DOCSLIB.ORG

Achieving Electronic Privacy a Cryptographicinvention Known As a Blind Signature Permits Numbers to Serve As Electronic Cash Or to Replace Conventional Identification

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Achieving Electronic Privacy A cryptographic invention known as a blind signature permits numbers to serve as electronic cash or to replace conventional identification. The author hopes it may return control of personal information to the individual by David Chaum very time you make a telephone murderers have tracked down their tar­ cessors capable of carrying out the nec­ call, purchase goods using a cred­ gets by consulting government-main­ essary algorithms have already been it card, subscribe to a magazine tained address records. On another lev­ embedded in pocket computers the size or pay your taxes, that information goes el, the U.S. Internal Revenue Service has and thickness of a credit card. Such sys­ intoE a data base somewhere. Further­ attempted to single out taxpayers for tems have been tested on a small scale more, all these records can be linked audits based on estimates of house­ and could be in widespread use by the so that they constitute in effect a sin­ hold income compiled by mailing-list middle of this decade. gle dossier on your life-not only your companies. medical and financial history but also The growing amounts of information he starting point for this ap­ what you buy, where you travel and that different organizations collect proach is the digital Signature, whom you communicate with. It is al­ about a person can be linked because first proposed in 1976 by Whit­ most impossible to learn the full extent all of them use the same key-in the field Diffie, then at Stanford University. of the files that various organizations U.S. the sodal security number-to iden­ AT digital signature transforms the mes­ keep on you, much less to assure their tify the individual in question. This iden­ sage that is signed so that anyone who accuracy or to control who may gain ac­ tifier-based approach perforce trades reads it can be sure of who sent cess to them. off security against individual liberties. it [see "The Mathematics of Public-Key Organizations link records from dif­ The more information that organiza­ Cryptography," by Martin E. Hellman; ferent sources for their own protec­ tions have (whether the intent is to pro­ SCIENTIFIC AMERICAN, August 1979l. tion. Certainly it is in the interest of tect them from fraud or simply to tar­ These signatures employ a secret key a bank looking at a loan application get marketing efforts), the less privacy used to sign messages and a public one to know that John Doe has defaulted and control people retain. used to verify them. Only a message on four similar loans in the past two Over the past eight years, my col­ signed with the private key can be ver­ years. The bank's possession of that leagues and I at CWI (the Dutch na­ ified by means of the public one. Thus, information also helps its other cus­ tionally funded Center for Mathemat­ if Alice wants to send a signed message tomers, to whom the bank passes on ics and Computer Science in Amster­ to Bob (these two are the cryptographic the cost of bad loans. In addition, these dam) have developed a new approach, community's favorite hypothetical char­ records permit Jane Roe, whose pay­ based on fundamental theoretical and acters), she transforms it using her pri­ ment history is impeccable, to establish practical advances in cryptography, vate key, and he applies her public key a charge account at a shop that has that makes this trade-off unnecessary. to make sure that it was she who sent never seen her before. Transactions employing these tech­ it. The best methods known for produc­ That same information in the wrong niques avoid the possibility of fraud ing forged signatures would require hands, however, provides neither pro­ while maintaining the privacy of those many years, even using computers bil­ tection for businesses nor better service who use them. lions of times faster than those now for consumers. Thieves routinely use a In our system, people would in ef­ available. stolen credit card number to trade on fect give a different (but definitively To see how digital signatures can their victims' good payment records; verifiable) pseudonym to every organi­ provide all manner of unforgeable cre­ zation they do business with and so dentials and other services, consider make dossiers impossible. They could how they might be used to provide an pay for goods in untraceable electronic electronic replacement for cash. The DAVII) CHAUM is head of the Cryptog­ cash or present digital credentials that First Digital Bank would offer electron­ raphy Group at the Center for Mathe­ serve the function of a banking pass­ ic bank notes: messages signed using matics and Computer Science (CWI) in Amsterdam. He is also a founder of Digi­ book, driver's license or voter registra­ a particular private key. All messages Cash, which develops electronic payment tion card without revealing their iden­ bearing one key might be worth a dol­ systems. Chaum received his Ph.D. in tity. At the same time, organizations lar, all those bearing a different key five computer science from the University of would benefit from increased security dollars, and so on for whatever denom­ California, Berkeley, in 1982 and joined and lower record-keeping costs. inations were needed. These electronic CWI in 1984. He helped to found the Recent innovations in microelectron­ bank notes could be authenticated using International Association for Cryptolog­ ics make this vision practical by pro­ the corresponding public key, which the ic Research and remains active on its board; he also consults internationally viding personal "representatives" that bank has made a matter of record. First on cryptology. store and manage their owners' pseud­ Digital would also make public a key onyms, credentials and cash. Micropro- to authenticate electronic documents 96 SCIENTIFIC AMERICAN August 1992 © 1992 SCIENTIFIC AMERICAN, INC sent from the bank to its customers. When Alice wants to pay for a pur­ This system is secure, but it has no . To withdraw a dollar from the bank, chase at Bob's shop, she connects her privacy. If the bank keeps track of note Alice generates a note number (each "smart" card with his card reader and numbers, it can link each shop's de­ note bears a different number, akin to transfers one of the signed note num­ posit to the corresponding withdrawal the serial number on a bill); she choos­ bers the bank has given her. After veri­ and so determine precisely where and es a lOO-digit number at random so fying the bank's digital signature, Bob when Alice (or any other account hold­ that the chance anyone else would gen­ transmits the note to the bank, much as er) spends her money. The resulting erate the same one is negligible. She a merchant verifies a credit card trans­ dossier is far more intrusive than those signs the number with the private key action today. The bank reverifies its now being compiled. Furthermore, rec­ corresponding to her "digital pseud­ signature, checks the note against a list ords based on digital signatures are onym" (the public key that she has pre­ of those already spent and credits Bob's more vulnerable to abuse than conven­ viously established for use with her ac­ account. It then transmits a "deposit tional files. Not only are they self-au­ count). The bank verifies Alice's signa­ slip," once again unforgeably signed thenticating (even if they are copied, ture and removes it from the note with the appropriate key. Bob hands the information they contain can be number, signs the note number with its the merchandise to Alice along with his verified by anyone), but they also per­ worth-one-dollar signature and debits own digitally signed receipt, complet­ mit a person who has a particular kind her account. It then returns the signed ing the transaction. of information to prove its existence note along with a digitally signed with­ This system provides security for all without either giving the information drawal receipt for Alice's records. In three parties. The signatures at each away or revealing its source. For exam­ practice, the creation, signing and trans­ stage prevent any one from cheating ple, someone might be able to prove in­ fer of note numbers would be carried either of the others: the shop cannot controvertibly that Bob had telephoned out by Alice's card computer. The pow­ deny that it received payment, the bank Alice on 12 separate occasions without er of the cryptographic protocols, how­ cannot deny that it issued the notes or having to reveal the time and place of ever, lies in the fact that they are se­ that it accepted them from the shop any of the calls. cure regardless of physical medium: for deposit, and the customer can nei­ I have developed an extension of digi­ the same transactions could be carried ther deny withdrawing the notes from tal signatures, called blind signatures, out using only pencil and paper. her account nor spend them twice. that can restore privacy. Before send- CREDIT MERCH ANT'S ACCOUNT $1; BALANCE $100.001 �613rc0375293 7349432 02693154J MERCHANT'S7 390621 ACCOUNT43616 NO. 040682759 5 �734613rc' 31540375 j3 7 3906219432 436160269 DIGITAL CASH flows tracelessly from bank through con­ signature indicating its value. The bank credits the merchant's sumer and merchant before returning to the bank. Using a account when the note is presented for payment. A technique small computer "representative," a person creates a random known as a blind signature prevents the bank from seeing the number to serve as a bank note.
Recommended publications
  • Anonymous Credentials and E-Cash

    Anonymous Credentials and E-Cash

    Anonymous Credentials and e-Cash Jan Camenisch Principle Researcher; TL Cryptography & Privacy IBM Research – Zurich @JanCamenisch ibm.biz/jancamenisch Facts 33% of cyber crimes, including identity theft, take less time than to make a cup of tea. Facts 10 Years ago, your identity information on the black market was worth $150. Today…. Facts $15'000'000'000 cost of identity theft worldwide (2015) Attackers hide easily in the vast of cyberspace ᄅ Houston, we have a problem! The Problem is This: Computers Never Forget # Data is stored by default # Data mining gets ever better # Apps built to use & generate (too much) data # New (ways of) businesses using personal data # Humans forget most things too quickly # Paper collects dust in drawers # But that’s how we design and build applications! Where's all my data? The ways of data are hard to understand # Devices, operating systems, & apps are getting more complex and intertwined # Mashups, Ad networks # Machines virtual and realtime configured # Not visible to users, and experts # Data processing changes constantly → No control over data and far too easy to loose them IoT makes this even worse! The problem is this… Learnings from Snowden – Take Aways NSA collects massive amounts of data Not by breaking encryption schemes! But by openness & insecurity of systems, infiltration, ... # However, Snowden had limited access to docs (no crypt-analysis reports) Many things doable by ordinary hackers or somewhat sophisticated crooks # CA compromise # Stealing data at rest # Extortion, system manipulations,.
  • A Technical Overview of Digital Credentials

    A Technical Overview of Digital Credentials

    A Technical Overview of Digital Credentials Dr. Stefan Brands Credentica [email protected] February 20, 2002 Abstract Applications that involve the electronic transfer of credentials, value tokens, profiles, and other sensitive information are quickly gaining momentum. Traditional attempts to introduce electronic authentication, such as PKI and biometric verification, expose organizations to po- tentially unlimited liability, lead to consumer fear, and stifle the adoption of new systems. To overcome these barriers, innovative solutions are needed that address the entire spectrum of security and privacy interests for all parties involved. This paper is a technical overview of Digital Credentials. Digital Credentials are the digital equivalent of paper documents, plastic tokens, and other tangible objects issued by trusted parties. At the same time, they are much more powerful than their physical counterparts. For example, individuals can selectively disclose properties of the data fields in their Digital Credentials while hiding any other information. Digital Credentials also provide much greater security. As a result, they can be used to securely implement objects that traditionally are made identifiable in order to deal with certain kinds of fraud. Examples are diplomas, work permits, access cards, and drivers’ licenses. 1 Introduction Around the world, influential organizations are rushing to provide individuals with digital identity certificates that will be the sole means of participating in their systems. Among the front-runners are telecommunication organizations, health care providers, mobile service providers, financial institutions, and state and federal governments. A digital identity certificate is just a sequence of zeros and ones, and so it can be transferred electronically and can be verified with 100 percent accuracy by computers.
  • Conditional Blind Signatures

    Conditional Blind Signatures

    Conditional Blind Signatures Alexandros Zacharakis, Panagiotis Grontas, and Aris Pagourtzis School of Electrical and Computer Engineering National Technical University of Athens, 15780 Athens, Greece [email protected], [email protected], [email protected] Abstract. We propose a novel cryptographic primitive called condi- tional blind signatures. Our primitive allows a user to request blind sig- natures on messages of her choice. The signer has a secret Boolean input which determines if the supplied signature is valid or not. The user should not be able to distinguish between valid and invalid signatures. A desig- nated verifier, however, can tell which signatures verify correctly, and is in fact the only entity who can learn the secret input associated with the (unblinded) signed message. We instantiate our primitive as an extension of the Okamoto-Schnorr blind signature scheme and provide variations to fit different usage scenarios. Finally, we analyze and prove the security properties of the new scheme and explore potential applications. Keywords: digital signatures, blind signatures, designated verifier sig- natures 1 Introduction Digital signatures, proposed in [1], are one of the most successful public key cryptographic primitives. A user U submits a message to a signer S, who ap- plies a function of his secret signing key sk and generates a signature that can be verified by everybody that possesses the corresponding public verification key vk. They allow message integrity, authenticity and non repudiation in a publicly verifiable manner. A digital signature scheme is secure if no probabilistic adver- sary A, running in polynomial time (PPT), can output a forgery of a signature, i.e.
  • Crush Crypto Educational Series

    Crush Crypto Educational Series

    The History of Digital Currency Educational Series November 26, 2018 Digital Currency Before Bitcoin • The creation of Bitcoin in 2009 marked the birth of the first digital currency to achieve widespread adoption across the globe. However, the concept of a secure digital currency has been around since the 1980s. • Previous attempts that inspired Satoshi Nakamoto’s creation of Bitcoin include: • DigiCash • Bit Gold • Hashcash • B-money For additional resources, please visit www.CrushCrypto.com. 2 Copyright © Crush Crypto. All Rights Reserved. DigiCash • Computer scientist David Chaum released the paper Blind Signatures for Untraceable Payments (1982) in which he outlined an alternative to the electronic transactions hitting retail stores at the time. His paper is considered one of the first proposals of digital currency in history. • He continued working on his proposal and eventually launched a company called DigiCash in 1990 to commercialize the ideas in his research. In 1994 the company put forth their first electronic cash transaction over the internet. For additional resources, please visit www.CrushCrypto.com. 3 Copyright © Crush Crypto. All Rights Reserved. DigiCash (continued) • DigiCash transactions were unique for the time considering their use of protocols like blind signatures and public key cryptography to enable anonymity. As a result, third parties were prevented from accessing personal information through the online transactions. • Despite the novel technology, DigiCash was not profitable as a company and filed a chapter 11 bankruptcy in 1998 before being sold for assets in 2002. • Chaum thought that DigiCash entered the market before e-commerce was fully integrated with the internet and that lead to a chicken-and-egg problem.
  • On the Security of One-Witness Blind Signature Schemes

    On the Security of One-Witness Blind Signature Schemes

    On the Security of One-Witness Blind Signature Schemes Foteini Baldimtsi and Anna Lysyanskaya? Department of Computer Science, Brown University, Providence, RI, USA [email protected], [email protected] Abstract. Blind signatures have proved an essential building block for applications that protect privacy while ensuring unforgeability, i.e., elec- tronic cash and electronic voting. One of the oldest, and most efficient blind signature schemes is the one due to Schnorr that is based on his fa- mous identification scheme. Although it was proposed over twenty years ago, its unforgeability remains an open problem, even in the random- oracle model. In this paper, we show that current techniques for proving security in the random oracle model do not work for the Schnorr blind signature by providing a meta-reduction which we call \personal neme- sis adversary". Our meta-reduction is the first one that does not need to reset the adversary and can also rule out reductions to interactive assumptions. Our results generalize to other important blind signatures, such as the one due to Brands. Brands' blind signature is at the heart of Microsoft's newly implemented UProve system, which makes this work relevant to cryptographic practice as well. Keywords: Blind signatures, meta-reduction technique, unforgeability, random oracle model. 1 Introduction In a blind signature scheme, first introduced by Chaum in 1982 [16], a user can have a document signed without revealing its contents to the signer, and in such a way that the signer will not be able to recognize it later, when he sees the signature. Blind signatures have proven to be a very useful building block in applications requiring both anonymity and unforgeability, such as e-cash and anonymous credentials [12{15, 27].
  • HOW to REALLY CIRCULATE ELECTRONIC CASH on the INTERNET by Katsuhito Iwai

    HOW to REALLY CIRCULATE ELECTRONIC CASH on the INTERNET by Katsuhito Iwai

    HOW TO REALLY CIRCULATE ELECTRONIC CASH ON THE INTERNET by Katsuhito Iwai Professor of Economics, The University of Tokyo 7-3-1 Hongo, Bunkyo-ku, Tokyo, Japan 113 [email protected] or [email protected] August 28, 1995 (Japanese version: March 30, 1995) 1. An introductory remark The recent world-wide explosion of the Internet community has encouraged many individuals and groups to propose a variety of electronic payment systems that can be used safely and efficiently for the economic transactions on computer networks. Some proposals are mere variations on the traditional credit card system. But the more ambitious ones are aiming at an electronic cash system which turns an electronic stream of numbers, the only "thing" moving on lines, into 'electronic cash', or 'e-cash', that can be spent directly on on-line commercial wares. One such attempt is the DigiCash system of David Chaum.1 Since any message transmitted through the Internet is accessible to anyone who cares to look, and since any copied number is as good a number as the original one, the basic problem is to devise a copy-proof and cheat-proof transmission procedure among computer users. The DigiCash system has solved this by adopting the public-key cryptography for digital signatures that can secure the privacy of communicated messages as well as the authenticity of their communicators. It has also incorporated a device of blind signatures which assures the complete anonymity of its users. The DigiCash system (and other schemes based on similar principles) perhaps comes closest to the ideal of e-cash.
  • Single Term Off-Line Coins

    Single Term Off-Line Coins

    Single Term Off-Line Coins Niels Ferguson CWI, P.O. Box 94079, 1090 GB Amsterdam, Netherlands. e-mail: nielsacwi .nl Abstract. We present a new construction for off-line electronic coins that is both far more efficient and much simpler than pre- vious systems. Instead of using many terms, each for a single bit of the challenge, our system uses a single term for a large number of possible challenges. The withdrawal protocol does not use a cut- and-choose methodology as with earlier systems, but uses a direct construction. 1 Introduction The main requirements for an electronic cash system are the following: - Security. Every party in the electronic cash system should be protected from a collusion of all other parties (multi-party security). - Off-line. There should be no need for communication with a central authority during payment. - Fake Privacy. The bank and all the shops should together not be able to derive any knowledge from their protocol transcripts about where a user spends her money. - Privacy (untraceable). The bank should not be able to determine whether two payments were made by the same payer, even if all shops cooperate. The privacy requirement is obviously stronger then the fake privacy one. Under real-world circumstances, a payer is identified during some of the payments by means outside the electronic cash system. If two payments can be recognised as originating from the same payer, then knowing the identity of the payer during a single payment anywhere allows the tracing of all other payments made by that payer. Therefore, fake privacy provides no privacy at all in practice.
  • Desperately Seeking Satoshi; from Nowhere, Bitcoin Is Now Worth Billions

    Desperately Seeking Satoshi; from Nowhere, Bitcoin Is Now Worth Billions

    Title: Desperately seeking Satoshi; From nowhere, bitcoin is now worth billions. Where did it come from? Andrew Smithset off to find Satoshi Nakamoto, the mysterious genius behind the hit e-currency Source: Sunday Times (London, England). (Mar. 2, 2014): News: p16. Document Type: Article Copyright : COPYRIGHT 2014 NI Syndication Limited. Sunday Times http://www.sunday-times.co.uk Full Text: it's late 2013; a converted brewery in hip east London, with bare-brick walls and double-espresso musk. For days, online forums have churned with plans for this unlikely 800-strong agglomeration of trend- seekers, geeks and the merely curious to converge from all corners of Britain, and they look a little shocked to be here, as if the focus of their shared fervour only now seems real. The focus is bitcoin, the bizarre electronic "cryptocurrency" that appeared out of nowhere at the start of 2009 and slowly, strangely, began to attract followers. With no clear reason to be worth anything, it was traded for pennies at the end of the first year, but after two years had achieved dollar parity, then more and as the price began to levitate, extraordinary things happened around it, with exchanges and odd frontier-style businesses grown, robbed, scammed as if in some free-market libertarian fantasy. Vexed economists cried "Bubble!" and predicted the end more loudly with each turn of bad news, after which bitcoin's value would crash, then simply continue its rise, until by the end of 2013 a single "coin" would cost you $1,000. Some investors predicted it would eventually reach $1m; others that it would be spam by the end of this year.
  • A New Blind ECDSA Scheme for Bitcoin Transaction Anonymity

    A New Blind ECDSA Scheme for Bitcoin Transaction Anonymity

    A New Blind ECDSA Scheme for Bitcoin Transaction Anonymity Xun Yi 1;2, Kwok-Yan Lam 2 and Dieter Gollmann 2;3 1RMIT University, Australia, E-mail: [email protected] 2Nanyang Technological University, Singapore, E-mail: [email protected] 3Hamburg University of Technology, Germany, E-mail: [email protected] Abstract. In this paper, we consider a scenario where a bitcoin liquid- ity provider sells bitcoins to clients. When a client pays for a bitcoin online, the provider is able to link the client's payment information to the bitcoin sold to that client. To address the clients' privacy concern, it is desirable for the provider to perform the bitcoin transaction with blind signatures. However, existing blind signature schemes are incom- patible with the Elliptic Curve Digital Signature Algorithm (ECDSA) which is used by most of the existing bitcoin protocol, thus cannot be applied directly in Bitcoin. In this paper, we propose a new blind signa- ture scheme that allows generating a blind signature compatible with the standard ECDSA. Afterwards, we make use of the new scheme to achieve bitcoin transaction anonymity. The new scheme is built on a variant of the Paillier cryptosystem and its homomorphic properties. As long as the modified Paillier cryptosystem is semantically secure, the new blind signature scheme has blindness and unforgeability. Keywords: Blind signature, ECDSA, Paillier cryptosystem, Bitcoin, Blockchain 1 Introduction Bitcoin is a peer-to-peer payment system and digital currency introduced as open source software by pseudonymous developer Satoshi Nakamoto [14]. In January 2009, the bitcoin network came into existence with the release of the first bitcoin client and the issuance of the first bitcoins.
  • A GOST-Like Blind Signature Scheme Based on Elliptic Curve Discrete Logarithm Problem

    A GOST-Like Blind Signature Scheme Based on Elliptic Curve Discrete Logarithm Problem

    1 A GOST-like Blind Signature Scheme Based on Elliptic Curve Discrete Logarithm Problem Hossein Hosseini, Behnam Bahrak* and Farzad Hessar** *Electrical Engineering Department, Virginia Tech University **Electrical Engineering Department, University of Washington h [email protected], *[email protected], **[email protected] Abstract In this paper, we propose a blind signature scheme and three practical educed schemes based on elliptic curve discrete logarithm problem. The proposed schemes impart the GOST signature structure and utilize the inherent advantage of elliptic curve cryptosystems in terms of smaller key size and lower computational overhead to its counterpart public key cryptosystems such as RSA and ElGamal. The proposed schemes are proved to be secure and have less time complexity in comparison with the existing schemes. Index Terms Blind Signature, Elliptic Curve, GOST Signature, Unforgeability, Blindness. I. INTRODUCTION Blind signature is a form of digital signature in which the message is blinded before it is signed, in order to allow the requester to get a signature without giving the signer any information about the actual message or the resulting signature. Blind signatures are used to build practical offline and online untraceable electronic cash schemes [1]–[4] and widely employed in privacy-related cryptographic protocols, such as electronic election systems [5]. The paper arXiv:1304.2094v1 [cs.CR] 8 Apr 2013 analogy to the blind signature is enclosing a ballot in a carbon paper lined envelope; In this way, the signer does not view the message content, and also everyone can later check the validity of the signature. Several blind signature schemes are proposed in the literature.
  • E-Cash Payment Protocols and Systems

    E-Cash Payment Protocols and Systems

    E-CASH PAYMENT PROTOCOLS AND SYSTEMS * MRS. J. NIMALA, Assistant Professor, PG and Research Department of Commerce with CA, Hindusthan College of Arts and Science, Coimbatore. TN INDIA ** MRS. N. MENAGA, Assistant Professor, PG and Research Department of Commerce with CA, Hindusthan College of Arts and Science, Coimbatore. TN INDIA Abstract E-cash is a payment system intended and implemented for making purchases over open networks such as the Internet. Require of a payment system which provides the electronic transactions are emergent at the similar moment that the exploit of Internet is budding in our daily life. Present days electronic payment systems have a major dilemma, they cannot switch the security and the user’s secrecy and at the same time these systems are secure on the cost of their users ambiguity. This paper shows the payment protocols for digital cash and discusses how a digital cash system can be fashioned by presenting a few of the recent day’s digital cash systems in details. We also offer a comparison and determine them mutually to see which one of them fulfils the properties for digital cash and the mandatory security level. Keywords: E-cash; Payment Protocol; Double Spending; Blind Signature. Introduction DigiCash is a private company founded in 1989 by Dr David Chaum. It has created an Internet money product, now patented, and called ‘ecash’. DigiCash’s ecash has been used for many different types of transactions. It is a stored-value cryptographic coin system that facilitates Internet-based commerce using software that runs on personal computers. It provides a way to implement anonymous electronic payments in an environment of mutual mistrust between the bank and the system users.
  • Group Blind Digital Signatures: a Scalable Solution to Electronic Cash

    Group Blind Digital Signatures: a Scalable Solution to Electronic Cash

    Group Blind Digital Signatures: A Scalable Solution to Electronic Cash Anna Lysyanskaya1 and Zulfikar Ramzan1 Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge MA 02139, {anna, zulfikar}@theory.lcs.mit.edu Abstract. In this paper we construct a practical group blind signature scheme. Our scheme combines the already existing notions of blind signa- tures and group signatures. It is an extension of Camenisch and Stadler’s Group Signature Scheme [5] that adds the blindness property. We show how to use our group blind signatures to construct an electronic cash system in which multiple banks can securely distribute anonymous and untraceable e-cash. Moreover, the identity of the e-cash issuing bank is concealed, which is conceptually novel. The space, time, and com- munication complexities of the relevant parameters and operations are independent of the group size. 1 Introduction 1.1 Distributed Electronic Banking Consider a scheme in which there is a large group of banks, monitored by the country’s Central Bank (e.g. the US Treasury), where each bank can dispense electronic cash. We want such a scheme to have the following properties: 1. No bank should be able to trace any e-cash it issues. Therefore, just as with paper money, people can spend their e-cash anonymously. 2. A vendor only needs to invoke a single universal verification procedure, based on the group public key, to ensure the validity of any e-cash he receives. This procedure works regardless of which bank issued the e-cash. This makes the vendor’s task much easier since he only needs to know the single group public key.