## An Efficient Off-line Electronic Cash System Based On The Representation Problem (1993)

Citations: 136 (3 self)

### BibTeX

@MISC{Brands93anefficient,
    author = {Stefan Brands},
    title = {An Efficient Off-line Electronic Cash System Based On The Representation Problem},
    year = {1993}
}

### Abstract

We present a new off-line electronic cash system based on a problem, called the representation problem, of which little use has been made in literature thus far. Our system is the first to be based entirely on discrete logarithms. Using the representation problem as a basic concept, some techniques are introduced that enable us to construct protocols for withdrawal and payment that do not use the cut and choose methodology of earlier systems. As a consequence, our cash system is much more efficient in both computation and communication complexity than previously proposed systems. Another

### Citations

2714 | New directions in cryptography - Diffie, Hellman |

1766 | How to share a secret - Shamir |

831 | How to prove yourself: Practical solutions to identification and signature problems - Fiat, Shamir - 1986 |
Citation Context: ... and only if $h^c a = g^r$ and $z^c b = m^r$. Note that the only difference so far with the scheme of [36] is that, in Step 1, two extra numbers $z$ and $b$ are sent along. Using the technique introduced in [21], the receiver can transform this minimum-knowledge protocol into a signature scheme by computing $c$ as $H(m, z, a, b)$, with $H(\cdot)$ a suitable (see [15]) one-way hash-function. Since this $c$ can just ...

583 | Efficient Signature Generation by Smart Cards - Schnorr - 1991 |
Citation Context: ...k any pair (m, sign(m)) to any specific execution of the protocol. The blind signature scheme we use is actually a signature scheme of [15] (an adaptation from the three-move identification scheme of [36]), although we need some extra features of it. Namely, [15] is not concerned with knowledge of representations of the transformed number, merely with the fact that the blinding (for unconditional u...

493 | Undeniable signature - Chaum, Antwerpen - 1990 |
Citation Context: ...ould have the property of restrictive blinding. From this point of view, it would be beneficial for our cash system (and for discrete log based cryptography in general) if the undeniable signature of [9, 10] were actually a digital signature. To this end, we here observe that there is an intimate relation between this undeniable signature and the Diffie-Hellman problem, which as far as we know has been o...

372 | Non-interactive and information-theoretic secure verifiable secret sharing - Pedersen - 1991 |

310 | Zero-knowledge Proof of Identity - Feige, Fiat, et al. - 1988 |

260 | Untraceable electronic cash - Chaum, Fiat, et al. |
Citation Context: ... sense to discuss the features of our cash system before we have given an overview of the standard cryptographic model for off-line electronic cash systems that can guarantee anonymity (introduced by [8]), together with a discussion of what has, and has not, been achieved in this field. We therefore in Section 2 first give a general, rather detailed discussion of off-line electronic cash systems. In ...

248 | New directions in cryptography - Diffie, Hellman - 1976 |

147 | Provably secure and practical identification schemes and corresponding signature schemes - Okamoto - 1993 |
Citation Context: ..., it has been put to use for signatures unconditionally secure for the signer in [13] and [24] (fail-stop signatures, $k = 2$), and for an identification scheme unconditionally secure for the prover in [32] ($k = 2$). The protocol in this latter article has a striking similarity to the fail-stop signature in [24], the difference being that in the identification scheme one of the two numbers of the public ...

99 | Universal Electronic Cash - Okamoto, Ohta - 1991 |
Citation Context: ...eems to fit the model (although the nature of the system is such that very little can be proven about this). Since then quite some other systems have been proposed using basically the same ideas (see [1, 7, 8, 22, 23, 29, 30, 35]). In that sense, our system is no exception. In the model of [8], there are three distinct types of participant: a set of users $\{U_1, \ldots, U_k\}$, a set of shops $\{S_1, \ldots, S_l\}$ and a bank $B$....

70 | “Cryptographically strong undeniable signatures, unconditionally secure for the signer,” Interner Bericht, Fakultät für Informatik - Chaum, Heijst, et al. - 1990 |
Citation Context: ...edge of a representation (see Section 8). Since then, the representation problem has been used in literature surprisingly little, and no reference is made to [8] anywhere. Corollary 8 can be found in [13], together with a sketch of (a different) proof. To the best of our knowledge, the representation problem for groups of prime order has furthermore been used as a tool in a handful of articles. For co...

51 | One-Time Zero-Knowledge Authentications and Their Applications to Untraceable Electronic Cash - Okamoto - 1998 |
Citation Context: ...eems to fit the model (although the nature of the system is such that very little can be proven about this). Since then quite some other systems have been proposed using basically the same ideas (see [1, 7, 8, 22, 23, 29, 30, 35]). In that sense, our system is no exception. In the model of [8], there are three distinct types of participant: a set of users $\{U_1, \ldots, U_k\}$, a set of shops $\{S_1, \ldots, S_l\}$ and a bank $B$....

39 | An Interactive Identification Scheme Based on Discrete Logarithms and Factoring - Brickell, McCurley - 1991 |
Citation Context: ...nk can for example generate a prime $p$ such that $p - 1 = qr$, with $q, r$ primes of approximately equal length, and take $G_q$ to be the subgroup of $Z_p$ of order $q$. One can then apply the technique of [5] in the payment protocol. This consists of the responses being taken modulo $p - 1$ instead of modulo $q$. In order to attack the payment protocol (not using the withdrawal protocol), one is faced wi...

28 | Towards provably secure efficient electronic cash - Franklin, Yung - 1993 |
Citation Context: ...eems to fit the model (although the nature of the system is such that very little can be proven about this). Since then quite some other systems have been proposed using basically the same ideas (see [1, 7, 8, 22, 23, 29, 30, 35]). In that sense, our system is no exception. In the model of [8], there are three distinct types of participant: a set of users $\{U_1, \ldots, U_k\}$, a set of shops $\{S_1, \ldots, S_l\}$ and a bank $B$....

26 | The discrete logarithm problem - McCurley - 1990 |
Citation Context: ... known to determine equality of elements, test membership, compute inverses, multiply, and to randomly select elements. There is a vast variety of groups known to satisfy these requirements (see e.g. [27]). The advantages of working in such a group are that it is hard to distinguish between elements because they are all (except the unity element) generators of the group, and manipulating with indices ...

22 | "An improved protocol for demonstrating possession of discrete logarithms and some generalizations", Eurocrypt '87, LNCS 304 - Chaum, Evertse, et al. |
Citation Context: ... J. Komlos) to determine how rapidly the sequence of differences collapses. 7 An overview of the literature using the representation problem The nucleus of Proposition 7 is mentioned without proof in [6] which, as far as we know, is the first article to clarify the status of the representation problem for groups of prime order. In the same paper the authors, as a variation of their basic protocol for...

22 | Improved Privacy in Wallets with Observers - Cramer, Pedersen - 1994 |
Citation Context: ...outflow. This implies for example that all random numbers chosen in the protocol by the observer or the outside party (i.c. the shop) are moderated by the user-module before they are sent through. In [17] the privacy aspect of the wallet setting has been investigated under the most stringent requirement one can think of: even if each observer were to store all information it receives during the period...

19 | Divertible Zero Knowledge Interactive Proofs and Commutative Random Self-Reducibility - Okamoto, Ohta - 1990 |
Citation Context: ...tographic assumptions also have to break a tamper-resistant device (i.e. we have security in a very strong sense). Due to the representation problem, most of our protocols can easily be diverted (see [31]). As a consequence, the entire cash system can be incorporated in the wallet setting fairly straightforward even under the strong privacy requirement that no shared information arise. In contrast, pr...

15 | Seminumerical Algorithms, Volume 1 of The Art - Knuth - 1968 |
Citation Context: ...can overwrite the old ones. In the full paper, we fill in all the details we are vague about here, and give an analysis of the running time which for obvious reasons is quite similar to that given in [26] of Euclid's algorithm. We note that the action of first sorting the indices $a_i$ and then forming sequence of successive differences is strongly related to a statistical test for randomness known as t...

14 | Blind signatures for untraceable payments, Crypto '82 - Chaum - 1983 |

13 | On vectorial addition chains - Olivos - 1981 |
Citation Context: ... this representation as being "the representation" of the user, or "his" representation. 6 Efficiency of computing with the representation problem Using vector addition chain techniques (see [16] and [28]), one can compute $\prod_{i=1}^{k} g_i^{a_i}$ even for large $k$ almost as efficiently as computing a single exponentiation. We investigate here a new algorithmic idea. The basic steps are as follows: [Step 1] Rec...

12 | Anonymous One-Time Signatures and Flexible Untraceable Electronic Cash - Hayes |

11 | "Achieving Electronic Privacy", Scientific American - Chaum - 1992 |
Citation Context: ...protocols (see [31]). For further information about the cryptographic techniques used to prevent inflow, outflow and, if desirable, shared information while retaining security, we refer the reader to [3, 4, 12, 15, 17]. 7 We note that prevention of shared information may in reality not always be that important an issue, since, in contrast to inflow and outflow, shared information cannot affect the privacy of the us...

9 | "Zero-knowledge undeniable signatures", Eurocrypt '90, LNCS 473 - Chaum |
Citation Context: ...em for groups of prime order has furthermore been used as a tool in a handful of articles. For commitment purposes, it was used in [33], [2] and in the confirmation protocol of undeniable signatures ([9, 10]), all with $k = 2$. Furthermore, it has been put to use for signatures unconditionally secure for the signer in [13] and [24] (fail-stop signatures, $k = 2$), and for an identification scheme uncondition...

8 | Communication Efficient Zero-Knowledge Proofs of Knowledge (with Applications to Electronic Cash) - Santis, Persiano |

7 | How to make efficient failstop signatures - Heijst, Pedersen - 1992 |
Citation Context: ... in [33], [2] and in the confirmation protocol of undeniable signatures ([9, 10]), all with $k = 2$. Furthermore, it has been put to use for signatures unconditionally secure for the signer in [13] and [24] (fail-stop signatures, $k = 2$), and for an identification scheme unconditionally secure for the prover in [32] ($k = 2$). The protocol in this latter article has a striking similarity to the fail-stop s...

6 | Distributed Provers and Verifiable Secret Sharing Based on the Discrete Logarithm Problem - Pedersen - 1992 |

5 | Electronic Cash - Antwerpen - 1990 |
Citation Context: ... that includes electronic checks is discussed. The extension to divisibility is outlined in Section 14. Since transferability can be achieved in our system using the standard technique described in [1, 14], we skip a description of this extension. In Section 15 we analyze the efficiency of our system (including the extensions), and compare it to the efficiency of other systems appearing in literature. ...

5 | New constructions of fail-stop signatures and lower bounds - Heijst, Pedersen, et al. - 1993 |
Citation Context: ...ts $(g_{l+1}, \ldots, g_k)$ and $h$, find a representation $(X_1, \ldots, X_l, a_{l+1}, \ldots, a_k)$ such that $\prod_{i=1}^{l} X_i^{v_i} \prod_{i=l+1}^{k} g_i^{a_i} = h \bmod n$. The problem with $l = 1$, $k = 2$ has been used in [25, 32] and is equivalent to factoring. For a similar result to Corollary 8 to hold, the elements $v_i$ must be pairwise co-prime. We remark that in [25, 32] a scheme is discussed that is suitable for the paym...

5 | "New constructions of fail-stop signatures and lower bounds", Crypto '92 - Heijst, Pedersen, et al. |

5 | "Achieving electronic privacy", Scientific American - Chaum - 1992 |

4 | "Wallet databases with observers", Preproceedings of Crypto '92 - Chaum, Pedersen |
Citation Context: ...it (say, the same as could be achieved in a high-value payment when spending the same information twice) before being identified. 2.2 Electronic cash systems using wallets with observers Recently, in [15], a new kind of transaction setting was proposed which, when used for off-line electronic cash purposes, can prevent double-spending, rather than detect it after the fact. That is, this setting can of...

4 | Provably secure and practical identification schemes and corresponding signature schemes - Okamoto |

3 | Transaction systems with observers - Brands, Chaum, et al. |
Citation Context: ...protocols (see [31]). For further information about the cryptographic techniques used to prevent inflow, outflow and, if desirable, shared information while retaining security, we refer the reader to [3, 4, 12, 15, 17]. 7 We note that prevention of shared information may in reality not always be that important an issue, since, in contrast to inflow and outflow, shared information cannot affect the privacy of the us...

3 | "Blind signatures for untraceable payments", Crypto '82 - Chaum |
Citation Context: ... from $B$ during the withdrawal protocol. Since the withdrawn information in some way has to be digitally signed with a secret key of $B$, at the withdrawal phase a suitable blind signature protocol (see [11]) must be used. Usually the bank sets the security parameters, and users have no influence over this, so it is customary in cryptographic literature to assume that the bank and the shops have unbounde...

3 | "Some algorithms on addition chains and their complexity", TR CS-R9024, Centrum voor Wiskunde en Informatica - Coster - 1990 |

3 | "How to prove yourself: practical solutions to identification and signature problems", Crypto '86 - Fiat, Shamir - 1987 |

2 | "Efficient off-line electronic checks", Eurocrypt '89, LNCS 434 - Chaum, Boer, et al. |

2 | A voting scheme. Rump session of CRYPTO 88. Does not appear in proceedings - BOS, PURDY |

2 | An interactive identification scheme based on discrete logarithms and factoring - Brickell, McCurley - 1992 |

2 | "Zero-knowledge undeniable signatures", Eurocrypt '90, LNCS 473 - Chaum |

2 | Towards provably secure efficient electronic cash - Franklin, Yung - 1992 |

2 | Anonymous one-time signatures and flexible untraceable electronic cash - Hayes |

1 | "A voting scheme", Rump session of Crypto '88 (does not appear in the proceedings) - Bos, Purdy |
Citation Context: ...) proof. To the best of our knowledge, the representation problem for groups of prime order has furthermore been used as a tool in a handful of articles. For commitment purposes, it was used in [33], [2] and in the confirmation protocol of undeniable signatures ([9, 10]), all with $k = 2$. Furthermore, it has been put to use for signatures unconditionally secure for the signer in [13] and [24] (fail-st...

1 | How to prevent the mafia-fraud by using distance-bounding protocols - Brands, Chaum |
Citation Context: ...protocols (see [31]). For further information about the cryptographic techniques used to prevent inflow, outflow and, if desirable, shared information while retaining security, we refer the reader to [3, 4, 12, 15, 17]. 7 We note that prevention of shared information may in reality not always be that important an issue, since, in contrast to inflow and outflow, shared information cannot affect the privacy of the us...

1 | "Transferred money grows in size", presented at Eurocrypt '92 - Chaum, Pedersen |
Citation Context: ... that includes electronic checks is discussed. The extension to divisibility is outlined in Section 14. Since transferability can be achieved in our system using the standard technique described in [1, 14], we skip a description of this extension. In Section 15 we analyze the efficiency of our system (including the extensions), and compare it to the efficiency of other systems appearing in literature. ...

1 | Which new RSA-signatures can be computed from given RSA-signatures - Evertse, Heijst - 1992 |
Citation Context: ... $v_k)$ and $h$, find a representation $(X_1, \ldots, X_k)$ such that $\prod_{i=1}^{k} X_i^{v_i} = h \bmod n$. As far as we know, this problem is equivalent in computational difficulty to computing RSA-roots (see [19] for a discussion that is of interest in this matter). • This is a combination of the previous two variations. Given $l$ distinct exponents $(v_1, \ldots, v_l)$, $k - l$ distinct elements $(g_{l+1},$ ...

1 | How to prevent the mafia-fraud by using distance-bounding protocols - Brands, Chaum |

1 | "Efficient off-line electronic checks", Eurocrypt '89, LNCS 434 - Chaum, Boer, et al. |