Scalable Divisible E-cash

Sébastien Canard; David Pointcheval; Olivier Sanders; Jacques Traoré

Paper 2015/300

Scalable Divisible E-cash

Sébastien Canard, David Pointcheval, Olivier Sanders, and Jacques Traoré

Abstract

Divisible E-cash has been introduced twenty years ago but no construction is both fully secure in the standard model and efficiently scalable. In this paper, we fill this gap by providing an anonymous divisible E-cash construction with constant-time withdrawal and spending protocols. Moreover, the deposit protocol is constant-time for the merchant, whatever the spent value is. It just has to compute and store $2^{l}$ serial numbers when a value $2^{l}$ is deposited, compared to $2^{n}$ serial numbers whatever the spent amount (where $2^{n}$ is the global value of the coin) in the recent state-of-the-art paper. This makes a very huge difference when coins are spent many times. Our approach follows the classical tree representation for the divisible coin. However we manage to build the values on the nodes in such a way that the elements necessary to recover the serial numbers are common to all the nodes of the same level: this leads to strong unlinkability and anonymity, the strongest security level for divisible E-cash.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Published elsewhere. Major revision. ACNS 2015
Keywords: divisible E-cash standard model
Contact author(s): olivier sanders @ orange com
History: 2016-12-23: last of 2 revisions; 2015-04-01: received; See all versions
Short URL: https://ia.cr/2015/300
License: CC BY

BibTeX

@misc{cryptoeprint:2015/300,
      author = {Sébastien Canard and David Pointcheval and Olivier Sanders and Jacques Traoré},
      title = {Scalable Divisible E-cash},
      howpublished = {Cryptology {ePrint} Archive, Paper 2015/300},
      year = {2015},
      url = {https://eprint.iacr.org/2015/300}
}