Our work presents efficient off-line anonymous e-cash schemes where a user can withdraw a wallet containing 2^l coins each of which she can spend unlinkably [1]. Our first result is a scheme, secure under the strong RSA and the y-DDHI (Decisional Diffie-Hellman Inversion) assumptions, where the complexity of the withdrawal and spend operations is O(l+k) and the user's wallet can be stored using O(l+k) bits, where k is a security parameter. The best previously known schemes require at least one of these complexities to be O(2^l * k). In fact, compared to previous e-cash schemes, our whole wallet of 2^l coins has about the same size as one coin in these schemes. Our scheme also offers exculpability of users, that is, the bank can prove to third parties that a user has double-spent.

We then extend our scheme to our second result, the first e-cash scheme that provides traceable coins without a trusted third party. That is, once a user has double spent one of the 2^l coins in her wallet, all her spendings of these coins can be traced. However, the price for this is that the complexity of the spending and of the withdrawal protocols becomes O(l* k) and O(l * k + k^2) bits, respectively, and wallets take O(l * k) bits of storage.

All our schemes are secure in the random oracle model. Furthermore, in the model where the bank completely trusts the merchant (this applies to, for example, a subscription service where the entity creating and verifying the coins is one and the same), we have solutions based on the same set of assumptions but in the standard model.

References

[1] Jan Camenisch, Susan Hohenberger and Anna Lysysanskaya. Compact E-Cash. In Ronald Cramer, editor, Advances in Cryptology -- EUROCRYPT, volume 3494 of LNCS, pp. 302-321, Aarhus, Denmark, May 2005.