MSRC: (M)icropayment (S)cheme with Ability to (R)eturn (C)hanges
Source: Journal of Information Science and Engineering (in review)
Presenter: Tsuei-Hung Sun (孫翠鴻)
Date: 2010/11/26
Outline
- Introduction
- Motivation
- Scheme
- Security analysis
- Comparison
- Advantage vs. weakness
- Comment
Introduction
Payword
- Credit-based
- Chains of hash values
- Ex. $A = (a_0, a_1, \ldots, a_n)$ where $a_i = h(a_{i+1})$, $i = n-1, n-2, \ldots, 0$. Every chain has a face value $d$. $a_0$ is used as an anchor for verification.
PayWord Certificate
R. Rivest, A. Shamir, 1996, “PayWord and MicroMint: two simple micropayment schemes,” Proceedings of the International Workshop on Security Protocols, LNCS Vol. 1189, pp. 69-87.
Introduction
Micropayment Scheme Using Single-PayWord Chain (MSSC)
- Only one denomination.
Micropayment Scheme Using Multi-PayWord Chains (MSMC)
- Multiple denominations.
- Combines several single-payword chains with different denomination values.
- Used to reduce the length of the hash chain and the hash operations of verification.
Micropayment Scheme Using Single-Payword Chain (MSSC)
Customer ($PK_C$, $PV_C$, $ID_C$), Broker ($PK_B$, $PV_B$, $ID_B$), Vendor ($PK_V$, $PV_V$, $ID_V$)
Notation:
- PSR: Payment-chain service request.
- PK: Public key.
- PV: Private key.
- ID: Identity.
- $n$: Length of the payword chain.
- $d_A$: Face value.
- $a_0$: Initial anchor used to verify the A-chain.
Protocol:
- $PSR = \{ID_C, n, ID_V\}$
- Generates $A = (a_0, a_1, \ldots, a_n)$, which satisfies $a_i = h(a_{i+1})$, $i = n-1, n-2, \ldots, 0$; total money $= n \times d_A$
- $\{A\}_{PK_C}$; $A = \{\{A\}_{PK_C}\}_{PV_C}$
- $\{a_0\}_{PV_B}$; $a_0 = \{\{a_0\}_{PV_B}\}_{PK_B}$
- Pay $(a_m, m)$; check $a_0 \stackrel{?}{=} h^m(a_m)$
- Replace anchor $a_0$ by $a_m$.
- $\{ID_C, ID_V, a_m\}_{PV_V}$; $(ID_C, ID_V, a_m) = \{\{ID_C, ID_V, a_m\}_{PV_V}\}_{PK_V}$
- Verifies whether $a_m$ is legal or not. If legal, deposits $(m \times d_A)$ to Vendor's account and stores $a_m$. If not, rejects the transaction.
Micropayment Scheme Using Multi-Payword Chains (MSMC)
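Customer ($PK_C$, $PV_C$, $ID_C$), Broker ($PK_B$, $PV_B$, $ID_B$), Vendor ($PK_V$, $PV_V$, $ID_V$)
- $PSR = \{ID_C, n, ID_V\}$
- $d_A < d_B$
- $A = (a_0, a_1, \ldots, a_n)$, satisfies $a_i = h(a_{i+1})$, $i = n-1, n-2, \ldots, 0$
- $B = (b_0, b_1, \ldots, b_n)$, satisfies $b_j = h(b_{j+1})$, $j = n-1, n-2, \ldots, 0$
- Chain A total money $= n \times d_A$
- Chain B total money $= n \times d_B$
- $\{A, B\}_{PK_C}$; $(A, B) = \{\{A, B\}_{PK_C}\}_{PV_C}$
- $\{a_0, b_0\}_{PV_B}$; $(a_0, b_0) = \{\{a_0, b_0\}_{PV_B}\}_{PK_B}$
- Pay $(b_M, M)$, $(a_m, m)$; check $b_0 \stackrel{?}{=} h^M(b_M)$ and $a_0 \stackrel{?}{=} h^m(a_m)$
- Replace anchor $a_0$ by $a_m$, $b_0$ by $b_M$.
- $\{ID_C, ID_V, a_m, b_M\}_{PV_V}$; $(ID_C, ID_V, a_m, b_M) = \{\{ID_C, ID_V, a_m, b_M\}_{PV_V}\}_{PK_V}$
- Verifies $a_m$, $b_M$ are legal or not. If legal, deposits $(M \times d_B + m \times d_A)$ to Vendor's account and store $a_m$, $b_M$. If not, reject transaction.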
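The vendor-side check from the MSSC and MSMC slides (anchor equals the payword hashed m times, then the anchor is replaced), as an added Python example that is not code from the slides or the paper. SHA-256, the hypothetical `Vendor` class, and the rule that later payments carry the absolute chain index are assumptions.

```python
import hashlib
import os

def h(x: bytes) -> bytes:
    """Hash h(.) of the slides; SHA-256 is an assumption, no hash is named."""
    return hashlib.sha256(x).digest()

def make_chain(n: int) -> list:
    """Return [a_0, ..., a_n] with a_i = h(a_{i+1}); a_n is a random seed."""
    chain = [os.urandom(32)]
    for _ in range(n):
        chain.append(h(chain[-1]))
    chain.reverse()                      # index i now holds a_i; a_0 is the anchor
    return chain

class Vendor:
    """Hypothetical vendor state: per chain, the current anchor and its index."""

    def __init__(self, anchors: dict, face_values: dict):
        self.anchor = dict(anchors)              # chain name -> a_0 / b_0
        self.index = {c: 0 for c in anchors}     # chain name -> index of the anchor
        self.d = dict(face_values)               # chain name -> d_A / d_B

    def accept(self, payment: dict) -> int:
        """payment maps chain name -> (payword, index), e.g. (b_M, M), (a_m, m).
        Returns the amount paid; raises ValueError and keeps state on failure."""
        pending, amount = {}, 0
        for c, (word, idx) in payment.items():
            if c not in self.anchor:
                raise ValueError(f"unknown chain {c}")
            steps = idx - self.index[c]
            if steps <= 0:                        # replayed or older payword
                raise ValueError(f"chain {c}: index {idx} is already spent")
            x = word
            for _ in range(steps):                # anchor ?= h^steps(payword)
                x = h(x)
            if x != self.anchor[c]:
                raise ValueError(f"chain {c}: payword does not hash to the anchor")
            pending[c] = (word, idx)
            amount += steps * self.d[c]
        for c, (word, idx) in pending.items():    # replace anchor a_0 by a_m
            self.anchor[c], self.index[c] = word, idx
        return amount
```

Because the anchor is replaced only after every payword in the payment has verified, a resubmitted payword fails the index check and a forged one leaves the stored anchors untouched.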
Motivation
Problems of MSMC
- Find the minimum hash chain in a payment.
- Equally spend every single chain.
This paper proposes three approaches to handle the above two problems and to support the ability of returning changes.
Scheme
Three approaches
- MSRC-I: counter-mode encryption.
- MSRC-II: hashing function.
- MSRC-III: keyed hashing function.
MSRC-I: Counter-Mode Encryption (1/2)
Customer ($PK_C$, $PV_C$, $ID_C$), Broker ($PK_B$, $PV_B$, $ID_B$), Vendor ($PK_V$, $PV_V$, $ID_V$)
Notation:
- $E_K$: Counter-mode encryption using a secret key $K$.
- $M \times d_B$: Customer pay total money.
- $n$: Length of payment chain.
- $r$: Length of return-change chain.
- $m \times d_A$: Vendor return money.
Protocol:
- $PSR = \{ID_C, n, r, ID_V\}$
- $d_A < d_B$
- $A = (a_0, a_1, \ldots, a_n)$, $a_i = h(a_{i+1})$, $i = n-1, n-2, \ldots, 0$
- $A' = (a'_{n+1}, \ldots, a'_{n+r}) = (a_{n+1} \oplus E_K(1), \ldots, a_{n+r} \oplus E_K(r))$
- $B = (b_0, b_1, \ldots, b_n)$, $b_j = h(b_{j+1})$, $j = n-1, n-2, \ldots, 0$
- $\{A, B, K\}_{PK_C}$; $(A, B, K) = \{\{A, B, K\}_{PK_C}\}_{PV_C}$
- $\{a_0, b_0, A'\}_{PK_V}$; $(a_0, b_0, A') = \{\{a_0, b_0, A'\}_{PK_V}\}_{PV_V}$
MSRC-I: Counter-Mode Encryption (2/2)
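Customer ($PK_C$, $PV_C$, $ID_C$), Broker ($PK_B$, $PV_B$, $ID_B$), Vendor ($PK_V$, $PV_V$, $ID_V$)
- Pay $(b_M, M)$; check $b_0 \stackrel{?}{=} h^M(b_M)$
- Replace anchor $b_0$ by $b_M$.
- Return $(a'_{n+m}, m)$
- $a_{n+m} = a'_{n+m} \oplus E_K(m)$
- $a_n \stackrel{?}{=} h^m(a_{n+m})$
- $a_{n+m-1} = h(a_{n+m}),\ a_{n+m-2} = h(a_{n+m-1}),\ \ldots,\ a_{n+1} = h(a_{n+2})$
- Then can get chain $(a_{n+1}, \ldots, a_{n+m})$, worth $(m \times d_A)$ dollars.
- $\{ID_C, ID_V, a'_{n+m}, b_M\}_{PV_V}$; $(ID_C, ID_V, a'_{n+m}, b_M) = \{\{ID_C, ID_V, a'_{n+m}, b_M\}_{PV_V}\}_{PK_V}$
- Verifies whether $a'_{n+m}$, $b_M$ are legal or not. If legal, deposits $(M \times d_B + m \times d_A)$ to Vendor's account and stores $a'_{n+m}$, $b_M$. If not, rejects the transaction.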
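The MSRC-I return-change step, as an added Python example that is not code from the slides or the paper: the broker masks the return-change words for the vendor, and the customer unmasks a returned word and checks that it hashes back to $a_n$. It assumes SHA-256 for h, XOR masking with $E_K(i)$ as in ordinary counter mode, and an HMAC-SHA-256 stand-in for $E_K$; the function names are hypothetical.

```python
import hashlib
import hmac
import os

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()    # assumed hash; the slides name none

def E(K: bytes, i: int) -> bytes:
    """Stand-in for the counter-mode block E_K(i): HMAC-SHA-256 over the counter.
    Assumption for a dependency-free demo; the slides only say counter mode."""
    return hmac.new(K, i.to_bytes(8, "big"), hashlib.sha256).digest()

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))

def broker_setup(n: int, r: int, K: bytes):
    """Build a_0..a_{n+r} with a_i = h(a_{i+1}). Returns (A, masked):
    A = [a_0..a_n] for the customer, masked[i] = a_{n+i} XOR E_K(i) for the vendor."""
    chain = [os.urandom(32)]
    for _ in range(n + r):
        chain.append(h(chain[-1]))
    chain.reverse()
    masked = {i: xor(chain[n + i], E(K, i)) for i in range(1, r + 1)}
    return chain[: n + 1], masked

def customer_take_change(a_n: bytes, K: bytes, masked_word: bytes, m: int) -> list:
    """Process Return (a'_{n+m}, m). Returns [a_{n+1}, ..., a_{n+m}], worth m * d_A,
    or raises ValueError if the unmasked word does not hash back to a_n."""
    if m < 1 or len(masked_word) != 32:
        raise ValueError("malformed return message")
    x = xor(masked_word, E(K, m))            # a_{n+m} = a'_{n+m} XOR E_K(m)
    words = [x]
    for _ in range(m - 1):                   # a_{n+m-1} = h(a_{n+m}), ..., a_{n+1}
        x = h(x)
        words.append(x)
    if not hmac.compare_digest(h(x), a_n):   # equivalent to a_n ?= h^m(a_{n+m})
        raise ValueError("returned change does not link to a_n")
    words.reverse()                          # ascending order a_{n+1} .. a_{n+m}
    return words
```

The vendor holds only the masked words and never K, so it cannot derive the spendable words itself, while a wrong key, a wrong m, or a word taken from another position all fail the customer's check.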
MSRC-II: Hash Function (1/2)
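Customer ($PK_C$, $PV_C$, $ID_C$), Broker ($PK_B$, $PV_B$, $ID_B$), Vendor ($PK_V$, $PV_V$, $ID_V$)
- $PSR = \{ID_C, n, r, ID_V\}$
- $d_A < d_B$
- $A$ consists of $A_1 = (a_0, a_1, \ldots, a_n)$ and $A_2 = (a_{n+1}, a_{n+2}, \ldots, a_{n+r})$
- $A'$ consists of $A'_1 = (a'_0, a'_1, \ldots, a'_n)$ and $A'_2 = (a'_{n+1}, a'_{n+2}, \ldots, a'_{n+r})$
- satisfy $a_i = h(a_{i+1})$ and $a'_i = h(a'_{i+1})$, $i = n+r-1, n+r-2, \ldots, 0$
- $B = (b_0, b_1, \ldots, b_n)$, $b_j = h(b_{j+1})$, $j = n-1, n-2, \ldots, 0$
- $\{A, A'_1, B\}_{PK_C}$; $(A, A'_1, B) = \{\{A, A'_1, B\}_{PK_C}\}_{PV_C}$
- $\{a_0, a'_0, b_0, A'_2\}_{PK_V}$; $(a_0, a'_0, b_0, A'_2) = \{\{a_0, a'_0, b_0, A'_2\}_{PK_V}\}_{PV_V}$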
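MSRC-II: Hash Function (2/2)
Customer ($PK_C$, $PV_C$, $ID_C$), Broker ($PK_B$, $PV_B$, $ID_B$), Vendor ($PK_V$, $PV_V$, $ID_V$)
K: secret key for keyed hash function
- Pay $(b_M, M)$; check $b_0 \stackrel{?}{=} h^M(b_M)$
- Replace anchor $b_0$ by $b_M$.
- Return $(a'_{n+m}, m)$
- $a'_n \stackrel{?}{=} h^m(a'_{n+m})$
- $a'_{n+m-1} = h(a'_{n+m}),\ a'_{n+m-2} = h(a'_{n+m-1}),\ \ldots,\ a'_{n+1} = h(a'_{n+2})$
- Then can get chain $(a_{n+1}, a'_{n+1}), \ldots, (a_{n+m}, a'_{n+m})$, worth $(m \times d_A)$ dollars.
- $\{ID_C, ID_V, a'_{n+m}, b_M\}_{PV_V}$; $(ID_C, ID_V, a'_{n+m}, b_M) = \{\{ID_C, ID_V, a'_{n+m}, b_M\}_{PV_V}\}_{PK_V}$
- Verifies whether $a'_{n+m}$, $b_M$ are legal or not. If legal, deposits $(M \times d_B + m \times d_A)$ to Vendor's account and stores $a_m$, $a'_m$, $b_M$. If not, rejects the transaction.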
MSRC-III: Keyed Hash Function (1/2)
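Customer ($PK_C$, $PV_C$, $ID_C$), Broker ($PK_B$, $PV_B$, $ID_B$), Vendor ($PK_V$, $PV_V$, $ID_V$)
- $PSR = \{ID_C, n, r, ID_V\}$
- $d_A < d_B$
- $A = (a_0, a_1, \ldots, a_n)$, $a_i = h_K(a_{i+1})$, $i = n+r-1, n+r-2, \ldots, 0$
- $A' = (a_{n+1}, a_{n+2}, \ldots, a_{n+r})$, $a_i = h_K(a_{i+1})$, $i = n+r-1, n+r-2, \ldots, 0$
- $B = (b_0, b_1, \ldots, b_n)$, $b_j = h(b_{j+1})$, $j = n-1, n-2, \ldots, 0$
- $\{A, B, K\}_{PK_C}$; $(A, B, K) = \{\{A, B, K\}_{PK_C}\}_{PV_C}$
- $\{a_0, b_0, A', K\}_{PK_V}$; $(a_0, b_0, A', K) = \{\{a_0, b_0, A', K\}_{PK_V}\}_{PV_V}$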
MSRC-III: Keyed Hash Function (2/2)
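Customer ($PK_C$, $PV_C$, $ID_C$), Broker ($PK_B$, $PV_B$, $ID_B$), Vendor ($PK_V$, $PV_V$, $ID_V$)
- Pay $(b_M, M)$; check $b_0 \stackrel{?}{=} h^M(b_M)$
- Replace anchor $b_0$ by $b_M$.
- Return $(a_{n+m+1}, m)$
- $a_n \stackrel{?}{=} h_K^{m+1}(a_{n+m+1})$
- $a_{n+m} = h_K(a_{n+m+1}),\ a_{n+m-1} = h_K(a_{n+m}),\ \ldots,\ a_{n+1} = h_K(a_{n+2})$
- Then can get chain $(a_{n+1}, \ldots, a_{n+m})$, worth $(m \times d_A)$ dollars.
- $\{ID_C, ID_V, a'_{n+m+1}, b_M\}_{PV_V}$; $(ID_C, ID_V, a'_{n+m+1}, b_M) = \{\{ID_C, ID_V, a'_{n+m+1}, b_M\}_{PV_V}\}_{PK_V}$
- Verifies whether $a'_{n+m+1}$, $b_M$ are legal or not. If legal, deposits $(M \times d_B)$ to Vendor's account and stores $a'_{n+m+1}$, $b_M$. If not, rejects the transaction.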
Security analysis
Counterfeit attack
- Attacker: Returned change $a'_{n+i}$ and $a_{n+i}$.
- Customer: Change $a'_{n+i}$ and $a_{n+i}$.
Reuse attack
- Customer: Double spending and over-spending.
- Vendor: Double returning and over-returning.
Redemption attack
- Vendor: Anchor $a_i$ and $(a_i, a'_i)$.
Comparison
Fig. The chains of returned changes for our MSRC.
Comparison
- H: The operation of a hash function $h(\cdot)$.
- H': Operation of a keyed hash function $h_K(\cdot)$.
- D: Counter-mode decryption.
- d: Denomination.
- M: Vendor verifying the payment $(b_j, M)$.
- m: Customer verifying and obtaining the returned changes.
Table. Comparison of micropayment schemes
Advantage vs. weakness
Advantage
- It can feasibly be implemented on mobile devices.
- The returned change is useful for keeping some particular payword chain from being exhausted.
- All three modes are well protected, and their overhead is not very heavy, so Customer can choose whichever one is better for him or her.
Weakness
- Customer may need to maintain many kinds of payword chains.
Comment
If there are many kinds of e-coin face values, that will become a burden on Customer, Broker, and Vendor.
It is very inconvenient for trading only once, because Customer and Vendor need to redeem them for cash after the transaction.
If Customer still uses returned changes after they have expired, that may incur a collusion attack.
The largest denomination may incur some attacks, because it does not have any protection.