14 research outputs found

    Fair Off-Line e-Cash made easy

    The major considerations in designing a secure system are (1) simplicity of the algorithms involved, (2) efficiency of the implementation, and (3) provable security; these attributes contribute to the "elegance" of a system, easing its implementation (and limiting the possibility of errors) and the burden on system resources. Anonymous off-line electronic cash (e-cash) systems provide transactions that retain the anonymity of the payer, similar to physical cash exchanges, without requiring the issuing bank to be on-line at payment. Fair off-line e-cash extends this capability to allow a qualified third party (a "trustee") to revoke this anonymity under a warrant or other specified "suspicious" activity. In fair off-line e-cash, simplicity and efficiency are of high importance, as the systems are inherently complex and prone to design and implementation errors. Security must also be guaranteed yet, to date, there have been no systems that offer provable security. In this work we make a..

    "Indirect Discourse Proofs": Achieving Efficient Fair Off-Line E-Cash

    Cryptography has been instrumental in reducing the involvement of over-head third parties in protocols. For example, a digital signature scheme assures a recipient that a judge who is not present at message transmission will nevertheless approve the validity of the signature. Similarly, in off-line electronic cash the bank (which is off-line during a purchase) is assured that if a user double spends he will be traced. Here we suggest the notion of Indirect Discourse Proofs with which one can prove indirectly yet efficiently that a third party has a certain future capability (i.e., assure Trustees can trace). The efficient proofs presented here employ algebraic properties of exponentiation (or functions of similar homomorphic nature). Employing this idea we present the concept of "Fair Off-Line e-Cash" (FOLC) system which enables tracing protocols for identifying either the coin or its owner. Recently, the need to trace and identify coins with owners/withdrawals was identified (to av..

    Traceable Signatures

    We present, implement and apply a new privacy primitive that we call "Traceable Signatures." To this end we develop the underlying mathematical and protocol tools, present the concepts and the underlying security model, and then realize the scheme and its security proof. Traceable signatures support an extended set of fairness mechanisms (mechanisms for anonymity management and revocation) when compared with the traditional group signature mechanism. We demonstrate that this extended function is needed for proper operation and adequate level of privacy in various settings and applications. For example, the new notion allows (distributed) tracing of all signatures by a single (misbehaving) party without opening signatures and revealing identities of any other user in the system. In contrast, if such tracing is implemented by a state of the art group signature system, such wide opening of all signatures of a single user is a (centralized) operation that requires the opening of all anonymous signatures and revealing the users associated with them, an act that violates the privacy of all users

    Exact Analysis of Exact Change

    We consider the k-payment problem: given a total budget of N units, the problem is to represent this budget as a set of coins, so that any k exact payments of total value at most N can be made using k disjoint subsets of the coins. The goal is to minimize the number of coins for any given N and k, while allowing the actual payments to be made on-line, namely without the need to know all payment requests in advance. The problem is motivated by the electronic cash model, where each coin is a long bit sequence, and typical electronic wallets have only limited storage capacity. The k-payment problem has additional applications in other resource-sharing scenarios. Our results include a complete characterization of the k-payment problem as follows. First, we prove a necessary and sufficient condition for a given set of coins to solve the problem. Using this characterization, we prove that the number of coins in any solution to the k-payment problem is at least $kH_{N/k}$, where $H_n$ denotes the ..

    Mis-representation of Identities in E-cash Schemes and how to Prevent it

    In Crypto '93, S. Brands presented a very efficient off-line electronic cash scheme based on the representation problem in groups of prime order. In Crypto '95 a very efficient off-line divisible e-cash scheme based on factoring Williams integers was presented by T. Okamoto. We demonstrate one efficient attack on Okamoto's scheme and two on Brands' scheme which allow users to mis-represent their identities and double-spend in an undetectable manner, hence defeating the most essential security aspect of the schemes. The attack on Brands' scheme (which we suspect, given his previous related results, was an inadvertent omission) is also applicable to T. Eng and T. Okamoto's divisible e-cash scheme (presented in Eurocrypt '94) which uses Brands' protocols as a building block. We present an efficient modular fix which is applicable to any use of the Brands' idea, and we discuss how to counteract the attack on Okamoto's scheme. Hence the original results remain significant contributions to ..