diff --git a/Auditable, Anonymous Electronic Cash-Berkeley b/Auditable, Anonymous Electronic Cash-Berkeley new file mode 100644 index 0000000..5020239 --- /dev/null +++ b/Auditable, Anonymous Electronic Cash-Berkeley @@ -0,0 +1,757 @@ +http://www.cs.tau.ac.il/~amnon/Papers/ST.crypto99.pdf + +Auditable, Anonymous Electronic Cash +(Extended Abstract) +Tomas Sander and Amnon Ta–Shma +International Computer Science Institute +1947 Center Street, Berkeley, CA 94704, USA +{sander,amnon}@icsi.berkeley.edu +Abstract. Most anonymous, electronic cash systems are signaturebased. +A side effect of this is that in these systems the bank has the +technical ability to issue unreported, valid money. It has been noticed in +the past that this may lead to a disaster if the secret key of the bank +is compromised. Furthermore, the above feature prevents any effective +monitoring of the system. +In this paper we build a fully anonymous, auditable system, by constructing +an electronic cash system that is signature-free, and where the +bank needs to have no secret at all. The security of the system relies +instead on the ability of the bank to maintain the integrity of a public +database. Our system takes a completely new direction for meeting the +above requirements, and, in particular, it is the first to do so without the +necessity of making individual transactions potentially traceable: payers +enjoy unconditional anonymity for their payment transactions. The +system is theoretically efficient but not yet practical. +Keywords: electronic cash, anonymity. +1 Introduction +Payment systems should be safe and sound. When we deposit money into a bank +we believe the bank will honor its commitments to us, and even though individual +banks may run into problems (e.g., because of bad investments they make) most +bank accounts are insured by national governments protecting consumers from +losses. In return the banking industry is highly regulated and monitored by +governmental agencies. There are at least two sides to this monitoring. One is to +ensure that transactions are executed correctly. The other is to check the financial +stability of the bank where it is verified that banks reasonably control their risks +in issuing credits and loans, investing their assets and their operational risks +(including insider crime) [32, 31]. This monitoring becomes even more critical +with electronic cash systems in which issuers can issue money themselves. +We call a system auditable if it allows to effectively control the money supply, +i.e. if there can not be valid money that is not known to the auditor (we later +give a more formal definition). An electronic cash system that has this property +and also has a complete report of transactions (which is ”standard” in monetary +systems) allows monitoring the same way the banking system is monitored +Michael Wiener (Ed.): CRYPTO’99, LNCS 1666, pp. 555–572, 1999. + +c Springer-Verlag Berlin Heidelberg 1999 +556 T. Sander, A. Ta–Shma +today. On the other hand, if this property is violated then monitoring may not +reflect the actual reality. We believe that even just for that reason auditability +is important and desirable. Unfortunately, not too much attention was given to +this property and there are many systems (e.g. [10]) which violate it. I.e., in +such systems the issuer can issue valid money that is not reported anywhere, and +thus such a system can be “technically” functioning correctly, and apparently +stable, while it is in fact insolvent. +Further abuses of anonymous systems exist. Some of these exploit another +bad property that may exist in an electronic cash system, and which we call +rigidity. We say a system is non-rigid if any withdrawn money (in a standard +or a non-standard withdrawal transaction) can be later invalidated (see a formal +definition in Section 4). We argue that auditable, non-rigid systems defend +against most of the major known attacks and abuses of anonymous electronic +cash systems. The challenge is to build a fully anonymous yet auditable and +non-rigid system. Previous solutions to the problem use electronic cash systems +with “escrow” agents that can revoke the anonymity of users or coins. Thus, they +compromise the anonymity feature. We take a completely different direction and +present a solution that gives users full statistical anonymity. +1.1 Our Solution +In our system there is no trustee and a users’ privacy can never be compromised. +Furthermore, our system is not signature based, and in fact it is “secret-free”; +there is no secret key the bank needs to hold (and therefore nothing that can +be stolen,e.g. by insiders!). Furthermore, in our system all relevant bank actions +are public and publicly verifiable, and the system is also fully auditable in the +same way banks are auditable today. +The security of the system relies on the ability of the bank to maintain the +integrity of a public database, and the auditability property follows from the +fact that all transactions (including issuing new coins) are made public and can +not be forged. +Our system also protects from blackmailing attacks against the bank; the +only way a blackmailer can force the bank to issue electronic coins that will +be accepted as valid payments is by forcing the bank to add some public data. +The bank (and the whole world) knows which data have been added during +the blackmailing, and as our system is also non-rigid the situation can be later +reversed. Furthermore, even if the bank is willing to follow all terms dictated by +blackmailers, there is no way for the bank to issue non-rigid coins. This leaves, +for example, kidnapers with the knowledge that once they free the hostage they +are left with worthless coins. Certainly also the bank knows that paying the +ransom can not lead to a release of the hostage. This loose/loose scenario will +strongly discourage both players to use this non–rigid system in blackmailing +scenarios. Our system also has the advantage that it can remain off line after a +blackmailing attack on the bank has occurred once the system has been updated. +On the conceptual level it is the first system that simultaneously guarantees +unconditional user anonymity together with strong protection against the black- +Auditable, Anonymous Electronic Cash 557 +mailing and the bank robbery attack, in which the bank’s secret key for signing +coins is compromised. Recall that previous work addressed potential criminal +abuses of electronic cash systems mainly in the escrowed cash paradigm, where +each user transaction is made potentially traceable by Trustee(s). As Camenisch, +Piveteau and Stadler [17] put it, these type of systems “offer a compromise between +the legitimate need for privacy protection and an effective prevention of +misuse by criminals”. Our system defends against these attacks without doing +the “compromise” cited above, and this is achieved using a simple, straightforward +approach. +This raises the question whether other significant system abuses like money +laundering can be effectively prevented by still preserving unconditional user +anonymity. That the latter is possible was shown by the authors in [36] where +an amount–limited, strongly non–transferable payment system was suggested. +Amount–limitedness and non-transferability assure that a money launderer can +not obtain the large amounts of anonymous electronic cash that are typically +involved and needed in money laundering activities, neither by withdrawing them +from the bank, nor by buying them on a “black market” for anonymous electronic +cash. Using the techniques developed in [36] the current system can also be +made amount–limited and non-transferable. The combined system then strongly +defends against blackmailing, bank robbery and money–laundering abuses while +offering unconditional privacy for users in their transactions. We therefore believe +that the need for escrowed cash systems should be reexamined. +1.2 Organization of the Paper +In Section 2 we describe several attacks on electronic payment systems and +previous work in which they were defeated. In Section 3 we outline the ideas +underlying our electronic cash system and show how it differs conceptually from +previous systems offering anonymity that were blind signature based. In Section 4 +we give a formal description of model and requirements for our system. In Section +5 we describe the building blocks which we use in the protocol. In Section 6 we +present the protocols of our auditable anonymous system and point in Section +7 to possible directions how the efficiency of the system can be improved. +2 Previous Work +We start by describing some major attacks on anonymous electronic cash systems: +Bank robbery attack: Jakobsson and Yung [26] describe an attack where the +secret key of the issuer is compromised and the thief starts counterfeiting money. +The attack is especially devastating if no one will be able to detect that there +is false money in the system until the amount of deposited money surpluses the +amount of withdrawn money. Obviously, by that time the whole market is flooded +with counterfeited money, and the system may collapse. The Group of Ten report +from 1996 [14] expresses “serious concern”: “one of the most significant threats +558 T. Sander, A. Ta–Shma +to an electronic money system would be the theft or compromising of the issuer’s +cryptographic keys by either an inside or an outside attacker.” In the 1998 report +[33] it is stated that “of direct concern to supervisory authorities is the risk of +criminals counterfeiting electronic money, which is heightened if banks fail to +incorporate adequate measures to detect and deter counterfeiting. A bank faces +operational risk from counterfeiting, as it may be liable for the amount of the +falsified electronic money balance.” It further states “Over the longer term, if +electronic money does grow to displace currency to a substantial degree, loss +of confidence in a scheme could conceivably have broader consequences for the +financial system and the economy.” +Money laundering attacks: There are many possible ways to abuse an anonymous +electronic cash system for money laundering (cf. e.g. [2]). +Blackmailing attack: Van Solms and Naccache [38] described a “perfect” +blackmailing scenario that exploits anonymity features of (blind) signature-based +electronic cash systems. +An auditor should not have to trust the issuer because an issuer can make +profits from unreported money in several ways, e.g. for offering not properly +backed credits or by assisting in money laundering activities (for documented +cases in which financial institutions indeed assisted in unlawful activities see e.g. +[1] and also [20]). +These types of attacks motivated a substantial amount of research started +in [13] and [16], where electronic cash with revocable anonymity (“escrowed +cash”) was suggested. In, e.g. [26, 28, 15, 19, 34, 18], several systems following this +approach have been described 1. These cash systems allow a Trustee(s) to revoke +the anonymity of each individual transaction. A typical revocability feature is +“coin tracing” where the coin withdrawn by a user during a particular withdrawal +session can be identified. This feature allows to defeat the blackmailing attack in +the case a private user is blackmailed (as he may later ask to trace and blacklist +the blackmailed coins). +Few systems of the ones mentioned above protect also against (the stronger) +blackmailing attacks on the bank: a blackmailer may force the bank to enter a +non–standard withdrawal protocol to withdraw coins (and thereby disable coin +tracing mechanisms) or extort the bank’s secret key. In the related bank robbery +attack the secret key of the bank is stolen. Only the systems in [26, 19, 34, 25] +prevent against these very strong latter attacks. Some of these systems require +a third party involvement at withdrawal time and some can not remain off-line +after such an attack had occurred. +1 It has been pointed out before in [28] that systems like the one described in [37] +are not vulnerable to several of these attacks as their security (for the bank) does +not critically rely on (blind) signature techniques. Although the system [37] offers +privacy to a certain extent it is not fully anonymous. We are not aware of a previous +description of an electronic cash system that achieves full anonymity but does not +rely on blind signatures techniques. +Auditable, Anonymous Electronic Cash 559 +3 The Basic Idea +3.1 Stamps and Signatures +As stated above, whereas most previous systems offering anonymity are signaturebased +and the issuer gives (blinded) signatures to coins, ours is not. Our approach +and its difference to previous ones can be best understood by considering +the “membership in a list” problem. In this problem a bank holds a list of values +L = {x1,...,xk}, The elements in the list “correspond” to valid coins (and +will be hash values of their serial numbers). If x ∈ L there is a short proof of +membership, whereas if x 6∈ L it is infeasible to find such a proof, i.e. only when +a user has a valid coin he can give such a proof, else he can not. +Let us now focus on the membership problem. One possible solution is to +keep a public list of all values in L. However, such a solution requires the verifier +to be able to access a large file. Another solution is for the bank to sign each +value in L and to accept an element as belonging to L iff it carries a signature, +which from an abstract point of view is how systems like, e.g., [10] work. Now, +however, the security of the system relies on the secrecy of the secret key of the +bank and the system becomes potentially vulnerable to blackmailing attacks. +A third solution for the membership problem was suggested by Merkle [27]. In +Merkle’s solution, all values x1,...,xk are put into the leaves of a tree, and a +hash tree is formed over the leaves using a collision resistant function h (for +more details see Section 6). The root of the hash tree is made public, and the +assumption is that this data is authenticated and its integrity can be maintained. +A proof that x is in the list amounts to presenting a hash chain from x to the +root. The collision resistant property of h then guarantees that it is infeasible to +find a membership proof for an element x 6∈ L. +When the bank adds a value to the tree it “authenticates” or “stamps” the +value as being valid for payment. Stamping is very similar to signing: Anyone +who has access to the authenticated data (the root of the tree) can validate a +stamp (by checking the hash chain leading to the root) which is similar to the +public verification predicate in signature schemes. Also, it can be achieved that +it is infeasible to forge neither signatures nor stamps. The key difference, from +our perspective, between signatures and stamps, is that the secret/public key +pair required in a signature scheme is “replaced” with authenticated public data +(the root of the tree) which is exactly what we need for solving the bank robbery +attack, the blackmailing attack and achieving auditability. Although the security +requirements are different our system has technically some similarities to time +stamping protocols [24, 8, 3] that also made use of tree based methods. +Our protocol uses Merkle’s solution in a way that also allows to incorporate +full anonymity, detection of double spenders and full auditability. Other features +(as non-transferability and amount limitedness) can be easily added. +560 T. Sander, A. Ta–Shma +3.2 On the Update of Roots and Hash Chains +Let us say for the ease of explanation that a time frame lasts a minute, an hour +has two minutes, a day has two hours, a week has two days, etc. At the first +minute the bank creates a minute tree with all the coins issued at that minute on +its leaves. At the second minute another minute tree is formed. When the second +minute ends the two minute tress are combined into an hour tree by hashing the +two roots of the minute trees together. During the next hour a new hour tree is +used. When the second hour ends we combine the two hour trees to a day tree, +and a new day tree is formed, and so on. Altogether we have a forest. Let us say +that a root is alive if it is a root in the forest, i.e. it is the root of one of the last +hour,day,week etc tree. If our system is to cover one hundred real years, then +the system has to have about 5, 000, 000 roots (100 · 365 · 24 · 60 << 226 ) and +therefore 26 levels are necessary (with the bottom level covering minutes, the +level above it hours etc.). In particular, at any given minute there are at most +26 live roots. +Each merchant should hold a subset of the live roots. A merchant can choose +how often to update his list. If a merchant chooses to keep 20 live roots he needs +to update his list every 26 minutes, and he can not accept coins that were issued +in the last 26 minutes. He can choose to keep all 26 live roots (and therefore +accept all issued coins) but then he needs to update his list every minute. +When a user withdraws a coin the bank sends him a hash chain from his coin +to the root of the current tree, and each time the tree is combined with another +tree the bank updates the chain so that it leads to the root of the combined tree. +Altogether the bank sends the user 26 update messages. A payment transaction +begins with the merchant sending the user the set of all live roots he knows. The +user proves in a zero knowledge way that he knows a hash chain to one of the +roots in the set. +We point out the following: +– The updates are independent of the actual transaction that takes place and +the specific user. An update at the end of an hour should only contain the +values of the roots of the last two minutes, an update at the end of a day +should only contain the roots of the last two hours etc. As a result the +updates can be broadcasted to every system participant. +– Each merchant can choose how often he makes the updates. The only disadvantage +in making less updates is that coins that were issued within the +last uncovered period can not be accepted by the merchant. +– When a user tries to spend a coin to a merchant who does not accept coins +from the last k minutes, the only information the user reveals is that his coin +was not withdrawn during the last k minutes. +We believe that such a system might offer a flexible and practical solution +to anonymous off-line cash. We call the system off-line because if a merchant +chooses to be updated only once a day he can certainly do so. The users can +also spend their money without involving the bank. They suffer however from +the disadvantage that at least at the beginning they need to be updated often. +This can be improved if more recent roots are kept by the merchant. +Auditable, Anonymous Electronic Cash 561 +3.3 On the Security of the System +A crucial property we need is that the integrity of the published root of the tree +is maintained. This can be achieved by publishing the root in the New York +Times, or mirroring it in many different places, as was already pointed out in +the original paper of Merkle. +Besides the authenticated data the bank keeps all sorts of data structures, +including, e.g., the tree itself, a data structure carrying the balance of each +account in the system, and more. It is clear that the bank can change these +data structures, and in fact this can be done even in the banking system of +today, where a bank can technically take all the money from one’s account. Such +accounting problems are well understood, and they are quite successfully dealt +with in the banking industry. We do not deal with them in our system. +In an off-line system a merchant needs to verify membership to L reliably, +i.e. he needs the correct roots. Criminals might establish a site that claims to +contain the necessary authenticated data, and try to trick merchants into accepting +a forged root. There are many different ways to address this problem, and +furthermore such an attack is detected by the bank as soon as a forged coin is +deposited. The bank can take a variety of steps immediately like shutting down +the false source of the root, raising an alert or redistributing the correct root. +The merchant can also set his own policy how to verify the authenticity of the +root, and thereby manage his risk. +4 System +We first describe our model: +The participants: Users, merchants, a bank and the auditor. +Infrastructure: We assume there is an authenticated way for the bank to +distribute the roots of its trees of issued coins. +Time: We assume that there are consecutive time frames denoted T1, T2,.... +We call the basic time frame a ’minute’. Two minutes are grouped together to +an hour, two hours to a day and so forth. +Computing Power: All participants are probabilistic polynomial time players. +Trust Model: The network and the distribution channels are reliable and +anonymous. Users and merchants trust the bank not to steal their money 2. The +auditor does not trust the bank not to issue unreported money. +System Events: We focus on the following system events: +– A user opens an account. +– A user withdraws money at the bank. +– The bank updates and broadcasts the roots of the forest. +– A user pays a coin to a merchant. +– A merchant deposits a received coin at the bank. +2 By introducing receipts this trust requirement can be minimized using well known +techniques. In this work we focus on the auditability property. +562 T. Sander, A. Ta–Shma +– The bank invalidates funds that have been withdrawn before. +We have the following requirements for our system: +Unforgeability: It is infeasible for any coalition of participants in the system +excluding the bank to create an amount of payments accepted by the bank that +exceeds the amount of withdrawn coins. +Auditability: There is a file, accessible by the auditor, that is supposed +to describe all the events that have occurred in the system. In particular all +withdrawals are supposed to be reported there. A withdrawal record should at +least report who withdrew the money. We say c is a coin if it can be deposited, +or if it was already successfully deposited. +Definition 1. A system is auditable if there is a one to one correspondence +between all coins c and the withdrawal records. +We stress that we do not require that the one to one correspondence is known +to the auditor or anyone else. In fact, in a truly anonymous system it is not. All +we require is that such a correspondence exists. If the system is auditable, we +also say the system does not admit any unreported money. +Non-Rigidness We say a system is non–rigid if any coin that can be accepted +as a valid payment by the deposit protocol (and it does not matter +whether it was withdrawn in a standard or non–standard transaction) can be +invalidated. +Unconditional Payer Anonymity: A payer has unconditional anonymity, +if transcripts of withdrawals are statistically uncorrelated to transcripts of payments +and deposits. +We stress that at withdrawal time the user has to identify himself to the +bank, and the bank might record the withdrawn string z along with the identity +of its owner. Yet, as transcripts of withdrawals are statistically uncorrelated to +transcripts of payments and deposits, this does not give the bank any information +on how or to whom a withdrawn coin is spent. +5 Tools +Definition 2. We say a function f : A×B → C is one-way, if the probability a +polynomial time machine given a random c ∈ C can find (x, r) s.t. f(x, r) = c is +negligible. We say a function f : A×B → C is collision resistant, if the probability +a polynomial time machine can find (x, r) 6= (x0 +, r0 +) s.t. f(x, r) = f(x0 +, r0 +) is +negligible. +Definition 3. Let G be a domain of size p. We say a function g : [0..p − 1] × +[0..p − 1] → G is concealing if for any [0..p − 1] the distribution g(x, [0..p − 1]) +obtained by picking r ∈ [0..p−1] at random and computing g(x, r) is the uniform +distribution over G. +Auditable, Anonymous Electronic Cash 563 +b_1=h(a_1,a_2) b_2=h(a_3,a_4) +a_1 a_4 a_2 a_3 +R=h(b_1,b_2) +Fig. 1. A hash chain ((1, 0); a3; (a4, b1)). +Assuming DLog is hard for certain groups of prime order G (see [9]) oneway, +collision resistant and concealing functions exist and can be based on the +representation problem [9]. More specifically, if G is a group of prime order p, for +which DLOG is hard, and g1, g2 are chosen at random (so almost always they +are two distinct generators of G), then g : [0..p − 1] × [0..p − 1] → G defined by +g(x, y) = gx +1 gy +2 has these properties (see [9] Proposition 7 and Corollary 8, for +details). +5.1 Hash Chains and Hash Trees +Hash Chains. A hash chain of length 1 to a root R is a triplet (i1; x; y) s.t. +f(i1)(x, y) = R, where f(0)(x, y) = h(x, y) and f(1)(x, y) = h(y, x). +A chain of length d > 1 to a root R is a triplet ((i1,...,id); x; (y1,...,yd)) +s.t. ((i1,...,id−1); f(id) +(x, yd); (y1,...,yd−1)) is a hash chain of length d−1. We +also say that the hash chain starts with the value x and leads to the root R. See +Figure 1. +Hash Trees. For a given domain D, and a known hash function h : D×D → D +a hash tree (T, val) consists of a balanced binary tree T, with vertices V , together +with a function val : V → D s.t. for any vertex v with two children v1 and v2, +val(v) = h(val(v1), val(v2)). The only operation that can be performed on a +hash tree is UP DAT E(leaf, w) where the leaf’s value is changed to w and the +values of the internal nodes from the leaf to the root are accordingly updated. +5.2 Non-interactive Zero Knowledge Arguments of Knowledge +under the Random Oracle Assumption +We will frequently use perfect zero knowledge arguments of knowledge (ZKA) +i.e., proofs that show that the prover knows a witness w to the predicate φ (i.e. +φ(w) = T rue). These proof are convincing if the prover is polynomially bounded, +and the proofs statistically do not reveal extra information. The notion of a proof +of knowledge is from [23, 5]. Under the discrete log assumption any NP predicate +has a perfect zero knowledge argument of knowledge ([11, 12, 22, 21], see also [29] +564 T. Sander, A. Ta–Shma +for zero knowledge arguments under weaker conditions and [4] for further details +on ZKA’s of knowledge). +We will need non-interactive perfect zero knowledge arguments (ZKA) of +knowledge. We make the random oracle assumption [6] that has been commonly +used in the design of electronic cash systems. Assuming the random oracle assumption, +and using the techniques of Bellare and Rogaway [6], the zero knowledge +argument of knowledge protocols can be made non-interactive (See [6] for +the treatment of the similar case of zero-knowledge proofs). +6 An Anonymous Auditable Electronic Cash System +We now build an auditable, electronic cash system that allows users to have +unconditional anonymity. +When Alice withdraws a coin, she chooses x and r (which she keeps secret) +and sends z = g(x, r) to the Bank. x should be thought of as the serial number +of the coin, r is a random number and g is concealing and collision resistant. The +bank adds the coin z to the public list of coins, yet only a person who knows a +pre-image (x, r) of z can use z for payment, and because g is one-way only Alice +can use the coin z. To make the system anonymous for Alice when she wants +to spend a coin z she proves with a zero knowledge argument that she knows +a pre-image (x, r) of some z that appears in the list of coins, without actually +specifying the value z. To prevent double–spending extra standard mechanisms +are added to the system. +As it turns out the most expensive part of the protocol is the zero knowledge +argument of membership where Alice has to prove she knows a coin z from the +public list of coins that has certain properties. A straight forward implementation +of this would require a proof that is polynomially long in the number of coins. +A better, and theoretically efficient, protocol for testing membership in a list +was suggested by Merkle [27] using hash trees, and our system builds upon this +solution. We now give a more formal description of the protocol. +6.1 The Protocol +Setup: During system setup bank and auditor (and possibly users) choose jointly +the following objects. Fq is a field of size q = poly(N) and N is an upper +bound on the number of coins the bank can issue. G is a group of prime order +p for which DLOG is hard, and |G| ≥ q3. Further an efficient 1-1 embedding +E : F3 +q → [0..p−1] is chosen (e.g., by using binary representations of the elements +in Fq and concatenating them). g : [0..p−1]×[0..p−1] → G is a one-way, collision +resistant and concealing function. +D is a large domain, |D|≥|G|, and h : D ×D → D a collision resistant hash +function. An efficient 1-1 embedding F : G → D is chosen. The bank keeps a +hash tree T over D with N leaves. This hash tree is gradually built. There is no +need to initialize the tree. +Auditable, Anonymous Electronic Cash 565 +Each merchant obtains a unique identifying identity, and we assume the existence +of a random oracle H : TIME × ID → Fq that maps time and an id +to a random element of Fq. We assume that each merchant can do at most one +transaction per time unit (this time unit can be chosen to be very short). Alternatively +the merchant has to add a serial number to each transaction occurring +at the same time unit and is not allowed to use the same serial number twice. +Account Opening: When Alice opens an account, Alice has to identify herself +to the bank, and the bank and Alice agree on a public identity PA ∈ Fq that +uniquely identifies Alice. +Withdrawal: Alice authenticates herself to the bank. Alice picks u1 ∈R Fq, +serial ∈R Fq and computes u2 = PA − u1 ∈ Fq and x = (u1, u2, serial) ∈ F3 +q . +serial is the serial number of the coin and u1, u2 are used to encode Alice’s +identity. She also picks r ∈R [0..p − 1] and sends z = F(g(E(x), r)) ∈ D. to the +bank. She gives the bank a non-interactive zero knowledge argument that she +knows u1, u2, serial and r s.t. z = F(g(E(u1, u2, serial), r)) and u1 + u2 = PA, +i.e, that the coin is well formed. The bank also makes sure that the coin z has +not been withdrawn before. See Figure 2. +Fig. 2. Withdrawal +Alice Bank +u1 ∈R Fq , u2 = PA − u1 ∈ Fq +serial ∈R Fq, r ∈R [0..p − 1] +z = F(g(E(u1, u2, serial), r)) PA,z −→ +Alice gives a non-interactive +ZKA that z is well formed +−→ +In the zero knowledge argument Alice has to answer challenges. These challenges +are determined in the non-interactive ZKA protocol using the random +oracle H. +The bank then subtracts one dollar from Alice’s account, and updates one of +the unused leaves in the tree T to the value z (along with the required changes to +the values along the path from the leaf to the root). When the time frame ends +the bank takes a snapshot of the tree T and creates a version. After creating +the version the bank sends Alice the hash chain from z to the root of T, taken +from the hash tree T. Alice checks that she was given a hash chain from z to +the public root of the hash tree T. +Updates: Each minute a new minute tree is generated, and a version of it +is taken at the end of the minute. When two minute versions exist, they are +566 T. Sander, A. Ta–Shma +combined together to an ’hour’ tree, by hashing the two roots together. Similarly, +if two hour trees exist, they are combined together to a day tree and so forth. +At the end of each hour,day, week etc. a broadcast message is sent to all users +who withdrew a coin during that time period. The hour update, e.g., contains +the values of the two minute roots that were hashed together to give the hour +tree root. Merchants can follow their own updating policy. +Payment: Alice wants to make a payment with a coin +z = F(g(E(u1, u2, serial), r)) to a merchant M with identity mid. The protocol +starts with M sending Alice the set ROOT S of live roots he knows. A root is alive +if it is the root of the tree of the last minute, hour,day etc. Alice then sends the +merchant serial, time and the value v = u1 + cu2, where 1 6= c = H(time, mid). +She then proves to the merchant with a non-interactive ZKA that she knows +u1, u2, r, R and a hash chain ((i1,...,id); w; (y1,...,yd)) to R s.t. +– R ∈ ROOT S, +– w = F(g(E(u1, u2, serial), r)) and +– v = u1 + cu2. +The merchant verifies the correctness of the non-interactive ZKA. See Figure 3. +Fig. 3. Payment +Alice Merchant +ROOT S ←− +c = H(time, mid) ∈ Fq +v = u1 + cu2 ∈ Fq +time,v,serial −→ +Alice gives non-interactive ZKA +that she knows a valid hash chain +with the above c, v, serial, ROOTS +−→ +Deposit: The merchant transfers the payment transcript to the bank. The +bank checks that the merchant with identity mid has not earlier deposited a +payment transcript with this particular parameter time. The bank verifies that +the challenges are correct (i.e., they are H(time, mid)), that the set ROOT S in +the payment transcript consists of valid roots, and that the non-interactive ZKA +is correct. The bank then checks whether serial has already been spent before. +If not the bank credits the merchant’s account and records serial ∈ Fq as being +spent along with the values c ∈ Fq and v(= u1 + cu2) ∈ Fq. +If serial has been spent before the bank knows two different linear equations +v1 = u1 + c1u2 and v2 = u1 + c2u2. The bank solves the equations to obtain u1 +and u2, and P = u1 + u2. The bank then finds the user with the public identity +P. +Auditable, Anonymous Electronic Cash 567 +Invalidation of funds: The bank removes the coins that should be invalidated +from the forest and recomputes the corresponding roots and the hash chains for +each leaf in the forest. The bank distributes the updated snapshot of the forest +and sends the updated hash chains for each of the withdrawn coins in the forest +to the user who withdrew it. +6.2 Correctness +Theorem 1. Under the random oracle assumption, if DLOG is hard, and the +assumptions we made in the description of our model in Section 4 the electronic +cash system is statistically anonymous, unforgeable, auditable, non–rigid and +detects double spenders. The system is also efficient, and the time required from +all players at withdrawal, payment and deposit time is polynomial in the log of +the total number of coins N (i.e. the depth of the tree) and the security parameter +of the system. Each user receives logN messages per withdrawal. +Proof. Unforgeability: We prove that any spent coin must appear as a leaf in T. +To spend a coin Charlie needs to know a hash chain ((i1,...,id); w; (y1,...,yd)) +to a root R of a valid tree T. Because h is collision resistant, and all the players +are polynomial, they can not find two different chains, with the same (i1,...,id) +leading to the same value. Hence, it follows that the hash chain Charlie knows +is exactly the path in T going down from the root according to (i1,...,id). In +particular w is a leaf of T. +Double Spending: If Charlie spends a coin z then this coin must have been +withdrawn before, as was shown in the proof of the unforgeability property, let’s +say by Alice. When Alice withdrew z she proved she knew u1, u2, serial and r +s.t. z = F(g(E(u1, u2, serial), r)) and u1 + u2 = PA. When Charlie spends the +coin he proves he knows a hash chain that starts at z, and u0 +1, u0 +2, serial0 +, r0 s.t. +F(g(E(u1, u0 +2, serial0 +), r0 +)) = z. As g is collision resistant and E and F are 1-1, +it follows that u0 +1 = u1, u0 +2 = u2 and serial0 = serial. In particular, any time +a coin z is spent, the serial number that is reported is always the same (the +serial number chosen at withdrawal time). In particular double spent coins can +be easily detected by observing the serial number. +When a coin is spent a challenge to u0 +1 + cu0 +2 is answered and answered +correctly (we have a non-interactive zero knowledge argument of correctness). +Furthermore, as we have seen above the u0 +1, u0 +2 are always the same and they +are identical to the u1, u2 chosen at withdrawal time. By the random oracle +assumption, the assumption that each merchant has a distinct ID and that he +can only do one transaction per time unit, no challenge is repeated twice. Hence if +the same coin is spent twice, we see the answers to different challenges and we can +easily solve the system of two equations to discover u1 and u2 and consequently +u1 + u2 = P which is the identity of the double spender. +Anonymity: The non-interactive zero knowledge arguments do not reveal any +information in an information theoretic sense about Alice’s inputs beyond the +fact that the coin is well formed (resp. the validity of the claim that is proved). We +568 T. Sander, A. Ta–Shma +would like to show that the information at withdrawal time (i.e. P and z) is statistically +independent of the information at deposit time (c, v = u1 + cu2, serial +and ROOT S). We first observe that even given u1, u2, c, serial and ROOT S the +value z = F(g(E(u1, u2, serial), r)) is uniform, because g is concealing. We are +left with P at withdrawal time and c, v = u1 + cu2, ROOT S at deposit time. +Since u2 = P −u1 we have v = cP + (1−c)u1. As u1 is uniformly distributed, so +is v. Also, c is a function of time and merchant id (which are public data) and +is independent of the coin. +The only possible information leakage can result from the subset ROOT S +the user uses. However, ROOT S covers all the time periods acceptable by the +merchant. Hence the deposit does not reveal more information then merely the +fact that some user paid a merchant M a coin that was proved to be valid +according to the update policy of the merchant. Thus, the system is anonymous. +Merchants who try to provide users with a manipulated list ROOT S can be +detected by the user (e.g., if he knows a valid root not in the list that should +be there) and will definitely be caught by the bank (or the auditor) when they +check the payment transcripts. +Auditability: We have already shown that if a polynomial time player can +spend a coin c then it must have appeared as a leaf in the tree. As all the leaves +in the tree are different, this shows that a one to one correspondence between +usable coins and leaves in the tree (and therefore withdrawals) exists. +Non–Rigidness: We have seen that a coin z is only usable for payment if z +appears as a leaf in the tree. Furthermore, the bank and the auditor know who +withdrew z. To invalidate z all the bank has to do is replace z with a NULL, +and update the tree, the hash chains and the roots as described in the system +event “invalidation of funds”. +Efficiency: +Withdrawal, Payment, Deposit: The dominating complexity stems from the +zero knowledge arguments. Each non-interactive ZKA of an NP statement takes +resources polynomial in the length of the NP statement. The way we described +the protocol, the user claims knowledge of a valid root, and a hash chain leading +to that root. Thus, the NP statement is of length O((log(N)+|ROOT S|) log(|D|), +(A root among all possible roots is a claim of length O(|ROOT S| log(|D|), and +a hash chain is a sequence of O(log(N)) elements each of length O(log(|D|))). +Thus, altogether the statement size is O(log2 N). +Updates and Invalidation: Whenever a minute, hour, day, year etc. ends, the +bank has to broadcast two root values to all the users who withdrew money +during that period. E.g., at the end of the year the bank has to update all +customers who withdrew money during that year. Minute updates are done +frequently but involve only few users, year updates happen only once a year but +involve many users. Each user will ultimately receive log N update messages each +containing two root values. We point out that the bank can avoid notifying the +users about year (and all infrequent) updates by simply publishing the two roots +in the New York Times or a similar medium. It should also be noted that once +Auditable, Anonymous Electronic Cash 569 +a broadcasting technology becomes widely accessible, the complexity of updates +is only a constant. +Invalidation takes O(N) applications of the hash function to update the tree, +and messages should be sent to all users. Unlike regular updates this update involves +the whole tree (with O(N) data items) and can not be done by broadcast. +However, invalidation should not happen too often as mentioned above, and is +mainly used to deal with extreme cases where the bank surrendered to blackmailing. +7 Some Comments +Other protocols for testing membership in a list exist. In particular, the protocol +suggested by Benaloh and de Mare [7] using one-way accumulators, has the +property that it produces hash chains of length 1. The later protocol, however, +suffers from the disadvantage that the coalition of parties which generates the +one–way accumulator h knows a trapdoor for h. Employing the protocol in our +payment system will reduce the length of the zero knowledge proofs to a constant +independent of the number of withdrawn coins. However a person who knows the +trapdoor, can completely bypass the system’s security and pay with counterfeited +money. Thus, if an honest agency constructs h and then destroys the trapdoor +the system is safe. But at least during system setup the payment system is still +vulnerable to the bank robbery attack as the trapdoor may be compromised. +We consider this a serious disadvantage 3. +We leave open the question of designing a practically efficient system that +is both anonymous and auditable. We believe that by designing an appropriate +accumulator–like hash function and the efficient corresponding zero knowledge +proofs this should be possible. A first step in this direction was taken in [35], +where efficient accumulators without trapdoor are constructed. +Finally, we ask if there are conceptually different ways to design anonymous +payment systems which have the auditability property, and how existing anonymous +electronic payment systems can be transformed into auditable ones with +minimal performance overhead. +Acknowledgments +We would like to thank Moni Naor and Moti Yung for stimulating conversations +and Mike Just for a having pointed out a reference to us. +3 Benaloh and de Mare leave open whether one-way accumulators can be built without +using a trapdoor. Nyberg [30] builds such a system, with an accumulated hash of +length N log(N), where N is the number of items to be hashed. The large hash +length makes this protocol completely irrelevant to our case. +570 T. Sander, A. Ta–Shma +References +1. FATF-VII report on money laundering typologies. Financial Crimes Enforcement +Network Publications, August 1996. http://www.treas.gov/fincen/pubs.html. +2. Cyberpayments and money laundering. RAND, 1998. +http://www.rand.org/publications/MR/MR965/MR965.pdf/. +3. D. Bayer, S. Haber, and W. S. Stornetta. Improving the efficiency and reliability of +digital time-stamping. In R. M. Capocelli et al., editor, Sequences II: Methods in +Communication, Security and Computer Science, pages 329–334. SV , New York, +1992. +4. Bellare, Jakobsson, and Yung. Round-optimal zero-knowledge arguments based on +any one-way function. In EUROCRYPT: Advances in Cryptology: Proceedings of +EUROCRYPT, 1997. +5. M. Bellare and O. Goldreich. On defining proofs of knowledge. In Ernest F. +Brickell, editor, Advances in Cryptology—CRYPTO ’92, volume 740 of Lecture +Notes in Computer Science, pages 390–420. Springer-Verlag, 1993, 16–20 August +1992. +6. Mihir Bellare and Phillip Rogaway. Random oracles are practical: A pardigm for +designing efficient protocols. In Victoria Ashby, editor, 1st ACM Conference on +Computer and Communications Security, Fairfax, Virginia, November 1993. ACM +Press. also appeared as IBM RC 19619 (87000) 6/22/94. +7. J. Benaloh and M. de Mare. One-way accumulators: A decentralized alternative +to digital signatures. Lecture Notes in Computer Science, 765:274–??, 1994. +8. J. Benaloh and M. de Mare. Efficient broadcast time-stamping. Technical Report 1, +Clarkson University Department of Mathematics and Computer Sciences. August, +1991. +9. S. Brands. An efficient off-line electronic cash system based on the representation +problem. In 246. Centrum voor Wiskunde en Informatica (CWI), ISSN 0169-118X, +December 31 1993. AA (Department of Algorithmics and Architecture), CS-R9323, +URL=ftp://ftp.cwi.nl/pub/CWIreports/AA/CS-R9323.ps.Z. +10. S. Brands. Untraceable off-line cash in wallet with observers. In Douglas R. Stinson, +editor, Crypto 93, volume 773 of LNCS, pages 302–318. SV, 1993. +11. Brassard and Crepeau. Non-transitive transfer of confidence: A perfect zeroknowledge +interactive protocol for SAT and beyond. In FOCS: IEEE Symposium +on Foundations of Computer Science (FOCS), 1986. +12. G. Brassard, D. Chaum, and C. Cr´epeau. Minimum disclosure proofs of knowledge. +Journal of Computer and System Sciences, 37:156–189, 1988. +13. E. Brickell, P. Gemmell, and D. Kravitz. Trustee-based tracing extensions to +anonymous cash and the making of anonymous change. In Proceedings of the +Sixth Annual ACM-SIAM Symposium on Discrete Algorithms (SODA’95), pages +457–466. Sandia National Labs, January 1995. +14. Report by the Committee on Payment, Settlement Systems, and the Group of +Computer Experts of the central banks of the Group of Ten countries. Security +of electronic money. Publication of the Bank for International Settlements, Basle, +August 1996. http://www.bis.org/publ/index.htm. +15. J. Camenisch, U. Maurer, and M. Stadler. Digital payment systems with passive +anonymity-revoking trustees. Lecture Notes in Computer Science, 1146:33–, 1996. +16. J. Camenisch, J. Piveteau, and M. Stadler. Fair blind signatures. In L. Guilloy +and J-J. Quisquater, editors, EuroCrypt 95, LNCS, pages 209–219. SV, 1995. +Auditable, Anonymous Electronic Cash 571 +17. J. Camenisch, J. Piveteau, and M. Stadler. An efficient fair payment system. In +Clifford Neuman, editor, 3rd ACM Conference on Computer and Communications +Security, pages 88–94, New Delhi, India, March 1996. ACM Press. +18. G. Davida, Y. Frankel, Y. Tsiounis, and Moti Yung. Anonymity control in E-cash +systems. In Rafael Hirschfeld, editor, Financial Cryptography: First International +Conference, FC ’97, volume 1318 of Lecture Notes in Computer Science, pages +1–16, Anguilla, British West Indies, 24–28 February 1997. Springer-Verlag. +19. E. Fujisaki and T. Okamoto. Practical escrow cash system. Lecture Notes in +Computer Science, 1189:33–??, 1997. +20. General Accounting Office (GAO). Private banking: Raul Salinas, +Citibank, and alleged money laundering. GAO/OSI-99-1, December 1998. +http://www.gao.gov/monthly.list/dec98/dec9811.htm. +21. O. Goldreich, S. Micali, and A. Wigderson. Proofs that yield nothing but their +validity or all languages in NP have zero-knowledge proof systems. Journal of the +ACM, 38(3):691–729, July 1991. +22. Oded Goldreich, Silvio Micali, and Avi Wigderson. How to prove all NP statements +in zero-knowledge and a methodology of cryptographic protocol design (extended +abstract). In A. M. Odlyzko, editor, Advances in Cryptology—CRYPTO ’86, volume +263 of Lecture Notes in Computer Science, pages 171–185. Springer-Verlag, +1987, 11–15 August 1986. +23. Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The knowledge complexity of +interactive proof systems. SIAM Journal on Computing, 18(1):186–208, February +1989. +24. Stuart Haber and W. Scott Stornetta. How to time-stamp a digital document. +Journal of Cryptology, 3(2):99–111, 1991. +25. M. Jakobsson and J. Muller. Improved magic ink signatures using hints. In proceedings +of Financial Cryptography ‘99. Forthcoming volume in Lecture Notes in +Computer Science, 1999. +26. M. Jakobsson and M. Yung. Revokable and versatile electronic mony. In Clifford +Neuman, editor, 3rd ACM Conference on Computer and Communications Security, +pages 76–87, New Delhi, India, March 1996. ACM Press. +27. R. Merkle. Protocols for public key cryptosystems. In IEEE, editor, Proceedings +of the 1980 Symposium on Security and Privacy, April 14–16, 1980 Oakland, California, +1109 Spring Street, Suite 300, Silver Spring, MD 20910, USA, 1980. IEEE +Computer Society Press. +28. D. M’Raihi. Cost-effective payment schemes with privacy regulation. In +Kwangjo Kim and Tsutomu Matsumoto, editors, Advances in Cryptology— +ASIACRYPT ’96, volume 1163 of Lecture Notes in Computer Science, pages 266– +275, Kyongju, Korea, 3–7 November 1996. Springer-Verlag. +29. M. Naor, R. Ostrovsky, Venkatesan, and M. Yung. Perfect zero-knowledge arguments +for NP using any one-way permutation. Journal of Cryptology, 11, 1998. +30. K. Nyberg. Fast accumulated hashing. In Dieter Grollman, editor, Fast Software +Encryption: Third International Workshop, volume 1039 of Lecture Notes in Computer +Science, pages 83–87, Cambridge, UK, 21–23 February 1996. Springer-Verlag. +31. Report of the working party on electronic money of the Group of Ten countries. +Electronic money - consumer protection, law enforcement, supervisory and cross +border issues. Publication of the Bank for International Settlements, Basle, April +1997. http://www.bis.org/publ/index.htm. +32. Basle Committee on Banking Supervision. Core principles for effective banking supervision. +Publication of the Bank for International Settlements, Basle, September +1997. http://www.bis.org/publ/index.htm. +572 T. Sander, A. Ta–Shma +33. Basle Committee on Banking Supervision. Risk management for electronic banking +and electronic money activities. Publication of the Bank for International +Settlements, Basle, March 1998. http://www.bis.org/publ/index.htm. +34. H. Peterson and G. Poupard. Efficient scalable fair cash with off-line extortion +prevention. Lecture Notes in Computer Science, 1334:463–??, 1997. +35. T. Sander. Efficient accumulators without trapdoor. Manuscript, 1999. +36. T. Sander and A. Ta-Shma. Flow control: A new approach for anonymity control in +electronic cash systems. In proceedings of Financial Cryptography ‘99. Forthcoming +volume in Lecture Notes in Computer Science, 1999. +37. Daniel R. Simon. Anonymous communication and anonymous cash. In Neal +Koblitz, editor, Advances in Cryptology—CRYPTO ’96, volume 1109 of Lecture +Notes in Computer Science, pages 61–73. Springer-Verlag, 18–22 August 1996. +38. S. von Solms and D. Naccache. On blind signatures and perfect crimes. Computers +and Security, 11(6):581–583, October 1992. +