In this work, we first provide a complete security model for divisible e-cash, and we study the links with constrained pseudo-random functions (PRFs), a primitive recently formalized by Boneh and Waters. We exhibit two frameworks of divisible e-cash systems from constrained PRFs achieving some specific properties: either key homomorphism or delegability. We then formally prove these frameworks, and address two main issues in previous constructions: two essential security notions were either not considered at all or not fully proven. Indeed, we introduce the notion of clearing, which should guarantee that only the recipient of a transaction should be able to do the deposit, and we show the exculpability, that should prevent an honest user to be falsely accused, was wrong in most proofs of the previous constructions. Some can easily be repaired, but this is not the case for most complex settings such as constructions in the standard model. Consequently, we provide the first construction secure in the standard model, as a direct instantiation of our framework.
Category / Keywords: cryptographic protocols / E-Cash, anonymity, Constrained PRF Original Publication (with major differences): IACR-ASIACRYPT-2019 Date: received 11 Feb 2019, last revised 13 Nov 2019 Contact author: Florian Bourse at ens fr, david pointcheval at ens fr, olivier sanders at orange com Available format(s): PDF | BibTeX Citation Note: correct some errors in the indices of the subsets in the delegatable framework Version: 20191113:123920 (All versions of this report) Short URL: ia.cr/2019/136