Progress in Cryptology – AFRICACRYPT 2011

Volume 6737 of the series Lecture Notes in Computer Science pp 206-223

Achieving Optimal Anonymity in Transferable E-Cash with a Judge

  • Olivier BlazyAffiliated withÉcole Normale Supérieure – CNRS – INRIA
  • , Sébastien CanardAffiliated withOrange Labs – Applied Crypto Group
  • , Georg FuchsbauerAffiliated withDept. Computer Science, University of Bristol
  • , Aline GougetAffiliated withGemalto – Security Lab
  • , Hervé SibertAffiliated withST-Ericsson
  • , Jacques TraoréAffiliated withOrange Labs – Applied Crypto Group

* Final gross prices may vary according to local VAT.

Get Access


Electronic cash (e-cash) refers to money exchanged electronically. The main features of traditional cash are usually considered desirable also in the context of e-cash. One such property is off-line transferability, meaning the recipient of a coin in a transaction can transfer it in a later payment transaction to a third person without contacting a central authority. Among security properties, the anonymity of the payer in such transactions has been widely studied. This paper proposes the first efficient and secure transferable e-cash scheme with the strongest achievable anonymity properties, introduced by Canard and Gouget. In particular, it should not be possible for adversaries who receive a coin to decide whether they have owned that coin before. Our proposal is based on two recent cryptographic primitives: the proof system by Groth and Sahai, whose randomizability enables strong anonymity, and the commuting signatures by Fuchsbauer, which allow one to sign values that are only given as encryptions.


Transferable e-cash anonymity Groth-Sahai proofs commuting signatures