A Group Signature Based Electronic Toll Pricing System Proof of Theorem 1
Lemma 1 Let L′ be the set of fee tuples sent to the authority in phase 4. If the server wants to collect the right tolls from clients and clients have no intention to pay more than their tolls, then our protocol guarantees: 1. for any two sets of fee tuples L′1 and L′2 sent to clients c1 and c2 from G in phase 3, we have L′1 = L′2 = L′ ; 2. for each (ℓ, t, fee, G) ∈ L′ , we have fee = f (ℓ, t); 3. L′ consists of all location tuples sent by clients. Proof. We prove the three sub-lemmas one by one. 1. Suppose L′1 , L′2 and L′ are not equivalent to each other. If a dishonest client c sends Cost(c) to the server which is less than Cost r (c), the server can initiate the dispute solving protocol. The authority will perform two checks according to Alg. 1, which can be instantiated as follows: checksign(Sigc1 (Cost(c1 ), SigS (L′1 , sid )), (Cost(c1 ), SigS (L′ , sid )), pkc )) checksign(Sigc2 (Cost(c2 ), SigS (L′2 , sid )), (Cost(c2 ), SigS (L′ , sid )), pkc )) If L′1 , L′2 and L′ are not equal to each other, then these two checks never pass. The protocol terminates. Thus the server has to accept the loss of clients’ tolls, i.e., toll(G) < tollr (G). This contradicts with our assumption that the server wants no loss of tolls. 2. Suppose a fee tuple (ℓ, t, fee, G) with fee 6= f (ℓ, t). From the first sub-lemma, all clients receive the same set of fee tuples. According to the toll calculation protocol, clients check the correctness of fees before computing their payments. They will refuse to commit payments to the server as fee 6= f (ℓ, t). Furthermore, since the server cannot start the dispute resolving protocol without any client’s payment commitment, the server loses all clients’ payments. This contradicts our assumptions. 3. Suppose in L′ , the server removes a fee tuple ϕ = (ℓ, t, fee, G) which belongs to client c. Form the first two sub-lemmas, client c receives the same set of correct fee tuples without ϕ as the others. Thus, Cost(c) = Cost r (c) − fee. The server initiates dispute resolving protocol. The authority gives no results saying that client c paid less (according to Alg. 1, the authority computes from L′ T (c) which is equal to Cost(c)). Thus, the server has to accept pay(c) = Cost(c) and suffer the loss of f ee. This contradicts our assumptions. Proof of Theorem 1: Proof. We first prove the correctness of our protocol and then the accountability.
Correctness. We divide the proof into two parts in terms of the correctness with regards to clients and the server. 1. We start by proving ∀c∈G pay(c) = Cost r (c). Suppose client c pays fewer tolls, i.e., pay(c) < Cost rP (c). It follows that Cost(c) < Cost r (c). From Lemma 1, we can infer that (ℓ,t,fee,G)∈L′ fee = P ′ ′ ′ ′ c′ ∈G Cost r (c ) and ∀c ∈G T (c ) = Cost r (c ). As no clients pay more than their tolls, the server starts the dispute resolving protocol. The authority computes T (c) and compares it with Cost(c). As T (c) = Cost r (c) and Cost(c) < Cost r (c), the authority returns the tolls client c still needs to pay, i.e., Cost r (c) − Cost(c). The final payment of c (pay(c)) is Cost(c) + (Cost r (c) − Cost(c)) = Cost P r (c). Contradiction. 2. We prove that toll(G) = c∈G Cost r (c). From the above proof, we get all clients pay their P tolls correctly. Thus, we have ∀c∈GP pay(c) = Costr (c). From toll(G) = c∈G pay(c) we can conclude toll(G) = c∈G Cost r (c). Accountability. We prove accountability is secured against misbehaviors in B. 1. Assume attack α = (β1 , c) happens, i.e.,Cost(c) < Cost r (c). Then after phase 4, the server can receive two messages from communication with client c in phase 3 and with the authority in phase 4: Sigc (Cost(c), SigS (L′ , sid)) and SigA (c, Cost r (c) − Cost(c)). The first message proves that client c sent Cost(c) as his payment commitment for session sid. The second message proves that after the server sends m1 and other correct data to the authority, the authority concludes that Cost(c) < Cost r (c). With the perfect cryptographic assumption and the assumption of the trusted authority, c is counted as the originator. 2. Assume either (β2 , c) or (β5 , S) happens. In both cases, the authority issues signed resolution results – SigA (c, Costr (c)). In the first case, client c does not have the response from the server – SigS (Cost(c), sid, c) which can prove c has sent his payment. Thus, c is found to refuse to pay his tolls. However, in the second case, client c has the response from the server, which proves it is the server who did not send in c’s commitment. 3. Assume (β3 , S) happens. There are two cases. First, the server sends a set of fee tuples with mistakes L′ to clients. Clients would terminate the toll calculation protocol as soon as they find the mistakes. In this case, the set of evidences is {SigS (L′ , sid)}. With the perfect cryptography assumption, the server is determined as the originator. Second, the server sends L′ with mistakes to the authority. According to Alg. 1, the authority issues a signed message M – ‘Incorrect location fee computation’. With the evidences {SigS (L′ , sid), SigA (M, sid)}, the server is counted as the originator. 4. Assume (β4 , S) happens. Let (ℓ, t, G) be one of the faked location tuples and gsign be the corresponding faked group signature. From the property of Exculpability of the group signature scheme we have that the server cannot sign the location tuples on behalf of any group member. Thus, according to Alg. 1, the operation Verify(gsign, ℓ, t, G) outputs f alse. A signed message
– SigA (‘Faked location signatures’, sid) is issued by the authority. As the communication channels in driving phase is assumed to be reliable, the data transmitted is integral. Together with the trust in the authority, the server is counted as the originator who fakes group signatures.