A Fair Electronic Cash System with Identity-based Group Signature Scheme

A fair electronic cash system is a system that allows customers to make payments anonymously. Furthermore the trusted third party can revoke the anonymity when the customers did illegal transactions. In this paper, a new fair electronic cash system based on group signature scheme by using elliptic curve cryptography is proposed, which satisfies properties of secure group signature scheme (correctness, unforgeability, etc.). Moreover, our electronic cash contains group members (users, merchants and banks) and trusted third party which is acted by central bank as group manager.


Introduction
The first group signature scheme was proposed by David Chaum and van-Heyst in 1991 [1].Group signature schemes allow a group member to sign messages on behalf of the group.Such signatures must be anonymous and unlinkable but, whenever needed, a designated group manager can reveal the identity of the signer [1][2][3].Shamir proposed an identity based signature to simplify key management procedures of certificate-based public key infrastructures (PKI) [4].A lot of identity based group signatures have been proposed after Shamir [5][6][7][8].Many group signatures scheme have been proposed recently, but several of them were suggested application electronic cash.[9][10][11] introduced group signatures into electronic cash schemes which are anonymous and unlinkability.

Main Contribution
In this paper, identity based group signature scheme is proposed, which satisfies the electronic cash based on group signatures.Furthermore it provides to keep group member anonymous and unlinkability if he does not cheat.In this scheme we use trusted third party, which acts the group manager.The user is a group member who should register at TTP before start any interaction with the bank.
The rest of this paper is as follows: in the next section, we introduce some preliminaries work.Our identity based group signature is presented in Section 3. In Section 4, we propose a new electronic cash system.We explain security analysis of our scheme in Section 5. Final section concludes.

Preliminaries
In this section, we will describe the definition and properties of elliptic curve cryptography, bilinear pairings, Gap Diffie-Hellman Group and Group signature models.

Definition1: Addition Rules of Elliptic Curve [12]
It is possible to define an addition rule to add points on E. The addition rule is specified as follows: be two points such that 1 x x  then as shown in Figure 1, where , where: . Architecture of our electronic cash scheme.

Definition 2 Elliptic Curve Discrete Logarithm Problem (ECDLP)
Given an elliptic curve E defined over a finite field q Z , a point . The integer x is called the discrete logarithm of Q to the base P denoted as log P x Q  . If x is sufficient large, then it is infeasible to compute it [13].

Bilinear Pairings
Let 1 and 2 be two cyclic groups generates by P, whose order is a prime q, where 1 is additive groups and is multiplicative group.A pairing is a function: All pairing will satisfy the following properties: 1) Bilinear: For all  and then * , 2) Non-degenerate: There exists such that  e P Q  3) Computable: There is an efficient algorithm to compute for all , P Q  .

Gap Diffie-Hellman Group
We first introduce the following problems in G [14]. , to compute .
  P,a , , P bP cP , or * , , q a b c Z q  c ab Given , to decide whether  .
We call 1 a GDH group if DDHP can be solved in polynomial time but no polynomial times an algorithm can solve CDHP or DLP with non-negligible advantage within polynomial time.

Group Signature Model
A group signature scheme is comprised of the following procedures [5]: 1) Setup: An algorithm that generates the group public key and a group master key for the group manager.
2) Extract: A protocol between the group manager and a group member that generates the user's secret key and public key.
3) Sign: A probabilistic algorithm (with inputs as a group public key, a membership secret and a message m) outputs a group signature of m. 4) Verify: An algorithm for establishing the validity of an alleged group signature of a message with respect to the group public key.5) Reveal: An algorithm that, given a message, a valid group signature on it, a group public key and a group manager's master key, determines the identity of the actual signer.
A secure group signature scheme should satisfy all or part of the properties: 1) Correctness: Group signatures produced by a group member must be valid.
2) Unforgeability: Only group members are able to sign messages on behalf of the group.
3) Anonymity: It is infeasible to find out the group member who signed a message without the group manager's secret key.
4) Unlinkability: Deciding whether two different valid signatures were computed by the same group member is computationally hard.
5) Exculpability: Neither a group member nor the group manager can sign on behalf of other group members.
6) Traceability: The group manager is always able to identify the actual signer for a valid signature in case of disputes.
7) Coalition-resistance: No coalition of members can prevent a group signature from being opened.

Our Identity Based Group Signature
In this section we consider ID-based group signature scheme from bilinear pairings, which can be implemented as follows:

Setup
Setup is a system generation.The group manager executes the following: Choose 1 2 as defined in 2.2 and choose .Select three hash function cryptography which satisfy q , , , x Z  as secret key.Compute and publish as public key.

Extract
Before the user joins the group, manager should execute this step: When the user wants to become the member of group then the user i and the group manager can cooperates as follows: The user sends his public key with ID (identification) to the group manager.
2) Group manager select random numbers i q for every member who want become group member.
3) Group manager calculate and then sends to the user as the membership certificate.

Sign
When the user wants to sign message m, the user can do the followings: The user selects random elements * 1 2 q  and M 1 ,W G  , and then calculates the followings: The resulting signature on the message m is (U, C, D, W, R, S).

Verify
When the receiver wants to verify the group signature (U, C, D, W, R, S) of the message m which is signed by the signer, the receiver first computes      and then verifies     , , i e S G hH R P   .

Open
This algorithm is only executed by the group manager.Given valid group signatures the group manager can easily find the identity of the signer.The signer cannot deny his group signatures after group manager presents the followings: protocols: withdraw protocol, payment protocol and deposit

Electronic Cash Architecture
In this section, we describe our system architecture and how each protocol of e-cash works.er and the users act group membership.The user should be registering at TTP before start any interaction with the bank.After registration, the user will get a valid membership certificate and a secret key from TTP.
2) The bank issues the valid electronic cash.The b otects the privacy of the customers, and also uses the blind signature technique to sign the electronic cash.
3) The customer spends electronic cash in a paym otocol with a shop over an anonymous channel.
4) The shop deposits electronic cash that he get e user in the payment protocol into his bank account.
TTP (Central same system parameters that proposed in Section 3.1.
When Then the sk v and sk v to i u and M respectively.Every group member shou he needs it.They need to do as follows: 1) The group member sends i

ID to t 2) i B opens an account an nds it to th e emb
The withdrawal protocol i ves the user opens an account in.When gal i u ants to withdraw electronic cash from his account in the bank, the user must prove himself to the bank.The withdraw protocol request contains the amount of electronic cash, which is less than or equal the balance.If the amount is greater than balance then the withdraw protocol should be stopped, otherwise, the user and the bank execute the following steps: 1) the user ch * om nu s Z  and computes   , , , a a a a and a to i u .
, q s r r x x u v Z  and computes   , , , , , , , , ,  c H and    The payment protocol in merchant.If the customer wants to buy some goods from the merchant, they should execute the follows: 1) The customer chooses a random Now we can proof ( 3) and ( 4) as followings:  In this protocol the merc his bank i.There are two cases we will discuss as follows: First case: if the shop i and user i have accounts in th me bank.Since the deposit protocol involves merchant and bank, they will execute the following steps: 1) The merchant sends signatures of electronic cash , , , , , , , , , A B C D Z Z S f f f f and f to the bank.signature of e c 2) The bank verifies the validity of ash , , , , , , , , f f f f and f is hold, then the find out the same electronic cash has been deposited before or not.If it has not been in its deposit database, the bank accepts the electronic cash and credits the amount to the shop account, otherwise the bank i rejects transaction.
Second case: if the user bank searches the sit database to depo i and merchant i have accounts in received electro ant sends signature of electronic cash different banks such as user i has an account in the bank i and shop i has an account in bank j.
Assume merchant i wants to deposit the nic cash from user i to his bank j, they will do the following steps: 1) The merch  , , , , , , hether electronic cash has been deposited before, if it is not has bee e amount from user i account and sends it to the merchant i account in his bank j, otherwise bank i can detect double depositing or double spending.

Customer Tracing Protocol
The customer tracing protocol invol trusted third party.This protocol is identity of the customer in a sp Money laundering is big problem of electronic cash; here it can be protected by detecting the identity of the illegal customers.
1) The customer tracing protocol is as follows: The bank sends to the CB the signatures of electronic cash , , , D Z Z S f f f f and f that received fr cash as the merchant does in the depo  om the merchant in the deposit protocol.
2) The CB verifies the validity of the signature of electronic sit protocol.
3 A sG G   The bank calculates and sends 1 2 3 4

5
, , , a a a a and a back to him as withdraw protocol.

Theorem 4
Our proposed scheme keeps the system unlinkability.Proof: sh , provides electronic cash against double spending, blackmailing and money laundering.lectronic cash, which satisfy properties of ture scheme.Fro protocol above, it is easy to deduce that our scheme satisfies the security properties of group signatures and

Conclusion
We have presented new fair electronic cash system with identity based group signature scheme.It satisfies all basic requirements to protect electronic cash.Furthermore, we show how our group signature scheme could construct fair e secure group signa

i 4 . 3 .
Open an Account ld open an account in any bank G e w uG ds x P w vG ds P G e w uG w vG G e ds x P P G e D G e Pds x x G x G G e D G e ds P G P e D G e dA P

5 , 4 )
D Z Z S f f f f and f to bank j. of signature 2) Bank j verifies the validity of e , , , , , , , , A B C D Z Z S f f f f and f with bank i's publi 3) If it succeeds th tronic cash Bank i searches the deposit database to find out w n stored in deposit database then bank i debits th ves the bank and the used to determine the ecific payment transaction.
Thus group signatures architecture consists four main parties: Trust Third Party (TTP) acts the group manager; banks, users and shops acts the group member.
Figure 1 shows configuration of group signatures, which involves three protocol.* i the bank i   i u and merchant i  ) The CB can calculate P from  , In the payment protocol, only users that register in the CB are able to sign yment message with his memberkey.