How to Break and Repair a “Provably Secure” Untraceable Payment System

Extended Abstract
  • Birgit Pfitzmann
  • Michael Waidner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 576)


On Crypto’ 88, an untraceable payment system with provable security against abuse by individuals was presented by Damgård. We show how to break the untraceability of that system completely.

Next, an improved version of the system is presented. We also augment the system by security for the individuals against loss of money, and we introduce the possibility of receipts for payments. Finally, whereas all this concerned an on-line system, we present a similar construction for untraceable electronic cash.


  1. BeMi.
    88 Mihir Bellare, Silvio Micali: How to sign given any trapdoor function; 20th Symposium on Theory of Computing (STOC) 1988, ACM, New York 1988, 32–42.Google Scholar
  2. BlPW.
    91 Gerrit Bleumer, Birgit Pfitzmann, Michael Waidner: A Remark on a Signature Scheme where Forgery can be Proved; Eurocrypt’ 90, LNCS 473, Springer-Verlag, Berlin 1991, 441–445.Google Scholar
  3. BüPf.
    89 Holger Bürk, Andreas Pfitzmann: Digital Payment Systems Enabling Security and Unobservability; Computers & Security 8/5 (1989) 399–416.CrossRefGoogle Scholar
  4. CBHM.
    90 David Chaum, Bert den Boer, Eugène van Heijst, Stig Mjølsnes, Adri Steenbeek: Efficient offline electronic checks; Eurocrypt’ 89, LNCS 434, Springer-Verlag, Berlin 1990, 294–301.Google Scholar
  5. Chau.
    81 David Chaum: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms; Communications of the ACM 24/2 (1981) 84–88.CrossRefGoogle Scholar
  6. Chau.
    83 David Chaum: Blind Signatures for untraceable payments; Crypto’ 82, Plenum Press, New York 1983, 199–203.Google Scholar
  7. Chau.
    85 David Chaum: Security without Identification: Transaction Systems to make Big Brother Obsolete; Communications of the ACM 28/10 (1985) 1030–1044.CrossRefGoogle Scholar
  8. Chau.
    88 David Chaum: The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability; Journal of Cryptology 1/1 (1988) 65–75.MathSciNetGoogle Scholar
  9. Chau.
    89 David Chaum: Privacy Protected Payments — Unconditional Payer and/or Payee Untraceability; SMART CARD 2000: The Future of IC Cards, Proc. of the IFIP WG 11.6 International Conference; North-Holland, Amsterdam 1989, 69–93.Google Scholar
  10. Chau.
    90 David Chaum: Showing credentials without identification: Transferring signatures between unconditionally unlinkable pseudonyms; Auscrypt’ 90, LNCS 453, Springer-Verlag, Berlin 1990, 246–264.Google Scholar
  11. Chau3.
    90 David Chaum: Online cash checks; Eurocrypt’ 89, LNCS 434, Springer-Verlag, Berlin 1990, 288–293.Google Scholar
  12. ChDG.
    88 David Chaum, Ivan Bjerre Damgård, Jeroen van de Graaf: Multiparty Computations ensuring privacy of each party’s input and correctness of the result; Crypto’ 87, LNCS 293, Springer-Verlag, Berlin 1988, 87–119.Google Scholar
  13. ChEv.
    87 David Chaum, Jan-Hendrik Evertse: A secure and privacy-protecting protocol for transmitting personal information between organizations; Crypto’ 86, LNCS 263, Springer-Verlag, Berlin 1987, 118–167.Google Scholar
  14. ChFN.
    90 David Chaum, Amos Fiat, Moni Naor: Untraceable Electronic Cash; Crypto’ 88, LNCS 403, Springer-Verlag, Berlin 1990, 319–327.Google Scholar
  15. ChRo.
    90 David Chaum, Sandra Roijakkers: Unconditionally Secure Digital Signatures; Crypto’ 90, 11–15 August 1990, Abstracts, 209–217.Google Scholar
  16. Damg.
    90 Ivan Bjerre Damgård: Payment Systems and Credential Mechanisms with Provable Security Against Abuse by Individuals; Crypto’ 88, LNCS 403, Springer-Verlag, Berlin 1990, 328–335.Google Scholar
  17. Damg.
    91 Ivan Bjerre Damgård: Private communication, Brighton, April 10th 1991.Google Scholar
  18. Gold.
    87 Oded Goldreich: Two Remarks Concerning the Goldwasser-Micali-Rivest Signature Scheme; Crypto’ 86, LNCS 263, Springer-Verlag, Berlin 1987, 104–110.Google Scholar
  19. GoMR.
    88 Shafi Goldwasser, Silvio Micali, Ronald L. Rivest: A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks; SIAM J. Comput. 17/2 (1988) 281–308.CrossRefMathSciNetGoogle Scholar
  20. NaYu.
    89 Moni Naor, Moti Yung: Universal One-way Hash Functions and their Cryptographic Applications; 21st STOC, ACM, New York 1989, 33–43.Google Scholar
  21. OkOh.
    90 Tatsuaki Okamoto, Kazuo Ohta: Divertible zero-knowledge interactive proofs and commutative random self-reducibility; Eurocrypt’ 89, LNCS 434, Springer-Verlag, Berlin 1990, 134–149.Google Scholar
  22. OkOh1.
    90 Tatsuaki Okamoto, Kazuo Ohta: Disposable zero-knowledege authentications and their applications to untraceable electronic cash; Crypto’ 89, LNCS 435, Springer-Verlag, Heidelberg 1990, 481–496.Google Scholar
  23. OkOh.
    91 Tatsuaki Okamoto, Kazuo Ohta: Universal Electronic Cash; Crypto’ 91, Santa Barbara, CA, 11.–15. August 1991, Abstracts, 8.7–8.13.Google Scholar
  24. PfWa.
    91 Birgit Pfitzmann, Michael Waidner: Fail-stop Signatures and their Application; Securicom 91, Paris 1991, 145–160.Google Scholar
  25. PWP.
    87 Birgit Pfitzmann, Michael Waidner, Andreas Pfitzmann: Rechtssicherheit trotz Anonymität in offenen digitalen Systemen; Computer und Recht 3/10,11,12 (1987) 712–717, 796–803, 898–904; Revision: DuD 14/5–6 (1990) 243–253, 305–315.Google Scholar
  26. WaPf.
    85 Michael Waidner, Andreas Pfitzmann: Betrugssicherheit trotz Anonymität. Abrechnung und Geldtransfer in Netzen; Proc. Datenschutz und Datensicherung im Wandel der Informationstechnologien, IFB 113, Springer-Verlag, Berlin 1985, 128–141; Revision: DuD/1 (1986) 16–22.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1992

Authors and Affiliations

  • Birgit Pfitzmann
    • 1
  • Michael Waidner
    • 2
  1. 1.Institut für InformatikUniversität HildesheimHildesheimFRG
  2. 2.Institut für Rechnerentwurf und FehlertoleranzUniversität KarlsruheKarlsruhe 1FRG

Personalised recommendations