Compact E-Cash

Jan Camenisch, IBM Research, Zurich Research Laboratory, CH-8803 Rüschlikon, [email protected]
Susan Hohenberger, CSAIL, Massachusetts Inst. of Technology, Cambridge, MA 02139, USA, [email protected]
Anna Lysyanskaya, Computer Science Department, Brown University, Providence, RI 02912, USA, [email protected]

March 27, 2006

Abstract

This paper presents efficient off-line anonymous e-cash schemes where a user can withdraw a wallet containing 2^ℓ coins, each of which she can spend unlinkably. Our first result is a scheme, secure under the strong RSA and the y-DDHI assumptions, where the complexity of the withdrawal and spend operations is O(ℓ + k) and the user's wallet can be stored using O(ℓ + k) bits, where k is a security parameter. The best previously known schemes require at least one of these complexities to be O(2^ℓ · k). In fact, compared to previous e-cash schemes, our whole wallet of 2^ℓ coins has about the same size as one coin in these schemes. Our scheme also offers exculpability of users, that is, the bank can prove to third parties that a user has double-spent. We then extend our scheme to our second result, the first e-cash scheme that provides traceable coins without a trusted third party. That is, once a user has double-spent one of the 2^ℓ coins in her wallet, all her spendings of these coins can be traced. We present two alternate constructions. One construction shares the same complexities with our first result but requires a strong bilinear map assumption that is only conjectured to hold on MNT curves. The second construction works on more general types of elliptic curves, but the price for this is that the complexity of the spending and of the withdrawal protocols becomes O(ℓ · k) and O(ℓ · k + k^2) bits, respectively, and wallets take O(ℓ · k) bits of storage. All our schemes are secure in the random oracle model.
1 Introduction

Electronic cash was invented by Chaum [27, 28], and extensively studied since [31, 40, 32, 11, 24, 12, 54, 39, 55, 5]. The main idea is that, even though the same party (a bank B) is responsible for giving out electronic coins, and for later accepting them for deposit, the withdrawal and the spending protocols are designed in such a way that it is impossible to identify when a particular coin was spent. I.e., the withdrawal protocol does not reveal any information to the bank that would later enable it to trace how a coin was spent. As a coin is represented by data, and it is easy to duplicate data, an electronic cash scheme requires a mechanism that prevents a user from spending the same coin twice (double-spending). There are two scenarios. In the on-line scenario [28, 29, 30], the bank is on-line in each transaction to ensure that no coin is spent twice, and each merchant must consult the bank before accepting a payment. In the off-line scenario, the merchant accepts a payment autonomously, and later submits the payment to the bank; the merchant is guaranteed that such a payment will be either...
This note was uploaded on 01/18/2012 for the course CIS 4930 taught by Professor Staff during the Fall '08 term at University of Florida.