Balancing Accountability and Privacy Using E-Cash (Extended Abstract)

In an electronic cash (e-cash) system, a user can withdraw coins from the bank, and then spend each coin anonymously and unlinkably. For some applications, it is desirable to set a limit on the dollar amounts of anonymous transactions. For example, governments require that large transactions be reported for tax purposes. In this work, we present the first e-cash system that makes this possible without a trusted party. In our system, a user’s anonymity is guaranteed so long as she does not: (1) double-spend a coin, or (2) exceed the publicly-known spending limit with any merchant. The spending limit may vary with the merchant. Violation of either condition can be detected, and can (optionally) lead to identification of the user and discovery of her other activities. While it is possible to balance accountability and privacy this way using e-cash, this is impossible to do using regular cash. Our scheme is based on our recent compact e-cash system. It is secure under the same complexity assumptions in the random-oracle model. We inherit its efficiency: 2 coins can be stored in O(`+ k) bits and the complexity of the withdrawal and spend protocols is O(` + k), where k is the security parameter.