3.3 Summary of Proposed Implementations

We can now present summaries of the main off-line cash schemes from the academic literature. There are three: those of Chaum-Fiat-Naor [4], Brands [1], and Ferguson [9].

Chaum-Fiat-Naor. This was the first electronic cash scheme, and is the simplest conceptually. The Bank creates an electronic coin by performing a blind RSA signature on Alice's withdrawal request, after having verified interactively that Alice has included her identifying information on the coin. The prevention of multiple spending is accomplished by the cut-and-choose method. For this reason, this scheme is relatively inefficient.

Brands. Brands' scheme is Schnorr-based.8 Indeed, a Schnorr protocol is used twice: at withdrawal, the Bank performs a blind Chaum-Pedersen signature, and then Alice performs a Schnorr possession proof as the challenge-and-response part of the spending protocol. The withdrawal step produces a coin which contains the Bank's signature, authenticating both Alice's identifying information and the shadow of the line to be used for the possession proof. This commits Alice to using that particular line in the spending step. If she re-spends the coin, she must use the same line twice, enabling the Bank to identify her.

The Brands scheme is considered by many to be the best of the three, for two reasons. First, it avoids the awkward cut-and-choose technique. Second, it is based only on the Schnorr protocols, and so it can be implemented in various settings such as elliptic curves.

Ferguson. Ferguson's scheme is RSA-based like Chaum-Fiat-Naor, but it uses the "two-points-on-a-line" principle like Brands. The signature it uses is not the blind RSA signature as described above, but a variant called a randomized blind RSA signature. The ordinary blind RSA scheme has the drawback that the Bank has absolutely no idea what it is signing.
As mentioned above, this is not a problem in the cut-and-choose case, but in this case it can allow a payer to defeat the mechanism for identifying multiple spenders. The randomized version avoids this problem by having both Alice and the Bank contribute random data to the message. The Bank still doesn't know what it is signing, but it knows that the data was not chosen maliciously.

The rest of the protocol is conceptually similar to Brands' scheme. The message to be signed by the Bank contains, in addition to the random data, the shadow of a line whose slope and intercept reveal Alice's identity. During payment, Alice reveals a point on this line; if she does so twice, the Bank can identify her.

Although Ferguson's scheme avoids the cut-and-choose technique, it is the most complicated of the three (due largely to the randomized blind RSA signature). Moreover, it cannot be implemented over elliptic curves since it is RSA-based.

__________
8 For ease of exposition, we give a simplified account of Brands' protocol.

4. OPTIONAL FEATURES OF OFF-LINE CASH

Much of the recent literature on off-line cash has focused on adding features to make it more convenient to use. In this chapter we will discuss two of these features.

4.1 Transferability

Transferability is a feature of paper cash that allows a user to spend a coin that he has just received in a payment without having to contact the Bank in between. We refer to a payment as a transfer if the payee can use the received coin in a subsequent payment. A payment system is transferable if it allows at least one transfer per coin. Figure 2 shows a maximum length path of a coin in a system which allows two transfers. The final payment is not considered a transfer because it must be deposited by the payee. Transferability would be a convenient feature for an off-line cash system because it requires less interaction with the Bank.
(A transferable electronic cash system is off-line by definition, since on-line systems require communication with the Bank during each payment.)

Figure 2. A maximum length path of a coin in a system which allows 2 transfers per coin.

Transferable systems have received little attention in academic literature. The schemes presented in 3.3 are not transferable because the payee cannot use a received coin in another payment - his only options are to deposit or to exchange it for new coins at the Bank.

Any transferable electronic cash system has the property that the coin must "grow in size" (i.e., accumulate more bits) each time it is spent. This is because the coin must contain information about every person who has spent it so that the Bank maintains the ability to identify multiple spenders. (See [5].) This growth makes it impossible to allow an unlimited number of transfers. The maximum number of transfers allowed in any given system will be limited by the allowable size of the coin.

There are other concerns with any transferable electronic cash system, even if the number of transfers per coin is limited, and we remove the anonymity property. Until the coin is deposited, the only information available to the Bank is the identity of the individual who originally withdrew the coin. Any other transactions involving that withdrawal can only be reconstructed with the cooperation of each consecutive spender of that coin. This poses the same problems that paper cash poses for detecting money laundering and tax evasion: no records of the transactions are available.

In addition, each transfer delays detection of re-spent or forged coins. Multiple spending will not be noticed until two copies of the same coin are eventually deposited. By then it may be too late to catch the culprit, and many users may have accepted counterfeit coins. Therefore, detection of multiple spending after the fact may not provide a satisfactory solution for a transferable electronic cash system.
A transferable system may need to rely on physical security to prevent multiple spending. (See 5.1.)

4.2 Divisibility

Suppose that Alice is enrolled in a non-transferable, off-line cash system, and she wants to purchase an item from Bob that costs, say, $4.99. If she happens to have electronic coins whose values add up to exactly $4.99 then she simply spends these coins. However, unless Alice has stored a large reserve of coins of each possible denomination, it is unlikely that she will have the exact change for most purchases. She may not wish to keep such a large reserve of coins on hand for some of the same reasons that one doesn't carry around a large amount of cash: loss of interest and fear of the cash being stolen or lost. Another option is for Alice to withdraw a coin of the exact amount for each payment, but that requires interaction with the Bank, making the payment on-line from her point of view. A third option is for Bob to pay Alice the difference between her payment and the $4.99 purchase price. This puts the burden of having an exact payment on Bob, and also requires Alice to contact the Bank to deposit the "change."

A solution to Alice's dilemma is to use divisible coins: coins that can be "divided" into pieces whose total value is equal to the value of the original coin. This allows exact off-line payments to be made without the need to store a supply of coins of different denominations. Paper cash is obviously not divisible, but lack of divisibility is not as much of an inconvenience with paper cash because it is transferable. Coins that are received in one payment can be used again in the next payment, so the supply of different denominations is partially replenished with each transaction. (Imagine how quickly a cashier would run out of change if paper cash were not transferable and each payment was put in a separate bin set aside for the next bank deposit!)
Three divisible off-line cash schemes have been proposed, but at a cost of a longer transaction time and additional storage. Eng and Okamoto's divisible scheme [7] is based on the "cut and choose" method. Okamoto [11] is much more efficient and is based on Brands' scheme but will also work on Ferguson's scheme. Okamoto and Ohta [12] is the most efficient of the three, but also the most complicated. It relies on the difficulty of factoring and on the difficulty of computing discrete logarithms.

Figure 3. A binary tree for a divisible coin worth $4.00, with a minimum unit of $1.00. A $3.00 payment can be made by spending the shaded nodes. Node 1 cannot be used in a subsequent payment because it is an ancestor of nodes 2 and 6. Nodes 4 and 5 cannot be used because they are descendants of node 2. Node 3 cannot be used because it is an ancestor of node 6. Nodes 2 and 6 cannot be used more than once, so node 7 is the only node which can be spent in a subsequent payment.

All three of these schemes work by associating a binary tree with each coin of value $w. (See Figure 3.) Each node is assigned a monetary value as follows: the unique root node (the node at level 0) has value $w, the two nodes at level 1 each have value $w/2, the four nodes at level 2 each have value $w/4, etc. Therefore, if w = 2^l, then the tree has l + 1 levels, and the nodes at level j each have value $w/2^j. The leaves of the tree are the nodes at level l, and have the minimum unit of value.

To spend the entire amount of value $w, the root node is used. Amounts less than $w can be spent by spending a set of nodes whose values add up to the desired amount. Initially, any whole dollar amount of up to $w can be spent. Subsequent payments are made according to the following rules:

1. Once a node is used, all its descendant and ancestor9 nodes cannot be used.
2. No node can be used more than once.

These two rules insure that no more than one node is used on any path from the root to a leaf.
If these two rules are observed, then it will be impossible to spend more than the original value of the coin. If either of these rules is broken, then two nodes on the same path are used, and the information in the two corresponding payments can be combined to reveal the identity of the individual that over-spent in the same way that the identity of a multiple spender is revealed.

More specifically, in the Eng/Okamoto and Okamoto schemes, each user has a secret value, s, which is linked to their identity (uncovering s will uncover their identity, but not vice-versa). Each node i is assigned a secret value, t_i. Hence, each node i corresponds to a line y = sx + t_i. When a payment is made using a particular node n, t_i will be revealed for all nodes i that are ancestors of node n. Then the payee sends a challenge x_1 and the payer responds with y_1 = sx_1 + t_n. This reveals a point (x_1, y_1) on the line y = sx + t_n, but does not reveal the line itself. If the same node is spent twice, then responses to two independent challenges, x_1 and x_2, will reveal two points on the same line: (x_1, y_1) and (x_2, y_2). Then the secret value s can be recovered using the two-points-on-a-line principle described in 3.2.

If someone tries to overspend a coin, then two nodes in the same path will be used. Suppose that nodes n and m are in the same path, and node n is farther from the root on this path. Spending node n will reveal t_m, since node m is an ancestor of node n. Now if node m is also spent, then the response to a challenge x_1 will be y_1 = sx_1 + t_m. But t_m was revealed when t_n was spent, so sx_1 and hence s will be revealed. Therefore, spending two nodes in the same path will reveal the identity of the over-spender.
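
The tree rules and the two ways the secret s leaks, as an added example that is not code from the paper or from any of the cited schemes. It assumes heap-style node numbering (root 1, children 2i and 2i+1, which matches the Figure 3 description), arithmetic modulo an assumed prime P, and hypothetical names throughout; blind signatures and commitments are left out, so only the line arithmetic is shown.

```python
# Added illustration of the divisible-coin tree and identity exposure.
# Toy arithmetic only: no signatures, no commitments. All names are hypothetical.
import secrets

P = 2**127 - 1  # assumed prime modulus (a Mersenne prime)


def ancestors(n):
    """Ancestors of node n; root is 1, children of node i are 2i and 2i+1."""
    out = []
    while n > 1:
        n //= 2
        out.append(n)
    return out


def node_value(n, w):
    """Nodes at level j of a coin worth w are worth w / 2^j."""
    level = n.bit_length() - 1
    return w // 2**level


def spendable(used, levels):
    """Nodes still usable under Rules 1 and 2 for a tree with levels+1 levels."""
    blocked = set(used)                      # Rule 2: no node twice
    for u in used:
        blocked.update(ancestors(u))         # Rule 1: ancestors of a used node
    return [n for n in range(1, 2**(levels + 1))
            if n not in blocked
            and not any(a in used for a in ancestors(n))]  # Rule 1: descendants


class Coin:
    """Payer-side state: identity-linked secret s and one intercept t_i per node."""

    def __init__(self, levels):
        self.s = secrets.randbelow(P - 1) + 1
        self.t = {n: secrets.randbelow(P) for n in range(1, 2**(levels + 1))}

    def pay(self, node, x):
        """Payment transcript for `node` under challenge x.

        Deliberately does not enforce the rules: enforcement is exactly what
        the deposit-time check below stands in for.
        """
        return {
            "node": node,
            "x": x,
            "y": (self.s * x + self.t[node]) % P,                 # point on y = sx + t_n
            "revealed_t": {a: self.t[a] for a in ancestors(node)},
        }


def recover_secret(deposits):
    """Bank side: return s if the transcripts break Rule 1 or 2, else None."""
    for i, a in enumerate(deposits):
        for b in deposits[i + 1:]:
            dx = (a["x"] - b["x"]) % P
            if a["node"] == b["node"] and dx != 0:
                # Same node, two challenges: two points on one line give the slope.
                return (a["y"] - b["y"]) * pow(dx, -1, P) % P
            for deep, shallow in ((a, b), (b, a)):
                m = shallow["node"]
                if m in deep["revealed_t"] and shallow["x"] % P != 0:
                    # t_m was disclosed when the descendant was spent,
                    # so y = s*x + t_m has s as its only unknown.
                    t_m = deep["revealed_t"][m]
                    return (shallow["y"] - t_m) * pow(shallow["x"], -1, P) % P
    return None


if __name__ == "__main__":
    coin = Coin(levels=2)                    # $4 coin, $1 minimum unit
    print("after spending 2 and 6:", spendable({2, 6}, 2))
    honest = [coin.pay(2, 11), coin.pay(6, 12)]
    print("honest deposits expose s:", recover_secret(honest) is not None)
    over = honest + [coin.pay(3, 13)]        # node 3 is an ancestor of node 6
    print("overspend exposes s:", recover_secret(over) == coin.s)
```

Two identical transcripts (same node, same challenge) yield nothing new here, because they are the same point; the line is only pinned down once a second, different challenge is answered.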
The Okamoto/Ohta divisible scheme also uses a binary tree with the same rules for using nodes to prevent multiple and over-spending, but when nodes are used improperly, a different technique is used to determine the identity of the spender. Instead of hiding the user's identifying secret in a line for which a point is revealed when a coin is spent, the user's identifying secret is hidden in the factorization of an RSA modulus. Spending the same node twice, or spending two nodes on the same path will provide enough information for the Bank to factor the modulus (which is part of the coin) and then compute the user's secret identifying information.

Although these three divisible schemes are untraceable, payments made from the same initial coin may be "linked" to each other, meaning that it is possible to tell if two payments came from the same coin and hence the same person. This does not reveal the payer's identity if both payments are valid (follow Rules 1 and 2, above), but revealing the payer's identity for one purchase would reveal that payer's identity for all other purchases made from the same initial coin.

These are three examples of off-line cash schemes that have divisible coins. Although providing divisibility complicates the protocol, it can be accomplished without forfeiting untraceability or the ability to detect improper spenders. The most efficient divisible scheme has a transaction time and required memory per coin proportional to the logarithm of N, where N is the total coin value divided by the value of the minimum divisible unit. More improvements in the efficiency of divisible schemes are expected, since the most recent improvement was just presented in 1995.

__________
9 A descendant of a node n is a node on a path from node n to a leaf. An ancestor of node n is a node on the path from node n to the root node.

5. SECURITY ISSUES

In this section we discuss some issues concerning the security of electronic cash.
First, we discuss ways to help prevent multiple spending in off-line systems, and we describe the concept of wallet observers. We also discuss the consequences of an unexpected failure in the system's security. Finally, we describe a solution to some of the law enforcement problems that are created by anonymity.

5.1 Multiple Spending Prevention

In 1.3, we explained that multiple spending can be prevented in on-line payments by maintaining a database of spent electronic coins, but there is no cryptographic method for preventing an off-line coin from being spent more than once. Instead, off-line multiple spending is detected when the coin is deposited and compared to a database of spent coins. Even in anonymous, untraceable payment schemes, the identity of the multiple-spender can be revealed when the abuse is detected. Detection after the fact may be enough to discourage multiple spending in most cases, but it will not solve the problem. If someone were able to obtain an account under a false identity, or were willing to disappear after re-spending a large sum of money, they could successfully cheat the system.

One way to minimize the problem of multiple spending in an off-line system is to set an upper limit on the value of each payment. This would limit the financial losses to a given merchant due to accepting coins that have been previously deposited. However, this will not prevent someone from spending the same small coin many times in different places.

In order to prevent multiple spending in off-line payments, we need to rely on physical security. A "tamper-proof" card could prevent multiple spending by removing or disabling a coin once it is spent. Unfortunately, there is no such thing as a truly "tamper-proof" card. Instead, we will refer to a "tamper-resistant" card, which is physically constructed so that it is very difficult to modify its contents.
This could be in the form of a smart card, a PC card10, or any storage device containing a tamper-resistant computer chip. This will prevent abuse in most cases, since the typical criminal will not have the resources to modify the card. Even with a tamper-resistant card, it is still essential to provide cryptographic security to prevent counterfeiting and to detect and identify multiple spenders in case the tamper-protection is somehow defeated. Also, setting limits on the value of off-line payments would reduce the cost-effectiveness of tampering with the card.

Tamper-resistant cards can also provide personal security and privacy to the cardholder by making it difficult for adversaries to read or modify the information stored on the card (such as secret keys, algorithms, or records).

__________
10 Formerly PCMCIA, or Personal Computer Memory Card International Association.

5.2 Wallet Observers

All of the basic off-line cash schemes presented in 3.3 can cryptographically detect the identity of multiple spenders, but the only way to prevent off-line multiple spending is to use a tamper-resistant device such as a smart card. One drawback of this approach is that the user must put a great deal of trust in this device, since the user loses the ability to monitor information entering or leaving the card. It is conceivable that the tamper-resistant device could leak private information about the user without the user's knowledge.

Chaum and Pedersen [6] proposed the idea of embedding a tamper-resistant device into a user-controlled outer module in order to achieve the security benefits of a tamper-resistant device without requiring the user to trust the device. They call this combination an electronic wallet (see Figure 4). The outer module (such as a small hand-held computer or the user's PC) is accessible to the user. The inner module which cannot be read or modified is called the "observer."
All information which enters or leaves the observer must pass through the outer module, allowing the user to monitor information that enters or leaves the card. However, the outer module cannot complete a transaction without the cooperation of the observer. This gives the observer the power to prevent the user from making transactions that it does not approve of, such as spending the same coin more than once.

Figure 4. An electronic wallet.

Brands [1] and Ferguson [8] have both shown how to incorporate observers into their respective electronic cash schemes to prevent multiple spending. Brands' scheme incorporates observers in a much simpler and more efficient manner. In Brands' basic scheme, the user's secret key is incorporated into each of his coins. When a coin is spent, the spender uses his secret to create a valid response to a challenge from the payee. The payee will verify the response before accepting the payment. In Brands' scheme with wallet observers, this user secret is shared between the user and his observer. The combined secret is a modular sum of the two shares, so one share of the secret reveals no information about the combined secret. Cooperation of the user and the observer is necessary in order to create a valid response to a challenge during a payment transaction. This is accomplished without either the user or the observer revealing any information about its share of the secret to the other. It also prevents the observer from controlling the response; hence the observer cannot leak any information about the spender.

An observer could also be used to trace the user's transactions at a later time, since it can keep a record of all transactions in which it participates. However, this requires that the Bank (or whoever is doing the tracing) must be able to obtain the observer and analyze it. Also, not all types of observers can be used to trace transactions.
Brands and Ferguson both claim that they can incorporate observers into their schemes and still retain untraceability of the users' transactions, even if the observer used in the transactions has been obtained and can be analyzed.

5.3 Security Failures

Types of failures. In any cryptographic system, there is some risk of a security failure. A security failure in an electronic cash system would result in the ability to forge or duplicate money. There are a number of different ways in which an electronic cash system could fail.

One of the most serious types of failure would be that the cryptography (the protocol or the underlying mathematics) does not provide the intended security.11 This could enable someone to create valid looking coins without knowledge of an authorized bank's secret key, or to obtain valid secret keys without physical access to them. Anyone who is aware of the weakness could create coins that appear to come from a legitimate bank in the system.

Another serious type of failure could occur in a specific implementation of the system. For example, if the bank's random number generator is not a good one, one may be able to guess the secret random number and use it to compute the secret keys that are used to create electronic money.

Even if the cryptography and the implementation are secure, the security could fail because of a physical compromise. If a computer hacker, thief, dishonest bank employee, or a rogue state were to gain access to the bank's secret key they could create counterfeit money. If they gain access to a user's secret key they could spend that user's money. If they could modify the user or bank's software they could destroy the security of the system.

The above failure scenarios apply, not only to the electronic cash system, but also to the underlying authentication infrastructure. Any form of electronic commerce depends heavily on the ability of users to trust the authentication mechanisms.
So if, for example, an attacker could demonstrate a forgery of the certification authority's digital signature, it would undermine the users' trust in their ability to identify each other. Thus the certification authorities need to be secured as thoroughly as do the banks.

Consequences of a failure. All three of the basic schemes described in this paper are anonymous, which makes it impossible for anyone to connect a deposited coin to the originating bank's withdrawal record of that coin. This property has serious consequences in the event of a security failure leading to token forgery. When a coin is submitted for deposit, it is impossible to determine if it is forged. Even the originating bank is unable to recognize its own coins, preventing detection of the compromise. It is conceivable that the compromise will not be detected until the bank realizes that the total value of deposits of its electronic cash exceeds the amount that it has created with a particular key. At this point the losses could be devastating.

After the key compromise is discovered, the bank will still be unable to distinguish valid coins from invalid ones since deposits and withdrawals cannot be linked. The bank would have to change its secret key and invalidate all coins which were signed with the compromised key. The bank can replace coins that have not yet been spent, but the validity of untraceable coins that have already been spent or deposited cannot be determined without cooperation of the payer. Payment untraceability prevents the Bank from determining the identity of the payer, and payer anonymity prevents even the payee from identifying the payer.

It is possible to minimize this damage by limiting the number of coins affected by a single compromise. This could be done by changing the Bank's public key at designated time intervals, or when the total value of coins issued by a single key exceeds a designated limit.
However, this kind of compartmentation reduces the anonymity by shrinking the pool of withdrawals that could correspond to a particular deposit and vice versa.

__________
11 We are unaware of anything in the literature that would suggest this type of failure with the protocols discussed in this paper.

5.4 Restoring Traceability

The anonymity properties of electronic cash pose several law enforcement problems because they prevent withdrawals and deposits from being linked to each other. We explained in the previous section how this prevents detection of forged coins. Anonymity also makes it difficult to detect money laundering and tax evasion because there is no way to link the payer and payee. Finally, electronic cash paves the way for new versions of old crimes such as kidnapping and blackmail (see [13]) where money drops can now be carried out safely from the criminal's home computer.12

One way to minimize these concerns is to require large transactions or large numbers of transactions in a given time period to be traceable. This would make it more difficult to commit crimes involving large sums of cash. However, even a strict limit such as a maximum of $100 a day on withdrawals and deposits can add up quickly, especially if one can open several accounts, each with its own limit. Also, limiting the amount spent in a given time period would have to rely on a tamper-resistant device.

Another way to minimize these concerns is to provide a mechanism to restore traceability under certain conditions, such as a court order. Traceability can be separated into two types by its direction. Forward traceability is the ability to identify a deposit record (and hence the payee), given a withdrawal record (and hence the identity of the payer). In other words, if a search warrant is obtained for Alice, forward tracing will reveal where Alice has spent her cash.
Backward traceability is the ability to identify a withdrawal record (and hence the payer), given a deposit record (and hence the identity of the payee). Backward tracing will reveal who Alice has been receiving payments from.

A solution that conditionally restores both forward and backward traceability into the cut-and-choose scheme is presented by Stadler, Piveteau, and Camenisch in [14]. In the basic cut-and-choose scheme, an identifying number is associated with each withdrawal record and a different identifying number is associated with each deposit record, although there is no way to link these two records to each other.

To provide a mechanism for restoring backward traceability, the withdrawal number (along with some other data which cannot be associated with the withdrawal) is encrypted with a commonly trusted entity's public key and incorporated into the coin itself. This encrypted withdrawal number is passed to the payee as part of the payment protocol, and then will be passed along to the bank when the coin is deposited by the payee. The payer performs the encryption during the withdrawal transaction, but the bank can insure that the encryption was done properly. If the required conditions for tracing are met, the payment or deposit can be turned over to the trusted entity holding the secret key to decrypt the withdrawal number. This withdrawal number will allow the bank to access its withdrawal records, identifying the payer.

To provide a mechanism for restoring forward traceability, the payer must commit to a deposit number at the time that the coin is withdrawn. The payer encrypts this deposit number with a commonly trusted entity's public key (along with some other data that cannot be associated with the deposit) and must send this value to the bank as part of the withdrawal protocol. The bank is able to determine that the payer has not cheated, although it only sees the deposit number in encrypted form.
If the required conditions for tracing are met, the withdrawal record can be turned over to the trusted entity holding the secret key to decrypt the deposit number. The bank can use this deposit number to identify the depositor (the payee).

Stadler et al. have shown that it is possible to provide a mechanism for restoring traceability in either or both directions. This can be used to provide users with anonymity, while solving many of the law enforcement problems that exist in a totally untraceable system. The ability to trace transactions in either direction can help law enforcement officials catch tax evaders and money launderers by revealing who has paid or has been paid by the suspected criminal. Electronic blackmailers can be caught because the deposit numbers of the victim's ill-gotten coins could be decrypted, identifying the blackmailer when the money is deposited.

The ability to restore traceability does not solve one very important law enforcement problem: detecting forged coins. Backwards tracing will help identify a forged coin if a particular payment or deposit (or depositor) is under suspicion. In that case, backwards tracing will reveal the withdrawal number, allowing the originating bank to locate its withdrawal record and verify the validity of the coin. However, if a forged coin makes its way into the system it may not be detected until the bank whose money is being counterfeited realizes that the total value of its electronic cash deposits using a particular key exceeds the values of its withdrawals. The only way to determine which deposits are genuine and which are forged would require obtaining permission to decrypt the withdrawal numbers for each and every deposit of electronic cash using the compromised key. This would violate the privacy that anonymous cash was designed to protect.

Unfortunately, the scheme of [14] is not efficient because it is based on the bulky cut-and-choose method.
However, it may be possible to apply similar ideas to restore traceability in a more efficient electronic cash scheme.

__________
12 We will not focus on such crimes against individuals, concentrating instead on crimes against the Government, the banking system, and the national economy.

CONCLUSION

This report has described several innovative payment schemes which provide user anonymity and payment untraceability. These electronic cash schemes have cryptographic mechanisms in place to address the problems of multiple spending and token forgery. However, some serious concerns about the ability of an electronic cash system to recover from a security failure have been identified. Concerns about the impact of anonymity on money laundering and tax evasion have also been discussed.

Because it is simple to make an exact copy of an electronic coin, a secure electronic cash system must have a way to protect against multiple spending. If the system is implemented on-line, then multiple spending can be prevented by maintaining a database of spent coins and checking this list with each payment. If the system is implemented off-line, then there is no way to prevent multiple spending cryptographically, but it can be detected when the coins are deposited. Detection of multiple spending after-the-fact is only useful if the identity of the offender is revealed. Cryptographic solutions have been proposed that will reveal the identity of the multiple spender while preserving user anonymity otherwise.

Token forgery can be prevented in an electronic cash system as long as the cryptography is sound and securely implemented, the secret keys used to sign coins are not compromised, and integrity is maintained on the public keys. However, if there is a security flaw or a key compromise, the anonymity of electronic cash will delay detection of the problem. Even after the existence of a compromise is detected, the Bank will not be able to distinguish its own valid coins from forged ones.
Since there is no way to guarantee that the Bank's secret keys will never be compromised, it is important to limit the damage that a compromise could inflict. This could be done by limiting the total value of coins issued with a particular key, but lowering these limits also reduces the anonymity of the system since there is a smaller pool of coins associated with each key.

The untraceability property of electronic cash creates problems in detecting money laundering and tax evasion because there is no way to link the payer and payee. To counter this problem, it is possible to design a system that has an option to restore traceability using an escrow mechanism. If certain conditions are met (such as a court order), a deposit or withdrawal record can be turned over to a commonly trusted entity who holds a key that can decrypt information connecting the deposit to a withdrawal or vice versa. This will identify the payer or payee in a particular transaction. However, this is not a solution to the token forgery problem because there may be no way to know which deposits are suspect. In that case, identifying forged coins would require turning over all of the Bank's deposit records to the trusted entity to have the withdrawal numbers decrypted.

We have also looked at two optional features of off-line electronic cash: transferability and divisibility. Because the size of an electronic coin must grow with each transfer, the number of transfers allowed per coin must be limited. Also, allowing transfers magnifies the problems of detecting counterfeit coins, money laundering, and tax evasion. Coins can be made divisible without losing any security or anonymity features, but at the expense of additional memory requirements and transaction time.

In conclusion, the potential risks in electronic commerce are magnified when anonymity is present. Anonymity creates the potential for large sums of counterfeit money to go undetected by preventing identification of forged coins.
Anonymity also provides an avenue for laundering money and evading taxes that is difficult to combat without resorting to escrow mechanisms. Anonymity can be provided at varying levels, but increasing the level of anonymity also increases the potential damages. It is necessary to weigh the need for anonymity with these concerns. It may well be concluded that these problems are best avoided by using a secure electronic payment system that provides privacy, but not anonymity.

REFERENCES

1. Stefan Brands, Untraceable Off-Line Cash in Wallets with Observers, Advances in Cryptology - CRYPTO '93, Springer-Verlag, pp. 302-318.
2. David Chaum, Achieving Electronic Privacy, Scientific American (August 1992), 96-101.
3. David Chaum, Security without Identification: Transaction Systems to make Big Brother Obsolete, ACM 28 no. 10 (Oct 1985), 1030-1044.
4. David Chaum, Amos Fiat, and Moni Naor, Untraceable Electronic Cash, Advances in Cryptology - CRYPTO '88, Springer-Verlag, pp. 319-327.
5. David Chaum and Torben Pedersen, Transferred Cash Grows in Size, Advances in Cryptology - EUROCRYPT '92, Springer-Verlag, pp. 390-407.
6. David Chaum and Torben Pedersen, Wallet Databases with Observers, Advances in Cryptology - CRYPTO '92, Springer-Verlag, pp. 89-105.
7. Tony Eng and Tatsuaki Okamoto, Single-Term Divisible Electronic Coins, Advances in Cryptology - EUROCRYPT '94, Springer-Verlag, pp. 311-323.
8. Niels Ferguson, Extensions of Single-term Coins, Advances in Cryptology - CRYPTO '93, Springer-Verlag, pp. 292-301.
9. Niels Ferguson, Single Term Off-Line Coins, Advances in Cryptology - EUROCRYPT '93, Springer-Verlag, pp. 318-328.
10. Alfred J. Menezes, Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publishers, Boston, 1993.
11. Tatsuaki Okamoto, An Efficient Divisible Electronic Cash Scheme, Advances in Cryptology - CRYPTO '95, Springer-Verlag, pp. 438-451.
12. Tatsuaki Okamoto and Kazuo Ohta, Universal Electronic Cash, Advances in Cryptology - CRYPTO '91, Springer-Verlag, pp. 324-337.
13. Sebastiaan von Solms and David Naccache, On Blind Signatures and Perfect Crimes, Computers & Security 11 (1992), 581-583.
14. Markus Stadler, Jean-Marc Piveteau, and Jan Camenisch, Fair Blind Signatures, Advances in Cryptology - EUROCRYPT '95, Springer-Verlag, pp. 209-219.

[End]

Thanks to the authors, Thomas Vartanian and anonymous others. See Mr. Vartanian's Technology and the Payments System: How Banks Will Fit Into The Brave New World of Banking, February 15, 1996.

Report any transcription mistakes in equations to <jya[at]pipeline.com>.