Cut Down the Tree to Achieve Constant Complexity in Divisible E-cash
Divisible e-cash, proposed in 1991 by Okamoto and Ohta, addresses a practical concern of electronic money: the problem of paying the exact amount. Users of such systems can withdraw coins of a large value \(N\) and then divide each one into many pieces of any desired values \(V\le N\). Such a primitive therefore avoids both the need for several denominations and the problem of giving change. Since its introduction, many constructions have been proposed, but all of them use the same framework: they associate each coin with a binary tree, which implies at least logarithmic complexity for spendings.
In this paper, we propose the first divisible e-cash system without such a tree structure, and so without its inherent downsides. Our construction is the first to achieve constant-time spendings while keeping the management of coins fairly easy. It compares favorably with the state of the art, while being provably secure in the standard model.
We thank the anonymous reviewers for their useful remarks. This work was supported in part by the European Research Council under the European Community’s Seventh Framework Programme (FP7/2007-2013 Grant Agreement no. 339563 – CryptoCloud).