An Efficient Divisible Electronic Cash Scheme

  • Tatsuaki Okamoto
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 963)


Recently, several “divisible” untraceable off-line electronic cash schemes have been presented [8, 11, 19, 20]. This paper presents the first practical “divisible” untraceable1 off-line cash scheme that is “single-term”2 in which every procedure can be executed in the order of log N, where N is the precision of divisibility, i.e., N = (the total coin value)/(minimum divisible unit value). Therefore, our “divisible” off-line cash scheme is more efficient and practical than the previous schemes. For example, when N = 217 (e.g., the total value is about $ 1000, and the minimum divisible unit is 1 cent), our scheme requires only about 1 Kbyte of data be transfered from a customer to a shop for one payment and about 20 modular exponentiations for one payment, while all previous divisible cash schemes require more than several Kbytes of transfered data and more than 200 modular exponentiations for one payment.

In addition, we prove the security of the proposed cash scheme under some cryptographic assumptions. Our scheme is the first “practical divisible” untraceable off-line cash scheme whose cryptographic security assumptions are theoretically clarified.


  1. 1.
    Blum, M., “Coin flipping by telephone”, IEEE, COMPCON, pp.133–137 (1982).Google Scholar
  2. 2.
    Brands, S., “Untraceable Off-line Cash in Wallet with Observers”, Proceedings of Crypto 93, pp.302–318 (1994).Google Scholar
  3. 3.
    Bleumer, G., Pfitzmann, B. and Waidner, M., “A Remark on a Signature Scheme Where Forgery can be Proved”, Proceedings of Eurorypt 90, pp.441–445 (1991).Google Scholar
  4. 4.
    Chaum, D., “Security without Identification: Transaction Systems to Make Big Brother Obsolete,” Comm. of the ACM, 28,10, pp.1030–1044 (1985).CrossRefGoogle Scholar
  5. 5.
    Chaum, D., Fiat, A., and Naor, M., “Untraceable Electronic Cash,” Proceedings of Crypto 88, pp.319–327 (1990).Google Scholar
  6. 6.
    Chaum, D., van Heijst, E., and Pfitzmann, B., “Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer,” Proceedings of Crypto 91, pp.470–484 (1992).Google Scholar
  7. 7.
    Damgård, I., “Practical and Provably Secure Release of a Secret and Exchange of Signatures,” Proceedings of Eurocrypt 93 (1993).Google Scholar
  8. 8.
    D’amingo, S. and Di Crescenzo, G., “Methodology for Digital Money based on General Cryptographic Tools”, to appear in the Proceedings of Eurocrypt 94.Google Scholar
  9. 9.
    De Santis, A. and Persiano, G., “Communication Efficient Zero-Knowledge Proofs of Knowledge (with Applications to Electronic Cash)” Proceedings of STACS 92, pp. 449–460 (1992).Google Scholar
  10. 10.
    Even, S., Goldreich, O. and Yacobi, Y., “Electronic Wallet”, Proceedings of Crypto 83, pp.383–386 (1983).Google Scholar
  11. 11.
    Eng, T. and Okamoto, T. “Single-Term Divisible Coins,” to appear in the Proceedings of Eurocrypt 94.Google Scholar
  12. 12.
    Ferguson, N., “Single Term Off-line Coins”, Proceedings of Eurocrypt 93, pp.318–328 (1994).Google Scholar
  13. 13.
    Franklin, M. and Yung, M., “Secure and Efficient Off-Line Digital Money”, Proceedings of ICALP 93, pp. 449–460 (1993).Google Scholar
  14. 14.
    Goldreich, O., Goldwasser, S., and Micali, S., “How to Construct Random Functions,” Journal of ACM, Vol.33, No.4 (1986).Google Scholar
  15. 15.
    Goldwasser, S., Micali, S. and Rivest, R., “A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks,” SIAM J. Comput., 17,2, pp.281–308 (1988).zbMATHCrossRefMathSciNetGoogle Scholar
  16. 16.
    Hayes, B., “Anonymous One-Time Signatures and Flexible Untraceable Electronic Cash,” Proceedings of Auscrypt 90, pp.294–305 (1990).Google Scholar
  17. 17.
    Knuth, D.E. The Art of Computer Programming, Vol.2, 2nd Ed. Addison-Wesley (1981).Google Scholar
  18. 18.
    Okamoto, T., and Ohta, K., “Disposable Zero-Knowledge Authentication and Their Applications to Untraceable Electronic Cash”, Proceedings of Crypto 89, pp. 481–496 (1990).Google Scholar
  19. 19.
    Okamoto, T., and Ohta, K., “Universal Electronic Cash”, Proceedings of Crypto 91, pp. 324–337 (1992).Google Scholar
  20. 20.
    Pailles, J.C., “New Protocols for Electronic Money”, Proceedings of Auscrypt 92, pp. 263–274 (1993).Google Scholar
  21. 21.
    Pedersen, T. P., “Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing”, Proceedings of Crypto 91, pp. 129–140 (1992).Google Scholar
  22. 22.
    Pfitzmann, B. and Waidner, M., “How to Break and Repair a “Provably Secure” Untraceable Payment System,” Proceedings of Crypto 91 (1992).Google Scholar
  23. 23.
    Rabin, M.O., “Digitalized Signatures and Public-Key Functions as Intractable as Factorization,” Tech. Rep., MIT/LCS/TR-212, MIT Lab. Comp. Sci., (1979).Google Scholar
  24. 24.
    Vaudenay, S., “One-Time Identification with Low Memory,” Eurocodes 92 (1992).Google Scholar
  25. 25.
    Yacobi, Y., “Efficient electronic money”, to appear in the Proceedings of Asiacrypt 94.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1995

Authors and Affiliations

  • Tatsuaki Okamoto
    • 1
  1. 1.NTT LaboratoriesJapan

Personalised recommendations