MSRC: (M)icropayment (S)cheme
with Ability to (R)eturn (C)hanges
Source: Journal of Information Science and Engineering in review
Presenter: Tsuei-Hung Sun (孫翠鴻)
Date: 2010/11/26
Outline
Introduction
Motivation
Scheme
Security analysis
Comparison
Advantage vs. weakness
Comment
2
R. Rivest, A. Shamir, 1996, “PayWord and MicroMint: two
simple micropayment schemes,” Proceedings of the International
Workshop on Security Protocols, LNCS Vol. 1189, pp. 69-87.
Introduction
Payword
Credit-based
Chains of hash values
Ex. A=(a0,a1,…,an) where ai = h(ai+1), i = n-1, n-2, …, 0.
Every chain has a face value d.
a0 is used as an anchor for verification.
PayWord Certificate
3
Introduction
Micropayment Scheme Using Single-PayWord
Chain (MSSC)
Only one denomination.
Micropayment Scheme Using Multi-PayWord
Chains (MSMC)
Multiple denomination.
Combining several single-payword chains with
different denomination values.
Using to reduce the length of hash chain and the hash
operations of verification.
4
Micropayment Scheme Using
Single-Payword Chain (MSSC)
Customer (PKC, PVC,IDC)
Vendor
Broker (PKB, PVB,IDB)
(PKV, PVV,IDV)
PSR = {IDC , n, IDV}
A  {{ A}PKC }PVC
{ A}PKC
Generates A = (a0, a1, …, an)
satisfies ai = h(ai+1), i = n-1, n-2, …, 0
total money = n x dA
{a0 }PVB
Pay (am, m)
a0  {{a0 }PVB }PK B
?
a0  h m ( a m )
{IDC , IDV , am }PVV
( IDC , IDV , am )  {{ IDC , IDV , am }PVV }PKV
Replace anchor
a0 by am.
Verifies am is legal or not.
If legal, deposits (m x dA) to Vendor’s account and store am,
If not, reject transaction.
PSR: Payment-chain service request. PK: Public key. PV: Private key. ID: Identity.
n: Payord chain of length. dA: Face value. a0: An initially anchors used to verify A-chain.
5
Micropayment Scheme Using
Multi-Payword Chains (MSMC)
Customer (PKC, PVC,IDC)
Vendor
Broker (PKB, PVB,IDB)
(PKV, PVV,IDV)
PSR = {IDC,n,IDV}
dA < dB
A = (a0, a1, …, an), satisfies ai = h(ai+1), i = n-1, n-2, …, 0
B = (b0, b1, …, bn), satisfies bj = h(bj+1), j = n-1, n-2, …, 0
( A, B)  {{ A, B}PKC }PVC
Chain A total money = n x dA
Chain B total money = n x dB
{a0 , b0 }PVB
{ A, B}PKC
(a0 , b0 )  {{a0 , b0 }PVB }PK B
Pay (bM, M) (am, m)
?
a0  h m ( a m )
?
{IDC , IDV , am , bM }PVV
( IDC , IDV , am , bM )  {{ IDC , IDV , am , bM }PVV }PKV
Verifies am, bM are legal or not.
If legal, deposits (M x dB + m x dA) to
Vendor’s account and store am, bM.
If not, reject transaction.
b0  h M (bM )
replace anchor
a0 by am, b0 by bM.
6
Motivation
Problems of MSMC
Find the minimum hash chain in a payment.
Equally spend every single chain.
This paper propose three approaches to
handle above two problems and supporting
the ability of returning changes.
7
Scheme
Three approaches methods
MSRC-I: counter-mode encryption.
MSRC-II: hashing function.
MSRC-III: keyed hashing function.
8
MSRC-I:
Counter-Mode Encryption (1/2)
Customer (PKC, PVC,IDC)
Broker (PKB, PVB,IDB)
Vendor
(PKV, PVV,IDV)
PSR = {IDC,n,r,IDV}
d A  dB
A  (a0 , a1 ,..., an ) , ai = h(ai+1), i = n-1, n-2, …, 0
A'  (an 1 ,..., an  r )  (an1  EK (1),..., an r  EK (r ))
B  (b0 , b1 ,..., bn ) , bj = h(bj+1), j = n-1, n-2, …, 0
{ A, B, K }PKC
( A, B, K )  {{ A, B, K }PKC }PVC
A  (an 1 ,..., an r )  (an1  EK (1),..., anr  EK (r ))
{a0 , b0 , A}PKV
(a0 , b0 , A)  {{a0 , b0 , A'}PKV }PVV
EK: Counter-mode encryption using a secret key K. M x dB: Customer pay total money.
n: Length of payment chain. r: Length of return-change chain. m x dA: Vendor return money.
9
MSRC-I:
Counter-Mode Encryption (2/2)
Customer (PKC, PVC,IDC)
an  m  an  m 1  EK (m)
Broker (PKB, PVB,IDB)
Vendor
(PKV, PVV,IDV)
?
Pay (bM, M)
b0  h M (bM )
 m , m)
Return (an
Replace anchor
b0 by bM.
?
an  h m ( an  m )
an  m 1  h(an  m ), an  m  2  h(an  m 1 ),..., an 1  h(an  2 )
Than can get chain (an+1,…an+m)
and worth (m x dA) dollars.
{IDC , IDV , an  m , bM }PVV
( IDC , IDV , an  m , bM )  {{ IDC , IDV , an  m , bM }PVV }PKV
Verifies a’n+m, bM are legal or not.
If legal, deposits (M x dB + m x dA) to
Vendor’ account and store a’n+m, bM.
If not, reject transaction.
10
MSRC-II:
Hash Function (1/2)
Customer (PKC, PVC,IDC)
Broker (PKB, PVB,IDB)
Vendor
(PKV, PVV,IDV)
PSR = {IDC,n,r,IDV}
d A  dB
A  A1 A2  (a0 , a1 ,..., an ) (an 1 , an  2 ,..., an  r )
A  A1 A2  (a0 , a1,..., an ) (an 1 , an  2 ,..., an  r )
satisfy ai  h(ai 1 ) and ai  h(ai1 ), i  n  r  1, n  r  2,...,0
B  (b0 , b1 ,..., bn ), b j  h(b j 1 ), j  n  1, n  2,...,0
{ A, A1, B}PKC
( A, A1, B)  {{ A, A1, B}PKC }PVC
{a0 , a0 , b0 , A2 }PKV
(a0 , a0 , b0 , A2 )  {{a0 , a0 , b0 , A2 }PKV }PVV
11
MSRC-II:
Hash Function
Customer (PKC, PVC,IDC)
?
(2/2)
Broker (PKB, PVB,IDB)
Vendor
(PKV, PVV,IDV)
Pay (bM, M)
b0  h M (bM )
 m , m)
Return (an
Replace anchor
b0 by bM.
?
an  h m (an  m )
an  m1  h(an  m ), an  m2  h(an  m1 ),..., an 1  h(an  2 )
Than can get chain (an+1,a’n+1),…,(an+m,a’n+m)
and worth (m x dA) dollars.
{IDC , IDV , an  m , bM }PVV
( IDC , IDV , an  m , bM )  {{ IDC , IDV , an  m , bM }PKV
Verifies a’n+m, bM are legal or not.
If legal, deposits (M x dB + m x dA) to
Vendor’ account and store am , am , bM.
If not, reject transaction.
K: secret key for keyed hash function
12
MSRC-III:
Keyed Hash Function (1/2)
Customer (PKC, PVC,IDC)
Broker (PKB, PVB,IDB)
Vendor
(PKV, PVV,IDV)
PSR = {IDC,n,r,IDV}
d A  dB
A  (a0 , a1 ,..., an ), ai = hK(ai+1), i = n+r-1, n+r-2, …, 0
A'  (an 1 , an  2 ,..., an  r ) , ai = hK(ai+1), i = n+r-1, n+r-2, …, 0
B  (b0 , b1 ,..., bn ), bj = h(bj+1), j = n-1, n-2, …, 0
{ A, B, K }PKC
( A, B, K )  {{ A, B, K }PKC }PVC
{a0 , b0 , A, K }PKV
(a0 , b0 , A, K )  {{a0 , b0 , A, K }PKV }PVV
13
MSRC-III:
Keyed Hash Function (2/2)
Customer (PKC, PVC,IDC)
?
an  hKm1 (an m1 )
Broker (PKB, PVB,IDB)
Vendor
(PKV, PVV,IDV)
?
Pay (bM, M)
b0  h M (bM )
Return(an  m1 , m)
Replace anchor
b0 by bM.
an  m  hK (an m1 ), an m1  hK (an m ),..., an1  hK (an 2 )
Than can get chain (an+1,…an+m)
and worth (m x dA) dollars.
{IDC , IDV , an m1 , bM }PVV
( IDC , IDV , an  m1 , bM )  {{ IDC , IDV , an  m1 , bM }PKV
Verifies a’n+m+1, bM are legal or not.
If legal, deposits (M x dB) to
Vendor’ account and store an  m1 , bM .
If not, reject transaction.
14
Security analysis
Counterfeit attack
Attacker: Returned change a'n+i and an+i.
Customer: Change a'n+i and an+i.
Reuse attack
Customer: Double spending and over-spending.
Vendor: Double returning and over-returning.
Redemption attack
Vendor: Anchor ai and (ai,a’i).
15
Comparison
16
Fig. The chains of returned changes for our MSRC.
Comparison
Table. Comparison of micropayment schemes
H: The operation of a hash function h(.). H’: Operation of a keyed hash function hK(.).
D: Counter-mode decryption. d: Denomination.
M: Vendor verifying the payment (bj,M).
m: Customer verifying and obtaining the returned changes.
17
Advantage vs. weakness
Advantage
It can be implemented on mobile devices feasibly.
The return change is useful for avoid some special
pay word chain be exhausted.
All three mode are well protect, and the overhead
of these mode are not very heavy, so Customer can
choose one is better for him or her.
Weakness
Customer may need to maintain many kind of pay
word chains.
18
Comment
If the kind of face value of e-coin are many,
that will be come a burden of Customer,
Broker, and Vendor.
This is very inconvenient to trade only once,
because Customer and Vendor need to redeem
them cash after transaction.
Customer still using return changes after it
expired that may incur collusion attack.
The largest denomination may incur some
attack, because it didn’t have any protect.
19