by J. Orlin Grabbe
Note: In order to read the following text properly, your web browser must be able to handle subscripts and superscripts; i.e. the html commands "sub" and "sup". These commands are used as necessary.
A. General Features
Step 1:
The receiver (customer) sends a message (piece of digital cash) M to the
signer (the bank). It is intended that the bank sign M with its secret key x
(yielding z = M^x) and to also supply a signed proof about x
using the bank's public key h; namely, that log_g (h) = x = log_M
(z). The proof is to guarantee to the customer that the bank has signed M
with a valid signature; namely with its secret key x.
| primes | p, q where q divides p-1 |
| generator | g of G(q) in Z(p)* |
| message | M |
| signer private key | x |
| signer random number | w |
| signer public key | h = g^x mod p |
| signer pseudo-public key | a = g^w mod p |
| signed message | z = M^x mod p |
| pseudo-signed message | b = M^w mod p |
| collision-free hash function | H |
| challenge from receiver | c |
| signer response to challenge | r = w + c*x mod q |
| verification that
signature x is on g (g^x=h) and M (M^x=z) | a*h^c = g^r mod p b*z^c = M^r mod p |
| receiver-generated random numbers | s, t, u, v |
| blinded message | M' = M^s * g^t |
| signed blinded message | z' = z^s*h^t = M'^x |
| blinded pseudo- public key | a' = a^u*g^v = g^w' |
| blinded pseudo- signed message | b' =[a^(u*t)]*[b^(u*s)]*M'^v = M'^w' |
| equivalent blinded intercept | w' = u*w + v mod q |
| blinded challenge (hash value) | c' = H(M', z', a', b') |
| returned challenge to signer | c = c'/u mod q |
| receiver calculated response | r' = v + u*r = w' + c'*x mod q |
Step
2: The signer (the bank) generates a random number w and sends to the
receiver (customer) the following elements:
the signed
message z = M^x
the
pseudo-public key a = g^w
the
pseudo-signed message b = M^w.
[5] M' =
M^s * g^t (blinded message)
=
(M^x)^s*(g^x)^t
=
[M^s*g^t]^x
= M'^x
(signed blinded message)
[7] a' =
a^u*g^v = (g^w)^u*g^v = g^w',
=
[(g^w)^(u*t)]*[(M^w)^(u*s)]*M'^v
=
[(g^t)^(u*w)]*[(M^s)^(u*w)]*M'^v
=
[M'^(u*w)]*M'^v
= M'^w'.
[9] w' =
u*w + v mod q.
[10] c' =
H(M', z', a', b'),
[11] c =
c'/u mod q .
[12] r = w
+ c*x mod q.
[13] a*h^c
= g^r
[14] b*z^c
= M^r .
= g^(w+c*x)
= g^r
b*z^c = (M^w)*(M^x)^c
= M^(w+c*x)
= M^r .
r' = u*r + v mod q
= (u*w + v) + u*c*x mod q
= w' + c' *x mod q.
|
Definition: a
coin is two numbers A, B, and a
signature on A and B composed of four numbers a*h^c = g^r mod p b*z^c = A^r mod p where
c = H(A,B,z,a,b).
|
Note that this
definition looks exactly like equations [13] and [14], as it should, since the coin is the
signed message outcome of a restrictive blind signature. Now, where the different
numbers in the coin definition come from is explained in the following two sections. But,
briefly, is a challenge issued by the user U to the bank
banque. The number r is a response to that challenge. The
number g is a generator announced by the bank, while h is the bank's
public key. The number z is the bank's signature on some customer identifying
information. The origin of A, B, a, and b will be
explained presently.
[15]
hu = g1^u1 mod p
.
[16] z = (hu*g2)^x mod p .
| primes | p, q where q divides p-1 |
| generators | g, g1, g2 of G(q) in Z(p)* |
| secret identifier key of user | u1 |
| user public key | hu = g1^u1 mod p |
| equivalent identifier signed by bank | M = hu*g2 |
| bank's private key | x |
| bank's random number | w |
| bank's public key | h = g^x mod p |
| bank's pseudo- public key | a = g^w mod p |
| bank-signed user identifier | z = M^x mod p |
| bank-pseudo- signed user identifier | b = M^w mod p |
| collision-free hash function | H |
| challenge to bank | c |
| bank's response to challenge | r = w + c*x mod q |
| verification that
signature x is on g (g^x=h) and M (M^x=z) | a*h^c = g^r mod
p b*z^c = M^r = (hu*g2)^r mod p |
| user- generated random numbers | s, x1, x2, u, v |
| blinded user identifier (coin element) | A = M^s = (hu*g2)^s |
| additional coin element | B = g1^x1*g2^x2 |
| signed blinded user identifier | z' = z^s = A^x |
| blinded pseudo- public key | a' = a^u*g^v |
| blinded pseudo- signed user identifier | b' = b^(s*u)*A^v |
| equivalent blinded intercept | w' = u*w + v mod q |
| blinded challenge (hash value) | c' = H(A, B, z', a', b') |
| challenge returned to bank | c = c'/u mod q |
| user-calculated transformed response | r' = v + r*u = w' + c'*x mod q |
| coin definition | {A, B, (z',a',b',r')}, where a'* h^c' = g^r' mod p b'*z'^c' = A^r' mod p c' = H(A,B,z',a',b') |
| challenge from shop | d = Ho(A, B, SHOP-ID, DATE- TIME) |
| user response to shop challenge | r1 = d*(u1*s) +
x1 mod q r2 = d*s + x2 mod q |
| shop verification | A^d*B = g1^r1*g2^r2 mod p |
Step 1: The
bank banque generates a random number w from Z(q)*, and sends the
pseudo-public key a and the pseudo-signed message b to the user
U:
[17]
a= g^w mod p
[18]
b = (hu*g2)^w mod p .
[19]
A = (hu*g2)^s mod p
[20] B =
g1^x1*g2^x2 mod
p
[21] z' =
z^s mod p .
[22] a' = a^u*g^v
mod p
[23] b' = b^(s*u)*A^v
mod p
[25] c = c'/u
mod q .
[26] r = w
+ c*x mod q
[27]
g^r = a*h^c mod p
[29] r' = v + r*u mod q .
Step 1: The user
sends {A, B, (z',a',b',r')} to S.
[31] r1 = d*(u1*s) +
x1 mod q
[32]
r2 = d*s + x2 mod q
[33] A^d*B =
g1^r1*g2^r2
mod p
[34] g^r' = a'*h^c' mod p
[35] A^r' = b'*z'^c' mod p .
=
g1^(u1*s*d+
x1)*g2^(s*d+x2) mod p
=
g1^r1*g2^r2
mod p.
g^r' = g^(v+r*u) mod p
= g^(v+(w+c*x)*u) mod p
=
g^(w*u+v)*g^(x*c*u) mod p
=
(a^u*g^v)*h^(c*u) mod p
=
a'*h^c' mod p.
A^r' = ((hu*g2)^s)^(v+r*u)
mod p
=
(hu*g2)^(s*v+s*(w+c*x)*u)
mod p
=
[(hu*g2)^(s*w*u)]*[(
hu*g2)^(s*x*c*u+s*v)] mod p
=
[b^(s*u)]*[A^(x*c*u+v)] mod p
=
[b^(s*u)]*[z'^(c*u)*A^v] mod p
=
[b^(s*u)*A^v]*z'^(c*u) mod p
=
b'*z'^c' mod p.
Step 1: The
bank verifies equations [33] to [35] to see that this is a valid coin.
{A, B, DATE-TIME, r1,
r2}.
{A, B, DATE-TIME', r'1,
r'2}.
= u1 mod q.
hu = g1^u1
mod p.
u1 = log_g1
(hu) mod p
hu = g1^u1
mod p .
[15-O] I =
hu* ho = g1^(o1 +
u1) mod p,
[16-O] z =
(I*g2)^x mod p,
Step 1: This
step is new. Here the observer O generates a random number
o2 from Z(q)*. The observer calculates hc =
g1^o2 and transfers this to the user
U (i.e. the user's hardware or software).
[17-O] a =
g^w mod p
[18-O] b
= (I*g2)^w mod p .
[19-O] A =
(I*g2)^s mod p
[20-
O] B = g1^x1*g2^x2*
ho^(e*s)* hc mod p
[21-O] z' = z^s
mod p .
[22-O] a' = a^u*g^v
mod p
[23-O] b' =
b^(s*u)*A^v mod p
| primes | p, q where q divides p-1 |
| generators | g, g1, g2 of G(q) in Z(p)* |
| secret key of observer | o1 |
| secret identifier key of user | u1 |
| public key of observer | ho = g1^o1 mod p |
| public key of user | hu = g1^u1 mod p |
| user identifier (joint public key) | I = ho* hu = g1^(o1 + u1) mod p |
| equivalent identifier signed by bank | M = I*g2 |
| bank's private key | x |
| bank's random number | w |
| observer-created random number | o2 |
| observer public key in coin withdrawal | hc = g1^o2 |
| bank's public key | h = g^x mod p |
| bank's pseudo- public key | a = g^w mod p |
| bank-signed user identifier | z = M^x mod p |
| bank-pseudo- signed user identifier | b = M^w mod p |
| collision-free hash function | H |
| challenge to bank | c |
| response to challenge | r = w + c*x mod q |
| verification that signature x is on g (g^x=h) and M (M^x=z) | a*h^c = g^r b*z^c = M^r = (I*g2)^r |
| user-generated random numbers | s, x1, x2, u, v |
| blinded user identifier (coin element) | A = M^s = (I*g2)^s |
| additional coin element | B = g1^x1*g2^x2* ho^(e*s)* hc |
| signed blinded user identifier | z' = z^s = A^x |
| blinded pseudo- public key | a' = a^u*g^v |
| blinded pseudo- signed user identifier | b' = b^(s*u)*A^v |
| equivalent blinded intercept | w' = u*w + v mod q |
| blinded challenge (hash value) | c' = H(A, B, z', a', b') |
| challenge returned to bank | c = c'/u mod q |
| user-calculated transformed response | r' = v + r*u = w' + c'*x mod q |
| coin definition | {A, B, (z',a',b',r')}, where a'* h^c' = g^r' mod p b'*z'^c' = A^r' mod p c' = H(A,B,z',a',b') |
| challenge from shop to user | d = Ho(A, B, SHOP-ID, DATE- TIME) |
| user's challenge to observer | do= s*(d+e) mod q |
| response from observer | r1o = do*o1 + o2 mod q |
| user verfication of observer response | g1^r1o = ho^do*hc mod p |
| user response to shop challenge | r1 = r1o +
d*(u1*s) + x1 mod q r2 = d*s + x2 mod q |
| shop verification | A^d*B = g1^r1*g2^r2 mod p |
The user U then computes the the challenge c' as follows:
[24-O] c' = H(A, B, z', a', b')
and then sends the blinded challenge c back to the bank banque:
[25-O] c = c'/u mod q .
Step 4: The bank sends the response r :
[26-O] r = w + c*x mod q
and debits U's account in the amount equal to the value of one coin.
Step 5: U accepts the debit only if
[27-O] g^r = a*h^c mod p
[28-O] (I*g2)^r = b*z^c mod p .
The user U also calculates r':
[29-O] r' = v + r*u mod q .
The coin is the set of numbers {A, B, (z',a',b',r')}, as before.
2. Payment Protocol with Observer.
When the user U is ready to spend the coin, the following protocol is enacted between the user and the shop S.
Step 1: The user sends {A, B, (z',a',b',r')} to S.
Step 2: The shop returns the challenge d:
[30-O] d = Ho(A, B, SHOP-ID, DATE-TIME) .
Step 3: This step is new. The user U calculates the response
[30A-O] do = s*(d+e) mod q
and sends do to the observer O. The observer calculates its response
[30B-O] r1o = do*o1 + o2 mod q ,
returns o2 to the user U, and erases o2 from memory. Note this is the point where the observer prevents double-spending. For if o2 has already been erased, the observer locks up, and the transaction is not allowed to take place.
The observer here is in effect performing the Schnorr identification protocol, by proving its knowledge of the representation (o1, o2).
Step 4: The user U first verifies the response from the observer O:
[30C-O] g1^r1o = ho^do* hc mod p .
The user U then calculates the responses r1, r2 for the shop S:
[31-O] r1 = r1o + d*(u1*s) + x1 mod q
Step 5: The shop S accepts the coin only if (using c' calculated from the publicly known hash function):
[33-O] A^d*B = g1^r1*g2^r2 mod p
Note that equation [33-O] follows from
A^d*B = (I*g2)^(s*d)*[g1^x 1*g2^x2*ho^(e*s)* hc] mod p
= g1^[(o1+u1)*s*d+ x1+ o1*e*s+ o2]*g2^(s*d+x2) mod p
The user U does not know a representation of his identifying information I (because he doesn't know o1), hence he does not know A by himself. Hence the user can't spend the coin without the help of the observer O.
However, if the tamper-resistance is broken, and the user spends the coin without the help of the observer, the user can be identified, as we see next.
3. Deposit Protocol with Observer.
As before, when the shop S is ready to deposit the coin at the bank banque, the shop sends the payment transcript consisting of the coin {A, B, (z',a',b',r')}, along with (r1, r2) and the DATE-TIME of the transaction. The bank already knows the SHOP-ID, which is used in the communication. The steps below are exactly as those seen previously.
Step 1: The bank verifies equations [33-O] to [35-O] to see that this is a valid coin.
Step 2: If the coin is valid, the bank checks its database to see if the coin was spent previously (that is, the bank checks for double-spending).
a. If the coin is not in the database, then it was not previously spent. Hence the bank credits the account of S, and records the coin in the form
{A, B, DATE-TIME, r1, r2}.
b. If the coin is already in the database, then a fraud has occurred. If S previously deposited the coin, and the DATE-TIME are the same, then S is trying to deposit the same coin or transcript twice. The deposit is rejected for that reason. The bank knows the identity of the shop S responsible and can take steps to ascertain whether this is error or fraud.
c. Otherwise, the coin has been double-spent, and the bank takes steps to unmask the double-spender. The bank will have two sets of information regarding the coin:
{A, B, DATE-TIME, r1, r2}.
Hence, the shop can calculate
(r1 - r'1) / (r2 - r'2) = [d*s*(o1+u1) - d'*s*(o1+u1)] / [d*s - d's]
Thus the bank can check its database for the user identity (see equation [15-O])
I = g1^(o1+u1 ) mod p.
In addition, the bank, which already knew o1, now knows u1 also, which it would not otherwise known (without taking discrete logarithms). Hence the bank's knowledge of
u1 = log_g1 (I) - o1 mod p
serves as proof of the double-spending.
E. Internet Cash Using a Counter
To this point we have a digital cash system that uses a restrictive blind signature. The latter prevents the bank from tracing a coin after signing it, because the user transforms the withdrawn coin into a blinded version that has a valid signature of the bank. But if the coin is double-spent the blinding is stripped away, and the secret key (and hence the identity) of the user who double-spent is revealed. The latter is accomplished using the "two points determine a line" principle--the slope of the line being the user's secret key. We have also added an observer into the system, which prevents double-spending at its source (provided the tamper-resistance isn't broken), making the system more efficient, because resources do not have to be wasted tracking down counterfeiters.
The use of Schnorr authentication (a Schnorr signature, in fact, as the challenge is generated from a hash function) between the bank and the user at withdrawal means the user does not have to trust the bank to provide a valid signature on the coin. The use of Schnorr authentication between the user and the merchant means that the coin can be spent with a merchant off- line, because double-spenders can be traced after the fact. Schnorr authentication also takes place between the user and the observer to prevent double-spending before it occurs, and to assure the user the observer isn't secretly leaking identifying information.
But all coins in the system are of the same size. This would not be practical if the system were used for the small payments (micropayments) for information that are often contemplated for the Internet, such as pennies for several kilobytes of information from a research journal. Penny-sized coins would make the total number of coins much too large. So in this section we add a counter, which is a running (changeable) balance maintained in EEPROM by the observer in a smart card or a PC (PCMCIA) card. Withdrawals from the bank increase the counter balance, while payments to merchants decrease the balance.
This requires some system modifications. When a payment is made to a merchant, the observer will provide a digital signature on the payment amount. This will ensure that the counter has been decreased by the same amount as the payment to the merchant. (The observer will also verify that the amount of the payment is not greater than the existing balance on the counter.) An observer secret key that is used to sign the payment amount will be unique to the observer. Such a unique secret key in each observer is necessary because otherwise, if one observer were cracked and the secret key extracted, the entire system would be compromised.
The observer will also provide the merchant the observer's public key so that it can verify the observer's signature on the amount. This, however, creates a practical problem. How does the merchant know that the public key sent to it is a valid public key of the observer, and not one substituted by the user who has signed an invalid payment amount? The merchant could keep a large database of all valid observer public keys for comparison, but this would not be practical. A more realistic solution is to have the user also submit a certificate at payment time, where a certificate is the bank's signature on the observer's public key.
However, this alone is not sufficient for the bank's security. If the user were to break the tamper-resistance of the observer, the user could then forge a signature on payment amounts of arbitrary size, using the secret key embedded in the observer. (Meanwhile, the user could continue to supply certificates showing the bank's signature on the public key corresponding to this secret key.) So a further refinement, to limit the amount of damage to the bank (or digital cash supplier) in the event of observer failure or tampering, is to have each payment amount signed with a separate secret key of the observer, each of which is accompanied by a public key which has been certified by the bank. That means that a set of such key pairs will have to be periodically downloaded from the bank into the observer. (Only the secret keys need be stored in the observer. The public keys and certificates could be stored elsewhere in the user's computer.) Thus if the observer were cracked, the attacker- thief would have to keep withdrawing new certified keys from the bank in order to keep spending. This should limit the amount of damage before the double-spender is identified, and also limit the incentive to invest resources in order to compromise observers.
The use of payment certificates requires a certificate-issuing protocol. These payment certificates can be thought of as individual checks in an electronic checkbook. Each check (certificate) can only be used once, and the amount of the certificate is filled in at payment time. Once all the blank checks have been used, more must be downloaded from the bank. (This contrasts with the previous protocol, in which the user would download a set of coins of predetermined size. Because the coin size was fixed, we did not have to worry about filling in the amount.)
The details of this certificate-issuing protocol will be highlighted in the description of the modified system that follows.
1. Opening an Internet Account.
To open an account, the user (user's computer) U generates a random number u1 from Z(q)*, and computes the following number (a user identifier public key) which is sent to the bank
hu = g1^u1 mod p .
The user keeps u1 secret, perhaps even keeping part of u1 in the form of a password that must be typed into the computer as needed.
The bank banque verifies the identity of the user in some fashion. The bank generates for U a secret random number o1 from Z(q)*, and stores this along with the user information in an account database. The account database contains a balance variable representing the amount of money the user has with the bank.
The bank provides U with an observer (O), which has embedded within ROM the secret key o1, the generator g1, a description of G(q) (namely, p and q), computer code to enact the protocols below, and a variable called balance representing the amount of money withdrawn from the bank. The user U does not know what o1 is. The bank computes the observer identifier public key ho = g1^o1 and the joint user/observer identifier public key I,
[15-I] I = hu* ho = g1^(o1 + u1) mod p,
and stores these in the account database. The bank also computes a signature z on user identification information using its secret key x:
[16-I] z = (I*g2)^x mod p,
and makes ho and z known to the user. The variables ho, I, and z are stored in the user's software along with hu and u1.
Because the user U does not know o1, he cannot compute for himeself signatures with respect to the joint public key I. This will prevent him from double-spending certified keys issued by the bank banque. The user's secret key u1, meanwhile, prevents framing attempts by the bank. The bank can't falsely accuse the user of double-spending, because the bank can't demonstrate knowledge of u1. The bank can only learn u1 if the user (by breaking the observer) double-spends the same certified keys.
In addition to the key o1, the generator g1, the primes p and q, and the balance variable, the observer will need the following items:
seq, a sequence number, which the bank has set to some initial number;
These stored variables will be used by the observer O in the protocols that follow.
2. Internet Withdrawal Protocol.
Because we are now using a digital cash counter, we have to keep track of the circumstances under which the counter balance can be changed. Assuming that the bank does not extend credit in connection with digital cash, the first requirement will be that any amount paid via a digitally-signed check must not be greater than the available counter balance. Payments made will reduce the counter balance, while withdrawals from the bank will increase it.
The following withdrawal protocol is performed between the observer and the bank, intermediated by the user's software. The user identifies himself to the bank using the joint key I of the user and observer, and requests to withdraw an amount. Then
Step 1: The bank banque decreases the account balance of the user U by the amount the user withdraws. Using the notation ":=" to mean "replaced by", and balance' to denote the user's balance at the bank:
balance' := balance' - amount
Step 2: This information is passed to the observer O via the user. The observer first verifies that
v := f(key, sequence, amount) .
If so, then the observer adjusts the balance in the counter:
balance := balance + amount
This transfer is very simple, because we have only adjusted a total, without specifying anything about how this total will be spent.
The use of a sequence number is intended to prevent replay attacks. If the user replays the same bank instructions to the observer, in an attempt to increase the balance without another withdrawal, the replay attack will fail because the sequence number has changed. The observer created verification v will not match the one sent by the bank.
3. Key Certificate Issuing Protocol.
To make payment to a shop S (merchant, service provider), the user U must provide a signature on the intended payment amount, along with a key certificate from the bank banque certifying the public key corresponding to the signature. Various schemes are possible, but for explicitness, we will assume that each key certificate is good for a payment amount up to a prepaid maximum, and in any case is only good for an amount that does not exceed the available balance.
First, in the off-line preprocessing stage, these two steps take place:
Step 1: The observer O generates a random number o2 from Z(q)*. The observer calculates the corresponding public key hc = g1^o2 and transfers this to the user (i.e. the user's hardware or software).
Step 2: The user U generates five random numbers s, x1, x2, u, and v from Z(q)*. These are used to calculate
[19-I] A = (I*g2)^s mod p
As before, z' is a signature on A. That is, z' = A^x. The user (user's computer) stores A, B, and s, x1, x2 for later use in the payment protocol. The variables a', b', and u, v are stored temporarily.
A certificate is then withdrawn by the following on-line protocol between the bank banque and the user U.
Step 1: The bank generates a random number w from Z(q)*, and sends the pseudo-public key a and the pseudo-signed identifier b to the user U:
[17-I] a = g^w mod p
Step 2: The user U then computes the challenge c'
[24-I] c' = H(A, B, z', a*a', b^s*b'),
stores c', and then sends the blinded challenge c back to the bank banque:
[25-I] c = c' + u mod q .
Step 3: The bank sends the response r :
[26-I] r = w + c*x mod q
and debits U's account in the amount equal to the value of one coin.
Step 4: U, either while on-line or off-line, accepts the debit only if
[27-I] g^r = a*h^c mod p
The user U also calculates r':
[29-I] r' = r + v mod q .
and stores r'. The numbers a', b', and u, v can now be erased, as they are no longer needed.
The pair (A,B) can be considered the public key of the user with respect to a subsequent payment. The triple (z',c',r') is the bank's certificate on this key. Note the calculation of c' includes a, b, as well as A, B; z' bears the bank's signature x directly; and r' is calculated from the bank's reponse to the challenge c.
| primes | p, q where q divides p-1 |
| generators | g, g1, g2 of G(q) in Z(p)* |
| secret key of observer | o1 |
| secret identifier key of user | u1 |
| identifier public key of observer | ho = g1^o1 mod p |
| identifier public key of user | hu = g1^u1 mod p |
| joint user identifier (joint public key) | I = ho* hu = g1^(o1 + u1) mod p |
| equivalent identifier signed by bank | M = I*g2 |
| amount of observer-stored digital cash | balance |
| symmetric key shared between bank & observer | key |
| observer sequence number | seq |
| observer one- way function | f(.) |
| bank's private key | x |
| bank's random number | w |
| observer-created random number | o2 |
| observer public key in certificiate withdrawal | hc = g1^o2 mod p |
| bank's public key | h = g^x mod p |
| bank's pseudo- public key | a = g^w mod p |
| bank-signed user identifier | z = M^x mod p |
| bank-pseudo- signed user identifier | b = M^w mod p |
| collision-free hash function | H |
| challenge to bank | c |
| response to challenge | r = w + c*x mod q |
| verification that signature x is on g (g^x=h) and M (M^x=z) | a*h^c = g^r b*z^c = M^r = (I*g2)^r |
| user-generated random numbers | s, x1, x2, u, v |
| blinded certificate element | A = M^s = (I*g2)^s |
| additional certificate element | B = g1^x1*g2^x2*hc ^s |
| certificate public key of user | (A,B) |
| signed blinded user identifier | z' = z^s = A^x |
| temporary variable | a' = h^u*g^v |
| second temporary variable | b' = z'^u*A^v |
| blinded challenge (hash value) | c' = H(A, B, z', a*a', b^s*b') |
| challenge sent to bank | c = c' + u mod q |
| user-calculated transformed response | r' = r + v mod q |
| bank certificate on public key of user | (z',c',r') on (A,B) such that c' = H(A, B, z', g^r'*h^(-c'), A^r'*z'^(-c')) |
| payment specification | spec = (AMOUNT, SHOP-ID, DATE-TIME) |
| equivalent challenge from user to observer | d = Ho(A, B, spec) |
| response from observer | r1o = d*o1 + o2 mod q |
| user verfication of observer response | g1^r1o = ho^d*hc mod p |
| equivalent user response to shop | r1 = s*(r1o +
d*u1) + x1 mod q r2 = d*s + x2 mod q |
| shop verifications | A^d*B =
g1^r1*g2^r2
mod p c' = H(A, B, z', g^r'*h^(-c'), A^r'*z'^(-c')) |
| deposited payment transcript | {(A,B), (z', c', r'), (r1, r2), spec} |
Copyright 1997 J. Orlin Grabbe, 1475 Terminal Way, Suite E, Reno, NV 89502
Step 1: The user
decides on the amount AMOUNT to be transferred. This is concatenated into a
spec vector,
[30B-I] r1o = d*o1 +
o2
mod q
balance := balance -
AMOUNT.
[30C-I] g1^r1o =
ho^d*hc mod p .
Step 1: The user
U sends {(A, B), (z', c', r'), (r1,
r2), spec} to
S.
=
g1^[(o1+u1)*s*d+
x1+ o2*s]*g2^(s*d+x2)
mod p
=
g1^[s*((d*o1+ o2) +
d*u1) + x1 ]*g2^(s*d+x2)
mod p
=
g1^r1*g2^r2
mod p .
a*a' =
g^w*h^u*g^v
=
g^(w+u*x+v)
=
g^(w+c*x+v)*g^(u*x-c*x)
=
g^r'*h^(u-c)
=
g^r'*h^(-c'),
=
A^w*A^(x*u)*A^v
=
A^(w+x*u+v)
=
A^(r'-c*x+u*x)
=
A^r'*z'^(u-c)
=
A^r'*z'^(-c').
Step 1: The
bank checks its database to see if the transcript (A,B) was stored previously.
{A,
B, r1, r2, spec}.
{A, B, r'1, r'2,
spec}.
(r1 -
r'1) / (r2 - r'2) = [s*d*(
o1+u1) - s*d'*(
o1+u1) ] / [d*s - d's]
= o1+ u1 .
Web Page: http://www.aci.net/kalliste/