Retrofitting Fairness on the Original RSA-Based E-cash

  • Shouhuai Xu
  • Moti Yung
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2742)


The notion of fair e-cash schemes was suggested and implemented in the last decade. It balances anonymity with the capability of tracing users and transactions in cases of crime or misbehavior. The issue was raised both, in the banking community and in the cryptographic literature. A number of systems were designed with an off-line fairness, where the tracing authorities get involved only when tracing is needed. However, none of them is based on the original RSA e-cash. Thus, an obvious question is whether it is possible to construct an efficient fair e-cash scheme by retrofitting the fairness mechanism on the original RSA-based scheme. The question is interesting from, both, a practical perspective (since investment has been put in developing software and hardware that implement the original scheme), and as a pure research issue (since retrofitting existing protocols with new mechanisms is, at times, harder than designing solutions from scratch). In this paper, we answer this question in the affirmative by presenting an efficient fair off-line e-cash scheme based on the original RSA-based one.


E-cash Fairness Conditional Anonymity RSA 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [BR93]
    Bellare, M., Rogaway, P.: Random Oracles Are Practical: A Paradigm for Designing Efficient Protocols. In: ACM CCS 1993 (1993)Google Scholar
  2. [BNPS01]
    Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The Power of RSA Inversion Oracles and the Security of Chaum’s RSA-Based Blind Signature Scheme. In: Syverson, P.F. (ed.) FC 2001. LNCS, vol. 2339, p. 309. Springer, Heidelberg (2002)Google Scholar
  3. [BGK95]
    Brickell, E., Gemmell, P., Kravitz, D.: Trustee-based Tracing Extentions to Anonymous Cash and the Making of Anonymous Change. In: SODA 1995 (1995)Google Scholar
  4. [C82]
    Chaum, D.: Blind Signatures for Untraceable Payments. In: Crypto 1982 (1982)Google Scholar
  5. [CFN88]
    Chaum, D., Fiat, A., Naor, M.: Untraceable Electronic Cash. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 319–327. Springer, Heidelberg (1990)CrossRefGoogle Scholar
  6. [CMS96]
    Camenisch, J., Maurer, U., Stadler, M.: Digital Payment Systems with Passive Anonymity-Revoking Trusrees. In: Martella, G., Kurth, H., Montolivo, E., Bertino, E. (eds.) ESORICS 1996. LNCS, vol. 1146. Springer, Heidelberg (1996)Google Scholar
  7. [CP92]
    Chaum, D., Pedersen, T.: Wallet Databases with Observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  8. [E85]
    El Gamal, T.: A Public-Key Cryptosystem and a Signature Scheme Based on the Discrete Logarithm. IEEE Trans. IT 31(4), 469–472 (1985)CrossRefMATHGoogle Scholar
  9. [F87]
    Feldman, P.: A Practical Scheme for Non-Interactive Verifiable Secret Sharing. In: FOCS 1987 (1987)Google Scholar
  10. [FS86]
    Fiat, A., Shamir, A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)CrossRefGoogle Scholar
  11. [FTY96]
    Frankel, Y., Tsiounis, Y., Yung, M.: Indirect Discourse Proofs: Achieving Efficient Fair Off-Line E-Cash. In: Kim, K.-c., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163. Springer, Heidelberg (1996)Google Scholar
  12. [FR95]
    Franklin, M., Reiter, M.: Verifiable Signature Scharing. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 50–63. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  13. [GJKR99]
    Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure Distributed Key Generation for Discrete-Log Based Cryptosystems. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 295. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  14. [GMR88]
    Goldwasser, S., Micali, S., Rivest, R.: A Digital Signature Scheme Secure against Adaptive Chosen-message Attacks. SIAM J. Computing 17(2) (1988)Google Scholar
  15. [GMW87]
    Goldreich, O., Micali, S., Wigderson, A.: How to Play any Mental Game- A Completeness Theorem for Protocol with Honest Majority. In: STOC 1987 (1987)Google Scholar
  16. [JL00]
    Jarecki, S., Lysyanskaya, A.: Concurrent and Erasure-Free Models in Adaptively-Secure Threshold Cryptography. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 221. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  17. [JM99]
    Jakobsson, M., Mueller, J.: Improved Magic Ink Signatures Using Hints. In: Franklin, M.K. (ed.) FC 1999. LNCS, vol. 1648, p. 253. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  18. [JY96]
    Jakobsson, M., Yung, M.: Revokable and Versatile Electronic Money. In: ACM CCS 1996 (1996)Google Scholar
  19. [J99]
    Juels, A.: Trustee Tokens: Simple and Practical Tracing of Anonymous Digital Cash. In: Franklin, M.K. (ed.) FC 1999. LNCS, vol. 1648, p. 29. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  20. [MP98]
    M’Raihl, D., Pointcheval, D.: Distributed Trustees and Revocability: A Framework for Internet Payment. In: Hirschfeld, R. (ed.) FC 1998. LNCS, vol. 1465, pp. 28–42. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  21. [P91]
    Pedersen, T.P.: Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)Google Scholar
  22. [PS00]
    Pointcheval, D., Stern, J.: Security Arguments for Digital Signatures and Blind Signatures. J. of Cryptology 13(3) (2000)Google Scholar
  23. [R98]
    Rabin, T.: A Simplified Approach to Threshold and Proactive RSA. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 89. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  24. [RSA78]
    Rivest, R., Shamir, A., Adleman, L.: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. CACM 21(2), 120–126 (1978)MathSciNetCrossRefMATHGoogle Scholar
  25. [S00]
    Shoup, V.: Practical Threshold Signatures. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 207. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  26. [TY98]
    Tsiounis, Y., Yung, M.: On the Security of ElGamal Based Encryption. In: Imai, H., Zheng, Y. (eds.) PKC 1998. LNCS, vol. 1431, p. 117. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  27. [vSN92]
    von Solms, S., Naccache, D.: On Blind Signatures and Perfect Crimes. Computer and Security 11, 581–583 (1992)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Shouhuai Xu
    • 1
  • Moti Yung
    • 2
  1. 1.Dept. of Information and Computer ScienceUniversity of California at IrvineUSA
  2. 2.Dept. of Computer ScienceColumbia UniversityUSA

Personalised recommendations