This paper proposes a mechanism for anonymous credit card systems without assuming any absolutely trustworthy entity. Here, an anonymous credit card system is a one that satisfies the following requirements (in the following, the credit card company and card holders are denoted as the server and clients, respectively), i.e. 1) the server can neither identify clients that execute individual transactions, nor link transactions executed by same clients, 2) the server can calculate the total expenditures of individual clients at the end of its every service period, 3) the server can identify dishonest clients and charge them for correct amounts without information about other clients, 4) clients can detect dishonest operations of the server, and 5) no absolutely trustworthy entity is assumed. The proposed mechanism is based on three existing mechanisms, i.e. anonymous authentication (2) , blind signature (1) and secure statistical data gathering (2) , together with implicit transaction links proposed in this paper. Functions of the mechanism are executed through three phases, i.e. transaction, account calculation and state recovery phases. Here, the server and clients execute their individual transactions in the transaction phase, and the account calculation phase is invoked at the end of every service period, so that the server can calculate total expenditures of individual clients. When inconsistent states are detected in these phases, the state recovery phase begins to find dishonest clients to charge them for their correct expenditures. Before entering transaction phase, the server authenticates clients through the anonymous authentication mechanism to protect itself from invalid accesses without knowing identities of clients. At the same time, to ensure that all transaction results are reported to the server, the one to one correspondences between consecutive transactions of same clients are established. This is achieved by checking transaction-IDs (TR-IDs), which are attached to individual transactions. Namely, the server issues a new TR-ID to a client for its next transaction in exchange for the current one, and confirms that the TR-ID attached to the request is the one it issued and it is not used repeatedly. However, the server issues the new TR-ID by authorizing the one designated by the client without knowing the content based on the blind signature mechanism, and correspondences between old and new TR-IDs are recorded as implicit transaction links, in which new TR-IDs are encrypted by keys secret from the server. Therefore, the server cannot trace consecutive transactions executed by the same client.Concerning the account calculation phase, to maintain anonymity of transaction records, the server stores individual records without knowing clients, and linkages between consecutive transactions are encrypted as implicit transaction links. Therefore, the server cannot calculate total expenditures of clients, and individual clients are responsible to calculate their total expenditures by themselves. In order ...
