing Query of $O_S$. Let $\ell_{D_i}$ be a counter recording the number of queries on each expiration date $D_i$, initialized to 0. When $A$ sends $(\alpha, \epsilon, D)$ to $S$, $S$ will do the following steps:
  (1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^e \bmod n)$ and store $((\sigma, D), \perp, (\alpha\eta^e \bmod n))$ and $(\sigma, D)$ in $L_{H_3}$ and $L_x$, respectively;
  (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $O_{H_2}$ query described above;
  (6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv ((b\eta)^{-1} \tau) \pmod n$;
  (7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ back to $A$.

Eventually, assume that $A$ can successfully output $\ell_{D'} + 1$ e-cash tuples for some expiration date $D'$,
$$(s_1, m_1, \sigma_1, D'), \ldots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D') \quad (20)$$
such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D') = H_2(D') \pmod n$, $\forall i$, $1 \le i \le \ell_{D'} + 1$, after $\ell_{D'}$ queries to $O_S$ on $D'$, with nonnegligible probability $\epsilon_A$.

Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'} + 1$, is not recorded in $L_x$; then by $L_{H_1}$, $L_{H_2}$ and $L_{H_3}$, $S$ can compute and retrieve
$$(s_i)^e \equiv (H_1^2(m_i) H_3(\sigma_i, D'))^{-1} H_2(D') \equiv ((\varsigma_i^e)(\eta_i^e y))^{-1} (\tau_i^e) \pmod n,$$
$$x \equiv y^d \equiv (s_i \varsigma_i \eta_i)^{-1} \tau_i \pmod n, \quad (21)$$
and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_A$.
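As an added illustration (it is not code from the paper), the following Python replays the FG-2 simulation above on a constructed toy RSA instance: $S$ programs every adversarial $H_3$ value as $\eta^e y$, answers $O_S$ queries without the bank's $d$ exactly as in step (6), and applies (21) to a forged coin whose $(\sigma, D)$ is outside $L_x$ to recover $y^d$. The forger is a stand-in that simply uses the bank's $d$, which the reduction is never given; $H_1^2(m)$ is taken as $H_1(H_1(m))$, as cases (b) and (c) of the $H_1$ oracle imply; the primes, the dictionary-based random oracles, the message and $\sigma$ strings and the expiration date are all constructed for this example, and $\sigma$ stands in for $E_{pk_j}(\mathrm{ID}, r_j)$.

```python
import random
from math import gcd

# Constructed toy RSA instance (small primes, illustration only; not secure).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D_BANK = pow(E, -1, (P - 1) * (Q - 1))   # the bank's d; the simulator S never uses it

rng = random.Random(7)


def rand_unit(n: int) -> int:
    """Random element of Z_n^*, so every value S picks is invertible mod n."""
    while True:
        v = rng.randrange(2, n)
        if gcd(v, n) == 1:
            return v


def inv(a: int) -> int:
    return pow(a, -1, N)


class FG2Simulator:
    """S of the FG-2 simulation: holds an RSA-inversion instance (y, e, n) and
    programs the random oracles H1, H2, H3 (kept as Python dicts, an assumption)."""

    def __init__(self, y: int):
        self.y = y
        self.LH1 = {}     # m -> [rho, zeta]: H1(m) = rho and H1^2(m) = zeta^e
        self.LH2 = {}     # D -> tau: H2(D) = tau^e
        self.LH3 = {}     # (sigma, D) -> (eta, H3 value)
        self.Lx = set()   # (sigma, D) programmed by O_S: H3 = alpha * eta^e, no y inside
        self.coins = 0

    # (i) H1 query: a message yields rho; rho itself (i.e. H1(H1(m))) yields zeta^e.
    def H1(self, m):
        if m in self.LH1:                       # (a)
            return self.LH1[m][0]
        for rec in self.LH1.values():           # (b)/(c): m equals some H1(m_i)
            if m == rec[0]:
                if rec[1] is None:
                    rec[1] = rand_unit(N)
                return pow(rec[1], E, N)
        rho = rand_unit(N)                      # (d)
        self.LH1[m] = [rho, None]
        return rho

    def H1sq(self, m):
        return self.H1(self.H1(m))

    # (ii) H2 query: H2(D) = tau^e with tau recorded in L_H2.
    def H2(self, D):
        if D not in self.LH2:
            self.LH2[D] = rand_unit(N)
        return pow(self.LH2[D], E, N)

    # (iii) H3 query from A: H3(sigma, D) = eta^e * y, so the value hides y.
    def H3(self, sigma, D):
        if (sigma, D) not in self.LH3:
            eta = rand_unit(N)
            self.LH3[(sigma, D)] = (eta, pow(eta, E, N) * self.y % N)
        return self.LH3[(sigma, D)][1]

    # (iv) e-cash producing query, steps (3)-(6); no d is needed because H3 is programmed.
    def O_S(self, alpha, D):
        self.coins += 1
        sigma = f"sigma-{self.coins}"           # stands in for E_pk_j(ID, r_j) (assumption)
        eta = rand_unit(N)
        self.LH3[(sigma, D)] = (eta, alpha * pow(eta, E, N) % N)
        self.Lx.add((sigma, D))
        b = rand_unit(N)
        beta = inv(pow(b, E, N) * alpha % N * pow(eta, E, N) % N)
        if D not in self.LH2:
            self.LH2[D] = rand_unit(N)
        tau = self.LH2[D]
        t = inv(b * eta % N) * tau % N          # t = (alpha beta tau^e)^d = (b eta)^-1 tau
        return t, beta, sigma

    # Check (i) of Algorithm 2 for a single coin.
    def verify(self, s, m, sigma, D):
        return pow(s, E, N) * self.H1sq(m) % N * self.H3(sigma, D) % N == self.H2(D)

    # Equation (21): a valid coin whose (sigma, D) lies outside L_x yields y^d.
    def extract(self, s, m, sigma, D):
        if (sigma, D) in self.Lx:
            raise ValueError("(sigma, D) was issued by O_S; (21) does not apply")
        self.H1sq(m)                            # ensures zeta is assigned
        zeta = self.LH1[m][1]
        eta = self.LH3[(sigma, D)][0]
        tau = self.LH2[D]
        return inv(s * zeta % N * eta % N) * tau % N


def forger_with_bank_key(sim, m, sigma, D):
    """Stand-in for a winning FG-2 adversary: it uses the bank's d (which S lacks)
    to produce a coin on a (sigma, D) that O_S never issued."""
    h = sim.H1sq(m) * sim.H3(sigma, D) % N
    return pow(inv(h) * sim.H2(D) % N, D_BANK, N)


def run_reduction():
    y = rand_unit(N)                            # the RSA-inversion challenge
    sim = FG2Simulator(y)
    date = "2014-12-31"                         # constructed expiration date D
    # An O_S-issued coin: t is a correct RSA signature on alpha*beta*H2(D), made without d.
    alpha = rand_unit(N)
    t, beta, _ = sim.O_S(alpha, date)
    issued_ok = pow(t, E, N) == alpha * beta % N * sim.H2(date) % N
    # A forged coin on a fresh sigma', i.e. outside L_x, followed by extraction via (21).
    s = forger_with_bank_key(sim, "coin-m1", "sigma-forged", date)
    forged_ok = sim.verify(s, "coin-m1", "sigma-forged", date)
    x = sim.extract(s, "coin-m1", "sigma-forged", date)
    return issued_ok, forged_ok, pow(x, E, N) == y


if __name__ == "__main__":
    print(run_reduction())
```

The three booleans returned by `run_reduction` correspond to the three facts the simulation relies on: $O_S$ can sign correctly without $d$, the stand-in forgery passes check (i) of Algorithm 2, and the value extracted by (21) is an $e$-th root of $y$.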
4.3. E-Cash Conditional-Traceability. In this section we will prove that the ID information embedded in e-cash(s) cannot be replaced or removed by any user in order to avoid being traced after some misbehavior or crime. The details of our proof model are illustrated in Figure 8.
Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $A$ be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS to record parameters from the queries of $A$ and to issue e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $A$ is allowed to query $O_S$ for $\ell$ times; consider Algorithm 4. $A$ wins the game if the probability $\Pr[\mathrm{Exp}^{\text{TG}}_A(k) = 1]$ of $A$ is nonnegligible.

[Figure 8: The proof model of TG.]

Algorithm 4.
Experiment $\mathrm{Exp}^{\text{TG}}_A(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s', m', \sigma', D') \leftarrow A^{O_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
  $\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow O_S$
  if the following two checks are true, return 1:
    (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$;
    (ii) $s'^{e} H_1^2(m') H_3(\sigma', D') = H_2(D') \bmod n$;
  else return 0.
Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies E-Cash Traceability.

Definition 12 (Alternative Formulation of RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $A$ be an adversary who is allowed to access the RSA-inversion oracle $O_{inv}$ and the target oracle $O_t$. $A$ is allowed to query $O_t$ and $O_{inv}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5. We say $A$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\text{RSA-AKTI}}_A(k) = 1]$ of $A$ is nonnegligible.
Theorem 13. For a polynomial-time adversary $A$ who can win the tracing game TG with nonnegligible probability, there exists another adversary $S$ who can break the RSA-AKTI problem with nonnegligible probability.

Algorithm 5.
Experiment $\mathrm{Exp}^{\text{RSA-AKTI}}_A(k)$
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
  $(y_1, \ldots, y_{q_t}) \leftarrow O_t(N, e, k)$
  $((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow A^{O_{inv}, O_t}(N, e, k)$
  if $x_i^e \equiv y_i \pmod N$, $\forall i \in \{1, \ldots, q_t\}$, return 1;
  else return 0.
Proof. $S$ simulates the environment of DAOECS by controlling three hash oracles $O_{H_1}$, $O_{H_2}$, $O_{H_3}$ to respond to hash queries and an e-cash producing oracle $O_S$ of DAOECS to respond to e-cash producing queries from $A$, respectively, in the random oracle model. Eventually $S$ will take advantage of $A$'s capability to solve the RSA-AKTI problem. Then, for consistency, $S$ maintains three lists $L_{H_1}$, $L_{H_2}$ and $L_{H_3}$ to record every response of $O_{H_1}$, $O_{H_2}$ and $O_{H_3}$, respectively.

Besides, in the proof model $S$ is allowed to query the oracles $O_{inv}$ (i.e., $(\cdot)^d$) and $O_t$ of the RSA-AKTI problem defined in Definition 12 for helping $S$ produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.

Here we will do the simulation for game TG to prove that DAOECS satisfies the e-cash traceability. Details are described as follows.

(i) $H_1$ Query of $O_{H_1}$. Initially every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $A$ sends $m$ for querying the hash value $H_1(m)$, $S$ will check the list $L_{H_1}$:
  (a) if $m = m_i$ for some $i$, then $S$ retrieves the corresponding $H_1(m_i)$ and returns it to $A$;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $S$ retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^e \bmod n)$ to $A$;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $S$ chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^e \bmod n)$ and returns $H_1^2(m_i)$ to $A$, then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $L_{H_1}$;
  (d) otherwise, $S$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m_i) = \rho$, records $(m, H_1(m_i), \perp)$ in $L_{H_1}$ and returns $\rho$ to $A$.

(ii) $H_2$ Query of $O_{H_2}$. When $A$ asks for an $H_2$ query by sending $D$ to $S$, $S$ will look up the list $L_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $S$ will send $(\tau^e \bmod n)$ back to $A$;
  (b) otherwise, $S$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$ and return $(\tau^e \bmod n)$ back to $A$.

(iii) $H_3$ Query of $O_{H_3}$. When $A$ sends $(\sigma, D)$ to $S$ for $H_3(\sigma, D)$, $S$ will look up the list $L_{H_3}$:
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to $A$;
  (b) otherwise, $S$ will query $O_t$ to get an instance $y$ and record $y$ and $((\sigma, D), y)$ in $L_T$ and $L_{H_3}$, respectively;
  (c) return $y$ back to $A$.

(iv) E-Cash Producing Query of $O_S$. When $A$ sends $(\alpha, \epsilon, D)$ to $S$, $S$ will do the following steps:
  (1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^e \bmod n)$ and store $((\sigma, D), H_3(\sigma, D))$ in $L_{H_3}$;
  (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $O_{H_2}$ query described above;
  (6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv ((b\eta)^{-1} \tau) \pmod n$;
  (7) return $(t, E_k(b, \sigma, r_j))$ back to $A$.

Assume that $A$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of some $O_S$ query, such that $s'^{e} H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$; then by $L_{H_1}$, $L_{H_2}$ and $L_{H_3}$, $S$ can derive
$$(y')^d \equiv (H_3(\sigma', D'))^d \equiv s'^{-1} (H_1^2(m')^{-1} H_2(D'))^d \equiv s'^{-1} \varsigma'^{-1} \tau' \pmod n. \quad (22)$$
Let $|L_T| = q_t$ and $L_T = \{y_1, \ldots, y_{q_t}\}$. $S$ sends $y_i \in (L_T - \{y'\})$, $1 \le i \le (q_t - 1)$, to $O_{inv}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$. Eventually $S$ can output $q_t$ RSA-inversion instances
$$(x_1, y_1), (x_2, y_2), \ldots, (x_{q_t-1}, y_{q_t-1}), ((s'^{-1} \varsigma'^{-1} \tau'), y') \quad (23)$$
after querying $O_{inv}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_A$.
4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has been spent in a previous transaction, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model the merchant may accept a transaction involving a double-spent e-cash first and then do the double-spending check later. In this case the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two events:
(i) no one except the real owner can spend a fresh and valid offline e-cash successfully;
(ii) no one can double-spend an e-cash successfully.
Roughly, this can be referred to as the e-cash no-swindling property. In this section we will define the no-swindling property and formally prove that our scheme is secure against swindling attacks.
Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $A$ be an adversary in DAOECS. $O_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $A$. $O_{off}$ is an oracle to show the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively. $A$ wins the game if the probability $\Pr[\mathrm{Exp}^{\text{SWG-1}}_A(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\text{SWG-2}}_A(l_k) = 1]$ of $A$ is nonnegligible.
Algorithm 6: Experiment SWG-1.
Experiment $\mathrm{Exp}^{\text{SWG-1}}_A(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow A^{O_B, O_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b} H_1^2(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3)\, H_3(\sigma, D) = H_2(D) \bmod n_b$;
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ has never been a query to $O_{off}$;
  else return 0.

Algorithm 7: Experiment SWG-2.
Experiment $\mathrm{Exp}^{\text{SWG-2}}_A(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow A^{O_B, O_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b} H_1^2(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3)\, H_3(\sigma, D) = H_2(D) \bmod n_b$;
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $O_{off}$ once;
    (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ is not obtained from $O_{off}$;
  else return 0.
Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $A$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $S$ who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. $S$ simulates the environment by controlling the hash oracle $O_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually $S$ will take advantage of $A$'s capability to solve the discrete logarithm problem. Then, for consistency, $S$ maintains a list $L_{H_4}$ to record every response of $O_{H_4}$. $S$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we will describe the simulations for the two experiments $\mathrm{Exp}^{\text{SWG-1}}_A$ and $\mathrm{Exp}^{\text{SWG-2}}_A$ individually.

The simulation for $\mathrm{Exp}^{\text{SWG-1}}_A$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $O_B$. Initially $S$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $A$ sends the $i$-th query to $O_B$ for an e-cash, $O_B$ will do the following:
  (a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
  (b) if $i = \nu$: (1) compute $(w_1 = (y^*)^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
  (c) if $i \neq \nu$: (1) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
  (d) prepare $s = ((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D))^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
  (e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $L_B$ and return $(s, m, \sigma, D)$ to $A$.

(ii) Oracle $O_{off}$. When $A$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $O_{off}$, it will look up the list $L_B$:
  (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
  (b) otherwise, $O_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $A$.
Assume that $A$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $L_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*}$, $S$ can derive
$$x^* = (r_1^*)^{-1} (x_1^* H_4(r_u^*, r_s^*) + s'^*) \bmod q \quad (24)$$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{O_B})\epsilon_A$, where $q_{O_B}$ is the total number of $O_B$ queries.

[Figure 9: The proof model of SWG-1.]
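As an added illustration (not code from the paper), the following Python replays the SWG-1 simulation above on a constructed toy Schnorr-type group: $O_B$ embeds $y^*$ into the $\nu$-th coin as $w_1 = (y^*)^{r_1}$, $O_{off}$ expands every other coin honestly with $s' = r_1 - u x_1 \bmod q$, and (24) recovers $x^*$ from any valid expansion of the target coin. The adversary is a stand-in that opens the target coin using $\log_g w_1 = x^* r_1$, knowledge $S$ does not have; $H_4$ is modelled as SHA-256 reduced into $\mathbb{Z}_q$ (SWG-1 does not program $H_4$), the group parameters, $r_s$ values and index $\nu$ are constructed, and the coin fields that (24) does not use ($w_2, y_2, r_3, \sigma, D, s$) are left out.

```python
import hashlib
import random

# Constructed toy Schnorr-type group (illustration only): p = 2q + 1, g of prime order q.
P, Q, G = 2039, 1019, 4
rng = random.Random(11)


def H4(r_u, r_s):
    """H4 modelled as SHA-256 reduced into Z_q (an assumption of this example)."""
    return int(hashlib.sha256(f"{r_u}|{r_s}".encode()).hexdigest(), 16) % Q


def opens_correctly(w1, y1, r_u, r_s, s_prime):
    """The w1 part of check (i) in Algorithm 6: w1 == y1^{H4(r_u, r_s)} * g^{s'} mod p."""
    return w1 == pow(y1, H4(r_u, r_s), P) * pow(G, s_prime, P) % P


class SWG1Simulator:
    """S for SWG-1: embeds the DL instance y* = g^{x*} into the nu-th generic e-cash.
    Only the fields (24) needs, (w1, y1) and (r1, x1), are kept in L_B."""

    def __init__(self, y_star, nu):
        self.y_star, self.nu = y_star, nu
        self.LB = {}      # i -> ((w1, y1), (r1, x1))
        self.i = 0

    def O_B(self):
        """Steps (a)-(e): w1 = (y*)^{r1} for the target index, g^{r1} otherwise."""
        self.i += 1
        r1, x1 = rng.randrange(1, Q), rng.randrange(1, Q)
        y1 = pow(G, x1, P)
        w1 = pow(self.y_star if self.i == self.nu else G, r1, P)
        self.LB[self.i] = ((w1, y1), (r1, x1))
        return self.i, (w1, y1)

    def O_off(self, i, r_s):
        """Step (ii): abort on the target index, else expand with s' = r1 - u*x1 mod q."""
        if i == self.nu:
            return None
        (_, _), (r1, x1) = self.LB[i]
        r_u = rng.randrange(1, Q)
        s_prime = (r1 - H4(r_u, r_s) * x1) % Q
        return r_u, s_prime

    def extract(self, i, r_u, r_s, s_prime):
        """Equation (24): x* = (r1)^{-1} (x1 * H4(r_u, r_s) + s') mod q."""
        (_, _), (r1, x1) = self.LB[i]
        return pow(r1, -1, Q) * (x1 * H4(r_u, r_s) + s_prime) % Q


def swindler_opening(log_w1, x1, r_s):
    """Stand-in adversary: opens a coin using log_g(w1), knowledge S does not have."""
    r_u = rng.randrange(1, Q)
    return r_u, (log_w1 - H4(r_u, r_s) * x1) % Q


def run_reduction():
    x_star = rng.randrange(1, Q)                # the DL challenge secret
    y_star = pow(G, x_star, P)
    sim = SWG1Simulator(y_star, nu=2)
    coins = [sim.O_B() for _ in range(3)]
    # Coin 1 (i != nu): O_off expands it and the expansion opens w1 correctly.
    i1, (w1, y1) = coins[0]
    r_u, s_p = sim.O_off(i1, r_s=12345)
    honest_ok = opens_correctly(w1, y1, r_u, 12345, s_p)
    # Coin 2 (i == nu): O_off aborts; the stand-in adversary opens it and S extracts x*.
    i2, (w1t, y1t) = coins[1]
    (_, _), (r1, x1) = sim.LB[i2]
    aborted = sim.O_off(i2, r_s=1) is None
    r_u2, s_p2 = swindler_opening(x_star * r1 % Q, x1, r_s=777)   # log_g(w1) = x* r1
    swindle_ok = opens_correctly(w1t, y1t, r_u2, 777, s_p2)
    recovered = sim.extract(i2, r_u2, 777, s_p2)
    return honest_ok, aborted, swindle_ok, recovered == x_star


if __name__ == "__main__":
    print(run_reduction())
```

The last boolean is the content of (24): any opening of the target coin that satisfies check (i) of Algorithm 6 fixes $x^* r_1 \equiv x_1 u + s' \pmod q$, so $S$ divides by $r_1$, which it chose itself, and obtains the discrete logarithm of $y^*$.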
The simulation for $\mathrm{Exp}^{\text{SWG-2}}_A$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $O_B$. Initially $S$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $A$ sends the $i$-th query to $O_B$ for an e-cash, $O_B$ will do the following:
  (a) if $i = \nu$:
    (1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
    (2) compute $(y_1 = (y^*)^{x_1} \bmod p)$ and $(w_1 = y_1^{u} g^{s'} \bmod p)$;
    (3) prepare $s = ((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D))^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
    (4) record $(i, (s, m, \sigma, D), (u, s'))$ in the list $L_B$;
  (b) if $i \neq \nu$:
    (1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
    (2) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
    (3) prepare $s = ((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D))^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
    (4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $L_B$;
  (c) return $(s, m, \sigma, D)$ to $A$.

(ii) Oracle $O_{off}$. A status parameter $sta$ is initialized to 0. When $A$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $O_{off}$, it will look up the list $L_B$:
  (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and $sta = 0$, $O_{off}$ will perform the following procedures:
    (1) set $sta = 1$;
    (2) retrieve the corresponding $(u, s')$ from $L_B$ and choose a random $r_u$;
    (3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $L_H$;
    (4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in the list $L_{off}$;
    (5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $A$;
  (b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $O_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $L_H$, compute $(s' = r_1 - u x_1 \bmod q)$ and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $A$;
  (c) otherwise, abort.

(iii) Oracle $O_{H_4}$. When $A$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $O_{H_4}$ will check the list $L_H$:
  (a) if $(r_u, r_s)$ exists as the prefix of some record, $O_{H_4}$ will retrieve the corresponding $u$ and return it to $A$;
16 The Scientific World Journal
Figure 10: The proof model of SWG-2.
(b) otherwise, $O_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $L_H$, and return $u$ to $A$.

Assume that $A$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $L_B$, and $H_4(r_u^*, r_s^*) = u^*$. Then, via $L_H$, since

$$(y^{*x_1^*})^{u^*} g_1^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g_1^{s'^*} \equiv w_1^* \equiv (y^{*x_1^*})^{u} g_1^{s'} \pmod p, \quad (25)$$

$S$ can derive

$$x^* = \bigl(x_1^*(u^* - u)\bigr)^{-1}(s' - s'^*) \bmod q \quad (26)$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{O_B})\,\epsilon_A$, where $q_{O_B}$ is the total number of $O_B$ queries.
Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. This implies that no ppt adversary can win the swindling game, and hence our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
5 E-Cash Advanced Features and Performance Comparisons

In this section we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13-15, 21, 22, 27, 38-40]. We analyze the features and performance of the aforementioned schemes and summarize them in Table 1.

5.1 Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability and no double-spending. Besides these, there can be other advanced features of an e-cash system discussed in the literature. We focus on three other advanced features, which are traceability, date attachability and no-swindling, and we compare the proposed scheme with the aforementioned schemes.

We also propose an e-cash renewal protocol for users to exchange their unused but expired e-cash(s) for a new valid e-cash; therefore, users do not have to deposit the e-cash before it expires and then withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. This is a great help to users, since their devices, such as smart phones, usually have weaker computation capability.
Table 1: Advanced features and performance comparisons.

Advanced features        | Ours | [38] | [14] | [15] | [9] | [21] | [22] | [39] | [40] | [13] | [27]
On/off-line              | Off  | Off  | Off  | Off  | On  | Off  | Off  | Off  | Off  | On   | Off
Conditional-traceability | Yes  | Yes  | No   | Yes  | No  | Yes  | Yes  | Yes  | Yes  | Yes  | No
Date attachability       | Yes  | No   | No   | No   | Yes | Yes  | No   | No   | No   | No   | Yes
No-swindling             | Yes  | No   | No   | No   | -   | No   | Yes  | No   | No   | -    | No
Renewal protocol         | Yes  | -    | Yes  | -    | No  | Yes  | Yes  | -    | -    | -    | Yes
Formal proof             | Yes  | Yes  | No   | Yes  | No  | No   | Yes  | Yes  | Yes  | Yes  | No

Performance | Transaction cost⋆                     | Communication cost†
Ours        | 5E + 7M + 7H + 1inv + 1A ≈ 1454M      | 1092
[38]        | 14E + 14M + 1H + 5A ≈ 3375M           | 576
[14]        | 6E + 8M ≈ 1448M                       | 1288
[15]        | 23E + 14M + 1A ≈ 5534M                | 939
[9]         | 2E + 2M + 2H ≈ 966M                   | 769
[21]        | 5E + 9M + 1H + 1inv + 2A ≈ 1450M      | 644
[22]        | 2E ≈ 480M                             | 300
[39]        | 18E + 15M + 2H + 8A ≈ 4337M           | 828
[40]        | 31E + 22M + 6H + 10A ≈ 7468M          | 968
[13]        | 22E + 11M + 4A ≈ 5291M                | 1536
[27]        | 6E + 8M + 1H ≈ 1449M                  | 728

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
† The communication cost of each transaction at the user side, in bytes.
5.2 Performance Comparisons. According to [41], we can summarize the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times that of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.

With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be derived as 1452 times that of a modular multiplication, while the other works [9, 13-15, 21, 22, 27, 38-40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 modular multiplications to finish the withdrawal and payment phases at the user end.

According to [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512 and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and the one-way hash function used in all protocols, respectively; therefore the signed message and the hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.

The details of the comparisons are summarized in Table 1.
6 Conclusion

In this paper we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol where users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient from the aspect of the computation cost at the user side while satisfying all security properties simultaneously. Besides anonymity, unlinkability, unforgeability and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank to manage its huge databases against unlimited growth, but it also strengthens the preservation of users' privacy and rights.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.
References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174-1189, 2007.
[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324-329, August 2010.
[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455-460, 2009.
[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764-2766, June 2010.
[5] D. R. Liuy and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33-48, 2004.
[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589-598, 2009.
[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697-708, 2003.
[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347-356, 2009.
[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160-166, 2003.
[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279-287, 2011.
[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425-428, 2000.
[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405-410, 2007.
[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367-378, 2004.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637-646, 2012.
[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302-321, May 2005.
[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141-155, 2006.
[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101-115, May 2007.
[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202-214, 2008.
[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology - CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319-327, Springer, Berlin, Germany, 1990.
[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1-16, 1997.
[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59-66, 2011.
[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227-237, 2013.
[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595-599, February 2004.
[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374-379, April 2005.
[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240-249, 2005.
[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132-135, 2001.
[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438-441, 2013.
[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74-80, 2007.
[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology - CRYPTO '82, Lecture Notes in Computer Science, pp. 199-203, Springer, Berlin, Germany, 1983.
[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143-154, 2000.
[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.
[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567-579, 2010.
[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs (white paper), Mobile Platform Group, Intel Corporation, 2002.
[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271-286, Springer, 2000.
[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150-164, Springer, 1997.
[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185-215, 2003.
[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302-318, 1993.
[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236-250, 2006.
[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763-767, May 2004.
[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.
Figure 3: Deposit protocol. The shop sends $(s, y_1, w_1, y_2, w_2, r_3, r_4, \sigma, D, d, s', r_u, r_s)$ to the bank, where $d$ is the deposit date and $r_4 = r_2 - x_2 H_5(d)$. The bank checks the validity of $D$ and $d$, verifies $s^{e_b} H_1^2(y_1, w_1, y_2, w_2, D, r_3)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$, checks $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \bmod p$ and $w_2 = y_2^{H_5(d)} g_2^{r_4} \bmod p$, and checks whether $(s, m, \sigma, D)$ is unique: if yes, it stores the coin in the deposit list; if no, it traces the owner of the coin.
Figure 4: E-cash renewal protocol. The user sends $(s, \rho, \sigma, D)$, with $\rho = H_1(y_1, w_1, y_2, w_2, D, r_3)$, to the bank. The bank checks the expiration date $D$, verifies $s^{e_b} H_1(\rho)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$, checks whether $\rho$ exists in the exchange list and whether $s$ is unique: if yes, it accepts the exchange, stores $\rho$ in the exchange list and issues a new expiration date $D'$; if no, it rejects and traces the owner of the coin. The user then sends $(\alpha, \epsilon)$, with $\alpha = [a^{e_b} H_1^2(y_1, w_1, y_2, w_2, D', r_3')]^{-1} \bmod n_b$, and the withdrawal protocol is repeated.
exchange the e-cash. It will send a new expiration date $D'$ and store $\rho$ in the exchange list. Otherwise, it will reject the exchange request.

(3) User $\rightarrow$ Bank: $(\alpha, \epsilon)$. The user computes

$$\alpha = [a^{e_b} H_1^2(m', D')]^{-1} \bmod n_b, \quad (9)$$

where $m' = (y_1, w_1, y_2, w_2, x_2, r_3')$, $r_3'$ is a random number, and $D'$ is the new expiration date issued by the bank. The user sends $(\alpha, \epsilon, \mathrm{ID}_c)$ to the bank. Then the bank repeats the withdrawal protocol in Section 3.2.2 from Step 2 with the user.
3.2.6 Double-Spending Checking and Anonymity Control. In our scheme the identity of the users is anonymous in general, except when the users violate any security rules, in which case their identities will be revealed.

(1) Double-Spending Checking. When an e-cash is doubly spent, there must be two e-cash(s) with the same record prefixed by $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$ stored in the database of the bank. Therefore, the bank is able to detect any double-spent e-cash easily by checking the above parameters. For instance, the bank has received two e-cash(s)

$$(s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, s', r_u, r_s), \qquad (s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, \bar{s}', \bar{r}_u, \bar{r}_s). \quad (10)$$

Thus the bank can obtain two equations as follows:

$$s' \equiv r_1 - H_4(r_u, r_s)\, x_1 \pmod q, \qquad \bar{s}' \equiv r_1 - H_4(\bar{r}_u, \bar{r}_s)\, x_1 \pmod q. \quad (11)$$

The bank can derive $(x_1, r_1)$ from the above equations and send $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ to the judge to trace the owner of the e-cash.

(2) Revocation. The judge can trace any user who doubly spends e-cash(s) or violates any transaction regulations. When the judge receives $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ from the bank, it checks the following equations:

$$s^{e_b} H_1^2(m, D)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}, \qquad y_1 \equiv g_1^{x_1} \pmod p, \qquad w_1 \equiv g_1^{r_1} \pmod p. \quad (12)$$

If all of the above equalities are true, the judge will decrypt $\sigma$ and return the extracted $\mathrm{ID}_c$ to the bank.

Figure 5: The game environment of the linkage game. A random bit $b$ is chosen; $U_0$ and $U_1$ output $(m_b, \sigma_b)$ and $(m_{1-b}, \sigma_{1-b})$ and engage with $\mathcal{B}$; $\mathcal{B}$ outputs $b'$ and wins if $b' = b$, with $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = |2\Pr[b' = b] - 1|$.
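The bank-side double-spending check of equations (11) and the judge's discrete-logarithm checks of (12), as an added illustration that is not code from the paper. Assumptions: a constructed toy group ($p = 2039$, $q = 1019$, $g_1 = 4$), $H_4$ modelled by SHA-256 over $(r_u, r_s)$ reduced mod $q$, and a ledger keyed only by a stand-in for the coin prefix.

```python
"""
Double-spending detection and owner tracing for a DAOECS coin (Section 3.2.6).
Added illustration, not code from the paper. Constructed toy parameters:
p = 2039, q = 1019 (p = 2q + 1), g1 = 4 (a square mod p, so it has order q).
"""
import hashlib

P, Q, G1 = 2039, 1019, 4  # constructed toy group; a real deployment uses far larger p and q


def h4(ru: bytes, rs: bytes) -> int:
    """Stand-in for H4: the payment challenge derived from user nonce r_u and shop nonce r_s."""
    digest = hashlib.sha256(b"H4|" + ru + b"|" + rs).digest()
    return int.from_bytes(digest, "big") % Q


def coin_public_part(x1: int, r1: int):
    """The user's per-coin values y1 = g1^x1 and w1 = g1^r1 (mod p); x1 and r1 stay secret."""
    return pow(G1, x1, P), pow(G1, r1, P)


def spend(x1: int, r1: int, ru: bytes, rs: bytes) -> int:
    """Payment response s' = r1 - H4(r_u, r_s) * x1 (mod q), the form used in equation (11)."""
    return (r1 - h4(ru, rs) * x1) % Q


def verify_payment(y1: int, w1: int, ru: bytes, rs: bytes, s_prime: int) -> bool:
    """Shop/bank check w1 == y1^H4(r_u, r_s) * g1^s' (mod p) from the deposit protocol."""
    u = h4(ru, rs)
    return w1 == (pow(y1, u, P) * pow(G1, s_prime, P)) % P


def recover_owner_secrets(rec_a, rec_b):
    """Solve the two congruences of (11) for (x1, r1):
         s'_a = r1 - u_a * x1,   s'_b = r1 - u_b * x1   (mod q).
    Returns None when both spends used the same challenge (no information)."""
    (ru_a, rs_a, sa), (ru_b, rs_b, sb) = rec_a, rec_b
    ua, ub = h4(ru_a, rs_a), h4(ru_b, rs_b)
    if ua == ub:
        return None
    x1 = ((sb - sa) * pow(ua - ub, -1, Q)) % Q   # s'_b - s'_a = (u_a - u_b) * x1
    r1 = (sa + ua * x1) % Q
    return x1, r1


def judge_check(y1: int, w1: int, x1: int, r1: int) -> bool:
    """The discrete-log equalities of (12): y1 == g1^x1 and w1 == g1^r1 (mod p)."""
    return y1 == pow(G1, x1, P) and w1 == pow(G1, r1, P)


class DepositLedger:
    """Bank-side deposit list keyed by the coin prefix (s, y1, w1, y2, w2, r3, sigma, D).
    A second deposit of the same prefix with a different payment transcript is a double
    spend and yields (x1, r1); an identical transcript is merely a replayed deposit."""

    def __init__(self):
        self.records = {}

    def deposit(self, prefix, y1, w1, ru, rs, s_prime):
        if not verify_payment(y1, w1, ru, rs, s_prime):
            return "rejected", None
        rec = (ru, rs, s_prime)
        prev = self.records.get(prefix)
        if prev is None:
            self.records[prefix] = rec
            return "accepted", None
        if prev == rec:
            return "duplicate", None
        return "double-spent", recover_owner_secrets(prev, rec)


def demo():
    """Constructed scenario: one coin paid at two shops, after which both deposits reach the bank."""
    x1, r1 = 123, 777                           # the user's secrets behind this coin (constructed)
    y1, w1 = coin_public_part(x1, r1)
    prefix = ("s", y1, w1)                      # stands in for (s, y1, w1, y2, w2, r3, sigma, D)
    ledger = DepositLedger()
    pay_a = (b"user-nonce-1", b"shop-A-nonce")  # (r_u, r_s) of the first payment
    pay_b = (b"user-nonce-2", b"shop-B-nonce")  # (r_u, r_s) of the second payment
    status_a, _ = ledger.deposit(prefix, y1, w1, *pay_a, spend(x1, r1, *pay_a))
    status_b, secrets = ledger.deposit(prefix, y1, w1, *pay_b, spend(x1, r1, *pay_b))
    traced = secrets is not None and judge_check(y1, w1, *secrets)
    return status_a, status_b, secrets, traced


if __name__ == "__main__":
    print(demo())  # ('accepted', 'double-spent', (123, 777), True)
```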
4 Security Proofs

In this section we provide security definitions and formal proofs of the following security features, unlinkability, unforgeability, traceability and no-swindling, for our proposed date attachable offline electronic cash scheme (DAOECS).

4.1 E-Cash Unlinkability. Based on the definition of unlinkability introduced by Abe and Okamoto [35] and Juels et al. [36], we formally define the unlinkability property of DAOECS.
Definition 1 (The Linkage Game). Let $U_0$, $U_1$ and $J$ be two honest users and the judge that follow DAOECS, respectively. Let $B$ be the bank that participates in the following game with $U_0$, $U_1$ and $J$. The game environment is shown in Figure 5.

Step 1. According to DAOECS, $B$ generates the bank's public key $(e_b, n_b)$, the bank's private key $(d_b, p_b, q_b)$, the system parameters $(p, q, g_1, g_2)$, the expiration date $D$ and the five public one-way hash functions $H_1, H_2, H_3, H_4$ and $H_5$. $J$ generates the judge's public-private key pair $(pk_j, sk_j)$.

Step 2. $B$ generates $x_{1,i}, x_{2,i}, r_{1,i}, r_{2,i}, r_{3,i}$ at random, where $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q-1\}$, and computes $(y_{k,i}, w_{k,i})$ for $k = 1, 2$ and $i = 0, 1$, where $y_{k,i} = g_k^{x_k} \bmod p$ and $w_{k,i} = g_k^{r_k} \bmod p$.

Step 3. We choose a bit $b \in \{0, 1\}$ randomly and place $(y_{1,b}, w_{1,b}, y_{2,b}, w_{2,b})$ and $(y_{1,1-b}, w_{1,1-b}, y_{2,1-b}, w_{2,1-b})$ on the private input tapes of $U_0$ and $U_1$, respectively, where $b$ is not disclosed to $B$.

Step 4. $B$ performs the withdrawal protocol of DAOECS with $U_0$ and $U_1$, respectively.

Step 5. If $U_0$ and $U_1$ output two e-cash(s) $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$, where $m_i = (y_{1,i}, w_{1,i}, y_{2,i}, w_{2,i}, r_{3,i})$, on their private tapes, respectively, we give the two e-cash(s) in a random order to $B$; otherwise $\perp$ is given to $B$.
Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{A}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $\{(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1})\} \leftarrow A^{O_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s_i^{e_b} H_1^2(m_i)\, H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod{n_b}$ for all $i \in \{1, \ldots, \ell+1\}$
    (ii) $m_1, \ldots, m_{\ell+1}$ are all distinct
  else return 0

Algorithm 1: Experiment FG-1.
Step 6. $B$ outputs $b' \in \{0, 1\}$ as the guess of $b$. The bank $B$ wins the game if $b' = b$ and $J$ has not revoked the anonymity of $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$ to $B$. We define the advantage of $B$ as

$$\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(B) = \left| 2 \Pr[b' = b] - 1 \right|, \quad (13)$$

where $\Pr[b' = b]$ denotes the probability of $b' = b$.

Definition 2 (Unlinkability). A DAOECS satisfies the unlinkability property if and only if the advantage $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(B)$ defined in Definition 1 is negligible.

Theorem 3. A DAOECS satisfies the unlinkability property of Definition 2 if the adopted cryptosystems are semantically secure.
Proof. If $B$ is given $\perp$ in Step 5 of the game, it will determine $b$ with probability $1/2$, which is exactly the same as a random guess of $b$.

Here we assume that $B$ gets two e-cash(s) $(s_0, m_0, \sigma_0, D_0)$ and $(s_1, m_1, \sigma_1, D_1)$. Let $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{j,i}))$, $i \in \{0, 1\}$, be the view of the data exchanged between $U_i$ and $B$ in the withdrawal protocol (Section 3.2.2), and let $(x_{2,i}, r_{2,i}, r_{4,i}, r_{u,i}, r_{s,i}, s'_i, d_i)$ be the view of the data exchanged when $B$ performs the payment protocol (Section 3.2.3) and the deposit protocol (Section 3.2.4) by using $(s_i, m_i, \sigma_i, D_i)$, where $i \in \{0, 1\}$. For

$$(s, m, \sigma, D, x_2, r_2, r_4, r_u, r_s, s', d) \in \{(s_0, m_0, \sigma_0, D_0, x_{2,0}, r_{2,0}, r_{4,0}, r_{u,0}, r_{s,0}, s'_0, d_0),\ (s_1, m_1, \sigma_1, D_1, x_{2,1}, r_{2,1}, r_{4,1}, r_{u,1}, r_{s,1}, s'_1, d_1)\} \quad (14)$$

and $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{j,i}))$, $i \in \{0, 1\}$, there always exists a pair $(a'_i, b'_i)$ such that

$$a'_i = [\alpha_i H_1^2(m, D)]^{-d_b} \bmod n_b \ \ \text{(via (1))}, \qquad b'_i = [\beta_i H_3(\sigma, D)]^{-d_b} \bmod n_b \ \ \text{(via (2))}. \quad (15)$$

And from (3), $t_i \equiv (\alpha_i \beta_i H_2(D))^{d_b} \pmod{n_b}$, so (4) always holds, as

$$s \equiv a'_i b'_i t_i \equiv \left[(H_1^2(m, D)\, H_3(\sigma, D))^{-1} H_2(D)\right]^{d_b} \pmod{n_b}. \quad (16)$$

Besides, $E_{pk_j}$ and $E_{k_i}$ are semantically secure encryption functions, so $B$ cannot learn any information from $\epsilon_i$ and $E_{k_i}(b_i, \sigma_i, r_{j,i})$.

From the above, given any $(s, m, \sigma, D) \in \{(s_0, m_0, \sigma_0, D_0), (s_1, m_1, \sigma_1, D_1)\}$ and $(\alpha_i, \beta_i, t_i)$, where $i \in \{0, 1\}$, there always exists a corresponding pair $(a'_i, b'_i)$ such that (1), (2), (3) and (4) are satisfied. Thus, going back to Step 6 of the game, the bank $B$ succeeds in determining $b$ with probability $(1/2) + \varepsilon$, where $\varepsilon$ is negligible since $E_{pk_j}$ and $E_{k_i}$ are semantically secure. Therefore we have $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(B) = 2\varepsilon$, which is negligible, so that DAOECS satisfies the unlinkability property.
4.2 E-Cash Unforgeability. In this section we formally prove that the proposed date attachable offline electronic cash scheme (DAOECS) is secure against forgery attacks. Forgery attacks can be roughly divided into two types: one is the typical one-more forgery (i.e., $(\ell, \ell+1)$-forgery) [37], and the other is the forgery of an e-cash on some specific expiration date after sufficient communications with the signing oracle (i.e., the bank). The details of the definitions and our formal proofs are described as follows.
Definition 4 (Forgery Game 1 in DAOECS (FG-1)). Let $l_k \in \mathbb{N}$ be a security parameter and $A$ be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS and is responsible for issuing e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $A$. $A$ is allowed to query $O_S$ $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{A}(l_k)$ shown in Algorithm 1. $A$ wins the forgery game FG-1 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{A}(l_k) = 1]$ of $A$ is nonnegligible.

Definition 5 (Forgery Game 2 in DAOECS (FG-2)). Let $l_k \in \mathbb{N}$ be a security parameter and $A$ be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS and takes charge of the following two events:

(i) issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $A$;
(ii) record the total number $\ell_{D_i}$ of each distinct expiration date $D_i$.

$A$ is allowed to query $O_S$ $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{A}(l_k)$ shown in Algorithm 2. $A$ wins the forgery game
Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{A}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $\{(s_i, m_i, \sigma_i, D^*) \mid 1 \le i \le \ell_{D^*} + 1\} \leftarrow A^{O_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s_i^{e_b} H_1^2(m_i)\, H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$ for all $i \in \{1, \ldots, \ell_{D^*} + 1\}$
    (ii) $m_1, \ldots, m_{\ell_{D^*}+1}$ are all distinct
  else return 0

Algorithm 2: Experiment FG-2.
Experiment ExpRSA-ACTIA (119896)
(119873 119890 119889)119877
larr997888 119870119890119910119866119890119899 (119896)(119910
1 119910
119898) larr O
119905(119873 119890 119896)
120587 (1199091 119910
1) (119909
119899 119910
119899) larr AOinv O119905 (119873 119890 119896)
if the following checks are true return 1(i) 120587 1 119899 rarr 1 119898 is injective(ii) 119909119890
119894equiv 119910
119894(mod119873) forall119894 isin 1 119899
(iii) 119899 gt 119902ℎ
else return 0
Algorithm 3
FG-2 if the probability Pr[ExpFG-2A (119896) = 1] ofA is nonnegli-gible
Here we introduce the hard problems used in our proof models.

Definition 6 (Alternative Formulation of the RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ for $m$ and $q_h$ times, respectively. Consider Algorithm 3. We say $\mathcal{A}$ breaks the RSA-ACTI problem if the probability $\Pr[\mathrm{Exp}^{\text{RSA-ACTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Definition 7 (The RSA Inversion Problem). Given $(e, n)$, where $n$ is the product of two distinct large primes $p$ and $q$ with roughly the same length and $e$ is a positive integer relatively prime to $(p-1)(q-1)$, and a randomly chosen positive integer $y$ less than $n$, find an integer $x$ such that $x^e \equiv y \pmod n$.

Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then DAOECS is secure against forgery attacks.

Theorem 9. For a polynomial-time adversary $\mathcal{A}$ who can win FG-1 or FG-2 with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-ACTI problem or the RSA inversion problem with nonnegligible probability.
Proof. $\mathcal{S}$ simulates the environment and controls three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ and an e-cash producing oracle $\mathcal{O}_S$ of the DAOECS scheme to respond to the different queries from $\mathcal{A}$ in the random oracle model, and takes advantage of $\mathcal{A}$ to solve the RSA-ACTI problem or the RSA inversion problem simultaneously. Then, for consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.

Here we start the simulation for the two games (i.e., FG-1 and FG-2) to prove that DAOECS is secure against forgery attacks. The details of the simulation are set below and illustrated in Figures 6 and 7, respectively.

Simulation in FG-1. In this proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-ACTI problem defined in Definition 6 to help $\mathcal{S}$ produce e-cash(s), and the corresponding verifying key is $(e, n)$.
  (i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ to query the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
    (a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
    (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1^2(m_i)$ and returns it to $\mathcal{A}$;
    (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ queries $\mathcal{O}_t$ to get an instance $y$ and returns it to $\mathcal{A}$, then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), y)$ in $\mathcal{L}_{H_1}$;
    (d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.
  (ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
    (a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
    (b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.
  (iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
    (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ will be retrieved and $(\eta^e \bmod n)$ will be returned to $\mathcal{A}$;
    (b) otherwise $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, record $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$, and return $(\eta^e \bmod n)$ back to $\mathcal{A}$.

Figure 6: The proof model of FG-1.

Figure 7: The proof model of FG-2.
  (iv) E-Cash Producing Query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
    (1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
    (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
    (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e \bmod n)$, and store $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$;
    (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \eta^e)^{-1} \bmod n$;
    (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
    (6) send $(\alpha \beta \tau^e)$ to the oracle $\mathcal{O}_{\mathrm{inv}}$ to get $t = (\alpha \beta \tau^e)^d \bmod n$;
    (7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.
Eventually, assume that $\mathcal{A}$ can successfully output $\ell + 1$ e-cash tuples
$$(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \qquad (17)$$
where the $m_i$ are all distinct, $\forall i$, $1 \le i \le \ell+1$, such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod n$, after $\ell$ queries to $\mathcal{O}_S$, with nonnegligible probability $\epsilon_{\mathcal{A}}$. According to $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve the RSA-inversion instances ($\forall i$, $1 \le i \le \ell+1$)
$$(y_i)^d \equiv \bigl(H_1^2(m_i)\bigr)^d \equiv s_i^{-1}\bigl(H_3(\sigma_i, D_i)^{-1} H_2(D_i)\bigr)^d \equiv s_i^{-1} \eta_i^{-1} \tau_i \pmod n. \qquad (18)$$
Via $\mathcal{A}$ querying the signing oracle $\mathcal{O}_S$ for $\ell$ times (i.e., $\mathcal{S}$ queries $\mathcal{O}_{\mathrm{inv}}$ for $\ell$ times), $\mathcal{S}$ can output $\ell + 1$ RSA-inversion instances
$$(s_1^{-1} \eta_1^{-1} \tau_1,\ y_1),\ (s_2^{-1} \eta_2^{-1} \tau_2,\ y_2),\ \ldots,\ (s_{\ell+1}^{-1} \eta_{\ell+1}^{-1} \tau_{\ell+1},\ y_{\ell+1}) \qquad (19)$$
and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
Simulation in FG-2. Initially $\mathcal{S}$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.
  (i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ to query the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
    (a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\rho_i$ and returns it to $\mathcal{A}$;
    (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varrho$ and returns $(\varrho^e \bmod n)$ to $\mathcal{A}$;
    (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ selects a random $\varrho \in \mathbb{Z}_n$, returns $(\varrho^e \bmod n)$ to $\mathcal{A}$, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varrho)$ in $\mathcal{L}_{H_1}$;
    (d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.
  (ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
    (a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
    (b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.
  (iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
    (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ will be retrieved and returned to $\mathcal{A}$;
    (b) otherwise $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e y \bmod n)$, record $((\sigma, D), \eta, H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$, and return $H_3(\sigma, D)$ back to $\mathcal{A}$.
  (iv) E-Cash Producing Query of $\mathcal{O}_S$. Let $\ell_{D_i}$ be a counter that records the number of queries on each expiration date $D_i$, initialized to 0. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
    (1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
    (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
    (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), \perp, (\alpha \eta^e \bmod n))$ and $(\sigma, D)$ in $\mathcal{L}_{H_3}$ and $\mathcal{L}_x$, respectively;
    (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
    (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
    (6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv \bigl((b\eta)^{-1} \tau\bigr) \pmod n$;
    (7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.
Eventually, assume that $\mathcal{A}$ can successfully output $\ell_{D'} + 1$ e-cash tuples for some expiration date $D'$
$$(s_1, m_1, \sigma_1, D'), \ldots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D') \qquad (20)$$
such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D') \equiv H_2(D') \pmod n$, $\forall i$, $1 \le i \le \ell_{D'}+1$, after $\ell_{D'}$ queries to $\mathcal{O}_S$ on $D'$, with nonnegligible probability $\epsilon_{\mathcal{A}}$.

Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'}+1$, is not recorded in $\mathcal{L}_x$; then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve
$$(s_i)^e \equiv \bigl(H_1^2(m_i) H_3(\sigma_i, D')\bigr)^{-1} H_2(D') \equiv \bigl((\varrho_i^e)(\eta_i^e y)\bigr)^{-1} (\tau_i^e) \pmod n,$$
$$x \equiv y^d \equiv (s_i \varrho_i \eta_i)^{-1} \tau_i \pmod n \qquad (21)$$
and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
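The extraction steps (18) and (21) carried out on a toy RSA instance, as an added example that is not part of the paper: the hash values are the ones $\mathcal{S}$ programs ($H_1^2(m) = y$ or $\varrho^e$, $H_2(D) = \tau^e$, $H_3(\sigma, D) = \eta^e$ or $\eta^e y$), the bank's exponent $d$ stands in for $\mathcal{O}_{\mathrm{inv}}$ (FG-1) and for the forger's output (FG-2), and the key $p = 61$, $q = 53$, $e = 17$ is a constructed toy value. The example checks only the algebra of the extraction, not the one-more counting argument ($\ell$ calls to $\mathcal{O}_{\mathrm{inv}}$, $\ell + 1$ roots).

```python
# Added example, not from the paper: the RSA-inversion extraction performed by the
# simulator S in the FG-1 and FG-2 reductions, run on a constructed toy RSA key.
# Toy key p = 61, q = 53 (far too small for real use; only the arithmetic matters).
P, Q = 61, 53
N = P * Q                             # n_b = 3233
E = 17                                # e_b, coprime to (p-1)(q-1) = 3120
D = pow(E, -1, (P - 1) * (Q - 1))     # d_b = 2753: the bank's key, hidden behind O_inv


def inv(a: int) -> int:
    """a^{-1} mod n; every value S manipulates here is a unit mod n."""
    return pow(a, -1, N)


def verify_ecash(s: int, h1_sq: int, h3: int, h2: int) -> bool:
    """The DAOECS check: s^e * H_1^2(m) * H_3(sigma, D) == H_2(D) (mod n)."""
    return (pow(s, E, N) * h1_sq * h3) % N == h2 % N


def sign_with_d(h1_sq: int, h3: int, h2: int) -> int:
    """Stand-in for whoever can take e-th roots (O_inv in FG-1, the forger in FG-2):
    s = ((H_1^2(m) * H_3(sigma, D))^{-1} * H_2(D))^d mod n."""
    return pow(inv(h1_sq * h3) * h2, D, N)


def extract_fg1(s: int, eta: int, tau: int) -> int:
    """Eq. (18): H_3(sigma_i, D_i) = eta_i^e and H_2(D_i) = tau_i^e were programmed
    by S, so the e-th root of y_i = H_1^2(m_i) is s_i^{-1} * eta_i^{-1} * tau_i."""
    return (inv(s) * inv(eta) * tau) % N


def extract_fg2(s: int, varrho: int, eta: int, tau: int) -> int:
    """Eq. (21): H_1^2(m_i) = varrho_i^e, H_3(sigma_i, D') = eta_i^e * y and
    H_2(D') = tau_i^e, so the RSA inverse of the challenge y is
    (s_i * varrho_i * eta_i)^{-1} * tau_i."""
    return (inv(s * varrho * eta) * tau) % N


def fg1_round(y: int, eta: int, tau: int):
    """FG-1: y is a target from O_t; S programs H_3 and H_2, obtains s through one
    O_inv call, and then holds y^d without any further O_inv call.
    Returns (e-cash verifies, extracted root is an e-th root of y)."""
    h1_sq, h3, h2 = y % N, pow(eta, E, N), pow(tau, E, N)
    s = sign_with_d(h1_sq, h3, h2)
    x = extract_fg1(s, eta, tau)
    return verify_ecash(s, h1_sq, h3, h2), pow(x, E, N) == h1_sq


def fg2_round(x_secret: int, varrho: int, eta: int, tau: int):
    """FG-2: the RSA-inversion challenge y is embedded in H_3(sigma, D') = eta^e * y;
    a forgery on date D' hands back y^d. Returns (e-cash verifies, extracted x)."""
    y = pow(x_secret, E, N)                         # challenge instance (y, e, n)
    h1_sq = pow(varrho, E, N)                       # H_1^2(m) as programmed in FG-2
    h3 = (pow(eta, E, N) * y) % N                   # H_3(sigma, D') = eta^e * y
    h2 = pow(tau, E, N)                             # H_2(D') = tau^e
    s = sign_with_d(h1_sq, h3, h2)                  # the forger's output, simulated
    x = extract_fg2(s, varrho, eta, tau)
    return verify_ecash(s, h1_sq, h3, h2), x


if __name__ == "__main__":
    print(fg1_round(1234, 11, 13))       # (True, True)
    print(fg2_round(42, 7, 11, 13))      # (True, 42)
```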
4.3. E-Cash Conditional-Traceability. In this section we prove that the ID information embedded in an e-cash cannot be replaced or removed by any user in order to evade tracing after some misbehavior or crime. The details of our proof model are illustrated in Figure 8.
Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS to record the parameters from the queries of $\mathcal{A}$ and to issue e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times. Consider Algorithm 4. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\text{TG}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Algorithm 4: Experiment TG.
  Experiment $\mathrm{Exp}^{\text{TG}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
    $\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow \mathcal{O}_S$
    if the following two checks are true, return 1:
      (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$;
      (ii) $s'^{e} H_1^2(m') H_3(\sigma', D') = H_2(D') \bmod n$;
    else return 0.

Figure 8: The proof model of TG.
Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies E-Cash Traceability.
Definition 12 (Alternative Formulation of the RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5. We say $\mathcal{A}$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\text{RSA-AKTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.
Theorem 13. For a polynomial-time adversary $\mathcal{A}$ who can win the tracing game TG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-AKTI problem with nonnegligible probability.

Algorithm 5: Experiment RSA-AKTI.
  Experiment $\mathrm{Exp}^{\text{RSA-AKTI}}_{\mathcal{A}}(k)$
    $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
    $(y_1, \ldots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$
    $((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
    if $x_i^e \equiv y_i \pmod N$, $\forall i \in \{1, \ldots, q_t\}$, return 1;
    else return 0.
Proof. $\mathcal{S}$ simulates the environment of DAOECS by controlling three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ to respond to hash queries and an e-cash producing oracle $\mathcal{O}_S$ of DAOECS to respond to e-cash producing queries from $\mathcal{A}$, respectively, in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the RSA-AKTI problem. Then, for consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.

Besides, in the proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12 to help $\mathcal{S}$ produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.

Here we do the simulation for the game TG to prove that DAOECS satisfies e-cash traceability. The details are described as follows.
  (i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ to query the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
    (a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
    (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varrho_i$ and returns $(\varrho_i^e \bmod n)$ to $\mathcal{A}$;
    (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ chooses $\varrho \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varrho^e \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varrho)$ in $\mathcal{L}_{H_1}$;
    (d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, H_1(m), \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.
  (ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
    (a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
    (b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.
  (iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
    (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to $\mathcal{A}$;
    (b) otherwise $\mathcal{S}$ will query $\mathcal{O}_t$ to get an instance $y$ and record $y$ and $((\sigma, D), y)$ in $\mathcal{L}_T$ and $\mathcal{L}_{H_3}$, respectively;
    (c) return $y$ back to $\mathcal{A}$.
  (iv) E-Cash Producing Query of $\mathcal{O}_S$. While $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
    (1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
    (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
    (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$;
    (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
    (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
    (6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv \bigl((b\eta)^{-1} \tau\bigr) \pmod n$;
    (7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.
Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of any $\mathcal{O}_S$ query, such that $s'^{e} H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$; then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can derive
$$(y')^d \equiv \bigl(H_3(\sigma', D')\bigr)^d \equiv s'^{-1}\bigl(H_1^2(m')^{-1} H_2(D')\bigr)^d \equiv s'^{-1} \varrho'^{-1} \tau' \pmod n. \qquad (22)$$
Let $|\mathcal{L}_T| = q_t$ and $\mathcal{L}_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends each $y_i \in (\mathcal{L}_T - \{y'\})$, $1 \le i \le (q_t - 1)$, to $\mathcal{O}_{\mathrm{inv}}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$. Eventually $\mathcal{S}$ can output $q_t$ RSA-inversion instances
$$(x_1, y_1),\ (x_2, y_2),\ \ldots,\ (x_{q_t-1}, y_{q_t-1}),\ \bigl((s'^{-1} \varrho'^{-1} \tau'),\ y'\bigr) \qquad (23)$$
after querying $\mathcal{O}_{\mathrm{inv}}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has already been spent in a previous transaction, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model the merchant may accept a transaction involving a double-spent e-cash first and do the double-spending check later. In this case the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two events:
  (i) no one except the real owner can spend a fresh and valid offline e-cash successfully;
  (ii) no one can double-spend an e-cash successfully.
Roughly, this can be referred to as the e-cash no-swindling property. In this section we define the no-swindling property and formally prove that our scheme is secure against swindling attacks.
Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $\mathcal{O}_{\mathrm{off}}$ is an oracle which shows the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.
Algorithm 6: Experiment SWG-1.
  Experiment $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
      (i) $s^{e_b} H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\bigr) H_3(\sigma, D) = H_2(D) \bmod n_b$;
      (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ has never been a query to $\mathcal{O}_{\mathrm{off}}$;
    else return 0.

Algorithm 7: Experiment SWG-2.
  Experiment $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
      (i) $s^{e_b} H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\bigr) H_3(\sigma, D) = H_2(D) \bmod n_b$;
      (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{\mathrm{off}}$ once;
      (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ is not obtained from $\mathcal{O}_{\mathrm{off}}$;
    else return 0.
Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.
Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. Then, for consistency, $\mathcal{S}$ maintains a list $\mathcal{L}_{H_4}$ to record every response of $\mathcal{O}_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we describe the simulations for the two experiments $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}$ and $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}$ individually.
The simulation for $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.
  (i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
    (a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
    (b) if $i = \nu$: (1) compute $(w_1 = (y^*)^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
    (c) if $i \neq \nu$: (1) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
    (d) prepare $s = \bigl((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
    (e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $\mathcal{L}_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.
  (ii) Oracle $\mathcal{O}_{\mathrm{off}}$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it will look up the list $\mathcal{L}_B$:
    (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
    (b) otherwise $\mathcal{O}_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.
Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $\mathcal{L}_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*}$, $\mathcal{S}$ can derive
$$x^* = (r_1^*)^{-1}\bigl(x_1^* H_4(r_u^*, r_s^*) + s'^*\bigr) \bmod q \qquad (24)$$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

Figure 9: The proof model of SWG-1.
The simulation for $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.
  (i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
    (a) if $i = \nu$:
      (1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
      (2) compute $(y_1 = (y^*)^{x_1} \bmod p)$ and $(w_1 = y_1^{u} g^{s'} \bmod p)$;
      (3) prepare $s = \bigl((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
      (4) record $(i, (s, m, \sigma, D), (u, s'))$ in the list $\mathcal{L}_B$;
    (b) if $i \neq \nu$:
      (1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
      (2) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
      (3) prepare $s = \bigl((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
      (4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $\mathcal{L}_B$;
    (c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.
  (ii) Oracle $\mathcal{O}_{\mathrm{off}}$. A status parameter $\mathrm{sta}$ is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it will look up the list $\mathcal{L}_B$:
    (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and $\mathrm{sta} = 0$, $\mathcal{O}_{\mathrm{off}}$ will perform the following procedures:
      (1) set $\mathrm{sta} = 1$;
      (2) retrieve the corresponding $(u, s')$ from $\mathcal{L}_B$ and choose a random $r_u$;
      (3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $\mathcal{L}_H$;
      (4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in the list $\mathcal{L}_{\mathrm{off}}$;
      (5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
    (b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, compute $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
    (c) otherwise abort.
  (iii) Oracle $\mathcal{O}_{H_4}$. While $\mathcal{A}$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ will check the list $\mathcal{L}_H$:
    (a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ will retrieve the corresponding $u$ and return it to $\mathcal{A}$;
    (b) otherwise $\mathcal{O}_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, and return $u$ to $\mathcal{A}$.

Figure 10: The proof model of SWG-2.
Assume that 𝒜 can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $]$ and postfixed with $(u, s')$ in $L_B$, and $H_4(r_u^*, r_s^*) = u^*$. Then, via $L_H$, since
$$
\left((y^*)^{x_1^*}\right)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \left((y^*)^{x_1^*}\right)^{u} g^{s'} \pmod p, \qquad (25)
$$
𝒮 can derive
$$
x^* = \left(x_1^*(u^* - u)\right)^{-1}\left(s' - s'^*\right) \bmod q \qquad (26)
$$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.
Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. It implies that there exists no ppt adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
5. E-Cash Advanced Features and Performance Comparisons
In this section, we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and summarize them in a table (Table 1).
5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these features, there can be other advanced features of an e-cash system discussed in the literature. We focus on three other advanced features, which are traceability, date attachability, and no-swindling, and we compare the proposed scheme with the aforementioned schemes.
We also propose an e-cash renewal protocol for users to exchange a new valid e-cash for their unused but expired e-cash(s); therefore users do not have to deposit the e-cash before it expires and withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. This is a great help to users, since their devices, such as smart phones, usually have a weaker computation capability.
Table 1: Advanced features and performance comparisons.

| | Ours | [38] | [14] | [15] | [9] | [21] | [22] | [39] | [40] | [13] | [27] |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Advanced features: On/off-line | Off | Off | Off | Off | On | Off | Off | Off | Off | On | Off |
| Conditional-traceability | Yes | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
| Date attachability | Yes | No | No | No | Yes | Yes | No | No | No | No | Yes |
| No-swindling | Yes | No | No | No | — | No | Yes | No | No | — | No |
| Renewal protocol | Yes | — | Yes | — | No | Yes | Yes | — | — | — | Yes |
| Formal proof | Yes | Yes | No | Yes | No | No | Yes | Yes | Yes | Yes | No |
| Performance: Transaction cost⋆ | 5E + 7M + 7H + 1inv + 1A ≈ 1454M | 14E + 14M + 1H + 5A ≈ 3375M | 6E + 8M ≈ 1448M | 23E + 14M + 1A ≈ 5534M | 2E + 2M + 2H ≈ 966M | 5E + 9M + 1H + 1inv + 2A ≈ 1450M | 2E ≈ 480M | 18E + 15M + 2H + 8A ≈ 4337M | 31E + 22M + 6H + 10A ≈ 7468M | 22E + 11M + 4A ≈ 5291M | 6E + 8M + 1H ≈ 1449M |
| Communication cost† | 1092 | 576 | 1288 | 939 | 769 | 644 | 300 | 828 | 968 | 1536 | 728 |

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
† The communication cost of each transaction at the user side, in bytes.
5.2. Performance Comparisons. According to [41], we can summarize and induce the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times that of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.
With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be induced as 1452 times of a modular multiplication computation, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times of a modular multiplication computation to finish the withdrawal and payment phases at the user ends.
According to [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and one-way hash function used in all protocols, respectively; therefore the signed message and the hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.
With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.
The details of the comparisons are summarized in Table 1.
6. Conclusion
In this paper, we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol where users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient from the aspect of the computation cost at the user side while satisfying all security properties simultaneously. In addition to anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank to manage its huge databases against unlimited growth, but it also strengthens the preservation of users' privacy and rights.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSU-KMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.
References
[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.
[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.
[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.
[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.
[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.
[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.
[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man, and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.
[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.
[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.
[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.
[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.
[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.
[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.
[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.
[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.
[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.
[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.
[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology-CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.
[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.
[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.
[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.
[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.
[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.
[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.
[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.
[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology-CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.
[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.
[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.
[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.
[34] S. Bajikar, "Trusted platform module (TPM) based security on notebook PCs, white paper," Mobile Platform Group, Intel Corporation, 2002.
[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.
[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.
[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.
[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.
[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.
[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.
[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.
[Figure 5: The game environment of the linkage game. ℬ engages with $U_0$ and $U_1$, which output $(m_b, \sigma_b)$ and $(m_{1-b}, \sigma_{1-b})$ for a random bit $b$; ℬ outputs $b'$ and wins if $b' = b$, with $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = |2\Pr[b' = b] - 1|$.]
bank. Therefore, the bank is able to detect any double-spent e-cash easily by checking the above parameters. For instance, suppose the bank has received two e-cash(s)
$$
(s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, s', r_u, r_s) \quad\text{and}\quad (s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, \bar{s}', \bar{r}_u, \bar{r}_s), \qquad (10)
$$
where the bars mark the challenge and response of the second spending, with $(\bar{r}_u, \bar{r}_s) \neq (r_u, r_s)$. Thus the bank can obtain two equations as follows:
$$
s' \equiv r_1 - H_4(r_u, r_s)\,x_1 \pmod q, \qquad \bar{s}' \equiv r_1 - H_4(\bar{r}_u, \bar{r}_s)\,x_1 \pmod q. \qquad (11)
$$
The bank can derive $(x_1, r_1)$ from the above equations and send $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ to the judge to trace the owner of the e-cash.
(2) Revocation. The judge can trace any user who doubly spends e-cash(s) or violates any transaction regulations. When the judge receives $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ from the bank, it checks the following equations:
$$
s^{e_b} H_1^2(m, D)\,H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}, \qquad y_1 \equiv g_1^{x_1} \pmod p, \qquad w_1 \equiv g_1^{r_1} \pmod p. \qquad (12)
$$
If all of the above equalities are true, the judge will decrypt $\sigma$ and return the extracted $\mathrm{ID}_c$ to the bank.
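The bank-side detection and extraction just described (equations (11) and (12)), together with the related exponent extraction of equation (26) in the no-swindling proof, as an added Python example that is not the paper's own code. It assumes a small constructed group ($p = 2039$, $q = 1019$) and SHA-256 standing in for $H_4$; the coin identifier, shop labels and dates are constructed values, and the RSA check on $s$ in (12) is left out because no signing key is modelled.

```python
# Added example, not the paper's code: bank-side double-spending detection for
# a DAOECS-style coin (equations (11) and (12)) and the matching exponent
# extraction from the no-swindling proof (equation (26)).  The group, H4 and
# the coin identifier are constructed toy stand-ins; the RSA check on s in
# (12) is left out because no signing key is modelled here.
import hashlib
import secrets

# Constructed demo group: p = 2q + 1 with p = 2039 and q = 1019 (both prime);
# g1 = 2^2 mod p generates the order-q subgroup.  Section 5.2 assumes 1024-bit
# parameters in practice; the arithmetic below is identical for those.
P = 2039
Q = 1019
G1 = pow(2, 2, P)


def h4(r_u: bytes, r_s: bytes) -> int:
    """Challenge hash H4(r_u, r_s) reduced mod q (SHA-256 stands in for H4)."""
    return int.from_bytes(hashlib.sha256(r_u + r_s).digest(), "big") % Q


def keygen():
    """Coin secrets (x1, r1) and their public images y1 = g1^x1, w1 = g1^r1 (mod p)."""
    x1 = secrets.randbelow(Q - 1) + 1
    r1 = secrets.randbelow(Q - 1) + 1
    return x1, r1, pow(G1, x1, P), pow(G1, r1, P)


def answer_challenge(x1: int, r1: int, r_u: bytes, r_s: bytes) -> int:
    """Payment response s' = r1 - H4(r_u, r_s) * x1 (mod q)."""
    return (r1 - h4(r_u, r_s) * x1) % Q


def verify_payment(y1: int, w1: int, r_u: bytes, r_s: bytes, s_prime: int) -> bool:
    """Shop/bank check that w1 == y1^u * g1^s' (mod p) for u = H4(r_u, r_s)."""
    u = h4(r_u, r_s)
    return (pow(y1, u, P) * pow(G1, s_prime, P)) % P == w1


def solve_two_spends(u_a: int, s_a: int, u_b: int, s_b: int):
    """Solve the pair of congruences (11): s_a = r1 - u_a x1, s_b = r1 - u_b x1 (mod q).

    Subtracting them gives (u_b - u_a) x1 = s_a - s_b, which is solvable only
    when the two challenge hashes differ.
    """
    if u_a == u_b:
        raise ValueError("identical challenge hashes: r1 and x1 cannot be separated")
    x1 = ((s_a - s_b) * pow((u_b - u_a) % Q, -1, Q)) % Q
    r1 = (s_a + u_a * x1) % Q
    return x1, r1


def judge_checks(y1: int, w1: int, x1: int, r1: int) -> bool:
    """The discrete-log part of (12): y1 == g1^x1 and w1 == g1^r1 (mod p)."""
    return pow(G1, x1, P) == y1 and pow(G1, r1, P) == w1


class Bank:
    """Deposit ledger keyed by the coin's public tuple; stores (u, s') per deposit."""

    def __init__(self):
        self.ledger = {}

    def deposit(self, coin_id, y1, w1, r_u, r_s, s_prime):
        if not verify_payment(y1, w1, r_u, r_s, s_prime):
            return "rejected", None
        u = h4(r_u, r_s)
        if coin_id not in self.ledger:
            self.ledger[coin_id] = (u, s_prime)
            return "accepted", None
        u0, s0 = self.ledger[coin_id]
        if (u0, s0) == (u, s_prime):
            return "replayed", None           # same transcript twice: nothing new to extract
        x1, r1 = solve_two_spends(u0, s0, u, s_prime)
        if not judge_checks(y1, w1, x1, r1):
            return "inconsistent", None
        return "double-spent", (x1, r1)      # (x1, r1) go to the judge for tracing


def extract_dlog_from_swindle(x1, u, s_prime, u_star, s_star):
    """Equation (26): with y1 = (y*)^x1 and two openings (u, s'), (u*, s'*) of the
    same w1 = y1^u g1^s', the discrete log x* of y* is (x1 (u* - u))^-1 (s' - s'*) mod q."""
    return (pow((x1 * (u_star - u)) % Q, -1, Q) * (s_prime - s_star)) % Q


if __name__ == "__main__":
    x1, r1, y1, w1 = keygen()
    bank = Bank()
    coin = ("s", y1, w1)   # constructed stand-in for (s, y1, w1, y2, w2, r3, sigma, D)
    s_a = answer_challenge(x1, r1, b"shop-A", b"2014-05-18")
    s_b = answer_challenge(x1, r1, b"shop-B", b"2014-05-19")
    print(bank.deposit(coin, y1, w1, b"shop-A", b"2014-05-18", s_a))
    print(bank.deposit(coin, y1, w1, b"shop-B", b"2014-05-19", s_b))
```

A second deposit whose challenge hash collides with the first is reported as "replayed" rather than solved, since with equal $u$ the two equations in (11) coincide.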
4. Security Proofs
In this section, we provide security definitions and formal proofs of the following security features: unlinkability, unforgeability, traceability, and no-swindling, for our proposed date attachable offline electronic cash scheme (DAOECS).
4.1. E-Cash Unlinkability. Based on the definition of unlinkability introduced by Abe and Okamoto [35] and Juels et al. [36], we formally define the unlinkability property of DAOECS.
Definition 1 (The Linkage Game). Let $U_0$, $U_1$, and 𝒥 be two honest users and the judge that follow DAOECS, respectively. Let ℬ be the bank that participates in the following game with $U_0$, $U_1$, and 𝒥. The game environment is shown in Figure 5.
Step 1. According to DAOECS, ℬ generates the bank's public key $(e_b, n_b)$, the bank's private key $(d_b, p_b, q_b)$, the system parameters $(p, q, g_1, g_2)$, the expiration date $D$, and the five public one-way hash functions $H_1, H_2, H_3, H_4$, and $H_5$. 𝒥 generates the judge's public-private key pair $(pk_j, sk_j)$.
Step 2. ℬ generates $x_{1i}, x_{2i}, r_{1i}, r_{2i}, r_{3i}$ at random, where $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q - 1\}$, and computes $(y_{ki}, w_{ki})$ for $k = 1, 2$ and $i = 0, 1$, where $y_{ki} = g_k^{x_{ki}} \bmod p$ and $w_{ki} = g_k^{r_{ki}} \bmod p$.
Step 3. We choose a bit $b \in \{0, 1\}$ randomly and place $(y_{1b}, w_{1b}, y_{2b}, w_{2b})$ and $(y_{1,1-b}, w_{1,1-b}, y_{2,1-b}, w_{2,1-b})$ on the private input tapes of $U_0$ and $U_1$, respectively, where $b$ is not disclosed to ℬ.
Step 4. ℬ performs the withdrawal protocol of DAOECS with $U_0$ and $U_1$, respectively.
Step 5. If $U_0$ and $U_1$ output two e-cash(s) $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$, where $m_i = (y_{1i}, w_{1i}, y_{2i}, w_{2i}, r_{3i})$, on their private tapes, respectively, we give the two e-cash(s) in a random order to ℬ; otherwise, $\perp$ is given to ℬ.
Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k)$:
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s_i^{e_b} H_1^2(m_i)\,H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell + 1\}$;
        (ii) $m_1, \ldots, m_{\ell+1}$ are all distinct;
    else return 0.
Algorithm 1: Experiment FG-1.
Step 6. ℬ outputs $b' \in \{0, 1\}$ as the guess of $b$. The bank ℬ wins the game if $b' = b$ and 𝒥 has not revoked the anonymity of $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$ to ℬ. We define the advantage of ℬ as
$$
\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = \left| 2\Pr[b' = b] - 1 \right|, \qquad (13)
$$
where $\Pr[b' = b]$ denotes the probability of $b' = b$.
Definition 2 (Unlinkability). A DAOECS satisfies the unlinkability property if and only if the advantage $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B})$ defined in Definition 1 is negligible.
Theorem 3. A DAOECS satisfies the unlinkability property of Definition 2 if the adopted cryptosystems are semantically secure.
Proof. If ℬ is given $\perp$ in Step 5 of the game, it will determine $b$ with probability $1/2$, which is exactly the same as a random guess of $b$.
Here we assume that ℬ gets two e-cash(s) $(s_0, m_0, \sigma_0, D_0)$ and $(s_1, m_1, \sigma_1, D_1)$. Let $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{ji}))$, $i \in \{0, 1\}$, be the view of the data exchanged between $U_i$ and ℬ in the withdrawal protocol (Section 3.2.2), and let $(x_{2i}, r_{2i}, r_{4i}, r_{ui}, r_{si}, s'_i, d_i)$ be the view of the data exchanged when ℬ performs the payment protocol (Section 3.2.3) and the deposit protocol (Section 3.2.4) by using $(s_i, m_i, \sigma_i, D_i)$, where $i \in \{0, 1\}$. For
$$
(s, m, \sigma, D, x_2, r_2, r_4, r_u, r_s, s', d) \in \left\{ (s_0, m_0, \sigma_0, D_0, x_{20}, r_{20}, r_{40}, r_{u0}, r_{s0}, s'_0, d_0),\ (s_1, m_1, \sigma_1, D_1, x_{21}, r_{21}, r_{41}, r_{u1}, r_{s1}, s'_1, d_1) \right\} \qquad (14)
$$
and $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{ji}))$, $i \in \{0, 1\}$, there always exists a pair $(a'_i, b'_i)$ such that
$$
a'_i = \left[\alpha_i H_1^2(m, D)\right]^{-d_b} \bmod n_b \quad (\text{via } (1)), \qquad b'_i = \left[\beta_i H_3(\sigma, D)\right]^{-d_b} \bmod n_b \quad (\text{via } (2)). \qquad (15)
$$
And from (3), $t_i \equiv (\alpha_i \beta_i H_2(D))^{d_b} \pmod{n_b}$, so (4) always holds, as
$$
s \equiv (a'_i b'_i t_i) \equiv \left[\left(H_1^2(m, D)\,H_3(\sigma, D)\right)^{-1} H_2(D)\right]^{d_b} \pmod{n_b}. \qquad (16)
$$
Besides, $E_{pk_j}$ and $E_{k_i}$ are semantically secure encryption functions, so ℬ cannot learn any information from $\epsilon_i$ and $E_{k_i}(b_i, \sigma_i, r_{ji})$.
From the above, given any $(s, m, \sigma, D) \in \{(s_0, m_0, \sigma_0, D_0), (s_1, m_1, \sigma_1, D_1)\}$ and $(\alpha_i, \beta_i, t_i)$, where $i \in \{0, 1\}$, there always exists a corresponding pair $(a'_i, b'_i)$ such that (1), (2), (3), and (4) are satisfied. Thus, going back to Step 6 of the game, the bank ℬ succeeds in determining $b$ with probability $(1/2) + \varepsilon$, where $\varepsilon$ is negligible since $E_{pk_j}$ and $E_{k_i}$ are semantically secure. Therefore we have $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = 2\varepsilon$, which is negligible, so that DAOECS satisfies the unlinkability property.
4.2. E-Cash Unforgeability. In this section, we will formally prove that the proposed date attachable offline electronic cash scheme (DAOECS) is secure against forgery attacks. The forgery attack can be roughly divided into two types: one is the typical one-more forgery type (i.e., $(\ell, \ell + 1)$-forgery) [37], and the other is the forgery on some specific expiration date of an e-cash after sufficient communications with the signing oracle (i.e., the bank). The details of the definitions and our formal proofs are described as follows.
Definition 4 (Forgery Game 1 in DAOECS (FG-1)). Let $l_k \in \mathbb{N}$ be a security parameter and 𝒜 be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS and is responsible for issuing e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from 𝒜. 𝒜 is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k)$ shown in Algorithm 1. 𝒜 wins the forgery game FG-1 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k) = 1]$ of 𝒜 is nonnegligible.
Definition 5 (Forgery Game 2 in DAOECS (FG-2)). Let $l_k \in \mathbb{N}$ be a security parameter and 𝒜 be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS and takes charge of the following two events:
(i) issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from 𝒜;
(ii) record the total number $\ell_{D_i}$ of each distinct expiration date $D_i$.
𝒜 is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(l_k)$ shown in Algorithm 2. 𝒜 wins the forgery game
Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(l_k)$:
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $\{(s_i, m_i, \sigma_i, D^*) : 1 \le i \le \ell_{D^*} + 1\} \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s_i^{e_b} H_1^2(m_i)\,H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell_{D^*} + 1\}$;
        (ii) $m_1, \ldots, m_{\ell_{D^*}+1}$ are all distinct;
    else return 0.
Algorithm 2: Experiment FG-2.
Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_{\mathcal{A}}(k)$:
    $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
    $(y_1, \ldots, y_m) \leftarrow \mathcal{O}_t(N, e, k)$
    $(\pi, (x_1, y_1), \ldots, (x_n, y_n)) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
    if the following checks are true, return 1:
        (i) $\pi : \{1, \ldots, n\} \rightarrow \{1, \ldots, m\}$ is injective;
        (ii) $x_i^e \equiv y_i \pmod N$, $\forall i \in \{1, \ldots, n\}$;
        (iii) $n > q_h$;
    else return 0.
Algorithm 3: Experiment RSA-ACTI.
FG-2 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(k) = 1]$ of 𝒜 is nonnegligible.
Here we introduce the hard problems used in our proof models.
Definition 6 (Alternative Formulation of the RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let $k \in \mathbb{N}$ be a security parameter and 𝒜 be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. 𝒜 is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ for $m$ and $q_h$ times, respectively. Consider Algorithm 3. We say 𝒜 breaks the RSA-ACTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_{\mathcal{A}}(k) = 1]$ of 𝒜 is nonnegligible.
Definition 7 (The RSA Inversion Problem). Given $(e, n)$, where $n$ is the product of two distinct large primes $p$ and $q$ of roughly the same length and $e$ is a positive integer relatively prime to $(p - 1)(q - 1)$, and a randomly chosen positive integer $y$ less than $n$, find an integer $x$ such that $x^e \equiv y \pmod n$.
Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then DAOECS is secure against forgery attacks.
Theorem 9. For a polynomial-time adversary 𝒜 who can win FG-1 or FG-2 with nonnegligible probability, there exists another adversary 𝒮 who can break the RSA-ACTI problem or the RSA inversion problem with nonnegligible probability.
Proof. 𝒮 simulates the environment and controls three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ and an e-cash producing oracle $\mathcal{O}_S$ of the DAOECS scheme to respond to the different queries from 𝒜 in the random oracle model, and takes advantage of 𝒜 to solve the RSA-ACTI problem or the RSA inversion problem simultaneously. For consistency, 𝒮 maintains three lists $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.
Here we will start to do the simulation for the two games (i.e., FG-1 and FG-2) to prove that DAOECS is secure against forgery attacks. The details of the simulation are set out below and illustrated in Figures 6 and 7, respectively.
Simulation in FG-1. In this proof model, 𝒮 is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-ACTI problem defined in Definition 6 to help 𝒮 produce e-cash(s), and the corresponding verifying key is $(e, n)$.
(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially, every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When 𝒜 sends $m$ for querying the hash value $H_1(m)$, 𝒮 will check the list $L_{H_1}$:
(a) if $m = m_i$ for some $i$, then 𝒮 retrieves the corresponding $H_1(m_i)$ and returns it to 𝒜;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then 𝒮 retrieves the corresponding $H_1^2(m_i)$ and returns it to 𝒜;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then 𝒮 queries $\mathcal{O}_t$ to get an instance $y$ and returns it to 𝒜, then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), y)$ in $L_{H_1}$;
(d) otherwise, 𝒮 selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $L_{H_1}$, and returns $\rho$ to 𝒜.
(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When 𝒜 asks for an $H_2$ query by sending $D$ to 𝒮, 𝒮 will look up the list $L_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and 𝒮 will send $(\tau^e \bmod n)$ back to 𝒜;
(b) otherwise, 𝒮 will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$, and return $(\tau^e \bmod n)$ back to 𝒜.
(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While 𝒜 sends $(\sigma, D)$ to 𝒮 for $H_3(\sigma, D)$, 𝒮 will look up the list $L_{H_3}$:
[Figure 6: The proof model of FG-1. 𝒮 answers the $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ and $\mathcal{O}_S$ queries of 𝒜 ($\rho_i$, $\tau_i^e \bmod n$, $\eta_i^e \bmod n$, and $(t_i, E_{k_i}(b_i, \sigma_i, r_{ji}))$) with the help of the RSA-ACTI oracles $\mathcal{O}_{\mathrm{inv}}$ and $\mathcal{O}_t$; from the $\ell + 1$ output tuples $(s_i, m_i, \sigma_i, D_i)$ satisfying $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod n$ it obtains $(y_i)^d \equiv s_i^{-1} \eta_i^{-1} \tau_i \pmod n$ for $i = 1, \ldots, \ell + 1$.]
[Figure 7: The proof model of FG-2. 𝒮 answers the same queries, with $H_1$ values of the form $\varsigma_i^e \bmod n$; from the $\ell_{D'} + 1$ output tuples $(s_i, m_i, \sigma_i, D')$ satisfying $s_i^e H_1^2(m_i) H_3(\sigma_i, D') \equiv H_2(D') \pmod n$ it computes $x \equiv y^d \equiv (s_i \varsigma_i \eta_i)^{-1} \tau_i \pmod n$.]
(a) if (120590 119863) = (120590119894 119863
119894) for some 119894 the correspond-
ing 120578 will be retrieved and (120578119890mod 119899) will bereturned toA
(b) otherwiseSwill select a random 120578 isin Z119899 record
((120590 119863) 120578) in L1198673 and return (120578119890 mod 119899) back
toA
(iv) E-Cash Producing Query of OS
WhenA sends (120572 120598 119863) to S S will do the followingsteps
(1) decrypt 120598 obtain (119896 ID)
(2) randomly select 119903119895and prepare 120590 = 119864
119901119896119895(ID
119903119895)
(3) choose 120578 isin119877Z119899 set 119867
3(120590 119863) = (120578
119890 mod 119899)and store ((120590 119863) 120578) inL
1198673
(4) select 119887 isin119877Zlowast
119899and compute 120573 = (119887
119890
120578119890
)minus1 mod 119899
(5) retrieve or assign 120591 such that 1198672(119863) = (120591
119890
) asthe O
1198672query described above
(6) send (120572120573120591119890
) to oracle Oinv to get 119905 = (120572120573120591119890
)119889
mod 119899(7) return (119905 119864
119896(119887 120590 119903
119895)) back toA
Eventually, assume that $\mathcal{A}$ can successfully output $\ell + 1$ e-cash tuples

$$(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \qquad (17)$$

where the $m_i$ are all distinct, $\forall i$, $1 \le i \le \ell + 1$, such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod n$, after $\ell$ queries to $\mathcal{O}_S$, with nonnegligible probability $\epsilon_{\mathcal{A}}$. According to $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$ and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve the RSA-inversion instances ($\forall i$, $1 \le i \le \ell + 1$)

$$(y_i)^d \equiv (H_1^2(m_i))^d \equiv s_i^{-1}\,\bigl(H_3(\sigma_i, D_i)^{-1} H_2(D_i)\bigr)^d \equiv s_i^{-1}\,\eta_i^{-1}\,\tau_i \pmod n. \qquad (18)$$

Via $\mathcal{A}$ querying the signing oracle $\mathcal{O}_S$ for $\ell$ times (i.e., $\mathcal{S}$ querying $\mathcal{O}_{inv}$ for $\ell$ times), $\mathcal{S}$ can output $\ell + 1$ RSA-inversion instances

$$(s_1^{-1}\eta_1^{-1}\tau_1,\ y_1),\ (s_2^{-1}\eta_2^{-1}\tau_2,\ y_2),\ \ldots,\ (s_{\ell+1}^{-1}\eta_{\ell+1}^{-1}\tau_{\ell+1},\ y_{\ell+1}) \qquad (19)$$

and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
Simulation in FG-2. Initially $\mathcal{S}$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ checks the list $\mathcal{L}_{H_1}$:
  (a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\rho_i$ and returns it to $\mathcal{A}$;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\xi$ and returns $(\xi^e \bmod n)$ to $\mathcal{A}$;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ selects a random $\xi \in \mathbb{Z}_n$, returns $(\xi^e \bmod n)$ to $\mathcal{A}$, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \xi)$ in $\mathcal{L}_{H_1}$;
  (d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ is retrieved and $\mathcal{S}$ sends $(\tau^e \bmod n)$ back to $\mathcal{A}$;
  (b) otherwise $\mathcal{S}$ selects a random $\tau \in \mathbb{Z}_n$, records $(D, \tau)$ in $\mathcal{L}_{H_2}$, and returns $(\tau^e \bmod n)$ to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_3}$:
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ is retrieved and returned to $\mathcal{A}$;
  (b) otherwise $\mathcal{S}$ selects a random $\eta \in \mathbb{Z}_n$, sets $H_3(\sigma, D) = (\eta^e\, y \bmod n)$, records $((\sigma, D), \eta, H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$, and returns $H_3(\sigma, D)$ to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. Let $\ell_{D_i}$ be a counter recording the number of queries on each expiration date $D_i$, initialized to $0$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ does the following steps:
  (1) decrypt $\epsilon$ to obtain $(k, \mathrm{ID})$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^e \bmod n)$, and store $((\sigma, D), \perp, \alpha\eta^e \bmod n)$ and $(\sigma, D)$ in $\mathcal{L}_{H_3}$ and $\mathcal{L}_x$, respectively;
  (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
  (6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv (b\eta)^{-1}\tau \pmod n$;
  (7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ to $\mathcal{A}$.

Eventually, assume that $\mathcal{A}$ can successfully output $\ell_{D'} + 1$ e-cash tuples for some expiration date $D'$,

$$(s_1, m_1, \sigma_1, D'),\ \ldots,\ (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D') \qquad (20)$$

such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D') \equiv H_2(D') \pmod n$, $\forall i$, $1 \le i \le \ell_{D'} + 1$, after $\ell_{D'}$ queries to $\mathcal{O}_S$ on $D'$, with nonnegligible probability $\epsilon_{\mathcal{A}}$.

Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'} + 1$, is not recorded in $\mathcal{L}_x$. Then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$ and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve

$$(s_i)^e \equiv \bigl(H_1^2(m_i)\, H_3(\sigma_i, D')\bigr)^{-1} H_2(D') \equiv \bigl((\xi_i^e)(\eta_i^e\, y)\bigr)^{-1} (\tau_i^e) \pmod n,$$
$$x \equiv y^d \equiv (s_i\,\xi_i\,\eta_i)^{-1}\,\tau_i \pmod n, \qquad (21)$$

and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
4.3 E-Cash Conditional-Traceability. In this section we prove that the ID information embedded in e-cash(s) cannot be replaced or removed by any user, so that a user can still be traced after misbehavior or a crime. The details of our proof model are illustrated in Figure 8.
Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS to record parameters from the queries of $\mathcal{A}$ and issue e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider Algorithm 4. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{TG}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Figure 8: The proof model of TG.

Algorithm 4

Experiment $\mathrm{Exp}^{TG}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
  $\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow \mathcal{O}_S$
  if the following two checks are true, return 1:
    (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$
    (ii) $s'^e\, H_1^2(m')\, H_3(\sigma', D') = H_2(D') \bmod n$
  else return 0
Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies E-Cash Traceability.

Definition 12 (Alternative Formulation of the RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{inv}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{inv}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5. We say $\mathcal{A}$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{RSA\text{-}AKTI}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Algorithm 5

Experiment $\mathrm{Exp}^{RSA\text{-}AKTI}_{\mathcal{A}}(k)$
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
  $(y_1, \ldots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$
  $((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow \mathcal{A}^{\mathcal{O}_{inv}, \mathcal{O}_t}(N, e, k)$
  if $x_i^e \equiv y_i \pmod N$ for all $i \in \{1, \ldots, q_t\}$, return 1
  else return 0

Theorem 13. For a polynomial-time adversary $\mathcal{A}$ who can win the tracing game TG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-AKTI problem with nonnegligible probability.

Proof. $\mathcal{S}$ simulates the environment of DAOECS by controlling three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ to respond to hash queries and an e-cash producing oracle $\mathcal{O}_S$ of DAOECS to respond to e-cash producing queries from $\mathcal{A}$, respectively, in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the RSA-AKTI problem. For consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$ and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$ and $\mathcal{O}_{H_3}$, respectively.
Besides, in the proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{inv}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12 for helping $\mathcal{S}$ produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.

Here we do the simulation for game TG to prove that DAOECS satisfies e-cash traceability. Details are described as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ checks the list $\mathcal{L}_{H_1}$:
  (a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\xi_i$ and returns $(\xi_i^e \bmod n)$ to $\mathcal{A}$;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ chooses $\xi \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\xi^e \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \xi)$ in $\mathcal{L}_{H_1}$;
  (d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ is retrieved and $\mathcal{S}$ sends $(\tau^e \bmod n)$ back to $\mathcal{A}$;
  (b) otherwise $\mathcal{S}$ selects a random $\tau \in \mathbb{Z}_n$, records $(D, \tau)$ in $\mathcal{L}_{H_2}$, and returns $(\tau^e \bmod n)$ to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_3}$:
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ is retrieved and returned to $\mathcal{A}$;
  (b) otherwise $\mathcal{S}$ queries $\mathcal{O}_t$ to get an instance $y$ and records $y$ and $((\sigma, D), y)$ in $\mathcal{L}_T$ and $\mathcal{L}_{H_3}$, respectively;
  (c) returns $y$ to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ does the following steps:
  (1) decrypt $\epsilon$ to obtain $(k, \mathrm{ID})$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^e \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$;
  (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
  (6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv (b\eta)^{-1}\tau \pmod n$;
  (7) return $(t, E_k(b, \sigma, r_j))$ to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$ where $\sigma'$ never appears as part of any $\mathcal{O}_S$ query, such that $s'^e H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$. Then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$ and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can derive

$$(y')^d \equiv \bigl(H_3(\sigma', D')\bigr)^d \equiv s'^{-1}\bigl(H_1^2(m')^{-1} H_2(D')\bigr)^d \equiv s'^{-1}\,\xi'^{-1}\,\tau' \pmod n. \qquad (22)$$

Let $|\mathcal{L}_T| = q_t$ and $\mathcal{L}_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends each $y_i \in (\mathcal{L}_T \setminus \{y'\})$, $1 \le i \le q_t - 1$, to $\mathcal{O}_{inv}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$. Eventually $\mathcal{S}$ can output $q_t$ RSA-inversion instances

$$(x_1, y_1),\ (x_2, y_2),\ \ldots,\ (x_{q_t-1}, y_{q_t-1}),\ \bigl((s'^{-1}\xi'^{-1}\tau'),\ y'\bigr) \qquad (23)$$

after querying $\mathcal{O}_{inv}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
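The reductions in Sections 4.2 and 4.3 all follow one pattern: $\mathcal{S}$ answers every hash query with a value whose $e$-th root it already knows, except at the one position where it plants the challenge, so any coin that verifies under those answers hands $\mathcal{S}$ an $e$-th root of the challenge. The Python script below is an added example, not code from the paper, that models this for the verification equation, the FG-2 extraction (21) and the TG extraction (22). It assumes a toy RSA modulus built from two fixed primes (far too small to be secure), SHA-256 as the honest hash, and plays the forger with the signing exponent $d$ itself; none of these choices are the paper's.

```python
"""Toy model of the random-oracle reductions in Sections 4.2 and 4.3.

Added example, not code from the paper.  Assumptions that are not in the
original: a toy RSA modulus from two fixed primes (far too small to be
secure), SHA-256 for the honest hashes, and the coin check
    s^e * H1(H1(m)) * H3(sigma, D) == H2(D)  (mod n).
The 'forger' is simply a party that knows d; the point is only how the
simulator's programmed oracles turn a verified coin into y^d mod n."""
import hashlib
import random

P, Q = 1000000007, 998244353            # toy primes (assumption, insecure)
N = P * Q
E = 65537
D_KEY = pow(E, -1, (P - 1) * (Q - 1))   # bank's signing exponent d


def real_hash(tag, *parts):
    """Honest H1/H2/H3: SHA-256 of a tagged encoding, reduced mod n (assumption)."""
    data = "|".join([tag] + [str(x) for x in parts]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def verify_coin(s, m, sigma, date, H1sq, H2, H3):
    """The verification equation of a DAOECS coin, for any choice of oracles."""
    lhs = pow(s, E, N) * H1sq(m) % N * H3(sigma, date) % N
    return lhs == H2(date) % N


def sign_coin(m, sigma, date, H1sq, H2, H3):
    """Issuing with d: s = ((H1^2(m) H3(sigma, D))^{-1} H2(D))^d mod n."""
    base = pow(H1sq(m) * H3(sigma, date) % N, -1, N) * H2(date) % N
    return pow(base, D_KEY, N)


class Simulator:
    """S's programmed random oracles.  Every reply is the e-th power of a value
    S remembers in L_H1 / L_H2 / L_H3, except that H3 also carries the challenge:
    mode 'fg2' embeds one RSA-inversion instance y   (H3 = eta^e * y, eq. 21),
    mode 'tg'  returns a fresh target y_i from O_t   (H3 = y_i,        eq. 22)."""

    def __init__(self, mode, challenge, rng):
        self.mode, self.challenge, self.rng = mode, challenge, rng
        self.L1, self.L2, self.L3, self.L_T = {}, {}, {}, []

    def H1sq(self, m):                        # H1^2(m) = xi^e mod n
        if m not in self.L1:
            self.L1[m] = self.rng.randrange(2, N)
        return pow(self.L1[m], E, N)

    def H2(self, date):                       # H2(D) = tau^e mod n
        if date not in self.L2:
            self.L2[date] = self.rng.randrange(2, N)
        return pow(self.L2[date], E, N)

    def H3(self, sigma, date):
        key = (sigma, date)
        if key not in self.L3:
            if self.mode == "fg2":
                eta = self.rng.randrange(2, N)
                self.L3[key] = (eta, pow(eta, E, N) * self.challenge % N)
            else:                             # 'tg': the target oracle O_t hands out y_i
                y_i = self.challenge()
                self.L_T.append(y_i)
                self.L3[key] = (None, y_i)
        return self.L3[key][1]

    def extract(self, s, m, sigma, date):
        """Return (x, y) with x^e == y, from a coin that verifies under these oracles."""
        xi, tau = self.L1[m], self.L2[date]
        eta, h3 = self.L3[(sigma, date)]
        if self.mode == "fg2":                # y^d = (s xi eta)^{-1} tau        (eq. 21)
            return pow(s * xi % N * eta % N, -1, N) * tau % N, self.challenge
        return pow(s * xi % N, -1, N) * tau % N, h3   # y_i^d = s^{-1} xi^{-1} tau (eq. 22)


def demo_honest():
    """Honest issuing and checking with real hashes; a changed date must fail."""
    H1sq = lambda m: real_hash("H1", real_hash("H1", m))
    H2 = lambda d: real_hash("H2", d)
    H3 = lambda sg, d: real_hash("H3", sg, d)
    s = sign_coin("m1", "sigma1", "2014-12-31", H1sq, H2, H3)   # constructed coin data
    return (verify_coin(s, "m1", "sigma1", "2014-12-31", H1sq, H2, H3),
            verify_coin(s, "m1", "sigma1", "2015-01-31", H1sq, H2, H3))


def demo_reduction(mode, seed=1):
    """The forger produces one coin under S's oracles; S turns it into an e-th root."""
    rng = random.Random(seed)
    if mode == "fg2":
        sim = Simulator("fg2", rng.randrange(2, N), rng)
    else:
        targets = iter([rng.randrange(2, N) for _ in range(3)])   # constructed O_t
        sim = Simulator("tg", lambda: next(targets), rng)
    s = sign_coin("m*", "sigma*", "D*", sim.H1sq, sim.H2, sim.H3)   # A's forgery
    ok = verify_coin(s, "m*", "sigma*", "D*", sim.H1sq, sim.H2, sim.H3)
    x, y = sim.extract(s, "m*", "sigma*", "D*")
    return ok, pow(x, E, N) == y
```

Note that in the `tg` mode the simulator never needs the inversion oracle to answer $\mathcal{O}_S$ queries, because $\alpha$ cancels in $t = (b\eta)^{-1}\tau$; that is what lets it finish with $q_h = q_t - 1$ inversion queries.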
4.4 E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has been spent in a previous transaction, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model the merchant may accept a transaction involving a double-spent e-cash first and do the double-spending check later. In this case the original owner of the e-cash may suffer a loss. Therefore a secure offline e-cash scheme should guarantee the following two events:
(i) no one except the real owner can spend a fresh and valid offline e-cash successfully;
(ii) no one can double spend an e-cash successfully.
Roughly, this can be referred to as the e-cash no-swindling property. In this section we define the no-swindling property and formally prove that our scheme is secure against swindling attacks.
Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $\mathcal{O}_{off}$ is an oracle which shows the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{SWG\text{-}1}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{SWG\text{-}2}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.
Algorithm 6: Experiment SWG-1

Experiment $\mathrm{Exp}^{SWG\text{-}1}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\, H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\bigr)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ was never a query to $\mathcal{O}_{off}$
  else return 0

Algorithm 7: Experiment SWG-2

Experiment $\mathrm{Exp}^{SWG\text{-}2}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\, H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\bigr)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{off}$ once
    (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ is not obtained from $\mathcal{O}_{off}$
  else return 0
Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. For consistency, $\mathcal{S}$ maintains a list $\mathcal{L}_{H_4}$ to record every response of $\mathcal{O}_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we describe the simulations for the two experiments $\mathrm{Exp}^{SWG\text{-}1}_{\mathcal{A}}$ and $\mathrm{Exp}^{SWG\text{-}2}_{\mathcal{A}}$ individually.

The simulation for $\mathrm{Exp}^{SWG\text{-}1}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ does the following:
  (a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
  (b) if $i = \nu$, compute $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
  (c) if $i \neq \nu$, compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
  (d) prepare $s = \bigl((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
  (e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $\mathcal{L}_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{off}$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it looks up the list $\mathcal{L}_B$:
  (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
  (b) otherwise $\mathcal{O}_{off}$ retrieves the corresponding $(r_1, x_1)$, chooses a random $r_u$, computes $u = H_4(r_u, r_s)$ and $s' = r_1 - u x_1 \bmod q$, and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$ where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $\mathcal{L}_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*} \bmod p$, $\mathcal{S}$ can derive

$$x^* = (r_1^*)^{-1}\bigl(x_1^*\, H_4(r_u^*, r_s^*) + s'^*\bigr) \bmod q \qquad (24)$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

Figure 9: The proof model of SWG-1.
The simulation for $\mathrm{Exp}^{SWG\text{-}2}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ does the following:
  (a) if $i = \nu$:
    (1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
    (2) compute $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$;
    (3) prepare $s = \bigl((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
    (4) record $(i, (s, m, \sigma, D), (u, s'))$ in the list $\mathcal{L}_B$;
  (b) if $i \neq \nu$:
    (1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
    (2) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
    (3) prepare $s = \bigl((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
    (4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $\mathcal{L}_B$;
  (c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{off}$. A status parameter sta is initialized to $0$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it looks up the list $\mathcal{L}_B$:
  (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and sta $= 0$, $\mathcal{O}_{off}$ performs the following procedures:
    (1) set sta $= 1$;
    (2) retrieve the corresponding $(u, s')$ from $\mathcal{L}_B$ and choose a random $r_u$;
    (3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $\mathcal{L}_H$;
    (4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in the list $\mathcal{L}_{off}$;
    (5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
  (b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{off}$ retrieves the corresponding $(r_1, x_1)$, chooses random $r_u$ and $u$, sets $H_4(r_u, r_s) = u$, records $((r_u, r_s), u)$ in $\mathcal{L}_H$, computes $s' = r_1 - u x_1 \bmod q$, and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
  (c) otherwise abort.

(iii) Oracle $\mathcal{O}_{H_4}$. When $\mathcal{A}$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ checks the list $\mathcal{L}_H$:
  (a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ retrieves the corresponding $u$ and returns it to $\mathcal{A}$;
  (b) otherwise $\mathcal{O}_{H_4}$ chooses a random $u$, records $((r_u, r_s), u)$ in $\mathcal{L}_H$, and returns $u$ to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$ where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $\mathcal{L}_B$, and $H_4(r_u^*, r_s^*) = u^*$. Then, via $\mathcal{L}_H$, since

$$\bigl(y^{*x_1^*}\bigr)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \bigl(y^{*x_1^*}\bigr)^{u} g^{s'} \pmod p, \qquad (25)$$

$\mathcal{S}$ can derive

$$x^* = \bigl(x_1^*\,(u^* - u)\bigr)^{-1}\,(s' - s'^*) \bmod q \qquad (26)$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

Figure 10: The proof model of SWG-2.

Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. It follows that there exists no PPT adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
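The ownership proof that the no-swindling argument rests on is the Schnorr-style opening of $w_1$: the payer reveals $s'$ with $w_1 = y_1^{H_4(r_u, r_s)} g^{s'} \bmod p$, and two openings of the same $w_1$ under different challenges reveal the exponent, which is exactly what (26) exploits. The Python script below is an added example, not the paper's code, that runs the honest payment check from Algorithms 6 and 7, shows that a stranger's guess fails, recovers $x_1$ from a double-spent coin, and reproduces the SWG-2 extraction with $y_1 = (y^*)^{x_1}$. It assumes a toy group $p = 2q + 1 = 2039$, $g = 4$, and SHA-256 for $H_4$; the parameter sizes and the hash choice are assumptions, not the scheme's.

```python
"""Toy model of the ownership proof behind no-swindling and of the
SWG-1/SWG-2 extractions of Section 4.4.

Added example, not the paper's code.  Assumptions that are not in the
original: a toy Schnorr group p = 2q + 1 = 2039, q = 1019, g = 4 of order q
(far too small to be secure), H4 = SHA-256 reduced mod q, and the payment
check  w1 == y1^{H4(r_u, r_s)} * g^{s'}  (mod p)  from Algorithms 6 and 7."""
import hashlib
import random

P, Q, G = 2039, 1019, 4   # toy group parameters (assumption, insecure)


def H4(r_u, r_s):
    data = f"{r_u}|{r_s}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def withdraw(rng):
    """Owner's secret x1 and commitment randomness r1 go into the coin as
    y1 = g^x1 and w1 = g^r1; only their holder can later open w1."""
    x1, r1 = rng.randrange(1, Q), rng.randrange(1, Q)
    return x1, r1, pow(G, x1, P), pow(G, r1, P)


def spend(x1, r1, r_u, r_s):
    """Owner's response to the merchant's challenge r_s: s' = r1 - u*x1 mod q."""
    u = H4(r_u, r_s)
    return (r1 - u * x1) % Q


def verify_payment(y1, w1, r_u, r_s, s_prime):
    """Check (i) of Algorithms 6/7 restricted to the opening of w1."""
    u = H4(r_u, r_s)
    return pow(y1, u, P) * pow(G, s_prime, P) % P == w1


def extract_x1(u, s1, u_star, s_star):
    """Double spending: two accepted openings of one w1 under u != u*
    give the owner's secret x1 = (s' - s'*) / (u* - u) mod q."""
    return (s1 - s_star) * pow((u_star - u) % Q, -1, Q) % Q


def extract_dlog_swg2(x1, u, s1, u_star, s_star):
    """Eq. (26): with y1 = (y*)^{x1} planted by S, the same two openings give
    x* = (x1 (u* - u))^{-1} (s' - s'*) mod q, the discrete log of y*."""
    return pow(x1 * ((u_star - u) % Q) % Q, -1, Q) * ((s1 - s_star) % Q) % Q


def demo_payment(seed=3):
    """Honest spend verifies, a guessed s' does not, a second spend leaks x1."""
    rng = random.Random(seed)
    x1, r1, y1, w1 = withdraw(rng)
    r_u, r_s = rng.randrange(Q), rng.randrange(Q)          # constructed nonces
    s_prime = spend(x1, r1, r_u, r_s)
    honest = verify_payment(y1, w1, r_u, r_s, s_prime)
    swindle = verify_payment(y1, w1, r_u, r_s, (s_prime + 1) % Q)   # stranger guessing
    r_s2 = rng.randrange(Q)                                # second merchant challenge
    while H4(r_u, r_s2) == H4(r_u, r_s):
        r_s2 = rng.randrange(Q)
    s2 = spend(x1, r1, r_u, r_s2)                          # double spend of the same coin
    recovered = extract_x1(H4(r_u, r_s), s_prime, H4(r_u, r_s2), s2)
    return honest, swindle, recovered == x1


def demo_swg2(seed=5):
    """S plants y1 = (y*)^{x1}, w1 = y1^u g^{s'}; A's second opening yields x*."""
    rng = random.Random(seed)
    x_star = rng.randrange(1, Q)
    y_star = pow(G, x_star, P)                 # DL instance handed to S
    x1, u, s1 = rng.randrange(1, Q), rng.randrange(1, Q), rng.randrange(1, Q)
    y1 = pow(y_star, x1, P)                    # planted coin: y1 = (y*)^{x1}
    w1 = pow(y1, u, P) * pow(G, s1, P) % P     # w1 = y1^u g^{s'}
    # A swindles with a second valid opening (u*, s'*) of w1.  A is given x*
    # here only to construct the transcript: log_g y1 = x* x1 mod q.
    u_star = (u + 1) % Q
    s_star = (s1 + x_star * x1 * (u - u_star)) % Q
    ok = pow(y1, u_star, P) * pow(G, s_star, P) % P == w1
    return ok, extract_dlog_swg2(x1, u, s1, u_star, s_star) == x_star
```

The same `extract_x1` step is what the bank runs on two deposited transcripts of one coin: the double spender's $x_1$ falls out, which is the offline double-spending detection that the no-swindling game models.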
5 E-Cash Advanced Features and Performance Comparisons

In this section we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13-15, 21, 22, 27, 38-40]. We analyze the features and performance of the aforementioned schemes and summarize them in Table 1.

5.1 Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability and no double-spending. Besides these, other advanced features of an e-cash system are discussed in the literature. We focus on three such advanced features, namely traceability, date attachability and no-swindling, and compare the proposed scheme with the aforementioned schemes on them.

We also propose an e-cash renewal protocol that lets users exchange their unused but expired e-cash(s) for a new valid e-cash, so users do not have to deposit an e-cash before it expires and then withdraw a new one. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% compared with running the withdrawal and deposit protocols, i.e., almost half of the effort of getting a new e-cash at the user side. This is a great help to users, since their devices, such as smart phones, usually have weaker computation capability.
Table 1: Advanced features and performance comparisons.

                            Ours   [38]   [14]   [15]   [9]    [21]   [22]   [39]   [40]   [13]   [27]
  Advanced features
  On/off-line               Off    Off    Off    Off    On     Off    Off    Off    Off    On     Off
  Conditional-traceability  Yes    Yes    No     Yes    No     Yes    Yes    Yes    Yes    Yes    No
  Date attachability        Yes    No     No     No     Yes    Yes    No     No     No     No     Yes
  No-swindling              Yes    No     No     No     —      No     Yes    No     No     —      No
  Renewal protocol          Yes    —      Yes    —      No     Yes    Yes    —      —      —      Yes
  Formal proof              Yes    Yes    No     Yes    No     No     Yes    Yes    Yes    Yes    No
  Performance
  Communication cost (bytes) 1092  576    1288   939    769    644    300    828    968    1536   728

  Transaction cost⋆
    Ours: 5E + 7M + 7H + 1inv + 1A ≈ 1454M
    [38]: 14E + 14M + 1H + 5A ≈ 3375M
    [14]: 6E + 8M ≈ 1448M
    [15]: 23E + 14M + 1A ≈ 5534M
    [9]:  2E + 2M + 2H ≈ 966M
    [21]: 5E + 9M + 1H + 1inv + 2A ≈ 1450M
    [22]: 2E ≈ 480M
    [39]: 18E + 15M + 2H + 8A ≈ 4337M
    [40]: 31E + 22M + 6H + 10A ≈ 7468M
    [13]: 22E + 11M + 4A ≈ 5291M
    [27]: 6E + 8M + 1H ≈ 1449M

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
Communication cost: the communication cost of each transaction at the user side, in bytes.
5.2 Performance Comparisons. According to [41], we can summarize the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times that of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. The computation cost of a hash operation almost equals that of a modular multiplication.

With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be derived as 1452 times that of a modular multiplication, while the other works [9, 13-15, 21, 22, 27, 38-40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291 and 1449 times that of a modular multiplication to finish the withdrawal and payment phases at the user end.

According to [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512 and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and the one-way hash function used in all protocols, respectively; therefore an AES block and a hash digest are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes per transaction.
The details of the comparisons are summarized inTable 1
6. Conclusion

In this paper, we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol where users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient from the aspect of the computation cost at the user side while satisfying all security properties simultaneously. Except for anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank to manage their huge databases against unlimited growth, but it also strengthens the preservation of users' privacy and rights.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grants NSC 102-2219-E-110-002, NSYSU-KMU Joint Research Project (NSYSU-KMU 2013-I001), and Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.
References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.
[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.
[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.
[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.
[5] D. R. Liuy and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.
[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.
[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man, and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.
[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.
[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.
[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.
[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.
[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.
[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.
[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.
[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.
[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.
[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.
[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology-CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.
[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.
[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.
[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.
[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.
[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.
[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.
[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.
[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology-CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.
[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.
[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.
[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.
[34] S. Bajikar, Trusted Platform Module (TPM) based security on notebook PCs, white paper, Mobile Platform Group, Intel Corporation, 2002.
[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.
[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.
[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.
[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.
[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.
[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.
[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.
Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s_i^{e_b} H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell+1\}$
    (ii) $m_1, \ldots, m_{\ell+1}$ are all distinct
  else return 0

Algorithm 1: Experiment FG-1.
Step 6. $\mathcal{B}$ outputs $b' \in \{0, 1\}$ as the guess of $b$. The bank $\mathcal{B}$ wins the game if $b' = b$ and $\mathcal{J}$ has not revoked the anonymity of $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$ to $\mathcal{B}$. We define the advantage of $\mathcal{B}$ as
$$\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = \left| 2 \Pr[b' = b] - 1 \right|, \quad (13)$$
where $\Pr[b' = b]$ denotes the probability of $b' = b$.

Definition 2 (Unlinkability). A DAOECS satisfies the unlinkability property if and only if the advantage $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B})$ defined in Definition 1 is negligible.

Theorem 3. A DAOECS satisfies the unlinkability property of Definition 2 if the adopted cryptosystems are semantically secure.

Proof. If $\mathcal{B}$ is given $\perp$ in Step 5 of the game, it will determine $b$ with probability $1/2$, which is exactly the same as a random guess of $b$.
Here we assume that $\mathcal{B}$ gets two e-cash $(s_0, m_0, \sigma_0, D_0)$ and $(s_1, m_1, \sigma_1, D_1)$. Let $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$, $i \in \{0, 1\}$, be the view of the data exchanged between $U_i$ and $\mathcal{B}$ in the withdrawal protocol (Section 3.2.2), and let $(x_{2i}, r_{2i}, r_{4i}, r_{u_i}, r_{s_i}, s'_i, d_i)$ be the view of the data exchanged when $\mathcal{B}$ performs the payment protocol (Section 3.2.3) and the deposit protocol (Section 3.2.4) by using $(s_i, m_i, \sigma_i, D_i)$, where $i \in \{0, 1\}$. For
$$(s, m, \sigma, D, x_2, r_2, r_4, r_u, r_s, s', d) \in \{(s_0, m_0, \sigma_0, D_0, x_{20}, r_{20}, r_{40}, r_{u0}, r_{s0}, s'_0, d_0),\ (s_1, m_1, \sigma_1, D_1, x_{21}, r_{21}, r_{41}, r_{u1}, r_{s1}, s'_1, d_1)\} \quad (14)$$
and $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$, $i \in \{0, 1\}$, there always exists a pair $(a'_i, b'_i)$ such that
$$a'_i = \left[\alpha_i H_1^2(m, D)\right]^{-d_b} \bmod n_b \quad \text{(via (1))},$$
$$b'_i = \left[\beta_i H_3(\sigma, D)\right]^{-d_b} \bmod n_b \quad \text{(via (2))}. \quad (15)$$
And from (3), $t_i \equiv (\alpha_i \beta_i H_2(D))^{d_b} \pmod{n_b}$, so (4) always holds, as
$$s \equiv (a'_i b'_i t_i) \equiv \left[\left(H_1^2(m, D)\, H_3(\sigma, D)\right)^{-1} H_2(D)\right]^{d_b} \pmod{n_b}. \quad (16)$$
Besides, $E_{pk_j}$ and $E_{k_i}$ are semantically secure encryption functions; $\mathcal{B}$ cannot learn any information from $\epsilon_i$ and $E_{k_i}(b_i, \sigma_i, r_{j_i})$.

From the above, given any $(s, m, \sigma, D) \in \{(s_0, m_0, \sigma_0, D_0), (s_1, m_1, \sigma_1, D_1)\}$ and $(\alpha_i, \beta_i, t_i)$, where $i \in \{0, 1\}$, there always exists a corresponding pair $(a'_i, b'_i)$ such that (1), (2), (3), and (4) are satisfied. Thus, going back to Step 6 of the game, the bank $\mathcal{B}$ succeeds in determining $b$ with probability $(1/2) + \varepsilon$, where $\varepsilon$ is negligible since $E_{pk_j}$ and $E_{k_i}$ are semantically secure. Therefore, we have $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = 2\varepsilon$, which is negligible, so that DAOECS satisfies the unlinkability property.
4.2. E-Cash Unforgeability. In this section, we will formally prove that the proposed date attachable offline electronic cash scheme (DAOECS) is secure against forgery attacks. The forgery attack can be roughly divided into two types: one is the typical one-more forgery type (i.e., $(\ell, \ell+1)$-forgery) [37], and the other is the forgery on some specific expiration date of an e-cash after sufficient communications with the signing oracle (i.e., the bank). The details of the definitions and our formal proofs are described as follows.

Definition 4 (Forgery Game 1 in DAOECS (FG-1)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS, responsible for issuing e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $\mathcal{A}$. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k)$ shown in Algorithm 1. $\mathcal{A}$ wins the forgery game FG-1 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Definition 5 (Forgery Game 2 in DAOECS (FG-2)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS to take charge of the following two events:
  (i) issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $\mathcal{A}$;
  (ii) record the total number $\ell_{D_i}$ of each distinct expiration date $D_i$.
$\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(l_k)$ shown in Algorithm 2. $\mathcal{A}$ wins the forgery game FG-2 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $\{(s_i, m_i, \sigma_i, D^*)\}$, $1 \le i \le \ell_{D^*}+1$ $\leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s_i^{e_b} H_1^2(m_i) H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell_{D^*}+1\}$
    (ii) $m_1, \ldots, m_{\ell_{D^*}+1}$ are all distinct
  else return 0

Algorithm 2: Experiment FG-2.

Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_{\mathcal{A}}(k)$:
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
  $(y_1, \ldots, y_m) \leftarrow \mathcal{O}_t(N, e, k)$
  $\pi, (x_1, y_1), \ldots, (x_n, y_n) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
  if the following checks are true, return 1:
    (i) $\pi : \{1, \ldots, n\} \rightarrow \{1, \ldots, m\}$ is injective
    (ii) $x_i^e \equiv y_i \pmod N$, $\forall i \in \{1, \ldots, n\}$
    (iii) $n > q_h$
  else return 0

Algorithm 3
Here we introduce the hard problems used in our proof models.

Definition 6 (Alternative Formulation of RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ for $m$ and $q_h$ times, respectively. Consider Algorithm 3. We say $\mathcal{A}$ breaks the RSA-ACTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Definition 7 (The RSA Inversion Problem). Given $(e, n)$, where $n$ is the product of two distinct large primes $p$ and $q$ with roughly the same length and $e$ is a positive integer relatively prime to $(p-1)(q-1)$, and a randomly chosen positive integer $y$ less than $n$, find an integer $x$ such that $x^e \equiv y \pmod n$.

Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then DAOECS is secure against forgery attacks.

Theorem 9. For a polynomial-time adversary $\mathcal{A}$ who can win FG-1 or FG-2 with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-ACTI problem or the RSA inversion problem with nonnegligible probability.
Proof. $\mathcal{S}$ simulates the environment and controls three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ and an e-cash producing oracle $\mathcal{O}_S$ of the DAOECS scheme to respond to the different queries from $\mathcal{A}$ in the random oracle model, and takes advantage of $\mathcal{A}$ to solve the RSA-ACTI problem or the RSA inversion problem simultaneously. Then, for consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.

Here we will start to do the simulation for the two games (i.e., FG-1 and FG-2) to prove that DAOECS is secure against forgery attacks. The details of the simulation are set below and illustrated in Figures 6 and 7, respectively.

Simulation in FG-1. In this proof model, $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-ACTI problem defined in Definition 6 to help $\mathcal{S}$ produce e-cash(s), and the corresponding verifying key is $(e, n)$.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially, every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
  (a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \ne \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1^2(m_i)$ and returns it to $\mathcal{A}$;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ queries $\mathcal{O}_t$ to get an instance $y$ and returns it to $\mathcal{A}$, then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), y)$ in $\mathcal{L}_{H_1}$;
  (d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
  (b) otherwise, $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ will be retrieved and $(\eta^e \bmod n)$ will be returned to $\mathcal{A}$;
  (b) otherwise, $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, record $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$, and return $(\eta^e \bmod n)$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
  (1) decrypt $\epsilon$, obtain $(k, \mathrm{ID})$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e \bmod n)$, and store $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$;
  (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \eta^e)^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
  (6) send $(\alpha\beta\tau^e)$ to the oracle $\mathcal{O}_{\mathrm{inv}}$ to get $t = (\alpha\beta\tau^e)^d \bmod n$;
  (7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Figure 6: The proof model of FG-1 (the interaction among $\mathcal{A}$, $\mathcal{S}$, $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$, $\mathcal{O}_S$, and the RSA-ACTI oracles $\mathcal{O}_{\mathrm{inv}}$ and $\mathcal{O}_t$; figure not reproduced).

Figure 7: The proof model of FG-2 (the interaction among $\mathcal{A}$, $\mathcal{S}$, $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$, and $\mathcal{O}_S$ for the RSA inversion instance $y$; figure not reproduced).
Eventually, assume that $\mathcal{A}$ can successfully output $\ell+1$ e-cash tuples
$$(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}), \quad (17)$$
where the $m_i$ are all distinct, $\forall i$, $1 \le i \le \ell+1$, such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) = H_2(D_i) \pmod n$, after $\ell$ times to query $\mathcal{O}_S$, with nonnegligible probability $\epsilon_{\mathcal{A}}$. According to $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve the RSA-inversion instances ($\forall i$, $1 \le i \le \ell+1$)
$$(y_i)^d \equiv \left(H_1^2(m_i)\right)^d \equiv s_i^{-1}\left(H_3(\sigma_i, D_i)^{-1} H_2(D_i)\right)^d \equiv s_i^{-1}\eta_i^{-1}(\tau_i) \pmod n. \quad (18)$$
Via $\mathcal{A}$ querying the signing oracle $\mathcal{O}_S$ for $\ell$ times (i.e., $\mathcal{S}$ queries $\mathcal{O}_{\mathrm{inv}}$ for $\ell$ times), $\mathcal{S}$ can output $\ell+1$ RSA-inversion instances
$$\left(s_1^{-1}\eta_1^{-1}(\tau_1),\, y_1\right), \left(s_2^{-1}\eta_2^{-1}(\tau_2),\, y_2\right), \ldots, \left(s_{\ell+1}^{-1}\eta_{\ell+1}^{-1}(\tau_{\ell+1}),\, y_{\ell+1}\right) \quad (19)$$
and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
Simulation in FG-2. Initially, $\mathcal{S}$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially, every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
  (a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\rho_i$ and returns it to $\mathcal{A}$;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \ne \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma$ and returns $(\varsigma^e \bmod n)$ to $\mathcal{A}$;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ selects a random $\varsigma \in \mathbb{Z}_n$, returns $(\varsigma^e \bmod n)$ to $\mathcal{A}$, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
  (d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
  (b) otherwise, $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ will be retrieved and returned to $\mathcal{A}$;
  (b) otherwise, $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e y \bmod n)$, record $((\sigma, D), \eta, H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$, and return $H_3(\sigma, D)$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. Let $\ell_{D_i}$ be a counter to record the number of queries on each expiration date $D_i$, which is initialized to 0. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
  (1) decrypt $\epsilon$, obtain $(k, \mathrm{ID})$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^e \bmod n)$, and store $((\sigma, D), \perp, (\alpha\eta^e \bmod n))$ and $(\sigma, D)$ in $\mathcal{L}_{H_3}$ and $\mathcal{L}_x$, respectively;
  (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha\eta^e)^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
  (6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv \left((b\eta)^{-1}\tau\right) \pmod n$;
  (7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Eventually, assume that $\mathcal{A}$ can successfully output $\ell_{D'}+1$ e-cash tuples for some expiration date $D'$,
$$(s_1, m_1, \sigma_1, D'), \ldots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D'), \quad (20)$$
such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D') = H_2(D') \pmod n$, $\forall i$, $1 \le i \le \ell_{D'}+1$, after $\ell_{D'}$ times to query $\mathcal{O}_S$ on $D'$, with nonnegligible probability $\epsilon_{\mathcal{A}}$.

Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'}+1$, is not recorded in $\mathcal{L}_x$; then, by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve
$$(s_i)^e \equiv \left(H_1^2(m_i)\, H_3(\sigma_i, D')\right)^{-1} H_2(D') \equiv \left((\varsigma_i^e)(\eta_i^e y)\right)^{-1}(\tau_i^e) \pmod n,$$
$$x \equiv y^d \equiv (s_i \varsigma_i \eta_i)^{-1} \tau_i \pmod n, \quad (21)$$
and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
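The two extraction steps above, eq. (18) in the FG-1 simulation and eq. (21) in the FG-2 simulation, are pure modular arithmetic once the random oracles have been programmed, and it is easy to check them mechanically. The following Python block is an added illustration, not code from the paper or its authors: it uses a constructed toy RSA instance (primes $P$, $Q$ and exponent $E$ are assumptions chosen for the example and are far too small for real use), feeds the verification equation of Algorithms 1 and 2 the values the simulator $\mathcal{S}$ programs into its lists ($H_1^2(m_i) = y_i$, $H_2(D_i) = \tau_i^e$, $H_3(\sigma_i, D_i) = \eta_i^e$ for FG-1; $H_1^2(m_i) = \varsigma_i^e$, $H_3(\sigma_i, D') = \eta_i^e y$ for FG-2), and then recovers the $e$-th root exactly as (18) and (21) prescribe. The valid coin itself is produced with the private exponent $d$, standing in for the adversary's forgery, which the reductions themselves never use; the function names are this example's own.

```python
"""Toy walk-through of the reductions in Section 4.2: eq. (18) (FG-1) and
eq. (21) (FG-2).  Added illustration with constructed parameters: hash values
are *programmed* the way the simulator S does in the random oracle model, so
no real hash function appears, and the RSA modulus is a toy."""
import math
import random

# Constructed toy RSA instance (stands in for KeyGen in Algorithm 3).
P, Q = 10007, 10009            # small primes, illustration only
N = P * Q
E = 65537                      # public exponent; gcd(E, (P-1)(Q-1)) == 1
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # private exponent: known to O_inv / the forger,
                               # never used by the extraction functions below


def rand_unit(n):
    """Random element of Z_n^* (invertible modulo n)."""
    while True:
        x = random.randrange(2, n)
        if math.gcd(x, n) == 1:
            return x


def verify_coin(s, h1sq_m, h3_sigma_d, h2_d, e=E, n=N):
    """Verification equation of Algorithms 1 and 2, with the three hash
    values passed in as already-evaluated integers:
        s^e * H_1^2(m) * H_3(sigma, D) == H_2(D)  (mod n)."""
    return (pow(s, e, n) * h1sq_m * h3_sigma_d) % n == h2_d % n


def fg1_extract(s, eta, tau, n=N):
    """Eq. (18): with H_1^2(m_i) = y_i, H_3(sigma_i, D_i) = eta_i^e and
    H_2(D_i) = tau_i^e, a valid coin gives y_i^d = s_i^-1 * eta_i^-1 * tau_i."""
    return (pow(s, -1, n) * pow(eta, -1, n) * tau) % n


def fg2_extract(s, varsigma, eta, tau, n=N):
    """Eq. (21): with H_1^2(m_i) = varsigma_i^e, H_3(sigma_i, D') = eta_i^e * y
    and H_2(D') = tau_i^e, a valid coin gives y^d = (s_i varsigma_i eta_i)^-1 tau_i."""
    return (pow(s * varsigma * eta, -1, n) * tau) % n


def fg1_round(y, n=N, e=E, d=D):
    """One FG-1 instance: S programs the oracles around the target y that
    O_t handed out, a coin valid under those values is produced (here with
    d, standing in for A's forgery), and S recovers an e-th root of y."""
    eta, tau = rand_unit(n), rand_unit(n)
    h1sq, h3, h2 = y % n, pow(eta, e, n), pow(tau, e, n)
    s = pow(pow(h1sq * h3, -1, n) * h2, d, n)      # s^e * h1sq * h3 == h2
    assert verify_coin(s, h1sq, h3, h2, e, n)
    x = fg1_extract(s, eta, tau, n)
    return pow(x, e, n) == y % n                    # x^e == y, i.e. x = y^d


def fg2_round(y, n=N, e=E, d=D):
    """One FG-2 instance: the RSA-inversion challenge y is embedded in
    H_3(sigma_i, D') = eta_i^e * y; a valid coin on that pair yields y^d."""
    varsigma, eta, tau = rand_unit(n), rand_unit(n), rand_unit(n)
    h1sq = pow(varsigma, e, n)
    h3 = (pow(eta, e, n) * y) % n
    h2 = pow(tau, e, n)
    s = pow(pow(h1sq * h3, -1, n) * h2, d, n)
    assert verify_coin(s, h1sq, h3, h2, e, n)
    x = fg2_extract(s, varsigma, eta, tau, n)
    return pow(x, e, n) == y % n


def run_demo(trials=5, seed=1):
    """Run both reductions on fresh random targets; returns (ok_fg1, ok_fg2)."""
    random.seed(seed)
    ok1 = all(fg1_round(rand_unit(N)) for _ in range(trials))
    ok2 = all(fg2_round(rand_unit(N)) for _ in range(trials))
    return ok1, ok2


if __name__ == "__main__":
    print(run_demo())   # (True, True)
```

The point the block makes concrete is that neither `fg1_extract` nor `fg2_extract` touches `D`: every quantity they use ($s_i$, $\eta_i$, $\tau_i$, $\varsigma_i$) is either part of the forged coin or a value $\mathcal{S}$ chose itself when programming the oracles, so a forger handing $\mathcal{S}$ one more valid coin than it paid for with signing queries is exactly what yields an RSA inversion.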
4.3. E-Cash Conditional-Traceability. In this section, we will prove that the ID information embedded in e-cash(s) cannot be replaced or removed by any user in order to avoid being traced after some misbehavior or crime. The details of our proof model are illustrated in Figure 8.

Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS to record parameters from the queries of $\mathcal{A}$ and issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider Algorithm 4. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Figure 8: The proof model of TG (the interaction among $\mathcal{A}$, $\mathcal{S}$, $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$, $\mathcal{O}_S$, and the RSA-ACTI oracles $\mathcal{O}_{\mathrm{inv}}$ and $\mathcal{O}_t$; figure not reproduced).

Experiment $\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
  $\sigma_1, \ldots, \sigma_\ell \leftarrow \mathcal{O}_S$
  if the following two checks are true, return 1:
    (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$
    (ii) $s'^e H_1^2(m') H_3(\sigma', D') = H_2(D') \bmod n$
  else return 0

Algorithm 4
Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tampering game TG of Definition 10, then DAOECS satisfies E-Cash Traceability.
Definition 12 (Alternative Formulation of the RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb N$ be a security parameter and $\mathcal A$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal O_{\mathrm{inv}}$ and the target oracle $\mathcal O_t$. $\mathcal A$ is allowed to query $\mathcal O_t$ and $\mathcal O_{\mathrm{inv}}$ $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5.

Algorithm 5:
Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{\mathcal A}(k)$
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
  $(y_1, \ldots, y_{q_t}) \leftarrow \mathcal O_t(N, e, k)$
  $((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow \mathcal A^{\mathcal O_{\mathrm{inv}}, \mathcal O_t}(N, e, k)$
  if $x_i^{e} \equiv y_i \pmod N$ for all $i \in \{1, \ldots, q_t\}$, return 1
  else return 0

We say $\mathcal A$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{\mathcal A}(k) = 1]$ of $\mathcal A$ is nonnegligible.

Theorem 13. For a polynomial-time adversary $\mathcal A$ who can win the tampering game TG with nonnegligible probability, there exists another adversary $\mathcal S$ who can break the RSA-AKTI problem with nonnegligible probability.
Proof. $\mathcal S$ simulates the environment of DAOECS by controlling three hash oracles $\mathcal O_{H_1}$, $\mathcal O_{H_2}$, $\mathcal O_{H_3}$ to respond to hash queries, and an e-cash producing oracle $\mathcal O_S$ of DAOECS to respond to e-cash producing queries from $\mathcal A$, in the random oracle model. Eventually $\mathcal S$ will take advantage of $\mathcal A$'s capability to solve the RSA-AKTI problem. For consistency, $\mathcal S$ maintains three lists $\mathcal L_{H_1}$, $\mathcal L_{H_2}$ and $\mathcal L_{H_3}$ to record every response of $\mathcal O_{H_1}$, $\mathcal O_{H_2}$ and $\mathcal O_{H_3}$, respectively.

Besides, in the proof model $\mathcal S$ is allowed to query the oracles $\mathcal O_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal O_t$ of the RSA-AKTI problem defined in Definition 12 to help $\mathcal S$ produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.

Here we carry out the simulation for game TG to prove that DAOECS satisfies e-cash traceability. The details are described as follows.
(i) $H_1$ query of $\mathcal O_{H_1}$. Initially every blank record in $\mathcal L_{H_1}$ is represented as $(\perp, \perp, \perp)$. When $\mathcal A$ sends $m$ to query the hash value $H_1(m)$, $\mathcal S$ checks the list $\mathcal L_{H_1}$:
  (a) if $m = m_i$ for some $i$, then $\mathcal S$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal A$;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \ne \perp$ for some $i$, then $\mathcal S$ retrieves the corresponding $\xi_i$ and returns $(\xi_i^{e} \bmod n)$ to $\mathcal A$;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal S$ chooses $\xi \in_R \mathbb Z_n$, sets $H_1^2(m_i) = (\xi^{e} \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal A$, and replaces the original record $(m_i, H_1(m_i), \perp)$ with $(m_i, H_1(m_i), \xi)$ in $\mathcal L_{H_1}$;
  (d) otherwise $\mathcal S$ selects a random $\rho \in \mathbb Z_n$, sets $H_1(m) = \rho$, records $(m, H_1(m), \perp)$ in $\mathcal L_{H_1}$ and returns $\rho$ to $\mathcal A$.
Here $H_1^2(m) = H_1(H_1(m))$, so $\mathcal S$ always knows an $e$-th root $\xi_i$ of $H_1^2(m_i)$.

(ii) $H_2$ query of $\mathcal O_{H_2}$. When $\mathcal A$ asks an $H_2$ query by sending $D$ to $\mathcal S$, $\mathcal S$ looks up the list $\mathcal L_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ is retrieved and $\mathcal S$ sends $(\tau^{e} \bmod n)$ back to $\mathcal A$;
  (b) otherwise $\mathcal S$ selects a random $\tau \in \mathbb Z_n$, records $(D, \tau)$ in $\mathcal L_{H_2}$ and returns $(\tau^{e} \bmod n)$ to $\mathcal A$.

(iii) $H_3$ query of $\mathcal O_{H_3}$. When $\mathcal A$ sends $(\sigma, D)$ to $\mathcal S$ for $H_3(\sigma, D)$, $\mathcal S$ looks up the list $\mathcal L_{H_3}$:
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ is retrieved and returned to $\mathcal A$;
  (b) otherwise $\mathcal S$ queries $\mathcal O_t$ to get an instance $y$ and records $y$ and $((\sigma, D), y)$ in $\mathcal L_T$ and $\mathcal L_{H_3}$, respectively;
  (c) return $y$ to $\mathcal A$.

(iv) E-cash producing query of $\mathcal O_S$. When $\mathcal A$ sends $(\alpha, \epsilon, D)$ to $\mathcal S$, $\mathcal S$ does the following:
  (1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
  (3) choose $\eta \in_R \mathbb Z_n$, set $H_3(\sigma, D) = (\alpha\eta^{e} \bmod n)$ and store $((\sigma, D), H_3(\sigma, D))$ in $\mathcal L_{H_3}$;
  (4) select $b \in_R \mathbb Z_n^*$ and compute $\beta = (b^{e}\alpha\eta^{e})^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = \tau^{e}$, as in the $\mathcal O_{H_2}$ query described above;
  (6) compute $t \equiv (\alpha\beta\tau^{e})^{d} \equiv (b\eta)^{-1}\tau \pmod n$;
  (7) return $(t, E_k(b, \sigma, r_j))$ to $\mathcal A$.
Note that step (6) needs no call to $\mathcal O_{\mathrm{inv}}$: since $\alpha\beta\tau^{e} \equiv (b\eta)^{-e}\tau^{e} \pmod n$, its $e$-th root $(b\eta)^{-1}\tau$ is known to $\mathcal S$.
Assume that $\mathcal A$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appeared as part of any $\mathcal O_S$ query, such that
$$s'^{e} H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n.$$
Then, by $\mathcal L_{H_1}$, $\mathcal L_{H_2}$ and $\mathcal L_{H_3}$ (which give $H_1^2(m') = \xi'^{e}$, $H_2(D') = \tau'^{e}$, and $H_3(\sigma', D') = y'$ for a target $y'$ returned by $\mathcal O_t$, since $\sigma'$ was never programmed by $\mathcal O_S$), $\mathcal S$ can derive
$$(y')^{d} \equiv \big(H_3(\sigma', D')\big)^{d} \equiv s'^{-1}\big(H_1^2(m')^{-1} H_2(D')\big)^{d} \equiv s'^{-1}\,\xi'^{-1}\,\tau' \pmod n. \tag{22}$$
Let $|\mathcal L_T| = q_t$ and $\mathcal L_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal S$ sends each $y_i \in (\mathcal L_T - \{y'\})$, $1 \le i \le q_t - 1$, to $\mathcal O_{\mathrm{inv}}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^{d} \bmod n$. Eventually $\mathcal S$ can output the $q_t$ RSA-inversion instances
$$\big((x_1, y_1), (x_2, y_2), \ldots, (x_{q_t-1}, y_{q_t-1}), ((s'^{-1}\xi'^{-1}\tau'), y')\big) \tag{23}$$
after querying $\mathcal O_{\mathrm{inv}}$ $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal A}$.
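As an added illustration (not code from the paper), the following Python script plays both sides of the simulation above on a toy RSA key. It answers an $\mathcal O_S$ query without knowing $d$ by programming $H_3(\sigma, D) = \alpha\eta^{e}$ as in step (3), checks that the returned $t$ satisfies the relation $t^{e} \equiv \alpha\beta\tau^{e}$ that a genuine bank answer satisfies, and then applies the extraction of equation (22) to a constructed forgery on a fresh target $y'$, confirming that $s'^{-1}\xi'^{-1}\tau'$ is an $e$-th root of $y'$. The primes, the hash preimages $\xi, \tau$ and the forgery are all constructed inline and far too small for real use; the forgery is built with the secret exponent only so that the test has a valid input, standing in for the adversary $\mathcal A$.

```python
"""Toy walk-through of the Theorem 13 simulation and extraction.

Added example, not code from the paper. RSA key, hash values and the
forgery are constructed inline; the 40-bit modulus is for illustration only.
"""
import secrets
from math import gcd

# Toy RSA key (assumption: two small primes; never use such sizes in practice).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # the simulator S does NOT get to use D


def rand_unit(n: int) -> int:
    """Random element of Z_n^* (so every inverse taken below exists)."""
    while True:
        x = secrets.randbelow(n - 2) + 2
        if gcd(x, n) == 1:
            return x


def simulate_os_query(alpha: int, tau: int):
    """Answer an O_S query (alpha, eps, D) the way S does in the proof.

    S programs H_3(sigma, D) = alpha * eta^e and picks b in Z_n^*, so the
    blinded signature t = (alpha * beta * tau^e)^d of step (6) equals
    (b * eta)^{-1} * tau and is computable without d (tau^e = H_2(D)).
    Returns (programmed H_3 value, beta, t).
    """
    eta = rand_unit(N)
    b = rand_unit(N)
    h3 = alpha * pow(eta, E, N) % N
    beta = pow(pow(b, E, N) * alpha % N * pow(eta, E, N) % N, -1, N)
    t = pow(b * eta % N, -1, N) * tau % N
    return h3, beta, t


def check_os_answer(alpha: int, tau: int, beta: int, t: int) -> bool:
    """Relation a genuine bank answer satisfies: t^e == alpha*beta*tau^e (mod n)."""
    return pow(t, E, N) == alpha * beta % N * pow(tau, E, N) % N


def verify_ecash(s: int, h1sq_m: int, h3: int, h2_d: int) -> bool:
    """Check (ii) of Algorithm 4 with the hash outputs passed in:
    s^e * H_1^2(m) * H_3(sigma, D) == H_2(D) (mod n)."""
    return pow(s, E, N) * h1sq_m % N * h3 % N == h2_d


def extract_target_root(s: int, xi: int, tau: int) -> int:
    """Equation (22): with H_1^2(m') = xi^e, H_2(D') = tau^e and H_3 = y',
    a valid forgery gives y'^d = s'^{-1} * xi^{-1} * tau (mod n)."""
    return pow(s, -1, N) * pow(xi, -1, N) % N * tau % N


def forge_for_test(xi: int, tau: int, y_target: int) -> int:
    """Build a valid e-cash on target y' using D. Only the test harness does
    this; it stands in for the adversary A whose forgery S cannot produce."""
    needed_s_e = pow(tau, E, N) * pow(pow(xi, E, N) * y_target % N, -1, N) % N
    return pow(needed_s_e, D, N)


def demo() -> bool:
    """One simulated O_S query and one extraction; True if both check out."""
    alpha, tau = rand_unit(N), rand_unit(N)
    h3, beta, t = simulate_os_query(alpha, tau)
    ok_sim = check_os_answer(alpha, tau, beta, t)

    xi, tau2, y_target = rand_unit(N), rand_unit(N), rand_unit(N)
    s_forged = forge_for_test(xi, tau2, y_target)
    ok_forgery = verify_ecash(s_forged, pow(xi, E, N), y_target, pow(tau2, E, N))
    root = extract_target_root(s_forged, xi, tau2)
    # S now holds the e-th root of target y' without asking O_inv for it;
    # with the q_t - 1 O_inv answers this is the RSA-AKTI solution (23).
    return ok_sim and ok_forgery and pow(root, E, N) == y_target


if __name__ == "__main__":
    print("simulation and extraction consistent:", demo())
```

The point of `simulate_os_query` is that $\mathcal S$ never touches $d$: the programmed $H_3$ cancels $\alpha$, and the remaining factor $(b\eta)^{-e}\tau^{e}$ has a root $\mathcal S$ chose itself. Every $e$-th root $\mathcal S$ does not choose comes from $\mathcal O_t$, which is exactly why one forgery yields one more inversion than $\mathcal S$ asked $\mathcal O_{\mathrm{inv}}$ for.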
4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has been spent in a previous transaction, another spending is detected immediately by the double-spending check procedure. In an offline e-cash model, however, the merchant may accept a transaction involving a double-spent e-cash first and do the double-spending check later. In this case the original owner of the e-cash may suffer a loss. Therefore a secure offline e-cash scheme should guarantee the following two properties:

(i) no one except the real owner can spend a fresh and valid offline e-cash successfully;
(ii) no one can double spend an e-cash successfully.

Together these are referred to as the e-cash no-swindling property. In this section we define the no-swindling property and formally prove that our scheme is secure against swindling attacks.
Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb N$ be a security parameter and $\mathcal A$ be an adversary in DAOECS. $\mathcal O_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal A$. $\mathcal O_{\mathrm{off}}$ is an oracle that shows the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively.

$\mathcal A$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal A}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal A}(l_k) = 1]$ of $\mathcal A$ is nonnegligible.
Algorithm 6 (Experiment SWG-1):
Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal A}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal A^{\mathcal O_B, \mathcal O_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\, H_1^2\big(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\big)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ was never queried to $\mathcal O_{\mathrm{off}}$
  else return 0

Algorithm 7 (Experiment SWG-2):
Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal A}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal A^{\mathcal O_B, \mathcal O_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\, H_1^2\big(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\big)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal O_{\mathrm{off}}$ once
    (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ was not obtained from $\mathcal O_{\mathrm{off}}$
  else return 0
Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $\mathcal A$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal S$ who can solve the discrete logarithm problem with nonnegligible probability.
Proof. Consider the swindling game defined in Definition 14. $\mathcal S$ simulates the environment by controlling the hash oracle $\mathcal O_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually $\mathcal S$ will take advantage of $\mathcal A$'s capability to solve the discrete logarithm problem. For consistency, $\mathcal S$ maintains a list $\mathcal L_{H_4}$ to record every response of $\mathcal O_{H_4}$. $\mathcal S$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we describe the simulations for the two experiments $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal A}$ and $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal A}$ individually.
The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal A}$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $\mathcal O_B$. Initially $\mathcal S$ guesses that the generic e-cash produced by the $\nu$-th query will be the attack target. When $\mathcal A$ sends the $i$-th query to $\mathcal O_B$ for an e-cash, $\mathcal O_B$ does the following:
  (a) select $r_1, x_1, r_3 \in_R \mathbb Z_q$ and $y_2, w_2 \in_R \mathbb Z_p$;
  (b) if $i = \nu$: compute $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
  (c) if $i \ne \nu$: compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
  (d) prepare $s = \big((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
  (e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $\mathcal L_B$ and return $(s, m, \sigma, D)$ to $\mathcal A$.

(ii) Oracle $\mathcal O_{\mathrm{off}}$. When $\mathcal A$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal O_{\mathrm{off}}$, it looks up the list $\mathcal L_B$:
  (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
  (b) otherwise $\mathcal O_{\mathrm{off}}$ retrieves the corresponding $(r_1, x_1)$, chooses a random $r_u$, computes $u = H_4(r_u, r_s)$ and $s' = r_1 - u x_1 \bmod q$, and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal A$.
Assume that $\mathcal A$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $\mathcal L_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*} \bmod p$, $\mathcal S$ can derive
$$x^* = (r_1^*)^{-1}\big(x_1^*\, H_4(r_u^*, r_s^*) + s'^*\big) \bmod q \tag{24}$$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal O_B})\,\epsilon_{\mathcal A}$, where $q_{\mathcal O_B}$ is the total number of $\mathcal O_B$ queries.

[Figure 9: The proof model of SWG-1. $\mathcal A$ sends request $i$ to $\mathcal O_B$, which for $i = \nu$ sets $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$ and returns $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$; $\mathcal O_{\mathrm{off}}$ expands $(s, \ldots, D, r_s)$ to $(s, \ldots, D, r_s, r_u, s')$. The swindle output $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_s^*, r_u^*, s'^*)$ satisfies $s^{*e_b} H_1^2(w_1^*, y_1^*, w_2^*, y_2^*, D^*, r_3^*) H_3(\sigma^*, D^*) \equiv H_2(D^*) \pmod{n_b}$ and $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$; combined with $w_1^* = (y^*)^{r_1^*} \bmod p$ this gives $x^* = (r_1^*)^{-1}(x_1^* H_4(r_u^*, r_s^*) + s'^*) \bmod q$.]
The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal A}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $\mathcal O_B$. Initially $\mathcal S$ guesses that the generic e-cash produced by the $\nu$-th query will be the attack target. When $\mathcal A$ sends the $i$-th query to $\mathcal O_B$ for an e-cash, $\mathcal O_B$ does the following:
  (a) if $i = \nu$:
    (1) select $s', u, x_1, r_3 \in_R \mathbb Z_q$ and $y_2, w_2 \in_R \mathbb Z_p$;
    (2) compute $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$;
    (3) prepare $s = \big((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
    (4) record $(i, (s, m, \sigma, D), (u, s'))$ in the list $\mathcal L_B$;
  (b) if $i \ne \nu$:
    (1) select $r_1, x_1, r_3 \in_R \mathbb Z_q$ and $y_2, w_2 \in_R \mathbb Z_p$;
    (2) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
    (3) prepare $s = \big((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
    (4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $\mathcal L_B$;
  (c) return $(s, m, \sigma, D)$ to $\mathcal A$.

(ii) Oracle $\mathcal O_{\mathrm{off}}$. A status parameter $\mathrm{sta}$ is initialised to 0. When $\mathcal A$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal O_{\mathrm{off}}$, it looks up the list $\mathcal L_B$:
  (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and $\mathrm{sta} = 0$, $\mathcal O_{\mathrm{off}}$ performs the following:
    (1) set $\mathrm{sta} = 1$;
    (2) retrieve the corresponding $(u, s')$ from $\mathcal L_B$ and choose a random $r_u$;
    (3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $\mathcal L_H$;
    (4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in the list $\mathcal L_{\mathrm{off}}$;
    (5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal A$;
  (b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\ne \nu$, $\mathcal O_{\mathrm{off}}$ retrieves the corresponding $(r_1, x_1)$, chooses random $r_u$ and $u$, sets $H_4(r_u, r_s) = u$, records $((r_u, r_s), u)$ in $\mathcal L_H$, computes $s' = r_1 - u x_1 \bmod q$, and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal A$;
  (c) otherwise abort.

(iii) Oracle $\mathcal O_{H_4}$. When $\mathcal A$ sends $(r_u, r_s)$ to query $H_4(r_u, r_s)$, $\mathcal O_{H_4}$ checks the list $\mathcal L_H$:
  (a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal O_{H_4}$ retrieves the corresponding $u$ and returns it to $\mathcal A$;
  (b) otherwise $\mathcal O_{H_4}$ chooses a random $u$, records $((r_u, r_s), u)$ in $\mathcal L_H$, and returns $u$ to $\mathcal A$.

[Figure 10: The proof model of SWG-2. $\mathcal O_B$ sets, for $i = \nu$, $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$; $\mathcal O_{\mathrm{off}}$ (guarded by $\mathrm{sta}$) programs $H_4(r_u, r_s) = u$, stores it in $\mathcal L_H$, records the expansion in $\mathcal L_{\mathrm{off}}$ and returns $(s, \ldots, D, r_s, r_u, s')$; $\mathcal O_{H_4}$ answers from $\mathcal L_H$. The swindle output $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_s^*, r_u^*, s'^*)$ satisfies $s^{*e_b} H_1^2(w_1^*, y_1^*, w_2^*, y_2^*, D^*, r_3^*) H_3(\sigma^*, D^*) \equiv H_2(D^*) \pmod{n_b}$ and $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$; since also $w_1^* \equiv (y^{* x_1^*})^{u} g^{s'} \pmod p$, $\mathcal S$ obtains $x^* = (x_1^*(u^* - u))^{-1}(s' - s'^*) \bmod q$.]
Assume that $\mathcal A$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $\mathcal L_B$, and let $u^* = H_4(r_u^*, r_s^*)$ as recorded in $\mathcal L_H$. Here $u^* \ne u$ except with negligible probability: check (iii) requires the output tuple to differ from the one obtained from $\mathcal O_{\mathrm{off}}$, and $u^* = u$ would force $g^{s'^*} = g^{s'}$, i.e. $s'^* = s'$, leaving only a collision of the random oracle $H_4$ on different nonces. Then, via $\mathcal L_H$, since
$$\big(y^{* x_1^*}\big)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \big(y^{* x_1^*}\big)^{u} g^{s'} \pmod p, \tag{25}$$
$\mathcal S$ can derive
$$x^* = \big(x_1^*\,(u^* - u)\big)^{-1}\,(s' - s'^*) \bmod q \tag{26}$$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal O_B})\,\epsilon_{\mathcal A}$, where $q_{\mathcal O_B}$ is the total number of $\mathcal O_B$ queries.

Summarising the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. It follows that there exists no ppt adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
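As an added illustration, not code from the paper, the following Python script carries the ownership proof underlying Section 4.4 and the SWG-2 extraction through on a toy Schnorr-type group. The owner of an e-cash holds $x_1$ and $r_1$ with $y_1 = g^{x_1}$ and $w_1 = g^{r_1}$ (the values the simulators above embed in the $\nu$-th coin); to spend, it answers the merchant's nonce $r_s$ with $(r_u, s')$ where $u = H_4(r_u, r_s)$ and $s' = r_1 - u x_1 \bmod q$, and the merchant checks $w_1 = y_1^{u} g^{s'}$, which is what check (i) of Algorithms 6 and 7 feeds into $H_1^2$. Two accepted answers for the same coin with $u \ne u^*$ give away $x_1$ by exactly the quotient of equation (26), which is why a double-spender's secret is exposed and why a non-owner, lacking $x_1$ and $r_1$, cannot produce a fresh answer. The group $(p, q, g)$, the merchant nonces and the modelling of $H_4$ as SHA-256 reduced mod $q$ are assumptions of this example.

```python
"""Toy Schnorr-style ownership proof and the double-spend extraction of (26).

Added example, not the paper's code. Group parameters and H_4 are
constructed for illustration; p and q are far too small for real use.
"""
import hashlib
import secrets

# Assumed toy group: q = 1019 and p = 2q + 1 = 2039 are prime, g = 4 has order q.
P, Q, G = 2039, 1019, 4


def h4(r_u: int, r_s: int) -> int:
    """H_4 modelled as SHA-256 over both nonces, reduced mod q."""
    digest = hashlib.sha256(f"{r_u}|{r_s}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def keygen():
    """Owner secret x_1 and the public y_1 = g^{x_1} embedded in the e-cash."""
    x1 = secrets.randbelow(Q - 1) + 1
    return x1, pow(G, x1, P)


def commit():
    """Per-coin secret r_1 and the commitment w_1 = g^{r_1} that the bank signs."""
    r1 = secrets.randbelow(Q - 1) + 1
    return r1, pow(G, r1, P)


def spend(x1: int, r1: int, r_s: int):
    """Owner's answer to merchant nonce r_s: u = H_4(r_u, r_s), s' = r_1 - u*x_1 mod q."""
    r_u = secrets.randbelow(Q)
    u = h4(r_u, r_s)
    return r_u, (r1 - u * x1) % Q


def verify_spend(y1: int, w1: int, r_u: int, r_s: int, s_prime: int) -> bool:
    """Merchant check: w_1 == y_1^{H_4(r_u, r_s)} * g^{s'} (mod p)."""
    u = h4(r_u, r_s)
    return w1 == pow(y1, u, P) * pow(G, s_prime, P) % P


def extract_secret(u: int, s_prime: int, u_star: int, s_prime_star: int) -> int:
    """Two accepted answers for one w_1 with u != u*:
    g^{s'} y_1^{u} == g^{s'*} y_1^{u*}  =>  x_1 = (s' - s'*) (u* - u)^{-1} mod q.
    In the SWG-2 reduction y_1 = (y*)^{x_1}, so dividing this by x_1 gives the
    discrete logarithm x* of equation (26)."""
    return (s_prime - s_prime_star) * pow((u_star - u) % Q, -1, Q) % Q


def demo() -> bool:
    """Honest spend verifies; a second spend of the same coin leaks x_1."""
    x1, y1 = keygen()
    r1, w1 = commit()
    r_u, s_p = spend(x1, r1, 17)            # merchant nonce 17 (constructed)
    if not verify_spend(y1, w1, r_u, 17, s_p):
        return False
    # Double spend against a second merchant; retry only if H_4 collides.
    while True:
        r_u2, s_p2 = spend(x1, r1, 99)      # merchant nonce 99 (constructed)
        if h4(r_u2, 99) != h4(r_u, 17):
            break
    if not verify_spend(y1, w1, r_u2, 99, s_p2):
        return False
    return extract_secret(h4(r_u, 17), s_p, h4(r_u2, 99), s_p2) == x1


if __name__ == "__main__":
    print("double spend exposes x_1:", demo())
```

`extract_secret` is the only step the bank needs at deposit time: given two deposits of the same $(w_1, y_1)$ with different merchant nonces, it recovers $x_1$ with one modular inversion, without any interaction with the spender.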
5. E-Cash Advanced Features and Performance Comparisons

In this section we compare the e-cash features and performance of our proposed scheme with the schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyse the features and performance of these schemes and summarise the results in Table 1.

5.1. Features Comparisons. All the schemes mentioned above fulfil the basic security requirements stated in Section 1, namely anonymity, unlinkability, unforgeability and no double-spending. Beyond these, the literature discusses further advanced features of e-cash systems. We focus on three of them, traceability, date attachability and no-swindling, and compare the proposed scheme with the aforementioned schemes on each.

We also propose an e-cash renewal protocol that lets users exchange their unused but expired e-cash(s) for a new valid e-cash, so that users do not have to deposit an e-cash before it expires and withdraw a new one afterwards. Our e-cash renewal protocol reduces the computation cost at the user side by 49.5% compared with running the withdrawal and deposit protocols, i.e. almost half of the effort of obtaining a new e-cash. This is a substantial help to users, whose devices, such as smart phones, usually have weaker computation capability.
Table 1: Advanced features and performance comparisons.

Feature / cost               Ours    [38]    [14]    [15]    [9]     [21]    [22]    [39]    [40]    [13]    [27]
On/off-line                  Off     Off     Off     Off     On      Off     Off     Off     Off     On      Off
Conditional-traceability     Yes     Yes     No      Yes     No      Yes     Yes     Yes     Yes     Yes     No
Date attachability           Yes     No      No      No      Yes     Yes     No      No      No      No      Yes
No-swindling                 Yes     No      No      No      —       No      Yes     No      No      —       No
Renewal protocol             Yes     —       Yes     —       No      Yes     Yes     —       —       —       Yes
Formal proof                 Yes     Yes     No      Yes     No      No      Yes     Yes     Yes     Yes     No
Communication cost (bytes)†  1092    576     1288    939     769     644     300     828     968     1536    728

Transaction cost⋆ (operation counts and their equivalent in modular multiplications):
  Ours: 5E + 7M + 7H + 1 inv + 1A ≈ 1454M
  [38]: 14E + 14M + 1H + 5A ≈ 3375M
  [14]: 6E + 8M ≈ 1448M
  [15]: 23E + 14M + 1A ≈ 5534M
  [9]:  2E + 2M + 2H ≈ 966M
  [21]: 5E + 9M + 1H + 1 inv + 2A ≈ 1450M
  [22]: 2E ≈ 480M
  [39]: 18E + 15M + 2H + 8A ≈ 4337M
  [40]: 31E + 22M + 6H + 10A ≈ 7468M
  [13]: 22E + 11M + 4A ≈ 5291M
  [27]: 6E + 8M + 1H ≈ 1449M

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
† The communication cost of each transaction at the user side, in bytes.
5.2. Performance Comparisons. According to [41], the computation cost of all operations can be summarised as follows. A modular exponentiation costs about 240 times a modular multiplication, a modular inversion costs almost the same as a modular exponentiation, and a hash operation costs almost the same as a modular multiplication.

Under these assumptions, the total computation cost of a user during the withdrawal and payment phases of our proposed scheme is about 1454 modular multiplications (5E + 7M + 7H + 1 inv, with the modular addition not counted, as in Table 1), while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291 and 1449 modular multiplications, respectively, to finish the withdrawal and payment phases at the user side.

Following [15], we assume that the RSA parameters $n$, $p$ and $q$ are 1024, 512 and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and the one-way hash function used in all protocols, so an encrypted block and a hash digest are 128 and 160 bits, respectively. We assume the expiration date takes 32 bits.

With the above assumptions we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending it, which is 1092 bytes per transaction.

The details of the comparisons are summarised in Table 1.
6. Conclusion

In this paper we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to each e-cash. We have also designed an e-cash renewal protocol with which users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with similar works, our scheme is efficient in terms of the user-side computation cost while satisfying all security properties simultaneously. In addition to anonymity, unlinkability, unforgeability and no double-spending, we formally prove that our scheme achieves conditional-traceability and no-swindling. Our scheme not only helps the bank to manage its huge database against unlimited growth but also strengthens the preservation of users' privacy and rights.
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was partially supported by the National ScienceCouncil of Taiwan under Grants NSC 102-2219-E-110-002
NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001) and Aim for the Top University Plan of the NationalSun Yat-sen University and Ministry of Education Taiwan
References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.
[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.
[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.
[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.
[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.
[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.
[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man, and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.
[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.
[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.
[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.
[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.
[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.
[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.
[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.
[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.
[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.
[18] S. Canard, A. Gouget, and J. Traoré, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.
[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology: CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.
[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.
[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.
[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.
[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.
[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.
[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.
[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.
[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology: CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.
[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.
[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.
[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.
[34] S. Bajikar, "Trusted platform module (TPM) based security on notebook PCs: white paper," Mobile Platform Group, Intel Corporation, 2002.
[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.
[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.
[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.
[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.
[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.
[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.
[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
The Scientific World Journal 9
Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $\{(s_i, m_i, \sigma_i, D^*)\}_{1 \le i \le \ell_{D^*}+1} \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s_i^{e_b}\, H_1^2(m_i)\, H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$ for all $i \in \{1, \dots, \ell_{D^*}+1\}$
        (ii) $m_1, \dots, m_{\ell_{D^*}+1}$ are all distinct
    else return 0
Algorithm 2: Experiment FG-2.
Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_{\mathcal{A}}(k)$
    $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
    $(y_1, \dots, y_m) \leftarrow \mathcal{O}_t(N, e, k)$
    $(\pi, (x_1, y_{\pi(1)}), \dots, (x_n, y_{\pi(n)})) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
    if the following checks are true, return 1:
        (i) $\pi: \{1, \dots, n\} \to \{1, \dots, m\}$ is injective
        (ii) $x_i^e \equiv y_{\pi(i)} \pmod N$ for all $i \in \{1, \dots, n\}$
        (iii) $n > q_h$
    else return 0
Algorithm 3: Experiment RSA-ACTI.
FG-2 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Here we introduce the hard problems used in our proof models.

Definition 6 (Alternative Formulation of the RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary that may access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ $m$ and $q_h$ times, respectively. Consider Algorithm 3. We say $\mathcal{A}$ breaks the RSA-ACTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible, that is, if $\mathcal{A}$ inverts strictly more targets than the number of inversion queries it made.

Definition 7 (The RSA Inversion Problem). Given $(e, n)$, where $n$ is the product of two distinct large primes $p$ and $q$ of roughly the same length and $e$ is a positive integer relatively prime to $(p-1)(q-1)$, and a randomly chosen positive integer $y < n$, find an integer $x$ such that $x^e \equiv y \pmod n$.

Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then DAOECS is secure against forgery attacks.

Theorem 9. For a polynomial-time adversary $\mathcal{A}$ who can win FG-1 or FG-2 with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-ACTI problem or the RSA inversion problem with nonnegligible probability.
Proof. $\mathcal{S}$ simulates the environment of DAOECS in the random oracle model: it controls three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ and an e-cash producing oracle $\mathcal{O}_S$ to answer the queries of $\mathcal{A}$, and it uses $\mathcal{A}$ to solve the RSA-ACTI problem or the RSA inversion problem. For consistency $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ that record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.

We now give the simulations for the two games FG-1 and FG-2 to prove that DAOECS is secure against forgery attacks. The details are set out below and illustrated in Figures 6 and 7, respectively.

Simulation in FG-1. In this proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d \bmod n$) and $\mathcal{O}_t$ of the RSA-ACTI problem defined in Definition 6 to help it produce e-cash; the corresponding verification key is $(e, n)$.

(i) $H_1$ query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ is $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ to obtain the hash value $H_1(m)$, $\mathcal{S}$ checks the list $\mathcal{L}_{H_1}$:
    (a) if $m = m_i$ for some $i$, $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
    (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$ (where $H_1^2(m_i) = H_1(H_1(m_i))$), $\mathcal{S}$ retrieves the corresponding $H_1^2(m_i)$ and returns it to $\mathcal{A}$;
    (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, $\mathcal{S}$ queries $\mathcal{O}_t$ to obtain a fresh target $y$, returns it to $\mathcal{A}$, and updates the record $(m_i, H_1(m_i), \perp)$ to $(m_i, H_1(m_i), y)$ in $\mathcal{L}_{H_1}$, so that $H_1^2(m_i)$ is an RSA-ACTI target;
    (d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ sends $D$ for $H_2(D)$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_2}$:
    (a) if $D = D_i$ for some $i$, the corresponding $\tau$ is retrieved and $\mathcal{S}$ sends $\tau^e \bmod n$ back to $\mathcal{A}$;
    (b) otherwise $\mathcal{S}$ selects a random $\tau \in \mathbb{Z}_n$, records $(D, \tau)$ in $\mathcal{L}_{H_2}$, and returns $\tau^e \bmod n$ to $\mathcal{A}$.

(iii) $H_3$ query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ for $H_3(\sigma, D)$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_3}$:
    (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ is retrieved and $\eta^e \bmod n$ is returned to $\mathcal{A}$;
    (b) otherwise $\mathcal{S}$ selects a random $\eta \in \mathbb{Z}_n$, records $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$, and returns $\eta^e \bmod n$ to $\mathcal{A}$.

(iv) E-cash producing query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ performs the following steps:
    (1) decrypt $\epsilon$ to obtain $(k, \mathrm{ID})$;
    (2) select $r_j$ at random and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
    (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = \eta^e \bmod n$, and store $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$;
    (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \eta^e)^{-1} \bmod n$;
    (5) retrieve or assign $\tau$ such that $H_2(D) = \tau^e$, as in the $\mathcal{O}_{H_2}$ query described above;
    (6) send $\alpha\beta\tau^e$ to the oracle $\mathcal{O}_{\mathrm{inv}}$ to obtain $t = (\alpha\beta\tau^e)^d \bmod n$;
    (7) return $(t, E_k(b, \sigma, r_j))$ to $\mathcal{A}$.
Each $\mathcal{O}_S$ query therefore costs $\mathcal{S}$ exactly one $\mathcal{O}_{\mathrm{inv}}$ query, which is what the counting argument below relies on.

Figure 6: The proof model of FG-1 (figure not reproduced).

Figure 7: The proof model of FG-2 (figure not reproduced).
Eventually, assume that $\mathcal{A}$ successfully outputs $\ell+1$ e-cash tuples
$$(s_1, m_1, \sigma_1, D_1), \dots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \qquad (17)$$
where the $m_i$ are all distinct, $1 \le i \le \ell+1$, such that $s_i^e\, H_1^2(m_i)\, H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod n$, after querying $\mathcal{O}_S$ $\ell$ times, with nonnegligible probability $\epsilon_{\mathcal{A}}$. Since the $m_i$ are distinct, the values $H_1(m_i)$ are distinct except with negligible probability, so the values $H_1^2(m_i) = y_i$ were answered by distinct targets from $\mathcal{O}_t$. According to $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve the RSA-inversion instances, for all $1 \le i \le \ell+1$,
$$(y_i)^d \equiv (H_1^2(m_i))^d \equiv s_i^{-1}\bigl(H_3(\sigma_i, D_i)^{-1}\, H_2(D_i)\bigr)^d \equiv s_i^{-1}\,\eta_i^{-1}\,\tau_i \pmod n. \qquad (18)$$
Since $\mathcal{A}$ queried the signing oracle $\mathcal{O}_S$ $\ell$ times (i.e., $\mathcal{S}$ queried $\mathcal{O}_{\mathrm{inv}}$ $\ell$ times), $\mathcal{S}$ outputs the $\ell+1$ RSA-inversion instances
$$(s_1^{-1}\eta_1^{-1}\tau_1,\ y_1),\ (s_2^{-1}\eta_2^{-1}\tau_2,\ y_2),\ \dots,\ (s_{\ell+1}^{-1}\eta_{\ell+1}^{-1}\tau_{\ell+1},\ y_{\ell+1}) \qquad (19)$$
and breaks the RSA-ACTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
Simulation in FG-2. Initially $\mathcal{S}$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.

(i) $H_1$ query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ is $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ to obtain the hash value $H_1(m)$, $\mathcal{S}$ checks the list $\mathcal{L}_{H_1}$:
    (a) if $m = m_i$ for some $i$, $\mathcal{S}$ retrieves the corresponding $\rho_i$ and returns it to $\mathcal{A}$;
    (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, $\mathcal{S}$ retrieves the corresponding $\varsigma_i$ and returns $\varsigma_i^e \bmod n$ to $\mathcal{A}$;
    (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, $\mathcal{S}$ selects a random $\varsigma \in \mathbb{Z}_n$, returns $\varsigma^e \bmod n$ to $\mathcal{A}$, and updates the record $(m_i, H_1(m_i), \perp)$ to $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
    (d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.
In this game $\mathcal{S}$ therefore knows an $e$th root $\varsigma_i$ of every value $H_1^2(m_i)$.

(ii) $H_2$ query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ sends $D$ for $H_2(D)$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_2}$:
    (a) if $D = D_i$ for some $i$, the corresponding $\tau$ is retrieved and $\mathcal{S}$ sends $\tau^e \bmod n$ back to $\mathcal{A}$;
    (b) otherwise $\mathcal{S}$ selects a random $\tau \in \mathbb{Z}_n$, records $(D, \tau)$ in $\mathcal{L}_{H_2}$, and returns $\tau^e \bmod n$ to $\mathcal{A}$.

(iii) $H_3$ query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ for $H_3(\sigma, D)$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_3}$:
    (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the recorded $H_3(\sigma_i, D_i)$ is retrieved and returned to $\mathcal{A}$;
    (b) otherwise $\mathcal{S}$ selects a random $\eta \in \mathbb{Z}_n$, sets $H_3(\sigma, D) = \eta^e\, y \bmod n$, records $((\sigma, D), \eta, H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$, and returns $H_3(\sigma, D)$ to $\mathcal{A}$.
The instance $y$ is thus embedded in every $H_3$ value that $\mathcal{A}$ obtains through a direct $H_3$ query.

(iv) E-cash producing query of $\mathcal{O}_S$. Let $\ell_{D_i}$ be a counter, initialized to 0, recording the number of queries on each expiration date $D_i$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ performs the following steps:
    (1) decrypt $\epsilon$ to obtain $(k, \mathrm{ID})$;
    (2) select $r_j$ at random and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
    (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = \alpha\eta^e \bmod n$, and store $((\sigma, D), \perp, \alpha\eta^e \bmod n)$ in $\mathcal{L}_{H_3}$ and $(\sigma, D)$ in $\mathcal{L}_x$;
    (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
    (5) retrieve or assign $\tau$ such that $H_2(D) = \tau^e$, as in the $\mathcal{O}_{H_2}$ query described above;
    (6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv (b\eta)^{-1}\tau \pmod n$; no inversion oracle is needed here because $\alpha\beta\tau^e = ((b\eta)^{-1}\tau)^e$;
    (7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ to $\mathcal{A}$.

Eventually, assume that $\mathcal{A}$ successfully outputs $\ell_{D'}+1$ e-cash tuples for some expiration date $D'$,
$$(s_1, m_1, \sigma_1, D'), \dots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D') \qquad (20)$$
such that $s_i^e\, H_1^2(m_i)\, H_3(\sigma_i, D') \equiv H_2(D') \pmod n$ for all $1 \le i \le \ell_{D'}+1$, after querying $\mathcal{O}_S$ $\ell_{D'}$ times on $D'$, with nonnegligible probability $\epsilon_{\mathcal{A}}$.

Assume that some $(\sigma_i, D')$, $1 \le i \le \ell_{D'}+1$, is not recorded in $\mathcal{L}_x$, i.e., $H_3(\sigma_i, D')$ was fixed by a direct $H_3$ query and has the form $\eta_i^e y$. Then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve
$$(s_i)^e \equiv \bigl(H_1^2(m_i)\, H_3(\sigma_i, D')\bigr)^{-1} H_2(D') \equiv \bigl((\varsigma_i^e)(\eta_i^e\, y)\bigr)^{-1}(\tau_i^e) \pmod n,$$
$$x \equiv y^d \equiv (s_i\,\varsigma_i\,\eta_i)^{-1}\,\tau_i \pmod n, \qquad (21)$$
and solves the RSA inversion problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
4.3. E-Cash Conditional-Traceability. In this section we prove that the ID information embedded in an e-cash cannot be replaced or removed by any user in order to escape tracing after misbehavior or a crime. The proof model is illustrated in Figure 8.

Figure 8: The proof model of TG (figure not reproduced).

Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle that plays the role of the bank in DAOECS: it records the parameters from the queries of $\mathcal{A}$ and issues e-cash $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$, accordingly. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ $\ell$ times. Consider Algorithm 4. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Experiment $\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
    $\{\sigma_1, \dots, \sigma_\ell\} \leftarrow \mathcal{O}_S$
    if the following two checks are true, return 1:
        (i) $\sigma' \notin \{\sigma_1, \dots, \sigma_\ell\}$
        (ii) $s'^{e}\, H_1^2(m')\, H_3(\sigma', D') \equiv H_2(D') \pmod n$
    else return 0
Algorithm 4: Experiment TG.

Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tampering game TG, then DAOECS satisfies e-cash traceability.

Definition 12 (Alternative Formulation of the RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary that may access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5. We say $\mathcal{A}$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{\mathcal{A}}(k)$
    $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
    $(y_1, \dots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$
    $((x_1, y_1), \dots, (x_{q_t}, y_{q_t})) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
    if $x_i^e \equiv y_i \pmod N$ for all $i \in \{1, \dots, q_t\}$, return 1
    else return 0
Algorithm 5: Experiment RSA-AKTI.

Theorem 13. For a polynomial-time adversary $\mathcal{A}$ who can win the tampering game TG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-AKTI problem with nonnegligible probability.

Proof. $\mathcal{S}$ simulates the environment of DAOECS in the random oracle model by controlling three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ to answer hash queries and an e-cash producing oracle $\mathcal{O}_S$ to answer e-cash producing queries from $\mathcal{A}$. Eventually $\mathcal{S}$ takes advantage of the capability of $\mathcal{A}$ to solve the RSA-AKTI problem. For consistency $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ that record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.
Besides, in this proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d \bmod n$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12 to help it produce valid e-cash; the corresponding verification key is $(e, n)$.

Here we give the simulation for the game TG to prove that DAOECS satisfies e-cash traceability. The details are as follows.

(i) $H_1$ query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ is $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ to obtain the hash value $H_1(m)$, $\mathcal{S}$ checks the list $\mathcal{L}_{H_1}$:
    (a) if $m = m_i$ for some $i$, $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
    (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, $\mathcal{S}$ retrieves the corresponding $\varsigma_i$ and returns $\varsigma_i^e \bmod n$ to $\mathcal{A}$;
    (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, $\mathcal{S}$ chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = \varsigma^e \bmod n$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and updates the original record $(m_i, H_1(m_i), \perp)$ to $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
    (d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ sends $D$ for $H_2(D)$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_2}$:
    (a) if $D = D_i$ for some $i$, the corresponding $\tau$ is retrieved and $\mathcal{S}$ sends $\tau^e \bmod n$ back to $\mathcal{A}$;
    (b) otherwise $\mathcal{S}$ selects a random $\tau \in \mathbb{Z}_n$, records $(D, \tau)$ in $\mathcal{L}_{H_2}$, and returns $\tau^e \bmod n$ to $\mathcal{A}$.

(iii) $H_3$ query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ for $H_3(\sigma, D)$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_3}$:
    (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding recorded value (a target $y_i$ when it was set by an $H_3$ query) is retrieved and returned to $\mathcal{A}$;
    (b) otherwise $\mathcal{S}$ queries $\mathcal{O}_t$ to obtain a fresh target $y$ and records $y$ in $\mathcal{L}_T$ and $((\sigma, D), y)$ in $\mathcal{L}_{H_3}$;
    (c) return $y$ to $\mathcal{A}$.

(iv) E-cash producing query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ performs the following steps:
    (1) decrypt $\epsilon$ to obtain $(k, \mathrm{ID})$;
    (2) select $r_j$ at random and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
    (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = \alpha\eta^e \bmod n$, and store $((\sigma, D), H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$;
    (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
    (5) retrieve or assign $\tau$ such that $H_2(D) = \tau^e$, as in the $\mathcal{O}_{H_2}$ query described above;
    (6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv (b\eta)^{-1}\tau \pmod n$, which needs no inversion query since $\alpha\beta\tau^e = ((b\eta)^{-1}\tau)^e$;
    (7) return $(t, E_k(b, \sigma, r_j))$ to $\mathcal{A}$.

Assume that $\mathcal{A}$ successfully outputs an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appeared as part of any $\mathcal{O}_S$ query, such that $s'^{e}\, H_1^2(m')\, H_3(\sigma', D') \equiv H_2(D') \pmod n$. Because $(\sigma', D')$ was never used by $\mathcal{O}_S$, the value $y' = H_3(\sigma', D')$ is a target obtained from $\mathcal{O}_t$, and by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can derive
$$(y')^d \equiv (H_3(\sigma', D'))^d \equiv s'^{-1}\bigl(H_1^2(m')^{-1}\, H_2(D')\bigr)^d \equiv s'^{-1}\,\varsigma'^{-1}\,\tau' \pmod n. \qquad (22)$$
Let $|\mathcal{L}_T| = q_t$ and $\mathcal{L}_T = \{y_1, \dots, y_{q_t}\}$. $\mathcal{S}$ sends each $y_i \in \mathcal{L}_T \setminus \{y'\}$, $1 \le i \le q_t - 1$, to $\mathcal{O}_{\mathrm{inv}}$ and obtains the $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$. Eventually $\mathcal{S}$ outputs the $q_t$ RSA-inversion instances
$$(x_1, y_1),\ (x_2, y_2),\ \dots,\ (x_{q_t-1}, y_{q_t-1}),\ (s'^{-1}\varsigma'^{-1}\tau',\ y') \qquad (23)$$
after querying $\mathcal{O}_{\mathrm{inv}}$ $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
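The three reductions above perform the same computation on different oracle programmings. The following Python example, added here and not part of the paper, implements the simulator's lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, $\mathcal{L}_{H_3}$ with $H_1^2(m) = \varsigma^e$, $H_2(D) = \tau^e$, and $H_3$ programmed either as $\eta^e y$ (FG-2) or as a fresh target $y_i$ (TG); it answers an e-cash producing query without the secret exponent as in step (6) of the FG-2 and TG simulations, and it extracts an $e$th root from a forged coin by equations (21) and (22). The RSA modulus, the `Simulator`, `forge` and `demo` names, and the string-valued messages and dates are constructed for the example; the forger uses the secret $d$ only because some party must produce a valid coin for the reduction to work on.

```python
"""Added example (not from the paper): random-oracle programming by the
simulator S and the RSA-inversion extraction of equations (21) and (22).

Constructed toy RSA parameters; far too small for real use."""
import math
import random

P, Q = 1009, 1013
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # bank's secret exponent; only forge() uses it


def rand_unit(rng):
    """Random invertible element of Z_N (stands in for Z_n^* in the proofs)."""
    while True:
        v = rng.randrange(2, N)
        if math.gcd(v, N) == 1:
            return v


class Simulator:
    """S without d.  mode='fg2': embed one RSA instance y into every direct
    H_3 answer as eta^e * y.  mode='tg': answer each fresh H_3 query with a
    fresh target y_i from O_t.  H_1^2(m) = varsigma^e and H_2(D) = tau^e in
    both modes, so S knows their e-th roots."""

    def __init__(self, mode, rng, y=None):
        self.mode, self.rng, self.y = mode, rng, y
        self.LH1, self.LH2, self.LH3, self.LT = {}, {}, {}, []

    def h1_sq(self, m):                       # H_1^2(m) = varsigma^e mod n
        if m not in self.LH1:
            self.LH1[m] = rand_unit(self.rng)
        return pow(self.LH1[m], E, N)

    def h2(self, date):                       # H_2(D) = tau^e mod n
        if date not in self.LH2:
            self.LH2[date] = rand_unit(self.rng)
        return pow(self.LH2[date], E, N)

    def h3(self, sigma, date):
        key = (sigma, date)
        if key not in self.LH3:
            if self.mode == "fg2":
                eta = rand_unit(self.rng)
                self.LH3[key] = (eta, pow(eta, E, N) * self.y % N)
            else:                             # TG: O_t hands out a fresh target
                y_i = rand_unit(self.rng)
                self.LT.append(y_i)
                self.LH3[key] = (None, y_i)
        return self.LH3[key][1]

    def issue(self, alpha, sigma, date):
        """O_S query: H_3(sigma, D) = alpha * eta^e, beta = (b^e alpha eta^e)^-1,
        t = (b eta)^-1 tau, which equals (alpha beta tau^e)^d without using d."""
        eta, b = rand_unit(self.rng), rand_unit(self.rng)
        self.LH3[(sigma, date)] = (eta, alpha * pow(eta, E, N) % N)
        beta = pow(pow(b, E, N) * alpha % N * pow(eta, E, N) % N, -1, N)
        if date not in self.LH2:
            self.LH2[date] = rand_unit(self.rng)
        t = pow(b * eta % N, -1, N) * self.LH2[date] % N
        return t, beta

    def verify(self, s, m, sigma, date):      # s^e H_1^2(m) H_3(sigma, D) == H_2(D)
        lhs = pow(s, E, N) * self.h1_sq(m) % N * self.h3(sigma, date) % N
        return lhs == self.h2(date)

    def extract(self, s, m, sigma, date):
        """Eq. (21) in fg2 mode: y^d = (s varsigma eta)^-1 tau.
        Eq. (22) in tg mode:  y'^d = s^-1 varsigma^-1 tau with y' = H_3(sigma, D).
        Returns (root, target) so the caller can check root^e == target."""
        if not self.verify(s, m, sigma, date):
            raise ValueError("not a valid coin")
        vs, tau = self.LH1[m], self.LH2[date]
        eta, h3 = self.LH3[(sigma, date)]
        if self.mode == "fg2":
            return pow(s * vs % N * eta % N, -1, N) * tau % N, self.y
        return pow(s * vs % N, -1, N) * tau % N, h3


def forge(sim, m, sigma, date):
    """Plays a successful A for the demo: uses the secret d to produce a coin
    satisfying the verification equation on a sigma never issued by O_S."""
    inv = pow(sim.h1_sq(m) * sim.h3(sigma, date) % N, -1, N)
    return pow(sim.h2(date) * inv % N, D, N)


def demo(mode):
    """Returns (issued coin consistent with (alpha beta tau^e)^d, extracted root valid)."""
    rng = random.Random(2014)
    y = rand_unit(rng)
    sim = Simulator(mode, rng, y if mode == "fg2" else None)
    alpha, date = rand_unit(rng), "2014-12-31"
    t, beta = sim.issue(alpha, "sigma_issued", date)
    tau_e = pow(sim.LH2[date], E, N)
    issued_ok = pow(t, E, N) == alpha * beta % N * tau_e % N
    s = forge(sim, "m_forged", "sigma_forged", date)
    root, target = sim.extract(s, "m_forged", "sigma_forged", date)
    return issued_ok, pow(root, E, N) == target
```

`demo("fg2")` and `demo("tg")` each return `(True, True)`: the simulated withdrawal satisfies $t^e \equiv \alpha\beta\tau^e$ although the simulator never used $d$, and the value extracted from the forged coin is an $e$th root of the embedded target. A coin whose $(\sigma, D)$ was fixed by `issue` (the set $\mathcal{L}_x$ of the FG-2 proof) carries no $y$ and would yield nothing, which is exactly why the proof assumes a forgery on a pair outside $\mathcal{L}_x$.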
4.4. E-Cash No-Swindling. In typical online e-cash transactions, once an e-cash has been spent, any further spending is detected immediately by the double-spending check. In an offline e-cash model, however, the merchant may accept a transaction involving a double-spent e-cash first and perform the double-spending check later, so the original owner of the e-cash may suffer a loss. A secure offline e-cash scheme should therefore guarantee the following two properties:
    (i) no one except the real owner can spend a fresh and valid offline e-cash successfully;
    (ii) no one can double-spend an e-cash successfully.
Together these are referred to as the e-cash no-swindling property. In this section we define the no-swindling property and formally prove that our scheme is secure against swindling attacks.

Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$ of DAOECS to $\mathcal{A}$. $\mathcal{O}_{\mathrm{off}}$ is an oracle that shows the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.
Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s^{e_b}\, H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, r_3, D\bigr)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$
        (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ was never queried to $\mathcal{O}_{\mathrm{off}}$
    else return 0
Algorithm 6: Experiment SWG-1.

Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s^{e_b}\, H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, r_3, D\bigr)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$
        (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{\mathrm{off}}$ once
        (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ was not obtained from $\mathcal{O}_{\mathrm{off}}$
    else return 0
Algorithm 7: Experiment SWG-2.

In check (i) the component $w_1$ of $m = (w_1, y_1, w_2, y_2, r_3, D)$ is recomputed from the payment response as $y_1^{H_4(r_u, r_s)} g^{s'} \bmod p$, so a response is accepted only if it is consistent with the commitment signed by the bank.
Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$ to answer hash queries on $H_4$ of DAOECS in the random oracle model, and eventually takes advantage of the capability of $\mathcal{A}$ to solve the discrete logarithm problem. For consistency $\mathcal{S}$ maintains a list $\mathcal{L}_{H_4}$ that records every response of $\mathcal{O}_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$ with $x^*$ unknown to $\mathcal{S}$). Here we describe the simulations for the two experiments $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ and $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ individually.
The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced by the $\nu$th query will be the attack target. When $\mathcal{A}$ sends the $i$th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ does the following:
    (a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
    (b) if $i = \nu$, compute $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
    (c) if $i \neq \nu$, compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
    (d) prepare $s = \bigl((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
    (e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $\mathcal{L}_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{\mathrm{off}}$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it looks up the list $\mathcal{L}_B$:
    (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, abort ($\mathcal{S}$ does not know the discrete logarithm of $w_1$ for the target coin, so it cannot answer);
    (b) otherwise $\mathcal{O}_{\mathrm{off}}$ retrieves the corresponding $(r_1, x_1)$, chooses a random $r_u$, computes $u = H_4(r_u, r_s)$ and $s' = r_1 - u x_1 \bmod q$, and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ successfully outputs a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$ where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $\mathcal{L}_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*} \bmod p$, i.e., $g^{x^* r_1^*} = g^{x_1^* H_4(r_u^*, r_s^*) + s'^*} \bmod p$, $\mathcal{S}$ can derive
$$x^* = (r_1^*)^{-1}\bigl(x_1^*\, H_4(r_u^*, r_s^*) + s'^*\bigr) \bmod q \qquad (24)$$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

Figure 9: The proof model of SWG-1 (figure not reproduced).
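As an added example (not the paper's code), the following Python block carries the no-swindling mechanics through with numbers: the honest payer's response $s' = r_1 - H_4(r_u, r_s)\,x_1 \bmod q$ that $\mathcal{O}_{\mathrm{off}}$ computes, the merchant-side check $w_1 = y_1^{H_4(r_u, r_s)} g^{s'} \bmod p$ from condition (i) of Algorithms 6 and 7, and the extraction of $x^*$ from an accepting response on the $\nu$th coin by equation (24). The group $(p, q, g)$, the SHA-256 instantiation of $H_4$, and the function names are constructed for the example; the adversary in `demo` is handed $x^*$ only so that it can produce the accepting response the reduction assumes.

```python
"""Added example (not from the paper): the spending response of the
no-swindling games and the discrete-log extraction of equation (24).

Constructed toy group: p = 2039 = 2q + 1 with q = 1019, and g = 4 (a
quadratic residue, hence of order q).  Real deployments need a group of
cryptographic size."""
import hashlib
import random

P_MOD, Q_ORD, G = 2039, 1019, 4


def h4(r_u, r_s):
    """Challenge u = H_4(r_u, r_s) as an element of Z_q (SHA-256, constructed)."""
    digest = hashlib.sha256(f"{r_u}|{r_s}".encode()).digest()
    return int.from_bytes(digest, "big") %  Q_ORD


def mint_coin_part(rng):
    """Honest user's commitment inside m: w_1 = g^r1, y_1 = g^x1 (mod p)."""
    r1, x1 = rng.randrange(1, Q_ORD), rng.randrange(1, Q_ORD)
    return (pow(G, r1, P_MOD), pow(G, x1, P_MOD)), (r1, x1)


def respond(secret, r_u, r_s):
    """O_off / honest payer: s' = r1 - u x1 (mod q) with u = H_4(r_u, r_s)."""
    r1, x1 = secret
    return (r1 - h4(r_u, r_s) * x1) % Q_ORD


def check_spend(w1, y1, r_u, r_s, s_prime):
    """Check (i) of Algorithms 6 and 7 on the w_1 component:
    w_1 == y_1^u * g^{s'} (mod p)."""
    u = h4(r_u, r_s)
    return w1 == pow(y1, u, P_MOD) * pow(G, s_prime, P_MOD) % P_MOD


def extract_dlog_swg1(r1_star, x1_star, r_u, r_s, s_prime):
    """Eq. (24): with w_1* = (y*)^{r1*} and y_1* = g^{x1*}, an accepting
    response gives x* = (r1*)^{-1} (x1* H_4(r_u, r_s) + s') mod q."""
    return pow(r1_star, -1, Q_ORD) * (x1_star * h4(r_u, r_s) + s_prime) % Q_ORD


def demo():
    """Returns (honest response accepted, tampered response accepted,
    forged response on the nu-th coin accepted, x* recovered by eq. (24))."""
    rng = random.Random(7)

    # honest spend: the merchant's check passes and an altered s' fails
    (w1, y1), secret = mint_coin_part(rng)
    r_s, r_u = rng.randrange(Q_ORD), rng.randrange(Q_ORD)
    s_prime = respond(secret, r_u, r_s)
    honest_ok = check_spend(w1, y1, r_u, r_s, s_prime)
    tampered_ok = check_spend(w1, y1, r_u, r_s, (s_prime + 1) % Q_ORD)

    # SWG-1 reduction: S embeds y* = g^{x*} into the nu-th coin as w_1 = (y*)^{r1}
    x_star = rng.randrange(1, Q_ORD)          # unknown to S; used only to play A
    y_star = pow(G, x_star, P_MOD)
    r1, x1 = rng.randrange(1, Q_ORD), rng.randrange(1, Q_ORD)
    w1_nu, y1_nu = pow(y_star, r1, P_MOD), pow(G, x1, P_MOD)
    # A, knowing x*, produces a response the merchant accepts: s' = x* r1 - u x1
    s_forged = (x_star * r1 - h4(r_u, r_s) * x1) % Q_ORD
    forged_ok = check_spend(w1_nu, y1_nu, r_u, r_s, s_forged)
    recovered = extract_dlog_swg1(r1, x1, r_u, r_s, s_forged)
    return honest_ok, tampered_ok, forged_ok, recovered == x_star
```

`demo()` returns `(True, False, True, True)`. The honest response verifies because $y_1^u g^{s'} = g^{x_1 u + r_1 - u x_1} = g^{r_1} = w_1$; changing $s'$ by one breaks the equality since $g$ has order $q > 1$; and on the $\nu$th coin, where $w_1 = (y^*)^{r_1} = g^{x^* r_1}$, any accepting response forces $x^* r_1 \equiv x_1 u + s' \pmod q$, which is exactly what equation (24) solves for.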
The simulation for ExpSWG-2A is illustrated in Figure 10 and
each oracle is constructed as follows
(i) Oracle $\mathcal{O}_B$
Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$th query will be the attack target. When $\mathcal{A}$ sends the $i$th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ does the following:
(a) if $i = \nu$:
 (1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
 (2) compute $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$;
 (3) prepare $s = ((H_1^2(m)\,H_3(\sigma, D))^{-1} H_2(D))^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
 (4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $\mathcal{L}_B$;
(b) if $i \neq \nu$:
 (1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
 (2) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
 (3) prepare $s = ((H_1^2(m)\,H_3(\sigma, D))^{-1} H_2(D))^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
 (4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $\mathcal{L}_B$;
(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.
(ii) Oracle $\mathcal{O}_{\mathrm{off}}$
A status parameter sta is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it looks up the list $\mathcal{L}_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and sta = 0, $\mathcal{O}_{\mathrm{off}}$ performs the following:
 (1) set sta = 1;
 (2) retrieve the corresponding $(u, s')$ from $\mathcal{L}_B$ and choose a random $r_u$;
 (3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $\mathcal{L}_H$;
 (4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $\mathcal{L}_{\mathrm{off}}$;
 (5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{\mathrm{off}}$ retrieves the corresponding $(r_1, x_1)$, chooses random $r_u$ and $u$, sets $H_4(r_u, r_s) = u$, records $((r_u, r_s), u)$ in $\mathcal{L}_H$, computes $s' = r_1 - u x_1 \bmod q$ (so that $w_1 = g^{r_1} = y_1^{u} g^{s'}$ holds), and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(c) otherwise, abort.
(iii) Oracle $\mathcal{O}_{H_4}$
When $\mathcal{A}$ sends $(r_u, r_s)$ to query $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ checks the list $\mathcal{L}_H$:
(a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ retrieves the corresponding $u$ and returns it to $\mathcal{A}$;
(b) otherwise $\mathcal{O}_{H_4}$ chooses a random $u$, records $((r_u, r_s), u)$ in $\mathcal{L}_H$, and returns $u$ to $\mathcal{A}$.

[Figure 10: The proof model of SWG-2. For $i = \nu$, $\mathcal{O}_B$ sets $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$; $\mathcal{O}_{\mathrm{off}}$ (with sta = 0 $\to$ 1) sets $H_4(r_u, r_s) = u$, stores it in $\mathcal{L}_H$, and records the expansion in $\mathcal{L}_{\mathrm{off}}$; from the swindled tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_s^*, r_u^*, s'^*)$, the relation $((y^*)^{x_1^*})^{u^*} g^{s'^*} \equiv w_1^* \equiv ((y^*)^{x_1^*})^{u} g^{s'} \pmod p$ yields $x^* = (x_1^*(u^* - u))^{-1}(s' - s'^*) \bmod q$.]
Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $\mathcal{L}_B$, and $u^* = H_4(r_u^*, r_s^*)$ is the value recorded in $\mathcal{L}_H$. A second valid expansion of the same e-cash forces $u^* \neq u$: if $u^* = u$, the relation below gives $g^{s'^*} \equiv g^{s'}$ and hence $s'^* = s'$, i.e., the expansion already returned by $\mathcal{O}_{\mathrm{off}}$. Then, via $\mathcal{L}_H$, since
$$\bigl((y^*)^{x_1^*}\bigr)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \bigl((y^*)^{x_1^*}\bigr)^{u} g^{s'} \pmod p, \quad (25)$$
$\mathcal{S}$ can derive
$$x^* = \bigl(x_1^*(u^* - u)\bigr)^{-1}\,(s' - s'^*) \bmod q \quad (26)$$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

To summarize the proof models of the two experiments above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. Hence no ppt adversary can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
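The two extractions above, (24) for SWG-1 and (26) for SWG-2, are plain modular arithmetic once the simulator holds the values it planted. The following Python snippet is an added worked example, not code from the paper: it fixes a toy order-$q$ subgroup ($p = 2039$, $q = 1019$, $g = 4$, an assumption for the demo and far too small for real use), lets a stand-in adversary that knows $x^*$ (only so the demo runs offline; a real adversary would not) produce the swindled expansion, and then recovers $x^*$ from the two representations exactly as $\mathcal{S}$ does, using only what $\mathcal{S}$ recorded in $\mathcal{L}_B$ and $\mathcal{L}_H$. It also shows how $\mathcal{O}_{\mathrm{off}}$ answers a non-target ($i \neq \nu$) query with $s' = r_1 - u x_1 \bmod q$ without knowing any secret.

```python
# Added example (not from the paper): the simulator's extraction steps in the
# no-swindling proofs, on a toy order-q subgroup of Z_p^*.  p = 2039 = 2*1019 + 1
# is a safe prime and g = 4 is a quadratic residue, so g has order q = 1019.
# These parameters are an assumption for the demo and far too small for real use.
P, Q, G = 2039, 1019, 4


def inv(a, m):
    """Modular inverse; raises ValueError if a is 0 mod m (no inverse)."""
    return pow(a % m, -1, m)


def rel_holds(w1, y1, h, s_prime):
    """The expansion relation the bank verifies: w1 == y1^h * g^s' (mod p)."""
    return w1 == (pow(y1, h, P) * pow(G, s_prime, P)) % P


def extract_swg1(r1, x1, h4, s_prime_star):
    """Equation (24): w1 = (y*)^r1 = g^(x* r1) and w1 = y1^h4 g^s'*, y1 = g^x1,
    so x* r1 = x1 h4 + s'* (mod q)."""
    return (inv(r1, Q) * (x1 * h4 + s_prime_star)) % Q


def extract_swg2(x1, u, u_star, s_prime, s_prime_star):
    """Equation (26): (y*^x1)^u g^s' = (y*^x1)^u* g^s'* gives
    x* x1 (u* - u) = s' - s'* (mod q)."""
    return (inv(x1 * (u_star - u), Q) * (s_prime - s_prime_star)) % Q


def ooff_non_target(r1, x1, u):
    """O_off's answer for a non-target (i != nu) e-cash, where the simulator
    chose w1 = g^r1 and y1 = g^x1 itself: s' = r1 - u*x1 needs no secret."""
    s_prime = (r1 - u * x1) % Q
    assert rel_holds(pow(G, r1, P), pow(G, x1, P), u, s_prime)
    return s_prime


def swg1_demo(x_star, r1, x1, h4):
    """SWG-1: simulator plants y* in w1 = (y*)^r1 and keeps (r1, x1) in L_B."""
    y_star = pow(G, x_star, P)
    w1 = pow(y_star, r1, P)
    y1 = pow(G, x1, P)
    # Stand-in adversary: it knows x* only so this demo runs offline.
    s_prime_star = (x_star * r1 - x1 * h4) % Q
    assert rel_holds(w1, y1, h4, s_prime_star)
    # The simulator sees only (r1, x1) from L_B, h4 from L_H and s'* from A.
    return extract_swg1(r1, x1, h4, s_prime_star)


def swg2_demo(x_star, x1, u, s_prime, u_star):
    """SWG-2: simulator plants y* in y1 = (y*)^x1 and answers O_off with (u, s')."""
    y_star = pow(G, x_star, P)
    y1 = pow(y_star, x1, P)
    w1 = (pow(y1, u, P) * pow(G, s_prime, P)) % P
    # Stand-in adversary forges a second expansion (u*, s'*) of the same cash.
    s_prime_star = (s_prime + x_star * x1 * (u - u_star)) % Q
    assert rel_holds(w1, y1, u_star, s_prime_star)
    return extract_swg2(x1, u, u_star, s_prime, s_prime_star)


if __name__ == "__main__":
    print("SWG-1 recovers x* =", swg1_demo(123, 45, 67, 89))
    print("SWG-2 recovers x* =", swg2_demo(321, 11, 22, 33, 44))
```

Passing `u_star` equal to `u` to `swg2_demo` makes $x_1^*(u^* - u)$ vanish and the inverse in `extract_swg2` raises; that is exactly why the reduction needs the second expansion to differ from the one $\mathcal{O}_{\mathrm{off}}$ returned.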
5 E-Cash Advanced Features and Performance Comparisons

In this section we compare the e-cash features and performance of our proposed scheme with the schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of these schemes and summarize the results in Table 1.

5.1 Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability and no double-spending. Beyond these, the literature discusses further advanced features of e-cash systems. We focus on three of them, traceability, date attachability and no-swindling, and compare the proposed scheme with the aforementioned schemes on each.

We also propose an e-cash renewal protocol that lets users exchange their unused but expired e-cash(s) for a new valid e-cash, so users do not have to deposit an e-cash before it expires and then withdraw a new one. The renewal protocol reduces the computation cost by 49.5% compared with running the withdrawal and deposit protocols, i.e., almost half the effort of obtaining a new e-cash at the user side. This matters because user devices, such as smart phones, usually have weaker computation capability.
Table 1: Advanced features and performance comparisons.

| Scheme | On/off-line | Conditional-traceability | Date attachability | No-swindling | Renewal protocol | Formal proof | Transaction cost⋆ | Communication cost† (bytes) |
| Ours | Off | Yes | Yes | Yes | Yes | Yes | 5E + 7M + 7H + 1inv + 1A ≈ 1454M | 1092 |
| [38] | Off | Yes | No | No | — | Yes | 14E + 14M + 1H + 5A ≈ 3375M | 576 |
| [14] | Off | No | No | No | Yes | No | 6E + 8M ≈ 1448M | 1288 |
| [15] | Off | Yes | No | No | — | Yes | 23E + 14M + 1A ≈ 5534M | 939 |
| [9] | On | No | Yes | — | No | No | 2E + 2M + 2H ≈ 966M | 769 |
| [21] | Off | Yes | Yes | No | Yes | No | 5E + 9M + 1H + 1inv + 2A ≈ 1450M | 644 |
| [22] | Off | Yes | No | Yes | Yes | Yes | 2E ≈ 480M | 300 |
| [39] | Off | Yes | No | No | — | Yes | 18E + 15M + 2H + 8A ≈ 4337M | 828 |
| [40] | Off | Yes | No | No | — | Yes | 31E + 22M + 6H + 10A ≈ 7468M | 968 |
| [13] | On | Yes | No | — | — | Yes | 22E + 11M + 4A ≈ 5291M | 1536 |
| [27] | Off | No | Yes | No | Yes | No | 6E + 8M + 1H ≈ 1449M | 728 |

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
† The communication cost of each transaction at the user side, in bytes.
5.2 Performance Comparisons. According to [41], the computation cost of the operations can be summarized as follows: a modular exponentiation costs about 240 times a modular multiplication, a modular inversion costs almost the same as a modular exponentiation, and a hash operation costs almost the same as a modular multiplication (a modular addition is negligible).

With these assumptions, the total computation cost of a user during the withdrawal and payment phases of our proposed scheme amounts to 1454 modular multiplications, while the other works [38], [14], [15], [9], [21], [22], [39], [40], [13] and [27] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291 and 1449 modular multiplications, respectively, to finish the withdrawal and payment phases at the user end.

Following [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512 and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and the one-way hash function in all protocols, so an AES ciphertext block and a hash digest are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With these assumptions we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending it, i.e., 8736 bits or 1092 bytes per transaction.
The details of the comparisons are summarized inTable 1
6 Conclusion
In this paper we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to each e-cash. We have also designed an e-cash renewal protocol with which users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient in terms of the user-side computation cost while satisfying all security properties simultaneously. Besides anonymity, unlinkability, unforgeability and no double-spending, we formally prove that our scheme achieves conditional-traceability and no-swindling. Our scheme not only helps the bank manage its huge database against unlimited growth but also strengthens the preservation of users' privacy and rights.
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.
References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.
[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.
[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.
[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.
[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.
[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.
[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man, and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.
[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.
[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.
[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.
[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.
[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.
[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.
[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.
[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.
[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.
[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.
[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology, CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.
[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.
[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.
[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.
[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.
[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.
[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.
[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.
[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology, CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.
[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.
[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.
[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.
[34] S. Bajikar, "Trusted platform module (TPM) based security on notebook PCs," white paper, Mobile Platform Group, Intel Corporation, 2002.
[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.
[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.
[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.
[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," in Advances in Cryptology, CRYPTO '93, pp. 302–318, 1993.
[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.
[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.
[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.
[Figure 6: The proof model of FG-1. $\mathcal{S}$ answers $\mathcal{A}$'s $H_1$, $H_2$, $H_3$ and $\mathcal{O}_S$ queries (returning $\rho_i$, $\tau_i^{e} \bmod n$ and $\eta_i^{e} \bmod n$ for the hash queries and $(t_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$ for an e-cash query $(\alpha_i, \epsilon_i, D_i)$), obtaining $t_i = (\alpha_i\beta_i\tau_i^{e})^{d}$ from $\mathcal{O}_{\mathrm{inv}}$ and the targets $y_i$ from $\mathcal{O}_t$ of RSA-ACTI; from $\ell + 1$ output tuples $(s_i, m_i, \sigma_i, D_i)$ with $s_i^{e} H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod n$ it outputs the pairs $(s_i^{-1}\eta_i^{-1}\tau_i,\ y_i)$, since $(y_i)^{d} \equiv (H_1^2(m_i))^{d} \equiv s_i^{-1}(H_3(\sigma_i, D_i)^{-1} H_2(D_i))^{d} \pmod n$.]

[Figure 7: The proof model of FG-2. $H_1$ queries are answered with $\rho_i$ or $\varsigma_i^{e} \bmod n$, $H_2$ with $\tau_i^{e} \bmod n$, and $H_3(\sigma_i, D')$ is programmed as $\alpha_i\eta_i^{e}$ for $\mathcal{O}_S$ queries or $\eta^{e} y$ for direct queries; from $\ell_{D'} + 1$ tuples $(s_i, m_i, \sigma_i, D')$ with $s_i^{e} H_1^2(m_i) H_3(\sigma_i, D') \equiv H_2(D') \pmod n$, one of whose $(\sigma_i, D')$ was not issued by $\mathcal{O}_S$, $\mathcal{S}$ gets $(s_i)^{e} \equiv ((\varsigma_i^{e})(\eta_i^{e} y))^{-1}(\tau_i^{e})$ and outputs $x \equiv y^{d} \equiv (s_i\varsigma_i\eta_i)^{-1}\tau_i \pmod n$.]
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ is retrieved and $(\eta^{e} \bmod n)$ is returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ selects a random $\eta \in \mathbb{Z}_n$, records $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$, and returns $(\eta^{e} \bmod n)$ to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$
When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ does the following:
(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^{e} \bmod n)$, and store $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^{e}\eta^{e})^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = \tau^{e}$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) send $(\alpha\beta\tau^{e})$ to the oracle $\mathcal{O}_{\mathrm{inv}}$ to get $t = (\alpha\beta\tau^{e})^{d} \bmod n$;
(7) return $(t, E_k(b, \sigma, r_j))$ to $\mathcal{A}$.
Eventually, assume that $\mathcal{A}$ can successfully output $\ell + 1$ e-cash tuples
$$(s_1, m_1, \sigma_1, D_1),\ \ldots,\ (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \quad (17)$$
where the $m_i$ are all distinct, $\forall i,\ 1 \le i \le \ell + 1$, such that $s_i^{e} H_1^2(m_i) H_3(\sigma_i, D_i) = H_2(D_i) \pmod n$, after $\ell$ queries to $\mathcal{O}_S$, with nonnegligible probability $\epsilon_{\mathcal{A}}$. According to $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$ and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve the RSA-inversion instances ($\forall i,\ 1 \le i \le \ell + 1$)
$$(y_i)^{d} \equiv \bigl(H_1^2(m_i)\bigr)^{d} \equiv s_i^{-1}\bigl(H_3(\sigma_i, D_i)^{-1} H_2(D_i)\bigr)^{d} \equiv s_i^{-1}\eta_i^{-1}\tau_i \pmod n. \quad (18)$$
Via $\mathcal{A}$ querying the signing oracle $\mathcal{O}_S$ $\ell$ times (i.e., $\mathcal{S}$ querying $\mathcal{O}_{\mathrm{inv}}$ $\ell$ times), $\mathcal{S}$ can output $\ell + 1$ RSA-inversion instances
$$(s_1^{-1}\eta_1^{-1}\tau_1,\ y_1),\ (s_2^{-1}\eta_2^{-1}\tau_2,\ y_2),\ \ldots,\ (s_{\ell+1}^{-1}\eta_{\ell+1}^{-1}\tau_{\ell+1},\ y_{\ell+1}) \quad (19)$$
and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
Simulation in FG-2. Initially $\mathcal{S}$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$
Initially every blank record in $\mathcal{L}_{H_1}$ is represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ to query the hash value $H_1(m)$, $\mathcal{S}$ checks the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\rho_i$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma$ and returns $(\varsigma^{e} \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ selects a random $\varsigma \in \mathbb{Z}_n$, returns $(\varsigma^{e} \bmod n)$ to $\mathcal{A}$, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
(d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$
When $\mathcal{A}$ asks an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ is retrieved and $\mathcal{S}$ sends $(\tau^{e} \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ selects a random $\tau \in \mathbb{Z}_n$, records $(D, \tau)$ in $\mathcal{L}_{H_2}$, and returns $(\tau^{e} \bmod n)$ to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$
When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ is retrieved and returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ selects a random $\eta \in \mathbb{Z}_n$, sets $H_3(\sigma, D) = (\eta^{e} y \bmod n)$, records $((\sigma, D), \eta, H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$, and returns $H_3(\sigma, D)$ to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$
Let $\ell_{D_i}$ be a counter, initialized to 0, recording the number of queries on each expiration date $D_i$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ does the following:
(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^{e} \bmod n)$, and store $((\sigma, D), \perp, \alpha\eta^{e} \bmod n)$ and $(\sigma, D)$ in $\mathcal{L}_{H_3}$ and $\mathcal{L}_x$, respectively;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^{e}\alpha\eta^{e})^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = \tau^{e}$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha\beta\tau^{e})^{d} \equiv (b\eta)^{-1}\tau \pmod n$;
(7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ to $\mathcal{A}$.

Eventually, assume that $\mathcal{A}$ can successfully output $\ell_{D'} + 1$ e-cash tuples for some expiration date $D'$,
$$(s_1, m_1, \sigma_1, D'),\ \ldots,\ (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D'), \quad (20)$$
such that $s_i^{e} H_1^2(m_i) H_3(\sigma_i, D') = H_2(D') \pmod n$, $\forall i,\ 1 \le i \le \ell_{D'} + 1$, after $\ell_{D'}$ queries to $\mathcal{O}_S$ on $D'$, with nonnegligible probability $\epsilon_{\mathcal{A}}$.

Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'} + 1$, is not recorded in $\mathcal{L}_x$. Then, by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$ and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve
$$(s_i)^{e} \equiv \bigl(H_1^2(m_i)\,H_3(\sigma_i, D')\bigr)^{-1} H_2(D') \equiv \bigl((\varsigma_i^{e})(\eta_i^{e} y)\bigr)^{-1}(\tau_i^{e}) \pmod n,$$
$$x \equiv y^{d} \equiv (s_i\varsigma_i\eta_i)^{-1}\tau_i \pmod n, \quad (21)$$
and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
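To make the FG-2 extraction (21) concrete, here is an added Python example, not code from the paper, on toy RSA parameters $n = 3233 = 61 \cdot 53$, $e = 17$, $d = 2753$ (an assumption for the demo; far too small for real use). The simulator programs the three hash oracles as in the proof, $H_1^2(m) = \varsigma^{e}$, $H_2(D) = \tau^{e}$ and $H_3(\sigma, D) = \eta^{e} y$, where $y = x^{e}$ is the challenge. A stand-in forger that knows $d$ (only to keep the demo self-contained; the real adversary has no $d$ either) outputs a valid e-cash for a $(\sigma, D)$ that $\mathcal{O}_S$ never issued, and the simulator recovers $x = y^{d}$ from that single forgery without ever using $d$.

```python
# Added example (not from the paper): the FG-2 extraction step (21) on toy RSA
# parameters n = 3233 = 61*53, e = 17, d = 2753 (an assumption for the demo;
# far too small for real use).  Only the stand-in forger touches d.
N, E, D = 3233, 17, 2753


def inv(a, m):
    """Modular inverse; raises ValueError when a shares a factor with m."""
    return pow(a % m, -1, m)


def verify_cash(s, h1sq_m, h3, h2_D):
    """Verification equation of a generic e-cash:
    s^e * H1^2(m) * H3(sigma, D) == H2(D)  (mod n)."""
    return (pow(s, E, N) * h1sq_m * h3) % N == h2_D % N


def program_oracles(y, varsigma, tau, eta):
    """Simulator's random-oracle answers for a fresh (m, D, sigma):
    H1^2(m) = varsigma^e, H2(D) = tau^e, H3(sigma, D) = eta^e * y,
    with the RSA-inversion challenge y embedded in H3."""
    h1sq_m = pow(varsigma, E, N)
    h2_D = pow(tau, E, N)
    h3 = (pow(eta, E, N) * y) % N
    return h1sq_m, h2_D, h3


def forge_with_d(h1sq_m, h3, h2_D):
    """Stand-in adversary: a valid e-cash for a (sigma, D) that O_S never
    issued.  It uses the bank's d, which the simulator does not have."""
    base = (inv(h1sq_m * h3, N) * h2_D) % N
    return pow(base, D, N)


def extract_root(s, varsigma, eta, tau):
    """Equation (21): s^e varsigma^e eta^e y = tau^e, hence
    y^d = (s * varsigma * eta)^-1 * tau  (mod n), computed without d."""
    return (inv(s * varsigma * eta, N) * tau) % N


def fg2_demo(x, varsigma, tau, eta):
    """Challenge y = x^e; the simulator recovers x from one forgery."""
    y = pow(x, E, N)
    h1sq_m, h2_D, h3 = program_oracles(y, varsigma, tau, eta)
    s = forge_with_d(h1sq_m, h3, h2_D)
    assert verify_cash(s, h1sq_m, h3, h2_D)
    return extract_root(s, varsigma, eta, tau)


def tamper_check(x, varsigma, tau, eta):
    """Returns (valid, tampered_valid): the forged s passes, s + 1 does not."""
    y = pow(x, E, N)
    h1sq_m, h2_D, h3 = program_oracles(y, varsigma, tau, eta)
    s = forge_with_d(h1sq_m, h3, h2_D)
    return (verify_cash(s, h1sq_m, h3, h2_D),
            verify_cash((s + 1) % N, h1sq_m, h3, h2_D))


if __name__ == "__main__":
    print("FG-2 recovers x =", fg2_demo(42, 7, 11, 13))
```

The proof's case split matters here: `program_oracles` corresponds to a direct $H_3$ query, where $y$ is embedded; for a pair $(\sigma, D)$ that $\mathcal{O}_S$ itself issued, $H_3$ was set to $\alpha\eta^{e}$ instead and the same algebra would not yield $y^{d}$, which is why the argument needs one of the $\ell_{D'} + 1$ tuples to carry a $(\sigma_i, D')$ absent from $\mathcal{L}_x$.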
4.3 E-Cash Conditional-Traceability. In this section we prove that the ID information embedded in an e-cash cannot be replaced or removed by any user in order to evade tracing after misbehavior or a crime. The details of our proof model are illustrated in Figure 8.

[Figure 8: The proof model of TG. $\mathcal{O}_{H_1}$ and $\mathcal{O}_{H_2}$ answer with $\rho_i$ or $\varsigma_i^{e} \bmod n$ and with $\tau_i^{e} \bmod n$; $\mathcal{O}_{H_3}$ obtains its answers $y_i$ from the target oracle $\mathcal{O}_t$ and stores them in $\mathcal{L}_T$; for an e-cash query $(\alpha_i, \epsilon_i, D_i)$, $\mathcal{O}_S$ chooses $\eta_i \in \mathbb{Z}_n$, sets $H_3(\sigma_i, D_i) = \alpha_i\eta_i^{e} \bmod n$ (stored in $\mathcal{L}_{H_3}$ and $\mathcal{L}_T$), and gets $x_i = y_i^{d} \bmod n$ from $\mathcal{O}_{\mathrm{inv}}$; from the forged $(s', m', \sigma', D')$ with $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$ and $s'^{e} H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$, $\mathcal{S}$ obtains $(y')^{d} \equiv H_3(\sigma', D')^{d} \equiv s'^{-1}(H_1^2(m')^{-1} H_2(D'))^{d} \equiv s'^{-1}\varsigma^{-1}\tau' \pmod n$ and outputs $(x_1, y_1), \ldots, (x_{q_t-1}, y_{q_t-1}), (s'^{-1}\varsigma^{-1}\tau', y')$.]

Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS: it records the parameters from the queries of $\mathcal{A}$ and issues e-cash(s) $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$, accordingly. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ $\ell$ times; consider Algorithm 4. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(l_k) = 1]$ is nonnegligible.

Algorithm 4: Experiment $\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(l_k)$
 $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
 $(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
 $\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow \mathcal{O}_S$
 if both of the following checks hold, return 1:
  (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$
  (ii) $s'^{e} H_1^2(m') H_3(\sigma', D') = H_2(D') \bmod n$
 else return 0

Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies E-Cash Traceability.
Definition 12 (Alternative Formulation of RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5.

Algorithm 5: Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{\mathcal{A}}(k)$
 $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
 $(y_1, \ldots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$
 $(x_1, y_1), \ldots, (x_{q_t}, y_{q_t}) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
 if $x_i^{e} \equiv y_i \pmod N$ $\forall i \in \{1, \ldots, q_t\}$, return 1
 else return 0

We say $\mathcal{A}$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Theorem 13. For a polynomial-time adversary $\mathcal{A}$ who can win the tracing game TG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-AKTI problem with nonnegligible probability.
Proof. $\mathcal{S}$ simulates the environment of DAOECS in the random oracle model by controlling three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ to respond to hash queries and an e-cash producing oracle $\mathcal{O}_S$ of DAOECS to respond to e-cash producing queries from $\mathcal{A}$. Eventually $\mathcal{S}$ takes advantage of $\mathcal{A}$'s capability to solve the RSA-AKTI problem. For consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$ and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$ and $\mathcal{O}_{H_3}$, respectively.

Besides, in the proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^{d}$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12 to help $\mathcal{S}$ produce valid e-cash(s); the corresponding verifying key is $(e, n)$.

Here we simulate the game TG to prove that DAOECS satisfies e-cash traceability. The details are as follows.
(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^e \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^e \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
(d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, H_1(m), \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.
(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.
(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will query $\mathcal{O}_t$ to get an instance $y$, and record $y$ and $((\sigma, D), y)$ in $\mathcal{L}_T$ and $\mathcal{L}_{H_3}$, respectively;
(c) return $y$ back to $\mathcal{A}$.
(iv) E-Cash Producing Query of $\mathcal{O}_S$. While $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv ((b\eta)^{-1} \tau) \pmod n$;
(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.
Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of some $\mathcal{O}_S$ query, such that $s'^e H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$; then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can derive

$$(y')^d \equiv (H_3(\sigma', D'))^d \equiv s'^{-1} \left( H_1^2(m')^{-1} H_2(D') \right)^d \equiv s'^{-1} \varsigma'^{-1} \tau' \pmod n. \quad (22)$$
Let $|\mathcal{L}_T| = q_t$ and $\mathcal{L}_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends $y_i \in (\mathcal{L}_T - \{y'\})$, $1 \le i \le (q_t - 1)$, to $\mathcal{O}_{inv}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$.
Eventually $\mathcal{S}$ can output $q_t$ RSA-inversion instances

$$(x_1, y_1), (x_2, y_2), \ldots, (x_{q_t - 1}, y_{q_t - 1}), \left( s'^{-1} \varsigma'^{-1} \tau', \; y' \right) \quad (23)$$

after querying $\mathcal{O}_{inv}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
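As an added example (not code from the paper), the following Python toy shows the simulator's trick behind equation (22): $H_1^2$ and $H_2$ are programmed as $e$-th powers of values $\varsigma$, $\tau$ that $\mathcal{S}$ chooses itself, so any forged coin satisfying the DAOECS verification equation hands $\mathcal{S}$ an $e$-th root of the target $H_3$ value without ever using $d$. The toy RSA key, the sample values $\varsigma$, $\tau$, $s'$, and all function names are constructed assumptions.

```python
# Constructed toy RSA key (not the paper's parameters): n = 61 * 53,
# e * d ≡ 1 (mod lcm(60, 52)). Far too small for real use.
N = 3233
E = 17
D = 2753   # kept only to confirm the result; the simulator itself never holds d


def coin_verifies(s: int, h1sq_m: int, h3_sigma_d: int, h2_d: int) -> bool:
    """Verification equation of DAOECS: s^e * H_1^2(m) * H_3(σ, D) ≡ H_2(D) (mod n)."""
    return (pow(s, E, N) * h1sq_m * h3_sigma_d) % N == h2_d % N


def programmed_hashes(varsigma: int, tau: int) -> tuple:
    """Simulator's programming of the random oracles: H_1^2(m') = ς^e and
    H_2(D') = τ^e, with ς and τ chosen (and therefore known) by S."""
    return pow(varsigma, E, N), pow(tau, E, N)


def forced_target(s: int, h1sq_m: int, h2_d: int) -> int:
    """The H_3(σ', D') value a forged coin (s', m', σ', D') must carry for the
    verification equation to hold; it plays the role of the target y'."""
    return (h2_d * pow((pow(s, E, N) * h1sq_m) % N, -1, N)) % N


def root_from_forgery(s: int, varsigma: int, tau: int) -> int:
    """Equation (22): (y')^d ≡ s'^{-1} * ς'^{-1} * τ' (mod n), computed without d."""
    return (pow(s, -1, N) * pow(varsigma, -1, N) * tau) % N


def demo() -> dict:
    varsigma, tau, s = 123, 456, 789      # constructed; all coprime to n
    h1sq, h2 = programmed_hashes(varsigma, tau)
    y_prime = forced_target(s, h1sq, h2)  # what a successful forger's H_3 query returned
    root = root_from_forgery(s, varsigma, tau)
    return {
        "coin_verifies": coin_verifies(s, h1sq, y_prime, h2),
        "root_is_eth_root": pow(root, E, N) == y_prime,       # root^e == y'
        "matches_private_key": pow(y_prime, D, N) == root,    # same as (y')^d
    }


if __name__ == "__main__":
    print(demo())
```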
4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has been spent in a previous transaction, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model the merchant may accept a transaction involving a double-spent e-cash first and then do the double-spending check later. In this case the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two events:
(i) No one except the real owner can spend a fresh and valid offline e-cash successfully.
(ii) No one can double spend an e-cash successfully.
Roughly, this can be referred to as the e-cash no-swindling property. In this section we will define the no-swindling property and formally prove that our scheme is secure against swindling attacks.
Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $\mathcal{O}_{off}$ is an oracle to show the expanding form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively.
$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.
Algorithm 6: Experiment SWG-1, $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s^{e_b} H_1^2\big(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\; y_1, w_2, y_2, D, r_3\big)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
        (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ has never been a query to $\mathcal{O}_{off}$
    else return 0
Algorithm 7: Experiment SWG-2, $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s^{e_b} H_1^2\big(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\; y_1, w_2, y_2, D, r_3\big)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
        (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{off}$ only once
        (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ is not obtained from $\mathcal{O}_{off}$
    else return 0
Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.
Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.
Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. Then, for consistency, $\mathcal{S}$ maintains a list $\mathcal{L}_{H_4}$ to record every response of $\mathcal{O}_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we will describe the simulations for the two experiments $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}$ and $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}$ individually.
The simulation for $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.
(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$th query will be the attack target. When $\mathcal{A}$ sends the $i$th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
(a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(b) if $i = \nu$: (1) compute $(w_1 = (y^*)^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
(c) if $i \neq \nu$: (1) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
(d) prepare $s = \big((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $\mathcal{L}_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.
(ii) Oracle $\mathcal{O}_{off}$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it will look up the list $\mathcal{L}_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
(b) otherwise $\mathcal{O}_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.
Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $\mathcal{L}_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*}$, $\mathcal{S}$ can derive

$$x^* = (r_1^*)^{-1} \left( x_1^* H_4(r_u^*, r_s^*) + s'^* \right) \bmod q \quad (24)$$
Figure 9: The proof model of SWG-1.
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.
The simulation for $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.
(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$th query will be the attack target. When $\mathcal{A}$ sends the $i$th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
(a) if $i = \nu$:
(1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $(y_1 = (y^*)^{x_1} \bmod p)$ and $(w_1 = y_1^{u} g^{s'} \bmod p)$;
(3) prepare $s = \big((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $\mathcal{L}_B$;
(b) if $i \neq \nu$:
(1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
(3) prepare $s = \big((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $\mathcal{L}_B$;
(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.
(ii) Oracle $\mathcal{O}_{off}$. A status parameter $sta$ is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it will look up the list $\mathcal{L}_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and $sta = 0$, $\mathcal{O}_{off}$ will perform the following procedures:
(1) set $sta = 1$;
(2) retrieve the corresponding $(u, s')$ from $\mathcal{L}_B$ and choose a random $r_u$;
(3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $\mathcal{L}_H$;
(4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $\mathcal{L}_{off}$;
(5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, compute $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(c) otherwise abort.
(iii) Oracle $\mathcal{O}_{H_4}$. While $\mathcal{A}$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ will check the list $\mathcal{L}_H$:
(a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ will retrieve the corresponding $u$ and return it to $\mathcal{A}$;
Figure 10: The proof model of SWG-2.
(b) otherwise $\mathcal{O}_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, and return $u$ to $\mathcal{A}$.
Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $\mathcal{L}_B$, and $H_4(r_u^*, r_s^*) = u^*$. Then, via $\mathcal{L}_H$, since

$$\left( y^{* x_1^*} \right)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \left( y^{* x_1^*} \right)^{u} g^{s'} \pmod p, \quad (25)$$

$\mathcal{S}$ can derive

$$x^* = \left( x_1^* (u^* - u) \right)^{-1} (s' - s'^*) \bmod q \quad (26)$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.
Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. It implies that there exists no p.p.t. adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
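As an added example (not code from the paper), the following Python toy models the payment expansion checked in SWG-1/SWG-2 and the extraction of equation (26): two accepted expansions of the same $w_1$ under different challenges, which is exactly what a double spend produces, give away $\log_g y_1$, and under the simulator's embedding $y_1 = (y^*)^{x_1^*}$ they give the logarithm $x^*$ of its challenge. The group $(p, q, g)$, the SHA-256 stand-in for $H_4$, and all secrets are constructed assumptions.

```python
import hashlib

# Constructed toy parameters (not the paper's): p and q prime with q | p - 1, and
# g = 4 generating the order-q subgroup of Z_p^*. Far too small for real use.
P = 2039
Q = 1019
G = 4


def h4(r_u: int, r_s: int) -> int:
    """Stand-in for H_4 (assumption): hash (r_u, r_s) to a challenge u in Z_q."""
    digest = hashlib.sha256(f"{r_u}|{r_s}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def expand(x1: int, r1: int, r_u: int, r_s: int) -> tuple:
    """Payer side of the expansion for a coin with y_1 = g^{x_1} and w_1 = g^{r_1}:
    challenge u = H_4(r_u, r_s), response s' = r_1 - u * x_1 mod q."""
    u = h4(r_u, r_s)
    return u, (r1 - u * x1) % Q


def verify_expansion(y1: int, w1: int, r_u: int, r_s: int, s_prime: int) -> bool:
    """Discrete-log part of check (i) in SWG-1/SWG-2:
    w_1 == y_1^{H_4(r_u, r_s)} * g^{s'} (mod p)."""
    u = h4(r_u, r_s)
    return (pow(y1, u, P) * pow(G, s_prime, P)) % P == w1


def extract_log(u: int, s_prime: int, u_star: int, s_prime_star: int) -> int:
    """Two accepted expansions of the same w_1 under different challenges (what a
    double spend produces) reveal log_g(y_1) = (s' - s'*) / (u* - u) mod q."""
    if (u - u_star) % Q == 0:
        raise ValueError("challenges coincide modulo q; nothing can be extracted")
    return ((s_prime - s_prime_star) * pow((u_star - u) % Q, -1, Q)) % Q


def extract_eq26(x1_star: int, u: int, s_prime: int, u_star: int, s_prime_star: int) -> int:
    """Equation (26): when the simulator embedded y_1 = (y*)^{x_1*}, the same two
    expansions give the discrete logarithm x* of its challenge y* = g^{x*}."""
    return (pow((x1_star * (u_star - u)) % Q, -1, Q) * (s_prime - s_prime_star)) % Q


def demo() -> dict:
    # Honest coin: secret x_1 and commitment randomness r_1 (constructed values).
    x1, r1 = 123, 777
    y1, w1 = pow(G, x1, P), pow(G, r1, P)

    # First payment: merchant nonce r_s = 42, payer nonce r_u = 11.
    u_a, s_a = expand(x1, r1, 11, 42)
    ok_a = verify_expansion(y1, w1, 11, 42, s_a)

    # The same coin spent again: w_1 is reused, only the challenge changes.
    r_u_b = 12
    while h4(r_u_b, 42) == u_a:   # guard against an accidental challenge collision
        r_u_b += 1
    u_b, s_b = expand(x1, r1, r_u_b, 42)
    ok_b = verify_expansion(y1, w1, r_u_b, 42, s_b)
    recovered_x1 = extract_log(u_a, s_a, u_b, s_b)

    # Simulator's view in SWG-2: y_1 = (y*)^{x_1*} with y* = g^{x*}, x* unknown to A,
    # so log_g(y_1) = x* * x_1* mod q.
    x_star, x1_star = 50, 9
    log_y1 = (x_star * x1_star) % Q
    u_c, s_c = expand(log_y1, r1, 21, 5)
    r_u_d = 22
    while h4(r_u_d, 5) == u_c:
        r_u_d += 1
    u_d, s_d = expand(log_y1, r1, r_u_d, 5)
    recovered_x_star = extract_eq26(x1_star, u_c, s_c, u_d, s_d)

    return {
        "first_payment_ok": ok_a,
        "second_payment_ok": ok_b,
        "recovered_x1": recovered_x1,
        "recovered_x_star": recovered_x_star,
    }


if __name__ == "__main__":
    print(demo())
```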
5. E-Cash Advanced Features and Performance Comparisons
In this section we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and summarize them in Table 1.
5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these features, there can be other advanced features of an e-cash system discussed in the literature. We focus on three other advanced features, which are traceability, date attachability, and no-swindling, and we compare the proposed scheme with the aforementioned schemes.
We also propose an e-cash renewal protocol for users to exchange their unused but expired e-cash(s) for a new valid e-cash; therefore users do not have to deposit the e-cash before it expires and withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. This is a great help to users, since their devices, such as smart phones, usually have weaker computation capability.
Table 1: Advanced features and performance comparisons.

| | Ours | [38] | [14] | [15] | [9] | [21] | [22] | [39] | [40] | [13] | [27] |
|---|---|---|---|---|---|---|---|---|---|---|---|
| On/off-line | Off | Off | Off | Off | On | Off | Off | Off | Off | On | Off |
| Conditional-traceability | Yes | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
| Date attachability | Yes | No | No | No | Yes | Yes | No | No | No | No | Yes |
| No-swindling | Yes | No | No | No | — | No | Yes | No | No | — | No |
| Renewal protocol | Yes | — | Yes | — | No | Yes | Yes | — | — | — | Yes |
| Formal proof | Yes | Yes | No | Yes | No | No | Yes | Yes | Yes | Yes | No |
| Transaction cost⋆ | 5E + 7M + 7H + 1inv + 1A ≈ 1454M | 14E + 14M + 1H + 5A ≈ 3375M | 6E + 8M ≈ 1448M | 23E + 14M + 1A ≈ 5534M | 2E + 2M + 2H ≈ 966M | 5E + 9M + 1H + 1inv + 2A ≈ 1450M | 2E ≈ 480M | 18E + 15M + 2H + 8A ≈ 4337M | 31E + 22M + 6H + 10A ≈ 7468M | 22E + 11M + 4A ≈ 5291M | 6E + 8M + 1H ≈ 1449M |
| Communication cost (bytes) | 1092 | 576 | 1288 | 939 | 769 | 644 | 300 | 828 | 968 | 1536 | 728 |

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side. The communication cost is that of each transaction at the user side, in bytes.
5.2. Performance Comparisons. According to [41], we can summarize the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times that of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.
With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be induced as 1452 times that of a modular multiplication, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times that of a modular multiplication to finish the withdrawal and payment phases at the user end.
According to [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and one-way hash function used in all protocols, respectively; therefore the signed message and hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.
With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.
The details of the comparisons are summarized in Table 1.
6. Conclusion
In this paper we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol with which users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient in terms of the computation cost at the user side while satisfying all security properties simultaneously. Apart from anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank manage their huge databases against unlimited growth, but it also strengthens the preservation of users' privacy and rights.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This work was partially supported by the National Science Council of Taiwan under Grants NSC 102-2219-E-110-002, NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.
References
[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.
[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.
[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.
[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.
[5] D. R. Liuy and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.
[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.
[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.
[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.
[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.
[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.
[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.
[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.
[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.
[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.
[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.
[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.
[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.
[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology-CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.
[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.
[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.
[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.
[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.
[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.
[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.
[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.
[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology-CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.
[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.
[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.
[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.
[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs: White Paper, Mobile Platform Group, Intel Corporation, 2002.
[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.
[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.
[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.
[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.
[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.
[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.
[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.
Eventually, assume that $\mathcal{A}$ can successfully output $\ell + 1$ e-cash tuples

$$(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \qquad (17)$$

where the $m_i$ are all distinct, $\forall i, 1 \le i \le \ell + 1$, such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) = H_2(D_i) \pmod n$, after $\ell$ queries to $\mathcal{O}_S$, with nonnegligible probability $\epsilon_{\mathcal{A}}$. According to $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, $\mathcal{S}$ can compute and retrieve RSA-inversion instances ($\forall i, 1 \le i \le \ell + 1$)

$$(y_i)^d \equiv (H_1^2(m_i))^d \equiv s_i^{-1} \bigl(H_3(\sigma_i, D_i)^{-1} H_2(D_i)\bigr)^d \equiv s_i^{-1} \eta_i^{-1} \tau_i \pmod n. \qquad (18)$$

Via $\mathcal{A}$ querying the signing oracle $\mathcal{O}_S$ for $\ell$ times (i.e., $\mathcal{S}$ querying $\mathcal{O}_{inv}$ for $\ell$ times), $\mathcal{S}$ can output $\ell + 1$ RSA-inversion instances

$$(s_1^{-1}\eta_1^{-1}\tau_1,\ y_1),\ (s_2^{-1}\eta_2^{-1}\tau_2,\ y_2),\ \ldots,\ (s_{\ell+1}^{-1}\eta_{\ell+1}^{-1}\tau_{\ell+1},\ y_{\ell+1}) \qquad (19)$$

and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
Simulation in FG-2. Initially, $\mathcal{S}$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially, every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $L_{H_1}$:
  (a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\rho_i$ and returns it to $\mathcal{A}$;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma$ and returns $(\varsigma^e \bmod n)$ to $\mathcal{A}$;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ selects a random $\varsigma \in \mathbb{Z}_n$, returns $(\varsigma^e \bmod n)$ to $\mathcal{A}$, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $L_{H_1}$;
  (d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $L_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $L_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
  (b) otherwise, $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $L_{H_3}$:
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ will be retrieved and returned to $\mathcal{A}$;
  (b) otherwise, $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e y \bmod n)$, record $((\sigma, D), \eta, H_3(\sigma, D))$ in $L_{H_3}$, and return $H_3(\sigma, D)$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. Let $\ell_{D_i}$ be a counter recording the number of queries on each expiration date $D_i$, initialized to 0. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
  (1) decrypt $\epsilon$ and obtain $(k, ID)$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(ID, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^e \bmod n)$, and store $((\sigma, D), \perp, (\alpha\eta^e \bmod n))$ and $(\sigma, D)$ in $L_{H_3}$ and $L_x$, respectively;
  (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
  (6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv ((b\eta)^{-1}\tau) \pmod n$;
  (7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Eventually, assume that $\mathcal{A}$ can successfully output $\ell_{D'} + 1$ e-cash tuples for some expiration date $D'$,

$$(s_1, m_1, \sigma_1, D'), \ldots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D') \qquad (20)$$

such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D') = H_2(D') \pmod n$, $\forall i, 1 \le i \le \ell_{D'} + 1$, after $\ell_{D'}$ queries to $\mathcal{O}_S$ on $D'$, with nonnegligible probability $\epsilon_{\mathcal{A}}$.

Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'} + 1$, is not recorded in $L_x$; then, by $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, $\mathcal{S}$ can compute and retrieve

$$(s_i)^e \equiv \bigl(H_1^2(m_i) H_3(\sigma_i, D')\bigr)^{-1} H_2(D') \equiv \bigl((\varsigma_i^e)(\eta_i^e y)\bigr)^{-1} (\tau_i^e) \pmod n,$$
$$x \equiv y^d \equiv (s_i \varsigma_i \eta_i)^{-1} \tau_i \pmod n \qquad (21)$$

and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
4.3. E-Cash Conditional-Traceability. In this section we prove that the ID information embedded in an e-cash cannot be replaced or removed by any user in order to avoid being traced after misbehavior or a crime. The details of our proof model are illustrated in Figure 8.
Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS: it records parameters from the queries of $\mathcal{A}$ and issues e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider Algorithm 4.

$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{TG}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Experiment $\mathrm{Exp}^{TG}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
  $\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow \mathcal{O}_S$
  if the following two checks are true, return 1:
    (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$
    (ii) $s'^e H_1^2(m') H_3(\sigma', D') = H_2(D') \bmod n$
  else return 0
Algorithm 4

[Figure 8: The proof model of TG (diagram not reproduced; it shows $\mathcal{A}$ interacting with $\mathcal{S}$ through $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$, and $\mathcal{O}_S$, with $\mathcal{S}$ using the oracles $\mathcal{O}_t$ and $\mathcal{O}_{inv}$ of the RSA inversion problem).]
Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies E-Cash Traceability.

Definition 12 (Alternative Formulation of RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{inv}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{inv}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5.

We say $\mathcal{A}$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{RSA\text{-}AKTI}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Experiment $\mathrm{Exp}^{RSA\text{-}AKTI}_{\mathcal{A}}(k)$
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
  $(y_1, \ldots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$
  $((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow \mathcal{A}^{\mathcal{O}_{inv}, \mathcal{O}_t}(N, e, k)$
  if $x_i^e \equiv y_i \pmod N$, $\forall i \in \{1, \ldots, q_t\}$, return 1
  else return 0
Algorithm 5

Theorem 13. For a polynomial-time adversary $\mathcal{A}$ who can win the tracing game TG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-AKTI problem with nonnegligible probability.
Proof. $\mathcal{S}$ simulates the environment of DAOECS by controlling three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ to respond to hash queries and an e-cash producing oracle $\mathcal{O}_S$ of DAOECS to respond to e-cash producing queries from $\mathcal{A}$, in the random oracle model. Eventually, $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the RSA-AKTI problem. For consistency, $\mathcal{S}$ maintains three lists $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.

Besides, in the proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{inv}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12, which help $\mathcal{S}$ produce valid e-cash(s); the corresponding verifying key is $(e, n)$.

Here we do the simulation for game TG to prove that DAOECS satisfies e-cash traceability. The details are as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially, every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $L_{H_1}$:
  (a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^e \bmod n)$ to $\mathcal{A}$;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^e \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $L_{H_1}$;
  (d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, H_1(m), \perp)$ in $L_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $L_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
  (b) otherwise, $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $L_{H_3}$:
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to $\mathcal{A}$;
  (b) otherwise, $\mathcal{S}$ will query $\mathcal{O}_t$ to get an instance $y$ and record $y$ and $((\sigma, D), y)$ in $L_T$ and $L_{H_3}$, respectively;
  (c) return $y$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
  (1) decrypt $\epsilon$ and obtain $(k, ID)$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(ID, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^e \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $L_{H_3}$;
  (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
  (6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv ((b\eta)^{-1}\tau) \pmod n$;
  (7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of any $\mathcal{O}_S$ query, such that $s'^e H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$. Then, by $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, $\mathcal{S}$ can derive

$$(y')^d \equiv \bigl(H_3(\sigma', D')\bigr)^d \equiv s'^{-1} \bigl(H_1^2(m')^{-1} H_2(D')\bigr)^d \equiv s'^{-1} \varsigma'^{-1} \tau' \pmod n. \qquad (22)$$

Let $|L_T| = q_t$ and $L_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends each $y_i \in (L_T \setminus \{y'\})$, $1 \le i \le q_t - 1$, to $\mathcal{O}_{inv}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$.

Eventually, $\mathcal{S}$ can output $q_t$ RSA-inversion instances

$$(x_1, y_1),\ (x_2, y_2),\ \ldots,\ (x_{q_t-1}, y_{q_t-1}),\ \bigl((s'^{-1}\varsigma'^{-1}\tau'),\ y'\bigr) \qquad (23)$$

after querying $\mathcal{O}_{inv}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
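To make the bookkeeping of the FG-2 simulation (equation (21)) and of the TG proof above (equation (22)) concrete, the following is an added Python illustration that is not part of the paper. It implements a simulator that programs $H_1^2$, $H_2$, and $H_3$ exactly as the proofs describe ($H_1^2(m) = \varsigma^e$, $H_2(D) = \tau^e$, $H_3(\sigma, D) = \eta^e y$), so that any tuple $(s, m, \sigma, D)$ that passes the scheme's verification on a $(\sigma, D)$ the e-cash oracle never issued yields $y^d$, and it also checks the identity used in step (6) of the e-cash producing oracle. The toy RSA modulus, the random seed, the message strings, and the "forger" are constructed for the demonstration only; the forger is handed $d$ so that the extraction step can be exercised, since no efficient adversary is assumed to exist.

```python
"""Simulator bookkeeping of the FG-2 / TG reductions (added illustration)."""
import math
import random

# Constructed toy RSA parameters: demonstration only, far too small for real use.
RSA_P, RSA_Q = 1009, 1013
N = RSA_P * RSA_Q
RSA_E = 17
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # e * d = 1 mod phi(n)

rng = random.Random(2014)   # fixed seed so the demonstration is repeatable


def rand_unit():
    """Random element of Z_n^* (invertible modulo n)."""
    while True:
        v = rng.randrange(2, N)
        if math.gcd(v, N) == 1:
            return v


class Simulator:
    """S from the FG-2 / TG proofs: knows the challenge y but not y^d."""

    def __init__(self, y):
        self.y = y
        self.L_H1 = {}    # m -> varsigma,      so that H_1^2(m)      = varsigma^e
        self.L_H2 = {}    # D -> tau,           so that H_2(D)        = tau^e
        self.L_H3 = {}    # (sigma, D) -> eta,  so that H_3(sigma, D) = eta^e * y
        self.L_x = set()  # (sigma, D) pairs issued by the e-cash oracle

    def h1_squared(self, m):
        vs = self.L_H1.setdefault(m, rand_unit())
        return pow(vs, RSA_E, N)

    def h2(self, D):
        tau = self.L_H2.setdefault(D, rand_unit())
        return pow(tau, RSA_E, N)

    def h3(self, sigma, D):
        # Programmed as eta^e * y: a valid tuple on a fresh (sigma, D) leaks y^d.
        eta = self.L_H3.setdefault((sigma, D), rand_unit())
        return pow(eta, RSA_E, N) * self.y % N

    def extract(self, s, m, sigma, D):
        """Equation (21)/(22): x = (s * varsigma * eta)^{-1} * tau mod n, so x^e = y."""
        if (sigma, D) in self.L_x:
            return None   # coin issued by the oracle: its H_3 was not programmed with y
        vs, tau, eta = self.L_H1[m], self.L_H2[D], self.L_H3[(sigma, D)]
        return pow(s * vs * eta, -1, N) * tau % N


def verify(sim, s, m, sigma, D):
    """Scheme verification: s^e * H_1^2(m) * H_3(sigma, D) = H_2(D) (mod n)."""
    lhs = pow(s, RSA_E, N) * sim.h1_squared(m) * sim.h3(sigma, D) % N
    return lhs == sim.h2(D)


def issuance_identity(alpha):
    """Step (6) of the e-cash oracle: (alpha*beta*tau^e)^d == (b*eta)^{-1} * tau mod n."""
    eta, b, tau = rand_unit(), rand_unit(), rand_unit()
    beta = pow(pow(b, RSA_E, N) * alpha * pow(eta, RSA_E, N), -1, N)
    t = pow(alpha * beta * pow(tau, RSA_E, N) % N, RSA_D, N)
    return t == pow(b * eta, -1, N) * tau % N


def hypothetical_forger(sim, m, sigma, D):
    """Stands in for an adversary that wins FG-2/TG; it is handed d only for the demo."""
    h = sim.h1_squared(m) * sim.h3(sigma, D) % N
    return pow(pow(h, -1, N) * sim.h2(D) % N, RSA_D, N)


def run_reduction():
    """Returns (forged tuple verifies, extracted x satisfies x^e == y)."""
    x_secret = rand_unit()
    y = pow(x_secret, RSA_E, N)          # RSA-inversion challenge handed to S
    sim = Simulator(y)
    m, sigma, date = "coin-msg", "enc(ID, r_j)", 20141231   # constructed values
    s = hypothetical_forger(sim, m, sigma, date)
    ok = verify(sim, s, m, sigma, date)
    x = sim.extract(s, m, sigma, date)
    return ok, pow(x, RSA_E, N) == y


if __name__ == "__main__":
    print(run_reduction(), issuance_identity(12345))
```

`run_reduction()` returns `(True, True)`: the tuple satisfies the scheme's verification equation, and the value the simulator reads off its lists is the RSA inverse of the challenge. The point of the design is that the simulator never uses $d$ itself; everything it needs is the bookkeeping in $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$ plus the algebra of equation (21).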
4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has already been spent in a previous transaction, any further spending is detected immediately by the double-spending check. In an offline e-cash model, however, the merchant may first accept a transaction involving a double-spent e-cash and only perform the double-spending check later. In this case the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two properties:

(i) No one except the real owner can successfully spend a fresh and valid offline e-cash.

(ii) No one can successfully double-spend an e-cash.

Together these are referred to as the e-cash no-swindling property. In this section we define the no-swindling property and formally prove that our scheme is secure against swindling attacks.
Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $\mathcal{O}_{off}$ is an oracle that shows the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively.

$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{SWG\text{-}1}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{SWG\text{-}2}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.
Experiment $\mathrm{Exp}^{SWG\text{-}1}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b} H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\bigr) H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ was never a query to $\mathcal{O}_{off}$
  else return 0
Algorithm 6: Experiment SWG-1.

Experiment $\mathrm{Exp}^{SWG\text{-}2}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b} H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\bigr) H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{off}$ only once
    (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ was not obtained from $\mathcal{O}_{off}$
  else return 0
Algorithm 7: Experiment SWG-2.
Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually, $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. For consistency, $\mathcal{S}$ maintains a list $L_{H_4}$ to record every response of $\mathcal{O}_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we describe the simulations for the two experiments $\mathrm{Exp}^{SWG\text{-}1}_{\mathcal{A}}$ and $\mathrm{Exp}^{SWG\text{-}2}_{\mathcal{A}}$ individually.
The simulation for $\mathrm{Exp}^{SWG\text{-}1}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially, $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
  (a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
  (b) if $i = \nu$: (1) compute $(w_1 = (y^*)^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
  (c) if $i \neq \nu$: (1) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
  (d) prepare $s = \bigl((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
  (e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{off}$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it will look up the list $L_B$:
  (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
  (b) otherwise, $\mathcal{O}_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $L_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*}$, $\mathcal{S}$ can derive

$$x^* = (r_1^*)^{-1} \bigl(x_1^* H_4(r_u^*, r_s^*) + s'^*\bigr) \bmod q \qquad (24)$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

[Figure 9: The proof model of SWG-1 (diagram not reproduced; it shows $\mathcal{A}$ obtaining coins from $\mathcal{O}_B$, with $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$ at the $\nu$-th query, opening them through $\mathcal{O}_{off}$, and $\mathcal{S}$ extracting $x^*$ by equation (24) from the swindled tuple).]
The simulation for $\mathrm{Exp}^{SWG\text{-}2}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially, $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
  (a) if $i = \nu$:
    (1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
    (2) compute $(y_1 = (y^*)^{x_1} \bmod p)$ and $(w_1 = y_1^u g^{s'} \bmod p)$;
    (3) prepare $s = \bigl((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
    (4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $L_B$;
  (b) if $i \neq \nu$:
    (1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
    (2) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
    (3) prepare $s = \bigl((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
    (4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$;
  (c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{off}$. A status parameter $sta$ is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it will look up the list $L_B$:
  (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and $sta = 0$, $\mathcal{O}_{off}$ will perform the following procedures:
    (1) set $sta = 1$;
    (2) retrieve the corresponding $(u, s')$ from $L_B$ and choose a random $r_u$;
    (3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $L_H$;
    (4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $L_{off}$;
    (5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
  (b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $L_H$, compute $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
  (c) otherwise, abort.

(iii) Oracle $\mathcal{O}_{H_4}$. When $\mathcal{A}$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ will check the list $L_H$:
  (a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ will retrieve the corresponding $u$ and return it to $\mathcal{A}$;
  (b) otherwise, $\mathcal{O}_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $L_H$, and return $u$ to $\mathcal{A}$.

[Figure 10: The proof model of SWG-2 (diagram not reproduced; it shows the $\nu$-th coin built with $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^u g^{s'} \bmod p$, the single $\mathcal{O}_{off}$ opening with $H_4(r_u, r_s) = u$ stored in $L_H$ and the tuple stored in $L_{off}$, and $\mathcal{S}$ extracting $x^*$ by equation (26) from the second opening).]

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $L_B$, and $H_4(r_u^*, r_s^*) = u^*$. Then, via $L_H$, since

$$\bigl(y^{*x_1^*}\bigr)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \bigl(y^{*x_1^*}\bigr)^{u} g^{s'} \pmod p, \qquad (25)$$

$\mathcal{S}$ can derive

$$x^* = \bigl(x_1^*(u^* - u)\bigr)^{-1} (s' - s'^*) \bmod q \qquad (26)$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. It follows that there exists no PPT adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
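The two extractions in this proof, equation (24) for SWG-1 and equation (26) for SWG-2, are short modular-arithmetic identities that are easy to check mechanically. The following Python block is an added illustration, not code from the paper. It uses a constructed toy group ($p = 2039 = 2q + 1$ with $q = 1019$ prime and $g = 4$ generating the order-$q$ subgroup) and a fixed random seed; the "winning adversary" is simulated with knowledge of $x^*$ so that the extractor, which never sees $x^*$, can be checked against it. The $\nu$-th coin is built exactly as $\mathcal{O}_B$ builds it in each simulation, and $H_4$ is replaced by a fresh random challenge.

```python
"""Discrete-log extractors of the SWG-1 / SWG-2 reductions (added illustration)."""
import random

# Constructed toy group: p = 2q + 1, g of prime order q. Demonstration sizes only.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1     # g generates the order-q subgroup

rng = random.Random(7)   # fixed seed: repeatable demonstration


def h4_random():
    """Stand-in for the random oracle H_4: a fresh challenge in Z_q."""
    return rng.randrange(1, Q)


def extract_swg1(r1_star, x1_star, u_star, s_prime_star):
    """Equation (24): x* = (r1*)^{-1} (x1* * H4(ru*, rs*) + s'*) mod q."""
    return pow(r1_star, -1, Q) * (x1_star * u_star + s_prime_star) % Q


def extract_swg2(x1_star, u, s_prime, u_star, s_prime_star):
    """Equation (26): x* = (x1* (u* - u))^{-1} (s' - s'*) mod q; requires u != u*."""
    return pow(x1_star * (u_star - u) % Q, -1, Q) * (s_prime - s_prime_star) % Q


def swg1_round(x_star):
    """SWG-1, nu-th coin: w1 = (y*)^{r1}, y1 = g^{x1}. The adversary opens w1 under a
    fresh H4 value u* (which it can only do by knowing x*). Returns
    (opening verifies, extracted value)."""
    y_star = pow(G, x_star, P)
    r1, x1 = rng.randrange(1, Q), rng.randrange(1, Q)
    w1 = pow(y_star, r1, P)               # S's programming of the target coin
    y1 = pow(G, x1, P)
    u_star = h4_random()
    # Adversary (knows x*): w1 = g^{x* r1} must equal y1^{u*} g^{s'*}, so s'* = x* r1 - x1 u*
    s_prime_star = (x_star * r1 - x1 * u_star) % Q
    opens = w1 == pow(y1, u_star, P) * pow(G, s_prime_star, P) % P
    return opens, extract_swg1(r1, x1, u_star, s_prime_star)


def swg2_round(x_star):
    """SWG-2, nu-th coin: y1 = (y*)^{x1}, w1 = y1^u g^{s'}. O_off opens it once with
    (u, s'); a second opening (u*, s'*) of the same w1 (a double spend) gives the
    extractor two equations. Returns (both openings verify, extracted value)."""
    y_star = pow(G, x_star, P)
    x1, u, s_prime = rng.randrange(1, Q), rng.randrange(1, Q), rng.randrange(1, Q)
    y1 = pow(y_star, x1, P)
    w1 = pow(y1, u, P) * pow(G, s_prime, P) % P
    first = w1 == pow(y1, u, P) * pow(G, s_prime, P) % P
    u_star = h4_random()
    while u_star == u:                     # (26) needs u* != u
        u_star = h4_random()
    # Adversary (knows x*): log_g(w1) = x* x1 u + s' = x* x1 u* + s'*
    s_prime_star = (x_star * x1 * u + s_prime - x_star * x1 * u_star) % Q
    second = w1 == pow(y1, u_star, P) * pow(G, s_prime_star, P) % P
    return first and second, extract_swg2(x1, u, s_prime, u_star, s_prime_star)


if __name__ == "__main__":
    print(swg1_round(123), swg2_round(777))
```

Both round functions return `(True, x_star)`: the adversary's openings pass the $w_1 = y_1^{H_4(r_u, r_s)} g^{s'}$ check, and the extractor recovers $x^*$ from nothing but the values recorded in $L_B$, $L_H$, and the tuple output by the adversary. The `while` loop in `swg2_round` makes the $u \neq u^*$ requirement of equation (26) explicit; with a real random oracle this collision happens with probability $1/q$.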
5. E-Cash Advanced Features and Performance Comparisons

In this section we compare the e-cash features and performance of our proposed scheme with the schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of these schemes and summarize the results in Table 1.

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Beyond these, the literature discusses further advanced features of e-cash systems. We focus on three of them, traceability, date attachability, and no-swindling, and compare the proposed scheme with the aforementioned schemes on each.

We also propose an e-cash renewal protocol that lets users exchange their unused but expired e-cash(s) for a new valid e-cash, so users do not have to deposit an e-cash before it expires and then withdraw a new one. Our renewal protocol reduces the computation cost by 49.5% compared with running the withdrawal and deposit protocols, which is almost half the effort of obtaining a new e-cash at the user side. This is a great help to users, whose devices, such as smart phones, usually have weaker computation capability.
Table 1: Advanced features and performance comparisons.

Scheme | On/off-line | Conditional-traceability | Date attachability | No-swindling | Renewal protocol | Formal proof | Transaction cost⋆ | Communication cost (bytes)
Ours   | Off | Yes | Yes | Yes | Yes | Yes | 5E + 7M + 7H + 1inv + 1A ≈ 1454M   | 1092
[38]   | Off | Yes | No  | No  | —   | Yes | 14E + 14M + 1H + 5A ≈ 3375M        | 576
[14]   | Off | No  | No  | No  | Yes | No  | 6E + 8M ≈ 1448M                    | 1288
[15]   | Off | Yes | No  | No  | —   | Yes | 23E + 14M + 1A ≈ 5534M             | 939
[9]    | On  | No  | Yes | —   | No  | No  | 2E + 2M + 2H ≈ 966M                | 769
[21]   | Off | Yes | Yes | No  | Yes | No  | 5E + 9M + 1H + 1inv + 2A ≈ 1450M   | 644
[22]   | Off | Yes | No  | Yes | Yes | Yes | 2E ≈ 480M                          | 300
[39]   | Off | Yes | No  | No  | —   | Yes | 18E + 15M + 2H + 8A ≈ 4337M        | 828
[40]   | Off | Yes | No  | No  | —   | Yes | 31E + 22M + 6H + 10A ≈ 7468M       | 968
[13]   | On  | Yes | No  | —   | —   | Yes | 22E + 11M + 4A ≈ 5291M             | 1536
[27]   | Off | No  | Yes | No  | Yes | No  | 6E + 8M + 1H ≈ 1449M               | 728

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
Communication cost: the communication cost of each transaction at the user side, in bytes.
5.2. Performance Comparisons. According to [41], the computation cost of the operations involved can be summarized as follows. A modular exponentiation costs about 240 times as much as a modular multiplication, and a modular inversion costs almost the same as a modular exponentiation. A hash operation costs almost the same as a modular multiplication.

With the above assumptions, the total computation cost of a user during the withdrawal and payment phases of our proposed scheme is 1452 modular multiplications, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 modular multiplications to finish the withdrawal and payment phases at the user end.

According to [15], we assume the RSA parameters n, p, and q are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and one-way hash function used in all protocols, respectively; therefore the signed message and the hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending it, which is 1092 bytes per transaction.

The details of the comparisons are summarized in Table 1.
6. Conclusion

In this paper we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to each e-cash. We have also designed an e-cash renewal protocol through which users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with similar works, our scheme is efficient in terms of the computation cost at the user side while satisfying all security properties simultaneously. Besides anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank manage its huge database against unlimited growth, but it also strengthens the preservation of users' privacy and rights.
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was partially supported by the National ScienceCouncil of Taiwan under Grants NSC 102-2219-E-110-002
NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001) and Aim for the Top University Plan of the NationalSun Yat-sen University and Ministry of Education Taiwan
References
[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.
[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.
[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.
[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.
[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.
[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.
[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man, and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.
[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.
[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.
[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.
[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.
[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.
[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.
[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.
The Scientific World Journal 19
[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.
[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.
[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.
[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology - CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.
[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.
[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.
[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.
[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.
[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.
[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.
[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.
[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology - CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.
[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.
[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.
[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.
[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs - White Paper, Mobile Platform Group, Intel Corporation, 2002.
[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.
[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.
[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.
[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.
[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.
[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.
[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.
Figure 8: The proof model of TG.
Experiment $\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(l^k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l^k)$
  $(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
  $\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow \mathcal{O}_S$
  if the following two checks are true, return 1:
    (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$
    (ii) $s'^{e}\, H_1^2(m')\, H_3(\sigma', D') = H_2(D') \bmod n$
  else return 0

Algorithm 4
to record parameters from the queries of $\mathcal{A}$ and issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider Algorithm 4.

$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.
Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies the E-Cash Traceability.

Definition 12 (Alternative Formulation of RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{inv}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{inv}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5.

We say $\mathcal{A}$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\text{RSA-AKTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Theorem 13. For a polynomial-time adversary $\mathcal{A}$ who can win the tracing game TG with nonnegligible probability, there exists
Experiment $\mathrm{Exp}^{\text{RSA-AKTI}}_{\mathcal{A}}(k)$:
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
  $(y_1, \ldots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$
  $((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow \mathcal{A}^{\mathcal{O}_{inv}, \mathcal{O}_t}(N, e, k)$
  if $x_i^e \equiv y_i \pmod{N}$ for all $i \in \{1, \ldots, q_t\}$, return 1
  else return 0

Algorithm 5
another adversary $\mathcal{S}$ who can break the RSA-AKTI problem with nonnegligible probability.

Proof. $\mathcal{S}$ simulates the environment of DAOECS by controlling three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ to respond to hash queries and an e-cash producing oracle $\mathcal{O}_S$ of DAOECS to respond to e-cash producing queries from $\mathcal{A}$, respectively, in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the RSA-AKTI problem. Then, for consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.

Besides, in the proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{inv}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12 to help $\mathcal{S}$ produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.

Here we will do the simulation for game TG to prove that DAOECS satisfies the e-cash traceability. Details are described as follows.
(i) $H_1$ Query of $\mathcal{O}_{H_1}$
Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^e \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^e \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m_i) = \rho$, records $(m, H_1(m_i), \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$
When $\mathcal{A}$ asks an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$
While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will query $\mathcal{O}_t$ to get an instance $y$ and record $y$ and $((\sigma, D), y)$ in $\mathcal{L}_T$ and $\mathcal{L}_{H_3}$, respectively;
(c) return $y$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$
While $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv ((b\eta)^{-1} \tau) \pmod{n}$;
(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.
Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of any $\mathcal{O}_S$ query, such that $s'^{e}\, H_1^2(m')\, H_3(\sigma', D') \equiv H_2(D') \pmod{n}$; then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can derive

$$(y')^d \equiv (H_3(\sigma', D'))^d \equiv s'^{-1} \left(H_1^2(m')^{-1} H_2(D')\right)^d \equiv s'^{-1} \varsigma'^{-1} \tau' \pmod{n}. \tag{22}$$

Let $|\mathcal{L}_T| = q_t$ and $\mathcal{L}_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends $y_i \in (\mathcal{L}_T - \{y'\})$, $1 \le i \le (q_t - 1)$, to $\mathcal{O}_{inv}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$.

Eventually $\mathcal{S}$ can output $q_t$ RSA-inversion instances

$$(x_1, y_1),\ (x_2, y_2),\ \ldots,\ (x_{q_t - 1}, y_{q_t - 1}),\ \left((s'^{-1} \varsigma'^{-1} \tau'),\ y'\right) \tag{23}$$

after querying $\mathcal{O}_{inv}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
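The two algebraic steps this reduction rests on, step (6) of the $\mathcal{O}_S$ simulation and the extraction in (22), carried out on a toy RSA modulus as an added example (not code from the paper): the hash functions are the simulator's programmed tables rather than real hashes, the modulus is built from two constructed six-digit primes, and the stand-in forger is lent $d$ only so that the toy can produce a valid forgery at all.

```python
"""Toy walk-through of the reduction in the proof of Theorem 13.

Added illustration, not code from the paper.  The RSA modulus is
constructed from two small primes, the hash functions H1^2, H2, H3 are
the simulator's programmed tables (not real hashes), and an e-cash is
verified with the check from Algorithm 4:
    s^e * H1^2(m) * H3(sigma, D) == H2(D)   (mod n)
"""
import math
import random

# Constructed toy RSA key (six-digit primes, far too small for real use).
P, Q = 999983, 1000003
N = P * Q
E = 65537
D_PRIV = pow(E, -1, (P - 1) * (Q - 1))   # stands in for the O_inv oracle

rng = random.Random(2014)                # fixed seed: reproducible run


def rand_unit():
    """Random element of Z_n^*, so every inverse taken below exists."""
    while True:
        v = rng.randrange(2, N)
        if math.gcd(v, N) == 1:
            return v


class Simulator:
    """S from the proof.  For H1^2 and H2 it knows e-th roots (varsigma,
    tau); for H3 it stores target instances y whose root it must not use."""

    def __init__(self):
        self.h1sq = {}   # m          -> varsigma, H1^2(m)      = varsigma^e mod n
        self.h2 = {}     # D          -> tau,      H2(D)        = tau^e mod n
        self.h3 = {}     # (sigma, D) -> y,        H3(sigma, D) = y (from O_t)

    def H1sq(self, m):
        return pow(self.h1sq.setdefault(m, rand_unit()), E, N)

    def H2(self, D):
        return pow(self.h2.setdefault(D, rand_unit()), E, N)

    def H3(self, sigma, D):
        return self.h3.setdefault((sigma, D), rand_unit())


def simulate_os_query(sim, alpha, D, sigma):
    """Steps (3)-(6) of the O_S simulation.  Returns t computed as
    (b*eta)^{-1} * tau, plus what O_inv would return for (alpha*beta*tau^e)^d,
    so the identity claimed in step (6) can be checked."""
    eta, b = rand_unit(), rand_unit()
    sim.h3[(sigma, D)] = alpha * pow(eta, E, N) % N                     # (3)
    beta = pow(pow(b, E, N) * alpha % N * pow(eta, E, N) % N, -1, N)    # (4)
    tau = sim.h2.setdefault(D, rand_unit())                             # (5)
    t = pow(b * eta % N, -1, N) * tau % N                               # (6)
    via_oinv = pow(alpha * beta % N * pow(tau, E, N) % N, D_PRIV, N)
    return t, via_oinv


def verify_ecash(sim, s, m, sigma, D):
    """Check (ii) of Algorithm 4."""
    return pow(s, E, N) * sim.H1sq(m) % N * sim.H3(sigma, D) % N == sim.H2(D)


def forge_ecash(sim, m, sigma, D):
    """Stand-in for the adversary A.  The toy lends it d so that it can
    output a valid (s, m, sigma, D) on a sigma never issued by O_S."""
    rhs = sim.H2(D) * pow(sim.H1sq(m) * sim.H3(sigma, D) % N, -1, N) % N
    return pow(rhs, D_PRIV, N)           # s = (H2(D) / (H1^2(m) H3))^d


def extract_inversion(sim, s, m, sigma, D):
    """Equation (22): y'^d = s'^{-1} varsigma'^{-1} tau' mod n, read off the
    lists L_H1, L_H2, L_H3 without any use of d.  Returns (x, y)."""
    varsigma, tau = sim.h1sq[m], sim.h2[D]
    x = pow(s, -1, N) * pow(varsigma, -1, N) % N * tau % N
    return x, sim.h3[(sigma, D)]


if __name__ == "__main__":
    sim = Simulator()
    t, ref = simulate_os_query(sim, rand_unit(), "D=2014-05-18", "sigma_1")
    print("step (6) identity holds:", t == ref)
    s = forge_ecash(sim, "m'", "sigma'", "D'")
    x, y = extract_inversion(sim, s, "m'", "sigma'", "D'")
    print("forgery verifies:", verify_ecash(sim, s, "m'", "sigma'", "D'"))
    print("extracted x satisfies x^e = y:", pow(x, E, N) == y)
```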
4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has been spent in a previous transaction, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model, the merchant may accept a transaction involving a double-spent e-cash first and then do the double-spending check later. In this case, the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two events:
(i) no one except the real owner can spend a fresh and valid offline e-cash successfully;
(ii) no one can double spend an e-cash successfully.
Roughly, this can be referred to as the e-cash no-swindling property. In this section we will define the no-swindling property and formally prove that our scheme is secure against swindling attacks.
Definition 14 (Swindling Game in DAOECS). Let $l^k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $\mathcal{O}_{off}$ is an oracle that shows the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively.

$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}(l^k) = 1]$ or $\Pr[\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}(l^k) = 1]$ of $\mathcal{A}$ is nonnegligible.
Experiment $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}(l^k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l^k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\, H_1^2\!\left(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\right) H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ has never been a query to $\mathcal{O}_{off}$
  else return 0

Algorithm 6: Experiment SWG-1
Experiment $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}(l^k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l^k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\, H_1^2\!\left(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\right) H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{off}$ only once
    (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ is not obtained from $\mathcal{O}_{off}$
  else return 0

Algorithm 7: Experiment SWG-2
Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.
Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. Then, for consistency, $\mathcal{S}$ maintains a list $\mathcal{L}_{H_4}$ to record every response of $\mathcal{O}_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we will describe the simulations for the two experiments $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}$ and $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}$ individually.
The simulation for $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$
Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
(a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(b) if $i = \nu$: (1) compute $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
(c) if $i \neq \nu$: (1) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
(d) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $\mathcal{L}_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{off}$
When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it will look up the list $\mathcal{L}_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
(b) otherwise $\mathcal{O}_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $s' = r_1 - u x_1 \bmod q$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $\mathcal{L}_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*}$, $\mathcal{S}$ can derive

$$x^* = (r_1^*)^{-1} \left(x_1^* H_4(r_u^*, r_s^*) + s'^*\right) \bmod q \tag{24}$$
Figure 9: The proof model of SWG-1.
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\, \epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

The simulation for $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$
Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
(a) if $i = \nu$:
  (1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
  (2) compute $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$;
  (3) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
  (4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $\mathcal{L}_B$;
(b) if $i \neq \nu$:
  (1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
  (2) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
  (3) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
  (4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $\mathcal{L}_B$;
(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{off}$
A status parameter sta is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it will look up the list $\mathcal{L}_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and sta = 0, $\mathcal{O}_{off}$ will perform the following procedures:
  (1) set sta = 1;
  (2) retrieve the corresponding $(u, s')$ from $\mathcal{L}_B$ and choose a random $r_u$;
  (3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $\mathcal{L}_H$;
  (4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $\mathcal{L}_{off}$;
  (5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, compute $s' = r_1 - u x_1 \bmod q$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(c) otherwise abort.

(iii) Oracle $\mathcal{O}_{H_4}$
While $\mathcal{A}$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ will check the list $\mathcal{L}_H$:
(a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ will retrieve the corresponding $u$ and return it to $\mathcal{A}$;
Figure 10: The proof model of SWG-2.
(b) otherwise $\mathcal{O}_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, and return $u$ to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $\mathcal{L}_B$, and $H_4(r_u^*, r_s^*) = u^*$. Then, via $\mathcal{L}_H$, since

$$\left(y^{*x_1^*}\right)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \left(y^{*x_1^*}\right)^{u} g^{s'} \pmod{p}, \tag{25}$$

$\mathcal{S}$ can derive

$$x^* = \left(x_1^* (u^* - u)\right)^{-1} (s' - s'^*) \bmod q \tag{26}$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\, \epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. It implies that there exists no p.p.t. adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
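The extraction steps (24) and (26) of the two simulations above, carried out in a small constructed group as an added example (not code from the paper): $p = 1019 = 2q + 1$ with $q = 509$ and $g = 4$ of order $q$, only the $(w_1, y_1, s', H_4)$ part of the e-cash tuple is modelled, and the stand-in swindler is handed $x^*$ so that the toy can produce a winning tuple at all; what is shown is that $\mathcal{S}$ recovers $x^*$ from that tuple using only what it stored in $\mathcal{L}_B$ and $\mathcal{L}_H$.

```python
"""Toy walk-through of the discrete-log extraction in the proof of Theorem 16.

Added illustration, not code from the paper.  Constructed group: the safe
prime p = 1019 = 2q + 1 with q = 509 and g = 4 of order q.  The challenge
is y* = g^{x*} mod p.  Only the (w1, y1, s', H4) part of the e-cash tuple
is modelled; the RSA part (s, H1, H2, H3) is untouched by the reduction
and left out.  The "swindler" functions are stand-ins for A: they are
handed x* so that the toy can produce a winning tuple at all; the point
shown is that S recovers x* from that tuple using only what it stored.
"""
import random

P, Q, G = 1019, 509, 4
rng = random.Random(7)


def inv_q(a):
    return pow(a % Q, -1, Q)


def opening_valid(w1, y1, u, s_prime):
    """The w1 relation inside check (i) of Algorithms 6 and 7:
    w1 == y1^{H4(r_u, r_s)} * g^{s'} (mod p), with u = H4(r_u, r_s)."""
    return w1 == pow(y1, u, P) * pow(G, s_prime, P) % P


# ---- SWG-1: the target cash embeds y* in w1 -------------------------------
def swg1_target_cash(y_star):
    """O_B on the nu-th query: w1 = (y*)^{r1}, y1 = g^{x1}; S keeps (r1, x1)."""
    r1, x1 = rng.randrange(1, Q), rng.randrange(1, Q)
    return (pow(y_star, r1, P), pow(G, x1, P)), (r1, x1)


def swg1_swindler(x_star, r1, x1, u):
    """A opens the target cash: s' with w1 = y1^u g^{s'}, i.e. x* r1 = x1 u + s'."""
    return (x_star * r1 - x1 * u) % Q


def swg1_extract(r1, x1, u, s_prime):
    """Equation (24): x* = (r1)^{-1} (x1 H4(r_u, r_s) + s') mod q."""
    return inv_q(r1) * (x1 * u + s_prime) % Q


# ---- SWG-2: the target cash embeds y* in y1, H4 is programmed -------------
def swg2_target_cash(y_star):
    """O_B on the nu-th query: y1 = (y*)^{x1}, w1 = y1^u g^{s'};
    S keeps (u, s') and later sets H4(r_u, r_s) = u for the first opening."""
    s_prime, u, x1 = (rng.randrange(1, Q) for _ in range(3))
    y1 = pow(y_star, x1, P)
    w1 = pow(y1, u, P) * pow(G, s_prime, P) % P
    return (w1, y1), (u, s_prime, x1)


def swg2_swindler(x_star, x1, u, s_prime, u_star):
    """A's second opening of the same cash under a fresh hash value u*:
    needs s'* with x* x1 u* + s'* == x* x1 u + s' (mod q)."""
    return (x_star * x1 * (u - u_star) + s_prime) % Q


def swg2_extract(x1, u, s_prime, u_star, s_prime_star):
    """Equation (26): x* = (x1 (u* - u))^{-1} (s' - s'*) mod q."""
    return inv_q(x1 * (u_star - u)) * (s_prime - s_prime_star) % Q


if __name__ == "__main__":
    x_star = rng.randrange(1, Q)
    y_star = pow(G, x_star, P)
    (w1, y1), (r1, x1) = swg1_target_cash(y_star)
    u = rng.randrange(1, Q)                     # H4(r_u, r_s) in SWG-1
    sp = swg1_swindler(x_star, r1, x1, u)
    print("SWG-1 opening valid:", opening_valid(w1, y1, u, sp))
    print("SWG-1 recovered x*:", swg1_extract(r1, x1, u, sp) == x_star)
    (w1, y1), (u, sp, x1) = swg2_target_cash(y_star)
    u_star = (u + 1) % Q                        # any u* != u
    sps = swg2_swindler(x_star, x1, u, sp, u_star)
    print("SWG-2 both openings valid:",
          opening_valid(w1, y1, u, sp) and opening_valid(w1, y1, u_star, sps))
    print("SWG-2 recovered x*:", swg2_extract(x1, u, sp, u_star, sps) == x_star)
```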
5. E-Cash Advanced Features and Performance Comparisons

In this section we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and form a table (Table 1) for the summary.

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these features, there can be other advanced features of an e-cash system discussed in the literature. We focus on three other advanced features, which are traceability, date attachability, and no-swindling, and we compare the proposed scheme with the aforementioned schemes.

We also propose an e-cash renewal protocol for users to exchange their unused but expired e-cash(s) for a new valid e-cash; therefore users do not have to deposit the e-cash before it expires and withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. It is a great help to the users since their devices, such as smart phones, usually have weaker computation capability.
The Scientific World Journal 17
Table 1: Advanced features and performance comparisons.

| | Ours | [38] | [14] | [15] | [9] | [21] | [22] | [39] | [40] | [13] | [27] |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Advanced features | | | | | | | | | | | |
| On/off-line | Off | Off | Off | Off | On | Off | Off | Off | Off | On | Off |
| Conditional-traceability | Yes | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
| Date attachability | Yes | No | No | No | Yes | Yes | No | No | No | No | Yes |
| No-swindling | Yes | No | No | No | — | No | Yes | No | No | — | No |
| Renewal protocol | Yes | — | Yes | — | No | Yes | Yes | — | — | — | Yes |
| Formal proof | Yes | Yes | No | Yes | No | No | Yes | Yes | Yes | Yes | No |
| Performance | | | | | | | | | | | |
| Transaction cost⋆ | 5E + 7M + 7H + 1inv + 1A ≈ 1454M | 14E + 14M + 1H + 5A ≈ 3375M | 6E + 8M ≈ 1448M | 23E + 14M + 1A ≈ 5534M | 2E + 2M + 2H ≈ 966M | 5E + 9M + 1H + 1inv + 2A ≈ 1450M | 2E ≈ 480M | 18E + 15M + 2H + 8A ≈ 4337M | 31E + 22M + 6H + 10A ≈ 7468M | 22E + 11M + 4A ≈ 5291M | 6E + 8M + 1H ≈ 1449M |
| Communication cost† (bytes) | 1092 | 576 | 1288 | 939 | 769 | 644 | 300 | 828 | 968 | 1536 | 728 |

Notes. According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
† The communication cost of each transaction at the user side, in bytes.
5.2 Performance Comparisons. According to [41], the computation costs of the operations can be summarized as follows: a modular exponentiation costs about 240 times a modular multiplication, a modular inversion costs about the same as a modular exponentiation, and a hash operation costs about the same as a modular multiplication.

Under these assumptions, the total user-side computation cost of the withdrawal and payment phases of our scheme is about 1454 modular multiplications (5E + 7M + 7H + 1inv, see Table 1), while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 modular multiplications, respectively (in the column order of Table 1), to finish the withdrawal and payment phases at the user end.

According to [15], we assume the RSA parameters n, p, q are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and one-way hash function used in all protocols, so an encrypted block is 128 bits and a hash digest is 160 bits. We assume the expiration date is 32 bits.

With these assumptions we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending it, i.e., (2048 + 6688)/8 = 1092 bytes per transaction.

The details of the comparisons are summarized in Table 1.
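As an added check (example code, not from the paper), the following Python recomputes the M-equivalent totals of Table 1 from the listed operation counts under the [41] cost model, derives the per-transaction byte count of Section 5.2, and measures on the local machine how a modular exponentiation actually compares with a modular multiplication in Python's bignum arithmetic. The scheme rows are copied from Table 1; the timing loop and its operand sizes are this example's own choices. Every row except [9] reproduces its printed total; the operations listed for [9] (2E + 2M + 2H) sum to 484M, not the printed 966M, which the table above keeps as printed.

```python
"""Recompute Table 1's M-equivalent costs and sanity-check the E ~= 240M assumption.
Added example; not code from the paper."""
import secrets
import time

# Cost model of [41] as used in Section 5.2: H ~= M, E ~= inv ~= 240M, A negligible.
COST = {"E": 240, "M": 1, "H": 1, "inv": 240, "A": 0}

# User-side operation counts per scheme, copied from the "Transaction cost" row of Table 1.
TABLE1 = {
    "Ours": {"E": 5, "M": 7, "H": 7, "inv": 1, "A": 1},
    "[38]": {"E": 14, "M": 14, "H": 1, "A": 5},
    "[14]": {"E": 6, "M": 8},
    "[15]": {"E": 23, "M": 14, "A": 1},
    "[9]": {"E": 2, "M": 2, "H": 2},
    "[21]": {"E": 5, "M": 9, "H": 1, "inv": 1, "A": 2},
    "[22]": {"E": 2},
    "[39]": {"E": 18, "M": 15, "H": 2, "A": 8},
    "[40]": {"E": 31, "M": 22, "H": 6, "A": 10},
    "[13]": {"E": 22, "M": 11, "A": 4},
    "[27]": {"E": 6, "M": 8, "H": 1},
}
# The approximate totals printed in Table 1, for comparison.
PRINTED = {"Ours": 1454, "[38]": 3375, "[14]": 1448, "[15]": 5534, "[9]": 966,
           "[21]": 1450, "[22]": 480, "[39]": 4337, "[40]": 7468, "[13]": 5291, "[27]": 1449}


def m_equivalent(ops: dict, cost: dict = COST) -> int:
    """Total cost in modular multiplications for a dict of operation counts."""
    return sum(cost[op] * n for op, n in ops.items())


def recompute_table1() -> dict:
    """Map each scheme to (recomputed total, printed total)."""
    return {k: (m_equivalent(v), PRINTED[k]) for k, v in TABLE1.items()}


def mismatched_rows() -> list:
    """Schemes whose printed total is not reproduced by their own operation counts."""
    return [k for k, (calc, printed) in recompute_table1().items() if calc != printed]


def comm_bytes(withdraw_bits: int, spend_bits: int) -> int:
    """Per-transaction communication cost in bytes, as Section 5.2 computes it."""
    return (withdraw_bits + spend_bits) // 8


def measure_exp_to_mul_ratio(bits: int = 1024, reps: int = 200) -> float:
    """Time pow(a, x, n) against (a * b) % n for random 'bits'-bit operands and
    return the observed ratio E/M. Absolute numbers depend on the machine and on
    Python's bignum implementation, so treat this as an order-of-magnitude check
    of the 240x figure rather than a measurement of any particular library."""
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1      # odd modulus with top bit set
    a, b, x = (secrets.randbelow(n) for _ in range(3))
    t0 = time.perf_counter()
    for _ in range(reps):
        pow(a, x, n)
    t_exp = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(reps):
        (a * b) % n
    t_mul = time.perf_counter() - t0
    return t_exp / t_mul if t_mul > 0 else float("inf")


if __name__ == "__main__":
    for scheme, (calc, printed) in recompute_table1().items():
        flag = "" if calc == printed else "  <-- does not match the listed operations"
        print(f"{scheme:5s} recomputed {calc:5d}M  printed {printed:5d}M{flag}")
    print("communication cost (bytes):", comm_bytes(2048, 6688))
    print(f"observed E/M ratio on this machine: {measure_exp_to_mul_ratio():.0f}")
```

The measured ratio is normally far above 240 in pure Python, because a square-and-multiply exponentiation with a full-size exponent performs on the order of 1.5 × (bit length) multiplications; the 240M figure of [41] assumes short exponents or optimized arithmetic, so user-side cost estimates built on it should be read as relative, not absolute.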
6 Conclusion

In this paper we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to each e-cash. We have also designed an e-cash renewal protocol with which users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with similar works, our scheme is efficient in terms of user-side computation cost while satisfying all the security properties simultaneously. In addition to anonymity, unlinkability, unforgeability, and no double-spending, we formally prove that our scheme achieves conditional-traceability and no-swindling. Our scheme not only helps the bank keep its database from growing without bound but also strengthens the preservation of users' privacy and rights.
Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSU-KMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.
References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.
[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.
[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.
[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.
[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.
[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.
[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man, and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.
[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.
[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.
[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.
[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.
[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.
[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.
[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.
[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.
[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.
[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.
[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology: CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.
[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.
[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.
[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.
[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.
[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.
[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.
[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.
[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology: CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.
[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.
[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.
[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.
[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs: White Paper, Mobile Platform Group, Intel Corporation, 2002.
[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.
[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.
[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.
[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.
[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.
[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.
[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.
Besides, in the proof model S is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12, which help S produce valid e-cash(s); the corresponding verifying key is $(e, n)$.

Here we carry out the simulation for game TG to prove that DAOECS satisfies e-cash traceability. The details are as follows.
(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ is represented as $(\perp, \perp, \perp)$. When A sends $m$ to query the hash value $H_1(m)$, S checks the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then S retrieves the corresponding $H_1(m_i)$ and returns it to A;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then S retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^e \bmod n)$ to A;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then S chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^e \bmod n)$, returns $H_1^2(m_i)$ to A, and then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
(d) otherwise S selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, H_1(m), \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to A.
Here $H_1^2(m_i)$ denotes $H_1(H_1(m_i))$: case (b) answers a second-level query whose $e$-th root $\varsigma_i$ S already knows, and case (c) one that has not been assigned yet, so that every $H_1^2$ value S hands out has a known $e$-th root.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When A asks an $H_2$ query by sending $D$ to S, S looks up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau_i$ is retrieved and S sends $(\tau_i^e \bmod n)$ back to A;
(b) otherwise S selects a random $\tau \in \mathbb{Z}_n$, records $(D, \tau)$ in $\mathcal{L}_{H_2}$, and returns $(\tau^e \bmod n)$ to A.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When A sends $(\sigma, D)$ to S for $H_3(\sigma, D)$, S looks up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ is retrieved and returned to A;
(b) otherwise S queries $\mathcal{O}_t$ to get an instance $y$ and records $y$ and $((\sigma, D), y)$ in $\mathcal{L}_T$ and $\mathcal{L}_{H_3}$, respectively;
(c) S returns $y$ to A.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. When A sends $(\alpha, \epsilon, D)$ to S, S does the following steps:
(1) decrypt $\epsilon$ to obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = \tau^e$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv (b\eta)^{-1}\tau \pmod n$, which requires no knowledge of $d$ because $\alpha\beta\tau^e = ((b\eta)^{-1}\tau)^e$;
(7) return $(t, E_k(b, \sigma, r_j))$ to A.
Assume that A successfully outputs an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as part of any $\mathcal{O}_S$ query, such that
$$ s'^{\,e}\, H_1^2(m')\, H_3(\sigma', D') \equiv H_2(D') \pmod n. $$
Then, by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, S can derive
$$ (y')^d \equiv \bigl(H_3(\sigma', D')\bigr)^d \equiv s'^{-1}\bigl(H_1^2(m')^{-1} H_2(D')\bigr)^d \equiv s'^{-1}\,\varsigma'^{-1}\,\tau' \pmod n, \quad (22) $$
where $H_1^2(m') = \varsigma'^e$ and $H_2(D') = \tau'^e$ are read from the lists.

Let $|\mathcal{L}_T| = q_t$ and $\mathcal{L}_T = \{y_1, \dots, y_{q_t}\}$, numbered so that $y' = y_{q_t}$. S sends every $y_i \in (\mathcal{L}_T - \{y'\})$, $1 \le i \le q_t - 1$, to $\mathcal{O}_{\mathrm{inv}}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$. Eventually S outputs $q_t$ RSA-inversion instances
$$ (x_1, y_1),\ (x_2, y_2),\ \dots,\ (x_{q_t-1}, y_{q_t-1}),\ \bigl(s'^{-1}\varsigma'^{-1}\tau',\ y'\bigr) \quad (23) $$
after querying $\mathcal{O}_{\mathrm{inv}}$ only $q_h = q_t - 1 < q_t$ times, and thus breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_A$.
4.4 E-Cash No-Swindling. In typical online e-cash transactions, once an e-cash has been spent, any further spending of it is detected immediately by the double-spending check. In an offline e-cash model, however, the merchant may accept a transaction involving a double-spent e-cash first and run the double-spending check later, so the original owner of the e-cash may suffer a loss. Therefore a secure offline e-cash scheme should guarantee the following two events:
(i) no one except the real owner can spend a fresh and valid offline e-cash successfully;
(ii) no one can double spend an e-cash successfully.
Together these are referred to as the e-cash no-swindling property. In this section we define the no-swindling property and formally prove that our scheme is secure against swindling attacks.
Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and A be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to A. $\mathcal{O}_{\mathrm{off}}$ is an oracle that returns the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ used for payment, on input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively. A wins the game if $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_A(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_A(l_k) = 1]$ is nonnegligible.
Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_A(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow A^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\, H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\bigr)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ was never queried to $\mathcal{O}_{\mathrm{off}}$
  else return 0

Algorithm 6: Experiment SWG-1.
Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_A(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow A^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\, H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\bigr)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ may be queried to $\mathcal{O}_{\mathrm{off}}$ at most once
    (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ was not obtained from $\mathcal{O}_{\mathrm{off}}$
  else return 0

Algorithm 7: Experiment SWG-2.
Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. If a polynomial-time adversary A can win the swindling game SWG with nonnegligible probability, then there exists another adversary S who can solve the discrete logarithm problem with nonnegligible probability.
Proof. Consider the swindling game defined in Definition 14. S simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$, which answers the hash queries on $H_4$ of DAOECS in the random oracle model, and eventually uses A's capability to solve the discrete logarithm problem. For consistency, S maintains a list $\mathcal{L}_{H_4}$ recording every response of $\mathcal{O}_{H_4}$. S is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$ with $x^*$ unknown to S). We describe the simulations for the two experiments $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_A$ and $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_A$ individually.
The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_A$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially S guesses that the generic e-cash produced by the $\nu$-th query will be the attack target. When A sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ does the following:
(a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(b) if $i = \nu$: compute $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
(c) if $i \neq \nu$: compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
(d) prepare $s = \bigl((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $\mathcal{L}_B$ and return $(s, m, \sigma, D)$ to A.

(ii) Oracle $\mathcal{O}_{\mathrm{off}}$. When A sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it looks up the list $\mathcal{L}_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort (for the target e-cash S does not know $\log_g w_1 = x^* r_1$ and cannot produce the expansion);
(b) otherwise $\mathcal{O}_{\mathrm{off}}$ retrieves the corresponding $(r_1, x_1)$, chooses a random $r_u$, computes $u = H_4(r_u, r_s)$ and $s' = r_1 - u x_1 \bmod q$, and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to A.
Assume that A successfully outputs a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$ where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $\mathcal{L}_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*} \bmod p$ with $y_1^* = g^{x_1^*}$, comparing exponents gives $x^* r_1^* \equiv x_1^* H_4(r_u^*, r_s^*) + s'^* \pmod q$, so S can derive
$$ x^* = (r_1^*)^{-1}\bigl(x_1^* H_4(r_u^*, r_s^*) + s'^*\bigr) \bmod q \quad (24) $$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_A$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries (the factor $1/q_{\mathcal{O}_B}$ is the probability that the guess $\nu$ is correct).

Figure 9: The proof model of SWG-1. A requests the $i$-th e-cash from $\mathcal{O}_B$, which embeds $w_1 = (y^*)^{r_1}$, $y_1 = g^{x_1}$ in the $\nu$-th one; A obtains expansions $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, r_u, s')$ from $\mathcal{O}_{\mathrm{off}}$ and finally outputs the swindled tuple, from which S computes $x^* = (r_1^*)^{-1}(x_1^* H_4(r_u^*, r_s^*) + s'^*) \bmod q$.
The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_A$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially S guesses that the generic e-cash produced by the $\nu$-th query will be the attack target. When A sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ does the following:
(a) if $i = \nu$:
  (1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
  (2) compute $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$;
  (3) prepare $s = \bigl((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
  (4) record $(i, (s, m, \sigma, D), (u, s'))$ in the list $\mathcal{L}_B$;
(b) if $i \neq \nu$:
  (1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
  (2) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
  (3) prepare $s = \bigl((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
  (4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $\mathcal{L}_B$;
(c) return $(s, m, \sigma, D)$ to A.

(ii) Oracle $\mathcal{O}_{\mathrm{off}}$. A status parameter sta is initialized to 0. When A sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it looks up the list $\mathcal{L}_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and sta $= 0$, $\mathcal{O}_{\mathrm{off}}$ performs the following:
  (1) set sta $= 1$;
  (2) retrieve the corresponding $(u, s')$ from $\mathcal{L}_B$ and choose a random $r_u$;
  (3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $\mathcal{L}_{H_4}$;
  (4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in the list $\mathcal{L}_{\mathrm{off}}$;
  (5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to A;
(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{\mathrm{off}}$ retrieves the corresponding $(r_1, x_1)$, chooses random $r_u$ and $u$, sets $H_4(r_u, r_s) = u$, records $((r_u, r_s), u)$ in $\mathcal{L}_{H_4}$, computes $s' = r_1 - u x_1 \bmod q$, and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to A;
(c) otherwise abort.

(iii) Oracle $\mathcal{O}_{H_4}$. When A sends $(r_u, r_s)$ to query $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ checks the list $\mathcal{L}_{H_4}$:
(a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ retrieves the corresponding $u$ and returns it to A;
Figure 10: The proof model of SWG-2. $\mathcal{O}_B$ embeds $y_1 = (y^*)^{x_1}$, $w_1 = y_1^{u} g^{s'}$ in the $\nu$-th e-cash; $\mathcal{O}_{\mathrm{off}}$ expands it once (sta $= 1$), programming $H_4(r_u, r_s) = u$ in $\mathcal{L}_{H_4}$ and recording the expansion in $\mathcal{L}_{\mathrm{off}}$; from A's second expansion $(u^*, s'^*)$ of the same e-cash, S computes $x^* = (x_1^*(u^* - u))^{-1}(s' - s'^*) \bmod q$.
(b) otherwise $\mathcal{O}_{H_4}$ chooses a random $u$, records $((r_u, r_s), u)$ in $\mathcal{L}_{H_4}$, and returns $u$ to A.
Assume that A successfully outputs a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$ where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $\mathcal{L}_B$, and $H_4(r_u^*, r_s^*) = u^*$. (Here $u^* \neq u$ except with negligible probability: if $(r_u^*, r_s^*)$ were the pair $\mathcal{O}_{\mathrm{off}}$ used, then $s'^* = s'$ would follow from $w_1^*$ being fixed, and the tuple would be the one obtained from $\mathcal{O}_{\mathrm{off}}$, which check (iii) of SWG-2 excludes.) Then, via $\mathcal{L}_{H_4}$, since
$$ \bigl(y^{*\,x_1^*}\bigr)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \bigl(y^{*\,x_1^*}\bigr)^{u} g^{s'} \pmod p, \quad (25) $$
S can derive
$$ x^* = \bigl(x_1^*(u^* - u)\bigr)^{-1}(s' - s'^*) \bmod q \quad (26) $$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_A$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

To summarize the proof models of the two experiments: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another adversary who solves the discrete logarithm problem with nonnegligible probability. Hence no ppt adversary can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
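Both extractions are special-soundness arguments for the spending relation $w_1 = y_1^{H_4(r_u, r_s)} g^{s'} \bmod p$ with $s' = r_1 - u x_1 \bmod q$. The following Python is an added example, not code from the paper or the authors: it implements that relation on a constructed toy group ($p = 2039$, $q = 1019$, $g = 4$, with SHA-256 reduced mod $q$ standing in for $H_4$), plays the honest owner, and then exercises eq. (24) and eq. (26) by letting a stand-in forger who happens to know $x^*$ produce the swindled expansions that the simulators expect. It also shows, beyond the two equations on the page but by the same algebra, that two honest expansions of one e-cash under different challenges reveal the owner's $x_1$, which is what ties double-spending to a traceable secret. Function names such as `expand`, `extract_swg1`, and `forge_swg2` are this example's own.

```python
"""Spending relation of DAOECS and the DL extractions of eqs. (24) and (26).
Added example with toy parameters; not the paper's code."""
import hashlib
import secrets

# Constructed toy group: p, q prime, q | p - 1, g of order q. Far too small for real use.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1


def h4(r_u: int, r_s: int) -> int:
    """Stand-in for H4: SHA-256 of (r_u, r_s) reduced into Z_q."""
    return int.from_bytes(hashlib.sha256(f"{r_u}|{r_s}".encode()).digest(), "big") % Q


def owner_ecash(x1: int, r1: int) -> tuple:
    """Owner's values inside a generic e-cash: y1 = g^x1, w1 = g^r1 (mod p)."""
    return pow(G, x1, P), pow(G, r1, P)


def expand(x1: int, r1: int, r_s: int, r_u=None) -> tuple:
    """Payment expansion as O_off computes it: u = H4(r_u, r_s), s' = r1 - u*x1 mod q."""
    if r_u is None:
        r_u = secrets.randbelow(Q)
    return r_u, (r1 - h4(r_u, r_s) * x1) % Q


def verify_expansion(y1: int, w1: int, r_u: int, r_s: int, s_prime: int) -> bool:
    """Merchant check used in SWG-1/SWG-2: w1 == y1^{H4(r_u, r_s)} * g^{s'} (mod p)."""
    return w1 == pow(y1, h4(r_u, r_s), P) * pow(G, s_prime, P) % P


def extract_swg1(r1: int, x1: int, r_u: int, r_s: int, s_prime: int) -> int:
    """Eq. (24). Simulator set w1 = (y*)^r1, y1 = g^x1; a valid expansion of that
    e-cash gives x* = r1^{-1} (x1 * H4(r_u, r_s) + s') mod q."""
    return pow(r1, -1, Q) * (x1 * h4(r_u, r_s) + s_prime) % Q


def extract_swg2(x1: int, u: int, s_prime: int, u_star: int, s_prime_star: int) -> int:
    """Eq. (26). Simulator set y1 = (y*)^x1, w1 = y1^u g^{s'}; a second expansion
    (u*, s'*) of the same e-cash gives x* = (x1 (u* - u))^{-1} (s' - s'*) mod q."""
    return pow(x1 * (u_star - u) % Q, -1, Q) * (s_prime - s_prime_star) % Q


def reveal_x1(u: int, s_prime: int, u_star: int, s_prime_star: int) -> int:
    """Double-spending an honest e-cash (w1 = g^r1, y1 = g^x1): two expansions with
    different challenges give x1 = (s' - s'*) (u* - u)^{-1} mod q."""
    return (s_prime - s_prime_star) * pow((u_star - u) % Q, -1, Q) % Q


# Stand-in forgers that know x*; they only exist to exercise the extractors.
def forge_swg1(x_star: int, r1: int, x1: int, r_u: int, r_s: int) -> int:
    """s'* with (g^x1)^{H4} g^{s'*} = (g^{x*})^{r1}, i.e. s'* = x* r1 - x1 H4 mod q."""
    return (x_star * r1 - x1 * h4(r_u, r_s)) % Q


def forge_swg2(x_star: int, x1: int, u: int, s_prime: int, u_star: int) -> int:
    """s'* with y1^{u*} g^{s'*} = y1^u g^{s'} for y1 = g^{x* x1}."""
    return (x_star * x1 * (u - u_star) + s_prime) % Q


def demo() -> dict:
    x_star = secrets.randbelow(Q - 1) + 1               # DL instance y* = g^{x*}
    y_star = pow(G, x_star, P)
    x1, r1, r_s = 123, 456, 99
    # Honest withdraw / expand / verify, then the leak from a second expansion.
    y1, w1 = owner_ecash(x1, r1)
    r_u, s1 = expand(x1, r1, r_s)
    r_u2, s2 = expand(x1, r1, r_s + 1)
    while h4(r_u2, r_s + 1) == h4(r_u, r_s):            # (u* - u) must be invertible
        r_u2, s2 = expand(x1, r1, r_s + 1)
    honest_ok = verify_expansion(y1, w1, r_u, r_s, s1)
    x1_leaked = reveal_x1(h4(r_u, r_s), s1, h4(r_u2, r_s + 1), s2) == x1
    # SWG-1: target e-cash has w1 = (y*)^{r1}, y1 = g^{x1}.
    w1_t, y1_t = pow(y_star, r1, P), pow(G, x1, P)
    s_f = forge_swg1(x_star, r1, x1, 7, 8)
    swg1_ok = (verify_expansion(y1_t, w1_t, 7, 8, s_f)
               and extract_swg1(r1, x1, 7, 8, s_f) == x_star)
    # SWG-2: target e-cash has y1 = (y*)^{x1}, w1 = y1^u g^{s'}, already expanded as (u, s').
    u, s_p, u_f = 321, 654, 111
    y1_t = pow(y_star, x1, P)
    w1_t = pow(y1_t, u, P) * pow(G, s_p, P) % P
    s_f = forge_swg2(x_star, x1, u, s_p, u_f)
    swg2_ok = (w1_t == pow(y1_t, u_f, P) * pow(G, s_f, P) % P
               and extract_swg2(x1, u, s_p, u_f, s_f) == x_star)
    return {"honest_ok": honest_ok, "x1_leaked": x1_leaked,
            "swg1_extracts_x_star": swg1_ok, "swg2_extracts_x_star": swg2_ok}


if __name__ == "__main__":
    print(demo())
```

The guard against $u^* = u$ in `demo` is the concrete form of the caveat in the proof: the extraction divides by $u^* - u$, so the reduction only succeeds when the two expansions carry distinct challenges, which the random oracle guarantees except with probability about $1/q$.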
5 E-Cash Advanced Features andPerformance Comparisons
In this section we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of these schemes and summarize the results in Table 1.

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Beyond these, the literature discusses further advanced features of e-cash systems. We focus on three of them, traceability, date attachability, and no-swindling, and compare the proposed scheme with the aforementioned schemes on each.

We also propose an e-cash renewal protocol that lets users exchange their unused but expired e-cash(s) for a new valid e-cash, so users do not have to deposit the e-cash before it expires and then withdraw a new one. Our proposed renewal protocol reduces the computation cost by 49.5% compared with running the withdrawal and deposit protocols, which is almost half of the effort of obtaining a new e-cash at the user side. This is a considerable help to users, since their devices, such as smart phones, usually have weaker computation capability.
Table 1: Advanced features and performance comparisons.

Advanced features

Scheme | On/off-line | Conditional-traceability | Date attachability | No-swindling | Renewal protocol | Formal proof
Ours   | Off | Yes | Yes | Yes | Yes | Yes
[38]   | Off | Yes | No  | No  | —   | Yes
[14]   | Off | No  | No  | No  | Yes | No
[15]   | Off | Yes | No  | No  | —   | Yes
[9]    | On  | No  | Yes | —   | No  | No
[21]   | Off | Yes | Yes | No  | Yes | No
[22]   | Off | Yes | No  | Yes | Yes | Yes
[39]   | Off | Yes | No  | No  | —   | Yes
[40]   | Off | Yes | No  | No  | —   | Yes
[13]   | On  | Yes | No  | —   | —   | Yes
[27]   | Off | No  | Yes | No  | Yes | No

Performance

Scheme | Transaction cost⋆                  | Communication cost (bytes)
Ours   | 5E + 7M + 7H + 1inv + 1A ≈ 1454M   | 1092
[38]   | 14E + 14M + 1H + 5A ≈ 3375M        | 576
[14]   | 6E + 8M ≈ 1448M                    | 1288
[15]   | 23E + 14M + 1A ≈ 5534M             | 939
[9]    | 2E + 2M + 2H ≈ 966M                | 769
[21]   | 5E + 9M + 1H + 1inv + 2A ≈ 1450M   | 644
[22]   | 2E ≈ 480M                          | 300
[39]   | 18E + 15M + 2H + 8A ≈ 4337M        | 828
[40]   | 31E + 22M + 6H + 10A ≈ 7468M       | 968
[13]   | 22E + 11M + 4A ≈ 5291M             | 1536
[27]   | 6E + 8M + 1H ≈ 1449M               | 728

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
The communication cost is that of each transaction at the user side, in bytes.
5.2. Performance Comparisons. According to [41], the computation costs of the operations can be summarized as follows. A modular exponentiation costs about 240 times as much as a modular multiplication, and a modular inversion costs almost the same as a modular exponentiation. A hash operation costs almost the same as a modular multiplication.

With these assumptions, the total computation cost of a user during the withdrawal and payment phases of our proposed scheme amounts to 1452 modular multiplications, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 modular multiplications, respectively (in the column order of Table 1), to finish the withdrawal and payment phases at the user end.

Following [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and the one-way hash function used in all protocols, so an AES-encrypted message block and a hash value are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With these assumptions we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending it, that is, 1092 bytes per transaction.

The details of the comparisons are summarized in Table 1.
6. Conclusion

In this paper we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to each e-cash. We have also designed an e-cash renewal protocol with which users can exchange their unused but expired e-cash(s) for new ones more efficiently. Compared with similar works, our scheme is efficient in terms of the computation cost at the user side while satisfying all security properties simultaneously. Besides anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Our scheme not only helps the bank manage its huge database against unlimited growth but also strengthens the preservation of users' privacy and rights.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.
References
[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.
[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.
[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.
[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.
[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.
[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.
[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.
[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.
[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.
[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.
[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.
[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.
[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.
[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.
[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.
[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.
[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.
[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology, CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.
[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.
[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.
[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.
[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.
[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.
[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.
[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.
[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology, CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.
[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.
[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.
[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.
[34] S. Bajikar, "Trusted platform module (TPM) based security on notebook PCs," white paper, Mobile Platform Group, Intel Corporation, 2002.
[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.
[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.
[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.
[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.
[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.
[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.
[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.
[14] Y Baseri B Takhtaei and J Mohajeri ldquoSecure untraceable off-line electronic cash systemrdquo Scientia Iranica vol 20 pp 637ndash646 2012
[15] J Camenisch SHohenberger andA Lysyanskaya ldquoCompact e-cashrdquo inProceedings of the 24thAnnual International Conferenceon the Theory and Applications of Cryptographic TechniquesAdvances in Cryptology (EUROCRYPT rsquo05) pp 302ndash321 May2005
The Scientific World Journal 19
[16] J Camenisch S Hohenberger and A Lysyanskaya ldquoBalancingaccountability and privacy using E-cashrdquo in Security and Cryp-tography for Networks vol 4116 of Lecture Notes in ComputerScience pp 141ndash155 2006
[17] J Camenisch A Lysyanskaya and M Meyerovich ldquoEndorsede-cashrdquo in Proceedings of the IEEE Symposium on Security andPrivacy pp 101ndash115 May 2007
[18] S Canard A Gouget and J Traore ldquoImprovement of efficiencyin (unconditional) anonymous transferable E-cashrdquo in Finan-cial Cryptography and Data Security vol 5143 of Lecture Notesin Computer Science pp 202ndash214 2008
[19] D Chaum A Fiat and M Naor ldquoUntraceable electroniccashrdquo in Advances in Cryptology-CRYPTO rsquo88 vol 403 ofLecture Notes in Computer Science pp 319ndash327 Springer BerlinGermany 1990
[20] G Davida Y Frankel Y Tsiounis and M Yung ldquoAnonymitycontrol in E-cash systemsrdquo in Proceedings of the First Interna-tional Conference on Financial Cryptography pp 1ndash16 1997
[21] Z Eslami and M Talebi ldquoA new untraceable off-line electroniccash systemrdquo Electronic Commerce Research and Applicationsvol 10 no 1 pp 59ndash66 2011
[22] C I Fan V S M Huang and Y C Yu ldquoUser efficient recov-erable off-line e-cash scheme with fast anonymity revokingrdquoMathematical and Computer Modelling vol 58 pp 227ndash2372013
[23] X Hou and C H Tan ldquoFair traceable off-line electronic cash inwallets with observersrdquo in Proceedings of the 6th InternationalConference on Advanced Communication Technology pp 595ndash599 February 2004
[24] X Hou and C H Tan ldquoA new electronic cash modelrdquo inProceedings of the International Conference on InformationTechnology Coding and Computing pp 374ndash379 April 2005
[25] W S Juang ldquoA practical anonymous off-line multi-authoritypayment schemerdquo Electronic Commerce Research and Applica-tions vol 4 no 3 pp 240ndash249 2005
[26] J K Liu V K Wei and S H Wong ldquoRecoverable anduntraceable e-cashrdquo in International Conference on Trends inCommunications (EUROCON rsquo01) vol 1 pp 132ndash135 2001
[27] C Wang H Sun H Zhang and Z Jin ldquoAn improved off-lineelectronic cash schemerdquo in Proceedings of the 5th InternationalConference on Computational and Information Sciences (ICCISrsquo13) pp 438ndash441 2013
[28] W S Juang ldquoD-cash a flexible pre-paid e-cash scheme for date-attachmentrdquo Electronic Commerce Research and Applicationsvol 6 no 1 pp 74ndash80 2007
[29] D Chaum ldquoBlind signatures for untraceable paymentsrdquo inAdvances in Cryptology-CRYPTO rsquo82 Lecture Notes in Com-puter Science pp 199ndash203 Springer Berlin Germany 1983
[30] H Krawczyk and T Rabin ldquoChameleon signaturesrdquo in Proceed-ings of the Network and Distributed System Security Symposium(NDSS rsquo00) pp 143ndash154 2000
[31] S Pearson Trusted Computing Platforms TCPA Technology inContext Prentice Hall New York NY USA 2002
[32] S Pearson ldquoTrusted computing platforms the next securitysolutionrdquo Tech Rep HPL-2002-221 Hewllet-Packard Labora-torie 2002
[33] C I Fan andV SMHuang ldquoProvably secure integrated onoff-line electronic cash for flexible and efficient paymentrdquo IEEETransactions on Systems Man and Cybernetics C Applicationsand Reviews vol 40 no 5 pp 567ndash579 2010
[34] S Bajikar Trusted platform module (TPM) based securityon notebook pcsmdashwhite paper Mobile Platform Group IntelCorporation 2002
[35] M Abe and T Okamoto ldquoProvably secure partially blindsignaturesrdquo in Proceedings of the 20th Annual InternationalCryptology Conference on Advances in Cryptology (CRYPTOrsquo00) pp 271ndash286 Springer 2000
[36] A Juels M Luby and R Ostrovsky ldquoSecurity of blind digitalsignaturesrdquo in Proceedings of the 17th Annual InternationalCryptology Conference on Advances in Cryptology (CRYPTOrsquo97) pp 150ndash164 Springer 1997
[37] M Bellare C Namprempre D Pointcheval and M SemankoldquoThe one-more-RSA-inversion problems and the security ofchaumrsquos blind signature schemerdquo Journal of Cryptology vol 16no 3 pp 185ndash215 2003
[38] S Brands ldquoUntraceable off-line cash in wallets with observers(extended abstract)rdquo CRYPTO pp 302ndash318 1993
[39] Y Hanatani Y Komano K Ohta and N Kunihiro ldquoProvablysecure electronic cash based on blind multisignature schemesrdquoFinancial Cryptography vol 4107 pp 236ndash250 2006
[40] C Popescu ldquoAn off-line electronic cash system with revokableanonymityrdquo in Proceedings of the 12th IEEE MediterraneanElectrotechnical Conference pp 763ndash767 May 2004
[41] A Menezes P van Oorschot and S Vanstone Handbook ofApplied Cryptography CRC Press New York NY USA 1997
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
The Scientific World Journal 15
[Figure 9: The proof model of SWG-1. The simulator $\mathcal{S}$ answers the adversary $\mathcal{A}$'s $\mathcal{O}_B$ queries (request $i$) with $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$, and its $\mathcal{O}_{\mathrm{off}}$ queries with the expanded tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, r_u, s')$. From a swindled tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_s^*, r_u^*, s'^*)$ satisfying $s^{*e_b} H_1^2(w_1^*, y_1^*, w_2^*, y_2^*, D^*, r_3^*)\, H_3(\sigma^*, D^*) \equiv H_2(D^*) \pmod{n_b}$ and $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$, where $w_1^* = (y^*)^{r_1^*} \bmod p$, $\mathcal{S}$ derives $x^* = (r_1^*)^{-1}\,(x_1^* H_4(r_u^*, r_s^*) + s'^*) \bmod q$.]
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.
The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially, $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ does the following:

(a) if $i = \nu$:
(1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$;
(3) prepare $s = \big((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (u, s'))$ in the list $\mathcal{L}_B$;

(b) if $i \neq \nu$:
(1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
(3) prepare $s = \big((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $\mathcal{L}_B$;

(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{\mathrm{off}}$. A status parameter sta is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it looks up the list $\mathcal{L}_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and sta $= 0$, $\mathcal{O}_{\mathrm{off}}$ performs the following procedures:
(1) set sta $= 1$;
(2) retrieve the corresponding $(u, s')$ from $\mathcal{L}_B$ and choose a random $r_u$;
(3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $\mathcal{L}_H$;
(4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in the list $\mathcal{L}_{\mathrm{off}}$;
(5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;

(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{\mathrm{off}}$ retrieves the corresponding $(r_1, x_1)$, chooses random $r_u$ and $u$, sets $H_4(r_u, r_s) = u$, records $((r_u, r_s), u)$ in $\mathcal{L}_H$, computes $s' = r_1 - u x_1 \bmod q$, and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;

(c) otherwise, abort.

(iii) Oracle $\mathcal{O}_{H_4}$. When $\mathcal{A}$ sends $(r_u, r_s)$ to query $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ checks the list $\mathcal{L}_H$:

(a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ retrieves the corresponding $u$ and returns it to $\mathcal{A}$;
[Figure 10: The proof model of SWG-2. $\mathcal{O}_B$ answers the $\nu$-th request with $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$; $\mathcal{O}_{\mathrm{off}}$ (status sta $= 0 \to 1$) sets $H_4(r_u, r_s) = u$, stores it in $\mathcal{L}_H$, and records the expansion $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, r_u, s')$ in $\mathcal{L}_{\mathrm{off}}$; $\mathcal{O}_{H_4}$ serves $u$ from $\mathcal{L}_H$. From a swindled tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_s^*, r_u^*, s'^*)$ passing $s^{*e_b} H_1^2(w_1^*, y_1^*, w_2^*, y_2^*, D^*, r_3^*)\, H_3(\sigma^*, D^*) \equiv H_2(D^*) \pmod{n_b}$ and $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$, so that $(y^{*x_1^*})^{u^*} g^{s'^*} \equiv w_1^* \equiv (y^{*x_1^*})^{u} g^{s'} \pmod p$, $\mathcal{S}$ derives $x^* = (x_1^*(u^* - u))^{-1}(s' - s'^*) \bmod q$.]
(b) otherwise, $\mathcal{O}_{H_4}$ chooses a random $u$, records $((r_u, r_s), u)$ in $\mathcal{L}_H$, and returns $u$ to $\mathcal{A}$.
Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $\mathcal{L}_B$, and $H_4(r_u^*, r_s^*) = u^*$. Then, via $\mathcal{L}_H$, since

$$(y^{*x_1^*})^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv (y^{*x_1^*})^{u} g^{s'} \pmod p, \qquad (25)$$

$\mathcal{S}$ can derive

$$x^* = \big(x_1^*(u^* - u)\big)^{-1} (s' - s'^*) \bmod q \qquad (26)$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.
Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. This implies that no PPT adversary can win the swindling game, and hence our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
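The two extraction steps of the no-swindling proof, Figure 9 for SWG-1 and equations (25) and (26) for SWG-2, re-enacted as an added Python example (not the paper's code). It uses a constructed toy group (p = 2039, q = 1019, g = 4), models H4 with SHA-256 behind a programmable table that plays the role of L_H, omits the bank's RSA component, and stands in for the winning adversary with a routine that is handed the discrete logarithm it would otherwise have to do without, so that a second valid expansion exists for the simulator to extract from.

```python
"""Toy re-enactment of the no-swindling reductions SWG-1 and SWG-2.

Added example, not code from the paper. The group is a constructed toy
instance (p = 2q + 1, q = 1019) so the script runs instantly; the bank's RSA
component (s, H1, H2, H3, sigma, D) plays no part in the discrete-log
extraction and is omitted. Only the (w1, y1, H4, s') relation is modelled.
"""
import hashlib
import secrets

Q = 1019           # prime order of the subgroup generated by G (toy value)
P = 2 * Q + 1      # 2039, prime (toy value)
G = 4              # 4 = 2^2 has order Q in Z_P^*

L_H = {}           # the proof's list L_H: (r_u, r_s) -> programmed H4 value


def oracle_h4(r_u, r_s):
    """O_H4: serve a programmed value from L_H, else SHA-256 mod q (random-oracle stand-in)."""
    key = (r_u, r_s)
    if key not in L_H:
        digest = hashlib.sha256(f"{r_u}|{r_s}".encode()).digest()
        L_H[key] = int.from_bytes(digest, "big") % Q
    return L_H[key]


def verify_w1(w1, y1, r_u, r_s, s_prime):
    """The w1 relation of an expanded offline e-cash: w1 == y1^{H4(r_u, r_s)} g^{s'} (mod p)."""
    return w1 == pow(y1, oracle_h4(r_u, r_s), P) * pow(G, s_prime, P) % P


def cheating_swindler(log_w1, log_y1, r_u_star, r_s_star):
    """Stand-in for an adversary that wins the swindling game. It is handed the
    discrete logs of w1 and y1 (which a real adversary does not have) and returns
    the s'* that makes verify_w1 hold for fresh (r_u*, r_s*)."""
    return (log_w1 - log_y1 * oracle_h4(r_u_star, r_s_star)) % Q

# --- SWG-1 (Figure 9): y* embedded in w1; the target e-cash is never opened ---

def simulate_swg1(y_star, r1, x1):
    """O_B on the nu-th query: w1 = (y*)^{r1} mod p, y1 = g^{x1} mod p."""
    return pow(y_star, r1, P), pow(G, x1, P)


def extract_swg1(r1, x1, r_u_star, r_s_star, s_prime_star):
    """Figure 9: x* = (r1*)^{-1} (x1* H4(r_u*, r_s*) + s'*) mod q."""
    return pow(r1, -1, Q) * (x1 * oracle_h4(r_u_star, r_s_star) + s_prime_star) % Q


def run_swg1(x):
    """Whole reduction: embed y* = g^x, let the swindler forge s'*, recover x."""
    y_star = pow(G, x, P)
    r1, x1 = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)
    w1, y1 = simulate_swg1(y_star, r1, x1)
    r_u_star, r_s_star = secrets.randbelow(Q), secrets.randbelow(Q)
    s_prime_star = cheating_swindler(x * r1 % Q, x1, r_u_star, r_s_star)
    assert verify_w1(w1, y1, r_u_star, r_s_star, s_prime_star)  # the forgery passes
    return extract_swg1(r1, x1, r_u_star, r_s_star, s_prime_star)

# --- SWG-2 (Figure 10, eqs. (25)-(26)): y* embedded in y1; target opened once ---

def simulate_swg2(y_star, x1, u, s_prime):
    """O_B on the nu-th query: y1 = (y*)^{x1} mod p, w1 = y1^u g^{s'} mod p."""
    y1 = pow(y_star, x1, P)
    return pow(y1, u, P) * pow(G, s_prime, P) % P, y1


def open_swg2(u, r_s):
    """O_off on the target e-cash: choose r_u and program H4(r_u, r_s) = u in L_H."""
    r_u = secrets.randbelow(Q)
    L_H[(r_u, r_s)] = u
    return r_u


def extract_swg2(x1, u, s_prime, u_star, s_prime_star):
    """Eq. (26): x* = (x1* (u* - u))^{-1} (s' - s'*) mod q."""
    return pow(x1 * (u_star - u) % Q, -1, Q) * (s_prime - s_prime_star) % Q


def run_swg2(x):
    """Whole reduction: embed, open the e-cash once, obtain a second expansion
    of the same (w1, y1) under different (r_u*, r_s*), recover x via (25)-(26)."""
    y_star = pow(G, x, P)
    x1 = 1 + secrets.randbelow(Q - 1)
    u, s_prime, r_s = secrets.randbelow(Q), secrets.randbelow(Q), secrets.randbelow(Q)
    w1, y1 = simulate_swg2(y_star, x1, u, s_prime)
    r_u = open_swg2(u, r_s)                      # honest expansion (r_u, r_s, s')
    assert verify_w1(w1, y1, r_u, r_s, s_prime)
    while True:                                  # u* == u happens with prob. 1/q;
        r_u_star, r_s_star = secrets.randbelow(Q), (r_s + 1) % Q
        u_star = oracle_h4(r_u_star, r_s_star)   # the reduction would abort, the demo retries
        if u_star != u:
            break
    log_w1, log_y1 = (x * x1 * u + s_prime) % Q, x * x1 % Q
    s_prime_star = cheating_swindler(log_w1, log_y1, r_u_star, r_s_star)
    assert verify_w1(w1, y1, r_u_star, r_s_star, s_prime_star)  # second expansion passes
    return extract_swg2(x1, u, s_prime, u_star, s_prime_star)


if __name__ == "__main__":
    for x in (123, 777):
        print(f"x = {x}: SWG-1 recovers {run_swg1(x)}, SWG-2 recovers {run_swg2(x)}")
```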
5. E-Cash Advanced Features and Performance Comparisons
In this section, we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and summarize them in Table 1.
5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these, other advanced features of an e-cash system are discussed in the literature. We focus on three such advanced features, traceability, date attachability, and no-swindling, and compare the proposed scheme with the aforementioned schemes on them.
We also propose an e-cash renewal protocol for users to exchange their unused but expired e-cash(s) for a new valid e-cash, so that users do not have to deposit the e-cash before it expires and then withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. This is a great help to users, since their devices, such as smart phones, usually have weaker computation capability.
Table 1: Advanced features and performance comparisons.

Scheme | On/off-line | Conditional-traceability | Date attachability | No-swindling | Renewal protocol | Formal proof | Transaction cost⋆ | Communication cost†
Ours | Off | Yes | Yes | Yes | Yes | Yes | 5E + 7M + 7H + 1inv + 1A ≈ 1454M | 1092
[38] | Off | Yes | No | No | — | Yes | 14E + 14M + 1H + 5A ≈ 3375M | 576
[14] | Off | No | No | No | Yes | No | 6E + 8M ≈ 1448M | 1288
[15] | Off | Yes | No | No | — | Yes | 23E + 14M + 1A ≈ 5534M | 939
[9] | On | No | Yes | — | No | No | 2E + 2M + 2H ≈ 966M | 769
[21] | Off | Yes | Yes | No | Yes | No | 5E + 9M + 1H + 1inv + 2A ≈ 1450M | 644
[22] | Off | Yes | No | Yes | Yes | Yes | 2E ≈ 480M | 300
[39] | Off | Yes | No | No | — | Yes | 18E + 15M + 2H + 8A ≈ 4337M | 828
[40] | Off | Yes | No | No | — | Yes | 31E + 22M + 6H + 10A ≈ 7468M | 968
[13] | On | Yes | No | — | — | Yes | 22E + 11M + 4A ≈ 5291M | 1536
[27] | Off | No | Yes | No | Yes | No | 6E + 8M + 1H ≈ 1449M | 728

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
† The communication cost of each transaction at the user side, in bytes.
5.2. Performance Comparisons. According to [41], we can summarize the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times that of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.
With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be derived as 1452 times that of a modular multiplication, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times that of a modular multiplication to finish the withdrawal and payment phases at the user end.
According to [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and the one-way hash function used in all protocols, respectively; therefore the signed message and the hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.
With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.
The details of the comparisons are summarized in Table 1.
6. Conclusion
In this paper, we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol where users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient in terms of the computation cost at the user side while satisfying all security properties simultaneously. In addition to anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank manage its huge databases against unlimited growth, but it also strengthens the preservation of users' privacy and rights.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This work was partially supported by the National Science Council of Taiwan under Grants NSC 102-2219-E-110-002, NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.
References
[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.
[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.
[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.
[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.
[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.
[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.
[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.
[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.
[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.
[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.
[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.
[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.
[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.
[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.
[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.
[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.
[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.
[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology: CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.
[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.
[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.
[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.
[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.
[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.
[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.
[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.
[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology: CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.
[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.
[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.
[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.
[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs: White Paper, Mobile Platform Group, Intel Corporation, 2002.
[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.
[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.
[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.
[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.
[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.
[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.
[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
16 The Scientific World Journal
119978off
i = - y1 = (ylowast)x1 mod p- w1 = yu1 g
s998400 mod p
index sta = 0
- Set sta = 1119964
119982
(request i)
(s w1 y1 w2 y2 r3 120590 D)
(s w1 y1 w2 y2 r3 120590 D rs)(s w1 y1 w2 y2 r3 120590 D rs ru s
998400)
119978ℬ
- Set H4(ru rs) = u store in ℒH
u
u 119978H4
Swindle
(slowast wlowast1 y
lowast1 w
lowast2 y
lowast2 r
lowast3 120590
lowast Dlowast rlowasts r
lowastu s
998400lowast)
- Record in ℒoff
(ru rs)
equiv H2(Dlowast) (mod nb)slowaste119887H21 (wlowast1 ylowast1 wlowast
2 ylowast2 D
lowast rlowast3 )H3(120590lowast Dlowast)wlowast1 = y
lowastH4(rlowast119906 rlowast119904 )
1 gs998400lowast
mod p
gs998400lowast
equiv wlowast1 equiv (ylowastxlowast1 gs
998400
(mod p)(ylowastxlowast1 )ulowast gs998400lowast equiv (ylowast1 )H4(rlowast119906 r
lowast119904 )
u)rarr xlowast = (xlowast1 (ulowast minus u) (s998400 minus s998400lowast) mod q)minus1
Figure 10 The proof model of SWG-2
(b) otherwise, $\mathcal{O}_{H_4}$ chooses a random $u$, records $((r_u, r_s), u)$ in $\mathcal{L}_H$, and returns $u$ to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with ] and postfixed with $(u, s')$ in $\mathcal{L}_B$ and $H_4(r_u^*, r_s^*) = u^*$. Then, via $\mathcal{L}_H$, since

$$
\left(y^{*x_1^*}\right)^{u^*} g^{s'^*} \equiv \left(y_1^*\right)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \left(y^{*x_1^*}\right)^{u} g^{s'} \pmod{p}, \tag{25}
$$

$\mathcal{S}$ can derive

$$
x^* = \left(x_1^* \left(u^* - u\right)\right)^{-1} \left(s' - s'^*\right) \bmod q \tag{26}
$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.
Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. It follows that no PPT adversary can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
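As an added illustration (not the paper's own code), the extractor step of (25) and (26) carried out in a toy prime-order group: a stand-in for the rewound adversary opens the same w1 under two different H4 values u and u*, and the simulator recovers x* = log_g y*. The group parameters, the SHA-256-based H4, and every function name are constructed placeholders, not the scheme's 512-bit parameters.

```python
# Added example (not from the paper): the knowledge-extraction step behind
# equations (25)-(26) of the no-swindling proof, in a toy prime-order group.
# The secret is x* with y* = g^{x*}; an e-cash expansion carries
# y1 = (y*)^{x1} and w1 = y1^u * g^{s'} (mod p) with u = H4(r_u, r_s).
# If the same w1 is opened under two hash values u != u*, the simulator
# derives x* = (x1 (u* - u))^{-1} (s' - s'*) mod q.
import hashlib
import secrets

# Constructed toy parameters (placeholders, NOT the 512-bit scheme parameters):
# p = 2q + 1 with p, q prime; g = 4 generates the order-q subgroup.
P = 1019
Q = 509
G = 4


def h4(r_u: int, r_s: int) -> int:
    """Stand-in for the scheme's H4: SHA-256 of (r_u, r_s) reduced mod q."""
    digest = hashlib.sha256(f"{r_u}|{r_s}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def y1_of(x_star: int, x1: int) -> int:
    """y1 = (y*)^{x1} mod p, where y* = g^{x*}."""
    y_star = pow(G, x_star, P)
    return pow(y_star, x1, P)


def w1_of(x_star: int, x1: int, u: int, s_prime: int) -> int:
    """w1 = y1^u * g^{s'} mod p (the component checked in congruence (25))."""
    return (pow(y1_of(x_star, x1), u, P) * pow(G, s_prime, P)) % P


def second_opening(x_star: int, x1: int, u: int, s_prime: int, u_star: int) -> int:
    """Plays the rewound adversary of the proof model: a party that knows x*
    can open the same w1 under a different challenge u* by choosing
    s'* = s' + x* x1 (u - u*) mod q.  Returns s'*."""
    return (s_prime + x_star * x1 * (u - u_star)) % Q


def extract_dlog(x1: int, u: int, s_prime: int, u_star: int, s_prime_star: int) -> int:
    """Equation (26): x* = (x1 (u* - u))^{-1} (s' - s'*) mod q.
    Raises if u* == u: then the two transcripts carry no extra information
    and the simulator would have to try again."""
    if (u_star - u) % Q == 0:
        raise ValueError("u* == u: nothing to extract")
    inv = pow((x1 * (u_star - u)) % Q, -1, Q)
    return (inv * (s_prime - s_prime_star)) % Q


def run_extraction() -> bool:
    """One full round: honest expansion, reprogrammed H4 value, extraction.
    Returns True iff the extracted value equals the secret x*."""
    x_star = secrets.randbelow(Q - 1) + 1      # secret log_g(y*)
    x1 = secrets.randbelow(Q - 1) + 1          # nonzero mod q, so (26) is invertible
    s_prime = secrets.randbelow(Q)
    r_u, r_s = secrets.randbelow(Q), secrets.randbelow(Q)

    u = h4(r_u, r_s)                           # first run: u as recorded in L_H
    w1 = w1_of(x_star, x1, u, s_prime)

    u_star = (u + 1 + secrets.randbelow(Q - 2)) % Q   # second run: u* != u
    s_prime_star = second_opening(x_star, x1, u, s_prime, u_star)

    # Both openings verify against the same w1: this is congruence (25).
    if w1_of(x_star, x1, u_star, s_prime_star) != w1:
        return False
    return extract_dlog(x1, u, s_prime, u_star, s_prime_star) == x_star


if __name__ == "__main__":
    print("x* recovered:", run_extraction())
```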
5 E-Cash Advanced Features and Performance Comparisons
In this section, we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and summarize them in Table 1.
5.1 Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these, other advanced features of an e-cash system are discussed in the literature. We focus on three further advanced features, namely traceability, date attachability, and no-swindling, and compare the proposed scheme with the aforementioned schemes on them.
We also propose an e-cash renewal protocol that lets users exchange their unused but expired e-cash(s) for a new valid e-cash; therefore users do not have to deposit the e-cash before it expires and then withdraw a new one. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% compared with running the withdrawal and deposit protocols, that is, almost half of the effort of obtaining a new e-cash at the user side. This is a considerable help to users, since their devices, such as smartphones, usually have weaker computation capability.
Table 1: Advanced features and performance comparisons.

Advanced features          Ours   [38]   [14]   [15]   [9]    [21]   [22]   [39]   [40]   [13]   [27]
On/off-line                Off    Off    Off    Off    On     Off    Off    Off    Off    On     Off
Conditional-traceability   Yes    Yes    No     Yes    No     Yes    Yes    Yes    Yes    Yes    No
Date attachability         Yes    No     No     No     Yes    Yes    No     No     No     No     Yes
No-swindling               Yes    No     No     No     —      No     Yes    No     No     —      No
Renewal protocol           Yes    —      Yes    —      No     Yes    Yes    —      —      —      Yes
Formal proof               Yes    Yes    No     Yes    No     No     Yes    Yes    Yes    Yes    No

Performance
Transaction cost⋆
  Ours: 5E + 7M + 7H + 1inv + 1A ≈ 1454M
  [38]: 14E + 14M + 1H + 5A ≈ 3375M
  [14]: 6E + 8M ≈ 1448M
  [15]: 23E + 14M + 1A ≈ 5534M
  [9]:  2E + 2M + 2H ≈ 966M
  [21]: 5E + 9M + 1H + 1inv + 2A ≈ 1450M
  [22]: 2E ≈ 480M
  [39]: 18E + 15M + 2H + 8A ≈ 4337M
  [40]: 31E + 22M + 6H + 10A ≈ 7468M
  [13]: 22E + 11M + 4A ≈ 5291M
  [27]: 6E + 8M + 1H ≈ 1449M
Communication cost (bytes) 1092   576    1288   939    769    644    300    828    968    1536   728

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
Communication cost: the communication cost of each transaction at the user side, in bytes.
5.2 Performance Comparisons. According to [41], the computation cost of the operations involved can be summarized as follows. A modular exponentiation costs about 240 times a modular multiplication, while a modular inversion costs almost the same as a modular exponentiation. Also, a hash operation costs almost the same as a modular multiplication.
With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be induced as 1452 times a modular multiplication, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times a modular multiplication, respectively, to finish the withdrawal and payment phases at the user end.
According to [15], we assume the RSA parameters n, p, and q are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and the one-way hash function used in all protocols, respectively; therefore the signed message and the hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.
With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.
The details of the comparisons are summarized in Table 1.
6 Conclusion
In this paper, we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol with which users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient in terms of the computation cost at the user side while satisfying all security properties simultaneously. In addition to anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank manage its huge database against unlimited growth, but it also strengthens the preservation of users' privacy and rights.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.
References
[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.
[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.
[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.
[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.
[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.
[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.
[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.
[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.
[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.
[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.
[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.
[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.
[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.
[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.
[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.
[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.
[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.
[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology, CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.
[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.
[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.
[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.
[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.
[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.
[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.
[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.
[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology, CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.
[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.
[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.
[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.
[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs: White Paper, Mobile Platform Group, Intel Corporation, 2002.
[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.
[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.
[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.
[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.
[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.
[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.
[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
The Scientific World Journal 17
Table1Ad
vanced
featuresandperfo
rmance
comparison
s
Ours
[38]
[14]
[15]
[9]
[21]
[22]
[39]
[40]
[13]
[27]
Advanced
features
Onoff
-line
Off
Off
Off
Off
On
Off
Off
Off
Off
On
Off
Con
ditio
nal-
traceability
Yes
Yes
No
Yes
No
Yes
Yes
Yes
Yes
Yes
No
Datea
ttachability
Yes
No
No
No
Yes
Yes
No
No
No
No
Yes
No-sw
indling
Yes
No
No
No
mdashNo
Yes
No
No
mdashNo
Renewalprotocol
Yes
mdashYes
mdashNo
Yes
Yes
mdashmdash
mdashYes
Form
alproof
Yes
Yes
No
Yes
No
No
Yes
Yes
Yes
Yes
No
Perfo
rmance
Transactioncost⋆
5119864
+7119872
+7119867
+1inv
+1119860
asymp1454119872
14119864
+14119872
+1119867
+5119860
asymp3375119872
6119864
+8119872
asymp1448119872
23119864
+14119872
+1119860
asymp5534119872
2119864
+2119872
+2119867
asymp966119872
5119864
+9119872
+1119867
+1inv
+2119860
asymp1450119872
2119864
asymp480119872
18119864
+15119872
+2119867
+8119860
asymp4337119872
31119864
+22119872
+6119867
+10119860
asymp7468119872
22119864
+11119872
+4119860
asymp5291119872
6119864
+8119872
+1119867
asymp1449119872
Com
mun
ication
cost
1092
576
1288
939
769
644
300
828
968
1536
728
Accordingto
[41]119867
asymp119872119864asympinvasymp240119872
119864a
mod
ular
expo
nentiatio
n119872a
mod
ular
multip
lication119867a
hash
operationzkpaz
ero-kn
owledgep
roof
119860a
mod
ular
additio
ninvam
odular
inversion
⋆
Thec
ompu
tatio
ncostofwith
draw
alandpaym
entp
rotocolsatuser
side
Thec
ommun
icationcostofeach
transactionatuser
sideinbytes
18 The Scientific World Journal
52 Performance Comparisons According to [41] we cansummarize and induce the computation cost of all operationsas followsThe computation cost of amodular exponentiationcomputation is about 240 times of the computation cost of amodular multiplication computation while the computationcost of a modular inversion almost equals to that of amodular exponentiation Also the computation cost of a hashoperation almost equals to that of a modular multiplication
With the above assumptions the total computation costof users during withdrawal and payment phases of ourproposed scheme can be induced as 1452 times of a modularmultiplication computation while other works [9 13ndash1521 22 27 38ndash40] need 3375 1448 5534 966 1450 4804337 7468 5291 and 1449 times of a modular multiplicationcomputation to finish withdrawal and payment phases at theuser ends
According to [15] we assume the RSAparameters 119899 119901 119902
are 1024 512 and 512 bits respectively We adopt AES andSHA-1 as the symmetric cryotsystem and one-way hashfunction used in all protocols respectively therefore thesigned message and hash massage are in 128 and 160 bitsrespectively We assume the expiration date is in 32 bits
With the above assumptions we compute the commu-nication cost of each offline transaction withdrawal andpayment at the user side Our scheme needs 2048 bits forwithdrawing an e-cash and 6688 bits for spending an e-cashwhich is 1092 bytes for each transaction
The details of the comparisons are summarized inTable 1
6 Conclusion
In this paper we have presented earlier a provably secureoffline electronic cash scheme with an expiration date anda deposit date attached to it Besides we have also designedan e-cash renewal protocol where users can exchange theirunused and expired e-cash(s) for new ones more efficientlyCompared with other similar works our scheme is efficientfrom the aspect of considering computation cost of the userside and satisfying all security properties simultaneouslyExcept for anonymity unlinkability unforgeability and nodouble-spending we also formally prove that our schemeachieves conditional-traceability and no-swindling Not onlydoes our scheme help the bank to manage their hugedatabases against unlimited growth but also it strengthensthe preservation of usersrsquo privacy and rights as well
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was partially supported by the National ScienceCouncil of Taiwan under Grants NSC 102-2219-E-110-002
NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001) and Aim for the Top University Plan of the NationalSun Yat-sen University and Ministry of Education Taiwan
References
[1] H Chen P P Y Lam H C B Chan T S Dillon J Cao and RS T Lee ldquoBusiness-to-consumer mobile agent-based internetcommerce system (MAGICS)rdquo IEEE Transactions on SystemsMan and Cybernetics C Applications and Reviews vol 37 no 6pp 1174ndash1189 2007
[2] S C Fan and Y L Lai ldquoA study on e-commerce applying inTaiwanrsquos restaurant franchiserdquo in Proceedings of the IET Interna-tional Conference on Frontier Computing Theory Technologiesand Applications pp 324ndash329 August 2010
[3] D R W Holton I Nafea M Younas and I Awan ldquoA class-based scheme for E-commerceweb servers formal specificationand performance evaluationrdquo Journal of Network and ComputerApplications vol 32 no 2 pp 455ndash460 2009
[4] Z Jie and X Hong ldquoE-commerce security policy analysisrdquo inProceedings of the International Conference on Electrical andControl Engineering (ICECE rsquo10) pp 2764ndash2766 June 2010
[5] D R Liuy andT FHwang ldquoAn agent-based approach to flexiblecommerce in intermediary-Centric electronicmarketsrdquo Journalof Network and Computer Applications vol 27 no 1 pp 33ndash482004
[6] S J Lin and D C Liu ldquoAn incentive-based electronic paymentscheme for digital content transactions over the InternetrdquoJournal of Network and Computer Applications vol 32 no 3pp 589ndash598 2009
[7] H Wang Y Zhang J Cao and V Varadharajan ldquoAchievingSecure and FlexibleM-Services throughTicketsrdquo IEEETransac-tions on Systems Man and Cybernetics ASystems and Humansvol 33 no 6 pp 697ndash708 2003
[8] C Yue and H Wang ldquoProfit-aware overload protection inE-commerce Web sitesrdquo Journal of Network and ComputerApplications vol 32 no 2 pp 347ndash356 2009
[9] C C Chang and Y P Lai ldquoA flexible date-attachment schemeon e-cashrdquo Computers and Security vol 22 no 2 pp 160ndash1662003
[10] C L Chen and J J Liao ldquoA fair online payment system fordigital content via subliminal channelrdquo Electronic CommerceResearch and Applications vol 10 no 3 pp 279ndash287 2011
[11] C I Fan W K Chen and Y S Yeh ldquoDate attachable electroniccashrdquo Computer Communications vol 23 no 4 pp 425ndash4282000
[12] C I Fan and W Z Sun ldquoEfficient encoding scheme for dateattachable electronic cashrdquo in Proceedings of the 24th Workshopon Combinatorial Mathematics and Computation Theory pp405ndash410 2007
[13] T Nakanishi M Shiota and Y Sugiyama ldquoAn efficient onlineelectronic cash with unlinkable exact paymentsrdquo InformationSecurity vol 3225 pp 367ndash378 2004
[14] Y Baseri B Takhtaei and J Mohajeri ldquoSecure untraceable off-line electronic cash systemrdquo Scientia Iranica vol 20 pp 637ndash646 2012
[15] J Camenisch SHohenberger andA Lysyanskaya ldquoCompact e-cashrdquo inProceedings of the 24thAnnual International Conferenceon the Theory and Applications of Cryptographic TechniquesAdvances in Cryptology (EUROCRYPT rsquo05) pp 302ndash321 May2005
The Scientific World Journal 19
[16] J Camenisch S Hohenberger and A Lysyanskaya ldquoBalancingaccountability and privacy using E-cashrdquo in Security and Cryp-tography for Networks vol 4116 of Lecture Notes in ComputerScience pp 141ndash155 2006
[17] J Camenisch A Lysyanskaya and M Meyerovich ldquoEndorsede-cashrdquo in Proceedings of the IEEE Symposium on Security andPrivacy pp 101ndash115 May 2007
[18] S Canard A Gouget and J Traore ldquoImprovement of efficiencyin (unconditional) anonymous transferable E-cashrdquo in Finan-cial Cryptography and Data Security vol 5143 of Lecture Notesin Computer Science pp 202ndash214 2008
[19] D Chaum A Fiat and M Naor ldquoUntraceable electroniccashrdquo in Advances in Cryptology-CRYPTO rsquo88 vol 403 ofLecture Notes in Computer Science pp 319ndash327 Springer BerlinGermany 1990
[20] G Davida Y Frankel Y Tsiounis and M Yung ldquoAnonymitycontrol in E-cash systemsrdquo in Proceedings of the First Interna-tional Conference on Financial Cryptography pp 1ndash16 1997
[21] Z Eslami and M Talebi ldquoA new untraceable off-line electroniccash systemrdquo Electronic Commerce Research and Applicationsvol 10 no 1 pp 59ndash66 2011
[22] C I Fan V S M Huang and Y C Yu ldquoUser efficient recov-erable off-line e-cash scheme with fast anonymity revokingrdquoMathematical and Computer Modelling vol 58 pp 227ndash2372013
[23] X Hou and C H Tan ldquoFair traceable off-line electronic cash inwallets with observersrdquo in Proceedings of the 6th InternationalConference on Advanced Communication Technology pp 595ndash599 February 2004
[24] X Hou and C H Tan ldquoA new electronic cash modelrdquo inProceedings of the International Conference on InformationTechnology Coding and Computing pp 374ndash379 April 2005
[25] W S Juang ldquoA practical anonymous off-line multi-authoritypayment schemerdquo Electronic Commerce Research and Applica-tions vol 4 no 3 pp 240ndash249 2005
[26] J K Liu V K Wei and S H Wong ldquoRecoverable anduntraceable e-cashrdquo in International Conference on Trends inCommunications (EUROCON rsquo01) vol 1 pp 132ndash135 2001
[27] C Wang H Sun H Zhang and Z Jin ldquoAn improved off-lineelectronic cash schemerdquo in Proceedings of the 5th InternationalConference on Computational and Information Sciences (ICCISrsquo13) pp 438ndash441 2013
[28] W S Juang ldquoD-cash a flexible pre-paid e-cash scheme for date-attachmentrdquo Electronic Commerce Research and Applicationsvol 6 no 1 pp 74ndash80 2007
[29] D Chaum ldquoBlind signatures for untraceable paymentsrdquo inAdvances in Cryptology-CRYPTO rsquo82 Lecture Notes in Com-puter Science pp 199ndash203 Springer Berlin Germany 1983
[30] H Krawczyk and T Rabin ldquoChameleon signaturesrdquo in Proceed-ings of the Network and Distributed System Security Symposium(NDSS rsquo00) pp 143ndash154 2000
[31] S Pearson Trusted Computing Platforms TCPA Technology inContext Prentice Hall New York NY USA 2002
[32] S Pearson ldquoTrusted computing platforms the next securitysolutionrdquo Tech Rep HPL-2002-221 Hewllet-Packard Labora-torie 2002
[33] C I Fan andV SMHuang ldquoProvably secure integrated onoff-line electronic cash for flexible and efficient paymentrdquo IEEETransactions on Systems Man and Cybernetics C Applicationsand Reviews vol 40 no 5 pp 567ndash579 2010
[34] S Bajikar Trusted platform module (TPM) based securityon notebook pcsmdashwhite paper Mobile Platform Group IntelCorporation 2002
[35] M Abe and T Okamoto ldquoProvably secure partially blindsignaturesrdquo in Proceedings of the 20th Annual InternationalCryptology Conference on Advances in Cryptology (CRYPTOrsquo00) pp 271ndash286 Springer 2000
[36] A Juels M Luby and R Ostrovsky ldquoSecurity of blind digitalsignaturesrdquo in Proceedings of the 17th Annual InternationalCryptology Conference on Advances in Cryptology (CRYPTOrsquo97) pp 150ndash164 Springer 1997
[37] M Bellare C Namprempre D Pointcheval and M SemankoldquoThe one-more-RSA-inversion problems and the security ofchaumrsquos blind signature schemerdquo Journal of Cryptology vol 16no 3 pp 185ndash215 2003
[38] S Brands ldquoUntraceable off-line cash in wallets with observers(extended abstract)rdquo CRYPTO pp 302ndash318 1993
[39] Y Hanatani Y Komano K Ohta and N Kunihiro ldquoProvablysecure electronic cash based on blind multisignature schemesrdquoFinancial Cryptography vol 4107 pp 236ndash250 2006
[40] C Popescu ldquoAn off-line electronic cash system with revokableanonymityrdquo in Proceedings of the 12th IEEE MediterraneanElectrotechnical Conference pp 763ndash767 May 2004
[41] A Menezes P van Oorschot and S Vanstone Handbook ofApplied Cryptography CRC Press New York NY USA 1997
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
18 The Scientific World Journal
52 Performance Comparisons According to [41] we cansummarize and induce the computation cost of all operationsas followsThe computation cost of amodular exponentiationcomputation is about 240 times of the computation cost of amodular multiplication computation while the computationcost of a modular inversion almost equals to that of amodular exponentiation Also the computation cost of a hashoperation almost equals to that of a modular multiplication
With the above assumptions the total computation costof users during withdrawal and payment phases of ourproposed scheme can be induced as 1452 times of a modularmultiplication computation while other works [9 13ndash1521 22 27 38ndash40] need 3375 1448 5534 966 1450 4804337 7468 5291 and 1449 times of a modular multiplicationcomputation to finish withdrawal and payment phases at theuser ends
According to [15] we assume the RSAparameters 119899 119901 119902
are 1024 512 and 512 bits respectively We adopt AES andSHA-1 as the symmetric cryotsystem and one-way hashfunction used in all protocols respectively therefore thesigned message and hash massage are in 128 and 160 bitsrespectively We assume the expiration date is in 32 bits
With the above assumptions we compute the commu-nication cost of each offline transaction withdrawal andpayment at the user side Our scheme needs 2048 bits forwithdrawing an e-cash and 6688 bits for spending an e-cashwhich is 1092 bytes for each transaction
The details of the comparisons are summarized inTable 1
6 Conclusion
In this paper we have presented earlier a provably secureoffline electronic cash scheme with an expiration date anda deposit date attached to it Besides we have also designedan e-cash renewal protocol where users can exchange theirunused and expired e-cash(s) for new ones more efficientlyCompared with other similar works our scheme is efficientfrom the aspect of considering computation cost of the userside and satisfying all security properties simultaneouslyExcept for anonymity unlinkability unforgeability and nodouble-spending we also formally prove that our schemeachieves conditional-traceability and no-swindling Not onlydoes our scheme help the bank to manage their hugedatabases against unlimited growth but also it strengthensthe preservation of usersrsquo privacy and rights as well
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was partially supported by the National Science Council of Taiwan under Grants NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.
References
[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.
[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.
[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.
[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.
[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.
[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.
[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man, and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.
[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.
[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.
[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.
[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.
[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.
[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.
[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.
The Scientific World Journal 19
[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.
[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.
[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.
[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology-CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.
[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.
[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.
[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.
[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.
[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.
[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.
[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.
[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology-CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.
[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.
[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
[32] S. Pearson, "Trusted computing platforms: the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.
[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.
[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs: White Paper, Mobile Platform Group, Intel Corporation, 2002.
[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.
[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.
[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.
[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.
[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.
[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.
[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.