More Compact E-Cash with Efficient Coin Tracing, 2005

Cited by 3 (0 self)
In 1982, Chaum [21] pioneered the anonymous e-cash which finds many applications in e-commerce. In 1993, Brands [8-10] and Ferguson [30, 31] published on single-term offline anonymous e-cash which were the first practical e-cash. Their constructions used blind signatures and were inefficient to implement multi-spendable e-cash. In 1995, Camenisch, Hohenberger, and Lysyanskaya [12] gave the first compact 2 spendable e-cash, using zero-knowledge-proof techniques. They left an open problem of the simultaneous attainment of O(1)-unit wallet size and efficient coin tracing. The latter property is needed to revoke bad coins from over-spenders. In this paper, we solve [12]'s open problem, and thus enable the first practical compact e-cash. We use a new technique whose security reduces to a new intractability assumption: the Decisional Harmonically-Tipped Diffie-Hellman (DHTDH) Assumption.

Tracing-by-Linking Group Signatures, 2005

Cited by 1 (0 self)
Abstract. In a group signature [19], any group member can sign on behalf of the group while remaining anonymous, but its identity can be traced in a future dispute investigation. Essentially all state-of-the-art group signatures implement the tracing mechanism by requiring the signer to escrow its identity to an Open Authority (OA) [2, 14, 4, 25, 5, 7, 24]. We call them Tracing-by-Escrowing (TbE) group signatures. One drawback is that the OA also has the unnecessary power to trace without proper cause. In this paper we introduce Tracing-by-Linking (TbL) group signatures. The signer’s anonymity is irrevocable by any authority if the group member signs only once (per event). But if a member signs twice, its identity can be traced by a public algorithm without needing any trapdoor. We initiate the formal study of TbL group signatures by introducing its security model, constructing the first examples, and giving several applications. Our core construction technique is the successful transplant of the TbL technique from single-term offline e-cash from the blind signature framework [10, 22, 21] to the group signature framework. Our signatures have size O(1).