A Security Flaw of a Bilinear-Pairing-Based Electronic Cash Scheme with Trustee-Based Anonymity Revocation

Untraceable electronic cash (e-cash) provides anonymity to ensure the privacy of payers for electronic commerce. To prevent this anonymity property from being abused by criminals, Chen et al. proposed an electronic cash scheme with trustee-based anonymity revocation from pairing. They claimed their electronic cash scheme possessed superior advantages. First, an identity-based blind signature scheme is constructed for a bank to blindly sign on a message containing a trustee-approved token that includes the user´s identity. Second, the trustee can disclose the identity for e-cash using only one symmetric operation. Third, their scheme incorporates mutual authentication and key agreement into e-cash protocols to attain improvement in communication efficiency. They also declared their scheme satisfied five security properties, mutual authentication, verifiability, untraceability, unforgeability, and anonymity revocation. After thorough analysis, we find that a merchant can abuse a payer´s e-cash easily and will not be traced by the trustee. Instead, the legal payer´s identity will be traced because only the customer´s identity is embedded in the e-cash and mutual authentication is not ensured in payment phase. The found flaw will fatally damage Chen et al.´s electronic cash scheme.