Cryptology ePrint Archive: Report 2015/972

Cut Down the Tree to Achieve Constant Complexity in Divisible E-Cash

David Pointcheval and Olivier Sanders and Jacques Traoré

Abstract: Divisible e-cash, proposed in 1991 by Okamoto and Ohta, addresses a practical concern of electronic money, the problem of paying the exact amount. Users of such systems can indeed withdraw coins of a large value $N$ and then divide it into many pieces of any desired values $V\leq N$. Such a primitive therefore allows to avoid the use of several denominations or change issues. Since its introduction, many constructions have been proposed but all of them make use of the same framework: they associate each coin with a binary tree, which implies, at least, a logarithmic complexity for the spendings.

In this paper, we propose the first divisible e-cash system without such a tree structure, and so without its inherent downsides. Our construction is the first one to achieve constant-time spendings while offering a quite easy management of the coins. It compares favorably with the state-of-the-art, while being provably secure in the standard model.

Category / Keywords: cryptographic protocols / Divisible E-Cash, Anonymity, Bilinear Groups

Original Publication (with minor differences): IACR-PKC-2017

Date: received 9 Oct 2015, last revised 22 Dec 2016

Contact author: oliviersanders at live fr

Available format(s): PDF | BibTeX Citation

Note: Anonymity now relies on a slightly weaker assumption.

Version: 20161222:191337 (All versions of this report)

Short URL: ia.cr/2015/972

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]