Public-Key Cryptography -- PKC 2015

Volume 9020 of the series Lecture Notes in Computer Science pp 101-124


Anonymous Transferable E-Cash

  • Foteini Baldimtsi (Boston University)
  • Melissa Chase (Microsoft Research)
  • Georg Fuchsbauer (Institute of Science and Technology Austria)
  • Markulf Kohlweiss (Microsoft Research)



Cryptographic e-cash allows off-line electronic transactions between a bank, users and merchants in a secure and anonymous fashion. A plethora of e-cash constructions has been proposed in the literature; however, these traditional e-cash schemes only allow coins to be transferred once between users and merchants. Ideally, we would like users to be able to transfer coins between each other multiple times before deposit, as happens with physical cash.

“Transferable” e-cash schemes are the solution to this problem. Unfortunately, the currently proposed schemes are either completely impractical or do not achieve the desirable anonymity properties without compromises, such as assuming the existence of a trusted “judge” who can trace all coins and users in the system. This paper presents the first efficient and fully anonymous transferable e-cash scheme without any trusted third parties. We start by revising the security and anonymity properties of transferable e-cash to capture issues that were previously overlooked. For our construction we use the recently proposed malleable signatures by Chase et al. to allow the secure and anonymous transfer of coins, combined with a new efficient double-spending detection mechanism. Finally, we discuss an instantiation of our construction.


Electronic payments, Transferable e-cash, Malleable signatures, Double-spending detection