Lower Bounds on Term-based Divisible Cash Systems

Abstract. Electronic cash is one of the most important applications of public-key cryptosystems. This paper gives lower bounds for data size and computational complexity of divisible electronic cash based on the Chaum-Fiat-Naor (CFN) paradigm, with respect to the precision of divisibility, N, which is (the total coin value)/(minimum divisible denomination). Achieving computational lower bounds in the most general model of computations are extremely hard task. We therefore concentrate on a concrete model of computation where the computational unit (like a trapdoor one way function application) is atomic, and where some structure of the coin and its splits is assumed. All previous upper bounds in this area are within this general model. We show that the lower bound for computational complexity of generating a (divided) coin is log 2 N · Comp(term), and the lower bound for coin size is log 2 N ·|term | +log 2N,whereComp(term) is a computational complexity unit such as that of one modular exponentiation, and |term | is a unit size of a coin such as the size of a modulus. (Such a unit is called a term.) These bounds are optimal, since they are of the same order as the upper bounds in the previously proposed divisible cash systems.