DS0904 - 2016

Efficient transferable e-cash – EfTrEC

Submission summary

The virtualisation of financial transactions is ubiquitous. While payment cards do not offer anonymity, electronic cash does, but despite extensive research it has hardly ever been deployed. Instead, users are increasingly turning to "crypto-currencies" like Bitcoin, which provide online payments and promise users privacy. This is undesirable from an ecological point of view, as Bitcoin's security relies on wasting electricity; but even more so from an economic point of view, since taking the control over the money supply out of the hands of central banks is not a viable economic model.

Cryptographic e-cash aims at mimicking the properties of physical cash. A bank issues coins which can be withdrawn by users and then spent in a completely anonymous way. So far, all proposed schemes that are practical lack one property of physical cash, which Bitcoin lacks as well, namely the possibility to exchange coins without involving the bank or requiring users to be online. While classical e-cash must be deposited at the bank once spent, transferable e-cash goes one step further in emulating physical cash. However, achieving the desirable anonymity properties has turned out to be challenging, and so far no practical schemes have been proposed; changing this is one of the goals of the EfTrEC proposal for the ANR JCJC Award.

In more detail, we will first (i) revisit the formal model for transferable e-cash, as currently all formal security definitions are of considerable complexity, which makes them hard to work with. We will introduce simple, clean definitions and analyse their relations to existing notions; our model can then serve as the basis for analysing proposed schemes. Next we will (ii) develop new and more efficient tools, based on which we will construct transferable e-cash schemes with practical efficiency, which we will then analyse by giving rigorous security proofs. We will also aim at reducing the necessary trust by proposing the first schemes that do not require a trusted setup. Our most long-term goal is (iii) the development of schemes that go beyond current techniques in order to counter attacks even on quantum computers. To this end, we will first port tools and techniques from elliptic-curve cryptography that have proved useful for constructing privacy-preserving protocols to the lattice-based world.

Project coordination

Georg Fuchsbauer (Institut National de Recherche en Informatique et en Automatique)

The author of this summary is the project coordinator, who is responsible for the content of this summary. The ANR declines any responsibility as to its contents.

Partnership

Inria de Paris Institut National de Recherche en Informatique et en Automatique

ANR funding: 186,840 euros
Beginning and duration of the scientific project: November 2016 - 48 Months
