Blind Certification of Public Keys and Efficiently Revocable Cash: Secure Against Capable Attackers

Electronic cash should be revocable in order to nullify the effect of attacks mounted by a capable attacker (e.g., double spending by reverse-engineering tamper-resistant devices). For prudent engineering considerations, cash revocability forms a necessary complementary measure to using tamper-resistant devices, adding system security while lowering system cost by reducing the level of physical tamper resistance required. We propose a revocable cash scheme. Cash revocation is achieved efficiently via withdrawing an attacker's ability to further use the system. In several ways the new scheme improves from previous ones (including trustee-based tracing techniques, e.g., [5, 14, 19]), that identify the attacker and revoke cash in terms of publishing a blacklist of coins misused or robbered. Firstly, the new scheme can stop the attacker from further using the system without need of physical confiscation of him/her or his/her devices (physical confiscation is difficult over the network). Secondly, it will achieve a better performance due to avoiding real-time checking through a potentially big coin revocation list. Thirdly, without using trustee, the system serves unconditional privacy for honest users and uses simpler protocols for transactions.