Untraceable Oo-line Cash in Wallets with Observers

Incorporating the property of untraceability of payments into oo-line electronic cash systems has turned out to be no easy matter. Two key concepts have been proposed in order to attain the same level of security against double-spending as can be trivially attained in systems with full traceability of payments. The rst of these, one-show blind signatures, ensures traceability of double-spenders after the fact. The realizations of this concept that have been proposed unfortunately require either a great sacriice in eeciency or seem to have questionable security, if not both. The second concept, wallets with observers, guarantees prior restraint of double-spending, while still ooering traceability of double-spenders after the fact in case tamper-resistance is compromised. No realization of this concept has yet been proposed in literature, which is a serious problem. It seems that the known cash systems cannot be extended to this important setting without signiicantly worsening the problems related to eeciency and security. We introduce a new primitive that we call restrictive blind signatures. In conjunction with the so-called representation problem in groups of prime order this gives rise to highly eecient oo-line cash systems that can be extended at virtually no extra cost to wallets with observers under the most stringent of privacy requirements. The workload for the observer is so small that it can be performed by a tamper-resistant smart card capable of performing the Schnorr identiication scheme. We also introduce new extensions in functionality (unconditional protection against framing, anonymous accounts, multi-spendable coins) and improve some known constructions (computional protection against framing, electronic checks). The security of our cash system and all its extensions can be derived directly from the security of two well-known digital signature schemes (Schnorr and Okamoto) and the security of the new primitive.