Digital cash describes a class of secure electronic payment protocols featuring value assignment in the form of a cryptographic token (coin), which is typically offline-verifiable and conditionally anonymous. These attributes respectively describe the non-necessity of an online connection between the payment recipient (merchant) and the coin issuer (bank), and the untraceability (under conditions of legitimate usage) between the coin and its owner (user). In this paper, we present a k-term extension of S. Brands' (1993) digital cash protocol, which, in its basic form, is single-term, thereby requiring computationally-intensive coin generation for each payment. A divisible digital coin can be split into a number of sub-coins, thereby allowing operational flexibility with respect to variable payment amounts. Various single-term digital cash protocols (including Brands' protocol) have been demonstrated to allow divisibility through the construction of modular square-root binary trees. On the other hand, the resultant sub-coins from such a method are somewhat awkward to use within the context of real-life decimal-basis monetary systems; hence the motivation for our work, which applies Shamir (1979) secret sharing (SS) and Feldman-Pedersen verifiable secret sharing (VSS) (P. Feldman, 1987; T.P. Pedersen, 1992) for the implementation of k-term digital coins. The presented digital cash protocol features zero knowledge (ZK) verification of coin-specific secret shares as an anti-fraud mechanism, with user anonymity revocation in the event of fraudulent usage, i.e. k+1 payments made using a k-term coin.
展开▼
