This invention relates to the field of electronic commerce transaction systems and, more particularly, to the tracing of anonymous digital cash.
Digital cash, also known informally as e-cash, is a form of digital currency. Cash is represented by electronic (digital) coins. As with ordinary coins, each digital coin has a fixed denomination. Coins are "issued" by a coin issuer, also referred to as a bank. Using cryptography, a bank signs a coin to certify the coin's authenticity.
In some electronic cash systems, such as the ECASH system commercially available from DIGICASH of Palo Alto, Calif., a user authenticates herself in a secure manner to a bank. The user then withdraws coins, which are numbers (or sets of numbers) that represent money, from the bank. The bank deducts funds corresponding to the withdrawn coins from her account. To spend a coin with a merchant, the user simply transmits the coin to the merchant. To prevent double spending of a coin, the merchant verifies on-line with the bank that the coin has not already been spent. An explanation of the DIGICASH protocols can be found in B. Schoenmakers, "Basic Security of the ecash(trademark) Payment System," which appears in Computer Security and Industrial Cryptography: State of the Art and Evolution, ESAT Course 1997, edited by Bart Preneel et al.
One type of cryptography used in electronic cash systems is public/private key cryptography. One commercially available public/private key technology is RSA, available from RSA Data Security, Inc. of San Mateo, Calif. To provide a simplified overview, an RSA signature is based on the difficulty of computing roots, for example cube roots, modulo a large modulus N whose factorization is unknown. A signer knows the factorization of the modulus N and so is the only entity able to compute f(x)^(1/n) mod N for a given x, where f is a one-way, collision-free hash function and f(x)^(1/n) mod N denotes the nth root of f(x) modulo N. In the implementation of digital cash, a user who presents a merchant with a valid pair (x, f(x)^(1/n) mod N), where n and N are publicly known numbers chosen by the bank, effectively demonstrates that the coin x has been authorized (signed) by the bank, because only the bank can compute f(x)^(1/n) mod N from x; anyone, on the other hand, can check the pair by raising its second component to the nth power modulo N and comparing the result with f(x). To distinguish among different denominations in this scheme, the bank can use different public exponents. For example, (x, f(x)^(1/3) mod N) might indicate a $0.50 coin, while (x, f(x)^(1/17) mod N) might indicate a $1 coin.
Digital coins have been implemented that are both secure (in the bank's interest) and afford a heightened assurance of consumer privacy by providing anonymity to users with respect to both merchants and banks. Informally, a digital cash scheme is referred to as unconditionally blind or anonymous if the bank that issues a coin is unable to determine, either at the time of withdrawal or later upon examining circulating or deposited coins, which coin was withdrawn by which user. The user can withdraw money from the bank in such a scheme, spend it at a merchant, and be confident that when the merchant deposits the money at the bank, the bank will not be able to recognize the money as the same cash given to the user.
There are several variants of anonymous digital cash, not all of which have been implemented commercially. In a commercially available, on-line version implemented by DIGICASH, a coin consists of an RSA signature by the bank on the hash of a message x. In this blinded protocol, the bank signs coin x by calculating f(x)^(1/n) mod N without knowing what x is. At the time the coin is submitted to the bank for signature, the coin x is "hidden" from the bank by a blinding factor, which the user "multiplies in" and combines with x before transmission to the bank and "divides out" after the bank has signed.
Referring to FIG. 1, the bank publishes a public modulus N = pq, for which it alone knows the factorization (p, q), and chooses a public exponent, which for this example is 3 (i.e., cube roots). A user chooses random numbers x and r, where x is the number to be used in the coin and r is a blinding factor, with x ∈_R Z_N and r ∈_R Z_N, meaning that x and r are drawn uniformly at random from the integers between 0 and N−1 inclusive. (For the blinding factor to be divided out later, r must be invertible modulo N, i.e., gcd(r, N) = 1; this fails only for the negligible fraction of Z_N that shares a factor with N, and a user who hits such an r simply picks another.) The user calculates f(x) mod N and multiplies the result by the blinding factor r^3. The user sends r^3·f(x) mod N to the bank. The bank computes the cube root mod N, which only the bank can do because it knows the factors p and q of N. The bank never learns x, however, because it receives f(x) multiplied by the blinding factor r^3. The bank returns (r^3·f(x))^(1/3) = r·f(x)^(1/3) mod N to the user. The user extracts f(x)^(1/3) from the quantity r·f(x)^(1/3) mod N it receives from the bank by multiplying by r^(−1) mod N, i.e., dividing by r. The user can then provide a merchant with the "signed" coin (x, f(x)^(1/3)). The merchant verifies that the bank signed the coin (x, f(x)^(1/3)) by calculating f(x) mod N from x and comparing it to the cube of f(x)^(1/3) modulo N. This protocol is unconditionally blind: for any blinded value the bank saw and any coin (x, f(x)^(1/3)) later deposited, there is exactly one blinding factor r in Z_N^* consistent with both, so the bank's view is statistically independent of x, and the blindness does not rely on computational assumptions or statistical arguments.
A weaker notion of blindness can be described informally in terms of a lack of statistical correlation between the view of the signer at the time of signing and the set of produced signatures. A more formal definition of computational blindness may be given in terms of the following experiment, with security parameter k. The user produces two messages m0 and m1 of length polynomial in k. The user picks a bit b uniformly at random. In two arbitrarily interleaved (and presumed blind) digital signature protocols, she presents the documents m0 and m1 to the bank in an order specified by b, i.e., in the order {mb, m1−b}. In this interaction she obtains from the bank signatures s(m0) and s(m1) on the two messages. The user then presents the message/signature pairs (m0, s(m0)) and (m1, s(m1)) to the bank, and the bank attempts to guess the bit b. If no polynomial-time algorithm enables the bank to do so with probability 1/2 + 1/poly(k) (over its own coin flips and those of the user), then we say that the digital signature scheme is blind, or secure with respect to anonymity.
Researchers have observed that unconditional anonymity in payment systems might be exploited to facilitate crimes like blackmail and money laundering. This observation spurred research into the idea of making anonymity in payment systems conditional, and, in particular, revocable by a third party. This notion is referred to as trustee-based coin tracing. A National Security Agency report has since declared the availability of tracing in e-cash systems vital to the security interests of the United States. The importance of traceability in e-cash systems has motivated the proposal of various trustee-based coin tracing schemes.
One trustee-based tracing scheme is based on a blind Schnorr-like signature scheme and involves the use of interactive proofs between trustees and the bank. Another trustee-based tracing scheme is based on blind RSA signatures, but makes use of a cut-and-choose protocol, resulting in a scheme that is flexible but has rather large coin sizes and computational requirements.
Another scheme makes use of a blind signature based on that of Chaum and Pedersen. In this scheme, the user requests a pseudonym and registration information from a trustee. The user presents this registration information to the bank, and also incorporates it into the coins she withdraws.
Another scheme introduces the notion of "challenge semantics," enabling flexible determination of coin value, so that coins can be invalidated, for example in case of a bank robbery. This scheme is capable of addressing stronger attack models than many others and a wider range of commercial settings. It is also adaptable to use with any underlying digital signature scheme. On the other hand, this scheme requires on-line participation of a trustee in both coin withdrawal and coin spending.
Another scheme, referred to as "Magic Ink," makes use of blind DSS signatures. In this scheme, signing and anonymity revocation can be conducted by differing quorums of trustees. Trustees are again, however, fully on-line, and the scheme is also rather computationally intensive for most operations.
A slightly different approach to trustee-based tracing is a system based on blind Schnorr signatures in which a user transfers funds from a non-anonymous to an anonymous account, and a trustee is capable of linking the two accounts. The chief disadvantage of this approach is that once the two accounts are linked, anonymity is eliminated.
Another approach is based on blind Schnorr signatures in which the trustee is wholly off-line. This system is quite complex, and involves well over a dozen modular exponentiations by the user at each coin withdrawal. Later developments reduced the computation required in the withdrawal protocol, as well as the database search requirements in owner tracing. The withdrawal protocol, however, still requires over a dozen modular exponentiations on the part of the user.
In addition to the above-described inefficiencies, the schemes described above involve changes or additions to the underlying structure of the coins. They therefore cannot be readily adapted to existing digital cash systems.
A simple and highly efficient trustee-based tracing mechanism is provided that can be added on top of anonymous cash schemes based on blind RSA signatures. The scheme can support both tracing of the identity of a user from a coin, referred to as coin tracing, and generation of a list of all coins belonging to a given user, referred to as owner tracing. Both of these operations require very little computation and database access.
The tracing mechanism according to the present invention has several important advantages over prior schemes. It can be incorporated straightforwardly on top of a commercially implemented on-line anonymous e-cash scheme, for example DIGICASH, with no change to the structure of the coins or to the spending or deposit protocols, and can be easily applied to off-line e-cash variants as well. The tracing mechanism according to the present invention imposes minimal computational overhead on the underlying withdrawal scheme for the user: essentially just several modular multiplications and a Message Authentication Code ("MAC"). Most other schemes carry overhead for the user amounting to several modular exponentiations per transaction, which can mean as much as one hundred times more computation. Computational and storage requirements for the bank are also minimal. The tracing operation is also highly efficient. In the case of coin tracing, for instance, this scheme requires no database lookups, which most other schemes do. The tracing mechanism according to the present invention is also provably secure relative to the underlying cryptographic primitives.
The tracing mechanism requires user registration with a trustee upon set up of the user's account (and possibly again later, if the user spends a large number of coins). As a result of this interaction between user and trustee, the system requires storage of a small amount of authorization data for withdrawals. It should also be noted that to incorporate multiple trustees the system uses what amounts to a trusted dealer.
In general, in one aspect, the invention features a method for obtaining a trustee token from a trustee. The method includes transmitting to a trustee information describing a blinded digital coin and receiving from the trustee a trustee token comprising a signature by the trustee on the blinded coin.
Embodiments of this aspect of the invention include the following features. In one embodiment, the information describing the blinded digital coin is the blinded digital coin. In another embodiment, the information describing the blinded digital coin comprises a random seed for generating one or more blinded digital coins. In another embodiment, the information describing the blinded digital coin further comprises a quantity of desired coins for generating the quantity of desired blinded digital coins. In another embodiment, before the transmitting step, the method includes establishing identity with the trustee using a secret. In another embodiment, the secret comprises a public/private key pair.
In general, in another aspect, the invention features a system for obtaining a trustee token from a trustee. The system includes a transmitter transmitting to a trustee information describing a blinded digital coin, and a receiver receiving from the trustee a trustee token comprising a signature by the trustee on the blinded coin. In one embodiment, the trustee token comprises a signature by the trustee on one or a plurality of blinded coins.
In general, in another aspect, the invention features a method for generating a trustee token. The method includes receiving from a verified user information describing a blinded digital coin. Information describing the blinded digital coin and a verified user identifier are stored. A trustee token comprising a signature by a trustee on the blinded coin is generated using the information describing the blinded digital coin.
Embodiments of this aspect of the invention include the following features. In one embodiment, the information describing the blinded digital coin is the blinded digital coin. In another embodiment, the information describing the blinded digital coin comprises a random seed for generating one or more blinded digital coins. In another embodiment, the information describing the blinded digital coin further comprises a number of desired coins for generating one or more blinded digital coins. In another embodiment, the trustee token includes the trustee's signature on one or a plurality of coins. In another embodiment, after the generating step, the trustee token is transmitted to the user. In another embodiment, before the receiving step, the identity of the user is verified using a secret. In another embodiment, the generating step includes generating a trustee token by using the information describing the blinded digital coin to generate the blinded digital coin, and signing the blinded digital coin. In another embodiment, the blinded digital coin is signed using a private key of a public/private key pair. In another embodiment, the blinded digital coin is signed using a Message Authentication Code ("MAC").
In general, in another aspect, the invention features a system for generating a trustee token. The system includes a receiver for receiving from a verified user information describing a blinded digital coin, a data store for storing the information describing the blinded digital coin and for storing a verified user identifier, and a token generator for generating a trustee token using the information describing the blinded digital coin. In one embodiment, the trustee token is a signature by a trustee on the blinded coin.
In general, in another aspect, the invention features a method for issuing digital cash. The method includes receiving a blinded coin and a trustee token from a verified user. In one embodiment, the trustee token is a signature by a trustee on a blinded coin. The method also includes verifying the trustee token, deducting an amount from an account associated with the user, and issuing the blinded coin with a value related to the amount deducted from the user's account.
Embodiments of this aspect of the invention include the following features. In one embodiment, before the receiving step, the identity of the user is verified using a secret. In another embodiment, the verifying step comprises calculating a Message Authentication Code ("MAC") on the blinded coin. In another embodiment, the verifying step includes verifying a signature by the trustee using the trustee's public key. In another embodiment, the issuing step comprises signing the blinded coin.
In general, in another aspect, the invention features a system for issuing digital cash. The system includes a receiver for receiving a blinded coin and a trustee token from a verified user. The trustee token includes a signature by a trustee on a blinded coin. The system also includes a verifier for verifying the trustee token, a withdrawal mechanism for deducting an amount from an account associated with the user, and an issuer for issuing the blinded coin with a value related to the amount deducted from the user's account.
In general, in another aspect, the invention features a method for receiving digital cash from a coin issuer using a trustee token. The method includes transmitting a blinded digital coin and a trustee token to a coin issuer. The trustee token includes a signature by a trustee on the blinded coin. The method also includes receiving a signature on the blinded digital coin from the coin issuer.
In general, in another aspect, the invention features a system for receiving digital cash from a coin issuer using a trustee token. The system includes a transmitter transmitting a blinded digital coin and a trustee token to a coin issuer. The trustee token includes a signature by a trustee on the blinded coin. The system further includes a receiver receiving a signature on the blinded digital coin from the coin issuer.
In general, in another aspect, the invention features a method for obtaining revokably anonymous digital cash from a bank by using a trustee. The method includes establishing identity with the trustee using a secret, transmitting to the trustee information describing a blinded digital coin, receiving from the trustee a trustee token comprising a signature by the trustee on the blinded coin, transmitting the blinded coin and the trustee token to a bank, and receiving a signature from the bank certifying the blinded coin. Embodiments of this aspect of the invention further include unblinding the coin and transmitting the coin to a merchant.
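The FIG. 1 blind RSA withdrawal and the trustee-token withdrawal just described, carried through as one added worked example. This code is not from the patent or from any DIGICASH implementation; it fixes choices the text leaves open: SHA-256 as the hash f, HMAC-SHA256 under a key shared by trustee and bank as the trustee's MAC (the MAC embodiment named above), 512-bit primes as a toy key size, and a per-user seed from which user and trustee both derive each coin's (x, r) pair (the "random seed" embodiment), which is what lets the trustee answer an owner-tracing query later. The names Trustee, Bank, withdraw, derive_coin and trustee_token are illustrative.

```python
# Added example, not from the patent: a toy trustee-token withdrawal on top of blind RSA.
# Assumed instantiations: SHA-256 as f, HMAC-SHA256 under a trustee/bank shared key as the
# trustee's MAC, 512-bit primes (toy size), a per-user seed deriving each coin's (x, r).
import hashlib
import hmac
import math
import random


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, adequate for a demo key (not constant-time)."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, e: int) -> int:
    """Random prime p with gcd(e, p - 1) == 1, so e is a usable RSA exponent (e prime)."""
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if p % e != 1 and is_probable_prime(p):
            return p


def f(x: int, N: int) -> int:
    """The patent's one-way hash f, here SHA-256 of x reduced modulo N."""
    return int.from_bytes(hashlib.sha256(x.to_bytes((N.bit_length() + 7) // 8, "big")).digest(), "big") % N


def derive_coin(seed: bytes, i: int, N: int) -> tuple[int, int]:
    """Coin number x_i and blinding factor r_i from the registered seed (toy PRNG, not a KDF).
    r must be invertible mod N, or the user cannot divide it out after the bank signs."""
    rng = random.Random(seed + i.to_bytes(4, "big"))
    x, r = rng.randrange(N), rng.randrange(1, N)
    while math.gcd(r, N) != 1:
        r = rng.randrange(1, N)
    return x, r


def blind(x: int, r: int, e: int, N: int) -> int:
    return pow(r, e, N) * f(x, N) % N  # r^e * f(x) mod N: what trustee and bank see, not x


def verify_coin(N: int, e: int, x: int, s: int) -> bool:
    return pow(s, e, N) == f(x, N)  # merchant/bank check of a coin (x, s): s^e == f(x) mod N


def trustee_token(key: bytes, blinded: int, N: int) -> bytes:
    """MAC embodiment of the token: HMAC over the blinded coin under the shared key."""
    return hmac.new(key, blinded.to_bytes((N.bit_length() + 7) // 8, "big"), hashlib.sha256).digest()


class Trustee:
    def __init__(self, mac_key: bytes, N: int, e: int):
        self._key, self.N, self.e = mac_key, N, e
        self.registry: dict[str, list[tuple[bytes, int]]] = {}  # verified user id -> seeds

    def issue_tokens(self, user: str, seed: bytes, count: int) -> list[bytes]:
        """Store (seed, count) under the verified user, then MAC each blinded coin."""
        self.registry.setdefault(user, []).append((seed, count))
        return [trustee_token(self._key, blind(*derive_coin(seed, i, self.N), self.e, self.N), self.N)
                for i in range(count)]

    def owner_trace(self, user: str) -> list[int]:
        """Owner tracing: regenerate every coin number x the user registered."""
        return [derive_coin(seed, i, self.N)[0] for seed, n in self.registry.get(user, []) for i in range(n)]


class Bank:
    def __init__(self, mac_key: bytes, e: int = 3, bits: int = 512):
        p, q = gen_prime(bits, e), gen_prime(bits, e)
        self.N, self.e, self._d = p * q, e, pow(e, -1, (p - 1) * (q - 1))
        self._key, self.accounts = mac_key, {}

    def sign_blinded(self, user: str, blinded: int, token: bytes, amount: int) -> int:
        """Issue the blinded coin only if the trustee vouched for exactly this blinded value."""
        if not hmac.compare_digest(trustee_token(self._key, blinded, self.N), token):
            raise ValueError("trustee token invalid: withdrawal refused")
        if self.accounts.get(user, 0) < amount:
            raise ValueError("insufficient funds")
        self.accounts[user] -= amount
        return pow(blinded, self._d, self.N)  # r * f(x)^(1/e) mod N


def withdraw(user: str, bank: Bank, trustee: Trustee, seed: bytes, count: int, value: int):
    """User side: obtain tokens, send (blinded coin, token) to the bank, unblind, self-check."""
    coins = []
    for i, token in enumerate(trustee.issue_tokens(user, seed, count)):
        x, r = derive_coin(seed, i, bank.N)
        signed = bank.sign_blinded(user, blind(x, r, bank.e, bank.N), token, value)
        s = signed * pow(r, -1, bank.N) % bank.N  # divide out r
        if not verify_coin(bank.N, bank.e, x, s):
            raise RuntimeError("bank returned a bad signature")
        coins.append((x, s))
    return coins
```

Two points worth noting. The bank compares the token in constant time and refuses before touching the account, so a blinded value the trustee never saw is never signed; because the MAC key is shared, however, the bank could mint tokens itself, so a deployment that does not trust the bank to refrain would use the public-key embodiment (a trustee signature the bank verifies with the trustee's public key). Coin tracing from the coin alone (the "decrypting the coin" aspect below) is not shown, because the text does not specify how the user identifier is embedded in x; the owner-tracing side is covered by the trustee regenerating x from the stored seed.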
In general, in another aspect, the invention features a method for tracing a digital coin. The method includes decrypting the coin to reveal a user identifier and matching the user identifier encrypted in the coin to an entity.
In general, in another aspect, the invention features a method for identifying a digital coin associated with a user. The method includes matching the user to a user identifier, matching the user identifier to coins transmitted to a trustee, and identifying the coins matched to the user identifier as coins associated with the user.
In general, in another aspect, the invention features a trustee token comprising a signature by a trustee on a blinded coin. In one embodiment, the trustee token comprises a signature by a trustee on one or more blinded coins. In another embodiment, the trustee token comprises a signature by a trustee on a plurality of blinded coins.
The foregoing and other objects, aspects, features, and advantages of the invention will become more apparent from the following description and from the claims.