- Email: [email protected]
A faster single-term divisible electronic cash: ZCash
Electronic Commerce Research and Applications 1 (2002) 331–338 www.elsevier.com / locate / ecra
A faster single-term divisible electronic cash: ZCash Ming Zhong Department of Computer Science, University of Rochester, P.O. Box 270226, Rochester, NY 14627, USA
Abstract This paper presented a new unlinkable, single-term divisible electronic cash scheme, whose name is ZCash. This scheme overcomes the problems of previous schemes through its greater efficiency and the unlinkability of every cash it generates. Compared with Okamoto’s scheme [Advances in Cryptology—Crypto ’95, Springer, New York, 1995: 438–451] and Chan’s scheme [Advances in Cryptology—Eurocrypt ’98, Springer, New York, 1998: 561–575] (the two best known E-cash schemes), ZCash achieve higher efficiency by not using range-bounded commitment schemes. In addition, to prove the correctness of the blind candidate, we use some simple zero-knowledge protocols instead of the Account Opening protocol and Electronic License. By using the indirect disclosure proof in the payment protocol, ZCash realizes revocable anonymity, which allows a trustee to trace the owner of the E-cash according to its payment transcript. ZCash is the first E-cash scheme which realizes both divisibility and revocable anonymity. 2002 Published by Elsevier Science B.V. Keywords: Electronic commerce; Electronic cash; Nyberg–Rueppel blind signature; Zero-knowledge protocols
1. Introduction Chaum et al. [1] presented the first off-line and untraceable electronic cash system, where off-line refers to the property that communication with a bank or authorized center is unnecessary during the payment protocol, and untraceable refers to the purchases of the users being untraceable by anyone. At present, much research has been performed in the area of off-line electronic cash system. In the first generation of electronic cash schemes, the cash consists of many terms of the same form, and the cut-and-choose 1 method is used whenever the cus1
Cut-and-choose method means that a prover sends many candidates to a verifier, then the verifier randomly picks some candidates. The prover opens those chosen candidates to show its correctness. By choosing a large enough number of candidates, the interaction system can reach overwhelming soundness probability.
tomers are withdrawing cash from the bank. Thus the first generation of electronic cash schemes is inefficient. Ferguson [2] proposed the concept of ‘single-term’ E-cash. A single-term cash scheme means a cash scheme in which the cash consists of a single term and the cut-and-choose method is not used for withdrawing. Brand [3] proposed the first practical ‘single-term’ Electronic Cash scheme. The single-term cash scheme is realized by the restrictive blind signature in its withdrawal protocol, which can help the user prove to the bank that his identity information has been correctly embedded in the blind candidate in a zero-knowledge way. Eng and Okamoto [4] opened up another approach to realize ‘single-term’ electronic cash schemes. The single-term cash scheme is realized by the so-called electronic license generated by the cut-and-choose method when the customers
1567-4223 / 02 / $ – see front matter 2002 Published by Elsevier Science B.V. PII: S1567-4223( 02 )00024-8
332
M. Zhong / Electronic Commerce Research and Applications 1 (2002) 331–338
are opening an account. The electronic license can be changed by executing the account opening protocol again. The bank can link the electronic cash generated by the same electronic license, although the cash are untraceable from the customer’s identity. ‘Divisible’ cash is cash that can be used as a whole, or as smaller pieces, until the total value of the pieces used is more than the value of the cash. Okamoto and Ohta [5] introduced the concept of divisibility with a binary tree. However, it is hard to design efficient divisible electronic cash. The divisible cash construction in Okamoto and Ohta [5] is inefficient. The communication complexity during payments is linear in the divisibility precision N (N 5 (the total cash value) / (minimum divisible cash value)). The single-term off-line electronic cash scheme in Brand [3] is efficient, but it is not divisible. The off-line divisible E-cash scheme in Eng and Okamoto [4] is also unpractical, because it requires a payment computation complexity of O(N), where N is divisibility precision. Okamoto [6] proposed the first practical divisible E-cash scheme. This E-cash scheme is very delicate and efficient. The computation and communication complexity of every protocol in this scheme is O(log N), where N is the precision of divisibility. Actually, the only inefficient part of this scheme is its Account Opening Protocol, as the Zero-Knowledge-Protocol used to create Electronic License is quite inefficient. The E-cash scheme [7] proposed by Agnes Chan is a further improvement based on Okamoto’s scheme. It improved the efficiency of the Account Opening Protocol of Okamoto’s scheme. Frankel et al. [8] introduced the notion of ‘indirect disclosure proof’ and used it to implement E-cash schemes with revocable anonymity. After that, several E-cash schemes [9,10] with revocable anonymity have been proposed. But none of these E-cash schemes are divisible, which will limit their applications.
1.1. Our contributions In the coming text, we will present a new efficient single-term divisible electronic cash scheme. The
complexities of computation and communication of ZCash are O(log N), N is the divisibility precision. The divisibility of ZCash is still realized with the binary tree. Unlike Okamoto’s E-cash scheme [6], we completely eliminated the need to use the inefficient Account Opening Protocol and ‘electronic license’, thus realize real unlinkability in every cash generated by ZCash. In the withdrawal protocol, Okamoto’s scheme and Chan’s scheme [7] both adopted a commitment scheme to prove the correctness of the blind candidate to be signed by the bank. We used some lightweight zero-knowledge protocols instead of the commitment schemes. This can improve the computation and communication complexity. In addition, when using commitment schemes, to assure that no wrap-around exponentiations occurred, a range bounded commitment scheme must be adopted. To limit the length of the committed numbers, the modulus has to be enlarged by multiplying the accuracy parameter. Thus all the operations (such as multiplications and exponentiations) have to been performed on a modulus with much larger length, which leads to much higher computation cost. This ‘waste’ of the length of the modulus does not happen in ZCash E-cash scheme, which makes the computational efficiency of ZCash scheme outperform Okamoto’s and Chan’s schemes. Okamoto’s scheme is vulnerable to the attack shown in Chan and Frankel [11]. To solve this problem, Chan’s scheme adds uNu (uNu is the Williams integer used in the payment protocol, usually should be 1024 bits) division operations in the payment protocol. This will reduce the computational efficiency. ZCash avoids this problem, since we do not associate the factors of the Williams integer with the user’s identity. Chan’s scheme uses the Schnorr signature-based restrictive blind signature in its withdrawal protocol. This delicate method is proposed by Brand [3]. It helps to prove the correctness of the blind candidate (the identity information has been correctly embedded) without leaking any information. ZCash adopts the Nyberg–Rueppel signature based restrictive blind signature in its withdrawal protocol, because it provides higher computation and communication
M. Zhong / Electronic Commerce Research and Applications 1 (2002) 331–338
efficiency than the Schnorr restrictive blind signature. ZCash also has an optional function block to add revocable anonymity, which allows a trustee to trace the owner of the E-cash according to its payment transcript. ZCash is the first E-cash scheme which realizes both divisibility and revocable anonymity.
1.2. Organization We first introduce some basic zero-knowledge protocols used in ZCash. Then we review the binary tree approach to realize the divisibility of ZCash. Then the protocols of ZCash is described in Section 5. Section 6 explains how to add revocable anonymity to ZCash. In Section 7, we compared the efficiency of ZCash with Okamoto’s scheme and Chan’s schemes, since they are the two best known E-cash schemes. The security of ZCash is discussed in Section 8.
333
computes t 5 g r mod p and sends t to the verifier. The verifier picks random challenge c [ R h0, 1j k and sends it to the prover, here k is the security parameter. Then the prover computes s 5 r 2 cx mod q and sends s to the verifier. The verifier accepts, if g s y c 5 t mod p holds.
( 2). Proving the equality of the discrete logarithms [7,14] To prove that he knows x such that y 1 5 g x mod p and y 2 5 h x mod p, the prover chooses a random r [ R Z *q and computes t 1 5 g r mod p, t 2 5 h r mod p, and sends t 1,2 to the verifier. The verifier picks a random challenge c [ R h0, 1j k and sends it to the prover. The prover computes s 5 r 2 cx mod q and sends it to the verifier. The verifier accepts the proof if g s y c1 5 t 1 and h s y c2 5 t 2 hold.
4. The binary tree approach to realize divisibility 2. Notations and definitions The symbol [ R means to randomly choose an element. i denotes the string concatenation. uPu denotes the length of P. Z *p is the multiplicative group modulo p. Its formal definition is Z *p 5 hxu1 # x , p, gcd(x, p) 5 1j. Zq 5 hxu1 # x , q, x [ Zj. (a /N) denotes the Jacobi symbol of a modulo N.
3. Some basic protocols In this section, we’ll briefly review some zeroknowledge protocols for proving knowledge of discrete logarithms. For the detailed security proof, please refer to the relevant papers. Let p, q are primes, such that p 2 1 5 2q. g’s order in the multiplicative group Z *p is q:
( 1). Proving the knowledge of a discrete logarithm [12,13] To prove that he knows x such that y 5 g x mod p, the prover first chooses a random r [ R Zq and
The divisibility of ZCash will also be based on the most popular divisibility model: the binary tree approach [5,15]. In the binary tree approach: Each E-cash of worth v 5 2 t is associated with a tree of (1 1 t) levels and v leaves. Each node of the tree represents a certain denomination. The root node 0 is assigned a monetary value of v, and the value of any other node 0j 1 j 2 . . . jl are assigned a monetary value of 2 2l ? v ( j i [ h0, 1j for i 5 1, 2, . . . , l). It will be shown by making use of the mentioned tree that for a single E-cash of worth v, it will be possible for a consumer to engage in several transactions, such that the total sum of the amounts of transactions is less than or equal to v. This is exactly what unreusability means. Divisibility and unreusability (no overspending) can be realized by the following two rules: 1. Same node rule: No node can be used more than once. 2. Route node rule: When a node is used, none of the descendant and ancestor nodes of this node can be used.
334
M. Zhong / Electronic Commerce Research and Applications 1 (2002) 331–338
In the Payment Protocol of ZCash in Section 5, we’ll show how to construct the binary tree node values in a way that the rules 1 and 2 can be satisfied.
5. An efficient electronic cash scheme Here are considered the protocols between the customer P, the bank B, and the shopkeeper S. B established the public system parameters ( p, q, g, g1 , g2 , h, hyv ,1 , yv ,2 j): Let p, q be primes, such that p 2 1 5 2q. The generators g, g1 , g2 , h’s orders in the multiplicative group Z *p are q. For the remainder of the paper, all the operations are performed on the modulo p basis. The secret key xv is used to sign on the E-cash with value $v, xv [ R Zq . The public keys are yv ,1 , yv ,2 such that yv ,1 5 g x1v , yv ,2 5 g x2v . B should publish different yv ,1 , yv ,2 values for all value possibilities of v. H, fX , fY , fZ are collision intractable hash functions. P B associates P with I 5 g ID 1 , where IDP [ R Zq is generated and only known by P, and Ig2 ± 1, here I can be used to identify P. B also transmits hsI ? g2d xv j to P. P also pre-computes hz 9v 5s yv ,1d IDP yv ,2 5 sIg2d xv j. Note all the above operations will be performed only once when the customer P establishes his account at the bank B.
5.1. Withdrawal When a customer P wants to withdraw $v from the account, an electronic cash of value $v is then obtained by executing the withdrawal protocol with the bank. At the end of the withdrawal protocol, the bank B provides user P with an electronic cash (EC). The secret key xv used by B to sign, is dependent on v, the value of the cash to be withdrawn. In the withdrawal protocol, we used the Nyberg– Rueppel restrictive blind signature [16,17] to obtain the bank’s signature on the E-cash without revealing any information about the E-cash. For the detailed discussion about this blind signature, please refer to Camenisch et al. [16]. 1. B chooses w [ R Zq , computes d 5 (Ig2 )w , then sends d to P.
2. P chooses s [ R Zq , computes A 1 5 I s , A 2 5 g s2 , z 5 (z 9v )s . P also randomly chooses a Williams integer N [ R Zq such that uNu 5 uqu. Note that this step can be pre-computed. P will always try his best to generate a ‘good’ N, since the anonymity of his identity is based on the hardness of the factorization of N. 3. P chooses u, v [ R Zq , computes m 5 H(A 1 ? A 2 , N, z) and r 5 m(A 1 A 2 )u d v?zv 9 , and m9 5 r / v mod q, then P sends m9 to B. 4. B sends c9 5 m9xv 1 w to P. 5. P computes c 5 c9v 1 u mod q. 6. P verifies that H(A 1 ? A 2 , N, z) 5 z 2c ? (A 1 A 2 )r ? r holds, then forms the Electronic Cash hA 1 , A, N, z, r, cj.
5.2. The payment protocol ( P to S) The payment protocol consists of the cash authentication and denomination revelation.
5.3. Cash authentication At cash authentication, S first verifies the correctness of the bank’s signature on the electronic cash hA 1 , A, N, z, r, cj: P sends hA 1 , A, N, z, r, cj to S. S checks that H(A 1 ? A 2 , N, z) 5 z 2c ? (A 1 A 2 )r ? r. S verifies that (21 /N) 5 1, (2 /N) 5 2 1. Then P sends e 5 ID 2P mod N to S and proves that e is correctly generated: (a) P sends h IDP , h IDP ?s to S. P proves log h h IDP ?s 5 log g 1 A 1 and log h IDP h IDP ?s 5 log g 2 A 2 by using the Proving the equality of discrete logarithms scheme introduced in Section 3. This can assure that the h IDP received by S is correctly generated. 2 (b) P sends h (ID2 P ) to S, then proves to S that log h IDP h (IDP ) 5 log h h IDP by using the Proving the equality of discrete logarithms scheme again. (c) Suppose (IDP )2 5 e 1 kN, then P proves 2to S that he knows k such that k 5 log h Nsh (IDP ) /h ed by using the proving the knowledge of a discrete logarithm scheme introduced in Sec-
M. Zhong / Electronic Commerce Research and Applications 1 (2002) 331–338
tion 3, thus proved the correctness of e received by S.
4. S verifies that:
sZ0j 5.4. Denomination revelation
X0j 1 . . . j l 5 [(k(Y0j 1 . . . j l 22
)
j l 21
2 l 22 j l 21
)2
l 21 j
l
... l
(Y0j 1 )2j 2 fX (ci0iN)l QR )1 / 2 mod N] 21 where c 5 H(A 1 ? A 2 , N, z) and Y0j 1 . . . j i 5 k fY (c)i j 1 i j 2 i . . . i j i iNl 1 . 2. S computes Y0j 1 . . . j i for every j i 11 5 1. Then S verifies the validity of X0j 1 . . . j l :
sX0j
1
. . . jl
/Nd 5 2 1
sX0j
1
. . . jl
d2
; dsY0j 1 . . .
3sY0j 1 . . .
. . . ji
d2
uP u11
5 d92 2e fZsci j 1 i . . . i jl iNd
where d9 [ h61, 62j. If verification succeeds, S accepts P’s payment.
5.5. Deposit protocol ( S to B) S deposits the cash by providing the bank B with the transcript of the payment protocol. B saves the transcript into its database. Then B checks that if this cash has been overspent. If so, then the detecting of overspending protocol is executed to break the anonymity of P.
5.6. The detecting of overspending
1. P computes:
l
1
3 (mod N)
Our denomination revelation protocol is taken verbatim from Okamoto’s scheme [6]. For the detailed discussion and definition, please refer to Okamoto [6]. Assume that a customer P wants to spend $d to a shopkeeper S, P selects nodes according to d. We will show the denomination revelation protocol when P spends node 0j 1 j 2 . . . jl to S. If several nodes are spent per payment, we just need to execute the following protocol for each node to be spent. P firstly sends 0j 1 j 2 . . . jl to S, then executes the following steps:
3 (Y0j 1 . . .
335
d
j l 22
2 l 22 j l 21
j l 21
d2
l 21 j
If P overspends a cash, P must violate one of the two rules of the binary tree approach. First, we show that the ‘same node rule’ is securely realized: Assume that P used the same node 0j 1 j 2 . . . jl twice at a different time and place. Then the two challenges (say, e 1 , e 2 ) should be different with overwhelming probability. Then according to the lemma 2 of Okamoto’s scheme [6], B can easily factor N and computes IDP from c 5 ID P2 mod N. P Then B can trace P’s identity: I 5 g ID 1 . Next, we show that the ‘route node rule’ is securely realized: Assume that nodes 0j 1 j 2 . . . jl and 0j 1 j 2 . . . jl . . . j k are spent. Then the bank B has:
l
...
3sY0j 1d 2j 2 fXsci0iNd mod N where d [ h61, 62j. If they are valid, S selects a random value e9 [ R h0, 1j uP u , then sends S’s identity IDS , time T and e9 to P. 3. P computes e 5 HsIDS iT ie9d [ h0, 1j uPu . P also computes Z0j 1 . . . j i such that sZ0j 1 . . . j id 2 uP u11 5 2 2e k fZ (ci j 1 i . . . i jl iN)l QR (mod N), then sends it to S. Note that this can be easily done since P knows the factorization of N.
X0j 1 . . . j l 5 [(k(Y0j 1 . . .
j l 21
)2
l 21 j
l
(Y0j 1 . . .
j l 22
)2
l 22 j
l 21
3 (Y0j 1 )2j 2 fX(c i0iN )l QR ) 1 / 2 l mod N ] 21 and from X0j 1 . . . (X0j 1 . . .
jl . . . jk
)2
; ((Y0j 1 j 2 . . . ? [(k(Y0j 1 . . .
jl . . . jk
, B computes
k 2l
j k 21
j l 21
)2
)2
k 2l 21 j
l 21 j
l
k
. . . (Y0j 1 . . . j l )2
0j
l 11
)
... l
3 (Y0j 1 )2j 2 fX (ci0iN)l QR )1 / 2 mod N] 1 (mod N)
...
M. Zhong / Electronic Commerce Research and Applications 1 (2002) 331–338
336
Therefore B can extract: [(k(Y0j 1 . . .
j l 21
)2
l 21 j
l
equality of discrete logarithms scheme in Section 3. Note that S received h IDP in the coin authentication phase.
... l
3 (Y0j 1 )2j 2 fX (ci0iN)l QR )1 / 2 mod N] 1 By using [(k(Y0j 1 . . .
j l 21
)2
l 21 j
l
...
The trustee T can trace the owner of the E-cash by x computing IDP 5 t /s g kd T .
7. The ZCash efficiency analysis l
3 (Y0j 1 )2j 2 fX (ci0iN)l QR )1 / 2 mod N] 1 and X0j 1 . . . j l 5 [(k(Y0j 1 . . .
j l 21
)2
l 21 j
3 (Y0j 1 )2j 2 fX (ci0iN)l QR )
l
1 / 2l
... mod N] 21
then B can efficiently and deterministically factor N and computes IDP , thus B can trace P’s identity: P I 5 g ID 1 .
This section compares the storage, communication and computation efficiency of ZCash with those of Okamoto [6]. Let us assume that u pu 5 513, uqu 5 512 and uNu 5 512bits. Though 512 bits are not enough for a RSA modulus, we use these values because Okamoto [6] used the same standard in efficiency analyses. As Okamoto [6], our divisibility binary tree has 18 levels. The divisibility precision is 2 17 (dividing a $1000 cash down to 1 cent). It is sufficient for practical applications.
7.1. Storage comparison 6. To add the revocable anonymity We can add the revocable anonymity to our Ecash. During the payment protocol, the user P sends to the shopper S with the probabilistic encryption of his identity based on a trustee T’s public key, then proves in a zero-knowledge way that the encryption is correctly generated. Deposit means forwarding the original payment transcript and the above encryption information to the bank. For tracing the identity of the E-cash, the bank just needs to forward the encryptions to the trustee T, who can recover the identity of the user P. This protocol is an optional function block for ZCash. In ZCash, we adopt El-Gamal encryption algorithm to realize our revocable anonymity: For the trustee T, the private key x T [ R Zq , and the public key y T 5 g x T . 1. P sends the El-Gamal encryption of IDP to S, i.e. P sends g k , t 5 ( y T )k ? IDP to S, where k [ R Zq . 2. P proves to S that the El-Gamal encryption was correctly performed: P prove to S that log g g k 5 log ysh t /h IDPd by using the Proving the
The storage requirement of one E-cash hA 1 , A, N, z, r, cj of ZCash is 256 bytes, since the information P needs to store for hA 1 , A, N, z, r, cj is hs, N, r, cj. The E-cash in Okamoto [6] is 323 bytes long and in Brand [3] 264 bytes under the same parameters.
7.2. Computation comparison Since we use a modulus of 513 bits, Chan’s scheme [7] uses a modulus of 689 bits, and Okamoto’s scheme [6] uses a modulus of 1030 bits. According to the analysis in Okamoto [6] and Chan and Frankel [7], the exponentiation operation require O(log q log 2 p) bit operations. Thus our exponentiations are approximately 2.5 times less expensive than that of Chan and Frankel [7], and 8 times less expensive than that of Okamoto [6]. In the withdrawal phase, ZCash requires five exponentiations (512 bit modulo) and other three exponentiations which can be pre-computed any time before the execution of the withdrawal protocol. Chan’s scheme needs 16 exponentiations (689 bit modulo) other than the exponentiations which can be pre-computed. In Okamoto’s scheme, it is necessary
M. Zhong / Electronic Commerce Research and Applications 1 (2002) 331–338
to perform more than 4000 exponentiations (1030 bit modulo) when the Account Opening protocol is performed at each withdrawal to obtain the same functionality (to obtain unlinkability among Ecash’s) In the cash authentication phase, ZCash requires 13 exponentiations, while Chan’s and Okamoto’s schemes require eight exponentiations and three exponentiations, respectively. But Chan’s scheme needs to perform uNu 5 512 times divisions to limit the way the user can misbehave. This is inefficient. ZCash does not need to do this. The denomination revelation phases of the three schemes are basically the same. On average, nine nodes are paid. According to Okamoto [6], the user computes about 20 square roots modulo N which the shop verifies.
7.3. Communication comparison In the withdrawal phase, ZCash transmits 192 bytes and Chan’s scheme transmits about 685 bytes. Okamoto’s scheme requires the user P to obtain an electronic license before the withdrawal protocol by executing the account opening protocol. As shown in [6], the amount of computation and communication of the opening protocol is O(log(N)uNu 4 ). This is quite inefficient. In addition, the E-cash withdrawn under the same electronic license can be linked together, which compromises the untraceability of Okamoto’s scheme. In the cash authentication phase, ZCash transmits 1216 bytes, while Chan’s scheme transmits 774 bytes and Okamoto’s scheme transmits 330 bytes. The denomination revelation phases of the three schemes are basically the same. On average, nine nodes are paid. For each node, two 512 bit values are sent to the shop.
8. Security In this section, we’ll show that ZCash satisfies all the essential security model properties of E-cash schemes under certain cryptographic assumptions (these security requirements of E-cash model are discussed and established in Okamoto [6], Chan and Frankel [7] and Franklin and Yung [18]). To save the
337
space, we just show how ZCash satisfies all these properties. For the formal definition of these properties, please refer to Okamoto [6]. 1. Unforgeability: informally speaking, after obtaining l E-cash’s from the bank, the user must not be able to create more than l E-cash’s. It depends on the unforgeability of the restrictive blind signature [16,17] used in ZCash scheme, which means that after obtaining l blind signatures of the bank, the user must not be able to create more than l signatures. This can prevent illegal users from forging E-cash. 2. Untraceability: for any polynomial-time nonuniform algorithm Adv (e.g. dishonest bank), after Adv’s execution as a bank and shops of the withdrawal and payment protocols with customer U0 and U1 , and given a protocol execution transcript by customer Ur (r [ h0, 1j), the probability that Adv output r correctly is less than 1 / 2 1 1 /m c for all constant c and for all sufficiently large m. This property depends on the zero-knowledgeness of the protocols we used in the payment protocol: the proving the knowledge of a discrete logarithm scheme, the proving the equality of discrete logarithms scheme and the blindness of the restrictive blind signature [3]. It means that the bank knows nothing about the Williams integer N and A 1 , A 2 to be signed, after the execution of the withdrawal protocol. This can assure the untraceability of the E-cash generated. 3. Unreusability (no overspending): informally speaking, supposes a user withdraws a E-cash which value is $x, then if the user spends more than $x by this E-cash, then his identity would be revealed by overspending detecting protocol with overwhelming probability. This property of ZCash has been shown in Section 5. The security of ZCash is based on the following assumptions: 1. Discrete logarithm assumption. 2. Factoring and Diffie–Hellman Assumption [6]: let P, P0 , Q 0 , P1 , Q 1 be primes, N0 5 P0 ? Q 0 and N1 5 P1 ? Q 1 , m 5 uP0 u 5 uQ 0 u 5 uP1 u 5 uQ 1 u , uPu , dm for a constant d. Let (P 2 1) / 2
338
M. Zhong / Electronic Commerce Research and Applications 1 (2002) 331–338
be a prime, and the order of g in the multiplicative group Z *P is (P 2 1) / 2. Given (x 0 5 g P 0 mod P,y 0 5 g Q 0 mod P), (x 1 5 g P 1 mod P, y 1 5 g Q 1 mod P), (Nr , N12r )(r [ R h0, 1j), and P, g, for any probabilistic poly-time machine M, the probability that M can compute r is less than 1 / 2 1 1 /m c for all constant c and for all sufficiently large m. 3. Functions H, fX , fY , fZ are collision intractable. ZCash is based on the same assumptions as Okamoto’s scheme and Chan’s scheme.
9. Conclusion This paper proposed a single-term divisible electronic cash scheme which is more efficient than all previous schemes. As shown in ZCash efficiency analysis, the storage, computation and communication cost of ZCash is rather low, which makes it more suitable for practical applications. In addition, the electronic cash generated by out scheme is unlinkable, since it does not use the account opening protocol and the ‘electronic license’. We also clarified the cryptographic assumptions of ZCash. The open problems are: (a) The electronic cash security based on more fundamental cryptographic assumptions. (b) The further improvement of the efficiency of electronic cash schemes. (c) The unlinkability between the portions of the same divisible E-cash.
References [1] D. Chaum, A. Fiat, M. Naor, Untraceable electronic cash, in: Advances in Cryptology—Crypto ’88, Springer, New York, 1990, pp. 319–327, LNCS 403. [2] N.T. Ferguson, Single term off-line coins, in: Advances in Cryptology—Eurcrypt 93, Springer, New York, 1994, pp. 318–328, LNCS. [3] S. Brand, Untraceable off-line cash in wallet with observers, in: Advances in Cryptology—Crypto 93, Springer, New York, 1994, pp. 302–318, LNCS.
[4] T. Eng, T. Okamoto, Single-term divisible coins, in: Advances in Cryptology—Eurcrypt 94, Springer, New York, 1994, pp. 306–313, LNCS 950. [5] T. Okamoto, K. Ohta, Universal electronic cash, in: Advances in Cryptology—Crypto 91, Springer, New York, 1991, pp. 321–337, LNCS. [6] T. Okamoto, An efficient divisible electronic cash scheme, in: Advances in Cryptology—Crypto 95, Springer, New York, 1995, pp. 438–451, LNCS 963. [7] A. Chan, Y. Frankel, Easy come-easy go divisible cash, in: Advances in Cryptology—Eurocrypt 98, 1998, pp. 561–575, LNCS. [8] Y. Frankel, Y. Tsiounis, M. Yung, Indirect disclosure proofs: achieving fair off-line e-cash, in: Advances in Cryptology— Asiacrypt 96, Springer, New York, 1996, pp. 286–300, LNCS 1163. [9] G. Davida, Y. Frankel, Y. Tsiounis, M. Yung, Anonymity control in e-cash, in: Proceedings of the 1st Financial Cryptography Conference, Springer, New York, 1997, LNCS 1318. [10] Y. Frankel, Y. Tsiounis, M. Yung, Fair off-line e-cash made easy, in: Advances in Cryptology—Asiacrypt ’98, 1998, pp. 257–270, LNCS q1514. [11] A. Chan, Y. Frankel, Mis-representation of identities in E-cash schemes and how to prevent it, in: Advances in Cryptology—Asiacrypt 96, Springer, New York, 1996, pp. 276–285, LNCS 1163. [12] D. Chaum, J.H. Evertse, J. van de Graaf, R. Peralta, Demonstrating possessions of a discrete logarithm without revealing it, in: Advances in Cryptology—Crypto 86, Springer, New York, 1986, pp. 200–212, LNCS 263. [13] C.P. Schnorr, Efficient signature generation for smart cards, Journal of Cryptology 4 (3) (1991) 239–252. [14] J. Camenisch, M. Michels, Proving in zero-knowledge that a number is the product of two safe primes, in: Advances in Cryptology—EuroCrypt 99, Springer, New York, 2000, pp. 107–122, LNCS 1592. [15] T.C. Pailles, New protocols for electronic money, in: Advances in Cryptology—Auscrypt 92, Springer, New York, 1993, pp. 263–274, LNCS 718. [16] J. Camenisch, J. Piveteau, M. Stadler, Blind signature based on the discrete logarithm problem, in: Advances in Cryptology—Eurocrypt 94, Springer, New York, 1994, pp. 428–432, LNCS. [17] K.Q. Nguyen, Y. Mu, V. Varadharajan, A new digital cash scheme based on blind Nyberg–Rueppel digital signature, in: Proceedings of First International Information Security Workshop, Springer, New York, 1997, pp. 313–320, LNCS 1396. [18] M. Franklin, M. Yung, Secure and efficient online digital money, in: Proceedings of the 20th International Colloquium on Automata, Languages and Programming (ICALP 1993), Lund, Sweden, July 1993, Springer, 1993, pp. 265–276, LNCS 700.
A faster single-term divisible electronic cash: ZCash Ming Zhong Department of Computer Science, University of Rochester, P.O. Box 270226, Rochester, NY 14627, USA
Abstract This paper presented a new unlinkable, single-term divisible electronic cash scheme, whose name is ZCash. This scheme overcomes the problems of previous schemes through its greater efficiency and the unlinkability of every cash it generates. Compared with Okamoto’s scheme [Advances in Cryptology—Crypto ’95, Springer, New York, 1995: 438–451] and Chan’s scheme [Advances in Cryptology—Eurocrypt ’98, Springer, New York, 1998: 561–575] (the two best known E-cash schemes), ZCash achieve higher efficiency by not using range-bounded commitment schemes. In addition, to prove the correctness of the blind candidate, we use some simple zero-knowledge protocols instead of the Account Opening protocol and Electronic License. By using the indirect disclosure proof in the payment protocol, ZCash realizes revocable anonymity, which allows a trustee to trace the owner of the E-cash according to its payment transcript. ZCash is the first E-cash scheme which realizes both divisibility and revocable anonymity. 2002 Published by Elsevier Science B.V. Keywords: Electronic commerce; Electronic cash; Nyberg–Rueppel blind signature; Zero-knowledge protocols
1. Introduction Chaum et al. [1] presented the first off-line and untraceable electronic cash system, where off-line refers to the property that communication with a bank or authorized center is unnecessary during the payment protocol, and untraceable refers to the purchases of the users being untraceable by anyone. At present, much research has been performed in the area of off-line electronic cash system. In the first generation of electronic cash schemes, the cash consists of many terms of the same form, and the cut-and-choose 1 method is used whenever the cus1
Cut-and-choose method means that a prover sends many candidates to a verifier, then the verifier randomly picks some candidates. The prover opens those chosen candidates to show its correctness. By choosing a large enough number of candidates, the interaction system can reach overwhelming soundness probability.
tomers are withdrawing cash from the bank. Thus the first generation of electronic cash schemes is inefficient. Ferguson [2] proposed the concept of ‘single-term’ E-cash. A single-term cash scheme means a cash scheme in which the cash consists of a single term and the cut-and-choose method is not used for withdrawing. Brand [3] proposed the first practical ‘single-term’ Electronic Cash scheme. The single-term cash scheme is realized by the restrictive blind signature in its withdrawal protocol, which can help the user prove to the bank that his identity information has been correctly embedded in the blind candidate in a zero-knowledge way. Eng and Okamoto [4] opened up another approach to realize ‘single-term’ electronic cash schemes. The single-term cash scheme is realized by the so-called electronic license generated by the cut-and-choose method when the customers
1567-4223 / 02 / $ – see front matter 2002 Published by Elsevier Science B.V. PII: S1567-4223( 02 )00024-8
332
M. Zhong / Electronic Commerce Research and Applications 1 (2002) 331–338
are opening an account. The electronic license can be changed by executing the account opening protocol again. The bank can link the electronic cash generated by the same electronic license, although the cash are untraceable from the customer’s identity. ‘Divisible’ cash is cash that can be used as a whole, or as smaller pieces, until the total value of the pieces used is more than the value of the cash. Okamoto and Ohta [5] introduced the concept of divisibility with a binary tree. However, it is hard to design efficient divisible electronic cash. The divisible cash construction in Okamoto and Ohta [5] is inefficient. The communication complexity during payments is linear in the divisibility precision N (N 5 (the total cash value) / (minimum divisible cash value)). The single-term off-line electronic cash scheme in Brand [3] is efficient, but it is not divisible. The off-line divisible E-cash scheme in Eng and Okamoto [4] is also unpractical, because it requires a payment computation complexity of O(N), where N is divisibility precision. Okamoto [6] proposed the first practical divisible E-cash scheme. This E-cash scheme is very delicate and efficient. The computation and communication complexity of every protocol in this scheme is O(log N), where N is the precision of divisibility. Actually, the only inefficient part of this scheme is its Account Opening Protocol, as the Zero-Knowledge-Protocol used to create Electronic License is quite inefficient. The E-cash scheme [7] proposed by Agnes Chan is a further improvement based on Okamoto’s scheme. It improved the efficiency of the Account Opening Protocol of Okamoto’s scheme. Frankel et al. [8] introduced the notion of ‘indirect disclosure proof’ and used it to implement E-cash schemes with revocable anonymity. After that, several E-cash schemes [9,10] with revocable anonymity have been proposed. But none of these E-cash schemes are divisible, which will limit their applications.
1.1. Our contributions In the coming text, we will present a new efficient single-term divisible electronic cash scheme. The
complexities of computation and communication of ZCash are O(log N), N is the divisibility precision. The divisibility of ZCash is still realized with the binary tree. Unlike Okamoto’s E-cash scheme [6], we completely eliminated the need to use the inefficient Account Opening Protocol and ‘electronic license’, thus realize real unlinkability in every cash generated by ZCash. In the withdrawal protocol, Okamoto’s scheme and Chan’s scheme [7] both adopted a commitment scheme to prove the correctness of the blind candidate to be signed by the bank. We used some lightweight zero-knowledge protocols instead of the commitment schemes. This can improve the computation and communication complexity. In addition, when using commitment schemes, to assure that no wrap-around exponentiations occurred, a range bounded commitment scheme must be adopted. To limit the length of the committed numbers, the modulus has to be enlarged by multiplying the accuracy parameter. Thus all the operations (such as multiplications and exponentiations) have to been performed on a modulus with much larger length, which leads to much higher computation cost. This ‘waste’ of the length of the modulus does not happen in ZCash E-cash scheme, which makes the computational efficiency of ZCash scheme outperform Okamoto’s and Chan’s schemes. Okamoto’s scheme is vulnerable to the attack shown in Chan and Frankel [11]. To solve this problem, Chan’s scheme adds uNu (uNu is the Williams integer used in the payment protocol, usually should be 1024 bits) division operations in the payment protocol. This will reduce the computational efficiency. ZCash avoids this problem, since we do not associate the factors of the Williams integer with the user’s identity. Chan’s scheme uses the Schnorr signature-based restrictive blind signature in its withdrawal protocol. This delicate method is proposed by Brand [3]. It helps to prove the correctness of the blind candidate (the identity information has been correctly embedded) without leaking any information. ZCash adopts the Nyberg–Rueppel signature based restrictive blind signature in its withdrawal protocol, because it provides higher computation and communication
M. Zhong / Electronic Commerce Research and Applications 1 (2002) 331–338
efficiency than the Schnorr restrictive blind signature. ZCash also has an optional function block to add revocable anonymity, which allows a trustee to trace the owner of the E-cash according to its payment transcript. ZCash is the first E-cash scheme which realizes both divisibility and revocable anonymity.
1.2. Organization We first introduce some basic zero-knowledge protocols used in ZCash. Then we review the binary tree approach to realize the divisibility of ZCash. Then the protocols of ZCash is described in Section 5. Section 6 explains how to add revocable anonymity to ZCash. In Section 7, we compared the efficiency of ZCash with Okamoto’s scheme and Chan’s schemes, since they are the two best known E-cash schemes. The security of ZCash is discussed in Section 8.
333
computes t 5 g r mod p and sends t to the verifier. The verifier picks random challenge c [ R h0, 1j k and sends it to the prover, here k is the security parameter. Then the prover computes s 5 r 2 cx mod q and sends s to the verifier. The verifier accepts, if g s y c 5 t mod p holds.
( 2). Proving the equality of the discrete logarithms [7,14] To prove that he knows x such that y 1 5 g x mod p and y 2 5 h x mod p, the prover chooses a random r [ R Z *q and computes t 1 5 g r mod p, t 2 5 h r mod p, and sends t 1,2 to the verifier. The verifier picks a random challenge c [ R h0, 1j k and sends it to the prover. The prover computes s 5 r 2 cx mod q and sends it to the verifier. The verifier accepts the proof if g s y c1 5 t 1 and h s y c2 5 t 2 hold.
4. The binary tree approach to realize divisibility 2. Notations and definitions The symbol [ R means to randomly choose an element. i denotes the string concatenation. uPu denotes the length of P. Z *p is the multiplicative group modulo p. Its formal definition is Z *p 5 hxu1 # x , p, gcd(x, p) 5 1j. Zq 5 hxu1 # x , q, x [ Zj. (a /N) denotes the Jacobi symbol of a modulo N.
3. Some basic protocols In this section, we’ll briefly review some zeroknowledge protocols for proving knowledge of discrete logarithms. For the detailed security proof, please refer to the relevant papers. Let p, q are primes, such that p 2 1 5 2q. g’s order in the multiplicative group Z *p is q:
( 1). Proving the knowledge of a discrete logarithm [12,13] To prove that he knows x such that y 5 g x mod p, the prover first chooses a random r [ R Zq and
The divisibility of ZCash will also be based on the most popular divisibility model: the binary tree approach [5,15]. In the binary tree approach: Each E-cash of worth v 5 2 t is associated with a tree of (1 1 t) levels and v leaves. Each node of the tree represents a certain denomination. The root node 0 is assigned a monetary value of v, and the value of any other node 0j 1 j 2 . . . jl are assigned a monetary value of 2 2l ? v ( j i [ h0, 1j for i 5 1, 2, . . . , l). It will be shown by making use of the mentioned tree that for a single E-cash of worth v, it will be possible for a consumer to engage in several transactions, such that the total sum of the amounts of transactions is less than or equal to v. This is exactly what unreusability means. Divisibility and unreusability (no overspending) can be realized by the following two rules: 1. Same node rule: No node can be used more than once. 2. Route node rule: When a node is used, none of the descendant and ancestor nodes of this node can be used.
334
M. Zhong / Electronic Commerce Research and Applications 1 (2002) 331–338
In the Payment Protocol of ZCash in Section 5, we’ll show how to construct the binary tree node values in a way that the rules 1 and 2 can be satisfied.
5. An efficient electronic cash scheme Here are considered the protocols between the customer P, the bank B, and the shopkeeper S. B established the public system parameters ( p, q, g, g1 , g2 , h, hyv ,1 , yv ,2 j): Let p, q be primes, such that p 2 1 5 2q. The generators g, g1 , g2 , h’s orders in the multiplicative group Z *p are q. For the remainder of the paper, all the operations are performed on the modulo p basis. The secret key xv is used to sign on the E-cash with value $v, xv [ R Zq . The public keys are yv ,1 , yv ,2 such that yv ,1 5 g x1v , yv ,2 5 g x2v . B should publish different yv ,1 , yv ,2 values for all value possibilities of v. H, fX , fY , fZ are collision intractable hash functions. P B associates P with I 5 g ID 1 , where IDP [ R Zq is generated and only known by P, and Ig2 ± 1, here I can be used to identify P. B also transmits hsI ? g2d xv j to P. P also pre-computes hz 9v 5s yv ,1d IDP yv ,2 5 sIg2d xv j. Note all the above operations will be performed only once when the customer P establishes his account at the bank B.
5.1. Withdrawal When a customer P wants to withdraw $v from the account, an electronic cash of value $v is then obtained by executing the withdrawal protocol with the bank. At the end of the withdrawal protocol, the bank B provides user P with an electronic cash (EC). The secret key xv used by B to sign, is dependent on v, the value of the cash to be withdrawn. In the withdrawal protocol, we used the Nyberg– Rueppel restrictive blind signature [16,17] to obtain the bank’s signature on the E-cash without revealing any information about the E-cash. For the detailed discussion about this blind signature, please refer to Camenisch et al. [16]. 1. B chooses w [ R Zq , computes d 5 (Ig2 )w , then sends d to P.
2. P chooses s [ R Zq , computes A 1 5 I s , A 2 5 g s2 , z 5 (z 9v )s . P also randomly chooses a Williams integer N [ R Zq such that uNu 5 uqu. Note that this step can be pre-computed. P will always try his best to generate a ‘good’ N, since the anonymity of his identity is based on the hardness of the factorization of N. 3. P chooses u, v [ R Zq , computes m 5 H(A 1 ? A 2 , N, z) and r 5 m(A 1 A 2 )u d v?zv 9 , and m9 5 r / v mod q, then P sends m9 to B. 4. B sends c9 5 m9xv 1 w to P. 5. P computes c 5 c9v 1 u mod q. 6. P verifies that H(A 1 ? A 2 , N, z) 5 z 2c ? (A 1 A 2 )r ? r holds, then forms the Electronic Cash hA 1 , A, N, z, r, cj.
5.2. The payment protocol ( P to S) The payment protocol consists of the cash authentication and denomination revelation.
5.3. Cash authentication At cash authentication, S first verifies the correctness of the bank’s signature on the electronic cash hA 1 , A, N, z, r, cj: P sends hA 1 , A, N, z, r, cj to S. S checks that H(A 1 ? A 2 , N, z) 5 z 2c ? (A 1 A 2 )r ? r. S verifies that (21 /N) 5 1, (2 /N) 5 2 1. Then P sends e 5 ID 2P mod N to S and proves that e is correctly generated: (a) P sends h IDP , h IDP ?s to S. P proves log h h IDP ?s 5 log g 1 A 1 and log h IDP h IDP ?s 5 log g 2 A 2 by using the Proving the equality of discrete logarithms scheme introduced in Section 3. This can assure that the h IDP received by S is correctly generated. 2 (b) P sends h (ID2 P ) to S, then proves to S that log h IDP h (IDP ) 5 log h h IDP by using the Proving the equality of discrete logarithms scheme again. (c) Suppose (IDP )2 5 e 1 kN, then P proves 2to S that he knows k such that k 5 log h Nsh (IDP ) /h ed by using the proving the knowledge of a discrete logarithm scheme introduced in Sec-
M. Zhong / Electronic Commerce Research and Applications 1 (2002) 331–338
tion 3, thus proved the correctness of e received by S.
4. S verifies that:
sZ0j 5.4. Denomination revelation
X0j 1 . . . j l 5 [(k(Y0j 1 . . . j l 22
)
j l 21
2 l 22 j l 21
)2
l 21 j
l
... l
(Y0j 1 )2j 2 fX (ci0iN)l QR )1 / 2 mod N] 21 where c 5 H(A 1 ? A 2 , N, z) and Y0j 1 . . . j i 5 k fY (c)i j 1 i j 2 i . . . i j i iNl 1 . 2. S computes Y0j 1 . . . j i for every j i 11 5 1. Then S verifies the validity of X0j 1 . . . j l :
sX0j
1
. . . jl
/Nd 5 2 1
sX0j
1
. . . jl
d2
; dsY0j 1 . . .
3sY0j 1 . . .
. . . ji
d2
uP u11
5 d92 2e fZsci j 1 i . . . i jl iNd
where d9 [ h61, 62j. If verification succeeds, S accepts P’s payment.
5.5. Deposit protocol ( S to B) S deposits the cash by providing the bank B with the transcript of the payment protocol. B saves the transcript into its database. Then B checks that if this cash has been overspent. If so, then the detecting of overspending protocol is executed to break the anonymity of P.
5.6. The detecting of overspending
1. P computes:
l
1
3 (mod N)
Our denomination revelation protocol is taken verbatim from Okamoto’s scheme [6]. For the detailed discussion and definition, please refer to Okamoto [6]. Assume that a customer P wants to spend $d to a shopkeeper S, P selects nodes according to d. We will show the denomination revelation protocol when P spends node 0j 1 j 2 . . . jl to S. If several nodes are spent per payment, we just need to execute the following protocol for each node to be spent. P firstly sends 0j 1 j 2 . . . jl to S, then executes the following steps:
3 (Y0j 1 . . .
335
d
j l 22
2 l 22 j l 21
j l 21
d2
l 21 j
If P overspends a cash, P must violate one of the two rules of the binary tree approach. First, we show that the ‘same node rule’ is securely realized: Assume that P used the same node 0j 1 j 2 . . . jl twice at a different time and place. Then the two challenges (say, e 1 , e 2 ) should be different with overwhelming probability. Then according to the lemma 2 of Okamoto’s scheme [6], B can easily factor N and computes IDP from c 5 ID P2 mod N. P Then B can trace P’s identity: I 5 g ID 1 . Next, we show that the ‘route node rule’ is securely realized: Assume that nodes 0j 1 j 2 . . . jl and 0j 1 j 2 . . . jl . . . j k are spent. Then the bank B has:
l
...
3sY0j 1d 2j 2 fXsci0iNd mod N where d [ h61, 62j. If they are valid, S selects a random value e9 [ R h0, 1j uP u , then sends S’s identity IDS , time T and e9 to P. 3. P computes e 5 HsIDS iT ie9d [ h0, 1j uPu . P also computes Z0j 1 . . . j i such that sZ0j 1 . . . j id 2 uP u11 5 2 2e k fZ (ci j 1 i . . . i jl iN)l QR (mod N), then sends it to S. Note that this can be easily done since P knows the factorization of N.
X0j 1 . . . j l 5 [(k(Y0j 1 . . .
j l 21
)2
l 21 j
l
(Y0j 1 . . .
j l 22
)2
l 22 j
l 21
3 (Y0j 1 )2j 2 fX(c i0iN )l QR ) 1 / 2 l mod N ] 21 and from X0j 1 . . . (X0j 1 . . .
jl . . . jk
)2
; ((Y0j 1 j 2 . . . ? [(k(Y0j 1 . . .
jl . . . jk
, B computes
k 2l
j k 21
j l 21
)2
)2
k 2l 21 j
l 21 j
l
k
. . . (Y0j 1 . . . j l )2
0j
l 11
)
... l
3 (Y0j 1 )2j 2 fX (ci0iN)l QR )1 / 2 mod N] 1 (mod N)
...
M. Zhong / Electronic Commerce Research and Applications 1 (2002) 331–338
336
Therefore B can extract: [(k(Y0j 1 . . .
j l 21
)2
l 21 j
l
equality of discrete logarithms scheme in Section 3. Note that S received h IDP in the coin authentication phase.
... l
3 (Y0j 1 )2j 2 fX (ci0iN)l QR )1 / 2 mod N] 1 By using [(k(Y0j 1 . . .
j l 21
)2
l 21 j
l
...
The trustee T can trace the owner of the E-cash by x computing IDP 5 t /s g kd T .
7. The ZCash efficiency analysis l
3 (Y0j 1 )2j 2 fX (ci0iN)l QR )1 / 2 mod N] 1 and X0j 1 . . . j l 5 [(k(Y0j 1 . . .
j l 21
)2
l 21 j
3 (Y0j 1 )2j 2 fX (ci0iN)l QR )
l
1 / 2l
... mod N] 21
then B can efficiently and deterministically factor N and computes IDP , thus B can trace P’s identity: P I 5 g ID 1 .
This section compares the storage, communication and computation efficiency of ZCash with those of Okamoto [6]. Let us assume that u pu 5 513, uqu 5 512 and uNu 5 512bits. Though 512 bits are not enough for a RSA modulus, we use these values because Okamoto [6] used the same standard in efficiency analyses. As Okamoto [6], our divisibility binary tree has 18 levels. The divisibility precision is 2 17 (dividing a $1000 cash down to 1 cent). It is sufficient for practical applications.
7.1. Storage comparison 6. To add the revocable anonymity We can add the revocable anonymity to our Ecash. During the payment protocol, the user P sends to the shopper S with the probabilistic encryption of his identity based on a trustee T’s public key, then proves in a zero-knowledge way that the encryption is correctly generated. Deposit means forwarding the original payment transcript and the above encryption information to the bank. For tracing the identity of the E-cash, the bank just needs to forward the encryptions to the trustee T, who can recover the identity of the user P. This protocol is an optional function block for ZCash. In ZCash, we adopt El-Gamal encryption algorithm to realize our revocable anonymity: For the trustee T, the private key x T [ R Zq , and the public key y T 5 g x T . 1. P sends the El-Gamal encryption of IDP to S, i.e. P sends g k , t 5 ( y T )k ? IDP to S, where k [ R Zq . 2. P proves to S that the El-Gamal encryption was correctly performed: P prove to S that log g g k 5 log ysh t /h IDPd by using the Proving the
The storage requirement of one E-cash hA 1 , A, N, z, r, cj of ZCash is 256 bytes, since the information P needs to store for hA 1 , A, N, z, r, cj is hs, N, r, cj. The E-cash in Okamoto [6] is 323 bytes long and in Brand [3] 264 bytes under the same parameters.
7.2. Computation comparison Since we use a modulus of 513 bits, Chan’s scheme [7] uses a modulus of 689 bits, and Okamoto’s scheme [6] uses a modulus of 1030 bits. According to the analysis in Okamoto [6] and Chan and Frankel [7], the exponentiation operation require O(log q log 2 p) bit operations. Thus our exponentiations are approximately 2.5 times less expensive than that of Chan and Frankel [7], and 8 times less expensive than that of Okamoto [6]. In the withdrawal phase, ZCash requires five exponentiations (512 bit modulo) and other three exponentiations which can be pre-computed any time before the execution of the withdrawal protocol. Chan’s scheme needs 16 exponentiations (689 bit modulo) other than the exponentiations which can be pre-computed. In Okamoto’s scheme, it is necessary
M. Zhong / Electronic Commerce Research and Applications 1 (2002) 331–338
to perform more than 4000 exponentiations (1030 bit modulo) when the Account Opening protocol is performed at each withdrawal to obtain the same functionality (to obtain unlinkability among Ecash’s) In the cash authentication phase, ZCash requires 13 exponentiations, while Chan’s and Okamoto’s schemes require eight exponentiations and three exponentiations, respectively. But Chan’s scheme needs to perform uNu 5 512 times divisions to limit the way the user can misbehave. This is inefficient. ZCash does not need to do this. The denomination revelation phases of the three schemes are basically the same. On average, nine nodes are paid. According to Okamoto [6], the user computes about 20 square roots modulo N which the shop verifies.
7.3. Communication comparison In the withdrawal phase, ZCash transmits 192 bytes and Chan’s scheme transmits about 685 bytes. Okamoto’s scheme requires the user P to obtain an electronic license before the withdrawal protocol by executing the account opening protocol. As shown in [6], the amount of computation and communication of the opening protocol is O(log(N)uNu 4 ). This is quite inefficient. In addition, the E-cash withdrawn under the same electronic license can be linked together, which compromises the untraceability of Okamoto’s scheme. In the cash authentication phase, ZCash transmits 1216 bytes, while Chan’s scheme transmits 774 bytes and Okamoto’s scheme transmits 330 bytes. The denomination revelation phases of the three schemes are basically the same. On average, nine nodes are paid. For each node, two 512 bit values are sent to the shop.
8. Security In this section, we’ll show that ZCash satisfies all the essential security model properties of E-cash schemes under certain cryptographic assumptions (these security requirements of E-cash model are discussed and established in Okamoto [6], Chan and Frankel [7] and Franklin and Yung [18]). To save the
337
space, we just show how ZCash satisfies all these properties. For the formal definition of these properties, please refer to Okamoto [6]. 1. Unforgeability: informally speaking, after obtaining l E-cash’s from the bank, the user must not be able to create more than l E-cash’s. It depends on the unforgeability of the restrictive blind signature [16,17] used in ZCash scheme, which means that after obtaining l blind signatures of the bank, the user must not be able to create more than l signatures. This can prevent illegal users from forging E-cash. 2. Untraceability: for any polynomial-time nonuniform algorithm Adv (e.g. dishonest bank), after Adv’s execution as a bank and shops of the withdrawal and payment protocols with customer U0 and U1 , and given a protocol execution transcript by customer Ur (r [ h0, 1j), the probability that Adv output r correctly is less than 1 / 2 1 1 /m c for all constant c and for all sufficiently large m. This property depends on the zero-knowledgeness of the protocols we used in the payment protocol: the proving the knowledge of a discrete logarithm scheme, the proving the equality of discrete logarithms scheme and the blindness of the restrictive blind signature [3]. It means that the bank knows nothing about the Williams integer N and A 1 , A 2 to be signed, after the execution of the withdrawal protocol. This can assure the untraceability of the E-cash generated. 3. Unreusability (no overspending): informally speaking, supposes a user withdraws a E-cash which value is $x, then if the user spends more than $x by this E-cash, then his identity would be revealed by overspending detecting protocol with overwhelming probability. This property of ZCash has been shown in Section 5. The security of ZCash is based on the following assumptions: 1. Discrete logarithm assumption. 2. Factoring and Diffie–Hellman Assumption [6]: let P, P0 , Q 0 , P1 , Q 1 be primes, N0 5 P0 ? Q 0 and N1 5 P1 ? Q 1 , m 5 uP0 u 5 uQ 0 u 5 uP1 u 5 uQ 1 u , uPu , dm for a constant d. Let (P 2 1) / 2
338
M. Zhong / Electronic Commerce Research and Applications 1 (2002) 331–338
be a prime, and the order of g in the multiplicative group Z *P is (P 2 1) / 2. Given (x 0 5 g P 0 mod P,y 0 5 g Q 0 mod P), (x 1 5 g P 1 mod P, y 1 5 g Q 1 mod P), (Nr , N12r )(r [ R h0, 1j), and P, g, for any probabilistic poly-time machine M, the probability that M can compute r is less than 1 / 2 1 1 /m c for all constant c and for all sufficiently large m. 3. Functions H, fX , fY , fZ are collision intractable. ZCash is based on the same assumptions as Okamoto’s scheme and Chan’s scheme.
9. Conclusion This paper proposed a single-term divisible electronic cash scheme which is more efficient than all previous schemes. As shown in ZCash efficiency analysis, the storage, computation and communication cost of ZCash is rather low, which makes it more suitable for practical applications. In addition, the electronic cash generated by out scheme is unlinkable, since it does not use the account opening protocol and the ‘electronic license’. We also clarified the cryptographic assumptions of ZCash. The open problems are: (a) The electronic cash security based on more fundamental cryptographic assumptions. (b) The further improvement of the efficiency of electronic cash schemes. (c) The unlinkability between the portions of the same divisible E-cash.
References [1] D. Chaum, A. Fiat, M. Naor, Untraceable electronic cash, in: Advances in Cryptology—Crypto ’88, Springer, New York, 1990, pp. 319–327, LNCS 403. [2] N.T. Ferguson, Single term off-line coins, in: Advances in Cryptology—Eurcrypt 93, Springer, New York, 1994, pp. 318–328, LNCS. [3] S. Brand, Untraceable off-line cash in wallet with observers, in: Advances in Cryptology—Crypto 93, Springer, New York, 1994, pp. 302–318, LNCS.
[4] T. Eng, T. Okamoto, Single-term divisible coins, in: Advances in Cryptology—Eurcrypt 94, Springer, New York, 1994, pp. 306–313, LNCS 950. [5] T. Okamoto, K. Ohta, Universal electronic cash, in: Advances in Cryptology—Crypto 91, Springer, New York, 1991, pp. 321–337, LNCS. [6] T. Okamoto, An efficient divisible electronic cash scheme, in: Advances in Cryptology—Crypto 95, Springer, New York, 1995, pp. 438–451, LNCS 963. [7] A. Chan, Y. Frankel, Easy come-easy go divisible cash, in: Advances in Cryptology—Eurocrypt 98, 1998, pp. 561–575, LNCS. [8] Y. Frankel, Y. Tsiounis, M. Yung, Indirect disclosure proofs: achieving fair off-line e-cash, in: Advances in Cryptology— Asiacrypt 96, Springer, New York, 1996, pp. 286–300, LNCS 1163. [9] G. Davida, Y. Frankel, Y. Tsiounis, M. Yung, Anonymity control in e-cash, in: Proceedings of the 1st Financial Cryptography Conference, Springer, New York, 1997, LNCS 1318. [10] Y. Frankel, Y. Tsiounis, M. Yung, Fair off-line e-cash made easy, in: Advances in Cryptology—Asiacrypt ’98, 1998, pp. 257–270, LNCS q1514. [11] A. Chan, Y. Frankel, Mis-representation of identities in E-cash schemes and how to prevent it, in: Advances in Cryptology—Asiacrypt 96, Springer, New York, 1996, pp. 276–285, LNCS 1163. [12] D. Chaum, J.H. Evertse, J. van de Graaf, R. Peralta, Demonstrating possessions of a discrete logarithm without revealing it, in: Advances in Cryptology—Crypto 86, Springer, New York, 1986, pp. 200–212, LNCS 263. [13] C.P. Schnorr, Efficient signature generation for smart cards, Journal of Cryptology 4 (3) (1991) 239–252. [14] J. Camenisch, M. Michels, Proving in zero-knowledge that a number is the product of two safe primes, in: Advances in Cryptology—EuroCrypt 99, Springer, New York, 2000, pp. 107–122, LNCS 1592. [15] T.C. Pailles, New protocols for electronic money, in: Advances in Cryptology—Auscrypt 92, Springer, New York, 1993, pp. 263–274, LNCS 718. [16] J. Camenisch, J. Piveteau, M. Stadler, Blind signature based on the discrete logarithm problem, in: Advances in Cryptology—Eurocrypt 94, Springer, New York, 1994, pp. 428–432, LNCS. [17] K.Q. Nguyen, Y. Mu, V. Varadharajan, A new digital cash scheme based on blind Nyberg–Rueppel digital signature, in: Proceedings of First International Information Security Workshop, Springer, New York, 1997, pp. 313–320, LNCS 1396. [18] M. Franklin, M. Yung, Secure and efficient online digital money, in: Proceedings of the 20th International Colloquium on Automata, Languages and Programming (ICALP 1993), Lund, Sweden, July 1993, Springer, 1993, pp. 265–276, LNCS 700.