Results 1 - 10 of 54
An Efficient Offline Electronic Cash System Based On The Representation Problem
, 1993
Cited by 150 (3 self)
We present a new offline electronic cash system based on a problem, called the representation problem, of which little use has been made in literature thus far. Our system is the first to be based entirely on discrete logarithms. Using the representation problem as a basic concept, some techniques are introduced that enable us to construct protocols for withdrawal and payment that do not use the cut and choose methodology of earlier systems. As a consequence, our cash system is much more efficient in both computation and communication complexity than previously proposed systems. Another
Compact E-Cash
 In EUROCRYPT, volume 3494 of LNCS
, 2005
Cited by 119 (20 self)
This paper presents efficient offline anonymous e-cash schemes where a user can withdraw a wallet containing 2^ℓ coins each of which she can spend unlinkably. Our first result is a scheme, secure under the strong RSA and the y-DDHI assumptions, where the complexity of the withdrawal and spend operations is O(ℓ + k) and the user’s wallet can be stored using O(ℓ + k) bits, where k is a security parameter. The best previously known schemes require at least one of these complexities to be O(2^ℓ · k). In fact, compared to previous e-cash schemes, our whole wallet of 2^ℓ coins has about the same size as one coin in these schemes. Our scheme also offers exculpability of users, that is, the bank can prove to third parties that a user has double-spent. We then extend our scheme to our second result, the first e-cash scheme that provides traceable coins without a trusted third party. That is, once a user has double spent one of the 2^ℓ coins in her wallet, all her spendings of these coins can be traced. However, the price for this is that the complexity of the spending and of the withdrawal protocols becomes O(ℓ · k) and O(ℓ · k + k^2) bits, respectively, and wallets take O(ℓ · k) bits of storage. All our schemes are secure in the random oracle model.
Trustee-based Tracing Extensions to Anonymous Cash and the Making of Anonymous Change
 In Proceedings of the Sixth Annual ACM-SIAM Symposium on Discrete Algorithms
, 1995
Cited by 85 (0 self)
Electronic cash is a subject of great economic, political, and research importance. With advances in computer networks, in processor speed, and in databases and with advances in note counterfeiting technology and with both individuals' and businesses' desire for remote and more convenient financial transactions, some forms of electronic cash are likely to become widespread within 5 to 10 years. While unconditionally anonymous electronic cash systems have been proposed in the literature, governmental and financial institutions are unwilling to back a completely anonymous system. Instead, they have proposed systems with little or no protection for the users' privacy. Their reasons for opposing complete untraceability have to do with the containment of user fraud and the desire to restrict the new kinds of crime that unrestricted remotely withdrawable and spendable electronic cash could facilitate. We introduce the first electronic cash systems which incorporate trustee-based tracing but...
Proof Systems for General Statements about Discrete Logarithms
, 1997
Cited by 77 (5 self)
Proof systems for knowledge of discrete logarithms are an important primitive in cryptography. We identify the basic underlying techniques, generalize these techniques to prove linear relations among discrete logarithms, and propose a notation for describing complex and general statements about knowledge of discrete logarithms. This notation leads directly to a method for constructing efficient proof systems of knowledge. 1 Introduction Many complex cryptographic systems, such as payment systems (e.g. see [1, 2, 4]) and voting schemes [11], are based on the difficulty of the discrete logarithm problem. These systems make use of various minimum-disclosure proofs of statements about discrete logarithms [13, 7, 6, 10]. Typical examples are efficient proofs of knowledge of a discrete logarithm which are based on Schnorr's digital signature scheme [18] and systems for proving the equality of two discrete logarithms, as used in [8]. The goal of this paper is to identify the basic techniques...
k-times anonymous authentication (Extended Abstract)
 IN ASIACRYPT, VOLUME 3329 OF LNCS
, 2004
Cited by 36 (0 self)
We propose an authentication scheme in which users can be authenticated anonymously so long as times that they are authenticated is within an allowable number. The proposed scheme has two features that allow 1) no one, not even an authority, identify users who have been authenticated within the allowable number, and that allow 2) anyone to trace, without help from the authority, dishonest users who have been authenticated beyond the allowable number by using the records of these authentications. Although identity escrow/group signature schemes allow users to be anonymously authenticated, the authorities in these schemes have the unnecessary ability to trace any user. Moreover, since it is only the authority who is able to trace users, one needs to make cumbersome inquiries to the authority to see how many times a user has been authenticated. Our scheme can be applied to e-voting, e-cash, electronic coupons, and trial browsing of content. In these applications, our scheme, unlike the previous one, conceals users’ participation from protocols and guarantees that they will remain anonymous to everyone.
Towards Provably Secure Efficient Electronic Cash (Extended Abstract)
, 1992
Cited by 29 (4 self)
An "electronic coin scheme" as defined by Chaum, Fiat, and Naor [5] is a collection of protocols to achieve untraceable, unforgeable coins with offline purchasing; this is the minimum set of properties to make electronic money useful. We give a new electronic coin scheme that is simple and practical. Withdrawal requires only two rounds of interaction, while purchase and deposit are noninteractive; all previous efficient cash schemes require interaction (cut-and-choose) for purchases. Moreover, messages during purchase and deposit contain only a few encrypted values, independent of the tolerable probability of cheating. We present a security model for electronic coins, and prove the security of our scheme relative to certain specific cryptographic assumptions (hardness of Discrete Log and possibility of secure blind signature). TR CUCS01892 Partially supported by an AT&T Bell Laboratories Scholarship 1 Introduction Six desirable properties of electronic money are stated by Okamo...
Secure and Efficient Off-Line Digital Money
 In Proceedings of ICALP'93 (LNCS 700)
, 1993
Cited by 26 (3 self)
An electronic (or "digital") coin scheme is a set of cryptographic protocols for withdrawal (by a customer from the bank), purchase (by a customer to a vendor), and deposit (by a vendor to the bank), such that the security needs of all participants are satisfied - money is unforgeable, unreusable, and untraceable. A coin scheme is "offline" if the purchase protocol does not involve the bank. In this work, we present new techniques for offline coin schemes which are secure and efficient. (An earlier version of this work appeared in [16].)
Electronic Cash on the Internet
 IN PROCEEDINGS OF THE INTERNET SOCIETY 1995 SYMPOSIUM ON NETWORK AND DISTRIBUTED SYSTEM SECURITY
, 1995
Cited by 20 (0 self)
It is generally realized that the Internet will not be able to offer full-fledged electronic marketplace capabilities without a suitable electronic mechanism for processing payments. The electronic payment mechanism that is presented offers a variety of features that are believed to be particularly appealing in this respect. To participate, an Internet user must interface to his computer a tamper-resistant device with an ordinary 8-bit microprocessor, typically a PCMCIA card, and install some software. Internet service providers do not need special hardware. Payments can be made offline, and are untraceable and unlinkable. Multiparty security is guaranteed without parties having to trust other parties. Transaction processing speeds are such that even modestly equipped computers will be...
Complexity and Security of Distributed Protocols
, 1993
Cited by 19 (0 self)
This thesis addresses the topic of secure distributed computation, a general and powerful tool for balancing cooperation and mistrust among independent agents. We study many related models, which differ as to the allowable communication among agents, the ways in which agents may misbehave, and the complexity (cryptographic) assumptions that are made. We present new protocols, both for general secure computation (i.e., of any function over a finite domain) and for specific tasks (e.g., electronic money). We investigate fundamental relationships among security needs and various resource requirements, with an emphasis on communication complexity. A number of mathematical methods are employed for our investigations, including algebraic, graph-theoretic, and cryptographic techniques.
Self-Delegation with Controlled Propagation - or - What If You Lose Your Laptop
, 1998
Cited by 17 (2 self)
We introduce delegation schemes wherein a user may delegate certain rights to himself, but may not safely delegate these rights to others. In our motivating application, a user has a primary (long-term) key that receives some personalized access rights, yet the user may reasonably wish to delegate these rights to new secondary (short-term) keys he creates to use on his laptop when traveling, to avoid having to store his primary secret key on the vulnerable laptop. We propose several cryptographic schemes, both generic ones under general assumptions and more specific practical ones, that fulfill these somewhat conflicting requirements, without relying on special-purpose (e.g., tamper-proof) hardware. This is an extended abstract of our work [19].