Results 1  10
of
20
Recruiting New Tor Relays with BRAIDS
"... Tor, a distributed Internet anonymizing system, relies on volunteers who run dedicated relays. Other than altruism, these volunteers have no incentive to run relays, causing a large disparity between the number of users and available relays. We introduce BRAIDS, a set of practical mechanisms that en ..."
Abstract

Cited by 29 (11 self)
 Add to MetaCart
(Show Context)
Tor, a distributed Internet anonymizing system, relies on volunteers who run dedicated relays. Other than altruism, these volunteers have no incentive to run relays, causing a large disparity between the number of users and available relays. We introduce BRAIDS, a set of practical mechanisms that encourages users to run Tor relays, allowing them to earn credits redeemable for improved performance of both interactive and noninteractive Tor traffic. These performance incentives will allow Tor to support increasing resource demands with almost no loss in anonymity: BRAIDS is robust to wellknown attacks. Using a simulation of 20,300 Tor nodes, we show that BRAIDS allows relays to achieve 75 % lower latency than nonrelays for interactive traffic, and 90 % higher bandwidth utilization for noninteractive traffic.
Improved Magic Ink Signatures Using Hints
 In Financial Cryptography ’99, LNCS 1648
, 1999
"... ..."
(Show Context)
Combating doublespending using cooperative p2p systems
 in ICDCS
, 2007
"... An electronic cash system allows users to withdraw coins, represented as bit strings, from a bank or broker, and spend those coins anonymously at participating merchants, so that the broker cannot link spent coins to the user who withdraws them. A variety of schemes with various security properties ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
(Show Context)
An electronic cash system allows users to withdraw coins, represented as bit strings, from a bank or broker, and spend those coins anonymously at participating merchants, so that the broker cannot link spent coins to the user who withdraws them. A variety of schemes with various security properties have been proposed for this purpose, but because strings of bits are inherently copyable, they must all deal with the problem of doublespending. In this paper, we present an electronic cash scheme that introduces a new peertopeer system architecture to prevent doublespending without requiring an online trusted party or tamperresistant software or hardware. The scheme is easy to implement, computationally efficient, and provably secure. To demonstrate this, we report on a proofofconcept implementation for Internet vendors along with a detailed complexity analysis and selected security proofs. 1.
Divisible ECash in the Standard Model
"... Abstract. Offline ecash systems are the digital analogue of regular cash. One of the main desirable properties is anonymity: spending a coin should not reveal the identity of the spender and, at the same time, users should not be able to doublespend coins without being detected. Compact ecash sy ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Offline ecash systems are the digital analogue of regular cash. One of the main desirable properties is anonymity: spending a coin should not reveal the identity of the spender and, at the same time, users should not be able to doublespend coins without being detected. Compact ecash systems make it possible to store a wallet of O(2 L) coins using O(L + λ) bits, where λ is the security parameter. They are called divisible whenever the user has the flexibility of spending an amount of 2 ℓ, for some ℓ ≤ L, more efficiently than by repeatedly spending individual coins. This paper presents the first construction of divisible ecash in the standard model (i.e., without the random oracle heuristic). The scheme allows a user to obtain a wallet of 2 L coins by running a withdrawal protocol with the bank. Our construction is built on the traditional binary tree approach, where the wallet is organized in such a way that the monetary value of a coin depends on how deep the coin is in the tree.
Linkability in Practical Electronic Cash Design
, 2000
"... Designing a practical and complete electronic cash scheme has proved difficult. Designs must seek to optimise often conicting metrics such as efficiency, anonymity, the ability to make exact payments. Gains in one ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Designing a practical and complete electronic cash scheme has proved difficult. Designs must seek to optimise often conicting metrics such as efficiency, anonymity, the ability to make exact payments. Gains in one
More Compact ECash with Efficient Coin Tracing
, 2005
"... In 1982, Chaum [21] pioneered the anonymous ecash which finds many applications in ecommerce. In 1993, Brands [810] and Ferguson [30, 31] published on singleterm offline anonymous ecash which were the first practical ecash. Their constructions used blind signatures and were inefficient to impl ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
(Show Context)
In 1982, Chaum [21] pioneered the anonymous ecash which finds many applications in ecommerce. In 1993, Brands [810] and Ferguson [30, 31] published on singleterm offline anonymous ecash which were the first practical ecash. Their constructions used blind signatures and were inefficient to implement multispendable ecash. In 1995, Camenisch, Hohenberger, and Lysyanskaya [12] gave the first compact 2 spendable ecash, using zeroknowledgeproof techniques. They left an open problem of the simultaneous attainment of O(1)unit wallet size and efficient coin tracing. The latter property is needed to revoke bad coins from overspenders. In this paper, we solve [12]'s open problem, and thus enable the first practical compact ecash. We use a new technique whose security reduces to a new intractability assumption: the Decisional HarmonicallyTipped DiffieHellman (DHTDH) Assumption.
Exact Analysis of Exact Change
, 1997
"... We consider the kpayment problem: given a total budget of N units, the problem is to represent this budget as a set of coins, so that any k exact payments of total value at most N can be made using k disjoint subsets of the coins. The goal is to minimize the number of coins for any given N and k, w ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
We consider the kpayment problem: given a total budget of N units, the problem is to represent this budget as a set of coins, so that any k exact payments of total value at most N can be made using k disjoint subsets of the coins. The goal is to minimize the number of coins for any given N and k, while allowing the actual payments to be made online, namely without the need to know all payment requests in advance. The problem is motivated by the electronic cash model, where each coin is a long bit sequence, and typical electronic wallets have only limited storage capacity. The kpayment problem has additional applications in other resourcesharing scenarios. Our results include a complete characterization of the kpayment problem as follows. First, we prove a necessary and sufficient condition for a given set of coins to solve the problem. Using this characterization, we prove that the number of coins in any solution to the kpayment problem is at least kH N=k , where H n denotes the ...
Cryptanalysis of a Partially Blind Signature Scheme or How to Make $100 Bills with $1 and $2 Ones. Financial Cryptography 2006
, 2006
"... Abstract. Partially blind signature scheme is a cryptographic primitive mainly used to design efficient and anonymous electronic cash systems. Due to this attractive application, some researchers have focused their interest on it. Cao, Lin and Xue recently proposed such a protocol based on RSA. In t ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Partially blind signature scheme is a cryptographic primitive mainly used to design efficient and anonymous electronic cash systems. Due to this attractive application, some researchers have focused their interest on it. Cao, Lin and Xue recently proposed such a protocol based on RSA. In this paper we first show that this protocol does not meet the anonymous property since the bank is able to link a signature with a user. We then present a cryptanalysis of this scheme. In practical applications, a consequence would be the possibility for an attacker to forge, for example, valid $100 bills after the withdrawal of only two bank notes of $1 and $2.
Exact analysis of exact change: the kpayment problem
 SIAM Journal on Discrete Mathematics
"... Abstract. We introduce the kpayment problem: given a total budget of N units, the problem is to represent this budget as a set of coins, so that any k exact payments of total value at most N can be made using k disjoint subsets of the coins. The goal is to minimize the number of coins for any given ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We introduce the kpayment problem: given a total budget of N units, the problem is to represent this budget as a set of coins, so that any k exact payments of total value at most N can be made using k disjoint subsets of the coins. The goal is to minimize the number of coins for any given N and k, while allowing the actual payments to be made online, namely without the need to know all payment requests in advance. The problem is motivated by the electronic cash model, where each coin is a long bit sequence, and typical electronic wallets have only limited storage capacity. The kpayment problem has additional applications in other resourcesharing scenarios. Our results include a complete characterization of the kpayment problem as follows. First, we prove a necessary and sufficient condition for a given set of coins to solve the problem. Using this characterization, we prove that the number of coins in any solution to the kpayment problem is at least kH N/k, where Hn denotes the nth element in the harmonic series. This condition can also be used to efficiently determine k (the maximal number of exact payments) which a given set of coins allows in the worst case. Secondly, we give an algorithm which produces, for any N and k, a solution with minimal number of coins. In the case that all denominations are available, the algorithm finds a coin allocation with at most (k+1)H N/(k+1) coins. (Both upper and lower bounds are the best possible.) Finally, we show how to generalize the algorithm to the case where some of the denominations are not available.