Easy come — Easy go divisible cash

  • Agnes Chan
  • Yair Frankel
  • Yiannis Tsiounis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1403)

Abstract

Recently, there has been an interest in creating practical anonymous electronic cash with the ability to conduct payments of exact amounts, as is typically the practice in physical payment systems. The most general solution for such payments is to allow electronic coins to be divisible (e.g., each coin can be spent incrementally but total purchases are limited to the monetary value of the coin). In Crypto'95, T. Okamoto presented the first efficient divisible, anonymous (but linkable) off-line e-cash scheme requiring only O(logN) computations for each of the withdrawal, payment and deposit procedures, where N = (total coin value)/ (smallest divisible unit) is the divisibility precision. However, the zero-knowledge protocol used for the creation of a blinded unlinkable coin by Okamoto is quite inefficient and is used only at set-up to make the system efficient. Incorporating “unlinkable” blinding only in the setup, however, limits the level of anonymity offered by allowing the linking of all coins withdrawn—rather than a more desirable anonymity which allows only linking of subcoins of a withdrawn coin.

In this paper we make a further step towards practicality of complete (i.e., divisible) anonymous e-cash by presenting a solution where all procedures (set-up, withdrawal, payment and deposit) are bounded by tens of exponentiations; in particular we improve on Okamoto's result by 3 orders of magnitude, while the size of the coin remains about 300 Bytes, based on a 512 bit modulus. Moreover, the protocols are compatible with tracing methods used for “fair” or “revokable” anonymous cash.

References

  1. [BGK95]
    E. F. Brickell, P. Gemmell, and D. Kravitz. Trustee-based tracing exten-sions to anonymous cash and the making of anonymous change. In Sympo-sium on Distributed Algorithms (SODA), Albuquerque, NM, 1995.Google Scholar
  2. [BR93]
    M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. First ACM journal on Com-puter and Communications security, 1993. Available at http://www-cse.ucsd.edu/users/mihir/crypto-papers.html.Google Scholar
  3. [Bra93a]
    S. Brands. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, CWI (Centre for Mathematics and Computer Science), Amsterdam, 1993. anonymous ftp://ftp.cwi.nl:/pub/CWIreports/AA/CS-R9323.ps.zip.Google Scholar
  4. [Bra93b]
    S. Brands. Untraceable off-line cash in wallets with observers. In Advances in Cryptology — Crypto '93, Proceedings (Lecture Notes in Computer Sci-ence 773), pages 302–318. Springer-Verlag, 1993. Available at http://www.cwi.nl/ftp/brands/crypto93.ps.Z.Google Scholar
  5. [CFMT96]
    A. Chan, Y. Frankel, P. MacKenzie, and Y. Tsiounis. Mis-representation of identities in e-cash schemes and how to prevent it. In Advances in Cryp-tology — Proceedings of Asiacrypt '96 (Lecture Notes in Computer Science 1163), pages 276–285, Kyongju, South Korea, November 3–7 1996. Springer-Verlag. Available at http://www.ccs.neu.edu/home/yiannis/pubs.html.Google Scholar
  6. [CFN90]
    D. Chaum, A. Fiat, and M. Naor. Untraceable electronic cash. In Ad-vances in Cryptology —Crypto '88 (Lecture Notes in Computer Science), pages 319–327. Springer-Verlag, 1990.Google Scholar
  7. [Cha83]
    D. Chaum. Blind signatures for untraceable payments. In D. Chaum, R.L. Rivest, and A. T. Sherman, editors, Advances in Cryptology. Proc. Crypto '82, pages 199–203, Santa Barbara, 1983. Plenum Press N. Y.Google Scholar
  8. [Cha85]
    D. Chaum. Security without identification: transaction systems to make Big Brother obsolete. Commun. ACM, 28(10):1030–1044, October 1985.CrossRefGoogle Scholar
  9. [CMS96]
    J. Camenisch, U. Maurer, and M. Stadler. Digital payment systems with passive anonymity-revoking trustees. In Esorics '96, Italy, 1996. To appear. Available at http://www.inf.ethz.ch/personal/camenisc/publications.html.Google Scholar
  10. [CP93a]
    D. Chaum and T.P. Pedersen. Transferred cash grows in size. In Advances in Cryptology — Eurocrypt '92, Proceedings (Lecture Notes in Computer Science 658), pages 390–407. Springer-Verlag, 1993.Google Scholar
  11. [CS97]
    J. Camenisch and M. Stadler. Efficient group signature schemes for large groups. In B. Kaliski, editor, Advances in Cryptology — CRYPTO '97 Proceedings, LLNCS 1294, pages 410–424, Santa Barbara, CA, August 17–21 1997. Springer-Verlag. Available at http://www.inf.ethz.ch/personal/camenisc/.Google Scholar
  12. [Dam88]
    I. B. Damgård. Collision free hash functions and public key signature schemes. In D. Chaum and W. L. Price, editors, Advances in Cryptology — Eurocrypt '87 (Lecture Notes in Computer Science 304). Springer-Verlag, Berlin, 1988. Amsterdam, The Netherlands, April 13–15, 1987.Google Scholar
  13. [DC94]
    S. D'Amiano and G. Di Crescenzo. Methodology for digital money based on general cryptographic tools. In Advances in Cryptology, Proc. of Eurocrypt '94, pages 157–170. Springer-Verlag, 1994. Italy, 1994.Google Scholar
  14. [dCv+89]
    B. den Boer, D. Chaum, E. van Heyst, S. Mjolsnes, and A. Steenbeek. Ef-ficient off-line electronic checks. In J.-J. Quisquater and J. Vandewalle, editors, Advances in Cryptology, Proc. of Eurocrypt '89 (Lecture Notes in Computer Science 434), pages 294–301. Springer-Verlag, 1989. Houthalen, Belgium, April 10–13.Google Scholar
  15. [DFTY97]
    G. Davida, Y. Frankel, Y. Tsiounis, and M. Yung. Anonymity control in e-cash. In Proceedings of the 1st Financial Cryptography conference (Lecture Notes in Computer Science 1318), Anguilla, BWI, February 24–28 1997. Springer-Verlag. To appear. Available at http://www.ccs.neu.edu/home/yiannis/pubs.html.Google Scholar
  16. [dST98]
    A. de Solages and J. Traore. An efficient fair off-line electronic cash system with extensions to checks and wallets with observers. In Proceedings of the 2nd Financial Cryptography conference, Anguilla, BWI, February 1998. Springer-Verlag. To appear.Google Scholar
  17. [EO94]
    T. Eng and T. Okamoto. Single-term divisible electronic coins. In Advances in Cryptology — Eurocrypt '94, Proceedings, pages 306–319, New York, 1994. Springer-Verlag.Google Scholar
  18. [FGY96]
    Y. Frankel, P. Gemmell, and M. Yung. Witness-based cryptographic pro-gram checking and robust function sharing. In Proceedings of the twenty eighth annual ACM Symp. in Theory of Computing, STOC, 1996. To ap-pear. Available at http://www.cs.sandia.gov/~psgemme/.Google Scholar
  19. [FPST97]
    Y. Frankel, B. Patt-Shamir, and Y. Tsiounis. Exact analysis of exact change. In Proceedings of the 5th Israeli Symposium on the Theory of Com-puting Systems (ISTCS), Ran-Gatan, Israel, June 17–19 1997. Available at http://www.ccs.neu.edu/home/yiannis/pubs.htmlGoogle Scholar
  20. [FTY96]
    Y. Frankel, Y. Tsiounis, and M. Yung. Indirect discourse proofs: achiev-ing fair off-line e-cash. In Advances in Cryptology, Proc. of Asi-acrypt '96 (Lecture Notes in Computer Science 1163), pages 286–300, Ky-ongju, South Korea, November 3–7 1996. Springer-Verlag. Available at http://www.ccs.neu.edu/home/yiannis/pubs.html.Google Scholar
  21. [FY93]
    M. Franklin and M. Yung. Secure and efficient off-line digital money. In Proceedings of the twentieth International Colloquium on Automata, Lan-guages and Programming (ICALP 1993), (Lecture Notes in Computer Science 700), pages 265–276. Springer-Verlag, 1993. Lund, Sweden, July 1993.Google Scholar
  22. [JY96]
    M. Jakobsson and M. Yung. Revokable and versatile e-money. In Proceedings of the third annual ACM Symp. on Computer and Communication Security, March 1996.Google Scholar
  23. [Knu81]
    D. E. Knuth. The Art of Computer Programming, Vol. 2, Seminumerical Algorithms. Addison-Wesley, Reading, MA, 1981.Google Scholar
  24. [Kob87]
    N. Koblitz. A course in number theory and cryptography, volume 114 of Graduate Texts in Mathematics. Springer-Verlag, New York, 1987.Google Scholar
  25. [Oka95]
    T. Okamoto. An efficient divisible electronic cash scheme. In Don Coppersmith, editor, Advances in Cryptology, Proc. of Crypto '95 (Lecture Notes in Computer Science 963), pages 438–451. Springer-Verlag, 1995. Santa Barbara, California, U.S.A., August 27–31.Google Scholar
  26. [Oka96]
    E. Fujisaki and T. Okamoto, 1996. Unpublished manuscript. Personal com-munication with T. Okamoto.Google Scholar
  27. [OO92]
    T. Okamoto and K. Ohta. Universal electronic cash. In Advances in Cryp-tology — Crypto '91 (Lecture Notes in Computer Science), pages 324–337. Springer-Verlag, 1992.Google Scholar
  28. [OY98]
    T. Okamoto and M. Yung. Lower bounds on term-based divisible cash sys-tems. In International Workshop on Public Key Cryptography, Yokohama, Japan, February 5–6 1998. Springer-Verlag. To appear.Google Scholar
  29. [PS96]
    D. Pointcheval and J. Stern. Security proofs for signature schemes. In U. Maurer, editor, Advances in Cryptology, Proc. of Eurocrypt '96, pages 387–398, Zaragoza, Spain, May 11–16, 1996. Springer-Verlag. Available at http://www.ens.fr/dmi/equipes-dmi/grecc/pointche/pub.html.Google Scholar
  30. [PW92]
    B. Pfitzmann and M. Waidner. How to break and repair a ‘provably secure’ untraceable payment system. In J. Feigenbaum, editor, Advances in Cryp-tology, Proc. of Crypto '91 (Lecture Notes in Computer Science 576), pages 338–350. Springer-Verlag, 1992.Google Scholar
  31. [Sch91]
    C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991.MATHMathSciNetCrossRefGoogle Scholar
  32. [Tsi97]
    Y. Tsiounis. Efficient Electronic Cash: New Notions and Techniques. PhD thesis, College of Computer Science, Northeastern University, Boston, MA, 1997. Available at http://www.ccs.neu.edu/home/yiannis/pubs.html.Google Scholar
  33. [vA90]
    H. van Antwerpen. Electronic cash. Master's thesis, CWI, 1990.Google Scholar

Copyright information

© Springer-Verlag 1998

Authors and Affiliations

  • Agnes Chan
    • 1
  • Yair Frankel
    • 2
  • Yiannis Tsiounis
    • 3
  1. 1.College of Computer ScienceNortheastern UniversityBoston
  2. 2.CertCoNY
  3. 3.GTE LaboratoriesWaltham

Personalised recommendations