Paper 2020/1400

Transferable E-cash: A Cleaner Model and the First Practical Instantiation

Balthazar Bauer, Georg Fuchsbauer, and Chen Qian


Transferable e-cash is the most faithful digital analog of physical cash, as it allows users to transfer coins between them in isolation, that is, without interacting with a bank or a “ledger”. Appropriate protection of user privacy and, at the same time, providing means to trace fraudulent behavior (double-spending of coins) have made instantiating the concept notoriously hard. Baldimtsi et al. (PKC'15) gave a first instantiation, but, as it relies on a powerful cryptographic primitive, the scheme is not practical. We also point out a flaw in their scheme. In this paper we revisit the model for transferable e-cash and propose simpler yet stronger security definitions. We then provide the first concrete construction, based on bilinear groups, give rigorous proofs that it satisfies our model, and analyze its efficiency in detail.

Available format(s)
Cryptographic protocols
Publication info
Preprint. MINOR revision.
transferableoffline e-cashstrong anonymity
Contact author(s)
balthazar bauer @ ens fr
georg fuchsbauer @ tuwien ac at
2020-11-15: revised
2020-11-10: received
See all versions
Short URL
Creative Commons Attribution


      author = {Balthazar Bauer and Georg Fuchsbauer and Chen Qian},
      title = {Transferable E-cash: A Cleaner Model and the First Practical Instantiation},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1400},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.