Advances in Cryptology — EUROCRYPT'98

Volume 1403 of the series Lecture Notes in Computer Science, pp. 561-575


Easy come — Easy go divisible cash

  • Agnes Chan (College of Computer Science, Northeastern University)
  • Yair Frankel (CertCo)
  • Yiannis Tsiounis (GTE Laboratories)


Recently, there has been an interest in creating practical anonymous electronic cash with the ability to conduct payments of exact amounts, as is typically the practice in physical payment systems. The most general solution for such payments is to allow electronic coins to be divisible (e.g., each coin can be spent incrementally but total purchases are limited to the monetary value of the coin). In Crypto'95, T. Okamoto presented the first efficient divisible, anonymous (but linkable) off-line e-cash scheme requiring only O(log N) computations for each of the withdrawal, payment and deposit procedures, where N = (total coin value)/(smallest divisible unit) is the divisibility precision. However, the zero-knowledge protocol used for the creation of a blinded unlinkable coin by Okamoto is quite inefficient and is used only at set-up to make the system efficient. Incorporating “unlinkable” blinding only in the setup, however, limits the level of anonymity offered by allowing the linking of all coins withdrawn—rather than a more desirable anonymity which allows only linking of subcoins of a withdrawn coin.

In this paper we make a further step towards practicality of complete (i.e., divisible) anonymous e-cash by presenting a solution where all procedures (set-up, withdrawal, payment and deposit) are bounded by tens of exponentiations; in particular we improve on Okamoto's result by 3 orders of magnitude, while the size of the coin remains about 300 bytes, based on a 512-bit modulus. Moreover, the protocols are compatible with tracing methods used for “fair” or “revokable” anonymous cash.