RECIPIENT SPECIFIC ELECTRONIC CASH
A Scheme for Recipient Specific Yet Anonymous and Tranferable Electronic Cash
Chittaranjan Mandal
School of Information Technology
IIT Kharagpur, WB 721302, India
Chris Reade
Kingston Business School
Kingston University
Keywords:
Electronic cash, anonymous payments, double payments, zero-knowledge proof.
Abstract:
A new scheme for electronic money is described where e-cash is created for a specific recipient in any transaction. This has benefits for the efficiency of implementing measures against double spending. Details of the scheme are provided to show that anonymity and transferability are still possible with recipient specific e-cash. The scheme ensures both authentication and integrity of the electronic instrument. A method for giro payments based on the scheme is also discussed.
1 INTRODUCTION
We will describe a new scheme for electronic cash to be used for electronic payments. Electronic payments may be classified as either notational, in which electronic communication is used to access notational money stored in bank accounts to effect transfers, or token-based, where digital tokens representing stored value are transferred directly between payer and payee. The former covers credit card and debit card transactions and payment orders initiated over the Internet, whilst the latter group includes use of tokens stored on prepayment cards or in electronic wallets. The scheme introduced here is for token-based (stored value) payments where the terms electronic money / electronic cash / e-cash refer to the digital tokens that are stored and exchanged in transactions.
A key rationale for electronic cash schemes is that they can provide privacy and anonymity of payments as is the case with conventional cash. In contrast, notational payments allow the identity of the payer to be traced and a person's transactional history can be kept by their bank. With the combination of a rapid rise in electronic commerce and in the use of mobile devices, heavy reliance on notational electronic payments is becoming a serious problem for privacy. Another reason for preferring electronic cash is to reduce the cost of transactions. It is desirable that the cost (often the time taken) of the transaction should be commensurate with the value being transferred. Usually the cost is determined by the particular payment scheme being used and is independent of the value being transferred. This makes many existing payment schemes unsuitable for transferring small amounts of electronic money.
A recent survey of developments in electronic money and internet and mobile payments (Committee on Payment and Settlement Systems, 2004) shows that there are a large number of different electronic payment systems either in use or under development, and several reported in earlier surveys (see e.g. (Pilioura, 1998)) that are now discontinued.
After considering the context of this work by reviewing related work in the next section, the mechanisms for cash generation, payment and encashment are introduced in section 3. Subsequent sections address transferability (section 5) and double spending prevention (section 5.4) before concluding.
2 RELATED WORK
There is a considerable body of work on electronic cash mechanisms since the pioneering work of Chaum (Chaum, 1983; Chaum et al., 1990). Okamoto and Ohta (Okamoto and Ohta, 1992) list the key required properties as (i) independence (cash is secure wherever it resides), (ii) security against double spending, (iii) privacy (keeping anonymity or untraceability of spenders), (iv) off-line payment, (v) transferability, and (vi) divisibility. Cryptographic techniques have been developed for many of the desired properties. In addition to common uses of cryptography for authentication, integrity and confidentiality of information, it also plays a part in ensuring anonymity of electronic money and untraceability of payers.

Mandal C. and Reade C. (2007).
RECIPIENT SPECIFIC ELECTRONIC CASH - A Scheme for Recipient Specific Yet Anonymous and Tranferable Electronic Cash.
In Proceedings of the Third International Conference on Web Information Systems and Technologies - Society, e-Business and e-Government / e-Learning, pages 204-209
DOI: 10.5220/0001264702040209
Copyright © SciTePress
The key problems of independence and anonymity were addressed in the early papers (Chaum, 1983; Chaum et al., 1990). In particular, Chaum introduced the use of blind signature techniques (Chaum, 1983) for anonymity and he has several patents for these.
Double spending is a problem only for off-line payments since, for purely online systems, double spending can be detected immediately through banks keeping records of spent cash. In the latter case, double spending can be prevented rather than just detected. For partially off-line systems, a method for either preventing or at least detecting and tracing double spenders is required. This can be done easily by compromising anonymity and using a spender's credentials when cash is spent, but solutions which retain anonymity (for honest spenders) also exist. Preventing double spending with off-line systems requires hardware such as electronic purses (wallets with observers (Chaum and Pedersen, 1993b; Brands, 1994)) to control the transfer of electronic cash. However, even in these situations, it is necessary to have traceability of double spenders in case the hardware is compromised. The first approaches to traceability involved use of one-show blind signatures [8] but were problematic for efficient implementation. Stephen Brands (Brands, 1993; Brands, 1994) introduced a new technique of restrictive blind signatures to resolve the efficiency problem. This involves a method of blinding which ensures that certain information is retained in the blinded cash. This information is enough to reveal the credentials of a spender if and only if they spend more than once. Our mechanism is similar in nature, but uses different techniques to identify the double spender.
A general method for adding transferability to electronic cash systems was considered in (Chaum and Pedersen, 1993a). The latter paper showed that all proposals for transferring money must inevitably grow the size of the money and it was also proved that recognising cash that has been seen before is always theoretically possible.

Divisibility was addressed in (Okamoto and Ohta, 1992) with a more efficient mechanism proposed in (Okamoto, 1995).

This paper introduces an alternative approach to handling double spending to that proposed in previous work (e.g. (Brands, 1994)). Current schemes effectively identify double spenders but do not block double spending. This scheme of recipient-specific cash is designed with a view to blocking double spending. We do not consider divisibility techniques in this paper.
3 GENERATING e-cash FOR PAYMENT
We describe details of a payment where A is to pay a sum of money $v$ to B.

Apart from an account number $a_B$ (which may not be confidential), we assume B shares a secret key $x_B$ with his bank. For a new payment, B first creates a nonce $n$, from which he can compute the following data:

$$u_B = H(a_B \| x_B \| n) \tag{1}$$

where $H$ is a suitable one-way hash function chosen for the scheme. (It must at least be collision-intractable.) The value $u_B$ will be used in the creation of e-cash. Note that B's bank will also be able to calculate this value once it is provided with knowledge of $n$, but no-one else can whilst the secret key remains a secret to all but these two parties. The pair of values $n$ and $u_B$ thus act as credentials for B to the bank without direct transmission of the secret $x_B$.
In the sequel, however, we need a more complicated form for $u_B$ to cater for zero-knowledge proofs used for off-line payments and discussed later in section 5.3. For the new version, we additionally assume that two numbers $g$ and $h$ are publicly available where $g$ is a suitably chosen base for a group and $h$ is a suitably chosen modulus to enable use of discrete logarithm problems (Odlyzko, 1984). Then,

$$u_B = H\left(g^{(a_B \| x_B \| n)} \pmod{h}\right) \tag{2}$$

For offline and giro payments considered later, it is convenient to assume that B has a supply of signed values of the form $u_B$ (each with a different nonce $n$). These do not have any intrinsic monetary value on their own.
To receive a payment, B (the recipient) creates a new secret for the payment ($s_B$) and uses it along with $u_B$ to compute a serial number for the e-cash, $p = H(u_B \| s_B)$.

The serial number then needs to be signed by A's bank with a signature associating a monetary value of $v$. First we consider the unblinded case. The signing process uses the bank's private key ($d = KR_{A,v}$) appropriate for the chosen amount. A corresponding amount is deducted from A's bank account. B then receives the payment from A which is $P = \langle p, \{p\}_d \rangle$. The payment $P$ is thus a pair of a serial number $p$ and a signature of that number $\{p\}_d$, signed using the private key ($d = KR_{A,v}$) of A's bank for the denomination of $v$. [We assume a digital signature is always accompanied by a certificate which both identifies the owner of the key used in the signature and validates the ownership.]
An important property of $P$ is that anyone can check the signature with the bank's public key and hence verify that it has a valid form for e-cash. Another property that we will discuss later (in section 4) is that encashing $P$ will also require knowledge of $u_B$, $s_B$, $x_B$ and $n$. The use of nonces ($n$) ensures that different values of $u_B$ are used for each payment to B.
3.1 Blinding the Payment
A technique for obtaining blind signatures and then unblinding them was first introduced by David Chaum (Chaum, 1983; Chaum et al., 1990). Anonymity of the e-cash collected from the bank by A can be ensured if A's bank does not get to know the serial number of the money. Similarly anonymity can be maintained for the e-cash paid to B.

The blinding technique for RSA is essentially a transform. For any RSA private key $d$ and an appropriate random blinding number $r$ there is a function $\mathrm{blind}_r$ and an inverse $\mathrm{unblind}_r$ (derived from the public key used to check signatures made with $d$) with the additional property that

$$\mathrm{unblind}_r(\{\mathrm{blind}_r(p)\}_d) = \{p\}_d$$

This means that a signature of $p$ (namely $\{p\}_d$) can be obtained indirectly by first blinding $p$, then getting a signature of the blinded value $\{\mathrm{blind}_r(p)\}_d$ and then unblinding. RSA blindings can also be chained using the further property that $\mathrm{unblind}_r \circ \mathrm{unblind}_s$ is an unblinding inverse for blinding with $\mathrm{blind}_s \circ \mathrm{blind}_r$.

In the payment, the bank can sign a, possibly multiple, blinded version of $p$ using the key $d = KR_{A,v}$, so it does not get to see $p$. That is, B first blinds $p$ to $p'$ and passes $p'$ on to A. A in turn blinds $p'$ to $p''$ (optionally) and then gets her bank to sign this serial number to create the blinded payment $P''$. A (optionally) unblinds $P''$ to $P'$ and returns that to B. B in turn unblinds $P'$ to get $P = \langle p, \{p\}_d \rangle$.
4 SIMPLE ENCASHMENT OF THE PAYMENT
A sends the payment $P$ to B. B would now like to encash/deposit the payment by sending $P$ to his bank for deposit into account $a_B$.

Recall that

$$P = \langle p, \{p\}_d \rangle, \quad \text{where } d = KR_{A,v} \text{ and } p = H(u_B \| s_B) \tag{3}$$

$$u_B = H(a_B \| x_B \| n) \tag{4}$$

B is also required to send the following tuple to his bank to establish his own identity and knowledge of the secret used in the cash as well as to let the bank know the value $n$.

$$\langle H(x_B),\ \{u_B \| n \| s_B\}_{x_B},\ H(u_B \| n \| s_B \| x_B) \rangle$$
The reasoning behind this choice is discussed below.

The hash value $H(x_B)$ is used by B's bank to identify B, which assumes the bank maintains a sorted table of the hashes of the secret numbers of account holders. B needs to communicate $n$ and $u_B$ (encrypted) to the bank so the bank can verify knowledge of $(a_B \| x_B \| n)$ and thus establish his credentials. Furthermore, B needs to pass the secret value $s_B$ (encrypted). The quantity $\{u_B \| n \| s_B\}_{x_B}$ uses $x_B$ as a symmetric key to encrypt the secret associated with the payment before passing it to the bank. The final element of the tuple is essentially a digest to ensure integrity of the other components of the tuple. Note that $H(x_B)$ is susceptible to the birthday attack (Bellare and Kohno, 2004). It can be made resistant to this attack by choosing $x_B$ as a prefix of a longer string $X_B$. When hash functions are computed, $X_B$ in lieu of $x_B$ would be used.

At the bank, the value $u_B$ is checked, then the decrypted value $s_B$ is used with this to verify the serial number $p$. The bank then verifies the signature in the payment and goes on to perform its clearing.
If A's bank is not the same as B's bank, then B's bank needs to send the information $s_B$ and $u_B$ to A's bank to request the transfer of money of value $v$ to itself. The generating bank (A's bank) needs to keep track of whether a payment has already been honoured (and check this when a request is made). Time limits are needed to avoid banks storing this information indefinitely and this is achieved easily by assigning a "use-by date" to the e-cash, using a signature ($d = KR_{A,v}$, above) with a finite expiry date.

If A's bank and B's bank are the same, then the transfer step is redundant.

The generating bank only verifies $p = H(u_B \| s_B)$ and its signature of $p$ in $P$. It needs to be supplied with $u_B$ and $s_B$ separately rather than just $p$ because simply checking the signature of an arbitrary serial number directly is unsafe. For example, the number could be chosen so that its signature can be computed easily. If RSA signatures are used, then choosing $p = s^e \pmod{h_{RSA}}$, where $e = KU_{A,v}$ (using a proper RSA modulus $h_{RSA}$), ensures that it will have $s$ as its RSA signature.

After successful verification, the required amount of money is transferred from the generating bank to the receiving account. Note that encashment necessarily associates the e-cash with the receiving account, but the payer remains anonymous to the bank because of blinding.
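
The serial-number construction of section 3, the RSA blinding of section 3.1 and the encashment check of section 4 can be traced end to end in the following added example, which is not code from the paper. It assumes SHA-256 for $H$, a length-prefixed encoding for "||", and a constructed toy RSA key built from two Mersenne primes (not a secure key).

```python
# Added illustration (not the paper's code): recipient-specific serial number,
# RSA blind signing, and the bank's encashment check (sections 3, 3.1, 4).
import hashlib
import secrets
from math import gcd

# Constructed toy key for the issuing bank, one denomination v. NOT secure.
P_PRIME, Q_PRIME = 2**521 - 1, 2**607 - 1
N = P_PRIME * Q_PRIME                           # RSA modulus (h_RSA in the text)
E = 65537                                       # public exponent  e = KU_{A,v}
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))   # private exponent d = KR_{A,v}


def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so '||' is unambiguous (assumption)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def make_serial(a_B: bytes, x_B: bytes, n: bytes, s_B: bytes):
    """Recipient side: u_B = H(a_B||x_B||n) (eq. 1) and p = H(u_B||s_B)."""
    u_B = H(a_B, x_B, n)
    return u_B, int.from_bytes(H(u_B, s_B), "big")


def blind(p: int):
    """blind_r(p) = p * r^e mod N for a random r coprime to N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (p * pow(r, E, N)) % N, r


def bank_sign(blinded: int) -> int:
    """The issuing bank signs the blinded value; it never sees p."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """unblind_r({blind_r(p)}_d) = {p}_d, obtained by dividing out r."""
    return (blind_sig * pow(r, -1, N)) % N


def signature_ok(p: int, sig: int) -> bool:
    """Public check of P = <p, {p}_d> with the bank's public key."""
    return pow(sig, E, N) == p % N


def encash_ok(p: int, sig: int, u_B: bytes, s_B: bytes) -> bool:
    """Bank check at encashment: rebuild p from u_B and s_B, then check the signature."""
    return int.from_bytes(H(u_B, s_B), "big") == p and signature_ok(p, sig)


def pair_without_key(s: int):
    """Unsafe case from section 4: choose s first, then p = s^e mod N has s as its signature."""
    return pow(s, E, N), s


if __name__ == "__main__":
    # Constructed sample values for B's account, secret key, nonce and payment secret.
    u_B, p = make_serial(b"acct-0001", b"secret-x", b"nonce-1", b"pay-secret")
    blinded, r = blind(p)
    sig = unblind(bank_sign(blinded), r)
    print("valid payment encashes:", encash_ok(p, sig, u_B, b"pay-secret"))
    fp, fs = pair_without_key(123456789)
    print("chosen pair passes bare signature check:", signature_ok(fp, fs))
    print("chosen pair encashes:", encash_ok(fp, fs, u_B, b"pay-secret"))
```

The last two results show why the generating bank asks for $u_B$ and $s_B$ rather than $p$ alone: a pair chosen backwards from $s$ satisfies the signature equation but cannot be rebuilt from a hash preimage.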
5 TRANSFER PAYMENTS
Here B wishes to transfer the payment to C instead of encashing it.

The transfer currency serial has the form

$$q = H(u_C \| s_C), \tag{5}$$

C blinds $q$ to $q'$ and passes that on to B.

The essence of the transfer operation is to mark $P$ as transferred and then to stamp $Q$ as bearing the value of $P$ (where $Q$ is the signed version of $q$).
5.1 Online Transfer Payments
Here we assume that B is online with his bank. In this case the following operations can be performed.

B's bank is given $P$, the currency from which $Q$ is being derived. It first checks that $P$ has not already been encashed or transferred and then verifies a proof of the knowledge of either $(u_C \| s_C)$ or $(a_B \| x_B \| n)$ from B. The quantity $(u_C \| s_C)$ is enough to verify knowledgeable possession of the currency $P$. This could be treated as sufficient for the bank to transfer the value of the currency to $Q$, in which case the transfer takes place without the bank learning the identity of B. If it should be desirable to identify the payer B, then the second set of values ($(a_B \| x_B \| n)$ from B) needs to be verified by the bank. Identification of the payer could, for example, be a governmental regulation.

After the above step, the bank knows that $P$ has not yet been used and that the payer has the required knowledge of the currency. It can then update its database to indicate that $P$ has been transferred and then sign $q$ with its signature for the denomination of the currency $P$. $Q$ is the resulting signed serial number.

Note that if $P$ bears the signature of a bank different to B's bank, then B's bank can approach the bank that had signed $P$ to get the value of $P$ which it is transferring to $Q$.

Two important characteristics of this online transfer process are: (i) that the payer and the payee achieve the transfer without getting to know the serial numbers of each other's currencies (thus anonymity of both the payer and the payee is well preserved); (ii) that there is no possibility of double spending taking place as the bank ensures that the currency is marked as transferred.
5.2 Offline Transfer Payments
If the payer is not online with the bank at the time of transfer, then the above online scheme cannot be used. In general, offline schemes cannot prevent double spending but the scheme described below ensures that the double spender can be detected and identified after the act. In this scheme the payee will learn the serial number of the payer's currency but not his identity. The bank of the payer will get to know the identity of the payer. Neither the payer nor the payer's bank will learn the serial number of the payee's currency.
If B is not online with his bank when transferring the currency to C, it is not enough for B to just pass on $u_B$ and $s_B$ to C because these parameters are not enough to identify B. Such identification is needed in case B double spends $P$. The quantity $u_B$ for $p$ should be of the form $u_B = H(g^{(a_B \| x_B \| n)} \pmod{h})$ as in equation (2). A certified version of $u_B$ was mentioned in section 3, which we will denote $U_B$ here. The need for these will be explained further in section 5.5. B now passes on $q$, $U_B$, $s_B$ and also a zero-knowledge proof¹ (Goldreich et al., 1991) of $(a_B \| x_B \| n)$ to C. This proof enables C to verify the validity of the parameters of the currency he is receiving. Later, when C is online, he can pass on $P$, $s_B$ and this proof to B's bank to get $q$ signed by the bank as before to obtain $Q$. The zero-knowledge proof mentioned above can be made unique easily (with very high probability), so that if B were to double spend a copy of his money to $C'$, then that zero-knowledge proof would be a distinct one. Without this property the double spender could blame the payees for colluding to show up copies of a proof constructed for a bona fide payment. The way in which double spending can be identified is discussed in section 5.4. For now we assert that if B were to double spend in trying to transfer the payment offline, then he could be identified. Also, it is necessary to link up $p$ to $q$. The necessity for doing this and the method employed are explained in section 5.5.

¹ In cryptography, a zero-knowledge proof is an interactive method for one party to prove to another that an assertion is true, without actually revealing it.

There is evidently an asymmetry between the way the first payment and then subsequent transfer payments are made. This asymmetry is easily removed by considering the first payer in the chain as making the first payment to herself (A). Thus, A first generates electronic money payable to A's own account. In order to pay B, A transfers this money to B using the methods described above. All the actual payments then work out as transfer payments.
5.3 Zero-knowledge Proof
The zero-knowledge proof scheme utilizes the hardness of the discrete logarithm problem (Odlyzko, 1984), using a suitable (publicly known) base $g$ and a modulus $h$.

Consider a line $y = mx + e$, where $m$ is a secret and $e$ is a uniquely chosen intercept. If the owner of the secret is challenged with $x_0$, then he can respond with $y_0 = m x_0 + e$. In this case the challenger can only verify $y_0$ knowing $m$ and $e$. However, if the exponents $M = g^m \pmod{h}$ and $E = g^e \pmod{h}$ are made known to the challenger, the challenger can verify that $Y_0 = g^{y_0} = M^{x_0} E \pmod{h}$, without needing to know $m$ (or $e$).

For the transfer payment, we need a zero-knowledge proof for $m$ where $m = (a_B \| x_B \| n)$. Let $m' = a_B \| x_B$ and let $n$ be represented in $l$ bits, then

$$(a_B \| x_B \| n) = (a_B \| x_B)\,2^l + n = m'k + n, \tag{6}$$

where $k = 2^l$, a constant. We have $y_0 = (m'k + n)x_0 + e = m'(k x_0) + (n x_0 + e)$. Thus,

$$Y_0 = (M')^{k x_0} (g^n)^{x_0} E \pmod{h} \quad \text{where} \quad M' = g^{m'} \pmod{h} \tag{7}$$

$M'$, $g^n$, $E$ and $d$ are disclosed to C for use in checking zero-knowledge proofs. In addition, we can require $M'$ to be signed by B's bank. This is possible because $m'$ is a fixed quantity known to both B and his bank. This allows the recipient C to verify B's knowledge of $(a_B \| x_B \| n)$ and then to verify $p = H(u_B \| s_B)$. C can pass on this proof to B's bank at a later stage when he is online with B's bank to get the required special signature.

Everything that is done in the online transfer method also needs to be done in the offline transfer method. The only difference is that the transfer signature from the bank is taken later, when the bank becomes online, and then verification of the knowledge of $(a_B \| x_B \| n)$ is done by replaying the zero-knowledge proof to the bank, in the absence of the payer (B).
5.4 Identification of the Double Spender
The online process requires B's bank to identify the party (B) transferring the currency and to check that there is not an attempt at double spending. Thus B cannot commit double spending without taking recourse to the offline transfer mechanism. In the latter case, we noted in the explanation above that $m' = a_B \| x_B$ is fixed for B and $M' = g^{m'} \pmod{h}$ is required in the zero-knowledge proof which is essential to the offline transfer process. Now, for all the account holders ($X$), the bank can enforce a one-to-one correspondence between their $m'(X) = a_X \| x_X$, $M'(X) = g^{m'(X)} \pmod{h}$ and $a_X$ values. The bank can, therefore, efficiently associate a received $M'(X)$ with the corresponding $a_X$ and hence, the account holder $X$. Double spending occurs if the bank is called upon to honour a credit request for a currency with a serial number that it has already either credited or transferred (by the online process). In either case the bank has the $M'(X)$ (or additionally the $a_X$) value of the double spender $X$, for the $u_X$ and also $p$ values of the doubly spent currency. Thus, if a double payment does occur then this scheme will definitely identify the culprit with the help of his bank. This is an improvement on some other double payment prevention schemes that only identify the culprit with high probability (Tewari et al., 1998). Those schemes often have a high computation penalty or a reliance on tamper resistant devices which is not the case with this scheme.
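
The payee's check from section 5.3 (equation (7) plus recomputing $u_B$ from $M'$ and $g^n$) and the bank's lookup from section 5.4 are sketched in the following added example, which is not code from the paper. It assumes SHA-256 for $H$, a constructed toy prime modulus, base 3 and a 64-bit nonce; the class and function names are hypothetical.

```python
# Added illustration (not the paper's code) of the checks in sections 5.3 and 5.4.
import hashlib

H_MOD = 2**127 - 1     # constructed toy prime modulus h (far too small for real use)
G = 3                  # assumed public base g
L_BITS = 64            # l: bit length of the nonce n
K = 2**L_BITS          # k = 2^l


def to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


def hash_int(value: int) -> bytes:
    """H applied to g^m mod h as in eq. (2); fixed 16-byte encoding is an assumption."""
    return hashlib.sha256(value.to_bytes(16, "big")).digest()


class Payer:
    def __init__(self, a_B: bytes, x_B: bytes, n: int):
        self.m_prime = to_int(a_B + x_B)       # m' = a_B || x_B, fixed per account
        self.n = n
        self.m = self.m_prime * K + n          # eq. (6): m = m'k + n

    def public_values(self):
        """Values disclosed to the payee: M', g^n and u_B."""
        return (pow(G, self.m_prime, H_MOD), pow(G, self.n, H_MOD),
                hash_int(pow(G, self.m, H_MOD)))

    def commit(self, e: int) -> int:
        self._e = e                            # uniquely chosen intercept
        return pow(G, e, H_MOD)                # E = g^e mod h

    def respond(self, x0: int) -> int:
        return self.m * x0 + self._e           # y0 = m*x0 + e, over the integers


def verify_transfer(M_prime, g_n, E, u_B, x0, y0) -> bool:
    """Payee (or bank, on replay) check that never needs m, m' or e."""
    g_m = (pow(M_prime, K, H_MOD) * g_n) % H_MOD      # g^m = (M')^k * g^n
    if hash_int(g_m) != u_B:                          # u_B must match eq. (2)
        return False
    rhs = (pow(M_prime, K * x0, H_MOD) * pow(g_n, x0, H_MOD) * E) % H_MOD
    return pow(G, y0, H_MOD) == rhs                   # eq. (7)


class Bank:
    def __init__(self):
        self.accounts = {}     # M'(X) -> account number a_X (one-to-one)
        self.seen = {}         # serial p -> M' presented with it

    def register(self, a_X: bytes, x_X: bytes):
        self.accounts[pow(G, to_int(a_X + x_X), H_MOD)] = a_X

    def honour(self, p: bytes, M_prime: int):
        """Return None for a fresh serial, else the account behind the repeated spend."""
        if p in self.seen:
            return self.accounts.get(M_prime)
        self.seen[p] = M_prime
        return None


if __name__ == "__main__":
    # Constructed sample account, key, nonce, intercept and challenge.
    bank = Bank()
    bank.register(b"ACCT0001", b"secretxB")
    payer = Payer(b"ACCT0001", b"secretxB", n=0x1122334455667788)
    M_prime, g_n, u_B = payer.public_values()
    E = payer.commit(e=987654321987654321)
    y0 = payer.respond(x0=424242)
    print("proof verifies:", verify_transfer(M_prime, g_n, E, u_B, 424242, y0))
    print("first presentation:", bank.honour(b"serial-p", M_prime))
    print("second presentation:", bank.honour(b"serial-p", M_prime))
```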
5.5 Safety of Offline Transfer Payments
In section 5.2 it was noted that the value of $u_B$, as defined in equation (2), needs to be properly signed. This is because anyone who has received a transfer payment from B (say) knows $M'$ (in equation (7)) and can generate new values of $u_B$. This enables the recipient to now manufacture serial numbers for currency which can be used for spurious payments that can be traced back to B. This is prevented as follows. $u_B$ is signed by B (with a special signature key $d_{T,B}$ for such transfers). This signature is again signed by B's bank. While signing, the bank needs to be sure that it is signing $u_B$ for B. The bank cannot be shown $n$ until the time the money is encashed. Therefore, B's bank injects the identity of B by signing $\{u_B\}_{(d_{T,B})} M'$, where $M'$ is defined in equation (7). It was discussed in section 5.3 that $M'$ embeds the identity of B. To prevent replays of this signature B now ties up the serial number $p$ of the currency to be transferred to the blinded value of serial number $q'$ of the new currency, by signing $pq'$ as $\{pq'\}_{(d_{T,B})}$. C unblinds this to get $\{pq\}_{(d_{T,B})}$. This signature from B certifies that $q$ was derived from $p$. No one else can produce such a signature and so this prevents spurious transfer currencies from being manufactured and circulated.

At the time of accepting a transfer payment the payee should verify the signature of $\{u_B\}_{(d_{T,B})} M'$ and $\{pq\}_{(d_{T,B})}$ from B's bank. B's bank signs the transfer currency $q$ only if all the signatures and expressions check out correctly.
6 CONCLUSIONS
A new scheme for electronic money has been proposed that differs from existing schemes in that e-cash is created for a specific recipient in any transaction. Details of the scheme were provided to demonstrate that both anonymity and transferability are possible with recipient specific e-cash using variations of well established mechanisms such as blinding (Chaum, 1983). Although the basic scheme is an online one, an offline version was also discussed along with details of how this would work. The mechanisms discussed ensure both authentication and integrity of the electronic instrument and support transferability both offline and online. Details of how payment confidentiality, anonymity and untraceability can be maintained by both variants were also discussed.

The online scheme naturally prevents double spending while the offline scheme identifies the double spender. Details were provided to indicate how such an identification can be made. Zero-knowledge proofs were employed as a mechanism to enable offline transfers without revealing information that could compromise anonymity. The schemes do not rely on secret splitting as discussed in (Chaum et al., 1990) and are computationally more efficient than schemes that do use secret splitting.
REFERENCES
Bellare, M. and Kohno, T. (2004). Hash function balance and its impact on birthday attacks. In EUROCRYPT, pages 401–418.

Brands, S. (1994). Untraceable off-line cash in wallets with observers (extended abstract). In Stinson, D. R., editor, CRYPTO '93: Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology, volume 773 of Lecture Notes in Computer Science, pages 302–318, Santa Barbara, California, USA. Springer.

Brands, S. A. (1993). An efficient off-line electronic cash system based on the representation problem. In 246, page 77. Centrum voor Wiskunde en Informatica (CWI), Amsterdam.

Chaum, D. (1983). Blind signatures for untraceable payments. In CRYPTO '82, pages 199–203, New York, USA. Plenum Press.

Chaum, D., Fiat, A., and Naor, M. (1990). Untraceable electronic cash. In CRYPTO '88: Proceedings on Advances in cryptology, pages 319–327, Santa Barbara, California, USA. Springer.

Chaum, D. and Pedersen, T. P. (1993a). Transferred cash grows in size. In CRYPTO '92: Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology, volume 658, pages 390–407, Santa Barbara, California, USA. Springer.

Chaum, D. and Pedersen, T. P. (1993b). Wallet databases with observers. In CRYPTO '92: Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology, volume 658, pages 89–105, Santa Barbara, California, USA. Springer.

Goldreich, O., Micali, S., and Wigderson, A. (1991). Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM, 38(3):690–728.

Odlyzko, A. M. (1984). Discrete logarithms in finite fields and their cryptographic significance. In Theory and Application of Cryptographic Techniques, volume 209, pages 224–314. Springer-Verlag, Berlin.

Okamoto, T. (1995). An efficient divisible electronic cash scheme. Lecture Notes in Computer Science, 963:438–451.

Okamoto, T. and Ohta, K. (1992). Universal electronic cash. In CRYPTO '91: Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology, pages 324–337, Santa Barbara, California, USA. Springer.

Committee on Payment and Settlement Systems (2004). Bank for International Settlements.

Pilioura, T. (1998). Electronic payment systems on open computer networks: a survey. In Tsichritzis, D., editor, Electronic Commerce Objects, pages 197–228. Centre Universitaire d'Informatique, University of Geneva.

Tewari, H., O'Mahony, D., and Peirce, M. (1998). Reusable off-line electronic cash using secret splitting. Technical report, Trinity College, Department of Computer Science, Trinity College, Dublin.