# An Efficient Divisible Electronic Cash Scheme

## Abstract

Recently, several “divisible” untraceable off-line electronic cash schemes have been presented [8, 11, 19, 20]. This paper presents the first practical “divisible” untraceable^{1} off-line cash scheme that is “single-term”^{2} in which every procedure can be executed in the order of log *N*, where *N* is the precision of divisibility, i.e., *N* = (the total coin value)/(minimum divisible unit value). Therefore, our “divisible” off-line cash scheme is more efficient and practical than the previous schemes. For example, when *N* = 2^{17} (e.g., the total value is about $ 1000, and the minimum divisible unit is 1 cent), our scheme requires only about 1 Kbyte of data be transfered from a customer to a shop for one payment and about 20 modular exponentiations for one payment, while all previous divisible cash schemes require more than several Kbytes of transfered data and more than 200 modular exponentiations for one payment.

In addition, we prove the security of the proposed cash scheme under some cryptographic assumptions. Our scheme is the first “practical divisible” untraceable off-line cash scheme whose cryptographic security assumptions are theoretically clarified.

## References

- 1.Blum, M., “Coin flipping by telephone”, IEEE, COMPCON, pp.133–137 (1982).Google Scholar
- 2.Brands, S., “Untraceable Off-line Cash in Wallet with Observers”, Proceedings of Crypto 93, pp.302–318 (1994).Google Scholar
- 3.Bleumer, G., Pfitzmann, B. and Waidner, M., “A Remark on a Signature Scheme Where Forgery can be Proved”, Proceedings of Eurorypt 90, pp.441–445 (1991).Google Scholar
- 4.Chaum, D., “Security without Identification: Transaction Systems to Make Big Brother Obsolete,” Comm. of the ACM, 28,10, pp.1030–1044 (1985).CrossRefGoogle Scholar
- 5.Chaum, D., Fiat, A., and Naor, M., “Untraceable Electronic Cash,” Proceedings of Crypto 88, pp.319–327 (1990).Google Scholar
- 6.Chaum, D., van Heijst, E., and Pfitzmann, B., “Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer,” Proceedings of Crypto 91, pp.470–484 (1992).Google Scholar
- 7.Damgård, I., “Practical and Provably Secure Release of a Secret and Exchange of Signatures,” Proceedings of Eurocrypt 93 (1993).Google Scholar
- 8.D’amingo, S. and Di Crescenzo, G., “Methodology for Digital Money based on General Cryptographic Tools”, to appear in the Proceedings of Eurocrypt 94.Google Scholar
- 9.De Santis, A. and Persiano, G., “Communication Efficient Zero-Knowledge Proofs of Knowledge (with Applications to Electronic Cash)” Proceedings of STACS 92, pp. 449–460 (1992).Google Scholar
- 10.Even, S., Goldreich, O. and Yacobi, Y., “Electronic Wallet”, Proceedings of Crypto 83, pp.383–386 (1983).Google Scholar
- 11.Eng, T. and Okamoto, T. “Single-Term Divisible Coins,” to appear in the Proceedings of Eurocrypt 94.Google Scholar
- 12.Ferguson, N., “Single Term Off-line Coins”, Proceedings of Eurocrypt 93, pp.318–328 (1994).Google Scholar
- 13.Franklin, M. and Yung, M., “Secure and Efficient Off-Line Digital Money”, Proceedings of ICALP 93, pp. 449–460 (1993).Google Scholar
- 14.Goldreich, O., Goldwasser, S., and Micali, S., “How to Construct Random Functions,” Journal of ACM, Vol.33, No.4 (1986).Google Scholar
- 15.Goldwasser, S., Micali, S. and Rivest, R., “A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks,” SIAM J. Comput., 17,2, pp.281–308 (1988).zbMATHCrossRefMathSciNetGoogle Scholar
- 16.Hayes, B., “Anonymous One-Time Signatures and Flexible Untraceable Electronic Cash,” Proceedings of Auscrypt 90, pp.294–305 (1990).Google Scholar
- 17.Knuth, D.E.
*The Art of Computer Programming*, Vol.2, 2nd Ed. Addison-Wesley (1981).Google Scholar - 18.Okamoto, T., and Ohta, K., “Disposable Zero-Knowledge Authentication and Their Applications to Untraceable Electronic Cash”, Proceedings of Crypto 89, pp. 481–496 (1990).Google Scholar
- 19.Okamoto, T., and Ohta, K., “Universal Electronic Cash”, Proceedings of Crypto 91, pp. 324–337 (1992).Google Scholar
- 20.Pailles, J.C., “New Protocols for Electronic Money”, Proceedings of Auscrypt 92, pp. 263–274 (1993).Google Scholar
- 21.Pedersen, T. P., “Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing”, Proceedings of Crypto 91, pp. 129–140 (1992).Google Scholar
- 22.Pfitzmann, B. and Waidner, M., “How to Break and Repair a “Provably Secure” Untraceable Payment System,” Proceedings of Crypto 91 (1992).Google Scholar
- 23.Rabin, M.O., “Digitalized Signatures and Public-Key Functions as Intractable as Factorization,” Tech. Rep., MIT/LCS/TR-212, MIT Lab. Comp. Sci., (1979).Google Scholar
- 24.Vaudenay, S., “One-Time Identification with Low Memory,” Eurocodes 92 (1992).Google Scholar
- 25.Yacobi, Y., “Efficient electronic money”, to appear in the Proceedings of Asiacrypt 94.Google Scholar