Off-line electronic cash based on secret-key certificates

  • Stefan Brands
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 911)

Abstract

An off-line electronic coin system is presented that offers multi-party security and unconditional privacy of payments. The system improves significantly on the efficiency of the previously most efficient such system known in the literature, due to application of a recently proposed technique called secret-key certificates.

By definition of secret-key certificates, pairs consisting of a public key and a matching certificate can be simulated with indistinguishable probability distribution. This allows a variety of polynomial-time reductions from a well-known signature scheme to the cash system. In particular, the withdrawal protocol can be proved to be restrictive blind with respect to one account holder, relying only on a standard intractability assumption; no such result has been proved before in the literature.

Another consequence of the application of the secret-key certificate technique is that the withdrawal protocol is not a blind signature issuing protocol. This falsifies the popular belief that efficient privacy-protecting off-line electronic cash systems must be based on withdrawal protocols that are blind signature issuing protocols.



Copyright information

© Springer-Verlag 1995

Authors and Affiliations

  • Stefan Brands (CWI, Amsterdam, The Netherlands)
