
Electronic Commerce Research and Applications 11 (2012) 388–396

Contents lists available at SciVerse ScienceDirect

Electronic Commerce Research and Applications

journal homepage: www.elsevier.com/locate/ecra

A robust e-commerce service: Light-weight secure mail-order mechanism

Jung-San Lee, Kun-Shian Lin *
Department of Information Engineering and Computer Science, Feng Chia University, No. 100, Wunhua Rd., Situn Dist., Taichung City 40724, Taiwan, ROC

* Corresponding author. Tel.: +886 4 24517250x3721; fax: +886 4 27066495.
E-mail addresses: leejs@fcu.edu.tw (J.-S. Lee), logoduo@hotmail.com (K.-S. Lin).

Article history:
Received 16 September 2011
Received in revised form 30 March 2012
Accepted 3 April 2012
Available online 13 April 2012

Keywords: E-commerce, Mail-order, Smart card, Mutual authentication, BAN logic

Abstract

Mail order systems offer a convenient purchase service, in which buyers need not visit the store physically and instead choose what they want via a table of contents. Without a third party to play the roles of verifier and recorder, however, buyers face a potential problem of being cheated by a malicious seller. Thus, we aim to develop a mail order system over the Internet that can guarantee user anonymity and secrecy during the transaction process. The low computation of the mutual authentication between the parties involved contributes to the practicality of this new system, while the correctness of this process can be confirmed by the BAN logic model.

© 2012 Elsevier B.V. All rights reserved.

1567-4223/$ - see front matter © 2012 Elsevier B.V. All rights reserved.
http://dx.doi.org/10.1016/j.elerap.2012.04.001

1. Introduction

In recent decades, the rapid development of the Internet has led to the great popularity of electronic commerce services. People often buy something or handle financial investments through electronic commerce services, such as electronic auctions, lotteries, and payment systems. Due to the convenience and economic benefits of e-commerce, more and more traditional services have been converted to the electronic mode, like e-voting, e-traveler checks, and e-invoices. As a result, people are now paying more attention to the issues of security and privacy; however, the digitalization of one traditional commerce service that is applied very often in our daily life, i.e., the traditional mail order service, has received very little attention.

Traditional mail order service (Fig. 1) is a commonly used approach to shopping. As a simple transaction, it has many advantages. The seller sends a menu of commodities to individual guests or buyers in schools and companies who order regularly. The buyer chooses the commodities she/he likes from the menu, sends the purchase order back to the seller, and pays the money to the seller’s account. Then, the seller checks to see whether she/he has received the money. If so, she/he sends the commodities to the buyer and the transaction is complete. This system deals with business as a simple transaction flow. More specifically, the buyer does not need to visit the store each time in person but only the bank once. The bank is just a third party to handle the money; it does not serve as the verifier or recorder of the transaction. Thus, in this system, no one records the details of the transaction. This may cause a serious problem in that a malicious seller could feasibly choose not to send the commodity in order to cheat the buyer after receiving payment.

Inheriting the merits of the original mail order mechanism, we aim to realize this concept over the Internet, which can eliminate the above-mentioned security problem. The Internet mail order system is a money-concerned mechanism that uses an electronic payment system, such as electronic cash (E-Cash) (Ling et al. 2007, Wang et al. 2007, Chaum et al. 1990), electronic check (Chaum et al. 1989, Chen 2005, Chang et al. 2009), or electronic traveler’s check (Chang and Chang 2009, Liaw et al. 2007). Many scholars have analyzed the various types of electronic payment systems (Yu et al. 2002, Ferreira and Dahab 1998). According to their analyses, even though electronic cash has the advantages of being simple and convenient to carry, it retains the same characteristics as actual cash. When electronic cash is lost or stolen, the user must bear the risk since it cannot be reissued. Although the electronic check has added the signature protocol, it is still vulnerable to the problem of being stolen or embezzled. Due to the requirement for personal identification with a check, an electronic traveler’s check seems to be more secure; however, it also involves the drawbacks of a complex authentication procedure, as illustrated in Fig. 2.

When the seller receives the check, she/he cannot confirm the validity of the check, so she/he must send the check to the bank or a fair third party. Another problem is that, in the electronic check and electronic traveler’s check system, personal information is usually stored in the bank’s database directly. If an intruder or bank employee accesses the database and obtains the user’s

information to apply for services, it may lead to a stolen verifier attack or insider attack. To remedy these drawbacks, Nakamoto introduced the concept of BitCoin in 2009, which depends on no central institution to ensure the transaction (Nakamoto 2012). It applies a database of nodes distributed over P2P networks to handle and record the E-Cash transaction. This can enhance the efficiency of E-Cash verification and the system security. Nevertheless, a trustworthy third party does not get involved in the transaction. Thus, an illegal deal or a dispute occurrence is usually beyond being prevented.

Previous studies of electronic payment systems have focused on the secrecy of the data transmitted between the buyer and the seller, without considering the computation cost in the encryption and decryption process. They often neglect the dispute caused in the shopping flow phase. For example, if a buyer has paid money but cannot receive the commodities ordered, then rights and interests are seriously damaged. In such a situation, the buyer cannot find a reasonable way to inquire about the transaction data in order to prove his/her loss, and the seller is unable to propose valid proof of his/her innocence. Considering these reasons, the Internet mail-order system has adopted a digital cash mechanism based on the hash chain (Lamport 1981), which can overcome the weakness of previous payment systems and ensure practicality. Referring to the famous BAN logic model (Burrows et al. 1990), we prove the correctness of mutual authentication in the new mechanism.

To illustrate that our proposed system can be employed in real life, we assume that Citibank and PayPal are the notaries in our system (Citibank 2009, PayPal 2009). Citibank and PayPal provide mail order service. These providers email commodity menus to buyers and then receive orders as well as money. These companies play the role of intermediary to consult with sellers and order the commodities that the buyers have requested. We bring in a fair third party to serve as the verifier and recorder in the transaction. Thanks to the fair third party, i.e., the bank, it is easy for the buyer and seller to query the transaction data in order to confirm the non-repudiation of involved participants.

The rest of this article is organized as follows. In Section 2, we define the system requirements in detail. In Section 3, we specify the shopping environment and mechanism. Discussions and the comparisons between related work and the novel mechanism are given in Section 4. Then we demonstrate how the new mechanism resists malicious attacks in Section 5. Finally, we make conclusions in Section 6.

Fig. 1. Flowchart of traditional mail order system.

Fig. 2. Flowchart of the electronic traveler’s check payment system.

Fig. 3. Flowchart of the Internet mail-order system.

2. System requirements

In this section, we define the requirements of the Internet mail order system and specify the significance of each requirement in detail.

(1) Mutual authentication. The sender and the receiver can confirm each other’s identity in order to avoid man-in-the-middle and masquerading attacks.

(2) Integrity of transaction data. Transactions of data between buyer and seller are protected from modification. Additionally, the transferred data are confirmed only by a fair third party.

(3) Anonymity of buyer. The personal information of the buyer is concealed to protect his/her privacy so that no one can trace the transaction records. Here, even the seller is unable to learn the real identity of the buyer.

(4) No forgery of digital cash. For the purpose of confirming the profits of both seller and buyer as well as keeping the whole process fair, only the bank that acts as a fair third party can distribute the digital cash.

(5) Double spending. The digital cash can only be used once.

(6) Reissue of smart card. To avoid losing smart cards, the buyer is allowed to reopen a new smart card in order to get his/her digital cash.

(7) Non-repudiation. To protect the legal rights of both seller and buyer, the bank records the data of the whole process. This way, if there are any disputes, neither the seller nor the buyer can deny their actions.

(8) Perfect forward secrecy. To protect the privacy of the communication, the compromised current key cannot be used to derive or recover the session key for previous or future sessions.

3. Mechanism

The proposed ordering mechanism consists of four phases: registration, payment, dealing confirmation, and smart card reissue.

Table 1
Notations of the new mechanism.

U_i        The ith user
S_j        The jth seller
BANK       Bank (trusted third party)
ID_i       Unique identification of U_i
PW_i       Unique password of U_i
SID_j      Unique identification of S_j
r          Random number
x          Master key of BANK
N          Random nonce
h()        One-way hash function
n          The number of usage times of the digital cash
AID_i      Anonymous identification of U_i
RID_i      A parameter for reissuing the smart card
SB_j       The shared information negotiated by BANK and S_j in advance
C_US       The commodity which U_i wants
[M]_K      Message M encrypted by secret key K
TI         The detailed transaction data between U_i and BANK

Table 2
The database of BANK.

User     Stored information
Alice    RID_Alice . AID_Alice . r_Alice . n_Alice . h^{n_Alice+1}(r_Alice, UB_Alice)
Bob      RID_Bob . AID_Bob . r_Bob . n_Bob . h^{n_Bob+1}(r_Bob, UB_Bob)
...      ...
U_i      RID_i . AID_i . r_i . n_i . h^{n_i+1}(r_i, UB_i)

Fig. 4. The flowchart of registration phase. (Figure: Bob and BANK exchange Step 1 and Step 2 over a secure channel.)

Fig. 5. The information in the smart card of Bob.

The flowchart of this mechanism is shown in Fig. 3. The bank is assumed to be the trusted third party. Seller and Buyer must register at the Bank before they conduct a transaction. Notations used in the novel mechanism are defined in Table 1. Note that only the Bank is able to write data into the smart card.

3.1. Registration Phase

The flowchart of the registration phase is illustrated in Fig. 4.

Step 1: Bob → BANK: ID_Bob, PW_Bob, n.
Bob generates a password PW_Bob and chooses n as the usage number of the digital cash. Then he offers ID_Bob, PW_Bob, and n to BANK through a secure channel.

Step 2: BANK → Bob: Smart card.
While BANK receives the registration request, it calculates h(ID_Bob, PW_Bob) and generates a random number r. Next, it employs r and its master key x to compute

AID_Bob = h(h(ID_Bob, PW_Bob), r, x),
RID_Bob = h(h(ID_Bob, PW_Bob), x),
UB_Bob = h(AID_Bob, x), and
h^t(r, UB_Bob),

where h^t(r, UB_Bob) is considered as the digital cash and t ∈ {1, 2, ..., n + 1}. Then, it stores RID_Bob, AID_Bob, r, n, and h^{n+1}(r, UB_Bob) into its database and embeds AID_Bob, h(ID_Bob, PW_Bob), h(), UB_Bob, and h^t(r, UB_Bob) into the smart card. Finally, BANK issues the smart card to Bob via a secure channel. The database of BANK is depicted as Table 2, while the information of the smart card is illustrated as Fig. 5. The symbol . means the linkage of each piece of information in the database.

3.2. Payment phase

After Bob obtains the smart card, he can start to purchase the commodity via the Internet mail-order system. The flowchart of this phase is shown in Fig. 6.

Fig. 6. The flowchart of payment phase. (Figure: Bob, BANK, S_j; Bob logs in and sends the purchase request (1); BANK checks the digital cash and updates its database (2); S_j checks the commodities and sends an “accept” message (3); Bob checks the result.)

Step 1: Bob → BANK: AID_Bob, N, [SID_j, C_US, h^{n+1-m}(r, UB_Bob), m]_{h(UB_Bob, N)}.
Bob needs to key in his ID_Bob and PW_Bob to login the system. Then, the smart card calculates and compares h(ID_Bob, PW_Bob) with the one stored in the card. If they are not the same, the procedure is halted; otherwise, it continues. Note that if the user keys in the incorrect (ID, PW) combination three times, then the smart card is locked. After passing the login process, Bob can choose any SID_j and C_US he likes. If he needs to pay m digital cash, the smart card computes h^{n+1-m}(r, UB_Bob). Furthermore, the smart card generates N and calculates the session key h(UB_Bob, N). Subsequently, it applies the key to compute [SID_j, C_US, h^{n+1-m}(r, UB_Bob), m]_{h(UB_Bob, N)}.
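The registration phase and payment Step 1 above, together with the bank-side check of the digital cash that Step 2 describes, as an added runnable model (example code written for this page, not the authors' implementation). It assumes h() is SHA-256 over length-prefixed fields, instantiates the symmetric encryption [M]_K of Table 1 with a toy HMAC-keystream cipher plus an HMAC tag, and lets BANK judge the validity of N by remembering the nonces it has already accepted; the names Bank, SmartCard, run_demo, the SID_j value and the sample commodity are constructed for the example. run_demo registers Bob, performs one payment of m units, then shows that offering the already-spent chain value again with a fresh N, or replaying the original message, is rejected, which is the double-spending check of Section 4.1.5.

```python
import hashlib
import hmac
import secrets
# Added example (not the authors' code) modelling registration (3.1), payment
# (3.2) and the double-spending check (4.1.5). Assumptions: h() is SHA-256 over
# length-prefixed fields; [M]_K is a toy HMAC-keystream cipher with a tag;
# BANK judges the "validity of N" by remembering the nonces it has accepted.

def pack(*fields):  # length-prefixed concatenation keeps multi-field inputs unambiguous
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def unpack(data):
    out, i = [], 0
    while i < len(data):
        n = int.from_bytes(data[i:i + 4], "big")
        out.append(data[i + 4:i + 4 + n])
        i += 4 + n
    return out

def h(*parts):  # the one-way hash function h() of Table 1
    return hashlib.sha256(pack(*parts)).digest()

def _xor(key, data):  # keystream of HMAC(key, counter) blocks, XORed onto data
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key, pt):  # [M]_K (toy): sound only because each key h(UB, N) is used once
    ct = _xor(key, pt)
    return ct + hmac.new(key, ct, "sha256").digest()

def decrypt(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("wrong key or modified ciphertext")
    return _xor(key, ct)

def hash_chain(r, ub, n):  # chain[t] = h^t(r, UB), t = 1..n+1; BANK stores chain[n+1]
    chain = [None, h(r, ub)]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain

class SmartCard:  # issued in registration Step 2 with AID, h(ID, PW), UB and h^t(r, UB)
    def __init__(self, aid, hid, ub, chain, n):
        self.aid, self.hid, self.ub, self.chain, self.n = aid, hid, ub, chain, n
        self.failed = 0
    def login(self, id_, pw):  # three wrong (ID, PW) combinations lock the card
        ok = self.failed < 3 and h(id_, pw) == self.hid
        self.failed = 0 if ok else self.failed + 1
        return ok
    def pay(self, sid, cus, m):  # Step 1: AID, N, [SID, CUS, h^{n+1-m}(r,UB), m]_{h(UB,N)}
        nonce = secrets.token_bytes(16)
        body = pack(sid, cus, self.chain[self.n + 1 - m], m.to_bytes(4, "big"))
        return self.aid, nonce, encrypt(h(self.ub, nonce), body)

class Bank:
    def __init__(self, sellers):  # sellers: SID_j -> SB_j negotiated in advance
        self.x = secrets.token_bytes(32)  # master key x
        self.db, self.seen, self.sellers = {}, set(), sellers
    def register(self, id_, pw, n):  # registration Step 2: a Table 2 row plus the card
        r, hid = secrets.token_bytes(16), h(id_, pw)
        aid, rid = h(hid, r, self.x), h(hid, self.x)
        ub = h(aid, self.x)
        chain = hash_chain(r, ub, n)
        self.db[aid] = {"RID": rid, "r": r, "n": n, "cash": chain[n + 1]}
        return SmartCard(aid, hid, ub, chain, n)
    def payment_step2(self, aid, nonce, blob):  # check N and the cash, update, forward
        rec = self.db.get(aid)
        if rec is None or nonce in self.seen:
            return None  # unknown AID or replayed N
        ub = h(aid, self.x)
        sid, cus, cash, m_b = unpack(decrypt(h(ub, nonce), blob))
        m, v = int.from_bytes(m_b, "big"), cash
        for _ in range(m):
            v = h(v)  # h^m(h^{n+1-m}(r, UB)) must equal the stored h^{n+1}(r, UB)
        if v != rec["cash"]:
            return None  # forged or already-spent cash
        self.seen.add(nonce)
        rec["cash"], rec["n"] = cash, rec["n"] - m
        rec["TI"] = encrypt(h(h(ub, sid), self.x), pack(aid, sid, cus, m_b))
        return encrypt(h(self.sellers[sid], nonce), pack(h(ub, sid), aid, cus, m_b))

def seller_step3(sb, nonce, blob):  # Step 3 at Sj: decrypt with h(SB_j, N), answer the digest
    k, aid, cus, m_b = unpack(decrypt(h(sb, nonce), blob))
    return h(m_b, cus, k, nonce)

def run_demo(n=20, m=10):
    sid, sb = b"SID-j", secrets.token_bytes(32)
    bank = Bank({sid: sb})
    card = bank.register(b"Bob", b"pw-bob", n)
    assert card.login(b"Bob", b"pw-bob")
    cus, m_b = b"CUS: two boxes of tea", m.to_bytes(4, "big")
    aid, nonce, blob = card.pay(sid, cus, m)
    fwd = bank.payment_step2(aid, nonce, blob)
    accepted = seller_step3(sb, nonce, fwd) == h(m_b, cus, h(card.ub, sid), nonce)
    nonce2 = secrets.token_bytes(16)  # fresh N but the already-spent h^{n+1-m}(r, UB)
    stale = encrypt(h(card.ub, nonce2), pack(sid, cus, card.chain[n + 1 - m], m_b))
    return {"accepted": accepted, "remaining": bank.db[aid]["n"],
            "double_spend_rejected": bank.payment_step2(aid, nonce2, stale) is None,
            "replay_rejected": bank.payment_step2(aid, nonce, blob) is None}
```

The chain is spent from the top down: the card reveals h^{n+1-m}(r, UB_Bob), and BANK only has to hash it m more times to compare against the stored h^{n+1}(r, UB_Bob), so the bank never needs r or the full chain at payment time. After a successful payment the stored value moves down the chain, which is exactly why a second presentation of the same value no longer matches.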

Table 3
The information of Bob in the database.

Fig. 7. The flowchart of dealing confirmation phase. (Figure: Bob, BANK, S_j; Steps 1 to 4.)

Fig. 8. The flowchart of smart card reissue phase. (Figure: Bob and BANK exchange Step 1 and Step 2 over a secure channel.)

Finally, it sends AID_Bob, N, and [SID_j, C_US, h^{n+1-m}(r, UB_Bob), m]_{h(UB_Bob, N)} to BANK.

Step 2: BANK → S_j: N, [h(UB_Bob, SID_j), AID_Bob, C_US, m]_{h(SB_j, N)}.
Upon receiving the information from Bob, BANK checks the validity of N and computes h(UB_Bob = h(AID_Bob, x), N) to decrypt the message. After obtaining h^{n+1-m}(r, UB_Bob) and m, it calculates and compares h^m(h^{n+1-m}(r, UB_Bob)) with the one kept in the database. If they are different, the procedure is terminated; otherwise, it replaces (h^{n+1}(r, UB_Bob), n) with (h^{n+1-m}(r, UB_Bob), n − m) in the database. The new database is illustrated in Table 3. Eventually, BANK deposits the money into the account of S_j and notes the detailed transaction data TI. Subsequently, BANK calculates h(UB_Bob, SID_j) and [TI]_{h(h(UB_Bob, SID_j), x)}. The encrypted result is stored in the database. Hereafter, BANK computes and sends [h(UB_Bob, SID_j), AID_Bob, C_US, m]_{h(SB_j, N)} to S_j along with N.

Step 3: S_j → Bob: N, h(m, C_US, h(UB_Bob, SID_j), N).
While S_j obtains the purchase message from BANK, it verifies whether N is valid. If it is incorrect, the process is stopped; otherwise, S_j calculates h(SB_j, N) to decrypt the transaction data to retrieve AID_Bob, C_US, m and h(UB_Bob, SID_j). Furthermore, S_j saves h(UB_Bob, SID_j) in the database. Once S_j confirms that the order is reasonable, it computes and sends an “accept” message including h(m, C_US, h(UB_Bob, SID_j), N) and N to Bob. After Bob receives the result, he can compute and compare h(m, C_US, h(h(UB_Bob, SID_j), N)) with the received one. If they are different, the procedure is terminated; otherwise, the payment phase is completed.

Note that both Bob and S_j can compute the session key h(h(UB_Bob, SID_j), N) for their following communications.

3.3. Dealing confirmation phase

When a transaction dispute occurs or involved participants want to check the dealing record, they can ask for help from BANK to enquire TI. The flowchart is depicted in Fig. 7.

Step 1: Bob → BANK: AID_Bob, N, [SID_j]_{h(UB_Bob, N)}.
Bob sends AID_Bob, N, [SID_j]_{h(UB_Bob, N)} to BANK.

Step 2: BANK → Bob: N, [TI]_{h(UB_Bob, N)}.
While BANK receives the request of dealing confirmation, it verifies whether N is valid. If N is incorrect, it rejects the request; otherwise, BANK computes h(UB_Bob = h(AID_Bob, x), N) to retrieve SID_j. Next, it calculates h(h(UB_Bob, SID_j), x) to decrypt [TI]_{h(h(UB_Bob, SID_j), x)} and uses the session key h(UB_Bob, N) to compute [TI]_{h(UB_Bob, N)}. Finally, it sends N and [TI]_{h(UB_Bob, N)} to Bob. Thus Bob can check the transaction data.

Step 3: S_j → BANK: SID_j, N, [h(UB_Bob, SID_j)]_{h(SB_j, N)}.
If S_j wants to check the transaction data, it computes and sends SID_j, N, [h(UB_Bob, SID_j)]_{h(SB_j, N)} to BANK.

Step 4: BANK → S_j: N, [TI]_{h(SB_j, N)}.
While BANK receives the message, it first checks the validity of N. If N is invalid, the query procedure is terminated; otherwise, BANK computes h(SB_j, N) to retrieve h(UB_Bob, SID_j). It then calculates

h(h(UB_Bob, SID_j), x),
[TI]_{h(h(UB_Bob, SID_j), x)}, and
[TI]_{h(SB_j, N)}.

Eventually, BANK sends [TI]_{h(SB_j, N)} and N to S_j. Hence, S_j can decrypt [TI]_{h(SB_j, N)} to obtain TI.

3.4. Smart card reissue phase

If the smart card is lost, this procedure can help buyers recover their smart cards. The flowchart is shown in Fig. 8.

Step 1: Bob → BANK: ID_Bob, PW_Bob.
As Bob cannot calculate the session key without the smart card, he has to offer his ID_Bob and PW_Bob to BANK via a secure channel.

Step 2: BANK → Bob: Smart card.
When BANK receives the reissue request, it uses master key x to calculate the index RID_Bob = h(h(ID_Bob, PW_Bob), x). Then, it searches the database to find Bob’s information. If nothing is found, the request is rejected; otherwise, BANK computes UB_Bob = h(AID_Bob, x) and embeds the corresponding information into a new smart card according to Table 4.

4. Discussion and performance analysis

4.1. Requirements

In this section, we discuss how the new mechanism can confirm the requirements defined in Section 2. The security of this mechanism is based on the symmetric encryption function and one-way hash function, and is guaranteed by the following assumptions:

1. Symmetric encryption function [ ]_K.
Given a plaintext P, it is easy to compute the ciphertext C = [P]_K with a symmetric key K. Nevertheless, it is computationally infeasible to obtain P from C without K.

Table 4
The information of Bob in the database.

2. One-way hash function h().
For a secure one-way hash function h() and a message M, it is easy to compute the digest y = h(M). Moreover, h() can confirm the following properties (Menezes et al. 1996):
(i) Pre-image resistance – For a given digest, it is computationally infeasible to learn the input (pre-image); i.e. it is hard to find M such that h(M) = y when y is known.
(ii) Second pre-image resistance – It is computationally infeasible to find another input with the same digest; i.e. for a given M, it is hard to find another message M' such that h(M') = h(M).
(iii) Collision resistance – It is computationally infeasible to find two different inputs with the same digest; i.e. it is difficult to find M and M' such that h(M) = h(M').

4.1.1. Mutual authentication

We use the BAN logic model to prove the mutual authentication of our mechanism. The notations used in BAN logic are defined in Table 5.

Table 5
Notations of BAN logic.

X            Statement
P, Q         Participants
P |≡ X       P believes in X
P ◁ X        P sees X
P |~ X       P once said X
P |⇒ X       P has the jurisdiction over X
#(X)         The formula X is fresh
P ↔^K Q      P and Q may use the shared key K to communicate
P ⇌^Y Q      The formula Y is a secret known only to P and Q
{X}_K        The formula X encrypted under the key K
<X>_Y        The statement X combined with the formula Y

The flowchart and the goals of our mechanism are listed as follows:

M1. Bob → BANK: AID_Bob, N, [SID_j, C_US, h^{n+1-m}(r, UB_Bob), m]_{h(UB_Bob, N)}.
M2. BANK → S_j: N, [h(UB_Bob, SID_j), AID_Bob, C_US, m]_{h(SB_j, N)}.
M3. S_j → Bob: N, h(m, C_US, h(UB_Bob, SID_j), N).

G1. Bob |≡ Bob ⇌^{h(UB_Bob, SID_j)} S_j.
G2. S_j |≡ Bob ⇌^{h(UB_Bob, SID_j)} S_j.
G3. S_j |≡ Bob |≡ Bob ⇌^{h(UB_Bob, SID_j)} S_j.
G4. Bob |≡ S_j |≡ Bob ⇌^{h(UB_Bob, SID_j)} S_j.

According to the BAN logic model, we need to convert our mechanism to the idealized form as below:

I1. Bob → BANK: /
I2. BANK → S_j: N, {Bob ⇌^{h(UB_Bob, SID_j)} S_j, (Bob |≡ Bob ⇌^{h(UB_Bob, SID_j)} S_j)}_{h(SB_j, N)}.
I3. S_j → Bob: N, <Bob ↔^{h(h(UB_Bob, SID_j), N)} S_j>_{h(h(UB_Bob, SID_j), N)}.

To complete the proof, we give the following assumptions:

A1. Bob |≡ #(N).
Due to the fact that the random nonce N is generated by Bob, he must believe that N is fresh.

A2. S_j |≡ #(N).
Since the trusted third party BANK can verify whether N is fresh, BANK will not forward the message to S_j if N is invalid. Thus, if S_j can receive N from BANK, it will believe that N is fresh.

A3. S_j |≡ BANK ⇌^{SB_j} S_j.
Because SB_j is negotiated by BANK and S_j in advance, we can suppose that S_j believes in BANK ⇌^{SB_j} S_j.

A4. S_j |≡ BANK |⇒ Bob ⇌^{keyinfo} S_j.
Because BANK is capable of generating and forwarding the information of the session key (keyinfo) to S_j, we can suppose that S_j believes in BANK |⇒ Bob ⇌^{keyinfo} S_j.

A5. Bob |⇒ Bob ⇌^{H(UB_Bob, SID_j)} S_j.
As UB_Bob is embedded into the smart card of Bob and SID_j is selected by Bob, we can assume that Bob has jurisdiction over Bob ⇌^{H(UB_Bob, SID_j)} S_j.

Now, we prove the mutual authentication of our mechanism. From A5, Bob must believe in what he generated. Thus, we obtain the following:

R1: Bob |≡ Bob ⇌^{H(UB_Bob, SID_j)} S_j. (G1)

According to A2 and A3, S_j is able to compute the session key, leading to R2.

R2. S_j |≡ BANK ↔^{H(SB_j, N)} S_j.

Based on I2, we then get

R3. S_j ◁ {Bob ⇌^{H(UB_Bob, SID_j)} S_j, (Bob |≡ Bob ⇌^{H(UB_Bob, SID_j)} S_j)}_{H(SB_j, N)}.

According to R2, R3, and the message-meaning rule, we have R4 and R5.

R4. S_j |≡ BANK |~ Bob ⇌^{H(UB_Bob, SID_j)} S_j.
R5. S_j |≡ BANK |~ (Bob |≡ Bob ⇌^{H(UB_Bob, SID_j)} S_j).

From A2 and I2, we can derive R6.

R6. S_j |≡ #(Bob ⇌^{H(UB_Bob, SID_j)} S_j).

As we have R4 and R6, we can employ the nonce-verification rule to infer R7.

R7. S_j |≡ BANK |≡ Bob ⇌^{H(UB_Bob, SID_j)} S_j.

Due to A4, R7, and the jurisdiction rule, we learn R8.

R8: S_j |≡ Bob ⇌^{H(UB_Bob, SID_j)} S_j. (G2)

Furthermore, we have the following based on A2 and I2.

R9. S_j |≡ #(Bob |≡ Bob ⇌^{H(UB_Bob, SID_j)} S_j).

For R5, R9, and the nonce-verification rule, we can derive R10.

R10. S_j |≡ BANK |≡ (Bob |≡ Bob ⇌^{H(UB_Bob, SID_j)} S_j).

Corresponding to A4, R10, and the jurisdiction rule, we have

R11. S_j |≡ Bob |~ Bob ⇌^{H(UB_Bob, SID_j)} S_j.

As R6, R11, and the nonce-verification rule, we acquire

R12: S_j |≡ Bob |≡ Bob ⇌^{H(UB_Bob, SID_j)} S_j. (G3)

From I3, we obtain

R13. Bob ◁ <Bob ⇌^{H(UB_Bob, SID_j)} S_j>_{H(UB_Bob, SID_j)}.

Subsequently, we can apply R1, R13, and the message-meaning rule to derive

R14. Bob |≡ S_j |~ Bob ⇌^{H(UB_Bob, SID_j)} S_j.

According to A1 and I3, we can obtain

R15. Bob |≡ #(Bob ⇌^{H(UB_Bob, SID_j)} S_j).

Due to R14, R15, and the nonce-verification rule, we get the final goal R16.

R16: Bob |≡ S_j |≡ Bob ⇌^{H(UB_Bob, SID_j)} S_j. (G4)

Therefore, both Bob and S_j can use the shared information H(UB_Bob, SID_j) to construct a session key with random nonce N, which guarantees the mutual authentication.

4.1.2. Integrity of transaction data

In the payment phase, when the legal buyer Bob wants to purchase something from the store S_j, he has to make his choice and send [SID_j, C_US]_{h(UB_Bob, N)} to BANK along with a random nonce N. When BANK receives the request, it can employ h(UB_Bob, N) to decrypt the message and obtain C_US. Next, BANK computes and sends [C_US]_{h(SB_j, N)} to S_j, where SB_j is the secret key shared between BANK and S_j. If a malicious attacker Eve tries to modify the transaction data SID_j and C_US in Step 1 of the payment phase, she would first have to decrypt [SID_j, C_US]_{h(UB_Bob, N)}. Nevertheless, it is computationally infeasible for her to achieve that without the session key h(UB_Bob, N) due to the symmetric encryption assumption.

On the other hand, she may try to compute h(UB_Bob, N) in order to decrypt the ciphertext. Even if she can intercept the random nonce N in Step 1, she still cannot obtain h(UB_Bob, N) without UB_Bob under the assumption of the one-way hash function. Again, Eve may try to obtain the UB_Bob in order to construct the session key. Since UB_Bob = h(AID_Bob, x), even though Eve can know the anonymous AID_Bob of Bob, she cannot compute UB_Bob without the master key x under the assumption of the second pre-image resistance. For the same reason, if Eve tries to learn or modify C_US in Step 2 of the payment phase, she will fail to decrypt the ciphertext without the session key h(SB_j, N) under the first assumption. Thus, the integrity of transaction data in Steps 1 and 2 is guaranteed.

4.1.3. Anonymity of buyer

In the registration phase, the legal buyer Bob offers his ID_Bob and PW_Bob to BANK through a secure channel. Then BANK uses ID_Bob, PW_Bob, random number r, as well as master key x to generate a temporary identification AID_Bob = h(h(ID_Bob, PW_Bob), r, x) for Bob. Next, Bob can use AID_Bob to purchase services, thus preventing his personal information from being known. If a malicious attacker Eve wants to learn the real identification ID_Bob of Bob, she may try to retrieve ID_Bob from AID_Bob. Since AID_Bob is public, Eve can obtain Bob’s temporary identification; however, under the assumption of the pre-image resistance, it is computationally infeasible for her to factorize the components of AID_Bob. Consequently, Eve cannot obtain the ID_Bob from AID_Bob, and thus the anonymity of the buyer can be guaranteed.

4.1.4. No forgery of digital cash

The digital cash h^t(r, UB_Bob) of the legal user Bob contains the shared information UB_Bob = h(AID_Bob, x). That is, the cash includes the master key x of BANK. If a malicious attacker Eve intends to forge digital cash, she should fail to achieve this attempt. This is because no one can fake the UB_Bob without the master key x under the assumption of the one-way hash function. Even if Eve can obtain r and n from the BANK database, she cannot calculate h^{n-1}(r, UB_Bob) without the UB_Bob under the assumption of the second pre-image resistance. In the same way, if Eve tries to obtain the next valid digital cash h^{n-1}(r, UB_Bob) from h^n(r, UB_Bob), it is computationally infeasible based on the assumption of the pre-image resistance. Due to the reasons mentioned above, no one but BANK can generate valid digital cash; thus, this essential can be preserved in this new mechanism.

4.1.5. Double spending

In the payment phase, when a legal buyer Bob wants to pay m units of the digital cash, he applies the smart card to compute h^{n+1-m}(r, UB_Bob). Then, BANK computes and compares h^m(h^{n+1-m}(r, UB_Bob)) with the one stored in the database. If they are different, the request is rejected; otherwise, BANK updates the remaining number and the cash information in the database. If Bob intends to reuse the digital cash h^{n+1-m}(r, UB_Bob), he will fail. This is because BANK is able to detect this attempt according to the update of h^{n+1-m}(r, UB_Bob) in the database. Therefore, when BANK receives the digital cash, it computes and compares h^m(h^{n+1-m}(r, UB_Bob)) with h^{n+1-m}(r, UB_Bob), which is stored in the database. Obviously, they are different, so BANK must reject the purchase request. That is, even a legal buyer Bob cannot launch the double spending successfully. Hence, we can conclude that the new method is able to prevent double spending.

4.1.6. Reissue of smart card

In this new mechanism, digital cash is stored in a smart card. If the user loses the smart card or if the card is broken, then the user needs to apply for a new one. In the smart card reissue phase, the legal user Bob offers his ID_Bob and PW_Bob to BANK through a secure channel. While BANK receives the request, it can use the master key x to calculate and search RID_Bob = h(h(ID_Bob, PW_Bob), x) from the database to confirm the validity of the user. If the search is invalid, BANK will reject the request; otherwise, it computes UB_Bob = h(AID_Bob, x) and embeds {AID_Bob, h(ID_Bob, PW_Bob), UB_Bob, n, h(), h^t(r, UB_Bob)} into a new smart card. Finally, BANK issues the new card to Bob through a secure channel and completes the smart card reissue phase.

If a malicious attacker Eve aims to obtain the smart card or digital cash, she may try to masquerade as Bob to apply for a reissued smart card. Nevertheless, she does not know the ID_Bob and PW_Bob, so she cannot succeed in forging. Even if Eve can obtain RID_Bob from the BANK database, she cannot retrieve ID_Bob and PW_Bob from the RID_Bob according to the assumption of pre-image resistance. Therefore, only the real Bob is able to ask for the reissue of a smart card containing digital cash.

4.1.7. Non-repudiation

In the payment phase, when BANK receives a purchase request from the buyer Bob, it computes h(UB_Bob, N) to decrypt [SID_j, C_US, h^{n+1-m}(r, UB_Bob), m]_{h(UB_Bob, N)}. Since Bob has negotiated the shared information UB_Bob with BANK in advance, they can compute and use h(UB_Bob, N) to encrypt the message. If BANK can retrieve the plaintext in Step 2 of the payment phase, this means that the message has been generated by Bob; BANK then calculates and stores [TI]_{h(h(UB_Bob, SID_j), x)} into the database. When a transaction dispute occurs, if Bob intends to repudiate that he bought C_US from S_j, he must fail.

Table 6
Functionality comparisons.

Requirement                      Mail-order   BitCoin
Anonymity                        Yes          Yes
Non-repudiation                  Yes          Yes
Resistance to double spending    Yes          Yes
Verification to E-Cash           Yes          Yes
Trace to illegal deal            Yes          No
Transaction proof                Yes          No
Distributed computing            No           Yes

Table 7
Computational overhead of the new mechanism.

Participant   Payment phase                 Dealing confirmation phase
Buyer         4T_Hash + 1T_E                1T_Hash + 1T_D + 1T_E
Bank          (5 + m)T_Hash + 1T_D + 2T_E   2T_Hash + 1T_D + 1T_E
Seller        3T_Hash + 1T_D                1T_Hash + 1T_D + 1T_E

T_Hash: hash cost, T_E: symmetric encryption cost, T_D: symmetric decryption cost, m: the amount of digital cash.

Table 8
Experimental situation of the new mechanism.

Notebook   DELL LATITUDE D400
CPU        Intel (R) Pentium (R) M 1.60 GHz
RAM        512 MB
OS         Windows XP sp3
Language   Python 2.6

The reason is that no one can compute the purchase message [SID_j, C_US, h^{n+1-m}(r, UB_Bob), m]_{h(UB_Bob, N)} without h(UB_Bob, N) under the assumption of the symmetric encryption function. Thus, Bob cannot deny that he has sent the order to BANK. For this reason, the essential of non-repudiation can be guaranteed in this new mechanism.

4.1.8. Perfect forward secrecy

In this mechanism, the legal user Bob can use the session key h(UB_Bob, N) to communicate with BANK securely. If a malicious attacker Eve is able to compromise h(UB_Bob, N), she still cannot apply this session key to recover the previous sessions or derive the keys for future sessions. This is because each session contains an individual random nonce; thus, all session keys are distinct. Even if the attacker is able to collect the valid random nonce for other sessions, she cannot succeed in deriving other session keys without the knowledge of UB_Bob under the assumption of the one-way hash function. Even if Eve can compromise the session key h(h(UB_Bob, SID_j), N) shared between Bob and S_j, she cannot decrypt the previous messages or construct future session keys. Hence, we can conclude that the new mechanism can guarantee the essential of perfect forward secrecy.

4.1.9. Comparison between BitCoin and proposed mechanism

To highlight the practicability of our proposal, we compare the confirmed essentials of BitCoin with those of the proposed mechanism in Table 6. It is clear that the function of a trustworthy third party, namely the server, in BitCoin is only to provide users with secure communication. The server does not get involved in the dealing, so the tracing of illegal transactions cannot be ensured in BitCoin. More precisely, there is no component that can be totally trusted to keep all transaction records in BitCoin. Once a

electronic commerce. As for the mail order system, a user just needs to connect to the Internet and employ the smart card and reader to complete a transaction individually. This can help to popularize the mail order system over the field of electronic commerce.

4.2. Performance analysis

In this section, we analyze the performance of the novel mechanism. The computational cost of the new mechanism is illustrated in Table 7. The analysis focuses on the computational overhead of the payment and dealing confirmation phases. To highlight the practicality of the new method, we conduct experiments that simulate the system. Details of the platform are shown in Table 8.

The buyer may use several amounts of digital cash (m) to purchase; thus, we suppose that there are three kinds of the amount m = 10, m = 15, and m = 20 in the simulation. Next, we performed the novel mechanism for 10,000 rounds and calculated the average computational cost of each participant. In our experiment, since the plaintext is no longer than 512 bits, the cost of the AES symmetric cryptosystem is lower than the SHA1 function. The performance is shown in Table 9. It is clear that the efficiency of the new method is satisfactory, since all steps can be done in a short time period.

To demonstrate that the new method can be applied to light-weight devices, we modify the frequency of the CPU to four different levels (Fig. 9). According to the results, the new method can work fluently even if the user uses an intelligent mobile phone in which the CPU frequency is no more than 500 MHz to complete the transaction.

5. Security analyses

In this section, we analyze how the new mechanism can resist common attacks in electronic commerce.

5.1. Replay attack

Assume that a malicious attacker Eve is able to intercept the messages during the transmission. If Eve intercepts the request message from a legal user Bob and tries to launch the replay attack to get service from BANK, she has to pass the verification of the payment phase. If the message is a replayed one, it is easy for BANK to be aware of this attempt according to the freshness of random
dispute occurs, no one can help to resolve the problem. This is nonce. That is, Eve must replace N with a valid nonce N0 to pass
unreasonable for the entire transaction. In our proposed mecha- the verification that the nonce is fresh. Even though Eve can use
nism, however, since we have introduced a trustworthy third N0 to pass the first verification, she cannot construct the session
party, i.e., BANK, to record all of the transactions, an illegal deal key h(UBBob, N0 ) without the knowledge of UBBob under the assump-
or a dispute problem can be handled well. tion of the one-way hash function. Thus, BANK can be conscious of
Although both the BitCoin and mail order mechanism adopt the this replayed attempt after it tries to compute h(UBBob, N0 ) to
hash chain as the core technique to generate E-Cash, BitCoin has decrypt the encrypted message.
much higher computation costs than a mail order system. This is
due to the fact that BitCoin employs sophisticated computations 5.2. Server master key guessing attack
to mint E-Cash. This complexity guarantees that it is computation-
ally infeasible for users to generate E-Cash by themselves. Thus, If a malicious attacker Eve aims to guess the master key x of
distributed computing is required for supporting the high compu- BANK, she may try to register at BANK first. Then, she can try to re-
tation cost, which is an unfriendly constraint in the field of trieve the master key from four parameters containing x as below.
J.-S. Lee, K.-S. Lin / Electronic Commerce Research and Applications 11 (2012) 388–396 395

Table 9
Performance of each participant in the payment phase.

Participant   Step                                  Cost (µs)   Total (µs)
Buyer         Computation of the session key        5.28807     18.74196
              AES encryption                        4.04403
              Verification of the result message    9.40985
Bank          AES decryption                        3.94871     54.28027 (m = 10)
              CH (m = 10)                           37.16782    69.54124 (m = 15)
              CH (m = 15)                           52.42878    85.80814 (m = 20)
              CH (m = 20)                           68.69568
              Construction of the session key       8.49635
              AES encryption                        4.66738
Seller        Calculation of the session key        5.74416     16.43398
              AES decryption                        4.59016
              Construction of the result message    6.09965

CH: computation of the hash chain (m hash evaluations).

Table 10
The information of Bob in the database.

RIDBob | AIDBob | rBob | nBob | h^{nBob+1}(rBob, UBBob) | [TI] encrypted under h(h(UBBob, SIDj), x)

Fig. 9. Performance of the payment phase based on different CPU frequencies (Bank10 means m = 10, Bank15 means m = 15, Bank20 means m = 20).

Parameter 1: RIDEve = h(h(IDEve, PWEve), x). After the registration phase, BANK generates RIDEve and stores it in its database. We suppose that Eve can obtain RIDEve.
Parameter 2: AIDEve = h(h(IDEve, PWEve), r, x). AIDEve is the anonymous identification of Eve and is public to everyone.
Parameter 3: h(UBEve, N), where UBEve = h(AIDEve, x). Eve can use the smart card to compute and obtain the session key h(UBEve, N).
Parameter 4: h^{n+1-m}(rEve, UBEve), where UBEve = h(AIDEve, x). Eve can choose the amount m she wants to spend and employ the card to calculate the corresponding digital cash.
It is clear that the master key is only embedded in these four parameters. Even though Eve knows her own IDEve and PWEve, it is computationally infeasible to retrieve x from RIDEve under the assumption of pre-image resistance. Similarly, she cannot obtain x from the other three parameters under the assumption of the one-way hash function. Therefore, Eve cannot succeed in retrieving x in the novel mechanism.

5.3. Server spoofing attack

Here, we show that a malicious attacker Eve must fail in masquerading as BANK to obtain the buyer information or to tamper with the purchase order. Since Bob uses the session key h(UBBob, N), with UBBob = h(AIDBob, x), to encrypt the purchase message, it is computationally infeasible for Eve to decrypt the ciphertext without the secret key under the assumption of symmetric encryption. In addition, even though Eve can obtain AIDBob and N in Step 1 of the payment phase, it is impossible for her to calculate h(h(AIDBob, x), N) without the master key x according to the assumption of the one-way hash function. Hence, Eve cannot decrypt the message to tamper with the purchase order or to violate the privacy of the buyer.
On the other hand, if Eve tries to masquerade as BANK to send a forged order to Sj in Step 2 of the payment phase, she must fail. This is due to the fact that the order is encrypted under h(SBj, N), and no one but BANK and Sj knows the shared information SBj. To send a malicious order successfully, she would have to break the one-way hash function, which violates the security assumption. Hence, Eve can neither masquerade as BANK to obtain the buyer's information nor spoof Sj. Thus, the new mechanism resists the server spoofing attack.

5.4. Impersonation attack

If the malicious attacker Eve intends to masquerade as the legal user Bob to ask for service in Step 1 of the payment phase, she may forge and send a purchase message containing AIDBob to BANK. Nevertheless, without knowledge of the session key, she cannot forge a message encrypted under h(UBBob, N) under the assumption of the symmetric encryption function. Once BANK receives the request and computes the session key to decrypt the forged message, it detects the attempt, since decryption does not yield a meaningful plaintext. In practice this check should not rely on the plaintext "looking meaningful": an authenticated encryption mode, or a MAC over the ciphertext, makes the failed decryption explicit. Furthermore, Eve cannot construct the session key h(UBBob, N) without the knowledge of UBBob under the assumption of the one-way hash function. Therefore, the new mechanism prevents impersonation attacks.

5.5. Password guessing attack

If the malicious attacker Eve obtains the smart card of the legal user Bob, she may try to launch a password guessing attack. As the smart card computes h(ID, PW) and compares it with the value stored in the card, Eve has to key in the correct ID and PW of Bob in order to pass the verification. Without the knowledge of IDBob and PWBob, it is very difficult to find an ID and PW such that h(ID, PW) equals h(IDBob, PWBob) under the assumption of pre-image resistance. If Eve enters a wrong ID and PW three times in a row, the smart card is locked. Thus, Eve cannot succeed in mounting a password guessing attack through the card interface. Note that the lockout does not help if the stored h(ID, PW) can be read out of the card: an attacker holding that value can test candidate (ID, PW) pairs offline, so the tamper resistance of the card is a precondition of this argument.
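The following is an added illustration by the editor, not code from the paper, of the payment-phase checks analysed above: registration derives RIDBob, AIDBob and UBBob as in Section 5.2, the buyer spends m coins by revealing h^{n+1-m}(r, UBBob), BANK verifies the token with m hash evaluations (the m in Table 7's (5 + m)THash and the CH rows of Table 9) and rejects a stale nonce (Section 5.1), a re-encrypted message under a wrong key (Sections 5.1 and 5.4), and a token that does not chain to the stored root. Several details are assumptions, because the paper does not fix them: SHA-256 stands in for SHA-1; h^k(r, UB) is taken to be the keyed chain v <- h(v || UB) applied k times starting from v = r; and a SHA-256 counter-mode keystream with an HMAC tag stands in for AES, so that decryption under the wrong session key fails explicitly rather than producing plaintext that BANK would have to recognise as "not meaningful".

```python
"""Editor's illustration (not the paper's code) of the payment-phase checks
analysed in Sections 4.2, 5.1, 5.2, 5.4 and 5.6.  Details the paper leaves
open are assumed here: SHA-256 stands in for SHA-1; h^k(r, UB) is the keyed
chain v <- h(v || UB) applied k times from v = r; a SHA-256 counter-mode
keystream plus an HMAC tag stands in for AES, so a wrong session key is
rejected explicitly rather than producing "non-meaningful" plaintext."""
import hashlib
import hmac
import os


def H(*parts: bytes) -> bytes:
    """h(a, b, ...): SHA-256 over the concatenation of fixed-length fields."""
    return hashlib.sha256(b"".join(parts)).digest()


def chain(start: bytes, ub: bytes, steps: int) -> bytes:
    """chain(r, UB, k) plays the role of h^k(r, UB); chain(h^j, UB, k) == h^(j+k)."""
    for _ in range(steps):
        start = H(start, ub)
    return start


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode blocks h(key || i), enough to cover `length` bytes."""
    return b"".join(H(key, i.to_bytes(4, "big")) for i in range(length // 32 + 1))


def enc(key: bytes, pt: bytes) -> bytes:
    """Stand-in for [pt] under key: XOR with the keystream, then an HMAC tag."""
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, len(pt))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def dec(key: bytes, msg: bytes):
    """Plaintext, or None when the tag was not produced under `key`."""
    ct, tag = msg[:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


class Bank:
    """BANK: master key x, a Table 10 style record per buyer, nonces already seen."""

    def __init__(self):
        self.x, self.db, self.seen = os.urandom(32), {}, set()

    def register(self, id_: bytes, pw: bytes, n: int):
        """Derive RID, AID, UB = h(AID, x) and the root h^(n+1)(r, UB) of Bob's cash."""
        r = os.urandom(16)
        aid = H(H(id_, pw), r, self.x)
        ub = H(aid, self.x)
        self.db[aid] = {"RID": H(H(id_, pw), self.x), "r": r, "n": n,
                        "root": chain(r, ub, n + 1)}
        return aid, r, ub          # assumed card contents; UB itself never goes on the wire

    def pay(self, aid: bytes, nonce: bytes, ct: bytes) -> str:
        """Payment phase at BANK: freshness of N, session key h(UB, N), then m hashes."""
        if nonce in self.seen:
            return "replay"        # Section 5.1: N was used before
        rec = self.db.get(aid)
        if rec is None:
            return "unknown"
        ub = H(aid, self.x)        # reachable only with x (BANK) or from the card (UB)
        pt = dec(H(ub, nonce), ct)
        if pt is None:
            return "bad-key"       # Sections 5.1/5.4: not encrypted under h(UB, N)
        m, token = int.from_bytes(pt[:4], "big"), pt[4:36]
        if not 1 <= m <= rec["n"] or chain(token, ub, m) != rec["root"]:
            return "bad-cash"      # token is not h^(n+1-m)(r, UB) for this balance
        self.seen.add(nonce)
        rec["root"], rec["n"] = token, rec["n"] - m   # the m hashes above are the
        return "ok"                                   # m in Table 7's (5 + m)THash


class Buyer:
    """Bob's smart card: AID, r, UB and the remaining balance n."""

    def __init__(self, aid: bytes, r: bytes, ub: bytes, n: int):
        self.aid, self.r, self.ub, self.n = aid, r, ub, n

    def purchase(self, m: int):
        """Fresh N and the token h^(n+1-m)(r, UB), sent encrypted under h(UB, N)."""
        nonce = os.urandom(16)
        token = chain(self.r, self.ub, self.n + 1 - m)
        self.n -= m
        return self.aid, nonce, enc(H(self.ub, nonce), m.to_bytes(4, "big") + token)


def demo() -> dict:
    """Honest spend of 10 coins, the attacks of Sections 5.1 and 5.4, then 15 more coins."""
    bank = Bank()
    bob = Buyer(*bank.register(b"bob", b"correct horse", 100), 100)
    msg = bob.purchase(10)
    aid, _, ct = msg
    forged = enc(os.urandom(32), (5).to_bytes(4, "big") + os.urandom(32))  # Eve's guess
    return {"honest": bank.pay(*msg),
            "replay": bank.pay(*msg),                         # identical message again
            "nonce_swap": bank.pay(aid, os.urandom(16), ct),  # fresh N', old ciphertext
            "forged": bank.pay(aid, os.urandom(16), forged),  # key is not h(UB, N)
            "second": bank.pay(*bob.purchase(15)),            # chain continues from new root
            "balance": bank.db[aid]["n"]}
```

Calling demo() returns "ok" for the honest purchases, "replay" for the identical message, "bad-key" for both the nonce swap and Eve's forgery, and a remaining balance of 75. A dump of bank.db (the Table 10 record) gives an attacker r and the chain root but not UB, so with the keyed chain assumed here it yields neither a session key nor a spendable token, which is the Section 5.6 argument; with an unkeyed chain h^k(r) alone, the stolen r would have sufficed.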
5.6. Stolen verifier attack

If the malicious attacker Eve is able to compromise the database of BANK, she obtains the information about Bob depicted in Table 10. Since the verifier is kept only in the smart card, even though Eve can compromise the database of BANK, she cannot obtain any verifier that would let her pass the verification. Thus, we can conclude that the new mechanism withstands the stolen verifier attack.

6. Conclusions

Internet-based commerce services have become indispensable. Currently, there is no global mail ordering system that allows buyers to pay bills without personally visiting stores or banks. Our proposed system realizes a novel type of online service that not only keeps the advantages of previous electronic payment systems but also guarantees mutual authentication between buyer and seller. Moreover, this system withstands the attacks analyzed in Section 5 and protects the legal rights and behaviors of both buyers and sellers. Benefiting from a light computational load, the system can work well for mobile commerce, with the SIM card playing the role of the smart card. If telecommunication companies cooperate with banks, users could also pay phone bills via banks; in practice, Citibank already cooperates with telecommunication companies to make the purchasing procedure more convenient for users. All of these practical uses make the novel mechanism feasible.

References

Burrows, M., Abadi, M., and Needham, R. A logic of authentication. ACM Transactions on Computer Systems, 8, 1, 1990, 18–36.
Chaum, D., den Boer, B., van Heyst, E., Mjølsnes, S., and Steenbeek, A. Efficient offline electronic checks. In Advances in Cryptology – EUROCRYPT '89, Springer, 1989, 294–301.
Chaum, D., Fiat, A., and Naor, M. Untraceable electronic cash. In Advances in Cryptology – CRYPTO '88, Santa Barbara, California, USA, Springer, 1990, 319–327.
Chen, W. K. Efficient on-line electronic checks. Applied Mathematics and Computation, 162, 3, 2005, 1259–1263.
Chang, C. C., Chang, S. C., and Lee, J. S. An on-line electronic check system with mutual authentication. Computers and Electrical Engineering, 35, 2009, 1–4.
Chang, C. C., and Chang, S. C. The design of e-traveler's check with efficiency and mutual authentication. In Proceedings of the 3rd International Conference on Ubiquitous Information Management and Communication, USA, 2009, 309–316.
Citibank. Available at http://www.citibank.com. Last accessed on July 30, 2009.
Ferreira, L. D. C., and Dahab, R. A scheme for analyzing electronic payment systems. In Proceedings of the 14th Computer Security Applications Conference, Phoenix, AZ, USA, 1998, 137–146.
Lamport, L. Password authentication with insecure communication. Communications of the ACM, 24, 11, 1981, 770–772.
Ling, Y., Xiang, Y., and Wang, X. RSA-based secure electronic cash payment system. In Proceedings of the 2007 IEEE International Conference on Industrial Engineering and Engineering Management, Hangzhou, China, 2007, 1898–1902.
Liaw, H. T., Lin, J. F., and Wu, W. C. A new electronic traveler's check scheme based on one-way hash function. Electronic Commerce Research and Applications, 6, 4, 2007, 499–503.
Menezes, A., van Oorschot, P. C., and Vanstone, S. Handbook of Applied Cryptography. CRC Press, USA, 1996, 321–376.
Nakamoto, S. Bitcoin: A peer-to-peer electronic cash system. Available at http://bitcoin.org/bitcoin.pdf. Last accessed on January 20, 2012.
PayPal. Available at https://www.paypal.com. Last accessed on August 2, 2009.
Wang, C. J., Tang, Y., and Li, Q. ID-based fair off-line electronic cash system with multiple banks. Journal of Computer Science and Technology, 2007, 487–493.
Yu, H. C., Hsi, K. H., and Kuo, P. J. Electronic payment systems: an analysis and comparison of types. Technology in Society, 24, 3, 2002, 331–347.