Easy come-easy go divisible cash
Recently, there has been an interest in making electronic cash protocols more practical for electronic commerce by developing e-cash which is divisible (e.g., a coin which can be spent incrementally but total purchases are limited to the monetary value of the coin). In Crypto '95, T. Okamoto presented the first practical divisible, untraceable, off-line e-cash scheme, which requires only O(log N) computations for each of the withdrawal, payment and deposit procedures, where N = (total coin value)/(smallest divisible unit). However, Okamoto's set-up procedure is quite inefficient (on the order of 4,000 multi-exponentiations and depending on the size of the RSA modulus). The authors formalize the notion of range-bounded commitment, originally used in Okamoto's account establishment protocol, and present a very efficient instantiation which allows one to construct the first truly efficient divisible e-cash system. The scheme only requires the equivalent of one (1) exponentiation for set-up, less than 2 exponentiations for withdrawal and around 20 for payment, while the size of the coin remains about 300 Bytes. Hence, the withdrawal protocol is 3 orders of magnitude faster than Okamoto's, while the rest of the system remains equally efficient, allowing for implementation in smart-cards. Similar to Okamoto's, the scheme is based on proofs whose cryptographic security assumptions are theoretically clarified.
Theoretical examination and practical implementation on cryptography algorithms, digital money protocols and related applications.
by Shek Wong. Thesis submitted in: December 1997. Thesis (M.Phil.)--Chinese University of Hong Kong, 1998. Includes bibliographical references (leaves 90-[94]). Abstract also in Chinese.

- Chapter 1 --- Introduction
- Chapter 1.1 --- Electronic Commerce
- Chapter 1.2 --- Electronic Cash
- Chapter 1.3 --- What This Report Contains
- Chapter 2 --- Cryptographic Background
- Chapter 2.1 --- Euler Totient Function
- Chapter 2.2 --- Fermat's Little Theorem
- Chapter 2.3 --- Quadratic Residues
- Chapter 2.4 --- Legendre Symbol
- Chapter 2.5 --- Jacobi Symbol
- Chapter 2.6 --- Blum Integer
- Chapter 2.7 --- Williams Integer
- Chapter 2.8 --- The Quadratic Residuosity Problem
- Chapter 2.9 --- The Factorization Problem
- Chapter 2.10 --- The Discrete Logarithm Problem
- Chapter 2.11 --- One-way Functions
- Chapter 2.12 --- Blind Signature
- Chapter 2.13 --- Cut-and-choose Methodology
- Chapter 3 --- Anatomy and Panorama of Electronic Cash
- Chapter 3.1 --- Anatomy of Electronic Cash
- Chapter 3.1.1 --- Three Functions and Six Criteria
- Chapter 3.1.2 --- Untraceable
- Chapter 3.1.3 --- Online and Off-line
- Chapter 3.1.4 --- Security
- Chapter 3.1.5 --- Transferability
- Chapter 3.2 --- Panorama of Electronic Cash
- Chapter 3.2.1 --- First Model of Off-line Electronic Cash
- Chapter 3.2.2 --- Successors
- Chapter 3.2.3 --- Binary Tree Based Divisible Electronic Cash
- Chapter 4 --- Spending Limit Enforced Electronic Cash
- Chapter 4.1 --- Introduction to Spending Limit Enforced Electronic Cash
- Chapter 4.2 --- The Scheme
- Chapter 4.3 --- An Example
- Chapter 4.4 --- Techniques
- Chapter 4.5 --- Security and Efficiency
- Chapter 5 --- Interest-bearing Electronic Cash
- Chapter 5.1 --- Introduction to Interest-bearing Electronic Cash
- Chapter 5.2 --- An Example
- Chapter 5.3 --- The Scheme
- Chapter 5.4 --- Security
- Chapter 5.5 --- An Integrated Scheme
- Chapter 5.6 --- Applications
- Chapter 6 --- Abacus Type Electronic Cash
- Chapter 6.1 --- Introduction
- Chapter 6.2 --- Abacus Model
- Chapter 6.3 --- Divisible Abacus Electronic Coins
- Chapter 6.3.1 --- Binary Tree Abacus Approach
- Chapter 6.3.2 --- Multi-tree Approach
- Chapter 6.3.3 --- Analysis
- Chapter 6.4 --- Abacus Electronic Cash System
- Chapter 6.4.1 --- Opening Protocol
- Chapter 6.4.2 --- Withdrawal Protocol
- Chapter 6.4.3 --- Payment and Deposit Protocol
- Chapter 6.5 --- Anonymity and System Efficiency
- Chapter 7 --- Conclusions
- Chapter A --- Internet Payment Systems
- Chapter A.1 --- Bare Web FORM
- Chapter A.2 --- Secure Web FORM Payment System
- Chapter A.3 --- Membership Type Payment System
- Chapter A.4 --- Agent Based Payment System
- Chapter A.5 --- Internet-based POS
- B Papers derived from this thesis
- Bibliography
Identification Protocols in Cryptography
In this paper we examine the role of Identification Protocols in the field of Cryptography. Firstly, the rationale behind the need for Identification Protocols is discussed. Secondly, we examine, in detail, challenge-response protocols, based upon zero-knowledge proofs, that form a subset of Identification Protocols in general. Thirdly, the mathematical tools necessary for the understanding of how these protocols work are given. Finally, we discuss four main Identification Protocols: Fiat-Shamir, Feige-Fiat-Shamir, Schnorr and Guillou-Quisquater. This discussion includes the theory, practical examples and the security aspects of each protocol.
Privacy-Preserving Incentive Systems with Highly Efficient Point-Collection
Incentive systems (such as customer loyalty systems) are omnipresent nowadays and deployed in several areas such as retail, travel, and financial services. Despite the benefits for customers and companies, this involves large amounts of sensitive data being transferred and analyzed. These concerns initiated research on privacy-preserving incentive systems, where users register with a provider and are then able to privately earn and spend incentive points.
In this paper we construct an incentive system that improves upon the state-of-the-art in several ways:
- We improve efficiency of the Earn protocol by replacing costly zero-knowledge proofs with a short structure-preserving signature on equivalence classes.
- We enable tracing of remainder tokens from double-spending transactions without losing backward unlinkability.
- We allow for secure recovery of failed Spend protocol runs (where usually, any retries would be counted as double-spending attempts).
- We guarantee that corrupt users cannot falsely blame other corrupt users for their double-spending.

We propose an extended formal model of incentive systems and a concrete instantiation using homomorphic Pedersen commitments, ElGamal encryption, structure-preserving signatures on equivalence classes (SPS-EQ), and zero-knowledge proofs of knowledge. We formally prove our construction secure and present benchmarks showing its practical efficiency.
Transferable Constant-Size Fair E-Cash
We propose a new blind certification protocol that provides interesting properties while remaining efficient. It falls in the Groth-Sahai framework for witness-indistinguishable proofs, thus extended to a certified signature it immediately yields non-frameable group signatures. We then use it to build an efficient (offline) e-cash system that guarantees user anonymity and transferability of coins without increasing their size. As required for fair e-cash, in case of fraud, anonymity can be revoked by an authority, which is also crucial to deter double spending.
The Chopstick Auction: A Study of the Exposure Problem in Multi-Unit Auctions
Multi-unit auctions are sometimes plagued by the so-called exposure problem. In this paper, we analyze a simple game called the "chopstick auction" in which bidders are confronted with the exposure problem. We analyze the chopstick auction with incomplete information both in theory and in a laboratory experiment. In theory, the chopstick auction has an efficient equilibrium and is revenue equivalent with the second-price sealed-bid auction in which the exposure problem is not present. In the experiment, however, we find that the chopstick auction is slightly less efficient but yields far more revenue than the second-price sealed-bid auction.

Keywords: Chopstick auction, Exposure problem, Laboratory experiment, Second-price sealed-bid auction