Compact E-Cash with Practical and Complete Tracing

  • Lian, Bin (Ningbo Institute of Technology, Zhejiang University) ;
  • Chen, Gongliang (School of Information Security Engineering, Shanghai Jiao Tong University) ;
  • Cui, Jialin (Ningbo Institute of Technology, Zhejiang University) ;
  • He, Dake (School of information science and technology, Southwest Jiaotong University)
  • Received : 2018.08.14
  • Accepted : 2019.01.20
  • Published : 2019.07.31

Abstract

E-cash has its merits compared with other payment modes. However, two problems remain: how to achieve practical and complete tracing, and how to achieve it in compact E-cash. First, the bank and the TTP (trusted third party) have different duties and powers in reality. Therefore, double-spending tracing is the bank's task, while unconditional tracing is the TTP's task. In addition, it is desirable to provide lost-coin tracing before the lost coins are spent by anyone else. Second, compact E-cash is an efficient scheme, but tracing the coins of a double-spender without a TTP results in poor efficiency. To solve these problems, we present a compact E-cash scheme. For this purpose, we design an embedded structure of knowledge proof based on a new pseudorandom function and improve the computation complexity from O(k) to O(1). Double-spending tracing requires leaking a dishonest user's secret knowledge, while preserving the anonymity of honest users requires the zero-knowledge property; our special knowledge proof achieves both, with complete proofs. Moreover, the design is also useful for other applications where both keeping zero-knowledge and leaking information are necessary.

1. Introduction

 Nowadays, e-commerce systems [1, 2] are common, and e-payment is their core module. Some e-payment schemes guarantee the anonymity of users, but this anonymity is sometimes abused for crimes. Over the past years, considerable research effort has gone into the design of E-cash [3] based on blind signatures [4, 5] or knowledge signatures [6, 7]. To prevent users from abusing anonymity, a tracing function is necessary. Fig. 1 shows a typical E-cash model.

Fig. 1. Typical E-cash model

 In general, an E-cash system has the following properties:

 • Anonymity: No one can identify the spender or link the spending behaviors.

 • Unreusability: The owner of e-cash will be identified if he spends one coin twice. 

 • Unforgeability: No one except the bank can generate valid e-cash.

 • Offline mode: No third party participates in the payment process.

 • Environmental independence: System security depends on the cryptographic scheme.

 Some interesting E-cash schemes, such as divisible E-cash, transferable E-cash and changeable-denomination E-cash, have been put forward, and compact E-cash [8] is an important one among them. In such a system, the user withdraws 2^l e-coins by performing the withdrawal protocol once and stores the coins in O(l) bits.

2. Related Work

 Our goal is to construct a compact E-cash system with practical and complete tracing, so we present two parts of the related work.

 Part I: Practical tracing and complete tracing

 “Practical” means that different tracings should be provided by the appropriate entity, and “Complete” means that the tracings should meet the demand from real-world applications.

 To prevent a customer from reusing a coin, double-spending tracing is the basic function. Since it is related to the bank’s business, double-spending tracing should be performed by the bank.

 Sometimes the anonymity of users provides convenience for crimes such as money laundering and blackmailing. Therefore, S. von Solms and D. Naccache [9] suggested that the anonymity of users should be revocable when necessary, and then [10] and [11] put forward a new kind of E-cash scheme, i.e., fair E-cash. In such a system, the user remains anonymous if he honestly spends legal e-coins, but if a crime occurs so that the related transaction is illegal, the e-coins and their owner can be traced unconditionally. Here “unconditionally” means that the coins and the owner can be traced even when the user does not double-spend coins. In reality, the authorities are usually the trusted third parties, who have the power to perform unconditional tracing only when the E-cash is involved in crimes.

 Therefore, it is not practical for the TTP to be indispensable to double-spending tracing [1, 10, 12, 13, 14, 15, 16, 17, 18]. But the tracing function is not complete if the system does not provide unconditional tracing [2, 8, 19, 20, 21, 22, 23, 24, 25, 26, 27].

 In our opinion, unconditional tracing is necessary for crime prevention; however, the existence of a TTP unavoidably threatens the anonymity of honest users. So it is reasonable for the system to be independent of the TTP, while at the same time the scheme can easily be slightly modified to select the available tracings depending on the actual circumstances.

 In addition, if a user loses E-cash, he should have some way to get his money back, provided the lost E-cash cannot be spent by anyone else. This can be achieved if the bank provides lost-coin tracing (within the validity period of the coins), which is ignored by almost all schemes.

 There are 2^l coins in the customer’s wallet in a compact E-cash system. So in such a system, double-spending tracing and unconditional tracing should include coin-tracing. Table 1 shows the properties of practical and complete tracing.

Table 1. The property of the practical and complete tracing

  In fact, “practical” and “complete” tracing is not easy for existing schemes. Moreover, recoverable E-cash schemes are presented in [20, 28, 29] for solving the coin-loss problem, but some problems remained unsolved. In our [30], we clarify all these problems and provide a solution. But to achieve practical and complete tracing in compact E-cash, there is a new problem.

 Part II: The efficiency problem in compact E-cash

 The significant contribution of compact E-cash [8] is that the computation complexity of withdrawing 2^l coins is O(1) and the storage space of the 2^l e-coins is just O(l) bits, whereas before it was proposed, E-cash schemes had to withdraw 2^l coins or store them with O(2^l) complexity. Then some other interesting compact E-cash schemes [21, 23, 31] were designed based on different cryptographic techniques. But good efficiency, which is very important for compact E-cash, does not attract enough attention in their design. After all, achieving an efficient system is the main goal of compact E-cash.

 The main efficiency problem is that tracing coins without a TTP results in poor efficiency [8, 21, 23, 31]. When a user double-spends E-cash, tracing him is necessary. However, tracing his coins is just as important, since the double-spender has at least 2^l coins and can cheat more times if the system cannot trace his remaining coins. As we discussed, double-spending tracing is the bank’s task, not the TTP’s. Obviously, if the TTP performs every tracing, it seriously threatens the anonymity of honest users. However, in existing schemes it is not easy for the bank to trace a double-spender’s coins without the TTP.

 [21, 23] and system 1 of [8] only provide double-spender tracing. System 2 of [8] and [31] provide coin-tracing. However, when adding this coin-tracing without a TTP, their systems [8, 31] become inefficient. For example, when system 2 of [8] adds coin-tracing, the inefficiency is pronounced: in system 1, the withdrawal uses 12 multi-based exponentiations, while in system 2 it uses 810 multi-based exponentiations and 300 bilinear pairings. At the same time, in system 1, spending one coin uses 40 multi-based exponentiations, while in system 2 it uses 778 multi-based exponentiations.

 In existing compact E-cash schemes [8, 21, 23, 31], there are some difficulties in designing coin-tracing without a TTP for double-spending, which we now clarify. All compact E-cash schemes are constructed based on zero-knowledge proofs. In short, when spending a coin from the compact E-cash wallet, the customer shows the shop a pseudorandom function value computed from the wallet parameters and proves, using a zero-knowledge proof, that the pseudorandom function was evaluated correctly. So when the customer double-spends a coin, the bank needs the wallet parameters as the input of the pseudorandom function so as to trace the remaining coins of the double-spender. But without a TTP, to recover the secret wallet parameters, [8] uses verifiable encryption and [31] uses an accumulator. Unfortunately, these cryptographic techniques result in poor efficiency.

 Tracing without a TTP implies that information about the secret parameters is leaked when double-spending. But for the anonymity of honest customers, knowledge of the secret parameters is proven using a zero-knowledge proof. Therefore, to solve the problem of recovering the secret parameters, our idea is to reconstruct the zero-knowledge proof [32]. The new zero-knowledge proof leaks information about the proven parameters when it is used twice to prove the same knowledge (double-spending), but it has the perfect zero-knowledge property when it is used once (normal spending). That is to say, it guarantees anonymity in the normal case and revokes anonymity in the abnormal case.

 To the best of our knowledge, the efficiency problem caused by tracing a double-spender’s coins without a TTP had not been solved in existing compact E-cash schemes. We solve it: achieving coin-tracing without a TTP, the computation complexity of withdrawing E-cash in our scheme is O(1), while it is O(k) in [8] and O(2^{2n}) in [31].

 Our main contributions:

 ♦ We present a compact E-cash scheme with practical and complete tracing.

 ♦ We provide a solution to the efficiency problem in compact E-cash system when tracing double-spender’s coins without TTP.

 ♦ The new knowledge proof is zero-knowledge to verifier in normal-spending, while it leaks the proven knowledge in double-spending.

 In the following parts, Section 3 provides preliminaries. Section 4 presents the system model. In Section 5, we describe the tracing mode. Section 6 provides the details of the proposed scheme. The key security proofs are presented in Section 7, and in Section 8 we compare the efficiency of the schemes. Finally, the conclusion is provided in Section 9.

3. Preliminaries

3.1 Assumptions

 Assumption 1 (S-RSA Assumption) [33]. Let n = pq be an RSA-like modulus and z ∈ Z_n^*. It is hard to compute u ∈ Z_n^* and an integer e > 1 such that z ≡ u^e (mod n).

 Assumption 2 (DDH Assumption) [34]. Let G = 〈g〉 be a cyclic group generated by g of order u = #G with log_2(u) = l_G. Given (g, g^x, g^y, g^z) ∈ G^4, it is hard to decide whether g^z and g^{xy} are equal.

 Assumption 3 (q-DDHI Assumption) [8]. Let G = 〈g〉 be a cyclic group generated by g. Given the elements (g, g^x, …, g^{(x^q)}) ∈ (G^*)^{q+1}, it is still hard to decide whether g^{1/x} and a random element of G are equal.

 The (t, q, ε)-DDHI assumption means that there is no t-time algorithm with advantage at least ε in breaking the q-DDHI assumption.

3.2 Zero-knowledge Proof [35, 36]

 Definition 1. Let A = {A(x)}_{x∈L} and B = {B(x)}_{x∈L} be two ensembles of random variables indexed by strings x ∈ L, where L ⊆ {0,1}^*. A and B are statistically indistinguishable if for any polynomial p(·) and any x ∈ L it holds that Σ_{t∈{0,1}^*} |Prob(A(x) = t) − Prob(B(x) = t)| < 1/p(|x|).

 Definition 2. Protocol (P,V) is statistical zero-knowledge, if {[P, V](x)}x∈L and {S[P,V](x)}x∈L are statistically indistinguishable, where V can be any probabilistic polynomial-time verifier and S[P,V] is a probabilistic polynomial-time simulator which can simulate the protocol (P,V).

 Definition 3. A pair (c, s) ∈ {0,1}^k × ±{0,1}^{ε(l_G+k)+1} satisfying c = H(y ║ g ║ g^s y^c ║ m) is a signature of knowledge (SPK) on the message m, which uses the knowledge of the discrete logarithm of y to the base g. It is denoted SPK(α : y = g^α)(m).

 Using the knowledge of the discrete logarithm, i.e., x = log_g y, SPK(α : y = g^α)(m) is computed as follows. After choosing r ∈ ±{0,1}^{ε(l_G+k)}, the signer computes c = H(y ║ g ║ g^r ║ m) (the challenge) and s = r − cx (the challenge-response); g^r is the commitment used to prove that the signer knows x = log_g y. Here H( ): {0,1}^* → {0,1}^k denotes a hash function. The interactive protocol of SPK performed by prover and verifier is the zero-knowledge proof that the prover knows x = log_g y, and it is denoted PK( ) [8].

3.3 Pseudorandom Function [37]

 Generating Key: Choose the secret key SK ∈_R Z_p^* and set the public key PK = g^{SK}.

 Verifiable Random Function: F_{SK}(x) = e(g, g)^{1/(x+SK)} is a verifiable random function, and p_{SK}(x) = g^{1/(x+SK)} is the proof of its correctness.

 Verification: Check e(g^x · PK, p_{SK}(x)) = e(g, g) and F_{SK}(x) = e(g, p_{SK}(x)). If both hold, F_{SK}(x) is proven to be generated correctly. So F_{SK}(x) = h^{1/(x+SK)} is viewed as a pseudorandom function (PRF) [37]. F_{SK}(x) is an (s'(k), ε'(k))-secure PRF if no one can break the pseudorandomness property with advantage ε'(k) in time s'(k).

4. Security Model of the E-cash System

4.1 Syntax

 There are four kinds of entities: C (customer), B (bank), S (shop) and T (TTP or trusted authorities). The polynomial-time algorithms and protocols are B/T/C Setup, Withdraw, Spend, Deposit, UnconditionallyTrace, LossCoinTrace and DoubleSpendTrace. P(E1(x1), E2(x2)) denotes a protocol between E1 and E2 in which E1’s input is x1 and E2’s is x2.

 ♦ B/T/C Setup(params). The algorithm outputs B/T/C’s private/public key pair (PKB,SKB)/(PKT,SKT)/(PKC,SKC), here C includes S.

 ♦ Withdraw(C(SKC, PKB), B(PKC, SKB)). It allows C to withdraw a certain amount of E-cash. C receives X (E-cash), i.e. an identifier I and a proof of validity Π, or one error message ⊥. B receives the view of the protocol (we call this VPKC) or one error message ⊥ if VPKC is not proven from C with PKC.

 ♦ Spend(C(X, PKB, SKC), S(PKS)). It allows C to pay e-coin from X to S. S receives the proof π of payment with aux (auxiliary information) or one error message ⊥ if π is invalid. C receives the updated wallet X' if the payment is accepted by S. 

 ♦ Deposit(S(PKS, π, aux), B(PKB)). It allows S to send (PKS, π, aux) to B for deposit. After verifying (PKS, π, aux), B adds (π, aux) to spent records. But B outputs one error message ⊥ if (PKS, π, aux) is invalid or B executes the DoubleSpendTrace algorithm if the coin is double-spent.

 ♦ UnconditionallyTrace(B(VPKC, π, aux), T(SKT)). It is an algorithm which allows T to trace any e-coin from X and any owner when the transaction is involved in crimes. T outputs particular e-coin tracing information Ie-coin, owner tracing information Iowner and proof P1 which proves the connection between the e-coin from X and C, but if the input is illegal, T outputs an error message ⊥.

 ♦ LossCoinTrace(C(SKC), B(PKC, VPKC)). It allows C to register his lost coin/wallet in system. B outputs loss tracing information Iloss and a proof P2 which proves the validity of the loss register without T, but if the proof of owning the lost-coin/wallet can’t be provided, B outputs an error message ⊥; If the lost coin was spent, B outputs the spent proof Pspent.

 ♦ DoubleSpendTrace(π1, π2). With double-spending proofs related to one coin, B executes the algorithm and outputs PKC of the double-spender, the tracing information IX of the coins from X and the proof P3 which proves that C with PKC is the double-spender and the traced coins with IX is owned by the double-spender, but if π1=π2, the algorithm outputs an error message ⊥.

4.2 Security Definitions

Balance. In the Withdraw protocol, Withdraw_m denotes the middle part of the protocol; m1 is the first message sent by C and b1 is B’s state information when m1 is received. The balance property requires that:

 • There are an efficiently decidable language lS and an extractor Ɛ X-Y (A) (params, auxext, PKC, m1, b1) [8] such that, for all b1 and m1, whenever the probability that B accepts in the Withdraw_m part of the protocol is non-negligible, the extractor outputs w = (Θ1, …, Θn, secw) with (m1, b1, w) ∈ lS, where Θ is the serial number of an e-coin.

 • With (params, PKB), the adversary A plays the following game: A performs the Withdraw/Deposit protocols with B polynomially many times (A simulates running the Spend protocol with itself). (m1,i, b1,i, wi) ∈ lS is the output of Ɛ X-Y (A) (params, auxext, PKCi, m1,i, b1,i) if the i-th Withdraw protocol is successful, where wi = (Θi,1, …, Θi,n, secwi) contains the 2^l serial numbers belonging to PKCi. Af = {Θi,j | 1 ≤ i ≤ f, 1 ≤ j ≤ n} is the set of all serial numbers after performing the Withdraw protocol f times. A wins this game if for some f, B accepts a coin with some Θ ∉ Af in the Deposit protocol. A secure E-cash scheme requires that no probabilistic polynomial-time (PPT) A can win the game with non-negligible probability.

Complete-Tracing. It guarantees that no PPT A has a non-negligible probability of winning the following game:

On input (params, PKB), A performs the Withdraw/Deposit protocols with B polynomially many times (A also simulates running the Spend protocol with itself). Let Ai be the set of serial numbers which belong to Ci with PKCi. A wins the game if any of the following cases occurs.

 • On input (B(VPKCi, π, aux), T(SKT)), the algorithm UnconditionallyTrace cannot output e-coin tracing information Ie-coin-i, owner tracing information Iowner-i or a proof P1i which proves that the coins from Xi are owned by Ci;

 • On input (Ci(SKCi), B(PKCi, VPKCi)), the protocol LossCoinTrace cannot output loss tracing information Iloss-i or a proof P2i which proves the validity of the loss register;

 • In some Deposit protocol, B accepts the same coin with serial number Θi,j ∈ Ai spent twice, i.e., B accepts (Θi,j, π1, j) and (Θi,j, π2, j), and cannot detect the double-spending;

 • On input (π1, π2) for the same coin, DoubleSpendTrace cannot output the double-spender’s public key or the tracing information of the coins in Xi of the double-spender;

 • On input (π1, π2) for the same coin, DoubleSpendTrace cannot output the proof P3i, which proves that Ci with PKCi is the double-spender or that all the traced coins are owned by the double-spender Ci.

 Anonymity of customer. A generates B’s public key PKB and then plays the following games arbitrarily:

Game R1

 • (1) PK of Ci. In this phase, A can request and receive any public key PKCi of Ci that is generated in the Setup phase.

 • (2) Withdrawing with Ci. A performs the Withdraw protocol with Ci: Withdraw(C(SKCi, PKB, n), A(state, n)); Xj is Ci’s output after the j-th withdrawal, and Xj could be the error message, i.e., Xj is invalid.

 • (3) Spending from Xj. A performs the Spend protocol with Ci if Xj is valid: Spend(C(Xj, PKB, SKCi), A(state)). A cannot request Ci to spend the same coin more than once.

 Game R2 The phases (1) and (2) are the same as them in Game R1, but in the phase (3), A performs Spend protocol with a simulator S X-Y (A) (params, auxsim, PKB).

 Without knowing x, i.e., which game Rx it is playing, A outputs a guess x', where x, x' ∈ {0,1}. Anonymity of customer means that δ = Prob(x' = x) − 1/2 is negligible for any PPT A.

 Strong Exculpability. A has the secret key SKB and the secret keys SKC of collusive customers and can act as B, S or a collusive C in the system protocols. A can choose any honest Ci with public key PKCi and perform the system protocols with him arbitrarily. If any of the following cases occurs, A wins this game.

 • Case 1: Ci is honest, i.e., Ci never spends one coin twice, but the DoubleSpendTrace algorithm outputs (P3i, PKCi, IXi);

 • Case 2: Ci is honest, but A gets some valid spending proof (πi, auxi, Θi), where Θi is the serial number of some coin that Ci has not spent;

 • Case 3: Ci spends one coin twice, and A gets (π1i, aux1i, Θdi) and (π2i, aux2i, Θdi) respectively. (P3i, PKCi, IXi) is the output of the DoubleSpendTrace algorithm on input (π1i, π2i). Then the DoubleSpendTrace algorithm outputs (P3i', PKCi, IXi′, Θ'di), but Ci did not spend the coin with Θ'di twice;

 • Case 4: Ci spends one coin twice, and A gets (π1i, aux1i, Θdi) and (π2i, aux2i, Θdi) respectively. (P3i, PKCi, IXi) is the output of the DoubleSpendTrace algorithm on input (π1i, π2i). Then A gets some valid spending proof (π′i, aux′i, Θ′i), but Ci has not spent the related coin.

 Strong Exculpability means the probability that the PPT A wins the above game is negligible.

5. Tracing Mode of the Proposed Compact E-cash Scheme

 In the proposed scheme, only when crimes occur, TTP has the power to execute unconditional coin-tracing (according to the information from withdrawal protocol provided by bank) and unconditional owner-tracing (according to the information from deposit provided by shop). When customer registers for his lost coins, bank executes the lost-coin tracing without TTP. When customer spends a coin twice, bank executes the double-spender/coin tracing without TTP. From Fig. 2, we can see that the system with the basic tracing functions can be independent of TTP, that is to say, unconditional tracing is optional in our system.

Fig. 2. Compact E-cash system providing complete and practical tracing

6. Compact E-cash with Practical and Complete Tracing

6.1 Overview of the Proposed Scheme

 ♦ Withdrawal Protocol

 C and B generate the wallet parameters (e1, e2, x), which are used to generate 2^l coins, and B signs them using a CL signature [38]. Then, to achieve loss tracing and unconditional tracing, C provides two ElGamal encryptions: ElGamal_PKC(g^{e2}) encrypts g^{e2} under C’s public key PKC, and ElGamal_PKT(g^{e2}) encrypts g^{e2} under T’s public key PKT. C also provides a knowledge proof (SPK) that the encryptions are generated correctly.

 ♦ Payment Protocol

 C performs the protocol with S to spend one of coins from C’s wallet.

 (1) To prove the validity of the coin, C provides a zero-knowledge proof of (e1, e2, x) showing that the coin spent in this protocol comes from a signed wallet.

 (2) To achieve loss tracing and unconditional tracing, C computes T2 = g^{H(J║r)·e2} (mod n_T) with a random input r, where n_T is an RSA modulus whose factorization is known to T, and J ∈ [0, 2^l − 1] is an integer. C also provides a zero-knowledge proof that T2 is generated correctly.

 (3) To prevent double-spending, C provides the serial number of the coin, i.e., Θ = PRF(e2, J), where PRF( ) is a pseudorandom function with secret seed e2 and public input J. Θ records the spent coins for B, and the integer J ∈ [0, 2^l − 1] records the spent coins for C, so C’s wallet contains 2^l coins. C also provides a zero-knowledge proof that Θ is generated correctly.

 (4) To efficiently achieve double-spending tracing without the TTP, C constructs a special knowledge proof of e1, i.e., PK_Θ(e1), which is related to Θ. The special property of PK_Θ(e1) is that if it is shown with the same Θ twice, i.e., the same coin is spent twice, the knowledge of (e1, e2) is leaked. The details of PK_Θ(e1) are provided in the following part.

 ♦ Deposit Protocol

 S sends B the information generated by C in the above payment protocol. B verifies it as S does in payment protocol and makes sure that the coin is spent only once. 

 ♦ Loss Register Protocol

 To register his lost coins for tracing, C sends B the information of the remaining coins, i.e., LR_x, which is shown only in the loss register protocol, so it does not affect C’s anonymity when spending the remaining coins. Then B sends C the ElGamal_PKC(g^{e2}) and the related zero-knowledge proof. After verifying the proof, C is convinced that ElGamal_PKC(g^{e2}) was generated by himself in the withdrawal protocol, and then uses his private key to decrypt it so as to obtain g^{e2}.

 ♦ Practical Complete Tracing

  • Unconditional tracing

  Unconditional coin-tracing: Getting the withdrawal information from the bank, T uses its private key to decrypt ElGamal_PKT(g^{e2}) and publishes g^{e2}. In the payment protocol, T2 = g^{H(J║r)·e2} (mod n_T) is provided to S together with J and r, so T2 can be identified once g^{e2} is known; that is to say, all the coins can be traced.

 Unconditional owner-tracing: Getting the deposit information from the shop, T uses the factorization of n_T to compute the inverse of H(J║r), so as to obtain g^{e2} from T2; then T identifies the owner from the withdrawal database.

 Double-spending tracing

 Double-spender-tracing: If C double-spends a coin, he has to use the same J more than once, that is, he has to show the same Θ = PRF(e2, J) more than once, so it can be found out by B. As mentioned earlier, if the special knowledge proof PK_Θ(e1) is shown with the same Θ twice, (e1, e2) will be leaked. Since e1 is used as the tracing information of the customer in the withdrawal protocol, the double-spender can be traced.

 Double-spender’s coin-tracing: With the leaked e2, every Θ = PRF(e2, J) for J ∈ [0, 2^l − 1] is computed and published, so that the coins of the double-spender cannot be spent anymore.

 • Lost-coin tracing

 After the loss register, B publishes g^{e2}. In the payment protocol, T2 = g^{H(J║r)·e2} (mod n_T) is provided to S together with J and r, so S can identify T2 once g^{e2} is published, and the lost coins cannot be spent by others.

 Then, we provide the detailed scheme.

6.2 System Setup

 Let ε > 1, k, l_s, l_p and l_ps be security parameters. λ1, λ2, γ1 and γ2 denote bit-lengths satisfying λ1 > ε(λ2 + k) + 2, γ1 = l_ps + 2, γ1 > ε(γ2 + k) + 2 and γ2, λ2 > k. Let Λ = [2^{λ1} − 2^{λ2}, 2^{λ1} + 2^{λ2}] and Γ = [2^{γ1} − 2^{γ2}, 2^{γ1} + 2^{γ2}]. H( ) is a hash function {0,1}^* → {0,1}^k.

 B (bank)’s Setup :

 Select random secret l_p-bit primes p′ and q′ such that p = 2p′ + 1 and q = 2q′ + 1 are primes. Provide a zero-knowledge proof that n = pq is the product of two safe primes [39].

 T (trusted authority)’s Setup :

 Select a random l_ps-bit prime n_s, where l_ps = ε(λ2 + k) + 2k + 2 > λ1. Select two secret l_p-bit primes p″ and q″ such that p_T = 2p″ + 1 and q_T = 2q″ + 1 are primes. Prove with a zero-knowledge proof that n_T = p_T q_T is the product of two safe primes [39]. Choose elements a, a0, a1, a2 of QR(n) of order p′q′, and g of QR(n_T) of order p″q″ [35]. Choose K1 ∈_R I_{l_s} and set h = g^{K1} (mod n_T).

 C (customer)’s Setup :

 Choose SKC ∈_R I_{l_s} and set PKC = g^{SKC} (mod n_T). The system public parameters are PK = (n, n_s, n_T, a, a0, a1, a2, g, h), B’s private key is p′, T’s private key is (p″, K1), and C’s private key is SKC.

6.3 Withdrawal Protocol

 As Fig. 3 presents, C and B generate the cash parameters (x, e1, e2) together, and then B computes the CL signature [38] (A, e). As mentioned in Section 6.1, (A1, A2) is ElGamal_PKC(g^{e2}), which encrypts g^{e2} under C’s public key PKC for loss tracing, and (A2, A3) is ElGamal_PKT(g^{e2}), which encrypts g^{e2} under T’s public key h for unconditional tracing. Then C obtains (x, e1, e2, A, e, rC) satisfying A^e ≡ a0 a^x a1^{e1} a2^{e2} (mod n), where rC is the serial number of the wallet. W and W1 guarantee the correctness of the computations, and W uses the method in [35] to prove the value range of e1.

Fig. 3. Withdrawal protocol (∈R denotes choosing at random)

6.4 Payment Protocol

 As we sketched in the section 6.1,

 (1) To prove the validity of the coin anonymously, C conceals the wallet as T1 = A h^w (mod n) [8] and provides a zero-knowledge proof of it: since A^e ≡ a0 a^x a1^{e1} a2^{e2} (mod n), C provides PK1(e, x, e1, e2, ew : a0 = T1^e / (a^x a1^{e1} a2^{e2} h^{ew})) as the zero-knowledge proof of wallet ownership. To simplify notation, we use the parameter names directly inside PK( ).

 (2) To achieve loss tracing and unconditional tracing, C computes T2 = g^{H(J║r)·e2} (mod n_T) with a random r. C also provides the zero-knowledge proof PK2(e2 : T2 = g^{H(J║r)·e2}).

 (3) To prevent double-spending, C provides the serial number of the coin, Θ = (a1^J)^{(J+e2)^{-1} (mod n_s)} (mod n), with J ∈ [0, 2^l − 1], and PK3(e2 : Θ = (a1^J)^{(J+e2)^{-1} (mod n_s)}) proving the correctness of Θ.

 Since (J+e2)^{-1} (mod n_s) · (J+e2) = t·n_s + 1 for some t ∈ Z,

 Θ^{(J+e2)} = (a1^J)^{(J+e2)^{-1} (mod n_s) · (J+e2)} = (a1^J)^{t n_s + 1} (mod n), and hence Θ^{e2} = (a1^J)^{t n_s + 1} / Θ^J (mod n).

 That is to say, PK3(e2 : Θ = (a1^J)^{(J+e2)^{-1} (mod n_s)}) = PK(t, e2 : T = (a1^J)^{t n_s + 1} ∧ Θ^{e2} = T / Θ^J).

 (4) To achieve double-spending tracing without the TTP, C constructs the special knowledge proof PK_Θ(e1), which leaks (e1, e2) if it is shown with the same Θ twice. We now explain it.

 According to Definition 3, to prove knowledge of the discrete logarithm in y = g^α, the prover first shows the verifier the commitment g^r for a random integer r; after receiving the random tr from the verifier, the prover obtains the challenge c = H(y ║ g ║ g^r ║ tr) and computes the challenge-response s = r − cx. Therefore g^r = g^s y^c (or c = H(y ║ g ║ g^s y^c ║ tr)) is the knowledge proof of y = g^α.

 The idea of constructing PK_Θ(e1) is to replace r with (J+e2)^{-1} (mod n_s) in the knowledge proof of e1. If PK_Θ(e1) is shown with the same Θ twice, there are two challenge-response equations, sσ = (J+e2)^{-1} (mod n_s) − c(e1 − 2^{λ1}) and s'σ = (J+e2)^{-1} (mod n_s) − c'(e1 − 2^{λ1}), from which (e1, e2) are easily computed. To achieve this, C computes d1 = T1^{r1} / [a^{r2} a1^{(J+e2)^{-1} (mod n_s)} a2^{r3} h^{r4}] as the commitment of PK1(e, x, e1, e2, ew : a0 = T1^e / (a^x a1^{e1} a2^{e2} h^{ew})); that is to say, (J+e2)^{-1} (mod n_s) replaces r in d1. C must also provide the zero-knowledge proof PK4(δ : Θ = (a1^J)^δ ∧ d1 = T1^{r1} / (a^{r2} a1^δ a2^{r3} h^{r4})). So PK3 and PK4 guarantee that one challenge-response of PK1 is sσ = (J+e2)^{-1} (mod n_s) − c(e1 − 2^{λ1}).

 The special design changes the construction of zero-knowledge proof. So we must prove:

 • the security of construction of zero-knowledge proof is preserved;

 • (J+e2) -1 (mod ns) can be used as a pseudorandom function in this construction;

 • the special knowledge proof has the zero-knowledge property.

 The proofs of the above security properties are provided in the section 7.

Fig. 4. Payment protocol (Id denotes {0,1}d )

 For presenting our idea clearly, only the commitment and challenge-response of PK1( ) are provided, since PKΘ(e1) is embedded in it. And PK2( )~PK4( ) are common zero-knowledge proofs, so the commitment and challenge-response of them are omitted in Fig. 4 (we just use PK2-4 to denote the process). In fact, all the commitments are provided in the commitment stage and all the challenge-responses are computed in the challenge-response stage.

6.5 Loss Register Protocol

 When C loses the E-wallet with serial number rCx, he sends (rC1, …, rCx−1, rCx+1, …, rCn), the serial numbers of his remaining E-wallets, to B, as shown in Fig. 5. As rCi is not shown when C spends E-cash, the anonymity of C and the unlinkability of spending are not affected. Note that C gets the refund from B only after B confirms the quantity of all unspent coins in the system, that is to say, after a period. In addition, B cannot refuse to perform loss-tracing unless B can provide a payment proof generated before B published the loss-tracing information in the system.

Fig. 5. Loss Register Protocol

6.6 Deposit Protocol

 S sends B the payment proof (i.e., Proofpayment =(T1,T2,J,r,Θ,tr,c,s1,s2,sσ,s3,s4,PK2-4)). B verifies Proofpayment as S does in Fig. 4, then B searches Θ in database. If there is the same Θ with the same J and a different c, it indicates that the Proofpayment is generated by some double-spender. Therefore, it results in Double-spending tracing. However, if there is the same (Θ, J, c) in B’s database, it indicates that S deposits this coin twice, and B will abort it. Otherwise, B records the Proofpayment and terminates this protocol.

 6.7 Complete Tracing

 Double-spending tracing

 If C spends the same coin twice, B can trace the double-spender and his coins.

 ♦ Double-spender tracing from Bank

\(\left\{\begin{array}{l} s_{\sigma}=\left(J+e_{2}\right)^{-1}\left(\bmod n_{s}\right)-c\left(e_{1}-2^{\lambda_{1}}\right) \\ s_{\sigma}^{\prime}=\left(J+e_{2}\right)^{-1}\left(\bmod n_{s}\right)-c^{\prime}\left(e_{1}-2^{\lambda_{1}}\right) \end{array}\right.\)

 B can compute e1 and e2 from the equation set.

\(\left\{\begin{array}{l} e_{1}=\left(s_{\sigma}-s_{\sigma}^{\prime}\right) /\left(c^{\prime}-c\right)+2^{\lambda_{1}} \\ e_{2}=\left[s_{\sigma}+c\left(s_{\sigma}-s_{\sigma}^{\prime}\right) /\left(c^{\prime}-c\right)\right]^{-1}\left(\bmod n_{s}\right)-J \end{array}\right.\)

 Since \(A_2 = g^{e_1}\ (\bmod n_T)\), \(A_2 = g^{(s_\sigma - s'_\sigma)/(c'-c)+2^{\lambda_1}}\ (\bmod n_T)\) ……(e1)

 Therefore, the double-spender with \(PK_C\) is found from the \(A_2\) stored in the withdrawal database. \(W_{double}=(\Theta,J,t_r,t'_r)\) proves that some C double-spends, and \((W_{double},(e1),W,W_1)\) prove that the C with \(PK_C\) double-spends.

 ♦ Double-spender’s coin tracing from Bank

 Since \(\Theta = a_1^{J(J+e_2)^{-1}(\bmod n_s)}\ (\bmod n)\), \(\Theta^* = a_1^{J^*\{J^*+[s_\sigma + c(s_\sigma - s'_\sigma)/(c'-c)]^{-1}(\bmod n_s)-J\}^{-1}(\bmod n_s)}\ (\bmod n)\) ……(e2). So B can compute \(\Theta^*\) for every \(J^*\) and identify all e-coins in the double-spender's e-wallet, and \((W_{double},(e2))\) prove that the coins belong to a double-spender.
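The following toy simulation, added here as an illustration and not part of the paper, runs the deposit check of Section 6.6 and the bank-side recovery of \(e_1\), \(e_2\) and \(\Theta^*\) from equations (e1) and (e2); the moduli, bases and the parameters \(\lambda_1\), \(\lambda_2\), k are constructed toy values, and the shop's range check of Theorem 4 is included to show why a response built with \(k_0 \neq 0\) is refused.

```python
from typing import Dict, Optional, Tuple

# Constructed toy parameters (assumptions; far too small for real use).
NS = 2**61 - 1              # prime n_s (a Mersenne prime stands in for the l_ps-bit prime)
N = 2**31 - 1               # modulus n of the group generated by a1 (toy: a prime)
A1 = 5                      # base a1
LAMBDA1, LAMBDA2, K = 20, 8, 16   # e1 lies in [2^l1 - 2^l2, 2^l1 + 2^l2]; c is a k-bit challenge

# Interval of s_sigma that the shop S checks in the payment protocol (Theorem 4 (1)).
S_LOW = -2**(K + LAMBDA2) + 2**LAMBDA2 + 1
S_HIGH = NS + 2**(K + LAMBDA2) - 2**LAMBDA2 - 1


def inv_ns(x: int) -> int:
    """x^{-1} (mod n_s) as an integer in [1, n_s - 1]."""
    return pow(x % NS, -1, NS)


def coin_serial(J: int, e2: int) -> int:
    """Theta = a1^{J (J+e2)^{-1} (mod n_s)} (mod n): serial number of coin J of the wallet with secret e2."""
    return pow(A1, J * inv_ns(J + e2), N)


def s_sigma(J: int, e1: int, e2: int, c: int, k0: int = 0) -> int:
    """Special response s_sigma = (J+e2)^{-1} (mod n_s) - c(e1 - 2^{lambda1}); k0 != 0 models the cheat of (e6)."""
    return inv_ns(J + e2) + k0 * NS - c * (e1 - 2**LAMBDA1)


def shop_accepts(s: int) -> bool:
    """Range check performed by S; a response built with k0 != 0 lands outside with overwhelming probability."""
    return S_LOW <= s <= S_HIGH


def trace_double_spender(J: int, c: int, s: int, c2: int, s2: int) -> Tuple[int, int]:
    """Bank's recovery of (e1, e2 mod n_s) from two responses on the same (Theta, J) with c != c2 (6.7)."""
    if c == c2:
        raise ValueError("identical challenges carry no new information")
    # s - s2 = (c2 - c)(e1 - 2^{lambda1}) holds exactly over the integers
    q, rem = divmod(s - s2, c2 - c)
    if rem:
        raise ValueError("responses are not consistent with one wallet")
    e1 = q + 2**LAMBDA1
    e2 = (inv_ns(s + c * q) - J) % NS     # [s + c(s - s2)/(c2 - c)]^{-1} (mod n_s) - J
    return e1, e2


class Bank:
    """Deposit database keyed by the serial number Theta, as in Section 6.6."""

    def __init__(self) -> None:
        self.db: Dict[int, Tuple[int, int, int]] = {}   # Theta -> (J, c, s_sigma)

    def deposit(self, theta: int, J: int, c: int, s: int) -> Tuple[str, Optional[Tuple[int, int]]]:
        """Returns (verdict, traced (e1, e2)); verdict is ok / duplicate / double-spend / rejected."""
        if not shop_accepts(s):
            return "rejected", None                 # S should already have refused this proof
        prior = self.db.get(theta)
        if prior is None:
            self.db[theta] = (J, c, s)
            return "ok", None
        J0, c0, s0 = prior
        if c0 == c:
            return "duplicate", None                # same (Theta, J, c): S deposited the proof twice
        return "double-spend", trace_double_spender(J0, c0, s0, c, s)


def demo() -> dict:
    """Constructed walk-through: one coin spent twice, then the bank traces the whole wallet."""
    e1, e2 = 2**LAMBDA1 + 100, 123_456_789_012     # wallet secrets (constructed)
    J = 7                                           # index of the coin spent twice
    c, c2 = 0xBEEF, 0x1234                          # two distinct k-bit challenges
    theta = coin_serial(J, e2)
    bank = Bank()
    first = bank.deposit(theta, J, c, s_sigma(J, e1, e2, c))
    dup = bank.deposit(theta, J, c, s_sigma(J, e1, e2, c))
    second = bank.deposit(theta, J, c2, s_sigma(J, e1, e2, c2))
    e1_rec, e2_rec = second[1]
    # (e2): with e2 recovered the bank recomputes Theta* for every other coin index J* of the wallet
    coins_ok = all(coin_serial(js, e2_rec) == coin_serial(js, e2) for js in range(1, 6))
    return {"first": first[0], "dup": dup[0], "second": second[0],
            "e1_ok": e1_rec == e1, "e2_ok": e2_rec == e2, "coins_ok": coins_ok,
            "cheat_caught": not shop_accepts(s_sigma(J, e1, e2, c, k0=1))}
```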

 Unconditional tracing

 When E-cash is connected with crimes, T can do the following tracing.

 ♦ Unconditional owner-tracing from T

 T gets J, r and \(T_2\) from the payment, where \(T_2 = g^{H(J\|r)e_2}\ (\bmod n_T)\). Then T uses the private key \(p''\) to compute \(H(J\|r)^{-1}\ (\bmod p''q'')\), and \(T_2^{H(J\|r)^{-1}} = g^{H(J\|r)e_2 H(J\|r)^{-1}} = g^{e_2} = \Omega\ (\bmod n_T)\) ……(e3). Searching for \((A_2, A_3)\) in the withdrawal database, if \(A_3/A_2^{K_1} = \Omega\ (\bmod n_T)\), T finds the coin owner. \(W_2 = (J, r, T_2, (e3))\), and \((W, W_1, W_2)\) prove that the C with \(PK_C\) is the coin owner.

 ♦ Unconditional coin-tracing from T

 T gets \(A_2\) and \(A_3\) from the withdrawal. Since \(A_2 = g^{e_1}\ (\bmod n_T)\) and \(A_3 = g^{e_2}h^{e_1}\ (\bmod n_T)\), \(g^{e_2} = A_3/A_2^{K_1}\ (\bmod n_T)\). Then in the payment protocol, \(T_2 = g^{H(J\|r)e_2} = (A_3/A_2^{K_1})^{H(J\|r)}\ (\bmod n_T)\).

 So the coin from the wallet is identified when it is spent. \(W_3 = SPK\{\alpha : g^{e_2} = A_3/A_2^{\alpha} \wedge h = g^{\alpha} \wedge T_2 = (A_3/A_2^{\alpha})^{H(J\|r)}\}\), and \((W_1, T_2, W_3)\) prove that the e-coins are from the traced wallet.

 Lost-coin tracing

 ♦ Lost-coin tracing from B

 After Loss Register, all coins in the lost e-wallet are traced once \(T_{2x} = g^{e_2}\ (\bmod n_T)\) is published in the system, since \(T_2 = g^{H(J\|r)e_2} = (T_{2x})^{H(J\|r)}\ (\bmod n_T)\) in payment.

 So the coin from the lost wallet is identified when it is spent, and \((W_{loss}, W, W_1)\) prove that the spent coin has been registered for lost-coin tracing by its actual owner with \(PK_C\).
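As an added illustration (not the paper's code), the following toy simulation implements T's unconditional owner tracing (e3) and the shared check \(T_2 = (g^{e_2})^{H(J\|r)}\) used by both unconditional coin tracing and lost-coin tracing; \(n_T\) built from two small safe primes, the base g, T's secret \(K_1\) and the toy hash are constructed assumptions.

```python
from hashlib import sha256
from math import gcd
from typing import Dict, Optional, Tuple

# Constructed toy parameters (assumptions; a real n_T is 1024 bits).
P_DD, Q_DD = 509, 593                     # p'', q'': T's private key (1019 = 2*509+1 and 1187 = 2*593+1 are prime)
N_T = (2 * P_DD + 1) * (2 * Q_DD + 1)     # n_T = 1019 * 1187
ORD = P_DD * Q_DD                         # order of the quadratic-residue subgroup of Z_{n_T}^*
G = 3 * 3 % N_T                           # g = 3^2, a quadratic residue, so g has order p''q''
K1 = 4242                                 # T's secret exponent with h = g^{K1} (mod n_T)
H_PUB = pow(G, K1, N_T)


def hash_jr(J: int, r: int) -> int:
    """Toy H(J||r): SHA-256 reduced mod p''q'', re-hashed until the value is invertible mod p''q''."""
    data = f"{J}|{r}".encode()
    while True:
        v = int(sha256(data).hexdigest(), 16) % ORD
        if v > 1 and gcd(v, ORD) == 1:
            return v
        data = sha256(data).digest()


def withdraw_record(e1: int, e2: int) -> Tuple[int, int]:
    """(A2, A3) = (g^{e1}, g^{e2} h^{e1}) (mod n_T) kept by B in the withdrawal database."""
    return pow(G, e1, N_T), pow(G, e2, N_T) * pow(H_PUB, e1, N_T) % N_T


def payment_t2(J: int, r: int, e2: int) -> int:
    """T2 = g^{H(J||r) e2} (mod n_T) revealed by the customer in the payment."""
    return pow(G, hash_jr(J, r) * e2 % ORD, N_T)


def g_e2_of_wallet(a2: int, a3: int) -> int:
    """A3 / A2^{K1} = g^{e2} (mod n_T), computable only by T, who holds K1."""
    return a3 * pow(pow(a2, K1, N_T), -1, N_T) % N_T


def ttp_owner_trace(J: int, r: int, t2: int, withdrawals: Dict[str, Tuple[int, int]]) -> Optional[str]:
    """(e3): T computes Omega = T2^{H(J||r)^{-1}} = g^{e2} and matches it against A3/A2^{K1} of each PK_C."""
    h_inv = pow(hash_jr(J, r), -1, ORD)   # the inverse mod p''q'' needs T's private key
    omega = pow(t2, h_inv, N_T)
    for pk, (a2, a3) in withdrawals.items():
        if g_e2_of_wallet(a2, a3) == omega:
            return pk
    return None


def coin_from_wallet(J: int, r: int, t2: int, g_e2: int) -> bool:
    """Shared test of unconditional coin tracing and lost-coin tracing: T2 == (g^{e2})^{H(J||r)} (mod n_T)."""
    return t2 == pow(g_e2, hash_jr(J, r), N_T)


def demo() -> dict:
    """Constructed walk-through: Alice's coin is traced to her PK and flagged as coming from her (lost) wallet."""
    alice_e1, alice_e2 = 2**20 + 3, 77_777
    bob_e1, bob_e2 = 2**20 - 9, 31_313
    withdrawals = {"PK_alice": withdraw_record(alice_e1, alice_e2),
                   "PK_bob": withdraw_record(bob_e1, bob_e2)}
    J, r = 5, 0xC0FFEE
    t2 = payment_t2(J, r, alice_e2)
    owner = ttp_owner_trace(J, r, t2, withdrawals)
    # lost-coin tracing: after Loss Register the value T2x = g^{e2} of the lost wallet is published
    t2x = pow(G, alice_e2, N_T)
    return {"owner": owner,
            "flag_alice": coin_from_wallet(J, r, t2, t2x),
            "flag_bob": coin_from_wallet(J, r, t2, g_e2_of_wallet(*withdrawals["PK_bob"]))}
```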

7. Security of the Proposed Scheme

 As analyzed in Section 6.4, the main idea of the proposed scheme is the construction of the special knowledge proof. To achieve it, the random r is replaced with \((J+e_2)^{-1}\ (\bmod n_s)\), giving the special challenge-response \(s_\sigma = (J+e_2)^{-1}\ (\bmod n_s) - c(e_1 - 2^{\lambda_1})\). Therefore, the key security issues are:

 • the security of construction of zero-knowledge proof is preserved; (Theorem 1)

 • \((J+e_2)^{-1}\ (\bmod n_s)\) can be used as a pseudorandom function in this construction; (Theorem 2)

 • the special knowledge proof has the zero-knowledge property. (Theorem 3)

 We provide the proofs of these key issues first.

 Theorem 1. When each serial number of coin Θ is used only once, none of the proven parameters can be computed from the challenge-response equations under the discrete logarithm assumption.

 Proof. In the payment protocol, PK3 proves that Θ is generated correctly, and PK3 and PK4 guarantee that one challenge-response of PK1 is \(s_\sigma = (J+e_2)^{-1}\ (\bmod n_s) - c(e_1 - 2^{\lambda_1})\) ……(e4). So using a Θ only once implies that there is only one equation set (E1) for each Θ, and (e4) is the only equation in it that is not a standard challenge-response. Because the other knowledge proofs are standard, their proven parameters cannot be computed from the challenge-response equation set. In addition, the single equation (e4) has arbitrarily many solutions within the value ranges of \(e_1\) and \(e_2\). When K coins from the same wallet are spent, the equations (e4) from the respective equation sets (E1) constitute (E2), and the coefficient matrix \(M_1\) of (E2) is as follows:

(E2)\(\left\{\begin{aligned} \left(J_{1}+e_{2}\right)^{-1}\left(\bmod n_{s}\right)-c_{1} e_{1} &=s_{\sigma 1}-c_{1} 2^{\lambda_{1}} \\ \left(J_{2}+e_{2}\right)^{-1}\left(\bmod n_{s}\right)-c_{2} e_{1} &=s_{\sigma 2}-c_{2} 2^{\lambda_{1}} \\ \vdots \\ \left(J_{K-1}+e_{2}\right)^{-1}\left(\bmod n_{s}\right)-c_{K-1} e_{1} &=s_{\sigma(K-1)}-c_{K-1} 2^{\lambda_{1}} \\ \left(J_{K}+e_{2}\right)^{-1}\left(\bmod n_{s}\right)-c_{K} e_{1} &=s_{\sigma K}-c_{K} 2^{\lambda_{1}} \end{aligned}\right.\)

\(\left(J_{1}+e_{2}\right)^{-1} \quad\left(J_{2}+e_{2}\right)^{-1} \ldots \quad\left(J_{K-1}+e_{2}\right)^{-1} \quad\left(J_{K}+e_{2}\right)^{-1} \quad e_1\)

\(\left(\begin{array}{cccccc} 1 & 0 & \ldots & 0 & 0 & c_{1} \\ 0 & 1 & \ldots & 0 & 0 & c_{2} \\ & & \vdots & & & \\ 0 & 0 & \ldots & 1 & 0 & c_{K-1} \\ 0 & 0 & \ldots & 0 & 1 & c_{K} \end{array}\right)\)

The row vectors of M1 are:

\(\begin{array}{c} \alpha_{1}=\left(\begin{array}{cccccc} 1 & 0 & \ldots & 0 & 0 & c_{1} \end{array}\right) & \alpha_{K-1}=\left(\begin{array}{cccccc} 0 & 0 & \ldots & 1 & 0 & c_{K-1} \end{array}\right) \end{array}\)

\(\alpha_{2}=\left(\begin{array}{cccccc} 0 & 1 & \ldots & 0 & 0 & c_{2} \end{array}\right) \ldots \ldots \ldots \ldots \quad \alpha_{K}=\left(\begin{array}{cccccc} 0 & 0 & \ldots & 0 & 1 & c_{K} \end{array}\right)\)

 To compute \((J_1+e_2)^{-1}\), there would have to exist the matrix below (with a constant Δ≠0) after elementary transformations, but this is proven infeasible.

\(\left(J_{1}+e_{2}\right)^{-1} \quad\left(J_{2}+e_{2}\right)^{-1} \ldots \quad\left(J_{K-1}+e_{2}\right)^{-1} \quad\left(J_{K}+e_{2}\right)^{-1} \quad e_1\)

\(\left(\begin{array}{cccccc} \Delta & 0 & \ldots & 0 & 0 & 0 \\ 0 & 1 & \ldots & 0 & 0 & c_{2} \\ & & \vdots & & & \\ 0 & 0 & \ldots & 1 & 0 & c_{K-1} \\ 0 & 0 & \ldots & 0 & 1 & c_{K} \end{array}\right)\)

 So there are \((k_1, k_2, \ldots, k_{K-1}, k_K)\) satisfying \((\Delta\ 0\ \ldots\ 0\ 0\ 0) = k_1\alpha_1 + k_2\alpha_2 + \ldots + k_{K-1}\alpha_{K-1} + k_K\alpha_K\). That is to say,

\(\left\{\begin{array}{l} k_{1}+0 +\ldots+0+0=\Delta \\ 0+k_{2} +\ldots+0+0=0 \\ \quad \quad \quad \quad \vdots\\ 0+0 +\ldots+k_{K-1}+0=0\\ 0+0 +\ldots+0+k_{K}=0\\ k_{1} c_{1}+k_{2} c_{2}+\ldots+k_{K-1} c_{K-1}+k_{K} c_{K}=0 \end{array}\right.\)

 We have \(k_2 = k_3 = \ldots = k_{K-1} = k_K = 0\) and \(k_1 = \Delta \neq 0\), so \(c_1 = 0\). However, the customer will notice c=0 when spending the coin. Therefore, computing \((J_1+e_2)^{-1}\ (\bmod n_s)\) is infeasible, and for the same reason \((J_i+e_2)^{-1}\ (\bmod n_s)\) cannot be found for \(2 \leq i \leq K\).

 Anyone who tries to compute \(e_1\) must obtain the following coefficient matrix (Δ≠0).

\(\left(J_{1}+e_{2}\right)^{-1} \quad\left(J_{2}+e_{2}\right)^{-1} \ldots \quad\left(J_{K-1}+e_{2}\right)^{-1} \quad\left(J_{K}+e_{2}\right)^{-1} \quad e_1\)

\(\left(\begin{array}{cccccc} 0 & 0 & \ldots & 0 & 0 & \Delta \\ 0 & 1 & \ldots & 0 & 0 & c_{2} \\ & & \vdots & & & \\ 0 & 0 & \ldots & 1 & 0 & c_{K-1} \\ 0 & 0 & \ldots & 0 & 1 & c_{K} \end{array}\right)\)

 So there are \((k_1, k_2, \ldots, k_{K-1}, k_K)\) satisfying \((0\ 0\ \ldots\ 0\ 0\ \Delta) = k_1\alpha_1 + k_2\alpha_2 + \ldots + k_{K-1}\alpha_{K-1} + k_K\alpha_K\). That is to say,

\(\left\{\begin{array}{ll} k_{1}+0+\ldots+0 +0=0 \\ 0+k_{2}+\ldots+0 +0=0 \\ \quad \quad \quad \quad \vdots \\ 0+0+\ldots+k_{K-1}+0 =0 \\ 0+0+\ldots+0 +k_{K}=0 \\ k_{1} c_{1}+k_{2} c_{2}+\ldots+k_{K-1} c_{K-1}+k_{K} c_{K} =\Delta \end{array}\right.\)

 We have \(k_1 = k_2 = \ldots = k_{K-1} = k_K = 0\), which contradicts Δ≠0, so computing \(e_1\) is also infeasible.

 So \(e_1\) and \(e_2\) cannot be computed from (E1) or (E2). Therefore, none of the proven parameters can be computed if the customer never spends the same coin twice.

 Theorem 2. Suppose the \((s(k), 2^{a(k)}, \varepsilon(k))\)-DDHI assumption holds. (i) \(f^1_{e_2}(J) = a^{(J+e_2)^{-1}}\) is an \((s'(k), \varepsilon'(k))\)-pseudorandom function for anyone without knowledge of \(e_2\), where \(s'(k) = s(k)/[2^{a(k)}\cdot poly(k)]\) and \(\varepsilon'(k) = 2^{a(k)}\cdot\varepsilon(k)\). (ii) If the one without knowledge of \(e_2\) cannot use the extended Euclidean algorithm to compute the inverse of \(f^2_{e_2}(J)\), then \(f^2_{e_2}(J) = (J+e_2)^{-1}\ (\bmod n_s)\) is an \((s''(k), \varepsilon''(k))\)-pseudorandom function, where \(s''(k) = s(k)/[2^{a(k)}\cdot poly(k)]\) and \(\varepsilon''(k) = 2^{a(k)}\cdot\varepsilon(k)\).

 Proof. For the sake of contradiction, suppose there exists an algorithm A which \((s'(k), q, \varepsilon'(k))\)-breaks the pseudorandom function, i.e., runs in time \(s'(k)\) and can identify \(f^1_{e_2}(J_0) = (a')^{(J_0+e_2)^{-1}}\) with probability at least \(1/2 + \varepsilon'(k)\), where \((J_0, (a')^{(J_0+e_2)^{-1}})\) is any unseen point of the function \(f^1_{e_2}(J)\). Then we can construct an algorithm B which interacts with A to break the q-DDHI assumption: given a random instance \((a, a^{\alpha}, \ldots, a^{(\alpha^q)})\) of the q-DHI problem, the goal of B is to identify \(a^{1/\alpha}\). Let \(J_0 = \alpha - e_2\), where \(e_2\) and α are unknown to A and B. The error probability can be decreased by changing \(J_0\) and executing this algorithm sufficiently many times. Note that \((a, a^{e_2}, \ldots, a^{(e_2^q)})\) can be computed from \((a, a^{\alpha}, \ldots, a^{(\alpha^q)})\) by the Binomial Theorem.

 Input to the reduction: \((a, a^{\alpha}, \ldots, a^{(\alpha^q)}, \Gamma) \in G^{q+2}\), where Γ is either \(a^{1/\alpha}\) or a random element of G. Its goal is to output 1 if \(\Gamma = a^{1/\alpha}\) and 0 otherwise.

 Then B interacts with A as follows:

 Query: A outputs a list of \(q_s\) distinct serial numbers \(J_1, \ldots, J_{q_s}\), with \(q_s < q\). Because A reveals the queries in advance, we can assume A outputs q-1 serial numbers to be responded to (if the number is smaller, reduce the value of q so that \(q = q_s + 1\)).

 Response: B computes the polynomial \(f(y) = \prod_{i=1}^{q-1}(y + J_i)\).

 Then we have \(f(y) = \sum_{i=0}^{q-1}\alpha_i y^i\) by expanding f(y), where \(\alpha_0, \ldots, \alpha_{q-1} \in Z_n\) are the coefficients of the polynomial f(y).

\(a^{\prime}=\prod_{i=0}^{q-1} a^{\alpha_{i} e_{2}^{i}}=a^{f\left(e_{2}\right)}\)      \(\prod_{i=1}^{q} a^{\alpha_{i-1} e_{2}^{i}}=a^{e_{2} f\left(e_{2}\right)}=\left(a^{\prime}\right)^{e_{2}}\)

 Then B gives a' to A. We can assume that \(f(e_2) \neq 0\), because otherwise \(e_2 = -J_i\) for some i, which means B has obtained the secret \(e_2\). Then for each \(i = 1, \ldots, q-1\), B computes \(R_i\) and returns it to A as follows: let \(f_i(y)\) be the polynomial \(f_i(y) = f(y)/(y + J_i) = \prod_{j=1, j \neq i}^{q-1}(y + J_j)\), expanded as \(f_i(y) = \sum_{j=0}^{q-2}\beta_j y^j\).

\(R_{i}=\prod_{j=0}^{q-2} a^{\beta_{j} e_{2}^{j}}=a^{f_{i}\left(e_{2}\right)}=\left(a^{\prime}\right)^{1 /\left(e_{2}+J_{i}\right)}\)

 So B can give A the q-1 responses \(R_1, \ldots, R_{q-1}\) without knowledge of \(e_2\).

 Challenge: A claims that it can distinguish \((a')^{1/(e_2+J^*)} = a^{f(e_2)/(e_2+J^*)}\) from a random element of G. If \(J^* \neq J_0\), the algorithm is repeated. Otherwise, A claims that it can distinguish \((a')^{1/(e_2+J_0)} = a^{f(e_2)/(e_2+J_0)}\) from a random element of G, where \(J_0 \notin \{J_1, \ldots, J_{q-1}\}\). Now compute

\(f(y) /\left(y+J_{0}\right)=\sum_{i=0}^{q-2} \gamma_{i} y^{i}+\gamma_{-1} /\left(y+J_{0}\right)\)

 where \(\gamma_{-1} \neq 0\) since \(f(y) = \prod_{i=1}^{q-1}(y + J_i)\) and \(J_0 \notin \{J_1, \ldots, J_{q-1}\}\). So

\(\left(a^{\prime}\right)^{1 /\left(e_{2}+J_{0}\right)}=a^{f\left(e_{2}\right) /\left(e_{2}+J_{0}\right)}=a^{\sum_{i=0}^{q-2} \gamma_{i} e_{2}^{i}+\gamma_{-1} /\left(e_{2}+J_{0}\right)}=\Gamma_{0} \cdot a^{\gamma_{-1} /\left(e_{2}+J_{0}\right)}=\Gamma_{0} \cdot\left(a^{1 / \alpha}\right)^{\gamma_{-1}}\)

 Because \(\Gamma_0 = \prod_{i=0}^{q-2}(a^{e_2^i})^{\gamma_i}\) is computed by this algorithm, if \(\Delta = (a')^{1/(e_2+J_0)}\) and \(\Gamma = a^{1/\alpha}\), then \(\Delta = \Gamma_0 \cdot \Gamma^{\gamma_{-1}}\).

 So B can distinguish \(a^{1/\alpha}\) from \((a, a^{\alpha}, \ldots, a^{\alpha^q})\) according to A's guess about \(\Delta = (a')^{1/(e_2+J_0)}\).

 Guess: A outputs a guess \(b \in \{0, 1\}\) for Δ, and then B outputs a guess \(b' \in \{0, 1\}\) for Γ.

 The main running time of the reduction is the time spent simulating oracle queries. Since A can make at most \(s'(k)\) queries, the running time of B is \(s'(k)\cdot[2^{a(k)}\cdot poly(k)]\), and the advantage of B is \(\varepsilon'(k)/2^{a(k)}\). So \(s'(k) = s(k)/[2^{a(k)}\cdot poly(k)]\) and \(\varepsilon'(k) = 2^{a(k)}\cdot\varepsilon(k)\).

 Challenge and Guess following C: An algorithm C which \((s''(k), \varepsilon''(k))\)-breaks the pseudo-randomness of \(f^{2\prime}_{e_2}(J) = (J+e_2)^{-1}\) claims to be able to distinguish \(P^* = (J_0+e_2)^{-1}\) from a random element without knowledge of \(e_2\) (Theorem 1 guarantees that the extended Euclidean algorithm cannot be used). If \(\Gamma = a^{1/\alpha}\), then \((a')^{P^*} = (a')^{1/(e_2+J_0)} = \Gamma_0 \cdot \Gamma^{\gamma_{-1}}\) ……(e5). Given \(P^*\), C outputs a guess \(d_{guess} \in \{0, 1\}\) for \(P^* = (J_0+e_2)^{-1}\). Then B outputs \(d'_{guess}\) for Γ according to (e5).

 Therefore, without knowledge of \(e_2\), the pseudorandom property of \(f^{2\prime}_{e_2}(J) = (J+e_2)^{-1}\) is proven provided that no one can use the extended Euclidean algorithm to compute its inverse, and so the pseudorandom property of \(f^2_{e_2}(J) = (J+e_2)^{-1}\ (\bmod n_s)\) is proven. Likewise, \(f^2_{e_2}(J) = (J+e_2)^{-1}\ (\bmod n_s)\) is an \((s''(k), \varepsilon''(k))\)-pseudorandom function with \(s''(k) = s(k)/[2^{a(k)}\cdot poly(k)]\) and \(\varepsilon''(k) = 2^{a(k)}\cdot\varepsilon(k)\).

 Theorem 3. If the customer never spends the same coin twice, the knowledge proof in the payment protocol has the statistical zero-knowledge property under the q-DDHI assumption.

 Proof. We only need to prove that \((c, s_\sigma) \in \{0,1\}^k \times \{-2^{k+\lambda_2}+2^{\lambda_2}+1, \ldots, n_s+2^{k+\lambda_2}-2^{\lambda_2}-1\}\) from the non-standard knowledge proof has the statistical zero-knowledge property (Theorem 6 shows that the special knowledge proof is a proof of knowledge of \(e_1\)). To be concise, let \(y = a_1^{e_1}\), and let \((c, s_\sigma) \in \{0,1\}^k \times \{-2^{k+\lambda_2}+2^{\lambda_2}+1, \ldots, n_s+2^{k+\lambda_2}-2^{\lambda_2}-1\}\) satisfy \(c = H(y^c \cdot a_1^{s_\sigma - c2^{\lambda_1}})\).

 According to Theorem 2, \((J_i+e_2)^{-1}\) in the construction of the payment is a random element to anyone without knowledge of \(e_2\). The generating mode of the withdrawal protocol guarantees that \((J_i+e_2)\ (\bmod n_s)\) is uniformly distributed over \([1, n_s-1]\), and so is \((J_i+e_2)^{-1}\ (\bmod n_s)\), since the inverse of each \((J_i+e_2)\ (\bmod n_s)\) is unique and distinct from the others in \([1, n_s-1]\).

 To prove the statistical zero-knowledge property of the knowledge proof, we show that a simulator which chooses the challenge uniformly can produce a protocol conversation that is statistically indistinguishable from a protocol conversation with C.

 The simulator chooses \(\bar{c}\) from \(\{0,1\}^k\) and \(\bar{s}_\sigma\) from \(\{-2^{k+\lambda_2}+2^{\lambda_2}+1, \ldots, n_s+2^{k+\lambda_2}-2^{\lambda_2}-1\}\) uniformly at random. Using these values, the simulator computes \(\bar{\Delta} = y^{\bar{c}} a_1^{\bar{s}_\sigma - \bar{c}2^{\lambda_1}}\ (\bmod n)\) [40]. To prove that these values are statistically indistinguishable from the view of a protocol run with C, we compare the probability distribution \(P_{S_\sigma}(s_\sigma)\) of the response \(s_\sigma\) from C with the probability distribution \(P_{\bar{S}_\sigma}(\bar{s}_\sigma)\).

 In the payment protocol, \(s_\sigma = (J+e_2)^{-1}\ (\bmod n_s) - c(e_1 - 2^{\lambda_1})\), where \((J+e_2)^{-1} > 0\) and \((J+e_2)^{-1}\) is uniformly distributed over \([1, n_s-1]\) as analyzed above. \(e_1\) is chosen from \([2^{\lambda_1}-2^{\lambda_2}, 2^{\lambda_1}+2^{\lambda_2}]\), and c (i.e., the output of H( )) can have any distribution over \(\{0,1\}^k\). And \(l_{ps} = \varepsilon(\lambda_2+k)+2k+2\).

\(P_{S_{\sigma}}\left(s_{\sigma}\right)\left\{\begin{array}{lll} =0 & \text{for} & s_{\sigma}<-2^{k+\lambda_{2}}+2^{\lambda_{2}}+1\\ \leq\left(n_{s}-1\right)^{-1} & \text{for} & -2^{k+\lambda_{2}}+2^{\lambda_{2}}+1 \leq s_{\sigma}<2^{k+\lambda_{2}}-2^{\lambda_{2}}+1\\ =\left(n_{s}-1\right)^{-1} & \text{for} & 2^{k+\lambda_{2}}-2^{\lambda_{2}}+1 \leq s_{\sigma} \leq n_{s}-2^{k+\lambda_{2}}+2^{\lambda_{2}}-1\\ \leq\left(n_{s}-1\right)^{-1} & \text{for} & n_{s}-2^{k+\lambda_{2}}+2^{\lambda_{2}}-1 < s_{\sigma} \leq n_{s}+2^{k+\lambda_{2}}-2^{\lambda_{2}}-1\\ =0 & \text{for} & s_{\sigma}>n_{s}+2^{k+\lambda_{2}}-2^{\lambda_{2}}-1 \end{array}\right.\)

 Let us give a brief explanation of \(P_{S_\sigma}(s_\sigma)\).

\(\begin{array}{l} P\left(s_{\sigma}=2^{k+\lambda_{2}}-2^{\lambda_{2}}+1\right)=\sum P\left(\left(J+e_{2}\right)^{-1}\left(\bmod n_{s}\right)-c\left(e_{1}-2^{\lambda_{1}}\right)=2^{k+\lambda_{2}}-2^{\lambda_{2}}+1\right) \\ =P\left(\left(J+e_{2}\right)^{-1}\left(\bmod n_{s}\right)=1, c\left(e_{1}-2^{\lambda_{1}}\right)=-2^{k+\lambda_{2}}+2^{\lambda_{2}}\right)+P\left(\left(J+e_{2}\right)^{-1}\left(\bmod n_{s}\right)=2, c\left(e_{1}-2^{\lambda_{1}}\right)=-2^{k+\lambda_{2}}+2^{\lambda_{2}}+1\right) \\ +\ldots+P\left(\left(J+e_{2}\right)^{-1}\left(\bmod n_{s}\right)=n_{s}-1, c\left(e_{1}-2^{\lambda_{1}}\right)=n_{s}-2^{k+\lambda_{2}}+2^{\lambda_{2}}-2\right) \\ =\left(n_{s}-1\right)^{-1}\left[P\left(c\left(e_{1}-2^{\lambda_{1}}\right)=-2^{k+\lambda_{2}}+2^{\lambda_{2}}\right)+P\left(c\left(e_{1}-2^{\lambda_{1}}\right)=-2^{k+\lambda_{2}}+2^{\lambda_{2}}+1\right)+\ldots+P\left(c\left(e_{1}-2^{\lambda_{1}}\right)=n_{s}-2^{k+\lambda_{2}}+2^{\lambda_{2}}-2\right)\right] \\ =\left(n_{s}-1\right)^{-1}\left[P\left(c\left(e_{1}-2^{\lambda_{1}}\right)=-2^{k+\lambda_{2}}+2^{\lambda_{2}}\right)+P\left(c\left(e_{1}-2^{\lambda_{1}}\right)=-2^{k+\lambda_{2}}+2^{\lambda_{2}}+1\right)+\ldots+P\left(c\left(e_{1}-2^{\lambda_{1}}\right)=2^{k+\lambda_{2}}-2^{\lambda_{2}}\right)\right]\\ =\left(n_{s}-1\right)^{-1} \cdot 1=\left(n_{s}-1\right)^{-1} \end{array} \)

 Fig. 6 presents the distributions \(P_{\bar{S}_\sigma}(\bar{s}_\sigma)\) and \(P_{S_\sigma}(s_\sigma)\).

Fig. 6. The Distribution of \(P_{\bar{S}_\sigma}(\bar{s}_\sigma)\) and \(P_{S_\sigma}(s_\sigma)\)

 Then we have

\(\begin{aligned} \sum_{\alpha\in\mathbb{Z}}\left|P_{S}(\alpha)-P_{\bar{S}}(\alpha)\right| &= \sum_{\alpha\in\left\{-2^{k+\lambda_2}+2^{\lambda_2}+1,\ldots,n_{s}+2^{k+\lambda_2}-2^{\lambda_2}-1\right\}}\left|P_{S}(\alpha)-\left[n_{s}+2^{k+\lambda_{2}+1}-2^{\lambda_{2}+1}-2\right]^{-1}\right| \\ &<\left(z_{6}-z_{5}\right)\left(z_{3}-z_{2}+1\right)+z_{6} \cdot\left[\left(z_{4}-z_{3}\right)+\left(z_{2}-z_{1}\right)\right] \\ &=\left\{\left(n_{s}-1\right)^{-1}-\left[n_{s}+2^{k+\lambda_{2}+1}-2^{\lambda_{2}+1}-2\right]^{-1}\right\}\cdot\left(n_{s}-2^{k+\lambda_{2}+1}+2^{\lambda_{2}+1}-2\right)+\left(n_{s}-1\right)^{-1}\left[\left(2^{k+\lambda_{2}+1}-2^{\lambda_{2}+1}\right)+\left(2^{k+\lambda_{2}+1}-2^{\lambda_{2}+1}\right)\right] \\ &<\left(n_{s}-1\right)^{-1} \cdot\left(2^{k+\lambda_{2}+1}-2^{\lambda_2+1}-1\right)+\left(n_{s}-1\right)^{-1}\left(2^{k+\lambda_{2}+2}-2^{\lambda_2+2}\right) \\ &=\left(n_{s}-1\right)^{-1} \cdot\left(2^{k+\lambda_{2}+1}-2^{\lambda_{2}+1}-1+2^{k+\lambda_{2}+2}-2^{\lambda_{2}+2}\right)<\left(n_{s}-1\right)^{-1} \cdot\left(2^{k+\lambda_{2}+3}-2^{\lambda_{2}+3}\right)<\left(n_{s}-1\right)^{-1} \cdot 2^{k+\lambda_{2}+3}<1 / 2^{(\varepsilon-1)\left(\lambda_{2}+k\right)+2 k-2} \end{aligned}\)

 For ε>1, the denominator of the last term above grows faster than any polynomial in the input length, so the distributions of \(s_\sigma\) and \(\bar{s}_\sigma\) are statistically indistinguishable. Therefore, according to Definition 2, the interactive payment protocol is an honest-verifier statistical zero-knowledge proof.

 Theorem 4. Under the Discrete Logarithm assumption, the non-standard challenge-response \(s_\sigma = (J+e_2)^{-1}\ (\bmod n_s) - c(e_1 - 2^{\lambda_1})\) is computed correctly in the challenge-response equation set (E1).

 Proof. In the payment protocol, \(PK_3(e_2 : \Theta = a_1^{J(J+e_2)^{-1}(\bmod n_s)})\) and \(PK_4(\delta : \Theta = a_1^{J\delta} \wedge d_1 = T_1^{r_1}/(a^{r_2}a_1^{\delta}a_2^{r_3}h^{r_4}))\) prove that \(d_1 = T_1^{r_1}/[a^{r_2}a_1^{(J+e_2)^{-1}(\bmod n_s)}a_2^{r_3}h^{r_4}]\), which is used as the commitment of the zero-knowledge proof of the discrete logarithm knowledge of \(a_0 = T_1^{e}/(a^{x}a_1^{e_1}a_2^{e_2}h^{ew})\); C shows \(s_\sigma\) satisfying

\(d_{1}=a_{0}^{c} T_{1}^{s_{1}-c 2^{\lambda_1}}/\left(a^{s_{2}-c 2^{\lambda_1}} a_{1}^{s_{\sigma}-c 2^{\lambda_1}} a_{2}^{s_{3}} h^{s_{4}}\right)(\bmod n)=T_{1}^{r_{1}}/\left[a^{r_{2}} a_{1}^{\left(J+e_{2}\right)^{-1}\left(\bmod n_{s}\right)} a_{2}^{r_{3}} h^{r_{4}}\right]\)

 Without the discrete logarithm knowledge of \((a_0, T_1, a, a_1, a_2, h)\) relative to each other, the exponents of \(a_1\) are equal: \(s_\sigma + c(e_1 - 2^{\lambda_1}) = (J+e_2)^{-1}\ (\bmod n_s) + k_0 \cdot n_s\) ……(e6), where \((J+e_2)^{-1}\ (\bmod n_s)\) denotes the value of the inverse of \((J+e_2)\) in \([1, n_s-1]\) and \(k_0\) is any integer. If \(k_0 = 0\), then \(s_\sigma = (J+e_2)^{-1}\ (\bmod n_s) - c(e_1 - 2^{\lambda_1})\), so that tracing can be performed correctly. We now show how \(k_0 = 0\) is guaranteed.

 (1) If C executes the payment protocol honestly, \(k_0 = 0\). From \(c \in [1, 2^k-1]\), \((e_1 - 2^{\lambda_1}) \in [-2^{\lambda_2}, 2^{\lambda_2}]\) and \((J+e_2)^{-1}\ (\bmod n_s) \in [1, n_s-1]\), the probability that \(s_\sigma \in [-2^{k+\lambda_2}+2^{\lambda_2}+1, n_s+2^{k+\lambda_2}-2^{\lambda_2}-1]\) is 1, and S verifies whether \(s_\sigma\) lies in this interval in the payment protocol.

 (2) If C is dishonest and computes (e6) choosing \(k_0 \neq 0\):

 ○ If C computes (e6) choosing \(k_0 = 1\), i.e., \(s_\sigma = (J+e_2)^{-1}\ (\bmod n_s) + n_s - c(e_1 - 2^{\lambda_1})\). In this case, if \(s_\sigma \in [-2^{k+\lambda_2}+2^{\lambda_2}+1, n_s+2^{k+\lambda_2}-2^{\lambda_2}-1]\), it means \(-n_s-2^{k+\lambda_2}+2^{\lambda_2}+1 \leq (J+e_2)^{-1}\ (\bmod n_s) - c(e_1 - 2^{\lambda_1}) \leq 2^{k+\lambda_2}-2^{\lambda_2}-1\). We use \(Prob_{k_0=1}\) to denote the probability that S cannot detect the deceit:

\(\begin{aligned} {Prob}_{k_{0}=1} &={Prob} \left\{-n_{s}-2^{k+\lambda_{2}}+2^{\lambda_{2}}+1 \leq\left(J+e_{2}\right)^{-1}\left(\bmod n_{s}\right)-c\left(e_{1}-2^{\lambda_{1}}\right) \leq 2^{k+\lambda_{2}}-2^{\lambda_{2}}-1\right\}\\ &={Prob} \left\{-2^{k+\lambda_{2}}+2^{\lambda_{2}}+1 \leq\left(J+e_{2}\right)^{-1}\left(\bmod n_{s}\right)-c\left(e_{1}-2^{\lambda_{1}}\right) \leq 2^{k+\lambda_{2}}-2^{\lambda_{2}}-1\right\} \\ &={Prob}\left\{1 \leq\left(J+e_{2}\right)^{-1}\left(\bmod n_{s}\right) \leq c\left(e_{1}-2^{\lambda_{1}}\right)+2^{k+\lambda_{2}}-2^{\lambda_{2}}-1\right\} \end{aligned}\)

 \((J+e_2)^{-1}\ (\bmod n_s)\) is uniformly distributed over \([1, n_s-1]\) since \((J+e_2)\ (\bmod n_s)\) is uniformly distributed over \([1, n_s-1]\) according to the withdrawal protocol, and \(e_1 \in [2^{\lambda_1}-2^{\varepsilon(\lambda_2+k)}, 2^{\lambda_1}+2^{\varepsilon(\lambda_2+k)}]\) according to W. Then we have \((e_1 - 2^{\lambda_1}) \in [-2^{\varepsilon(\lambda_2+k)}, 2^{\varepsilon(\lambda_2+k)}]\). Therefore,

\({Prob}_{k_{0}=1}<\left\{\left(2^{k}-1\right) \cdot 2^{\varepsilon\left(\lambda_{2}+{k}\right)}+2^{k+\lambda_{2}}-2^{\lambda_{2}}-1\right\}/\left(n_{s}-1\right)<2^{\varepsilon\left(\lambda_{2}+k\right)+k+1} /\left(n_{s}-1\right)\)

 Because \(n_s\) is an \(l_{ps}\)-bit prime with \(l_{ps} = \varepsilon(\lambda_2+k)+2k+2\),

 \(Prob_{k_0=1} < 2^{\varepsilon(\lambda_2+k)+k+1}/(n_s-1) < 1/2^k\), which is negligible (usually the bit-length of the hash function is k = 128 or 160).

 ○ If C computes (e6) choosing \(k_0 = -1\), i.e., \(s_\sigma = (J+e_2)^{-1}\ (\bmod n_s) - n_s - c(e_1 - 2^{\lambda_1})\). In this case, if \(s_\sigma \in [-2^{k+\lambda_2}+2^{\lambda_2}+1, n_s+2^{k+\lambda_2}-2^{\lambda_2}-1]\), it means \(n_s-2^{k+\lambda_2}+2^{\lambda_2}+1 \leq (J+e_2)^{-1}\ (\bmod n_s) - c(e_1 - 2^{\lambda_1}) \leq 2n_s+2^{k+\lambda_2}-2^{\lambda_2}-1\).

\(\begin{array}{ll} {Prob}_{k_{0}=-1} = {Prob} \left\{c\left(e_{1}-2^{\lambda_{1}}\right)+n_{s}-2^{k+\lambda_{2}}+2^{\lambda_{2}}+1 \leq\left(J+e_{2}\right)^{-1}\left(\bmod n_{s}\right) \leq n_{s}-1\right\}\\ <{Prob} \left\{\left(2^{k}-1\right) \cdot 2^{\varepsilon\left({\lambda_2+k}\right)}+n_{s}-2^{k+\lambda_{2}}+2^{\lambda_{2}}+1 \leq\left(J+e_{2}\right)^{-1}\left(\bmod n_{s}\right) \leq n_{s}-1\right\}\\ <\left[2^{\varepsilon\left(\lambda_{2}+k\right)+k}+2^{k+\lambda_{2}}-2^{\lambda_{2}}-2\right]/\left(n_{s}-1\right)<2^{\varepsilon\left(\lambda_{2}+k\right)+k+1} /\left(n_{s}-1\right)<1 / 2^{k} \end{array}\)

 ○ If C computes (e6) with \(|k_0| > 1\), it is easy to see that \(s_\sigma \notin [-2^{k+\lambda_2}+2^{\lambda_2}+1, n_s+2^{k+\lambda_2}-2^{\lambda_2}-1]\).

 As shown above, \(Prob_{|k_0|=1}\) is negligible and \(Prob_{|k_0|>1} = 0\). Therefore, C has to compute (e6) with \(k_0 = 0\), which guarantees that \(s_\sigma = (J+e_2)^{-1}\ (\bmod n_s) - c(e_1 - 2^{\lambda_1})\) is computed correctly.

 The proposed scheme is based on our previous work [30]. Since similar proofs of Theorems 5-8 were provided in [30], we only state Theorems 5-8 here.

 Theorem 5. Under the S-RSA assumption, no PPT adversary except B can, with non-negligible probability, compute \((e_1, e_2, x, [A, e], a_0)\) s.t. \(A^e = a_0 a^x a_1^{e_1} a_2^{e_2}\ (\bmod n)\) with \(e_1, x \in \Lambda\), \(e_2 \in [0, 2n_s-2]\) and \(e \in \Gamma\) that differs from the wallets generated in the withdrawal protocol.

 Theorem 6. The knowledge proof in the proposed payment protocol is a proof of C's knowledge of his wallet parameters \((e_1, e_2, x, [A, e])\) under the S-RSA assumption.

 Theorem 7. Under the Discrete Logarithm assumption, no PPT adversary except C can, with non-negligible probability, generate a spending proof that was not actually generated by C but is proven to have been generated by C.

 Theorem 8. Our compact E-cash scheme with (BSetup, TSetup, CSetup, Withdraw, Spend, Deposit, UnconditionallyTrace, LossCoinTrace, DoubleSpendTrace) guarantees Balance, Complete-tracing, Anonymity of customer and Strong Exculpability under the S-RSA assumption and the q-DDHI assumption in the random oracle model.

8. Efficiency Analysis

8.1 Storage Space of some E-cash Systems

 For a clear comparison, Table 2 presents the storage space of each stage in several E-cash systems. To achieve a comparable security level, the bit-length of the order of the cyclic group G is 1024 in [17, 16, 8, 20, 19, 41, 26, 30] and in our scheme, and the prime order p of \(G_1\) and \(G_2\) in the bilinear map is 160 bits in [8, 21, 22, 31, 23]. We select L=10 in [22, 26] and l=10 in [8, 21, 23] and our scheme accordingly, which makes these schemes provide similar functions.

Table 2. Storage space for 1 coin in E-cash schemes

 The space complexity for \(2^n\) coins is O(n) in compact E-cash, that is to say, in [8, 21, 23] and our scheme the storage space for \(2^n\) coins is the same as that shown in Table 2 for 1 coin.

8.2 Computation Cost of some E-cash Systems

 Since multi-base exponentiations and bilinear pairings are the main computations of the protocols in these systems, they are presented in Table 3, while minor computations such as modular additions and hash computations are neglected.

Table 3. Computation cost for 1 coin in E-cash schemes

 In a compact E-cash system, to withdraw \(2^n\) coins the user runs the withdrawal protocol only once, so [8, 21, 23] and our scheme achieve better efficiency for \(2^n\) coins. Note that in divisible e-cash the user can withdraw a coin with the value of \(2^n\) coins and store it in O(n) space, but spending one coin worth \(1/2^n\) of the total value requires costly preparation.

8.3 Our solution to two problems

 Our main work is to solve two problems, one is achieving the complete and practical tracing, and the other one is solving the efficiency problem caused by tracing customer’s coins if he double-spends a coin. Table 4 presents our solution to the practical and complete tracing, that is to say, it presents the available tracing functions in the E-cash schemes.

Table 4. The available tracings in the E-cash systems

 According to Table 4, system 2 of [8], [31] and ours are the compact E-cash systems that can trace a double-spender's coins without a TTP, and to the best of our knowledge they are all the compact E-cash systems providing this function. Table 5 then presents the solution to the efficiency problem caused by this tracing. For a comparable security level, l=10, k=100 and x=1024 (the meanings of the parameters are given in Table 2 and Table 3).

Table 5. Compact E-cash with double-spender’s coin-tracing

9. Conclusion

 Anonymity is good, but it could be abused for crimes or cause trouble when E-cash is lost. Complete tracing can solve this problem. However, it also threatens the honest user’s privacy. The reasonable solution is to separate different tracing functions provided by different entities and choose the available ones according to the circumstances. Practical tracing can achieve it. To achieve the practical and complete tracing, another serious problem must be solved, i.e., how to trace double-spender’s coins efficiently. For solving it, we propose the particular knowledge proof, and using it honestly keeps perfect zero-knowledge property, while using it dishonestly leaks the information of proven knowledge. Since it changes the inner construction of standard zero-knowledge proof, we provide the complete proofs of it. Consequently, the practical and complete tracing is also efficient.

 

References

  1. Y. Chen, J. S. Chou, H. M. Sun, and M. H. Cho, "A novel electronic cash system with trustee-based anonymity revocation from pairing," Electronic Commerce Research and Applications. vol.10, no.6, pp. 673-682, 2011. https://doi.org/10.1016/j.elerap.2011.06.002
  2. Z. Tan, "An Off-line Electronic Cash Scheme Based on Proxy Blind Signature," The Computer Journal, vol. 54, no. 4, pp. 505-512, 2011. https://doi.org/10.1093/comjnl/bxq078
  3. D. Chaum, "Blind signatures for untraceable payments," in Proc. of CRYPTO'82, pp. 199-203, 1983.
  4. Pin-Chang Su and Chien-Hua Tsai, "New Proxy Blind Signcryption Scheme for Secure Multiple Digital Messages Transmission Based on Elliptic Curve Cryptography," KSII Transactions on Internet and Information Systems, vol. 11, no. 11, pp. 5537-5555, 2017. https://doi.org/10.3837/tiis.2017.11.020
  5. Md. Abdullah Al Rahat Kutubi, Kazi Md. Rokibul Alam, Rafaf Tahsin, G. G. Md. Nawaz Ali, Peter Han Joo Chong and Yasuhiko Morimoto, "An Offline Electronic Payment System Based on an Untraceable Blind Signature Scheme," KSII Transactions on Internet and Information Systems, vol. 11, no. 5, pp. 2628-2645, 2017. https://doi.org/10.3837/tiis.2017.05.018
  6. Zhen Zhao, Jie Chen, Yueyu Zhang and Lanjun Dang, "An Efficient Revocable Group Signature Scheme in Vehicular Ad Hoc Networks," KSII Transactions on Internet and Information Systems, vol. 9, no. 10, pp. 4250-4267, 2015. https://doi.org/10.3837/tiis.2015.10.027
  7. Run Xie, Chunxiang Xu, Chanlian He and Xiaojun Zhang, "An Efficient Dynamic Group Signature with Non-frameability," KSII Transactions on Internet and Information Systems, vol. 10, no. 5, pp. 2407-2426, 2016. https://doi.org/10.3837/tiis.2016.05.025
  8. J. Camenisch, S. Hohenberger, and A. Lysyanskaya, "Compact e-cash," in Proc. of Advances in Cryptology- EUROCRYPT 2005, pp. 302-321, 2005.
  9. S. von Solms and D. Naccache, "On blind signatures and perfect crimes," Computers & Security, vol. 11, pp.581-583, 1992. https://doi.org/10.1016/0167-4048(92)90193-U
  10. E. Brickell, P. Gemmell, and D. Kravitz, "Trustee-based tracing extensions to anonymous cash and the making of anonymous change," in Proc. of 6th annual ACM-SIAM symposium on Discrete algorithms, pp. 457-466 ,1995.
  11. M. Stadler, J. Piveteau, and J. Camenisch, "Fair blind signatures," in Proc. of Advances in Cryptology Eurocrypt'95, pp. 209-219, 1995.
  12. A. Lysyanskaya and Z. Ramzan, "Group blind digital signatures: A scalable solution to electronic cash," in Proc. of FC'98, pp. 184-197, 1998.
  13. G. Maitland and C. Boyd, "Fair electronic cash based on a group signature scheme," Information and Communications Security, pp. 461-465, 2001.
  14. H. Oros and C. Popescu, "A Secure and Efficient Off-line Electronic Payment System for Wireless Networks," Intl. J. of Computers, Comm. and Control, Suppl. Issue Vol. V, No. 4, pp. 551-557, 2010.
  15. J. Zhang, L. Ma, and Y. Wang, "Fair E-Cash System without Trustees for Multiple Banks," in Proc. of CISW 2007, pp. 585-587, 2007.
  16. S. Canard, C. Delerablee, A. Gouget, E. Hufschmitt, F. Laguillaumie, H. Sibert, J. Traore, and D. Vergnaud, "Fair E-Cash: Be Compact, Spend Faster," in Proc. of ISC 2009: Information Security, pp. 294-309, 2009.
  17. S. Canard and J. Traore, "On fair e-cash systems based on group signature schemes," in Proc. of ACISP2003, pp. 237-248, 2003.
  18. W. Qiu and K. Chen, "A new offline privacy protecting e-cash system with revokable anonymity," Information Security, pp. 177, 2002.
  19. H. Wang, J. Cao, and Y. Zhang, "A flexible payment scheme and its role-based access control," IEEE Transactions on Knowledge and Data Engineering, vol. 17, no. 3, pp. 425-436, 2005. https://doi.org/10.1109/TKDE.2005.35
  20. J. Liu, P. Tsang, and D. Wong, "Recoverable and untraceable e-cash," in Proc. of PKI, pp. 206-214, 2005.
  21. M. Au, W. Susilo, and Y. Mu, "Practical compact e-cash," in Proc. of the 12th Australasian conference on Information security and privacy 2007, pp. 431-445, 2007.
  22. M. Au, W. Susilo, and Y. Mu, "Practical anonymous divisible e-cash from bounded accumulators," Financial Cryptography and Data Security, pp. 287-301, 2008.
  23. M. Belenkiy, M. Chase, M. Kohlweiss, and A. Lysyanskaya, "Compact e-cash and simulatable VRFs revisited," in Proc. of Pairing-Based Cryptography-Pairing 2009, pp. 114-131, 2009.
  24. S. Brands, "Untraceable off-line cash in wallet with observers," in Proc. of CRYPTO'93, pp. 302-318, 1993.
  25. S. Brands and C. v. W. e. Informatica, "An efficient off-line electronic cash system based on the representation problem," CWI Technical Report CS-R9323, Citeseer, 1970.
  26. S. Canard and A. Gouget, "Divisible e-cash systems can be truly anonymous," in Proc. of Advances in Cryptology-EUROCRYPT 2007, pp. 482-497, 2007.
  27. Z. Eslami and M. Talebi, "A new untraceable off-line electronic cash system," Electronic Commerce Research and Applications, vol. 10, no. 1, pp. 59-66, 2011. https://doi.org/10.1016/j.elerap.2010.08.002
  28. Schoenmakers, B., "Security aspects of the $E-cash^{TM}$ payment system," State of the Art in Applied Cryptography, pp. 338-352, 1998.
  29. W. S. Juang, "RO-cash: An efficient and practical recoverable pre-paid offline e-cash scheme using bilinear pairings," Journal of Systems and Software, vol. 83, pp. 638-645, 2010. https://doi.org/10.1016/j.jss.2009.11.006
  30. B. Lian, G. L. Chen and J. H. Li, "Provably secure E-cash system with practical and efficient complete tracing," International Journal of Information Security, vol. 13, no. 3, pp. 271-289, Apr. 2014. https://doi.org/10.1007/s10207-014-0240-2
  31. M. Au, Q Wu, W Susilo, Y Mu, "Compact E-Cash from Bounded Accumulator," in Proc. of CT-RSA'07. LNCS, vol. 4377, pp. 178-195, 2007.
  32. B. Lian, G. Chen, M. Ma, J. Li, "Periodic K-Times Anonymous Authentication with Efficient Revocation of Violator's Credential," IEEE Transactions on Information Forensics and Security, vol. 10, no. 3, pp. 543-557, 2015. https://doi.org/10.1109/TIFS.2014.2386658
  33. E. Fujisaki and T. Okamoto, "Statistical zero knowledge protocols to prove modular polynomial relations," in Proc. of Advances in Cryptology-CRYPTO'97, pp. 16-30, 1997.
  34. D. Boneh, "The decision diffie-hellman problem," Algorithmic Number Theory, pp. 48-63, 1998.
  35. G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik, "A practical and provably secure coalition-resistant group signature scheme," in Proc. of Advances in Cryptology-CRYPTO 2000, pp. 255-270, 2000.
  36. J. Camenisch, "Group signature schemes and payment systems based on the discrete logarithm problem," PhD thesis, vol. 2 of ETH Series in Information Security and Cryptography, Hartung-Gorre Verlag, Konstanz, ISBN 3-89649-286-1, 1998.
  37. Y. Dodis and A. Yampolskiy, "A Verifiable Random Function With Short Proofs and Keys," in Proc. of Public Key Cryptography, vol. 3386 of LNCS, pp. 416-431, 2005.
  38. J. Camenisch and A. Lysyanskaya, "A signature scheme with efficient protocols," in Proc. of Security in Communication Networks'02, vol. 2576 of LNCS, pp. 268-289, 2002.
  39. J. Camenisch and M. Michels, "Proving in zero-knowledge that a number is the product of two safe primes," in Proc. of Advances in Cryptology-EUROCRYPT'99, pp. 107-122, 1999.
  40. C.P. Schnorr, "Efficient Signature Generation by Smart Cards," Journal of Cryptology, vol 4, pp. 161-174, 1991. https://doi.org/10.1007/BF00196725
  41. B. Lian, G. L. Chen, J. H. Li, "A Provably Secure and Practical Fair E-cash Scheme," in Proc. of 2010 IEEE International Conference on Information Theory and Information Security, 2010.