Fairness realized with Observer

Transcription

1 Fairness realized with Observer Heike Neumann Mathematical Institute University of Giessen Arndtstr. 2 G Giessen Heike.B.Neumann@math.uni-giessen.de Thomas Schwarzpaul Mathematical Institute University of Giessen Arndtstrasse 2 G Giessen Thomas.Schwarzpaul@math.uni-giessen.de Abstract We examine the interference of fairness and observers in digital coin systems. Since copying of coins cannot be prevented cryptographically in anonymous off-line coin systems, double-spending detection is one of the major tasks. An observer is a tamper resistant device that prevents doublespending physically, i.e., Alice has no access to her coins and therefore she cannot copy them. Digital coin systems usually guarantee perfect anonymity. The bank cannot link views of the withdrawal and payments in order to determine wether or not a customer spents his money at a certain shop. Anonymity is one of the essentials of digital coins. The customer s privacy protection is the main difference of coin systems from credit card or cheque based systems. While privacy protection is a desirable property of cash systems, perfect anonymity is not. Perfect anonymity enables criminals to do perfect blackmailing or money laundry, [vsn92]. To prevent a perfect crime it has to be possible to revoke the anonymity of customers in case of need. Anonymity revocation is done by a trusted third party. Cash systems that allow anonymity revocation are called fair. We present a coin system which features both observer and fairness. This shows that both concepts do not interfere and can be implemented simultanously without loss of security. Unlike other fair off-line coin systems, fairness is realized with the help of the observer, which decreases the computational effort during the withdrawal. Keywords: Electronic cash, digital coins, observer, tamper resistant device, fairness. 1 Introduction Electronic commerce is one of the most important applications for the internet. The prerequisite for establishing an electronic marketplace is secure payment. Many protocols have been proposed to implement different kinds of payments: credit card payments, micropayments, and digital coins. Cryptographically, the most challenging task is the design of digital coins. For every payment system mentioned above we have the requirement that the payment token has to be unforgeable. Usually, we reach this goal by using digital signatures of the bank to validate a payment token. But in contrast to credit card payments and micropayments for digital coins we have an additional requirement: the anonymity of the currency, i.e., the bank is not able to link a purchase to a special user. In 1982 D. Chaum presented the notion of blind digital signatures that offer the possibility to design electronic coins. The bank signs blindly a set of data chosen by Alice which guarantees both the

2 unforgeability of the coins and their anonymity, since the bank does not get any information about the data it signed. But blind signatures solve only half of the problem: since digital data can be copied, a user can spend a valid coin several times (double-spending) if the deposit of coins is not done on-line. To validate each coin on-line means that the vendor has to contact the bank in every purchase. From the efficiency s point of view this is undesirable. Therefore, we restrict our attention to off-line systems, i.e., the vendor has to check the validity of coins without contacting the bank. But no vendor can distinguish an original coin from its copy, which implies that no cryptographic mechanism can prevent double-spending. In 1988 Chaum, Fiat, and Naor overcame the problem by presenting a double-spending detection mechanism. A coin is constructed in a way that allows its owner, Alice, to spend it anonymously once, but reveals her identity if she spent it twice. From a theoretic point of view this solution is quite elegant. But in practice it is unsatisfactory. A way to prevent the user physically from copying her coins is to store essential parts of a coin in a tamper resistant device called observer. Another drawback of the coin systems sketched so far is perfect anonymity of the system. A digital coin system is called perfectly anonymous if the bank s view of withdrawal and payment are independent (in a stochastical sense). In practice this implies that the bank can be no means trace a customer or his coins. The bank is not able to determine which customer performed a certain payment. Though perfect anonymity is a theoretically nice property it is not desirable in practice. In [vsn92], [BGK95], [SPC95] the authors described attacks on a perfect anonymous system: perfect anonymity allows perfect blackmailing or money laundry. In practice, we need some anonymity revocation mechanism to prevent criminal activities or to trace the criminals. Obviously, we need another party to perform this mechanism to protect the honest participants of the system. Since customers and the bank have to trust this party in revealing only suspicious identities we call this new party a TTP (=trusted third party). Digital coin systems that implement some kind of anonymity revocation method are called fair. Our concern is to modify a coin system with observers so that a TTP can revoke the anonymity of customers in case of need. Since crucial parts of the coins are stored by the observer and cannot be read by their owner, it is not obvious how to design a cash system which provides both properties: the physical line of defense against double-spending by an observer and the fairness of coins. Based on the works of [FTY98] and [Br93] we develope a coin system which provides both fairness and observer and prove the security of our construction (provided that the basic mechanism are secure). This shows that both concepts can be implemented in one protocol without loss of security. Through the use of the observer we can realize fairness in a more efficient way as [FTY98]. The paper is organized as follows: In section 2 we briefly sketch a coin system with observer, in section 3 we discuss fairness. In section 4 we present a system that features both observers and fairness and we analyze its security in section 5. 2 Coins in Wallets with Observers There are several proposals in literature to model the properties of conventional coins for digital purposes, e.g., [CFN88], [FY93] [Br93], [Fer93], [OO91], [ST99]. A digital coinsystem as a conventional one has to provide non-forgery, off-line verification, and untraceability. The non-forgery of digital coins is guaranteed by a digital signature of the bank. Hence, nobody

3 except for the bank can generate coins, but everyone is able to verify the correctness of the signature. Forging a coin is as difficult as breaking the digital signature scheme, thus in general we have computational security. To achieve the untraceability of coins the banks computes a blind signature instead of a conventional one. This means that the customer and the bank generate a set of data and a corresponding signature so that the bank cannot reconstruct the coin after the withdrawal. The central problem with off-line coins is the double-spending, i.e., the missing originality of the coins. Though a merchant can verify the validity of the bank s signature, he is not able to decide whether or not a coin has been double-spent. Since the coins provide the customer s unconditional anonymity, not even the bank knows who double-spent the coin. The basic idea to solve this problem came from Chaum, Fiat, and Naor,[CFN88], and consists in including the customer s identity in the coin in a way that enables the bank to compute it after a double-spending (and only in that case!). This implies that a payment cannot be simply sending a coin to the vendor, but the customer has to reveal a part of his identity. The coin systems proposed in [CFN88] and [OO91] cannot prevent double-spending, but detect it afterwards. This problem cannot be solved by cryptographic means. No one can prevent Alice from making copies of the information stored by her computer. This means that coins should not be stored by Alice s computer, but tamper resistent hardware device which erases them after Alice spent them. To assure Alice s anonymity the tamper resistant device is controlled by Alice s computer. This concept is often called an observer and was presented by Chaum and Pedersen in [CP92b]. The observers are distributed by the bank. To guarantee the prevention of double-spending the bank has to be sure that the observers cannot be tampered with by the users. This is twofold: It must not be possible for the user to construct valid coins from the information provided by the observer during the communication. It must be impossible to physically extract information from the observer which enables the user to construct valid coins. On the other hand Alice s anonymity should not be compromised by the observer. Even if the observer gets back to the bank, the bank must not be able to link Alice to her payments. The main idea how to reach this goal is to let Alice control all communication between the observer and the world. This enables Alice to control the information given by the observer. For our fair off-line coin scheme we restrict this model slightly. In our model the observer can not be returned to the bank. This prevents the banks ability to select the data stored in the observers memory. In practice this can be done by destroying the observer before its return to the bank. The use of an observer is a kind of first line of defense. If the user cannot manipulate the device the observer can prevent double-spending. If the user succeeds in tampering the observer, the doublespending detection identifies the user afterwards. The user has to break the observer physically and the electronic cash system mathematically to cheat the bank. To avoid the attacks described in [BDL97], the observer s internal memory has to be protected by adding some error detection bits. We demonstrate the double-spending detection and the use of an observer in the system of [Br93].

4 2.1 Preparations of the bank The bank chooses a group G of prime order q of length k, three generators g, g 1, g 2 of G, a secret key x Z q and two one-way hash functions H : G 5 Z q and H 0 : G 2 ID time Z q where ID is the set of vendor identification numbers. The bank computes its public key h := g x. All computations are done in G. 2.2 Opening an account To open an account Alice authenticates towards the bank. She chooses secretly and randomly u 1 Zq, sends g u 1 1 to the bank. The bank chooses o 1 Zq, stores it in the tamper resistant device, and hands the observer over to Alice. The observer computes A o := g o 1 1 and transmits A o to Alice. The bank stores I := A o g u 1 1 together with Alice s personal data. Note that Alice does not know the representation of I. 2.3 Withdrawal In principle, the withdrawal protocol is the generation of a Schnorr-signature by the bank on a set of data known only to Alice, [Sch89], as shown in figure 1. Observer Alice Bank o 2 R Zq w R Zq B o := g o 2 2 a := g w B o a, b b := (Ig 2) w s, u, v, e, y 1, y 2 R Zq A := (Ig 2) s z := z s B := g y 1 1 gy 2 2 Ase o B o a := a u g v b := b su A v c := H(A, B, a, b, z ) c := cu 1 mod q r := u r + v mod q r c r := c x + w mod q Figure 1: Withdrawal with observer The validity of a coin can be checked as follows: One computes c := H(A, B, z, a, b ) and checks A r = z,c b g r = h c a

5 2.4 Purchase In a purchase, Alice sends the coin (A, B, a, b, z, r ) to the merchant. Alice and the vendor perform a challenge-response-protocol: the vendor generates a challenge depending on the coin, the vendor s identification number and the time. Alice proves with the help of the observer that she knows a representation of A and B to the bases g 1 and g 2. Observer Alice Vendor A, B, a, b, z, r checks the signature d := H 0(A, B, I V, time) d d := s(d + e) mod q d o 2 stored r 1 := d o 1 + o 2 mod q erases o 2 r 1 r1 := r 1 + d s u 1 + y 1 mod q r 2 := ds + y 2 mod q r 1, r 2 checks = A d B g r 1 1 gr 2 2 Figure 2: Purchase with observer It is quite easy to see that Alice cannot compute o 1 and o 2 from the information provided by the observer under the assumption that she cannot compute discrete logarithm in G. This implies, that Alice is not able to perform the proof of knowledge without the interaction with the observer. And since the observer erases o 2 after the purchase, she cannot double-spend the coin. 2.5 Deposit To deposit the coin, the merchant sends the coin and the transcript of the challenge-response-protocol to the bank. The bank checks the correctness of the coin s signature, of the merchant s challenge d and of Alice s responses to the challenge. If everything is correct, the bank checks its database whether the coin has been already deposited. If it is not, the bank stores the coin, the merchant s challenge, and Alice s responses. If it is, the bank compares the values of the challenge and the responses. If the challenge is the same, the merchant tries to cheat by depositing the same coin twice. Thus, the bank rejects the deposit. If the challenges differ, so do Alice s responses, which enables the bank to compute Alice s identification number. Let d and d be the merchants challenges and r 1, r 2 and r 1, r 2 Alice s responses: 1 = g (r 1 +d s u 1+y 1 r 1 d s u 1 y 1 ) (d s+y 2 d s y 2 ) 1 g (r 1 r 1 ) (r 2 r 2 ) 1 1

6 = g (s (d+e) o 1+d u 1 s s ( d+e) o 1 d u 1 s) (s d s d) 1 1 = g o 1+u 1 1 = I 3 Fairness Perfect anonymity protects the privacy of customers in the sense that the bank is not able to decide whether or not customer performed a certain payment. Perfect refers to the fact that even a bank with unlimited computional power is not able to trace coins, i.e., the privacy protection is not based on any complexity assumptions. To implement an anonymity revocation mechanism one has to lose the requirement of perfect anonymity. Frankel, Tsiounis and Young showed in [FTY96] that anonymity in a fair coin systems can only be computational. Furthermore, [FTY96] shows that anonymity revocation has two different aspects: Identity tracing: After a payment the identity of the payer is revealed. Coin tracing: After a withdrawal the coins or some crucial parts of them are revealed. Identity tracing is needed if the bank gets suspicious money and wants to know who spent it. This can be necessary in case of money laundry. In case of blackmailing the bank has a protocol view of a suspicious withdrawal. The task is to find the withdrawn coins in order to publish them to prevent payments with these coins. Therefore, in this case coin tracing is needed. There are a lot of proposals how to implement identity and coin tracing, [BGK95], [FTY96], [FTY98], [SPC95]. The most efficient solution for a fair coin system is presented in [FTY98]. It is based on Brands coin system and guarantees the fairness by encryptions of the customer identity and parts of the coin. The customer has to prove the correctness of his encryptions by zero-knowledge-proofs of knowledge. We will give a short overview over the protocols: In principle, three non-interactive zero-knowledge proofs for the equality of discrete logarithms are additionally performed: two during withdrawal to provide the bank with the encryption of a part of the withdrawn coin to ensure coin tracing and the third one during payment to ensure identity tracing. Notation: EqLog[(A, a), G 1, (B, b), G 2 ] denotes the zero-knowledge proof presented in figure 3. The non-interactive variant is construct by the standard technique of replacing the random challenge c by a hash value c := H(A, B, A, B, a, b, G 1, G 2 ). Initialization of the bank As in the Brands system the bank chooses primes p and q, q (p 1). Computations are done in the subgroup G q of order q of Z p. Generators g, g 1,..., g 4 of G q, p, q and hash functions H, H 0, H 1,... are published. The bank s secret key is x B and the corresponding public keys are h := g x B, h 1 := g x B 1, h 2 := g x B 2, h 3 := g x B 3. Initialization of the TTP The TTP chooses a secret key x T and publishes f 2 := g x T 2, f 3 := g x T 3. Opening an account There is no difference to Brands system: the customer chooses u 1 Z q, g u 1 1 g 2 1, and computes I := g u 1 1. He proves in zero-knowledge the knowledge of u 1.

7 P EqLog[(A, a, G 1, (B, b), G 2 ] P proves A = a x G v 1, B = bx G w 2 V Withdrawal y, s 1, s 2, s 3 R Z q A := a y g s1 1, B = b y G s2 2 r := c x + y mod q r 1 = cv + s 1, r 2 = cw + s 2 A, B c Input A, B, G 1, G 2 c R Z q r, r 1, r 2 a r G r1 1 = A c A b r G r2 2 Figure 3: Proof of equality of logarithms In 4 the fair withdrawal is presented. = B c B The new protocol differs in two ways from the basic system. First, the customer has to transmit an ElGamal encrypted part of his coin, i.e., g2 s. In order to force him to use this term in the following withdrawal a new value I is needed. I encodes the user s identity. In V 1 the customer proofs the correctness of this encoding, in V 2 the correctness of the ElGamal encryption. The combination ensures that g2 s can only be used by the participating customer. Payment The payment contains an additional proof of equality of logarithms. The customer encrypts his identity under the public key of the TTP and proves that the encryption is a correct ElGamal encryption and that the cleartext is the identity number contained in A of his coin. Deposit As in the basic system the vendor deposits the coin by sending his protocol view of the payment to the bank. Remark keys. Note that the TTP does not register customers. Customers only need the TTP s public Analysis We have to consider three aspects of security: (i) security for the bank, i.e., the unforgeability of coins, (ii) fairness, i.e., the TTP is able to trace identities and coins, (iii) security for the customers, i.e., the privacy protection. (i) Unforgeability and unreusability are the same as in the basic system of Brands, [Br93]. (ii) The TTP can trace identities since it gets an ElGamal-Encryption A 1, A 2 of the customer s identity I. The correctness of the encryption is done by a zero-knowledge protocol, hence the customer s probability to cheat is negligible. The TTP can trace coins because it gets the ElGamal encryption E 1, E 2 of g2 s = A I 1. The customer. (iii) The customers anonymity is based on the Diffie-Hellman-Decision assumption. The proof is done in the random oracle model by a simulation technique. For details see [FTY98].

8 C B m, s, t R Z q I := g u1s 1 1 g3 s 1 g4 t E 1 := g2f s 3 m, E 2 := g3 m V 1 = EqLog[(E 1, f 3 ), g 2, (E 2, g 3 ), nil] V 2 = EqLog[(g 3, I ), (g 1, g 4 ), (E 1, g 2 ), f 3, (I, I ), (g 3, g 4 )] A = (I g 2 g4 t 1 ) s = g u1 1 gs 2g 3 z = h u1 1 hs 2h 3 = A x B x 1, x 2, u, v R Z q B = g x1 1 gx2 2 a = (a ) u g v b = (b b t 1 ) su A v = A wu+v c = H(A, B, z, a, b) c = cu 1 mod q r = r u + v mod q I, E 1, E 2, V 1, V 2 a, b, b c r E 2 1 verifies V 1, V 2 w R Z q a = g w, b = (I g 2 ) w b = g w 4 r := c x B + w mod q Figure 4: Fair Withdrawal 4 Fair Coins in Wallets with Observers To combine both concepts we have to carefully implement an observer in the fair system. In the previous section we saw that fairness is achieved by some zero-knowledge proofs, which increase the computational effort of the protocols. We now show how to eliminate the zero-knowledge proofs by replacing them with a signature of the observer. Initialization of the bank and the TTP In addition to the setup of [FTY98] another generator g 5 and two more hashfunctions H 2 and H 3 are published: H 2 : G q G q G q G q and H 3 : G q G q Z q The hashfunction H 3 as well as the generator g 5 are used for construction and verification of the Schnorr signatur generated by the observer.

9 C A 1 = g u1 1 gs 2 = A g3 1 A 2 = f2 s V 3 = EqLog[(A 1, g 2 ), g 1, (A 2, f 2 ), nil] uses B instead of A in V 3 A 1, A 2, A, B, z, a, b, r, V 3 V 1 A 1 g 3 = A sig(a, B) = (z, a, b, r) verifies V 3 A 1 Figure 5: Fair Payment Opening an account A customer opens an account in the same way as in [Br93]. In addition a signature key for the observer is created. A randomly chosen value X O is stored in its memory (ROM). X O, which is unknown to the user, is the observers private key. The public key h O = g X O 5 is stored by the bank and the user. Withdrawal The new withdrael protocol differs from the basic one in the way fairness is achieved. Instead of using zero-knowledge proofs to ensure tracing mechanisms, coin tracing is now guaranteed by the observer. Compared to the system [FTY98] the ElGamal encryption (E 1, E 2 ) and the value I are computed by the observer and signed afterwards using the Schnorr signature scheme. The signature σ O guarantees the correct construction of I and the ElGamal encryption (E 1, E 2 ). To avoid the use of a subliminal channel, as described in [Sim84], between observer and bank, all random values are chosen by the user. Thus the user gets to know the observer s private key if observer and bank use the signature as a subliminal channel. The user also verifies the signature as well as the correct construction of I and the ElGamal encryption (E 1, E 2 ) before transmitting these values to the bank. The protocol is presented in figure 6. Purchase The view of the vendor does not differ from that one in the basic protocol.. Since the customer does not know the discrete logarithm of his identity number I he has to perform the proof V 3 with the help of the observer. The protocol is presented in figure 7. We omit the deposit since it is the same as in the basic system. Efficiency In comparison to [FTY98] we save 17 exponentations, which is about a third of the exponentations made during withdrawal. 5 Discussion Again, we have to consider three aspects in order to show the security of our construction: (i) The unforgeability and unreuseability are proven by a standard simulation technique. (ii) identity tracing

10 O C B o 2 R Z q B o:=g o 2 1 m,s,t R Z q I :=(Ig 3 ) s 1 g t 4 E 1 :=g2 sf 3 m,e 2:=g3 m σ O σ(h 2 (I,E 1,E 2 )) E 1 =g2 sf 3 m I,E 1,E 2,B o,σ O E 2 =g m 3 I =(Ig 3 ) s 1 g4 t V erify σ O I,E 1,E 2,σ O E2 1 V erify σ O w R Z q a =g w,b =(I g 2 ) w a,b,b b =g w 4 A=(I g 2 g t 1 4 ) s =g u 1 +o 1 1 g s 2 g 3 z=h u 1 1 hs 2 h 3=A x B x 1,x 2,u,v,e R Z q B=g x 1 1 gx 2 2 Ase o B 0 a=(a ) u g v b=(b b t 1 ) su A v =A wu+v c=h(a,b,z,a,b) c =cu 1 mod q r=r u+v mod q c r r :=c x B +w mod q Figure 6: Fair Withdrawal with observer is achieved in the same way as in [FTY98] since the protocol view of the vendor remains the same. Coin tracing is now guaranteed through the observer. Its security is based on the unforgeability of Schnorr signatures. (iii) The most interesting part is the customers privacy protection. Theorem 1 Assuming that the observer is not returned to the bank and under the Diffie-Hellman- Decision assumption the customers privacy is computationally protected in the random oracle model. Proof We show that a machine M that can decide which coin came from which withdrawal can break the semantic security of the ElGamal encryption and hence breaks the Diffie-Hellman-Decision assumption. Let i, j {0, 1}, i = 1 j. M gets µ (i) := g2 s(i), µ (j) := g2 s(j), s (i), s (j) and the encryption (E (0) 1, E(1) 2 ) of µ(0) and (E (1) 1, E(1) 2 ) of µ(1) as an input. Choosing s (i) and s (j) uniformly on Z q implies a uniform distribution of µ (i) and µ (j) on G. M has to find out whether i equals 0 or 1. M simulates two withdrawals and two payments: M chooses x B and two random identity numbers u (i) 1, o(i) 1 and u (j) 1, o(j) 1.

11 O K H r 1 := d o 1 + o 2 d r 1 A 1 = g u1+o1 1 g2 s = A g3 1 A 2 = f2 s B := f x2 2 A 1, A 2, A, B, B, z, a, b, r A 1 1 A 1 g 3 = A sig(a, B) = (z, a, b, r) d := H(A, B, ID H ) d := d + e d r 1 := r 1 + du 1 + x 1 r 2 := ds + x 2 r 1, r 2 g r1 1 gr2 2 f r2 2 = A d 1B = A d 2B Figure 7: Payment in a fair system with observer M knows s (i) and s (j). Hence M can compute: A (i) 1 +o(i) 1 1 g2 s(i) A (j) 1 := g u(i) 1 := g u(j) A (i) 2 := f2 s(i) A (j) 2 := f2 s(j) A (i) := A (i) 1 g 3 A (j) := A (j) 1 g 3 M randomly chooses x (i) 1, x(i) 2, d(i) and x (j) 1, x(j) 2, d(j). 1 +o(j) 1 1 g2 s(j) M simulates the payments: B (i) := g (x(i) 1 1 g x(i) 2 2 A d(i) 1 and B (j) := g (x(j) 1 1 g x(j) 2 2 A d(j) 1. Since all computations are done in the random oracle model, M can set H(A (i), B (i), ID (i) H ) =: d(i) and H(A (j), B (j), ID (j) H ) =: d(j). M chooses r (i) 1 := x (i) 1, r(i) 2 := x (i) 2 and r (j) 1 := x (j) 1, r(j) 2 := x (J) 2 as the responses to these challenges. M randomly chooses o (i) 2, d (i), r (i) 1 and o (j) 2, d (j), r (j) 1. Therefore, M gets two payment views: A (i), A (i) 1, A(i) 2, B(i), ID (i) H, d(i), o (i) 2, r (i) 1, r(i) 1, r(i) 2 A (j), A (j) 1, A(j) 2, B(j), ID (j) H, d(j), o (j) 2, r (j) 1, r(j) 1, r(j) 2 Analogously, M generates the withdrawal views. (Since M knows the secret key x B it can compute valid signatures. Since M can link payments and withdrawals (by assumption) it can determine the value of i and j - hence,m can distinguish ElGamal encryptions contradicting the Diffie-Hellman-Decision assumption.

12 6 Conclusion We presented a digital coin system which provides a physical defense against double-spending additionally to a double-spending detection in case the observer is tampered by its owner and identity and coin tracing mechanism. We proved that both concepts carefully implemented does not interfere with respect to security, i.e., our construction is as secure as the building blocks. References [BGK95] E. Brickell, P. Gemmell, D. Kravitz, Trustee-based tracing extensions to anonymous cash and the making of anonymous change, Symposium on Distributes Algorithms (SODA), 1995 [BDL97] D. Boneh, R.A. DeMillo, R.J. Lipton, On the Importance of Checking Cryptographic Protocols for Faults, Proc. of Eurocrypt 97, Lecture Notes in Computer Science 1233, Springer Verlag [Br93] S. Brands, Untraceable off-line cash in wallets with observers, Proc. of Crypto 93, Lecture Notes in Computer Science 773, Springer-Verlag [CFN88] D. Chaum, A. Fiat, M. Naor, Untraceable Electronic Cash, Proc. of Crypto 88, Lecture Notes in Computer Science 403, Springer-Verlag [Ch82] D. Chaum, Blind signatures for untraceable payments, Proc. of Crypto 82, Plenum Publishing, New York 1982 [CP92b] D. Chaum, T.P. Pedersen, Wallet Databases with Obsersers, Proc. of Crypto 92, Lecture Notes in Computer Science 740, Springer-Verlag [CP93] R. Cramer, T.P. Pedersen, Improved Privacy in Wallets with Observers, Proc. of Eurocrypt 93, Lecture Notes in Computer Science 765, Springer-Verlag [Fer93] N. Ferguson, Extensions of Single-term Coins, Proc. of Crypto 93, Lecture Notes in Computer Science 773, Springer-Verlag [FTY96] Y. Frankel, Y. Tsiounis, M. Yung, Indirect Discourse Proofs: Achieving Efficient Fair Off-Line E-Cash, Proc. of Asiacrypt 96, Lecture Notes in Computer Science 1163, Springer- Verlag [FTY98] Y. Frankel, Y. Tsounis, M. Yung, Fair Off-Line e-cash made easy, Proc. of Asiacrypt 98, Lecture Notes in Computer Science, Springer-Verlag [FY93] M. Franklin, M. Yung, Secure and efficient off-line digital money, Proc. of Automata, Languages and Programming, ICAPL 93, Lecture Notes in Computer Science 700, Springer- Verlag [OO91] T. Okamoto, K. Ohta, Universal Electronic Cash, Proc. of Crypto 91, Lecture Notes in Computer Science 576, Springer-Verlag [SPC95] M. Stadler, J.-M. Piveteau, J. Camenisch, Fair Blind Signatures, Proc. of Eurocrypt 95, Lecture Notes in Computer Science 921, Springer-Verlag

13 [ST99] T. Sander, A. Ta-Shma, Auditable, Anonymous Electronic Cash,, Proc. of Crypto 99, Lecture Notes in Computer Science 1666, Springer-Verlag [Sch89] C. Schnorr, Efficient signature generation by smart cards, Proc. of Crypto 89,Lecture Notes in Computer Science, Springer-Verlag [Sim84] G. J. Simmons The Subliminal Channel in Digital Signatur, Proc. of Eurocrypt 84, Lecture Notes in Computer Science, Springer-Verlag [vsn92] B. von Solms, D. Naccache, On blind signatures and perfect crimes, Computers and Security, 11(6), October 1992