2007
Known compact e-cash schemes are constructed from signature schemes with efficient protocols and verifiable random functions. In this paper, we introduce a different approach. We construct compact e-cash schemes from bounded accumulators. A bounded accumulator is an accumulator with a limit on the number of accumulated values. We show a generic construction of compact e-cash schemes from bounded accumulators and signature schemes with certain properties and instantiate it using an existing pairing-based accumulator and a new signature scheme. Our scheme revokes the secret key of the double-spender directly and thus supports more efficient coin tracing. The new signature scheme has an interesting property that it has the message space of a cyclic group \(\mathbb{G}_1\) equipped with a bilinear pairing, with an efficient protocol to show possession of a signature without revealing the signature nor the message. We show that the new scheme is secure in the generic group model. The new signature scheme may be of independent interest.
Mathematical and Computer Modelling, 2013
Many certificateless schemes have been proposed for different purposes, but as far as their applications in any electronic cash schemes there is still a lot of potential for strengthening the security aspect, and this paper is an attempt towards this. In this paper we propose a new type of certificateless scheme which is applied for group oriented signcryption rather than a signature without using bilinear pairing, then a new E-cash system has been presented based on the proposed scheme. The salient feature of the proposed scheme is that any signcrypter of a group can signcrypt a document with the group manager and send it to the verifier. The verifier verifies the authenticity of the signcrypted text by using the group's public parameters and cannot link a signcrypted text to the corresponding signcrypter. However, even the group manager or any signcrypter of that group alone cannot produce a valid signcrypted text. In case of any legal dispute, such as no repudiation of the signature, the group manager has the ability to reveal the identity of the signcrypter. The proposed scheme is secure against the indistinguishably chosen cipher text attack (IND-CCA). Unlinkability, unforgeability and traceability and its security are based on the two computationally hard problems, the Computational Diffie-Hellman Problem (CDHP) and Discrete Logarithmic Problem (DLP). The new scheme's security analysis clearly suggests that it is very reliable to be used in security vulnerable applications in real life.
Lecture Notes in Computer Science, 2015
Divisible E-cash systems allow users to withdraw a unique coin of value \(2^n\) from a bank, but then to spend it in several times to distinct merchants. In such a system, whereas users want anonymity of their transactions, the bank wants to prevent, or at least detect, double-spending, and trace the defrauders. While this primitive was introduced two decades ago, quite a few (really) anonymous constructions have been introduced. In addition, all but one were just proven secure in the random oracle model, but still with either weak security models or quite complex settings and thus costly constructions. The unique proposal, secure in the standard model, appeared recently and is unpractical. As evidence, the authors left the construction of an efficient scheme secure in this model as an open problem. In this paper, we answer it with the first efficient divisible E-cash system secure in the standard model. It is based on a new way of building the coins, with a unique and public global tree structure for all the coins. Actually, we propose two constructions: a very efficient one in the random oracle model and a less efficient, but still practical, in the standard model. They both achieve constant time for withdrawing and spending coins, while allowing the bank to quickly detect double-spendings by a simple comparison of the serial numbers of deposited coins to the ones of previously spent coins.
Journal of Information Security, 2012
A fair electronic cash system is a system that allows customers to make payments anonymously. Furthermore the trusted third party can revoke the anonymity when the customers did illegal transactions. In this paper, a new fair electronic cash system based on group signature scheme by using elliptic curve cryptography is proposed, which satisfies properties of secure group signature scheme (correctness, unforgeability, etc.). Moreover, our electronic cash contains group members (users, merchants and banks) and trusted third party which is acted by central bank as group manager.
Copyright © by Springer-Verlag http://www.springer.de/comp/lncs/index.html
Group blind signatures combine anonymity properties of both group signatures and blind signatures and offer privacy for both the message to be signed and the signer. Their applications include multi-authority e-voting and distributed e-cash systems. The primitive has been introduced with only informal definitions for its required security properties. We offer two main contributions: first, we provide foundations for the primitive where we present formal security definitions offering various flavors of anonymity relevant to this setting. In the process, we identify and address some subtle issues which were not considered by previous constructions and (informal) security definitions. Our second main contribution is a generic construction that yields practical schemes with round-optimal signing and constant-size signatures. Our constructions permit dynamic and concurrent enrollment of new members, satisfy strong security requirements, and do not rely on random oracles. In addition, we introduce some new building blocks which may be of independent interest.
Transferable conditional electronic-cash (e-cash) allows the recipient of a coin in a transaction to transfer it in a later payment transaction to the third person based on the outcome not known in advance. Anonymity is a very important property for a transferable conditional e-cash. However, none of the existing transferable conditional e-cash achieve the optimal anonymity because of its special structure, that is, introducing transferability in the conditional e-cash. In this study, they novelly present a transferable conditional e-cash scheme using a totally different structure, that is, adding condition into the transferable e-cash. Thanks to employing Groth–Sahai proof systems and commuting signatures, the new transferable conditional e-cash satisfies optimal anonymity. Accordingly, they present an extended security model by introducing a publisher who is responsible for publishing two outcomes of a condition. Then, they prove the new scheme's security in the standard model. Compared with the existing transferable conditional e-cash, the efficiency of the new scheme is also improved since the size of the computation and communication is constant.
Lecture Notes in Computer Science, 2020
Over the past two decades, group signature schemes have been developed and used to enable authenticated and anonymous peer-to-peer communications. Initial protocols rely on two main authorities, Issuer and Opener, which are given substantial capabilities compared to (regular) participants, such as the ability to arbitrarily identify users. Building efficient, fast, and short group signature schemes has been the focus of a large number of research contributions. However, only a few dealt with the major privacy-preservation challenge of group signatures; this consists in providing user anonymity and action traceability while not necessarily relying on a central and fully trusted authority. In this paper, we present DOGS, a privacy-preserving Blockchain-supported group signature scheme with a distributed Opening functionality. In DOGS, participants no longer depend on the Opener entity to identify the signer of a potentially fraudulent message; they instead collaborate and perform this auditing process themselves. We provide a high-level description of the DOGS scheme and show that it provides both user anonymity and action traceability. Additionally, we prove how DOGS is secure against message forgery and anonymity attacks.
Lecture Notes in Computer Science, 2011
Electronic cash (e-cash) refers to money exchanged electronically. The main features of traditional cash are usually considered desirable also in the context of e-cash. One such property is off-line transferability, meaning the recipient of a coin in a transaction can transfer it in a later payment transaction to a third person without contacting a central authority. Among security properties, the anonymity of the payer in such transactions has been widely studied. This paper proposes the first efficient and secure transferable e-cash scheme with the strongest achievable anonymity properties, introduced by Canard and Gouget. In particular, it should not be possible for adversaries who receive a coin to decide whether they have owned that coin before. Our proposal is based on two recent cryptographic primitives: the proof system by Groth and Sahai, whose randomizability enables strong anonymity, and the commuting signatures by Fuchsbauer, which allow one to sign values that are only given as encryptions.
IET Information Security, 2008
An accumulator based on bilinear pairings was proposed at CT-RSA'05. Here, it is first demonstrated that the security model proposed by Lan Nguyen does lead to a cryptographic accumulator that is not collision resistant. Secondly, it is shown that collision-resistance can be provided by updating the adversary model appropriately. Finally, an improvement on Nguyen's identity escrow scheme, with membership revocation based on the accumulator, by removing the trusted third party is proposed.
Lecture Notes in Computer Science, 2010
We present a new construction of divisible e-cash that makes use of 1) a new generation method of the binary tree of keys; 2) a new way of using bounded accumulators. The transaction data sent to the merchant has a constant number of bits while spending a monetary value \(2^\ell\). Moreover, the spending protocol does not require complex zero-knowledge proofs of knowledge such as proofs about double discrete logarithms. We then propose the first strongly anonymous scheme with standard unforgeability requirement and realistic generation parameters while improving the efficiency of the spending phase.
Lecture Notes in Computer Science, 2007
This paper presents an off-line divisible e-cash scheme where a user can withdraw a divisible coin of monetary value \(2^L\) that he can parcel and spend anonymously and unlinkably. We present the construction of a security tag that allows to protect the anonymity of honest users and to revoke anonymity only in case of cheat for protocols based on a binary tree structure without using a trusted third party. This is the first divisible e-cash scheme that provides both full unlinkability and anonymity without requiring a trusted third party.
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2007
Compact e-cash schemes allow a user to withdraw a wallet containing k coins in a single operation, each of which the user can spend unlinkably. One big open problem for compact e-cash is to allow multiple denominations of coins to be spent efficiently without executing the spend protocol a number of times. In this paper, we give a (partial) solution to this open problem by introducing two additional protocols, namely, compact spending and batch spending. Compact spending allows spending all the k coins in one operation while batch spending allows spending any number of coins in the wallet in a single execution. We modify the security model of compact e-cash to accommodate these added protocols and present a generic construction. While the spending and compact spending protocol are of constant time and space complexities, complexities of batch spending is linear in the number of coins to be spent together. Thus, we regard our solution to the open problem as partial. We provide two instantiations under the q-SDH assumption and the LRSW assumption respectively and present security arguments for both instantiations in the random oracle model.
International Journal of Information and Computer Security, 2008
In this paper, we describe a new cryptographic primitive called (One-Way) Signature Chaining. Signature chaining is essentially a method of generating a chain of signatures on the same message by different users. Each signature acts as a "link" of the chain. The one-way-ness implies that the chaining process is one-way in the sense that more links can be easily added to the chain. However, it is computationally infeasible to remove any intermediate links without removing all the links. The signatures so created are called chain signatures (CS). We give precise definitions of chain signatures and discuss some applications in trust transfer. We then present a practical construction of a CS scheme that is secure (in the random oracle model) under the Computational Diffie-Hellman (CDH) assumption in bilinear maps.
2005
In this paper, we describe a new cryptographic primitive called (One-Way) Signature Chaining. Signature chaining is essentially a method of generating a chain of signatures on the same message by different users. Each signature acts as a "link" of the chain. The one-way-ness implies that the chaining process is one-way in the sense that more links can be easily added
Lecture Notes in Computer Science, 2015
Divisible E-cash has been introduced twenty years ago but no construction is both fully secure in the standard model and efficiently scalable. In this paper, we fill this gap by providing an anonymous divisible E-cash construction with constant-time withdrawal and spending protocols. Moreover, the deposit protocol is constant-time for the merchant, whatever the spent value is. It just has to compute and store \(2^l\) serial numbers when a value \(2^l\) is deposited, compared to \(2^n\) serial numbers whatever the spent amount (where \(2^n\) is the global value of the coin) in the recent state-of-the-art paper. This makes a very huge difference when coins are spent in several times. Our approach follows the classical tree representation for the divisible coin. However we manage to build the values on the nodes in such a way that the elements necessary to recover the serial numbers are common to all the nodes of the same level: this leads to strong unlinkability and anonymity, the strongest security level for divisible E-cash.
Lecture Notes in Computer Science, 1996
In Crypto '93, S. Brands presented a very efficient off-line electronic cash scheme based on the representation problem in groups of prime order. In Crypto '95 a very efficient off-line divisible e-cash scheme based on factoring Williams integers was presented by T. Okamoto. We demonstrate one efficient attack on Okamoto's scheme and two on Brands' scheme which allow users to misrepresent their identities and double-spend in an undetectable manner, hence defeating the most essential security aspect of the schemes. The attack on Brands' scheme (which we suspect, given his previous related results, was an inadvertent omission) is also applicable to T. Eng and T. Okamoto's divisible e-cash scheme (presented in Eurocrypt '94) which uses Brands' protocols as a building block. We present an efficient modular fix which is applicable to any use of the Brands' idea, and we discuss how to counteract the attack on Okamoto's scheme. Hence the original results remain significant contributions to electronic cash.
2009
In this paper we have designed a fair e-cash system using Schnorr’s one-time signature and Okamoto-Schnorr blind signature. In addition, the proposed e-cash system is constructed using elliptic curve cryptosystems (ECC) under the limited-storage environment for mobile devices such as smart cards, PDA, etc., able to efficiently store the coin streams. Furthermore, this system prevents criminal’s activities by means of the two common cryptographic techniques double-spending detection and fair tracing.
2005
We propose a dynamic accumulator scheme from bilinear pairings, whose security is based on the Strong Diffie-Hellman assumption. We show applications of this accumulator in constructing an identity-based (ID-based) ring signature scheme with constant-size signatures and its interactive counterpart, and providing membership revocation to group signature, traceable signature and identity escrow schemes and anonymous credential systems. The ID-based ring signature scheme and the group signature scheme have extremely short signature sizes. The size of our group signatures with membership revocation is only half the size of the well-known ACJT00 scheme, which does not provide membership revocation. The schemes do not require trapdoor, so system parameters can be shared by multiple groups belonging to different organizations. All schemes proposed are provably secure in formal models. We generalize the definition of accumulators to model a wider range of practical accumulators. We provide formal models for ID-based ad-hoc anonymous identification schemes and identity escrow schemes with membership revocation, based on existing ones.
2016
In this paper we have described the signature scheme in which an individual can sign a document or message on behalf of entire group. Here, a group blind signature scheme has been proposed. Our scheme combines the already existing notions of blind signatures and group signatures. It is an extension of Camenisch and Stadler's Group Signature Scheme [12] that adds the blindness property. One important requirement of electronic cash systems is the anonymity of customers. Unconditional anonymity is also very well suited to support criminals in blackmailing. Chen, Zhang and Wang suggested an offline electronic cash scheme [10] to prevent blackmailing by using the group blind signature. In their payment system, they used a group signature scheme of Camenisch and Stadler for large groups which is not secure. In this paper we improve these electronic cash systems to prevent blackmailing, money laundering and illegal purchases by using a secure coalition-resistant group blind signature scheme.