Paper 2014/785

Divisible E-Cash Made Practical

Sébastien Canard, David Pointcheval, Olivier Sanders, and Jacques Traoré


Divisible E-cash systems allow users to withdraw a unique coin of value $2^n$ from a bank, but then to spend it in several times to distinct merchants. In such a system, whereas users want anonymity of their transactions, the bank wants to prevent, or at least detect, double-spending, and trace the defrauders. While this primitive was introduced two decades ago, quite a few (really) anonymous constructions have been introduced. In addition, all but one were just proven secure in the random oracle model, but still with either weak security models or quite complex settings and thus costly constructions. The unique proposal, secure in the standard model, appeared recently and is unpractical. As evidence, the authors left the construction of an efficient scheme secure in this model as an open problem.

Note: Minor revisions - Full version of the PKC extended abstract

Available format(s)
Public-key cryptography
Publication info
A major revision of an IACR publication in PKC 2015
Divisible E-cashUntraceabilityAnonymity.
Contact author(s)
olivier sanders @ orange com
2015-03-23: last of 2 revisions
2014-10-07: received
See all versions
Short URL
Creative Commons Attribution


      author = {Sébastien Canard and David Pointcheval and Olivier Sanders and Jacques Traoré},
      title = {Divisible E-Cash Made Practical},
      howpublished = {Cryptology ePrint Archive, Paper 2014/785},
      year = {2014},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.