Divisible e-cash made practical

Sébastien Canard; David Pointcheval; Olivier Sanders; Jacques Traoré

Divisible e-cash made practical

View Fulltext

Author(s): Sébastien Canard ¹ ; David Pointcheval ² ; Olivier Sanders ^{1, 2} ; Jacques Traoré ¹
- Affiliations: 1: Orange Labs, Applied Crypto Group, Caen, France ;
  2: CNRS, ENS, INRIA, and PSL, Paris, France
Source: Volume 10, Issue 6, November 2016, p. 332 – 347
DOI: 10.1049/iet-ifs.2015.0485 , Print ISSN 1751-8709, Online ISSN 1751-8717

Received 31/10/2015, Accepted 05/07/2016, Revised 05/07/2016, Published 26/07/2016

Divisible e-cash systems allow users to withdraw a unique coin of value 2ⁿ units from a bank, but then to spend it in several times to distinct merchants. In such a system, whereas users want anonymity of their transactions, the bank wants to prevent, or at least detect, double-spending, and trace defrauders. While this primitive was introduced two decades ago, quite a few (really) anonymous constructions have been proposed. In addition, all but one were just proven secure in the random oracle model, but still with either weak security models or quite complex settings and thus costly constructions. The unique proposal, secure in the standard model, appeared recently and is unpractical. As evidence, the authors left the construction of an efficient scheme secure in this model as an open problem. In this study, the authors answer it with the first efficient divisible e-cash system secure in the standard model. It is based on a new way of building the coins, with a unique and public global tree structure for all the coins. Actually, they propose two constructions which offer a tradeoff between efficiency and security. They both achieve constant time for withdrawing and spending amounts of 2^ℓ units, while allowing the bank to quickly detect double-spendings by a simple comparison of the serial numbers of deposited coins to the ones of previously spent coins.

References

1. 1)
  - 15. Canard, S., Gouget, A.: ‘Divisible e-cash systems can be truly anonymous’. EUROCRYPT 2007, Barcelona, Spain, 20–24 May 2007 (LNCS, 4515), pp. 482–497.
2. 2)
  - 21. Galbraith, S.D., Paterson, K.G., Smart, N.P.: ‘Pairings for cryptographers’, Discrete Appl. Math., 2008, 156, (16), pp. 3113–3121.
3. 3)
  - 18. Bellare, M., Rogaway, P.: ‘Random oracles are practical: a paradigm for designing efficient protocols’. ACM CCS 93, Fairfax, Virginia, USA, 3–5 November 1993, pp. 62–73.
4. 4)
  - 8. Stadler, M., Piveteau, J.-M., Camenisch, J.: ‘Fair blind signatures’. EUROCRYPT'95, Saint-Malo, France, 21–25 May 1995 (LNCS, 921), pp. 209–219.
5. 5)
  - 6. Bellare, M., Shi, H., Zhang, C.: ‘Foundations of group signatures: the case of dynamic groups’. CT-RSA 2005, San Francisco, CA, USA, 14–18 February 2005 (LNCS, 3376), pp. 136–153.
6. 6)
  - 11. Okamoto, T., Ohta, K.: ‘Universal electronic cash’. CRYPTO'91, Santa Barbara, CA, USA, 11–15 August 1992 (LNCS, 576), pp. 324–337.
7. 7)
  - 31. Pointcheval, D., Sanders, O., Traoré, J.: ‘Cut down the tree to achieve constant complexity in divisible E-cash’. IACR Cryptology ePrint Archive, 2015:972, 2015.
8. 8)
  - 3. Chaum, D.: ‘Blind signatures for untraceable payments’. CRYPTO'82, Santa Barbara, CA, USA, 1982, pp. 199–203.
9. 9)
  - 14. Nakanishi, T., Sugiyama, Y.: ‘Unlinkable divisible electronic cash’. Information Security, Third Int. Workshop, ISW 2000, Wollongong, NSW, Australia, December 20-21, 2000 (LNCS, 1975), pp. 121–134.
10. 10)
  - 30. Barreto, P.S.L.M., Naehrig, M.: ‘Pairing-friendly elliptic curves of prime order’. SAC 2005, Kingston, Ontario, Canada, 11–12 August 2006 (LNCS, 3897), pp. 319–331.
11. 11)
  - 13. Chan, A.H., Frankel, Y., Tsiounis, Y.: ‘Easy come – easy go divisible cash’. EUROCRYPT'98, Espoo, Finland, 31 May–4 June 1998 (LNCS, 1403), pp. 561–575.
12. 12)
  - 28. Abe, M., Groth, J., Haralambiev, K., et al: ‘Optimal structure-preserving signatures in asymmetric bilinear groups’. CRYPTO 2011, Santa Barbara, CA, USA, 14–18 August 2011 (LNCS, 6841), pp. 649–666.
13. 13)
  - 24. Ducas, L.: ‘Anonymity from asymmetry: New constructions for anonymous HIBE’. CT-RSA 2010, San Francisco, CA, USA, 1–5 March 2010 (LNCS, 5985), pp. 148–164.
14. 14)
  - 26. Goldwasser, S., Micali, S., Rivest, R.L.: ‘A digital signature scheme secure against adaptive chosen-message attacks’, SIAM J. Comput., 1988, 17, (2), pp. 281–308.
15. 15)
  - 23. Boneh, D., Boyen, X.: ‘Short signatures without random oracles and the SDH assumption in bilinear groups’, J. Cryptol., 2008, 21, (2), pp. 149–177.
16. 16)
  - 7. Brickell, E.F., Gemmell, P., Kravitz, D.W.: ‘Trustee-based tracing extensions to anonymous cash and the making of anonymous change’. 6th SODA, San Francisco, California, USA, 22–24 January 1995, pp. 457–466.
17. 17)
  - 25. Zippel, R.: ‘Probabilistic algorithms for sparse polynomials’. EUROSAM'79, Marseille, France, June 1979 (LNCS, 72), pp. 216–226.
18. 18)
  - 1. Canard, S., Pointcheval, P., Sanders, O., et al: ‘Divisible E-cash made practical’. PKC 2015, Gaithersburg, MD, USA, 30 March–1 April 2015 (LNCS, 9020), pp. 77–100.
19. 19)
  - 12. Okamoto, T.: ‘An efficient divisible electronic cash scheme’. CRYPTO'95, Santa Barbara, CA, USA, 27–31 August 1995 (LNCS, 963), pp. 438–451.
20. 20)
  - 22. Chatterjee, S., Menezes, A.: ‘On cryptographic protocols employing asymmetric pairings – the role of Ψ revisited’, Discrete Appl. Math., 2011, 159, (13), pp. 1311–1322.
21. 21)
  - 5. Bellare, M., Micciancio, D., Warinschi, B.: ‘Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions’. EUROCRYPT 2003, Warsaw, Poland, 4–8 May 2003 (LNCS, 2656), pp. 614–629.
22. 22)
  - 17. Canard, S., Gouget, A.: ‘Multiple denominations in e-cash with compact transaction data’. FC 2010, Tenerife, Canary Islands, Spain, 25–28 January 2010 (LNCS, 6052), pp. 82–97.
23. 23)
  - 27. Chabanne, H., Phan, D.H., Pointcheval, D.: ‘Public traceability in traitor tracing schemes’. EUROCRYPT 2005, Aarhus, Denmark, 22–26 May 2005 (LNCS, 3494), pp. 542–558.
24. 24)
  - 9. Camenisch, J., Hohenberger, S., Lysyanskaya, A.: ‘Compact e-cash’. EUROCRYPT 2005, Aarhus, Denmark, 22–26 May 2005 (LNCS, 3494), pp. 302–321.
25. 25)
  - 4. Chaum, D.: ‘Blind signature system’. CRYPTO'83, Santa Barbara, CA, USA, 1983, p. 153.
26. 26)
  - 29. Schnorr, C.-P.: ‘Efficient identification and signatures for smart cards’. CRYPTO'89, Santa Barbara, CA, USA, 20–24 August 1990 (LNCS, 435), pp. 239–252.
27. 27)
  - 19. Izabachène, M., Libert, B.: ‘Divisible E-cash in the standard model’. PAIRING 2012, Cologne, Germany, 16–18 May 2013 (LNCS, 7708), pp. 314–332.
28. 28)
  - 10. Chaum, D., Pedersen, T.P.: ‘Transferred cash grows in size’. EUROCRYPT'92, Balatonfüred, Hungary, 24–28 May 1993 (LNCS, 658), pp. 390–407.
29. 29)
  - 16. Au, M.H., Susilo, W., Mu, Y.: ‘Practical anonymous divisible e-cash from bounded accumulators’. FC 2008, Cozumel, Mexico, 28–31 January 2008 (LNCS, 5143), pp. 287–301.
30. 30)
  - 20. Groth, J., Sahai, A.: ‘Efficient non-interactive proof systems for bilinear groups’. EUROCRYPT 2008, Istanbul, Turkey, 13–17 April 2008 (LNCS, 4965), pp. 415–432.
31. 31)
  - 2. Canard, S., Pointcheval, P., Sanders, O., et al: ‘Scalable divisible e-cash’. Conference on Applied Cryptography and Network Security (ACNS'15), New York, NY, USA, 2–5 June 2015 (LNCS, 9092), pp. 287–306.

Login

Not registered yet?

Share

Tools

Login to add to favourites

Key

Divisible e-cash made practical

References

Related content