Research Article

Date Attachable Offline Electronic Cash Scheme

Chun-I Fan, Wei-Zhe Sun, and Hoi-Tung Hau

Department of Computer Science and Engineering, National Sun Yat-sen University, Kaohsiung 80424, Taiwan

Correspondence should be addressed to Chun-I Fan; [email protected]

Received 15 January 2014; Accepted 26 February 2014; Published 18 May 2014

Academic Editors: T. Cao, M. Ivanovic, and F. Yu

Copyright © 2014 Chun-I Fan et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Hindawi Publishing Corporation, The Scientific World Journal, Volume 2014, Article ID 216973, 19 pages, http://dx.doi.org/10.1155/2014/216973

Electronic cash (e-cash) is definitely one of the most popular research topics in the e-commerce field. It is very important that e-cash be able to hold anonymity and accuracy in order to preserve the privacy and rights of customers. There are two types of e-cash in general, online e-cash and offline e-cash. Both systems have their own pros and cons, and they can be used to construct various applications. In this paper, we are the first to propose a provably secure and efficient offline e-cash scheme with date attachability based on the blind signature technique, where an expiration date and a deposit date can be embedded in an e-cash simultaneously. With the help of the expiration date, the bank can manage its huge database much more easily against unlimited growth, and since the deposit date cannot be forged, users are able to correctly calculate the amount of interest they will receive in the future. Furthermore, we offer security analysis and formal proofs for all essential properties of offline e-cash, which are anonymity control, unforgeability, conditional-traceability, and no-swindling.

1. Introduction

Due to the rapid growth of the Internet and communication developments, electronic commerce has become much more popular and widely used than ever [1–8]. Mobile telecommunications have been developed from 2G to 3.5G. Furthermore, LTE Advanced, 4G, and 5G are being brought to market in recent years. With the convenience of mobile networks, people can do shopping or make electronic payments using any device with network capability instead of leaving home. As a result, electronic commerce has been emphasized nowadays. Electronic cash (e-cash) is definitely one of the most popular research topics in electronic commerce. E-cash and traditional cash notes are very much alike, except that e-cash is digitized and used in Internet transactions; therefore, it is very important that e-cash be able to hold accuracy, privacy, and all other security concerns.

A typical e-cash system usually consists of payers (customers), payees (shops), and a bank. There are two types of e-cash in general, which are online e-cash [9–13] and offline e-cash [14–27]. An online e-cash system involves participation of the bank during transactions (the payment stage). The bank is able to check whether customers have double-spent the e-cash or not, and if so, it can terminate the transaction at once. Thus, the bank has to be online during every transaction, which may become a bottleneck of the system. On the other hand, the bank does not participate in the payment stage of offline e-cash systems; the double-spending check is only performed during the deposit stage. The bank is offline, but the system design is usually much more complicated than the online type and it may lead to a longer transaction time. Since both systems have their own pros and cons, they are used under different circumstances.

Extending online and offline e-cash systems, many e-cash schemes with other features have been proposed over the years. For instance, e-cash can be stored compactly such that the space to store it is much reduced [15, 16], e-cash can be generated by multiple authorities instead of one bank only [25], there are exact-payment e-cash [13] and recoverable e-cash which can be recovered when an e-cash is lost [26], and so on.

Based on the majority of the existing approaches, we summarize that a secure e-cash system should satisfy the following requirements.

(i) Anonymity: no one, except the judge, can obtain any information about the e-cash owner's identity from the contents of the e-cash.

(ii) Unlinkability: no one, except the judge, can link any e-cash payment contents.

(iii) Unforgeability: no one, except the bank, can generate a legal e-cash.

(iv) Double-spending control: banks should have the ability to check whether an e-cash is double-spent or not. No e-cash is allowed to be spent twice or more in an e-cash system.

(v) Conditional-traceability: the system should be able to trace and revoke the anonymity of users who violate any of the security rules, so that they will receive penalties.

(vi) No-swindling: no one, except the real owner, can spend a valid offline e-cash successfully.

In order to perform double-spending checks, banks have to store information about the e-cash in their database. Thus, the database of a bank grows in direct proportion to the number of e-cash withdrawn. Embedding an expiration date into each e-cash has been considered, since it helps the bank manage the database more easily. On the other hand, customers have to exchange their expired e-cash with the bank for new ones so as to keep the validity of the e-cash. Furthermore, customers receive interest from banks after cash is deposited. In order to guarantee that customers receive the right amount of interest, it is necessary for customers to attach the deposit date to their e-cash, and the date must not be modifiable by anyone else [11]. So far there are a number of online e-cash schemes with an expiration date attached [9, 11, 28]. However, there are very few offline approaches [21].

In this paper, we propose an efficient date attachable offline e-cash scheme and provide formal proofs of its essential properties in the random oracle model. Considering practical needs, we are the first to embed two kinds of date, the expiration date and the deposit date, into an offline e-cash. Moreover, we offer an e-cash renewal protocol in our scheme (Section 3.2.5): users can exchange their unused, expired e-cash for a new one with a valid expiration date more efficiently. Compared with other similar works, our scheme is efficient in terms of computation cost.

The rest of this paper is organized as follows. In Section 2 we briefly review the techniques employed throughout our scheme. Our proposed scheme is described in detail in Section 3. Security proofs and analysis are covered in Section 4. Feature and performance comparisons are made in Section 5, and the conclusion is given in Section 6.

2. Preliminaries

In this section we briefly review the techniques used in our date attachable offline e-cash scheme.

2.1. Chaum's Blind Signature Scheme. Blind signatures were first introduced by Chaum [29] and have been widely used in e-cash protocols ever since. The signer is not able to view the content of the message while he or she is signing it. Afterwards, the user obtains the message together with the signer's signature by unblinding the signed message. The protocol is described as follows.

(1) Initialization. The signer randomly chooses two distinct large primes $p$ and $q$, then computes $n = pq$ and $\phi(n) = (p-1)(q-1)$. Afterwards, the signer selects two integers $e$ and $d$ at random such that $ed \equiv 1 \pmod{\phi(n)}$. Finally, the signer publishes the public parameters $(e, n)$ and a one-way hash function $H$.

(2) User → Signer: $\alpha$. The user chooses a message $m$ and a random integer $r \in \mathbb{Z}_n^*$, then blinds the message by computing $\alpha = r^{e} H(m) \bmod n$ and sends it to the signer.

(3) Signer → User: $t$. After receiving $\alpha$, the signer signs it with his or her private key $d$ and sends it back to the user. The signed message is $t = \alpha^{d} \bmod n$.

(4) Unblinding. After receiving $t$ from the signer, the user unblinds it by computing $s = r^{-1} t \bmod n$. The signature-message pair is $(s, m)$.

(5) Verification. The pair $(s, m)$ can be verified by checking whether $s^{e} \equiv H(m) \pmod{n}$ holds.
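As an added illustration of the five steps above (example code written for this page, not from the paper), the following Python runs Chaum's RSA blind signature end to end. It assumes toy Mersenne-prime RSA parameters and SHA-256 reduced into $\mathbb{Z}_n^*$ as the one-way hash $H$; both are this example's choices and are far too small for real use.

```python
import hashlib
from math import gcd

# Toy RSA parameters (constructed for this example; real deployments use
# 2048-bit or larger primes). 2^61-1 and 2^31-1 are Mersenne primes.
P, Q = 2**61 - 1, 2**31 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                      # public exponent, coprime to PHI
D = pow(E, -1, PHI)            # private exponent, E*D = 1 (mod PHI)


def H(msg: bytes) -> int:
    """One-way hash into Z*_N: SHA-256 reduced mod N, nudged past any value
    sharing a factor with N (vanishingly unlikely, but keeps inversion safe)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    while gcd(h, N) != 1:
        h += 1
    return h


def blind(msg: bytes, r: int) -> int:
    """Step (2): alpha = r^e * H(m) mod n, with r the user's blinding factor in Z*_N."""
    assert gcd(r, N) == 1
    return pow(r, E, N) * H(msg) % N


def sign_blinded(alpha: int) -> int:
    """Step (3): the signer raises the blinded value to the private exponent, t = alpha^d mod n.
    The signer sees only alpha, never msg."""
    return pow(alpha, D, N)


def unblind(t: int, r: int) -> int:
    """Step (4): s = r^{-1} * t mod n strips the blinding factor."""
    return pow(r, -1, N) * t % N


def verify(sig: int, msg: bytes) -> bool:
    """Step (5): accept iff s^e = H(m) (mod n)."""
    return pow(sig, E, N) == H(msg)


def demo(msg: bytes = b"coin#0001", r: int = 123456789):
    """Run one full blind-signing round and return (signature, verification result)."""
    alpha = blind(msg, r)
    t = sign_blinded(alpha)
    s = unblind(t, r)
    return s, verify(s, msg)
```

Unblinding works because $t = (r^{e} H(m))^{d} = r\,H(m)^{d} \bmod n$, so multiplying by $r^{-1}$ leaves $H(m)^{d}$, the ordinary RSA signature on the hash; the signer's view $\alpha$ is uniformly distributed over $\mathbb{Z}_n^*$ for a random $r$ and therefore reveals nothing about $m$.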

2.2. Chameleon Hashing Based on Discrete Logarithm. Chameleon hashing was proposed by Krawczyk and Rabin [30]. The chameleon hash function is associated with a one-time public-private key pair; it is a collision-resistant function except for users who own a trapdoor for finding collisions. Any user who knows the public key can compute the hash, and for those who do not know the private key (trapdoor) it is impossible to find any two inputs which lead to the same hash output. On the contrary, any user who knows the trapdoor can find a collision for given inputs. The construction of the chameleon hash based on discrete logarithm is described as follows.

(1) Setup.

(i) $p, q$: two large primes such that $p = kq + 1$.

(ii) $g$: an element of order $q$ in $\mathbb{Z}_p^*$.

(iii) $x$: private key in $\mathbb{Z}_q^*$.

(iv) $y$: public key, where $y = g^{x} \bmod p$.

(2) The function. A message $m \in \mathbb{Z}_q^*$ is given and a random integer $r \in \mathbb{Z}_q^*$ is chosen. The hash is defined as $\text{cham-hash}_y(m, r) = g^{m} y^{r} \bmod p$.

(3) Collision. A user who knows $x$ is able to find a collision of the hash for any given $m, m'$ such that $\text{cham-hash}_y(m, r) = \text{cham-hash}_y(m', r')$: the user derives $r'$ from the equation $m + xr = m' + xr' \pmod{q}$.
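The setup, function and collision steps above, as an added Python example (written for this page, not taken from the paper). It assumes the constructed toy parameters $p = 1019$, $q = 509$ (a safe prime, so $p = 2q + 1$) and $g = 2^2 \bmod p$, which has order $q$; the trapdoor $x$ and the inputs are fixed sample values.

```python
# Constructed toy discrete-log parameters: p = 2q + 1 is a safe prime, so every
# quadratic residue other than 1 has order q. Far too small for real use.
P, Q = 1019, 509
G = pow(2, 2, P)          # g = 4, an element of order q in Z*_p
assert G != 1 and pow(G, Q, P) == 1

X = 123                   # trapdoor (private key) in Z*_q, fixed for the example
Y = pow(G, X, P)          # public key y = g^x mod p


def cham_hash(y: int, m: int, r: int) -> int:
    """cham-hash_y(m, r) = g^m * y^r mod p; anyone holding y can evaluate it."""
    return pow(G, m, P) * pow(y, r, P) % P


def find_collision(x: int, m: int, r: int, m_new: int) -> int:
    """Trapdoor holder: solve m + x*r = m_new + x*r_new (mod q) for r_new.
    Since y^r = g^{x r}, the exponent m + x r is all that the hash depends on."""
    return ((m - m_new) * pow(x, -1, Q) + r) % Q


def is_collision(y: int, m: int, r: int, m2: int, r2: int) -> bool:
    """True when two distinct inputs hash to the same value under y."""
    return (m, r) != (m2, r2) and cham_hash(y, m, r) == cham_hash(y, m2, r2)
```

Without $x$, producing a second preimage for a given output would require solving $m + xr \equiv m' + xr' \pmod{q}$ for an unknown $x$, i.e. a discrete logarithm of $y$; with $x$ it is one modular inversion.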


3. The Proposed Date Attachable Offline Electronic Cash Scheme

In this section we introduce a new date attachable offline e-cash scheme. Considering the issues mentioned in Section 1, we propose a secure offline e-cash scheme with two specific kinds of date attached to the e-cash, which are the expiration date and the deposit date.

3.1. Outline of the Proposed Scheme. Here we briefly describe the procedures of our scheme. The proposed scheme contains four protocols: the withdrawal protocol, the payment protocol, the deposit protocol, and the e-cash renewal protocol. A user withdraws an e-cash with an expiration date attached to it from the bank. A trusted computing platform (i.e., a judge device) [31, 32], as stated in the proposed scheme, is installed in the bank to hold the identity information of all users, and it further helps trace users when needed. It is impossible for anyone except the judge to obtain any information embedded in the device [33]. Nowadays a judge device can be implemented by the technique of the Trusted Platform Module (TPM) [32, 34] in practice.

Before an e-cash is deposited, the depositor attaches the deposit date to the e-cash and sends it to the bank during the deposit stage. When the bank receives an e-cash, it performs a double-spending check to verify whether the e-cash has been doubly spent. The bank can derive the secret parameters of a user who double-spends and let the judge revoke the anonymity of that user. Besides, when an unused e-cash has expired, the user is able to exchange it for a new one with a new expiration date. In our scheme, for efficiency, some of the unused parameters of users can remain unchanged while exchanging for a new valid e-cash. In the following sections we describe our scheme in detail.

3.2. The Proposed Scheme. Firstly, we define some notation as follows.

(1) $H_1, H_2, H_3$: three one-way hash functions, $H_1, H_2, H_3 : \{0,1\}^* \to \{0,1\}^{n}$.

(2) $H_4, H_5$: two one-way hash functions, $H_4, H_5 : \{0,1\}^* \to \{0,1\}^{q}$.

(3) $E_x / D_x$: a secure symmetric cryptosystem. Plaintext is both encrypted and decrypted with a symmetric key $x$.

(4) $E_{pk} / D_{sk}$: a secure asymmetric cryptosystem. Plaintext is encrypted with a public key $pk$ and decrypted with the corresponding private key $sk$.

(5) $(pk_j, sk_j)$: the public-private key pair of the judge.

(6) $(e_b, d_b)$: the public-private key pair of the bank.

(7) $Date$: expiration date. It represents the effective spending date of a withdrawn e-cash. Any e-cash withdrawn in the same period will have the same expiration date, and vice versa.

(8) $\mathrm{ID}_c$: the identity of user $C$.

(9) $l_k, l_r$: the security parameters.

(10) A judge device: a tamper-resistant device which is issued by the judge. It is installed into the system of the bank. It is impossible to intercept or modify any information stored in the device.

3.2.1. Initialization. Initially, the bank randomly chooses two distinct large primes $(p_b, q_b)$ and computes the RSA parameter $n_b = p_b q_b$. It selects an integer $e_b$ at random such that $\gcd(\phi(n_b), e_b) = 1$, where $\phi(n_b) = (p_b - 1)(q_b - 1)$ and $1 < e_b < \phi(n_b)$. Then it finds a $d_b$ such that $e_b d_b \equiv 1 \pmod{\phi(n_b)}$. Secondly, it also chooses two other large primes $p$ and $q$ and two generators $g_1$ and $g_2$ of order $q$ in $\mathbb{Z}_p^*$. Then the bank publishes $(n_b, e_b, p, q, g_1, g_2, pk_j, H_1, H_2, H_3, H_4, H_5, E, D, E, D)$. Meanwhile, the judge embeds $(n_b, e_b, p, q, g_1, g_2, pk_j, sk_j, H_1, H_2, H_3, H_4, H_5, E, D, E, D)$ into a judge device and issues it to the bank.

3.2.2. Withdrawal Protocol. Users run the withdrawal protocol with the bank to get an e-cash, as shown in Figure 1; yet the bank has to obtain information on the user's identity, such as $\mathrm{ID}_c$ or an account number, before the withdrawal protocol proceeds. Therefore, users should perform an authentication with the bank beforehand. Users can execute the withdrawal protocol on any device that has the ability to compute and connect to the network. For instance, users can use mobile phones or computers to perform the withdrawal protocol and store the withdrawn e-cash. The detailed steps of the protocol are as follows.

(1) Bank → User: $D$. Firstly, the user prepares parameters for withdrawing an e-cash. The user chooses integers $a, x_1, x_2, r_1, r_2$, and $r_3$ at random, where $a \in_R \mathbb{Z}_{n_b}^*$ and $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q-1\}$, and selects a string $k \in_R \{0,1\}^{l_k}$ randomly. The user then computes $(y_1, w_1, y_2, w_2)$, where $y_i = g_i^{x_i} \bmod p$ and $w_i = g_i^{r_i} \bmod p$ for $i = 1, 2$. Secondly, the bank computes the parameters for the expiration date. It randomly chooses an $r \in \mathbb{Z}_n^*$ and prepares $D = Date \| r$ for some expiration date $Date$. The bank sends $D$ to the user when he or she requests to withdraw an e-cash.

(2) User → Bank: $(\alpha, \epsilon)$. After receiving $D$, the user prepares $\epsilon = E_{pk_j}(k \| \mathrm{ID}_c)$ and
$$\alpha = \left[ a^{e_b} H_1^{2}(m \| D) \right]^{-1} \bmod n_b, \quad (1)$$
where $m = (y_1 \| w_1 \| y_2 \| w_2 \| r_3)$. Finally, the user sends $(\alpha, \epsilon)$ to the bank.

(3) Bank → Judge device: $(\epsilon, \mu, D)$. The bank sets $\mu = \mathrm{ID}_c$, where $\mathrm{ID}_c$ is the identity of user $C$, and inputs it together with $\epsilon$ and $D$ to the judge device.

Figure 1: Withdrawal protocol (message flow among the User, the Bank, and the Judge device).

(4) Judge device → Bank: $(\beta, E_k(b \| \sigma \| r_j))$. The judge device decrypts $\epsilon$ and checks whether $\mu = \mathrm{ID}_c$. If not, it returns "ID error" to the bank; otherwise it picks a random integer $b \in_R \mathbb{Z}_{n_b}^*$ and a string $r_j \in_R \{0,1\}^{l_{r_j}}$ randomly. Then it computes $\sigma = E_{pk_j}(\mu \| r_j)$ and
$$\beta = \left[ b^{e_b} H_3(\sigma \| D) \right]^{-1} \bmod n_b. \quad (2)$$
Finally, it encrypts $(b, \sigma, r_j)$ using the symmetric key $k$ and outputs the result together with $\beta$ to the bank.

(5) Bank → User: $(t, E_k(b \| \sigma \| r_j))$. After receiving $(\beta, E_k(b \| \sigma \| r_j))$ from the judge device, the bank computes
$$t = \left( \alpha \beta H_2(D) \right)^{d_b} \bmod n_b \quad (3)$$
and sends $(t, E_k(b \| \sigma \| r_j))$ to the user.

(6) Verifications. After receiving $(t, E_k(b \| \sigma \| r_j))$, the user firstly decrypts the ciphertext using the symmetric key $k$ in order to obtain $(b, \sigma, r_j)$. Secondly, he or she checks whether his or her ID is embedded correctly by testing whether $\sigma = E_{pk_j}(\mathrm{ID}_c \| r_j)$ holds. Thirdly, he or she computes
$$s = a b t \bmod n_b \quad (4)$$
and verifies $s$ by checking whether
$$s^{e_b} H_1^{2}(m \| D) H_3(\sigma \| D) \equiv H_2(D) \pmod{n_b} \quad (5)$$
holds. Finally, when all verifications pass, the user obtains the e-cash tuple $(s, m, \sigma, D)$ and stores $(x_1, x_2, r_1, r_2)$ for further payment usage.
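To make the three-party withdrawal concrete, here is an added Python walk-through of steps (1) to (6) (example code written for this page, not the authors' implementation). It assumes toy Mersenne-prime RSA keys for the bank and the judge, the small group $p = 1019$, $q = 509$ for the commitments $y_i, w_i$, SHA-256 with domain tags as $H_1, H_2, H_3$, deterministic textbook RSA as the judge's $E_{pk_j}$ (so that the user can recompute $\sigma = E_{pk_j}(\mathrm{ID}_c \| r_j)$ as step (6) requires), and a SHA-256-keystream XOR as the symmetric $E_k$. All of these are placeholders chosen for the example, and the fixed values of $a, k, b, r_j$ and the $x_i, r_i$ stand in for the random choices.

```python
import hashlib
from math import gcd

# Constructed toy parameters (Mersenne primes; far too small for real use).
P_B, Q_B = 2**61 - 1, 2**31 - 1                     # bank's RSA primes p_b, q_b
N_B, E_B = P_B * Q_B, 65537                         # n_b = p_b q_b, public e_b
D_B = pow(E_B, -1, (P_B - 1) * (Q_B - 1))           # e_b d_b = 1 (mod phi(n_b))
P_J, Q_J = 2**89 - 1, 2**107 - 1                    # judge's RSA primes
N_J, PK_J = P_J * Q_J, 65537
SK_J = pow(PK_J, -1, (P_J - 1) * (Q_J - 1))
P, Q = 1019, 509                                    # p = 2q + 1, so squares have order q
G1, G2 = pow(2, 2, P), pow(3, 2, P)                 # generators g_1, g_2 of order q


def H(tag, *parts):
    """H_1, H_2, H_3: one SHA-256 instance with a domain tag, mapped into Z*_{n_b}."""
    data = tag.encode() + b"|" + b"|".join(str(x).encode() for x in parts)
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % N_B
    while gcd(h, N_B) != 1:        # keep every hash value invertible mod n_b
        h += 1
    return h


def enc_judge(plain):              # E_{pk_j}: deterministic textbook RSA (assumption)
    return pow(plain, PK_J, N_J)


def dec_judge(cipher):             # D_{sk_j}
    return pow(cipher, SK_J, N_J)


def sym(key, *vals):               # E_k = D_k: XOR each value with a SHA-256 keystream (assumption)
    return tuple(v ^ int.from_bytes(hashlib.sha256(f"{key}|{i}".encode()).digest(), "big")
                 for i, v in enumerate(vals))


def user_blind(id_c, a, k, x1, x2, r1, r2, r3, D):
    """Steps (1)-(2), user side: commitments m, epsilon = E_{pk_j}(k||ID_c), alpha (eq. 1)."""
    m = (pow(G1, x1, P), pow(G1, r1, P), pow(G2, x2, P), pow(G2, r2, P), r3)
    eps = enc_judge((k << 32) | id_c)               # k in 64 bits, ID_c in 32 bits
    alpha = pow(pow(a, E_B, N_B) * pow(H("H1", *m, D), 2, N_B), -1, N_B)
    return m, eps, alpha


def judge_device(eps, mu, D, b, r_j):
    """Step (4): check the bank-supplied identity, bind it into sigma, compute beta (eq. 2)."""
    plain = dec_judge(eps)
    k, id_c = plain >> 32, plain & 0xFFFFFFFF
    if id_c != mu:
        raise ValueError("ID error")
    sigma = enc_judge((mu << 64) | r_j)             # E_{pk_j}(mu || r_j)
    beta = pow(pow(b, E_B, N_B) * H("H3", sigma, D), -1, N_B)
    return beta, sym(k, b, sigma, r_j)


def bank_sign(alpha, beta, D):
    """Step (5): t = (alpha * beta * H_2(D))^{d_b} mod n_b (eq. 3)."""
    return pow(alpha * beta * H("H2", D), D_B, N_B)


def verify_coin(s, m, sigma, D):
    """Eq. (5): s^{e_b} H_1^2(m||D) H_3(sigma||D) == H_2(D) (mod n_b)."""
    lhs = pow(s, E_B, N_B) * pow(H("H1", *m, D), 2, N_B) * H("H3", sigma, D) % N_B
    return lhs == H("H2", D)


def user_finish(id_c, k, a, m, D, t, ciphertext):
    """Step (6): recover (b, sigma, r_j), check sigma embeds ID_c, unblind s (eq. 4), verify (eq. 5)."""
    b, sigma, r_j = sym(k, *ciphertext)
    if sigma != enc_judge((id_c << 64) | r_j):
        return None
    s = a * b * t % N_B
    return (s, m, sigma, D) if verify_coin(s, m, sigma, D) else None


def withdraw(id_c=0xC0FFEE, bad_mu=None):
    """Run one withdrawal with fixed (constructed) randomness; returns the e-cash tuple."""
    D = "2014-12-31|987654321"                       # D = Date || r
    a, k = 123456789, 0x1234567890ABCDEF
    m, eps, alpha = user_blind(id_c, a, k, x1=17, x2=23, r1=101, r2=202, r3=303, D=D)
    mu = id_c if bad_mu is None else bad_mu          # bad_mu simulates a wrong identity from the bank
    beta, ct = judge_device(eps, mu, D, b=42424242, r_j=0xFEEDFACE)
    t = bank_sign(alpha, beta, D)
    return user_finish(id_c, k, a, m, D, t, ct)


def judge_rejects(bad_mu):
    """True when the judge device refuses a mismatched identity with 'ID error'."""
    try:
        withdraw(bad_mu=bad_mu)
        return False
    except ValueError:
        return True
```

Equation (5) holds because $s^{e_b} = a^{e_b} b^{e_b} \alpha \beta H_2(D) = H_2(D) / (H_1^{2}(m \| D)\, H_3(\sigma \| D)) \pmod{n_b}$; the bank signs $\alpha\beta H_2(D)$ without ever seeing $m$, and only the judge device, which holds $sk_j$, can open $\epsilon$ or $\sigma$.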

3.2.3. Payment Protocol. When a user has to spend the e-cash, he or she performs the protocol shown in Figure 2. The steps of the protocol are described as follows.

(1) User → Shop: $(s, m, \sigma, D, x_2, r_2)$. The user sends $(s, m, \sigma, D, x_2, r_2)$ to the shop, where $D$ contains the expiration date of the e-cash.

Figure 2: Payment protocol (message flow between the User and the Shop).

(2) Shop → User: $r_s$. The shop first checks $D$ to verify whether the e-cash is still within its expiration date. If not, it terminates the transaction. Otherwise it continues to verify $s^{e_b} H_1^{2}(m \| D) H_3(\sigma \| D) \equiv H_2(D) \pmod{n_b}$. If this is not valid, the protocol is aborted; otherwise the shop selects a string $r'_s \in_R \{0,1\}^{l_{r_j}}$ and sets a challenge $r_s = (\mathrm{ID}_s \| r'_s)$, where $\mathrm{ID}_s$ is the identity of the shop. Finally, it sends $r_s$ to the user.

(3) User → Shop: $(s', r_u)$. After receiving $r_s$ from the shop, the user randomly selects $r_u \in_R \mathbb{Z}_q^*$ and computes a response to the challenge
$$s' = (r_1 - u x_1) \bmod q, \quad (6)$$
where $u = H_4(r_u \| r_s)$. Then the user sends $(s', r_u)$ to the shop.

(4) Verifications. After receiving $(s', r_u)$ from the user, the shop verifies whether $w_1 = y_1^{H_4(r_u \| r_s)} g_1^{s'} \pmod{p}$ holds. If it does, the shop accepts the e-cash; otherwise the shop rejects it. Since it is an offline e-cash, the shop does not have to deposit it to the bank immediately. It can store the e-cash and deposit it later together with other received e-cash.

3.2.4. Deposit Protocol. As Figure 3 shows, shops attach the deposit date to their e-cash and deposit them to the bank in this protocol. The bank performs double-spending checks when it receives these e-cash. If any e-cash is double-spent, the bank revokes the anonymity of the e-cash owner with the help of the judge. The steps are described in detail as follows.

(1) Shop → Bank: $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$. The shop computes $r_4 = r_2 - x_2 H_5(d)$, where $d$ is the deposit date, and sends $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$ to the bank.

(2) Verifications. Firstly, the bank checks the correctness of the expiration date $D$ and the deposit date $d$, respectively, and also checks whether
$$w_2 = y_2^{H_5(d)} g_2^{r_4} \bmod p, \qquad w_1 = y_1^{H_4(r_u \| r_s)} g_1^{s'} \bmod p \quad (7)$$
hold. Secondly, the bank verifies whether $s^{e_b} H_1^{2}(m \| D) H_3(\sigma \| D) \equiv H_2(D) \pmod{n_b}$ and checks the uniqueness of $(s, m, \sigma, D)$. Finally, if all of the above facts are verified successfully, the bank accepts and stores the e-cash in its database and records $H_1(m \| D)$ in the exchange list. Otherwise it rejects this transaction and traces the owner of the e-cash.

3.2.5. E-Cash Renewal Protocol. In order to reduce the problem of unlimited database growth at the bank, our scheme has an expiration date and a renewal protocol, as shown in Figure 4. When an unused e-cash has expired, the user has to exchange it for another e-cash with a new expiration date from the bank.

(1) User → Bank: $(s, \rho, \sigma, D)$. The user recalls $m = (y_1 \| w_1 \| y_2 \| w_2 \| x_2 \| r_3)$ and prepares
$$\rho = H_1(m \| D) \quad (8)$$
and sends it together with the unused $(s, \sigma, D)$ to the bank.

(2) Verifications. Firstly, the bank checks the correctness of the expiration date $D$ and makes sure $\rho$ does not exist in the exchange list. Secondly, the bank verifies whether $s^{e_b} H_1(\rho) H_3(\sigma \| D) \equiv H_2(D) \pmod{n_b}$. Finally, if all of the above facts are verified successfully, the bank will accept to

Figure 3: Deposit protocol (message flow between the Shop and the Bank).

Figure 4: E-cash renewal protocol (message flow between the User and the Bank).

exchange the e-cash. It sends a new expiration date $D'$ and stores $\rho$ in the exchange list. Otherwise it rejects the exchange request.

(3) User → Bank: (blinded value, $\epsilon$). The user computes the blinded value
$$\left[ a^{e_b} H_1^{2}(m' \| D') \right]^{-1} \bmod n_b, \quad (9)$$
where $m' = (y_1 \| w_1 \| y_2 \| w_2 \| x_2 \| r'_3)$, $r'_3$ is a random number, and $D'$ is the new expiration date issued by the bank. The user sends the blinded value together with $\epsilon$ and $\mathrm{ID}_c$ to the bank. Then the bank repeats the withdrawal protocol of Section 3.2.2 from Step 2 with the user.

3.2.6. Double-Spending Checking and Anonymity Control. In our scheme the identities of users are anonymous in general, except when users violate any security rule, in which case their identities are revealed.

(1) Double-Spending Checking. When an e-cash is doubly spent, there must be two e-cash records with the same prefix $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$ stored in the database of the

Figure 5: The game environment of the linkage game (honest users $U_0$ and $U_1$, a random bit $b$, and the bank $\mathcal{B}$, which receives $(m_b, \sigma_b)$ and $(m_{1-b}, \sigma_{1-b})$ and outputs a guess $b'$; $\mathcal{B}$ wins if $b' = b$, and $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = |2\Pr[b' = b] - 1|$).

bank. Therefore, the bank is able to detect any double-spent e-cash easily by checking the above parameters. For instance, suppose the bank has received two e-cash records
$$(s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, s', r_u, r_s), \qquad (s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, s', r_u, r_s). \quad (10)$$
Thus the bank can obtain two equations as follows:
$$s' \equiv r_1 - H_4(r_u \| r_s)\, x_1 \pmod{q}, \qquad s' \equiv r_1 - H_4(r_u \| r_s)\, x_1 \pmod{q}. \quad (11)$$
The bank can derive $(x_1, r_1)$ from the above equations and send $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ to the judge to trace the owner of the e-cash.

(2) Revocation. The judge can trace any user who doubly spends e-cash or violates any transaction regulation. When the judge receives $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ from the bank, it checks the following equations:
$$s^{e_b} H_1^{2}(m \| D) H_3(\sigma \| D) \equiv H_2(D) \pmod{n_b}, \qquad y_1 \equiv g_1^{x_1} \pmod{p}, \qquad w_1 \equiv g_1^{r_1} \pmod{p}. \quad (12)$$
If all of the above equalities hold, the judge decrypts $\sigma$ and returns the extracted $\mathrm{ID}_c$ to the bank.
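The payment (Section 3.2.3), deposit (Section 3.2.4) and double-spending steps above reduce to three Schnorr-style relations over the group $(p, q, g_1, g_2)$. The following added Python example (written for this page, not the paper's code) runs them on constructed values: one coin is spent at two shops, both transcripts are deposited, the bank solves the pair of equations (11) for $(x_1, r_1)$, and the judge applies the discrete-logarithm checks of equation (12). It assumes the toy group $p = 1019$, $q = 509$ and SHA-256 reduced into $\mathbb{Z}_q$ as $H_4$ and $H_5$; the RSA signature check of the coin is left out here, and the shop identities, $r'_s$ values and deposit date are constructed strings.

```python
import hashlib

# Constructed toy group (far too small for real use): p = 2q + 1, so any square
# other than 1 has order q. g_1, g_2 play the paper's two generators of order q.
P, Q = 1019, 509
G1, G2 = pow(2, 2, P), pow(3, 2, P)


def Hq(tag, *parts):
    """H_4, H_5: domain-tagged SHA-256 reduced into Z_q."""
    data = (tag + "|" + "|".join(map(str, parts))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def commitments(x1, r1, x2, r2):
    """The public part of m fixed at withdrawal: y_i = g_i^{x_i}, w_i = g_i^{r_i} (mod p)."""
    return {"y1": pow(G1, x1, P), "w1": pow(G1, r1, P),
            "y2": pow(G2, x2, P), "w2": pow(G2, r2, P)}


def user_response(x1, r1, r_u, r_s):
    """Payment step (3), eq. (6): s' = (r_1 - u x_1) mod q with u = H_4(r_u || r_s)."""
    return (r1 - Hq("H4", r_u, r_s) * x1) % Q


def shop_verifies(pub, s_p, r_u, r_s):
    """Payment step (4): w_1 == y_1^{H_4(r_u||r_s)} g_1^{s'} (mod p)."""
    u = Hq("H4", r_u, r_s)
    return pub["w1"] == pow(pub["y1"], u, P) * pow(G1, s_p, P) % P


def deposit_tag(x2, r2, d):
    """Deposit step (1): r_4 = r_2 - x_2 H_5(d), binding the deposit date d to the coin."""
    return (r2 - x2 * Hq("H5", d)) % Q


def bank_checks_deposit(pub, r4, d, s_p, r_u, r_s):
    """Deposit step (2), eq. (7): both relations must hold before the coin is stored."""
    ok_w2 = pub["w2"] == pow(pub["y2"], Hq("H5", d), P) * pow(G2, r4, P) % P
    return ok_w2 and shop_verifies(pub, s_p, r_u, r_s)


def recover_secrets(t1, t2):
    """Section 3.2.6 (1): two transcripts (s', r_u, r_s) of one coin give eq. (11);
    solving the pair yields (x_1, r_1). Returns None if the two challenges coincide."""
    (s1, ru1, rs1), (s2, ru2, rs2) = t1, t2
    u1, u2 = Hq("H4", ru1, rs1), Hq("H4", ru2, rs2)
    if u1 == u2:
        return None
    x1 = (s1 - s2) * pow((u2 - u1) % Q, -1, Q) % Q       # s1 - s2 = (u2 - u1) x1
    r1 = (s1 + u1 * x1) % Q
    return x1, r1


def judge_checks(pub, x1, r1):
    """Revocation, the discrete-log part of eq. (12): y_1 == g_1^{x_1}, w_1 == g_1^{r_1} (mod p)."""
    return pub["y1"] == pow(G1, x1, P) and pub["w1"] == pow(G1, r1, P)


def double_spend_demo(x1=17, r1=101, x2=23, r2=202):
    """Spend one coin at two shops, deposit both, and let the bank recover (x_1, r_1)."""
    pub = commitments(x1, r1, x2, r2)
    r_s_a, r_s_b = "shopA|9a8b7c", "shopB|1f2e3d"      # r_s = ID_s || r'_s (constructed)
    ru_a = 77
    # second spend: pick r_u so that the challenge differs (an honest shop's fresh r'_s
    # makes this automatic with overwhelming probability)
    ru_b = next(r for r in range(1, Q) if Hq("H4", r, r_s_b) != Hq("H4", ru_a, r_s_a))
    ta = (user_response(x1, r1, ru_a, r_s_a), ru_a, r_s_a)
    tb = (user_response(x1, r1, ru_b, r_s_b), ru_b, r_s_b)
    assert shop_verifies(pub, *ta) and shop_verifies(pub, *tb)
    d = "2014-06-30"
    r4 = deposit_tag(x2, r2, d)
    assert bank_checks_deposit(pub, r4, d, *ta) and bank_checks_deposit(pub, r4, d, *tb)
    secrets = recover_secrets(ta, tb)                    # same coin prefix seen twice
    return secrets, judge_checks(pub, *secrets)
```

A single honest spend reveals only $s' = r_1 - u x_1$, one equation in two unknowns, so $x_1$ stays hidden; the second transcript with a different $u$ is exactly what turns it into a solvable system, which is why a fresh shop challenge $r'_s$ matters for the detection to work.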

4. Security Proofs

In this section, we provide security definitions and formal proofs of the following security features of our proposed date attachable offline electronic cash scheme (DAOECS): unlinkability, unforgeability, traceability, and no-swindling.

4.1. E-Cash Unlinkability. Based on the definition of unlinkability introduced by Abe and Okamoto [35] and Juels et al. [36], we formally define the unlinkability property of DAOECS.

Definition 1 (The Linkage Game). Let $U_0$, $U_1$, and $J$ be two honest users and the judge that follow DAOECS, respectively. Let $B$ be the bank that participates in the following game with $U_0$, $U_1$, and $J$. The game environment is shown in Figure 5.

Step 1. According to DAOECS, $B$ generates the bank's public key $(e_b, n_b)$, the bank's private key $(d_b, p_b, q_b)$, the system parameters $(p, q, g_1, g_2)$, the expiration date $D$, and the five public one-way hash functions $H_1$, $H_2$, $H_3$, $H_4$, and $H_5$. $J$ generates the judge's public-private key pair $(pk_j, sk_j)$.

Step 2. $B$ generates $x_{1i}, x_{2i}, r_{1i}, r_{2i}, r_{3i}$ at random, where $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q-1\}$, and computes $(y_{ki}, w_{ki})$ for $k = 1, 2$ and $i = 0, 1$, where $y_{ki} = g_k^{x_{ki}} \bmod p$ and $w_{ki} = g_k^{r_{ki}} \bmod p$.

Step 3. We choose a bit $b \in \{0, 1\}$ randomly and place $(y_{1b}, w_{1b}, y_{2b}, w_{2b})$ and $(y_{1,1-b}, w_{1,1-b}, y_{2,1-b}, w_{2,1-b})$ on the private input tapes of $U_0$ and $U_1$, respectively, where $b$ is not disclosed to $B$.

Step 4. $B$ performs the withdrawal protocol of DAOECS with $U_0$ and $U_1$, respectively.

Step 5. If $U_0$ and $U_1$ output two e-cash(s) $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$, where $m_i = (y_{1i}, w_{1i}, y_{2i}, w_{2i}, r_{3i})$, on their private tapes, respectively, we give the two e-cash(s) in a random order to $B$; otherwise, $\perp$ is given to $B$.


Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_A(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \leftarrow A^{O_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s_i^{e_b} H_1^2(m_i)\, H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell+1\}$;
    (ii) $m_1, \ldots, m_{\ell+1}$ are all distinct;
  else return 0.

Algorithm 1: Experiment FG-1.

Step 6. $B$ outputs $b' \in \{0, 1\}$ as the guess of $b$. The bank $B$ wins the game if $b' = b$ and $J$ has not revoked the anonymity of $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$ to $B$. We define the advantage of $B$ as

$\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(B) = \left|\, 2\Pr[b' = b] - 1 \,\right|$,   (13)

where $\Pr[b' = b]$ denotes the probability of $b' = b$.

Definition 2 (Unlinkability). A DAOECS satisfies the unlinkability property if and only if the advantage $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(B)$ defined in Definition 1 is negligible.

Theorem 3. A DAOECS satisfies the unlinkability property of Definition 2 if the adopted cryptosystems are semantically secure.

Proof. If $B$ is given $\perp$ in Step 5 of the game, it will determine $b$ with probability $1/2$, which is exactly the same as a random guess of $b$.

Here we assume that $B$ gets two e-cash(s) $(s_0, m_0, \sigma_0, D_0)$ and $(s_1, m_1, \sigma_1, D_1)$. Let $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$, $i \in \{0, 1\}$, be the view of the data exchanged between $U_i$ and $B$ in the withdrawal protocol (Section 3.2.2), and let $(x_{2i}, r_{2i}, r_{4i}, r_{ui}, r_{si}, s'_i, d_i)$ be the view of the data exchanged when $B$ performs the payment protocol (Section 3.2.3) and the deposit protocol (Section 3.2.4) by using $(s_i, m_i, \sigma_i, D_i)$, where $i \in \{0, 1\}$. For

$(s, m, \sigma, D, x_2, r_2, r_4, r_u, r_s, s', d) \in \{(s_0, m_0, \sigma_0, D_0, x_{20}, r_{20}, r_{40}, r_{u0}, r_{s0}, s'_0, d_0),\ (s_1, m_1, \sigma_1, D_1, x_{21}, r_{21}, r_{41}, r_{u1}, r_{s1}, s'_1, d_1)\}$   (14)

and $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$, $i \in \{0, 1\}$, there always exists a pair $(a'_i, b'_i)$ such that

$a'_i = [\alpha_i H_1^2(m, D)]^{-d_b} \bmod n_b$  (via (1)),
$b'_i = [\beta_i H_3(\sigma, D)]^{-d_b} \bmod n_b$  (via (2)).   (15)

And from (3), $t_i \equiv (\alpha_i \beta_i H_2(D))^{d_b} \pmod{n_b}$, so (4) always holds, as

$s \equiv (a'_i b'_i t_i) \equiv \left[(H_1^2(m, D)\, H_3(\sigma, D))^{-1} H_2(D)\right]^{d_b} \pmod{n_b}$.   (16)

Besides, $E_{pk_j}$ and $E_{k_i}$ are semantically secure encryption functions, so $B$ cannot learn any information from $\epsilon_i$ and $E_{k_i}(b_i, \sigma_i, r_{j_i})$.

From the above, given any $(s, m, \sigma, D) \in \{(s_0, m_0, \sigma_0, D_0), (s_1, m_1, \sigma_1, D_1)\}$ and $(\alpha_i, \beta_i, t_i)$, where $i \in \{0, 1\}$, there always exists a corresponding pair $(a'_i, b'_i)$ such that (1), (2), (3), and (4) are satisfied. Thus, going back to Step 6 of the game, the bank $B$ succeeds in determining $b$ with probability $(1/2) + \varepsilon$, where $\varepsilon$ is negligible since $E_{pk_j}$ and $E_{k_i}$ are semantically secure. Therefore, we have $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(B) = 2\varepsilon$, which is negligible, so that DAOECS satisfies the unlinkability property.

4.2. E-Cash Unforgeability. In this section, we will formally prove that the proposed date attachable offline electronic cash scheme (DAOECS) is secure against forgery attacks. Forgery attacks can be roughly divided into two types: one is the typical one-more forgery type (i.e., $(\ell, \ell+1)$-forgery) [37], and the other is the forgery on some specific expiration date of an e-cash after sufficient communications with the signing oracle (i.e., the bank). The details of the definitions and our formal proofs are described as follows.

Definition 4 (Forgery Game 1 in DAOECS (FG-1)). Let $l_k \in \mathbb{N}$ be a security parameter and $A$ be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS and is responsible for issuing e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $A$. $A$ is allowed to query $O_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_A(l_k)$ shown in Algorithm 1. $A$ wins the forgery game FG-1 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}1}}_A(l_k) = 1]$ of $A$ is nonnegligible.

Definition 5 (Forgery Game 2 in DAOECS (FG-2)). Let $l_k \in \mathbb{N}$ be a security parameter and $A$ be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS and takes charge of the following two events:

(i) issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $A$;
(ii) record the total number $\ell_{D_i}$ of e-cash(s) issued for each distinct expiration date $D_i$.

$A$ is allowed to query $O_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_A(l_k)$ shown in Algorithm 2. $A$ wins the forgery game


Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_A(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $\{(s_i, m_i, \sigma_i, D^*) \mid 1 \le i \le \ell_{D^*} + 1\} \leftarrow A^{O_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s_i^{e_b} H_1^2(m_i)\, H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell_{D^*} + 1\}$;
    (ii) $m_1, \ldots, m_{\ell_{D^*}+1}$ are all distinct;
  else return 0.

Algorithm 2: Experiment FG-2.

Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_A(k)$
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
  $(y_1, \ldots, y_m) \leftarrow O_t(N, e, k)$
  $(\pi, (x_1, y_1), \ldots, (x_n, y_n)) \leftarrow A^{O_{\mathrm{inv}}, O_t}(N, e, k)$
  if the following checks are true, return 1:
    (i) $\pi: \{1, \ldots, n\} \rightarrow \{1, \ldots, m\}$ is injective;
    (ii) $x_i^e \equiv y_i \pmod N$, $\forall i \in \{1, \ldots, n\}$;
    (iii) $n > q_h$;
  else return 0.

Algorithm 3: Experiment RSA-ACTI.

FG-2 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}2}}_A(k) = 1]$ of $A$ is nonnegligible.

Here we introduce the hard problems used in our proof models.

Definition 6 (Alternative Formulation of RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let $k \in \mathbb{N}$ be a security parameter and $A$ be an adversary who is allowed to access the RSA-inversion oracle $O_{\mathrm{inv}}$ and the target oracle $O_t$. $A$ is allowed to query $O_t$ and $O_{\mathrm{inv}}$ for $m$ and $q_h$ times, respectively. Consider Algorithm 3. We say $A$ breaks the RSA-ACTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_A(k) = 1]$ of $A$ is nonnegligible.

Definition 7 (The RSA Inversion Problem). Given $(e, n)$, where $n$ is the product of two distinct large primes $p$ and $q$ of roughly the same length and $e$ is a positive integer relatively prime to $(p-1)(q-1)$, and a randomly chosen positive integer $y$ less than $n$, find an integer $x$ such that $x^e \equiv y \pmod n$.

Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then DAOECS is secure against forgery attacks.

Theorem 9. For a polynomial-time adversary $A$ who can win FG-1 or FG-2 with nonnegligible probability, there exists another adversary $S$ who can break the RSA-ACTI problem or the RSA inversion problem with nonnegligible probability.

Proof. $S$ simulates the environment and controls three hash oracles $O_{H_1}$, $O_{H_2}$, $O_{H_3}$ and an e-cash producing oracle $O_S$ of the DAOECS scheme to respond to the different queries from $A$ in the random oracle model, and takes advantage of $A$ to solve the RSA-ACTI problem or the RSA inversion problem at the same time. For consistency, $S$ maintains three lists $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$ to record every response of $O_{H_1}$, $O_{H_2}$, and $O_{H_3}$, respectively.

Here we will carry out the simulation for the two games (i.e., FG-1 and FG-2) to prove that DAOECS is secure against forgery attacks. The details of the simulation are set out below and illustrated in Figures 6 and 7, respectively.

Simulation in FG-1. In this proof model, $S$ is allowed to query the oracles $O_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $O_t$ of the RSA-ACTI problem defined in Definition 6 to help $S$ produce e-cash(s), and the corresponding verifying key is $(e, n)$.

(i) $H_1$ Query of $O_{H_1}$. Initially, every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $A$ sends $m$ for querying the hash value $H_1(m)$, $S$ will check the list $L_{H_1}$:
  (a) if $m = m_i$ for some $i$, then $S$ retrieves the corresponding $H_1(m_i)$ and returns it to $A$;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $S$ retrieves the corresponding $H_1^2(m_i)$ and returns it to $A$;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $S$ queries $O_t$ to get an instance $y$ and returns it to $A$, then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), y)$ in $L_{H_1}$;
  (d) otherwise, $S$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $L_{H_1}$, and returns $\rho$ to $A$.

(ii) $H_2$ Query of $O_{H_2}$. When $A$ asks for an $H_2$ query by sending $D$ to $S$, $S$ will look up the list $L_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $S$ will send $(\tau^e \bmod n)$ back to $A$;
  (b) otherwise, $S$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$, and return $(\tau^e \bmod n)$ back to $A$.

(iii) $H_3$ Query of $O_{H_3}$. While $A$ sends $(\sigma, D)$ to $S$ for $H_3(\sigma, D)$, $S$ will look up the list $L_{H_3}$:


[Figure 6: The proof model of FG-1. Shown: the adversary $\mathcal{A}$; the simulator $\mathcal{S}$ with its oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$, $\mathcal{O}_S$, answering $m_i$ with $\rho_i$ and $y_i$, $D_i$ with $\tau_i^e \bmod n$, $(\sigma_i, D_i)$ with $\eta_i^e \bmod n$, and $(\alpha_i, \epsilon_i, D_i)$ with $(t_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$ after sending $\alpha_i \beta_i \tau_i^e$ to $\mathcal{O}_{\mathrm{inv}}$; the RSA-ACTI oracles $\mathcal{O}_{\mathrm{inv}}$ and $\mathcal{O}_t$; $\mathcal{A}$'s output $(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1})$ with $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod n$, $\forall i \in \{1, \ldots, \ell+1\}$; and $\mathcal{S}$'s output $(s_1^{-1}\eta_1^{-1}(\tau_1), y_1), (s_2^{-1}\eta_2^{-1}(\tau_2), y_2), \ldots, (s_{\ell+1}^{-1}\eta_{\ell+1}^{-1}(\tau_{\ell+1}), y_{\ell+1})$, obtained from $(y_i)^d \equiv (H_1^2(m_i))^d \equiv s_i^{-1}(H_3(\sigma_i, D_i)^{-1} H_2(D_i))^d \equiv s_i^{-1}\eta_i^{-1}(\tau_i) \pmod n$.]

[Figure 7: The proof model of FG-2. Shown: the adversary $\mathcal{A}$; the simulator $\mathcal{S}$ with its oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$, $\mathcal{O}_S$, answering $m_i$ with $\rho_i$ and $\varsigma_i^e \bmod n$, $D_i$ with $\tau_i^e \bmod n$, $(\sigma_i, D_i)$ with $H_3(\sigma_i, D_i)$, and $(\alpha_i, \epsilon_i, D_i)$ with $(t_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$; $\mathcal{A}$'s output $(s_i, m_i, \sigma_i, D')$, $\forall i \in \{1, \ldots, \ell_{D'}+1\}$, with $s_i^e H_1^2(m_i) H_3(\sigma_i, D') \equiv H_2(D') \pmod n$; and $\mathcal{S}$'s output $x \equiv y^d \equiv (s_i \varsigma_i \eta_i)^{-1} \tau_i \pmod n$, obtained from $(s_i)^e \equiv (H_1^2(m_i) H_3(\sigma_i, D'))^{-1} H_2(D') \equiv ((\varsigma_i^e)(\eta_i^e y))^{-1}(\tau_i^e) \pmod n$.]

  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ will be retrieved and $(\eta^e \bmod n)$ will be returned to $A$;
  (b) otherwise, $S$ will select a random $\eta \in \mathbb{Z}_n$, record $((\sigma, D), \eta)$ in $L_{H_3}$, and return $(\eta^e \bmod n)$ back to $A$.

(iv) E-Cash Producing Query of $O_S$. When $A$ sends $(\alpha, \epsilon, D)$ to $S$, $S$ will do the following steps:
  (1) decrypt $\epsilon$, obtain $(k, \mathrm{ID})$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e \bmod n)$, and store $((\sigma, D), \eta)$ in $L_{H_3}$;
  (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \eta^e)^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$ as in the $O_{H_2}$ query described above;
  (6) send $(\alpha\beta\tau^e)$ to the oracle $O_{\mathrm{inv}}$ to get $t = (\alpha\beta\tau^e)^d \bmod n$;
  (7) return $(t, E_k(b, \sigma, r_j))$ back to $A$.


Eventually, assume that $A$ can successfully output $\ell+1$ e-cash tuples

$(s_1, m_1, \sigma_1, D_1), \cdots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1})$,   (17)

where the $m_i$ are all distinct, $\forall i$, $1 \le i \le \ell+1$, such that $s_i^e H_1^2(m_i)\, H_3(\sigma_i, D_i) = H_2(D_i) \pmod n$, after $\ell$ queries to $O_S$, with nonnegligible probability $\epsilon_A$. According to $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, $S$ can compute and retrieve the RSA-inversion instances ($\forall i$, $1 \le i \le \ell+1$)

$(y_i)^d \equiv (H_1^2(m_i))^d \equiv s_i^{-1}\left(H_3(\sigma_i, D_i)^{-1} H_2(D_i)\right)^d \equiv s_i^{-1}\eta_i^{-1}(\tau_i) \pmod n$.   (18)

Via $A$ querying the signing oracle $O_S$ for $\ell$ times (i.e., $S$ querying $O_{\mathrm{inv}}$ for $\ell$ times), $S$ can output $\ell+1$ RSA-inversion instances

$(s_1^{-1}\eta_1^{-1}(\tau_1), y_1),\ (s_2^{-1}\eta_2^{-1}(\tau_2), y_2),\ \ldots,\ (s_{\ell+1}^{-1}\eta_{\ell+1}^{-1}(\tau_{\ell+1}), y_{\ell+1})$   (19)

and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_A$.
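To make the FG-1 simulation concrete, here is an added Python model of $S$ that is not part of the paper or its authors' code. It assumes a toy RSA key ($n = 3233$, $e = 17$, $d = 2753$, constructed for illustration only) in which $d$ stands in for the $O_{\mathrm{inv}}$ oracle, models the target oracle $O_t$ as a fresh random element of $\mathbb{Z}_n^*$, programs the three lists $L_{H_1}$, $L_{H_2}$, $L_{H_3}$ and the e-cash oracle $O_S$ exactly as in (i) to (iv) above, and replaces the encryptions $E_{pk_j}$ and $E_k$ by plain tuples (an assumption made only to keep the model small). A withdrawal run using the blinding relation of (15), i.e. $\alpha = a'^{-e} H_1^2(m)^{-1}$, produces an e-cash that passes $s^e H_1^2(m)\, H_3(\sigma, D) \equiv H_2(D) \pmod n$, and the extraction of (18) then recovers $y^d$ for the target $y = H_1^2(m)$ that $S$ embedded.

```python
import secrets
from math import gcd

# Toy RSA parameters, constructed for illustration only: 3233 = 61 * 53 and
# 17 * 2753 = 1 (mod 3120). S knows d solely because it stands in for the O_inv oracle.
N, E, D_EXP = 3233, 17, 2753


def rand_unit() -> int:
    """A random element of Z_n^* (rejection sampling)."""
    while True:
        v = secrets.randbelow(N - 2) + 2
        if gcd(v, N) == 1:
            return v


class SimulatorFG1:
    """S of the FG-1 simulation: the three random-oracle lists plus the e-cash oracle O_S."""

    def __init__(self):
        self.L_H1 = {}      # m -> [H1(m), H1^2(m) or None], i.e. the (m, H1(m), ⊥) records
        self.L_H2 = {}      # D -> tau, with H2(D) = tau^e mod n
        self.L_H3 = {}      # (sigma, D) -> eta, with H3(sigma, D) = eta^e mod n
        self.targets = []   # instances handed out by the target oracle O_t

    def O_t(self) -> int:
        y = rand_unit()
        self.targets.append(y)
        return y

    def O_inv(self, v: int) -> int:     # the RSA-inversion oracle (.)^d
        return pow(v, D_EXP, N)

    def H1(self, q):
        if q in self.L_H1:                          # (a) q is a recorded m_i
            return self.L_H1[q][0]
        for rec in self.L_H1.values():              # (b)/(c) q equals some H1(m_i)
            if q == rec[0]:
                if rec[1] is None:                  # (c) fill H1^2(m_i) with a fresh target
                    rec[1] = self.O_t()
                return rec[1]                       # (b) return the recorded H1^2(m_i)
        rho = rand_unit()                           # (d) fresh m: record (m, rho, ⊥)
        self.L_H1[q] = [rho, None]
        return rho

    def H2(self, d):
        tau = self.L_H2.setdefault(d, rand_unit())
        return pow(tau, E, N)

    def H3(self, sigma, d):
        eta = self.L_H3.setdefault((sigma, d), rand_unit())
        return pow(eta, E, N)

    def O_S(self, alpha, eps, d):
        k, ident = eps                              # (1) eps stands in for the encrypted (k, ID)
        r_j = secrets.randbits(32)                  # (2)
        sigma = ("E_pkj", ident, r_j)               #     stand-in for E_{pk_j}(ID, r_j)
        eta = rand_unit()                           # (3) program H3(sigma, D) = eta^e
        self.L_H3[(sigma, d)] = eta
        b = rand_unit()                             # (4) beta = (b^e eta^e)^(-1)
        beta = pow(pow(b, E, N) * pow(eta, E, N), -1, N)
        tau = self.L_H2.setdefault(d, rand_unit())  # (5) H2(D) = tau^e
        t = self.O_inv(alpha * beta * pow(tau, E, N) % N)   # (6) one O_inv query
        return t, (b, sigma, r_j)                   # (7) stand-in for E_k(b, sigma, r_j)

    def verify(self, s, m, sigma, d) -> bool:
        """The e-cash verification s^e H1^2(m) H3(sigma, D) = H2(D) (mod n)."""
        h1_sq = self.H1(self.H1(m))
        return (pow(s, E, N) * h1_sq * self.H3(sigma, d)) % N == self.H2(d)


def withdraw(S: SimulatorFG1, m: str, d: str):
    """An honest withdrawal against S using the blinding of (15): alpha = a'^(-e) H1^2(m)^(-1)."""
    a_prime = rand_unit()
    y = S.H1(S.H1(m))                       # H1^2(m): the target S embedded for this m
    alpha = pow(a_prime, -E, N) * pow(y, -1, N) % N
    t, (b, sigma, _) = S.O_S(alpha, ("k", "ID_c"), d)
    s = a_prime * b * t % N                 # s = a' b' t with b' = b, as in (16)
    return s, m, sigma, d


def extract(S: SimulatorFG1, s, m, sigma, d) -> int:
    """Equation (18): y^d = s^(-1) eta^(-1) tau (mod n), read off S's lists, for y = H1^2(m)."""
    eta, tau = S.L_H3[(sigma, d)], S.L_H2[d]
    return pow(s, -1, N) * pow(eta, -1, N) * tau % N


if __name__ == "__main__":
    S = SimulatorFG1()
    coin = withdraw(S, "m_1 = (w1, y1, w2, y2, r3, D)", "2014-12-31")
    print("valid:", S.verify(*coin), " y^d recovered:", pow(extract(S, *coin), E, N) == S.H1(S.H1(coin[1])))
```

The point of the exercise is visible in `extract`: $S$ never computes $y^d$ directly. Every value it needs ($s$ from the forger, $\eta$ and $\tau$ from its own lists) is available without $d$, which is exactly why one e-cash beyond the $\ell$ issued (each costing one $O_{\mathrm{inv}}$ query) yields one RSA inversion more than $S$ was allowed.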

Simulation in FG-2. Initially, $S$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.

(i) $H_1$ Query of $O_{H_1}$. Initially, every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $A$ sends $m$ for querying the hash value $H_1(m)$, $S$ will check the list $L_{H_1}$:
  (a) if $m = m_i$ for some $i$, then $S$ retrieves the corresponding $\rho_i$ and returns it to $A$;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $S$ retrieves the corresponding $\varsigma$ and returns $(\varsigma^e \bmod n)$ to $A$;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $S$ selects a random $\varsigma \in \mathbb{Z}_n$, returns $(\varsigma^e \bmod n)$ to $A$, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $L_{H_1}$;
  (d) otherwise, $S$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $L_{H_1}$, and returns $\rho$ to $A$.

(ii) $H_2$ Query of $O_{H_2}$. When $A$ asks for an $H_2$ query by sending $D$ to $S$, $S$ will look up the list $L_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $S$ will send $(\tau^e \bmod n)$ back to $A$;
  (b) otherwise, $S$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$, and return $(\tau^e \bmod n)$ back to $A$.

(iii) $H_3$ Query of $O_{H_3}$. While $A$ sends $(\sigma, D)$ to $S$ for $H_3(\sigma, D)$, $S$ will look up the list $L_{H_3}$:
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ will be retrieved and returned to $A$;
  (b) otherwise, $S$ will select a random $\eta \in \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e y \bmod n)$, record $((\sigma, D), \eta, H_3(\sigma, D))$ in $L_{H_3}$, and return $H_3(\sigma, D)$ back to $A$.

(iv) E-Cash Producing Query of $O_S$. Let $\ell_{D_i}$ be a counter recording the number of queries on each expiration date $D_i$, initialized to 0. When $A$ sends $(\alpha, \epsilon, D)$ to $S$, $S$ will do the following steps:
  (1) decrypt $\epsilon$, obtain $(k, \mathrm{ID})$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^e \bmod n)$, and store $((\sigma, D), \perp, (\alpha\eta^e \bmod n))$ and $(\sigma, D)$ in $L_{H_3}$ and $L_x$, respectively;
  (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha\eta^e)^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$ as in the $O_{H_2}$ query described above;
  (6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv ((b\eta)^{-1}\tau) \pmod n$;
  (7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ back to $A$.

Eventually, assume that $A$ can successfully output $\ell_{D'}+1$ e-cash tuples for some expiration date $D'$,

$(s_1, m_1, \sigma_1, D'), \cdots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D')$,   (20)

such that $s_i^e H_1^2(m_i)\, H_3(\sigma_i, D') = H_2(D') \pmod n$, $\forall i$, $1 \le i \le \ell_{D'}+1$, after $\ell_{D'}$ queries to $O_S$ on $D'$, with nonnegligible probability $\epsilon_A$.

Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'}+1$, is not recorded in $L_x$; then, by $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, $S$ can compute and retrieve

$(s_i)^e \equiv \left(H_1^2(m_i)\, H_3(\sigma_i, D')\right)^{-1} H_2(D') \equiv \left((\varsigma_i^e)(\eta_i^e y)\right)^{-1}(\tau_i^e) \pmod n$,
$x \equiv y^d \equiv (s_i \varsigma_i \eta_i)^{-1}\tau_i \pmod n$,   (21)

and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_A$.

4.3. E-Cash Conditional-Traceability. In this section, we will prove that the ID information embedded in e-cash(s) cannot be replaced or removed by any user in order to avoid being traced after some misbehavior or crime. The details of our proof model are illustrated in Figure 8.

Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $A$ be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS


[Figure 8: The proof model of TG. Shown: the adversary $\mathcal{A}$; the simulator $\mathcal{S}$ with its oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$, $\mathcal{O}_S$, answering $m_i$ with $\rho_i$ and $\varsigma_i^e \bmod n$, $D_i$ with $\tau_i^e \bmod n$, $(\sigma_i, D_i)$ with a target $y_i$, and $(\alpha_i, \epsilon_i, D_i)$ with $(t_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$ after choosing $\eta_i \in \mathbb{Z}_n$, setting $H_3(\sigma_i, D_i) = \alpha_i \eta_i^e \bmod n$ and storing it in $\mathcal{L}_{H_3}$ and $\mathcal{L}_T$; the RSA-AKTI oracles $\mathcal{O}_t$ ($q_t$ queries) and $\mathcal{O}_{\mathrm{inv}}$ ($q_h$ queries, $x_i = y_i^d \bmod n$); $\mathcal{A}$'s output $(s', m', \sigma', D')$ with $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$ and $s'^e H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$; and $\mathcal{S}$'s output $(x_1, y_1), (x_2, y_2), \ldots, (x_{q_t-1}, y_{q_t-1}), ((s'^{-1}\varsigma'^{-1}\tau'), y')$, obtained from $(y')^d \equiv (H_3(\sigma', D'))^d \equiv s'^{-1}(H_1^2(m')^{-1} H_2(D'))^d \equiv s'^{-1}\varsigma'^{-1}\tau' \pmod n$.]

Experiment $\mathrm{Exp}^{\mathrm{TG}}_A(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s', m', \sigma', D') \leftarrow A^{O_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
  $\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow O_S$
  if the following two checks are true, return 1:
    (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$;
    (ii) $s'^e H_1^2(m')\, H_3(\sigma', D') = H_2(D') \bmod n$;
  else return 0.

Algorithm 4: Experiment TG.

to record parameters from the queries of $A$ and issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $A$ is allowed to query $O_S$ for $\ell$ times; consider Algorithm 4. $A$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{TG}}_A(k) = 1]$ of $A$ is nonnegligible.

Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies the e-cash traceability.

Definition 12 (Alternative Formulation of RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $A$ be an adversary who is allowed to access the RSA-inversion oracle $O_{\mathrm{inv}}$ and the target oracle $O_t$. $A$ is allowed to query $O_t$ and $O_{\mathrm{inv}}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5. We say $A$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_A(k) = 1]$ of $A$ is nonnegligible.

Theorem 13. For a polynomial-time adversary $A$ who can win the tracing game TG with nonnegligible probability, there exists

Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_A(k)$
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
  $(y_1, \ldots, y_{q_t}) \leftarrow O_t(N, e, k)$
  $(x_1, y_1), \ldots, (x_{q_t}, y_{q_t}) \leftarrow A^{O_{\mathrm{inv}}, O_t}(N, e, k)$
  if $x_i^e \equiv y_i \pmod N$, $\forall i \in \{1, \ldots, q_t\}$, return 1;
  else return 0.

Algorithm 5: Experiment RSA-AKTI.

another adversary $S$ who can break the RSA-AKTI problem with nonnegligible probability.

Proof. $S$ simulates the environment of DAOECS by controlling three hash oracles $O_{H_1}$, $O_{H_2}$, $O_{H_3}$ to respond to hash queries and an e-cash producing oracle $O_S$ of DAOECS to respond to e-cash producing queries from $A$, respectively, in the random oracle model. Eventually, $S$ will take advantage of $A$'s capability to solve the RSA-AKTI problem. For consistency, $S$ maintains three lists $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$ to record every response of $O_{H_1}$, $O_{H_2}$, and $O_{H_3}$, respectively.


Besides, in the proof model, $S$ is allowed to query the oracles $O_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $O_t$ of the RSA-AKTI problem defined in Definition 12 to help $S$ produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.

Here we will carry out the simulation for the game TG to prove that DAOECS satisfies the e-cash traceability. The details are described as follows.

(i) $H_1$ Query of $O_{H_1}$. Initially, every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $A$ sends $m$ for querying the hash value $H_1(m)$, $S$ will check the list $L_{H_1}$:
  (a) if $m = m_i$ for some $i$, then $S$ retrieves the corresponding $H_1(m_i)$ and returns it to $A$;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $S$ retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^e \bmod n)$ to $A$;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $S$ chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^e \bmod n)$, returns $H_1^2(m_i)$ to $A$, and then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $L_{H_1}$;
  (d) otherwise, $S$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, H_1(m), \perp)$ in $L_{H_1}$, and returns $\rho$ to $A$.

(ii) $H_2$ Query of $O_{H_2}$. When $A$ asks for an $H_2$ query by sending $D$ to $S$, $S$ will look up the list $L_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $S$ will send $(\tau^e \bmod n)$ back to $A$;
  (b) otherwise, $S$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$, and return $(\tau^e \bmod n)$ back to $A$.

(iii) $H_3$ Query of $O_{H_3}$. While $A$ sends $(\sigma, D)$ to $S$ for $H_3(\sigma, D)$, $S$ will look up the list $L_{H_3}$:
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to $A$;
  (b) otherwise, $S$ will query $O_t$ to get an instance $y$ and record $y$ and $((\sigma, D), y)$ in $L_T$ and $L_{H_3}$, respectively;
  (c) return $y$ back to $A$.

(iv) E-Cash Producing Query of $O_S$. While $A$ sends $(\alpha, \epsilon, D)$ to $S$, $S$ will do the following steps:
  (1) decrypt $\epsilon$, obtain $(k, \mathrm{ID})$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^e \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $L_{H_3}$;
  (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha\eta^e)^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$ as in the $O_{H_2}$ query described above;
  (6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv ((b\eta)^{-1}\tau) \pmod n$;
  (7) return $(t, E_k(b, \sigma, r_j))$ back to $A$.

Assume that $A$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of any $O_S$ query, such that $s'^e H_1^2(m')\, H_3(\sigma', D') \equiv H_2(D') \pmod n$; then, by $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, $S$ can derive

$(y')^d \equiv (H_3(\sigma', D'))^d \equiv s'^{-1}\left(H_1^2(m')^{-1} H_2(D')\right)^d \equiv s'^{-1}\varsigma'^{-1}\tau' \pmod n$.   (22)

Let $|L_T| = q_t$ and $L_T = \{y_1, \ldots, y_{q_t}\}$. $S$ sends $y_i \in (L_T - \{y'\})$, $1 \le i \le (q_t - 1)$, to $O_{\mathrm{inv}}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$. Eventually, $S$ can output $q_t$ RSA-inversion instances

$(x_1, y_1), (x_2, y_2), \ldots, (x_{q_t-1}, y_{q_t-1}), ((s'^{-1}\varsigma'^{-1}\tau'), y')$   (23)

after querying $O_{\mathrm{inv}}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_A$.

4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has been spent in a previous transaction, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model, the merchant may accept a transaction involving a double-spent e-cash first and do the double-spending check later. In this case, the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two events:

(i) No one except the real owner can spend a fresh and valid offline e-cash successfully.
(ii) No one can double spend an e-cash successfully.

Roughly, this can be referred to as the e-cash no-swindling property. In this section, we will define the no-swindling property and formally prove that our scheme is secure against swindling attacks.

Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $A$ be an adversary in DAOECS. $O_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $A$. $O_{\mathrm{off}}$ is an oracle that shows the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively. $A$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_A(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_A(l_k) = 1]$ of $A$ is nonnegligible.


Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_A(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow A^{O_B, O_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b} H_1^2\!\left(y_1^{H_4(r_u, r_s)} g_1^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\right) H_3(\sigma, D) = H_2(D) \bmod n_b$;
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ has never been a query to $O_{\mathrm{off}}$;
  else return 0.

Algorithm 6: Experiment SWG-1.

Algorithm 7: Experiment SWG-2.

Experiment $\mathbf{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s^{e_b} \, H_1^2\big(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\big) \, H_3(\sigma, D) = H_2(D) \bmod n_b$
        (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{\mathrm{off}}$ only once
        (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ was not obtained from $\mathcal{O}_{\mathrm{off}}$
    else return 0

Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$ that answers hash queries on $H_4$ of DAOECS in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. For consistency, $\mathcal{S}$ maintains a list $L_{H_4}$ to record every response of $\mathcal{O}_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we describe the simulations for the two experiments $\mathbf{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ and $\mathbf{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ individually.

The simulation for $\mathbf{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially, $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ does the following:

(a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

(b) if $i = \nu$: compute $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;

(c) if $i \neq \nu$: compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;

(d) prepare $s = \big((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

(e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{\mathrm{off}}$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it looks up the list $L_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;

(b) otherwise $\mathcal{O}_{\mathrm{off}}$ retrieves the corresponding $(r_1, x_1)$, chooses a random $r_u$, computes $u = H_4(r_u, r_s)$ and $s' = r_1 - u x_1 \bmod q$, and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $L_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*}$, $\mathcal{S}$ can derive

$$x^* = (r_1^*)^{-1}\big(x_1^* H_4(r_u^*, r_s^*) + s'^*\big) \bmod q \qquad (24)$$


[Figure 9: The proof model of SWG-1. The figure shows the adversary $\mathcal{A}$, the simulator $\mathcal{S}$ and its oracles $\mathcal{O}_B$ and $\mathcal{O}_{\mathrm{off}}$; for the target query $i = \nu$, $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$; the messages $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$, $(\ldots, r_s)$ and $(\ldots, r_s, r_u, s')$ exchanged; the swindled tuple $(s^*, \ldots, s'^*)$ satisfying check (i) and $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$; and the derivation of $x^*$ in (24).]

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

The simulation for $\mathbf{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially, $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ does the following:

(a) if $i = \nu$:
(1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$;
(3) prepare $s = \big((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $L_B$;

(b) if $i \neq \nu$:
(1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
(3) prepare $s = \big((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$;

(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{\mathrm{off}}$. A status parameter $sta$ is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it looks up the list $L_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and $sta = 0$, $\mathcal{O}_{\mathrm{off}}$ performs the following procedures:
(1) set $sta = 1$;
(2) retrieve the corresponding $(u, s')$ from $L_B$ and choose a random $r_u$;
(3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $L_H$;
(4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $L_{\mathrm{off}}$;
(5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;

(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{\mathrm{off}}$ retrieves the corresponding $(r_1, x_1)$, chooses random $r_u$ and $u$, sets $H_4(r_u, r_s) = u$, records $((r_u, r_s), u)$ in $L_H$, computes $s' = r_1 - u x_1 \bmod q$, and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;

(c) otherwise, abort.

(iii) Oracle $\mathcal{O}_{H_4}$. When $\mathcal{A}$ sends $(r_u, r_s)$ to query $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ checks the list $L_H$:

(a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ retrieves the corresponding $u$ and returns it to $\mathcal{A}$;


[Figure 10: The proof model of SWG-2. The figure shows the adversary $\mathcal{A}$, the simulator $\mathcal{S}$ and its oracles $\mathcal{O}_B$, $\mathcal{O}_{\mathrm{off}}$ and $\mathcal{O}_{H_4}$; for the target query $i = \nu$, $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$; on the single permitted $\mathcal{O}_{\mathrm{off}}$ query ($sta = 0 \to 1$) the value $H_4(r_u, r_s) = u$ is stored in $L_H$ and the expansion recorded in $L_{\mathrm{off}}$; the swindled tuple $(s^*, \ldots, s'^*)$ satisfying check (i) and $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$; and the derivation of $x^*$ in (26).]

(b) otherwise $\mathcal{O}_{H_4}$ chooses a random $u$, records $((r_u, r_s), u)$ in $L_H$, and returns $u$ to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $L_B$, and $H_4(r_u^*, r_s^*) = u^*$ is looked up via $L_H$. Then, since

$$\big((y^*)^{x_1^*}\big)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \big((y^*)^{x_1^*}\big)^{u} g^{s'} \pmod p, \qquad (25)$$

$\mathcal{S}$ can derive

$$x^* = \big(x_1^*(u^* - u)\big)^{-1}(s' - s'^*) \bmod q \qquad (26)$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. This implies that there exists no ppt adversary who can win the swindling game, and so our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
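The two extractions (24) and (26) carried out numerically, as an added example that is not part of the paper. It assumes a constructed toy group ($q = 1019$, $p = 2q + 1$, $g = 4$), a SHA-256 stand-in for the random oracle $H_4$ backed by the programmable list $L_H$, and a constructed swindler that is simply handed $x^*$ so that it can produce the openings the experiments assume; the simulator itself never touches $x^*$. All function names are this example's own.

```python
import hashlib
import secrets

# Constructed toy group (assumption: tiny parameters so the arithmetic is easy to
# follow; the paper's p and q are 512-bit).  p = 2q + 1 is a safe prime and g = 4
# generates the order-q subgroup of Z_p^*, so all exponents live in Z_q.
Q = 1019
P = 2 * Q + 1        # 2039
G = 4

# L_H: the simulator's record of H_4 answers, as kept by oracle O_{H_4}.
L_H = {}


def h4(r_u, r_s):
    """Random-oracle stand-in for H_4(r_u, r_s) in Z_q: a programmed value if one
    is recorded in L_H, otherwise a fresh value from SHA-256 (an assumption)."""
    if (r_u, r_s) not in L_H:
        digest = hashlib.sha256(f"{r_u}|{r_s}".encode()).digest()
        L_H[(r_u, r_s)] = int.from_bytes(digest, "big") % Q
    return L_H[(r_u, r_s)]


def rand_zq():
    """Uniform element of {1, ..., q-1} (so inverses mod q always exist)."""
    return secrets.randbelow(Q - 1) + 1


def valid_expansion(w1, y1, r_u, r_s, s_prime):
    """The relation both experiments check on the expanded e-cash:
    w_1 = y_1^{H_4(r_u, r_s)} g^{s'} mod p."""
    return w1 == pow(y1, h4(r_u, r_s), P) * pow(G, s_prime, P) % P


def extract_swg1(r1, x1, r_u, r_s, s_prime):
    """Eq. (24): from w*_1 = (y*)^{r*_1} and w*_1 = y*_1^{H_4(r*_u, r*_s)} g^{s'*},
    x* = (r*_1)^{-1} (x*_1 H_4(r*_u, r*_s) + s'*) mod q."""
    return pow(r1, -1, Q) * (x1 * h4(r_u, r_s) + s_prime) % Q


def extract_swg2(x1, u, s_prime, u_star, s_prime_star):
    """Eq. (26): two openings of one w*_1 under H_4 values u and u* give
    x* = (x*_1 (u* - u))^{-1} (s' - s'*) mod q; the reduction needs u* != u."""
    d = x1 * (u_star - u) % Q
    if d == 0:
        raise ValueError("second opening must use a different H_4 value")
    return pow(d, -1, Q) * (s_prime - s_prime_star) % Q


def run_swg1(x_star):
    """Simulator S for SWG-1 on the instance y* = g^{x*}; returns the recovered x*."""
    y_star = pow(G, x_star, P)
    # O_B, target query i = nu: w_1 = (y*)^{r_1}, y_1 = g^{x_1}; S records (r_1, x_1).
    r1, x1 = rand_zq(), rand_zq()
    w1, y1 = pow(y_star, r1, P), pow(G, x1, P)
    # Constructed swindler (assumption): it is handed x* so that it can open the
    # target coin without any O_off query, which is what SWG-1 rule (ii) demands.
    r_u, r_s = rand_zq(), rand_zq()
    s_prime = (x_star * r1 - h4(r_u, r_s) * x1) % Q
    assert valid_expansion(w1, y1, r_u, r_s, s_prime)
    # S never used x*; it recovers it from the forged opening alone.
    return extract_swg1(r1, x1, r_u, r_s, s_prime)


def run_swg2(x_star):
    """Simulator S for SWG-2 on the instance y* = g^{x*}; returns the recovered x*."""
    y_star = pow(G, x_star, P)
    # O_B, target query i = nu: y_1 = (y*)^{x_1}, w_1 = y_1^u g^{s'}; S records (u, s').
    u, s_prime, x1 = rand_zq(), rand_zq(), rand_zq()
    y1 = pow(y_star, x1, P)
    w1 = pow(y1, u, P) * pow(G, s_prime, P) % P
    # The one permitted O_off query (sta = 0 -> 1): S programs H_4(r_u, r_s) = u.
    # r_u is fresh, so with overwhelming probability the pair was never queried.
    r_u, r_s = rand_zq(), rand_zq()
    L_H[(r_u, r_s)] = u
    assert valid_expansion(w1, y1, r_u, r_s, s_prime)
    # Constructed swindler (assumption): knowing log_g y_1 = x* x_1 it produces a
    # second expansion of the same coin under a fresh H_4 output u* != u.
    while True:
        r_u_star, r_s_star = rand_zq(), rand_zq()
        u_star = h4(r_u_star, r_s_star)
        if u_star != u:
            break
    s_prime_star = (x_star * x1 * (u - u_star) + s_prime) % Q
    assert valid_expansion(w1, y1, r_u_star, r_s_star, s_prime_star)
    return extract_swg2(x1, u, s_prime, u_star, s_prime_star)
```

Both runs return the planted $x^*$ exactly, which is the whole content of the reduction: a forged expansion of the target coin is a discrete logarithm in disguise.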

5. E-Cash Advanced Features and Performance Comparisons

In this section we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and summarize them in Table 1.

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these, there are other advanced features of an e-cash system discussed in the literature. We focus on three further advanced features, which are traceability, date attachability, and no-swindling, and compare the proposed scheme with the aforementioned schemes on them.

We also propose an e-cash renewal protocol for users to exchange their unused but expired e-cash(s) for a new valid e-cash; therefore users do not have to deposit the e-cash before it expires and withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. This is a great help to users, since their devices, such as smart phones, usually have weaker computation capability.


Table 1: Advanced features and performance comparisons.

| | Ours | [38] | [14] | [15] | [9] | [21] | [22] | [39] | [40] | [13] | [27] |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Advanced features | | | | | | | | | | | |
| On/off-line | Off | Off | Off | Off | On | Off | Off | Off | Off | On | Off |
| Conditional-traceability | Yes | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
| Date attachability | Yes | No | No | No | Yes | Yes | No | No | No | No | Yes |
| No-swindling | Yes | No | No | No | — | No | Yes | No | No | — | No |
| Renewal protocol | Yes | — | Yes | — | No | Yes | Yes | — | — | — | Yes |
| Formal proof | Yes | Yes | No | Yes | No | No | Yes | Yes | Yes | Yes | No |
| Performance | | | | | | | | | | | |
| Transaction cost⋆ | 5E + 7M + 7H + 1inv + 1A ≈ 1454M | 14E + 14M + 1H + 5A ≈ 3375M | 6E + 8M ≈ 1448M | 23E + 14M + 1A ≈ 5534M | 2E + 2M + 2H ≈ 966M | 5E + 9M + 1H + 1inv + 2A ≈ 1450M | 2E ≈ 480M | 18E + 15M + 2H + 8A ≈ 4337M | 31E + 22M + 6H + 10A ≈ 7468M | 22E + 11M + 4A ≈ 5291M | 6E + 8M + 1H ≈ 1449M |
| Communication cost | 1092 | 576 | 1288 | 939 | 769 | 644 | 300 | 828 | 968 | 1536 | 728 |

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
Communication cost: the communication cost of each transaction at the user side, in bytes.


5.2. Performance Comparisons. According to [41], we can summarize the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times the computation cost of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.

With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be estimated as 1452 times the cost of a modular multiplication, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times the cost of a modular multiplication to finish the withdrawal and payment phases at the user end.

According to [15], we assume the RSA parameters $n, p, q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and one-way hash function used in all protocols, respectively; therefore the signed message and the hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.

The details of the comparisons are summarized in Table 1.

6. Conclusion

In this paper we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol where users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient from the aspect of the computation cost at the user side while satisfying all security properties simultaneously. Besides anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank manage its huge databases against unlimited growth, but it also strengthens the preservation of users' privacy and rights.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grants NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.

References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.

[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.

[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.

[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.

[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.

[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.

[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.

[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.

[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.

[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.

[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.

[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.

[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.

[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.


[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.

[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.

[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.

[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology: CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.

[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.

[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.

[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.

[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.

[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.

[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.

[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.

[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology: CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.

[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.

[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.

[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.

[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.

[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs: White Paper, Mobile Platform Group, Intel Corporation, 2002.

[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.

[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.

[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.

[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.

[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.

[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.

[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.



(iii) Unforgeability: no one except the bank can generate a legal e-cash.

(iv) Double-Spending Control: banks should have the ability to check whether an e-cash is double-spent or not. No e-cash is allowed to be spent twice or more in an e-cash system.

(v) Conditional-Traceability: the system should be able to trace and revoke the anonymity of users who violate any of the security rules, so that they will receive penalties.

(vi) No-swindling: no one except the real owner can spend a valid offline e-cash successfully.

In order to perform double-spending checks, banks have to store information on e-cash(s) in their database. Thus the database of a bank grows in direct proportion to the number of e-cash(s) withdrawn. Embedding an expiration date into each e-cash has been considered, since it helps the banks manage the database more easily. On the other hand, customers have to exchange their expired e-cash(s) with banks for new ones so as to keep the e-cash valid. Furthermore, customers receive interest from banks after cash is deposited. In order to guarantee that customers receive the right amount of interest, it is necessary for customers to attach the deposit date to their e-cash(s), and the date must not be modifiable by anyone else [11]. So far there are a number of online e-cash schemes with an expiration date attachment [9, 11, 28]. However, there are very few offline approaches [21].

In this paper we propose an efficient date attachable offline e-cash scheme and provide formal proofs of its essential properties in the random oracle model. Considering practical needs, we pioneer the embedding of two kinds of date, the expiration date and the deposit date, into the offline e-cash. Moreover, we offer an e-cash renewal protocol in our scheme (Section 3.2.5). Users can exchange their unused expired e-cash for a new one with another valid expiration date more efficiently. Compared with other similar works, our scheme is efficient from the aspect of computation cost.

The rest of this paper is organized as follows. In Section 2 we briefly review techniques employed throughout our scheme. Our proposed scheme is described in Section 3 in detail. Security proofs and analysis are covered in Section 4. Features and performance comparisons are made in Section 5, and the conclusion is given in Section 6.

2. Preliminaries

In this section we briefly review the techniques used in our date attachable offline e-cash scheme.

2.1. Chaum's Blind Signature Scheme. The blind signature was first introduced by Chaum [29]. It has been widely used in e-cash protocols since it was proposed. The signer is not able to view the content of the message while he/she is signing it. Afterwards, the user obtains the message together with the signer's signature by unblinding the signed message. The protocol is described as follows.

(1) Initialization. The signer randomly chooses two distinct large primes $p$ and $q$, then computes $n = pq$ and $\phi(n) = (p - 1)(q - 1)$. Afterwards the signer selects two integers $e$ and $d$ at random such that $ed \equiv 1 \pmod{\phi(n)}$. Finally, the signer publishes the public parameters $(e, n)$ and a one-way hash function $H$.

(2) User $\rightarrow$ Signer: $\alpha$. The user chooses a message $m$ and a random integer $r \in \mathbb{Z}_n^*$, then blinds the message by computing $\alpha = r^{e} H(m) \bmod n$ and sends it to the signer.

(3) Signer $\rightarrow$ User: $t$. After receiving $\alpha$, the signer signs it with her/his private key $d$ and sends it back to the user. The signed message is $t = \alpha^{d} \bmod n$.

(4) Unblinding. After receiving $t$ from the signer, the user unblinds it by computing $s = r^{-1} t \bmod n$. The signature-message pair is $(s, m)$.

(5) Verification. The pair $(s, m)$ is verified by checking whether $s^{e} \equiv H(m) \pmod n$ holds.
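Chaum's protocol above run end to end, as an added example that is not from the paper: it assumes a constructed textbook RSA key ($n = 3233$, $e = 17$, $d = 2753$) and SHA-256 reduced into $\{1, \ldots, n-1\}$ as the one-way hash $H$; the function names are this example's own.

```python
import hashlib
import secrets
from math import gcd

# Constructed textbook RSA key (assumption): p = 61, q = 53, so n = 3233 and
# phi(n) = 3120; e = 17 and d = 2753 satisfy e d = 1 (mod phi(n)).
N, E, D = 3233, 17, 2753


def H(m):
    """One-way hash into {1, ..., n-1}: SHA-256 reduced modulo n-1, plus 1 (an
    assumption for this toy; the range excludes 0 so a signature is never 0)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (N - 1) + 1


def blind(m):
    """Step (2), user -> signer: pick r in Z_n^* and send alpha = r^e H(m) mod n."""
    r = secrets.randbelow(N - 1) + 1
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return pow(r, E, N) * H(m) % N, r


def sign_blinded(alpha):
    """Step (3), signer -> user: t = alpha^d mod n; the signer never sees m."""
    return pow(alpha, D, N)


def unblind(t, r):
    """Step (4): s = r^{-1} t mod n; r^{-1} exists because gcd(r, n) = 1."""
    return pow(r, -1, N) * t % N


def verify(s, m):
    """Step (5): accept (s, m) iff s^e = H(m) (mod n)."""
    return pow(s, E, N) == H(m)


def run_protocol(m):
    """Whole exchange; returns (s, alpha) so the signer's view alpha can be set
    beside the pair (s, m) it only sees later, e.g. at deposit time."""
    alpha, r = blind(m)
    t = sign_blinded(alpha)
    return unblind(t, r), alpha
```

Unblinding works because $s^{e} = r^{-e}\alpha^{ed} = r^{-e} r^{e} H(m) = H(m) \bmod n$, so $s$ equals the plain signature $H(m)^{d} \bmod n$ even though the signer only ever saw $\alpha$.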

2.2. Chameleon Hashing Based on Discrete Logarithm. Chameleon hashing was proposed by Krawczyk and Rabin [30]. The chameleon hash function is associated with a one-time public-private key pair; it is a collision resistant function except for users who own a trapdoor for finding collisions. Any user who knows the public key can compute the hash, and for those who do not know the private key (trapdoor) it is infeasible to find any two inputs which lead to the same hash output. On the contrary, any user who knows the trapdoor can find a collision for given inputs. The construction of chameleon hashing based on the discrete logarithm is described as follows.

(1) Setup:

(i) $p, q$: two large primes such that $p = kq + 1$;
(ii) $g$: an element of order $q$ in $\mathbb{Z}_p^*$;
(iii) $x$: the private key, in $\mathbb{Z}_q^*$;
(iv) $y$: the public key, where $y = g^{x} \bmod p$.

(2) The function: a message $m \in \mathbb{Z}_q^*$ is given and a random integer $r \in \mathbb{Z}_q^*$ is chosen. The hash is defined as $\mathrm{cham\text{-}hash}_y(m, r) = g^{m} y^{r} \bmod p$.

(3) Collision: a user who knows $x$ is able to find a collision of the hash for any given $m, m'$, such that $\mathrm{cham\text{-}hash}_y(m, r) = \mathrm{cham\text{-}hash}_y(m', r')$. The user derives $r'$ from the equation $m + xr = m' + xr' \pmod q$.

The Scientific World Journal 3

3. The Proposed Date Attachable Offline Electronic Cash Scheme

In this section we introduce a new date attachable offline e-cash scheme. Considering the issues mentioned in Section 1, we propose a secure offline e-cash scheme with two specific kinds of date attached to the e-cash: the expiration date and the deposit date.

3.1. Outline of the Proposed Scheme. Here we briefly describe the procedures of our scheme. The proposed scheme contains four protocols: the withdrawal protocol, the payment protocol, the deposit protocol, and the e-cash renewal protocol. A user withdraws an e-cash with an expiration date attached to it from the bank. A trusted computing platform (i.e., the judge device) [31, 32], as used in the proposed scheme, is installed at the bank; it holds the identity information of all users and helps trace a user when needed. Nobody except the judge can obtain any information embedded in the device [33]. Nowadays such a judge device can be implemented in practice with a Trusted Platform Module (TPM) [32, 34].

Before an e-cash is deposited, the depositor attaches the deposit date to the e-cash and sends it to the bank during the deposit stage. When the bank receives an e-cash, it performs double-spending checking to verify whether the e-cash has been spent more than once. The bank can derive the secret parameters of a user who double-spends and let the judge revoke the anonymity of that user. Besides, when an unused e-cash has expired, the user is able to exchange it for a new one with a new expiration date. For efficiency, some of the unused parameters of the user remain unchanged when exchanging for a new valid e-cash. In the following sections we describe our scheme in detail.

3.2. The Proposed Scheme. Firstly we define the notation used below.

(1) $H_1, H_2, H_3$: three one-way hash functions $H_1, H_2, H_3 : \{0,1\}^* \rightarrow \mathbb{Z}_{n_b}$; their outputs are used as factors modulo $n_b$.
(2) $H_4, H_5$: two one-way hash functions $H_4, H_5 : \{0,1\}^* \rightarrow \mathbb{Z}_q$; their outputs are used as exponents modulo $q$.
(3) $E_x / D_x$: a secure symmetric cryptosystem. Plaintext is both encrypted and decrypted with the symmetric key $x$.
(4) $E_{pk} / D_{sk}$: a secure asymmetric cryptosystem. Plaintext is encrypted with a public key $pk$ and decrypted with the corresponding private key $sk$.
(5) $(pk_j, sk_j)$: the public-private key pair of the judge.
(6) $(e_b, d_b)$: the public-private key pair of the bank.
(7) $\mathit{Date}$: the expiration date. It represents the effective spending period of a withdrawn e-cash. All e-cash withdrawn in the same period carries the same expiration date, and vice versa.
(8) $\mathrm{ID}_c$: the identity of user $C$.
(9) $l_k, l_{r_j}$: security parameters (the bit lengths of the symmetric key $k$ and of the judge's nonce $r_j$ introduced below).
(10) Judge device: a tamper-resistant device issued by the judge and installed in the bank's system. The scheme assumes that nobody can intercept or modify any information stored in the device.

3.2.1. Initialization. Initially the bank randomly chooses two distinct large primes $(p_b, q_b)$ and computes the RSA parameters $n_b = p_b q_b$ and $\phi(n_b) = (p_b - 1)(q_b - 1)$. It selects an integer $e_b$ at random such that $\gcd(\phi(n_b), e_b) = 1$ and $1 < e_b < \phi(n_b)$, then finds $d_b$ such that $e_b d_b \equiv 1 \pmod{\phi(n_b)}$. Secondly, it chooses two other large primes $p$ and $q$ with $q \mid (p-1)$, and two generators $g_1$ and $g_2$ of order $q$ in $\mathbb{Z}_p^*$. Then the bank publishes
$$(n_b, e_b, p, q, g_1, g_2, pk_j, H_1, H_2, H_3, H_4, H_5, E/D, E/D).$$
Meanwhile the judge embeds $(n_b, e_b, p, q, g_1, g_2, pk_j, sk_j, H_1, H_2, H_3, H_4, H_5, E, D, E, D)$ into a judge device and issues it to the bank. The judge's private key $sk_j$ exists only inside the device; the bank itself never holds it.

3.2.2. Withdrawal Protocol. Users run the withdrawal protocol with the bank to obtain an e-cash, as shown in Figure 1. The bank has to know the user's identity, such as $\mathrm{ID}_c$ or an account number, before the withdrawal protocol proceeds; therefore users authenticate to the bank beforehand. Users can execute the withdrawal protocol on any device that can compute and connect to the network, for instance a mobile phone or a computer, and store the withdrawn e-cash on it. The detailed steps of the protocol are as follows.

(1) Bank $\rightarrow$ User: $D$. Firstly the user prepares the parameters for withdrawing an e-cash. The user chooses integers $a, x_1, x_2, r_1, r_2, r_3$ at random, where $a \in_R \mathbb{Z}_{n_b}^*$ and $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q-1\}$, and selects a random string $k \in_R \{0,1\}^{l_k}$. The user then computes $(y_1, w_1, y_2, w_2)$, where
$$y_i = g_i^{x_i} \bmod p, \qquad w_i = g_i^{r_i} \bmod p, \qquad i = 1, 2.$$
Secondly the bank computes the parameters for the expiration date. It randomly chooses $r \in \mathbb{Z}_{n_b}^*$ and prepares $D = (\mathit{Date}, r)$ for the current expiration date $\mathit{Date}$. The bank sends $D$ to the user when she/he requests to withdraw an e-cash.

(2) User $\rightarrow$ Bank: $(\alpha, \epsilon)$. After receiving $D$, the user prepares $\epsilon = E_{pk_j}(k, \mathrm{ID}_c)$ and
$$\alpha = \left[a^{e_b} H_1^2(m, D)\right]^{-1} \bmod n_b, \quad (1)$$
where $m = (y_1, w_1, y_2, w_2, r_3)$ and $H_1^2(m, D) = H_1(H_1(m, D))$ denotes the twofold application of $H_1$; the inner value $H_1(m, D)$ is what the user later reveals in the renewal protocol. Finally the user sends $(\alpha, \epsilon)$ to the bank.

(3) Bank $\rightarrow$ Judge device: $(\epsilon, \mu, D)$. The bank sets $\mu = \mathrm{ID}_c$, where $\mathrm{ID}_c$ is the identity of the authenticated user $C$, and inputs it together with $\epsilon$ and $D$ to the judge device.

(4) Judge device $\rightarrow$ Bank: $(\beta, E_k(b, \sigma, r_j))$. The judge device decrypts $\epsilon$ with $sk_j$ and checks whether $\mu = \mathrm{ID}_c$. If not, it returns "ID error" to the bank; otherwise it picks a random integer $b \in_R \mathbb{Z}_{n_b}^*$ and a random string $r_j \in_R \{0,1\}^{l_{r_j}}$. Then it computes $\sigma = E_{pk_j}(\mu, r_j)$ and
$$\beta = \left[b^{e_b} H_3(\sigma, D)\right]^{-1} \bmod n_b. \quad (2)$$
Finally it encrypts $(b, \sigma, r_j)$ with the symmetric key $k$ and outputs the ciphertext together with $\beta$ to the bank. Since only the user and the judge device know $k$, the bank learns neither $b$ nor $\sigma$.

(5) Bank $\rightarrow$ User: $(t, E_k(b, \sigma, r_j))$. After receiving $(\beta, E_k(b, \sigma, r_j))$ from the judge device, the bank computes
$$t = \left(\alpha \beta H_2(D)\right)^{d_b} \bmod n_b \quad (3)$$
and sends $(t, E_k(b, \sigma, r_j))$ to the user.

(6) Verifications. After receiving $(t, E_k(b, \sigma, r_j))$, the user firstly decrypts the ciphertext with the symmetric key $k$ to obtain $(b, \sigma, r_j)$. Secondly she/he checks that her/his own identity is embedded correctly by testing whether $\sigma = E_{pk_j}(\mathrm{ID}_c, r_j)$ holds; this recomputation only works if $E_{pk_j}$ is deterministic once its randomness $r_j$ is fixed, which is the role $r_j$ plays here. Thirdly she/he computes
$$s = a\,b\,t \bmod n_b \quad (4)$$
and verifies $s$ by checking whether
$$s^{e_b} H_1^2(m, D)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b} \quad (5)$$
holds. Equation (5) follows from (1)-(4): $s^{e_b} = a^{e_b} b^{e_b} \alpha \beta H_2(D) = H_2(D) \cdot [H_1^2(m, D)\, H_3(\sigma, D)]^{-1} \pmod{n_b}$. Finally, when all verifications succeed, the user holds the e-cash tuple $(s, m, \sigma, D)$ and stores $(x_1, x_2, r_1, r_2)$ for later payments.

Figure 1: Withdrawal protocol.

3.2.3. Payment Protocol. When a user spends an e-cash, she/he performs the protocol shown in Figure 2. The steps of the protocol are as follows.

(1) User $\rightarrow$ Shop: $(s, m, \sigma, D, x_2, r_2)$. The user sends $(s, m, \sigma, D, x_2, r_2)$ to the shop, where $D$ contains the expiration date of the e-cash. Handing over $(x_2, r_2)$, the trapdoor of $w_2 = g_2^{r_2}$, is what later lets the shop attach a deposit date (Section 3.2.4); $(x_1, r_1)$ stay with the user.

(2) Shop $\rightarrow$ User: $r_s$. The shop first checks $D$ to verify whether the e-cash is still within its expiration date; if not, it terminates the transaction. Otherwise it verifies
$$s^{e_b} H_1^2(m, D)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}.$$
If the check fails, the protocol is aborted; otherwise the shop selects a string $r'_s \in_R \{0,1\}^{l_{r_j}}$ and sets the challenge $r_s = (\mathrm{ID}_s, r'_s)$, where $\mathrm{ID}_s$ is the identity of the shop. Finally it sends $r_s$ to the user.

(3) User $\rightarrow$ Shop: $(s', r_u)$. After receiving $r_s$ from the shop, the user randomly selects $r_u \in_R \mathbb{Z}_q^*$ and computes the response to the challenge
$$s' = (r_1 - u x_1) \bmod q, \quad (6)$$
where $u = H_4(r_u, r_s)$. Then the user sends $(s', r_u)$ to the shop.

(4) Verifications. After receiving $(s', r_u)$ from the user, the shop verifies whether
$$w_1 \equiv y_1^{H_4(r_u, r_s)}\, g_1^{s'} \pmod p$$
holds; for an honest user it does, because $y_1^u g_1^{s'} = g_1^{u x_1 + r_1 - u x_1} = g_1^{r_1} = w_1$. If it holds the shop accepts the e-cash, otherwise it rejects it. Since this is an offline e-cash, the shop does not have to deposit it at the bank immediately; it can store the e-cash and deposit it later together with other received e-cash(s). Note that a second payment with the same e-cash forces the user to answer a second challenge with the same $(x_1, r_1)$, which is what makes double-spending detectable (Section 3.2.6).

Figure 2: Payment protocol.

3.2.4. Deposit Protocol. As Figure 3 shows, shops attach the deposit date to their e-cash(s) and deposit them at the bank in this protocol. The bank performs double-spending checks when it receives these e-cash(s). If any e-cash is double-spent, the bank revokes the anonymity of the e-cash owner with the help of the judge. The steps are described in detail as follows.

(1) Shop $\rightarrow$ Bank: $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$. The shop computes
$$r_4 = \left(r_2 - x_2 H_5(d)\right) \bmod q,$$
where $d$ is the deposit date, and sends $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$ to the bank.

(2) Verifications. Firstly the bank checks the correctness of the expiration date $D$ and of the deposit date $d$, that is, that the e-cash has not expired and that $d$ is the actual date of deposit according to the bank's own clock (the holder of the trapdoor $(x_2, r_2)$ could compute an $r_4$ for any $d$, so the date itself must be validated by the bank). It also checks whether
$$w_2 \equiv y_2^{H_5(d)}\, g_2^{r_4} \pmod p, \qquad w_1 \equiv y_1^{H_4(r_u, r_s)}\, g_1^{s'} \pmod p \quad (7)$$
hold. Secondly the bank verifies $s^{e_b} H_1^2(m, D)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$ and checks the uniqueness of $(s, m, \sigma, D)$ in its database. Finally, if all of the above checks succeed, the bank accepts and stores the e-cash in its database and records $H_1(m, D)$ in the exchange list, so that a deposited e-cash can no longer be renewed (Section 3.2.5). Otherwise it rejects the transaction and traces the owner of the e-cash as described in Section 3.2.6.

3.2.5. E-Cash Renewal Protocol. In order to reduce the unlimited-growth problem of the bank's database, our scheme has an expiration date and a renewal protocol, as shown in Figure 4. When an unused e-cash has expired, the user exchanges it for another e-cash with a new expiration date at the bank.

(1) User $\rightarrow$ Bank: $(s, \rho, \sigma, D)$. The user recalls $m = (y_1, w_1, y_2, w_2, r_3)$ of the expired e-cash and prepares
$$\rho = H_1(m, D) \quad (8)$$
and sends it together with the unused $(s, \sigma, D)$ to the bank. Only the inner hash $\rho$ is revealed, never $m$ itself.

(2) Verifications. Firstly the bank checks the expiration date $D$, makes sure $\rho$ does not exist in the exchange list, and checks that $s$ has not been deposited or exchanged before. Secondly the bank verifies
$$s^{e_b} H_1(\rho)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b},$$
which is exactly (5) with $H_1^2(m, D) = H_1(\rho)$. Finally, if all of the above checks succeed, the bank accepts to exchange the e-cash: it sends a new expiration date $D'$ and stores $\rho$ in the exchange list. Otherwise it rejects the exchange request.

(3) User $\rightarrow$ Bank: $(\alpha', \epsilon)$. The user computes
$$\alpha' = \left[a^{e_b} H_1^2(m', D')\right]^{-1} \bmod n_b, \quad (9)$$
where $m' = (y_1, w_1, y_2, w_2, r'_3)$, $r'_3$ is a fresh random value, and $D'$ is the new expiration date issued by the bank. The user sends $(\alpha', \epsilon, \mathrm{ID}_c)$ to the bank. Then the bank repeats the withdrawal protocol of Section 3.2.2 from Step 2 with the user. The one-time keys $(y_1, w_1, y_2, w_2)$, and therefore the stored $(x_1, x_2, r_1, r_2)$, are reused unchanged; this is the efficiency gain mentioned in Section 3.1.

Figure 3: Deposit protocol.

Figure 4: E-cash renewal protocol.
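The RSA half of the scheme in running code. This is an added example, not code from the paper or its authors: it implements the blind signature steps (1)-(5) of Section 2.1, the issuing equations (1)-(5) of Section 3.2.2 with the user, the judge device and the bank as separate functions, the renewal check of Section 3.2.5, and the blinder reconstruction of eq. (15) from the proof of Theorem 3. The RSA modulus is built from two Mersenne primes and SHA-256 stands in for $H, H_1, H_2, H_3$; both are assumptions made for a self-contained demo, as is the placeholder byte string used for $\sigma$ in place of $E_{pk_j}(\mathrm{ID}_c, r_j)$.

```python
"""Added example, not code from the paper: Chaum's RSA blind signature of
Section 2.1, the double-blinded, date-attached issuing of Section 3.2.2
(eqs. (1)-(5)), the renewal check of Section 3.2.5 and the blinder
reconstruction of eq. (15).  Toy parameters: the RSA factors are Mersenne
primes, so no prime search is needed; a deployment uses random primes of
1024 bits or more."""
import hashlib
import math
import secrets

P_B, Q_B = 2**127 - 1, 2**89 - 1     # Mersenne primes (assumption: demo size)
N_B = P_B * Q_B
E_B = 65537                          # coprime to phi(N_B) for these factors
D_B = pow(E_B, -1, (P_B - 1) * (Q_B - 1))


def H(tag, *parts):
    """Random-oracle stand-in for H, H_1, H_2, H_3 (tag picks which);
    output reduced into Z_{n_b}."""
    h = hashlib.sha256(tag.encode())
    for part in parts:
        h.update(repr(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % N_B


def rand_unit():
    """Uniform element of Z_{n_b}^*."""
    while True:
        x = secrets.randbelow(N_B - 2) + 2
        if math.gcd(x, N_B) == 1:
            return x


# ---- Section 2.1: plain Chaum blind signature -----------------------------
def chaum_blind(m, r):         # step (2): alpha = r^e H(m)
    return pow(r, E_B, N_B) * H("H", m) % N_B

def rsa_sign(alpha):           # step (3): the signer never sees H(m)
    return pow(alpha, D_B, N_B)

def chaum_unblind(t, r):       # step (4): s = r^{-1} t
    return pow(r, -1, N_B) * t % N_B

def chaum_verify(s, m):        # step (5): s^e == H(m)
    return pow(s, E_B, N_B) == H("H", m)


# ---- Section 3.2.2: date-attached e-cash issuing --------------------------
def h1sq(m, D):                # H_1^2(m, D) = H_1(H_1(m, D))
    return H("H1", H("H1", m, D))

def user_blind(m, D, a):       # eq. (1)
    return pow(pow(a, E_B, N_B) * h1sq(m, D) % N_B, -1, N_B)

def judge_blind(sigma, D, b):  # eq. (2), computed inside the judge device
    return pow(pow(b, E_B, N_B) * H("H3", sigma, D) % N_B, -1, N_B)

def bank_sign(alpha, beta, D): # eq. (3)
    return pow(alpha * beta % N_B * H("H2", D) % N_B, D_B, N_B)

def verify_coin(s, m, sigma, D):  # eq. (5)
    lhs = pow(s, E_B, N_B) * h1sq(m, D) % N_B * H("H3", sigma, D) % N_B
    return lhs == H("H2", D)

def withdraw(m, D, sigma):
    """Whole exchange with all three roles in one process.  Returns the coin
    and the bank's view (alpha, beta, t); the bank never sees a, b, m or s."""
    a, b = rand_unit(), rand_unit()       # user's and judge's blinders
    alpha = user_blind(m, D, a)           # user -> bank
    beta = judge_blind(sigma, D, b)       # judge device -> bank
    t = bank_sign(alpha, beta, D)         # bank -> user
    s = a * b % N_B * t % N_B             # eq. (4)
    return (s, m, sigma, D), (alpha, beta, t)


# ---- Section 3.2.5: the bank checks rho = H_1(m, D) without learning m ----
def renewal_check(s, rho, sigma, D):
    lhs = pow(s, E_B, N_B) * H("H1", rho) % N_B * H("H3", sigma, D) % N_B
    return lhs == H("H2", D)


# ---- Theorem 3, eq. (15): any view explains any coin of the same period --
def view_explains_coin(view, coin):
    alpha, beta, t = view
    s, m, sigma, D = coin
    a_p = pow(alpha * h1sq(m, D) % N_B, -D_B, N_B)        # a' via (1)
    b_p = pow(beta * H("H3", sigma, D) % N_B, -D_B, N_B)  # b' via (2)
    return a_p * b_p % N_B * t % N_B == s                 # eq. (4)


if __name__ == "__main__":
    # Constructed sample data.  Both users get the SAME D for the period,
    # as notation (7) requires; a per-coin D would be a trivial linking tag.
    D = ("2014-12-31", 0x5EED)
    coin0, view0 = withdraw((11, 12, 13, 14, 15), D, b"sigma-of-user-0")
    coin1, view1 = withdraw((21, 22, 23, 24, 25), D, b"sigma-of-user-1")
    assert verify_coin(*coin0) and verify_coin(*coin1)
    assert view_explains_coin(view0, coin1) and view_explains_coin(view1, coin0)
    print("two valid coins; either bank view explains either coin")
```

Running the file issues two coins under the same $D$ and checks that the bank's view of either withdrawal is consistent with either coin, which is the content of eq. (16). The check relies on both coins sharing $D$: $t$ carries $H_2(D)$, so coins from different periods are distinguishable by their public $D$ alone, which is why notation (7) fixes one $D$ per period rather than per coin.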

3.2.6. Double-Spending Checking and Anonymity Control. In our scheme the identity of a user is anonymous in general, except when the user violates a security rule, in which case her/his identity is revealed.

(1) Double-Spending Checking. When an e-cash is doubly spent, there must be two deposited records with the same prefix $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$ stored in the database of the bank. Therefore the bank is able to detect any double-spent e-cash by comparing these parameters. For instance, suppose the bank has received the two e-cash records
$$(s, y_1, w_1, y_2, w_2, r_3, r_4, \sigma, D, d, s', r_u, r_s), \qquad (s, y_1, w_1, y_2, w_2, r_3, r'_4, \sigma, D, d', s'', r'_u, r'_s), \quad (10)$$
that is, the same e-cash answered to two different challenges. Thus the bank obtains the two equations
$$s' \equiv r_1 - H_4(r_u, r_s)\, x_1 \pmod q, \qquad s'' \equiv r_1 - H_4(r'_u, r'_s)\, x_1 \pmod q. \quad (11)$$
Provided $H_4(r_u, r_s) \not\equiv H_4(r'_u, r'_s) \pmod q$, which holds except with negligible probability because the shop's identity and nonce enter the challenge, the bank solves the system for the secrets:
$$x_1 = (s'' - s')\left(H_4(r_u, r_s) - H_4(r'_u, r'_s)\right)^{-1} \bmod q, \qquad r_1 = s' + H_4(r_u, r_s)\, x_1 \bmod q.$$
The bank then sends $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$ and $(x_1, r_1)$ to the judge to trace the owner of the e-cash.

(2) Revocation. The judge can trace any user who doubly spends e-cash(s) or violates any transaction regulation. When the judge receives $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$ and $(x_1, r_1)$ from the bank, it checks the following equations:
$$s^{e_b} H_1^2(m, D)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}, \qquad y_1 \equiv g_1^{x_1} \pmod p, \qquad w_1 \equiv g_1^{r_1} \pmod p. \quad (12)$$
If all of the above equalities hold, the judge decrypts $\sigma$ with $sk_j$ and returns the extracted $\mathrm{ID}_c$ to the bank. The second and third checks force the bank to present the actual secrets of the accused e-cash, so the judge does not deanonymize a coin on the bank's word alone.

Figure 5: The game environment of the linkage game.
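The discrete-log half, as an added example that is not part of the paper: the chameleon hash of Section 2.2 with its trapdoor collision, the Schnorr-style response and check of Sections 3.2.3 and 3.2.4 (eqs. (6) and (7), which share one formula), and the double-spending extraction of Section 3.2.6 (eq. (11)), including the singular case where both challenges hash to the same $u$. The group is generated at run time with a small Miller-Rabin routine and a 160-bit $q$, and SHA-256 stands in for $H_4$ and $H_5$; these parameters and the sample challenges are assumptions made for the demo.

```python
"""Added example, not code from the paper: the discrete-log side of the
scheme.  It covers the chameleon hash of Section 2.2, the payment response
and check of Section 3.2.3 (eq. (6)), the deposit-date attachment of
Section 3.2.4 (eq. (7)) and the extraction of (x_1, r_1) from two
responses in Section 3.2.6 (eq. (11)).  The group (p = kq + 1, g of order
q) is generated at run time with Miller-Rabin; q is 160 bits here, which is
an assumption for the demo, not the paper's parameter choice."""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(qbits=160):
    """Setup: primes q and p = kq + 1, and g_1, g_2 of order q in Z_p^*."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    k = 2
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    gens = []
    while len(gens) < 2:
        g = pow(secrets.randbelow(p - 2) + 2, k, p)  # h^k has order q or 1
        if g != 1:
            gens.append(g)
    return p, q, gens[0], gens[1]


def hq(q, *parts):
    """Stand-in for H_4 / H_5: hash into Z_q."""
    h = hashlib.sha256()
    for part in parts:
        h.update(repr(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % q


# ---- Section 2.2: chameleon hash and its trapdoor collision ---------------
def cham_hash(p, g, y, m, r):
    return pow(g, m, p) * pow(y, r, p) % p

def cham_collide(q, x, m, r, m2):
    """r' with m + x r = m' + x r' (mod q); only the trapdoor holder can."""
    return (m + x * r - m2) * pow(x, -1, q) % q


# ---- Sections 3.2.3 / 3.2.4: keys y_i = g_i^{x_i}, w_i = g_i^{r_i} -------
def respond(q, x, r, u):
    """Eq. (6): s' = r - u x mod q; the same formula gives r_4 in (7) with
    (x_2, r_2, H_5(d))."""
    return (r - u * x) % q

def check_response(p, g, y, w, u, s_resp):
    """Shop or bank check: w == y^u g^{s'} mod p."""
    return w == pow(y, u, p) * pow(g, s_resp, p) % p


# ---- Section 3.2.6: two answers to different challenges leak (x_1, r_1) --
def extract_secret(q, u1, s1, u2, s2):
    """Solve s1 = r - u1 x, s2 = r - u2 x (mod q).  Returns (x, r), or None
    when both challenges hash to the same u and the system is singular."""
    if (u1 - u2) % q == 0:
        return None
    x = (s2 - s1) * pow(u1 - u2, -1, q) % q
    r = (s1 + u1 * x) % q
    return x, r


if __name__ == "__main__":
    p, q, g1, g2 = make_group()
    x1, r1 = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    y1, w1 = pow(g1, x1, p), pow(g1, r1, p)
    # Constructed challenges from two shops: u = H_4(r_u, r_s), r_s = (ID_s, r'_s)
    u_a = hq(q, "r_u-a", ("shop-A", "nonce-a"))
    u_b = hq(q, "r_u-b", ("shop-B", "nonce-b"))
    s_a, s_b = respond(q, x1, r1, u_a), respond(q, x1, r1, u_b)
    assert check_response(p, g1, y1, w1, u_a, s_a)
    assert extract_secret(q, u_a, s_a, u_b, s_b) == (x1, r1)
    print("same coin spent twice: bank recovered x_1 and r_1")
```

The deposit-date attachment of eq. (7) is the same `respond`/`check_response` pair applied to $(x_2, r_2)$ with $u = H_5(d)$, which is also why the bank has to validate $d$ itself: whoever holds the trapdoor can open $w_2$ to any date.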

4. Security Proofs

In this section we provide security definitions and formal proofs of the following security features of our proposed date attachable offline electronic cash scheme (DAOECS): unlinkability, unforgeability, traceability, and no-swindling.

4.1. E-Cash Unlinkability. Based on the definition of unlinkability introduced by Abe and Okamoto [35] and Juels et al. [36], we formally define the unlinkability property of DAOECS.

Definition 1 (The Linkage Game). Let $U_0$, $U_1$ and $J$ be two honest users and the judge, respectively, all following DAOECS. Let $\mathcal{B}$ be the bank that participates in the following game with $U_0$, $U_1$ and $J$. The game environment is shown in Figure 5.

Step 1. According to DAOECS, $\mathcal{B}$ generates the bank's public key $(e_b, n_b)$, the bank's private key $(d_b, p_b, q_b)$, the system parameters $(p, q, g_1, g_2)$, the expiration date $D$, and the five public one-way hash functions $H_1, H_2, H_3, H_4, H_5$. $J$ generates the judge's public-private key pair $(pk_j, sk_j)$.

Step 2. $\mathcal{B}$ generates $x_{1i}, x_{2i}, r_{1i}, r_{2i}, r_{3i}$ at random, where $x_{1i}, x_{2i}, r_{1i}, r_{2i}, r_{3i} \in_R \{0, 1, \ldots, q-1\}$, and computes $(y_{ki}, w_{ki})$ for $k = 1, 2$ and $i = 0, 1$, where $y_{ki} = g_k^{x_{ki}} \bmod p$ and $w_{ki} = g_k^{r_{ki}} \bmod p$.

Step 3. We choose a bit $b \in \{0, 1\}$ randomly and place $(y_{1b}, w_{1b}, y_{2b}, w_{2b})$ and $(y_{1,1-b}, w_{1,1-b}, y_{2,1-b}, w_{2,1-b})$ on the private input tapes of $U_0$ and $U_1$, respectively, where $b$ is not disclosed to $\mathcal{B}$.

Step 4. $\mathcal{B}$ performs the withdrawal protocol of DAOECS with $U_0$ and $U_1$, respectively.

Step 5. If $U_0$ and $U_1$ output two e-cash(s) $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$, where $m_i = (y_{1i}, w_{1i}, y_{2i}, w_{2i}, r_{3i})$, on their private tapes, respectively, we give the two e-cash(s) in a random order to $\mathcal{B}$; otherwise $\perp$ is given to $\mathcal{B}$.

Step 6. $\mathcal{B}$ outputs $b' \in \{0, 1\}$ as its guess of $b$. The bank $\mathcal{B}$ wins the game if $b' = b$ and $J$ has not revoked the anonymity of either $(s_b, m_b, \sigma_b, D_b)$ or $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$ to $\mathcal{B}$. We define the advantage of $\mathcal{B}$ as
$$\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = \left| 2 \Pr[b' = b] - 1 \right|, \quad (13)$$
where $\Pr[b' = b]$ denotes the probability that $b' = b$.

Definition 2 (Unlinkability). A DAOECS satisfies the unlinkability property if and only if the advantage $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B})$ defined in Definition 1 is negligible.

Theorem 3. A DAOECS satisfies the unlinkability property of Definition 2 if the adopted cryptosystems are semantically secure.

Algorithm 1: Experiment FG-1.
  Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k)$:
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $((s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1})) \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true return 1:
      (i) $s_i^{e_b} H_1^2(m_i)\, H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod{n_b}$ for all $i \in \{1, \ldots, \ell+1\}$;
      (ii) $m_1, \ldots, m_{\ell+1}$ are all distinct;
    else return 0.

Proof. If $\mathcal{B}$ is given $\perp$ in Step 5 of the game, it determines $b$ with probability $1/2$, which is exactly a random guess of $b$.

Here we assume that $\mathcal{B}$ gets the two e-cash(s) $(s_0, m_0, \sigma_0, D_0)$ and $(s_1, m_1, \sigma_1, D_1)$. Let $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$, $i \in \{0, 1\}$, be the view of the data exchanged between $U_i$ and $\mathcal{B}$ in the withdrawal protocol (Section 3.2.2), and let $(x_{2i}, r_{2i}, r_{4i}, r_{u_i}, r_{s_i}, s'_i, d_i)$ be the view of the data exchanged when $\mathcal{B}$ performs the payment protocol (Section 3.2.3) and the deposit protocol (Section 3.2.4) using $(s_i, m_i, \sigma_i, D_i)$, $i \in \{0, 1\}$.

For every
$$(s, m, \sigma, D, x_2, r_2, r_4, r_u, r_s, s', d) \in \{(s_0, m_0, \sigma_0, D_0, x_{20}, r_{20}, r_{40}, r_{u_0}, r_{s_0}, s'_0, d_0),\ (s_1, m_1, \sigma_1, D_1, x_{21}, r_{21}, r_{41}, r_{u_1}, r_{s_1}, s'_1, d_1)\} \quad (14)$$
and every view $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$, $i \in \{0, 1\}$, there always exists a pair $(a'_i, b'_i)$ such that
$$a'_i = \left[\alpha_i H_1^2(m, D)\right]^{-d_b} \bmod n_b \ \text{(via (1))}, \qquad b'_i = \left[\beta_i H_3(\sigma, D)\right]^{-d_b} \bmod n_b \ \text{(via (2))}. \quad (15)$$
From (3), $t_i \equiv (\alpha_i \beta_i H_2(D))^{d_b} \pmod{n_b}$, so (4) always holds, as
$$s \equiv a'_i b'_i t_i \equiv \left[\left(H_1^2(m, D)\, H_3(\sigma, D)\right)^{-1} H_2(D)\right]^{d_b} \pmod{n_b}. \quad (16)$$
The right-hand side of (16) depends only on $(m, \sigma, D)$ and is the unique $e_b$-th root of $H_2(D)\,[H_1^2(m, D) H_3(\sigma, D)]^{-1}$, which by (5) is $s$; this uses the fact that both e-cash(s) carry the same expiration date $D$ of the current period. Besides, $E_{pk_j}$ and $E_{k_i}$ are semantically secure encryption functions, so $\mathcal{B}$ cannot learn any information from $\epsilon_i$ or $E_{k_i}(b_i, \sigma_i, r_{j_i})$.

From the above, given any $(s, m, \sigma, D) \in \{(s_0, m_0, \sigma_0, D_0), (s_1, m_1, \sigma_1, D_1)\}$ and any $(\alpha_i, \beta_i, t_i)$, $i \in \{0, 1\}$, there always exists a corresponding pair $(a'_i, b'_i)$ such that (1), (2), (3) and (4) are satisfied. Thus, going back to Step 6 of the game, the bank $\mathcal{B}$ succeeds in determining $b$ with probability $1/2 + \varepsilon$, where $\varepsilon$ is negligible since $E_{pk_j}$ and $E_k$ are semantically secure. Therefore we have $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = 2\varepsilon$, which is negligible, so DAOECS satisfies the unlinkability property.

4.2. E-Cash Unforgeability. In this section we formally prove that the proposed date attachable offline electronic cash scheme (DAOECS) is secure against forgery attacks. Forgery attacks can be roughly divided into two types: one is the typical one-more forgery (i.e., $(\ell, \ell+1)$-forgery) [37], and the other is a forgery on some specific expiration date of an e-cash after sufficient communication with the signing oracle (i.e., the bank). The definitions and our formal proofs are as follows.

Definition 4 (Forgery Game 1 in DAOECS (FG-1)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary against DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS and is responsible for issuing e-cash(s) $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$, according to the queries from $\mathcal{A}$. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k)$ shown in Algorithm 1. $\mathcal{A}$ wins the forgery game FG-1 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k) = 1]$ is nonnegligible.

Definition 5 (Forgery Game 2 in DAOECS (FG-2)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary against DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS and takes charge of the following two events:
 (i) issue e-cash(s) $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$, according to the queries from $\mathcal{A}$;
 (ii) record the total number $\ell_{D_i}$ of e-cash(s) issued for each distinct expiration date $D_i$.
$\mathcal{A}$ is allowed to query $\mathcal{O}_S$ $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(l_k)$ shown in Algorithm 2. $\mathcal{A}$ wins the forgery game FG-2 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(l_k) = 1]$ is nonnegligible.

Algorithm 2: Experiment FG-2.
  Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(l_k)$:
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $\{(s_i, m_i, \sigma_i, D^*)\}_{1 \le i \le \ell_{D^*}+1} \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true return 1:
      (i) $s_i^{e_b} H_1^2(m_i)\, H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$ for all $i \in \{1, \ldots, \ell_{D^*}+1\}$;
      (ii) $m_1, \ldots, m_{\ell_{D^*}+1}$ are all distinct;
    else return 0.

Algorithm 3: Experiment RSA-ACTI.
  Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_{\mathcal{A}}(k)$:
    $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
    $(y_1, \ldots, y_m) \leftarrow \mathcal{O}_t(N, e, k)$
    $(\pi, (x_1, y_1), \ldots, (x_n, y_n)) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
    if the following checks are true return 1:
      (i) $\pi : \{1, \ldots, n\} \rightarrow \{1, \ldots, m\}$ is injective;
      (ii) $x_i^e \equiv y_i \pmod N$ for all $i \in \{1, \ldots, n\}$;
      (iii) $n > q_h$;
    else return 0.

Here we introduce the hard problems used in our proof models.

Definition 6 (Alternative Formulation of the RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ $m$ and $q_h$ times, respectively. Consider Algorithm 3. We say $\mathcal{A}$ breaks the RSA-ACTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_{\mathcal{A}}(k) = 1]$ is nonnegligible; in words, $\mathcal{A}$ must invert strictly more targets than the number of inversions it obtained from $\mathcal{O}_{\mathrm{inv}}$.

Definition 7 (The RSA Inversion Problem). Given $(e, n)$, where $n$ is the product of two distinct large primes $p$ and $q$ of roughly the same length and $e$ is a positive integer relatively prime to $(p-1)(q-1)$, and a randomly chosen positive integer $y$ less than $n$, find an integer $x$ such that $x^e \equiv y \pmod n$.

Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then DAOECS is secure against forgery attacks.

Theorem 9. For a polynomial-time adversary $\mathcal{A}$ who can win FG-1 or FG-2 with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-ACTI problem or the RSA inversion problem with nonnegligible probability.

Proof. $\mathcal{S}$ simulates the environment and controls three hash oracles $\mathcal{O}_{H_1}, \mathcal{O}_{H_2}, \mathcal{O}_{H_3}$ and an e-cash producing oracle $\mathcal{O}_S$ of the DAOECS scheme to respond to the different queries from $\mathcal{A}$ in the random oracle model, and takes advantage of $\mathcal{A}$ to solve the RSA-ACTI problem or the RSA inversion problem at the same time. For consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$ and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$ and $\mathcal{O}_{H_3}$, respectively.

Here we start the simulation for the two games (i.e., FG-1 and FG-2) to prove that DAOECS is secure against forgery attacks. The details of the simulation are set below and illustrated in Figures 6 and 7, respectively.

Simulation in FG-1. In this proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-ACTI problem defined in Definition 6 to help $\mathcal{S}$ produce e-cash(s), and the corresponding verifying key is $(e, n)$.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ is represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ to query the hash value $H_1(m)$, $\mathcal{S}$ checks the list $\mathcal{L}_{H_1}$:
 (a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
 (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1^2(m_i)$ and returns it to $\mathcal{A}$;
 (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ queries $\mathcal{O}_t$ to get a target instance $y$, returns it to $\mathcal{A}$, and fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), y)$ in $\mathcal{L}_{H_1}$;
 (d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.
Thus every outer hash value $H_1^2(m_i)$ is a target of the RSA-ACTI instance, while the inner values $H_1(m_i)$ are chosen by $\mathcal{S}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_2}$:
 (a) if $D = D_i$ for some $i$, the corresponding $\tau$ is retrieved and $\mathcal{S}$ sends $\tau^e \bmod n$ back to $\mathcal{A}$;
 (b) otherwise $\mathcal{S}$ selects a random $\tau \in \mathbb{Z}_n$, records $(D, \tau)$ in $\mathcal{L}_{H_2}$, and returns $\tau^e \bmod n$ to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ looks up the list $\mathcal{L}_{H_3}$:
 (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ is retrieved and $\eta^e \bmod n$ is returned to $\mathcal{A}$;
 (b) otherwise $\mathcal{S}$ selects a random $\eta \in \mathbb{Z}_n$, records $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$, and returns $\eta^e \bmod n$ to $\mathcal{A}$.
Because $\mathcal{S}$ knows the $e$-th roots $\tau$ and $\eta$ of every $H_2$ and $H_3$ value it hands out, these two factors can later be stripped from a forged e-cash, leaving an $e$-th root of the target $H_1^2(m_i)$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ does the following steps:
 (1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
 (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
 (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = \eta^e \bmod n$, and store $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$;
 (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \eta^e)^{-1} \bmod n$, which is (2) with $H_3(\sigma, D) = \eta^e$;
 (5) retrieve or assign $\tau$ such that $H_2(D) = \tau^e$, as in the $\mathcal{O}_{H_2}$ query described above;
 (6) send $\alpha \beta \tau^e$ to the oracle $\mathcal{O}_{\mathrm{inv}}$ to get $t = (\alpha \beta \tau^e)^d \bmod n$;
 (7) return $(t, E_k(b, \sigma, r_j))$ to $\mathcal{A}$.
Each e-cash producing query costs $\mathcal{S}$ exactly one query to $\mathcal{O}_{\mathrm{inv}}$, so after $\ell$ issuing queries $\mathcal{S}$ has used $q_h = \ell$ inversions.

Figure 6: The proof model of FG-1.

Figure 7: The proof model of FG-2.

The Scientific World Journal 11

Eventually assume thatA can successfully output ℓ+1 e-cashtuples

(1199041 119898

1 120590

1 119863

1) sdot sdot sdot (119904

ℓ+1 119898

ℓ+1 120590

ℓ+1 119863

ℓ+1) (17)

where 119898119894are all distinct forall119894 1 le 119894 le ℓ + 1 such that

119904119890

1198941198672

1(119898)119867

3(120590119894 119863

119894) = 119867

2(119863

119894) (mod 119899) after ℓ times to query

OS with nonnegligible probability 120598AAccording to L

1198671 L

1198672 and L

1198673 S can compute and

retrieve RSA-inversion instances (forall119894 1 le 119894 le ℓ + 1)

(119910119894)119889

equiv (1198672

1(119898

119894))119889

equiv 119904minus1

119894(119867

3(120590

119894 119863

119894)minus1

1198672(119863

119894))119889

equiv 119904minus1

119894120578minus1

119894(120591119894) (mod 119899)

(18)

Via A querying the signing oracle O119878for ℓ times (ie query

Oinv for ℓ times by S) S can output ℓ + 1 RSA-inversioninstances

(119904minus1

1120578minus1

1(1205911) 119910

1) (119904

minus1

2120578minus1

2(1205912) 119910

2)

(119904minus1

ℓ+1120578minus1

ℓ+1(120591ℓ+1

) 119910ℓ+1

)

(19)

and break the RSA-ACTI problem with nonnegligible proba-bility at least 120598A
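The FG-1 simulation above, as an added example that is not part of the paper: a toy Python simulator that programs $H_1$, $H_2$, $H_3$ exactly as the proof prescribes ($H_2(D) = \tau^e$, $H_3(\sigma, D) = \eta^e$, $H_1^2(m)$ an $\mathcal{O}_t$ target), answers an $\mathcal{O}_S$ query with a single $\mathcal{O}_{inv}$ call, and applies equation (18) to turn a valid e-cash tuple into an RSA inversion of the target. The small RSA key, the opaque label used in place of $E_{pk_j}(\mathrm{ID}, r_j)$, and producing the adversary's tuple with $d$ are assumptions made so the algebra can be checked offline.

```python
import math
import random

# Constructed toy RSA key for the simulator (assumption: far too small to be secure).
P, Q = 10007, 10009
N = P * Q
E_PUB = 65537
D_PRIV = pow(E_PUB, -1, (P - 1) * (Q - 1))   # the private exponent plays the O_inv oracle


class FG1Simulator:
    """S in the FG-1 proof: owns the lists L_H1, L_H2, L_H3 and counts its O_inv calls.
    E_pk_j(ID, r_j) and the session key k are omitted (they never enter the verification
    equation); sigma is passed in as an opaque label standing for the encrypted ID."""

    def __init__(self, seed=1):
        self.rng = random.Random(seed)
        self.L_H1, self.L_H2, self.L_H3 = {}, {}, {}  # m -> [rho, y|None]; date -> tau; (sigma, date) -> eta
        self.targets, self.inv_queries = [], 0        # O_t instances handed out; O_inv calls made

    def _unit(self):  # random element of Z_n^*, so every inverse taken below exists
        while True:
            v = self.rng.randrange(2, N)
            if math.gcd(v, N) == 1:
                return v

    # The two RSA-ACTI oracles S is allowed to use.
    def O_t(self):
        self.targets.append(self._unit())
        return self.targets[-1]

    def O_inv(self, v):
        self.inv_queries += 1
        return pow(v, D_PRIV, N)

    # (i) H1 query, cases (a)-(d): first level is random, second level is an O_t target.
    def H1(self, m):
        if m in self.L_H1:                        # (a) m = m_i: return rho_i
            return self.L_H1[m][0]
        for rec in self.L_H1.values():
            if m == rec[0]:                       # m = H1(m_i)
                if rec[1] is None:                # (c) H1^2(m_i) still bottom: take y from O_t
                    rec[1] = self.O_t()
                return rec[1]                     # (b) H1^2(m_i) already set
        rho = self._unit()                        # (d) fresh record (m, rho, bottom)
        self.L_H1[m] = [rho, None]
        return rho

    def H1_squared(self, m):
        return self.H1(self.H1(m))

    # (ii) H2 query: S keeps the e-th root tau of every H2 value.
    def H2(self, date):
        if date not in self.L_H2:
            self.L_H2[date] = self._unit()
        return pow(self.L_H2[date], E_PUB, N)

    # (iii) H3 query: S keeps the e-th root eta of every H3 value.
    def H3(self, sigma, date):
        if (sigma, date) not in self.L_H3:
            self.L_H3[(sigma, date)] = self._unit()
        return pow(self.L_H3[(sigma, date)], E_PUB, N)

    # (iv) e-cash producing query, steps (3)-(7); costs S exactly one O_inv call.
    def O_S(self, alpha, sigma, date):
        self.H3(sigma, date)                                          # (3) assign eta
        eta = self.L_H3[(sigma, date)]
        b = self._unit()                                              # (4) b in Z_n^*
        beta = pow(pow(b, E_PUB, N) * pow(eta, E_PUB, N) % N, -1, N)  #     beta = (b^e eta^e)^-1
        tau_e = self.H2(date)                                         # (5) H2(date) = tau^e
        t = self.O_inv(alpha * beta % N * tau_e % N)                  # (6) t = (alpha beta tau^e)^d
        return t, b                                                   # (7) b would travel under E_k

    # Equation (18): from a valid tuple, y^d = s^-1 eta^-1 tau with y = H1^2(m).
    def extract_inversion(self, s, m, sigma, date):
        y = self.H1_squared(m)
        x = pow(s * self.L_H3[(sigma, date)] % N, -1, N) * self.L_H2[date] % N
        return x, y


def verify_ecash(sim, s, m, sigma, date):
    """The scheme's verification equation s^e H1^2(m) H3(sigma, D) == H2(D) (mod n)."""
    return pow(s, E_PUB, N) * sim.H1_squared(m) % N * sim.H3(sigma, date) % N == sim.H2(date)


def adversary_output(sim, m, sigma, date):
    """Stand-in for A's forgery: a valid s computed with d (how A got it is irrelevant to (18))."""
    base = sim.H2(date) * pow(sim.H1_squared(m) * sim.H3(sigma, date) % N, -1, N) % N
    return pow(base, D_PRIV, N)


def run_reduction(seed=7):
    """One valid tuple after zero O_S queries gives one inversion with zero O_inv calls."""
    sim = FG1Simulator(seed)
    m, sigma, date = "m_1", "sigma_1", "2014-12-31"   # constructed sample inputs
    s = adversary_output(sim, m, sigma, date)
    x, y = sim.extract_inversion(s, m, sigma, date)
    return {"verifies": verify_ecash(sim, s, m, sigma, date),
            "inverted_target": pow(x, E_PUB, N) == y and y in sim.targets,
            "inv_queries": sim.inv_queries}
```

Calling `O_S` on a simulator shows that every e-cash query costs $\mathcal{S}$ exactly one $\mathcal{O}_{inv}$ query, which is the $\ell$ versus $\ell + 1$ count behind (19).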

Simulation in FG-2. Initially $\mathcal{S}$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\rho_i$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma$ and returns $(\varsigma^e \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ selects a random $\varsigma \in \mathbb{Z}_n$, returns $(\varsigma^e \bmod n)$ to $\mathcal{A}$, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ will be retrieved and returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e y \bmod n)$, record $((\sigma, D), \eta, H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$, and return $H_3(\sigma, D)$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. Let $\ell_{D_i}$ be a counter recording the number of queries on each expiration date $D_i$, initialized to 0. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$, obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^e \bmod n)$, and store $((\sigma, D), \perp, (\alpha\eta^e \bmod n))$ and $(\sigma, D)$ in $\mathcal{L}_{H_3}$ and $\mathcal{L}_x$, respectively;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e\alpha\eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv ((b\eta)^{-1}\tau) \pmod n$;
(7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Eventually, assume that $\mathcal{A}$ can successfully output $\ell_{D'} + 1$ e-cash tuples for some expiration date $D'$,
$$(s_1, m_1, \sigma_1, D'), \ldots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D'), \quad (20)$$
such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D') = H_2(D') \pmod n$, $\forall i$, $1 \le i \le \ell_{D'} + 1$, after $\ell_{D'}$ queries to $\mathcal{O}_S$ on $D'$, with nonnegligible probability $\epsilon_{\mathcal{A}}$.

Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'} + 1$, is not recorded in $\mathcal{L}_x$; then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve
$$(s_i)^e \equiv \bigl(H_1^2(m_i) H_3(\sigma_i, D')\bigr)^{-1} H_2(D') \equiv \bigl((\varsigma_i^e)(\eta_i^e y)\bigr)^{-1}(\tau_i^e) \pmod n,$$
$$x \equiv y^d \equiv (s_i\varsigma_i\eta_i)^{-1}\tau_i \pmod n \quad (21)$$
and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

4.3. E-Cash Conditional-Traceability. In this section, we will prove that the ID information embedded in e-cash(s) cannot be replaced or removed by any user in order to evade tracing after some misbehavior or crime. The details of our proof model are illustrated in Figure 8.

Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS to record parameters from the queries of $\mathcal{A}$ and issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider Algorithm 4. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Algorithm 4:
Experiment $\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
  $\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow \mathcal{O}_S$
  if the following two checks are true, return 1:
    (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$
    (ii) $s'^e H_1^2(m') H_3(\sigma', D') = H_2(D') \bmod n$
  else return 0

Figure 8: The proof model of TG.

Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies E-Cash Traceability.

Definition 12 (Alternative Formulation of RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{inv}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{inv}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5. We say $\mathcal{A}$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Algorithm 5:
Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{\mathcal{A}}(k)$
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
  $(y_1, \ldots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$
  $(x_1, y_1), \ldots, (x_{q_t}, y_{q_t}) \leftarrow \mathcal{A}^{\mathcal{O}_{inv}, \mathcal{O}_t}(N, e, k)$
  if $x_i^e \equiv y_i \pmod N$ $\forall i \in \{1, \ldots, q_t\}$, return 1
  else return 0

Theorem 13. For a polynomial-time adversary $\mathcal{A}$ who can win the tracing game TG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-AKTI problem with nonnegligible probability.

Proof. $\mathcal{S}$ simulates the environment of DAOECS by controlling three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ to respond to hash queries and an e-cash producing oracle $\mathcal{O}_S$ of DAOECS to respond to e-cash producing queries from $\mathcal{A}$, respectively, in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the RSA-AKTI problem. Then, for consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively. Besides, in the proof model, $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{inv}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12 to help $\mathcal{S}$ produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.

Here we will do the simulation for game TG to prove that DAOECS satisfies e-cash traceability. Details are described as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^e \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^e \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, H_1(m), \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will query $\mathcal{O}_t$ to get an instance $y$, and record $y$ and $((\sigma, D), y)$ in $\mathcal{L}_T$ and $\mathcal{L}_{H_3}$, respectively;
(c) return $y$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. While $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$, obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^e \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e\alpha\eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv ((b\eta)^{-1}\tau) \pmod n$;
(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of any $\mathcal{O}_S$ query, such that $s'^e H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$; then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can derive
$$(y')^d \equiv (H_3(\sigma', D'))^d \equiv s'^{-1}\bigl(H_1^2(m')^{-1} H_2(D')\bigr)^d \equiv s'^{-1}\varsigma'^{-1}\tau' \pmod n. \quad (22)$$

Let $|\mathcal{L}_T| = q_t$ and $\mathcal{L}_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends $y_i \in (\mathcal{L}_T - \{y'\})$, $1 \le i \le (q_t - 1)$, to $\mathcal{O}_{inv}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$. Eventually $\mathcal{S}$ can output $q_t$ RSA-inversion instances
$$(x_1, y_1),\ (x_2, y_2),\ \ldots,\ (x_{q_t-1}, y_{q_t-1}),\ \bigl((s'^{-1}\varsigma'^{-1}\tau'), y'\bigr) \quad (23)$$
after querying $\mathcal{O}_{inv}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has been spent in a previous transaction, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model, the merchant may accept a transaction involving a double-spent e-cash first and then do the double-spending check later. In this case, the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two events:
(i) No one except the real owner can spend a fresh and valid offline e-cash successfully.
(ii) No one can double spend an e-cash successfully.
Roughly, this can be referred to as the e-cash no-swindling property. In this section we will define the no-swindling property and formally prove that our scheme is secure against swindling attacks.

Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $\mathcal{O}_{off}$ is an oracle that shows the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively.

$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.


Algorithm 6: Experiment SWG-1.
Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b} H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\bigr) H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ has never been a query to $\mathcal{O}_{off}$
  else return 0

Algorithm 7: Experiment SWG-2.
Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b} H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\bigr) H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{off}$ only once
    (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ is not obtained from $\mathcal{O}_{off}$
  else return 0

Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. Then, for consistency, $\mathcal{S}$ maintains a list $\mathcal{L}_{H_4}$ to record every response of $\mathcal{O}_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we will describe the simulations for the two experiments $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ and $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ individually.

The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
(a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(b) if $i = \nu$: (1) compute $(w_1 = (y^*)^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
(c) if $i \neq \nu$: (1) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
(d) prepare $s = \bigl((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $\mathcal{L}_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{off}$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it will look up the list $\mathcal{L}_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
(b) otherwise $\mathcal{O}_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $\mathcal{L}_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*}$, $\mathcal{S}$ can derive
$$x^* = (r_1^*)^{-1}\bigl(x_1^* H_4(r_u^*, r_s^*) + s'^*\bigr) \bmod q \quad (24)$$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

Figure 9: The proof model of SWG-1.

The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
(a) if $i = \nu$:
(1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $(y_1 = (y^*)^{x_1} \bmod p)$ and $(w_1 = y_1^{u} g^{s'} \bmod p)$;
(3) prepare $s = \bigl((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (u, s'))$ in the list $\mathcal{L}_B$;
(b) if $i \neq \nu$:
(1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
(3) prepare $s = \bigl((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $\mathcal{L}_B$;
(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{off}$. A status parameter $\mathrm{sta}$ is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it will look up the list $\mathcal{L}_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and $\mathrm{sta} = 0$, $\mathcal{O}_{off}$ will perform the following procedures:
(1) set $\mathrm{sta} = 1$;
(2) retrieve the corresponding $(u, s')$ from $\mathcal{L}_B$ and choose a random $r_u$;
(3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $\mathcal{L}_H$;
(4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in the list $\mathcal{L}_{off}$;
(5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, compute $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(c) otherwise, abort.

(iii) Oracle $\mathcal{O}_{H_4}$. While $\mathcal{A}$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ will check the list $\mathcal{L}_H$:
(a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ will retrieve the corresponding $u$ and return it to $\mathcal{A}$;
(b) otherwise $\mathcal{O}_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, and return $u$ to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $\mathcal{L}_B$, and $H_4(r_u^*, r_s^*) = u^*$. Then, via $\mathcal{L}_H$, since
$$\bigl((y^*)^{x_1^*}\bigr)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \bigl((y^*)^{x_1^*}\bigr)^{u} g^{s'} \pmod p, \quad (25)$$
$\mathcal{S}$ can derive
$$x^* = \bigl(x_1^*(u^* - u)\bigr)^{-1}(s' - s'^*) \bmod q \quad (26)$$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

Figure 10: The proof model of SWG-2.
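The two extractions (24) and (26), as an added example that is not part of the paper: each function replays the $\nu$-th $\mathcal{O}_B$ query of its simulation in a constructed small Schnorr-type group ($q = 1019$, $p = 2q + 1$, $g = 4$; an assumption, far too small to be secure), builds a consistent winning transcript using the instance's $x^*$ (which the real $\mathcal{S}$ never sees), and checks that the extractor recovers $x^*$ from the transcript alone.

```python
import random

# Constructed toy Schnorr-type group (assumption: insecure size, for checking the algebra only).
Q_ORD = 1019             # prime group order q
P_MOD = 2 * Q_ORD + 1    # p = 2039, also prime, so the order-q subgroup is the quadratic residues
G = 4                    # 2^2 is a quadratic residue and != 1, hence has order q


def swg1_extract(r1, x1, u, s_prime_star, q=Q_ORD):
    """Equation (24): x* = (r1*)^-1 (x1* H4(ru*, rs*) + s'*) mod q, with u = H4(ru*, rs*)."""
    return pow(r1, -1, q) * (x1 * u + s_prime_star) % q


def swg2_extract(x1, u_star, u, s_prime, s_prime_star, q=Q_ORD):
    """Equation (26): x* = (x1* (u* - u))^-1 (s' - s'*) mod q."""
    return pow(x1 * (u_star - u) % q, -1, q) * (s_prime - s_prime_star) % q


def swg1_round_trip(x_star, seed=3):
    """Replay the nu-th O_B query of SWG-1 and a winning opening of it.
    Returns (extracted x, whether the transcript satisfied w1 = y1^u g^{s'*})."""
    rng = random.Random(seed)
    y_star = pow(G, x_star, P_MOD)                    # DL instance y* = g^{x*} given to S
    r1, x1 = rng.randrange(1, Q_ORD), rng.randrange(1, Q_ORD)
    w1 = pow(y_star, r1, P_MOD)                       # O_B, case i = nu: w1 = (y*)^{r1}
    y1 = pow(G, x1, P_MOD)                            #                   y1 = g^{x1}
    u = rng.randrange(1, Q_ORD)                       # u = H4(ru*, rs*)
    # A's winning tuple opens w1 as y1^u g^{s'*}; it is built here with x_star (unknown to S)
    # purely to obtain a consistent transcript for the extractor to work on.
    s_prime_star = (x_star * r1 - x1 * u) % Q_ORD
    consistent = pow(y1, u, P_MOD) * pow(G, s_prime_star, P_MOD) % P_MOD == w1
    return swg1_extract(r1, x1, u, s_prime_star), consistent


def swg2_round_trip(x_star, seed=5):
    """Replay the nu-th O_B query of SWG-2, its one honest O_off opening (u, s') and a
    second opening (u*, s'*) of the same w1 by A. Returns (extracted x, transcript ok)."""
    rng = random.Random(seed)
    y_star = pow(G, x_star, P_MOD)
    x1, u, s_prime = (rng.randrange(1, Q_ORD) for _ in range(3))
    y1 = pow(y_star, x1, P_MOD)                       # O_B, case i = nu: y1 = (y*)^{x1}
    w1 = pow(y1, u, P_MOD) * pow(G, s_prime, P_MOD) % P_MOD   # w1 = y1^u g^{s'}
    u_star = rng.randrange(1, Q_ORD)
    while u_star == u:                                # H4(ru*, rs*) = u* must differ from u
        u_star = rng.randrange(1, Q_ORD)
    # second opening under u*, again built with x_star only to make the transcript consistent
    s_prime_star = (s_prime + x_star * x1 * (u - u_star)) % Q_ORD
    consistent = pow(y1, u_star, P_MOD) * pow(G, s_prime_star, P_MOD) % P_MOD == w1
    return swg2_extract(x1, u_star, u, s_prime, s_prime_star), consistent
```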

Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. This implies that there exists no p.p.t. adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.

5. E-Cash Advanced Features and Performance Comparisons

In this section, we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and summarize them in Table 1.

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these features, there can be other advanced features of an e-cash system discussed in the literature. We focus on three other advanced features, which are traceability, date attachability, and no-swindling, and we compare the proposed scheme with the aforementioned schemes.

We also propose an e-cash renewal protocol for users to exchange their unused but expired e-cash(s) for a new valid e-cash; therefore users do not have to deposit the e-cash before it expires and withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. It is a great help to users, since their devices, such as smart phones, usually have a weaker computation capability.


Table 1: Advanced features and performance comparisons.

Advanced features        | Ours | [38] | [14] | [15] | [9] | [21] | [22] | [39] | [40] | [13] | [27]
On/off-line              | Off  | Off  | Off  | Off  | On  | Off  | Off  | Off  | Off  | On   | Off
Conditional-traceability | Yes  | Yes  | No   | Yes  | No  | Yes  | Yes  | Yes  | Yes  | Yes  | No
Date attachability       | Yes  | No   | No   | No   | Yes | Yes  | No   | No   | No   | No   | Yes
No-swindling             | Yes  | No   | No   | No   | —   | No   | Yes  | No   | No   | —    | No
Renewal protocol         | Yes  | —    | Yes  | —    | No  | Yes  | Yes  | —    | —    | —    | Yes
Formal proof             | Yes  | Yes  | No   | Yes  | No  | No   | Yes  | Yes  | Yes  | Yes  | No

Performance: transaction cost (⋆)
  Ours: 5E + 7M + 7H + 1inv + 1A ≈ 1454M
  [38]: 14E + 14M + 1H + 5A ≈ 3375M
  [14]: 6E + 8M ≈ 1448M
  [15]: 23E + 14M + 1A ≈ 5534M
  [9]:  2E + 2M + 2H ≈ 966M
  [21]: 5E + 9M + 1H + 1inv + 2A ≈ 1450M
  [22]: 2E ≈ 480M
  [39]: 18E + 15M + 2H + 8A ≈ 4337M
  [40]: 31E + 22M + 6H + 10A ≈ 7468M
  [13]: 22E + 11M + 4A ≈ 5291M
  [27]: 6E + 8M + 1H ≈ 1449M

Performance: communication cost (†)
  Ours: 1092 | [38]: 576 | [14]: 1288 | [15]: 939 | [9]: 769 | [21]: 644 | [22]: 300 | [39]: 828 | [40]: 968 | [13]: 1536 | [27]: 728

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
† The communication cost of each transaction at the user side, in bytes.


5.2. Performance Comparisons. According to [41], we can summarize the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times that of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.

With the above assumptions, the total computation cost of a user during the withdrawal and payment phases of our proposed scheme is 1452 times that of a modular multiplication, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 modular multiplications to finish the withdrawal and payment phases at the user end.

According to [15], we assume the RSA parameters $n$, $p$, and $q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and the one-way hash function used in all protocols; therefore, the signed message and the hashed message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending it, which is 1092 bytes per transaction.

The details of the comparisons are summarized in Table 1.

6. Conclusion

In this paper, we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to each e-cash. Besides, we have also designed an e-cash renewal protocol with which users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient in terms of the computation cost at the user side while satisfying all the security properties simultaneously. In addition to anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank manage its huge database against unlimited growth, but it also strengthens the preservation of users' privacy and rights.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grants NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.

References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.

[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.

[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.

[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.

[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.

[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.

[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.

[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.

[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.

[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.

[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.

[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.

[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.

[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.

[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.

[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.

[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.

[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology, CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.

[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.

[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.

[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.

[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.

[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.

[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.

[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.

[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology, CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.

[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.

[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.

[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.

[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.

[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs, white paper, Mobile Platform Group, Intel Corporation, 2002.

[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.

[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.

[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.

[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.

[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.

[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.

[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.


3. The Proposed Date Attachable Offline Electronic Cash Scheme

In this section, we introduce a new date attachable offline e-cash scheme. Considering the issues mentioned in Section 1, we propose a secure offline e-cash scheme with two specific kinds of date attached to the e-cash, namely, the expiration date and the deposit date.

3.1. Outline of the Proposed Scheme. Here we briefly describe the procedures of our scheme. The proposed scheme contains four protocols: the withdrawal protocol, the payment protocol, the deposit protocol, and the e-cash renewal protocol. A user withdraws an e-cash with an expiration date attached to it from the bank. A trusted computing platform (i.e., a judge device) [31, 32], as stated in the proposed scheme, is installed in the bank to hold the identity information of all users, and it further helps to trace users when needed. It is impossible for anyone except the judge to obtain any information embedded in the device [33]. Nowadays, a judge device can be implemented in practice with the technique of the Trusted Platform Module (TPM) [32, 34].

Before an e-cash is deposited, the depositor attaches the deposit date to the e-cash and sends it to the bank during the deposit stage. When the bank receives an e-cash, it performs double-spending checking to verify whether the e-cash has been doubly spent. The bank can derive the secret parameters of a user who double-spends and let the judge revoke the anonymity of that user. Besides, when an unused e-cash expires, the user is able to exchange it for a new one with a new expiration date. In our scheme, for efficiency, some of the unused parameters of users can remain unchanged while exchanging for a new valid e-cash. In the following sections, we describe our scheme in detail.

3.2. The Proposed Scheme. Firstly, we define some notations as follows.

(1) $H_1, H_2, H_3$: three one-way hash functions, $H_1, H_2, H_3: \{0,1\}^* \to \{0,1\}^n$.

(2) $H_4, H_5$: two one-way hash functions, $H_4, H_5: \{0,1\}^* \to \{0,1\}^q$.

(3) $E_x/D_x$: a secure symmetric cryptosystem. Plaintext is both encrypted and decrypted with a symmetric key $x$.

(4) $E_{pk}/D_{sk}$: a secure asymmetric cryptosystem. Plaintext is encrypted with a public key $pk$ and decrypted with the corresponding private key $sk$.

(5) $(pk_j, sk_j)$: the public-private key pair of the judge.

(6) $(e_b, d_b)$: the public-private key pair of the bank.

(7) $Date$: expiration date. It represents an effective spending date of a withdrawn e-cash. Any e-cash withdrawn in the same period will have the same expiration date, and vice versa.

(8) $ID_c$: the identity of user $C$.

(9) $l_k, l_r$: the security parameters.

(10) A judge device: a tamper-resistant device issued by the judge. It is installed into the system of the bank. It is impossible to intercept or modify any information stored in the device.

3.2.1. Initialization. Initially, the bank randomly chooses two distinct large primes $(p_b, q_b)$ and computes the RSA parameter $n_b = p_b q_b$. It selects an integer $e_b$ at random such that $\gcd(\phi(n_b), e_b) = 1$, where $\phi(n_b) = (p_b - 1)(q_b - 1)$ and $1 < e_b < \phi(n_b)$. Then it finds a $d_b$ such that $e_b d_b \equiv 1 \pmod{\phi(n_b)}$. Secondly, it also chooses two other large primes $p$ and $q$ and two generators $g_1$ and $g_2$ of order $q$ in $\mathbb{Z}_p^*$. Then the bank publishes $(n_b, e_b, p, q, g_1, g_2, pk_j, H_1, H_2, H_3, H_4, H_5, E, D, E, D)$. Meanwhile, the judge embeds $(n_b, e_b, p, q, g_1, g_2, pk_j, sk_j, H_1, H_2, H_3, H_4, H_5, E, D, E, D)$ into a judge device and issues it to the bank.

3.2.2. Withdrawal Protocol. Users run the withdrawal protocol with the bank to get an e-cash, as shown in Figure 1; yet the bank has to obtain the user's identity information, such as $ID_c$ or the account number, before the withdrawal protocol proceeds. Therefore, users should authenticate with the bank beforehand. Users can execute the withdrawal protocol with any device that is able to compute and connect to the network. For instance, users can use mobile phones or computers to perform the withdrawal protocol and store the withdrawn e-cash. The detailed steps of the protocol are as follows.

(1) Bank → User: $D$.

Firstly, the user prepares parameters for withdrawing an e-cash. The user chooses integers $a, x_1, x_2, r_1, r_2$, and $r_3$ at random, where $a \in_R \mathbb{Z}_{n_b}^*$ and $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q-1\}$, and selects a string $k \in_R \{0,1\}^{l_k}$ randomly. The user then computes $(y_1, w_1, y_2, w_2)$, where $y_i = g_i^{x_i} \bmod p$ and $w_i = g_i^{r_i} \bmod p$ for $i = 1, 2$. Secondly, the bank computes the parameters for the expiration date. It randomly chooses an $r$ in $\mathbb{Z}_n^*$ and prepares $D = (Date, r)$ for some expiration date $Date$. The bank sends $D$ to the user when she/he requests to withdraw an e-cash.

(2) User → Bank: $(\alpha, \epsilon)$.

After receiving $D$, the user prepares $\epsilon = E_{pk_j}(k, ID_c)$ and

$$\alpha = [a^{e_b} H_1^2(m, D)]^{-1} \bmod n_b, \quad (1)$$

where $m = (y_1, w_1, y_2, w_2, r_3)$. Finally, the user sends $(\alpha, \epsilon)$ to the bank.

(3) Bank → Judge device: $(\epsilon, \mu, D)$.

The bank sets $\mu = ID_c$, where $ID_c$ is the identity of user $C$, and inputs it together with $\epsilon$ and $D$ to the judge device.

(4) Judge device → Bank: $(\beta, E_k(b, \sigma, r_j))$.

The judge device decrypts $\epsilon$ and checks if $\mu = ID_c$. If not, it returns "ID error" to the bank; otherwise, it picks a random integer $b \in_R \mathbb{Z}_{n_b}^*$ and a random string $r_j \in_R \{0,1\}^{l_{r_j}}$. Then it computes $\sigma = E_{pk_j}(\mu, r_j)$ and

$$\beta = [b^{e_b} H_3(\sigma, D)]^{-1} \bmod n_b. \quad (2)$$

Finally, it encrypts $(b, \sigma, r_j)$ with the symmetric key $k$ and outputs the result together with $\beta$ to the bank.

(5) Bank → User: $(t, E_k(b, \sigma, r_j))$.

After receiving $(\beta, E_k(b, \sigma, r_j))$ from the judge device, the bank computes

$$t = (\alpha \beta H_2(D))^{d_b} \bmod n_b \quad (3)$$

and sends $(t, E_k(b, \sigma, r_j))$ to the user.

(6) Verifications.

After receiving $(t, E_k(b, \sigma, r_j))$, the user firstly decrypts the ciphertext with the symmetric key $k$ to obtain $(b, \sigma, r_j)$. Secondly, she/he checks whether her/his ID is embedded correctly by testing if $\sigma = E_{pk_j}(ID_c, r_j)$ holds. Thirdly, she/he computes

$$s = abt \bmod n_b \quad (4)$$

and verifies $s$ by checking if

$$s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b} \quad (5)$$

holds. Finally, when all verifications are done, the user gets the e-cash tuple $(s, m, \sigma, D)$ and stores $(x_1, x_2, r_1, r_2)$ for further payment usage.

Figure 1: Withdrawal protocol (message flow). Bank setup: $p_b, q_b$, $n_b = p_b q_b$, $\phi(n_b) = (p_b - 1)(q_b - 1)$; $p, q$ two large primes; $g_1, g_2$ generators of order $q$ in $\mathbb{Z}_p^*$. User: $a \in_R \mathbb{Z}_{n_b}^*$, $k \in_R \{0,1\}^{l_k}$, $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q-1\}$, $y_1 = g_1^{x_1} \bmod p$, $w_1 = g_1^{r_1} \bmod p$, $y_2 = g_2^{x_2} \bmod p$, $w_2 = g_2^{r_2} \bmod p$. Bank: $r \in_R \mathbb{Z}_n^*$, $D = (Date, r)$; Bank → User: $D$. User: $m = (y_1, w_1, y_2, w_2, r_3)$, $\alpha = [a^{e_b} H_1^2(m, D)]^{-1} \bmod n_b$, $\epsilon = E_{pk_j}(k, ID_c)$; User → Bank: $(\alpha, \epsilon)$. Bank: set $\mu = ID_c$; Bank → Judge device: $(\epsilon, \mu, D)$. Judge device: compute $(k, ID_c) = D_{sk_j}(\epsilon)$; if $\mu \neq ID_c$, abort and return "ID error"; $b \in_R \mathbb{Z}_{n_b}^*$, $r_j \in_R \{0,1\}^{l_{r_j}}$, $\sigma = E_{pk_j}(\mu, r_j)$, $\beta = [b^{e_b} H_3(\sigma, D)]^{-1} \bmod n_b$; Judge device → Bank: $(\beta, E_k(b, \sigma, r_j))$. Bank: $t = (\alpha \beta H_2(D))^{d_b} \bmod n_b$; Bank → User: $(t, E_k(b, \sigma, r_j))$. User: decrypt $E_k(b, \sigma, r_j)$, verify $\sigma = E_{pk_j}(ID_c, r_j)$, compute $s = abt \bmod n_b$, verify $s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$; e-cash tuple $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$.
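The following is an added worked example, not code from the paper: a toy Python run of the withdrawal protocol above with the user, the bank and the judge device as functions in one process. The small primes, the exponent 65537, textbook RSA for $E_{pk_j}$, a SHA-256 keystream for $E_k$, SHA-256 for $H_1$, $H_2$, $H_3$, and the bit lengths are all constructed assumptions. It reads $H_1^2(m, D)$ as $H_1$ applied twice, which is what makes the bank's renewal check on $\rho = H_1(m, D)$ in Section 3.2.5 agree with equation (5); `verify_renewal` shows that check.

```python
"""Toy walk-through of the withdrawal protocol (Section 3.2.2), an added example that is
not the paper's code.  Small primes, textbook RSA for E_pk_j, a SHA-256 keystream for
E_k and SHA-256 for H_1..H_3 are all assumptions made for illustration; not secure."""
import hashlib
import random
from ast import literal_eval

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

# constructed toy parameters (assumptions, not values from the paper)
P_B, Q_B = next_prime(10 ** 6), next_prime(10 ** 6 + 10)          # bank primes p_b, q_b
N_B, E_B = P_B * Q_B, 65537                                        # n_b = p_b q_b, e_b
D_B = pow(E_B, -1, (P_B - 1) * (Q_B - 1))                           # e_b d_b = 1 mod phi(n_b)
P_J, Q_J = next_prime(10 ** 6 + 100), next_prime(10 ** 6 + 200)    # judge primes for (pk_j, sk_j)
N_J, E_J = P_J * Q_J, 65537
D_J = pow(E_J, -1, (P_J - 1) * (Q_J - 1))
Q = next_prime(10 ** 5)
while not is_prime(2 * Q + 1):                                     # p = 2q + 1 with p, q prime
    Q = next_prime(Q + 1)
P = 2 * Q + 1
G1, G2 = 4, 9                                                      # squares mod p: order q
L_K = L_RJ = 20                                                    # toy bit lengths l_k, l_rj

def H(label, *parts, mod):
    """Hash the tuple `parts` into Z_mod with domain separation; 0 is avoided because it
    has no inverse mod n_b."""
    v = int.from_bytes(hashlib.sha256((label + repr(parts)).encode()).digest(), "big")
    return v % mod or 1

def H1(*p): return H("H1", *p, mod=N_B)
def H2(*p): return H("H2", *p, mod=N_B)
def H3(*p): return H("H3", *p, mod=N_B)

def E_pkj(value, tag):
    """E_pk_j(value, tag) as textbook RSA on (value << 16 | tag).  Deterministic on purpose:
    the user recomputes sigma = E_pk_j(ID_c, r_j) to confirm the judge embedded its ID."""
    return pow((value << 16) | tag, E_J, N_J)

def D_skj(ct):
    m = pow(ct, D_J, N_J)
    return m >> 16, m & 0xFFFF

def E_k(k, obj):
    """E_k / D_k: XOR with a SHA-256 keystream (the same call decrypts bytes)."""
    data = obj if isinstance(obj, bytes) else repr(obj).encode()
    stream = b"".join(hashlib.sha256(k.to_bytes(8, "big") + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))

def verify_coin(coin):
    """Equation (5): s^e_b * H_1^2(m, D) * H_3(sigma, D) == H_2(D) (mod n_b), where H_1^2
    means H_1 applied twice so that the renewal check below can use rho = H_1(m, D)."""
    s, m, sigma, D = coin
    return pow(s, E_B, N_B) * H1(H1(m, D)) * H3(sigma, D) % N_B == H2(D)

def verify_renewal(s, rho, sigma, D):
    """Bank-side check of the renewal protocol (Section 3.2.5) on rho = H_1(m, D)."""
    return pow(s, E_B, N_B) * H1(rho) * H3(sigma, D) % N_B == H2(D)

def withdraw(id_c, claimed_id=None, date="2014-12"):
    """Run user, bank and judge device through steps (1)-(6); returns the e-cash tuple
    (s, m, sigma, D) and the secrets (x1, x2, r1, r2) kept for payment."""
    # (1) user: a, x_i, r_i, k; y_i = g_i^x_i, w_i = g_i^r_i.  Bank: D = (Date, r).
    a, k = random.randrange(2, N_B), random.getrandbits(L_K)
    x1, x2, r1, r2, r3 = (random.randrange(1, Q) for _ in range(5))
    y1, w1, y2, w2 = pow(G1, x1, P), pow(G1, r1, P), pow(G2, x2, P), pow(G2, r2, P)
    D = (date, random.randrange(2, N_B))
    # (2) user: alpha = [a^e_b H_1^2(m, D)]^-1 mod n_b, eps = E_pk_j(k, ID_c)
    m = (y1, w1, y2, w2, r3)
    alpha = pow(pow(a, E_B, N_B) * H1(H1(m, D)), -1, N_B)
    eps = E_pkj(k, id_c)
    # (3) bank sets mu = ID_c; (4) judge device checks mu against the ID inside eps
    mu = id_c if claimed_id is None else claimed_id
    k_dev, id_dev = D_skj(eps)
    if id_dev != mu:
        raise ValueError("ID error")
    b, r_j = random.randrange(2, N_B), random.getrandbits(L_RJ)
    sigma = E_pkj(r_j, mu)
    beta = pow(pow(b, E_B, N_B) * H3(sigma, D), -1, N_B)               # equation (2)
    ct = E_k(k_dev, (b, sigma, r_j))
    # (5) bank: t = (alpha beta H_2(D))^d_b mod n_b                      equation (3)
    t = pow(alpha * beta * H2(D), D_B, N_B)
    # (6) user: decrypt, check its ID was embedded, unblind s = a b t mod n_b, verify (5)
    b_u, sigma_u, rj_u = literal_eval(E_k(k, ct).decode())
    if sigma_u != E_pkj(rj_u, id_c):
        raise ValueError("judge did not embed our ID")
    coin = (a * b_u * t % N_B, m, sigma_u, D)                             # equation (4)
    if not verify_coin(coin):
        raise ValueError("signature check (5) failed")
    return coin, (x1, x2, r1, r2)
```

Calling `withdraw(4242)` returns a coin that passes `verify_coin`, and `withdraw(4242, claimed_id=7)` stops at the judge device with "ID error", which is the point of the device: the bank cannot bind a different identity to the coin than the one the user sealed inside $\epsilon$. The two blinding factors $a$ (user) and $b$ (judge device) cancel in $s = abt$, so neither the bank nor the device ever sees $s$ or $m$ in the clear.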

3.2.3. Payment Protocol. When a user has to spend the e-cash, she/he performs the protocol shown in Figure 2. The steps of the protocol are described as follows.

(1) User → Shop: $(s, m, \sigma, D, x_2, r_2)$.

The user sends $(s, m, \sigma, D, x_2, r_2)$ to the shop, where $D$ contains the expiration date of the e-cash.

(2) Shop → User: $r_s$.

The shop first checks $D$ to verify whether the e-cash is still within its expiration date. If not, it terminates the transaction. Otherwise, it continues to verify $s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$. If this does not hold, the protocol is aborted; otherwise, the shop selects a string $r'_s \in_R \{0,1\}^{l_{r_j}}$ and sets a challenge $r_s = (ID_s, r'_s)$, where $ID_s$ is the identity of the shop. Finally, it sends $r_s$ to the user.

(3) User → Shop: $(s', r_u)$.

After receiving $r_s$ from the shop, the user randomly selects $r_u \in_R \mathbb{Z}_q^*$ and computes a response to the challenge

$$s' = (r_1 - u x_1) \bmod q, \quad (6)$$

where $u = H_4(r_u, r_s)$. Then the user sends $(s', r_u)$ to the shop.

(4) Verifications.

After receiving $(s', r_u)$ from the user, the shop verifies whether $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \pmod p$ holds. If it does, the shop accepts the e-cash; otherwise, the shop rejects it. Since it is an offline e-cash, the shop does not have to deposit it to the bank immediately. It can store the e-cash and deposit it later together with other received e-cash(s).

Figure 2: Payment protocol (message flow). User → Shop: $(s, m, \sigma, D, x_2, r_2)$. Shop: check the validity of $D$; verify $s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$; $r'_s \in_R \{0,1\}^{l_{r_j}}$, $r_s = (ID_s, r'_s)$; Shop → User: $r_s$. User: $r_u \in_R \mathbb{Z}_q^*$, $u = H_4(r_u, r_s)$, $s' = (r_1 - u x_1) \bmod q$; User → Shop: $(s', r_u)$. Shop: verify $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \pmod p$.

3.2.4. Deposit Protocol. As Figure 3 shows, in this protocol shops attach the deposit date to their e-cash(s) and deposit them to the bank. The bank performs double-spending checks when it receives these e-cash(s). If any e-cash has been double-spent, the bank revokes the anonymity of the e-cash owner with the help of the judge. The steps are described in detail as follows.

(1) Shop → Bank: $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$.

The shop computes $r_4 = r_2 - x_2 H_5(d)$, where $d$ is the deposit date, and sends $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$ to the bank.

(2) Verifications.

Firstly, the bank checks the correctness of the expiration date $D$ and the deposit date $d$, respectively, and also checks if

$$w_2 = y_2^{H_5(d)} g_2^{r_4} \bmod p, \qquad w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \bmod p \quad (7)$$

hold. Secondly, the bank verifies if $s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$ and checks the uniqueness of $(s, m, \sigma, D)$. Finally, if all of the above facts are verified successfully, the bank accepts and stores the e-cash in its database and records $H_1(m, D)$ in the exchange list. Otherwise, it rejects this transaction and traces the owner of the e-cash.

3.2.5. E-Cash Renewal Protocol. In order to reduce the problem of unlimited database growth at the bank, our scheme has an expiration date and a renewal protocol, shown in Figure 4. When an unused e-cash has expired, the user has to exchange it for another e-cash with a new expiration date from the bank.

(1) User → Bank: $(s, \rho, \sigma, D)$.

The user recalls $m = (y_1, w_1, y_2, w_2, x_2, r_3)$ and prepares

$$\rho = H_1(m, D) \quad (8)$$

and sends it together with the unused $(s, \sigma, D)$ to the bank.

(2) Verifications.

Firstly, the bank checks the correctness of the expiration date $D$ and makes sure $\rho$ does not exist in the exchange list. Secondly, the bank verifies if $s^{e_b} H_1(\rho) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$. Finally, if all of the above facts are verified successfully, the bank accepts to exchange the e-cash. It sends a new expiration date $D'$ and stores $\rho$ in the exchange list. Otherwise, it rejects the exchange request.

(3) User → Bank: $(\alpha, \epsilon)$.

The user computes

$$\alpha = [a^{e_b} H_1^2(m', D')]^{-1} \bmod n_b, \quad (9)$$

where $m' = (y_1, w_1, y_2, w_2, x_2, r'_3)$, $r'_3$ is random, and $D'$ is the new expiration date issued by the bank. The user sends $(\alpha, \epsilon, ID_c)$ to the bank. Then the bank repeats the withdrawal protocol of Section 3.2.2 from Step 2 with the user.

Figure 3: Deposit protocol (message flow). Shop: $r_4 = r_2 - x_2 H_5(d)$, $d$ the deposit date; Shop → Bank: $(s, y_1, w_1, y_2, w_2, r_3, r_4, \sigma, D, d, s', r_u, r_s)$. Bank: check the validity of $D$ and $d$; check $w_2 = y_2^{H_5(d)} g_2^{r_4} \bmod p$ and $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \bmod p$; verify $s^{e_b} H_1^2(y_1, w_1, y_2, w_2, D, r_3) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$; check whether $(s, m, \sigma, D)$ is unique: if yes, store the coin in the deposit list; if no, trace the owner of the coin.

Figure 4: E-cash renewal protocol (message flow). User: $\rho = H_1(y_1, w_1, y_2, w_2, D, r_3)$; User → Bank: $(s, \rho, \sigma, D)$. Bank: check the expiration date $D$; check whether $\rho$ exists in the exchange list; verify $s^{e_b} H_1(\rho) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$; check whether $s$ is unique: if yes, accept to exchange the coin and store $\rho$ in the exchange list; if no, reject and trace the owner of the coin. Bank → User: Accept, $D' =$ new expiration date. User: $\alpha = [a^{e_b} H_1^2(y_1, w_1, y_2, w_2, D', r'_3)]^{-1} \bmod n_b$; User → Bank: $(\alpha, \epsilon)$; repeat the withdrawal protocol.

3.2.6. Double-Spending Checking and Anonymity Control. In our scheme, the identity of a user is anonymous in general, except when the user violates any security rule, in which case her/his identity will be revealed.

(1) Double-Spending Checking.

When an e-cash is doubly spent, there must be two e-cash records with the same prefix $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$ stored in the database of the bank. Therefore, the bank is able to detect any double-spent e-cash easily by checking the above parameters. For instance, suppose the bank has received the two e-cash records

$$(s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, s', r_u, r_s), \qquad (s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, s'', r''_u, r''_s). \quad (10)$$

Thus the bank obtains the two equations

$$s' \equiv r_1 - H_4(r_u, r_s)\, x_1 \pmod q, \qquad s'' \equiv r_1 - H_4(r''_u, r''_s)\, x_1 \pmod q. \quad (11)$$

The bank can derive $(x_1, r_1)$ from the above equations and send $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ to the judge to trace the owner of the e-cash.

(2) Revocation.

The judge can trace any user who doubly spends e-cash(s) or violates any transaction regulation. When the judge receives $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ from the bank, it checks the following equations:

$$s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}, \qquad y_1 \equiv g_1^{x_1} \pmod p, \qquad w_1 \equiv g_1^{r_1} \pmod p. \quad (12)$$

If all of the above equalities hold, the judge decrypts $\sigma$ and returns the extracted $ID_c$ to the bank.

Figure 5: The game environment of the linkage game. A random bit $b$ decides which of $m_b$ and $m_{1-b}$ is given to $U_0$ and $U_1$; both engage with $\mathcal{B}$, which receives the outputs $(m_b, \sigma_b)$ and $(m_{1-b}, \sigma_{1-b})$ and outputs a guess $b'$; $\mathcal{B}$ wins if $b' = b$, and $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathcal{DAOECS}}(\mathcal{B}) = |2\Pr[b' = b] - 1|$.
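As an added example (not the paper's code), the discrete-log half of the coin is exercised in Python below: the payment challenge and response of Section 3.2.3, the deposit tag $r_4$ and the checks of equation (7) from Section 3.2.4, and the bank's recovery of $(x_1, r_1)$ from two deposits of the same coin with different challenges as in equations (11) and (12). The group ($p = 2q + 1$, $g_1 = 4$, $g_2 = 9$), SHA-256 for $H_4$ and $H_5$, and the sample dates are constructed assumptions; the RSA check on $s$ and the judge's decryption of $\sigma$ are left out here.

```python
"""Toy walk-through of the payment protocol (Section 3.2.3), the deposit tag (3.2.4) and
double-spending tracing (3.2.6).  Added example, not the paper's code: only the
discrete-log part (y_i, w_i) of a coin is modelled, with a constructed small group;
the RSA blind-signature check on s is left out.  Not secure, for illustration only."""
import hashlib
import random

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

# constructed toy group (assumption): p = 2q + 1, g_1, g_2 quadratic residues of order q
Q = next_prime(10 ** 5)
while not is_prime(2 * Q + 1):
    Q = next_prime(Q + 1)
P = 2 * Q + 1
G1, G2 = 4, 9

def H(label, *parts):
    """H_4 / H_5 of the paper, modelled as SHA-256 reduced into Z_q (toy choice)."""
    return int.from_bytes(hashlib.sha256((label + repr(parts)).encode()).digest(), "big") % Q

def H4(*p): return H("H4", *p)
def H5(*p): return H("H5", *p)

def user_keys():
    """Withdrawal-time secrets (x1, x2, r1, r2) and the coin's public parts
    (y1, w1, y2, w2) with y_i = g_i^x_i, w_i = g_i^r_i mod p."""
    x1, x2, r1, r2 = (random.randrange(1, Q) for _ in range(4))
    return (x1, x2, r1, r2), (pow(G1, x1, P), pow(G1, r1, P), pow(G2, x2, P), pow(G2, r2, P))

def pay(secrets, id_s):
    """Steps (2)-(3): shop challenge r_s = (ID_s, r'_s), user response s' = r1 - u x1 mod q
    with u = H_4(r_u, r_s).  Returns (s', r_u, r_s) as sent to / stored by the shop."""
    x1, _, r1, _ = secrets
    r_s = (id_s, random.getrandbits(20))
    r_u = random.randrange(1, Q)
    return (r1 - H4(r_u, r_s) * x1) % Q, r_u, r_s

def shop_verify(pub, s_p, r_u, r_s):
    """Step (4): w1 == y1^{H_4(r_u, r_s)} g1^{s'} (mod p)."""
    y1, w1, _, _ = pub
    return pow(y1, H4(r_u, r_s), P) * pow(G1, s_p, P) % P == w1

def deposit_tag(x2, r2, d):
    """Deposit step (1): r4 = r2 - x2 H_5(d) (mod q) for deposit date d."""
    return (r2 - x2 * H5(d)) % Q

def bank_verify(pub, r4, d, s_p, r_u, r_s):
    """Equation (7): w2 == y2^{H_5(d)} g2^{r4} and w1 == y1^{H_4(r_u, r_s)} g1^{s'} (mod p)."""
    _, _, y2, w2 = pub
    return pow(y2, H5(d), P) * pow(G2, r4, P) % P == w2 and shop_verify(pub, s_p, r_u, r_s)

def trace_double_spend(rec1, rec2):
    """Equations (11): two deposits of the same coin with different challenges give
    s' = r1 - u x1 and s'' = r1 - u'' x1 (mod q); solve for (x1, r1).  Returns None
    if the challenges hash to the same u (no second equation)."""
    s1, ru1, rs1 = rec1
    s2, ru2, rs2 = rec2
    u1, u2 = H4(ru1, rs1), H4(ru2, rs2)
    if u1 == u2:
        return None
    x1 = (s2 - s1) * pow(u1 - u2, -1, Q) % Q     # s'' - s' = (u - u'') x1
    return x1, (s1 + u1 * x1) % Q

def judge_check(pub, x1, r1):
    """The discrete-log part of (12): y1 == g1^x1 and w1 == g1^r1 (mod p); only then
    would the judge decrypt sigma and return ID_c to the bank."""
    y1, w1, _, _ = pub
    return pow(G1, x1, P) == y1 and pow(G1, r1, P) == w1
```

A single honest payment gives the shop and the bank one linear equation $s' = r_1 - u x_1$ in the two unknowns $(x_1, r_1)$, which on its own reveals nothing about them; a second payment of the same coin answers a different challenge (the shop identity and fresh $r'_s$ are hashed into $u$), and the two equations pin both secrets down, which is exactly what `trace_double_spend` computes for the bank before it hands $(x_1, r_1)$ to the judge.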

4. Security Proofs

In this section, we provide security definitions and formal proofs of the following security features for our proposed date attachable offline electronic cash scheme (DAOECS): unlinkability, unforgeability, traceability, and no-swindling.

41 E-Cash Unlinkability Based on the definition of unlink-ability introduced by Abe and Okamoto [35] and Juelset al [36] we formally define the unlinkability property ofDAOECS

Definition 1 (The Linkage Game). Let $\mathcal{U}_0$, $\mathcal{U}_1$, and $\mathcal{J}$ be two honest users and the judge that follow DAOECS, respectively. Let $\mathcal{B}$ be the bank that participates in the following game with $\mathcal{U}_0$, $\mathcal{U}_1$, and $\mathcal{J}$. The game environment is shown in Figure 5.

Step 1. According to DAOECS, $\mathcal{B}$ generates the bank's public key $(e_b, n_b)$, the bank's private key $(d_b, p_b, q_b)$, the system parameters $(p, q, g_1, g_2)$, the expiration date $D$, and the five public one-way hash functions $H_1$, $H_2$, $H_3$, $H_4$, and $H_5$. $\mathcal{J}$ generates the judge's public-private key pair $(pk_j, sk_j)$.

Step 2. $\mathcal{B}$ generates $x_{1i}, x_{2i}, r_{1i}, r_{2i}, r_{3i}$ at random, where $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q-1\}$, and computes $(y_{ki}, w_{ki})$ for $k = 1, 2$ and $i = 0, 1$, where $y_{ki} = g_k^{x_{ki}} \bmod p$ and $w_{ki} = g_k^{r_{ki}} \bmod p$.

Step 3. We choose a bit $b \in \{0, 1\}$ at random and place $(y_{1b}, w_{1b}, y_{2b}, w_{2b})$ and $(y_{1,1-b}, w_{1,1-b}, y_{2,1-b}, w_{2,1-b})$ on the private input tapes of $\mathcal{U}_0$ and $\mathcal{U}_1$, respectively, where $b$ is not disclosed to $\mathcal{B}$.

Step 4. $\mathcal{B}$ performs the withdrawal protocol of DAOECS with $\mathcal{U}_0$ and $\mathcal{U}_1$, respectively.

Step 5. If $\mathcal{U}_0$ and $\mathcal{U}_1$ output two e-cash(s) $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$, where $m_i = (y_{1i}, w_{1i}, y_{2i}, w_{2i}, r_{3i})$, on their private tapes, respectively, we give the two e-cash(s) in a random order to $\mathcal{B}$; otherwise, $\perp$ is given to $\mathcal{B}$.

8 The Scientific World Journal

Experiment $\mathrm{Exp}^{\text{FG-1}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $\{(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1})\} \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s_i^{e_b} H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell+1\}$
        (ii) $m_1, \ldots, m_{\ell+1}$ are all distinct
    else return 0

Algorithm 1: Experiment FG-1.

Step 6. $\mathcal{B}$ outputs $b' \in \{0, 1\}$ as the guess of $b$. The bank $\mathcal{B}$ wins the game if $b' = b$ and $\mathcal{J}$ has not revoked the anonymity of $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$ to $\mathcal{B}$. We define the advantage of $\mathcal{B}$ as

$$
\mathrm{Adv}^{\text{Linkability}}_{\text{DAOECS}}(\mathcal{B}) = \bigl|\, 2\Pr[b' = b] - 1 \,\bigr|, \tag{13}
$$

where $\Pr[b' = b]$ denotes the probability of $b' = b$.

Definition 2 (Unlinkability). A DAOECS satisfies the unlinkability property if and only if the advantage $\mathrm{Adv}^{\text{Linkability}}_{\text{DAOECS}}(\mathcal{B})$ defined in Definition 1 is negligible.

Theorem 3. A DAOECS satisfies the unlinkability property of Definition 2 if the adopted cryptosystems are semantically secure.

Proof. If $\mathcal{B}$ is given $\perp$ in Step 5 of the game, it will determine $b$ with probability $1/2$, which is exactly the same as a random guess of $b$.

Here we assume that $\mathcal{B}$ gets two e-cash(s) $(s_0, m_0, \sigma_0, D_0)$ and $(s_1, m_1, \sigma_1, D_1)$. Let $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{ji}))$, $i \in \{0, 1\}$, be the view of data exchanged between $\mathcal{U}_i$ and $\mathcal{B}$ in the withdrawal protocol (Section 3.2.2), and let $(x_{2i}, r_{2i}, r_{4i}, r_{ui}, r_{si}, s'_i, d_i)$ be the view of data exchanged when $\mathcal{B}$ performs the payment protocol (Section 3.2.3) and the deposit protocol (Section 3.2.4) by using $(s_i, m_i, \sigma_i, D_i)$, where $i \in \{0, 1\}$. For

$$
\begin{aligned}
&(s, m, \sigma, D, x_2, r_2, r_4, r_u, r_s, s', d) \in \\
&\quad \bigl\{ (s_0, m_0, \sigma_0, D_0, x_{20}, r_{20}, r_{40}, r_{u0}, r_{s0}, s'_0, d_0),\ (s_1, m_1, \sigma_1, D_1, x_{21}, r_{21}, r_{41}, r_{u1}, r_{s1}, s'_1, d_1) \bigr\}
\end{aligned} \tag{14}
$$

and $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{ji}))$, $i \in \{0, 1\}$, there always exists a pair $(a'_i, b'_i)$ such that

$$
\begin{aligned}
a'_i &= \bigl[\alpha_i H_1^2(m, D)\bigr]^{-d_b} \bmod n_b \quad \text{(via (1))},\\
b'_i &= \bigl[\beta_i H_3(\sigma, D)\bigr]^{-d_b} \bmod n_b \quad \text{(via (2))}.
\end{aligned} \tag{15}
$$

And from (3), $t_i \equiv (\alpha_i \beta_i H_2(D))^{d_b} \pmod{n_b}$, so (4) always holds, as

$$
s \equiv (a'_i b'_i t_i) \equiv \Bigl[\bigl(H_1^2(m, D)\, H_3(\sigma, D)\bigr)^{-1} H_2(D)\Bigr]^{d_b} \pmod{n_b}. \tag{16}
$$

Besides, $E_{pk_j}$ and $E_{k_i}$ are semantically secure encryption functions, so $\mathcal{B}$ cannot learn any information from $\epsilon_i$ and $E_{k_i}(b_i, \sigma_i, r_{ji})$.

From the above, given any $(s, m, \sigma, D) \in \{(s_0, m_0, \sigma_0, D_0), (s_1, m_1, \sigma_1, D_1)\}$ and $(\alpha_i, \beta_i, t_i)$, where $i \in \{0, 1\}$, there always exists a corresponding pair $(a'_i, b'_i)$ such that (1), (2), (3), and (4) are satisfied. Thus, going back to Step 6 of the game, the bank $\mathcal{B}$ succeeds in determining $b$ with probability $(1/2) + \varepsilon$, where $\varepsilon$ is negligible since $E_{pk_j}$ and $E_{k_i}$ are semantically secure. Therefore, we have $\mathrm{Adv}^{\text{Linkability}}_{\text{DAOECS}}(\mathcal{B}) = 2\varepsilon$, which is negligible, so that DAOECS satisfies the unlinkability property.

4.2. E-Cash Unforgeability. In this section, we will formally prove that the proposed date attachable offline electronic cash scheme (DAOECS) is secure against forgery attacks. The forgery attack can be roughly divided into two types: one is the typical one-more forgery type (i.e., $(\ell, \ell+1)$-forgery) [37], and the other is the forgery on some specific expiration date of an e-cash after sufficient communications with the signing oracle (i.e., the bank). The details of the definitions and our formal proofs are described as follows.

Definition 4 (Forgery Game 1 in DAOECS (FG-1)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS and is responsible for issuing e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $\mathcal{A}$. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\text{FG-1}}_{\mathcal{A}}(l_k)$ shown in Algorithm 1. $\mathcal{A}$ wins the forgery game FG-1 if the probability $\Pr[\mathrm{Exp}^{\text{FG-1}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Definition 5 (Forgery Game 2 in DAOECS (FG-2)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS and takes charge of the following two events:

(i) issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $\mathcal{A}$;
(ii) record the total number $\ell_{D_i}$ of e-cash(s) issued for each distinct expiration date $D_i$.

$\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\text{FG-2}}_{\mathcal{A}}(l_k)$ shown in Algorithm 2. $\mathcal{A}$ wins the forgery game FG-2 if the probability $\Pr[\mathrm{Exp}^{\text{FG-2}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Experiment $\mathrm{Exp}^{\text{FG-2}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $\{(s_i, m_i, \sigma_i, D^*)\}_{1 \le i \le \ell_{D^*}+1} \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s_i^{e_b} H_1^2(m_i) H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell_{D^*}+1\}$
        (ii) $m_1, \ldots, m_{\ell_{D^*}+1}$ are all distinct
    else return 0

Algorithm 2: Experiment FG-2.

Experiment $\mathrm{Exp}^{\text{RSA-ACTI}}_{\mathcal{A}}(k)$
    $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
    $(y_1, \ldots, y_m) \leftarrow \mathcal{O}_t(N, e, k)$
    $(\pi, (x_1, y_1), \ldots, (x_n, y_n)) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
    if the following checks are true, return 1:
        (i) $\pi : \{1, \ldots, n\} \rightarrow \{1, \ldots, m\}$ is injective
        (ii) $x_i^e \equiv y_i \pmod N$, $\forall i \in \{1, \ldots, n\}$
        (iii) $n > q_h$
    else return 0

Algorithm 3: Experiment RSA-ACTI.

Here we introduce the hard problems used in our proof models.

Definition 6 (Alternative Formulation of the RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ for $m$ and $q_h$ times, respectively. Consider Algorithm 3. We say $\mathcal{A}$ breaks the RSA-ACTI problem if the probability $\Pr[\mathrm{Exp}^{\text{RSA-ACTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Definition 7 (The RSA Inversion Problem). Given $(e, n)$, where $n$ is the product of two distinct large primes $p$ and $q$ of roughly the same length and $e$ is a positive integer relatively prime to $(p-1)(q-1)$, and a randomly chosen positive integer $y$ less than $n$, find an integer $x$ such that $x^e \equiv y \pmod n$.

Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then DAOECS is secure against forgery attacks.

Theorem 9. For a polynomial-time adversary $\mathcal{A}$ who can win FG-1 or FG-2 with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-ACTI problem or the RSA inversion problem with nonnegligible probability.

Proof. $\mathcal{S}$ simulates the environment and controls three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ and an e-cash producing oracle $\mathcal{O}_S$ of the DAOECS scheme to respond to the different queries from $\mathcal{A}$ in the random oracle model, and takes advantage of $\mathcal{A}$ to solve the RSA-ACTI problem or the RSA inversion problem at the same time. For consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.

Here we will carry out the simulation for the two games (i.e., FG-1 and FG-2) to prove that DAOECS is secure against forgery attacks. The details of the simulation are set below and illustrated in Figures 6 and 7, respectively.

Simulation in FG-1. In this proof model, $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-ACTI problem defined in Definition 6 to help $\mathcal{S}$ produce e-cash(s), and the corresponding verifying key is $(e, n)$.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially, every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ to query the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:

(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1^2(m_i)$ and returns it to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ queries $\mathcal{O}_t$ to get an instance $y$, returns it to $\mathcal{A}$, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), y)$ in $\mathcal{L}_{H_1}$;
(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:

(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise, $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:

(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ will be retrieved and $(\eta^e \bmod n)$ will be returned to $\mathcal{A}$;
(b) otherwise, $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, record $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$, and return $(\eta^e \bmod n)$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:

(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e \bmod n)$, and store $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) send $(\alpha \beta \tau^e)$ to the oracle $\mathcal{O}_{\mathrm{inv}}$ to get $t = (\alpha \beta \tau^e)^d \bmod n$;
(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Figure 6: The proof model of FG-1.

Figure 7: The proof model of FG-2.


Eventually, assume that $\mathcal{A}$ can successfully output $\ell + 1$ e-cash tuples

$$
(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}), \tag{17}
$$

where the $m_i$ are all distinct, $\forall i$, $1 \le i \le \ell + 1$, such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) = H_2(D_i) \pmod n$, after querying $\mathcal{O}_S$ for $\ell$ times, with nonnegligible probability $\epsilon_{\mathcal{A}}$. According to $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve the RSA-inversion instances ($\forall i$, $1 \le i \le \ell + 1$)

$$
(y_i)^d \equiv \bigl(H_1^2(m_i)\bigr)^d \equiv s_i^{-1} \bigl(H_3(\sigma_i, D_i)^{-1} H_2(D_i)\bigr)^d \equiv s_i^{-1} \eta_i^{-1} (\tau_i) \pmod n. \tag{18}
$$

Via $\mathcal{A}$ querying the signing oracle $\mathcal{O}_S$ for $\ell$ times (i.e., $\mathcal{S}$ querying $\mathcal{O}_{\mathrm{inv}}$ for $\ell$ times), $\mathcal{S}$ can output $\ell + 1$ RSA-inversion instances

$$
\bigl(s_1^{-1} \eta_1^{-1} (\tau_1),\ y_1\bigr),\ \bigl(s_2^{-1} \eta_2^{-1} (\tau_2),\ y_2\bigr),\ \ldots,\ \bigl(s_{\ell+1}^{-1} \eta_{\ell+1}^{-1} (\tau_{\ell+1}),\ y_{\ell+1}\bigr) \tag{19}
$$

and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

Simulation in FG-2. Initially, $\mathcal{S}$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially, every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ to query the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:

(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\rho_i$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma$ and returns $(\varsigma^e \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ selects a random $\varsigma \in \mathbb{Z}_n$, returns $(\varsigma^e \bmod n)$ to $\mathcal{A}$, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:

(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise, $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:

(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ will be retrieved and returned to $\mathcal{A}$;
(b) otherwise, $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e y \bmod n)$, record $((\sigma, D), \eta, H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$, and return $H_3(\sigma, D)$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. Let $\ell_{D_i}$ be a counter, initialized to 0, that records the number of queries on each expiration date $D_i$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:

(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), \perp, (\alpha \eta^e \bmod n))$ and $(\sigma, D)$ in $\mathcal{L}_{H_3}$ and $\mathcal{L}_x$, respectively;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv \bigl((b\eta)^{-1} \tau\bigr) \pmod n$;
(7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Eventually, assume that $\mathcal{A}$ can successfully output $\ell_{D'} + 1$ e-cash tuples for some expiration date $D'$

$$
(s_1, m_1, \sigma_1, D'), \ldots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D') \tag{20}
$$

such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D') = H_2(D') \pmod n$, $\forall i$, $1 \le i \le \ell_{D'} + 1$, after querying $\mathcal{O}_S$ on $D'$ for $\ell_{D'}$ times, with nonnegligible probability $\epsilon_{\mathcal{A}}$.

Assume that some $(\sigma_i, D')$, $1 \le i \le \ell_{D'} + 1$, is not recorded in $\mathcal{L}_x$; then, by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve

$$
\begin{aligned}
(s_i)^e &\equiv \bigl(H_1^2(m_i)\, H_3(\sigma_i, D')\bigr)^{-1} H_2(D') \equiv \bigl((\varsigma_i^e)(\eta_i^e y)\bigr)^{-1} (\tau_i^e) \pmod n,\\
x &\equiv y^d \equiv (s_i \varsigma_i \eta_i)^{-1} \tau_i \pmod n
\end{aligned} \tag{21}
$$

and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

4.3. E-Cash Conditional-Traceability. In this section, we will prove that the ID information embedded in e-cash(s) cannot be replaced or removed by any user in order to avoid being traced after some misbehavior or crime. The details of our proof model are illustrated in Figure 8.

Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS to record parameters from the queries of $\mathcal{A}$ and issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider Algorithm 4. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\text{TG}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Figure 8: The proof model of TG.

Experiment $\mathrm{Exp}^{\text{TG}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
    $\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow \mathcal{O}_S$
    if the following two checks are true, return 1:
        (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$
        (ii) $s'^{e} H_1^2(m') H_3(\sigma', D') = H_2(D') \bmod n$
    else return 0

Algorithm 4: Experiment TG.

Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tampering game TG, then DAOECS satisfies e-cash traceability.

Definition 12 (Alternative Formulation of the RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5. We say $\mathcal{A}$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\text{RSA-AKTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Theorem 13. For a polynomial-time adversary $\mathcal{A}$ who can win the tampering game TG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-AKTI problem with nonnegligible probability.

Experiment $\mathrm{Exp}^{\text{RSA-AKTI}}_{\mathcal{A}}(k)$
    $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
    $(y_1, \ldots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$
    $((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
    if $x_i^e \equiv y_i \pmod N$, $\forall i \in \{1, \ldots, q_t\}$, return 1
    else return 0

Algorithm 5: Experiment RSA-AKTI.

Proof. $\mathcal{S}$ simulates the environment of DAOECS by controlling three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ to respond to hash queries and an e-cash producing oracle $\mathcal{O}_S$ of DAOECS to respond to e-cash producing queries from $\mathcal{A}$, in the random oracle model. Eventually, $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the RSA-AKTI problem. For consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.


Besides, in the proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12 to help $\mathcal{S}$ produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.

Here we will do the simulation for the game TG to prove that DAOECS satisfies e-cash traceability. The details are described as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially, every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ to query the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:

(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^e \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^e \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m_i) = \rho$, records $(m, H_1(m_i), \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:

(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise, $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:

(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to $\mathcal{A}$;
(b) otherwise, $\mathcal{S}$ will query $\mathcal{O}_t$ to get an instance $y$ and record $y$ and $((\sigma, D), y)$ in $\mathcal{L}_T$ and $\mathcal{L}_{H_3}$, respectively;
(c) return $y$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:

(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv \bigl((b\eta)^{-1} \tau\bigr) \pmod n$;
(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of any $\mathcal{O}_S$ query, such that $s'^{e} H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$; then, by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can derive

$$
(y')^d \equiv \bigl(H_3(\sigma', D')\bigr)^d \equiv s'^{-1} \bigl(H_1^2(m')^{-1} H_2(D')\bigr)^d \equiv s'^{-1} \varsigma'^{-1} \tau' \pmod n. \tag{22}
$$

Let $|\mathcal{L}_T| = q_t$ and $\mathcal{L}_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends $y_i \in (\mathcal{L}_T - \{y'\})$, $1 \le i \le (q_t - 1)$, to $\mathcal{O}_{\mathrm{inv}}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$. Eventually, $\mathcal{S}$ can output $q_t$ RSA-inversion instances

$$
(x_1, y_1),\ (x_2, y_2),\ \ldots,\ (x_{q_t-1}, y_{q_t-1}),\ \bigl((s'^{-1} \varsigma'^{-1} \tau'),\ y'\bigr) \tag{23}
$$

after querying $\mathcal{O}_{\mathrm{inv}}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has been spent in a previous transaction, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model, the merchant may accept a transaction involving a double-spent e-cash first and do the double-spending check later. In this case, the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two events:

(i) No one except the real owner can spend a fresh and valid offline e-cash successfully.
(ii) No one can double-spend an e-cash successfully.

Roughly, this can be referred to as the e-cash no-swindling property. In this section, we will define the no-swindling property and formally prove that our scheme is secure against swindling attacks.

Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $\mathcal{O}_{\mathrm{off}}$ is an oracle that shows the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.


Experiment $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s^{e_b} H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\bigr)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
        (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ has never been a query to $\mathcal{O}_{\mathrm{off}}$
    else return 0

Algorithm 6: Experiment SWG-1.

Experiment $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s^{e_b} H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\bigr)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
        (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{\mathrm{off}}$ only once
        (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ is not obtained from $\mathcal{O}_{\mathrm{off}}$
    else return 0

Algorithm 7: Experiment SWG-2.
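As an added illustration that is not part of the paper, the following Python models the E-Cash Producing Query of the FG-2 and TG simulations (steps (1)-(7)) beside an honest bank, the user's unblinding from (15)-(16), and check (i) of Algorithms 6 and 7. All group sizes, the hash-to-group functions, the stand-in for $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$, and the response form $s' = r_1 - x_1 H_4(r_u, r_s) \bmod q$ are constructed assumptions chosen to satisfy the checks shown above.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption): far too small for real use.
P_B, Q_B = 1000003, 1000033                  # bank primes p_b, q_b
N = P_B * Q_B                                # bank modulus n_b
E = 65537                                    # bank public exponent e_b
D_PRIV = pow(E, -1, (P_B - 1) * (Q_B - 1))   # d_b: only RealBank uses it
Q = 1019                                     # prime order of the DL subgroup
P = 2 * Q + 1                                # p = 2039, a safe prime
G = 4                                        # generator of the order-q subgroup


def _h(tag, *parts):
    """Domain-separated SHA-256 standing in for the public hash functions."""
    data = tag.encode() + b"".join(b"|" + str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def H1(m):
    return _h("H1", *m) % N or 1             # H_1(m), a value in Z_n

def H4(r_u, r_s):
    return _h("H4", r_u, r_s) % Q            # payment challenge in Z_q

def _rand_zn():
    return secrets.randbelow(N - 2) + 2      # element of Z_n^* (w.h.p.)


class RealBank:
    """Honest bank: H_2, H_3 are plain hashes and t is computed with d_b."""

    def H2(self, D):
        return _h("H2", D) % N or 1

    def H3(self, sigma, D):
        return _h("H3", sigma, D) % N or 1

    def sign(self, alpha, D):
        sigma = "sigma:" + secrets.token_hex(4)   # stands in for E_{pk_j}(ID, r_j)
        b = _rand_zn()
        beta = pow(pow(b, E, N) * self.H3(sigma, D) % N, -1, N)  # (b^e H3)^-1
        t = pow(alpha * beta * self.H2(D) % N, D_PRIV, N)       # (alpha beta H2(D))^d
        return t, b, sigma


class Simulator:
    """S of the FG-2/TG simulations: programs O_H2 and O_H3 so that every
    signing query is answered without d_b, via t = (b eta)^-1 tau (step (6))."""

    def __init__(self):
        self.lh2 = {}   # L_H2: D -> tau, with H_2(D) = tau^e
        self.lh3 = {}   # L_H3: (sigma, D) -> H_3 value

    def H2(self, D):
        return pow(self.lh2.setdefault(D, _rand_zn()), E, N)

    def H3(self, sigma, D):
        if (sigma, D) not in self.lh3:             # adversary query, case (b)
            self.lh3[(sigma, D)] = pow(_rand_zn(), E, N)
        return self.lh3[(sigma, D)]

    def sign(self, alpha, D):
        sigma = "sigma:" + secrets.token_hex(4)   # fresh, so (sigma, D) is unset
        eta = _rand_zn()
        self.lh3[(sigma, D)] = alpha * pow(eta, E, N) % N  # step (3): H3 := alpha eta^e
        b = _rand_zn()                                     # step (4); beta stays implicit
        tau = self.lh2.setdefault(D, _rand_zn())           # step (5): H2(D) = tau^e
        t = pow(b * eta % N, -1, N) * tau % N              # step (6): (alpha beta tau^e)^d
        return t, b, sigma


def withdraw(bank, x1, r1, w2, y2, r3, D):
    """User side: blind H_1^2(m), obtain t, unblind to s as in (15)-(16)."""
    y1, w1 = pow(G, x1, P), pow(G, r1, P)
    m = (w1, y1, w2, y2, r3, D)
    a = _rand_zn()
    alpha = pow(pow(a, E, N) * pow(H1(m), 2, N) % N, -1, N)  # chosen so that a' = a
    t, b, sigma = bank.sign(alpha, D)
    return a * b * t % N, m, sigma                            # s = a' b' t with b' = b

def verify_ecash(bank, s, m, sigma):
    """s^e H_1^2(m) H_3(sigma, D) == H_2(D) (mod n): the FG-1/FG-2 check."""
    D = m[5]
    return pow(s, E, N) * pow(H1(m), 2, N) * bank.H3(sigma, D) % N == bank.H2(D)

def spend(x1, r1, r_u, r_s):
    """Payer's response (assumed form): s' = r_1 - x_1 H_4(r_u, r_s) mod q."""
    return (r1 - x1 * H4(r_u, r_s)) % Q

def verify_payment(bank, s, m, sigma, r_u, r_s, s_prime):
    """Check (i) of Algorithm 6: w_1 is rebuilt as y_1^{H_4(r_u, r_s)} g^{s'}."""
    _, y1, w2, y2, r3, D = m
    w1_rec = pow(y1, H4(r_u, r_s), P) * pow(G, s_prime, P) % P
    return verify_ecash(bank, s, (w1_rec, y1, w2, y2, r3, D), sigma)

def extract_secret(r_u1, r_s1, sp1, r_u2, r_s2, sp2):
    """Two responses for one e-cash under distinct challenges expose x_1
    (a property of the assumed response form, not a step stated in the paper)."""
    c1, c2 = H4(r_u1, r_s1), H4(r_u2, r_s2)
    return (sp1 - sp2) * pow(c2 - c1, -1, Q) % Q
```

Running `withdraw` against `RealBank()` and `Simulator()` yields e-cash that passes `verify_ecash` and `verify_payment` in both cases, although the simulator never touches `D_PRIV`.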

Definition 15 (E-Cash No-Swindling) If there exists noprobabilistic polynomial-time adversary who can win theswindling game defined in Definition 14 then DAOECSsatisfies e-cash no-swindling

Theorem 16. For a polynomial-time adversary A who can win the swindling game SWG with nonnegligible probability, there exists another adversary S who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. S simulates the environment by controlling the hash oracle $O_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually, S will take advantage of A's capability to solve the discrete logarithm problem. For consistency, S maintains a list $L_{H_4}$ to record every response of $O_{H_4}$. S is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we describe the simulations for the two experiments $\mathrm{Exp}^{\text{SWG-1}}_A$ and $\mathrm{Exp}^{\text{SWG-2}}_A$ individually.

The simulation for $\mathrm{Exp}^{\text{SWG-1}}_A$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $O_B$. Initially, S guesses that the generic e-cash produced from the $\nu$th query will be the attack target. When A sends the $i$th query to $O_B$ for an e-cash, $O_B$ will do the following:

(a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

(b) if $i = \nu$, compute $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;

(c) if $i \neq \nu$, compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;

(d) prepare $s = \bigl((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

(e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$ and return $(s, m, \sigma, D)$ to A.

(ii) Oracle $O_{off}$. When A sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $O_{off}$, it will look up the list $L_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;

(b) otherwise, $O_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $s' = r_1 - u x_1 \bmod q$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to A.

Assume that A can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $L_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*} \bmod p$, S can derive

$$x^* = (r_1^*)^{-1}\bigl(x_1^* H_4(r_u^*, r_s^*) + s'^*\bigr) \bmod q \qquad (24)$$

[Figure 9: The proof model of SWG-1. S answers A's $O_B$ request $i = \nu$ with $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$, answers $O_{off}$ only for the other coins, and from A's swindled tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_s^*, r_u^*, s'^*)$, which satisfies $s^{*e_b} H_1^2(w_1^*, y_1^*, w_2^*, y_2^*, D^*, r_3^*) H_3(\sigma^*, D^*) \equiv H_2(D^*) \pmod{n_b}$, $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*} \bmod p$, computes $x^* = (r_1^*)^{-1}(x_1^* H_4(r_u^*, r_s^*) + s'^*) \bmod q$.]

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{O_B})\,\epsilon_A$, where $q_{O_B}$ is the total number of $O_B$ queries.

The simulation for $\mathrm{Exp}^{\text{SWG-2}}_A$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $O_B$. Initially, S guesses that the generic e-cash produced from the $\nu$th query will be the attack target. When A sends the $i$th query to $O_B$ for an e-cash, $O_B$ will do the following:

(a) if $i = \nu$:

(1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

(2) compute $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$;

(3) prepare $s = \bigl((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

(4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $L_B$;

(b) if $i \neq \nu$:

(1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

(2) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;

(3) prepare $s = \bigl((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

(4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$;

(c) return $(s, m, \sigma, D)$ to A.

(ii) Oracle $O_{off}$. A status parameter sta is initialized to 0. When A sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $O_{off}$, it will look up the list $L_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and sta = 0, $O_{off}$ will perform the following procedures:

(1) set sta = 1;

(2) retrieve the corresponding $(u, s')$ from $L_B$ and choose a random $r_u$;

(3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $L_H$;

(4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $L_{off}$;

(5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to A;

(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $O_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $L_H$, compute $s' = r_1 - u x_1 \bmod q$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to A;

(c) otherwise, abort.

(iii) Oracle $O_{H_4}$. When A sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $O_{H_4}$ will check the list $L_H$:

(a) if $(r_u, r_s)$ exists as the prefix of some record, $O_{H_4}$ will retrieve the corresponding $u$ and return it to A;

[Figure 10: The proof model of SWG-2. For the request $i = \nu$, S sets $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$; on the single allowed $O_{off}$ query (sta = 0) it sets sta = 1, programs $H_4(r_u, r_s) = u$ in $L_H$, and records the answer in $L_{off}$; $O_{H_4}$ answers $(r_u, r_s)$ queries from $L_H$. From A's swindled tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_s^*, r_u^*, s'^*)$, the relation $(y^{*x_1^*})^{u^*} g^{s'^*} \equiv w_1^* \equiv (y^{*x_1^*})^{u} g^{s'} \pmod p$ yields $x^* = (x_1^*(u^* - u))^{-1}(s' - s'^*) \bmod q$.]

(b) otherwise, $O_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $L_H$, and return $u$ to A.

Assume that A can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $L_B$, and $H_4(r_u^*, r_s^*) = u^*$ is recorded in $L_H$. Then, via $L_H$, since

$$(y^{*x_1^*})^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv (y^{*x_1^*})^{u} g^{s'} \pmod{p}, \qquad (25)$$

S can derive

$$x^* = \bigl(x_1^*(u^* - u)\bigr)^{-1}\bigl(s' - s'^*\bigr) \bmod q \qquad (26)$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{O_B})\,\epsilon_A$, where $q_{O_B}$ is the total number of $O_B$ queries.

Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. It implies that there exists no ppt adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
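The two extraction steps of the reduction, equations (24) and (26), can be re-enacted numerically. The following is an added example, not code from the paper: it uses a toy group ($p = 2039$, $q = 1019$, $g = 4$ of order $q$, far too small for real use) and, since no real adversary is available, stands in for A with a "forger" that is handed $x^*$ to produce the second representation of $w_1$; the extractor S never uses $x^*$ and recovers it only from the two representations, exactly as in the proof.

```python
"""Toy re-enactment of the extraction steps in the no-swindling proof (eqs. 24 and 26).

Constructed example with a tiny group: p = 2q + 1 = 2039, q = 1019, g = 4 (a square mod p,
hence a generator of the order-q subgroup). Parameter sizes are for illustration only.
"""
import secrets

P, Q, G = 2039, 1019, 4


def rand_zq():
    """Uniform non-zero element of Z_q."""
    return secrets.randbelow(Q - 1) + 1


def swg1_extract(x_star):
    """SWG-1: S embeds y* = g^{x*} in the target coin as w_1 = (y*)^{r_1}, y_1 = g^{x_1}.

    S cannot answer O_off on this coin (it does not know log_g w_1), so a valid
    (u*, s'*) with w_1 = y_1^{u*} g^{s'*} must come from A. Returns the recovered x*.
    """
    y_star = pow(G, x_star, P)
    r1, x1 = rand_zq(), rand_zq()
    w1 = pow(y_star, r1, P)
    y1 = pow(G, x1, P)
    # Stand-in for A's forgery (modelled with x*, which S itself never uses):
    u_star = rand_zq()
    s_star = (x_star * r1 - x1 * u_star) % Q
    assert w1 == (pow(y1, u_star, P) * pow(G, s_star, P)) % P  # forgery passes the coin check
    # Equation (24): x* = r_1^{-1} (x_1 u* + s'*) mod q
    return (pow(r1, -1, Q) * (x1 * u_star + s_star)) % Q


def swg2_extract(x_star):
    """SWG-2: S embeds y* in y_1 = (y*)^{x_1} and fixes w_1 = y_1^u g^{s'} with a
    programmed hash value u; it can therefore answer O_off once. A's forgery under a
    different hash value u* != u gives a second representation of w_1. Returns x*.
    """
    y_star = pow(G, x_star, P)
    x1, u, s_prime = rand_zq(), rand_zq(), rand_zq()
    y1 = pow(y_star, x1, P)
    w1 = (pow(y1, u, P) * pow(G, s_prime, P)) % P   # the one O_off answer S can give
    u_star = rand_zq()
    while u_star == u:                               # the forgery must use a fresh H_4 value
        u_star = rand_zq()
    # Stand-in for A's forgery (again modelled with x*):
    s_star = (s_prime + x_star * x1 * (u - u_star)) % Q
    assert w1 == (pow(y1, u_star, P) * pow(G, s_star, P)) % P
    # Equation (26): x* = (x_1 (u* - u))^{-1} (s' - s'*) mod q
    return (pow((x1 * (u_star - u)) % Q, -1, Q) * (s_prime - s_star)) % Q


if __name__ == "__main__":
    secret = rand_zq()
    print("SWG-1 recovered x*:", swg1_extract(secret) == secret)
    print("SWG-2 recovered x*:", swg2_extract(secret) == secret)
```

Both functions return the recovered discrete logarithm, so the check is simply that the return value equals the $x^*$ that was embedded. The SWG-2 case also shows why the proof needs condition (iii) of Algorithm 7: if the forgery reused the programmed value $u$, the two representations would coincide and $(u^* - u)^{-1}$ would not exist.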

5. E-Cash Advanced Features and Performance Comparisons

In this section, we compare the e-cash features and performance of our proposed scheme with other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and form a table (Table 1) for the summary.

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these features, there can be other advanced features of an e-cash system discussed in the literature. We focus on three other advanced features, which are traceability, date attachability, and no-swindling, and we compare the proposed scheme with the aforementioned schemes.

We also propose an e-cash renewal protocol for users to exchange a new valid e-cash for their unused but expired e-cash(s); therefore, users do not have to deposit the e-cash before it expires and withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. It is a great help to the users, since their devices, such as smart phones, usually have weaker computation capability.

Table 1: Advanced features and performance comparisons.

Scheme                     Ours   [38]   [14]   [15]   [9]    [21]   [22]   [39]   [40]   [13]   [27]

Advanced features
  On/off-line              Off    Off    Off    Off    On     Off    Off    Off    Off    On     Off
  Conditional-traceability Yes    Yes    No     Yes    No     Yes    Yes    Yes    Yes    Yes    No
  Date attachability       Yes    No     No     No     Yes    Yes    No     No     No     No     Yes
  No-swindling             Yes    No     No     No     —      No     Yes    No     No     —      No
  Renewal protocol         Yes    —      Yes    —      No     Yes    Yes    —      —      —      Yes
  Formal proof             Yes    Yes    No     Yes    No     No     Yes    Yes    Yes    Yes    No

Performance
  Transaction cost⋆
    Ours: 5E + 7M + 7H + 1inv + 1A ≈ 1454M
    [38]: 14E + 14M + 1H + 5A ≈ 3375M
    [14]: 6E + 8M ≈ 1448M
    [15]: 23E + 14M + 1A ≈ 5534M
    [9]:  2E + 2M + 2H ≈ 966M
    [21]: 5E + 9M + 1H + 1inv + 2A ≈ 1450M
    [22]: 2E ≈ 480M
    [39]: 18E + 15M + 2H + 8A ≈ 4337M
    [40]: 31E + 22M + 6H + 10A ≈ 7468M
    [13]: 22E + 11M + 4A ≈ 5291M
    [27]: 6E + 8M + 1H ≈ 1449M
  Communication cost†      1092   576    1288   939    769    644    300    828    968    1536   728

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
† The communication cost of each transaction at the user side, in bytes.

5.2. Performance Comparisons. According to [41], we can summarize and induce the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times the computation cost of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.

With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be induced as 1452 times that of a modular multiplication, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times that of a modular multiplication to finish the withdrawal and payment phases at the user end.

According to [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and the one-way hash function used in all protocols, respectively; therefore the signed message and the hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.

The details of the comparisons are summarized in Table 1.

6. Conclusion

In this paper, we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol where users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient from the aspect of the computation cost at the user side and satisfies all security properties simultaneously. Besides anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank to manage its huge databases against unlimited growth, but it also strengthens the preservation of users' privacy and rights.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSU-KMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.

References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.

[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.

[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.

[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.

[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.

[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.

[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.

[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.

[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.

[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.

[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.

[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.

[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.

[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.

[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.

[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.

[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.

[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology, CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.

[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.

[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.

[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.

[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.

[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.

[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.

[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.

[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology, CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.

[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.

[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.

[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.

[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.

[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs: White Paper, Mobile Platform Group, Intel Corporation, 2002.

[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.

[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.

[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.

[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.

[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.

[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.

[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.


[Figure 1: Withdrawal protocol between the User, the Bank, and the Judge device. Public parameters: $p_b, q_b$, $n_b = p_b q_b$, $\phi(n_b) = (p_b - 1)(q_b - 1)$; $p, q$ two large primes; $g_1, g_2$ generators of order $q$ in $\mathbb{Z}_p^*$. The user picks $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q - 1\}$, computes $y_1 = g_1^{x_1} \bmod p$, $w_1 = g_1^{r_1} \bmod p$, $y_2 = g_2^{x_2} \bmod p$, $w_2 = g_2^{r_2} \bmod p$, $m = (y_1, w_1, y_2, w_2, r_3)$, $D = (\mathrm{Date}, r)$ with $r \in_R \mathbb{Z}_n^*$ and Date the expiration date, $a \in_R \mathbb{Z}_{n_b}^*$, $k \in_R \{0,1\}^{l_k}$, $\alpha = [a^{e_b} H_1^2(m, D)]^{-1} \bmod n_b$, $\epsilon = E_{pk_j}(k, \mathrm{ID}_c)$, and sends $(\alpha, \epsilon)$. The bank inputs $(\epsilon, \mu, D)$ to the judge device, which computes $(k, \mathrm{ID}_c) = D_{sk_j}(\epsilon)$, checks $\mu = \mathrm{ID}_c$ (if not: abort, return "ID error"), picks $b \in_R \mathbb{Z}_{n_b}^*$ and $r_j \in_R \{0,1\}^{l_{r_j}}$, computes $\sigma = E_{pk_j}(\mu, r_j)$ and $\beta = [b^{e_b} H_3(\sigma, D)]^{-1} \bmod n_b$, and returns $(\beta, E_k(b, \sigma, r_j))$. The bank computes $t = (\alpha \beta H_2(D))^{d_b} \bmod n_b$ and sends $(t, E_k(b, \sigma, r_j))$. The user decrypts $E_k(b, \sigma, r_j)$, verifies $\sigma = E_{pk_j}(\mathrm{ID}_c, r_j)$, computes $s = a b t \bmod n_b$, verifies $s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$, and obtains the e-cash tuple $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$.]

(4) Judge device → Bank: $(\beta, E_k(b, \sigma, r_j))$.

The judge device decrypts $\epsilon$ and checks whether $\mu = \mathrm{ID}_c$. If not, it returns "ID error" to the bank; otherwise it picks a random integer $b \in_R \mathbb{Z}^*_{n_b}$ and a random string $r_j \in_R \{0,1\}^{l_{r_j}}$. Then it computes $\sigma = E_{pk_j}(\mu, r_j)$ and

$$\beta = \bigl[b^{e_b} H_3(\sigma, D)\bigr]^{-1} \bmod n_b. \qquad (2)$$

Finally, it encrypts $(b, \sigma, r_j)$ using the symmetric key $k$ and outputs it together with $\beta$ to the bank.

(5) Bank → User: $(t, E_k(b, \sigma, r_j))$.

After receiving $(\beta, E_k(b, \sigma, r_j))$ from the judge device, the bank computes

$$t = \bigl(\alpha \beta H_2(D)\bigr)^{d_b} \bmod n_b \qquad (3)$$

and sends $(t, E_k(b, \sigma, r_j))$ to the user.

(6) Verifications.

After receiving $(t, E_k(b, \sigma, r_j))$, the user first decrypts the ciphertext using the symmetric key $k$ to obtain $(b, \sigma, r_j)$. Second, she/he checks whether her/his ID is embedded correctly by testing whether $\sigma = E_{pk_j}(\mathrm{ID}_c, r_j)$ holds. Third, she/he computes

$$s = a b t \bmod n_b \qquad (4)$$

and verifies $s$ by checking whether

$$s^{e_b} H_1^2(m, D)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b} \qquad (5)$$

holds. Finally, when all verifications are done, the user gets the e-cash tuple $(s, m, \sigma, D)$ and stores $(x_1, x_2, r_1, r_2)$ for further payment usage.
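Steps (4) to (6) can be traced end to end with a toy instance of the bank's RSA key. The following is an added example, not the paper's code: the bank primes are small (about 30 bits each, illustration only), $H_1$, $H_2$, $H_3$ are modelled as SHA-256 reduced into $\mathbb{Z}_{n_b}^*$, $H_1^2(m, D)$ is taken as $H_1(H_1(m, D))$ consistent with the renewal check $s^{e_b} H_1(\rho) H_3(\sigma, D) \equiv H_2(D)$ where $\rho = H_1(m, D)$, and the judge's public-key encryption $\sigma = E_{pk_j}(\mathrm{ID}_c, r_j)$ and the symmetric channel $E_k$ are left out, with $\sigma$ treated as an opaque byte string.

```python
"""Constructed walk-through of withdrawal steps (4)-(6): blinding, signing, unblinding,
and the verification of equation (5). Added example with toy parameters, not the
paper's code; sigma is an opaque placeholder for E_pk_j(ID_c, r_j).
"""
import hashlib
import math
import secrets

P_B, Q_B = 1000000007, 998244353          # toy bank primes (far too small for real use)
N_B = P_B * Q_B
E_B = 65537
D_B = pow(E_B, -1, (P_B - 1) * (Q_B - 1))


def h_to_zn(label, *parts):
    """Domain-separated SHA-256 hash of a tuple into Z_{n_b}^*; retries if not a unit."""
    enc = [x if isinstance(x, bytes) else str(x).encode() for x in parts]
    data = label.encode() + b"|" + b"|".join(enc)
    ctr = 0
    while True:
        v = int.from_bytes(hashlib.sha256(data + ctr.to_bytes(4, "big")).digest(), "big") % N_B
        if v > 1 and math.gcd(v, N_B) == 1:
            return v
        ctr += 1


def H1(*parts):
    return h_to_zn("H1", *parts)


def H2(D):
    return h_to_zn("H2", D)


def H3(sigma, D):
    return h_to_zn("H3", sigma, D)


def H1_sq(m, D):
    """H_1^2(m, D) = H_1(H_1(m, D)) (assumption stated in the lead-in)."""
    return H1(H1(m, D))


def rand_unit():
    while True:
        a = secrets.randbelow(N_B - 2) + 2
        if math.gcd(a, N_B) == 1:
            return a


def user_blind(m, D):
    """User side: blinding factor a and alpha = [a^{e_b} H_1^2(m, D)]^{-1} mod n_b."""
    a = rand_unit()
    alpha = pow((pow(a, E_B, N_B) * H1_sq(m, D)) % N_B, -1, N_B)
    return a, alpha


def judge_blind(sigma, D):
    """Judge device, step (4): beta = [b^{e_b} H_3(sigma, D)]^{-1}  mod n_b   (eq. 2)."""
    b = rand_unit()
    beta = pow((pow(b, E_B, N_B) * H3(sigma, D)) % N_B, -1, N_B)
    return b, beta


def bank_sign(alpha, beta, D):
    """Bank, step (5): t = (alpha beta H_2(D))^{d_b} mod n_b   (eq. 3)."""
    return pow((alpha * beta * H2(D)) % N_B, D_B, N_B)


def user_unblind(a, b, t):
    """User, step (6): s = a b t mod n_b   (eq. 4)."""
    return (a * b * t) % N_B


def verify_ecash(s, m, sigma, D):
    """Check s^{e_b} H_1^2(m, D) H_3(sigma, D) == H_2(D) mod n_b   (eq. 5)."""
    lhs = (pow(s, E_B, N_B) * H1_sq(m, D) * H3(sigma, D)) % N_B
    return lhs == H2(D)


def run_withdrawal(m, D, sigma):
    """Run the three parties in order; return the coin's s and its verification result."""
    a, alpha = user_blind(m, D)
    b, beta = judge_blind(sigma, D)
    t = bank_sign(alpha, beta, D)
    s = user_unblind(a, b, t)
    return s, verify_ecash(s, m, sigma, D)
```

The algebra behind the final check is visible in the code: $s^{e_b} = (ab)^{e_b}\,\alpha \beta H_2(D)$, and $a^{e_b}\alpha$ and $b^{e_b}\beta$ cancel to $H_1^2(m, D)^{-1}$ and $H_3(\sigma, D)^{-1}$, so only $H_2(D)$ remains. Because $\sigma$ and $D$ are hashed into the signature, a verifier who is handed the same $s$ with a different $\sigma$ or a different expiration date rejects it.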

3.2.3. Payment Protocol. When a user has to spend the e-cash, she/he performs the protocol as shown in Figure 2. The steps of the protocol are described as follows.

(1) User → Shop: $(s, m, \sigma, D, x_2, r_2)$.

The user sends $(s, m, \sigma, D, x_2, r_2)$ to the shop, where $D$ contains the expiration date of the e-cash.

[Figure 2: Payment protocol. User → Shop: $(s, m, \sigma, D, x_2, r_2)$. The shop checks the validity of $D$, verifies $s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$, picks $r'_s \in_R \{0,1\}^{l_{r_j}}$, and sends $r_s = (\mathrm{ID}_s, r'_s)$. The user picks $r_u \in_R \mathbb{Z}_q^*$, computes $u = H_4(r_u, r_s)$ and $s' = (r_1 - u x_1) \bmod q$, and returns $(s', r_u)$. The shop verifies $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \pmod p$.]

(2) Shop → User: $r_s$.

The shop first checks $D$ to verify whether the e-cash is still within its expiration date. If not, it terminates the transaction. Otherwise, it continues to verify $s^{e_b} H_1^2(m, D)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$. If it is not valid, the protocol is aborted; otherwise the shop selects a string $r'_s \in_R \{0,1\}^{l_{r_j}}$ and sets a challenge $r_s = (\mathrm{ID}_s, r'_s)$, where $\mathrm{ID}_s$ is the identity of the shop. Finally, it sends $r_s$ to the user.

(3) User → Shop: $(s', r_u)$.

After receiving $r_s$ from the shop, the user randomly selects $r_u \in_R \mathbb{Z}_q^*$ and computes a response to the challenge

$$s' = (r_1 - u x_1) \bmod q, \qquad (6)$$

where $u = H_4(r_u, r_s)$. Then the user sends $(s', r_u)$ to the shop.

(4) Verifications.

After receiving $(s', r_u)$ from the user, the shop verifies whether $w_1 \equiv y_1^{H_4(r_u, r_s)} g_1^{s'} \pmod{p}$ holds. If it does, the shop accepts the e-cash; otherwise the shop rejects it. Since it is an offline e-cash, the shop does not have to deposit it to the bank immediately. It can store the e-cash and deposit it later together with other received e-cash(s).

3.2.4. Deposit Protocol. As Figure 3 shows, shops attach the deposit date to their e-cash(s) and deposit them to banks in this protocol. Banks perform double-spending checks when they receive these e-cash(s). If any e-cash is double-spent, the bank will revoke the anonymity of the e-cash owner with the help of the judge. The steps are described in detail as follows.

(1) Shop → Bank: $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$.

The shop computes $r_4 = r_2 - x_2 H_5(d)$, where $d$ is the deposit date, and sends $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$ to the bank.

(2) Verifications.

First, the bank checks the correctness of the expiration date $D$ and the deposit date $d$, respectively, and also checks whether

$$w_2 \equiv y_2^{H_5(d)} g_2^{r_4} \pmod{p}, \qquad w_1 \equiv y_1^{H_4(r_u, r_s)} g_1^{s'} \pmod{p} \qquad (7)$$

hold. Second, the bank verifies whether $s^{e_b} H_1^2(m, D)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$ and checks the uniqueness of $(s, m, \sigma, D)$. Finally, if all of the above facts are verified successfully, the bank will accept and store the e-cash in its database and record $H_1(m, D)$ in the exchange list. Otherwise, it will reject this transaction and trace the owner of the e-cash.
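The discrete-logarithm half of the coin, i.e. the payment challenge-response of equation (6) and the deposit-date binding of equation (7), can be exercised on its own. The following is an added example, not the paper's code: it uses a toy group ($p = 2039$, $q = 1019$, $g_1 = 4$, $g_2 = 9$, illustration only), models $H_4$ and $H_5$ as SHA-256 reduced into $\mathbb{Z}_q$, assumes the RSA part $(s, \sigma)$ of the coin has already been verified, and represents the bank's uniqueness check of $(s, m, \sigma, D)$ with a set of seen coin keys.

```python
"""Constructed example of payment (eq. 6) and deposit-date binding (eq. 7).

Toy parameters only: p = 2q + 1 = 2039, q = 1019; g1 = 4 and g2 = 9 are squares mod p,
hence generators of the order-q subgroup. H_4, H_5 are SHA-256 reduced into Z_q.
The shop holds (x_2, r_2), received in payment step (1), and uses them at deposit time.
"""
import hashlib
import secrets

P, Q = 2039, 1019
G1, G2 = 4, 9


def h_to_zq(label, *parts):
    data = label.encode() + b"|" + "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def H4(r_u, r_s):
    return h_to_zq("H4", r_u, r_s)


def H5(d):
    return h_to_zq("H5", d)


class Coin:
    """Secrets (x_1, x_2, r_1, r_2) behind one e-cash and the public y/w values."""

    def __init__(self):
        self.x1, self.x2, self.r1, self.r2 = (secrets.randbelow(Q - 1) + 1 for _ in range(4))
        self.y1, self.w1 = pow(G1, self.x1, P), pow(G1, self.r1, P)
        self.y2, self.w2 = pow(G2, self.x2, P), pow(G2, self.r2, P)

    def pay(self, r_s):
        """Payment step (3): pick r_u, u = H_4(r_u, r_s), s' = (r_1 - u x_1) mod q."""
        r_u = secrets.randbelow(Q - 1) + 1
        s_prime = (self.r1 - H4(r_u, r_s) * self.x1) % Q
        return s_prime, r_u

    def deposit_response(self, d):
        """Deposit step (1), done by the shop with (x_2, r_2): r_4 = r_2 - x_2 H_5(d) mod q."""
        return (self.r2 - self.x2 * H5(d)) % Q


def shop_challenge(shop_id):
    """Payment step (2): r_s = (ID_s, r'_s) with a fresh random string r'_s."""
    return (shop_id, secrets.token_hex(8))


def verify_payment(y1, w1, r_s, s_prime, r_u):
    """Payment step (4) and second line of eq. (7): w_1 == y_1^{H_4(r_u, r_s)} g_1^{s'} mod p."""
    return w1 == (pow(y1, H4(r_u, r_s), P) * pow(G1, s_prime, P)) % P


def verify_deposit(y2, w2, d, r4):
    """First line of eq. (7): w_2 == y_2^{H_5(d)} g_2^{r_4} mod p, binding the deposit date d."""
    return w2 == (pow(y2, H5(d), P) * pow(G2, r4, P)) % P


def bank_deposit(ledger, coin_key, y1, w1, y2, w2, d, r4, r_s, s_prime, r_u):
    """Deposit step (2): both checks of eq. (7), then uniqueness of (s, m, sigma, D).

    `ledger` is the bank's set of already-deposited coin keys (a stand-in for its
    database); a repeated key is the double-spending case the paper hands to the judge.
    """
    if not (verify_deposit(y2, w2, d, r4) and verify_payment(y1, w1, r_s, s_prime, r_u)):
        return "reject"
    if coin_key in ledger:
        return "double-spent"
    ledger.add(coin_key)
    return "accept"
```

Two properties are worth seeing in the output: a response $s'$ or $r_4$ that has been altered by even one unit fails its check, because $g_1$ and $g_2$ have prime order $q$; and once the shop has committed to $d$ through $r_4$, the bank can detect a different deposit date whenever $H_5$ maps the two dates to different values, which is what makes the deposit date unforgeable in the paper's sense.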

3.2.5. E-Cash Renewal Protocol. In order to reduce the unlimited-growth database problem of the bank, our scheme has an expiration date and a renewal protocol to achieve it, as shown in Figure 4. When an unused e-cash has expired, the user has to exchange it for another e-cash with a new expiration date from the bank.

(1) User → Bank: $(s, \rho, \sigma, D)$.

The user recalls $m = (y_1, w_1, y_2, w_2, x_2, r_3)$ and prepares

$$\rho = H_1(m, D) \qquad (8)$$

and sends it together with the unused $(s, \sigma, D)$ to the bank.

(2) VerificationsFirstly the bank checks the correctness of expirationdate119863 andmakes sure120588 does not exist in the exchangelist Secondly the bank verifies if 119904

1198901198871198671(120588)119867

3(120590

119863) equiv 1198672(119863)(mod 119899

119887) Finally if all of the above

facts are verified successfully the bank will accept to

6 The Scientific World Journal

Shop Bank

r4 = r2 minus x2H5(d)

(s y1 w1 y2 w2 r3 r4 120590 D d s998400 ru rs)

Check the validity of D d

Check w2= y

H5(d)2 g

r42 mod p

= H2(D)(mod nb)

Check if (s m 120590 D) are unique or notYes store the coin to deposit listNo trace the owner of the coin

d deposit date

Verify se119887H21 (y1 w1 y2 w2 D r3)H3(120590 D)

w1= y

H4(r119906 r119904)1 gs

998400

1 mod p

Figure 3 Deposit protocol

User Bank

(s 120588 120590 D)

Check if 120588 exists in exchange list

Check if s is unique or notYes accept to exchange the coin

and store 120588 in the exchange listNo reject and trace the owner of the coin

Accept

D998400 = new expiration date

( 120598)

Repeat withdrawal protocol

120588 = H1(y1 w1 y2 w2 D r3)

= [ae119887H21 (y1 w1 y2 w2 D998400 r9984003)]minus1 mod nb

Check the expiration date D

Verify se119887H1(120588)H3(120590 D)= H2(D)(mod nb)

Figure 4 E-Cash renewal protocol

exchange the e-cash It will send a new expiration date1198631015840 and store 120588 in the exchange list Otherwise it will

reject the exchange request(3) User rarr Bank ( 120598)

The user computes

= [119886119890119887119867

2

1(119898

1015840

1198631015840

)]minus1

mod 119899119887 (9)

where 1198981015840

= (1199101 119908

1 119910

2 119908

2 119909

2 1199031015840

3) 1199031015840

3is a random

and1198631015840 is the new expiration date issued by the bank

The user sends ( 120598 ID119888) to the bank Then the bank

repeats the withdrawal protocol in Section 322 fromStep 2 with the user

3.2.6. Double-Spending Checking and Anonymity Control. In our scheme, the identity of the users is anonymous in general, except when the users violate any security rules, in which case their identities will be revealed.

(1) Double-Spending Checking.

When an e-cash is being doubly spent, there must be two e-cash(s) with the same record prefixed by $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ stored in the database of the bank. Therefore, the bank is able to detect any double-spent e-cash easily by checking the above parameters. For instance, the bank has received two e-cash(s)

$$(s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, \bar{s}', \bar{r}_u, \bar{r}_s), \qquad (s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, s', r_u, r_s), \tag{10}$$

where the barred values belong to the second spending. Thus, the bank can obtain two equations as follows:

$$\bar{s}' \equiv r_1 - H_4(\bar{r}_u, \bar{r}_s)\, x_1 \pmod q, \qquad s' \equiv r_1 - H_4(r_u, r_s)\, x_1 \pmod q. \tag{11}$$

The bank can derive $(x_1, r_1)$ from the above equations and send $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ to the judge to trace the owner of the e-cash.

(2) Revocation.

The judge can trace any user who doubly spends e-cash(s) or violates any transaction regulations. When the judge receives $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ from the bank, it checks the following equations:

$$s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}, \qquad y_1 \equiv g_1^{x_1} \pmod p, \qquad w_1 \equiv g_1^{r_1} \pmod p. \tag{12}$$

If all of the above equalities are true, the judge will decrypt $\sigma$ and return the extracted $\mathrm{ID}_c$ to the bank.

Figure 5: The game environment of the linkage game. [Figure: a random bit $b$ assigns $m_b$ and $m_{1-b}$ to $U_0$ and $U_1$; the users output $(m_b, \sigma_b)$ and $(m_{1-b}, \sigma_{1-b})$ and engage with $\mathcal{B}$; $\mathcal{B}$ outputs $b'$ and wins if $b' = b$; $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathcal{DAOECS}}(\mathcal{B}) = |2\Pr[b' = b] - 1|$.]
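The bank-side checks of eq. (7), the recovery of $(x_1, r_1)$ from the two spending equations of eq. (11), and the judge's check of eq. (12), as an added Python example that is not code from the paper. It assumes constructed toy group parameters, SHA-256 reduced mod $q$ as a stand-in for $H_4$ and $H_5$, and that the shop holds $(x_2, r_2)$ from the payment protocol, as the deposit view above indicates.

```python
import hashlib
import secrets

# Constructed toy parameters (far too small to be secure): p = 2q + 1 with q prime,
# and g1, g2 of prime order q in Z_p^*.  Names follow the paper's notation.
P, Q = 2039, 1019
G1, G2 = 4, 9


def _hash_mod_q(label: bytes, *parts) -> int:
    """Stand-in for the paper's one-way hashes (assumption: SHA-256 reduced mod q)."""
    h = hashlib.sha256(label)
    for v in parts:
        h.update(str(v).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % Q


def h4(r_u, r_s):
    """H4(r_u, r_s): the challenge bound to the payment transcript."""
    return _hash_mod_q(b"H4", r_u, r_s)


def h5(d):
    """H5(d): hash of the deposit date d."""
    return _hash_mod_q(b"H5", d)


def make_coin_secrets():
    """User side: secrets (x1, r1, x2, r2) and the public values y1, w1, y2, w2 carried in m."""
    x1, r1, x2, r2 = (secrets.randbelow(Q - 1) + 1 for _ in range(4))
    pub = {"y1": pow(G1, x1, P), "w1": pow(G1, r1, P),
           "y2": pow(G2, x2, P), "w2": pow(G2, r2, P)}
    return (x1, r1, x2, r2), pub


def pay(x1, r1, r_u, r_s):
    """User's payment response s' = r1 - H4(r_u, r_s) * x1 (mod q), the relation of eq. (11)."""
    return (r1 - h4(r_u, r_s) * x1) % Q


def verify_payment(pub, r_u, r_s, s_prime):
    """Check from eq. (7): w1 == y1^{H4(r_u, r_s)} * g1^{s'} (mod p)."""
    rhs = pow(pub["y1"], h4(r_u, r_s), P) * pow(G1, s_prime, P) % P
    return pub["w1"] == rhs


def attach_deposit_date(x2, r2, d):
    """Shop side of the deposit protocol: r4 = r2 - x2 * H5(d) (mod q)."""
    return (r2 - x2 * h5(d)) % Q


def verify_deposit_date(pub, d, r4):
    """Bank check from eq. (7): w2 == y2^{H5(d)} * g2^{r4} (mod p).
    Changing d or r4 after the fact breaks this equation, so the deposit date is bound."""
    rhs = pow(pub["y2"], h5(d), P) * pow(G2, r4, P) % P
    return pub["w2"] == rhs


def recover_double_spender(c_a, s_a, c_b, s_b):
    """Bank: two spendings of one coin with distinct challenges c_a != c_b give
    s_a - s_b = (c_b - c_a) * x1 (mod q), so x1 and then r1 follow from eq. (11)."""
    if c_a == c_b:
        raise ValueError("identical challenges: the two equations are not independent")
    x1 = (s_a - s_b) * pow((c_b - c_a) % Q, -1, Q) % Q
    r1 = (s_a + c_a * x1) % Q
    return x1, r1


def judge_confirms(pub, x1, r1):
    """Judge check from eq. (12): y1 == g1^{x1} and w1 == g1^{r1} (mod p)."""
    return pub["y1"] == pow(G1, x1, P) and pub["w1"] == pow(G1, r1, P)


def detect_double_spending(pub, deposits):
    """Bank: `deposits` holds (r_u, r_s, s') records that share one coin prefix
    (s, y1, w1, y2, w2, x2, r3, sigma, D).  Returns the recovered (x1, r1) that the
    bank forwards to the judge, or None when there is no second spending."""
    if len(deposits) < 2:
        return None
    (ru_a, rs_a, s_a), (ru_b, rs_b, s_b) = deposits[0], deposits[1]
    x1, r1 = recover_double_spender(h4(ru_a, rs_a), s_a, h4(ru_b, rs_b), s_b)
    return (x1, r1) if judge_confirms(pub, x1, r1) else None


if __name__ == "__main__":
    (x1, r1, x2, r2), pub = make_coin_secrets()
    s_a = pay(x1, r1, r_u=11, r_s=22)            # constructed challenge inputs
    r4 = attach_deposit_date(x2, r2, "2014-05-18")
    print("payment ok:", verify_payment(pub, 11, 22, s_a))
    print("deposit ok:", verify_deposit_date(pub, "2014-05-18", r4))
    print("forged date ok:", verify_deposit_date(pub, "2014-05-19", r4))
    s_b = pay(x1, r1, r_u=33, r_s=44)            # the same coin spent a second time
    print("owner recovered:", detect_double_spending(pub, [(11, 22, s_a), (33, 44, s_b)]) == (x1, r1))
```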

4. Security Proofs

In this section, we provide security definitions and formal proofs of the following security features: unlinkability, unforgeability, traceability, and no-swindling for our proposed date attachable offline electronic cash scheme (DAOECS).

4.1. E-Cash Unlinkability. Based on the definition of unlinkability introduced by Abe and Okamoto [35] and Juels et al. [36], we formally define the unlinkability property of DAOECS.

Definition 1 (The Linkage Game). Let $U_0$, $U_1$, and J be two honest users and the judge that follow DAOECS, respectively. Let B be the bank that participates in the following game with $U_0$, $U_1$, and J. The game environment is shown in Figure 5.

Step 1. According to DAOECS, B generates the bank's public key $(e_b, n_b)$, the bank's private key $(d_b, p_b, q_b)$, the system parameters $(p, q, g_1, g_2)$, the expiration date $D$, and the five public one-way hash functions $H_1$, $H_2$, $H_3$, $H_4$, and $H_5$. J generates the judge's public-private key pair $(pk_j, sk_j)$.

Step 2. B generates $x_{1i}, x_{2i}, r_{1i}, r_{2i}, r_{3i}$ at random, where $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q-1\}$, and computes $(y_{ki}, w_{ki})$ for $k = 1, 2$ and $i = 0, 1$, where $y_{ki} = g_k^{x_k} \bmod p$ and $w_{ki} = g_k^{r_k} \bmod p$.

Step 3. We choose a bit $b \in \{0, 1\}$ randomly and place $(y_{1b}, w_{1b}, y_{2b}, w_{2b})$ and $(y_{1,1-b}, w_{1,1-b}, y_{2,1-b}, w_{2,1-b})$ on the private input tapes of $U_0$ and $U_1$, respectively, where $b$ is not disclosed to B.

Step 4. B performs the withdrawal protocol of DAOECS with $U_0$ and $U_1$, respectively.

Step 5. If $U_0$ and $U_1$ output two e-cash(s) $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$, where $m_i = (y_{1i}, w_{1i}, y_{2i}, w_{2i}, r_{3i})$, on their private tapes, respectively, we give the two e-cash(s) in a random order to B; otherwise $\perp$ is given to B.

Step 6. B outputs $b' \in \{0, 1\}$ as the guess of $b$. The bank B wins the game if $b' = b$ and J has not revoked the anonymity of $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$ to B. We define the advantage of B as

$$\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(B) = \left| 2 \Pr[b' = b] - 1 \right|, \tag{13}$$

where $\Pr[b' = b]$ denotes the probability of $b' = b$.

Algorithm 1: Experiment FG-1.

Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{A}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \leftarrow A^{O_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s_i^{e_b} H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod{n_b}$ $\forall i \in \{1, \ldots, \ell+1\}$;
    (ii) $m_1, \ldots, m_{\ell+1}$ are all distinct;
  else return 0.

Definition 2 (Unlinkability). A DAOECS satisfies the unlinkability property if and only if the advantage $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(B)$ defined in Definition 1 is negligible.

Theorem 3. A DAOECS satisfies the unlinkability property of Definition 2 if the adopted cryptosystems are semantically secure.

Proof. If B is given $\perp$ in Step 5 of the game, it will determine $b$ with probability $1/2$, which is exactly the same as a random guess of $b$.

Here we assume that B gets two e-cash $(s_0, m_0, \sigma_0, D_0)$ and $(s_1, m_1, \sigma_1, D_1)$. Let $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{ji}))$, $i \in \{0, 1\}$, be the view of the data exchanged between $U_i$ and B in the withdrawal protocol (Section 3.2.2), and let $(x_{2i}, r_{2i}, r_{4i}, r_{ui}, r_{si}, s'_i, d_i)$ be the view of the data exchanged when B performs the payment protocol (Section 3.2.3) and the deposit protocol (Section 3.2.4) by using $(s_i, m_i, \sigma_i, D_i)$, where $i \in \{0, 1\}$. For

$$(s, m, \sigma, D, x_2, r_2, r_4, r_u, r_s, s', d) \in \{(s_0, m_0, \sigma_0, D_0, x_{20}, r_{20}, r_{40}, r_{u0}, r_{s0}, s'_0, d_0),\ (s_1, m_1, \sigma_1, D_1, x_{21}, r_{21}, r_{41}, r_{u1}, r_{s1}, s'_1, d_1)\} \tag{14}$$

and $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{ji}))$, $i \in \{0, 1\}$, there always exists a pair $(a'_i, b'_i)$ such that

$$a'_i = \left[\alpha_i H_1^2(m, D)\right]^{-d_b} \bmod n_b \quad \text{(via (1))}, \qquad b'_i = \left[\beta_i H_3(\sigma, D)\right]^{-d_b} \bmod n_b \quad \text{(via (2))}. \tag{15}$$

And from (3), $t_i \equiv (\alpha_i \beta_i H_2(D))^{d_b} \pmod{n_b}$, so (4) always holds as

$$s \equiv (a'_i b'_i t_i) \equiv \left[\left(H_1^2(m, D) H_3(\sigma, D)\right)^{-1} H_2(D)\right]^{d_b} \pmod{n_b}. \tag{16}$$

Besides, since $E_{pk_j}$ and $E_{k_i}$ are semantically secure encryption functions, B cannot learn any information from $\epsilon_i$ and $E_{k_i}(b_i, \sigma_i, r_{ji})$.

From the above, given any $(s, m, \sigma, D) \in \{(s_0, m_0, \sigma_0, D_0), (s_1, m_1, \sigma_1, D_1)\}$ and $(\alpha_i, \beta_i, t_i)$, where $i \in \{0, 1\}$, there always exists a corresponding pair $(a'_i, b'_i)$ such that (1), (2), (3), and (4) are satisfied. Thus, going back to Step 6 of the game, the bank B succeeds in determining $b$ with probability $(1/2) + \varepsilon$, where $\varepsilon$ is negligible since $E_{pk_j}$ and $E_{k_i}$ are semantically secure. Therefore, we have $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(B) = 2\varepsilon$, which is negligible, so that DAOECS satisfies the unlinkability property.

4.2. E-Cash Unforgeability. In this section, we will formally prove that the proposed date attachable offline electronic cash scheme (DAOECS) is secure against forgery attacks. Forgery attacks can be roughly divided into two types: one is the typical one-more forgery type (i.e., $(\ell, \ell+1)$-forgery) [37], and the other is the forgery of an e-cash on some specific expiration date after sufficient communications with the signing oracle (i.e., the bank). The details of the definitions and our formal proofs are described as follows.

Definition 4 (Forgery Game 1 in DAOECS (FG-1)). Let $l_k \in \mathbb{N}$ be a security parameter and A be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS and is responsible for issuing e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from A. A is allowed to query $O_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_A(l_k)$ shown in Algorithm 1. A wins the forgery game FG-1 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}1}}_A(l_k) = 1]$ of A is nonnegligible.

Definition 5 (Forgery Game 2 in DAOECS (FG-2)). Let $l_k \in \mathbb{N}$ be a security parameter and A be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS and takes charge of the following two events:

(i) issue e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from A;

(ii) record the total number $\ell_{D_i}$ of each distinct expiration date $D_i$.

A is allowed to query $O_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_A(l_k)$ shown in Algorithm 2. A wins the forgery game FG-2 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}2}}_A(k) = 1]$ of A is nonnegligible.

Algorithm 2: Experiment FG-2.

Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{A}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s_i, m_i, \sigma_i, D^*)$, $1 \le i \le \ell_{D^*} + 1$ $\leftarrow A^{O_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s_i^{e_b} H_1^2(m_i) H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$ $\forall i \in \{1, \ldots, \ell_{D^*} + 1\}$;
    (ii) $m_1, \ldots, m_{\ell_{D^*}+1}$ are all distinct;
  else return 0.

Algorithm 3.

Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_{A}(k)$:
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
  $(y_1, \ldots, y_m) \leftarrow O_t(N, e, k)$
  $(\pi, (x_1, y_1), \ldots, (x_n, y_n)) \leftarrow A^{O_{\mathrm{inv}}, O_t}(N, e, k)$
  if the following checks are true, return 1:
    (i) $\pi: \{1, \ldots, n\} \to \{1, \ldots, m\}$ is injective;
    (ii) $x_i^e \equiv y_i \pmod N$ $\forall i \in \{1, \ldots, n\}$;
    (iii) $n > q_h$;
  else return 0.

Here we introduce the hard problems used in our proof models.

Definition 6 (Alternative Formulation of the RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let $k \in \mathbb{N}$ be a security parameter and A be an adversary who is allowed to access the RSA-inversion oracle $O_{\mathrm{inv}}$ and the target oracle $O_t$. A is allowed to query $O_t$ and $O_{\mathrm{inv}}$ for $m$ and $q_h$ times, respectively. Consider Algorithm 3. We say A breaks the RSA-ACTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_A(k) = 1]$ of A is nonnegligible.

Definition 7 (The RSA Inversion Problem). Given $(e, n)$, where $n$ is the product of two distinct large primes $p$ and $q$ with roughly the same length and $e$ is a positive integer relatively prime to $(p-1)(q-1)$, and a randomly chosen positive integer $y$ less than $n$, find an integer $x$ such that $x^e \equiv y \pmod n$.

Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then DAOECS is secure against forgery attacks.

Theorem 9. For a polynomial-time adversary A who can win FG-1 or FG-2 with nonnegligible probability, there exists another adversary S who can break the RSA-ACTI problem or the RSA inversion problem with nonnegligible probability.

Proof. S simulates the environment and controls three hash oracles $O_{H_1}$, $O_{H_2}$, $O_{H_3}$ and an e-cash producing oracle $O_S$ of the DAOECS scheme to respond to the different queries from A in the random oracle model, and takes advantage of A to solve the RSA-ACTI problem or the RSA inversion problem simultaneously. Then, for consistency, S maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ to record every response of $O_{H_1}$, $O_{H_2}$, and $O_{H_3}$, respectively.

Here we will start to do the simulation for the two games (i.e., FG-1 and FG-2) to prove that DAOECS is secure against forgery attacks. The details of the simulation are set below and illustrated in Figures 6 and 7, respectively.

Simulation in FG-1. In this proof model, S is allowed to query the oracles $O_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $O_t$ of the RSA-ACTI problem defined in Definition 6 for helping S to produce e-cash(s), and the corresponding verifying key is $(e, n)$.

(i) $H_1$ Query of $O_{H_1}$.

Initially, every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When A sends $m$ for querying the hash value $H_1(m)$, S will check the list $\mathcal{L}_{H_1}$:

(a) if $m = m_i$ for some $i$, then S retrieves the corresponding $H_1(m_i)$ and returns it to A;

(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \ne \perp$ for some $i$, then S retrieves the corresponding $H_1^2(m_i)$ and returns it to A;

(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then S queries $O_t$ to get an instance $y$ and returns it to A, then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), y)$ in $\mathcal{L}_{H_1}$;

(d) otherwise, S selects a random $\rho \in Z_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to A.

(ii) $H_2$ Query of $O_{H_2}$.

When A asks for an $H_2$ query by sending $D$ to S, S will look up the list $\mathcal{L}_{H_2}$:

(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and S will send $(\tau^e \bmod n)$ back to A;

(b) otherwise, S will select a random $\tau \in Z_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to A.

(iii) $H_3$ Query of $O_{H_3}$.

While A sends $(\sigma, D)$ to S for $H_3(\sigma, D)$, S will look up the list $\mathcal{L}_{H_3}$:

(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ will be retrieved and $(\eta^e \bmod n)$ will be returned to A;

(b) otherwise, S will select a random $\eta \in Z_n$, record $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$, and return $(\eta^e \bmod n)$ back to A.

(iv) E-Cash Producing Query of $O_S$.

When A sends $(\alpha, \epsilon, D)$ to S, S will do the following steps:

(1) decrypt $\epsilon$, obtain $(k, \mathrm{ID})$;

(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;

(3) choose $\eta \in_R Z_n$, set $H_3(\sigma, D) = (\eta^e \bmod n)$, and store $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$;

(4) select $b \in_R Z_n^*$ and compute $\beta = (b^e \eta^e)^{-1} \bmod n$;

(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$ as in the $O_{H_2}$ query described above;

(6) send $(\alpha \beta \tau^e)$ to the oracle $O_{\mathrm{inv}}$ to get $t = (\alpha \beta \tau^e)^d \bmod n$;

(7) return $(t, E_k(b, \sigma, r_j))$ back to A.

Eventually, assume that A can successfully output $\ell + 1$ e-cash tuples

$$(s_1, m_1, \sigma_1, D_1), \cdots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}), \tag{17}$$

where the $m_i$ are all distinct, $\forall i$, $1 \le i \le \ell + 1$, such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) = H_2(D_i) \pmod n$, after $\ell$ times to query $O_S$, with nonnegligible probability $\epsilon_A$. According to $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, S can compute and retrieve the RSA-inversion instances ($\forall i$, $1 \le i \le \ell + 1$)

$$(y_i)^d \equiv \left(H_1^2(m_i)\right)^d \equiv \left(s_i^{-1} \left(H_3(\sigma_i, D_i)\right)^{-1} H_2(D_i)\right)^d \equiv s_i^{-1} \eta_i^{-1} (\tau_i) \pmod n. \tag{18}$$

Via A querying the signing oracle $O_S$ for $\ell$ times (i.e., $\ell$ queries to $O_{\mathrm{inv}}$ by S), S can output $\ell + 1$ RSA-inversion instances

$$\left(s_1^{-1} \eta_1^{-1} (\tau_1),\ y_1\right), \left(s_2^{-1} \eta_2^{-1} (\tau_2),\ y_2\right), \ldots, \left(s_{\ell+1}^{-1} \eta_{\ell+1}^{-1} (\tau_{\ell+1}),\ y_{\ell+1}\right) \tag{19}$$

and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_A$.

Figure 6: The proof model of FG-1. [Figure: $\mathcal{A}$ queries $O_{H_1}$ ($m_i \mapsto \rho_i$, $H_1(m_i) \mapsto y_i$), $O_{H_2}$ ($D_i \mapsto \tau_i^e \bmod n$), $O_{H_3}$ ($(\sigma_i, D_i) \mapsto \eta_i^e \bmod n$), and $O_S$ ($(\alpha_i, \epsilon_i, D_i) \mapsto (t_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$, with $t_i$ obtained from $O_{\mathrm{inv}}$ on $\alpha_i \beta_i \tau_i^e$ and the $y_i$ drawn from $O_t$ of RSA-ACTI). $\mathcal{A}$ outputs $(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1})$ with $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod n$ $\forall i \in \{1, \ldots, \ell+1\}$; $\mathcal{S}$ outputs $(s_1^{-1}\eta_1^{-1}(\tau_1), y_1), \ldots, (s_{\ell+1}^{-1}\eta_{\ell+1}^{-1}(\tau_{\ell+1}), y_{\ell+1})$ since $(y_i)^d \equiv (H_1^2(m_i))^d \equiv (s_i^{-1} H_3(\sigma_i, D_i)^{-1} H_2(D_i))^d \pmod n$.]

Figure 7: The proof model of FG-2. [Figure: $\mathcal{A}$ queries $O_{H_1}$ ($m_i \mapsto \rho_i$, $H_1(m_i) \mapsto \varsigma_i^e \bmod n$), $O_{H_2}$ ($D_i \mapsto \tau_i^e \bmod n$), $O_{H_3}$ ($(\sigma_i, D_i) \mapsto H_3(\sigma_i, D_i)$), and $O_S$ ($(\alpha_i, \epsilon_i, D_i) \mapsto (t_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$). $\mathcal{A}$ outputs $(s_i, m_i, \sigma_i, D')$ $\forall i \in \{1, \ldots, \ell_{D'}+1\}$ with $s_i^e H_1^2(m_i) H_3(\sigma_i, D') \equiv H_2(D') \pmod n$, and $\mathcal{S}$ derives $(s_i)^e \equiv ((\varsigma_i^e)(\eta_i^e y))^{-1}(\tau_i^e) \pmod n$, hence $x \equiv y^d \equiv (s_i \varsigma_i \eta_i)^{-1} \tau_i \pmod n$.]

Simulation in FG-2. Initially, S is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.

(i) $H_1$ Query of $O_{H_1}$.

Initially, every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When A sends $m$ for querying the hash value $H_1(m)$, S will check the list $\mathcal{L}_{H_1}$:

(a) if $m = m_i$ for some $i$, then S retrieves the corresponding $\rho_i$ and returns it to A;

(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \ne \perp$ for some $i$, then S retrieves the corresponding $\varsigma$ and returns $(\varsigma^e \bmod n)$ to A;

(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then S selects a random $\varsigma \in Z_n$, returns $(\varsigma^e \bmod n)$ to A, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;

(d) otherwise, S selects a random $\rho \in Z_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to A.

(ii) $H_2$ Query of $O_{H_2}$.

When A asks for an $H_2$ query by sending $D$ to S, S will look up the list $\mathcal{L}_{H_2}$:

(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and S will send $(\tau^e \bmod n)$ back to A;

(b) otherwise, S will select a random $\tau \in Z_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to A.

(iii) $H_3$ Query of $O_{H_3}$.

While A sends $(\sigma, D)$ to S for $H_3(\sigma, D)$, S will look up the list $\mathcal{L}_{H_3}$:

(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ will be retrieved and returned to A;

(b) otherwise, S will select a random $\eta \in Z_n$, set $H_3(\sigma, D) = (\eta^e y \bmod n)$, record $((\sigma, D), \eta, H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$, and return $H_3(\sigma, D)$ back to A.

(iv) E-Cash Producing Query of $O_S$.

Let $\ell_{D_i}$ be a counter to record the number of queries on each expiration date $D_i$, which is initialized to 0. When A sends $(\alpha, \epsilon, D)$ to S, S will do the following steps:

(1) decrypt $\epsilon$, obtain $(k, \mathrm{ID})$;

(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;

(3) choose $\eta \in_R Z_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), \perp, (\alpha \eta^e \bmod n))$ and $(\sigma, D)$ in $\mathcal{L}_{H_3}$ and $\mathcal{L}_x$, respectively;

(4) select $b \in_R Z_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;

(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$ as in the $O_{H_2}$ query described above;

(6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv ((b\eta)^{-1} \tau) \pmod n$;

(7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ back to A.

Eventually, assume that A can successfully output $\ell_{D'} + 1$ e-cash tuples for some expiration date $D'$,

$$(s_1, m_1, \sigma_1, D'), \cdots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D'), \tag{20}$$

such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D') = H_2(D') \pmod n$, $\forall i$, $1 \le i \le \ell_{D'} + 1$, after $\ell_{D'}$ times to query $O_S$ on $D'$, with nonnegligible probability $\epsilon_A$.

Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'} + 1$, is not recorded in $\mathcal{L}_x$; then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, S can compute and retrieve

$$(s_i)^e \equiv \left(H_1^2(m_i) H_3(\sigma_i, D')\right)^{-1} H_2(D') \equiv \left((\varsigma_i^e)(\eta_i^e y)\right)^{-1} (\tau_i^e) \pmod n, \qquad x \equiv y^d \equiv (s_i \varsigma_i \eta_i)^{-1} \tau_i \pmod n, \tag{21}$$

and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_A$.

4.3. E-Cash Conditional-Traceability. In this section, we will prove that the ID information embedded in e-cash(s) cannot be replaced or removed by any user in order to avoid being traced after some misbehavior or crime. The details of our proof model are illustrated in Figure 8.

Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and A be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS to record the parameters from the queries of A and issue e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. A is allowed to query $O_S$ for $\ell$ times; consider Algorithm 4. A wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{TG}}_A(k) = 1]$ of A is nonnegligible.

Figure 8: The proof model of TG. [Figure: $\mathcal{S}$ answers $O_{H_1}$ ($m_i \mapsto \rho_i$, $H_1(m_i) \mapsto \varsigma_i^e \bmod n$), $O_{H_2}$ ($D_i \mapsto \tau_i^e \bmod n$), $O_{H_3}$ ($(\sigma_i, D_i) \mapsto y_i$, drawn from $O_t$ of RSA-AKTI and stored in $\mathcal{L}_T$), and $O_S$, where for $(\alpha_i, \epsilon_i, D_i)$ it chooses $\eta_i \in Z_n$, sets $H_3(\sigma_i, D_i) = \alpha_i \eta_i^e \bmod n$, stores it in $\mathcal{L}_{H_3}$ and $\mathcal{L}_T$, and returns $(t_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$. $\mathcal{A}$ outputs $(s', m', \sigma', D')$ with $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$ and $s'^e H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$; $\mathcal{S}$ obtains $(y')^d \equiv (H_3(\sigma', D'))^d \equiv s'^{-1}(H_1^2(m')^{-1} H_2(D'))^d \equiv s'^{-1} \varsigma^{-1} \tau' \pmod n$ and, with $x_i = y_i^d \bmod n$ from $O_{\mathrm{inv}}$ ($q_h$ inversion queries, $q_t$ targets), outputs $(x_1, y_1), (x_2, y_2), \ldots, (x_{q_t-1}, y_{q_t-1}), ((s'^{-1}\varsigma^{-1}\tau'), y')$.]

Algorithm 4.

Experiment $\mathrm{Exp}^{\mathrm{TG}}_{A}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s', m', \sigma', D') \leftarrow A^{O_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
  $\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow O_S$
  if the following two checks are true, return 1:
    (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$;
    (ii) $s'^e H_1^2(m') H_3(\sigma', D') = H_2(D') \bmod n$;
  else return 0.

Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies the E-Cash Traceability.

Definition 12 (Alternative Formulation of the RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and A be an adversary who is allowed to access the RSA-inversion oracle $O_{\mathrm{inv}}$ and the target oracle $O_t$. A is allowed to query $O_t$ and $O_{\mathrm{inv}}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5.

We say A breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_A(k) = 1]$ of A is nonnegligible.

Algorithm 5.

Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{A}(k)$:
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
  $(y_1, \ldots, y_{q_t}) \leftarrow O_t(N, e, k)$
  $((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow A^{O_{\mathrm{inv}}, O_t}(N, e, k)$
  if $x_i^e \equiv y_i \pmod N$ $\forall i \in \{1, \ldots, q_t\}$, return 1
  else return 0.

Theorem 13. For a polynomial-time adversary A who can win the tracing game TG with nonnegligible probability, there exists another adversary S who can break the RSA-AKTI problem with nonnegligible probability.

Proof S simulates the environment of DAOECS by con-trolling three hash oracles O

1198671 O

1198672 O

1198673 to respond hash

queries and an e-cash producing oracle O119878ofDAOECS to

respond e-cash producing queries fromA respectively in therandomoraclemodel EventuallySwill take advantage ofArsquoscapability to solve RSA-AKTI problemThen for consistencyS maintains three lists L

1198671 L

1198672 and L

1198673to record every

response of O1198671 O

1198672 and O

1198673 respectively

The Scientific World Journal 13

Besides in the proof model S is allowed to query theoracles Oinv (ie (sdot)

119889) and O119905of the RSA-AKTI problem

defined inDefinition 12 for helpingS produce valid e-cash(s)and the corresponding verifying key is (119890 119899)

Here we will do the simulation for game TG to provethat DAOECS satisfies the e-cash traceability Details aredescribed as follows

(i) 1198671Query of O

1198671

Initially every blank record in L1198671

can be repre-sented as (perp perp perp) WhenA sends119898 for querying thehash value119867

1(119898) S will check the listL

1198671

(a) if 119898 = 119898119894for some 119894 then S retrieves the

corresponding1198671(119898

119894) and return it toA

(b) else if 119898 = 1198671(119898

119894) and 119867

2

1(119898

119894) = perp for some

119894 then S retrieves the corresponding 120589119894and

returns (120589119890119894mod 119899) toA

(c) else if 119898 = 1198671(119898

119894) and 119867

2

1(119898

119894) = perp

for some 119894 then S chooses 120589 isin119877Z119899 sets

1198672

1(119898

119894) = (120589

119890 mod 119899) and returns 1198672

1(119898

119894) toA

then fills the original record (119898119894 119867

1(119898

119894) perp) as

(119898119894 119867

1(119898

119894) 120589) inL

1198671

(d) otherwise S selects a random 120588 isin Z119899 sets

1198671(119898

119894) = 120588 records (119898119867

1(119898

119894) perp) inL

1198671 and

returns 120588 toA

(ii) 1198672Query of O

1198672

WhenA asks for1198672query by sending119863 toSS will

look up the listL1198672

(a) if119863 = 119863119894for some 119894 the corresponding 120591will be

retrieved andS will send (120591119890 mod 119899) back toA(b) otherwiseSwill select a random 120591 isin Z

119899 record

(119863 120591) inL1198672 and return (120591119890 mod 119899) back toA

(iii) $H_3$ Query of $O_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:

(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to $\mathcal{A}$;

(b) otherwise, $\mathcal{S}$ will query $O_t$ to get an instance $y$, and record $y$ and $((\sigma, D), y)$ in $\mathcal{L}_T$ and $\mathcal{L}_{H_3}$, respectively;

(c) return $y$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $O_S$. While $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:

(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;

(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;

(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$;

(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;

(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e \bmod n)$, as in the $O_{H_2}$ query described above;

(6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv ((b\eta)^{-1} \tau) \pmod n$;

(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of any $O_S$ query, such that $s'^{e} H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$. Then, by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can derive

$$(y')^d \equiv \big(H_3(\sigma', D')\big)^d \equiv s'^{-1} \big(H_1^2(m')^{-1} H_2(D')\big)^d \equiv s'^{-1} \xi'^{-1} \tau' \pmod n. \quad (22)$$

Let $|\mathcal{L}_T| = q_t$ and $\mathcal{L}_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends $y_i \in (\mathcal{L}_T \setminus \{y'\})$, $1 \le i \le (q_t - 1)$, to $O_{\mathrm{inv}}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$. Eventually, $\mathcal{S}$ can output $q_t$ RSA-inversion instances

$$(x_1, y_1), (x_2, y_2), \ldots, (x_{q_t - 1}, y_{q_t - 1}), \big((s'^{-1} \xi'^{-1} \tau'), y'\big) \quad (23)$$

after querying $O_{\mathrm{inv}}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has been spent in a previous transaction, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model, the merchant may accept a transaction involving a double-spent e-cash first and do the double-spending check later. In this case, the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two events:

(i) No one except the real owner can spend a fresh and valid offline e-cash successfully.

(ii) No one can double-spend an e-cash successfully.

Roughly, these can be referred to as the e-cash no-swindling property. In this section, we will define the no-swindling property and formally prove that our scheme is secure against swindling attacks.

Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $O_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $O_{\mathrm{off}}$ is an oracle to show the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively.

$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{SWG}\text{-}1}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\mathrm{SWG}\text{-}2}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.


Experiment $\mathrm{Exp}^{\mathrm{SWG}\text{-}1}_{\mathcal{A}}(l_k)$

$(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$

$(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{O_B, O_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$

if the following checks are true, return 1:

(i) $s^{e_b} H_1^2\big(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\, y_1, w_2, y_2, D, r_3\big)\, H_3(\sigma, D) = H_2(D) \bmod n_b$;

(ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ was never a query to $O_{\mathrm{off}}$;

else return 0.

Algorithm 6: Experiment SWG-1.

Experiment $\mathrm{Exp}^{\mathrm{SWG}\text{-}2}_{\mathcal{A}}(l_k)$

$(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$

$(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{O_B, O_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$

if the following checks are true, return 1:

(i) $s^{e_b} H_1^2\big(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\, y_1, w_2, y_2, D, r_3\big)\, H_3(\sigma, D) = H_2(D) \bmod n_b$;

(ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $O_{\mathrm{off}}$ only once;

(iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ is not obtained from $O_{\mathrm{off}}$;

else return 0.

Algorithm 7: Experiment SWG-2.

Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $O_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually, $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. For consistency, $\mathcal{S}$ maintains a list $\mathcal{L}_{H_4}$ to record every response of $O_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we will describe the simulations for the two experiments $\mathrm{Exp}^{\mathrm{SWG}\text{-}1}_{\mathcal{A}}$ and $\mathrm{Exp}^{\mathrm{SWG}\text{-}2}_{\mathcal{A}}$ individually.

The simulation for $\mathrm{Exp}^{\mathrm{SWG}\text{-}1}_{\mathcal{A}}$ is illustrated in Figure 9, and

each oracle is constructed as follows.

(i) Oracle $O_B$. Initially, $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$th query will be the attack target. When $\mathcal{A}$ sends the $i$th query to $O_B$ for an e-cash, $O_B$ will do the following:

(a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

(b) if $i = \nu$: (1) compute $(w_1 = (y^*)^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;

(c) if $i \neq \nu$: (1) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;

(d) prepare $s = \big((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

(e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $\mathcal{L}_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $O_{\mathrm{off}}$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $O_{\mathrm{off}}$, it will look up the list $\mathcal{L}_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;

(b) otherwise, $O_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $\mathcal{L}_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*}$, $\mathcal{S}$ can derive

$$x^* = (r_1^*)^{-1} \big(x_1^* H_4(r_u^*, r_s^*) + s'^*\big) \bmod q \quad (24)$$


Figure 9: The proof model of SWG-1 (message flow among $\mathcal{A}$, $\mathcal{S}$, $O_B$, and $O_{\mathrm{off}}$, ending in the Swindle output and the derivation of $x^*$ in (24)).

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{O_B})\,\epsilon_{\mathcal{A}}$, where $q_{O_B}$ is the total number of $O_B$ queries.

The simulation for $\mathrm{Exp}^{\mathrm{SWG}\text{-}2}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $O_B$. Initially, $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$th query will be the attack target. When $\mathcal{A}$ sends the $i$th query to $O_B$ for an e-cash, $O_B$ will do the following:

(a) if $i = \nu$:

(1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

(2) compute $(y_1 = (y^*)^{x_1} \bmod p)$ and $(w_1 = y_1^{u} g^{s'} \bmod p)$;

(3) prepare $s = \big((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

(4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $\mathcal{L}_B$;

(b) if $i \neq \nu$:

(1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

(2) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;

(3) prepare $s = \big((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

(4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $\mathcal{L}_B$;

(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $O_{\mathrm{off}}$. A status parameter $\mathrm{sta}$ is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $O_{\mathrm{off}}$, it will look up the list $\mathcal{L}_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and $\mathrm{sta} = 0$, $O_{\mathrm{off}}$ will perform the following procedures:

(1) set $\mathrm{sta} = 1$;

(2) retrieve the corresponding $(u, s')$ from $\mathcal{L}_B$ and choose a random $r_u$;

(3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $\mathcal{L}_H$;

(4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $\mathcal{L}_{\mathrm{off}}$;

(5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;

(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $O_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, compute $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;

(c) otherwise, abort.

(iii) Oracle $O_{H_4}$. While $\mathcal{A}$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $O_{H_4}$ will check the list $\mathcal{L}_H$:

(a) if $(r_u, r_s)$ exists as the prefix of some record, $O_{H_4}$ will retrieve the corresponding $u$ and return it to $\mathcal{A}$;


Figure 10: The proof model of SWG-2 (message flow among $\mathcal{A}$, $\mathcal{S}$, $O_B$, $O_{\mathrm{off}}$, and $O_{H_4}$, with the status flag $\mathrm{sta}$, the lists $\mathcal{L}_H$ and $\mathcal{L}_{\mathrm{off}}$, and the derivation of $x^*$ in (26)).

(b) otherwise, $O_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, and return $u$ to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $\mathcal{L}_B$, and $H_4(r_u^*, r_s^*) = u^*$. Then, via $\mathcal{L}_H$, since

$$\big((y^*)^{x_1^*}\big)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \big((y^*)^{x_1^*}\big)^{u} g^{s'} \pmod p, \quad (25)$$

$\mathcal{S}$ can derive

$$x^* = \big(x_1^* (u^* - u)\big)^{-1} (s' - s'^*) \bmod q \quad (26)$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{O_B})\,\epsilon_{\mathcal{A}}$, where $q_{O_B}$ is the total number of $O_B$ queries.

Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. It implies that there exists no PPT adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.

5. E-Cash Advanced Features and Performance Comparisons

In this section, we compare the e-cash features and performance of our proposed scheme with other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and form a table (Table 1) for the summary.

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these features, there can be other advanced features of an e-cash system discussed in the literature. We focus on three other advanced features, which are traceability, date attachability, and no-swindling, and we compare the proposed scheme with the aforementioned schemes.

We also propose an e-cash renewal protocol for users to exchange their unused but expired e-cash(s) for a new valid e-cash; therefore, users do not have to deposit the e-cash before it expires and withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. It is a great help to the users, since their devices, such as smart phones, usually have weaker computation capability.


Table 1: Advanced features and performance comparisons.

| | Ours | [38] | [14] | [15] | [9] | [21] | [22] | [39] | [40] | [13] | [27] |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Advanced features | | | | | | | | | | | |
| On/off-line | Off | Off | Off | Off | On | Off | Off | Off | Off | On | Off |
| Conditional-traceability | Yes | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
| Date attachability | Yes | No | No | No | Yes | Yes | No | No | No | No | Yes |
| No-swindling | Yes | No | No | No | — | No | Yes | No | No | — | No |
| Renewal protocol | Yes | — | Yes | — | No | Yes | Yes | — | — | — | Yes |
| Formal proof | Yes | Yes | No | Yes | No | No | Yes | Yes | Yes | Yes | No |
| Performance | | | | | | | | | | | |
| Transaction cost⋆ | 5E+7M+7H+1inv+1A ≈ 1454M | 14E+14M+1H+5A ≈ 3375M | 6E+8M ≈ 1448M | 23E+14M+1A ≈ 5534M | 2E+2M+2H ≈ 966M | 5E+9M+1H+1inv+2A ≈ 1450M | 2E ≈ 480M | 18E+15M+2H+8A ≈ 4337M | 31E+22M+6H+10A ≈ 7468M | 22E+11M+4A ≈ 5291M | 6E+8M+1H ≈ 1449M |
| Communication cost† | 1092 | 576 | 1288 | 939 | 769 | 644 | 300 | 828 | 968 | 1536 | 728 |

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
† The communication cost of each transaction at the user side, in bytes.


5.2. Performance Comparisons. According to [41], we can summarize and induce the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times the computation cost of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.

With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be induced as 1452 times that of a modular multiplication, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times that of a modular multiplication to finish the withdrawal and payment phases at the user end.

According to [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and one-way hash function used in all protocols, respectively; therefore, the signed message and hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.

The details of the comparisons are summarized in Table 1.

6. Conclusion

In this paper, we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol where users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient from the aspect of the computation cost at the user side while satisfying all security properties simultaneously. Except for anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank manage its huge databases against unlimited growth, but it also strengthens the preservation of users' privacy and rights.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.

References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.

[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.

[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.

[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.

[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.

[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.

[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man, and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.

[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.

[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.

[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.

[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.

[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.

[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.

[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.


[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.

[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.

[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.

[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology-CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.

[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.

[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.

[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.

[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.

[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.

[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.

[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.

[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology-CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.

[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.

[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.

[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.

[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.

[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs: White Paper, Mobile Platform Group, Intel Corporation, 2002.

[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.

[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.

[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.

[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.

[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.

[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.

[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.



Figure 2: Payment protocol (message flow between User and Shop: validity check of $D$ and the signature equation, challenge $r_s$, response $(s', r_u)$ with $s' = (r_1 - u x_1) \bmod q$, and verification of $w_1 = y_1^{H_4(r_u, r_s)} g^{s'} \pmod p$).

(2) Shop → User: $r_s$

The shop first checks $D$ to verify whether the e-cash is still within its expiration date. If not, it terminates the transaction. Otherwise, it continues to verify $s^{e_b} H_1^2(m, D) H_3(\sigma, D) = H_2(D) \pmod{n_b}$. If this is not valid, the protocol is aborted; otherwise the shop selects a string $r'_s \in_R \{0, 1\}^{l_{r_j}}$ and sets a challenge $r_s = (\mathrm{ID}_s, r'_s)$, where $\mathrm{ID}_s$ is the identity of the shop. Finally, it sends $r_s$ to the user.

(3) User → Shop: $(s', r_u)$

After receiving $r_s$ from the shop, the user randomly selects $r_u \in_R \mathbb{Z}_q^*$ and computes a response to the challenge
$$ s' = (r_1 - u x_1) \bmod q, \qquad (6) $$
where $u = H_4(r_u, r_s)$. Then the user sends $(s', r_u)$ to the shop.

(4) Verifications

After receiving $(s', r_u)$ from the user, the shop verifies whether $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \pmod p$ holds. If it holds, the shop accepts the e-cash; otherwise, the shop rejects it. Since this is offline e-cash, the shop does not have to deposit it to the bank immediately; it can store the e-cash and deposit it later together with other received e-cash.

3.2.4. Deposit Protocol. As Figure 3 shows, in this protocol shops attach the deposit date to their e-cash and deposit them to banks. Banks perform double-spending checks when they receive these e-cash. If any e-cash is double-spent, the bank will revoke the anonymity of the e-cash owner with the help of the judge. The steps are described in detail as follows.

(1) Shop → Bank: $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$

The shop computes $r_4 = r_2 - x_2 H_5(d)$, where $d$ is the deposit date, and sends $(s, m, \sigma, D, d, r_4, s', r_u, r_s)$ to the bank.

(2) Verifications

Firstly, the bank checks the correctness of the expiration date $D$ and the deposit date $d$, respectively, and also checks whether
$$ w_2 = y_2^{H_5(d)} g_2^{r_4} \bmod p, \qquad w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \bmod p \qquad (7) $$
hold. Secondly, the bank verifies whether $s^{e_b} H_1^2(m, D) H_3(\sigma, D) = H_2(D) \pmod{n_b}$ and checks the uniqueness of $(s, m, \sigma, D)$. Finally, if all of the above facts are verified successfully, the bank will accept and store the e-cash in its database and record $H_1(m, D)$ in the exchange list. Otherwise, it will reject this transaction and trace the owner of the e-cash.

3.2.5. E-Cash Renewal Protocol. In order to reduce the problem of unlimited database growth at the bank, our scheme has an expiration date and a renewal protocol, shown in Figure 4. When an unused e-cash has expired, the user has to exchange it at the bank for another e-cash with a new expiration date.

(1) User → Bank: $(s, \rho, \sigma, D)$

The user recalls $m = (y_1, w_1, y_2, w_2, x_2, r_3)$ and prepares
$$ \rho = H_1(m, D) \qquad (8) $$
and sends it together with the unused $(s, \sigma, D)$ to the bank.

(2) Verifications

Firstly, the bank checks the correctness of the expiration date $D$ and makes sure $\rho$ does not exist in the exchange list. Secondly, the bank verifies whether $s^{e_b} H_1(\rho) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$. Finally, if all of the above facts are verified successfully, the bank will accept to exchange the e-cash: it will send a new expiration date $D'$ and store $\rho$ in the exchange list. Otherwise, it will reject the exchange request.

(3) User → Bank: $(\alpha, \epsilon)$

The user computes
$$ \alpha = [a^{e_b} H_1^2(m', D')]^{-1} \bmod n_b, \qquad (9) $$
where $m' = (y_1, w_1, y_2, w_2, x_2, r'_3)$, $r'_3$ is a random number, and $D'$ is the new expiration date issued by the bank. The user sends $(\alpha, \epsilon, \mathrm{ID}_c)$ to the bank. Then the bank repeats the withdrawal protocol in Section 3.2.2 from Step 2 with the user.

Figure 3: Deposit protocol.

Figure 4: E-cash renewal protocol.

3.2.6. Double-Spending Checking and Anonymity Control. In our scheme, the identity of a user is anonymous in general, except when the user violates a security rule, in which case the identity will be revealed.

(1) Double-Spending Checking

When an e-cash is doubly spent, there must be two e-cash records with the same prefix $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$ stored in the database of the bank. Therefore, the bank is able to detect any double-spent e-cash easily by checking the above parameters. For instance, suppose the bank has received the two e-cash records
$$ (s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, s', r_u, r_s), \qquad (s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, \bar{s}', \bar{r}_u, \bar{r}_s). \qquad (10) $$
Thus the bank can obtain the two equations
$$ s' \equiv r_1 - H_4(r_u, r_s)\, x_1 \pmod q, \qquad \bar{s}' \equiv r_1 - H_4(\bar{r}_u, \bar{r}_s)\, x_1 \pmod q. \qquad (11) $$
The bank can derive $(x_1, r_1)$ from the above equations and send $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$ and $(x_1, r_1)$ to the judge to trace the owner of the e-cash.

(2) Revocation

The judge can trace any user who doubly spends e-cash or violates any transaction regulation. When the judge receives $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$ and $(x_1, r_1)$ from the bank, it checks the following equations:
$$ s^{e_b} H_1^2(m, D) H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}, \qquad y_1 \equiv g_1^{x_1} \pmod p, \qquad w_1 \equiv g_1^{r_1} \pmod p. \qquad (12) $$
If all of the above equalities hold, the judge will decrypt $\sigma$ and return the extracted $\mathrm{ID}_c$ to the bank.

Figure 5: The game environment of the linkage game.
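The challenge-response of the payment protocol (steps (3) and (4)), the deposit-date binding $r_4 = r_2 - x_2 H_5(d)$ checked in (7), and the bank's recovery of $(x_1, r_1)$ from two spends of one coin (equations (11) and (12)), as an added Python example that is not part of the paper. Function names are my own; SHA-256 reduced into $\mathbb{Z}_q$ stands in for $H_4$ and $H_5$ (an assumption), the group is a constructed toy one (a safe prime near $10^6$, not a cryptographic size), and, as in Figure 2, the shop is assumed to receive $(x_2, r_2)$ from the user during payment.

```python
import hashlib

def _is_prime(n):
    """Trial division; fine for the toy-sized parameters chosen below."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def _safe_prime_pair(start):
    """First q >= start with q and p = 2q + 1 both prime (toy parameter generation)."""
    q = start
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1, q

# Constructed toy group: NOT a cryptographic size, chosen so the example runs instantly.
P, Q = _safe_prime_pair(1_000_000)
G1, G2 = pow(2, 2, P), pow(3, 2, P)      # non-trivial squares mod p have prime order q

def hash_to_zq(*parts):
    """Stand-in for H4 and H5 (assumption): SHA-256 of the parts, reduced into Z_q."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def public_values(sec):
    """The (y1, w1, y2, w2) part of m: y_k = g_k^x_k, w_k = g_k^r_k (mod p)."""
    return {"y1": pow(G1, sec["x1"], P), "w1": pow(G1, sec["r1"], P),
            "y2": pow(G2, sec["x2"], P), "w2": pow(G2, sec["r2"], P)}

def respond(r, x, c):
    """r - c*x (mod q): eq. (6) with c = H4(r_u, r_s); the deposit step with c = H5(d)."""
    return (r - c * x) % Q

def check(w, y, c, s, g):
    """w == y^c * g^s (mod p): the shop's check of w1 and the bank's checks in (7)."""
    return w == (pow(y, c, P) * pow(g, s, P)) % P

def pay(sec, r_u, r_s):
    """User's step (3): u = H4(r_u, r_s), s' = r1 - u*x1 (mod q)."""
    u = hash_to_zq(r_u, r_s)
    return {"r_u": r_u, "r_s": r_s, "s_prime": respond(sec["r1"], sec["x1"], u)}

def shop_accepts(coin, spend):
    """Shop's step (4): w1 == y1^{H4(r_u, r_s)} * g1^{s'} (mod p)."""
    u = hash_to_zq(spend["r_u"], spend["r_s"])
    return check(coin["w1"], coin["y1"], u, spend["s_prime"], G1)

def attach_deposit_date(x2, r2, d):
    """Shop's deposit step with the (x2, r2) received in payment: r4 = r2 - x2*H5(d)."""
    return respond(r2, x2, hash_to_zq(d))

def bank_accepts_deposit(coin, r4, d):
    """Bank's check in (7): w2 == y2^{H5(d)} * g2^{r4} (mod p)."""
    return check(coin["w2"], coin["y2"], hash_to_zq(d), r4, G2)

def identify_double_spender(spend_a, spend_b):
    """Bank's step (1) of 3.2.6: two spends with u_a != u_b give the two equations (11);
    subtracting them yields x1, and substituting back yields r1."""
    u_a = hash_to_zq(spend_a["r_u"], spend_a["r_s"])
    u_b = hash_to_zq(spend_b["r_u"], spend_b["r_s"])
    if u_a == u_b:
        return None                      # identical challenges carry no new information
    x1 = ((spend_a["s_prime"] - spend_b["s_prime"]) * pow((u_b - u_a) % Q, -1, Q)) % Q
    r1 = (spend_a["s_prime"] + u_a * x1) % Q
    return x1, r1

def judge_confirms(coin, x1, r1):
    """Judge's checks in (12): y1 == g1^x1 and w1 == g1^r1 (mod p)."""
    return coin["y1"] == pow(G1, x1, P) and coin["w1"] == pow(G1, r1, P)

def run_demo():
    """One coin: spent at shop A, deposited, then spent again at shop B and traced."""
    sec = {"x1": 1234, "r1": 5678, "x2": 910, "r2": 1112}     # constructed user secrets
    coin = public_values(sec)
    spend_a = pay(sec, r_u=4242, r_s="SHOP-A|3f9c")            # constructed challenge data
    r4 = attach_deposit_date(sec["x2"], sec["r2"], "2014-03-01")
    spend_b = pay(sec, r_u=1717, r_s="SHOP-B|a10d")            # same coin, second shop
    tampered = dict(spend_a, s_prime=(spend_a["s_prime"] + 1) % Q)
    recovered = identify_double_spender(spend_a, spend_b)
    return {
        "payment_ok": shop_accepts(coin, spend_a),
        "tampered_rejected": not shop_accepts(coin, tampered),
        "deposit_ok": bank_accepts_deposit(coin, r4, "2014-03-01"),
        "wrong_date_rejected": not bank_accepts_deposit(coin, r4, "2014-03-02"),
        "recovered": recovered,
        "traced": recovered is not None and judge_confirms(coin, *recovered),
    }
```

A single spend reveals nothing about $x_1$ (one linear equation, two unknowns); the second spend with a different challenge is what makes the identity recoverable, which is why the shop's identity is folded into $r_s$.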

4. Security Proofs

In this section, we provide security definitions and formal proofs of the following security features for our proposed date attachable offline electronic cash scheme (DAOECS): unlinkability, unforgeability, traceability, and no-swindling.

4.1. E-Cash Unlinkability. Based on the definition of unlinkability introduced by Abe and Okamoto [35] and Juels et al. [36], we formally define the unlinkability property of DAOECS.

Definition 1 (The Linkage Game). Let $U_0$, $U_1$, and $J$ be two honest users and the judge that follow DAOECS, respectively. Let $B$ be the bank that participates in the following game with $U_0$, $U_1$, and $J$. The game environment is shown in Figure 5.

Step 1. According to DAOECS, $B$ generates the bank's public key $(e_b, n_b)$, the bank's private key $(d_b, p_b, q_b)$, the system parameters $(p, q, g_1, g_2)$, the expiration date $D$, and the five public one-way hash functions $H_1, H_2, H_3, H_4$, and $H_5$. $J$ generates the judge's public-private key pair $(pk_j, sk_j)$.

Step 2. $B$ generates $x_{1,i}, x_{2,i}, r_{1,i}, r_{2,i}, r_{3,i}$ at random, where $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q-1\}$, and computes $(y_{k,i}, w_{k,i})$ for $k = 1, 2$ and $i = 0, 1$, where $y_{k,i} = g_k^{x_{k,i}} \bmod p$ and $w_{k,i} = g_k^{r_{k,i}} \bmod p$.

Step 3. We choose a bit $b \in \{0, 1\}$ at random and place $(y_{1,b}, w_{1,b}, y_{2,b}, w_{2,b})$ and $(y_{1,1-b}, w_{1,1-b}, y_{2,1-b}, w_{2,1-b})$ on the private input tapes of $U_0$ and $U_1$, respectively, where $b$ is not disclosed to $B$.

Step 4. $B$ performs the withdrawal protocol of DAOECS with $U_0$ and $U_1$, respectively.

Step 5. If $U_0$ and $U_1$ output two e-cash $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$, where $m_i = (y_{1,i}, w_{1,i}, y_{2,i}, w_{2,i}, r_{3,i})$, on their private tapes, respectively, we give the two e-cash in a random order to $B$; otherwise $\bot$ is given to $B$.


Experiment $\mathrm{Exp}^{\mathrm{FG}\text{-}1}_{A}(l_k)$:
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $\{(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1})\} \leftarrow A^{O_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s_i^{e_b} H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell+1\}$
        (ii) $m_1, \ldots, m_{\ell+1}$ are all distinct
    else return 0

Algorithm 1: Experiment FG-1.

Step 6. $B$ outputs $b' \in \{0, 1\}$ as its guess of $b$. The bank $B$ wins the game if $b' = b$ and $J$ has not revoked the anonymity of $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$ to $B$. We define the advantage of $B$ as
$$ \mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(B) = \left| 2 \Pr[b' = b] - 1 \right|, \qquad (13) $$
where $\Pr[b' = b]$ denotes the probability that $b' = b$.

Definition 2 (Unlinkability). A DAOECS satisfies the unlinkability property if and only if the advantage $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(B)$ defined in Definition 1 is negligible.

Theorem 3. A DAOECS satisfies the unlinkability property of Definition 2 if the adopted cryptosystems are semantically secure.

Proof. If $B$ is given $\bot$ in Step 5 of the game, it will determine $b$ with probability $1/2$, which is exactly the same as a random guess of $b$.

Here we assume that $B$ gets the two e-cash $(s_0, m_0, \sigma_0, D_0)$ and $(s_1, m_1, \sigma_1, D_1)$. Let $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{j,i}))$, $i \in \{0, 1\}$, be the view of the data exchanged between $U_i$ and $B$ in the withdrawal protocol (Section 3.2.2), and let $(x_{2,i}, r_{2,i}, r_{4,i}, r_{u,i}, r_{s,i}, s'_i, d_i)$ be the view of the data exchanged when $B$ performs the payment protocol (Section 3.2.3) and the deposit protocol (Section 3.2.4) using $(s_i, m_i, \sigma_i, D_i)$, where $i \in \{0, 1\}$. For
$$ (s, m, \sigma, D, x_2, r_2, r_4, r_u, r_s, s', d) \in \{ (s_0, m_0, \sigma_0, D_0, x_{2,0}, r_{2,0}, r_{4,0}, r_{u,0}, r_{s,0}, s'_0, d_0),\ (s_1, m_1, \sigma_1, D_1, x_{2,1}, r_{2,1}, r_{4,1}, r_{u,1}, r_{s,1}, s'_1, d_1) \} \qquad (14) $$
and $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{j,i}))$, $i \in \{0, 1\}$, there always exists a pair $(a'_i, b'_i)$ such that
$$ a'_i = [\alpha_i H_1^2(m, D)]^{-d_b} \bmod n_b \quad (\text{via } (1)), \qquad b'_i = [\beta_i H_3(\sigma, D)]^{-d_b} \bmod n_b \quad (\text{via } (2)). \qquad (15) $$
And from (3), $t_i \equiv (\alpha_i \beta_i H_2(D))^{d_b} \pmod{n_b}$, so (4) always holds, as
$$ s \equiv (a'_i b'_i t_i) \equiv [(H_1^2(m, D) H_3(\sigma, D))^{-1} H_2(D)]^{d_b} \pmod{n_b}. \qquad (16) $$
Besides, $E_{pk_j}$ and $E_{k_i}$ are semantically secure encryption functions, so $B$ cannot learn any information from $\epsilon_i$ and $E_{k_i}(b_i, \sigma_i, r_{j,i})$.

From the above, given any $(s, m, \sigma, D) \in \{(s_0, m_0, \sigma_0, D_0), (s_1, m_1, \sigma_1, D_1)\}$ and $(\alpha_i, \beta_i, t_i)$, where $i \in \{0, 1\}$, there always exists a corresponding pair $(a'_i, b'_i)$ such that (1), (2), (3), and (4) are satisfied. Thus, going back to Step 6 of the game, the bank $B$ succeeds in determining $b$ with probability $(1/2) + \varepsilon$, where $\varepsilon$ is negligible since $E_{pk_j}$ and $E_{k_i}$ are semantically secure. Therefore we have $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(B) = 2\varepsilon$, which is negligible, so that DAOECS satisfies the unlinkability property.

4.2. E-Cash Unforgeability. In this section, we formally prove that the proposed date attachable offline electronic cash scheme (DAOECS) is secure against forgery attacks. Forgery attacks can be roughly divided into two types: one is the typical one-more forgery (i.e., $(\ell, \ell+1)$-forgery) [37], and the other is forgery on some specific expiration date of an e-cash after sufficient communication with the signing oracle (i.e., the bank). The definitions and our formal proofs are described as follows.

Definition 4 (Forgery Game 1 in DAOECS (FG-1)). Let $l_k \in \mathbb{N}$ be a security parameter and $A$ be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS and is responsible for issuing e-cash (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $A$. $A$ is allowed to query $O_S$ $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG}\text{-}1}_{A}(l_k)$ shown in Algorithm 1. $A$ wins the forgery game FG-1 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG}\text{-}1}_{A}(l_k) = 1]$ of $A$ is nonnegligible.

Definition 5 (Forgery Game 2 in DAOECS (FG-2)). Let $l_k \in \mathbb{N}$ be a security parameter and $A$ be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS and takes charge of the following two events:

(i) issue e-cash (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $A$;
(ii) record the total number $\ell_{D_i}$ of queries for each distinct expiration date $D_i$.

$A$ is allowed to query $O_S$ $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG}\text{-}2}_{A}(l_k)$ shown in Algorithm 2. $A$ wins the forgery game FG-2 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG}\text{-}2}_{A}(l_k) = 1]$ of $A$ is nonnegligible.

Experiment $\mathrm{Exp}^{\mathrm{FG}\text{-}2}_{A}(l_k)$:
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $\{(s_i, m_i, \sigma_i, D^*)\}_{1 \le i \le \ell_{D^*}+1} \leftarrow A^{O_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s_i^{e_b} H_1^2(m_i) H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell_{D^*}+1\}$
        (ii) $m_1, \ldots, m_{\ell_{D^*}+1}$ are all distinct
    else return 0

Algorithm 2: Experiment FG-2.

Experiment $\mathrm{Exp}^{\mathrm{RSA}\text{-}\mathrm{ACTI}}_{A}(k)$:
    $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
    $(y_1, \ldots, y_m) \leftarrow O_t(N, e, k)$
    $(\pi, (x_1, y_1), \ldots, (x_n, y_n)) \leftarrow A^{O_{inv}, O_t}(N, e, k)$
    if the following checks are true, return 1:
        (i) $\pi : \{1, \ldots, n\} \to \{1, \ldots, m\}$ is injective
        (ii) $x_i^e \equiv y_i \pmod N$, $\forall i \in \{1, \ldots, n\}$
        (iii) $n > q_h$
    else return 0

Algorithm 3

Here we introduce the hard problems used in our proof models.

Definition 6 (Alternative Formulation of the RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let $k \in \mathbb{N}$ be a security parameter and $A$ be an adversary who is allowed to access the RSA-inversion oracle $O_{inv}$ and the target oracle $O_t$. $A$ is allowed to query $O_t$ and $O_{inv}$ $m$ and $q_h$ times, respectively. Consider Algorithm 3. We say $A$ breaks the RSA-ACTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA}\text{-}\mathrm{ACTI}}_{A}(k) = 1]$ of $A$ is nonnegligible.

Definition 7 (The RSA Inversion Problem). Given $(e, n)$, where $n$ is the product of two distinct large primes $p$ and $q$ of roughly the same length and $e$ is a positive integer relatively prime to $(p-1)(q-1)$, and a randomly chosen positive integer $y$ less than $n$, find an integer $x$ such that $x^e \equiv y \pmod n$.

Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then DAOECS is secure against forgery attacks.

Theorem 9. For a polynomial-time adversary $A$ who can win FG-1 or FG-2 with nonnegligible probability, there exists another adversary $S$ who can break the RSA-ACTI problem or the RSA inversion problem with nonnegligible probability.

Proof. $S$ simulates the environment and controls three hash oracles $O_{H_1}$, $O_{H_2}$, $O_{H_3}$ and an e-cash producing oracle $O_S$ of the DAOECS scheme to respond to the different queries from $A$ in the random oracle model, and takes advantage of $A$ to solve the RSA-ACTI problem or the RSA inversion problem at the same time. Then, for consistency, $S$ maintains three lists $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$ to record every response of $O_{H_1}$, $O_{H_2}$, and $O_{H_3}$, respectively.

Here we carry out the simulation for the two games (i.e., FG-1 and FG-2) to prove that DAOECS is secure against forgery attacks. The details of the simulation are set out below and illustrated in Figures 6 and 7, respectively.

Simulation in FG-1. In this proof model, $S$ is allowed to query the oracles $O_{inv}$ (i.e., $(\cdot)^d$) and $O_t$ of the RSA-ACTI problem defined in Definition 6 to help $S$ produce e-cash, and the corresponding verifying key is $(e, n)$.

(i) $H_1$ Query of $O_{H_1}$

Initially, every blank record in $L_{H_1}$ can be represented as $(\bot, \bot, \bot)$. When $A$ sends $m$ for querying the hash value $H_1(m)$, $S$ will check the list $L_{H_1}$:

(a) if $m = m_i$ for some $i$, then $S$ retrieves the corresponding $H_1(m_i)$ and returns it to $A$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \bot$ for some $i$, then $S$ retrieves the corresponding $H_1^2(m_i)$ and returns it to $A$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \bot$ for some $i$, then $S$ queries $O_t$ to get an instance $y$, returns it to $A$, and then fills the record $(m_i, H_1(m_i), \bot)$ as $(m_i, H_1(m_i), y)$ in $L_{H_1}$;
(d) otherwise, $S$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \bot)$ in $L_{H_1}$, and returns $\rho$ to $A$.

(ii) $H_2$ Query of $O_{H_2}$

When $A$ asks for an $H_2$ query by sending $D$ to $S$, $S$ will look up the list $L_{H_2}$:

(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $S$ will send $(\tau^e \bmod n)$ back to $A$;
(b) otherwise, $S$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$, and return $(\tau^e \bmod n)$ back to $A$.

(iii) $H_3$ Query of $O_{H_3}$

When $A$ sends $(\sigma, D)$ to $S$ for $H_3(\sigma, D)$, $S$ will look up the list $L_{H_3}$:


Figure 6: The proof model of FG-1.

Figure 7: The proof model of FG-2.

(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ will be retrieved and $(\eta^e \bmod n)$ will be returned to $A$;
(b) otherwise, $S$ will select a random $\eta \in \mathbb{Z}_n$, record $((\sigma, D), \eta)$ in $L_{H_3}$, and return $(\eta^e \bmod n)$ back to $A$.

(iv) E-Cash Producing Query of $O_S$

When $A$ sends $(\alpha, \epsilon, D)$ to $S$, $S$ will do the following steps:

(1) decrypt $\epsilon$ to obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e \bmod n)$, and store $((\sigma, D), \eta)$ in $L_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $O_{H_2}$ query described above;
(6) send $(\alpha \beta \tau^e)$ to the oracle $O_{inv}$ to get $t = (\alpha \beta \tau^e)^d \bmod n$;
(7) return $(t, E_k(b, \sigma, r_j))$ back to $A$.


Eventually, assume that $A$ can successfully output $\ell+1$ e-cash tuples
$$ (s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}), \qquad (17) $$
where the $m_i$ are all distinct, $\forall i$, $1 \le i \le \ell+1$, such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) = H_2(D_i) \pmod n$, after $\ell$ queries to $O_S$, with nonnegligible probability $\epsilon_A$. According to $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, $S$ can compute and retrieve the RSA-inversion instances ($\forall i$, $1 \le i \le \ell+1$)
$$ (y_i)^d \equiv (H_1^2(m_i))^d \equiv s_i^{-1} (H_3(\sigma_i, D_i)^{-1} H_2(D_i))^d \equiv s_i^{-1} \eta_i^{-1} (\tau_i) \pmod n. \qquad (18) $$
Via $A$ querying the signing oracle $O_S$ $\ell$ times (i.e., $S$ querying $O_{inv}$ $\ell$ times), $S$ can output $\ell+1$ RSA-inversion instances
$$ (s_1^{-1} \eta_1^{-1} (\tau_1), y_1),\ (s_2^{-1} \eta_2^{-1} (\tau_2), y_2),\ \ldots,\ (s_{\ell+1}^{-1} \eta_{\ell+1}^{-1} (\tau_{\ell+1}), y_{\ell+1}) \qquad (19) $$
and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_A$.

Simulation in FG-2. Initially, $S$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.

(i) $H_1$ Query of $O_{H_1}$

Initially, every blank record in $L_{H_1}$ can be represented as $(\bot, \bot, \bot)$. When $A$ sends $m$ for querying the hash value $H_1(m)$, $S$ will check the list $L_{H_1}$:

(a) if $m = m_i$ for some $i$, then $S$ retrieves the corresponding $\rho_i$ and returns it to $A$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \bot$ for some $i$, then $S$ retrieves the corresponding $\varsigma$ and returns $(\varsigma^e \bmod n)$ to $A$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \bot$ for some $i$, then $S$ selects a random $\varsigma \in \mathbb{Z}_n$, returns $(\varsigma^e \bmod n)$ to $A$, and then fills the record $(m_i, H_1(m_i), \bot)$ as $(m_i, H_1(m_i), \varsigma)$ in $L_{H_1}$;
(d) otherwise, $S$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \bot)$ in $L_{H_1}$, and returns $\rho$ to $A$.

(ii) $H_2$ Query of $O_{H_2}$

When $A$ asks for an $H_2$ query by sending $D$ to $S$, $S$ will look up the list $L_{H_2}$:

(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $S$ will send $(\tau^e \bmod n)$ back to $A$;
(b) otherwise, $S$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$, and return $(\tau^e \bmod n)$ back to $A$.

(iii) $H_3$ Query of $O_{H_3}$

When $A$ sends $(\sigma, D)$ to $S$ for $H_3(\sigma, D)$, $S$ will look up the list $L_{H_3}$:

(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ will be retrieved and returned to $A$;
(b) otherwise, $S$ will select a random $\eta \in \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e y \bmod n)$, record $((\sigma, D), \eta, H_3(\sigma, D))$ in $L_{H_3}$, and return $H_3(\sigma, D)$ back to $A$.

(iv) E-Cash Producing Query of $O_S$

Let $\ell_{D_i}$ be a counter recording the number of queries on each expiration date $D_i$, initialized to 0. When $A$ sends $(\alpha, \epsilon, D)$ to $S$, $S$ will do the following steps:

(1) decrypt $\epsilon$ to obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), \bot, (\alpha \eta^e \bmod n))$ and $(\sigma, D)$ in $L_{H_3}$ and $L_x$, respectively;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $O_{H_2}$ query described above;
(6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv ((b \eta)^{-1} \tau) \pmod n$;
(7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ back to $A$.

Eventually, assume that $A$ can successfully output $\ell_{D'} + 1$ e-cash tuples for some expiration date $D'$,
$$ (s_1, m_1, \sigma_1, D'), \ldots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D'), \qquad (20) $$
such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D') = H_2(D') \pmod n$, $\forall i$, $1 \le i \le \ell_{D'}+1$, after $\ell_{D'}$ queries to $O_S$ on $D'$, with nonnegligible probability $\epsilon_A$.

Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'}+1$, is not recorded in $L_x$; then by $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, $S$ can compute and retrieve
$$ (s_i)^e \equiv (H_1^2(m_i) H_3(\sigma_i, D'))^{-1} H_2(D') \equiv ((\varsigma_i^e)(\eta_i^e y))^{-1} (\tau_i^e) \pmod n, \qquad x \equiv y^d \equiv (s_i \varsigma_i \eta_i)^{-1} \tau_i \pmod n \qquad (21) $$
and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_A$.

4.3. E-Cash Conditional-Traceability. In this section, we prove that the ID information embedded in an e-cash cannot be replaced or removed by any user in order to escape being traced after misbehavior or a crime. The details of our proof model are illustrated in Figure 8.

Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $A$ be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS to record parameters from the queries of $A$ and issue e-cash (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $A$ is allowed to query $O_S$ $\ell$ times; consider Algorithm 4. $A$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{TG}}_{A}(l_k) = 1]$ of $A$ is nonnegligible.

Figure 8: The proof model of TG.

Experiment $\mathrm{Exp}^{\mathrm{TG}}_{A}(l_k)$:
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s', m', \sigma', D') \leftarrow A^{O_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
    $\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow O_S$
    if the following two checks are true, return 1:
        (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$
        (ii) $s'^{e} H_1^2(m') H_3(\sigma', D') = H_2(D') \bmod n$
    else return 0

Algorithm 4

Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies E-Cash Traceability.

Definition 12 (Alternative Formulation of the RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $A$ be an adversary who is allowed to access the RSA-inversion oracle $O_{inv}$ and the target oracle $O_t$. $A$ is allowed to query $O_t$ and $O_{inv}$ $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5.

We say $A$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA}\text{-}\mathrm{AKTI}}_{A}(k) = 1]$ of $A$ is nonnegligible.

Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{\mathcal{A}}(k)$
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
  $(y_1, \ldots, y_{q_t}) \leftarrow O_t(N, e, k)$
  $((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow \mathcal{A}^{O_{inv}, O_t}(N, e, k)$
  if $x_i^e \equiv y_i \pmod N$ for all $i \in \{1, \ldots, q_t\}$, return 1
  else return 0

Algorithm 5

Theorem 13. For a polynomial-time adversary $\mathcal{A}$ who can win the tracing game TG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-AKTI problem with nonnegligible probability.

Proof. $\mathcal{S}$ simulates the environment of DAOECS by controlling three hash oracles $O_{H_1}$, $O_{H_2}$, and $O_{H_3}$ to respond to hash queries and an e-cash producing oracle $O_S$ of DAOECS to respond to e-cash producing queries from $\mathcal{A}$, respectively, in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the RSA-AKTI problem. Then, for consistency, $\mathcal{S}$ maintains three lists $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$ to record every response of $O_{H_1}$, $O_{H_2}$, and $O_{H_3}$, respectively.

The Scientific World Journal 13

Besides, in the proof model $\mathcal{S}$ is allowed to query the oracles $O_{inv}$ (i.e., $(\cdot)^d$) and $O_t$ of the RSA-AKTI problem defined in Definition 12 for helping $\mathcal{S}$ produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.

Here we will do the simulation for game TG to prove that DAOECS satisfies the e-cash traceability. Details are described as follows.

(i) $H_1$ Query of $O_{H_1}$. Initially every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $L_{H_1}$:

(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;

(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varrho_i$ and returns $(\varrho_i^{\,e} \bmod n)$ to $\mathcal{A}$;

(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ chooses $\varrho \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varrho^e \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varrho)$ in $L_{H_1}$;

(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, H_1(m), \perp)$ in $L_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $O_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $L_{H_2}$:

(a) if $D = D_i$ for some $i$, the corresponding $\tau_i$ will be retrieved and $\mathcal{S}$ will send $(\tau_i^{\,e} \bmod n)$ back to $\mathcal{A}$;

(b) otherwise, $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $O_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $L_{H_3}$:

(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to $\mathcal{A}$;

(b) otherwise, $\mathcal{S}$ will query $O_t$ to get an instance $y$ and record $y$ and $((\sigma, D), y)$ in $L_T$ and $L_{H_3}$, respectively;

(c) return $y$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $O_S$. While $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:

(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;

(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;

(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^e \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $L_{H_3}$;

(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e\alpha\eta^e)^{-1} \bmod n$;

(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $O_{H_2}$ query described above;

(6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv ((b\eta)^{-1}\tau) \pmod n$;

(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of some $O_S$ query, such that $s'^{e}\,H_1^2(m')\,H_3(\sigma', D') \equiv H_2(D') \pmod n$; then, by $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, $\mathcal{S}$ can derive

$$(y')^d \equiv (H_3(\sigma', D'))^d \equiv s'^{-1}\,\bigl(H_1^2(m')^{-1} H_2(D')\bigr)^d \equiv s'^{-1}\varrho'^{-1}\tau' \pmod n. \qquad (22)$$

Let $|L_T| = q_t$ and $L_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends $y_i \in (L_T - \{y'\})$, $1 \le i \le (q_t - 1)$, to $O_{inv}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$. Eventually $\mathcal{S}$ can output $q_t$ RSA-inversion instances

$$(x_1, y_1),\ (x_2, y_2),\ \ldots,\ (x_{q_t-1}, y_{q_t-1}),\ \bigl((s'^{-1}\varrho'^{-1}\tau'),\ y'\bigr) \qquad (23)$$

after querying $O_{inv}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
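The reduction above, as an added worked example that is not part of the paper: a toy simulator S that programs $H_1^2$, $H_2$ and $H_3$ the way the $O_{H_1}$, $O_{H_2}$, $O_{H_3}$ and $O_S$ descriptions do, answers e-cash producing queries knowing only $(n, e)$, and applies equations (22) and (23) to a forged e-cash. The toy RSA parameters, the opaque sigma tokens and the omission of the $E_{pk_j}$/$E_k$ encryptions are assumptions of the example.

```python
"""Toy model of the Theorem 13 reduction (tracing game TG).  The simulator S
controls the random oracles H_1^2, H_2, H_3, answers e-cash producing queries
while knowing only the public key (n, e), and turns a forged e-cash on a fresh
(sigma', D') into an RSA inversion of the target y' = H_3(sigma', D'), as in
equations (22) and (23).  Added illustration with constructed parameters; not
the paper's code.  The encryptions inside an O_S query are left out: sigma is
an opaque token standing in for E_pk_j(ID, r_j)."""
import math
import secrets

# Constructed toy RSA key (the bank's).  Mersenne primes keep the example
# self-contained without a primality test; the size is far too small for use.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D_PRIV = pow(E, -1, (P - 1) * (Q - 1))   # only the 'forger' and O_inv use this


def rand_unit(n):
    """Random element of Z_n^*."""
    while True:
        x = secrets.randbelow(n - 2) + 2
        if math.gcd(x, n) == 1:
            return x


class Simulator:
    """S of the proof: programs the hash oracles and keeps L_H1, L_H2, L_H3, L_T."""

    def __init__(self, n, e):
        self.n, self.e = n, e
        self.L_H1 = {}   # m -> rho,  so that H_1^2(m) = rho^e mod n  (case (c))
        self.L_H2 = {}   # D -> tau,  so that H_2(D)   = tau^e mod n
        self.L_H3 = {}   # (sigma, D) -> H_3(sigma, D)
        self.L_T = []    # targets y from O_t whose e-th root S does not know

    def h1sq(self, m):
        rho = self.L_H1.setdefault(m, rand_unit(self.n))
        return pow(rho, self.e, self.n)

    def h2(self, D):
        tau = self.L_H2.setdefault(D, rand_unit(self.n))
        return pow(tau, self.e, self.n)

    def h3(self, sigma, D):
        if (sigma, D) not in self.L_H3:
            y = rand_unit(self.n)             # O_t hands out a fresh target
            self.L_H3[(sigma, D)] = y
            self.L_T.append(y)
        return self.L_H3[(sigma, D)]

    def ecash_query(self, alpha, sigma, D):
        """O_S steps (3)-(6): program H_3(sigma, D) = alpha * eta^e so that
        alpha*beta*tau^e is a known e-th power; its root is (b*eta)^-1 * tau,
        so the reply t = (alpha*beta*tau^e)^d is produced without d."""
        n, e = self.n, self.e
        if (sigma, D) in self.L_H3:
            raise ValueError("sigma must be fresh (random r_j in the proof)")
        eta = rand_unit(n)
        self.L_H3[(sigma, D)] = alpha * pow(eta, e, n) % n            # (3)
        b = rand_unit(n)                                               # (4)
        beta = pow(pow(b, e, n) * alpha * pow(eta, e, n) % n, -1, n)
        tau = self.L_H2.setdefault(D, rand_unit(n))                    # (5)
        t = pow(b * eta % n, -1, n) * tau % n                          # (6)
        assert pow(t, e, n) == alpha * beta * pow(tau, e, n) % n
        return t, b

    def verify(self, s, m, sigma, D):
        """E-cash check: s^e * H_1^2(m) * H_3(sigma, D) == H_2(D) (mod n)."""
        n = self.n
        lhs = pow(s, self.e, n) * self.h1sq(m) % n * self.h3(sigma, D) % n
        return lhs == self.h2(D)

    def extract(self, s, m, sigma, D):
        """Equation (22): a valid e-cash whose H_3 value is a target y' yields
        y'^d = s'^-1 * rho'^-1 * tau' without any call to O_inv."""
        n = self.n
        if not self.verify(s, m, sigma, D) or self.L_H3[(sigma, D)] not in self.L_T:
            raise ValueError("not a forgery on a target value")
        y = self.L_H3[(sigma, D)]
        x = pow(s, -1, n) * pow(self.L_H1[m], -1, n) % n * self.L_H2[D] % n
        assert pow(x, self.e, n) == y
        return x, y

    def solve_akti(self, forgery, o_inv):
        """Equation (23): invert all q_t targets with only q_t - 1 O_inv calls."""
        x, y = self.extract(*forgery)
        pairs, calls = [(x, y)], 0
        for target in self.L_T:
            if target != y:
                pairs.append((o_inv(target), target))
                calls += 1
        return pairs, calls
```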

4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has been spent in a previous transaction, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model, the merchant may accept a transaction involving a double-spent e-cash first and then do the double-spending check later. In this case the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two events:

(i) No one except the real owner can spend a fresh and valid offline e-cash successfully.

(ii) No one can double spend an e-cash successfully.

Roughly, this can be referred to as the e-cash no-swindling property. In this section we will define the no-swindling property and formally prove that our scheme is secure against swindling attacks.

Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $O_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $O_{off}$ is an oracle showing the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively.

$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.


Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{O_B, O_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\,H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\bigr)\,H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ has never been queried to $O_{off}$
  else return 0

Algorithm 6: Experiment SWG-1.

Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{O_B, O_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\,H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\bigr)\,H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $O_{off}$ once
    (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ is not obtained from $O_{off}$
  else return 0

Algorithm 7: Experiment SWG-2.

Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $O_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. Then, for consistency, $\mathcal{S}$ maintains a list $L_{H_4}$ to record every response of $O_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we will describe the simulations for the two experiments $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ and $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ individually.

The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $O_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$th query will be the attack target. When $\mathcal{A}$ sends the $i$th query to $O_B$ for an e-cash, $O_B$ will do the following:

(a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

(b) if $i = \nu$: (1) compute $(w_1 = (y^*)^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;

(c) if $i \neq \nu$: (1) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;

(d) prepare $s = \bigl((H_1^2(m)\,H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

(e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $O_{off}$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $O_{off}$, it will look up the list $L_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;

(b) otherwise, $O_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $L_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*}$, $\mathcal{S}$ can derive

$$x^* = (r_1^*)^{-1}\bigl(x_1^*\,H_4(r_u^*, r_s^*) + s'^*\bigr) \bmod q \qquad (24)$$


and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{O_B})\,\epsilon_{\mathcal{A}}$, where $q_{O_B}$ is the total number of $O_B$ queries.

Figure 9: The proof model of SWG-1.

The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $O_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$th query will be the attack target. When $\mathcal{A}$ sends the $i$th query to $O_B$ for an e-cash, $O_B$ will do the following:

(a) if $i = \nu$:

  (1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

  (2) compute $(y_1 = (y^*)^{x_1} \bmod p)$ and $(w_1 = y_1^{u} g^{s'} \bmod p)$;

  (3) prepare $s = \bigl((H_1^2(m)\,H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

  (4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $L_B$;

(b) if $i \neq \nu$:

  (1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

  (2) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;

  (3) prepare $s = \bigl((H_1^2(m)\,H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

  (4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$;

(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $O_{off}$. A status parameter sta is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $O_{off}$, it will look up the list $L_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and sta $= 0$, $O_{off}$ will perform the following procedures:

  (1) set sta $= 1$;

  (2) retrieve the corresponding $(u, s')$ from $L_B$ and choose a random $r_u$;

  (3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $L_H$;

  (4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $L_{off}$;

  (5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;

(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $O_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $L_H$, compute $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;

(c) otherwise, abort.

(iii) Oracle $O_{H_4}$. While $\mathcal{A}$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $O_{H_4}$ will check the list $L_H$:

(a) if $(r_u, r_s)$ exists as the prefix of some record, $O_{H_4}$ will retrieve the corresponding $u$ and return it to $\mathcal{A}$;

(b) otherwise, $O_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $L_H$, and return $u$ to $\mathcal{A}$.

Figure 10: The proof model of SWG-2.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $L_B$, and $H_4(r_u^*, r_s^*) = u^*$. Then, via $L_H$, since

$$\bigl((y^*)^{x_1^*}\bigr)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \bigl((y^*)^{x_1^*}\bigr)^{u} g^{s'} \pmod p, \qquad (25)$$

$\mathcal{S}$ can derive

$$x^* = \bigl(x_1^*(u^* - u)\bigr)^{-1}(s' - s'^*) \bmod q \qquad (26)$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{O_B})\,\epsilon_{\mathcal{A}}$, where $q_{O_B}$ is the total number of $O_B$ queries.

Summarizing the proof models for the two experiments shown above, if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. This implies that there exists no p.p.t. adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
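The two extractions of the proof, as an added worked example that is not part of the paper: S embeds a constructed discrete-log instance $y^* = g^{x^*}$ into the $\nu$th e-cash the way $O_B$ does in the SWG-1 and SWG-2 simulations, recovers $x^*$ from one valid opening via equation (24), and from two openings of the same $w_1$ under different $H_4$ values via equation (26). The small safe-prime group ($p = 2039$, $q = 1019$, $g = 4$) and the programmable $H_4$ table are assumptions of the example.

```python
"""Toy model of the Theorem 16 reductions (swindling games SWG-1 and SWG-2).
S is given y* = g^x* mod p and embeds it in the nu-th generic e-cash:
  SWG-1: w_1 = (y*)^r1, y_1 = g^x1.  An opening (r_u, r_s, s') of that e-cash,
         i.e. w_1 = y_1^H_4(r_u, r_s) g^s', gives
         x* = r1^-1 (x1 * H_4(r_u, r_s) + s') mod q                    (24)
  SWG-2: y_1 = (y*)^x1, w_1 = y_1^u g^s'.  A second opening (u*, s'*) of the
         same w_1 gives x* = (x1 (u* - u))^-1 (s' - s'*) mod q          (26)
Added illustration with a constructed small group; not the paper's code."""
import secrets

# Constructed Schnorr-style group: p = 2q + 1 is a safe prime and g = 4 has
# prime order q, so exponents live in Z_q.  Toy size only.
P_MOD, Q_ORD, G = 2039, 1019, 4


def rand_exp():
    """Random nonzero exponent in Z_q."""
    return secrets.randbelow(Q_ORD - 1) + 1


class H4Oracle:
    """Programmable random oracle H_4 backed by the list L_H of the proof."""

    def __init__(self):
        self.L_H = {}

    def program(self, r_u, r_s, u):
        """Step (3) of O_off in SWG-2: fix H_4(r_u, r_s) = u."""
        self.L_H[(r_u, r_s)] = u

    def query(self, r_u, r_s):
        """Cases (a)/(b) of O_H4: reuse a recorded u or pick a fresh one."""
        return self.L_H.setdefault((r_u, r_s), rand_exp())


def opening_valid(w1, y1, u, s_prime):
    """Payment relation checked in (i) of SWG-1/SWG-2: w_1 == y_1^u * g^s' (mod p)."""
    return w1 == pow(y1, u, P_MOD) * pow(G, s_prime, P_MOD) % P_MOD


def swg1_embed(y_star):
    """O_B for i = nu in the SWG-1 simulation; returns (w_1, y_1) and the
    trapdoor (r_1, x_1) that S keeps in L_B."""
    r1, x1 = rand_exp(), rand_exp()
    return (pow(y_star, r1, P_MOD), pow(G, x1, P_MOD)), (r1, x1)


def swg1_extract(trap, opening, h4):
    """Equation (24): w_1 = g^{x* r1} and w_1 = g^{x1 u + s'} give x* r1 = x1 u + s'."""
    r1, x1 = trap
    r_u, r_s, s_prime = opening
    u = h4.query(r_u, r_s)
    return pow(r1, -1, Q_ORD) * (x1 * u + s_prime) % Q_ORD


def swg2_embed(y_star):
    """O_B for i = nu in the SWG-2 simulation; returns (w_1, y_1) and the
    trapdoor (x_1, u, s') that S keeps in L_B."""
    x1, u, s_prime = rand_exp(), rand_exp(), rand_exp()
    y1 = pow(y_star, x1, P_MOD)
    w1 = pow(y1, u, P_MOD) * pow(G, s_prime, P_MOD) % P_MOD
    return (w1, y1), (x1, u, s_prime)


def swg2_extract(trap, second_opening):
    """Equation (26): from w_1 = (y*^x1)^u g^s' = (y*^x1)^u* g^s'* with u* != u,
    x* x1 (u* - u) = s' - s'* (mod q)."""
    x1, u, s_prime = trap
    u_star, s_star = second_opening
    if (u_star - u) % Q_ORD == 0:
        raise ValueError("second opening must use a different H_4 value u*")
    inv = pow(x1 * (u_star - u) % Q_ORD, -1, Q_ORD)
    return inv * (s_prime - s_star) % Q_ORD
```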

5. E-Cash Advanced Features and Performance Comparisons

In this section, we compare the e-cash features and performance of our proposed scheme with other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and summarize them in Table 1.

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these features, there can be other advanced features of an e-cash system discussed in the literature. We focus on three other advanced features, which are traceability, date attachability, and no-swindling, and we compare the proposed scheme with the aforementioned schemes.

We also propose an e-cash renewal protocol for users to exchange their unused but expired e-cash(s) for a new valid e-cash; therefore users do not have to deposit the e-cash before it expires and withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. This is a great help to users, since their devices, such as smart phones, usually have weaker computation capability.


Table 1: Advanced features and performance comparisons.

Scheme  On/off-  Conditional-  Date           No-        Renewal   Formal  Transaction cost (*)       Communication
        line     traceability  attachability  swindling  protocol  proof                              cost (**)
Ours    Off      Yes           Yes            Yes        Yes       Yes     5E+7M+7H+1inv+1A ≈ 1454M   1092
[38]    Off      Yes           No            No         —         Yes     14E+14M+1H+5A ≈ 3375M      576
[14]    Off      No            No            No         Yes       No      6E+8M ≈ 1448M              1288
[15]    Off      Yes           No            No         —         Yes     23E+14M+1A ≈ 5534M         939
[9]     On       No            Yes           —          No        No      2E+2M+2H ≈ 966M            769
[21]    Off      Yes           Yes           No         Yes       No      5E+9M+1H+1inv+2A ≈ 1450M   644
[22]    Off      Yes           No            Yes        Yes       Yes     2E ≈ 480M                  300
[39]    Off      Yes           No            No         —         Yes     18E+15M+2H+8A ≈ 4337M      828
[40]    Off      Yes           No            No         —         Yes     31E+22M+6H+10A ≈ 7468M     968
[13]    On       Yes           No            —          —         Yes     22E+11M+4A ≈ 5291M         1536
[27]    Off      No            Yes           No         Yes       No      6E+8M+1H ≈ 1449M           728

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
(*) The computation cost of the withdrawal and payment protocols at the user side.
(**) The communication cost of each transaction at the user side, in bytes.


5.2. Performance Comparisons. According to [41], we can summarize the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times that of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.

With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be induced as 1452 times that of a modular multiplication, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times that of a modular multiplication to finish the withdrawal and payment phases at the user end.

According to [15], we assume the RSA parameters $n$, $p$, and $q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and one-way hash function used in all protocols, respectively; therefore the signed message and hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.

The details of the comparisons are summarized in Table 1.

6. Conclusion

In this paper, we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol where users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient in terms of the computation cost at the user side while satisfying all security properties simultaneously. Besides anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank to manage its huge databases against unlimited growth, but it also strengthens the preservation of users' privacy and rights.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grants NSC 102-2219-E-110-002, NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.

References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.

[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.

[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.

[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.

[5] D. R. Liuy and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.

[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.

[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.

[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.

[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.

[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.

[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.

[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.

[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.

[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.

[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.

[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.

[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.

[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology-CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.

[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.

[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.

[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.

[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.

[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.

[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.

[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.

[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology-CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.

[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.

[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.

[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.

[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.

[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs - White Paper, Mobile Platform Group, Intel Corporation, 2002.

[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.

[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.

[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.

[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.

[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.

[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.

[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.


6 The Scientific World Journal

[Figure 3: Deposit protocol. Shop $\to$ Bank: $(s, y_1, w_1, y_2, w_2, r_3, r_4, \sigma, D, d, s', r_u, r_s)$, where $r_4 = r_2 - x_2 H_5(d)$ and $d$ is the deposit date. The bank checks the validity of $D$ and $d$; verifies $s^{e_b} H_1^2(y_1, w_1, y_2, w_2, D, r_3)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$; checks $w_1 = y_1^{H_4(r_u, r_s)} g_1^{s'} \bmod p$ and $w_2 = y_2^{H_5(d)} g_2^{r_4} \bmod p$; and checks whether $(s, m, \sigma, D)$ is unique: if yes, it stores the coin in the deposit list; if no, it traces the owner of the coin.]

[Figure 4: E-cash renewal protocol. User $\to$ Bank: $(s, \rho, \sigma, D)$, where $\rho = H_1(y_1, w_1, y_2, w_2, D, r_3)$. The bank checks the expiration date $D$; verifies $s^{e_b} H_1(\rho)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$; checks whether $\rho$ exists in the exchange list and whether $s$ is unique: if yes, it accepts the exchange, stores $\rho$ in the exchange list, and sends Accept together with the new expiration date $D'$; if no, it rejects and traces the owner of the coin. The user then computes $\alpha = [a^{e_b} H_1^2(y_1, w_1, y_2, w_2, D', r_3')]^{-1} \bmod n_b$, sends $(\alpha, \epsilon)$, and the withdrawal protocol is repeated.]

exchange the e-cash. It will send a new expiration date $D'$ and store $\rho$ in the exchange list. Otherwise, it will reject the exchange request.

(3) User $\to$ Bank: $(\alpha, \epsilon)$.

The user computes
$$\alpha = \left[a^{e_b} H_1^2(m', D')\right]^{-1} \bmod n_b, \tag{9}$$
where $m' = (y_1, w_1, y_2, w_2, x_2, r_3')$, $r_3'$ is chosen at random, and $D'$ is the new expiration date issued by the bank. The user sends $(\alpha, \epsilon, \mathrm{ID}_c)$ to the bank. Then the bank repeats the withdrawal protocol in Section 3.2.2 from Step 2 with the user.

[Figure 5: The game environment of the linkage game. A random bit $b$ is chosen; the honest users $U_0$ and $U_1$ receive $m_b$ and $m_{1-b}$, engage with $\mathcal{B}$, and output $(m_b, \sigma_b)$ and $(m_{1-b}, \sigma_{1-b})$; $\mathcal{B}$ outputs $b'$ and wins if $b' = b$, with $\mathrm{Adv}^{\text{Linkability}}_{\text{DAOECS}}(\mathcal{B}) = |2\Pr[b' = b] - 1|$.]

3.2.6. Double-Spending Checking and Anonymity Control. In our scheme, the identity of the users is anonymous in general, except when the users violate any security rules, in which case their identities will be revealed.

(1) Double-Spending Checking. When an e-cash is being doubly spent, there must be two e-cash(s) with the same record prefixed by $(s, y_1, w_1, y_2, w_2, r_3, \sigma, D)$ stored in the database of the bank. Therefore, the bank is able to detect any double-spent e-cash easily by checking the above parameters. For instance, the bank has received two e-cash(s)
$$(s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, s', r_u, r_s), \qquad (s, y_1, w_1, y_2, w_2, x_2, r_3, \bar{r}_4, \sigma, D, \bar{d}, \bar{s}', \bar{r}_u, \bar{r}_s). \tag{10}$$
Thus, the bank can obtain two equations as follows:
$$s' \equiv r_1 - H_4(r_u, r_s)\, x_1 \pmod q, \qquad \bar{s}' \equiv r_1 - H_4(\bar{r}_u, \bar{r}_s)\, x_1 \pmod q. \tag{11}$$
The bank can derive $(x_1, r_1)$ from the above equations and send $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ to the judge to trace the owner of the e-cash.

(2) Revocation. The judge can trace any user who doubly spends e-cash(s) or violates any transaction regulations. When the judge receives $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ from the bank, it checks the following equations:
$$s^{e_b} H_1^2(m, D)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}, \qquad y_1 \equiv g_1^{x_1} \pmod p, \qquad w_1 \equiv g_1^{r_1} \pmod p. \tag{12}$$
If all of the above equalities are true, the judge will decrypt $\sigma$ and return the extracted $\mathrm{ID}_c$ to the bank.
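The bank-side double-spending check of (10)–(12), as an added example that is not code from the paper: two deposits of the same coin with different challenge inputs $(r_u, r_s)$ give the two congruences of (11), from which $(x_1, r_1)$ is solved and then checked by the judge against $y_1 = g_1^{x_1}$ and $w_1 = g_1^{r_1}$. It assumes toy group parameters (safe prime $p = 10007$, $q = 5003$, $g_1 = 4$), SHA-256 standing in for $H_4$, and a string label standing in for the RSA part $s$ of the coin prefix; the RSA equality of (12) is not modelled.

```python
from __future__ import annotations

import hashlib

# Toy system parameters, constructed for this example (not the paper's values):
# p = 2q + 1 is a safe prime and g1 = 4 generates the order-q subgroup of Z_p^*.
P = 10007
Q = 5003
G1 = 4


def h4(r_u: bytes, r_s: bytes) -> int:
    """Challenge hash H4(r_u, r_s) reduced into Z_q (SHA-256 stands in for the paper's H4)."""
    digest = hashlib.sha256(b"H4|" + r_u + b"|" + r_s).digest()
    return int.from_bytes(digest, "big") % Q


def commitments(x1: int, r1: int) -> tuple[int, int]:
    """User's commitments y1 = g1^x1, w1 = g1^r1 (mod p) that are embedded in the coin."""
    return pow(G1, x1, P), pow(G1, r1, P)


def pay(x1: int, r1: int, r_u: bytes, r_s: bytes) -> int:
    """Payment response s' = r1 - H4(r_u, r_s) x1 (mod q): one linear relation in (x1, r1)."""
    return (r1 - h4(r_u, r_s) * x1) % Q


def shop_check(y1: int, w1: int, s_prime: int, r_u: bytes, r_s: bytes) -> bool:
    """Figure 3 check: w1 == y1^{H4(r_u, r_s)} g1^{s'} (mod p)."""
    return w1 == (pow(y1, h4(r_u, r_s), P) * pow(G1, s_prime, P)) % P


def find_double_spends(deposits: list[dict]) -> dict[tuple, list[dict]]:
    """Bank-side check: group deposits by the coin prefix (here (label, y1, w1) stands in
    for (s, y1, w1, y2, w2, r3, sigma, D)); a prefix deposited more than once with
    different challenge inputs (r_u, r_s) is a double spend."""
    by_prefix: dict[tuple, list[dict]] = {}
    for dep in deposits:
        by_prefix.setdefault(dep["prefix"], []).append(dep)
    return {k: v for k, v in by_prefix.items()
            if len({(d["r_u"], d["r_s"]) for d in v}) > 1}


def recover_identity_witness(dep_a: dict, dep_b: dict) -> tuple[int, int]:
    """Solve the two congruences of (11) for (x1, r1):
         s'_a = r1 - c_a x1,  s'_b = r1 - c_b x1  (mod q),  with c = H4(r_u, r_s)."""
    c_a = h4(dep_a["r_u"], dep_a["r_s"])
    c_b = h4(dep_b["r_u"], dep_b["r_s"])
    diff = (c_a - c_b) % Q
    if diff == 0:
        raise ValueError("challenge collision: the two H4 values coincide, (11) is singular")
    x1 = ((dep_b["s_prime"] - dep_a["s_prime"]) * pow(diff, -1, Q)) % Q
    r1 = (dep_a["s_prime"] + c_a * x1) % Q
    return x1, r1


def judge_check(y1: int, w1: int, x1: int, r1: int) -> bool:
    """The two discrete-log equalities of (12): y1 == g1^x1 and w1 == g1^r1 (mod p)."""
    return y1 == pow(G1, x1, P) and w1 == pow(G1, r1, P)


def demo() -> tuple[int, int]:
    """Constructed scenario: one coin spent at two shops and deposited twice."""
    x1, r1 = 1234, 4321                      # the user's secrets behind the coin
    y1, w1 = commitments(x1, r1)
    prefix = ("coin-A", y1, w1)              # "coin-A" stands in for the RSA part s
    deposits = []
    for r_u, r_s in ((b"shop1", b"nonce-1"), (b"shop2", b"nonce-2")):
        s_prime = pay(x1, r1, r_u, r_s)
        assert shop_check(y1, w1, s_prime, r_u, r_s)   # each shop accepts the payment
        deposits.append({"prefix": prefix, "s_prime": s_prime, "r_u": r_u, "r_s": r_s})
    suspects = find_double_spends(deposits)
    dep_a, dep_b = suspects[prefix]
    recovered = recover_identity_witness(dep_a, dep_b)
    assert judge_check(y1, w1, *recovered)            # the judge confirms (x1, r1)
    return recovered


if __name__ == "__main__":
    print("recovered (x1, r1):", demo())
```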

4. Security Proofs

In this section, we provide security definitions and formal proofs of the following security features: unlinkability, unforgeability, traceability, and no-swindling for our proposed date attachable offline electronic cash scheme (DAOECS).

4.1. E-Cash Unlinkability. Based on the definition of unlinkability introduced by Abe and Okamoto [35] and Juels et al. [36], we formally define the unlinkability property of DAOECS.

Definition 1 (The Linkage Game). Let $U_0$, $U_1$, and $\mathcal{J}$ be two honest users and the judge that follow DAOECS, respectively. Let $\mathcal{B}$ be the bank that participates in the following game with $U_0$, $U_1$, and $\mathcal{J}$. The game environment is shown in Figure 5.

Step 1. According to DAOECS, $\mathcal{B}$ generates the bank's public key $(e_b, n_b)$, the bank's private key $(d_b, p_b, q_b)$, the system parameters $(p, q, g_1, g_2)$, the expiration date $D$, and the five public one-way hash functions $H_1, H_2, H_3, H_4$, and $H_5$. $\mathcal{J}$ generates the judge's public-private key pair $(pk_j, sk_j)$.

Step 2. $\mathcal{B}$ generates $x_{1i}, x_{2i}, r_{1i}, r_{2i}, r_{3i}$ at random, where $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q-1\}$, and computes $(y_{ki}, w_{ki})$ for $k = 1, 2$ and $i = 0, 1$, where $y_{ki} = g_k^{x_{ki}} \bmod p$ and $w_{ki} = g_k^{r_{ki}} \bmod p$.

Step 3. We choose a bit $b \in \{0, 1\}$ randomly and place $(y_{1b}, w_{1b}, y_{2b}, w_{2b})$ and $(y_{1,1-b}, w_{1,1-b}, y_{2,1-b}, w_{2,1-b})$ on the private input tapes of $U_0$ and $U_1$, respectively, where $b$ is not disclosed to $\mathcal{B}$.

Step 4. $\mathcal{B}$ performs the withdrawal protocol of DAOECS with $U_0$ and $U_1$, respectively.

Step 5. If $U_0$ and $U_1$ output two e-cash(s) $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$, where $m_i = (y_{1i}, w_{1i}, y_{2i}, w_{2i}, r_{3i})$, on their private tapes, respectively, we give the two e-cash(s) in a random order to $\mathcal{B}$; otherwise, $\perp$ is given to $\mathcal{B}$.


Experiment $\mathrm{Exp}^{\text{FG-1}}_{\mathcal{A}}(l_k)$:
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s_i^{e_b} H_1^2(m_i)\, H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell+1\}$
        (ii) $m_1, \ldots, m_{\ell+1}$ are all distinct
    else return 0

Algorithm 1: Experiment FG-1.

Step 6. $\mathcal{B}$ outputs $b' \in \{0, 1\}$ as the guess of $b$. The bank $\mathcal{B}$ wins the game if $b' = b$ and $\mathcal{J}$ has not revoked the anonymity of $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$ to $\mathcal{B}$. We define the advantage of $\mathcal{B}$ as
$$\mathrm{Adv}^{\text{Linkability}}_{\text{DAOECS}}(\mathcal{B}) = \left| 2\Pr[b' = b] - 1 \right|, \tag{13}$$
where $\Pr[b' = b]$ denotes the probability of $b' = b$.

Definition 2 (Unlinkability). A DAOECS satisfies the unlinkability property if and only if the advantage $\mathrm{Adv}^{\text{Linkability}}_{\text{DAOECS}}(\mathcal{B})$ defined in Definition 1 is negligible.

Theorem 3. A DAOECS satisfies the unlinkability property of Definition 2 if the adopted cryptosystems are semantically secure.

Proof. If $\mathcal{B}$ is given $\perp$ in Step 5 of the game, it will determine $b$ with probability $1/2$, which is exactly the same as a random guess of $b$.

Here we assume that $\mathcal{B}$ gets two e-cash(s) $(s_0, m_0, \sigma_0, D_0)$ and $(s_1, m_1, \sigma_1, D_1)$. Let $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$, $i \in \{0, 1\}$, be the view of the data exchanged between $U_i$ and $\mathcal{B}$ in the withdrawal protocol (Section 3.2.2), and let $(x_{2i}, r_{2i}, r_{4i}, r_{u_i}, r_{s_i}, s'_i, d_i)$ be the view of the data exchanged when $\mathcal{B}$ performs the payment protocol (Section 3.2.3) and the deposit protocol (Section 3.2.4) by using $(s_i, m_i, \sigma_i, D_i)$, where $i \in \{0, 1\}$. For
$$(s, m, \sigma, D, x_2, r_2, r_4, r_u, r_s, s', d) \in \left\{(s_0, m_0, \sigma_0, D_0, x_{20}, r_{20}, r_{40}, r_{u_0}, r_{s_0}, s'_0, d_0),\ (s_1, m_1, \sigma_1, D_1, x_{21}, r_{21}, r_{41}, r_{u_1}, r_{s_1}, s'_1, d_1)\right\} \tag{14}$$
and $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$, $i \in \{0, 1\}$, there always exists a pair $(a'_i, b'_i)$ such that
$$a'_i = \left[\alpha_i H_1^2(m, D)\right]^{-d_b} \bmod n_b \quad \text{(via (1))}, \qquad b'_i = \left[\beta_i H_3(\sigma, D)\right]^{-d_b} \bmod n_b \quad \text{(via (2))}. \tag{15}$$
And from (3), $t_i \equiv (\alpha_i \beta_i H_2(D))^{d_b} \pmod{n_b}$, so (4) always holds as
$$s \equiv (a'_i b'_i t_i) \equiv \left[\left(H_1^2(m, D)\, H_3(\sigma, D)\right)^{-1} H_2(D)\right]^{d_b} \pmod{n_b}. \tag{16}$$
Besides, $E_{pk_j}$ and $E_{k_i}$ are semantically secure encryption functions, so $\mathcal{B}$ cannot learn any information from $\epsilon_i$ and $E_{k_i}(b_i, \sigma_i, r_{j_i})$.

From the above, given any $(s, m, \sigma, D) \in \{(s_0, m_0, \sigma_0, D_0), (s_1, m_1, \sigma_1, D_1)\}$ and $(\alpha_i, \beta_i, t_i)$, where $i \in \{0, 1\}$, there always exists a corresponding pair $(a'_i, b'_i)$ such that (1), (2), (3), and (4) are satisfied. Thus, going back to Step 6 of the game, the bank $\mathcal{B}$ succeeds in determining $b$ with probability $(1/2) + \varepsilon$, where $\varepsilon$ is negligible since $E_{pk_j}$ and $E_{k_i}$ are semantically secure. Therefore, we have $\mathrm{Adv}^{\text{Linkability}}_{\text{DAOECS}}(\mathcal{B}) = 2\varepsilon$, which is negligible, so that DAOECS satisfies the unlinkability property.
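The withdrawal equations (1)–(4), the coin check of Figures 3 and 4, and the witness pair $(a'_i, b'_i)$ of (15)–(16) from the proof of Theorem 3, as an added example that is not code from the paper: a coin is issued blindly, verified, and then explained by its own view and by the other user's view alike (both views share the game's single expiration date $D$). It assumes a toy bank key built from the primes 999983 and 1000003, SHA-256 with a counter standing in for $H_1$, $H_2$, $H_3$ (re-hashed until the value is invertible mod $n_b$), a plain byte string standing in for $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$, and it omits $\epsilon$ and the channel $E_{k}$.

```python
from __future__ import annotations

import hashlib
import math

# Toy RSA key for the bank, constructed for this example (far too small for real use).
P_B, Q_B = 999983, 1000003
N_B = P_B * Q_B
E_B = 65537
D_B = pow(E_B, -1, (P_B - 1) * (Q_B - 1))


def _hash_to_zn_star(tag: bytes, *parts: bytes) -> int:
    """Hash into Z_n^*: SHA-256 over tag|parts|counter, retried until coprime to n_b."""
    ctr = 0
    while True:
        data = tag + b"|" + b"|".join(parts) + b"|" + str(ctr).encode()
        h = int.from_bytes(hashlib.sha256(data).digest(), "big") % N_B
        if h > 1 and math.gcd(h, N_B) == 1:
            return h
        ctr += 1


def h1_squared(m: bytes, date: bytes) -> int:
    """H1^2(m, D) = H1(H1(m, D)): H1 applied twice, as in the verification equations."""
    inner = _hash_to_zn_star(b"H1", m, date)
    return _hash_to_zn_star(b"H1", inner.to_bytes(8, "big"))


def h2(date: bytes) -> int:
    return _hash_to_zn_star(b"H2", date)


def h3(sigma: bytes, date: bytes) -> int:
    return _hash_to_zn_star(b"H3", sigma, date)


def withdraw(m: bytes, date: bytes, ident: bytes, a: int, b: int) -> tuple[dict, dict]:
    """One withdrawal with fixed blinding factors a (user) and b (bank).
    Returns (coin, view): coin = (s, m, sigma, D); view = what the bank saw, (alpha, beta, t)."""
    assert math.gcd(a, N_B) == 1 and math.gcd(b, N_B) == 1
    # User, eq. (1): blind H1^2(m, D) with a.
    alpha = pow(pow(a, E_B, N_B) * h1_squared(m, date) % N_B, -1, N_B)
    # Bank: sigma stands in for E_{pk_j}(ID, r_j); the judge's encryption is not modelled.
    sigma = b"sigma(" + ident + b")"
    beta = pow(pow(b, E_B, N_B) * h3(sigma, date) % N_B, -1, N_B)      # eq. (2)
    t = pow(alpha * beta * h2(date) % N_B, D_B, N_B)                     # eq. (3)
    # User, eq. (4): unblind with a and the bank's b.
    s = a * b * t % N_B
    coin = {"s": s, "m": m, "sigma": sigma, "D": date}
    view = {"alpha": alpha, "beta": beta, "t": t}
    return coin, view


def verify_coin(coin: dict) -> bool:
    """Check from Figures 3 and 4: s^e H1^2(m, D) H3(sigma, D) == H2(D) (mod n_b)."""
    lhs = pow(coin["s"], E_B, N_B) * h1_squared(coin["m"], coin["D"]) % N_B
    lhs = lhs * h3(coin["sigma"], coin["D"]) % N_B
    return lhs == h2(coin["D"])


def blinding_witness(coin: dict, view: dict) -> tuple[int, int]:
    """Eq. (15): the pair (a', b') that explains `coin` by `view`; computed here with d_b,
    which is what the existence argument in the proof of Theorem 3 relies on."""
    a_prime = pow(view["alpha"] * h1_squared(coin["m"], coin["D"]) % N_B, -1, N_B)
    a_prime = pow(a_prime, D_B, N_B)          # [alpha H1^2(m, D)]^{-d_b}
    b_prime = pow(view["beta"] * h3(coin["sigma"], coin["D"]) % N_B, -1, N_B)
    b_prime = pow(b_prime, D_B, N_B)          # [beta H3(sigma, D)]^{-d_b}
    return a_prime, b_prime


def explains(coin: dict, view: dict) -> bool:
    """Eq. (16): s == a' b' t (mod n_b) for the witness pair of (coin, view)."""
    a_prime, b_prime = blinding_witness(coin, view)
    return coin["s"] == a_prime * b_prime * view["t"] % N_B


if __name__ == "__main__":
    date = b"2014-12-31"
    coin0, view0 = withdraw(b"m0", date, b"alice", 12345, 67890)
    coin1, view1 = withdraw(b"m1", date, b"bob", 24680, 13579)
    print("coins valid:", verify_coin(coin0), verify_coin(coin1))
    print("matched views explain:", explains(coin0, view0), explains(coin1, view1))
    print("swapped views explain:", explains(coin0, view1), explains(coin1, view0))
```

Because the swapped pairings are explained just as well as the matched ones, the bank's transcripts carry no information about which coin came from which withdrawal.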

4.2. E-Cash Unforgeability. In this section, we will formally prove that the proposed date attachable offline electronic cash scheme (DAOECS) is secure against forgery attacks. The forgery attack can be roughly divided into two types: one is the typical one-more forgery type (i.e., $(\ell, \ell+1)$-forgery) [37], and the other is the forgery on some specific expiration date of an e-cash after sufficient communications with the signing oracle (i.e., the bank). The details of the definitions and our formal proofs are described as follows.

Definition 4 (Forgery Game 1 in DAOECS (FG-1)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS and is responsible for issuing e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $\mathcal{A}$. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\text{FG-1}}_{\mathcal{A}}(l_k)$ shown in Algorithm 1. $\mathcal{A}$ wins the forgery game FG-1 if the probability $\Pr[\mathrm{Exp}^{\text{FG-1}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Definition 5 (Forgery Game 2 in DAOECS (FG-2)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS and takes charge of the following two events:

(i) issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $\mathcal{A}$;

(ii) record the total number $\ell_{D_i}$ of each distinct expiration date $D_i$.

$\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\text{FG-2}}_{\mathcal{A}}(l_k)$ shown in Algorithm 2. $\mathcal{A}$ wins the forgery game FG-2 if the probability $\Pr[\mathrm{Exp}^{\text{FG-2}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Experiment $\mathrm{Exp}^{\text{FG-2}}_{\mathcal{A}}(l_k)$:
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $\{(s_i, m_i, \sigma_i, D^*)\}_{1 \le i \le \ell_{D^*}+1} \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s_i^{e_b} H_1^2(m_i)\, H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell_{D^*}+1\}$
        (ii) $m_1, \ldots, m_{\ell_{D^*}+1}$ are all distinct
    else return 0

Algorithm 2: Experiment FG-2.

Experiment $\mathrm{Exp}^{\text{RSA-ACTI}}_{\mathcal{A}}(k)$:
    $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
    $(y_1, \ldots, y_m) \leftarrow \mathcal{O}_t(N, e, k)$
    $\pi, (x_1, y_1), \ldots, (x_n, y_n) \leftarrow \mathcal{A}^{\mathcal{O}_{inv}, \mathcal{O}_t}(N, e, k)$
    if the following checks are true, return 1:
        (i) $\pi: \{1, \ldots, n\} \to \{1, \ldots, m\}$ is injective
        (ii) $x_i^e \equiv y_i \pmod N$, $\forall i \in \{1, \ldots, n\}$
        (iii) $n > q_h$
    else return 0

Algorithm 3.

Here we introduce the hard problems used in our proof models.

Definition 6 (Alternative Formulation of RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{inv}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{inv}$ for $m$ and $q_h$ times, respectively. Consider Algorithm 3. We say $\mathcal{A}$ breaks the RSA-ACTI problem if the probability $\Pr[\mathrm{Exp}^{\text{RSA-ACTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Definition 7 (The RSA Inversion Problem). Given $(e, n)$, where $n$ is the product of two distinct large primes $p$ and $q$ with roughly the same length and $e$ is a positive integer relatively prime to $(p-1)(q-1)$, and a randomly chosen positive integer $y$ less than $n$, find an integer $x$ such that $x^e \equiv y \pmod n$.

Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then DAOECS is secure against forgery attacks.

Theorem 9. For a polynomial-time adversary $\mathcal{A}$ who can win FG-1 or FG-2 with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-ACTI problem or the RSA inversion problem with nonnegligible probability.

Proof. $\mathcal{S}$ simulates the environment and controls three hash oracles $\mathcal{O}_{H_1}, \mathcal{O}_{H_2}, \mathcal{O}_{H_3}$ and an e-cash producing oracle $\mathcal{O}_S$ of the DAOECS scheme to respond to the different queries from $\mathcal{A}$ in the random oracle model, and takes advantage of $\mathcal{A}$ to solve the RSA-ACTI problem or the RSA inversion problem simultaneously. Then, for consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}, \mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}, \mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.

Here we will start to do the simulation for the two games (i.e., FG-1 and FG-2) to prove that DAOECS is secure against forgery attacks. The details of the simulation are set below and illustrated in Figures 6 and 7, respectively.

[Figure 6: The proof model of FG-1. $\mathcal{S}$ answers $\mathcal{A}$'s $\mathcal{O}_{H_1}$ queries with $\rho_i$ or with a target $y_i$ from $\mathcal{O}_t$, $\mathcal{O}_{H_2}$ queries with $\tau_i^e \bmod n$, $\mathcal{O}_{H_3}$ queries with $\eta_i^e \bmod n$, and $\mathcal{O}_S$ queries $(\alpha_i, \epsilon_i, D_i)$ with $(t_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$, where $t_i$ is obtained from $\mathcal{O}_{inv}$ on $\alpha_i\beta_i\tau_i^e$; from $\mathcal{A}$'s $\ell+1$ coins $(s_i, m_i, \sigma_i, D_i)$ with $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod n$ it outputs $(s_i^{-1}\eta_i^{-1}\tau_i, y_i)$, $i = 1, \ldots, \ell+1$, since $(y_i)^d \equiv s_i^{-1}\eta_i^{-1}\tau_i \pmod n$.]

[Figure 7: The proof model of FG-2. $\mathcal{S}$ answers $\mathcal{O}_{H_1}$ queries with $\rho_i$ or $\xi_i^e \bmod n$, $\mathcal{O}_{H_2}$ queries with $\tau_i^e \bmod n$, $\mathcal{O}_{H_3}$ queries on $(\sigma_i, D_i)$ with $\eta_i^e y \bmod n$, and $\mathcal{O}_S$ queries $(\alpha_i, \epsilon_i, D_i)$ with $(t_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$; from $\mathcal{A}$'s $\ell_{D'}+1$ coins $(s_i, m_i, \sigma_i, D')$ with $s_i^e H_1^2(m_i) H_3(\sigma_i, D') \equiv H_2(D') \pmod n$ it computes $x \equiv y^d \equiv (s_i\xi_i\eta_i)^{-1}\tau_i \pmod n$.]

Simulation in FG-1. In this proof model, $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{inv}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-ACTI problem defined in Definition 6 for helping $\mathcal{S}$ to produce e-cash(s), and the corresponding verifying key is $(e, n)$.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially, every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:

(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;

(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1^2(m_i)$ and returns it to $\mathcal{A}$;

(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ queries $\mathcal{O}_t$ to get an instance $y$ and returns it to $\mathcal{A}$, then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), y)$ in $\mathcal{L}_{H_1}$;

(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:

(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;

(b) otherwise, $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:

(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ will be retrieved and $(\eta^e \bmod n)$ will be returned to $\mathcal{A}$;

(b) otherwise, $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, record $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$, and return $(\eta^e \bmod n)$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:

(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;

(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;

(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e \bmod n)$, and store $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$;

(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \eta^e)^{-1} \bmod n$;

(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;

(6) send $(\alpha\beta\tau^e)$ to the oracle $\mathcal{O}_{inv}$ to get $t = (\alpha\beta\tau^e)^d \bmod n$;

(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.


Eventually, assume that $\mathcal{A}$ can successfully output $\ell+1$ e-cash tuples
$$(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}), \tag{17}$$
where the $m_i$ are all distinct, $\forall i$, $1 \le i \le \ell+1$, such that $s_i^e H_1^2(m_i)\, H_3(\sigma_i, D_i) = H_2(D_i) \pmod n$, after $\ell$ queries to $\mathcal{O}_S$, with nonnegligible probability $\epsilon_{\mathcal{A}}$. According to $\mathcal{L}_{H_1}, \mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve the RSA-inversion instances ($\forall i$, $1 \le i \le \ell+1$)
$$(y_i)^d \equiv \left(H_1^2(m_i)\right)^d \equiv s_i^{-1}\left(H_3(\sigma_i, D_i)^{-1} H_2(D_i)\right)^d \equiv s_i^{-1}\eta_i^{-1}(\tau_i) \pmod n. \tag{18}$$
Via $\mathcal{A}$ querying the signing oracle $\mathcal{O}_S$ for $\ell$ times (i.e., $\mathcal{S}$ queries $\mathcal{O}_{inv}$ for $\ell$ times), $\mathcal{S}$ can output $\ell+1$ RSA-inversion instances
$$\left(s_1^{-1}\eta_1^{-1}(\tau_1),\, y_1\right), \left(s_2^{-1}\eta_2^{-1}(\tau_2),\, y_2\right), \ldots, \left(s_{\ell+1}^{-1}\eta_{\ell+1}^{-1}(\tau_{\ell+1}),\, y_{\ell+1}\right) \tag{19}$$
and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

Simulation in FG-2. Initially, $\mathcal{S}$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially, every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:

(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\rho_i$ and returns it to $\mathcal{A}$;

(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\xi$ and returns $(\xi^e \bmod n)$ to $\mathcal{A}$;

(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ selects a random $\xi \in \mathbb{Z}_n$, returns $(\xi^e \bmod n)$ to $\mathcal{A}$, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \xi)$ in $\mathcal{L}_{H_1}$;

(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:

(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;

(b) otherwise, $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:

(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ will be retrieved and returned to $\mathcal{A}$;

(b) otherwise, $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e y \bmod n)$, record $((\sigma, D), \eta, H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$, and return $H_3(\sigma, D)$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. Let $\ell_{D_i}$ be a counter that records the number of queries on each expiration date $D_i$, initialized to 0. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:

(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;

(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;

(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^e \bmod n)$, and store $((\sigma, D), \perp, (\alpha\eta^e \bmod n))$ and $(\sigma, D)$ in $\mathcal{L}_{H_3}$ and $\mathcal{L}_x$, respectively;

(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha\eta^e)^{-1} \bmod n$;

(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;

(6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv ((b\eta)^{-1}\tau) \pmod n$;

(7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Eventually, assume that $\mathcal{A}$ can successfully output $\ell_{D'}+1$ e-cash tuples for some expiration date $D'$,
$$(s_1, m_1, \sigma_1, D'), \ldots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D'), \tag{20}$$
such that $s_i^e H_1^2(m_i)\, H_3(\sigma_i, D') = H_2(D') \pmod n$, $\forall i$, $1 \le i \le \ell_{D'}+1$, after $\ell_{D'}$ queries to $\mathcal{O}_S$ on $D'$, with nonnegligible probability $\epsilon_{\mathcal{A}}$.

Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'}+1$, is not recorded in $\mathcal{L}_x$; then, by $\mathcal{L}_{H_1}, \mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve
$$(s_i)^e \equiv \left(H_1^2(m_i)\, H_3(\sigma_i, D')\right)^{-1} H_2(D') \equiv \left((\xi_i^e)(\eta_i^e y)\right)^{-1}(\tau_i^e) \pmod n, \qquad x \equiv y^d \equiv (s_i\xi_i\eta_i)^{-1}\tau_i \pmod n, \tag{21}$$
and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

4.3. E-Cash Conditional-Traceability. In this section, we will prove that the ID information embedded in e-cash(s) cannot be replaced or removed by any user in order to avoid being traced after some misbehavior or crime. The details of our proof model are illustrated in Figure 8.

[Figure 8: The proof model of TG. $\mathcal{S}$ answers $\mathcal{O}_{H_1}$ queries with $\rho_i$ or $\xi_i^e \bmod n$, $\mathcal{O}_{H_2}$ queries with $\tau_i^e \bmod n$, and $\mathcal{O}_{H_3}$ queries by choosing $\eta_i \in \mathbb{Z}_n$, setting $H_3(\sigma_i, D_i) = \alpha_i\eta_i^e \bmod n$ and storing $(\sigma_i, D_i)$ in $\mathcal{L}_{H_3}$ and $\mathcal{L}_T$; $\mathcal{O}_S$ queries $(\alpha_i, \epsilon_i, D_i)$ are answered with $(t_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$ using the RSA-AKTI oracles $\mathcal{O}_t$ ($q_t$ targets $y_i$) and $\mathcal{O}_{inv}$ ($q_h$ answers $x_i = y_i^d \bmod n$). From $\mathcal{A}$'s output $(s', m', \sigma', D')$ with $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$ and $s'^e H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$, $\mathcal{S}$ computes $(y')^d \equiv s'^{-1}\xi^{-1}\tau' \pmod n$ and outputs $(x_1, y_1), \ldots, (x_{q_t-1}, y_{q_t-1}), (s'^{-1}\xi^{-1}\tau', y')$.]

Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS to record parameters from the queries of $\mathcal{A}$ and issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider Algorithm 4. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\text{TG}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Experiment $\mathrm{Exp}^{\text{TG}}_{\mathcal{A}}(l_k)$:
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
    $\sigma_1, \ldots, \sigma_\ell \leftarrow \mathcal{O}_S$
    if the following two checks are true, return 1:
        (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$
        (ii) $s'^e H_1^2(m')\, H_3(\sigma', D') = H_2(D') \bmod n$
    else return 0

Algorithm 4.

Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies E-Cash Traceability.

Definition 12 (Alternative Formulation of RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{inv}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{inv}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5. We say $\mathcal{A}$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\text{RSA-AKTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Experiment $\mathrm{Exp}^{\text{RSA-AKTI}}_{\mathcal{A}}(k)$:
    $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
    $(y_1, \ldots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$
    $(x_1, y_1), \ldots, (x_{q_t}, y_{q_t}) \leftarrow \mathcal{A}^{\mathcal{O}_{inv}, \mathcal{O}_t}(N, e, k)$
    if $x_i^e \equiv y_i \pmod N$, $\forall i \in \{1, \ldots, q_t\}$, return 1
    else return 0

Algorithm 5.

Theorem 13. For a polynomial-time adversary $\mathcal{A}$ who can win the tracing game TG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-AKTI problem with nonnegligible probability.

Proof. $\mathcal{S}$ simulates the environment of DAOECS by controlling three hash oracles $\mathcal{O}_{H_1}, \mathcal{O}_{H_2}, \mathcal{O}_{H_3}$ to respond to hash queries and an e-cash producing oracle $\mathcal{O}_S$ of DAOECS to respond to e-cash producing queries from $\mathcal{A}$, respectively, in the random oracle model. Eventually, $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the RSA-AKTI problem. Then, for consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}, \mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}, \mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.

The Scientific World Journal 13

Besides, in the proof model, $\mathcal{S}$ is allowed to query the oracles $O_{\mathrm{inv}}$ (i.e., $(\cdot)^{d}$) and $O_t$ of the RSA-AKTI problem defined in Definition 12 for helping $\mathcal{S}$ produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.

Here we will do the simulation for game TG to prove that DAOECS satisfies the e-cash traceability. Details are described as follows.

(i) $H_1$ Query of $O_{H_1}$. Initially every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $L_{H_1}$:
  (a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
  (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^{e} \bmod n)$ to $\mathcal{A}$;
  (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^{e} \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $L_{H_1}$;
  (d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, H_1(m), \perp)$ in $L_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $O_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $L_{H_2}$:
  (a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^{e} \bmod n)$ back to $\mathcal{A}$;
  (b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$, and return $(\tau^{e} \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $O_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $L_{H_3}$:
  (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to $\mathcal{A}$;
  (b) otherwise $\mathcal{S}$ will query $O_t$ to get an instance $y$, and record $y$ and $((\sigma, D), y)$ in $L_T$ and $L_{H_3}$, respectively;
  (c) return $y$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $O_S$. While $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
  (1) decrypt $\epsilon$, obtain $(k, \mathrm{ID})$;
  (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
  (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^{e} \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $L_{H_3}$;
  (4) select $b \in_R \mathbb{Z}_n^{*}$ and compute $\beta = (b^{e} \alpha \eta^{e})^{-1} \bmod n$;
  (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^{e})$ as in the $O_{H_2}$ query described above;
  (6) compute $t \equiv (\alpha \beta \tau^{e})^{d} \equiv ((b\eta)^{-1} \tau) \pmod n$;
  (7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of some $O_S$ query, such that $s'^{e} H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$; then by $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, $\mathcal{S}$ can derive

  $(y')^{d} \equiv (H_3(\sigma', D'))^{d} \equiv s'^{-1} \left( H_1^2(m')^{-1} H_2(D') \right)^{d} \equiv s'^{-1} \varsigma'^{-1} \tau' \pmod n.$   (22)

Let $|L_T| = q_t$ and $L_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends $y_i \in (L_T - \{y'\})$, $1 \le i \le (q_t - 1)$, to $O_{\mathrm{inv}}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^{d} \bmod n$. Eventually $\mathcal{S}$ can output $q_t$ RSA-inversion instances

  $(x_1, y_1), (x_2, y_2), \ldots, (x_{q_t - 1}, y_{q_t - 1}), \left( (s'^{-1} \varsigma'^{-1} \tau'), y' \right)$   (23)

after querying $O_{\mathrm{inv}}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has been spent in a previous transaction, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model, the merchant may accept a transaction involving a double-spent e-cash first and then do the double-spending check later. In this case, the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two events:

(i) No one except the real owner can spend a fresh and valid offline e-cash successfully.

(ii) No one can double spend an e-cash successfully.

Roughly, this can be referred to as the e-cash no-swindling property. In this section we will define the no-swindling property and formally prove that our scheme is secure against swindling attacks.

Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $O_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $O_{\mathrm{off}}$ is an oracle to show the expanding form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively.

$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.


Experiment $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{O_B, O_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\, H_1^2\!\left(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\right) H_3(\sigma, D) = H_2(D) \bmod n_b$;
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ was never a query to $O_{\mathrm{off}}$;
  else return 0.

Algorithm 6: Experiment SWG-1.

Experiment $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{O_B, O_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\, H_1^2\!\left(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\right) H_3(\sigma, D) = H_2(D) \bmod n_b$;
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $O_{\mathrm{off}}$ once;
    (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ is not obtained from $O_{\mathrm{off}}$;
  else return 0.

Algorithm 7: Experiment SWG-2.

Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $O_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. Then, for consistency, $\mathcal{S}$ maintains a list $L_{H_4}$ to record every response of $O_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we will describe the simulations for the two experiments $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}$ and $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}$ individually.

The simulation for $\mathrm{Exp}^{\text{SWG-1}}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $O_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $O_B$ for an e-cash, $O_B$ will do the following:
  (a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
  (b) if $i = \nu$:
    (1) compute $(w_1 = (y^*)^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
  (c) if $i \neq \nu$:
    (1) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
  (d) prepare $s = \left( (H_1^2(m) H_3(\sigma, D))^{-1} H_2(D) \right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
  (e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $O_{\mathrm{off}}$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $O_{\mathrm{off}}$, it will look up the list $L_B$:
  (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
  (b) otherwise $O_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $L_B$. Then, since $w_1^* = y_1^{*\,H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*}$, $\mathcal{S}$ can derive

  $x^* = (r_1^*)^{-1} \left( x_1^* H_4(r_u^*, r_s^*) + s'^* \right) \bmod q$   (24)

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{O_B})\,\epsilon_{\mathcal{A}}$, where $q_{O_B}$ is the total number of $O_B$ queries.

[Figure 9: The proof model of SWG-1 (diagram of the message flow among $\mathcal{A}$, $\mathcal{S}$, $O_B$, and $O_{\mathrm{off}}$; not reproduced here).]

The simulation for $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $O_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $O_B$ for an e-cash, $O_B$ will do the following:
  (a) if $i = \nu$:
    (1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
    (2) compute $(y_1 = (y^*)^{x_1} \bmod p)$ and $(w_1 = y_1^{u} g^{s'} \bmod p)$;
    (3) prepare $s = \left( (H_1^2(m) H_3(\sigma, D))^{-1} H_2(D) \right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
    (4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $L_B$;
  (b) if $i \neq \nu$:
    (1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
    (2) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
    (3) prepare $s = \left( (H_1^2(m) H_3(\sigma, D))^{-1} H_2(D) \right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
    (4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$;
  (c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $O_{\mathrm{off}}$. A status parameter sta is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $O_{\mathrm{off}}$, it will look up the list $L_B$:
  (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and sta $= 0$, $O_{\mathrm{off}}$ will perform the following procedures:
    (1) set sta $= 1$;
    (2) retrieve the corresponding $(u, s')$ from $L_B$ and choose a random $r_u$;
    (3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $L_H$;
    (4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $L_{\mathrm{off}}$;
    (5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
  (b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $O_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $L_H$, compute $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
  (c) otherwise abort.

(iii) Oracle $O_{H_4}$. While $\mathcal{A}$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $O_{H_4}$ will check the list $L_H$:
  (a) if $(r_u, r_s)$ exists as the prefix of some record, $O_{H_4}$ will retrieve the corresponding $u$ and return it to $\mathcal{A}$;
  (b) otherwise $O_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $L_H$, and return $u$ to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $L_B$ and $H_4(r_u^*, r_s^*) = u^*$. Then, via $L_H$, since

  $(y^{*\,x_1^*})^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv (y^{*\,x_1^*})^{u} g^{s'} \pmod p,$   (25)

$\mathcal{S}$ can derive

  $x^* = \left( x_1^* (u^* - u) \right)^{-1} (s' - s'^*) \bmod q$   (26)

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{O_B})\,\epsilon_{\mathcal{A}}$, where $q_{O_B}$ is the total number of $O_B$ queries.

[Figure 10: The proof model of SWG-2 (diagram of the message flow among $\mathcal{A}$, $\mathcal{S}$, $O_B$, $O_{\mathrm{off}}$, and $O_{H_4}$; not reproduced here).]

Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. This implies that there exists no p.p.t. adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
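The two extractions in the proof of Theorem 16, equations (24) and (26), worked through in Python as an added example (not the paper's code): the group $(p, q, g) = (2039, 1019, 4)$ is a constructed toy, and the "adversary" is a stand-in that knows $x^*$ and uses it to produce the second valid opening of $w_1$; the reduction then recovers $x^*$ from the openings alone, which is exactly why a second spending of the same e-cash leaks the owner's secret.

```python
"""Toy version of the discrete-logarithm extraction in the proof of Theorem 16
(equations (24) and (26)).  Added example for this page, not code from the paper;
the group (p, q, g), the secret x*, and the stand-in adversary are constructed."""
import random

# Constructed safe-prime group: p = 2q + 1 and g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4


def inv_q(a):
    """Inverse modulo q (q is prime, so every nonzero residue is invertible)."""
    return pow(a % Q, -1, Q)


def swg1_extract(r1, x1, h4, s_prime_star):
    """Equation (24): x* = r1^{-1} (x1 * H_4(r_u*, r_s*) + s'*) mod q."""
    return inv_q(r1) * (x1 * h4 + s_prime_star) % Q


def swg2_extract(x1, u_star, u, s_prime, s_prime_star):
    """Equation (26): x* = (x1 (u* - u))^{-1} (s' - s'*) mod q; requires u* != u."""
    return inv_q(x1 * (u_star - u)) * (s_prime - s_prime_star) % Q


def simulate_swg1(x_star, seed=1):
    """S embeds y* = g^{x*} as w_1 = (y*)^{r1}; any opening w_1 = y_1^{H_4} g^{s'*} reveals x*."""
    rng = random.Random(seed)
    y_star = pow(G, x_star, P)
    r1, x1 = rng.randrange(1, Q), rng.randrange(1, Q)
    w1 = pow(y_star, r1, P)                 # O_B, case i = nu
    y1 = pow(G, x1, P)
    # Stand-in adversary: it knows x* and computes an opening that passes check (i).
    h4 = rng.randrange(1, Q)                # plays the role of H_4(r_u*, r_s*)
    s_prime_star = (x_star * r1 - x1 * h4) % Q
    opening_ok = w1 == pow(y1, h4, P) * pow(G, s_prime_star, P) % P
    return opening_ok, swg1_extract(r1, x1, h4, s_prime_star)


def simulate_swg2(x_star, seed=2):
    """S embeds y* as y_1 = (y*)^{x1}; O_off reveals one opening (u, s') of w_1 and the
    adversary produces a second one (u*, s'*) under a different H_4 value."""
    rng = random.Random(seed)
    y_star = pow(G, x_star, P)
    x1, u, s_prime = (rng.randrange(1, Q) for _ in range(3))
    y1 = pow(y_star, x1, P)                 # O_B, case i = nu
    w1 = pow(y1, u, P) * pow(G, s_prime, P) % P
    # Stand-in adversary: a second opening of the same w_1 with u* != u.
    u_star = (u + rng.randrange(1, Q)) % Q
    s_prime_star = (s_prime + x_star * x1 * (u - u_star)) % Q
    eq25_ok = w1 == pow(y1, u_star, P) * pow(G, s_prime_star, P) % P   # equation (25)
    return eq25_ok, swg2_extract(x1, u_star, u, s_prime, s_prime_star)
```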

5. E-Cash Advanced Features and Performance Comparisons

In this section we compare the e-cash features and performance of our proposed scheme with other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and summarize them in Table 1.

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these features, there can be other advanced features of an e-cash system discussed in the literature. We focus on three other advanced features, which are traceability, date attachability, and no-swindling, and we compare the proposed scheme with the aforementioned schemes.

We also propose an e-cash renewal protocol for users to exchange a new valid e-cash for their unused but expired e-cash(s); therefore users do not have to deposit the e-cash before it expires and withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. This is a great help to users, since their devices, such as smart phones, usually have weaker computation capability.

Table 1: Advanced features and performance comparisons.

Scheme | On/off-line | Conditional-traceability | Date attachability | No-swindling | Renewal protocol | Formal proof | Transaction cost⋆ | Communication cost†
Ours | Off | Yes | Yes | Yes | Yes | Yes | 5E + 7M + 7H + 1inv + 1A ≈ 1454M | 1092
[38] | Off | Yes | No | No | — | Yes | 14E + 14M + 1H + 5A ≈ 3375M | 576
[14] | Off | No | No | No | Yes | No | 6E + 8M ≈ 1448M | 1288
[15] | Off | Yes | No | No | — | Yes | 23E + 14M + 1A ≈ 5534M | 939
[9] | On | No | Yes | — | No | No | 2E + 2M + 2H ≈ 966M | 769
[21] | Off | Yes | Yes | No | Yes | No | 5E + 9M + 1H + 1inv + 2A ≈ 1450M | 644
[22] | Off | Yes | No | Yes | Yes | Yes | 2E ≈ 480M | 300
[39] | Off | Yes | No | No | — | Yes | 18E + 15M + 2H + 8A ≈ 4337M | 828
[40] | Off | Yes | No | No | — | Yes | 31E + 22M + 6H + 10A ≈ 7468M | 968
[13] | On | Yes | No | — | — | Yes | 22E + 11M + 4A ≈ 5291M | 1536
[27] | Off | No | Yes | No | Yes | No | 6E + 8M + 1H ≈ 1449M | 728

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
† The communication cost of each transaction at the user side, in bytes.

5.2. Performance Comparisons. According to [41], we can summarize the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times the computation cost of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.

With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be induced as 1452 times that of a modular multiplication, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times that of a modular multiplication to finish the withdrawal and payment phases at the user end.

According to [15], we assume that the RSA parameters $n$, $p$, $q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and one-way hash function used in all protocols, respectively; therefore the signed message and hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.

The details of the comparisons are summarized in Table 1.

6. Conclusion

In this paper we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol where users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient from the aspect of the computation cost at the user side while satisfying all security properties simultaneously. Beyond anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank to manage its huge databases against unlimited growth, but it also strengthens the preservation of users' privacy and rights.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSU-KMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.

References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.

[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.

[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.

[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.

[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.

[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.

[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.

[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.

[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.

[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.

[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.

[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.

[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.

[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.

[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.

[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.

[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.

[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology - CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.

[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.

[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.

[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.

[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.

[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.

[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.

[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.

[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology - CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.

[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.

[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.

[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.

[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.

[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs - White Paper, Mobile Platform Group, Intel Corporation, 2002.

[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.

[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.

[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.

[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.

[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.

[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.

[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.


The Scientific World Journal 7

[Figure 5: The game environment of the linkage game. The diagram shows the random bit $b$, the users $U_0$ and $U_1$ engaging with $\mathcal{B}$ and outputting $(m_b, \sigma_b)$ and $(m_{1-b}, \sigma_{1-b})$, and $\mathcal{B}$ outputting $b'$ and winning if $b' = b$, with $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = |2\Pr[b' = b] - 1|$.]

bank. Therefore, the bank is able to detect any double-spent e-cash easily by checking the above parameters. For instance, suppose the bank has received two e-cash(s)

$(s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, s', r_u, r_s)$,
$(s, y_1, w_1, y_2, w_2, x_2, r_3, r_4, \sigma, D, d, \bar{s}', \bar{r}_u, \bar{r}_s)$.   (10)

Thus, the bank can obtain two equations as follows:

$s' \equiv r_1 - H_4(r_u, r_s)\, x_1 \pmod q$,
$\bar{s}' \equiv r_1 - H_4(\bar{r}_u, \bar{r}_s)\, x_1 \pmod q$.   (11)

The bank can derive $(x_1, r_1)$ from the above equations and send $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ to the judge to trace the owner of the e-cash.

(2) Revocation. The judge can trace any user who doubly spends e-cash(s) or violates any transaction regulations. When the judge receives $(s, y_1, w_1, y_2, w_2, x_2, r_3, \sigma, D)$ and $(x_1, r_1)$ from the bank, it checks the following equations:

$s^{e_b} H_1^2(m, D)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$,
$y_1 \equiv g_1^{x_1} \pmod p$,
$w_1 \equiv g_1^{r_1} \pmod p$.   (12)

If all of the above equalities hold, the judge decrypts $\sigma$ and returns the extracted $\mathrm{ID}_c$ to the bank.
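As an added illustration of the double-spending check and revocation above (not code from the paper), the following Python solves the two equations (11) for $(x_1, r_1)$ on the bank's side and runs the judge's discrete-log checks of (12). It assumes $H_4$ is SHA-256 reduced modulo $q$, a toy 64-bit safe prime $p = 2q + 1$, and constructed transcripts; the RSA signature check on $s$ is not modelled.

```python
"""Double-spending detection and revocation for the DAOECS e-cash of this paper.
Added example, not code from the paper: the bank solves the two equations (11)
for (x_1, r_1) and the judge runs the discrete-log checks of (12). Assumptions
the paper does not make: H_4 is SHA-256 mod q, p = 2q + 1 is a toy 64-bit safe
prime, and every transcript below is constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    """Miller-Rabin; with these bases the answer is exact for every n < 3.3e24."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(q_start: int) -> tuple[int, int]:
    """Return (p, q) with p = 2q + 1, both prime, q the smallest such prime >= q_start."""
    q = q_start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

def h4(r_u: bytes, r_s: bytes, q: int) -> int:
    """H_4(r_u, r_s) modelled (assumption) as SHA-256 of a length-prefixed encoding, mod q."""
    data = len(r_u).to_bytes(4, "big") + r_u + len(r_s).to_bytes(4, "big") + r_s
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

@dataclass(frozen=True)
class Spend:
    """What the bank keeps from one deposit: coin part (y_1, w_1), challenge inputs, response s'."""
    y1: int
    w1: int
    r_u: bytes
    r_s: bytes
    s_prime: int

def make_spend(x1: int, r1: int, r_u: bytes, r_s: bytes, g1: int, p: int, q: int) -> Spend:
    """Honest spender's side of the payment: s' = r_1 - H_4(r_u, r_s) x_1 (mod q)."""
    c = h4(r_u, r_s, q)
    return Spend(pow(g1, x1, p), pow(g1, r1, p), r_u, r_s, (r1 - c * x1) % q)

def trace_double_spend(a: Spend, b: Spend, q: int) -> tuple[int, int] | None:
    """Bank's side of tracing: solve the two equations (11) for (x_1, r_1).
    Returns None when there is nothing to trace: different coins, or the same
    challenge twice (a replayed deposit), which leaves x_1 hidden."""
    if (a.y1, a.w1) != (b.y1, b.w1):
        return None
    c_a, c_b = h4(a.r_u, a.r_s, q), h4(b.r_u, b.r_s, q)
    if c_a == c_b:
        return None
    # Subtracting the two equations gives s'_a - s'_b = (c_b - c_a) x_1 (mod q).
    x1 = (a.s_prime - b.s_prime) * pow(c_b - c_a, -1, q) % q
    r1 = (a.s_prime + c_a * x1) % q
    return x1, r1

def judge_check(rec: Spend, x1: int, r1: int, g1: int, p: int) -> bool:
    """Judge's side of revocation: y_1 = g_1^{x_1} and w_1 = g_1^{r_1} (mod p) from (12).
    The RSA signature check on s in (12) is not modelled here."""
    return rec.y1 == pow(g1, x1, p) and rec.w1 == pow(g1, r1, p)

def demo() -> tuple[int, int]:
    """Run the tracing flow on constructed values and return the recovered (x_1, r_1)."""
    p, q = find_safe_prime(1 << 63)          # constructed toy parameters
    g1 = 4                                   # quadratic residue, hence of order q in Z_p^*
    x1, r1 = 0x5EC4E7 % q, 0xBEEF1234 % q    # coin secrets fixed at withdrawal (constructed)
    first = make_spend(x1, r1, b"merchant-A", b"nonce-1", g1, p, q)
    second = make_spend(x1, r1, b"merchant-B", b"nonce-2", g1, p, q)  # same coin, spent again
    recovered = trace_double_spend(first, second, q)
    if recovered is None or not judge_check(first, *recovered, g1, p):
        raise RuntimeError("tracing failed")
    return recovered
```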

4. Security Proofs

In this section, we provide security definitions and formal proofs of the following security features of our proposed date attachable offline electronic cash scheme (DAOECS): unlinkability, unforgeability, traceability, and no-swindling.

4.1. E-Cash Unlinkability. Based on the definition of unlinkability introduced by Abe and Okamoto [35] and Juels et al. [36], we formally define the unlinkability property of DAOECS.

Definition 1 (The Linkage Game). Let $U_0$, $U_1$, and $J$ be two honest users and the judge that follow DAOECS, respectively. Let $B$ be the bank that participates in the following game with $U_0$, $U_1$, and $J$. The game environment is shown in Figure 5.

Step 1. According to DAOECS, $B$ generates the bank's public key $(e_b, n_b)$, the bank's private key $(d_b, p_b, q_b)$, the system parameters $(p, q, g_1, g_2)$, the expiration date $D$, and the five public one-way hash functions $H_1$, $H_2$, $H_3$, $H_4$, and $H_5$. $J$ generates the judge's public-private key pair $(pk_j, sk_j)$.

Step 2. $B$ generates $x_{1i}, x_{2i}, r_{1i}, r_{2i}, r_{3i}$ at random, where $x_1, x_2, r_1, r_2, r_3 \in_R \{0, 1, \ldots, q-1\}$, and computes $(y_{ki}, w_{ki})$ for $k = 1, 2$ and $i = 0, 1$, where $y_{ki} = g_k^{x_{ki}} \bmod p$ and $w_{ki} = g_k^{r_{ki}} \bmod p$.

Step 3. We choose a bit $b \in \{0, 1\}$ at random and place $(y_{1b}, w_{1b}, y_{2b}, w_{2b})$ and $(y_{1,1-b}, w_{1,1-b}, y_{2,1-b}, w_{2,1-b})$ on the private input tapes of $U_0$ and $U_1$, respectively, where $b$ is not disclosed to $B$.

Step 4. $B$ performs the withdrawal protocol of DAOECS with $U_0$ and $U_1$, respectively.

Step 5. If $U_0$ and $U_1$ output two e-cash(s) $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$, where $m_i = (y_{1i}, w_{1i}, y_{2i}, w_{2i}, r_{3i})$, on their private tapes, respectively, we give the two e-cash(s) in a random order to $B$; otherwise, $\perp$ is given to $B$.


Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{A}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \leftarrow A^{O_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s_i^{e_b} H_1^2(m_i)\, H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell+1\}$;
        (ii) $m_1, \ldots, m_{\ell+1}$ are all distinct;
    else return 0.

Algorithm 1: Experiment FG-1.

Step 6. $B$ outputs $b' \in \{0, 1\}$ as the guess of $b$. The bank $B$ wins the game if $b' = b$ and $J$ has not revoked the anonymity of $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$ to $B$. We define the advantage of $B$ as

$\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(B) = \left| 2 \Pr[b' = b] - 1 \right|$,   (13)

where $\Pr[b' = b]$ denotes the probability of $b' = b$.

Definition 2 (Unlinkability). A DAOECS satisfies the unlinkability property if and only if the advantage $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(B)$ defined in Definition 1 is negligible.

Theorem 3. A DAOECS satisfies the unlinkability property of Definition 2 if the adopted cryptosystems are semantically secure.

Proof. If $B$ is given $\perp$ in Step 5 of the game, it will determine $b$ with probability $1/2$, which is exactly the same as a random guess of $b$.

Here we assume that $B$ gets two e-cash(s) $(s_0, m_0, \sigma_0, D_0)$ and $(s_1, m_1, \sigma_1, D_1)$. Let $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$, $i \in \{0, 1\}$, be the view of the data exchanged between $U_i$ and $B$ in the withdrawal protocol (Section 3.2.2), and let $(x_{2i}, r_{2i}, r_{4i}, r_{ui}, r_{si}, s'_i, d_i)$ be the view of the data exchanged when $B$ performs the payment protocol (Section 3.2.3) and the deposit protocol (Section 3.2.4) using $(s_i, m_i, \sigma_i, D_i)$, where $i \in \{0, 1\}$. For

$(s, m, \sigma, D, x_2, r_2, r_4, r_u, r_s, s', d) \in \{(s_0, m_0, \sigma_0, D_0, x_{20}, r_{20}, r_{40}, r_{u0}, r_{s0}, s'_0, d_0),\ (s_1, m_1, \sigma_1, D_1, x_{21}, r_{21}, r_{41}, r_{u1}, r_{s1}, s'_1, d_1)\}$   (14)

and $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$, $i \in \{0, 1\}$, there always exists a pair $(a'_i, b'_i)$ such that

$a'_i = [\alpha_i H_1^2(m, D)]^{-d_b} \bmod n_b$ (via (1)),
$b'_i = [\beta_i H_3(\sigma, D)]^{-d_b} \bmod n_b$ (via (2)).   (15)

And from (3), $t_i \equiv (\alpha_i \beta_i H_2(D))^{d_b} \pmod{n_b}$, so (4) always holds, as

$s \equiv (a'_i b'_i t_i) \equiv [(H_1^2(m, D)\, H_3(\sigma, D))^{-1} H_2(D)]^{d_b} \pmod{n_b}$.   (16)

Besides, since $E_{pk_j}$ and $E_{k_i}$ are semantically secure encryption functions, $B$ cannot learn any information from $\epsilon_i$ and $E_{k_i}(b_i, \sigma_i, r_{j_i})$.

From the above, given any $(s, m, \sigma, D) \in \{(s_0, m_0, \sigma_0, D_0), (s_1, m_1, \sigma_1, D_1)\}$ and $(\alpha_i, \beta_i, t_i)$, where $i \in \{0, 1\}$, there always exists a corresponding pair $(a'_i, b'_i)$ such that (1), (2), (3), and (4) are satisfied. Thus, going back to Step 6 of the game, the bank $B$ succeeds in determining $b$ with probability $(1/2) + \varepsilon$, where $\varepsilon$ is negligible since $E_{pk_j}$ and $E_{k_i}$ are semantically secure. Therefore, we have $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(B) = 2\varepsilon$, which is negligible, so that DAOECS satisfies the unlinkability property.

4.2. E-Cash Unforgeability. In this section, we formally prove that the proposed date attachable offline electronic cash scheme (DAOECS) is secure against forgery attacks. Forgery attacks can be roughly divided into two types: one is the typical one-more forgery (i.e., $(\ell, \ell+1)$-forgery) [37], and the other is the forgery of an e-cash on some specific expiration date after sufficient communication with the signing oracle (i.e., the bank). The definitions and our formal proofs are described as follows.

Definition 4 (Forgery Game 1 in DAOECS (FG-1)). Let $l_k \in \mathbb{N}$ be a security parameter and $A$ be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS and is responsible for issuing e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $A$. $A$ is allowed to query $O_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_A(l_k)$ shown in Algorithm 1. $A$ wins the forgery game FG-1 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}1}}_A(l_k) = 1]$ of $A$ is nonnegligible.

Definition 5 (Forgery Game 2 in DAOECS (FG-2)). Let $l_k \in \mathbb{N}$ be a security parameter and $A$ be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS and takes charge of the following two events:

(i) issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $A$;
(ii) record the total number $\ell_{D_i}$ of e-cash(s) issued for each distinct expiration date $D_i$.

$A$ is allowed to query $O_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_A(l_k)$ shown in Algorithm 2. $A$ wins the forgery game


Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{A}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $\{(s_i, m_i, \sigma_i, D^*)\}_{1 \le i \le \ell_{D^*}+1} \leftarrow A^{O_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s_i^{e_b} H_1^2(m_i)\, H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell_{D^*}+1\}$;
        (ii) $m_1, \ldots, m_{\ell_{D^*}+1}$ are all distinct;
    else return 0.

Algorithm 2: Experiment FG-2.

Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_{A}(k)$
    $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
    $(y_1, \ldots, y_m) \leftarrow O_t(N, e, k)$
    $(\pi, (x_1, y_1), \ldots, (x_n, y_n)) \leftarrow A^{O_{inv}, O_t}(N, e, k)$
    if the following checks are true, return 1:
        (i) $\pi: \{1, \ldots, n\} \to \{1, \ldots, m\}$ is injective;
        (ii) $x_i^e \equiv y_i \pmod N$, $\forall i \in \{1, \ldots, n\}$;
        (iii) $n > q_h$;
    else return 0.

Algorithm 3

FG-2 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}2}}_A(k) = 1]$ of $A$ is nonnegligible.

Here we introduce the hard problems used in our proof models.

Definition 6 (Alternative Formulation of RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let $k \in \mathbb{N}$ be a security parameter and $A$ be an adversary who is allowed to access the RSA-inversion oracle $O_{inv}$ and the target oracle $O_t$. $A$ is allowed to query $O_t$ and $O_{inv}$ for $m$ and $q_h$ times, respectively. Consider Algorithm 3. We say $A$ breaks the RSA-ACTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_A(k) = 1]$ of $A$ is nonnegligible.

Definition 7 (The RSA Inversion Problem). Given $(e, n)$, where $n$ is the product of two distinct large primes $p$ and $q$ of roughly the same length and $e$ is a positive integer relatively prime to $(p-1)(q-1)$, and a randomly chosen positive integer $y$ less than $n$, find an integer $x$ such that $x^e \equiv y \pmod n$.

Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then DAOECS is secure against forgery attacks.

Theorem 9. For a polynomial-time adversary $A$ who can win FG-1 or FG-2 with nonnegligible probability, there exists another adversary $S$ who can break the RSA-ACTI problem or the RSA inversion problem with nonnegligible probability.

Proof. $S$ simulates the environment and controls three hash oracles $O_{H_1}$, $O_{H_2}$, $O_{H_3}$ and an e-cash producing oracle $O_S$ of the DAOECS scheme to respond to the different queries from $A$ in the random oracle model, and takes advantage of $A$ to solve the RSA-ACTI problem or the RSA inversion problem at the same time. For consistency, $S$ maintains three lists $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$ to record every response of $O_{H_1}$, $O_{H_2}$, and $O_{H_3}$, respectively.

Here we start the simulation for the two games (i.e., FG-1 and FG-2) to prove that DAOECS is secure against forgery attacks. The details of the simulation are set out below and illustrated in Figures 6 and 7, respectively.

Simulation in FG-1. In this proof model, $S$ is allowed to query the oracles $O_{inv}$ (i.e., $(\cdot)^d$) and $O_t$ of the RSA-ACTI problem defined in Definition 6 to help $S$ produce e-cash(s), and the corresponding verifying key is $(e, n)$.

(i) $H_1$ Query of $O_{H_1}$. Initially, every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $A$ sends $m$ to query the hash value $H_1(m)$, $S$ checks the list $L_{H_1}$:
    (a) if $m = m_i$ for some $i$, then $S$ retrieves the corresponding $H_1(m_i)$ and returns it to $A$;
    (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $S$ retrieves the corresponding $H_1^2(m_i)$ and returns it to $A$;
    (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $S$ queries $O_t$ to get an instance $y$ and returns it to $A$, then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), y)$ in $L_{H_1}$;
    (d) otherwise, $S$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $L_{H_1}$, and returns $\rho$ to $A$.

(ii) $H_2$ Query of $O_{H_2}$. When $A$ asks an $H_2$ query by sending $D$ to $S$, $S$ looks up the list $L_{H_2}$:
    (a) if $D = D_i$ for some $i$, the corresponding $\tau$ is retrieved and $S$ sends $(\tau^e \bmod n)$ back to $A$;
    (b) otherwise, $S$ selects a random $\tau \in \mathbb{Z}_n$, records $(D, \tau)$ in $L_{H_2}$, and returns $(\tau^e \bmod n)$ to $A$.

(iii) $H_3$ Query of $O_{H_3}$. When $A$ sends $(\sigma, D)$ to $S$ for $H_3(\sigma, D)$, $S$ looks up the list $L_{H_3}$:


[Figure 6: The proof model of FG-1. The diagram shows $A$ issuing $O_{H_1}$, $O_{H_2}$, $O_{H_3}$, and $O_S$ queries to $S$, which answers them with the help of the RSA-ACTI oracles $O_t$ and $O_{inv}$ and finally outputs the RSA-inversion instances $(s_i^{-1}\eta_i^{-1}(\tau_i), y_i)$, $\forall i \in \{1, \ldots, \ell+1\}$.]

[Figure 7: The proof model of FG-2. The diagram shows the same query flow between $A$ and $S$, with $S$ finally outputting $x \equiv y^d \equiv (s_i \varsigma_i \eta_i)^{-1} \tau_i \pmod n$.]

    (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ is retrieved and $(\eta^e \bmod n)$ is returned to $A$;
    (b) otherwise, $S$ selects a random $\eta \in \mathbb{Z}_n$, records $((\sigma, D), \eta)$ in $L_{H_3}$, and returns $(\eta^e \bmod n)$ to $A$.

(iv) E-Cash Producing Query of $O_S$. When $A$ sends $(\alpha, \epsilon, D)$ to $S$, $S$ performs the following steps:
    (1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
    (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
    (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e \bmod n)$, and store $((\sigma, D), \eta)$ in $L_{H_3}$;
    (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \eta^e)^{-1} \bmod n$;
    (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $O_{H_2}$ query described above;
    (6) send $(\alpha\beta\tau^e)$ to the oracle $O_{inv}$ to get $t = (\alpha\beta\tau^e)^d \bmod n$;
    (7) return $(t, E_k(b, \sigma, r_j))$ to $A$.


Eventually, assume that $A$ can successfully output $\ell + 1$ e-cash tuples

$(s_1, m_1, \sigma_1, D_1), \cdots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1})$,   (17)

where the $m_i$ are all distinct, $\forall i$, $1 \le i \le \ell + 1$, such that $s_i^e H_1^2(m_i)\, H_3(\sigma_i, D_i) = H_2(D_i) \pmod n$, after $\ell$ queries to $O_S$, with nonnegligible probability $\epsilon_A$. According to $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, $S$ can compute and retrieve the RSA-inversion instances ($\forall i$, $1 \le i \le \ell + 1$)

$(y_i)^d \equiv (H_1^2(m_i))^d \equiv s_i^{-1} (H_3(\sigma_i, D_i)^{-1} H_2(D_i))^d \equiv s_i^{-1} \eta_i^{-1} (\tau_i) \pmod n$.   (18)

Via $A$ querying the signing oracle $O_S$ for $\ell$ times (i.e., $S$ querying $O_{inv}$ for $\ell$ times), $S$ can output $\ell + 1$ RSA-inversion instances

$(s_1^{-1} \eta_1^{-1} (\tau_1), y_1), (s_2^{-1} \eta_2^{-1} (\tau_2), y_2), \ldots, (s_{\ell+1}^{-1} \eta_{\ell+1}^{-1} (\tau_{\ell+1}), y_{\ell+1})$   (19)

and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_A$.

Simulation in FG-2. Initially, $S$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.

(i) $H_1$ Query of $O_{H_1}$. Initially, every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $A$ sends $m$ to query the hash value $H_1(m)$, $S$ checks the list $L_{H_1}$:
    (a) if $m = m_i$ for some $i$, then $S$ retrieves the corresponding $\rho_i$ and returns it to $A$;
    (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $S$ retrieves the corresponding $\varsigma$ and returns $(\varsigma^e \bmod n)$ to $A$;
    (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $S$ selects a random $\varsigma \in \mathbb{Z}_n$, returns $(\varsigma^e \bmod n)$ to $A$, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $L_{H_1}$;
    (d) otherwise, $S$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $L_{H_1}$, and returns $\rho$ to $A$.

(ii) $H_2$ Query of $O_{H_2}$. When $A$ asks an $H_2$ query by sending $D$ to $S$, $S$ looks up the list $L_{H_2}$:
    (a) if $D = D_i$ for some $i$, the corresponding $\tau$ is retrieved and $S$ sends $(\tau^e \bmod n)$ back to $A$;
    (b) otherwise, $S$ selects a random $\tau \in \mathbb{Z}_n$, records $(D, \tau)$ in $L_{H_2}$, and returns $(\tau^e \bmod n)$ to $A$.

(iii) $H_3$ Query of $O_{H_3}$. When $A$ sends $(\sigma, D)$ to $S$ for $H_3(\sigma, D)$, $S$ looks up the list $L_{H_3}$:
    (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ is retrieved and returned to $A$;
    (b) otherwise, $S$ selects a random $\eta \in \mathbb{Z}_n$, sets $H_3(\sigma, D) = (\eta^e y \bmod n)$, records $((\sigma, D), \eta, H_3(\sigma, D))$ in $L_{H_3}$, and returns $H_3(\sigma, D)$ to $A$.

(iv) E-Cash Producing Query of $O_S$. Let $\ell_{D_i}$ be a counter, initialized to 0, that records the number of queries on each expiration date $D_i$. When $A$ sends $(\alpha, \epsilon, D)$ to $S$, $S$ performs the following steps:
    (1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
    (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
    (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^e \bmod n)$, and store $((\sigma, D), \perp, (\alpha\eta^e \bmod n))$ and $(\sigma, D)$ in $L_{H_3}$ and $L_x$, respectively;
    (4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
    (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $O_{H_2}$ query described above;
    (6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv ((b\eta)^{-1}\tau) \pmod n$;
    (7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ to $A$.

Eventually, assume that $A$ can successfully output $\ell_{D'} + 1$ e-cash tuples for some expiration date $D'$,

$(s_1, m_1, \sigma_1, D'), \cdots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D')$,   (20)

such that $s_i^e H_1^2(m_i)\, H_3(\sigma_i, D') = H_2(D') \pmod n$, $\forall i$, $1 \le i \le \ell_{D'} + 1$, after $\ell_{D'}$ queries to $O_S$ on $D'$, with nonnegligible probability $\epsilon_A$.

Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'} + 1$, is not recorded in $L_x$; then, by $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, $S$ can compute and retrieve

$(s_i)^e \equiv (H_1^2(m_i)\, H_3(\sigma_i, D'))^{-1} H_2(D') \equiv ((\varsigma_i^e)(\eta_i^e y))^{-1} (\tau_i^e) \pmod n$,
$x \equiv y^d \equiv (s_i \varsigma_i \eta_i)^{-1} \tau_i \pmod n$,   (21)

and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_A$.

4.3. E-Cash Conditional-Traceability. In this section, we prove that the ID information embedded in e-cash(s) cannot be replaced or removed by any user in order to avoid being traced after some misbehavior or crime. The details of our proof model are illustrated in Figure 8.

Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $A$ be an adversary in DAOECS. $O_S$ is an oracle which plays the role of the bank in DAOECS


[Figure 8: The proof model of TG. The diagram shows $A$ issuing $O_{H_1}$, $O_{H_2}$, $O_{H_3}$, and $O_S$ queries to $S$, which answers them with the help of the RSA-AKTI oracles $O_t$ ($q_t$ queries) and $O_{inv}$ ($q_h$ queries), stores the $(\sigma_i, D_i)$ it sets $H_3$ on in $L_{H_3}$ and $L_T$, and, from a forged $(s', m', \sigma', D')$ with $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$, finally outputs $(x_1, y_1), \ldots, (x_{q_t-1}, y_{q_t-1}), ((s'^{-1}\varsigma'^{-1}\tau'), y')$.]

Experiment $\mathrm{Exp}^{\mathrm{TG}}_{A}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s', m', \sigma', D') \leftarrow A^{O_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
    $\sigma_1, \ldots, \sigma_\ell \leftarrow O_S$
    if the following two checks are true, return 1:
        (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$;
        (ii) $s'^{e} H_1^2(m')\, H_3(\sigma', D') = H_2(D') \bmod n$;
    else return 0.

Algorithm 4

to record parameters from the queries of $A$ and to issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $A$ is allowed to query $O_S$ for $\ell$ times; consider Algorithm 4. $A$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{TG}}_A(k) = 1]$ of $A$ is nonnegligible.

Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies E-Cash Traceability.

Definition 12 (Alternative Formulation of RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $A$ be an adversary who is allowed to access the RSA-inversion oracle $O_{inv}$ and the target oracle $O_t$. $A$ is allowed to query $O_t$ and $O_{inv}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5. We say $A$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_A(k) = 1]$ of $A$ is nonnegligible.

Theorem 13. For a polynomial-time adversary $A$ who can win the tracing game TG with nonnegligible probability, there exists

Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{A}(k)$
    $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
    $(y_1, \ldots, y_{q_t}) \leftarrow O_t(N, e, k)$
    $((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow A^{O_{inv}, O_t}(N, e, k)$
    if $x_i^e \equiv y_i \pmod N$, $\forall i \in \{1, \ldots, q_t\}$, return 1
    else return 0.

Algorithm 5

another adversary $S$ who can break the RSA-AKTI problem with nonnegligible probability.

Proof. $S$ simulates the environment of DAOECS by controlling three hash oracles $O_{H_1}$, $O_{H_2}$, $O_{H_3}$ to respond to hash queries and an e-cash producing oracle $O_S$ of DAOECS to respond to e-cash producing queries from $A$, in the random oracle model. Eventually, $S$ takes advantage of $A$'s capability to solve the RSA-AKTI problem. For consistency, $S$ maintains three lists $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$ to record every response of $O_{H_1}$, $O_{H_2}$, and $O_{H_3}$, respectively.


Besides in the proof model S is allowed to query theoracles Oinv (ie (sdot)

119889) and O119905of the RSA-AKTI problem

defined inDefinition 12 for helpingS produce valid e-cash(s)and the corresponding verifying key is (119890 119899)

Here we will do the simulation for game TG to provethat DAOECS satisfies the e-cash traceability Details aredescribed as follows

(i) 1198671Query of O

1198671

Initially every blank record in L1198671

can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ to query the hash value $H_1(m)$, $\mathcal{S}$ checks the list $L_{H_1}$:

(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^{\,e} \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^{e} \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and replaces the original record $(m_i, H_1(m_i), \perp)$ by $(m_i, H_1(m_i), \varsigma)$ in $L_{H_1}$;
(d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, H_1(m), \perp)$ in $L_{H_1}$ and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ looks up the list $L_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ is retrieved and $\mathcal{S}$ sends $(\tau^{e} \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ selects a random $\tau \in \mathbb{Z}_n$, records $(D, \tau)$ in $L_{H_2}$ and returns $(\tau^{e} \bmod n)$ to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ looks up the list $L_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ is retrieved and returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ queries $\mathcal{O}_t$ to get an instance $y$, and records $y$ and $((\sigma, D), y)$ in $L_T$ and $L_{H_3}$, respectively;
(c) return $y$ to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ performs the following steps:
(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^{e} \bmod n)$ and store $((\sigma, D), H_3(\sigma, D))$ in $L_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^{*}$ and compute $\beta = (b^{e}\alpha\eta^{e})^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^{e} \bmod n)$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha\beta\tau^{e})^{d} \equiv ((b\eta)^{-1}\tau) \pmod{n}$;
(7) return $(t, E_k(b, \sigma, r_j))$ to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as part of any $\mathcal{O}_S$ query, such that $s'^{\,e} H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod{n}$. Then, by $L_{H_1}$, $L_{H_2}$ and $L_{H_3}$, $\mathcal{S}$ can derive
$$(y')^{d} \equiv (H_3(\sigma', D'))^{d} \equiv s'^{-1} \left(H_1^2(m')^{-1} H_2(D')\right)^{d} \equiv s'^{-1} \varsigma'^{-1} \tau' \pmod{n}. \tag{22}$$
Let $|L_T| = q_t$ and $L_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends each $y_i \in (L_T \setminus \{y'\})$, $1 \le i \le (q_t - 1)$, to $\mathcal{O}_{\mathrm{inv}}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^{d} \bmod n$. Eventually $\mathcal{S}$ can output $q_t$ RSA-inversion instances
$$(x_1, y_1),\ (x_2, y_2),\ \ldots,\ (x_{q_t-1}, y_{q_t-1}),\ \left((s'^{-1}\varsigma'^{-1}\tau'),\ y'\right) \tag{23}$$
after querying $\mathcal{O}_{\mathrm{inv}}$ only $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
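The oracle bookkeeping above and the extraction step (22) can be run end to end. The following is an added worked example, not code from the paper: the simulator programs $H_1^2(m) = \varsigma^{e}$ and $H_2(D) = \tau^{e}$ (roots it knows) and answers $H_3(\sigma, D)$ with an RSA-inversion target $y$ whose root it does not know, and then recovers $y^{d}$ from any coin that passes the verification equation without ever touching $d$. Because the simulator itself cannot produce a coin, the forger $\mathcal{A}$ is played by a stand-in that holds the bank key; the toy modulus built from two Mersenne primes, the class and function names, and the sample strings are assumptions of this example.

```python
"""Worked instance of the unforgeability reduction (equations (22) and (23)).

Added example, not code from the paper. The simulator S programs the random
oracles so that H_1^2(m) = varsigma^e and H_2(D) = tau^e (roots known to S)
and H_3(sigma, D) = y (an RSA-inversion target whose root S does not know).
Any coin passing s^e * H_1^2(m) * H_3(sigma, D) == H_2(D) (mod n) then yields
y^d = s^{-1} * varsigma^{-1} * tau, without the bank's secret exponent d.
Assumptions: a toy RSA modulus from two Mersenne primes, the helper names
below, and a bank-key holder standing in for the forger A."""
import secrets

P_RSA = 2**31 - 1                    # Mersenne prime (toy size, assumption)
Q_RSA = 2**61 - 1                    # Mersenne prime (toy size, assumption)
N = P_RSA * Q_RSA                    # bank modulus n
E = 65537                            # bank public exponent e, coprime to phi(n)
D_BANK = pow(E, -1, (P_RSA - 1) * (Q_RSA - 1))   # secret d: the bank's, never S's


def random_unit() -> int:
    """Uniform invertible element of Z_n^* (S's choices of varsigma and tau)."""
    while True:
        v = secrets.randbelow(N)
        if v > 1 and v % P_RSA and v % Q_RSA:
            return v


class Simulator:
    """Random-oracle bookkeeping of S: the lists L_H1, L_H2 and L_H3."""

    def __init__(self):
        self.l_h1 = {}   # m          -> varsigma, with H_1^2(m) = varsigma^e mod n
        self.l_h2 = {}   # D          -> tau,      with H_2(D)   = tau^e mod n
        self.l_h3 = {}   # (sigma, D) -> y,        an inversion target from O_t

    def h1_squared(self, m) -> int:
        if m not in self.l_h1:
            self.l_h1[m] = random_unit()
        return pow(self.l_h1[m], E, N)

    def h2(self, d) -> int:
        if d not in self.l_h2:
            self.l_h2[d] = random_unit()
        return pow(self.l_h2[d], E, N)

    def h3(self, sigma, d, target=None) -> int:
        """H_3(sigma, D): a fresh pair is answered with the target y from O_t."""
        if (sigma, d) not in self.l_h3:
            if target is None:
                raise KeyError("no target instance supplied for a fresh (sigma, D)")
            self.l_h3[(sigma, d)] = target
        return self.l_h3[(sigma, d)]

    def verify(self, s, m, sigma, d) -> bool:
        """Coin verification: s^e H_1^2(m) H_3(sigma, D) == H_2(D) (mod n)."""
        lhs = pow(s, E, N) * self.h1_squared(m) % N * self.h3(sigma, d) % N
        return lhs == self.h2(d)

    def extract_root(self, s, m, sigma, d) -> int:
        """Equation (22): y^d = s^{-1} varsigma^{-1} tau (mod n), no d needed."""
        varsigma, tau = self.l_h1[m], self.l_h2[d]
        return pow(s, -1, N) * pow(varsigma, -1, N) % N * tau % N


def coin_from_bank_key(sim: Simulator, m, sigma, d, y: int) -> int:
    """Stand-in for the forger A: with the bank key, s = ((H_1^2(m) H_3)^{-1} H_2(D))^d."""
    base = pow(sim.h1_squared(m) * sim.h3(sigma, d, y) % N, -1, N) * sim.h2(d) % N
    return pow(base, D_BANK, N)


def reduction_demo(y: int) -> bool:
    """True iff the root S extracts from one accepted coin equals y^d mod n."""
    sim = Simulator()
    s = coin_from_bank_key(sim, "m'", "sigma'", "2014-05-18", y)
    return sim.verify(s, "m'", "sigma'", "2014-05-18") and \
        sim.extract_root(s, "m'", "sigma'", "2014-05-18") == pow(y, D_BANK, N)
```

The point to notice is that `extract_root` uses only the lists $L_{H_1}$ and $L_{H_2}$ and the coin itself; the one place $d$ appears is inside the stand-in forger, which is exactly the capability the theorem assumes the adversary has. Running the same extraction on each of the $q_t$ targets in $L_T$ is what produces the instance list (23).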

4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has already been spent in a previous transaction, another spending of it is detected immediately by the double-spending check. In an offline e-cash model, however, the merchant may first accept a transaction involving a double-spent e-cash and only perform the double-spending check later. In this case the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two properties:

(i) no one except the real owner can successfully spend a fresh and valid offline e-cash;
(ii) no one can successfully double-spend an e-cash.

Together these are referred to as the e-cash no-swindling property. In this section we define the no-swindling property and formally prove that our scheme is secure against swindling attacks.

Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $\mathcal{O}_{\mathrm{off}}$ is an oracle that shows the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively.

$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.

14 The Scientific World Journal

Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\, H_1^2\!\left(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\right) H_3(\sigma, D) = H_2(D) \bmod n_b$;
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ has never been a query to $\mathcal{O}_{\mathrm{off}}$;
  else return 0.

Algorithm 6: Experiment SWG-1.

Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\, H_1^2\!\left(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\right) H_3(\sigma, D) = H_2(D) \bmod n_b$;
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ may have been queried to $\mathcal{O}_{\mathrm{off}}$ once;
    (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ was not obtained from $\mathcal{O}_{\mathrm{off}}$;
  else return 0.

Algorithm 7: Experiment SWG-2.

Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. If a polynomial-time adversary $\mathcal{A}$ can win the swindling game SWG with nonnegligible probability, then there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$, which answers the queries on $H_4$ of DAOECS in the random oracle model, and eventually exploits $\mathcal{A}$'s capability to solve the discrete logarithm problem. For consistency, $\mathcal{S}$ maintains a list $L_{H_4}$ to record every response of $\mathcal{O}_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^{*}$ of the discrete logarithm problem (i.e., $y^{*} = g^{x^{*}} \bmod p$). We describe the simulations for the two experiments $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ and $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ individually.

The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially, $\mathcal{S}$ guesses that the generic e-cash produced by the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ does the following:
(a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(b) if $i = \nu$: compute $w_1 = (y^{*})^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
(c) if $i \neq \nu$: compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
(d) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $L_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{\mathrm{off}}$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it looks up the list $L_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
(b) otherwise $\mathcal{O}_{\mathrm{off}}$ retrieves the corresponding $(r_1, x_1)$, chooses a random $r_u$, computes $u = H_4(r_u, r_s)$ and $s' = r_1 - u x_1 \bmod q$, and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*}, r_u^{*}, r_s^{*}, s'^{*})$, where $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*})$ is prefixed with $\nu$ and postfixed with $(r_1^{*}, x_1^{*})$ in $L_B$. Then, since $w_1^{*} = (y_1^{*})^{H_4(r_u^{*}, r_s^{*})} g^{s'^{*}} \bmod p$ and $w_1^{*} = (y^{*})^{r_1^{*}} \bmod p$, $\mathcal{S}$ can derive
$$x^{*} = (r_1^{*})^{-1}\left(x_1^{*}\, H_4(r_u^{*}, r_s^{*}) + s'^{*}\right) \bmod q \tag{24}$$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

[Figure 9: The proof model of SWG-1. The figure shows the messages between $\mathcal{A}$, $\mathcal{S}$, $\mathcal{O}_B$ and $\mathcal{O}_{\mathrm{off}}$: the $i$-th request, the generic e-cash $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ with $w_1 = (y^{*})^{r_1}$ and $y_1 = g^{x_1}$ for $i = \nu$, the $\mathcal{O}_{\mathrm{off}}$ exchange that turns $(\ldots, r_s)$ into $(\ldots, r_s, r_u, s')$, the swindled tuple $(s^{*}, \ldots, s'^{*})$, the two checks of Algorithm 6 and the extraction of $x^{*}$ by equation (24).]

The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially, $\mathcal{S}$ guesses that the generic e-cash produced by the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ does the following:
(a) if $i = \nu$:
  (1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
  (2) compute $y_1 = (y^{*})^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$;
  (3) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
  (4) record $(i, (s, m, \sigma, D), (u, s'))$ in the list $L_B$;
(b) if $i \neq \nu$:
  (1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
  (2) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
  (3) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
  (4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $L_B$;
(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{\mathrm{off}}$. A status parameter $\mathrm{sta}$ is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it looks up the list $L_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and $\mathrm{sta} = 0$, $\mathcal{O}_{\mathrm{off}}$ performs the following:
  (1) set $\mathrm{sta} = 1$;
  (2) retrieve the corresponding $(u, s')$ from $L_B$ and choose a random $r_u$;
  (3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $L_H$;
  (4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in the list $L_{\mathrm{off}}$;
  (5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{\mathrm{off}}$ retrieves the corresponding $(r_1, x_1)$, chooses random $r_u$ and $u$, sets $H_4(r_u, r_s) = u$, records $((r_u, r_s), u)$ in $L_H$, computes $s' = r_1 - u x_1 \bmod q$ and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(c) otherwise abort.

(iii) Oracle $\mathcal{O}_{H_4}$. When $\mathcal{A}$ sends $(r_u, r_s)$ to query $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ checks the list $L_H$:
(a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ retrieves the corresponding $u$ and returns it to $\mathcal{A}$;
(b) otherwise $\mathcal{O}_{H_4}$ chooses a random $u$, records $((r_u, r_s), u)$ in $L_H$ and returns $u$ to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*}, r_u^{*}, r_s^{*}, s'^{*})$, where $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*})$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $L_B$, and $H_4(r_u^{*}, r_s^{*}) = u^{*}$. Then, via $L_H$, since
$$\left(y^{*x_1^{*}}\right)^{u^{*}} g^{s'^{*}} \equiv (y_1^{*})^{H_4(r_u^{*}, r_s^{*})} g^{s'^{*}} \equiv w_1^{*} \equiv \left(y^{*x_1^{*}}\right)^{u} g^{s'} \pmod{p}, \tag{25}$$
$\mathcal{S}$ can derive
$$x^{*} = \left(x_1^{*}\,(u^{*} - u)\right)^{-1}\left(s' - s'^{*}\right) \bmod q \tag{26}$$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries. The inversion in (26) is well defined: if $u^{*} = u$, then (25) forces $g^{s'^{*}} = g^{s'}$, i.e., $s'^{*} = s'$, so the output tuple would be the one obtained from $\mathcal{O}_{\mathrm{off}}$, which check (iii) of Algorithm 7 excludes.

[Figure 10: The proof model of SWG-2. The figure shows, for the $\nu$-th query, $\mathcal{O}_B$ setting $y_1 = (y^{*})^{x_1}$ and $w_1 = y_1^{u} g^{s'}$, $\mathcal{O}_{\mathrm{off}}$ setting $\mathrm{sta} = 1$, programming $H_4(r_u, r_s) = u$ in $L_H$ and recording the expansion in $L_{\mathrm{off}}$, the $\mathcal{O}_{H_4}$ queries answered from $L_H$, the swindled tuple $(s^{*}, \ldots, s'^{*})$, the checks of Algorithm 7, the congruence (25) and the extraction of $x^{*}$ by equation (26).]

Summarizing the proof models for the two experiments above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. Hence no probabilistic polynomial-time adversary can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
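Check (i) of Algorithms 6 and 7 and the extractions (24) and (26) rest on one mechanism: the payment response $s' = r_1 - H_4(r_u, r_s)\,x_1 \bmod q$ is a Schnorr-style proof that the payer knows $x_1$ behind $y_1 = g^{x_1}$, and two accepted responses on the same $(w_1, y_1)$ with different challenges leak $x_1$, which is also how the bank identifies a double spender. The following is an added example carrying that out in working code, not code from the paper: it generates a safe-prime group $(p = 2q + 1, g)$ from a fixed seed so the run is reproducible, uses SHA-256 reduced mod $q$ as $H_4$, and uses its own function names; all of these are assumptions of the example. It generalizes (26) from the simulator's planted instance to any two accepted transcripts.

```python
"""Payment-time ownership proof of DAOECS-style coins and the extraction of
x_1 from two accepted transcripts (the mechanism behind equations (24)-(26)).
Added example, not the authors' code. Assumptions: a safe-prime group
p = 2q + 1 with generator g of order q, produced here from a fixed seed, and
SHA-256 reduced mod q as H_4."""
import hashlib
import random


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin after trial division by the first few primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int = 64, seed: int = 2014):
    """Return (p, q, g): p = 2q + 1 prime, g = 4 has order q (4 = 2^2 is a square)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        p = 2 * q + 1
        if is_probable_prime(q, rng) and is_probable_prime(p, rng):
            return p, q, 4


P, Q, G = safe_prime_group()


def h4(r_u: int, r_s: int) -> int:
    """H_4(r_u, r_s) in Z_q: challenge derived from the payer's and merchant's nonces."""
    digest = hashlib.sha256(f"{r_u}|{r_s}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def coin_keys(x1: int, r1: int):
    """y_1 = g^{x_1}, w_1 = g^{r_1}: the values fixed inside the coin at withdrawal."""
    return pow(G, x1, P), pow(G, r1, P)


def pay(x1: int, r1: int, r_s: int, r_u: int) -> int:
    """Owner's answer to merchant nonce r_s: s' = r_1 - H_4(r_u, r_s) x_1 mod q."""
    return (r1 - h4(r_u, r_s) * x1) % Q


def verify(y1: int, w1: int, r_u: int, r_s: int, s_prime: int) -> bool:
    """Check (i) of Algorithms 6/7: w_1 == y_1^{H_4(r_u, r_s)} g^{s'} (mod p)."""
    return pow(y1, h4(r_u, r_s), P) * pow(G, s_prime, P) % P == w1


def extract_secret(t1, t2) -> int:
    """Two accepted transcripts (r_u, r_s, s') on the same (w_1, y_1) reveal x_1,
    as in equation (26): x_1 = (s'_1 - s'_2) * (u_2 - u_1)^{-1} mod q."""
    u1, u2 = h4(t1[0], t1[1]), h4(t2[0], t2[1])
    if u1 == u2:
        raise ValueError("same challenge twice: nothing to extract")
    return (t1[2] - t2[2]) * pow(u2 - u1, -1, Q) % Q


if __name__ == "__main__":
    x1, r1 = 123456789, 987654321            # constructed sample secrets
    y1, w1 = coin_keys(x1, r1)
    first = (11, 1001, pay(x1, r1, 1001, 11))    # honest payment
    second = (22, 2002, pay(x1, r1, 2002, 22))   # the same coin spent again
    print(verify(y1, w1, *first), verify(y1, w1, *second))
    print(extract_secret(first, second) == x1)   # the bank recovers x_1
```

Because $r_s$ is chosen by the merchant, a payer cannot force the same challenge twice, so the second spending of a coin always exposes $x_1$; the reductions in the proof plant $y^{*}$ inside $w_1$ or $y_1$ so that this exposed value also yields $x^{*}$.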

5. E-Cash Advanced Features and Performance Comparisons

In this section we compare the e-cash features and performance of our proposed scheme with the schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of these schemes and summarize the result in Table 1.

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability and no double-spending. Besides these, other advanced features of an e-cash system have been discussed in the literature. We focus on three such advanced features, namely traceability, date attachability and no-swindling, and compare the proposed scheme with the aforementioned schemes with respect to them.

We also propose an e-cash renewal protocol that lets users exchange their unused but expired e-cash(s) for a new valid e-cash, so users do not have to deposit an e-cash before it expires and then withdraw a new one. Compared with running the withdrawal and deposit protocols, our renewal protocol reduces the computation cost at the user side by 49.5%, i.e., almost half of the effort of obtaining a new e-cash. This matters because user devices, such as smart phones, usually have weaker computation capability.


Table 1: Advanced features and performance comparisons.

Scheme | On/off-line | Conditional-traceability | Date attachability | No-swindling | Renewal protocol | Formal proof | Transaction cost⋆ | Communication cost†
Ours   | Off | Yes | Yes | Yes | Yes | Yes | 5E + 7M + 7H + 1inv + 1A ≈ 1454M   | 1092
[38]   | Off | Yes | No  | No  | —   | Yes | 14E + 14M + 1H + 5A ≈ 3375M        | 576
[14]   | Off | No  | No  | No  | Yes | No  | 6E + 8M ≈ 1448M                    | 1288
[15]   | Off | Yes | No  | No  | —   | Yes | 23E + 14M + 1A ≈ 5534M             | 939
[9]    | On  | No  | Yes | —   | No  | No  | 2E + 2M + 2H ≈ 966M                | 769
[21]   | Off | Yes | Yes | No  | Yes | No  | 5E + 9M + 1H + 1inv + 2A ≈ 1450M   | 644
[22]   | Off | Yes | No  | Yes | Yes | Yes | 2E ≈ 480M                          | 300
[39]   | Off | Yes | No  | No  | —   | Yes | 18E + 15M + 2H + 8A ≈ 4337M        | 828
[40]   | Off | Yes | No  | No  | —   | Yes | 31E + 22M + 6H + 10A ≈ 7468M       | 968
[13]   | On  | Yes | No  | —   | —   | Yes | 22E + 11M + 4A ≈ 5291M             | 1536
[27]   | Off | No  | Yes | No  | Yes | No  | 6E + 8M + 1H ≈ 1449M               | 728

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion. "—" marks a feature that does not apply to the scheme.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
† The communication cost of each transaction at the user side, in bytes.


5.2. Performance Comparisons. Following [41], we summarize the computation cost of the operations as follows. The cost of a modular exponentiation is about 240 times that of a modular multiplication, the cost of a modular inversion is almost equal to that of a modular exponentiation, and the cost of a hash operation is almost equal to that of a modular multiplication.

Under these assumptions, the total computation cost of a user in the withdrawal and payment phases of our proposed scheme amounts to 1454 modular multiplications, while the schemes of [38], [14], [15], [9], [21], [22], [39], [40], [13] and [27] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291 and 1449 modular multiplications, respectively, to finish the withdrawal and payment phases at the user side.

Following [15], we assume that the RSA parameters $n$, $p$ and $q$ are 1024, 512 and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and the one-way hash function in all protocols; hence an AES block and a hash digest are 128 and 160 bits, respectively. We assume the expiration date is encoded in 32 bits.

With these assumptions we compute the communication cost at the user side of each offline transaction, i.e., withdrawal plus payment. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending it, which amounts to 1092 bytes per transaction.

The details of the comparisons are summarized in Table 1.

6. Conclusion

In this paper we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to each e-cash. We have also designed an e-cash renewal protocol with which users can exchange their unused but expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient in terms of the computation cost at the user side while satisfying all the security properties simultaneously. Besides anonymity, unlinkability, unforgeability and no double-spending, we formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank manage its huge database against unlimited growth, but it also strengthens the preservation of users' privacy and rights.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of National Sun Yat-sen University and the Ministry of Education, Taiwan.

References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.
[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.
[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.
[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.
[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.
[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.
[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man, and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.
[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.
[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.
[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.
[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.
[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.
[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.
[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.
[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.
[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.
[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.
[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.
[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology: CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.
[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.
[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.
[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.
[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.
[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.
[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.
[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.
[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.
[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.
[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology: CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.
[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.
[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.
[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.
[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.
[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs: White Paper, Mobile Platform Group, Intel Corporation, 2002.
[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.
[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.
[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.
[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," in Advances in Cryptology: CRYPTO '93, pp. 302–318, 1993.
[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.
[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.
[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.


Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s_i^{e_b}\, H_1^2(m_i)\, H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod{n_b}$ for all $i \in \{1, \ldots, \ell + 1\}$;
    (ii) $m_1, \ldots, m_{\ell+1}$ are all distinct;
  else return 0.

Algorithm 1: Experiment FG-1.

Step 6. $\mathcal{B}$ outputs $b' \in \{0, 1\}$ as the guess of $b$. The bank $\mathcal{B}$ wins the game if $b' = b$ and $\mathcal{J}$ has not revoked the anonymity of $(s_b, m_b, \sigma_b, D_b)$ and $(s_{1-b}, m_{1-b}, \sigma_{1-b}, D_{1-b})$ to $\mathcal{B}$. We define the advantage of $\mathcal{B}$ as

$$\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = \left| 2 \Pr[b' = b] - 1 \right| \quad (13)$$

where $\Pr[b' = b]$ denotes the probability of $b' = b$.

Definition 2 (Unlinkability). A DAOECS satisfies the unlinkability property if and only if the advantage $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B})$ defined in Definition 1 is negligible.

Theorem 3. A DAOECS satisfies the unlinkability property of Definition 2 if the adopted cryptosystems are semantically secure.

Proof. If $\mathcal{B}$ is given $\bot$ in Step 5 of the game, it will determine $b$ with probability $1/2$, which is exactly the same as a random guess of $b$.

Here we assume that $\mathcal{B}$ gets two e-cash $(s_0, m_0, \sigma_0, D_0)$ and $(s_1, m_1, \sigma_1, D_1)$. Let $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$, $i \in \{0, 1\}$, be the view of data exchanged between $U_i$ and $\mathcal{B}$ in the withdrawal protocol (Section 3.2.2), and let $(x_{2i}, r_{2i}, r_{4i}, r_{u_i}, r_{s_i}, s'_i, d_i)$ be the view of data exchanged when $\mathcal{B}$ performs the payment protocol (Section 3.2.3) and the deposit protocol (Section 3.2.4) by using $(s_i, m_i, \sigma_i, D_i)$, where $i \in \{0, 1\}$. For

$$(s, m, \sigma, D, x_2, r_2, r_4, r_u, r_s, s', d) \in \{(s_0, m_0, \sigma_0, D_0, x_{20}, r_{20}, r_{40}, r_{u_0}, r_{s_0}, s'_0, d_0),\ (s_1, m_1, \sigma_1, D_1, x_{21}, r_{21}, r_{41}, r_{u_1}, r_{s_1}, s'_1, d_1)\} \quad (14)$$

and $(\alpha_i, \beta_i, t_i, \epsilon_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$, $i \in \{0, 1\}$, there always exists a pair $(a'_i, b'_i)$ such that

$$a'_i = [\alpha_i H_1^2(m, D)]^{-d_b} \bmod n_b \quad \text{(via (1))},$$
$$b'_i = [\beta_i H_3(\sigma, D)]^{-d_b} \bmod n_b \quad \text{(via (2))}. \quad (15)$$

And from (3), $t_i \equiv (\alpha_i \beta_i H_2(D))^{d_b} \pmod{n_b}$, so (4) always holds as

$$s \equiv (a'_i b'_i t_i) \equiv [(H_1^2(m, D)\, H_3(\sigma, D))^{-1} H_2(D)]^{d_b} \pmod{n_b}. \quad (16)$$

Besides, $E_{pk_j}$ and $E_{k_i}$ are semantically secure encryption functions, so $\mathcal{B}$ cannot learn any information from $\epsilon_i$ and $E_{k_i}(b_i, \sigma_i, r_{j_i})$.

From the above, given any $(s, m, \sigma, D) \in \{(s_0, m_0, \sigma_0, D_0), (s_1, m_1, \sigma_1, D_1)\}$ and $(\alpha_i, \beta_i, t_i)$, where $i \in \{0, 1\}$, there always exists a corresponding pair $(a'_i, b'_i)$ such that (1), (2), (3), and (4) are satisfied. Thus, going back to Step 6 of the game, the bank $\mathcal{B}$ succeeds in determining $b$ with probability $(1/2) + \varepsilon$, where $\varepsilon$ is negligible since $E_{pk_j}$ and $E_{k_i}$ are semantically secure. Therefore we have $\mathrm{Adv}^{\mathrm{Linkability}}_{\mathrm{DAOECS}}(\mathcal{B}) = 2\varepsilon$, which is negligible, so that DAOECS satisfies the unlinkability property.
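Relations (15) and (16) worked through on a toy RSA modulus, as an added example that is not part of the paper: two users withdraw one coin each, and the bank's test of whether its withdrawal view explains a given coin succeeds for every coin/view pairing, which is exactly why the view gives $\mathcal{B}$ no linking information. Assumptions: the hashes are SHA-256 stand-ins reduced mod $n_b$, the modulus is built from two small Mersenne primes, and both coins carry the same expiration date (the bank receives $D$ in the clear during withdrawal, so the argument is about coins sharing a date).

```python
"""Worked check of (15)-(16): the bank's withdrawal view fits every coin.
Added example, not the paper's code; all parameters are constructed."""
import hashlib

# Constructed toy bank key (e_b, d_b, n_b); both factors are Mersenne primes.
P_B, Q_B = 2**31 - 1, 2**61 - 1
N_B = P_B * Q_B
E_B = 65537
D_B = pow(E_B, -1, (P_B - 1) * (Q_B - 1))


def h(label: bytes, *parts: bytes) -> int:
    """Stand-in random oracle: SHA-256 of a labelled encoding, reduced mod n_b."""
    digest = hashlib.sha256(label + b"|" + b"|".join(parts)).digest()
    return int.from_bytes(digest, "big") % N_B


def H1_sq(m: bytes, D: bytes) -> int:
    """H_1^2(m, D): H_1 applied twice, as the H_1 oracle simulation treats it."""
    inner = h(b"H1", m, D)
    return h(b"H1", inner.to_bytes(12, "big"))


def H2(D: bytes) -> int:
    return h(b"H2", D)


def H3(sigma: bytes, D: bytes) -> int:
    return h(b"H3", sigma, D)


def withdraw(m: bytes, sigma: bytes, D: bytes, a: int, b: int):
    """One withdrawal: the user blinds with (a, b), the bank signs blindly, the
    user unblinds. Returns the coin (s, m, sigma, D) and the bank's view."""
    # User side: alpha and beta are formed so that (15) recovers a and b.
    alpha = pow(a, -E_B, N_B) * pow(H1_sq(m, D), -1, N_B) % N_B
    beta = pow(b, -E_B, N_B) * pow(H3(sigma, D), -1, N_B) % N_B
    # Bank side, relation (3): t = (alpha * beta * H_2(D))^{d_b} mod n_b.
    t = pow(alpha * beta * H2(D) % N_B, D_B, N_B)
    # User side, relation (4): s = a * b * t.
    s = a * b * t % N_B
    return (s, m, sigma, D), (alpha, beta, t)


def verify(coin) -> bool:
    """Check (i) of Algorithm 1: s^{e_b} H_1^2(m) H_3(sigma, D) == H_2(D) mod n_b."""
    s, m, sigma, D = coin
    lhs = pow(s, E_B, N_B) * H1_sq(m, D) % N_B * H3(sigma, D) % N_B
    return lhs == H2(D)


def explains(coin, view) -> bool:
    """The bank's linking test: derive (a', b') from the view via (15) and
    check relation (16), s == a' * b' * t, against this coin."""
    s, m, sigma, D = coin
    alpha, beta, t = view
    a_prime = pow(alpha * H1_sq(m, D) % N_B, -D_B, N_B)
    b_prime = pow(beta * H3(sigma, D) % N_B, -D_B, N_B)
    return s == a_prime * b_prime * t % N_B


def linking_matrix():
    """Two users withdraw one coin each (same expiration date); return the
    matrix [[explains(coin_j, view_i)]]. Every entry is True, so the views
    carry no information about which coin came from which withdrawal."""
    coin0, view0 = withdraw(b"m0", b"sigma0", b"2014-12-31", 123456789, 987654321)
    coin1, view1 = withdraw(b"m1", b"sigma1", b"2014-12-31", 192837465, 564738291)
    return [[explains(c, v) for v in (view0, view1)] for c in (coin0, coin1)]
```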

4.2. E-Cash Unforgeability. In this section we formally prove that the proposed date attachable offline electronic cash scheme (DAOECS) is secure against forgery attacks. Forgery attacks can be roughly divided into two types: one is the typical one-more forgery (i.e., $(\ell, \ell+1)$-forgery) [37], and the other is forgery on some specific expiration date of an e-cash after sufficient communication with the signing oracle (i.e., the bank). The definitions and our formal proofs are described as follows.

Definition 4 (Forgery Game 1 in DAOECS (FG-1)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS and is responsible for issuing e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $\mathcal{A}$. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k)$ shown in Algorithm 1. $\mathcal{A}$ wins the forgery game FG-1 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}1}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Definition 5 (Forgery Game 2 in DAOECS (FG-2)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS and takes charge of the following two events:
(i) issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) according to the queries from $\mathcal{A}$;
(ii) record the total number $\ell_{D_i}$ of each distinct expiration date $D_i$.
$\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider the experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(l_k)$ shown in Algorithm 2. $\mathcal{A}$ wins the forgery game FG-2 if the probability $\Pr[\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Experiment $\mathrm{Exp}^{\mathrm{FG\text{-}2}}_{\mathcal{A}}(l_k)$:
$(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
$\{(s_i, m_i, \sigma_i, D^*) \mid 1 \le i \le \ell_{D^*} + 1\} \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$
if the following checks are true, return 1:
(i) $s_i^{e_b} H_1^2(m_i) H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell_{D^*} + 1\}$
(ii) $m_1, \ldots, m_{\ell_{D^*}+1}$ are all distinct
else return 0

Algorithm 2: Experiment FG-2.

Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_{\mathcal{A}}(k)$:
$(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
$(y_1, \ldots, y_m) \leftarrow \mathcal{O}_t(N, e, k)$
$(\pi, (x_1, y_1), \ldots, (x_n, y_n)) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
if the following checks are true, return 1:
(i) $\pi: \{1, \ldots, n\} \rightarrow \{1, \ldots, m\}$ is injective
(ii) $x_i^e \equiv y_i \pmod{N}$, $\forall i \in \{1, \ldots, n\}$
(iii) $n > q_h$
else return 0

Algorithm 3.

Here we introduce the hard problems used in our proof models.

Definition 6 (Alternative Formulation of RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ for $m$ and $q_h$ times, respectively. Consider Algorithm 3. We say $\mathcal{A}$ breaks the RSA-ACTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}ACTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Definition 7 (The RSA Inversion Problem). Given $(e, n)$, where $n$ is the product of two distinct large primes $p$ and $q$ of roughly the same length and $e$ is a positive integer relatively prime to $(p-1)(q-1)$, and a randomly chosen positive integer $y$ less than $n$, find an integer $x$ such that $x^e \equiv y \pmod{n}$.

Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then DAOECS is secure against forgery attacks.

Theorem 9. For a polynomial-time adversary $\mathcal{A}$ who can win FG-1 or FG-2 with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-ACTI problem or the RSA inversion problem with nonnegligible probability.

Proof. $\mathcal{S}$ simulates the environment and controls three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ and an e-cash producing oracle $\mathcal{O}_S$ of the DAOECS scheme to respond to different queries from $\mathcal{A}$ in the random oracle model, and takes advantage of $\mathcal{A}$ to solve the RSA-ACTI problem or the RSA inversion problem at the same time. Then, for consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.

Here we start the simulation for the two games (i.e., FG-1 and FG-2) to prove that DAOECS is secure against forgery attacks. The details of the simulation are set out below and illustrated in Figures 6 and 7, respectively.

Simulation in FG-1. In this proof model, $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-ACTI problem defined in Definition 6 to help $\mathcal{S}$ produce e-cash(s), and the corresponding verifying key is $(e, n)$.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$.
Initially, every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\bot, \bot, \bot)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \ne \bot$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1^2(m_i)$ and returns it to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \bot$ for some $i$, then $\mathcal{S}$ queries $\mathcal{O}_t$ to get an instance $y$, returns it to $\mathcal{A}$, and then fills the record $(m_i, H_1(m_i), \bot)$ as $(m_i, H_1(m_i), y)$ in $\mathcal{L}_{H_1}$;
(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \bot)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$.
When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$.
While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ will be retrieved and $(\eta^e \bmod n)$ will be returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, record $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$, and return $(\eta^e \bmod n)$ back to $\mathcal{A}$.

Figure 6: The proof model of FG-1.

Figure 7: The proof model of FG-2.

(iv) E-Cash Producing Query of $\mathcal{O}_S$.
When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$, obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e \bmod n)$, and store $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$ as in the $\mathcal{O}_{H_2}$ query described above;
(6) send $(\alpha \beta \tau^e)$ to oracle $\mathcal{O}_{\mathrm{inv}}$ to get $t = (\alpha \beta \tau^e)^d \bmod n$;
(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.


Eventually, assume that $\mathcal{A}$ can successfully output $\ell+1$ e-cash tuples

$$(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \quad (17)$$

where the $m_i$ are all distinct, $\forall i$, $1 \le i \le \ell+1$, such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) = H_2(D_i) \pmod{n}$, after $\ell$ queries to $\mathcal{O}_S$, with nonnegligible probability $\epsilon_{\mathcal{A}}$. According to $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve RSA-inversion instances ($\forall i$, $1 \le i \le \ell+1$)

$$(y_i)^d \equiv (H_1^2(m_i))^d \equiv s_i^{-1} (H_3(\sigma_i, D_i)^{-1} H_2(D_i))^d \equiv s_i^{-1} \eta_i^{-1} (\tau_i) \pmod{n}. \quad (18)$$

Via $\mathcal{A}$ querying the signing oracle $\mathcal{O}_S$ for $\ell$ times (i.e., $\mathcal{S}$ querying $\mathcal{O}_{\mathrm{inv}}$ for $\ell$ times), $\mathcal{S}$ can output $\ell+1$ RSA-inversion instances

$$(s_1^{-1} \eta_1^{-1} (\tau_1), y_1),\ (s_2^{-1} \eta_2^{-1} (\tau_2), y_2),\ \ldots,\ (s_{\ell+1}^{-1} \eta_{\ell+1}^{-1} (\tau_{\ell+1}), y_{\ell+1}) \quad (19)$$

and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
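The extraction step (18) of the FG-1 simulation, as an added example that is not the paper's code: the simulator programs $H_1^2(m_i) = y_i$, $H_2(D_i) = \tau_i^e$ and $H_3(\sigma_i, D_i) = \eta_i^e$ as in the oracle descriptions above, and from any coin passing check (i) of Algorithm 1 it computes $y_i^d = s_i^{-1}\eta_i^{-1}\tau_i$ without touching the private exponent. Assumptions: a toy modulus from two Mersenne primes, SHA-256-derived stand-ins for the simulator's random choices, and a local honest signer standing in for $\mathcal{O}_{\mathrm{inv}}$.

```python
"""Worked extraction of RSA inversions per equation (18).
Added example, not the paper's code; every value is constructed."""
import hashlib

# Constructed toy RSA key; the two factors are Mersenne primes.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D_PRIV = pow(E, -1, (P - 1) * (Q - 1))   # used only by the stand-in for O_inv


def rand_elem(label: bytes) -> int:
    """Deterministic stand-in for 'select a random element of Z_n'."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % N


class Simulator:
    """S's view: the three programmed oracles and the lists L_H1, L_H2, L_H3."""

    def __init__(self):
        self.L_H1 = {}   # m -> y, the target instance from O_t (case (c))
        self.L_H2 = {}   # D -> tau, with H_2(D) = tau^e
        self.L_H3 = {}   # (sigma, D) -> eta, with H_3(sigma, D) = eta^e

    def H1_sq(self, m: bytes) -> int:
        """H_1^2(m): a fresh m is answered with a target instance y."""
        if m not in self.L_H1:
            self.L_H1[m] = rand_elem(b"target|" + m)
        return self.L_H1[m]

    def H2(self, D: bytes) -> int:
        tau = self.L_H2.setdefault(D, rand_elem(b"tau|" + D))
        return pow(tau, E, N)

    def H3(self, sigma: bytes, D: bytes) -> int:
        eta = self.L_H3.setdefault((sigma, D), rand_elem(b"eta|" + sigma + b"|" + D))
        return pow(eta, E, N)

    def verify(self, coin) -> bool:
        """Check (i) of Algorithm 1 under the programmed oracles."""
        s, m, sigma, D = coin
        lhs = pow(s, E, N) * self.H1_sq(m) % N * self.H3(sigma, D) % N
        return lhs == self.H2(D)

    def extract(self, coin):
        """Equation (18): return (y^d, y) for a valid coin using the lists only,
        i.e. y^d = s^{-1} * eta^{-1} * tau, never the RSA private exponent."""
        s, m, sigma, D = coin
        if not self.verify(coin):
            raise ValueError("coin fails check (i); nothing to extract")
        y, eta, tau = self.L_H1[m], self.L_H3[(sigma, D)], self.L_H2[D]
        y_d = pow(s, -1, N) * pow(eta, -1, N) % N * tau % N
        return y_d, y


def honest_coin(sim: Simulator, m: bytes, sigma: bytes, D: bytes):
    """Stand-in for O_inv plus unblinding: an honestly issued coin with
    s = [(H_1^2(m) H_3(sigma, D))^{-1} H_2(D)]^d mod n, relation (4)."""
    base = pow(sim.H1_sq(m) * sim.H3(sigma, D) % N, -1, N) * sim.H2(D) % N
    return (pow(base, D_PRIV, N), m, sigma, D)


def demo() -> bool:
    """Three valid coins give three RSA inversions; True if x^e == y for all."""
    sim = Simulator()
    coins = [honest_coin(sim, b"m%d" % i, b"sigma%d" % i, b"2014-12-31") for i in range(3)]
    return all(pow(x, E, N) == y for x, y in (sim.extract(c) for c in coins))
```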

Simulation in FG-2. Initially, $\mathcal{S}$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$.
Initially, every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\bot, \bot, \bot)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\rho_i$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \ne \bot$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma$ and returns $(\varsigma^e \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \bot$ for some $i$, then $\mathcal{S}$ selects a random $\varsigma \in \mathbb{Z}_n$, returns $(\varsigma^e \bmod n)$ to $\mathcal{A}$, and then fills the record $(m_i, H_1(m_i), \bot)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \bot)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$.
When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$.
While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ will be retrieved and returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e y \bmod n)$, record $((\sigma, D), \eta, H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$, and return $H_3(\sigma, D)$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$.
Let $\ell_{D_i}$ be a counter recording the number of queries on each expiration date $D_i$, initialized to 0. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$, obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), \bot, (\alpha \eta^e \bmod n))$ and $(\sigma, D)$ in $\mathcal{L}_{H_3}$ and $\mathcal{L}_x$, respectively;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$ as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv ((b\eta)^{-1} \tau) \pmod{n}$;
(7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Eventually, assume that $\mathcal{A}$ can successfully output $\ell_{D'}+1$ e-cash tuples for some expiration date $D'$,

$$(s_1, m_1, \sigma_1, D'), \ldots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D') \quad (20)$$

such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D') = H_2(D') \pmod{n}$, $\forall i$, $1 \le i \le \ell_{D'}+1$, after $\ell_{D'}$ queries to $\mathcal{O}_S$ on $D'$, with nonnegligible probability $\epsilon_{\mathcal{A}}$.

Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'}+1$, is not recorded in $\mathcal{L}_x$; then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve

$$(s_i)^e \equiv (H_1^2(m_i)\, H_3(\sigma_i, D'))^{-1} H_2(D') \equiv ((\varsigma_i^e)(\eta_i^e y))^{-1} (\tau_i^e) \pmod{n},$$
$$x \equiv y^d \equiv (s_i \varsigma_i \eta_i)^{-1} \tau_i \pmod{n} \quad (21)$$

and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

4.3. E-Cash Conditional-Traceability. In this section we prove that the ID information embedded in e-cash(s) cannot be replaced or removed by any user in order to avoid being traced after some misbehavior or crime. The details of our proof model are illustrated in Figure 8.

Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS to record parameters from the queries of $\mathcal{A}$ and issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider Algorithm 4. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Figure 8: The proof model of TG.

Experiment $\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(l_k)$:
$(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
$(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
$\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow \mathcal{O}_S$
if the following two checks are true, return 1:
(i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$
(ii) $s'^{e} H_1^2(m') H_3(\sigma', D') = H_2(D') \bmod n$
else return 0

Algorithm 4.

Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies E-Cash Traceability.

Definition 12 (Alternative Formulation of RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5. We say $\mathcal{A}$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{\mathcal{A}}(k)$:
$(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
$(y_1, \ldots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$
$((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
if $x_i^e \equiv y_i \pmod{N}$, $\forall i \in \{1, \ldots, q_t\}$, return 1
else return 0

Algorithm 5.

Theorem 13. For a polynomial-time adversary $\mathcal{A}$ who can win the tracing game TG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-AKTI problem with nonnegligible probability.

Proof. $\mathcal{S}$ simulates the environment of DAOECS by controlling three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ to respond to hash queries and an e-cash producing oracle $\mathcal{O}_S$ of DAOECS to respond to e-cash producing queries from $\mathcal{A}$, respectively, in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the RSA-AKTI problem. Then, for consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.

Besides, in the proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12 to help $\mathcal{S}$ produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.

Here we do the simulation for game TG to prove that DAOECS satisfies e-cash traceability. Details are described as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$.
Initially, every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\bot, \bot, \bot)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \ne \bot$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^e \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \bot$ for some $i$, then $\mathcal{S}$ chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^e \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and then fills the original record $(m_i, H_1(m_i), \bot)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, H_1(m), \bot)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$.
When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$.
While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will query $\mathcal{O}_t$ to get an instance $y$ and record $y$ and $((\sigma, D), y)$ in $\mathcal{L}_T$ and $\mathcal{L}_{H_3}$, respectively;
(c) return $y$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$.
While $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$, obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$ as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv ((b\eta)^{-1} \tau) \pmod{n}$;
(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of any $\mathcal{O}_S$ query, such that $s'^{e} H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod{n}$; then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can derive

$$(y')^d \equiv (H_3(\sigma', D'))^d \equiv s'^{-1} (H_1^2(m')^{-1} H_2(D'))^d \equiv s'^{-1} \varsigma'^{-1} \tau' \pmod{n}. \quad (22)$$

Let $|\mathcal{L}_T| = q_t$ and $\mathcal{L}_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends $y_i \in (\mathcal{L}_T - \{y'\})$, $1 \le i \le (q_t - 1)$, to $\mathcal{O}_{\mathrm{inv}}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$. Eventually $\mathcal{S}$ can output $q_t$ RSA-inversion instances

$$(x_1, y_1), (x_2, y_2), \ldots, (x_{q_t-1}, y_{q_t-1}), ((s'^{-1} \varsigma'^{-1} \tau'), y') \quad (23)$$

after querying $\mathcal{O}_{\mathrm{inv}}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has been spent in a previous transaction, any further spending is detected immediately by the double-spending check procedure. However, in an offline e-cash model the merchant may accept a transaction involving a double-spent e-cash first and perform the double-spending check later. In this case the original owner of the e-cash may suffer a loss. Therefore a secure offline e-cash scheme should guarantee the following two events:

(i) No one except the real owner can spend a fresh and valid offline e-cash successfully.

(ii) No one can double spend an e-cash successfully.

Roughly, this can be referred to as the e-cash no-swindling property. In this section we define the no-swindling property and formally prove that our scheme is secure against swindling attacks.

Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $\mathcal{O}_{\mathrm{off}}$ is an oracle that shows the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.


Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k)$:
$(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
$(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
if the following checks are true, return 1:
(i) $s^{e_b} H_1^2(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
(ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ has never been a query to $\mathcal{O}_{\mathrm{off}}$
else return 0

Algorithm 6: Experiment SWG-1.

Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k)$:
$(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
$(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
if the following checks are true, return 1:
(i) $s^{e_b} H_1^2(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
(ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{\mathrm{off}}$ once
(iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ is not obtained from $\mathcal{O}_{\mathrm{off}}$
else return 0

Algorithm 7: Experiment SWG-2.

Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. Then, for consistency, $\mathcal{S}$ maintains a list $\mathcal{L}_{H_4}$ to record every response of $\mathcal{O}_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we describe the simulations for the two experiments $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ and $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ individually.

The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$.
Initially, $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
(a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(b) if $i = \nu$: (1) compute $(w_1 = (y^*)^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
(c) if $i \ne \nu$: (1) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
(d) prepare $s = ((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D))^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $\mathcal{L}_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{\mathrm{off}}$.
When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it will look up the list $\mathcal{L}_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
(b) otherwise $\mathcal{O}_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $\mathcal{L}_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*} \bmod p$, $\mathcal{S}$ can derive

$$x^* = (r_1^*)^{-1}\left(x_1^*\,H_4(r_u^*, r_s^*) + s'^*\right) \bmod q \qquad (24)$$

The Scientific World Journal 15

[Figure 9: The proof model of SWG-1. $\mathcal{A}$ sends (request $i$) to $\mathcal{O}_B$ and receives $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$; for $i = \nu$, $\mathcal{O}_B$ sets $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$. $\mathcal{A}$ sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$ and receives $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, r_u, s')$. The swindle output $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_s^*, r_u^*, s'^*)$ satisfies $s^{*e_b} H_1^2(w_1^*, y_1^*, w_2^*, y_2^*, D^*, r_3^*)\,H_3(\sigma^*, D^*) \equiv H_2(D^*) \pmod{n_b}$ and $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$; together with $w_1^* = (y^*)^{r_1^*} \bmod p$ this gives $x^* = (r_1^*)^{-1}(x_1^* H_4(r_u^*, r_s^*) + s'^*) \bmod q$.]

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

The simulation for $\mathrm{Exp}^{\text{SWG-2}}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$th query will be the attack target. When $\mathcal{A}$ sends the $i$th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:

(a) if $i = \nu$:
(1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$;
(3) prepare $s = \left((H_1^2(m)\,H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $\mathcal{L}_B$;

(b) if $i \neq \nu$:
(1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
(3) prepare $s = \left((H_1^2(m)\,H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $\mathcal{L}_B$;

(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{\mathrm{off}}$. A status parameter $sta$ is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it will look up the list $\mathcal{L}_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and $sta = 0$, $\mathcal{O}_{\mathrm{off}}$ will perform the following procedures:
(1) set $sta = 1$;
(2) retrieve the corresponding $(u, s')$ from $\mathcal{L}_B$ and choose a random $r_u$;
(3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $\mathcal{L}_H$;
(4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $\mathcal{L}_{\mathrm{off}}$;
(5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;

(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, compute $s' = r_1 - u x_1 \bmod q$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;

(c) otherwise, abort.

(iii) Oracle $\mathcal{O}_{H_4}$. While $\mathcal{A}$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ will check the list $\mathcal{L}_H$:

(a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ will retrieve the corresponding $u$ and return it to $\mathcal{A}$;

[Figure 10: The proof model of SWG-2. For $i = \nu$, $\mathcal{O}_B$ sets $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$. On the first $\mathcal{O}_{\mathrm{off}}$ query on the target e-cash ($sta = 0$), $\mathcal{O}_{\mathrm{off}}$ sets $sta = 1$, sets $H_4(r_u, r_s) = u$ (stored in $\mathcal{L}_H$ and answered by $\mathcal{O}_{H_4}$), and records the expansion in $\mathcal{L}_{\mathrm{off}}$. The swindle output $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_s^*, r_u^*, s'^*)$ satisfies $s^{*e_b} H_1^2(w_1^*, y_1^*, w_2^*, y_2^*, D^*, r_3^*)\,H_3(\sigma^*, D^*) \equiv H_2(D^*) \pmod{n_b}$ and $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$; since $((y^*)^{x_1^*})^{u^*} g^{s'^*} \equiv w_1^* \equiv ((y^*)^{x_1^*})^{u} g^{s'} \pmod p$, $\mathcal{S}$ obtains $x^* = (x_1^*(u^* - u))^{-1}(s' - s'^*) \bmod q$.]

(b) otherwise, $\mathcal{O}_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, and return $u$ to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $\mathcal{L}_B$, and $H_4(r_u^*, r_s^*) = u^*$ via $\mathcal{L}_H$. Then, since

$$\left((y^*)^{x_1^*}\right)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \left((y^*)^{x_1^*}\right)^{u} g^{s'} \pmod p, \qquad (25)$$

$\mathcal{S}$ can derive

$$x^* = \left(x_1^*\,(u^* - u)\right)^{-1}\left(s' - s'^*\right) \bmod q \qquad (26)$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.
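The two extraction steps (24) and (26) carried out on a toy group, as an added example that is not part of the paper: the simulator's bookkeeping is real, while the forger is played by a harness that knows $x^*$ (the paper only assumes such an adversary exists; a harness is the only way to exercise the algebra offline). Constructed values: $q = 1019$, $p = 2039$, $g = 4$, and SHA-256 reduced mod $q$ standing in for $H_4$; the e-cash components that do not enter the $H_4$ relation are omitted.

```python
"""Added example (not from the paper): the discrete-log extraction steps of
the SWG-1 and SWG-2 reductions, eqs. (24) and (26), on a toy group.

Constructed parameters: p = 2q + 1 with q = 1019, p = 2039 (both prime), and
g = 4 = 2^2, a generator of the order-q subgroup. H4 is modelled as SHA-256
truncated mod q. Only the relation w1 = y1^{H4(ru, rs)} * g^{s'} mod p is
exercised; s, w2, y2, r3, sigma and D play no part in it and are omitted.
"""
import hashlib
import secrets

Q = 1019          # prime order of the subgroup (constructed toy value)
P = 2 * Q + 1     # 2039, also prime
G = 4             # 2^2 mod P, a generator of the order-Q subgroup


def h4(r_u: int, r_s: int) -> int:
    """Random-oracle stand-in for H4(r_u, r_s): SHA-256 of both values, mod q."""
    data = r_u.to_bytes(8, "big") + r_s.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def expansion_valid(w1: int, y1: int, r_u: int, r_s: int, s_prime: int) -> bool:
    """The check w1 == y1^{H4(ru, rs)} * g^{s'} mod p from the swindling game."""
    return w1 == (pow(y1, h4(r_u, r_s), P) * pow(G, s_prime, P)) % P


def honest_expansion(r1: int, x1: int, r_u: int, r_s: int) -> int:
    """Legitimate owner with w1 = g^{r1}, y1 = g^{x1}: s' = r1 - H4(ru, rs) x1 mod q."""
    return (r1 - h4(r_u, r_s) * x1) % Q


def extract_swg1(r1: int, x1: int, r_u: int, r_s: int, s_prime: int) -> int:
    """Eq. (24): with w1 = (y*)^{r1} and y1 = g^{x1}, a valid (ru, rs, s') gives
    x* = r1^{-1} (x1 H4(ru, rs) + s') mod q."""
    return (pow(r1, -1, Q) * (x1 * h4(r_u, r_s) + s_prime)) % Q


def extract_swg2(x1: int, u: int, s_prime: int, u_star: int, s_prime_star: int) -> int:
    """Eq. (26): with y1 = (y*)^{x1} and two valid expansions of the same w1
    under H4 values u != u*, x* = (x1 (u* - u))^{-1} (s' - s'*) mod q."""
    return (pow(x1 * (u_star - u) % Q, -1, Q) * (s_prime - s_prime_star)) % Q


def demo_swg1(x_star: int) -> int:
    """Simulator side of SWG-1; the forger is a harness that knows x* (the
    simulator itself never touches x*). Returns the extracted value."""
    y_star = pow(G, x_star, P)
    r1, x1 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    w1 = pow(y_star, r1, P)              # target e-cash: w1 = (y*)^{r1}
    y1 = pow(G, x1, P)
    r_u, r_s = secrets.randbelow(2**32), secrets.randbelow(2**32)
    # Harness forgery: s'* = r1 x* - x1 H4(ru, rs) mod q makes the check pass.
    s_prime_star = (r1 * x_star - x1 * h4(r_u, r_s)) % Q
    assert expansion_valid(w1, y1, r_u, r_s, s_prime_star)
    return extract_swg1(r1, x1, r_u, r_s, s_prime_star)


def demo_swg2(x_star: int) -> int:
    """Simulator side of SWG-2: y1 = (y*)^{x1}, w1 = y1^u g^{s'} with H4
    programmed to u on the first O_off query; a second valid expansion of the
    same e-cash under a different H4 value u* lets the simulator extract x*."""
    y_star = pow(G, x_star, P)
    x1, u, s_prime = (secrets.randbelow(Q - 1) + 1 for _ in range(3))
    y1 = pow(y_star, x1, P)
    w1 = (pow(y1, u, P) * pow(G, s_prime, P)) % P
    # The second pair (ru*, rs*) is answered by the real H4; retry on the
    # negligible chance that it collides with the programmed value u.
    while True:
        r_u_star, r_s_star = secrets.randbelow(2**32), secrets.randbelow(2**32)
        u_star = h4(r_u_star, r_s_star)
        if u_star != u:
            break
    # Harness forgery: s'* = s' + x* x1 (u - u*) mod q keeps w1 unchanged.
    s_prime_star = (s_prime + x_star * x1 * (u - u_star)) % Q
    assert expansion_valid(w1, y1, r_u_star, r_s_star, s_prime_star)
    return extract_swg2(x1, u, s_prime, u_star, s_prime_star)


if __name__ == "__main__":
    secret = secrets.randbelow(Q - 1) + 1
    print("SWG-1 recovers x*:", demo_swg1(secret) == secret)
    print("SWG-2 recovers x*:", demo_swg2(secret) == secret)
```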

Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. It implies that there exists no PPT adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.

5. E-Cash Advanced Features and Performance Comparisons

In this section, we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and form a table (Table 1) for the summary.

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these, there are other advanced features of an e-cash system discussed in the literature. We focus on three other advanced features, which are traceability, date attachability, and no-swindling, and we compare the proposed scheme with the aforementioned schemes.

We also propose an e-cash renewal protocol for users to exchange their unused but expired e-cash(s) for a new valid e-cash; therefore users do not have to deposit the e-cash before it expires and withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. It is a great help to users, since their devices, such as smart phones, usually have weaker computation capability.

Table 1: Advanced features and performance comparisons.

Scheme | On/off-line | Conditional-traceability | Date attachability | No-swindling | Renewal protocol | Formal proof | Transaction cost⋆ | Communication cost (bytes)
Ours | Off | Yes | Yes | Yes | Yes | Yes | 5E + 7M + 7H + 1inv + 1A ≈ 1454M | 1092
[38] | Off | Yes | No | No | — | Yes | 14E + 14M + 1H + 5A ≈ 3375M | 576
[14] | Off | No | No | No | Yes | No | 6E + 8M ≈ 1448M | 1288
[15] | Off | Yes | No | No | — | Yes | 23E + 14M + 1A ≈ 5534M | 939
[9] | On | No | Yes | — | No | No | 2E + 2M + 2H ≈ 966M | 769
[21] | Off | Yes | Yes | No | Yes | No | 5E + 9M + 1H + 1inv + 2A ≈ 1450M | 644
[22] | Off | Yes | No | Yes | Yes | Yes | 2E ≈ 480M | 300
[39] | Off | Yes | No | No | — | Yes | 18E + 15M + 2H + 8A ≈ 4337M | 828
[40] | Off | Yes | No | No | — | Yes | 31E + 22M + 6H + 10A ≈ 7468M | 968
[13] | On | Yes | No | — | — | Yes | 22E + 11M + 4A ≈ 5291M | 1536
[27] | Off | No | Yes | No | Yes | No | 6E + 8M + 1H ≈ 1449M | 728

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
Communication cost: the communication cost of each transaction at the user side, in bytes.


5.2. Performance Comparisons. According to [41], we can summarize and induce the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times the computation cost of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.

With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be induced as 1452 times of a modular multiplication computation, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times of a modular multiplication computation to finish the withdrawal and payment phases at the user end.

According to [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and the one-way hash function used in all protocols, respectively; therefore the signed message and the hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.

The details of the comparisons are summarized in Table 1.

6. Conclusion

In this paper, we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol where users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient from the aspect of the computation cost at the user side while satisfying all security properties simultaneously. In addition to anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank manage its huge databases against unlimited growth, but it also strengthens the preservation of users' privacy and rights.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSU-KMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.

References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.

[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.

[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.

[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.

[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.

[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.

[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.

[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.

[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.

[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.

[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.

[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.

[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.

[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.

[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.

[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.

[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.

[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology - CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.

[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.

[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.

[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.

[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.

[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.

[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.

[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.

[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology - CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.

[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.

[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.

[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.

[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.

[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs - White Paper, Mobile Platform Group, Intel Corporation, 2002.

[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.

[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.

[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.

[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.

[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.

[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.

[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.


Experiment $\mathrm{Exp}^{\text{FG-2}}_{\mathcal{A}}(l_k)$:

$(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$;

$\{(s_i, m_i, \sigma_i, D^*)\}_{1 \le i \le \ell_{D^*}+1} \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_j, g_1, g_2, e_b, n_b, H_1, H_2, H_3, H_4, H_5)$;

if the following checks are true, return 1:

(i) $s_i^{e_b} H_1^2(m_i)\,H_3(\sigma_i, D^*) \equiv H_2(D^*) \pmod{n_b}$, $\forall i \in \{1, \ldots, \ell_{D^*}+1\}$;

(ii) $m_1, \ldots, m_{\ell_{D^*}+1}$ are all distinct;

else return 0.

Algorithm 2: Experiment FG-2.

Experiment $\mathrm{Exp}^{\text{RSA-ACTI}}_{\mathcal{A}}(k)$:

$(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$;

$(y_1, \ldots, y_m) \leftarrow \mathcal{O}_t(N, e, k)$;

$(\pi, (x_1, y_1), \ldots, (x_n, y_n)) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$;

if the following checks are true, return 1:

(i) $\pi: \{1, \ldots, n\} \rightarrow \{1, \ldots, m\}$ is injective;

(ii) $x_i^e \equiv y_i \pmod N$, $\forall i \in \{1, \ldots, n\}$;

(iii) $n > q_h$;

else return 0.

Algorithm 3: Experiment RSA-ACTI.

FG-2 if the probability $\Pr[\mathrm{Exp}^{\text{FG-2}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Here we introduce the hard problems used in our proof models.

Definition 6 (Alternative Formulation of the RSA Chosen-Target Inversion Problem (RSA-ACTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ for $m$ and $q_h$ times, respectively. Consider Algorithm 3. We say $\mathcal{A}$ breaks the RSA-ACTI problem if the probability $\Pr[\mathrm{Exp}^{\text{RSA-ACTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Definition 7 (The RSA Inversion Problem). Given $(e, n)$, where $n$ is the product of two distinct large primes $p$ and $q$ with roughly the same length and $e$ is a positive integer relatively prime to $(p-1)(q-1)$, and a randomly chosen positive integer $y$ less than $n$, find an integer $x$ such that $x^e \equiv y \pmod n$.

Definition 8 (E-Cash Unforgeability). If there exists no probabilistic polynomial-time adversary who can win FG-1 or FG-2, then DAOECS is secure against forgery attacks.

Theorem 9. For a polynomial-time adversary $\mathcal{A}$ who can win FG-1 or FG-2 with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-ACTI problem or the RSA inversion problem with nonnegligible probability.

Proof. $\mathcal{S}$ simulates the environment and controls three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ and an e-cash producing oracle $\mathcal{O}_S$ of the DAOECS scheme to respond to different queries from $\mathcal{A}$ in the random oracle model, and takes advantage of $\mathcal{A}$ to solve the RSA-ACTI problem or the RSA inversion problem simultaneously. For consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.

Here we will start the simulation for the two games (i.e., FG-1 and FG-2) to prove that DAOECS is secure against forgery attacks. The details of the simulation are set out below and illustrated in Figures 6 and 7, respectively.

Simulation in FG-1. In this proof model, $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-ACTI problem defined in Definition 6 to help $\mathcal{S}$ produce e-cash(s), and the corresponding verifying key is $(e, n)$.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:

(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;

(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1^2(m_i)$ and returns it to $\mathcal{A}$;

(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ queries $\mathcal{O}_t$ to get an instance $y$, returns it to $\mathcal{A}$, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), y)$ in $\mathcal{L}_{H_1}$;

(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:

(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;

(b) otherwise, $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:

[Figure 6: The proof model of FG-1. $\mathcal{A}$ queries $\mathcal{O}_{H_1}$ with $m_i$ (answered with $\rho_i$) and with $H(m_i)$ (answered with the target $y_i$ obtained from $\mathcal{O}_t$), $\mathcal{O}_{H_2}$ with $D_i$ (answered with $\tau_i^e \bmod n$), $\mathcal{O}_{H_3}$ with $(\sigma_i, D_i)$ (answered with $\eta_i^e \bmod n$), and $\mathcal{O}_S$ with $(\alpha_i, \epsilon_i, D_i)$ (answered with $t_i, E_{k_i}(b_i, \sigma_i, r_{j_i})$, where $t_i$ is obtained from $\mathcal{O}_{\mathrm{inv}}$ on $\alpha_i\beta_i\tau_i^e$). Output of $\mathcal{A}$: $(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1})$ with $s_i^e H_1^2(m_i)\,H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod n$, $\forall i \in \{1, \ldots, \ell+1\}$. Output of $\mathcal{S}$: $(s_1^{-1}\eta_1^{-1}\tau_1, y_1), (s_2^{-1}\eta_2^{-1}\tau_2, y_2), \ldots, (s_{\ell+1}^{-1}\eta_{\ell+1}^{-1}\tau_{\ell+1}, y_{\ell+1})$, since $(y_i)^d \equiv (H_1^2(m_i))^d \equiv s_i^{-1}(H_3(\sigma_i, D_i)^{-1} H_2(D_i))^d \equiv s_i^{-1}\eta_i^{-1}\tau_i \pmod n$.]

[Figure 7: The proof model of FG-2. $\mathcal{O}_{H_1}$ answers $m_i$ with $\rho_i$ and $H(m_i)$ with $\varsigma_i^e \bmod n$; $\mathcal{O}_{H_2}$ answers $D_i$ with $\tau_i^e \bmod n$; $\mathcal{O}_{H_3}$ answers $(\sigma_i, D_i)$ with $\eta_i^e \bmod n$; $\mathcal{O}_S$ answers $(\alpha_i, \epsilon_i, D_i)$ with $t_i, E_{k_i}(b_i, \sigma_i, r_{j_i})$. Output of $\mathcal{A}$: $(s_i, m_i, \sigma_i, D')$, $\forall i \in \{1, \ldots, \ell_{D'}+1\}$, with $s_i^e H_1^2(m_i)\,H_3(\sigma_i, D') \equiv H_2(D') \pmod n$. Output of $\mathcal{S}$: $x \equiv y^d \equiv (s_i\varsigma_i\eta_i)^{-1}\tau_i \pmod n$.]

(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ will be retrieved and $(\eta^e \bmod n)$ will be returned to $\mathcal{A}$;

(b) otherwise, $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, record $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$, and return $(\eta^e \bmod n)$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:

(1) decrypt $\epsilon$ to obtain $(k, \mathrm{ID})$;

(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;

(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e \bmod n)$, and store $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$;

(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \eta^e)^{-1} \bmod n$;

(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;

(6) send $(\alpha\beta\tau^e)$ to oracle $\mathcal{O}_{\mathrm{inv}}$ to get $t = (\alpha\beta\tau^e)^d \bmod n$;

(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.


Eventually, assume that $\mathcal{A}$ can successfully output $\ell+1$ e-cash tuples

$$(s_1, m_1, \sigma_1, D_1), \cdots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \qquad (17)$$

where the $m_i$ are all distinct, $\forall i$, $1 \le i \le \ell+1$, such that $s_i^e H_1^2(m_i)\,H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod n$, after $\ell$ queries to $\mathcal{O}_S$, with nonnegligible probability $\epsilon_{\mathcal{A}}$. According to $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve the RSA-inversion instances ($\forall i$, $1 \le i \le \ell+1$)

$$(y_i)^d \equiv \left(H_1^2(m_i)\right)^d \equiv s_i^{-1}\left(H_3(\sigma_i, D_i)^{-1} H_2(D_i)\right)^d \equiv s_i^{-1}\eta_i^{-1}\tau_i \pmod n. \qquad (18)$$

Via $\mathcal{A}$ querying the signing oracle $\mathcal{O}_S$ for $\ell$ times (i.e., $\mathcal{S}$ queries $\mathcal{O}_{\mathrm{inv}}$ for $\ell$ times), $\mathcal{S}$ can output $\ell+1$ RSA-inversion instances

$$(s_1^{-1}\eta_1^{-1}\tau_1, y_1), (s_2^{-1}\eta_2^{-1}\tau_2, y_2), \ldots, (s_{\ell+1}^{-1}\eta_{\ell+1}^{-1}\tau_{\ell+1}, y_{\ell+1}) \qquad (19)$$

and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

Simulation in FG-2. Initially $\mathcal{S}$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\rho_i$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \ne \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\xi$ and returns $(\xi^e \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ selects a random $\xi \in \mathbb{Z}_n$, returns $(\xi^e \bmod n)$ to $\mathcal{A}$, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \xi)$ in $\mathcal{L}_{H_1}$;
(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ will be retrieved and returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e y \bmod n)$, record $((\sigma, D), \eta, H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$, and return $H_3(\sigma, D)$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. Let $\ell_{D_i}$ be a counter recording the number of queries on each expiration date $D_i$, initialized to 0. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), \perp, (\alpha \eta^e \bmod n))$ and $(\sigma, D)$ in $\mathcal{L}_{H_3}$ and $\mathcal{L}_x$, respectively;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e \bmod n)$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv (b \eta)^{-1} \tau \pmod n$, which requires no knowledge of $d$;
(7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Eventually, assume that $\mathcal{A}$ can successfully output $\ell_{D'} + 1$ e-cash tuples for some expiration date $D'$,

$(s_1, m_1, \sigma_1, D'), \ldots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D')$, (20)

such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D') \equiv H_2(D') \pmod n$ for all $i$, $1 \le i \le \ell_{D'} + 1$, after querying $\mathcal{O}_S$ $\ell_{D'}$ times on $D'$, with nonnegligible probability $\epsilon_{\mathcal{A}}$.

Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'} + 1$, is not recorded in $\mathcal{L}_x$. Then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve

$(s_i)^e \equiv \left(H_1^2(m_i)\, H_3(\sigma_i, D')\right)^{-1} H_2(D') \equiv \left((\xi_i^e)(\eta_i^e y)\right)^{-1} (\tau_i^e) \pmod n$,

$x \equiv y^d \equiv (s_i \xi_i \eta_i)^{-1} \tau_i \pmod n$, (21)

and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
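The bank-side steps of the $\mathcal{O}_S$ query (in both FG-1 and FG-2) and the extraction in (21) can be run end to end. The Python below is an added example written for this edit, not code from the paper or its authors. It makes the following assumptions, none of which are spelled out on the page: $H_1$, $H_2$, $H_3$ are modelled as SHA-256 full-domain hashes into $\mathbb{Z}_n$; the user's blinded value is $\alpha = r^e \cdot H_1^2(m)^{-1} \bmod n$, the form under which step (6) and the unblinding $s = t\,b\,r^{-1}$ give a coin satisfying $s^e H_1^2(m) H_3(\sigma, D) \equiv H_2(D) \pmod n$; an opaque byte string stands in for $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$; $b$ is handed back in the clear instead of inside $E_k(b, \sigma, r_j)$; and the RSA factors are toy-sized Mersenne primes. The last function plays both sides of the FG-2 argument: with $H_1^2(m) = \xi^e$, $H_3(\sigma, D) = \eta^e y$ and $H_2(D) = \tau^e$ programmed in, any coin valid under those values yields $y^d = \tau (s \xi \eta)^{-1}$; the "forgery" is manufactured with $d$ only because no real forger is at hand.

```python
"""Added example (not from the paper): toy model of the DAOECS coin core, i.e.
the bank's O_S steps (blind RSA issuing), the verification equation, and the
hash-programming step of the FG-2 reduction. Parameters are toy-sized."""
import hashlib
import secrets

# Toy RSA key: the factors are the Mersenne primes 2^61-1 and 2^89-1, giving a
# ~150-bit modulus. Fine for exercising the algebra, worthless for security.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D_PRIV = pow(E, -1, (P - 1) * (Q - 1))  # bank's secret exponent d


def _fdh(tag: bytes, *parts: bytes) -> int:
    """Full-domain hash into Z_n: length-prefixed SHA-256 reduced mod n.
    Assumption: H1, H2, H3 are modelled as independent random oracles into Z_n."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return int.from_bytes(h.digest(), "big") % N


def H1(m: bytes) -> int:
    return _fdh(b"H1", m)


def H1_squared(m: bytes) -> int:
    """H1^2(m) = H1(H1(m)), the value appearing in the verification equation."""
    return _fdh(b"H1", H1(m).to_bytes(32, "big"))


def H2(date: bytes) -> int:
    return _fdh(b"H2", date)


def H3(sigma: bytes, date: bytes) -> int:
    return _fdh(b"H3", sigma, date)


def verify_coin(s: int, m: bytes, sigma: bytes, date: bytes) -> bool:
    """Coin check: s^e * H1^2(m) * H3(sigma, D) == H2(D) (mod n)."""
    return pow(s, E, N) * H1_squared(m) % N * H3(sigma, date) % N == H2(date)


def user_blind(m: bytes) -> tuple:
    """User side. The page does not spell out alpha; alpha = r^e * H1^2(m)^-1
    (assumption) is the form under which the bank's step (6) and user_unblind
    yield a coin that passes verify_coin."""
    r = secrets.randbelow(N - 2) + 2
    alpha = pow(r, E, N) * pow(H1_squared(m), -1, N) % N
    return alpha, r


def bank_issue(alpha: int, sigma: bytes, date: bytes) -> tuple:
    """Bank side, steps (4)-(7) of the O_S query: b, beta = (b^e H3(sigma,D))^-1,
    t = (alpha * beta * H2(D))^d. sigma stands in for E_pk_j(ID, r_j) and b is
    returned in the clear instead of inside E_k(b, sigma, r_j) (simplifications)."""
    b = secrets.randbelow(N - 2) + 2
    beta = pow(pow(b, E, N) * H3(sigma, date) % N, -1, N)
    t = pow(alpha * beta % N * H2(date) % N, D_PRIV, N)
    return t, b


def user_unblind(t: int, b: int, r: int) -> int:
    """s = t * b * r^-1: r and b cancel, leaving (H2(D) / (H1^2(m) H3(sigma,D)))^d."""
    return t * b % N * pow(r, -1, N) % N


def withdraw(m: bytes, sigma: bytes, date: bytes) -> int:
    alpha, r = user_blind(m)
    t, b = bank_issue(alpha, sigma, date)
    return user_unblind(t, b, r)


def simulator_extract(s: int, xi: int, eta: int, tau: int) -> int:
    """Equation (21): with H1^2(m) = xi^e, H3(sigma,D) = eta^e * y and H2(D) = tau^e
    programmed into the oracles, a valid coin s on (m, sigma, D) gives
    y^d = tau * (s * xi * eta)^-1 mod n."""
    return tau * pow(s * xi % N * eta % N, -1, N) % N


def fg2_extraction_demo() -> bool:
    """Play both roles of FG-2 on toy parameters. The 'forgery' is manufactured
    with d only because no real forger is available; the simulator never uses d."""
    y = secrets.randbelow(N - 2) + 2                           # RSA-inversion challenge
    xi, eta, tau = (secrets.randbelow(N - 2) + 2 for _ in range(3))
    h1sq, h3, h2 = pow(xi, E, N), pow(eta, E, N) * y % N, pow(tau, E, N)
    s = pow(h2 * pow(h1sq * h3 % N, -1, N) % N, D_PRIV, N)    # valid under programmed hashes
    assert pow(s, E, N) * h1sq % N * h3 % N == h2
    return pow(simulator_extract(s, xi, eta, tau), E, N) == y


if __name__ == "__main__":
    msg = b"w1|y1|w2|y2|r3|2014-12-31"                       # constructed message m
    sigma, date = b"Enc_pkj(ID, r_j)", b"2014-12-31"          # constructed placeholders
    coin = withdraw(msg, sigma, date)
    print("coin valid:           ", verify_coin(coin, msg, sigma, date))
    print("sigma swapped:        ", verify_coin(coin, msg, b"other sigma", date))
    print("expiration date moved:", verify_coin(coin, msg, sigma, b"2015-01-31"))
    print("FG-2 extraction works:", fg2_extraction_demo())
```

Swapping $\sigma$ or moving the expiration date makes `verify_coin` fail, which is the mechanical reason the ID and the dates cannot be detached from a coin without a fresh signature; the extraction function shows why a forger on a fresh $(\sigma, D)$ hands the simulator $y^d$.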

4.3. E-Cash Conditional-Traceability. In this section we prove that the ID information embedded in an e-cash cannot be replaced or removed by any user in order to escape tracing after misbehavior or a crime. The details of our proof model are illustrated in Figure 8.

Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS to record parameters from the queries of $\mathcal{A}$ and issue e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ $\ell$ times; consider Algorithm 4. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{TG}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.

[Figure 8: The proof model of TG. The diagram shows $\mathcal{S}$ answering $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ and $\mathcal{O}_S$ queries, drawing $y_i$ from $\mathcal{O}_t$ for fresh $(\sigma_i, D_i)$, setting $H_3(\sigma_i, D_i) = \alpha_i \eta_i^e \bmod n$ for issued coins (stored in $\mathcal{L}_{H_3}$ and $\mathcal{L}_T$), and from $\mathcal{A}$'s $(s', m', \sigma', D')$ with $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$ deriving $(y')^d \equiv s'^{-1} \xi'^{-1} \tau' \pmod n$, which together with $q_t - 1$ calls to $\mathcal{O}_{inv}$ yields $(x_1, y_1), \ldots, (x_{q_t-1}, y_{q_t-1}), ((s'^{-1}\xi'^{-1}\tau'), y')$; figure not reproduced.]

Algorithm 4: Experiment $\mathrm{Exp}^{TG}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
  $\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow \mathcal{O}_S$
  if the following two checks are true, return 1:
    (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$
    (ii) $s'^e H_1^2(m') H_3(\sigma', D') = H_2(D') \bmod n$
  else return 0

Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tampering game TG, then DAOECS satisfies E-Cash Traceability.

Definition 12 (Alternative Formulation of the RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{inv}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{inv}$ $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5.

We say $\mathcal{A}$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{RSA\text{-}AKTI}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Algorithm 5: Experiment $\mathrm{Exp}^{RSA\text{-}AKTI}_{\mathcal{A}}(k)$
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
  $(y_1, \ldots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$
  $((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow \mathcal{A}^{\mathcal{O}_{inv}, \mathcal{O}_t}(N, e, k)$
  if $x_i^e \equiv y_i \pmod N$ for all $i \in \{1, \ldots, q_t\}$, return 1
  else return 0

Theorem 13. For a polynomial-time adversary $\mathcal{A}$ who can win the tampering game TG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-AKTI problem with nonnegligible probability.

Proof. $\mathcal{S}$ simulates the environment of DAOECS by controlling three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ to respond to hash queries and an e-cash producing oracle $\mathcal{O}_S$ of DAOECS to respond to e-cash producing queries from $\mathcal{A}$, in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the RSA-AKTI problem. For consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.

Besides, in the proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{inv}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12 to help $\mathcal{S}$ produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.

Here we carry out the simulation for game TG to prove that DAOECS satisfies e-cash traceability. Details are described as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \ne \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\xi_i$ and returns $(\xi_i^e \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ chooses $\xi \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\xi^e \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \xi)$ in $\mathcal{L}_{H_1}$;
(d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, H_1(m), \perp)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to $\mathcal{A}$;
(b) otherwise $\mathcal{S}$ will query $\mathcal{O}_t$ to get an instance $y$ and record $y$ and $((\sigma, D), y)$ in $\mathcal{L}_T$ and $\mathcal{L}_{H_3}$, respectively;
(c) return $y$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. While $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e \bmod n)$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv (b \eta)^{-1} \tau \pmod n$;
(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of any $\mathcal{O}_S$ query, such that $s'^e H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$. Since $(\sigma', D')$ was never programmed by $\mathcal{O}_S$, its hash value $H_3(\sigma', D') = y'$ was drawn from $\mathcal{O}_t$, so by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can derive

$(y')^d \equiv \left(H_3(\sigma', D')\right)^d \equiv s'^{-1} \left(H_1^2(m')^{-1} H_2(D')\right)^d \equiv s'^{-1} \xi'^{-1} \tau' \pmod n$. (22)

Let $|\mathcal{L}_T| = q_t$ and $\mathcal{L}_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends each $y_i \in (\mathcal{L}_T - \{y'\})$, $1 \le i \le q_t - 1$, to $\mathcal{O}_{inv}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$. Eventually $\mathcal{S}$ can output $q_t$ RSA-inversion instances

$(x_1, y_1),\ (x_2, y_2),\ \ldots,\ (x_{q_t-1}, y_{q_t-1}),\ ((s'^{-1} \xi'^{-1} \tau'),\ y')$ (23)

after querying $\mathcal{O}_{inv}$ $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has already been spent in a previous transaction, another spending is detected immediately by the double-spending check procedure. However, in an offline e-cash model the merchant may accept a transaction involving a double-spent e-cash first and do the double-spending check later. In this case the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two properties:

(i) no one except the real owner can spend a fresh and valid offline e-cash successfully;

(ii) no one can double-spend an e-cash successfully.

Together these are referred to as the e-cash no-swindling property. In this section we define the no-swindling property and formally prove that our scheme is secure against swindling attacks.

Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $\mathcal{O}_{off}$ is an oracle that shows the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively.

$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{SWG\text{-}1}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{SWG\text{-}2}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Algorithm 6: Experiment $\mathrm{Exp}^{SWG\text{-}1}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\, H_1^2\!\left(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, r_3, D\right) H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ was never a query to $\mathcal{O}_{off}$
  else return 0

Algorithm 7: Experiment $\mathrm{Exp}^{SWG\text{-}2}_{\mathcal{A}}(l_k)$
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\, H_1^2\!\left(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, r_3, D\right) H_3(\sigma, D) = H_2(D) \bmod n_b$
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{off}$ once
    (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ is not obtained from $\mathcal{O}_{off}$
  else return 0

Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. For consistency, $\mathcal{S}$ maintains a list $\mathcal{L}_{H_4}$ to record every response of $\mathcal{O}_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we describe the simulations for the two experiments $\mathrm{Exp}^{SWG\text{-}1}_{\mathcal{A}}$ and $\mathrm{Exp}^{SWG\text{-}2}_{\mathcal{A}}$ individually.

The simulation for $\mathrm{Exp}^{SWG\text{-}1}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
(a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(b) if $i = \nu$, compute $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
(c) if $i \ne \nu$, compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
(d) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $\mathcal{L}_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{off}$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it will look up the list $\mathcal{L}_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
(b) otherwise $\mathcal{O}_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $s' = r_1 - u x_1 \bmod q$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$ where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $\mathcal{L}_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*} \bmod p$, $\mathcal{S}$ can derive

$x^* = (r_1^*)^{-1} \left(x_1^* H_4(r_u^*, r_s^*) + s'^*\right) \bmod q$ (24)

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\, \epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

[Figure 9: The proof model of SWG-1. The diagram shows $\mathcal{S}$ answering the $i$-th $\mathcal{O}_B$ request with $w_1 = (y^*)^{r_1} \bmod p$, $y_1 = g^{x_1} \bmod p$ when $i = \nu$, $\mathcal{O}_{off}$ turning $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ into $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, r_u, s')$, and from the swindled tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_s^*, r_u^*, s'^*)$ with $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} = (y^*)^{r_1^*} \bmod p$ deriving $x^* = (r_1^*)^{-1}(x_1^* H_4(r_u^*, r_s^*) + s'^*) \bmod q$; figure not reproduced.]

The simulation for $\mathrm{Exp}^{SWG\text{-}2}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:
(a) if $i = \nu$:
  (1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
  (2) compute $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$;
  (3) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
  (4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $\mathcal{L}_B$;
(b) if $i \ne \nu$:
  (1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
  (2) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
  (3) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
  (4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $\mathcal{L}_B$;
(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{off}$. A status parameter $sta$ is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it will look up the list $\mathcal{L}_B$:
(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and $sta = 0$, $\mathcal{O}_{off}$ will perform the following procedures:
  (1) set $sta = 1$;
  (2) retrieve the corresponding $(u, s')$ from $\mathcal{L}_B$ and choose a random $r_u$;
  (3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $\mathcal{L}_H$;
  (4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $\mathcal{L}_{off}$;
  (5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\ne \nu$, $\mathcal{O}_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, compute $s' = r_1 - u x_1 \bmod q$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
(c) otherwise abort.

(iii) Oracle $\mathcal{O}_{H_4}$. While $\mathcal{A}$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ will check the list $\mathcal{L}_H$:
(a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ will retrieve the corresponding $u$ and return it to $\mathcal{A}$;
(b) otherwise $\mathcal{O}_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, and return $u$ to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$ where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $\mathcal{L}_B$, and $H_4(r_u^*, r_s^*) = u^*$. Here $u^* \ne u$ except with the negligible probability of an $H_4$ collision: otherwise $(r_u^*, r_s^*) = (r_u, r_s)$, and $w_1^* = (y_1^*)^{u} g^{s'^*}$ forces $s'^* = s'$, so the tuple would be exactly the one returned by $\mathcal{O}_{off}$, which check (iii) of Algorithm 7 excludes. Then via $\mathcal{L}_H$, since

$\left((y^*)^{x_1^*}\right)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \left((y^*)^{x_1^*}\right)^{u} g^{s'} \pmod p$, (25)

$\mathcal{S}$ can derive

$x^* = \left(x_1^* (u^* - u)\right)^{-1} (s' - s'^*) \bmod q$ (26)

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\, \epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

[Figure 10: The proof model of SWG-2. The diagram shows $\mathcal{O}_B$ answering the $\nu$-th request with $y_1 = (y^*)^{x_1} \bmod p$, $w_1 = y_1^{u} g^{s'} \bmod p$; $\mathcal{O}_{off}$ (with $sta$ set to 1 on first use) programming $H_4(r_u, r_s) = u$ in $\mathcal{L}_H$ and recording the expanded tuple in $\mathcal{L}_{off}$; $\mathcal{O}_{H_4}$ serving $u$ from $\mathcal{L}_H$; and from the swindled tuple with $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ deriving $x^* = (x_1^*(u^* - u))^{-1}(s' - s'^*) \bmod q$; figure not reproduced.]

Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. It follows that there exists no p.p.t. adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
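The payment exchange that $\mathcal{O}_{off}$ models ($u = H_4(r_u, r_s)$, $s' = r_1 - u x_1 \bmod q$, merchant check $w_1 = y_1^{u} g^{s'} \bmod p$) and the two-transcript extraction behind (25) and (26) are shown below as an added Python example written for this edit, not code from the paper. It assumes a Schnorr group $p = 2q + 1$ with a toy-sized known safe prime, models $H_4$ as SHA-256 reduced mod $q$, and keeps only the $(w_1, y_1)$ part of the coin, since the RSA signature on $m$ does not enter this argument. In the scheme it is the bank that extracts a double-spender's $x_1$; the proof's $x^*$ is the same computation with $y_1 = (y^*)^{x_1}$ substituted.

```python
"""Added example (not from the paper): toy model of the DAOECS payment
challenge-response behind O_off and of the double-spend extraction whose
algebra appears in equation (26). Group parameters are toy-sized."""
import hashlib
import secrets
from typing import Optional

# Schnorr group: p = 2q + 1 with q prime and g of order q. (2039, 1019) is a
# known safe-prime pair; it keeps numbers readable and is NOT a real parameter set.
P_GRP = 2039
Q_GRP = 1019
G = 4  # 2^2 mod p is a quadratic residue != 1, hence has order exactly q


def H4(r_u: bytes, r_s: bytes) -> int:
    """Challenge hash H4(r_u, r_s): SHA-256 over the length-prefixed pair, reduced
    mod q (assumption: H4 is modelled as a random oracle into Z_q)."""
    data = b"H4" + len(r_u).to_bytes(4, "big") + r_u + r_s
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q_GRP


def user_keygen() -> dict:
    """Per-coin values fixed at withdrawal: owner secret x1, nonce r1, and their
    public images y1 = g^x1, w1 = g^r1, which the bank signs inside m."""
    x1 = secrets.randbelow(Q_GRP - 1) + 1
    r1 = secrets.randbelow(Q_GRP - 1) + 1
    return {"x1": x1, "r1": r1, "y1": pow(G, x1, P_GRP), "w1": pow(G, r1, P_GRP)}


def user_spend(coin: dict, r_s: bytes) -> tuple:
    """Payer side: pick fresh r_u, derive u = H4(r_u, r_s) from the merchant's r_s,
    answer s' = r1 - u*x1 mod q (the value O_off returns in the proof)."""
    r_u = secrets.token_bytes(16)
    u = H4(r_u, r_s)
    s_prime = (coin["r1"] - u * coin["x1"]) % Q_GRP
    return r_u, s_prime


def merchant_check(w1: int, y1: int, r_u: bytes, r_s: bytes, s_prime: int) -> bool:
    """Merchant side: accept iff w1 == y1^H4(r_u, r_s) * g^s' (mod p), i.e. the
    payer knows the x1 behind the signed y1 without revealing it."""
    u = H4(r_u, r_s)
    return pow(y1, u, P_GRP) * pow(G, s_prime, P_GRP) % P_GRP == w1


def extract_double_spender(t1: tuple, t2: tuple) -> Optional[int]:
    """Bank side at deposit: two transcripts (r_u, r_s, s') on the same coin with
    different challenges reveal x1 = (s'_1 - s'_2) * (u_2 - u_1)^-1 mod q.
    Returns None when the challenges coincide (nothing can be extracted)."""
    u1, u2 = H4(t1[0], t1[1]), H4(t2[0], t2[1])
    if u1 == u2:
        return None
    return (t1[2] - t2[2]) * pow((u2 - u1) % Q_GRP, -1, Q_GRP) % Q_GRP


def double_spend_demo() -> bool:
    """Spend one coin at two merchants; both accept, and the bank recovers x1."""
    coin = user_keygen()
    r_s1, r_s2 = b"merchant-A-nonce", b"merchant-B-nonce"    # constructed challenges
    r_u1, s1 = user_spend(coin, r_s1)
    r_u2, s2 = user_spend(coin, r_s2)
    while H4(r_u2, r_s2) == H4(r_u1, r_s1):   # ~1/q chance with this toy q; retry
        r_u2, s2 = user_spend(coin, r_s2)
    assert merchant_check(coin["w1"], coin["y1"], r_u1, r_s1, s1)
    assert merchant_check(coin["w1"], coin["y1"], r_u2, r_s2, s2)
    x1 = extract_double_spender((r_u1, r_s1, s1), (r_u2, r_s2, s2))
    return x1 == coin["x1"] and pow(G, x1, P_GRP) == coin["y1"]


if __name__ == "__main__":
    print("double spender identified:", double_spend_demo())
```

A single honest spend yields one $(u, s')$ pair, from which $x_1$ stays hidden; a second spend of the same coin under a different merchant nonce gives a second pair, and the bank solves the two linear equations for $x_1$. The retry loop exists only because the toy $q$ makes an $H_4$ collision non-negligible; with a real-sized $q$ it never triggers.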

5. E-Cash Advanced Features and Performance Comparisons

In this section we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and summarize them in Table 1.

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Beyond these, other advanced features of an e-cash system are discussed in the literature. We focus on three of them, traceability, date attachability, and no-swindling, and compare the proposed scheme with the aforementioned schemes on these.

We also propose an e-cash renewal protocol for users to exchange their unused but expired e-cash(s) for a new valid e-cash; therefore users do not have to deposit an e-cash before it expires and withdraw a new one again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% compared with running the withdrawal and deposit protocols, i.e., almost half of the effort of getting a new e-cash at the user side. This is a great help to users, since their devices, such as smart phones, usually have weaker computation capability.

Table 1: Advanced features and performance comparisons.

Scheme  On/off-line  Conditional-  Date           No-        Renewal   Formal  Transaction cost (user side)⋆  Communication
                     traceability  attachability  swindling  protocol  proof                                  cost (bytes)†
------  -----------  ------------  -------------  ---------  --------  ------  -----------------------------  -------------
Ours    Off          Yes           Yes            Yes        Yes       Yes     5E+7M+7H+1inv+1A ≈ 1454M       1092
[38]    Off          Yes           No             No         —         Yes     14E+14M+1H+5A ≈ 3375M          576
[14]    Off          No            No             No         Yes       No      6E+8M ≈ 1448M                  1288
[15]    Off          Yes           No             No         —         Yes     23E+14M+1A ≈ 5534M             939
[9]     On           No            Yes            —          No        No      2E+2M+2H ≈ 966M                769
[21]    Off          Yes           Yes            No         Yes       No      5E+9M+1H+1inv+2A ≈ 1450M       644
[22]    Off          Yes           No             Yes        Yes       Yes     2E ≈ 480M                      300
[39]    Off          Yes           No             No         —         Yes     18E+15M+2H+8A ≈ 4337M          828
[40]    Off          Yes           No             No         —         Yes     31E+22M+6H+10A ≈ 7468M         968
[13]    On           Yes           No             —          —         Yes     22E+11M+4A ≈ 5291M             1536
[27]    Off          No            Yes            No         Yes       No      6E+8M+1H ≈ 1449M               728

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
† The communication cost of each transaction at the user side, in bytes.

5.2. Performance Comparisons. According to [41], the computation cost of the operations involved can be summarized as follows. The computation cost of a modular exponentiation is about 240 times that of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.

With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be derived as 1452 times the cost of a modular multiplication, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times the cost of a modular multiplication to finish the withdrawal and payment phases at the user end.

According to [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and one-way hash function used in all protocols, respectively; therefore the symmetrically encrypted message block and the hash digest are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes per transaction.

The details of the comparisons are summarized in Table 1.

6. Conclusion

In this paper we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to each e-cash. Besides, we have also designed an e-cash renewal protocol in which users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient in terms of the computation cost at the user side while satisfying all security properties simultaneously. Besides anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank to manage its huge database against unlimited growth, but it also strengthens the preservation of users' privacy and rights.

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.

References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.

[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.

[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.

[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.

[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.

[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.

[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man, and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.

[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.

[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.

[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.

[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.

[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.

[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.

[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.

[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.

[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.

[18] S. Canard, A. Gouget, and J. Traoré, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.

[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology - CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.

[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.

[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.

[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.

[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.

[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.

[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.

[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.

[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology - CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.

[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.

[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.

[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.

[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.

[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs - White Paper, Mobile Platform Group, Intel Corporation, 2002.

[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.

[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.

[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.

[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.

[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.

[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.

[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.


Figure 6: The proof model of FG-1. ($\mathcal{S}$ answers $\mathcal{A}$'s queries to $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$, and $\mathcal{O}_S$ with $\rho_i$, $\tau_i^e \bmod n$, $\eta_i^e \bmod n$ for $(\sigma_i, D_i)$, and $(t_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$ for $(\alpha_i, \epsilon_i, D_i)$, using the oracles $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ of the RSA-ACTI problem; from the $\ell+1$ output tuples $(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1})$ satisfying $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) \equiv H_2(D_i) \pmod n$ it obtains $(y_i)^d \equiv (H_1^2(m_i))^d \equiv s_i^{-1}\eta_i^{-1}\tau_i \pmod n$ for all $i \in \{1, \ldots, \ell+1\}$.)

Figure 7: The proof model of FG-2. ($\mathcal{S}$ answers $\mathcal{A}$'s queries to $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$, and $\mathcal{O}_S$ with $\rho_i$ or $\varsigma_i^e \bmod n$, $\tau_i^e \bmod n$, $H_3(\sigma_i, D_i)$, and $(t_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$ for $(\alpha_i, \epsilon_i, D_i)$; from $\mathcal{A}$'s $\ell_{D'}+1$ output tuples $(s_i, m_i, \sigma_i, D')$ satisfying $s_i^e H_1^2(m_i) H_3(\sigma_i, D') \equiv H_2(D') \pmod n$, for some $(\sigma_i, D')$ not produced by $\mathcal{O}_S$ it obtains $(s_i)^e \equiv ((\varsigma_i^e)(\eta_i^e y))^{-1}(\tau_i^e) \pmod n$ and hence $x \equiv y^d \equiv (s_i\varsigma_i\eta_i)^{-1}\tau_i \pmod n$.)

(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $\eta$ will be retrieved and $(\eta^e \bmod n)$ will be returned to $\mathcal{A}$;
(b) otherwise, $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, record $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$, and return $(\eta^e \bmod n)$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e \bmod n)$, and store $((\sigma, D), \eta)$ in $\mathcal{L}_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e\eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) send $(\alpha\beta\tau^e)$ to the oracle $\mathcal{O}_{\mathrm{inv}}$ to get $t = (\alpha\beta\tau^e)^d \bmod n$;
(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Eventually, assume that $\mathcal{A}$ can successfully output $\ell+1$ e-cash tuples

$$(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}) \qquad (17)$$

where the $m_i$ are all distinct, $\forall i$, $1 \le i \le \ell+1$, such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D_i) = H_2(D_i) \pmod n$, after querying $\mathcal{O}_S$ $\ell$ times, with nonnegligible probability $\epsilon_{\mathcal{A}}$. According to $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve the RSA-inversion instances ($\forall i$, $1 \le i \le \ell+1$)

$$(y_i)^d \equiv (H_1^2(m_i))^d \equiv s_i^{-1}\bigl(H_3(\sigma_i, D_i)^{-1} H_2(D_i)\bigr)^d \equiv s_i^{-1}\eta_i^{-1}\tau_i \pmod n. \qquad (18)$$

Via $\mathcal{A}$ querying the signing oracle $\mathcal{O}_S$ $\ell$ times (i.e., $\mathcal{S}$ querying $\mathcal{O}_{\mathrm{inv}}$ $\ell$ times), $\mathcal{S}$ can output the $\ell+1$ RSA-inversion instances

$$(s_1^{-1}\eta_1^{-1}\tau_1,\ y_1),\ (s_2^{-1}\eta_2^{-1}\tau_2,\ y_2),\ \ldots,\ (s_{\ell+1}^{-1}\eta_{\ell+1}^{-1}\tau_{\ell+1},\ y_{\ell+1}) \qquad (19)$$

and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

Simulation in FG-2. Initially, $\mathcal{S}$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\bot, \bot, \bot)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\rho_i$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \ne \bot$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma$ and returns $(\varsigma^e \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \bot$ for some $i$, then $\mathcal{S}$ selects a random $\varsigma \in \mathbb{Z}_n$, returns $(\varsigma^e \bmod n)$ to $\mathcal{A}$, and then fills the record $(m_i, H_1(m_i), \bot)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \bot)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise, $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ will be retrieved and returned to $\mathcal{A}$;
(b) otherwise, $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, set $H_3(\sigma, D) = (\eta^e y \bmod n)$, record $((\sigma, D), \eta, H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$, and return $H_3(\sigma, D)$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. Let $\ell_{D_i}$ be a counter recording the number of queries on each expiration date $D_i$, initialized to 0. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^e \bmod n)$, and store $((\sigma, D), \bot, (\alpha\eta^e \bmod n))$ and $(\sigma, D)$ in $\mathcal{L}_{H_3}$ and $\mathcal{L}_x$, respectively;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e\alpha\eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv (b\eta)^{-1}\tau \pmod n$;
(7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Eventually, assume that $\mathcal{A}$ can successfully output $\ell_{D'}+1$ e-cash tuples for some expiration date $D'$,

$$(s_1, m_1, \sigma_1, D'), \ldots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D') \qquad (20)$$

such that $s_i^e H_1^2(m_i) H_3(\sigma_i, D') = H_2(D') \pmod n$, $\forall i$, $1 \le i \le \ell_{D'}+1$, after querying $\mathcal{O}_S$ on $D'$ $\ell_{D'}$ times, with nonnegligible probability $\epsilon_{\mathcal{A}}$.

Assume that some $(\sigma_i, D')$, $1 \le i \le \ell_{D'}+1$, is not recorded in $\mathcal{L}_x$; then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can compute and retrieve

$$(s_i)^e \equiv \bigl(H_1^2(m_i) H_3(\sigma_i, D')\bigr)^{-1} H_2(D') \equiv \bigl((\varsigma_i^e)(\eta_i^e y)\bigr)^{-1}(\tau_i^e) \pmod n,$$
$$x \equiv y^d \equiv (s_i\varsigma_i\eta_i)^{-1}\tau_i \pmod n, \qquad (21)$$

and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

4.3. E-Cash Conditional-Traceability. In this section we prove that the ID information embedded in e-cash(s) cannot be replaced or removed by any user in order to avoid being traced after some misbehavior or crime. The details of our proof model are illustrated in Figure 8.

Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS

Figure 8: The proof model of TG. ($\mathcal{S}$ answers $\mathcal{A}$'s queries to $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$ with $\rho_i$ or $\varsigma_i^e \bmod n$, $\tau_i^e \bmod n$, and targets $y_i$ obtained from $\mathcal{O}_t$ (stored in $\mathcal{L}_{H_3}$ and $\mathcal{L}_T$); inside $\mathcal{O}_S$ it chooses $\eta_i \in \mathbb{Z}_n$, sets $H_3(\sigma_i, D_i) = \alpha_i\eta_i^e \bmod n$, and answers $(\alpha_i, \epsilon_i, D_i)$ with $(t_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$. From $\mathcal{A}$'s output $(s', m', \sigma', D')$ with $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$ and $s'^e H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$ it derives $(y')^d \equiv (H_3(\sigma', D'))^d \equiv s'^{-1}(H_1^2(m')^{-1}H_2(D'))^d \equiv s'^{-1}\varsigma'^{-1}\tau' \pmod n$ and, with $q_h = q_t - 1$ queries $x_i = y_i^d \bmod n$ to $\mathcal{O}_{\mathrm{inv}}$, outputs $(x_1, y_1), \ldots, (x_{q_t-1}, y_{q_t-1}), ((s'^{-1}\varsigma'^{-1}\tau'), y')$ against RSA-ACTI.)

Experiment $\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$
  $\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow \mathcal{O}_S$
  if the following two checks are true, return 1:
    (i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$;
    (ii) $s'^e H_1^2(m') H_3(\sigma', D') = H_2(D') \bmod n$;
  else return 0.

Algorithm 4

to record the parameters from the queries of $\mathcal{A}$ and to issue e-cash(s) (i.e., $(s, m, \sigma, D)$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ $\ell$ times. Consider Algorithm 4.

$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tampering game TG, then DAOECS satisfies E-Cash Traceability.

Definition 12 (Alternative Formulation of the RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{\mathrm{inv}}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{\mathrm{inv}}$ $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5.

We say that $\mathcal{A}$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Theorem 13. For a polynomial-time adversary $\mathcal{A}$ who can win the tampering game TG with nonnegligible probability, there exists

Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{\mathcal{A}}(k)$:
  $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
  $(y_1, \ldots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$
  $((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathrm{inv}}, \mathcal{O}_t}(N, e, k)$
  if $x_i^e \equiv y_i \pmod N$ $\forall i \in \{1, \ldots, q_t\}$, return 1;
  else return 0.

Algorithm 5

another adversary $\mathcal{S}$ who can break the RSA-AKTI problem with nonnegligible probability.

Proof. $\mathcal{S}$ simulates the environment of DAOECS in the random oracle model by controlling three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$, which respond to hash queries, and an e-cash producing oracle $\mathcal{O}_S$ of DAOECS, which responds to e-cash producing queries from $\mathcal{A}$. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the RSA-AKTI problem. For consistency, $\mathcal{S}$ maintains three lists $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.

Besides, in the proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12 to help $\mathcal{S}$ produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.

Here we do the simulation for game TG to prove that DAOECS satisfies e-cash traceability. The details are described as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $\mathcal{L}_{H_1}$ can be represented as $(\bot, \bot, \bot)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $\mathcal{L}_{H_1}$:
(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \ne \bot$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^e \bmod n)$ to $\mathcal{A}$;
(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \bot$ for some $i$, then $\mathcal{S}$ chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^e \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and then fills the original record $(m_i, H_1(m_i), \bot)$ as $(m_i, H_1(m_i), \varsigma)$ in $\mathcal{L}_{H_1}$;
(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, H_1(m), \bot)$ in $\mathcal{L}_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_2}$:
(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $(\tau^e \bmod n)$ back to $\mathcal{A}$;
(b) otherwise, $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $\mathcal{L}_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $\mathcal{L}_{H_3}$:
(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to $\mathcal{A}$;
(b) otherwise, $\mathcal{S}$ will query $\mathcal{O}_t$ to get an instance $y$, and record $y$ and $((\sigma, D), y)$ in $\mathcal{L}_T$ and $\mathcal{L}_{H_3}$, respectively;
(c) return $y$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:
(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha\eta^e \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $\mathcal{L}_{H_3}$;
(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e\alpha\eta^e)^{-1} \bmod n$;
(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $\mathcal{O}_{H_2}$ query described above;
(6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv (b\eta)^{-1}\tau \pmod n$;
(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.
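The e-cash producing query above, and the identical steps in the FG-1 and FG-2 simulations, are the point where the simulator answers a signing query without the RSA secret key: it programs the random oracle $H_3$ so that $\alpha\beta\tau^e$ is an $e$-th power it already knows the root of, and the FG-2 variant additionally plants the challenge $y$ inside adversary-initiated $H_3$ values so that any valid e-cash on a fresh $(\sigma, D)$ yields $y^d$ by equation (21). The following Python script is an added illustration written for this page, not code from the paper: it uses a toy RSA modulus, treats $\alpha$ as an opaque value chosen by the adversary, replaces $E_{pk_j}$ by a placeholder encoding, and uses the real $d$ only on the test side (the simulator object never sees it).

```python
import hashlib
import secrets
from math import gcd

# Toy RSA parameters, constructed for this example only (far too small for real use).
P = 2147483647                 # 2^31 - 1, prime
Q = 2305843009213693951        # 2^61 - 1, prime
N = P * Q
E = 65537
D_SECRET = pow(E, -1, (P - 1) * (Q - 1))   # used only by the honest bank / test harness


def rand_unit(n):
    """Random element of Z_n^* (the proof draws from Z_n; a non-unit would break the inversions)."""
    while True:
        x = secrets.randbelow(n - 2) + 2
        if gcd(x, n) == 1:
            return x


def placeholder_encrypt(*parts):
    """Stand-in for E_pkj(ID, r_j): any injective encoding works for this illustration."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big") % N


class Simulator:
    """Random-oracle simulator S of the FG-2 reduction: given (y, e, n) it answers
    H1^2 / H2 / H3 / O_S queries without d and later extracts y^d from a forged e-cash."""

    def __init__(self, y, e, n):
        self.y, self.e, self.n = y, e, n
        self.L_H1 = {}    # m -> zeta,             H1^2(m)    = zeta^e
        self.L_H2 = {}    # D -> tau,              H2(D)      = tau^e
        self.L_H3 = {}    # (sigma, D) -> (eta, H3 value)
        self.L_x = set()  # (sigma, D) pairs programmed inside O_S (the list L_x of the proof)
        self.ell = {}     # ell_D counters

    def H1sq(self, m):
        zeta = self.L_H1.setdefault(m, rand_unit(self.n))
        return pow(zeta, self.e, self.n)

    def H2(self, D):
        tau = self.L_H2.setdefault(D, rand_unit(self.n))
        return pow(tau, self.e, self.n)

    def H3(self, sigma, D):
        # adversary-initiated query, case (b): H3(sigma, D) = eta^e * y embeds the target y
        if (sigma, D) not in self.L_H3:
            eta = rand_unit(self.n)
            self.L_H3[(sigma, D)] = (eta, pow(eta, self.e, self.n) * self.y % self.n)
        return self.L_H3[(sigma, D)][1]

    def ecash_query(self, alpha, ID, D):
        """O_S steps (1)-(7): a signature on the blinded alpha, produced without d."""
        n, e = self.n, self.e
        r_j = secrets.randbelow(n)
        sigma = placeholder_encrypt(ID, r_j)                        # step (2)
        eta = rand_unit(n)
        self.L_H3[(sigma, D)] = (eta, alpha * pow(eta, e, n) % n)   # step (3): H3 = alpha*eta^e
        self.L_x.add((sigma, D))
        b = rand_unit(n)
        beta = pow(pow(b, e, n) * alpha * pow(eta, e, n), -1, n)    # step (4)
        self.H2(D)                                                  # step (5): tau now exists
        tau = self.L_H2[D]
        t = pow(b * eta, -1, n) * tau % n                           # step (6): = (alpha*beta*tau^e)^d
        self.ell[D] = self.ell.get(D, 0) + 1                        # step (7)
        return t, beta, b, sigma, r_j

    def verify(self, s, m, sigma, D):
        """The e-cash verification equation s^e H1^2(m) H3(sigma, D) = H2(D) (mod n)."""
        n = self.n
        return pow(s, self.e, n) * self.H1sq(m) * self.H3(sigma, D) % n == self.H2(D)

    def extract_root(self, s, m, sigma, D):
        """Equation (21): from a valid e-cash whose (sigma, D) is not in L_x, recover y^d."""
        if (sigma, D) in self.L_x or not self.verify(s, m, sigma, D):
            return None
        zeta, tau, eta = self.L_H1[m], self.L_H2[D], self.L_H3[(sigma, D)][0]
        return pow(s * zeta * eta, -1, self.n) * tau % self.n


def honest_bank_sign(sim, m, sigma, D, d):
    """Test-side forger: the real bank's computation of s with the secret d. The simulator has
    no such capability; this only manufactures a valid tuple to feed extract_root."""
    n = sim.n
    base = pow(sim.H1sq(m) * sim.H3(sigma, D), -1, n) * sim.H2(D) % n
    return pow(base, d, n)


def t_matches_real_key(sim, alpha, beta, D, t, d):
    """Check that the simulator's t equals (alpha*beta*H2(D))^d computed with the real key."""
    return t == pow(alpha * beta * sim.H2(D) % sim.n, d, sim.n)
```

Two things are worth noticing when running it: `ecash_query` never touches `D_SECRET`, yet `t_matches_real_key` confirms its output is exactly the RSA inverse the real bank would have computed, and `extract_root` returns `None` for any e-cash whose $(\sigma, D)$ was programmed inside $\mathcal{O}_S$, which is why the proof needs one of the $\ell_{D'}+1$ tuples to carry a fresh pair.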

Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of any $\mathcal{O}_S$ query, such that $s'^e H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$; then by $\mathcal{L}_{H_1}$, $\mathcal{L}_{H_2}$, and $\mathcal{L}_{H_3}$, $\mathcal{S}$ can derive

$$(y')^d \equiv \bigl(H_3(\sigma', D')\bigr)^d \equiv s'^{-1}\bigl(H_1^2(m')^{-1} H_2(D')\bigr)^d \equiv s'^{-1}\varsigma'^{-1}\tau' \pmod n. \qquad (22)$$

Let $|\mathcal{L}_T| = q_t$ and $\mathcal{L}_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends each $y_i \in (\mathcal{L}_T - \{y'\})$, $1 \le i \le q_t - 1$, to $\mathcal{O}_{\mathrm{inv}}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$. Eventually $\mathcal{S}$ can output the $q_t$ RSA-inversion instances

$$(x_1, y_1),\ (x_2, y_2),\ \ldots,\ (x_{q_t-1}, y_{q_t-1}),\ \bigl((s'^{-1}\varsigma'^{-1}\tau'),\ y'\bigr) \qquad (23)$$

after querying $\mathcal{O}_{\mathrm{inv}}$ $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has already been spent in a previous transaction, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model the merchant may accept a transaction involving a double-spent e-cash first and do the double-spending check later. In this case the original owner of the e-cash may suffer a loss. Therefore a secure offline e-cash scheme should guarantee the following two events:

(i) no one except the real owner can spend a fresh and valid offline e-cash successfully;

(ii) no one can double spend an e-cash successfully.

Roughly, this is referred to as the e-cash no-swindling property. In this section we define the no-swindling property and formally prove that our scheme is secure against swindling attacks.

Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $\mathcal{O}_{\mathrm{off}}$ is an oracle that shows the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively.

$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.


Experiment $\mathr{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b} H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\bigr) H_3(\sigma, D) = H_2(D) \bmod n_b$;
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ was never a query to $\mathcal{O}_{\mathrm{off}}$;
  else return 0.

Algorithm 6: Experiment SWG-1

Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b} H_1^2\bigl(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\bigr) H_3(\sigma, D) = H_2(D) \bmod n_b$;
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{\mathrm{off}}$ once;
    (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ was not obtained from $\mathcal{O}_{\mathrm{off}}$;
  else return 0.

Algorithm 7: Experiment SWG-2

Definition 15 (E-Cash No-Swindling) If there exists noprobabilistic polynomial-time adversary who can win theswindling game defined in Definition 14 then DAOECSsatisfies e-cash no-swindling

Theorem 16 For a polynomial-time adversaryAwho canwinthe swindling game SWG with nonnegligible probability thereexists another adversarySwho can solve the discrete logarithmproblem with nonnegligible probability

Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. For consistency, $\mathcal{S}$ maintains a list $L_{H_4}$ to record every response of $\mathcal{O}_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we describe the simulations for the two experiments $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ and $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ individually.

The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$th query will be the attack target. When $\mathcal{A}$ sends the $i$th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:

(a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

(b) if $i = \nu$: (1) compute $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;

(c) if $i \neq \nu$: (1) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;

(d) prepare $s = \bigl((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

(e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{\mathrm{off}}$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it will look up the list $L_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;

(b) otherwise $\mathcal{O}_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $s' = r_1 - u x_1 \bmod q$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $L_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*} \bmod p$, $\mathcal{S}$ can derive

$$x^* = (r_1^*)^{-1}\bigl(x_1^*\, H_4(r_u^*, r_s^*) + s'^*\bigr) \bmod q \tag{24}$$

The Scientific World Journal 15

[Figure 9: The proof model of SWG-1. $\mathcal{A}$ sends request $i$ to $\mathcal{S}$ acting as $\mathcal{O}_B$, which for $i = \nu$ sets $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$ and returns $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$; $\mathcal{A}$ then sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$ and receives $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, r_u, s')$; finally $\mathcal{A}$ outputs the swindle tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_s^*, r_u^*, s'^*)$ satisfying $s^{*e_b} H_1^2(w_1^*, y_1^*, w_2^*, y_2^*, D^*, r_3^*)\, H_3(\sigma^*, D^*) \equiv H_2(D^*) \pmod{n_b}$ and $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$; since also $w_1^* = (y^*)^{r_1^*} \bmod p$, $\mathcal{S}$ obtains $x^* = (r_1^*)^{-1}(x_1^* H_4(r_u^*, r_s^*) + s'^*) \bmod q$.]

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$th query will be the attack target. When $\mathcal{A}$ sends the $i$th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:

(a) if $i = \nu$:

(1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

(2) compute $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$;

(3) prepare $s = \bigl((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

(4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $L_B$;

(b) if $i \neq \nu$:

(1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

(2) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;

(3) prepare $s = \bigl((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\bigr)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

(4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$;

(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{\mathrm{off}}$. A status parameter sta is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$, it will look up the list $L_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and sta $= 0$, $\mathcal{O}_{\mathrm{off}}$ will perform the following procedures:

(1) set sta $= 1$;

(2) retrieve the corresponding $(u, s')$ from $L_B$ and choose a random $r_u$;

(3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $L_{H_4}$;

(4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $L_{\mathrm{off}}$;

(5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;

(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $L_{H_4}$, compute $s' = r_1 - u x_1 \bmod q$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;

(c) otherwise, abort.

(iii) Oracle $\mathcal{O}_{H_4}$. When $\mathcal{A}$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ will check the list $L_{H_4}$:

(a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ will retrieve the corresponding $u$ and return it to $\mathcal{A}$;

(b) otherwise, $\mathcal{O}_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $L_{H_4}$, and return $u$ to $\mathcal{A}$.

[Figure 10: The proof model of SWG-2. $\mathcal{A}$ sends request $i$ to $\mathcal{S}$ acting as $\mathcal{O}_B$, which for $i = \nu$ sets $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$; on the query $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{\mathrm{off}}$ with index $\nu$ and sta $= 0$, $\mathcal{S}$ sets sta $= 1$, programs $H_4(r_u, r_s) = u$ (stored in $L_{H_4}$ and served by $\mathcal{O}_{H_4}$), records the reply in $L_{\mathrm{off}}$, and returns $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, r_u, s')$; finally $\mathcal{A}$ outputs the swindle tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_s^*, r_u^*, s'^*)$ satisfying $s^{*e_b} H_1^2(w_1^*, y_1^*, w_2^*, y_2^*, D^*, r_3^*)\, H_3(\sigma^*, D^*) \equiv H_2(D^*) \pmod{n_b}$ and $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$, so that $(y^{*x_1^*})^{u^*} g^{s'^*} \equiv w_1^* \equiv (y^{*x_1^*})^{u} g^{s'} \pmod{p}$ and $\mathcal{S}$ obtains $x^* = (x_1^*(u^* - u))^{-1}(s' - s'^*) \bmod q$.]

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $L_B$, and $H_4(r_u^*, r_s^*) = u^* \neq u$. Then, via $L_{H_4}$, since

$$(y^{*x_1^*})^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv (y^{*x_1^*})^{u} g^{s'} \pmod{p}, \tag{25}$$

$\mathcal{S}$ can derive

$$x^* = \bigl(x_1^*(u^* - u)\bigr)^{-1}(s' - s'^*) \bmod q \tag{26}$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. This implies that there exists no PPT adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
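The three relations the swindling proof manipulates, as an added toy example in Python (not the paper's code; the group and RSA parameters, the SHA-256 instantiation of $H_1$ to $H_4$, and the sample values are constructed): the bank's signature equation from step (d) of the $\mathcal{O}_B$ simulation, check (i) of Algorithm 7, which recomputes $w_1$ from $(y_1, H_4(r_u, r_s), s')$, and the extraction of the discrete logarithm from two responses under different challenges that equations (24) and (26) rely on.

```python
"""Toy model of the DAOECS checks: s^{e_b} H_1^2(m) H_3(sigma, D) = H_2(D) (mod n_b),
the payment-expansion check of Algorithm 7 (w_1 recomputed as
y_1^{H_4(r_u, r_s)} g^{s'} mod p), and the extraction of the secret x_1 from two
responses under distinct challenges (the step behind equations (24) and (26)).
Added example, not the paper's code; every parameter below is a toy value."""
import hashlib

# Constructed toy parameters (assumption: illustrative sizes only; Section 5.2
# assumes a 1024-bit n_b and 512-bit p, q).
P, Q = 2039, 1019             # discrete-log group: Q divides P - 1
G = 4                         # generator of the order-Q subgroup of Z_P^*
P_B, Q_B = 10007, 10009       # bank's RSA primes
N_B = P_B * Q_B
E_B = 65537
D_B = pow(E_B, -1, (P_B - 1) * (Q_B - 1))


def _h(tag, parts, mod):
    """Random-oracle stand-in: domain-separated SHA-256 reduced into [1, mod - 1]."""
    data = tag.encode() + b"|" + b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (mod - 1) + 1


def H1(m):
    return _h("H1", [m], N_B)


def H1sq(m):
    """H_1^2(m) = H_1(H_1(m)), as in the FG-2 simulation."""
    return H1(H1(m))


def H2(D):
    return _h("H2", [D], N_B)


def H3(sigma, D):
    return _h("H3", [sigma, D], N_B)


def H4(r_u, r_s):
    return _h("H4", [r_u, r_s], Q)


def bank_sign(m, sigma, D):
    """Generic e-cash s, computed as in step (d) of the O_B simulation:
    s = ((H_1^2(m) H_3(sigma, D))^{-1} H_2(D))^{d_b} mod n_b."""
    base = pow(H1sq(m) * H3(sigma, D) % N_B, -1, N_B) * H2(D) % N_B
    return pow(base, D_B, N_B)


def verify_cash(s, m, sigma, D):
    """s^{e_b} H_1^2(m) H_3(sigma, D) == H_2(D) (mod n_b)."""
    return pow(s, E_B, N_B) * H1sq(m) % N_B * H3(sigma, D) % N_B == H2(D)


def issue(x1, r1, w2, y2, r3, sigma, D):
    """User-side values of a generic e-cash: w_1 = g^{r_1}, y_1 = g^{x_1}
    (x_1 is the spender's secret), m = (w_1, y_1, w_2, y_2, r_3, D)."""
    m = (pow(G, r1, P), pow(G, x1, P), w2, y2, r3, D)
    return m, bank_sign(m, sigma, D)


def respond(x1, r1, r_u, r_s):
    """Payment response s' = r_1 - u x_1 mod q with challenge u = H_4(r_u, r_s)."""
    return (r1 - H4(r_u, r_s) * x1) % Q


def verify_expansion(s, y1, w2, y2, r3, sigma, D, r_u, r_s, s_prime):
    """Algorithm 7, check (i): recompute w_1 = y_1^{H_4(r_u, r_s)} g^{s'} mod p
    and verify the bank's signature with that w_1 in place."""
    w1 = pow(y1, H4(r_u, r_s), P) * pow(G, s_prime, P) % P
    return verify_cash(s, (w1, y1, w2, y2, r3, D), sigma, D)


def extract_secret(u, s_prime, u_star, s_prime_star):
    """Two accepted responses for the same w_1 under distinct challenges give
    x_1 = (s' - s'*) (u* - u)^{-1} mod q; this is the step behind (24) and (26)
    and is what lets the bank identify a coin that was spent twice."""
    if (u_star - u) % Q == 0:
        raise ValueError("challenges must differ for extraction")
    return (s_prime - s_prime_star) * pow(u_star - u, -1, Q) % Q
```

A replaced $\sigma$ fails `verify_cash`, which is the binding the tampering game of Section 4.3 relies on.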

5. E-Cash Advanced Features and Performance Comparisons

In this section, we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and summarize them in a table (Table 1).

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these features, there can be other advanced features of an e-cash system discussed in the literature. We focus on three other advanced features, which are traceability, date attachability, and no-swindling, and we compare the proposed scheme with the aforementioned schemes.

We also propose an e-cash renewal protocol for users to exchange their unused but expired e-cash(s) for a new valid e-cash; therefore users do not have to deposit the e-cash before it expires and then withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. This is a great help to users, since their devices, such as smart phones, usually have weaker computation capability.

Table 1: Advanced features and performance comparisons.

| | Ours | [38] | [14] | [15] | [9] | [21] | [22] | [39] | [40] | [13] | [27] |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Advanced features: On/off-line | Off | Off | Off | Off | On | Off | Off | Off | Off | On | Off |
| Conditional-traceability | Yes | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
| Date attachability | Yes | No | No | No | Yes | Yes | No | No | No | No | Yes |
| No-swindling | Yes | No | No | No | — | No | Yes | No | No | — | No |
| Renewal protocol | Yes | — | Yes | — | No | Yes | Yes | — | — | — | Yes |
| Formal proof | Yes | Yes | No | Yes | No | No | Yes | Yes | Yes | Yes | No |
| Performance: Transaction cost⋆ | 5E+7M+7H+1inv+1A ≈ 1454M | 14E+14M+1H+5A ≈ 3375M | 6E+8M ≈ 1448M | 23E+14M+1A ≈ 5534M | 2E+2M+2H ≈ 966M | 5E+9M+1H+1inv+2A ≈ 1450M | 2E ≈ 480M | 18E+15M+2H+8A ≈ 4337M | 31E+22M+6H+10A ≈ 7468M | 22E+11M+4A ≈ 5291M | 6E+8M+1H ≈ 1449M |
| Communication cost (bytes) | 1092 | 576 | 1288 | 939 | 769 | 644 | 300 | 828 | 968 | 1536 | 728 |

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion. ⋆Transaction cost: the computation cost of the withdrawal and payment protocols at the user side. Communication cost: the communication cost of each transaction at the user side, in bytes.


5.2. Performance Comparisons. According to [41], we can summarize and induce the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times that of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.

With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be induced as 1452 times that of a modular multiplication, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times that of a modular multiplication to finish the withdrawal and payment phases at the user end.

According to [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and one-way hash function used in all protocols, respectively; therefore the signed message and the hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.

The details of the comparisons are summarized in Table 1.

6. Conclusion

In this paper, we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol where users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient in terms of the computation cost at the user side while satisfying all security properties simultaneously. In addition to anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank manage its huge databases against unlimited growth, but it also strengthens the preservation of users' privacy and rights.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSU-KMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.

References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.

[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.

[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.

[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.

[5] D. R. Liuy and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.

[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.

[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.

[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.

[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.

[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.

[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.

[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.

[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.

[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.

[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.

[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.

[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.

[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology-CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.

[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.

[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.

[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.

[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.

[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.

[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.

[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.

[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology-CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.

[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.

[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.

[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.

[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.

[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs, white paper, Mobile Platform Group, Intel Corporation, 2002.

[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.

[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.

[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.

[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.

[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.

[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.

[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.


Eventually, assume that $\mathcal{A}$ can successfully output $\ell + 1$ e-cash tuples

$$(s_1, m_1, \sigma_1, D_1), \ldots, (s_{\ell+1}, m_{\ell+1}, \sigma_{\ell+1}, D_{\ell+1}), \tag{17}$$

where the $m_i$ are all distinct, $\forall i, 1 \le i \le \ell + 1$, such that $s_i^{e}\, H_1^2(m_i)\, H_3(\sigma_i, D_i) = H_2(D_i) \pmod{n}$, after $\ell$ queries to $\mathcal{O}_S$, with nonnegligible probability $\epsilon_{\mathcal{A}}$. According to $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, $\mathcal{S}$ can compute and retrieve the RSA-inversion instances ($\forall i, 1 \le i \le \ell + 1$)

$$(y_i)^d \equiv \bigl(H_1^2(m_i)\bigr)^d \equiv s_i^{-1}\bigl(H_3(\sigma_i, D_i)^{-1} H_2(D_i)\bigr)^d \equiv s_i^{-1}\eta_i^{-1}\tau_i \pmod{n}. \tag{18}$$

Via $\mathcal{A}$ querying the signing oracle $\mathcal{O}_S$ for $\ell$ times (i.e., $\mathcal{S}$ queries $\mathcal{O}_{\mathrm{inv}}$ for $\ell$ times), $\mathcal{S}$ can output $\ell + 1$ RSA-inversion instances

$$(s_1^{-1}\eta_1^{-1}\tau_1, y_1),\ (s_2^{-1}\eta_2^{-1}\tau_2, y_2),\ \ldots,\ (s_{\ell+1}^{-1}\eta_{\ell+1}^{-1}\tau_{\ell+1}, y_{\ell+1}) \tag{19}$$

and break the RSA-ACTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

Simulation in FG-2. Initially, $\mathcal{S}$ is given an instance $(y, e, n)$ of the RSA inversion problem defined in Definition 7 and simulates the environment as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially, every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $L_{H_1}$:

(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\rho_i$ and returns it to $\mathcal{A}$;

(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\xi$ and returns $\xi^e \bmod n$ to $\mathcal{A}$;

(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ selects a random $\xi \in \mathbb{Z}_n$, returns $\xi^e \bmod n$ to $\mathcal{A}$, and then fills the record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \xi)$ in $L_{H_1}$;

(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, records $(m, \rho, \perp)$ in $L_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $L_{H_2}$:

(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and $\mathcal{S}$ will send $\tau^e \bmod n$ back to $\mathcal{A}$;

(b) otherwise, $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$, and return $\tau^e \bmod n$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $L_{H_3}$:

(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $H_3(\sigma_i, D_i)$ will be retrieved and returned to $\mathcal{A}$;

(b) otherwise, $\mathcal{S}$ will select a random $\eta \in \mathbb{Z}_n$, set $H_3(\sigma, D) = \eta^e y \bmod n$, record $((\sigma, D), \eta, H_3(\sigma, D))$ in $L_{H_3}$, and return $H_3(\sigma, D)$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. Let $\ell_{D_i}$ be a counter recording the number of queries on each expiration date $D_i$, initialized to 0. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:

(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;

(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;

(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = \alpha\eta^e \bmod n$, and store $((\sigma, D), \perp, \alpha\eta^e \bmod n)$ and $(\sigma, D)$ in $L_{H_3}$ and $L_x$, respectively;

(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;

(5) retrieve or assign $\tau$ such that $H_2(D) = \tau^e$, as in the $\mathcal{O}_{H_2}$ query described above;

(6) compute $t \equiv (\alpha\beta\tau^e)^d \equiv (b\eta)^{-1}\tau \pmod{n}$;

(7) set $\ell_D = \ell_D + 1$ and return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Eventually, assume that $\mathcal{A}$ can successfully output $\ell_{D'} + 1$ e-cash tuples for some expiration date $D'$,

$$(s_1, m_1, \sigma_1, D'), \ldots, (s_{\ell_{D'}+1}, m_{\ell_{D'}+1}, \sigma_{\ell_{D'}+1}, D'), \tag{20}$$

such that $s_i^{e}\, H_1^2(m_i)\, H_3(\sigma_i, D') = H_2(D') \pmod{n}$, $\forall i, 1 \le i \le \ell_{D'} + 1$, after $\ell_{D'}$ queries to $\mathcal{O}_S$ on $D'$, with nonnegligible probability $\epsilon_{\mathcal{A}}$.

Assume some $(\sigma_i, D')$, $1 \le i \le \ell_{D'} + 1$, is not recorded in $L_x$; then by $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, $\mathcal{S}$ can compute and retrieve

$$(s_i)^e \equiv \bigl(H_1^2(m_i)\, H_3(\sigma_i, D')\bigr)^{-1} H_2(D') \equiv \bigl((\xi_i^e)(\eta_i^e y)\bigr)^{-1}(\tau_i^e) \pmod{n},$$

$$x \equiv y^d \equiv (s_i \xi_i \eta_i)^{-1}\tau_i \pmod{n}, \tag{21}$$

and solve the RSA inversion problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.

4.3. E-Cash Conditional-Traceability. In this section, we will prove that the ID information embedded in e-cash(s) cannot be replaced or removed by any user in order to avoid being traced after some misbehavior or crime. The details of our proof model are illustrated in Figure 8.

Definition 10 (Tampering Game (TG)). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_S$ is an oracle which plays the role of the bank in DAOECS to record parameters from the queries of $\mathcal{A}$ and issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. $\mathcal{A}$ is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider Algorithm 4.

$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Experiment $\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(l_k)$

$(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$

$(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$

$\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow \mathcal{O}_S$

if the following two checks are true, return 1:

(i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$

(ii) $s'^{e}\, H_1^2(m')\, H_3(\sigma', D') = H_2(D') \bmod n$

else return 0

Algorithm 4

[Figure 8: The proof model of TG. $\mathcal{A}$ interacts with $\mathcal{S}$, which answers the hash oracles $\mathcal{O}_{H_1}$ (returning $\rho_i$ and $\xi_i^e \bmod n$), $\mathcal{O}_{H_2}$ (returning $\tau_i^e \bmod n$), $\mathcal{O}_{H_3}$ (choosing $\eta_i \in \mathbb{Z}_n$, setting $H_3(\sigma_i, D_i) = \alpha_i\eta_i^e \bmod n$, and storing in $L_{H_3}$ and $L_T$) and the e-cash producing oracle $\mathcal{O}_S$ (receiving $(\alpha_i, \epsilon_i, D_i)$ and returning $(t_i, E_{k_i}(b_i, \sigma_i, r_{j_i}))$), while $\mathcal{S}$ itself uses the target oracle $\mathcal{O}_t$ ($q_t$ values $y_i$)  and the inversion oracle $\mathcal{O}_{\mathrm{inv}}$ ($q_h$ values $x_i = y_i^d \bmod n$) of the RSA-ACTI problem. $\mathcal{A}$ outputs $(s', m', \sigma', D')$ with $\sigma' \notin \{\sigma_1, \ldots\}$ and $s'^e H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod{n}$, from which $\mathcal{S}$ derives $(y')^d \equiv s'^{-1}\xi^{-1}\tau' \pmod{n}$ and outputs $(x_1, y_1), (x_2, y_2), \ldots, (x_{q_t-1}, y_{q_t-1}), (s'^{-1}\xi^{-1}\tau', y')$.]

Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies the E-Cash Traceability.

Definition 12 (Alternative Formulation of RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{inv}$ and the target oracle $\mathcal{O}_t$. $\mathcal{A}$ is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{inv}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5. We say $\mathcal{A}$ breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{\mathcal{A}}(k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Algorithm 5: Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{\mathcal{A}}(k)$
    $(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$
    $(y_1, \ldots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$
    $((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow \mathcal{A}^{\mathcal{O}_{inv}, \mathcal{O}_t}(N, e, k)$
    if $x_i^{e} \equiv y_i \pmod N$ for all $i \in \{1, \ldots, q_t\}$, return 1
    else return 0

Theorem 13. For a polynomial-time adversary $\mathcal{A}$ who can win the tracing game TG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can break the RSA-AKTI problem with nonnegligible probability.

Proof. $\mathcal{S}$ simulates the environment of DAOECS by controlling three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$ and $\mathcal{O}_{H_3}$ to respond to hash queries, and an e-cash producing oracle $\mathcal{O}_S$ of DAOECS to respond to e-cash producing queries from $\mathcal{A}$, in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the RSA-AKTI problem. For consistency, $\mathcal{S}$ maintains three lists $L_{H_1}$, $L_{H_2}$ and $L_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$ and $\mathcal{O}_{H_3}$, respectively.

Besides, in the proof model $\mathcal{S}$ is allowed to query the oracles $\mathcal{O}_{inv}$ (i.e., $(\cdot)^{d}$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12, which help $\mathcal{S}$ produce valid e-cash(s); the corresponding verifying key is $(e, n)$.

Here we carry out the simulation for the game TG to prove that DAOECS satisfies the e-cash traceability. The details are as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $L_{H_1}$ is represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ to query the hash value $H_1(m)$, $\mathcal{S}$ checks the list $L_{H_1}$:
    (a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;
    (b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^{e} \bmod n)$ to $\mathcal{A}$;
    (c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^{e} \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and then replaces the original record $(m_i, H_1(m_i), \perp)$ by $(m_i, H_1(m_i), \varsigma)$ in $L_{H_1}$;
    (d) otherwise $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, H_1(m), \perp)$ in $L_{H_1}$ and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When $\mathcal{A}$ asks an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ looks up the list $L_{H_2}$:
    (a) if $D = D_i$ for some $i$, the corresponding $\tau$ is retrieved and $\mathcal{S}$ sends $(\tau^{e} \bmod n)$ back to $\mathcal{A}$;
    (b) otherwise $\mathcal{S}$ selects a random $\tau \in \mathbb{Z}_n$, records $(D, \tau)$ in $L_{H_2}$ and returns $(\tau^{e} \bmod n)$ to $\mathcal{A}$.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. When $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ looks up the list $L_{H_3}$:
    (a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ is retrieved and returned to $\mathcal{A}$;
    (b) otherwise $\mathcal{S}$ queries $\mathcal{O}_t$ to get an instance $y$ and records $y$ and $((\sigma, D), y)$ in $L_T$ and $L_{H_3}$, respectively;
    (c) return $y$ to $\mathcal{A}$.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. When $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ performs the following steps:
    (1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;
    (2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;
    (3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^{e} \bmod n)$ and store $((\sigma, D), H_3(\sigma, D))$ in $L_{H_3}$;
    (4) select $b \in_R \mathbb{Z}_n^{*}$ and compute $\beta = (b^{e} \alpha \eta^{e})^{-1} \bmod n$;
    (5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^{e})$, as in the $\mathcal{O}_{H_2}$ query described above;
    (6) compute $t \equiv (\alpha \beta \tau^{e})^{d} \equiv ((b\eta)^{-1} \tau) \pmod n$;
    (7) return $(t, E_k(b, \sigma, r_j))$ to $\mathcal{A}$.

Note that step (6) needs no RSA-inversion query: since $\alpha\beta\tau^{e} = ((b\eta)^{-1}\tau)^{e}$, $\mathcal{S}$ computes $t$ directly from $b$, $\eta$ and $\tau$.

Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appeared as a part of any $\mathcal{O}_S$ query, such that $s'^{e} H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$. Then, by $L_{H_1}$, $L_{H_2}$ and $L_{H_3}$, $\mathcal{S}$ can derive

$$(y')^{d} \equiv \big(H_3(\sigma', D')\big)^{d} \equiv s'^{-1} \big(H_1^2(m')^{-1} H_2(D')\big)^{d} \equiv s'^{-1} \varsigma'^{-1} \tau' \pmod n. \qquad (22)$$

Let $|L_T| = q_t$ and $L_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends each $y_i \in (L_T - \{y'\})$, $1 \le i \le (q_t - 1)$, to $\mathcal{O}_{inv}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^{d} \bmod n$. Eventually $\mathcal{S}$ can output the $q_t$ RSA-inversion instances

$$(x_1, y_1), (x_2, y_2), \ldots, (x_{q_t - 1}, y_{q_t - 1}), \big((s'^{-1} \varsigma'^{-1} \tau'), y'\big) \qquad (23)$$

after querying $\mathcal{O}_{inv}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
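The verification equation of Algorithm 4 and the extraction step of equation (22) can be exercised on toy parameters. The following Python block is an added example and not code from the paper or its authors; the small RSA modulus, the SHA-256 based stand-ins for $H_1$, $H_2$ and $H_3$, the string-valued $\sigma$ and message fields, and the helper names (`issue`, `verify`, `tamper_demo`, `reduction_demo`) are all assumptions of this example. It shows two things: a valid e-cash fails verification as soon as its ID ciphertext $\sigma$ is swapped, and a simulator that programs the oracles exactly as $\mathcal{S}$ does recovers $y'^{d}$ from any forgery without ever using $d$.

```python
"""Toy model of the DAOECS e-cash verification equation and of the
Theorem 13 reduction (equation (22)).  Added example, not code from the
paper: it uses tiny, insecure RSA parameters and dictionary-backed hash
stand-ins that play the role of the random oracles H1, H2, H3."""
import hashlib
import math

# Constructed toy RSA key (NOT secure): two 7-digit primes.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def hash_to_zn_star(label, *parts):
    """Random-oracle stand-in: SHA-256 of the labelled input, mapped into Z_N^*."""
    ctr = 0
    while True:
        data = "|".join([label, *map(str, parts), str(ctr)]).encode()
        v = int.from_bytes(hashlib.sha256(data).digest(), "big") % N
        if v > 1 and math.gcd(v, N) == 1:
            return v
        ctr += 1


def honest_oracles():
    """The real hash functions: H1^2(m) = H1(H1(m)), H2(D), H3(sigma, D)."""
    h1 = lambda m: hash_to_zn_star("H1", m)
    return {
        "H1sq": lambda m: h1(h1(m)),
        "H2": lambda date: hash_to_zn_star("H2", date),
        "H3": lambda sigma, date: hash_to_zn_star("H3", sigma, date),
    }


def issue(m, sigma, date, oracles, d=D):
    """Bank's signature s = ((H1^2(m) * H3(sigma, D))^-1 * H2(D))^d mod n.
    sigma is the (here: opaque string) encryption of the user's ID."""
    base = pow(oracles["H1sq"](m) * oracles["H3"](sigma, date), -1, N)
    return pow(base * oracles["H2"](date) % N, d, N)


def verify(s, m, sigma, date, oracles):
    """Check s^e * H1^2(m) * H3(sigma, D) == H2(D) (mod n)."""
    lhs = pow(s, E, N) * oracles["H1sq"](m) % N * oracles["H3"](sigma, date) % N
    return lhs == oracles["H2"](date) % N


def tamper_demo():
    """Binding of the ID ciphertext: swapping sigma for another ciphertext
    invalidates the coin, so the ID cannot be stripped from a valid e-cash."""
    oracles = honest_oracles()
    m = "w1|y1|w2|y2|r3|2014-12-31"                    # constructed message
    sigma, date = "Enc_pk_j(ID=alice, r_j=7)", "2014-12-31"   # constructed
    s = issue(m, sigma, date, oracles)
    ok_original = verify(s, m, sigma, date, oracles)
    ok_swapped = verify(s, m, "Enc_pk_j(ID=mallory, r_j=9)", date, oracles)
    return ok_original, ok_swapped                     # (True, False)


def reduction_demo(target_y):
    """Simulator S of Theorem 13.  It programs H1^2(m) = varsigma^e,
    H2(D) = tau^e and H3(sigma, D) = y (an RSA-AKTI target).  From any valid
    forgery (s', m', sigma', D') it recovers y^d = s'^-1 varsigma^-1 tau
    (equation (22)) without knowing d."""
    varsigma = hash_to_zn_star("sim-varsigma")   # S's own random choices
    tau = hash_to_zn_star("sim-tau")
    programmed = {
        "H1sq": lambda m: pow(varsigma, E, N),
        "H2": lambda date: pow(tau, E, N),
        "H3": lambda sigma, date: target_y,
    }
    # Constructed forgery: produced here with the secret d purely to play the
    # adversary A of the tampering game (the extraction below never uses d).
    m_f, sigma_f, date_f = "m'", "sigma'", "D'"
    s_f = issue(m_f, sigma_f, date_f, programmed)
    assert verify(s_f, m_f, sigma_f, date_f, programmed)
    # Equation (22): (y')^d = s'^-1 * varsigma^-1 * tau  (mod n)
    return pow(s_f, -1, N) * pow(varsigma, -1, N) % N * tau % N


def reduction_extracts_rsa_inverse():
    """True iff the value recovered from the forgery is the RSA inverse of y."""
    y = hash_to_zn_star("target-from-O_t")             # constructed target
    x = reduction_demo(y)
    return pow(x, E, N) == y


if __name__ == "__main__":
    print("original verifies / swapped sigma verifies:", tamper_demo())
    print("reduction inverted the RSA target:", reduction_extracts_rsa_inverse())
```

The forgery inside `reduction_demo` is manufactured with the secret exponent only to stand in for $\mathcal{A}$; the extraction line uses nothing but $s'$, $\varsigma$ and $\tau$, which is exactly what makes the reduction legitimate and why one forgery yields one more RSA inversion than the simulator paid for.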

4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has already been spent in a previous transaction, any further spending is detected immediately by the double-spending check procedure. However, in an offline e-cash model the merchant may accept a transaction involving a double-spent e-cash first and perform the double-spending check later. In this case the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two properties:

(i) No one except the real owner can spend a fresh and valid offline e-cash successfully.

(ii) No one can double-spend an e-cash successfully.

Roughly, this is referred to as the e-cash no-swindling property. In this section we define the no-swindling property and formally prove that our scheme is secure against swindling attacks.

Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $\mathcal{O}_{off}$ is an oracle that shows the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively. $\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.

Algorithm 6: Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s^{e_b}\, H_1^2\big(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\big)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
        (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ was never a query to $\mathcal{O}_{off}$
    else return 0

Algorithm 7: Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s^{e_b}\, H_1^2\big(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\big)\, H_3(\sigma, D) = H_2(D) \bmod n_b$
        (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{off}$ only once
        (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ is not obtained from $\mathcal{O}_{off}$
    else return 0

Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. For consistency, $\mathcal{S}$ maintains a list $L_{H_4}$ to record every response of $\mathcal{O}_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^{*}$ of the discrete logarithm problem (i.e., $y^{*} = g^{x^{*}} \bmod p$). Here we describe the simulations for the two experiments $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ and $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ individually.

The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ does the following:
    (a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
    (b) if $i = \nu$: (1) compute $(w_1 = (y^{*})^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
    (c) if $i \neq \nu$: (1) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
    (d) prepare $s = \big((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
    (e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $L_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{off}$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it looks up the list $L_B$:
    (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
    (b) otherwise $\mathcal{O}_{off}$ retrieves the corresponding $(r_1, x_1)$, chooses a random $r_u$, computes $u = H_4(r_u, r_s)$ and $(s' = r_1 - u x_1 \bmod q)$, and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*}, r_u^{*}, r_s^{*}, s'^{*})$ where $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*})$ is prefixed with $\nu$ and postfixed with $(r_1^{*}, x_1^{*})$ in $L_B$. Then, since $w_1^{*} = (y_1^{*})^{H_4(r_u^{*}, r_s^{*})} g^{s'^{*}} \bmod p$ and $w_1^{*} = (y^{*})^{r_1^{*}}$, $\mathcal{S}$ can derive

$$x^{*} = (r_1^{*})^{-1} \big(x_1^{*} H_4(r_u^{*}, r_s^{*}) + s'^{*}\big) \bmod q \qquad (24)$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\, \epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

[Figure 9: The proof model of SWG-1. For the $\nu$-th request $\mathcal{O}_B$ sets $w_1 = (y^{*})^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$; from the forged expansion tuple $\mathcal{S}$ derives $x^{*} = (r_1^{*})^{-1}(x_1^{*} H_4(r_u^{*}, r_s^{*}) + s'^{*}) \bmod q$.]

The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ does the following:
    (a) if $i = \nu$:
        (1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
        (2) compute $(y_1 = (y^{*})^{x_1} \bmod p)$ and $(w_1 = y_1^{u} g^{s'} \bmod p)$;
        (3) prepare $s = \big((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
        (4) record $(i, (s, m, \sigma, D), (u, s'))$ in the list $L_B$;
    (b) if $i \neq \nu$:
        (1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
        (2) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;
        (3) prepare $s = \big((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$ where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
        (4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in the list $L_B$;
    (c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $\mathcal{O}_{off}$. A status parameter $\mathit{sta}$ is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it looks up the list $L_B$:
    (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and $\mathit{sta} = 0$, $\mathcal{O}_{off}$ performs the following procedures:
        (1) set $\mathit{sta} = 1$;
        (2) retrieve the corresponding $(u, s')$ from $L_B$ and choose a random $r_u$;
        (3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $L_H$;
        (4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in the list $L_{off}$;
        (5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
    (b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{off}$ retrieves the corresponding $(r_1, x_1)$, chooses random $r_u$ and $u$, sets $H_4(r_u, r_s) = u$, records $((r_u, r_s), u)$ in $L_H$, computes $(s' = r_1 - u x_1 \bmod q)$ and sends $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;
    (c) otherwise, abort.

(iii) Oracle $\mathcal{O}_{H_4}$. When $\mathcal{A}$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ checks the list $L_H$:
    (a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ retrieves the corresponding $u$ and returns it to $\mathcal{A}$;
    (b) otherwise $\mathcal{O}_{H_4}$ chooses a random $u$, records $((r_u, r_s), u)$ in $L_H$ and returns $u$ to $\mathcal{A}$.

[Figure 10: The proof model of SWG-2. For the $\nu$-th request $\mathcal{O}_B$ sets $y_1 = (y^{*})^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$; the single permitted $\mathcal{O}_{off}$ query is answered by programming $H_4(r_u, r_s) = u$, and a second opening of the same $w_1$ under $u^{*}$ yields $x^{*} = (x_1^{*}(u^{*} - u))^{-1}(s' - s'^{*}) \bmod q$.]

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*}, r_u^{*}, r_s^{*}, s'^{*})$ where $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*})$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $L_B$, and $H_4(r_u^{*}, r_s^{*}) = u^{*}$. Then, via $L_H$, since

$$\big(y^{*x_1^{*}}\big)^{u^{*}} g^{s'^{*}} \equiv (y_1^{*})^{H_4(r_u^{*}, r_s^{*})} g^{s'^{*}} \equiv w_1^{*} \equiv \big(y^{*x_1^{*}}\big)^{u} g^{s'} \pmod p, \qquad (25)$$

$\mathcal{S}$ can derive

$$x^{*} = \big(x_1^{*}(u^{*} - u)\big)^{-1} (s' - s'^{*}) \bmod q \qquad (26)$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\, \epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. This implies that there exists no p.p.t. adversary who can win the swindling game, and hence our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
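The two swindling reductions rest on one Schnorr-style relation: the payment response $s'$ opens the commitment $w_1$ as $w_1 = y_1^{H_4(r_u, r_s)} g^{s'} \bmod p$, so a response to a commitment whose discrete logarithm the owner does not know (SWG-1), or two responses to the same commitment under different challenges (SWG-2), leak a discrete logarithm. The following Python block is an added example and not code from the paper or its authors; the tiny group ($p = 2039$, $q = 1019$, $g = 4$), the SHA-256 stand-in for $H_4$, the string nonces and the function names (`respond`, `accept`, `extract_swg1`, `extract_swg2`) are assumptions of this example. It carries equations (24) and (26) through with the paper's symbols and checks that each recovers the planted $x^{*}$.

```python
"""Toy model of the discrete-log relation behind the swindling proofs
(Theorem 16).  Added example, not code from the paper: it uses a tiny,
insecure group and reproduces the arithmetic of equations (24) and (26)
with the paper's symbols (x1, y1, r1, w1, u = H4(r_u, r_s), s')."""
import hashlib

# Constructed toy group (NOT secure): p = 2q + 1 with q prime, g of order q.
Q = 1019
P = 2 * Q + 1          # 2039
G = 4                  # a quadratic residue mod p, hence of order q


def h4(r_u, r_s):
    """Stand-in for the random oracle H4: hashes the two nonces into Z_q."""
    data = f"H4|{r_u}|{r_s}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def commit(r1):
    """Withdrawal-time commitment w1 = g^r1 mod p embedded in the e-cash."""
    return pow(G, r1, P)


def respond(x1, r1, r_u, r_s):
    """Payment: the owner answers the challenge u = H4(r_u, r_s) with
    s' = r1 - u*x1 mod q (as O_off does in step (b) of the SWG-1 simulation)."""
    u = h4(r_u, r_s)
    return (r1 - u * x1) % Q


def accept(w1, y1, r_u, r_s, s_prime):
    """Merchant's check w1 == y1^H4(r_u, r_s) * g^s' (mod p)."""
    u = h4(r_u, r_s)
    return w1 == pow(y1, u, P) * pow(G, s_prime, P) % P


def honest_payment_is_accepted():
    x1, r1 = 123, 456                                  # constructed secret/nonce
    y1, w1 = pow(G, x1, P), commit(r1)
    r_u, r_s = "user-nonce-1", "shop-nonce-1"          # constructed nonces
    return accept(w1, y1, r_u, r_s, respond(x1, r1, r_u, r_s))


def extract_swg1(r1_star, x1_star, r_u, r_s, s_prime):
    """Equation (24): with w1* = (y*)^r1* and w1* = y1*^H4 g^s',
    x* = (r1*)^-1 (x1* H4(r_u, r_s) + s') mod q."""
    u = h4(r_u, r_s)
    return pow(r1_star, -1, Q) * (x1_star * u + s_prime) % Q


def extract_swg2(x1_star, u, s_prime, u_star, s_prime_star):
    """Equation (26): two accepted responses for the same w1 under challenges
    u != u* give x* = (x1*(u* - u))^-1 (s' - s'*) mod q."""
    return pow(x1_star * (u_star - u) % Q, -1, Q) * (s_prime - s_prime_star) % Q


def swg1_recovers_dlog():
    """Simulator view of SWG-1: the target coin's w1 is (y*)^r1, not g^r1.
    Any accepted response for it yields the DL x* of y* = g^x*."""
    x_star = 777                                       # planted DL challenge
    y_star = pow(G, x_star, P)
    r1, x1 = 31, 59
    y1, w1 = pow(G, x1, P), pow(y_star, r1, P)
    r_u, r_s = "ru*", "rs*"
    # The forger's response is computed here from x*, which the simulator
    # does not know, purely to feed a valid response into the extractor.
    s_prime = (x_star * r1 - h4(r_u, r_s) * x1) % Q
    assert accept(w1, y1, r_u, r_s, s_prime)
    return extract_swg1(r1, x1, r_u, r_s, s_prime) == x_star


def swg2_recovers_dlog():
    """Simulator view of SWG-2: the target coin has y1 = (y*)^x1 and a
    pre-programmed (u, s').  A second accepted response (a double spend)
    under a fresh challenge u* != u yields x*."""
    x_star = 888                                       # planted DL challenge
    y_star = pow(G, x_star, P)
    x1, u, s_prime = 41, 202, 303
    y1 = pow(y_star, x1, P)
    w1 = pow(y1, u, P) * pow(G, s_prime, P) % P
    u_star = 505
    # Second valid opening of the same w1, computed from x* for the same reason.
    s_prime_star = (s_prime + (u - u_star) * x1 * x_star) % Q
    assert w1 == pow(y1, u_star, P) * pow(G, s_prime_star, P) % P
    return extract_swg2(x1, u, s_prime, u_star, s_prime_star) == x_star


if __name__ == "__main__":
    print("honest payment accepted:", honest_payment_is_accepted())
    print("SWG-1 extraction recovers x*:", swg1_recovers_dlog())
    print("SWG-2 extraction recovers x*:", swg2_recovers_dlog())
```

The design point worth noting is in `extract_swg2`: the merchant's check never needs $x_1$, but two transcripts that pass it for the same $w_1$ with $u \neq u^{*}$ determine $x_1 x^{*}$ uniquely, which is why the bank can identify a double spender from the deposited transcripts alone and why the simulator may program $H_4$ for exactly one $\mathcal{O}_{off}$ answer.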

5. E-Cash Advanced Features and Performance Comparisons

In this section we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and summarize the results in Table 1.

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability and no double-spending. Besides these, other advanced features of an e-cash system are discussed in the literature. We focus on three advanced features, namely traceability, date attachability and no-swindling, and compare the proposed scheme with the aforementioned schemes on them.

We also propose an e-cash renewal protocol that lets users exchange their unused but expired e-cash(s) for a new valid e-cash; therefore users do not have to deposit the e-cash before it expires and withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. This is a great help to users, since their devices, such as smart phones, usually have weaker computation capability.

Table 1: Advanced features and performance comparisons.

Scheme | On/off-line | Conditional-traceability | Date attachability | No-swindling | Renewal protocol | Formal proof | Transaction cost⋆ | Communication cost†
Ours | Off | Yes | Yes | Yes | Yes | Yes | 5E + 7M + 7H + 1inv + 1A ≈ 1454M | 1092
[38] | Off | Yes | No | No | — | Yes | 14E + 14M + 1H + 5A ≈ 3375M | 576
[14] | Off | No | No | No | Yes | No | 6E + 8M ≈ 1448M | 1288
[15] | Off | Yes | No | No | — | Yes | 23E + 14M + 1A ≈ 5534M | 939
[9] | On | No | Yes | — | No | No | 2E + 2M + 2H ≈ 966M | 769
[21] | Off | Yes | Yes | No | Yes | No | 5E + 9M + 1H + 1inv + 2A ≈ 1450M | 644
[22] | Off | Yes | No | Yes | Yes | Yes | 2E ≈ 480M | 300
[39] | Off | Yes | No | No | — | Yes | 18E + 15M + 2H + 8A ≈ 4337M | 828
[40] | Off | Yes | No | No | — | Yes | 31E + 22M + 6H + 10A ≈ 7468M | 968
[13] | On | Yes | No | — | — | Yes | 22E + 11M + 4A ≈ 5291M | 1536
[27] | Off | No | Yes | No | Yes | No | 6E + 8M + 1H ≈ 1449M | 728

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
† The communication cost of each transaction at the user side, in bytes.

5.2. Performance Comparisons. According to [41], the computation cost of the operations involved can be summarized as follows. The computation cost of a modular exponentiation is about 240 times that of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.

With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be derived as 1452 times a modular multiplication, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291 and 1449 times a modular multiplication, respectively, to finish the withdrawal and payment phases at the user end.

According to [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512 and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and one-way hash function used in all protocols, respectively; therefore the signed message and the hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which amounts to 1092 bytes per transaction.

The details of the comparisons are summarized in Table 1.

6. Conclusion

In this paper we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol with which users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient in terms of the computation cost at the user side while satisfying all security properties simultaneously. Besides anonymity, unlinkability, unforgeability and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank manage its huge database against unlimited growth, but it also strengthens the preservation of users' privacy and rights.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grants NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.

References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.

[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.

[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.

[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.

[5] D. R. Liu and T. F.  Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.

[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.

[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.

[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.

[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.

[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.

[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.

[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.

[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.

[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.

[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.

[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.

[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.

[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology - CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.

[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.

[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.

[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.

[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.

[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.

[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.

[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.

[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology - CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.

[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.

[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.

[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.

[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.

[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs - White Paper, Mobile Platform Group, Intel Corporation, 2002.

[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.

[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.

[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.

[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.

[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.

[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.

[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.


12 The Scientific World Journal

[Figure 8: The proof model of TG. The figure shows 𝒜 interacting with 𝒮, which controls the oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ and $\mathcal{O}_S$ (storing entries in $L_{H_3}$ and $L_T$), queries $\mathcal{O}_t$ and $\mathcal{O}_{inv}$ of the RSA-AKTI instance, and, from a forgery $(s', m', \sigma', D')$ with $\sigma' \notin \{\sigma_1, \ldots\}$ and $s'^{e} H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$, outputs $(x_1, y_1), (x_2, y_2), \ldots, (x_{q_t-1}, y_{q_t-1}), ((s'^{-1} \varsigma'^{-1} \tau'), y')$.]

Experiment $\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(l_k)$

$(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$

$(s', m', \sigma', D') \leftarrow \mathcal{A}^{\mathcal{O}_S}(pk_{TA}, e_R, n_R, H_1, H_2)$

$\{\sigma_1, \ldots, \sigma_\ell\} \leftarrow \mathcal{O}_S$

if the following two checks are true, return 1:

(i) $\sigma' \notin \{\sigma_1, \ldots, \sigma_\ell\}$

(ii) $s'^{e} H_1^2(m') H_3(\sigma', D') = H_2(D') \bmod n$

else return 0

Algorithm 4

to record parameters from the queries of 𝒜 and issue e-cash(s) (i.e., $(s, m, \sigma, D)$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$) accordingly. 𝒜 is allowed to query $\mathcal{O}_S$ for $\ell$ times; consider Algorithm 4.

𝒜 wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{TG}}_{\mathcal{A}}(k) = 1]$ of 𝒜 is nonnegligible.

Definition 11 (E-Cash Traceability). If there exists no probabilistic polynomial-time adversary who can win the tracing game TG, then DAOECS satisfies the E-Cash Traceability.

Definition 12 (Alternative Formulation of RSA Known-Target Inversion Problem (RSA-AKTI)). Let $k \in \mathbb{N}$ be a security parameter and 𝒜 be an adversary who is allowed to access the RSA-inversion oracle $\mathcal{O}_{inv}$ and the target oracle $\mathcal{O}_t$. 𝒜 is allowed to query $\mathcal{O}_t$ and $\mathcal{O}_{inv}$ for $q_t$ and $q_h$ times ($q_h < q_t$), respectively. Consider Algorithm 5.

Experiment $\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{\mathcal{A}}(k)$

$(N, e, d) \xleftarrow{R} \mathrm{KeyGen}(k)$

$(y_1, \ldots, y_{q_t}) \leftarrow \mathcal{O}_t(N, e, k)$

$((x_1, y_1), \ldots, (x_{q_t}, y_{q_t})) \leftarrow \mathcal{A}^{\mathcal{O}_{inv}, \mathcal{O}_t}(N, e, k)$

if $x_i^{e} \equiv y_i \pmod N$ for all $i \in \{1, \ldots, q_t\}$, return 1

else return 0

Algorithm 5

We say 𝒜 breaks the RSA-AKTI problem if the probability $\Pr[\mathrm{Exp}^{\mathrm{RSA\text{-}AKTI}}_{\mathcal{A}}(k) = 1]$ of 𝒜 is nonnegligible.

Theorem 13. For a polynomial-time adversary 𝒜 who can win the tracing game TG with nonnegligible probability, there exists another adversary 𝒮 who can break the RSA-AKTI problem with nonnegligible probability.

Proof. 𝒮 simulates the environment of DAOECS by controlling three hash oracles $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, $\mathcal{O}_{H_3}$ to respond to hash queries and an e-cash producing oracle $\mathcal{O}_S$ of DAOECS to respond to e-cash producing queries from 𝒜, respectively, in the random oracle model. Eventually 𝒮 will take advantage of 𝒜’s capability to solve the RSA-AKTI problem. Then, for consistency, 𝒮 maintains three lists $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$ to record every response of $\mathcal{O}_{H_1}$, $\mathcal{O}_{H_2}$, and $\mathcal{O}_{H_3}$, respectively.

Besides, in the proof model, 𝒮 is allowed to query the oracles $\mathcal{O}_{inv}$ (i.e., $(\cdot)^d$) and $\mathcal{O}_t$ of the RSA-AKTI problem defined in Definition 12 for helping 𝒮 produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.

Here we will do the simulation for game TG to prove that DAOECS satisfies the e-cash traceability. Details are described as follows.

(i) $H_1$ Query of $\mathcal{O}_{H_1}$. Initially every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When 𝒜 sends $m$ for querying the hash value $H_1(m)$, 𝒮 will check the list $L_{H_1}$:

(a) if $m = m_i$ for some $i$, then 𝒮 retrieves the corresponding $H_1(m_i)$ and returns it to 𝒜;

(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then 𝒮 retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^{e} \bmod n)$ to 𝒜;

(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then 𝒮 chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^{e} \bmod n)$, and returns $H_1^2(m_i)$ to 𝒜; it then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $L_{H_1}$;

(d) otherwise 𝒮 selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m) = \rho$, records $(m, H_1(m), \perp)$ in $L_{H_1}$, and returns $\rho$ to 𝒜.

(ii) $H_2$ Query of $\mathcal{O}_{H_2}$. When 𝒜 asks for an $H_2$ query by sending $D$ to 𝒮, 𝒮 will look up the list $L_{H_2}$:

(a) if $D = D_i$ for some $i$, the corresponding $\tau$ will be retrieved and 𝒮 will send $(\tau^{e} \bmod n)$ back to 𝒜;

(b) otherwise 𝒮 will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$, and return $(\tau^{e} \bmod n)$ back to 𝒜.

(iii) $H_3$ Query of $\mathcal{O}_{H_3}$. While 𝒜 sends $(\sigma, D)$ to 𝒮 for $H_3(\sigma, D)$, 𝒮 will look up the list $L_{H_3}$:

(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to 𝒜;

(b) otherwise 𝒮 will query $\mathcal{O}_t$ to get an instance $y$ and record $y$ and $((\sigma, D), y)$ in $L_T$ and $L_{H_3}$, respectively;

(c) return $y$ back to 𝒜.

(iv) E-Cash Producing Query of $\mathcal{O}_S$. While 𝒜 sends $(\alpha, \epsilon, D)$ to 𝒮, 𝒮 will do the following steps:

(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;

(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;

(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^{e} \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $L_{H_3}$;

(4) select $b \in_R \mathbb{Z}_n^{*}$ and compute $\beta = (b^{e} \alpha \eta^{e})^{-1} \bmod n$;

(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^{e})$, as in the $\mathcal{O}_{H_2}$ query described above;

(6) compute $t \equiv (\alpha \beta \tau^{e})^{d} \equiv ((b\eta)^{-1} \tau) \pmod n$;

(7) return $(t, E_k(b, \sigma, r_j))$ back to 𝒜.

Assume that 𝒜 can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of some $\mathcal{O}_S$ query, such that $s'^{e} H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$; then by $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, 𝒮 can derive

$(y')^{d} \equiv (H_3(\sigma', D'))^{d} \equiv s'^{-1} \left(H_1^2(m')^{-1} H_2(D')\right)^{d} \equiv s'^{-1} \varsigma'^{-1} \tau' \pmod n.$ (22)

Let $|L_T| = q_t$ and $L_T = \{y_1, \ldots, y_{q_t}\}$. 𝒮 sends $y_i \in (L_T - \{y'\})$, $1 \le i \le (q_t - 1)$, to $\mathcal{O}_{inv}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^{d} \bmod n$.

Eventually 𝒮 can output $q_t$ RSA-inversion instances

$(x_1, y_1), (x_2, y_2), \ldots, (x_{q_t-1}, y_{q_t-1}), ((s'^{-1} \varsigma'^{-1} \tau'), y')$ (23)

after querying $\mathcal{O}_{inv}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
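As an added illustration of the reduction just described (example code written for this page, not code from the paper or its authors), the following Python models the simulator 𝒮 with a constructed toy RSA modulus and planted hash values. It checks the two identities the proof rests on: the $\mathcal{O}_S$ response of step (6), $t \equiv (\alpha\beta\tau^{e})^{d} \equiv (b\eta)^{-1}\tau \pmod n$, which 𝒮 can obtain through the inversion oracle but which also has a closed form needing no $d$; and equation (22), where from any tuple satisfying $s^{e} H_1^2(m) H_3(\sigma, D) \equiv H_2(D) \pmod n$ the planted roots $\varsigma$ and $\tau$ yield the $e$-th root of $y = H_3(\sigma, D)$. The primes, the "forgery" built with the secret $d$ (standing in for 𝒜, which the reduction treats as a black box), and all function names are assumptions of this example.

```python
"""Toy model of the RSA-AKTI reduction behind Theorem 13.

Added example, not the paper's code. The simulator S is modelled with a
constructed, insecure toy RSA key and planted hash values; every numeric
value here is an assumption of this example.
"""

# Constructed toy RSA key: two small primes, public exponent e, secret d.
P_RSA, Q_RSA = 1000003, 1000033
N = P_RSA * Q_RSA
E = 65537
D = pow(E, -1, (P_RSA - 1) * (Q_RSA - 1))


def rsa_inversion_oracle(z):
    """Stands in for O_inv, i.e. (.)^d mod n, which S may call q_h times."""
    return pow(z, D, N)


def simulate_cash_query(alpha, tau, eta, b, inv_oracle=rsa_inversion_oracle):
    """Steps (3)-(6) of the O_S simulation.

    S plants H3(sigma, D) = alpha * eta^e, reuses the planted root tau of
    H2(D), picks the blinding factor b and answers t = (alpha*beta*tau^e)^d.
    Returns (t via the oracle, t via the closed form (b*eta)^(-1) * tau);
    the two agree, which is why this step never needs d directly.
    """
    h3 = alpha * pow(eta, E, N) % N                 # planted H3(sigma, D)
    beta = pow(pow(b, E, N) * h3 % N, -1, N)        # (b^e * alpha * eta^e)^(-1)
    t_via_oracle = inv_oracle(alpha * beta * pow(tau, E, N) % N)
    t_closed_form = pow(b * eta % N, -1, N) * tau % N
    return t_via_oracle, t_closed_form


def cash_relation_holds(s, h1_sq, h3, h2):
    """Check (ii) of Algorithm 4: s^e * H1^2(m) * H3(sigma, D) == H2(D) (mod n)."""
    return pow(s, E, N) * h1_sq % N * h3 % N == h2 % N


def extract_root(s, varsigma, tau):
    """Equation (22): (y')^d = s'^(-1) * varsigma'^(-1) * tau' (mod n), using
    the roots varsigma and tau that S planted for H1^2(m') and H2(D')."""
    return pow(s, -1, N) * pow(varsigma, -1, N) % N * tau % N


def forge_with_secret(varsigma, tau, y):
    """Stand-in for the adversary's output: an s satisfying the cash relation
    for planted H1^2 = varsigma^e, H2 = tau^e and target H3 = y. Only this
    toy stand-in touches d; the reduction itself never does."""
    return tau * pow(varsigma, -1, N) % N * pow(y, -D, N) % N


def run_reduction(varsigma, tau, y):
    """Round trip: forge a tuple, confirm it verifies, let S turn it into an
    e-th root of the target y, and report whether that root is correct."""
    s = forge_with_secret(varsigma, tau, y)
    assert cash_relation_holds(s, pow(varsigma, E, N), y, pow(tau, E, N))
    x = extract_root(s, varsigma, tau)
    return pow(x, E, N) == y


if __name__ == "__main__":
    t1, t2 = simulate_cash_query(alpha=999, tau=67890, eta=4242, b=31337)
    print("O_S response matches closed form:", t1 == t2)
    print("forgery yields e-th root of the target:", run_reduction(12345, 67890, 424242))
```

The point to take from running it is the shape of the argument rather than the arithmetic: 𝒮 spends one inversion-oracle call per simulated e-cash only through the oracle interface, and the forged tuple, which 𝒮 did not create, hands over the root of a target it never inverted, giving $q_t$ roots from $q_t - 1$ oracle calls.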

4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has been spent in a previous transaction, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model, the merchant may accept a transaction involving a double-spent e-cash first and then do the double-spending check later. In this case, the original owner of the e-cash may suffer from loss. Therefore, a secure offline e-cash scheme should guarantee the following two events:

(i) No one except the real owner can spend a fresh and valid offline e-cash successfully.

(ii) No one can double spend an e-cash successfully.

Roughly, this can be referred to as the e-cash no-swindling property. In this section, we will define the no-swindling property and formally prove that our scheme is secure against swindling attacks.

Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and 𝒜 be an adversary in DAOECS. $\mathcal{O}_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to 𝒜. $\mathcal{O}_{off}$ is an oracle to show the expanding form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively.

𝒜 wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k) = 1]$ of 𝒜 is nonnegligible.

Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k)$

$(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$

$(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$

if the following checks are true, return 1:

(i) $s^{e_b} H_1^2\left(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\right) H_3(\sigma, D) = H_2(D) \bmod n_b$

(ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ has never been a query to $\mathcal{O}_{off}$

else return 0

Algorithm 6: Experiment SWG-1

Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k)$

$(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$

$(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{\mathcal{O}_B, \mathcal{O}_{off}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$

if the following checks are true, return 1:

(i) $s^{e_b} H_1^2\left(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\right) H_3(\sigma, D) = H_2(D) \bmod n_b$

(ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $\mathcal{O}_{off}$ only once

(iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ is not obtained from $\mathcal{O}_{off}$

else return 0

Algorithm 7: Experiment SWG-2

Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary 𝒜 who can win the swindling game SWG with nonnegligible probability, there exists another adversary 𝒮 who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. 𝒮 simulates the environment by controlling the hash oracle $\mathcal{O}_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually 𝒮 will take advantage of 𝒜’s capability to solve the discrete logarithm problem. Then, for consistency, 𝒮 maintains a list $L_{H_4}$ to record every response of $\mathcal{O}_{H_4}$. 𝒮 is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^{*}$ of the discrete logarithm problem (i.e., $y^{*} = g^{x^{*}} \bmod p$). Here we will describe the simulations for the two experiments $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ and $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ individually.

The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially 𝒮 guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When 𝒜 sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:

(a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

(b) if $i = \nu$: (1) compute $(w_1 = (y^{*})^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;

(c) if $i \neq \nu$: (1) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;

(d) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

(e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$ and return $(s, m, \sigma, D)$ to 𝒜.

(ii) Oracle $\mathcal{O}_{off}$. When 𝒜 sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it will look up the list $L_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;

(b) otherwise $\mathcal{O}_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to 𝒜.

Assume that 𝒜 can successfully output a valid offline e-cash expansion tuple $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*}, r_u^{*}, r_s^{*}, s'^{*})$, where $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*})$ is prefixed with $\nu$ and postfixed with $(r_1^{*}, x_1^{*})$ in $L_B$. Then, since $w_1^{*} = (y_1^{*})^{H_4(r_u^{*}, r_s^{*})} g^{s'^{*}} \bmod p$ and $w_1^{*} = (y^{*})^{r_1^{*}}$, 𝒮 can derive

$x^{*} = (r_1^{*})^{-1} \left(x_1^{*} H_4(r_u^{*}, r_s^{*}) + s'^{*}\right) \bmod q$ (24)

[Figure 9: The proof model of SWG-1. The figure shows 𝒜 requesting the $i$-th e-cash from $\mathcal{O}_B$ (for $i = \nu$: $w_1 = (y^{*})^{r_1} \bmod p$, $y_1 = g^{x_1} \bmod p$), the $\mathcal{O}_{off}$ exchange of $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ for $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, r_u, s')$, the swindle output $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*}, r_s^{*}, r_u^{*}, s'^{*})$ satisfying $s^{*e_b} H_1^2(w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, D^{*}, r_3^{*}) H_3(\sigma^{*}, D^{*}) \equiv H_2(D^{*}) \pmod{n_b}$ and $w_1^{*} = (y_1^{*})^{H_4(r_u^{*}, r_s^{*})} g^{s'^{*}} \bmod p$, and, with $w_1^{*} = (y^{*})^{r_1^{*}} \bmod p$, the extraction $x^{*} = (r_1^{*})^{-1}(x_1^{*} H_4(r_u^{*}, r_s^{*}) + s'^{*}) \bmod q$.]

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $\mathcal{O}_B$. Initially 𝒮 guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When 𝒜 sends the $i$-th query to $\mathcal{O}_B$ for an e-cash, $\mathcal{O}_B$ will do the following:

(a) if $i = \nu$:

(1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

(2) compute $(y_1 = (y^{*})^{x_1} \bmod p)$ and $(w_1 = y_1^{u} g^{s'} \bmod p)$;

(3) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

(4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $L_B$;

(b) if $i \neq \nu$:

(1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

(2) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;

(3) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

(4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$;

(c) return $(s, m, \sigma, D)$ to 𝒜.

(ii) Oracle $\mathcal{O}_{off}$. A status parameter $\mathrm{sta}$ is initialized to 0. When 𝒜 sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $\mathcal{O}_{off}$, it will look up the list $L_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and $\mathrm{sta} = 0$, $\mathcal{O}_{off}$ will perform the following procedures:

(1) set $\mathrm{sta} = 1$;

(2) retrieve the corresponding $(u, s')$ from $L_B$ and choose a random $r_u$;

(3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $L_H$;

(4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $L_{off}$;

(5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to 𝒜;

(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $\mathcal{O}_{off}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $L_H$, compute $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to 𝒜;

(c) otherwise, abort.

(iii) Oracle $\mathcal{O}_{H_4}$. While 𝒜 sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $\mathcal{O}_{H_4}$ will check the list $L_H$:

(a) if $(r_u, r_s)$ exists as the prefix of some record, $\mathcal{O}_{H_4}$ will retrieve the corresponding $u$ and return it to 𝒜;

(b) otherwise $\mathcal{O}_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $L_H$, and return $u$ to 𝒜.

[Figure 10: The proof model of SWG-2. The figure shows 𝒜 requesting the $i$-th e-cash from $\mathcal{O}_B$ (for $i = \nu$: $y_1 = (y^{*})^{x_1} \bmod p$, $w_1 = y_1^{u} g^{s'} \bmod p$), the $\mathcal{O}_{off}$ exchange with status $\mathrm{sta}$ (set $\mathrm{sta} = 1$, set $H_4(r_u, r_s) = u$ and store in $L_H$, record in $L_{off}$), the $\mathcal{O}_{H_4}$ queries on $(r_u, r_s)$, the swindle output $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*}, r_s^{*}, r_u^{*}, s'^{*})$ satisfying $s^{*e_b} H_1^2(w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, D^{*}, r_3^{*}) H_3(\sigma^{*}, D^{*}) \equiv H_2(D^{*}) \pmod{n_b}$ and $w_1^{*} = (y_1^{*})^{H_4(r_u^{*}, r_s^{*})} g^{s'^{*}} \bmod p$, the identity $(y^{* x_1^{*}})^{u^{*}} g^{s'^{*}} \equiv (y_1^{*})^{H_4(r_u^{*}, r_s^{*})} g^{s'^{*}} \equiv w_1^{*} \equiv (y^{* x_1^{*}})^{u} g^{s'} \pmod p$, and the extraction $x^{*} = (x_1^{*}(u^{*} - u))^{-1}(s' - s'^{*}) \bmod q$.]

Assume that 𝒜 can successfully output a valid offline e-cash expansion tuple $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*}, r_u^{*}, r_s^{*}, s'^{*})$, where $(s^{*}, w_1^{*}, y_1^{*}, w_2^{*}, y_2^{*}, r_3^{*}, \sigma^{*}, D^{*})$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $L_B$, and $H_4(r_u^{*}, r_s^{*}) = u^{*}$. Then, via $L_H$, since

$(y^{* x_1^{*}})^{u^{*}} g^{s'^{*}} \equiv (y_1^{*})^{H_4(r_u^{*}, r_s^{*})} g^{s'^{*}} \equiv w_1^{*} \equiv (y^{* x_1^{*}})^{u} g^{s'} \pmod p,$ (25)

𝒮 can derive

$x^{*} = \left(x_1^{*}(u^{*} - u)\right)^{-1} (s' - s'^{*}) \bmod q$ (26)

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{\mathcal{O}_B})\,\epsilon_{\mathcal{A}}$, where $q_{\mathcal{O}_B}$ is the total number of $\mathcal{O}_B$ queries.

Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. It implies that there exists no PPT adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
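To make the two extraction steps concrete, here is an added Python example (written for this page; not the paper's or the authors' code) that runs the opening relation $w_1 = y_1^{u} g^{s'} \pmod p$ and both extractors in a constructed toy subgroup of prime order $q$: equation (24) recovers $x^{*}$ from a single valid opening when 𝒮 planted $w_1 = (y^{*})^{r_1}$ as in SWG-1, and equation (26) recovers $x^{*}$ from two distinct openings of one $w_1$ when 𝒮 planted $y_1 = (y^{*})^{x_1}$ as in SWG-2. The group parameters $p = 1019$, $q = 509$, $g = 4$, the way the "swindler's" openings are produced (with $x^{*}$, purely so the toy can run), and the helper names are assumptions of this example.

```python
"""Toy extractors for the SWG-1 and SWG-2 reductions (Theorem 16).

Added example, not the paper's code. Group parameters are constructed toy
values: p = 2q + 1 with q prime, and g generating the order-q subgroup of Z_p^*.
"""

P = 1019   # toy safe prime (assumption of this example)
Q = 509    # prime order of the subgroup generated by G
G = 4      # 4 = 2^2 is a quadratic residue mod P, hence of order Q


def verify_opening(y1, w1, u, s_prime):
    """Payment relation used by both games: w1 == y1^u * g^{s'} (mod p)."""
    return w1 == pow(y1, u, P) * pow(G, s_prime, P) % P


def honest_opening(r1, x1, u):
    """What O_off returns for a non-target e-cash (w1 = g^{r1}, y1 = g^{x1}):
    s' = r1 - u*x1 mod q, so that g^{r1} = (g^{x1})^u * g^{s'}."""
    return (r1 - u * x1) % Q


def extract_swg1(r1_star, x1_star, u_star, s_prime_star):
    """Equation (24). With w1* = (y*)^{r1*} = g^{x* r1*} and y1* = g^{x1*},
    a valid opening (u*, s'*) gives x* r1* = x1* u* + s'* (mod q)."""
    return pow(r1_star, -1, Q) * (x1_star * u_star + s_prime_star) % Q


def extract_swg2(x1_star, u, s_prime, u_star, s_prime_star):
    """Equation (26). With y1* = (y*)^{x1*}, two openings (u, s') and (u*, s'*)
    of the same w1* give x* x1* (u* - u) = s' - s'* (mod q)."""
    return pow(x1_star * (u_star - u) % Q, -1, Q) * (s_prime - s_prime_star) % Q


def demo_swg1(x_star, r1, x1, u_star):
    """S embeds y* = g^{x*} in the nu-th e-cash as w1 = (y*)^{r1}; any valid
    opening of it (built here with x* only to make the toy run) hands x*
    back through extract_swg1."""
    y_star = pow(G, x_star, P)
    y1 = pow(G, x1, P)
    w1 = pow(y_star, r1, P)
    s_prime_star = (x_star * r1 - u_star * x1) % Q     # the swindler's s'*
    assert verify_opening(y1, w1, u_star, s_prime_star)
    return extract_swg1(r1, x1, u_star, s_prime_star)


def demo_swg2(x_star, x1, u, s_prime, u_star):
    """S embeds y* as y1 = (y*)^{x1}, answers the single allowed O_off query
    with (u, s'); a second, different opening (u*, s'*) of the same w1
    (again built with x* only to make the toy run) reveals x*."""
    y_star = pow(G, x_star, P)
    y1 = pow(y_star, x1, P)
    w1 = pow(y1, u, P) * pow(G, s_prime, P) % P
    assert verify_opening(y1, w1, u, s_prime)
    s_prime_star = (x_star * x1 * (u - u_star) + s_prime) % Q   # second opening
    assert verify_opening(y1, w1, u_star, s_prime_star)
    return extract_swg2(x1, u, s_prime, u_star, s_prime_star)


if __name__ == "__main__":
    ok = verify_opening(pow(G, 45, P), pow(G, 77, P), 200, honest_opening(77, 45, 200))
    print("honest opening verifies:", ok)
    print("SWG-1 recovers x*:", demo_swg1(123, 77, 45, 200) == 123)
    print("SWG-2 recovers x*:", demo_swg2(123, 45, 200, 31, 311) == 123)
```

The SWG-2 extractor needs $u^{*} \neq u$ and $x_1^{*} \neq 0 \pmod q$ for the inverse in (26) to exist, which is why the random-oracle control of $H_4$ matters in the proof: 𝒮 answers the one legitimate $\mathcal{O}_{off}$ query with its planted $u$, and a fresh $(r_u^{*}, r_s^{*})$ receives an independent $u^{*}$.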

5. E-Cash Advanced Features and Performance Comparisons

In this section, we compare the e-cash features and performance of our proposed scheme with other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and form a table (Table 1) for the summary.

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these features, there can be other advanced features of an e-cash system discussed in the literature. We focus on three other advanced features, which are traceability, date attachability, and no-swindling, and we compare the proposed scheme with the aforementioned schemes.

We also propose an e-cash renewal protocol for users to exchange a new valid e-cash for their unused but expired e-cash(s); therefore users do not have to deposit the e-cash before it expires and withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. It is a great help to the users, since their devices, such as smart phones, usually have weaker computation capability.

Table 1: Advanced features and performance comparisons.

|                          | Ours | [38] | [14] | [15] | [9] | [21] | [22] | [39] | [40] | [13] | [27] |
| On/off-line              | Off | Off | Off | Off | On | Off | Off | Off | Off | On | Off |
| Conditional-traceability | Yes | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
| Date attachability       | Yes | No | No | No | Yes | Yes | No | No | No | No | Yes |
| No-swindling             | Yes | No | No | No | — | No | Yes | No | No | — | No |
| Renewal protocol         | Yes | — | Yes | — | No | Yes | Yes | — | — | — | Yes |
| Formal proof             | Yes | Yes | No | Yes | No | No | Yes | Yes | Yes | Yes | No |
| Transaction cost⋆        | 5E + 7M + 7H + 1inv + 1A ≈ 1454M | 14E + 14M + 1H + 5A ≈ 3375M | 6E + 8M ≈ 1448M | 23E + 14M + 1A ≈ 5534M | 2E + 2M + 2H ≈ 966M | 5E + 9M + 1H + 1inv + 2A ≈ 1450M | 2E ≈ 480M | 18E + 15M + 2H + 8A ≈ 4337M | 31E + 22M + 6H + 10A ≈ 7468M | 22E + 11M + 4A ≈ 5291M | 6E + 8M + 1H ≈ 1449M |
| Communication cost       | 1092 | 576 | 1288 | 939 | 769 | 644 | 300 | 828 | 968 | 1536 | 728 |

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.

⋆ The computation cost of the withdrawal and payment protocols at the user side.

Communication cost: the communication cost of each transaction at the user side, in bytes.


5.2. Performance Comparisons. According to [41], we can summarize and induce the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times the computation cost of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.

With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be induced as 1452 times that of a modular multiplication, while other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times that of a modular multiplication to finish the withdrawal and payment phases at the user ends.

According to [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and one-way hash function used in all protocols, respectively; therefore the signed message and hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.

The details of the comparisons are summarized in Table 1.

6. Conclusion

In this paper, we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol, where users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient from the aspect of the computation cost at the user side while satisfying all security properties simultaneously. Except for anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank to manage their huge databases against unlimited growth, but it also strengthens the preservation of users’ privacy and rights.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grants NSC 102-2219-E-110-002, NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.

References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.

[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.

[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.

[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.

[5] D. R. Liuy and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.

[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.

[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.

[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.

[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.

[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.

[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.

[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.

[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.

[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.

The Scientific World Journal 19

[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.

[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.

[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.

[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology, CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.

[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.

[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.

[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.

[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.

[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.

[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.

[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.

[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology, CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.

[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.

[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.

[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.

[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.

[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs, white paper, Mobile Platform Group, Intel Corporation, 2002.

[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.

[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.

[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.

[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.

[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.

[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.

[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.



Besides, in the proof model, $\mathcal{S}$ is allowed to query the oracles $O_{\mathrm{inv}}$ (i.e., $(\cdot)^d$) and $O_t$ of the RSA-AKTI problem defined in Definition 12 for helping $\mathcal{S}$ produce valid e-cash(s), and the corresponding verifying key is $(e, n)$.

Here we will do the simulation for game TG to prove that DAOECS satisfies the e-cash traceability. Details are described as follows.

(i) $H_1$ Query of $O_{H_1}$. Initially, every blank record in $L_{H_1}$ can be represented as $(\perp, \perp, \perp)$. When $\mathcal{A}$ sends $m$ for querying the hash value $H_1(m)$, $\mathcal{S}$ will check the list $L_{H_1}$:

(a) if $m = m_i$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $H_1(m_i)$ and returns it to $\mathcal{A}$;

(b) else if $m = H_1(m_i)$ and $H_1^2(m_i) \neq \perp$ for some $i$, then $\mathcal{S}$ retrieves the corresponding $\varsigma_i$ and returns $(\varsigma_i^e \bmod n)$ to $\mathcal{A}$;

(c) else if $m = H_1(m_i)$ and $H_1^2(m_i) = \perp$ for some $i$, then $\mathcal{S}$ chooses $\varsigma \in_R \mathbb{Z}_n$, sets $H_1^2(m_i) = (\varsigma^e \bmod n)$, returns $H_1^2(m_i)$ to $\mathcal{A}$, and then fills the original record $(m_i, H_1(m_i), \perp)$ as $(m_i, H_1(m_i), \varsigma)$ in $L_{H_1}$;

(d) otherwise, $\mathcal{S}$ selects a random $\rho \in \mathbb{Z}_n$, sets $H_1(m_i) = \rho$, records $(m, H_1(m_i), \perp)$ in $L_{H_1}$, and returns $\rho$ to $\mathcal{A}$.

(ii) $H_2$ Query of $O_{H_2}$. When $\mathcal{A}$ asks for an $H_2$ query by sending $D$ to $\mathcal{S}$, $\mathcal{S}$ will look up the list $L_{H_2}$:

(a) if $D = D_i$ for some $i$, the corresponding $\tau_i$ will be retrieved and $\mathcal{S}$ will send $(\tau_i^e \bmod n)$ back to $\mathcal{A}$;

(b) otherwise, $\mathcal{S}$ will select a random $\tau \in \mathbb{Z}_n$, record $(D, \tau)$ in $L_{H_2}$, and return $(\tau^e \bmod n)$ back to $\mathcal{A}$.

(iii) $H_3$ Query of $O_{H_3}$. While $\mathcal{A}$ sends $(\sigma, D)$ to $\mathcal{S}$ for $H_3(\sigma, D)$, $\mathcal{S}$ will look up the list $L_{H_3}$:

(a) if $(\sigma, D) = (\sigma_i, D_i)$ for some $i$, the corresponding $y_i$ will be retrieved and returned to $\mathcal{A}$;

(b) otherwise, $\mathcal{S}$ will query $O_t$ to get an instance $y$, and record $y$ and $((\sigma, D), y)$ in $L_T$ and $L_{H_3}$, respectively;

(c) return $y$ back to $\mathcal{A}$.

(iv) E-Cash Producing Query of $O_S$. While $\mathcal{A}$ sends $(\alpha, \epsilon, D)$ to $\mathcal{S}$, $\mathcal{S}$ will do the following steps:

(1) decrypt $\epsilon$ and obtain $(k, \mathrm{ID})$;

(2) randomly select $r_j$ and prepare $\sigma = E_{pk_j}(\mathrm{ID}, r_j)$;

(3) choose $\eta \in_R \mathbb{Z}_n$, set $H_3(\sigma, D) = (\alpha \eta^e \bmod n)$, and store $((\sigma, D), H_3(\sigma, D))$ in $L_{H_3}$;

(4) select $b \in_R \mathbb{Z}_n^*$ and compute $\beta = (b^e \alpha \eta^e)^{-1} \bmod n$;

(5) retrieve or assign $\tau$ such that $H_2(D) = (\tau^e)$, as in the $O_{H_2}$ query described above;

(6) compute $t \equiv (\alpha \beta \tau^e)^d \equiv ((b\eta)^{-1} \tau) \pmod n$;

(7) return $(t, E_k(b, \sigma, r_j))$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output an e-cash tuple $(s', m', \sigma', D')$, where $\sigma'$ never appears as a part of some $O_S$ query, such that $s'^e H_1^2(m') H_3(\sigma', D') \equiv H_2(D') \pmod n$; then by $L_{H_1}$, $L_{H_2}$, and $L_{H_3}$, $\mathcal{S}$ can derive

$$(y')^d \equiv \left(H_3(\sigma', D')\right)^d \equiv s'^{-1} \left(H_1^2(m')^{-1} H_2(D')\right)^d \equiv s'^{-1} \varsigma'^{-1} \tau' \pmod n. \tag{22}$$

Let $|L_T| = q_t$ and $L_T = \{y_1, \ldots, y_{q_t}\}$. $\mathcal{S}$ sends $y_i \in (L_T - \{y'\})$, $1 \le i \le (q_t - 1)$, to $O_{\mathrm{inv}}$ and obtains $q_t - 1$ values $x_i$ such that $x_i = y_i^d \bmod n$. Eventually $\mathcal{S}$ can output $q_t$ RSA-inversion instances

$$(x_1, y_1), (x_2, y_2), \ldots, (x_{q_t - 1}, y_{q_t - 1}), \left((s'^{-1} \varsigma'^{-1} \tau'), y'\right) \tag{23}$$

after querying $O_{\mathrm{inv}}$ for $q_h$ times, where $q_h = q_t - 1 < q_t$, and thus it breaks the RSA-AKTI problem with nonnegligible probability at least $\epsilon_{\mathcal{A}}$.
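As an added illustration of the reduction above (not code from the paper), the following Python models the simulator's side of (22) and (23) with a toy RSA modulus: the hash values are answered as in cases $O_{H_1}$(c) and $O_{H_2}$(b), the forger $\mathcal{A}$ is a stand-in that cheats with the private exponent $d$ so that a valid $(s', m', \sigma', D')$ exists at all, and the extractor recovers $y'^d$ from the forgery using only $\varsigma'$, $\tau'$ and $s'$ after $q_t - 1$ calls to $O_{\mathrm{inv}}$. The primes, the function names and the hash stand-ins are all constructed for this example.

```python
"""Toy walk-through of the traceability reduction, eq. (22)-(23).
Added example, not the paper's code. The RSA primes are tiny constructed
values, the hash outputs are the simulator's programmed values, and the
forger is faked with d so that a forgery exists to extract from."""
from math import gcd
import secrets

P, Q = 1000003, 1000033                    # constructed toy primes (not for real use)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # bank's d: used ONLY by the fake forger / O_inv


def rand_unit(n):
    """Uniform element of Z_n^* (the simulator's random choices)."""
    while True:
        x = secrets.randbelow(n - 1) + 1
        if gcd(x, n) == 1:
            return x


def program_hashes(n, e):
    """O_{H1} case (c) and O_{H2} case (b): S answers H_1^2(m') = ς^e and
    H_2(D') = τ^e so that it knows ς and τ. Returns (ς, H_1^2(m'), τ, H_2(D'))."""
    sf, tau = rand_unit(n), rand_unit(n)
    return sf, pow(sf, e, n), tau, pow(tau, e, n)


def fake_forger(n, e, d, h1sq, h3, h2):
    """Stand-in for A (cheats with d): returns s' satisfying
    s'^e * H_1^2(m') * H_3(σ', D') ≡ H_2(D') (mod n)."""
    return pow(h2 * pow(h1sq * h3 % n, -1, n) % n, d, n)


def ecash_valid(n, e, s, h1sq, h3, h2):
    """The verification relation the traceability game checks."""
    return pow(s, e, n) * h1sq % n * h3 % n == h2 % n


def extract_root(n, s_forged, sf, tau):
    """Eq. (22): (y')^d ≡ s'^{-1} ς'^{-1} τ' (mod n), computed without d."""
    return pow(s_forged, -1, n) * pow(sf, -1, n) % n * tau % n


def one_more_inversion(n, e, d, num_targets):
    """Eq. (23): given q_t targets y_1..y_{q_t} from O_t, S inverts q_t - 1 of them
    through O_inv and obtains the last root from the forgery.
    Returns (number of O_inv calls, whether all q_t pairs are valid RSA inversions)."""
    targets = [rand_unit(n) for _ in range(num_targets)]   # stands in for L_T
    calls = 0

    def o_inv(y):                       # O_inv oracle, call-counted
        nonlocal calls
        calls += 1
        return pow(y, d, n)

    y_forged = targets[-1]              # planted as H_3(σ', D') for the forgery
    pairs = [(o_inv(y), y) for y in targets[:-1]]
    sf, h1sq, tau, h2 = program_hashes(n, e)
    s_forged = fake_forger(n, e, d, h1sq, y_forged, h2)
    assert ecash_valid(n, e, s_forged, h1sq, y_forged, h2)
    pairs.append((extract_root(n, s_forged, sf, tau), y_forged))
    ok = all(pow(x, e, n) == y for x, y in pairs)
    return calls, ok


if __name__ == "__main__":
    calls, ok = one_more_inversion(N, E, D, 5)
    print(f"{calls} O_inv calls, 5 roots, all valid: {ok}")
```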

4.4. E-Cash No-Swindling. In typical online e-cash transactions, when an e-cash has been spent in a previous transaction, another spending will be detected immediately owing to the double-spending check procedure. However, in an offline e-cash model the merchant may accept a transaction involving a double-spent e-cash first and do the double-spending check later. In this case, the original owner of the e-cash may suffer a loss. Therefore, a secure offline e-cash scheme should guarantee the following two events:

(i) No one except the real owner can spend a fresh and valid offline e-cash successfully.

(ii) No one can double spend an e-cash successfully.

Roughly, this can be referred to as the e-cash no-swindling property. In this section, we will define the no-swindling property and formally prove that our scheme is secure against swindling attacks.

Definition 14 (Swindling Game in DAOECS). Let $l_k \in \mathbb{N}$ be a security parameter and $\mathcal{A}$ be an adversary in DAOECS. $O_B$ is an oracle issuing generic e-cash(s) (i.e., $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D)$) of DAOECS to $\mathcal{A}$. $O_{\mathrm{off}}$ is an oracle showing the expanded form $(s, y_1, w_1, x_2, r_2, r_3, \sigma, D, r_s, s')$ for the payment according to the input $(s, m, \sigma, D)$. Consider the two experiments SWG-1 and SWG-2 shown in Algorithms 6 and 7, respectively.

$\mathcal{A}$ wins the game if the probability $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k) = 1]$ or $\Pr[\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k) = 1]$ of $\mathcal{A}$ is nonnegligible.


Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{O_B, O_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s^{e_b} H_1^2\!\left(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\right) H_3(\sigma, D) = H_2(D) \bmod n_b$
        (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ has never been a query to $O_{\mathrm{off}}$
    else return 0

Algorithm 6: Experiment SWG-1.

Experiment $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}(l_k)$
    $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
    $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow \mathcal{A}^{O_B, O_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
    if the following checks are true, return 1:
        (i) $s^{e_b} H_1^2\!\left(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\ y_1, w_2, y_2, D, r_3\right) H_3(\sigma, D) = H_2(D) \bmod n_b$
        (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $O_{\mathrm{off}}$ once
        (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ was not obtained from $O_{\mathrm{off}}$
    else return 0

Algorithm 7: Experiment SWG-2.

Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $\mathcal{A}$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $\mathcal{S}$ who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. $\mathcal{S}$ simulates the environment by controlling the hash oracle $O_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually, $\mathcal{S}$ will take advantage of $\mathcal{A}$'s capability to solve the discrete logarithm problem. For consistency, $\mathcal{S}$ maintains a list $L_{H_4}$ to record every response of $O_{H_4}$. $\mathcal{S}$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we will describe the simulations for the two experiments $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ and $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ individually.

The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}1}}_{\mathcal{A}}$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $O_B$. Initially, $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$th query will be the attack target. When $\mathcal{A}$ sends the $i$th query to $O_B$ for an e-cash, $O_B$ will do the following:

(a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

(b) if $i = \nu$: (1) compute $(w_1 = (y^*)^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;

(c) if $i \neq \nu$: (1) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;

(d) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

(e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$ and return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $O_{\mathrm{off}}$. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $O_{\mathrm{off}}$, it will look up the list $L_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;

(b) otherwise, $O_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $L_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*}$, $\mathcal{S}$ can derive

$$x^* = (r_1^*)^{-1} \left(x_1^* H_4(r_u^*, r_s^*) + s'^*\right) \bmod q \tag{24}$$


[Figure 9: The proof model of SWG-1. The figure depicts the messages exchanged among $\mathcal{A}$, $\mathcal{S}$, $O_B$, and $O_{\mathrm{off}}$ in the simulation above (the request $i$, the generic e-cash, its expansion, and the swindled tuple), the verification relation of check (i), and the derivation of $x^*$ in (24).]

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{O_B})\,\epsilon_{\mathcal{A}}$, where $q_{O_B}$ is the total number of $O_B$ queries.

The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $O_B$. Initially, $\mathcal{S}$ guesses that the generic e-cash produced from the $\nu$th query will be the attack target. When $\mathcal{A}$ sends the $i$th query to $O_B$ for an e-cash, $O_B$ will do the following:

(a) if $i = \nu$:

(1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

(2) compute $(y_1 = (y^*)^{x_1} \bmod p)$ and $(w_1 = y_1^{u} g^{s'} \bmod p)$;

(3) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

(4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $L_B$;

(b) if $i \neq \nu$:

(1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;

(2) compute $(w_1 = g^{r_1} \bmod p)$ and $(y_1 = g^{x_1} \bmod p)$;

(3) prepare $s = \left((H_1^2(m) H_3(\sigma, D))^{-1} H_2(D)\right)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;

(4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$;

(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $O_{\mathrm{off}}$. A status parameter $\mathrm{sta}$ is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $O_{\mathrm{off}}$, it will look up the list $L_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and $\mathrm{sta} = 0$, $O_{\mathrm{off}}$ will perform the following procedures:

(1) set $\mathrm{sta} = 1$;

(2) retrieve the corresponding $(u, s')$ from $L_B$ and choose a random $r_u$;

(3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $L_H$;

(4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $L_{\mathrm{off}}$;

(5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;

(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $O_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $L_H$, compute $(s' = r_1 - u x_1 \bmod q)$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;

(c) otherwise, abort.

(iii) Oracle $O_{H_4}$. While $\mathcal{A}$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $O_{H_4}$ will check the list $L_H$:

(a) if $(r_u, r_s)$ exists as the prefix of some record, $O_{H_4}$ will retrieve the corresponding $u$ and return it to $\mathcal{A}$;

(b) otherwise, $O_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $L_H$, and return $u$ to $\mathcal{A}$.

[Figure 10: The proof model of SWG-2. The figure depicts the messages exchanged among $\mathcal{A}$, $\mathcal{S}$, $O_B$, $O_{\mathrm{off}}$, and $O_{H_4}$ in the simulation above (the status flag $\mathrm{sta}$, the programming of $H_4(r_u, r_s) = u$ in $L_H$, the record in $L_{\mathrm{off}}$, and the swindled tuple), the verification relation of check (i), and the derivation of $x^*$ in (26).]

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $L_B$, and $H_4(r_u^*, r_s^*) = u^*$. Then, via $L_H$, since

$$\left(y^{*x_1^*}\right)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \left(y^{*x_1^*}\right)^{u} g^{s'} \pmod p, \tag{25}$$

$\mathcal{S}$ can derive

$$x^* = \left(x_1^* (u^* - u)\right)^{-1} \left(s' - s'^*\right) \bmod q \tag{26}$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{O_B})\,\epsilon_{\mathcal{A}}$, where $q_{O_B}$ is the total number of $O_B$ queries.

Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. This implies that there exists no p.p.t. adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
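As an added illustration, not the paper's own code, the following Python carries both extractions of the proof through in a toy Schnorr group: SWG-1 recovers $x^*$ by (24) from a single swindled expansion of the $\nu$th e-cash, and SWG-2 recovers it by (26) from a second expansion of an e-cash that $O_{\mathrm{off}}$ has already expanded once. The adversary is a stand-in that is handed $x^*$ so that a winning tuple exists; the group parameters, the `H4Oracle` class and all function names are constructed for this example, and only the $(w_1, y_1, s')$ part of an e-cash is modelled.

```python
"""Toy walk-through of the two discrete-log extractions in the proof of
Theorem 16: eq. (24) from SWG-1 and eq. (26) from SWG-2. Added example,
not the paper's code. Assumptions: a constructed tiny Schnorr group
(P = 2Q+1, G of order Q), H_4 modelled as the programmable oracle O_{H4},
and a stand-in adversary that knows x^* so a winning expansion exists.
The RSA part (s, H_1, H_2, H_3) is untouched by these steps and omitted."""
import secrets

P, Q, G = 10007, 5003, 4   # constructed toy group; far too small for real use


class H4Oracle:
    """O_{H4}: random oracle on (r_u, r_s) into Z_q, backed by the list L_H."""

    def __init__(self):
        self.l_h = {}

    def program(self, r_u, r_s, u):
        """O_off's step (3) in SWG-2: fix H_4(r_u, r_s) = u before A asks for it."""
        self.l_h[(r_u, r_s)] = u

    def query(self, r_u, r_s):
        """Cases (a)/(b) of O_{H4}: replay the recorded u or draw a fresh one."""
        if (r_u, r_s) not in self.l_h:
            self.l_h[(r_u, r_s)] = secrets.randbelow(Q)
        return self.l_h[(r_u, r_s)]


def payment_check(w1, y1, u, s_prime):
    """The w_1 = y_1^{H_4(r_u, r_s)} g^{s'} (mod p) relation inside check (i)
    of Algorithms 6 and 7; u is already H_4(r_u, r_s)."""
    return w1 == pow(y1, u, P) * pow(G, s_prime, P) % P


def swg1_extract(x_star, h4):
    """SWG-1: O_B plants w_1 = (y^*)^{r_1}, y_1 = g^{x_1} in the nu-th e-cash and
    O_off never expands it; the expansion (r_u^*, r_s^*, s'^*) output by A
    gives x^* = r_1^{-1} (x_1 H_4(r_u^*, r_s^*) + s'^*) mod q, eq. (24)."""
    y_star = pow(G, x_star, P)                      # DL instance y^* = g^{x^*}
    r1, x1 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q)
    w1, y1 = pow(y_star, r1, P), pow(G, x1, P)
    # stand-in adversary: knows x^*, so log_g w1 = r1 * x^* and it can solve for s'
    r_u, r_s = secrets.randbits(64), secrets.randbits(64)
    u = h4.query(r_u, r_s)
    s_prime_star = (r1 * x_star - u * x1) % Q
    assert payment_check(w1, y1, u, s_prime_star)   # A's tuple passes check (i)
    # simulator side: only (r1, x1) from L_B and A's output are used, never x^*
    return pow(r1, -1, Q) * (x1 * u + s_prime_star) % Q


def swg2_extract(x_star, h4):
    """SWG-2: O_B plants y_1 = (y^*)^{x_1}, w_1 = y_1^u g^{s'} with (u, s') chosen
    by S, and O_off programs H_4(r_u, r_s) = u for the one allowed expansion;
    a second expansion (u^*, s'^*) of the same w_1 by A (a double spend) gives
    x^* = (x_1 (u^* - u))^{-1} (s' - s'^*) mod q, eq. (26)."""
    y_star = pow(G, x_star, P)
    x1 = secrets.randbelow(Q - 1) + 1
    u, s_prime = secrets.randbelow(Q), secrets.randbelow(Q)
    y1 = pow(y_star, x1, P)
    w1 = pow(y1, u, P) * pow(G, s_prime, P) % P
    r_u, r_s = secrets.randbits(64), secrets.randbits(64)
    h4.program(r_u, r_s, u)                          # O_off's legitimate expansion
    assert payment_check(w1, y1, h4.query(r_u, r_s), s_prime)
    # stand-in adversary: fresh nonces give a fresh u^*; retry the 1/q event u^* == u
    while True:
        r_u2, r_s2 = secrets.randbits(64), secrets.randbits(64)
        u_star = h4.query(r_u2, r_s2)
        if u_star != u:
            break
    # log_g w1 = x^* x1 u + s', so the second expansion needs this s'^*
    s_prime_star = (x_star * x1 * (u - u_star) + s_prime) % Q
    assert payment_check(w1, y1, u_star, s_prime_star)
    # simulator side: (u, s', x1) from L_B plus A's (u^*, s'^*), never x^*
    return pow(x1 * (u_star - u) % Q, -1, Q) * (s_prime - s_prime_star) % Q


if __name__ == "__main__":
    secret = secrets.randbelow(Q - 1) + 1
    print("SWG-1 recovers x^*:", swg1_extract(secret, H4Oracle()) == secret)
    print("SWG-2 recovers x^*:", swg2_extract(secret, H4Oracle()) == secret)
```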

5. E-Cash Advanced Features and Performance Comparisons

In this section, we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and form a table (Table 1) for the summary.

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these features, there can be other advanced features of an e-cash system discussed in the literature. We focus on three other advanced features, which are traceability, date attachability, and no-swindling, and we compare the proposed scheme with the aforementioned schemes.

We also propose an e-cash renewal protocol for users to exchange their unused but expired e-cash(s) for a new valid e-cash; therefore, users do not have to deposit the e-cash before it expires and then withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% as compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. This is a great help to the users, since their devices, such as smart phones, usually have weaker computation capability.


Table 1: Advanced features and performance comparisons.

| Advanced features        | Ours | [38] | [14] | [15] | [9] | [21] | [22] | [39] | [40] | [13] | [27] |
| On/off-line              | Off  | Off  | Off  | Off  | On  | Off  | Off  | Off  | Off  | On   | Off  |
| Conditional-traceability | Yes  | Yes  | No   | Yes  | No  | Yes  | Yes  | Yes  | Yes  | Yes  | No   |
| Date attachability       | Yes  | No   | No   | No   | Yes | Yes  | No   | No   | No   | No   | Yes  |
| No-swindling             | Yes  | No   | No   | No   | –   | No   | Yes  | No   | No   | –    | No   |
| Renewal protocol         | Yes  | –    | Yes  | –    | No  | Yes  | Yes  | –    | –    | –    | Yes  |
| Formal proof             | Yes  | Yes  | No   | Yes  | No  | No   | Yes  | Yes  | Yes  | Yes  | No   |

Performance (transaction cost⋆ ; communication cost in bytes):

Ours: 5E + 7M + 7H + 1inv + 1A ≈ 1454M ; 1092
[38]: 14E + 14M + 1H + 5A ≈ 3375M ; 576
[14]: 6E + 8M ≈ 1448M ; 1288
[15]: 23E + 14M + 1A ≈ 5534M ; 939
[9]: 2E + 2M + 2H ≈ 966M ; 769
[21]: 5E + 9M + 1H + 1inv + 2A ≈ 1450M ; 644
[22]: 2E ≈ 480M ; 300
[39]: 18E + 15M + 2H + 8A ≈ 4337M ; 828
[40]: 31E + 22M + 6H + 10A ≈ 7468M ; 968
[13]: 22E + 11M + 4A ≈ 5291M ; 1536
[27]: 6E + 8M + 1H ≈ 1449M ; 728

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side. The communication cost is that of each transaction at the user side, in bytes.


5.2. Performance Comparisons. According to [41], we can summarize and induce the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times the computation cost of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.

With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be induced as 1452 times a modular multiplication, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times a modular multiplication to finish the withdr awal and payment phases at the user end.

According to [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and one-way hash function used in all protocols, respectively; therefore, the signed message and hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.

The details of the comparisons are summarized inTable 1

6 Conclusion

In this paper we have presented earlier a provably secureoffline electronic cash scheme with an expiration date anda deposit date attached to it Besides we have also designedan e-cash renewal protocol where users can exchange theirunused and expired e-cash(s) for new ones more efficientlyCompared with other similar works our scheme is efficientfrom the aspect of considering computation cost of the userside and satisfying all security properties simultaneouslyExcept for anonymity unlinkability unforgeability and nodouble-spending we also formally prove that our schemeachieves conditional-traceability and no-swindling Not onlydoes our scheme help the bank to manage their hugedatabases against unlimited growth but also it strengthensthe preservation of usersrsquo privacy and rights as well

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.

References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.

[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.

[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.

[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.

[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.

[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.

[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man, and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.

[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.

[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.

[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.

[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.

[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.

[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.

[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.

The Scientific World Journal 19

[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.

[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.

[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.

[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology-CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.

[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.

[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.

[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.

[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.

[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.

[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.

[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.

[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology-CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.

[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.

[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.

[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.

[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man, and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.

[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs: White Paper, Mobile Platform Group, Intel Corporation, 2002.

[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.

[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.

[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.

[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.

[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.

[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.

[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.


Experiment $\mathrm{Exp}^{\mathrm{SWG}\text{-}1}_{A}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow A^{O_B,\, O_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\, H_1^{2}\big(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\; y_1, w_2, y_2, D, r_3\big)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$;
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ was never a query to $O_{\mathrm{off}}$;
  else return 0.

Algorithm 6: Experiment SWG-1.

Experiment $\mathrm{Exp}^{\mathrm{SWG}\text{-}2}_{A}(l_k)$:
  $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5) \leftarrow \mathrm{Setup}(l_k)$
  $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s') \leftarrow A^{O_B,\, O_{\mathrm{off}}}(pk_j, g_1, g_2, e_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$
  if the following checks are true, return 1:
    (i) $s^{e_b}\, H_1^{2}\big(y_1^{H_4(r_u, r_s)} g^{s'} \bmod p,\; y_1, w_2, y_2, D, r_3\big)\, H_3(\sigma, D) \equiv H_2(D) \pmod{n_b}$;
    (ii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ is allowed to be queried to $O_{\mathrm{off}}$ only once;
    (iii) $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s, s')$ was not obtained from $O_{\mathrm{off}}$;
  else return 0.

Algorithm 7: Experiment SWG-2.

Definition 15 (E-Cash No-Swindling). If there exists no probabilistic polynomial-time adversary who can win the swindling game defined in Definition 14, then DAOECS satisfies e-cash no-swindling.

Theorem 16. For a polynomial-time adversary $A$ who can win the swindling game SWG with nonnegligible probability, there exists another adversary $S$ who can solve the discrete logarithm problem with nonnegligible probability.

Proof. Consider the swindling game defined in Definition 14. $S$ simulates the environment by controlling the hash oracle $O_{H_4}$ to respond to hash queries on $H_4$ of DAOECS in the random oracle model. Eventually $S$ will take advantage of $A$'s capability to solve the discrete logarithm problem. For consistency, $S$ maintains a list $L_{H_4}$ to record every response of $O_{H_4}$. $S$ is given all parameters $(pk_j, sk_j, g_1, g_2, e_b, d_b, p_b, q_b, n_b, p, q, H_1, H_2, H_3, H_4, H_5)$ of DAOECS and an instance $y^*$ of the discrete logarithm problem (i.e., $y^* = g^{x^*} \bmod p$). Here we describe the simulations for the two experiments $\mathrm{Exp}^{\mathrm{SWG}\text{-}1}_A$ and $\mathrm{Exp}^{\mathrm{SWG}\text{-}2}_A$ individually.

The simulation for $\mathrm{Exp}^{\mathrm{SWG}\text{-}1}_A$ is illustrated in Figure 9, and each oracle is constructed as follows.

(i) Oracle $O_B$. Initially, $S$ guesses that the generic e-cash produced from the $\nu$th query will be the attack target. When $A$ sends the $i$th query to $O_B$ for an e-cash, $O_B$ will do the following:
  (a) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
  (b) if $i = \nu$: (1) compute $w_1 = (y^*)^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
  (c) if $i \neq \nu$: (1) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
  (d) prepare $s = \big((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
  (e) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$ and return $(s, m, \sigma, D)$ to $A$.

(ii) Oracle $O_{\mathrm{off}}$. When $A$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $O_{\mathrm{off}}$, it will look up the list $L_B$:
  (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$, then abort;
  (b) otherwise, $O_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose a random $r_u$, compute $u = H_4(r_u, r_s)$ and $s' = r_1 - u x_1 \bmod q$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $A$.

Assume that $A$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(r_1^*, x_1^*)$ in $L_B$. Then, since $w_1^* = (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \bmod p$ and $w_1^* = (y^*)^{r_1^*} \bmod p$, $S$ can derive
$$x^* = (r_1^*)^{-1}\big(x_1^*\, H_4(r_u^*, r_s^*) + s'^*\big) \bmod q \quad (24)$$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{O_B})\,\epsilon_A$, where $q_{O_B}$ is the total number of $O_B$ queries.

[Figure 9: The proof model of SWG-1 (figure not reproduced in this text version).]

The simulation for $\mathrm{Exp}^{\mathrm{SWG}\text{-}2}_A$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $O_B$. Initially, $S$ guesses that the generic e-cash produced from the $\nu$th query will be the attack target. When $A$ sends the $i$th query to $O_B$ for an e-cash, $O_B$ will do the following:
  (a) if $i = \nu$:
    (1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
    (2) compute $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$;
    (3) prepare $s = \big((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
    (4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $L_B$;
  (b) if $i \neq \nu$:
    (1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
    (2) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
    (3) prepare $s = \big((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D)\big)^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
    (4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $L_B$;
  (c) return $(s, m, \sigma, D)$ to $A$.

(ii) Oracle $O_{\mathrm{off}}$. A status parameter $\mathrm{sta}$ is initialized to 0. When $A$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $O_{\mathrm{off}}$, it will look up the list $L_B$:
  (a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and $\mathrm{sta} = 0$, $O_{\mathrm{off}}$ will perform the following procedures:
    (1) set $\mathrm{sta} = 1$;
    (2) retrieve the corresponding $(u, s')$ from $L_B$ and choose a random $r_u$;
    (3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $L_H$;
    (4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $L_{\mathrm{off}}$;
    (5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $A$;
  (b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $O_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $L_H$, compute $s' = r_1 - u x_1 \bmod q$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $A$;
  (c) otherwise, abort.

(iii) Oracle $O_{H_4}$. When $A$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $O_{H_4}$ will check the list $L_H$:
  (a) if $(r_u, r_s)$ exists as the prefix of some record, $O_{H_4}$ will retrieve the corresponding $u$ and return it to $A$;
  (b) otherwise, $O_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $L_H$, and return $u$ to $A$.

Assume that $A$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $L_B$, and $H_4(r_u^*, r_s^*) = u^*$ via $L_H$. Then, since
$$\big((y^*)^{x_1^*}\big)^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv \big((y^*)^{x_1^*}\big)^{u} g^{s'} \pmod{p}, \quad (25)$$
$S$ can derive
$$x^* = \big(x_1^*\,(u^* - u)\big)^{-1}\,(s' - s'^*) \bmod q \quad (26)$$
and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{O_B})\,\epsilon_A$, where $q_{O_B}$ is the total number of $O_B$ queries.

[Figure 10: The proof model of SWG-2 (figure not reproduced in this text version).]

Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. Under the discrete logarithm assumption, this implies that there exists no ppt adversary who can win the swindling game, and hence our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
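The two extraction steps of the proof, (24) for SWG-1 and (26) for SWG-2, re-enacted below as an added toy illustration; this is not code from the paper. Everything concrete in it is a constructed assumption: the tiny group (p, q, g), a programmable table standing in for the random oracle $H_4$ (the simulator's $O_{H_4}$ and list $L_H$), and the relation $w_1 = y_1^{H_4(r_u, r_s)} g^{s'} \bmod p$ with $y_1 = g^{x_1}$, which is the discrete-logarithm part of check (i) in Experiments SWG-1 and SWG-2. The swindler is played by a helper that knows the discrete logarithm of $w_1$, which is what any successful forger in effect knows; the point shown is that $S$ recovers $x^*$ from the forged expansion alone.

```python
"""Toy re-enactment of the two extractors in the no-swindling proof (Theorem 16).

Added illustration, not code from the paper.  Constructed/assumed here: the tiny
group (p, q, g), a programmable table standing in for the random oracle H4, and
the expansion relation  w1 = y1^{H4(r_u, r_s)} * g^{s'} (mod p)  with y1 = g^{x1},
which is the discrete-logarithm part of check (i) in Experiments SWG-1 and SWG-2.
"""
import secrets

P = 2039  # constructed toy safe prime p = 2q + 1 (far too small for real use)
Q = 1019  # prime order q of the subgroup in which all exponents live
G = 4     # a quadratic residue mod p, hence a generator of the order-q subgroup


class OracleH4:
    """Simulator-controlled random oracle O_{H4} together with its record list L_H."""

    def __init__(self):
        self.l_h = {}

    def program(self, r_u, r_s, u):
        """O_off step (3): set H4(r_u, r_s) = u and record ((r_u, r_s), u) in L_H."""
        self.l_h[(r_u, r_s)] = u % Q

    def query(self, r_u, r_s):
        """Unprogrammed points get a fresh random value in Z_q, answered consistently."""
        if (r_u, r_s) not in self.l_h:
            self.l_h[(r_u, r_s)] = secrets.randbelow(Q)
        return self.l_h[(r_u, r_s)]


def verify_expansion(h4, w1, y1, r_u, r_s, s_prime):
    """Discrete-log part of check (i): w1 == y1^{H4(r_u, r_s)} * g^{s'} (mod p)."""
    u = h4.query(r_u, r_s)
    return w1 == (pow(y1, u, P) * pow(G, s_prime, P)) % P


def extract_swg1(x1, r1_star, u, s_prime):
    """Equation (24): S set w1 = (y*)^{r1*} and y1 = g^{x1}; one valid expansion
    (u, s') of that w1 gives x* = (r1*)^{-1} (x1*u + s') mod q."""
    return (pow(r1_star, -1, Q) * (x1 * u + s_prime)) % Q


def extract_swg2(x1, u, s_prime, u_star, s_prime_star):
    """Equation (26): S set y1 = (y*)^{x1} and w1 = y1^u g^{s'}; a second expansion
    (u*, s'*) of the same w1 gives x* = (x1 (u* - u))^{-1} (s' - s'*) mod q."""
    return (pow((x1 * (u_star - u)) % Q, -1, Q) * (s_prime - s_prime_star)) % Q


def run_swg1(x_star, x1, r1_star, r_u, r_s):
    """SWG-1 simulation for the target query nu.  The swindler is played by a helper
    that knows log_g(w1) = x* r1*.  Returns (check (i) passed, x* recovered by S)."""
    h4 = OracleH4()
    y_star = pow(G, x_star, P)
    w1 = pow(y_star, r1_star, P)                 # S embeds the DLP instance in w1
    y1 = pow(G, x1, P)
    u = h4.query(r_u, r_s)
    s_prime = (x_star * r1_star - u * x1) % Q    # forged expansion: s' = log(w1) - u*x1
    ok = verify_expansion(h4, w1, y1, r_u, r_s, s_prime)
    return ok, extract_swg1(x1, r1_star, u, s_prime)


def run_swg2(x_star, x1, u, s_prime, r_u, r_s, u_star, r_u_star, r_s_star):
    """SWG-2 simulation.  S embeds y* in y1, answers the single permitted O_off
    query by programming H4(r_u, r_s) = u, and the swindler then outputs a second
    expansion under fresh (r_u*, r_s*) whose hash O_{H4} fixed as u*.
    Returns (both checks passed, x* recovered by S, or None when u* = u mod q)."""
    h4 = OracleH4()
    y_star = pow(G, x_star, P)
    y1 = pow(y_star, x1, P)                          # y1 = (y*)^{x1}
    w1 = (pow(y1, u, P) * pow(G, s_prime, P)) % P    # w1 = y1^u g^{s'}
    h4.program(r_u, r_s, u)                          # O_off case (a), step (3)
    first_ok = verify_expansion(h4, w1, y1, r_u, r_s, s_prime)
    h4.program(r_u_star, r_s_star, u_star)           # O_{H4} case (b): fresh random u*
    log_w1 = (x_star * x1 * u + s_prime) % Q         # what the swindler in effect knows
    s_prime_star = (log_w1 - u_star * x_star * x1) % Q
    second_ok = verify_expansion(h4, w1, y1, r_u_star, r_s_star, s_prime_star)
    if (u_star - u) % Q == 0:
        return first_ok and second_ok, None          # no second representation of w1
    return first_ok and second_ok, extract_swg2(x1, u, s_prime, u_star, s_prime_star)
```

The SWG-2 branch also shows the one case the reduction cannot use: when the two challenges collide modulo $q$ there is only one representation of $w_1$ and nothing can be extracted, which is why the proof's success bound carries the $1/q_{O_B}$ guessing factor rather than being exact.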

5. E-Cash Advanced Features and Performance Comparisons

In this section, we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and summarize the results in Table 1.

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these features, there can be other advanced features of an e-cash system discussed in the literature. We focus on three other advanced features, which are traceability, date attachability, and no-swindling, and we compare the proposed scheme with the aforementioned schemes.

We also propose an e-cash renewal protocol for users to exchange their unused but expired e-cash(s) for a new valid e-cash; therefore users do not have to deposit the e-cash before it expires and withdraw a new e-cash again. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% compared to the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. This is a great help to users, since their devices, such as smart phones, usually have weaker computation capability.


Table 1: Advanced features and performance comparisons.

Scheme  On/off-line  Conditional-   Date           No-        Renewal   Formal  Transaction cost (⋆)               Communication
                     traceability   attachability  swindling  protocol  proof                                      cost (bytes)
Ours    Off          Yes            Yes            Yes        Yes       Yes     5E + 7M + 7H + 1inv + 1A ≈ 1454M   1092
[38]    Off          Yes            No             No         —         Yes     14E + 14M + 1H + 5A ≈ 3375M        576
[14]    Off          No             No             No         Yes       No      6E + 8M ≈ 1448M                    1288
[15]    Off          Yes            No             No         —         Yes     23E + 14M + 1A ≈ 5534M             939
[9]     On           No             Yes            —          No        No      2E + 2M + 2H ≈ 966M                769
[21]    Off          Yes            Yes            No         Yes       No      5E + 9M + 1H + 1inv + 2A ≈ 1450M   644
[22]    Off          Yes            No             Yes        Yes       Yes     2E ≈ 480M                          300
[39]    Off          Yes            No             No         —         Yes     18E + 15M + 2H + 8A ≈ 4337M        828
[40]    Off          Yes            No             No         —         Yes     31E + 22M + 6H + 10A ≈ 7468M       968
[13]    On           Yes            No             —          —         Yes     22E + 11M + 4A ≈ 5291M             1536
[27]    Off          No             Yes            No         Yes       No      6E + 8M + 1H ≈ 1449M               728

Notes. According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ Transaction cost: the computation cost of the withdrawal and payment protocols at the user side.
Communication cost: the communication cost of each transaction at the user side, in bytes.

18 The Scientific World Journal

52 Performance Comparisons According to [41] we cansummarize and induce the computation cost of all operationsas followsThe computation cost of amodular exponentiationcomputation is about 240 times of the computation cost of amodular multiplication computation while the computationcost of a modular inversion almost equals to that of amodular exponentiation Also the computation cost of a hashoperation almost equals to that of a modular multiplication

With the above assumptions the total computation costof users during withdrawal and payment phases of ourproposed scheme can be induced as 1452 times of a modularmultiplication computation while other works [9 13ndash1521 22 27 38ndash40] need 3375 1448 5534 966 1450 4804337 7468 5291 and 1449 times of a modular multiplicationcomputation to finish withdrawal and payment phases at theuser ends

According to [15] we assume the RSAparameters 119899 119901 119902

are 1024 512 and 512 bits respectively We adopt AES andSHA-1 as the symmetric cryotsystem and one-way hashfunction used in all protocols respectively therefore thesigned message and hash massage are in 128 and 160 bitsrespectively We assume the expiration date is in 32 bits

With the above assumptions we compute the commu-nication cost of each offline transaction withdrawal andpayment at the user side Our scheme needs 2048 bits forwithdrawing an e-cash and 6688 bits for spending an e-cashwhich is 1092 bytes for each transaction

The details of the comparisons are summarized inTable 1

6 Conclusion

In this paper we have presented earlier a provably secureoffline electronic cash scheme with an expiration date anda deposit date attached to it Besides we have also designedan e-cash renewal protocol where users can exchange theirunused and expired e-cash(s) for new ones more efficientlyCompared with other similar works our scheme is efficientfrom the aspect of considering computation cost of the userside and satisfying all security properties simultaneouslyExcept for anonymity unlinkability unforgeability and nodouble-spending we also formally prove that our schemeachieves conditional-traceability and no-swindling Not onlydoes our scheme help the bank to manage their hugedatabases against unlimited growth but also it strengthensthe preservation of usersrsquo privacy and rights as well

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This work was partially supported by the National ScienceCouncil of Taiwan under Grants NSC 102-2219-E-110-002

NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001) and Aim for the Top University Plan of the NationalSun Yat-sen University and Ministry of Education Taiwan

References

[1] H Chen P P Y Lam H C B Chan T S Dillon J Cao and RS T Lee ldquoBusiness-to-consumer mobile agent-based internetcommerce system (MAGICS)rdquo IEEE Transactions on SystemsMan and Cybernetics C Applications and Reviews vol 37 no 6pp 1174ndash1189 2007

[2] S C Fan and Y L Lai ldquoA study on e-commerce applying inTaiwanrsquos restaurant franchiserdquo in Proceedings of the IET Interna-tional Conference on Frontier Computing Theory Technologiesand Applications pp 324ndash329 August 2010

[3] D R W Holton I Nafea M Younas and I Awan ldquoA class-based scheme for E-commerceweb servers formal specificationand performance evaluationrdquo Journal of Network and ComputerApplications vol 32 no 2 pp 455ndash460 2009

[4] Z Jie and X Hong ldquoE-commerce security policy analysisrdquo inProceedings of the International Conference on Electrical andControl Engineering (ICECE rsquo10) pp 2764ndash2766 June 2010

[5] D R Liuy andT FHwang ldquoAn agent-based approach to flexiblecommerce in intermediary-Centric electronicmarketsrdquo Journalof Network and Computer Applications vol 27 no 1 pp 33ndash482004

[6] S J Lin and D C Liu ldquoAn incentive-based electronic paymentscheme for digital content transactions over the InternetrdquoJournal of Network and Computer Applications vol 32 no 3pp 589ndash598 2009

[7] H Wang Y Zhang J Cao and V Varadharajan ldquoAchievingSecure and FlexibleM-Services throughTicketsrdquo IEEETransac-tions on Systems Man and Cybernetics ASystems and Humansvol 33 no 6 pp 697ndash708 2003

[8] C Yue and H Wang ldquoProfit-aware overload protection inE-commerce Web sitesrdquo Journal of Network and ComputerApplications vol 32 no 2 pp 347ndash356 2009

[9] C C Chang and Y P Lai ldquoA flexible date-attachment schemeon e-cashrdquo Computers and Security vol 22 no 2 pp 160ndash1662003

[10] C L Chen and J J Liao ldquoA fair online payment system fordigital content via subliminal channelrdquo Electronic CommerceResearch and Applications vol 10 no 3 pp 279ndash287 2011

[11] C I Fan W K Chen and Y S Yeh ldquoDate attachable electroniccashrdquo Computer Communications vol 23 no 4 pp 425ndash4282000

[12] C I Fan and W Z Sun ldquoEfficient encoding scheme for dateattachable electronic cashrdquo in Proceedings of the 24th Workshopon Combinatorial Mathematics and Computation Theory pp405ndash410 2007

[13] T Nakanishi M Shiota and Y Sugiyama ldquoAn efficient onlineelectronic cash with unlinkable exact paymentsrdquo InformationSecurity vol 3225 pp 367ndash378 2004

[14] Y Baseri B Takhtaei and J Mohajeri ldquoSecure untraceable off-line electronic cash systemrdquo Scientia Iranica vol 20 pp 637ndash646 2012

[15] J Camenisch SHohenberger andA Lysyanskaya ldquoCompact e-cashrdquo inProceedings of the 24thAnnual International Conferenceon the Theory and Applications of Cryptographic TechniquesAdvances in Cryptology (EUROCRYPT rsquo05) pp 302ndash321 May2005

The Scientific World Journal 19



Figure 9: The proof model of SWG-1.

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{O_B})\epsilon_{\mathcal{A}}$, where $q_{O_B}$ is the total number of $O_B$ queries.

The simulation for $\mathrm{Exp}^{\mathrm{SWG\text{-}2}}_{\mathcal{A}}$ is illustrated in Figure 10, and each oracle is constructed as follows.

(i) Oracle $O_B$. Initially, $S$ guesses that the generic e-cash produced from the $\nu$-th query will be the attack target. When $\mathcal{A}$ sends the $i$-th query to $O_B$ for an e-cash, $O_B$ will do the following:

(a) if $i = \nu$:
(1) select $s', u, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $y_1 = (y^*)^{x_1} \bmod p$ and $w_1 = y_1^{u} g^{s'} \bmod p$;
(3) prepare $s = ((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D))^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (u, s'))$ in list $\mathcal{L}_B$;

(b) if $i \neq \nu$:
(1) select $r_1, x_1, r_3 \in_R \mathbb{Z}_q$ and $y_2, w_2 \in_R \mathbb{Z}_p$;
(2) compute $w_1 = g^{r_1} \bmod p$ and $y_1 = g^{x_1} \bmod p$;
(3) prepare $s = ((H_1^2(m)\, H_3(\sigma, D))^{-1} H_2(D))^{d_b} \bmod n_b$, where $m = (w_1, y_1, w_2, y_2, r_3, D)$;
(4) record $(i, (s, m, \sigma, D), (r_1, x_1))$ in list $\mathcal{L}_B$;

(c) return $(s, m, \sigma, D)$ to $\mathcal{A}$.

(ii) Oracle $O_{\mathrm{off}}$. A status parameter sta is initialized to 0. When $\mathcal{A}$ sends a valid e-cash tuple $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_s)$ to $O_{\mathrm{off}}$, it will look up the list $\mathcal{L}_B$:

(a) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\nu$ and sta $= 0$, $O_{\mathrm{off}}$ will perform the following procedures:
(1) set sta $= 1$;
(2) retrieve the corresponding $(u, s')$ from $\mathcal{L}_B$ and choose a random $r_u$;
(3) set $H_4(r_u, r_s) = u$ and record $((r_u, r_s), u)$ in $\mathcal{L}_H$;
(4) record $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ in list $\mathcal{L}_{\mathrm{off}}$;
(5) send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;

(b) if $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D)$ exists with prefix index $\neq \nu$, $O_{\mathrm{off}}$ will retrieve the corresponding $(r_1, x_1)$, choose random $r_u$ and $u$, set $H_4(r_u, r_s) = u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, compute $s' = r_1 - u x_1 \bmod q$, and send $(s, w_1, y_1, w_2, y_2, r_3, \sigma, D, r_u, r_s, s')$ back to $\mathcal{A}$;

(c) otherwise, abort.

(iii) Oracle $O_{H_4}$. When $\mathcal{A}$ sends $(r_u, r_s)$ to query for $H_4(r_u, r_s)$, $O_{H_4}$ will check the list $\mathcal{L}_H$:

(a) if $(r_u, r_s)$ exists as the prefix of some record, $O_{H_4}$ will retrieve the corresponding $u$ and return it to $\mathcal{A}$;

(b) otherwise, $O_{H_4}$ will choose a random $u$, record $((r_u, r_s), u)$ in $\mathcal{L}_H$, and return $u$ to $\mathcal{A}$.

Figure 10: The proof model of SWG-2.

Assume that $\mathcal{A}$ can successfully output a valid offline e-cash expansion tuple $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*, r_u^*, r_s^*, s'^*)$, where $(s^*, w_1^*, y_1^*, w_2^*, y_2^*, r_3^*, \sigma^*, D^*)$ is prefixed with $\nu$ and postfixed with $(u, s')$ in $\mathcal{L}_B$, and $H_4(r_u^*, r_s^*) = u^*$ via $\mathcal{L}_H$. Then, since

$$(y^{*x_1^*})^{u^*} g^{s'^*} \equiv (y_1^*)^{H_4(r_u^*, r_s^*)} g^{s'^*} \equiv w_1^* \equiv (y^{*x_1^*})^{u} g^{s'} \pmod p, \quad (25)$$

$S$ can derive

$$x^* = \left(x_1^*(u^* - u)\right)^{-1} (s' - s'^*) \bmod q \quad (26)$$

and solve the discrete logarithm problem with nonnegligible probability at least $(1/q_{O_B})\epsilon_{\mathcal{A}}$, where $q_{O_B}$ is the total number of $O_B$ queries.

Summarizing the proof models for the two experiments shown above: if there exists a polynomial-time adversary who can win the swindling game with nonnegligible probability, then there exists another one who can solve the discrete logarithm problem with nonnegligible probability. This implies that there exists no PPT adversary who can win the swindling game, and our proposed offline e-cash scheme DAOECS satisfies the no-swindling property.
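The extraction step of the SWG-2 reduction, carried through on a toy group as an added example (this is not code from the paper): the simulator's $O_B$ embeds the discrete-log instance $y^*$ into the target e-cash exactly as in step (a)(2) above, both openings are checked against the relation $w_1 = y_1^{H_4(r_u, r_s)} g^{s'} \pmod p$, and once the adversary has produced a second opening $(u^*, s'^*)$ of the same $w_1$ under a different $H_4$ value, eq. (26) recovers $x^*$. The group parameters (p = 1019, q = 509, g = 4) and all numeric inputs are constructed for illustration and far too small to be secure; `second_opening_with_secret` is an assumption of the demo that stands in for a winning adversary, since it uses $x^*$, which a real adversary and the simulator never have.

```python
"""Toy walk-through of the extraction step in the SWG-2 reduction (eq. (26)).

Constructed example for illustration, not code from the paper. The group is
tiny and insecure on purpose so every value can be checked by hand.
"""

# Toy Schnorr-style group: p = 2q + 1 with q prime, G of prime order q.
P = 1019  # constructed: 1019 = 2 * 509 + 1 (prime)
Q = 509   # prime order of the subgroup generated by G
G = 4     # 4 = 2^2 is a quadratic residue mod 1019, hence ord(G) = Q


def modinv(a: int, m: int) -> int:
    """Modular inverse; raises ValueError when gcd(a, m) != 1."""
    return pow(a, -1, m)


def simulate_target_cash(y_star: int, x1: int, u: int, s_prime: int):
    """O_B on the guessed query nu, step (a)(2): y1 = (y*)^{x1},
    w1 = y1^u g^{s'} (mod p). The simulator stores (x1, u, s') in its lists
    L_B / L_off; it never learns x* = log_g(y*)."""
    y1 = pow(y_star, x1, P)
    w1 = (pow(y1, u, P) * pow(G, s_prime, P)) % P
    return y1, w1


def opening_is_valid(y1: int, w1: int, u: int, s_prime: int) -> bool:
    """The verification relation w1 = y1^{H4(r_u, r_s)} g^{s'} (mod p),
    with u standing for the random-oracle value H4(r_u, r_s)."""
    return w1 == (pow(y1, u, P) * pow(G, s_prime, P)) % P


def extract_dlog(x1: int, u: int, s_prime: int,
                 u_star: int, s_prime_star: int) -> int:
    """Eq. (26): x* = (x1 (u* - u))^{-1} (s' - s'*) mod q.
    Needs u* != u, i.e. the adversary's opening must be bound to a different
    H4 output; a colliding u would make the denominator zero."""
    denom = (x1 * (u_star - u)) % Q
    if denom == 0:
        raise ValueError("no fork: u* == u, extraction impossible")
    return (modinv(denom, Q) * (s_prime - s_prime_star)) % Q


def second_opening_with_secret(x_star: int, x1: int, u: int,
                               s_prime: int, u_star: int) -> int:
    """Stand-in for a winning adversary (assumption of this demo). Since
    w1 = g^{x* x1 u + s'}, the value s'* = x* x1 (u - u*) + s' (mod q) opens
    the same w1 under u*; producing it without x* is the hard problem."""
    return (x_star * x1 * (u - u_star) + s_prime) % Q


def run_reduction_demo(x_star: int = 123, x1: int = 77, u: int = 45,
                       s_prime: int = 200, u_star: int = 301) -> dict:
    """Run the whole reduction on constructed values and report the result."""
    y_star = pow(G, x_star, P)  # the discrete-log challenge handed to S
    y1, w1 = simulate_target_cash(y_star, x1, u, s_prime)
    s_prime_star = second_opening_with_secret(x_star, x1, u, s_prime, u_star)
    # Both openings of the same e-cash must pass the payment-side check.
    forked = opening_is_valid(y1, w1, u, s_prime) and \
        opening_is_valid(y1, w1, u_star, s_prime_star)
    recovered = extract_dlog(x1, u, s_prime, u_star, s_prime_star)
    return {
        "forked": forked,
        "s_prime_star": s_prime_star,
        "recovered": recovered,
        "solved": pow(G, recovered, P) == y_star,
    }


if __name__ == "__main__":
    print(run_reduction_demo())
```

The `denom == 0` branch is the reason the proof needs $u^* \neq u$: if the adversary's tuple reused the same $H_4$ output, both openings would be the one the simulator itself programmed and nothing about $x^*$ would be learned, which is why $O_{\mathrm{off}}$ answers the target query only once (sta) and the second value comes from the random oracle.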

5. E-Cash Advanced Features and Performance Comparisons

In this section, we compare the e-cash features and performance of our proposed scheme with the other schemes given in [9, 13–15, 21, 22, 27, 38–40]. We analyze the features and performance of the aforementioned schemes and summarize them in a table (Table 1).

5.1. Features Comparisons. All the schemes mentioned above fulfill the basic security requirements stated in Section 1, which are anonymity, unlinkability, unforgeability, and no double-spending. Besides these, other advanced features of an e-cash system are discussed in the literature. We focus on three further advanced features, namely traceability, date attachability, and no-swindling, and compare the proposed scheme with the aforementioned schemes on them.

We also propose an e-cash renewal protocol that lets users exchange their unused but expired e-cash(s) for a new valid e-cash, so users do not have to deposit the e-cash before it expires and then withdraw a new one. Our proposed e-cash renewal protocol reduces the computation cost by 49.5% compared with the withdrawal and deposit protocols, which is almost half of the effort of getting a new e-cash at the user side. This is a great help to users, since their devices, such as smartphones, usually have weaker computation capability.

Table 1: Advanced features and performance comparisons.

Advanced features         | Ours | [38] | [14] | [15] | [9] | [21] | [22] | [39] | [40] | [13] | [27]
On/off-line               | Off  | Off  | Off  | Off  | On  | Off  | Off  | Off  | Off  | On   | Off
Conditional-traceability  | Yes  | Yes  | No   | Yes  | No  | Yes  | Yes  | Yes  | Yes  | Yes  | No
Date attachability        | Yes  | No   | No   | No   | Yes | Yes  | No   | No   | No   | No   | Yes
No-swindling              | Yes  | No   | No   | No   | —   | No   | Yes  | No   | No   | —    | No
Renewal protocol          | Yes  | —    | Yes  | —    | No  | Yes  | Yes  | —    | —    | —    | Yes
Formal proof              | Yes  | Yes  | No   | Yes  | No  | No   | Yes  | Yes  | Yes  | Yes  | No

Performance  | Transaction cost⋆                    | Communication cost† (bytes)
Ours         | 5E + 7M + 7H + 1inv + 1A ≈ 1454M     | 1092
[38]         | 14E + 14M + 1H + 5A ≈ 3375M          | 576
[14]         | 6E + 8M ≈ 1448M                      | 1288
[15]         | 23E + 14M + 1A ≈ 5534M               | 939
[9]          | 2E + 2M + 2H ≈ 966M                  | 769
[21]         | 5E + 9M + 1H + 1inv + 2A ≈ 1450M     | 644
[22]         | 2E ≈ 480M                            | 300
[39]         | 18E + 15M + 2H + 8A ≈ 4337M          | 828
[40]         | 31E + 22M + 6H + 10A ≈ 7468M         | 968
[13]         | 22E + 11M + 4A ≈ 5291M               | 1536
[27]         | 6E + 8M + 1H ≈ 1449M                 | 728

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
† The communication cost of each transaction at the user side, in bytes.

5.2. Performance Comparisons. According to [41], we can summarize the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times that of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.

With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be induced as 1452 times the cost of a modular multiplication, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times the cost of a modular multiplication, respectively, to finish the withdrawal and payment phases at the user end.

According to [15], we assume the RSA parameters $n$, $p$, $q$ are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and one-way hash function used in all protocols, respectively; therefore the signed message and hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.

The details of the comparisons are summarized in Table 1.

6. Conclusion

In this paper, we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol where users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient in terms of the computation cost at the user side while satisfying all security properties simultaneously. In addition to anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank manage its huge databases against unlimited growth, but it also strengthens the preservation of users' privacy and rights.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grants NSC 102-2219-E-110-002, NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.

References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.

[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.

[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.

[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.

[5] D. R. Liuy and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.

[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.

[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.

[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.

[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.

[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.

[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.

[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.

[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.

[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.


[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.

[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.

[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.

[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology: CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.

[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.

[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.

[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.

[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.

[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.

[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.

[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.

[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology: CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.

[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.

[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.

[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.

[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.

[34] S. Bajikar, "Trusted platform module (TPM) based security on notebook PCs," white paper, Mobile Platform Group, Intel Corporation, 2002.

[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.

[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.

[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.

[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.

[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.

[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.

[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.


16 The Scientific World Journal

119978off

i = - y1 = (ylowast)x1 mod p- w1 = yu1 g

s998400 mod p

index sta = 0

- Set sta = 1119964

119982

(request i)

(s w1 y1 w2 y2 r3 120590 D)

(s w1 y1 w2 y2 r3 120590 D rs)(s w1 y1 w2 y2 r3 120590 D rs ru s

998400)

119978ℬ

- Set H4(ru rs) = u store in ℒH

u

u 119978H4

Swindle

(slowast wlowast1 y

lowast1 w

lowast2 y

lowast2 r

lowast3 120590

lowast Dlowast rlowasts r

lowastu s

998400lowast)

- Record in ℒoff

(ru rs)

equiv H2(Dlowast) (mod nb)slowaste119887H21 (wlowast1 ylowast1 wlowast

2 ylowast2 D

lowast rlowast3 )H3(120590lowast Dlowast)wlowast1 = y

lowastH4(rlowast119906 rlowast119904 )

1 gs998400lowast

mod p

gs998400lowast

equiv wlowast1 equiv (ylowastxlowast1 gs

998400

(mod p)(ylowastxlowast1 )ulowast gs998400lowast equiv (ylowast1 )H4(rlowast119906 r

lowast119904 )

u)rarr xlowast = (xlowast1 (ulowast minus u) (s998400 minus s998400lowast) mod q)minus1

Figure 10 The proof model of SWG-2

(b) otherwise O1198674

will choose a random 119906 record((119903

119906 119903

119904) 119906) inL

119867 and return 119906 toA

Assume thatA can successfully output a valid offline e-cashexpansion tuple (119904

lowast 119908lowast

1 119910lowast

1 119908lowast

2 119910lowast

2 119903lowast

3 120590lowast 119863lowast 119903lowast

119906 119903lowast

119904 1199041015840lowast)

where (119904lowast 119908lowast

1 119910lowast

1 119908lowast

2 119910lowast

2 119903lowast3 120590lowast 119863lowast

) is prefixed with ] andpostfixed with (119906 119904

1015840

) inLB and1198674(119903lowast

119906 119903

lowast

119904) = 119906

Then viaLH since

(119910lowast119909lowast

1 )119906lowast

1198921199041015840lowast

equiv (119910lowast

1)1198674(119903lowast

119906119903lowast

119904)

1198921199041015840lowast

equiv 119908lowast

1

equiv (119910lowast119909lowast

1 )119906

1198921199041015840

(mod119901) (25)

S can derive

119909lowast

= (119909lowast

1(119906

lowast

minus 119906))minus1

(1199041015840

minus 1199041015840lowast

) mod 119902 (26)

and solve the discrete logarithm problem with nonnegligibleprobability at least (1119902O119861)120598A where 119902O119861

is the total numberof O

119861query

Summarize the proof models for the two experimentsshown above if there exists a polynomial-time adversary whocan win the swindling game with nonnegligible probabilitythen there exists another one who can solve the discretelogarithm problem with nonnegligible probability It impliesthat there exists no ppt adversarywho canwin the swindlinggame and our proposed offline e-cash scheme DAOECSsatisfies no-swindling property

5 E-Cash Advanced Features andPerformance Comparisons

In this section we compare the e-cash features and perfor-mance of our proposed scheme with other schemes givenin [9 13ndash15 21 22 27 38ndash40] We analyze the features andperformance of the aforementioned schemes and form a table(Table 1) for the summary

51 Features Comparisons All the schemes mentioned abovefulfill the basic security requirements stated in Section 1which are anonymity unlinkability unforgeability and nodouble-spending Besides these features there can be otheradvanced features on an e-cash system discussed in theliteratures We focus on three other advanced features whichare traceability date attachability and no-swindling andwe compare the proposed scheme with the aforementionedschemes

We also propose an e-cash renewal protocol for users toexchange a new valid e-cash with their unused but expirede-cash(s) therefore users do not have to deposit the e-cashbefore it expires and withdraw a new e-cash again Our pro-posed e-cash renewal protocol reduces the computation costby 495 as compared to withdrawal and deposit protocolswhich is almost half of the effort of getting a new e-cash at theuser side It does a great help to the users since their devicesusually have a weaker computation capability such as smartphones

The Scientific World Journal 17

Table 1: Advanced features and performance comparisons.

| Advanced features | Ours | [38] | [14] | [15] | [9] | [21] | [22] | [39] | [40] | [13] | [27] |
|---|---|---|---|---|---|---|---|---|---|---|---|
| On/off-line | Off | Off | Off | Off | On | Off | Off | Off | Off | On | Off |
| Conditional-traceability | Yes | Yes | No | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
| Date attachability | Yes | No | No | No | Yes | Yes | No | No | No | No | Yes |
| No-swindling | Yes | No | No | No | — | No | Yes | No | No | — | No |
| Renewal protocol | Yes | — | Yes | — | No | Yes | Yes | — | — | — | Yes |
| Formal proof | Yes | Yes | No | Yes | No | No | Yes | Yes | Yes | Yes | No |

| Performance | Transaction cost⋆ | Communication cost (bytes) |
|---|---|---|
| Ours | 5E + 7M + 7H + 1inv + 1A ≈ 1454M | 1092 |
| [38] | 14E + 14M + 1H + 5A ≈ 3375M | 576 |
| [14] | 6E + 8M ≈ 1448M | 1288 |
| [15] | 23E + 14M + 1A ≈ 5534M | 939 |
| [9] | 2E + 2M + 2H ≈ 966M | 769 |
| [21] | 5E + 9M + 1H + 1inv + 2A ≈ 1450M | 644 |
| [22] | 2E ≈ 480M | 300 |
| [39] | 18E + 15M + 2H + 8A ≈ 4337M | 828 |
| [40] | 31E + 22M + 6H + 10A ≈ 7468M | 968 |
| [13] | 22E + 11M + 4A ≈ 5291M | 1536 |
| [27] | 6E + 8M + 1H ≈ 1449M | 728 |

According to [41], H ≈ M and E ≈ inv ≈ 240M. E: a modular exponentiation; M: a modular multiplication; H: a hash operation; zkp: a zero-knowledge proof; A: a modular addition; inv: a modular inversion.
⋆ The computation cost of the withdrawal and payment protocols at the user side.
Communication cost: the communication cost of each transaction at the user side, in bytes.


5.2. Performance Comparisons. According to [41], we can summarize the computation cost of all operations as follows. The computation cost of a modular exponentiation is about 240 times that of a modular multiplication, while the computation cost of a modular inversion almost equals that of a modular exponentiation. Also, the computation cost of a hash operation almost equals that of a modular multiplication.

With the above assumptions, the total computation cost of users during the withdrawal and payment phases of our proposed scheme can be induced as 1452 times that of a modular multiplication, while the other works [9, 13–15, 21, 22, 27, 38–40] need 3375, 1448, 5534, 966, 1450, 480, 4337, 7468, 5291, and 1449 times that of a modular multiplication to finish the withdrawal and payment phases at the user end.

According to [15], we assume the RSA parameters n, p, q are 1024, 512, and 512 bits, respectively. We adopt AES and SHA-1 as the symmetric cryptosystem and the one-way hash function used in all protocols, respectively; therefore the signed message and the hash message are 128 and 160 bits, respectively. We assume the expiration date is 32 bits.

With the above assumptions, we compute the communication cost of each offline transaction (withdrawal and payment) at the user side. Our scheme needs 2048 bits for withdrawing an e-cash and 6688 bits for spending an e-cash, which is 1092 bytes for each transaction.

The details of the comparisons are summarized in Table 1.
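As an added check on the cost model used in Section 5.2 and Table 1 (editor-supplied Python, not code from the paper), the script below evaluates each operation-count expression printed in the table under the unit costs the paper takes from [41] and compares the result with the printed total; it also converts the paper's withdrawal and payment bit counts to the per-transaction byte figure. Assumptions: E = inv = 240 M and H = 1 M as stated in the text; a modular addition A is weighted 0 M, which is an assumption made here because it is the only weight under which the printed totals reproduce.

```python
"""Cost-model check for Table 1 (added example; unit costs from the paper's reading of [41])."""
import re

# Unit costs in multiples of one modular multiplication (M).
# E = inv = 240 M and H = 1 M are the paper's figures; A = 0 M is an
# assumption: only with additions treated as negligible do the printed totals reproduce.
UNIT_COST_M = {"E": 240, "inv": 240, "M": 1, "H": 1, "A": 0}

# Transaction-cost column of Table 1 (user side, withdrawal + payment), as printed:
# (scheme, operation-count expression, printed total in M).
TABLE1 = [
    ("Ours", "5E+7M+7H+1inv+1A", 1454),
    ("[38]", "14E+14M+1H+5A", 3375),
    ("[14]", "6E+8M", 1448),
    ("[15]", "23E+14M+1A", 5534),
    ("[9]", "2E+2M+2H", 966),
    ("[21]", "5E+9M+1H+1inv+2A", 1450),
    ("[22]", "2E", 480),
    ("[39]", "18E+15M+2H+8A", 4337),
    ("[40]", "31E+22M+6H+10A", 7468),
    ("[13]", "22E+11M+4A", 5291),
    ("[27]", "6E+8M+1H", 1449),
]

_TERM = re.compile(r"^(\d+)(inv|E|M|H|A)$")


def parse_cost(expr: str) -> dict:
    """Turn '5E+7M+1inv' into {'E': 5, 'M': 7, 'inv': 1}; reject unknown operation symbols."""
    counts: dict = {}
    for term in expr.replace(" ", "").split("+"):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unrecognised cost term {term!r} in {expr!r}")
        n, op = int(m.group(1)), m.group(2)
        counts[op] = counts.get(op, 0) + n
    return counts


def cost_in_mults(expr: str, weights=UNIT_COST_M) -> int:
    """Evaluate an operation-count expression in units of modular multiplications."""
    return sum(n * weights[op] for op, n in parse_cost(expr).items())


def check_table(rows=TABLE1) -> dict:
    """Return {scheme: (modelled total, printed total)} for rows that do not reproduce."""
    return {
        name: (cost_in_mults(expr), printed)
        for name, expr, printed in rows
        if cost_in_mults(expr) != printed
    }


def comm_cost_bytes(withdraw_bits: int, pay_bits: int) -> int:
    """Per-transaction communication cost at the user side, summed the way the paper does."""
    total_bits = withdraw_bits + pay_bits
    if total_bits % 8:
        raise ValueError("bit count is not byte-aligned")
    return total_bits // 8


if __name__ == "__main__":
    for name, expr, printed in TABLE1:
        print(f"{name:5s} {expr:20s} -> {cost_in_mults(expr):5d} M (printed {printed})")
    print("rows that do not reproduce:", check_table())
    print("Ours, bytes per transaction:", comm_cost_bytes(2048, 6688))
```

Running it shows that every row except [9] reproduces its printed total under this model; the [9] expression 2E + 2M + 2H evaluates to 484 M against the printed 966 M, so that entry should be re-derived from [9] before being relied on. The communication figure reproduces exactly: (2048 + 6688) / 8 = 1092 bytes.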

6. Conclusion

In this paper, we have presented a provably secure offline electronic cash scheme with an expiration date and a deposit date attached to it. Besides, we have also designed an e-cash renewal protocol by which users can exchange their unused and expired e-cash(s) for new ones more efficiently. Compared with other similar works, our scheme is efficient in terms of the computation cost at the user side while satisfying all security properties simultaneously. In addition to anonymity, unlinkability, unforgeability, and no double-spending, we also formally prove that our scheme achieves conditional-traceability and no-swindling. Not only does our scheme help the bank manage its huge databases against unlimited growth, but it also strengthens the preservation of users' privacy and rights.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was partially supported by the National Science Council of Taiwan under Grant NSC 102-2219-E-110-002, the NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001), and the Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.

References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.

[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.

[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.

[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.

[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.

[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.

[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.

[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.

[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.

[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.

[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.

[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.

[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.

[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.


[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.

[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.

[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.

[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology: CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.

[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.

[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.

[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.

[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.

[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.

[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.

[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.

[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology: CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.

[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.

[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.

[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.

[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.

[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs: White Paper, Mobile Platform Group, Intel Corporation, 2002.

[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.

[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.

[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.

[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," CRYPTO, pp. 302–318, 1993.

[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.

[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.

[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

The Scientific World Journal 17

Table1Ad

vanced

featuresandperfo

rmance

comparison

s

Ours

[38]

[14]

[15]

[9]

[21]

[22]

[39]

[40]

[13]

[27]

Advanced

features

Onoff

-line

Off

Off

Off

Off

On

Off

Off

Off

Off

On

Off

Con

ditio

nal-

traceability

Yes

Yes

No

Yes

No

Yes

Yes

Yes

Yes

Yes

No

Datea

ttachability

Yes

No

No

No

Yes

Yes

No

No

No

No

Yes

No-sw

indling

Yes

No

No

No

mdashNo

Yes

No

No

mdashNo

Renewalprotocol

Yes

mdashYes

mdashNo

Yes

Yes

mdashmdash

mdashYes

Form

alproof

Yes

Yes

No

Yes

No

No

Yes

Yes

Yes

Yes

No

Perfo

rmance

Transactioncost⋆

5119864

+7119872

+7119867

+1inv

+1119860

asymp1454119872

14119864

+14119872

+1119867

+5119860

asymp3375119872

6119864

+8119872

asymp1448119872

23119864

+14119872

+1119860

asymp5534119872

2119864

+2119872

+2119867

asymp966119872

5119864

+9119872

+1119867

+1inv

+2119860

asymp1450119872

2119864

asymp480119872

18119864

+15119872

+2119867

+8119860

asymp4337119872

31119864

+22119872

+6119867

+10119860

asymp7468119872

22119864

+11119872

+4119860

asymp5291119872

6119864

+8119872

+1119867

asymp1449119872

Com

mun

ication

cost

1092

576

1288

939

769

644

300

828

968

1536

728

Accordingto

[41]119867

asymp119872119864asympinvasymp240119872

119864a

mod

ular

expo

nentiatio

n119872a

mod

ular

multip

lication119867a

hash

operationzkpaz

ero-kn

owledgep

roof

119860a

mod

ular

additio

ninvam

odular

inversion

Thec

ompu

tatio

ncostofwith

draw

alandpaym

entp

rotocolsatuser

side

Thec

ommun

icationcostofeach

transactionatuser

sideinbytes

18 The Scientific World Journal

52 Performance Comparisons According to [41] we cansummarize and induce the computation cost of all operationsas followsThe computation cost of amodular exponentiationcomputation is about 240 times of the computation cost of amodular multiplication computation while the computationcost of a modular inversion almost equals to that of amodular exponentiation Also the computation cost of a hashoperation almost equals to that of a modular multiplication

With the above assumptions the total computation costof users during withdrawal and payment phases of ourproposed scheme can be induced as 1452 times of a modularmultiplication computation while other works [9 13ndash1521 22 27 38ndash40] need 3375 1448 5534 966 1450 4804337 7468 5291 and 1449 times of a modular multiplicationcomputation to finish withdrawal and payment phases at theuser ends

According to [15] we assume the RSAparameters 119899 119901 119902

are 1024 512 and 512 bits respectively We adopt AES andSHA-1 as the symmetric cryotsystem and one-way hashfunction used in all protocols respectively therefore thesigned message and hash massage are in 128 and 160 bitsrespectively We assume the expiration date is in 32 bits

With the above assumptions we compute the commu-nication cost of each offline transaction withdrawal andpayment at the user side Our scheme needs 2048 bits forwithdrawing an e-cash and 6688 bits for spending an e-cashwhich is 1092 bytes for each transaction

The details of the comparisons are summarized inTable 1

6 Conclusion

In this paper we have presented earlier a provably secureoffline electronic cash scheme with an expiration date anda deposit date attached to it Besides we have also designedan e-cash renewal protocol where users can exchange theirunused and expired e-cash(s) for new ones more efficientlyCompared with other similar works our scheme is efficientfrom the aspect of considering computation cost of the userside and satisfying all security properties simultaneouslyExcept for anonymity unlinkability unforgeability and nodouble-spending we also formally prove that our schemeachieves conditional-traceability and no-swindling Not onlydoes our scheme help the bank to manage their hugedatabases against unlimited growth but also it strengthensthe preservation of usersrsquo privacy and rights as well

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This work was partially supported by the National ScienceCouncil of Taiwan under Grants NSC 102-2219-E-110-002

NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001) and Aim for the Top University Plan of the NationalSun Yat-sen University and Ministry of Education Taiwan

References

[1] H Chen P P Y Lam H C B Chan T S Dillon J Cao and RS T Lee ldquoBusiness-to-consumer mobile agent-based internetcommerce system (MAGICS)rdquo IEEE Transactions on SystemsMan and Cybernetics C Applications and Reviews vol 37 no 6pp 1174ndash1189 2007

[2] S C Fan and Y L Lai ldquoA study on e-commerce applying inTaiwanrsquos restaurant franchiserdquo in Proceedings of the IET Interna-tional Conference on Frontier Computing Theory Technologiesand Applications pp 324ndash329 August 2010

[3] D R W Holton I Nafea M Younas and I Awan ldquoA class-based scheme for E-commerceweb servers formal specificationand performance evaluationrdquo Journal of Network and ComputerApplications vol 32 no 2 pp 455ndash460 2009

[4] Z Jie and X Hong ldquoE-commerce security policy analysisrdquo inProceedings of the International Conference on Electrical andControl Engineering (ICECE rsquo10) pp 2764ndash2766 June 2010

[5] D R Liuy andT FHwang ldquoAn agent-based approach to flexiblecommerce in intermediary-Centric electronicmarketsrdquo Journalof Network and Computer Applications vol 27 no 1 pp 33ndash482004

[6] S J Lin and D C Liu ldquoAn incentive-based electronic paymentscheme for digital content transactions over the InternetrdquoJournal of Network and Computer Applications vol 32 no 3pp 589ndash598 2009

[7] H Wang Y Zhang J Cao and V Varadharajan ldquoAchievingSecure and FlexibleM-Services throughTicketsrdquo IEEETransac-tions on Systems Man and Cybernetics ASystems and Humansvol 33 no 6 pp 697ndash708 2003

[8] C Yue and H Wang ldquoProfit-aware overload protection inE-commerce Web sitesrdquo Journal of Network and ComputerApplications vol 32 no 2 pp 347ndash356 2009

[9] C C Chang and Y P Lai ldquoA flexible date-attachment schemeon e-cashrdquo Computers and Security vol 22 no 2 pp 160ndash1662003

[10] C L Chen and J J Liao ldquoA fair online payment system fordigital content via subliminal channelrdquo Electronic CommerceResearch and Applications vol 10 no 3 pp 279ndash287 2011

[11] C I Fan W K Chen and Y S Yeh ldquoDate attachable electroniccashrdquo Computer Communications vol 23 no 4 pp 425ndash4282000

[12] C I Fan and W Z Sun ldquoEfficient encoding scheme for dateattachable electronic cashrdquo in Proceedings of the 24th Workshopon Combinatorial Mathematics and Computation Theory pp405ndash410 2007

[13] T Nakanishi M Shiota and Y Sugiyama ldquoAn efficient onlineelectronic cash with unlinkable exact paymentsrdquo InformationSecurity vol 3225 pp 367ndash378 2004

[14] Y Baseri B Takhtaei and J Mohajeri ldquoSecure untraceable off-line electronic cash systemrdquo Scientia Iranica vol 20 pp 637ndash646 2012

[15] J Camenisch SHohenberger andA Lysyanskaya ldquoCompact e-cashrdquo inProceedings of the 24thAnnual International Conferenceon the Theory and Applications of Cryptographic TechniquesAdvances in Cryptology (EUROCRYPT rsquo05) pp 302ndash321 May2005

The Scientific World Journal 19

[16] J Camenisch S Hohenberger and A Lysyanskaya ldquoBalancingaccountability and privacy using E-cashrdquo in Security and Cryp-tography for Networks vol 4116 of Lecture Notes in ComputerScience pp 141ndash155 2006

[17] J Camenisch A Lysyanskaya and M Meyerovich ldquoEndorsede-cashrdquo in Proceedings of the IEEE Symposium on Security andPrivacy pp 101ndash115 May 2007

[18] S Canard A Gouget and J Traore ldquoImprovement of efficiencyin (unconditional) anonymous transferable E-cashrdquo in Finan-cial Cryptography and Data Security vol 5143 of Lecture Notesin Computer Science pp 202ndash214 2008

[19] D Chaum A Fiat and M Naor ldquoUntraceable electroniccashrdquo in Advances in Cryptology-CRYPTO rsquo88 vol 403 ofLecture Notes in Computer Science pp 319ndash327 Springer BerlinGermany 1990

[20] G Davida Y Frankel Y Tsiounis and M Yung ldquoAnonymitycontrol in E-cash systemsrdquo in Proceedings of the First Interna-tional Conference on Financial Cryptography pp 1ndash16 1997

[21] Z Eslami and M Talebi ldquoA new untraceable off-line electroniccash systemrdquo Electronic Commerce Research and Applicationsvol 10 no 1 pp 59ndash66 2011

[22] C I Fan V S M Huang and Y C Yu ldquoUser efficient recov-erable off-line e-cash scheme with fast anonymity revokingrdquoMathematical and Computer Modelling vol 58 pp 227ndash2372013

[23] X Hou and C H Tan ldquoFair traceable off-line electronic cash inwallets with observersrdquo in Proceedings of the 6th InternationalConference on Advanced Communication Technology pp 595ndash599 February 2004

[24] X Hou and C H Tan ldquoA new electronic cash modelrdquo inProceedings of the International Conference on InformationTechnology Coding and Computing pp 374ndash379 April 2005

[25] W S Juang ldquoA practical anonymous off-line multi-authoritypayment schemerdquo Electronic Commerce Research and Applica-tions vol 4 no 3 pp 240ndash249 2005

[26] J K Liu V K Wei and S H Wong ldquoRecoverable anduntraceable e-cashrdquo in International Conference on Trends inCommunications (EUROCON rsquo01) vol 1 pp 132ndash135 2001

[27] C Wang H Sun H Zhang and Z Jin ldquoAn improved off-lineelectronic cash schemerdquo in Proceedings of the 5th InternationalConference on Computational and Information Sciences (ICCISrsquo13) pp 438ndash441 2013

[28] W S Juang ldquoD-cash a flexible pre-paid e-cash scheme for date-attachmentrdquo Electronic Commerce Research and Applicationsvol 6 no 1 pp 74ndash80 2007

[29] D Chaum ldquoBlind signatures for untraceable paymentsrdquo inAdvances in Cryptology-CRYPTO rsquo82 Lecture Notes in Com-puter Science pp 199ndash203 Springer Berlin Germany 1983

[30] H Krawczyk and T Rabin ldquoChameleon signaturesrdquo in Proceed-ings of the Network and Distributed System Security Symposium(NDSS rsquo00) pp 143ndash154 2000

[31] S Pearson Trusted Computing Platforms TCPA Technology inContext Prentice Hall New York NY USA 2002

[32] S Pearson ldquoTrusted computing platforms the next securitysolutionrdquo Tech Rep HPL-2002-221 Hewllet-Packard Labora-torie 2002

[33] C I Fan andV SMHuang ldquoProvably secure integrated onoff-line electronic cash for flexible and efficient paymentrdquo IEEETransactions on Systems Man and Cybernetics C Applicationsand Reviews vol 40 no 5 pp 567ndash579 2010

[34] S Bajikar Trusted platform module (TPM) based securityon notebook pcsmdashwhite paper Mobile Platform Group IntelCorporation 2002

[35] M Abe and T Okamoto ldquoProvably secure partially blindsignaturesrdquo in Proceedings of the 20th Annual InternationalCryptology Conference on Advances in Cryptology (CRYPTOrsquo00) pp 271ndash286 Springer 2000

[36] A Juels M Luby and R Ostrovsky ldquoSecurity of blind digitalsignaturesrdquo in Proceedings of the 17th Annual InternationalCryptology Conference on Advances in Cryptology (CRYPTOrsquo97) pp 150ndash164 Springer 1997

[37] M Bellare C Namprempre D Pointcheval and M SemankoldquoThe one-more-RSA-inversion problems and the security ofchaumrsquos blind signature schemerdquo Journal of Cryptology vol 16no 3 pp 185ndash215 2003

[38] S Brands ldquoUntraceable off-line cash in wallets with observers(extended abstract)rdquo CRYPTO pp 302ndash318 1993

[39] Y Hanatani Y Komano K Ohta and N Kunihiro ldquoProvablysecure electronic cash based on blind multisignature schemesrdquoFinancial Cryptography vol 4107 pp 236ndash250 2006

[40] C Popescu ldquoAn off-line electronic cash system with revokableanonymityrdquo in Proceedings of the 12th IEEE MediterraneanElectrotechnical Conference pp 763ndash767 May 2004

[41] A Menezes P van Oorschot and S Vanstone Handbook ofApplied Cryptography CRC Press New York NY USA 1997

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

18 The Scientific World Journal

52 Performance Comparisons According to [41] we cansummarize and induce the computation cost of all operationsas followsThe computation cost of amodular exponentiationcomputation is about 240 times of the computation cost of amodular multiplication computation while the computationcost of a modular inversion almost equals to that of amodular exponentiation Also the computation cost of a hashoperation almost equals to that of a modular multiplication

With the above assumptions the total computation costof users during withdrawal and payment phases of ourproposed scheme can be induced as 1452 times of a modularmultiplication computation while other works [9 13ndash1521 22 27 38ndash40] need 3375 1448 5534 966 1450 4804337 7468 5291 and 1449 times of a modular multiplicationcomputation to finish withdrawal and payment phases at theuser ends

According to [15] we assume the RSAparameters 119899 119901 119902

are 1024 512 and 512 bits respectively We adopt AES andSHA-1 as the symmetric cryotsystem and one-way hashfunction used in all protocols respectively therefore thesigned message and hash massage are in 128 and 160 bitsrespectively We assume the expiration date is in 32 bits

With the above assumptions we compute the commu-nication cost of each offline transaction withdrawal andpayment at the user side Our scheme needs 2048 bits forwithdrawing an e-cash and 6688 bits for spending an e-cashwhich is 1092 bytes for each transaction

The details of the comparisons are summarized inTable 1

6 Conclusion

In this paper we have presented earlier a provably secureoffline electronic cash scheme with an expiration date anda deposit date attached to it Besides we have also designedan e-cash renewal protocol where users can exchange theirunused and expired e-cash(s) for new ones more efficientlyCompared with other similar works our scheme is efficientfrom the aspect of considering computation cost of the userside and satisfying all security properties simultaneouslyExcept for anonymity unlinkability unforgeability and nodouble-spending we also formally prove that our schemeachieves conditional-traceability and no-swindling Not onlydoes our scheme help the bank to manage their hugedatabases against unlimited growth but also it strengthensthe preservation of usersrsquo privacy and rights as well

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This work was partially supported by the National ScienceCouncil of Taiwan under Grants NSC 102-2219-E-110-002

NSYSU-KMU Joint Research Project (NSYSUKMU 2013-I001) and Aim for the Top University Plan of the NationalSun Yat-sen University and Ministry of Education Taiwan

References

[1] H. Chen, P. P. Y. Lam, H. C. B. Chan, T. S. Dillon, J. Cao, and R. S. T. Lee, "Business-to-consumer mobile agent-based internet commerce system (MAGICS)," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 37, no. 6, pp. 1174–1189, 2007.

[2] S. C. Fan and Y. L. Lai, "A study on e-commerce applying in Taiwan's restaurant franchise," in Proceedings of the IET International Conference on Frontier Computing: Theory, Technologies and Applications, pp. 324–329, August 2010.

[3] D. R. W. Holton, I. Nafea, M. Younas, and I. Awan, "A class-based scheme for E-commerce web servers: formal specification and performance evaluation," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 455–460, 2009.

[4] Z. Jie and X. Hong, "E-commerce security policy analysis," in Proceedings of the International Conference on Electrical and Control Engineering (ICECE '10), pp. 2764–2766, June 2010.

[5] D. R. Liu and T. F. Hwang, "An agent-based approach to flexible commerce in intermediary-centric electronic markets," Journal of Network and Computer Applications, vol. 27, no. 1, pp. 33–48, 2004.

[6] S. J. Lin and D. C. Liu, "An incentive-based electronic payment scheme for digital content transactions over the Internet," Journal of Network and Computer Applications, vol. 32, no. 3, pp. 589–598, 2009.

[7] H. Wang, Y. Zhang, J. Cao, and V. Varadharajan, "Achieving secure and flexible M-services through tickets," IEEE Transactions on Systems, Man and Cybernetics A: Systems and Humans, vol. 33, no. 6, pp. 697–708, 2003.

[8] C. Yue and H. Wang, "Profit-aware overload protection in E-commerce Web sites," Journal of Network and Computer Applications, vol. 32, no. 2, pp. 347–356, 2009.

[9] C. C. Chang and Y. P. Lai, "A flexible date-attachment scheme on e-cash," Computers and Security, vol. 22, no. 2, pp. 160–166, 2003.

[10] C. L. Chen and J. J. Liao, "A fair online payment system for digital content via subliminal channel," Electronic Commerce Research and Applications, vol. 10, no. 3, pp. 279–287, 2011.

[11] C. I. Fan, W. K. Chen, and Y. S. Yeh, "Date attachable electronic cash," Computer Communications, vol. 23, no. 4, pp. 425–428, 2000.

[12] C. I. Fan and W. Z. Sun, "Efficient encoding scheme for date attachable electronic cash," in Proceedings of the 24th Workshop on Combinatorial Mathematics and Computation Theory, pp. 405–410, 2007.

[13] T. Nakanishi, M. Shiota, and Y. Sugiyama, "An efficient online electronic cash with unlinkable exact payments," Information Security, vol. 3225, pp. 367–378, 2004.

[14] Y. Baseri, B. Takhtaei, and J. Mohajeri, "Secure untraceable off-line electronic cash system," Scientia Iranica, vol. 20, pp. 637–646, 2012.

[15] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '05), pp. 302–321, May 2005.

The Scientific World Journal 19

[16] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Balancing accountability and privacy using E-cash," in Security and Cryptography for Networks, vol. 4116 of Lecture Notes in Computer Science, pp. 141–155, 2006.

[17] J. Camenisch, A. Lysyanskaya, and M. Meyerovich, "Endorsed e-cash," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 101–115, May 2007.

[18] S. Canard, A. Gouget, and J. Traore, "Improvement of efficiency in (unconditional) anonymous transferable E-cash," in Financial Cryptography and Data Security, vol. 5143 of Lecture Notes in Computer Science, pp. 202–214, 2008.

[19] D. Chaum, A. Fiat, and M. Naor, "Untraceable electronic cash," in Advances in Cryptology - CRYPTO '88, vol. 403 of Lecture Notes in Computer Science, pp. 319–327, Springer, Berlin, Germany, 1990.

[20] G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung, "Anonymity control in E-cash systems," in Proceedings of the First International Conference on Financial Cryptography, pp. 1–16, 1997.

[21] Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59–66, 2011.

[22] C. I. Fan, V. S. M. Huang, and Y. C. Yu, "User efficient recoverable off-line e-cash scheme with fast anonymity revoking," Mathematical and Computer Modelling, vol. 58, pp. 227–237, 2013.

[23] X. Hou and C. H. Tan, "Fair traceable off-line electronic cash in wallets with observers," in Proceedings of the 6th International Conference on Advanced Communication Technology, pp. 595–599, February 2004.

[24] X. Hou and C. H. Tan, "A new electronic cash model," in Proceedings of the International Conference on Information Technology: Coding and Computing, pp. 374–379, April 2005.

[25] W. S. Juang, "A practical anonymous off-line multi-authority payment scheme," Electronic Commerce Research and Applications, vol. 4, no. 3, pp. 240–249, 2005.

[26] J. K. Liu, V. K. Wei, and S. H. Wong, "Recoverable and untraceable e-cash," in International Conference on Trends in Communications (EUROCON '01), vol. 1, pp. 132–135, 2001.

[27] C. Wang, H. Sun, H. Zhang, and Z. Jin, "An improved off-line electronic cash scheme," in Proceedings of the 5th International Conference on Computational and Information Sciences (ICCIS '13), pp. 438–441, 2013.

[28] W. S. Juang, "D-cash: a flexible pre-paid e-cash scheme for date-attachment," Electronic Commerce Research and Applications, vol. 6, no. 1, pp. 74–80, 2007.

[29] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology - CRYPTO '82, Lecture Notes in Computer Science, pp. 199–203, Springer, Berlin, Germany, 1983.

[30] H. Krawczyk and T. Rabin, "Chameleon signatures," in Proceedings of the Network and Distributed System Security Symposium (NDSS '00), pp. 143–154, 2000.

[31] S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, Prentice Hall, New York, NY, USA, 2002.

[32] S. Pearson, "Trusted computing platforms, the next security solution," Tech. Rep. HPL-2002-221, Hewlett-Packard Laboratories, 2002.

[33] C. I. Fan and V. S. M. Huang, "Provably secure integrated on/off-line electronic cash for flexible and efficient payment," IEEE Transactions on Systems, Man and Cybernetics C: Applications and Reviews, vol. 40, no. 5, pp. 567–579, 2010.

[34] S. Bajikar, Trusted Platform Module (TPM) Based Security on Notebook PCs: White Paper, Mobile Platform Group, Intel Corporation, 2002.

[35] M. Abe and T. Okamoto, "Provably secure partially blind signatures," in Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '00), pp. 271–286, Springer, 2000.

[36] A. Juels, M. Luby, and R. Ostrovsky, "Security of blind digital signatures," in Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '97), pp. 150–164, Springer, 1997.

[37] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, "The one-more-RSA-inversion problems and the security of Chaum's blind signature scheme," Journal of Cryptology, vol. 16, no. 3, pp. 185–215, 2003.

[38] S. Brands, "Untraceable off-line cash in wallets with observers (extended abstract)," in CRYPTO, pp. 302–318, 1993.

[39] Y. Hanatani, Y. Komano, K. Ohta, and N. Kunihiro, "Provably secure electronic cash based on blind multisignature schemes," Financial Cryptography, vol. 4107, pp. 236–250, 2006.

[40] C. Popescu, "An off-line electronic cash system with revokable anonymity," in Proceedings of the 12th IEEE Mediterranean Electrotechnical Conference, pp. 763–767, May 2004.

[41] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, New York, NY, USA, 1997.


