We then extend our scheme to our second result, the first e-cash scheme that provides traceable coins without a trusted third party. That is, once a user has double spent one of the 2^l coins in her wallet, all her spendings of these coins can be traced. We present two alternate constructions. One construction shares the same complexities with our first result but requires a strong bilinear map assumption that is only conjectured to hold on MNT curves. The second construction works on more general types of elliptic curves, but the price for this is that the complexity of the spending and of the withdrawal protocols becomes O(lk) and O(lk + k^2) bits, respectively, and wallets take O(lk) bits of storage. All our schemes are secure in the random oracle model.
Category / Keywords: cryptographic protocols / Publication Info: An extended abstract of this paper appeared at Eurocrypt 2005. Date: received 25 Feb 2005, last revised 27 Mar 2006 Contact author: jca at zurich ibm com Available formats: PDF | BibTeX Citation Note: Fixed typo in Sum-Free DDH definition. Version: 20060327:171530 (All versions of this report) Discussion forum: Show discussion | Start new discussion