Lower bounds on term-based divisible cash systems

  • Tatsuaki Okamoto
  • Moti Yung
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1431)


Electronic cash is one of the most important applications of public-key cryptosystems. This paper gives lower bounds for the data size and computational complexity of divisible electronic cash based on the Chaum-Fiat-Naor (CFN) paradigm, with respect to the precision of divisibility, N, which is (the total coin value)/(minimum divisible denomination). Achieving computational lower bounds in the most general model of computation is an extremely hard task. We therefore concentrate on a concrete model of computation where the computational unit (like a trapdoor one-way function application) is atomic, and where some structure of the coin and its splits is assumed. All previous upper bounds in this area are within this general model. We show that the lower bound for the computational complexity of generating a (divided) coin is log₂ N · Comp(term), and the lower bound for coin size is log₂ N · |term| + log₂ N, where Comp(term) is a computational complexity unit such as that of one modular exponentiation, and |term| is a unit size of a coin such as the size of a modulus. (Such a unit is called a term.) These bounds are optimal, since they are of the same order as the upper bounds in the previously proposed divisible cash systems.




  1. Brands, S., “Untraceable Off-line Cash in Wallet with Observers”, Proceedings of Crypto 93, LNCS 773, Springer-Verlag, pp. 302–318 (1994).
  2. Chaum, D., Fiat, A., and Naor, M., “Untraceable Electronic Cash”, Proceedings of Crypto 88, LNCS 403, Springer-Verlag, pp. 319–327 (1990).
  3. D'Amiano, S. and Di Crescenzo, G., “Methodology for Digital Money based on General Cryptographic Tools”, Proceedings of Eurocrypt 94, LNCS 950, Springer-Verlag, pp. 156–170 (1995).
  4. De Santis, A. and Persiano, G., “Communication Efficient Zero-Knowledge Proofs of Knowledge (with Applications to Electronic Cash)”, Proceedings of STACS 92, pp. 449–460 (1992).
  5. Even, S., Goldreich, O. and Yacobi, Y., “Electronic Wallet”, Proceedings of Crypto 83, Plenum Press, pp. 383–386 (1984).
  6. Eng, T. and Okamoto, T., “Single-Term Divisible Coins”, Proceedings of Eurocrypt 94, LNCS 950, Springer-Verlag, pp. 306–319 (1995).
  7. Ferguson, N., “Single Term Off-line Coins”, Proceedings of Eurocrypt 93, LNCS 765, Springer-Verlag, pp. 318–328 (1994).
  8. Franklin, M. and Yung, M., “Secure and Efficient Off-Line Digital Money”, Proceedings of ICALP 93, pp. 449–460 (1993).
  9. Hayes, B., “Anonymous One-Time Signatures and Flexible Untraceable Electronic Cash”, Proceedings of Auscrypt 90, LNCS 453, Springer-Verlag, pp. 294–305 (1990).
  10. Okamoto, T., and Ohta, K., “Universal Electronic Cash”, Proceedings of Crypto 91, LNCS 576, Springer-Verlag, pp. 324–337 (1992).
  11. Okamoto, T., “An Efficient Divisible Electronic Cash Scheme”, Proceedings of Crypto 95, LNCS 963, Springer-Verlag, pp. 438–451 (1995).
  12. Pailles, J.C., “New Protocols for Electronic Money”, Proceedings of Auscrypt 92, LNCS 718, Springer-Verlag, pp. 263–274 (1993).
  13. Vaudenay, S., “One-Time Identification with Low Memory”, Proceedings of Eurocodes 92 (1992).
  14. Yacobi, Y., “Efficient electronic money”, Proceedings of Asiacrypt 94, LNCS 917, Springer-Verlag, pp. 153–163 (1994).

Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Tatsuaki Okamoto (1)
  • Moti Yung (2)

  1. NTT Laboratories, Kanagawa-ken, Japan
  2. CertCo, New York, USA
