Efficient E-coupon systems with strong user privacy

Abstract

We propose two novel e-coupon systems that can achieve the following new properties: (1) The coupon issuer (or service provider) can trace the identity of a dishonest user while the identity privacy (or anonymity) of a honest user is still well protected. (2) A honest user’s redemption privacy (i.e., the items chosen when redeeming an e-coupon) is well protected from the service provider. (3) If a dishonest user redeems an e-coupon for more than the pre-determined number of times, then the user will lose the redemption privacy (i.e., all the choices the user has made in the previous redemptions can be revealed). We first propose a novel blind signature scheme that we employ together with oblivious transfer to construct our first e-coupon system, which achieves the first two properties without the involvement of any trusted third party. Then we propose a novel oblivious transfer scheme and use it to construct the second e-coupon system that can achieve all the properties given above. We also define the formal security models for these new security requirements, and show that our new e-coupon systems are proven secure in the proposed models.

Appendix

We analyze the security of the proposed oblivious transfer scheme under half-simulation model [27] in this section.

Theorem 10

The proposed OTRRP scheme provides receiver’s privacy for honest receivers.

Proof

Suppose a honest receiver runs the OT protocol with the sender for k times. The sender could obtain k pairs of transcripts \(\{(A_1,B_1,f(B_1)),(A_2,B_2, f(B_2)),\ldots ,(A_k,B_k,f(B_k))\}\) such that \(A_1=g^{r_1x}h^{\alpha _1},A_2=g^{r_2x}h^{\alpha _2},\ldots ,A_k=g^{r_kx}h^{\alpha _k}\), where \(\alpha _1,\alpha _2,\ldots ,\alpha _k\in \{1,2,\ldots ,n\}\) are the user’s choice and \(r_1,r_2, \ldots ,r_k\in _R\mathbb {Z}_q^*\). Given \(B_j=g^{r_j},rpk=g^x\) for some random \(r_j\in \mathbb {Z}_q^*\), it is computation-infeasible to decide the masked value equals \(g^{r_jx}\) or a random value Z in \(G_q\), thus for any two transcripts \(A_j\) and \(A_i\) such that \(1\le i \ne j \le k\) from the user, they are computationally indistinguishable to the service provider as long as the DDH problem is hard in \(G_q\). \(\square \)

Claim

The proposed encryption scheme is semantic secure.

Proof

As can be seen in the proposed OT scheme, the cipertext is \(c_i=((rpk)^{k_i},m_i(A_i/h^i)^{k_i})\) where \(k_i\in _R\mathbb {Z}_q\), for \(1\le i\le n\). The proposed encryption scheme in our OT scheme is a variant of ElGamal encryption. Therefore the encryption scheme is semantic secure. \(\square \)

Theorem 11

The proposed OTRRP scheme provides sender’s privacy.

Proof

Suppose a honest receiver runs the OT protocol with the sender k times. For any probabilistic polynomial-time malicious receiver \(\hat{U}\) in the real-world model, we are able to construct a probabilistic polynomial-time malicious receiver \(\hat{U}^*\) in the ideal model such that the outputs of \(\hat{U}\) and \(\hat{U}^*\) are indistinguishable. \(\square \)

Briefly, the ideal-world cheating receiver \(\hat{U}^*\) can extract \(\alpha \) from the proof of knowledge. This enables him to obtain the message \(m_\alpha \) form the TTP. \(\hat{U}^*\) simulates the honest sender S in the real-world and interacts with \(\hat{U}\) as follows:

1. 1.

   S sends \(m_1,m_2,\ldots ,m_n\) to the trusted third party TTP.

2. 2.

   \(\hat{U}^*\) sends \(c_1^*,c_2^*,\ldots ,c_n^*\) to TTP such that \(c_i^*\in _R G_q\) for \(i=1,2,\ldots ,n\).

3. 3.

   \(\hat{U}^*\) monitors the outputs \(A_{\alpha _1},A_{\alpha _2},\ldots ,A_{\alpha _k}\) of \(\hat{U}\), \(\hat{U}^*\) chooses \(A_{\alpha _1}^*,A_{\alpha _2}^*,\ldots ,\) \(A_{\alpha _k}^*\in _R G_q\).

4. 4.

   After \(\hat{U}\) runs \(Request \) protocol, if the verification of PoK fails, \(\hat{U}^*\) sends a value \(\alpha _i\notin \{1,2,\ldots ,n\}\) to TTP.

5. 5.

   If the verification of PoK successes, \(\hat{U}^*\) extracts \(\hat{U}\)’s choice \(\alpha _i\) from the PoK and gets back \(c_{\sigma _1}^*,c_{\sigma _2}^*,\ldots ,c_{\sigma _k}^*\) such that \(c_{\sigma _i}^*\in _R G_q\) for \(i=1,2,\ldots ,k\).

6. 6.

   If \(\hat{U}\) can compute \(g^{xr_{\alpha _i}}\), \(\hat{R}^*\) sends \(\alpha _i\) to TTP, TTP returns \(\frac{c_{\alpha _i,2}^*}{m_{\alpha _i}}\).

7. 7.

   \(\hat{U}^*\) outputs \((A_{\alpha _1}^*,A_{\alpha _2}^*,\ldots ,A_{\alpha _k}^*;c_1^*,c_2^*,\ldots ,c_n^*)\).

We can see from Theorem 10 and the Claim that \(\{A_{\alpha _1},A_{\alpha _2},\ldots ,A_{\alpha _k}\}\) and \(\{c_1,c_2,\ldots ,c_n\}\) are indistinguishable from random elements in \(G_q\). Therefore, no distinguishers can distinguish the outputs of \(\hat{U}\) and \(\hat{U}^\prime \) with a non-negligible probability.