Untraceable Electronic Cash †
(Extended Abstract)
David Chaum ¹, Amos Fiat ², Moni Naor ³
¹ Center for Mathematics and Computer Science, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands
² Tel-Aviv University, Tel-Aviv, Israel
³ IBM Almaden Research Center, 650 Harry Road, San Jose, CA 95120
Introduction

The use of credit cards today is an act of faith on the part of all concerned. Each party is vulnerable to fraud by the others, and the cardholder in particular has no protection against surveillance.

Paper cash is considered to have a significant advantage over credit cards with respect to privacy, although the serial numbers on cash make it traceable in principle. Chaum has introduced unconditionally untraceable electronic money ([C85] and [C88]). But what is to prevent anyone from making several copies of an electronic coin and using them at different shops? On-line clearing is one possible solution though a rather expensive one. Paper banknotes don't present this problem, since making exact copies of them is thought to be infeasible. Nor do credit cards, because their unique identity lets the bank take legal action to regain overdrawn balances, and the bank can add cards to a blacklist.

Generating an electronic cash should be difficult for anyone, unless it is done in cooperation with the bank. The RSA digital signature scheme can be used to realize untraceable electronic money as proposed in [C85] and [C88]. This money might be of the form $(x, f(x)^{1/3} \pmod{n})$ where $n$ is some composite whose factorization is known only to the bank and $f$ is a suitable one-way function. The protocol for issuing and spending such money can be summarized as follows:

1. Alice chooses a random $x$ and $r$, and supplies the bank with $B = r^3 f(x) \pmod{n}$.

† Work done while the second and third authors were at the University of California at Berkeley. The work of the second author was supported by a Weizmann Postdoctoral Fellowship and by NSF Grants DCR 8411954 and DCR 8513926. The work of the third author was supported by NSF Grants DCR 8513926 and CCR 8813632.
S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 319-327, 1990. © Springer-Verlag Berlin Heidelberg 1990

2. The bank returns the third root of $B$ modulo $n$: $r \cdot f(x)^{1/3} \pmod{n}$ and withdraws one dollar from her account.
3. Alice extracts $C = f(x)^{1/3} \bmod n$ from $B$.
4. To pay Bob one dollar, Alice gives him the pair $(x, f(x)^{1/3} \pmod{n})$.
5. Bob immediately calls the bank, verifying that this electronic coin has not already been deposited.

Everyone can easily verify that the coin has the right structure and has been signed by
the bank, yet the bank cannot link this specific coin to Alice's account.
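
The issuing and spending steps above, as an added example that is not code from the paper: a toy Python run of the blinded cube-root protocol, with a check of the claim that the bank cannot link a coin to a withdrawal. The primes, the use of SHA-256 for f, and the names `Bank`, `withdraw`, `verify` and `explains` are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters (far too small for real use): two well-known
# primes, both 2 mod 3, so every value has a unique cube root mod n.
P, Q = 1_000_000_007, 998_244_353
N = P * Q                              # public modulus n
D = pow(3, -1, (P - 1) * (Q - 1))      # bank's secret cube-root exponent

def f(x: int) -> int:
    """Stand-in for the one-way function f (assumption: SHA-256 reduced mod n)."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(16, "big")).digest(), "big") % N

def verify(x: int, C: int) -> bool:
    """Anyone can check the coin's structure: C^3 == f(x) (mod n)."""
    return pow(C, 3, N) == f(x)

class Bank:
    def __init__(self):
        self.deposited = set()         # x values of coins already deposited

    def sign_blinded(self, B: int) -> int:
        """Step 2: return the cube root of B mod n (the account debit is omitted)."""
        return pow(B, D, N)

    def deposit(self, x: int, C: int) -> bool:
        """Step 5: accept a well-formed coin only the first time it is seen."""
        if not verify(x, C) or x in self.deposited:
            return False
        self.deposited.add(x)
        return True

def withdraw(bank: Bank):
    """Steps 1-3: Alice blinds f(x) with r^3, has it signed, and unblinds."""
    while True:
        x, r = secrets.randbits(128), secrets.randbelow(N - 2) + 2
        if gcd(r * f(x), N) == 1:      # keep r (and, for the toy, f(x)) invertible
            break
    B = (pow(r, 3, N) * f(x)) % N      # step 1: B = r^3 f(x) mod n
    signed = bank.sign_blinded(B)      # step 2: r * f(x)^(1/3) mod n
    C = (signed * pow(r, -1, N)) % N   # step 3: divide out r
    return x, C, B

def explains(B: int, x: int, C: int) -> bool:
    """Bank's view: any blinded B it signed fits any valid coin under some r."""
    r = (pow(B, D, N) * pow(C, -1, N)) % N
    return (pow(r, 3, N) * f(x)) % N == B
```

Because `explains` holds for every pairing of a signed blinded value with a valid coin, the bank's withdrawal records give it no way to tell which withdrawal produced which coin.
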

Among other advantages, the new approach presented here removes the requirement that the shopkeeper must contact the bank during every transaction. If Alice uses a coin only once, her privacy is protected unconditionally. But if Alice reuses a coin, the bank can trace it to her account and can prove that she has used it twice.