Practical Anonymous Divisible E-Cash From Bounded Accumulators

We present an efficient off-line divisible e-cash scheme which is truly anonymous without a trusted third party. This is the second scheme in the literature which achieves full unlinkability and anonymity, after the seminal work proposed by Canard and Gouget. The main trick of our scheme is the use of a bounded accumulator in combination with the classical binary tree approach. The aims of this paper are twofold. Firstly, we analyze Canard and Gouget's seminal work on efficient off-line divisible e-cash. We point out some subtleties in the parameter generation of their scheme. Moreover, spending a coin of small value requires computation of several hundreds of multi-based exponentiations, which is very costly. In short, although this seminal work provides a new approach to achieving truly anonymous divisible e-cash, it is unfortunately rather impractical. Secondly, we present our scheme, which uses a novel approach of incorporating a bounded accumulator. In terms of time and space complexities, our scheme is 50 to 100 times more efficient than Canard and Gouget's work in the spend protocol, at the cost of a withdrawal protocol that is 10 to 500 times less efficient (the large range is due to whether pre-processing is taken into account and the probabilistic nature of our withdrawal protocol). We believe this trade-off between the withdrawal protocol and the spend protocol is reasonable, as the former is executed much less frequently than the latter. Nonetheless, while their scheme provides an affirmative answer to whether divisible e-cash can be truly anonymous, our result takes it a step further and shows that truly anonymous divisible e-cash can be practical.
