Untraceable Off-line Cash in Wallet with Observers

Extended abstract
  • Stefan Brands
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 773)


Incorporating the property of untraceability of payments into off-line electronic cash systems has turned out to be no easy matter. Two key concepts have been proposed in order to attain the same level of security against double-spending as can be trivially attained in systems with full traceability of payments.

The first of these, one-show blind signatures, ensures traceability of double-spenders after the fact. The realizations of this concept that have been proposed unfortunately require either a great sacrifice in efficiency or seem to have questionable security, if not both.

The second concept, wallets with observers, guarantees prior restraint of double-spending, while still offering traceability of double-spenders after the fact in case tamper-resistance is compromised. No realization of this concept has yet been proposed in literature, which is a serious problem. It seems that the known cash systems cannot be extended to this important setting without significantly worsening the problems related to efficiency and security.

We introduce a new primitive that we call restrictive blind signatures. In conjunction with the so-called representation problem in groups of prime order this gives rise to highly efficient off-line cash systems that can be extended at virtually no extra cost to wallets with observers under the most stringent of privacy requirements. The workload for the observer is so small that it can be performed by a tamper-resistant smart card capable of performing the Schnorr identification scheme.

We also introduce new extensions in functionality (unconditional protection against framing, anonymous accounts, multi-spendable coins) and improve some known constructions (computional protection against framing, electronic checks).

The security of our cash system and all its extensions can be derived directly from the security of the well-known Schnorr identification and signature schemes, and the security of our new primitive.


Smart Card Signature Scheme Prime Order Blind Signature Account Number 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Bellare, Micali, “How To Sign Given Any Trapdoor Function,” Proceedings of Crypto’ 88, Springer-Verlag, pages 200–215.Google Scholar
  2. 2.
    Brands, S., “An Efficient Off-line Electronic Cash System Based On The Representation Problem,” CWI Technical Report CS-R9323, April 11, 1993.Google Scholar
  3. 3.
    Brands, S., “Untraceable Off-Line Cash Based On The Representation Problem,” manuscript. To be published as a CWI Technical Report in Januari/Februari 1994.Google Scholar
  4. 4.
    Brickell, E. and McCurley, K., “An Interactive Identification Scheme Based On Discrete Logarithms And Factoring,” Journal of Cryptology, Vol. 5 no. 1 (1992), pages 29–39.CrossRefzbMATHGoogle Scholar
  5. 5.
    Chaum, D., “Achieving Electronic Privacy,” Scientific American, August 1992, pages 96–101.Google Scholar
  6. 6.
    Chaum, D., “Security Without Identification: Transaction Systems To Make Big Brother Obsolete,” Communications of the ACM, Vol. 28 no. 10, October 1985, pages 1020–1044.CrossRefGoogle Scholar
  7. 7.
    Chaum, D., “Card-computer moderated systems,” (unpublished), 1989.Google Scholar
  8. 8.
    Chaum, D., Fiat, A. and Naor, M., “Untraceable Electronic Cash,” Proceedings of Crypto’ 88, Springer-Verlag, pages 319–327.Google Scholar
  9. 9.
    Chaum, D. and Pedersen, T., “Wallet Databases With Observers,” Preproceedings of Crypto’ 92.Google Scholar
  10. 10.
    Cramer, R. and Pedersen, T., “Improved Privacy In Wallets With Observers’, Preproceedings of EuroCrypt’ 93.Google Scholar
  11. 11.
    Ferguson, N., “Single Term Off-Line Coins”, Preproceedings of EuroCrypt’ 93.Google Scholar
  12. 12.
    Ferguson, N., “Extensions Of Single-Term Off-Line coins,” these proceedings.Google Scholar
  13. 13.
    Fiat, A. and Shamir, A., “How To Prove Yourself: Practical Solutions To Identification And Signature Problems,” Proceedings of Crypto’ 86, Springer-Verlag, pages 186–194.Google Scholar
  14. 14.
    Okamoto, T., “Provably Secure And Practical Identification Schemes And Corresponding Signature Schemes,” Preproceedings of Crypto’ 92.Google Scholar
  15. 15.
    Schnorr, C.P., “Efficient Signature Generation By Smart Cards,” Journal of Cryptology, Vol. 4 no. 3 (1991), pages 161–174.CrossRefzbMATHMathSciNetGoogle Scholar
  16. 16.
    “No Hiding Place / Big Brother Is Clocking You,” The Economist, August 7th–13th 1993.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1994

Authors and Affiliations

  • Stefan Brands
    • 1
  1. 1.CWIAmsterdamThe Netherlands

Personalised recommendations