Untraceable Off-line Cash in Wallet with Observers
Incorporating the property of untraceability of payments into off-line electronic cash systems has turned out to be no easy matter. Two key concepts have been proposed in order to attain the same level of security against double-spending as can be trivially attained in systems with full traceability of payments.
The first of these, one-show blind signatures, ensures traceability of double-spenders after the fact. The realizations of this concept that have been proposed unfortunately require either a great sacrifice in efficiency or seem to have questionable security, if not both.
The second concept, wallets with observers, guarantees prior restraint of double-spending, while still offering traceability of double-spenders after the fact in case tamper-resistance is compromised. No realization of this concept has yet been proposed in literature, which is a serious problem. It seems that the known cash systems cannot be extended to this important setting without significantly worsening the problems related to efficiency and security.
We introduce a new primitive that we call restrictive blind signatures. In conjunction with the so-called representation problem in groups of prime order this gives rise to highly efficient off-line cash systems that can be extended at virtually no extra cost to wallets with observers under the most stringent of privacy requirements. The workload for the observer is so small that it can be performed by a tamper-resistant smart card capable of performing the Schnorr identification scheme.
We also introduce new extensions in functionality (unconditional protection against framing, anonymous accounts, multi-spendable coins) and improve some known constructions (computional protection against framing, electronic checks).
The security of our cash system and all its extensions can be derived directly from the security of the well-known Schnorr identification and signature schemes, and the security of our new primitive.
KeywordsSmart Card Signature Scheme Prime Order Blind Signature Account Number
- 1.Bellare, Micali, “How To Sign Given Any Trapdoor Function,” Proceedings of Crypto’ 88, Springer-Verlag, pages 200–215.Google Scholar
- 2.Brands, S., “An Efficient Off-line Electronic Cash System Based On The Representation Problem,” CWI Technical Report CS-R9323, April 11, 1993.Google Scholar
- 3.Brands, S., “Untraceable Off-Line Cash Based On The Representation Problem,” manuscript. To be published as a CWI Technical Report in Januari/Februari 1994.Google Scholar
- 5.Chaum, D., “Achieving Electronic Privacy,” Scientific American, August 1992, pages 96–101.Google Scholar
- 7.Chaum, D., “Card-computer moderated systems,” (unpublished), 1989.Google Scholar
- 8.Chaum, D., Fiat, A. and Naor, M., “Untraceable Electronic Cash,” Proceedings of Crypto’ 88, Springer-Verlag, pages 319–327.Google Scholar
- 9.Chaum, D. and Pedersen, T., “Wallet Databases With Observers,” Preproceedings of Crypto’ 92.Google Scholar
- 10.Cramer, R. and Pedersen, T., “Improved Privacy In Wallets With Observers’, Preproceedings of EuroCrypt’ 93.Google Scholar
- 11.Ferguson, N., “Single Term Off-Line Coins”, Preproceedings of EuroCrypt’ 93.Google Scholar
- 12.Ferguson, N., “Extensions Of Single-Term Off-Line coins,” these proceedings.Google Scholar
- 13.Fiat, A. and Shamir, A., “How To Prove Yourself: Practical Solutions To Identification And Signature Problems,” Proceedings of Crypto’ 86, Springer-Verlag, pages 186–194.Google Scholar
- 14.Okamoto, T., “Provably Secure And Practical Identification Schemes And Corresponding Signature Schemes,” Preproceedings of Crypto’ 92.Google Scholar
- 16.“No Hiding Place / Big Brother Is Clocking You,” The Economist, August 7th–13th 1993.Google Scholar