Cryptology ePrint Archive: Report 2007/459

Practical Anonymous Divisible E-Cash From Bounded Accumulators

Man Ho Au and Willy Susilo and Yi Mu

Abstract: We present an efficient off-line divisible e-cash scheme which is \emph{truly anonymous} without a trusted third party. This is the second scheme in the literature which achieves full unlinkability and anonymity, after the seminal work proposed by Canard and Gouget. The main trick of our scheme is the use of a bounded accumulator in combination with the classical binary tree approach.

The aims of this paper are twofold. Firstly, we analyze Canard and Gouget's seminal work on the efficient off-line divisible e-cash. We point out some subtleties on the parameters generation of their scheme. Moreover, spending a coin of small value requires computation of several hundreds of multi-based exponentiations, which is very costly. In short, although this seminal work provides a new approach of achieving a truly anonymous divisible e-cash, unfortunately it is rather impractical. Secondly, we present our scheme that uses a novel approach of incorporating a bounded accumulator. In terms of time and space complexities, our scheme is $50$ to $100$ times more efficient than Canard and Gouget's work in the spend protocol at the cost of an $10$ to $500$ (the large range is due to whether pre-processing is taken into account and the probabilistic nature of our withdrawal protocol) times less efficient withdrawal protocol. We believe this trade-off between the withdrawal protocol and the spend protocol is reasonable as the former protocol is to be executed much less frequent than the latter. Nonetheless, while their scheme provides an affirmative answer to whether divisible e-cash can be \emph{truly anonymous}, our result puts it a step further and we show that truly anonymous divisible e-cash can be \emph{practical}.

Category / Keywords: cryptographic protocols / e-cash, electronic commerce and payment, bounded accumulators

Publication Info: This is the full version of the paper that is going to appear in FC 2008

Date: received 9 Dec 2007

Contact author: mhaa456 at uow edu au

Available format(s): PDF | BibTeX Citation

Version: 20071210:100722 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]