Abstract
Recently, there has been an interest in creating practical anonymous electronic cash with the ability to conduct payments of exact amounts, as is typically the practice in physical payment systems. The most general solution for such payments is to allow electronic coins to be divisible (e.g., each coin can be spent incrementally but total purchases are limited to the monetary value of the coin). In Crypto '95, T. Okamoto presented the first efficient divisible, anonymous (but linkable) off-line e-cash scheme requiring only O(log N) computations for each of the withdrawal, payment and deposit procedures, where N = (total coin value)/(smallest divisible unit) is the divisibility precision. However, the zero-knowledge protocol used for the creation of a blinded unlinkable coin by Okamoto is quite inefficient and is used only at set-up to make the system efficient. Incorporating “unlinkable” blinding only in the setup, however, limits the level of anonymity offered by allowing the linking of all coins withdrawn—rather than a more desirable anonymity which allows only linking of subcoins of a withdrawn coin.
In this paper we make a further step towards practicality of complete (i.e., divisible) anonymous e-cash by presenting a solution where all procedures (set-up, withdrawal, payment and deposit) are bounded by tens of exponentiations; in particular we improve on Okamoto's result by 3 orders of magnitude, while the size of the coin remains about 300 bytes, based on a 512-bit modulus. Moreover, the protocols are compatible with tracing methods used for “fair” or “revokable” anonymous cash.
Work partially performed when affiliated with the College of Computer Science, Northeastern University, Boston, MA.
References
E. F. Brickell, P. Gemmell, and D. Kravitz. Trustee-based tracing extensions to anonymous cash and the making of anonymous change. In Symposium on Distributed Algorithms (SODA), Albuquerque, NM, 1995.
M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. First ACM journal on Computer and Communications security, 1993. Available at http://www-cse.ucsd.edu/users/mihir/crypto-papers.html.
S. Brands. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, CWI (Centre for Mathematics and Computer Science), Amsterdam, 1993. anonymous ftp://ftp.cwi.nl:/pub/CWIreports/AA/CS-R9323.ps.zip.
S. Brands. Untraceable off-line cash in wallets with observers. In Advances in Cryptology — Crypto '93, Proceedings (Lecture Notes in Computer Science 773), pages 302–318. Springer-Verlag, 1993. Available at http://www.cwi.nl/ftp/brands/crypto93.ps.Z.
A. Chan, Y. Frankel, P. MacKenzie, and Y. Tsiounis. Mis-representation of identities in e-cash schemes and how to prevent it. In Advances in Cryptology — Proceedings of Asiacrypt '96 (Lecture Notes in Computer Science 1163), pages 276–285, Kyongju, South Korea, November 3–7 1996. Springer-Verlag. Available at http://www.ccs.neu.edu/home/yiannis/pubs.html.
D. Chaum, A. Fiat, and M. Naor. Untraceable electronic cash. In Advances in Cryptology — Crypto '88 (Lecture Notes in Computer Science), pages 319–327. Springer-Verlag, 1990.
D. Chaum. Blind signatures for untraceable payments. In D. Chaum, R.L. Rivest, and A. T. Sherman, editors, Advances in Cryptology. Proc. Crypto '82, pages 199–203, Santa Barbara, 1983. Plenum Press N. Y.
D. Chaum. Security without identification: transaction systems to make Big Brother obsolete. Commun. ACM, 28(10):1030–1044, October 1985.
J. Camenisch, U. Maurer, and M. Stadler. Digital payment systems with passive anonymity-revoking trustees. In Esorics '96, Italy, 1996. To appear. Available at http://www.inf.ethz.ch/personal/camenisc/publications.html.
D. Chaum and T.P. Pedersen. Transferred cash grows in size. In Advances in Cryptology — Eurocrypt '92, Proceedings (Lecture Notes in Computer Science 658), pages 390–407. Springer-Verlag, 1993.
J. Camenisch and M. Stadler. Efficient group signature schemes for large groups. In B. Kaliski, editor, Advances in Cryptology — CRYPTO '97 Proceedings, LLNCS 1294, pages 410–424, Santa Barbara, CA, August 17–21 1997. Springer-Verlag. Available at http://www.inf.ethz.ch/personal/camenisc/.
I. B. Damgård. Collision free hash functions and public key signature schemes. In D. Chaum and W. L. Price, editors, Advances in Cryptology — Eurocrypt '87 (Lecture Notes in Computer Science 304). Springer-Verlag, Berlin, 1988. Amsterdam, The Netherlands, April 13–15, 1987.
S. D'Amiano and G. Di Crescenzo. Methodology for digital money based on general cryptographic tools. In Advances in Cryptology, Proc. of Eurocrypt '94, pages 157–170. Springer-Verlag, 1994. Italy, 1994.
B. den Boer, D. Chaum, E. van Heyst, S. Mjolsnes, and A. Steenbeek. Efficient off-line electronic checks. In J.-J. Quisquater and J. Vandewalle, editors, Advances in Cryptology, Proc. of Eurocrypt '89 (Lecture Notes in Computer Science 434), pages 294–301. Springer-Verlag, 1989. Houthalen, Belgium, April 10–13.
G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung. Anonymity control in e-cash. In Proceedings of the 1st Financial Cryptography conference (Lecture Notes in Computer Science 1318), Anguilla, BWI, February 24–28 1997. Springer-Verlag. To appear. Available at http://www.ccs.neu.edu/home/yiannis/pubs.html.
A. de Solages and J. Traore. An efficient fair off-line electronic cash system with extensions to checks and wallets with observers. In Proceedings of the 2nd Financial Cryptography conference, Anguilla, BWI, February 1998. Springer-Verlag. To appear.
T. Eng and T. Okamoto. Single-term divisible electronic coins. In Advances in Cryptology — Eurocrypt '94, Proceedings, pages 306–319, New York, 1994. Springer-Verlag.
Y. Frankel, P. Gemmell, and M. Yung. Witness-based cryptographic program checking and robust function sharing. In Proceedings of the twenty eighth annual ACM Symp. in Theory of Computing, STOC, 1996. To appear. Available at http://www.cs.sandia.gov/~psgemme/.
Y. Frankel, B. Patt-Shamir, and Y. Tsiounis. Exact analysis of exact change. In Proceedings of the 5th Israeli Symposium on the Theory of Computing Systems (ISTCS), Ran-Gatan, Israel, June 17–19 1997. Available at http://www.ccs.neu.edu/home/yiannis/pubs.html
Y. Frankel, Y. Tsiounis, and M. Yung. Indirect discourse proofs: achieving fair off-line e-cash. In Advances in Cryptology, Proc. of Asiacrypt '96 (Lecture Notes in Computer Science 1163), pages 286–300, Kyongju, South Korea, November 3–7 1996. Springer-Verlag. Available at http://www.ccs.neu.edu/home/yiannis/pubs.html.
M. Franklin and M. Yung. Secure and efficient off-line digital money. In Proceedings of the twentieth International Colloquium on Automata, Languages and Programming (ICALP 1993), (Lecture Notes in Computer Science 700), pages 265–276. Springer-Verlag, 1993. Lund, Sweden, July 1993.
M. Jakobsson and M. Yung. Revokable and versatile e-money. In Proceedings of the third annual ACM Symp. on Computer and Communication Security, March 1996.
D. E. Knuth. The Art of Computer Programming, Vol. 2, Seminumerical Algorithms. Addison-Wesley, Reading, MA, 1981.
N. Koblitz. A course in number theory and cryptography, volume 114 of Graduate Texts in Mathematics. Springer-Verlag, New York, 1987.
T. Okamoto. An efficient divisible electronic cash scheme. In Don Coppersmith, editor, Advances in Cryptology, Proc. of Crypto '95 (Lecture Notes in Computer Science 963), pages 438–451. Springer-Verlag, 1995. Santa Barbara, California, U.S.A., August 27–31.
E. Fujisaki and T. Okamoto, 1996. Unpublished manuscript. Personal communication with T. Okamoto.
T. Okamoto and K. Ohta. Universal electronic cash. In Advances in Cryptology — Crypto '91 (Lecture Notes in Computer Science), pages 324–337. Springer-Verlag, 1992.
T. Okamoto and M. Yung. Lower bounds on term-based divisible cash systems. In International Workshop on Public Key Cryptography, Yokohama, Japan, February 5–6 1998. Springer-Verlag. To appear.
D. Pointcheval and J. Stern. Security proofs for signature schemes. In U. Maurer, editor, Advances in Cryptology, Proc. of Eurocrypt '96, pages 387–398, Zaragoza, Spain, May 11–16, 1996. Springer-Verlag. Available at http://www.ens.fr/dmi/equipes-dmi/grecc/pointche/pub.html.
B. Pfitzmann and M. Waidner. How to break and repair a ‘provably secure’ untraceable payment system. In J. Feigenbaum, editor, Advances in Cryptology, Proc. of Crypto '91 (Lecture Notes in Computer Science 576), pages 338–350. Springer-Verlag, 1992.
C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991.
Y. Tsiounis. Efficient Electronic Cash: New Notions and Techniques. PhD thesis, College of Computer Science, Northeastern University, Boston, MA, 1997. Available at http://www.ccs.neu.edu/home/yiannis/pubs.html.
H. van Antwerpen. Electronic cash. Master's thesis, CWI, 1990.
© 1998 Springer-Verlag Berlin Heidelberg
Cite this paper
Chan, A., Frankel, Y., Tsiounis, Y. (1998). Easy come — Easy go divisible cash. In: Nyberg, K. (eds) Advances in Cryptology — EUROCRYPT'98. EUROCRYPT 1998. Lecture Notes in Computer Science, vol 1403. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0054154
DOI: https://doi.org/10.1007/BFb0054154
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-64518-4
Online ISBN: 978-3-540-69795-4
eBook Packages: Springer Book Archive