
# chaum_fiat_naor_ecash - Untraceable Electronic...


Untraceable Electronic Cash† (Extended Abstract)

David Chaum¹, Amos Fiat², Moni Naor³

¹ Center for Mathematics and Computer Science, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands
² Tel-Aviv University, Tel-Aviv, Israel
³ IBM Almaden Research Center, 650 Harry Road, San Jose, CA 95120

† Work done while the second and third authors were at the University of California at Berkeley. The work of the second author was supported by a Weizmann Postdoctoral Fellowship and by NSF Grants DCR 84-11954 and DCR 85-13926. The work of the third author was supported by NSF Grants DCR 85-13926 and CCR 88-13632.

S. Goldwasser (Ed.): Advances in Cryptology - CRYPTO '88, LNCS 403, pp. 319-327, 1990. © Springer-Verlag Berlin Heidelberg 1990

## Introduction

The use of credit cards today is an act of faith on the part of all concerned. Each party is vulnerable to fraud by the others, and the cardholder in particular has no protection against surveillance. Paper cash is considered to have a significant advantage over credit cards with respect to privacy, although the serial numbers on cash make it traceable in principle. Chaum has introduced unconditionally untraceable electronic money ([C85] and [C88]).

But what is to prevent anyone from making several copies of an electronic coin and using them at different shops? On-line clearing is one possible solution, though a rather expensive one. Paper banknotes don't present this problem, since making exact copies of them is thought to be infeasible. Nor do credit cards, because their unique identity lets the bank take legal action to regain overdrawn balances, and the bank can add cards to a blacklist.

Generating electronic cash should be difficult for anyone, unless it is done in cooperation with the bank. The RSA digital signature scheme can be used to realize untraceable electronic money as proposed in [C85] and [C88]. This money might be of the form $(x, f(x)^{1/3} \pmod n)$, where $n$ is some composite whose factorization is known only to the bank and $f$ is a suitable one-way function. The protocol for issuing and spending such money can be summarized as follows:

1. Alice chooses a random $x$ and $r$, and supplies the bank with $B = r^3 f(x) \pmod n$.
2. The bank returns the third root of $B$ modulo $n$: $r \cdot f(x)^{1/3} \pmod n$, and withdraws one dollar from her account.
3. Alice extracts $C = f(x)^{1/3} \bmod n$ from $B$.
4. To pay Bob one dollar, Alice gives him the pair $(x, f(x)^{1/3} \pmod n)$.
5. Bob immediately calls the bank, verifying that this electronic coin has not already been deposited.

Everyone can easily verify that the coin has the right structure and has been signed by the bank, yet the bank cannot link this specific coin to Alice's account.

Among other advantages, the new approach presented here removes the requirement that the shopkeeper must contact the bank during every transaction. If Alice uses a coin only once, her privacy is protected unconditionally. But if Alice reuses a coin, the bank can trace it to her account and can prove that she has used it twice.
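The five-step issuing and spending protocol above, as an added example that is not code from the paper: a toy RSA blind signature with public exponent 3, including the on-line double-deposit check of step 5. The small modulus, the SHA-256-based `f`, and the `Bank` class are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key (assumption): both primes are 2 mod 3, so every value
# has a unique cube root mod n. Far too small for real use.
P, Q = 1_000_000_007, 998_244_353
N = P * Q
D = pow(3, -1, (P - 1) * (Q - 1))  # bank's secret cube-root exponent

def f(x: bytes) -> int:
    """Stand-in one-way function f (assumption: SHA-256 reduced mod n)."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") % N

def blind(x: bytes, r: int) -> int:
    """Step 1: Alice sends B = r^3 * f(x) mod n."""
    return pow(r, 3, N) * f(x) % N

def bank_sign(B: int) -> int:
    """Step 2: the bank returns the cube root r * f(x)^(1/3) mod n."""
    return pow(B, D, N)

def unblind(S: int, r: int) -> int:
    """Step 3: Alice divides out r, leaving C = f(x)^(1/3) mod n."""
    return S * pow(r, -1, N) % N

def verify(x: bytes, C: int) -> bool:
    """Step 4 check: anyone can confirm that C^3 equals f(x) mod n."""
    return pow(C, 3, N) == f(x)

class Bank:
    """Step 5: on-line clearing that rejects a coin already deposited."""
    def __init__(self):
        self.deposited = set()

    def deposit(self, x: bytes, C: int) -> bool:
        if not verify(x, C) or x in self.deposited:
            return False
        self.deposited.add(x)
        return True

if __name__ == "__main__":
    x = secrets.token_bytes(16)
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:  # r must be invertible mod n to unblind
        r = secrets.randbelow(N - 2) + 2
    C = unblind(bank_sign(blind(x, r)), r)
    bank = Bank()
    print(verify(x, C), bank.deposit(x, C), bank.deposit(x, C))
```

The bank only ever sees `B`, which is `f(x)` multiplied by the random cube `r^3`, so the deposited pair `(x, C)` cannot be matched to the withdrawal.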