**Practical Compact E-Cash**

*Man Ho Au and Willy Susilo and Yi Mu*

**Abstract: **Compact e-cash schemes allow a user to withdraw a wallet
containing $k$ coins in a single operation, each of which the user
can spend unlinkably. One big open problem for compact e-cash is
to allow multiple denominations of coins to be spent efficiently
without executing the spend protocol a number of times. In this
paper, we give a (\emph{partial}) solution to this open problem by
introducing two additional protocols, namely, compact spending and
batch spending. Compact spending allows spending all the $k$ coins
in one operation while batch spending allows spending any number
of coins in the wallet in a single execution.

We modify the security model of compact e-cash to accommodate these added protocols and present a generic construction. While the spending and compact spending protocol are of constant time and space complexities, complexities of batch spending is linear in the number of coins to be spent together. Thus, we regard our solution to the open problem as {\it partial}.

We provide two instantiations under the $q$-SDH assumption and the LRSW assumption respectively and present security arguments for both instantiations in the random oracle model.

**Category / Keywords: **public-key cryptography / E-Cash, constant-size, compact, bilinear pairings

**Publication Info: **This is the full version of the paper that is going to appear in ACISP 2007

**Date: **received 24 Apr 2007

**Contact author: **mhaa456 at uow edu au

**Available format(s): **PDF | BibTeX Citation

**Version: **20070425:081325 (All versions of this report)

**Short URL: **ia.cr/2007/148

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]