An attack on a payment scheme

Recently, Wang et al. have proposed an offline payment scheme providing scalable anonymity. The authors claim that their scheme prevents a consumer from spending a coin more than once, since after a double-spending the identity of the consumer is revealed. In this paper, we show that in Wang et al.'s scheme, given a valid coin and without knowing any secret information, anyone is able to spend the coin as many times as he wants. In particular, we show how a cheater, using only public information, can construct a forged proof of ownership of the coin without running any risk of being discovered.
