Divisible E-Cash in the Standard Model

Izabachène, Malika; Libert, Benôıt

doi:10.1007/978-3-642-36334-4_20

Cited by 8 publications

(35 citation statements)

References 40 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Remark 3 The e‐cash systems from [15–17, 19] considered the balance property, requiring that no coalition of users can spend (and then later be accepted for deposit) more than they have withdrawn, and the identification property, requiring that no coalition of users can double‐spend a coin without revealing their identity. We argue that traceability is enough.…”

Section: Divisible E‐cash Systemmentioning

confidence: 99%

“…Remark 4 An entity knowing the random scalars ( r s , l f ) used to generate the public parameters will be able to break the anonymity of our scheme. This problem already appears when generating the CRS from Groth–Sahai proofs (whose construction is not specified in [19]). To avoid the need of a trusted entity (although this last one would intervene only during the Setup phase) the public parameters can be cooperatively generated by the bank and a set of users.…”

Section: First Constructionmentioning

confidence: 99%

“…All these schemes were proven secure in the random oracle model (ROM) [18]. More recently, Izabachène and Libert [19] provided the first construction with security proven in the standard model. However, their construction is rather inefficient, especially the deposit phase whose computational cost for the bank depends on the number of previously deposited coins with a pairing computation between every new coin and every past coin.…”

Section: Introductionmentioning

confidence: 99%

“…Our main contribution is a new way for building the serial numbers. As noticed in [19], the use of serial numbers is indeed the best approach for the bank to quickly detect double‐spending.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Divisible e‐cash made practical

Canard

Pointcheval

Sanders

et al. 2016

IET Information Security

View full text Add to dashboard Cite

International audienceDivisible e-cash systems allow users to withdraw a unique coin of value 2 n units from a bank, but then to spend it in several times to distinct merchants. In such a system, whereas users want anonymity of their transactions, the bank wants to prevent, or at least detect, double-spending, and trace defrauders. While this primitive was introduced two decades ago, quite a few (really) anonymous constructions have been proposed. In addition, all but one were just proven secure in the random oracle model, but still with either weak security models or quite complex settings and thus costly constructions. The unique proposal, secure in the standard model, appeared recently and is unpractical. As evidence, the authors left the construction of an efficient scheme secure in this model as an open problem. In this study, the authors answer it with the first efficient divisible e-cash system secure in the standard model. It is based on a new way of building the coins, with a unique and public global tree structure for all the coins. Actually, they propose two constructions which offer a tradeoff between efficiency and security. They both achieve constant time for withdrawing and spending amounts of 2ℓ units, while allowing the bank to quickly detect double-spendings by a simple comparison of the serial numbers of deposited coins to the ones of previously spent coins

show abstract

Section: Divisible E‐cash Systemmentioning

confidence: 99%

Section: First Constructionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Divisible e‐cash made practical

Canard

Pointcheval

Sanders

et al. 2016

IET Information Security

View full text Add to dashboard Cite

show abstract

“…Moreover, we give the rigid security proof of the new scheme in the standard model. 3. As an additional result, we solve the open problem presented by Blanton [13] that the identity of the last payee is linkable in the spending and deposit protocol.…”

Section: Introductionmentioning

confidence: 95%

Transferable conditional e‐cash with optimal anonymity in the standard model

Zhang

Guo

et al. 2015

IET Information Security

View full text Add to dashboard Cite

Transferable conditional electronic-cash (e-cash) allows the recipient of a coin in a transaction to transfer it in a later payment transaction to the third person based on the outcome not known in advance. Anonymity is a very important property for a transferable conditional e-cash. However, none of the existed transferable conditional e-cash achieve the optimal anonymity because of its special structure, that is, introducing transferability in the conditional e-cash. In this study, they novelly present a transferable conditional e-cash scheme using a totally different structure, that is, adding condition into the transferable ecash. Thanks to employing Groth-Sahai proofs systems and commuting signatures, the new transferable conditional e-cash satisfies optimal anonymity. Accordingly, they present an extended security model by introducing a publisher who is responsible for publishing two outcomes of a condition. Then, they prove the new scheme's security in the standard model. Compared with the existing transferable conditional e-cash, the efficiency of the new scheme is also improved since the size of the computation and communication is constant.

show abstract

Multiple-Bank E-Cash without Random Oracles

Zhang

Guo

2013

Cyberspace Safety and Security

View full text Add to dashboard Cite

Divisible E-Cash in the Standard Model

Cited by 8 publications

References 40 publications

Divisible e‐cash made practical

Divisible e‐cash made practical

Transferable conditional e‐cash with optimal anonymity in the standard model

Multiple-Bank E-Cash without Random Oracles

Contact Info

Product

Resources

About