Lattice-Based E-Cash, Revisited

Deo, Amit; Libert, Benoît; Nguyen, Khoa; Sanders, Olivier

doi:10.1007/978-3-030-64834-3_11

Lattice-Based E-Cash, Revisited

Amit Deo^10,12,
Benoît Libert^10,11,
Khoa Nguyen¹³ &
…
Olivier Sanders¹⁴

Conference paper
First Online: 05 December 2020

1636 Accesses
5 Citations

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12492))

Abstract

Electronic cash (e-cash) was introduced 40 years ago as the digital analogue of traditional cash. It allows users to withdraw electronic coins that can be spent anonymously with merchants. As advocated by Camenisch et al. (Eurocrypt 2005), it should be possible to store the withdrawn coins compactly (i.e., with logarithmic cost in the total number of coins), which has led to the notion of compact e-cash. Many solutions were proposed for this problem but the security proofs of most of them were invalidated by a very recent paper by Bourse et al. (Asiacrypt 2019). The same paper describes a generic way of fixing existing constructions/proofs but concrete instantiations of this patch are currently unknown in some settings. In particular, compact e-cash is no longer known to exist under quantum-safe assumptions. In this work, we resolve this problem by proposing the first secure compact e-cash system based on lattices following the result from Bourse et al. Contrarily to the latter work, our construction is not only generic, but we describe two concrete instantiations. We depart from previous frameworks of e-cash systems by leveraging lossy trapdoor functions to construct our coins. The indistinguishability of lossy and injective keys allows us to avoid the very strong requirements on the involved pseudo-random functions that were necessary to instantiate the generic patch proposed by Bourse et al.

You have full access to this open access chapter, Download conference paper PDF

1 Introduction

The last decades have witnessed major changes in consumer habits, with a gradual shift to credit/debit cards for payments. Since 2016, the total amount of card payment transactions worldwide has indeed exceeded that of cash transactions,^{Footnote 1} as card transactions simply make spending easier and enable online purchases.

However, the benefits of electronic payments come at a price. Each transaction indeed leaks very sensitive information (at least to the entity managing the payment system), such as the identity of the recipient, the amount, the location of the spender, etc. For example, a patient paying his cardiologist with his card implicitly reveals to his bank that he probably has a heart condition, which is far from insignificant.

One could argue that, in some cases, the users’ or recipients’ identities can be masked through pseudonyms, but the concrete privacy benefits of this solution are questionable. Indeed, even for systems without central authority such as Bitcoin, pseudonymity only provides limited anonymity guarantees as shown for example by Ron and Shamir [32]. A natural question in this context is whether we can achieve the best of the two worlds. Namely, can we combine the features of electronic payments together with the anonymity of traditional cash?

Related Work. A first answer to this question was provided by Chaum in 1982 [13] when he introduced the notion of electronic cash (e-cash). Concretely, an electronic coin is the digital analogue of a standard coin/banknote that is issued by an authority, called a bank, to users. The authenticity of coins can be checked publicly, which allows users to spend them anonymously with any merchant who knows the bank public key. Unfortunately, the comparison stops there, as there is a major difference between physical and electronic coins. In the first case, the physical support is assumed to be unclonable, unless for extremely powerful adversaries. Obviously, the same assumption does not hold for digital data, and it is thus necessary to deter multiple spendings of the same coin.

However, detecting multiple uses of the same coin without affecting the anonymity of honest users is challenging. Chaum achieved this using blind signatures [13], by associating each coin with a serial number that remains hidden until the coin is spent. At this time, the serial number is added to a register that can be public, preluding crypto-currency ledgers. Using this register, anyone can detect the reuse of a coin, which leads to two families of e-cash systems.

The first one allows detecting frauds but does not enable the identification of perpetrators. In this case, detection must be performed before accepting payments. These systems are thus inherently online, as any recipient must be able to check the ledger at any time. This entails incompressible latencies to process payments that can be prohibitive in some situations, such as payments at tollgates, or at turnstiles for public transport.

The second family allows for the identification of defrauders. In this case, it is no longer necessary to check the coin upfront, as the defrauders know that they will ultimately be identified and then prosecuted. This simplifies the whole payment process as the e-cash system can now work offline. In 2020, the ability to process transactions offline might seem less appealing but it is still necessary today as mentioned in recent Visa [33] or Mastercard [28] technical documentations. Indeed, offline payments are inevitable in situations with no (or very limited) internet connections (aboard a plane, a boat, etc) and are still preferred in some regions. For example, a study by the french central bank [15] shows that, in 2013, less than 10 % of credit/debit cards in use in France are exclusively online (such cards being usually attributed to financially fragile persons); for the other cards, online checks are only performed on a random basis of for relatively large amounts.

It is hard today to discuss e-cash without mentioning crypto-currencies such as Bitcoin, or even post-quantum ones such as MatRiCT [19]. The distinction between the two families above highlights the first difference between such systems. Crypto-currencies are indeed necessarily online whereas e-cash can be offline. However the main difference between these two systems rather lies in the trust model. The main strength of crypto-currencies is probably the absence of a central authority. This helps them circumvent the traditional reluctance of banks to novelties because a crypto-currency can be launched (almost) from scratch. In contrast, an e-cash system requires the support of a financial institution. Nevertheless, the absence of a central authority is also the main drawback of crypto-currencies. It indeed means that, in case of theft or loss of secret keys, the users lose everything, which is a major issue that we believe to be unacceptable for the general public. In the e-cash setting, where some authority manages the system, handling these situations is quite easy (corresponding procedures already exist for current payments systems such as debit/credit cards). There are also differences such as compliance with legislation, etc. In all cases, the very different features of both systems mean that they cannot be opposed. The reality is in fact the opposite and we should rather see crypto-currencies and e-cash systems as complementary solutions for privacy-preserving payments. From now on, we will only consider offline e-cash.

Following Chaum’s seminal work, blind signatures were the first cornerstone of e-cash systems. Unfortunately, this design strategy comes with some limitations, such as the need to withdraw and store coins one by one, which quickly becomes cumbersome (see, e.g., [9]). This problem was addressed by Camenisch et al. [11] who proposed the notion of compact e-cash, where users withdraw and store N coins (that constitute a wallet) with constant, or at least logarithmic, complexity. The core idea of their construction – which has become the blueprint of most following works – is to associate each wallet with two seeds k and t for a pseudo-random function (PRF) family. These two seeds are then used to generate N pairs of pseudo-random values $(\mathsf {PRF}_k(i), \mathsf {PRF}_t(i))$. The former (i.e., $\mathsf {PRF}_k(i)$) serves as the coin serial number whereas $\mathsf {PRF}_t(j)$ essentially acts as a one-time pad on the spender’s identity, resulting in a so-called double-spending tag. In case a coin is spent more than once, the same mask $ \mathsf {PRF}_t(j) $ is used twice and can thus be cancelled out to reveal the defrauder’s identity.

This elegant construction underlies many subsequent systems, including a candidate based on lattices [26]. Unfortunately, a recent result by Bourse et al. [9] has shown the limitations of this framework. In particular, they highlighted that systems based on it may fail to provably achieve exculpability, i.e., the property that honest users cannot be wrongly accused of double-spending a coin, even when the bank and other users conspire against them. As this issue underlies most of our design choices, we need to recall some details on it.

In the CHL construction [11], the serial number and the double-spending tag are constructed from the PRF outputs mentioned above but also from the spender’s public key and some public data that can be seen as the unique identifier of a transaction. In case of double-spendings, it can be shown that the perpetrator will necessarily be identified. Unfortunately, Bourse et al. pointed out that the opposite is not true, except in some very specific settings excluding lattices, as carefully crafted serial numbers and double-spending tags might lead the identification process to output a public key that was not even involved in the fraudulent transactions. Actually, two spendings from different users may even be considered as a double-spending by the system. As a consequence, the security proofs of the e-cash construction of Libert et al. [26] and of a subsequent improvement by Yang et al. [35] (the only schemes relying on quantum-resistant computational assumptions) are invalid and there is no known simple fix.

Before accusing a user, it is therefore necessary to perform additional verifications on the serial number occurring in a double-spending, in particular to ensure that it was constructed from the same seed and the same identity. This unfortunately seems infeasible given only $\mathsf {PRF}_k(i)$, as in [11]. To overcome this problem, the authors of [9] extended the serial number with new elements, each one being protected by a fresh PRF output. To ensure exculpability, it is then necessary to exclude collisions that could result from the PRF, leading to strong and non-standard requirements on the latter in [9]. Indeed, Bourse et al. need a notion of collision-resistance where, given the public parameters of a PRF family, the adversary should be unable to output two seeds ${k},{k}'$ and inputs $x,x'$ such that $\mathsf {PRF}_{{k}}(x)=\mathsf {PRF}_{{k}'}(x')$. This might seem achievable by using a PRF based on symmetric primitives or by applying the techniques of Farshim et al. [20] to key-injective PRFs [24]. However, this would result in extremely inefficient e-cash constructions. Indeed, achieving security against cheating spenders requires to have them prove in zero-knowledge that they behaved honestly and correctly evaluated these PRFs, using certified seeds with valid inputs, etc. Such complex relations hardly coexist with the two solutions above. In particular, the Kim-Wu PRF [24] relies on a complex encoding of inputs into matrices which is hardly compatible with zero-knowledge techniques in lattices (recall that the PRF inputs should be part of witnesses). These rather require PRFs with a simpler algebraic structure, in the spirit of [3, 4, 7]. Unfortunately, the latter are not known to achieve collision-resistance. As of today, instantiating the Bourse et al. framework [9] from lattices would thus require to translate all statements to be proved into Boolean circuits. This would be much more expensive (by several orders of magnitude) than what we can hope for by leveraging the most efficient zero-knowledge techniques in standard lattices [8, 35].

Our Contribution. In this paper, we show that we can dispense with the need for strong collision-resistance requirements by significantly departing from previous frameworks [9, 11]. Our core idea is to perform only one standard PRF evaluation and use the resulting output to mask all the components of the serial number and double-spending tag, thanks to the use of a lossy trapdoor function $F_{\mathsf {LTF}}$ [30]. Recall that these are function families where injective evaluation keys are computationally indistinguishable from lossy evaluation keys, for which image elements reveal very little information on their preimages. In our construction, during a spending, we reveal $F_{\mathsf {LTF}}(\mathsf {PRF}_k(i))$ instead of $\mathsf {PRF}_k(i)$ and then extract randomness from the remaining entropy of $\mathsf {PRF}_k(i)$ in order to mask the spender’s public key. This masked public key constitutes the second part of our serial number. When $F_{\mathsf {LTF}}$ is set up in its lossy mode in the proof of anonymity, we can show that the resulting serial number is indistinguishable from random and does not leak any sensitive information on the spender. Moreover, as $F_{\mathsf {LTF}}$ can be generated in injective mode in the real scheme, in case of colliding serial numbers, we are guaranteed that the same value $\mathsf {PRF}_k(i)$ is used in all the corresponding transactions. Together with the equality of serial numbers, this implies that the involved public keys necessarily coincide.

At this stage, we are ensured that a double-spending alert can only be generated by two transactions involving the same user. Then, it only remains to adapt the same technique to our double-spending tags, which is fairly simple. We can then prove security of our construction based only on the standard security properties of the pseudo-random function and the lossy trapdoor function.

However, as we intend to provide concrete constructions and not just frameworks, we still have to realise the missing component of the coin, namely the non-interactive zero-knowledge (NIZK) proofs that both the serial number and the double-spending tag are well-formed. Indeed, NIZK proofs are notoriously hard to produce in the lattice setting, at least compared to their counterparts in cyclic groups. We start from a very recent result by Yang et al. [35] which provides a protocol capturing many interesting lattice-related relations and show that it can be used to prove the statements required by our e-cash system. This is far from trivial as, in particular, spenders need to prove their correct composed evaluation of a pseudo-random function and a lossy trapdoor function using different parameters for the two primitives. We nevertheless manage to propose such NIZK arguments for two different PRF constructions [4, 7], leading to two different instantiations. Notably, the GGM-based PRF [23] of Banerjee et al. [4] allows for the use of a polynomial modulus.

However, despite this nice asymptotic complexity, one should keep realistic expectations about the concrete performances of our scheme according to the current lattices state-of-the-art. We indeed note that, as of writing, most of our building blocks (zero-knowledge proofs, PRFs, etc) remain complex tools that can hardly compete with their pairing-based counterparts. This is highlighted by the recent paper by Yang et al. [35] showing that existing (insecure) lattice e-cash constructions [26, 35], which use building blocks similar to ours, generate transactions ranging from 260 MB to 720 TB. Fortunately, any future improvements of these tools could easily be leveraged by our construction. This is particularly true for our zero-knowledge proofs that we manage to represent as a standard instance of the powerful framework from [35].

Eventually, we propose the first concrete e-cash systems based on quantum-resistant hardness assumptions, following the reset of the state-of-the art resulting from [9]. Unlike [9] that modifies the CHL framework [11] by requiring stronger properties on the original building blocks, we upgrade it by considering alternative building blocks that are instantiable from standard lattice assumptions. Our work does not only lead to concrete constructions, but it also sheds new lights on e-cash by implicitly relying on a new framework which differs from [9, 11] and does not require PRFs with non-standard security properties.

2 Preliminaries

We use lower-case bold characters (e.g. $ \mathbf {x} $) to denote vectors and upper-case bold characters (e.g. $ \mathbf {M} $) to denote matrices. The $ (n \times n) $ identity matrix is denoted by $ \mathbf {I}_n $. A superscript $ \top $ for a vector or matrix denotes its transpose (e.g. $ \mathbf {M}^\top $ is the transpose of $ \mathbf {M} $). For any integer $ q>0 $, $ \mathbb {Z}_q $ denotes the integers modulo q. For integers $ a<b $, [a, b] denotes the set $ \{a, a+1 ,\dots , b\}. $ Alternatively if $ b>1 $, we define $ [b] := \{1,\dots ,b\} $. For any real x, we denote by $ \lfloor x \rfloor $ the greatest integer smaller than or equal to x. In addition, for positive integers n, p, q such that $ q>p $, we define the rounding operation $ \left\lfloor \cdot \right\rfloor _{p}: \mathbb {Z}_q^n \rightarrow \mathbb {Z}_p^n $ as $ \left\lfloor \mathbf {x} \right\rfloor _{p} := \lfloor (p/q) \cdot \mathbf {x} \rfloor $. For probability distribution $ \mathcal {D} $, we write to denote that s is a sample of the distribution $ \mathcal {D} $. If X is a set, then represents the sampling of a uniform element of X. We also define the min-entropy of a discrete distribution $ \mathcal {D} $ as . The statistical distance between two distributions $ \mathcal {D}_1 $ and $ \mathcal {D}_2 $ is denoted $ \varDelta (\mathcal {D}_1, \mathcal {D}_2) $. Throughout, we let denote a security parameter and use standard asymptotic notation $ \mathcal {O}, \varTheta , \varOmega , \omega $ etc. We also use the standard notion of a pseudo-random function ($\mathsf {PRF}$) and a zero-knowledge argument of knowledge (ZKAoK).

Binary Decompositions. We use the same decompositions as those in [26] as explained next. Firstly, for any positive integer B and $ \delta _B := \lfloor \log (B) \rfloor +1 $, we define the sequence $ B_1, \dots , B_{\delta _B} $ where $ B_j := \lfloor \frac{B+2^{j-1}}{2^j} \rfloor $ for $ j \in [1,\delta _B] $. It can be verified that $ \sum _{j \in [1,\delta _B]} B_j =B $. For any integer $ x \in [0,B] $, there is an efficiently computable deterministic function $ \mathsf {idec}_B : [0,B] \rightarrow \{0,1\}^{\delta _B} $ outputting a vector $ \textsf {idec}_{B}\left( x\right) =: \mathbf {y} \in \{0,1\}^{\delta _B} $ satisfying $ \sum _{j \in [1,\delta _B]} B_j \cdot y_j = x. $ The function $ \mathsf {idec}_B $ can be extended to handle vector inputs, resulting in $ \mathsf {vdec}_{m,B}: [0,B]^m \rightarrow \{0,1\}^{m \cdot \delta _B} $, for any integer $m>0$. Explicitly, for any $ \mathbf {x} \in [0,B]^m $, $ \textsf {vdec}_{m,B}\left( \mathbf {x}\right) := (\textsf {idec}_{B}\left( x_1\right) ^\top , \dots , \textsf {idec}_{B}\left( x_m\right) ^\top )^\top $. In order to invert $ \mathsf {vdec}_{m,B} $, we define the matrix $ \mathbf {H}_{m,B}:=(B_1,\dots , B_{\delta _B}) \otimes \mathbf {I}_m $. It is easy to see that $ \mathbf {H}_{m,B} \cdot \textsf {vdec}_{m,B}\left( \mathbf {y}\right) =\mathbf {x} $. In addition, for any $ x \in [0,B] $, we denote by $ \mathsf {ibin}_B(x) $ the standard binary decomposition of x that fits into $ \lfloor \log (B) \rfloor +1 $ bits. We define the binary representation of a vector to be the concatenation of the binary representations of its entries. Concretely, for any vector $ \mathbf {x} \in [0,B]^m $, we define its binary representation to be $ \mathsf {bin}_B(\mathbf {x})^\top := (\mathsf {ibin}(x_1), \dots , \mathsf {ibin}(x_m)) $.

2.1 Lattice Preliminaries

An m-dimensional lattice is a discrete subgroup of $ \mathbb {R}^m $. For any integers n and q, $ \mathbf {A} \in \mathbb {Z}_q^{n \times m} $ and $ \mathbf {u} \in \mathbb {Z}_q^n $ we define the full-rank lattice $ \varLambda ^{\bot }_{q}(\mathbf {A}) := \{ \mathbf {x} \in \mathbb {Z}^m : \mathbf {A} \cdot \mathbf {x} = 0 \bmod q \} $ and the lattice coset $ \varLambda ^{\mathbf {u}}_{q}(\mathbf {A}) := \{ \mathbf {x} \in \mathbb {Z}^m : \mathbf {A} \cdot \mathbf {x} = \mathbf {u} \bmod q \}$. Defining $ \rho _{\sigma }: \mathbb {R}^m \rightarrow \mathbb {R}$ as $ \rho _{\sigma }(\mathbf {x}) := \exp (-\pi \Vert \mathbf {x}\Vert ^2/\sigma ^2) $, the discrete Gaussian distribution over a lattice coset L with parameter $ \sigma $ (denoted as $ D_{L,\sigma } $) is the distribution with support L and mass function proportional to $ \rho _{\sigma } $.

Hardness Assumptions. We will be assuming that both the learning with errors (LWE) and short integer solution (SIS) problems (as defined next) are hard for appropriate parameter settings.

Definition 1

Let $m,n,q \in \mathbb {N}$ with $m>n$ and $\beta >0$. The short integer solution problem , find a non-zero $\mathbf {x} \in \varLambda _q^{\perp }(\mathbf {A})$ with $0 < \Vert \mathbf {x}\Vert \le \beta $.

Definition 2

Let $q, \alpha $ be functions of a parameter n. For a secret $\mathbf {s} \in \mathbb {Z}_q^n$, the distribution $A_{q,\alpha ,\mathbf {s}}$ over $\mathbb {Z}_q^n \times \mathbb {Z}_q$ is obtained by sampling and a noise $e \hookleftarrow D_{\mathbb {Z}, \alpha q}$, and returning $(\mathbf {a},\langle \mathbf {a},\mathbf {s}\rangle +e)$. The learning with errors problem $\textsf {LWE} _{n,m,q,\alpha }$ is, for , to distinguish between m independent samples from $U(\mathbb {Z}_q^n \times \mathbb {Z}_q)$ and the same number of samples from $A_{q,\alpha ,{\mathbf {s}}}$.

If m is omitted in the $\textsf {LWE}$ problem, it is assumed that $ m = \mathsf {poly}(n) $. If $q \ge \beta n^{\delta }$ for any constant $ \delta >0 $ and $m,\beta = \mathsf {poly}(n)$, then standard worst-case lattice problems with approximation factors $\gamma = \max \{1,\beta ^2/q\} \cdot \tilde{\mathcal {O}}(\beta \sqrt{n})$ reduce to $\textsf {SIS} _{n,m,q,\beta }$ [29]. Alternatively, if $q \ge \sqrt{n} \beta $ and $m,\beta = \mathsf {poly}(n)$, then standard worst-case lattice problems with approximation factors $\gamma = \mathcal {O}(\beta \sqrt{n})$ reduce to $\textsf {SIS} _{m,q,\beta }$ (see, e.g., [22, Sec. 9]). Similarly, if $\alpha q = \varOmega (\sqrt{n})$, standard worst-case lattice problems with approximation factors $\gamma = \tilde{\mathcal {O}}(n/\alpha )$ reduce to $\textsf {LWE} _{n,q,\alpha }$[10, 31].

2.2 Lossy Trapdoor Functions

We will be using the notion of lossy trapdoor function ($\mathsf {LTF}$) families from [30]. Informally, a lossy trapdoor function family can be used in one of two modes: a lossy mode and an injective mode. In the lossy mode, functions lose information on their inputs and cannot be inverted whereas in the injective mode, a trapdoor enables efficient inversion. In addition, there are generation algorithms that sample functions in either the lossy or injective mode. A crucial requirement is that no efficient adversary can distinguish whether a generation algorithm is outputting lossy functions or injective functions. We now recall the formal syntax and definition of an $ \mathsf {LTF}$ family.

Definition 3

An (m, k) lossy trapdoor function family with security parameter is a 4-tuple of PPT algorithms $ (\mathsf {G}_0, \mathsf {G}_1, \mathsf {F}, \mathsf {F}^{-1}) $ such that:

$\mathbf {{(Injective~Mode)}}$ outputs a function index u and trapdoor $ \tau $. For any pair $ (u,\tau ) $ output by $ \mathsf {G}_0 $, $ \mathsf {F}(u,\cdot ) $ computes an injective function $f_u:\{0,1\}^m \rightarrow \{0,1\}^* $ and $ \mathsf {F}^{-1}(\tau ,\mathsf {F}(u,x))=x $.
$\mathbf {{(Lossy~Mode)}}$ outputs a function index u. For any u output by $ \mathsf {G}_1 $, $ \mathsf {F}(u,\cdot ) $ computes a lossy function $ f_u:\{0,1\}^m \rightarrow \{0,1\}^* $, whose image is of size at most $ 2^{m-k} $.
$\mathbf {{(Indistinguishability)}}$ Let and . Then the distributions of u and $ u' $ are computationally indistinguishable.

We will use the algorithms of the $ \mathsf {LTF}$ family given in [30]. This family was reconstructed by Wee [34] where $ n,m,q,\alpha $ are functions of , $ p \le q/(4n) $ and $ \bar{n} = m/{\log }\,p $. In the following, $ \mathbf {G} \in \mathbb {Z}_q^{m \times \bar{n}} $ is a special public matrix that allows to efficiently solve the bounded error decoding problem [30].

$ \mathsf {G}_0(n,m,q,\alpha ) $: Sample and output the index $ \left( \mathbf {A}, \mathbf {B}:=\mathbf {S}^\top \mathbf {A}+\mathbf {E}^\top +\mathbf {G}^\top \right) $ along with trapdoor $ \mathbf {S} $.
$ \mathsf {G}_1(n,m,q,\beta ) $: Sample and output the index $ \left( \mathbf {A}, \mathbf {B}:=\mathbf {S}^\top \mathbf {A}+\mathbf {E}^\top \right) $
$ \mathsf {F}$: On input $ \left( (\mathbf {A}, \mathbf {B}), \mathbf {x}\right) $ where $ \mathbf {A} \in \mathbb {Z}_q^{n \times m}, \mathbf {B} \in \mathbb {Z}_q^{\bar{n} \times {m}} $ and $ \mathbf {x} \in \{0,1\}^m $, output $ (\mathbf {A}\mathbf {x}, \mathbf {B}\mathbf {x}) $
$\mathsf {F}^{-1}$: On input $ (\mathbf {S}, (\mathbf {y}_1, \mathbf {y}_2)) $ where $ \mathbf {S} \in \mathbb {Z}_q^{n \times \bar{n}}, \mathbf {y}_1 \in \mathbb {Z}_q^{n} $ and $ \mathbf {y}_2 \in \mathbb {Z}_q^{\bar{n}} $, compute $ \mathbf {y} := \mathbf {y}_2 - \mathbf {S}^\top \mathbf {y}_1 $. Use the efficient bounded-error decoder with respect to $ \mathbf {G} $ on $ \mathbf {y} $ to recover a vector $ \mathbf {x}^* \in \{0,1\}^m $ such that $ \mathbf {e}^* + \mathbf {G}^\top \mathbf {x}^* = \mathbf {y} $ for some small $ \mathbf {e}^* $ with $ \Vert \mathbf {e}^*\Vert _{\infty } \le q/p $. Output $ \mathbf {x}^* $.

Lemma 1

([34]). For any constant $ \gamma <1 $ and n, take $ q = \varTheta (n^{1+1/\gamma }) $, $ p = \varTheta (n^{1/\gamma }) $ such that $ p \le q/(4n) $. Further, take $ m=\mathcal {O}(n \log q), \alpha = \varTheta (\sqrt{n}/q) $ and $ \bar{n} = m/{\log }\,p $. Assuming that the $ \textsf {LWE} _{n,m,q,\alpha } $ problem is hard, the above construction is an (m, k)-$\mathsf {LTF}$ family where $ k= (1-\gamma )m-n\log q. $

The following instantiation of the generalized Leftover Hash Lemma of [17, Lemma 2.4] will be particularly useful:

Lemma 2

Choose $ \gamma ,n,q,p,\alpha $ as in Lemma 1, arbitrary integers $ n',q'>2 $ and an arbitrary distribution $ \mathcal {X} $ over $ \{0,1\}^m $. Then, for , , and , we have

$$\begin{aligned} \varDelta \left( \left( \mathbf {A} \mathbf {x}, \mathbf {A}, (\bar{\mathbf {A}},\bar{\mathbf {B}}, \bar{\mathbf {A}}\mathbf {x}, \bar{\mathbf {B}}\mathbf {x})\right) \!, \left( \mathbf {u}, \mathbf {A}, (\bar{\mathbf {A}},\bar{\mathbf {B}}, \bar{\mathbf {A}}\mathbf {x}, \bar{\mathbf {B}}\mathbf {x})\right) \right) \qquad \qquad \qquad \quad \qquad \\ \le \frac{1}{2} \cdot \sqrt{2^{-\left( \mathsf {H}_{\infty }(\mathcal {X}) - ( m \gamma +n \log q+n' \log q') \right) }}. \end{aligned}$$

2.3 Witness Extraction and Forking Lemma

Recall that the transcript of a $\varSigma $-protocol consists of three messages starting with a message from a prover to a verifier. The Fiat-Shamir transform [21] provides a well-known method to remove interaction from a $\varSigma $-protocol. In particular, the second message (which is a uniformly chosen “challenge” value from the verifier to the prover) is replaced by the evaluation of a random oracle on input given by the first message. When adopting this method, it is important to carefully argue that the resulting non-interactive protocol is still an argument of knowledge. That is, if a prover convinces the verifier to accept with non-negligible probability, then replaying the prover allows for the extraction of a witness to the statement in question. This is usually achieved by applying a “forking lemma”.

We will focus on the argument system of Yang et al.[35] which takes the three-message form of a $\varSigma $-protocol. The witness extraction for the interactive ZKAoK of Yang et al. requires any $ \ell =3 $ accepting transcripts, all with the same first prover message but distinct challenge values. We refer to $ \ell $ such accepting transcripts as an $ \ell $-fork.

When using a random oracle to remove interaction with our chosen argument system, a forking lemma that considers the probability of producing an $ \ell $-fork for $ \ell =3 $ should be used. The extended/generalised forking lemma of El Kaafarani and Katsumata [18, Lemma 1] provides a forking lemma for any $ \ell \ge 2 $. For simplicity, we state their result in the special case that $ \ell =3 $.

Lemma 3

([18]). Fix some input $ x \in \{0,1\}^* $ and take some arbitrary set $ \mathsf {accept}$. Let $ \mathcal {A}$ be an efficient algorithm outputting triples $ (m_1, m_2,m_3) $ on input x that has oracle access to a random oracle $ H : \{0,1\}^* \rightarrow [h] $ and let Q be an upper bound on the number of queries that $ \mathcal {A}$ makes to H. Denote

$$\begin{aligned} \mathsf {acc}&:= \Pr \left[ (m_1,m_2,m_3) \leftarrow \mathcal {A}^{H(\cdot )}(x) : \begin{array}{c} (m_1,m_2,m_3) ~ \in ~ \mathsf {accept}~\wedge ~ \\ m_2 \text { is the result of an }H\text {-query} \end{array}\right] \\ \mathsf {frk}_3&:= \Pr \left[ ((m_{1}, m_{2,i}, m_{3,i}))_{i=1}^3 \leftarrow F^{\mathcal {A}}(x) : \begin{array}{c} \forall i \in \{1,2,3\} ~:~ (m_1, m_{2,i}, m_{3,i}) ~\in ~ \mathsf {accept}\\ \wedge ~ (m_{2,i})_{i=1}^3 \text {are pairwise distinct} \end{array}\right] \\ \end{aligned}$$

for any efficient algorithm $ F^{\mathcal {A}} $ that runs $ \mathcal {A}$ at most 3 times. Then, for a particular choice of $ F^{\mathcal {A}} $,

$$\begin{aligned} \mathsf {frk}_3 \ge \mathsf {acc}\cdot \left( \left( \frac{\mathsf {acc}}{Q}\right) ^{2} - \frac{3}{h} \right) . \end{aligned}$$

2.4 E-Cash Security Definitions

E-cash systems involve three types of parties: banks denoted $ \mathcal {B}$, users denoted $ \mathcal {U}$ and merchants denoted $ \mathcal {M}$. The syntax of an offline compact e-cash system consists of the following algorithms/protocols:

: On input a security parameter and wallet size , outputs public parameters $ \mathsf {par}$ containing L (amongst other things).
: On input $ \mathsf {par}$, outputs a key pair $ (PK_\mathcal {B}, SK_\mathcal {B}) $ for the bank, which allows $ \mathcal {B}$ to issue wallets of size $ 2^L $.
: On input $ \mathsf {par}$, generates a key pair $ (PK_{\mathcal {U}},SK_\mathcal {U}) $ for the user.
: On input $ \mathsf {par}$, generates $( PK_{\mathcal {M}},SK_\mathcal {M}) $ for the merchant.

We henceforth assume that all algorithms implicitly take $ \mathsf {par}$ as input.

: An interactive protocol that allows $ \mathcal {U}$ to obtain a wallet $ \mathcal {W}$ consisting of $ 2^L $ coins or an error message $ \bot $. The bank $ \mathcal {B}$ obtains tracing information $ \textsf {T}_{\mathcal {W}} $.
: A protocol allowing a user $ \mathcal {U}$ to give a coin from $ \mathcal {W}$ to merchant $ \mathcal {M}$ with respect to transaction metadata $ \mathsf {info}$. The user outputs an updated wallet $ \mathcal {W}' $ whereas the output of $ \mathcal {M}$ is a coin $ \mathsf {coin}$ consisting of $\mathsf {info}$, a serial number, a security tag and a proof of validity or an error symbol $ \bot $.
: Outputs 1 if the proof of validity in $ \mathsf {coin}$ verifies correctly with respect to $ PK_{\mathcal {B}} $ and 0 otherwise.
: Outputs 1 if the proof of validity in $ \mathsf {coin}$ verifies correctly with respect to $ PK_{\mathcal {B}} $ and if the data $\mu $ verifies correctly with respect to $PK_\mathcal {M}$. Else, outputs 0.
: This is a protocol allowing $ \mathcal {M}$ to deposit $ \mathsf {coin}$ (containing some metadata $\mathsf {info}$) in its account with $ \mathcal {B}$. In the protocol, $\mathcal {M}$ sends $\mathsf {coin}$ along with some data $\mu $. Then, $\mathcal {B}$ uses a list $ \mathsf {state}_\mathcal {B}$ of previously deposited coins to proceed as follows. If $ {\textsf {VerifyCoin}}\left( PK_{\mathcal {B}},\mathsf {coin} \right) =0 $ or ${\textsf {VerifyDeposit}}\left( PK_\mathcal {B},PK_\mathcal {M},\mathsf {coin},\mu \right) =0$, $ \mathcal {B}$ outputs $\perp $. If $ \mathsf {info}$ and $PK_\mathcal {M}$ exist in the same entry of $ \mathsf {state}_\mathcal {B}$, then $\mathcal {B}$ returns this entry $(\mathsf {coin}, PK_\mathcal {M},\mu ')$. If the serial number $\mathbf {y}_{S}$ derived from $ \mathsf {coin}$ is not in $ \mathsf {state}_\mathcal {B}$, then $ \mathcal {B}$ adds the tuple $ (\mathsf {coin}, PK_\mathcal {M},\mu ,\mathbf {y}_{S}) $ to $ \mathsf {state}_\mathcal {B}$. If there is some tuple $(\mathsf {coin}', PK'_\mathcal {M},\mu ',\mathbf {y}_{S})$ in $ \mathsf {state}_\mathcal {B}$, then $ \mathcal {B}$ outputs such a tuple.
: An algorithm allowing to identify a double spender $ \mathcal {U}$ whenever $ \mathsf {coin}_1 $ and $ \mathsf {coin}_2 $ share the same serial number. The output of this algorithm is a public key $ PK_\mathcal {U}$ and a proof that this public key corresponds to a double spender $ \varPi _G $.

E-cash systems should provide the following properties whose formal definitions, adapted from [9, 26], are provided below.

Anonymity: no coalition of banks and merchants can identify the wallet that a coin originates from.
Traceability: the bank is always able to identify at least one member of a coalition that has spent more than it has withdrawn. This property introduced by Canard et al. [12] simultaneously captures the balance and identification properties considered in [6, 11].
Strong exculpability: no coalition of banks and merchants can convincingly accuse an innocent user of double-spending.
Clearing: an honest merchant is always able to deposit the received coins. In particular, no coalition of bank, merchants and users can generate a convincing proof that the latter have already been deposited.

Definition 4

An e-cash system provides anonymity if there exists an efficient simulator $\mathcal {S}=(\mathsf {SimParGen},\mathsf {SimSpend})$ such that no PPT adversary $\mathcal {A}$ has non-negligible advantage in the anonymity game described below:

1.
The challenger flips a fair coin and runs $\mathsf {par}\leftarrow \mathsf {ParGen}(1^\lambda ,1^L)$ if $d=1$ and otherwise. In either case, it gives $\mathsf {par}$ to $\mathcal {A}$.
2.
$\mathcal {A}$ outputs some public key $PK_\mathcal {B}$ and adaptively invokes the following oracles:
- $\bullet $ $\mathcal {Q}_{\textsf {GetKey}}(i)$: this oracle generates if it does not exist yet and returns $PK_{\mathcal {U}_i}$.
- $\bullet $ $\mathcal {Q}_{\textsf {Withdraw}}(PK_\mathcal {B},i)$: this oracle plays the role of user $\mathcal {U}_i$ – and creates their key pair if it does not exist yet – in an execution of the withdrawal protocol $\mathsf {Withdraw}\big ( \mathcal {U}(\mathsf {par},PK_{\mathcal {B}},SK_{\mathcal {U}_i}),\mathcal {A}(\mathsf {state})\big )$, with the adversary $\mathcal {A}$ playing the role of the bank. At the j-th query, we denote by $\mathcal {W}_j$ the user’s output which may be a valid wallet or an error message $ \perp $.
- $\bullet $ $\mathcal {Q}_{\textsf {Spend}}\big (PK_{\mathcal {B}},i,j, PK_{\mathcal {M}},\mathsf {info}\big )$: the oracle first checks if the wallet $\mathcal {W}_j$ has been issued to $\mathcal {U}_i$ by the bank $\mathcal {B}$ via an invocation of $\mathcal {Q}_{\textsf {Withdraw}}(PK_\mathcal {B},i )$. If not, the oracle outputs $\perp $. Otherwise, $\mathcal {Q}_{\textsf {Spend}}$ checks if the internal counter J of $\mathcal {W}_j$ satisfies $J<2^L-1$. If $J=2^L-1$, it outputs $\perp $. Otherwise, $\mathcal {Q}_{\textsf {Spend}}$ responds as follows:
  - If $d=1$, it runs $\mathsf {Spend}\big ( \mathcal {U}_i(\mathcal {W}_j, PK_{\mathcal {B}}, PK_\mathcal {M}) , \mathcal {A}(\mathsf {state},\mathsf {info}) \big )$with the merchant-executing $\mathcal {A}$ in order to spend a coin from $\mathcal {W}_j$.
  - If $d=0$, $\mathcal {Q}_{\textsf {Spend}}$ runs $ {\mathsf {SimSpend}}\big ( \mathsf {par},\tau _{sim},PK_{\mathcal {B}}, PK_{\mathcal {M}},\mathsf {info}\big )$.
3.
When $\mathcal {A}$ halts, it outputs a bit $d'\in \{0,1\}$ and wins if $d'=d$. The adversary’s advantage is the distance $\mathbf {Adv}^{\mathrm {anon}}_\mathcal {A}(\lambda ) := | \Pr [d'=d]-1/2|$, where the probability is taken over all coin tosses.

Definition 5

An e-cash system ensures traceability if, for any PPT adversary $\mathcal {A}$, the experiment below outputs 1 with negligible probability:

1.
The challenger generates public parameters and a public key . It gives $\mathsf {par}$ and $PK_{\mathcal {B}}$ to $\mathcal {A}$.
2.
$\mathcal {A}$ is granted access to the oracle $\mathcal {Q}_{\textsf {Withdraw}}\left( PK_{\mathcal {U}}\right) $ that plays the role of the bank $ \mathcal {B}$ in an execution of $ \mathsf {Withdraw}(\mathcal {A}(\mathsf {state}),\mathcal {B}(\mathsf {par},PK_{\mathcal {U}},SK_\mathcal {B})) $ with $\mathcal {A}$, acting as a cheating user. After each query, the challenger stores in a database $\textsf {T}$ the information $\textsf {T}_{\mathcal {W}}=PK_{\mathcal {U}}$, or $\perp $ if the protocol fails.
3.
After $Q_w$ polynomially many queries, $\mathcal {A}$ outputs coins $\{\mathsf {coin}_i\}_{i=1}^N$ which are parsed as $ (\mathsf {info}_i,PK_{\mathcal {M}_i},S_i,\pi _i)$. The experiment returns 1, unless (at least) one of the following conditions holds (in which case, it returns 0):
$\bullet $:

$N\le 2^L\cdot Q_w$;

$\bullet $:

$\exists (i,j)\in \{1,\ldots ,N\}^2$ such that $(\mathsf {info}_i,PK_{\mathcal {M}_i}) = (\mathsf {info}_j,PK_{\mathcal {M}_j})$;

$\bullet $:

$\exists i \in \{1,\ldots ,N\}$ such that ${\textsf {VerifyCoin}}\left( PK_\mathcal {B},\mathsf {coin}_i \right) =0$;

$\bullet $:

$\exists (i,j)\in \{1,\ldots ,N\}^2$ such that $\mathsf {Identify}\big ( \mathsf {par}, PK_{\mathcal {B}}, {coin}_i, {coin}_j\big )$ returns a public key $PK_\mathcal {U}$ that belongs to the database $\textsf {T}$.

Definition 6

An e-cash system provides strong exculpability if no PPT adversary $\mathcal {A}$ has noticeable success probability in the game below:

1.
The challenger runs $\mathsf {par}\leftarrow \mathsf {ParGen}(1^\lambda ,1^L)$, gives $\mathsf {par}$ to $\mathcal {A}$ and initializes empty sets of honest users $\mathcal {HU}$, wallets $ \textsf {T}_{\textsf {FW}} $ and double spent coins $ \textsf {T}_{\mathsf {ds}} $.
2.
$\mathcal {A}$ generates $PK_{\mathcal {B}}$ on behalf of the bank and interacts with these oracles:
$\bullet $:

$\mathcal {Q}_{\textsf {GetKey}}(i)$: this oracle generates if it does not exist yet and returns $PK_{\mathcal {U}_i}$, which is added to $\mathcal {HU}$.

$\bullet $:

$\mathcal {Q}_{\textsf {Withdraw}}(PK_\mathcal {B},i)$: this oracle plays the role of $\mathcal {U}_i$ – and creates $(SK_{\mathcal {U}_i},PK_{\mathcal {U}_i})$ if it does not exist yet – in an execution of $\mathsf {Withdraw}\big ( \mathcal {U}(\mathsf {par},PK_{\mathcal {B}},SK_{\mathcal {U}_i}),\mathcal {A}(\mathsf {state})\big )$ where $\mathcal {A}$ plays the role of the bank. At the j-th such query, we denote by $\mathcal {W}_j$ the user’s output. If the protocol succeeds $(\mathcal {W}_j=\perp )$, then $ (j,\mathcal {W}_j) $ is added to $ \textsf {T}_{\textsf {FW}} $.

$\bullet $:

$\mathcal {Q}_{\textsf {Spend}}\big (PK_{\mathcal {B}},i,j, PK_{\mathcal {M}},\mathsf {info}\big )$: the oracle first checks if the wallet $\mathcal {W}_j$ was provided to $\mathcal {U}_i$ via an invocation of $\mathcal {Q}_{\textsf {Withdraw}}(\mathsf {par},PK_\mathcal {B},i )$ using $ \textsf {T}_{\textsf {FW}} $. If not, the oracle outputs $\perp $. If the internal counter of $ \mathcal {W}_j $ satisfies $ J=2^{\ell }-1 $, then $ \mathcal {W}_j $ is reset to its original state, where $ J=0 $. Then, $\mathcal {Q}_{\textsf {Spend}}$ spends a coin from $\mathcal {W}_j$ by running $\mathsf {Spend}\big ( \mathcal {U}_i(\mathcal {W}_j, PK_{\mathcal {B}}, PK_\mathcal {M}) , \mathcal {A}(\mathsf {state},\mathsf {info}) \big )$ with $\mathcal {A}$. If the resulting coin has the same serial number S as a previous query $ \mathcal {Q}_{\textsf {Spend}}\big (PK_{\mathcal {B}},i,j, \cdot ,\cdot \big ) $ then add (i, j, S) to $ \textsf {T}_{\mathsf {ds}} $.
3.
When adversary $\mathcal {A}$ halts, it outputs two coins $\mathsf {coin}_1,\mathsf {coin}_2$. It is declared successful if $\mathsf {Identify}(\mathsf {par},PK_\mathcal {B},{\mathsf {coin}}_1,{\mathsf {coin}}_2) \in \mathcal {HU}$ and $ \forall (i,j), (i,j,S) \notin \textsf {T}_{\mathsf {ds}} $ where S is the common serial number shared by $ \mathsf {coin}_1$ and $ \mathsf {coin}_2$.

Definition 7

An e-cash system ensures clearing if for any PPT adversary $\mathcal {A}$, the probability of $ \mathcal {A}$ winning the clearing game below is negligible:

1.
The challenger runs $\mathsf {par}\leftarrow \mathsf {ParGen}(1^\lambda ,1^L)$, gives $\mathsf {par}$ to $\mathcal {A}$ and initializes a set of honest merchants $\mathcal {HM}$ which is initially empty.
2.
$\mathcal {A}$ generates $PK_{\mathcal {B}}$ on behalf of the bank and interacts with these oracles:
$\bullet $:

$\mathcal {Q}_{\textsf {GetKey}}(i)$: this oracle generates if it does not exist yet and returns $PK_{\mathcal {M}_i}$, which is added in $\mathcal {HM}$.

$\bullet $:

$\mathcal {Q}_{\textsf {Receive}}\big (PK_{\mathcal {B}},i \big )$: this oracle plays the role of a merchant – and creates $(SK_{\mathcal {M}_i},PK_{\mathcal {M}_i})$ if it does not exist yet – in an execution of $\mathsf {Spend}\big ( \mathcal {A}(\mathsf {state}),\mathcal {M}_i(SK_\mathcal {M},PK_{\mathcal {U}},\mathsf {info})\big )$ where $\mathcal {A}$ plays the role of the user. At the j-th query, we denote by $\mathsf {coin}_j$ the merchant’s output.

$\bullet $:

$\mathcal {Q}_{\textsf {Deposit}}\big (PK_{\mathcal {B}},i,j \big )$: this oracle plays the role of the merchant in an execution of $\mathsf {Deposit}(\mathcal {M}_i(SK_{\mathcal {M}_i}, \mathsf {coin}_j,PK_{\mathcal {B}}),\mathcal {A}(\mathsf {state}))$ with $\mathcal {A}$ playing the role of $\mathcal {B}$. It however aborts if $PK_{\mathcal {M}_i}\notin \mathcal {HM}$, if $\mathsf {coin}_j$ has not been received by merchant i or if it has already been deposited.
3.
When $\mathcal {A}$ halts, it outputs a tuple $(PK_\mathcal {M},\mathsf {coin},\mu )$. The adversary wins if $PK_\mathcal {M}\in \mathcal {HM}$, ${\textsf {VerifyDeposit}}\left( PK_\mathcal {B},PK_\mathcal {M},\mathsf {coin},\mu \right) =1$ and $\mathsf {coin}$ has not been involved in a previous $\mathcal {Q}_{\textsf {Deposit}}$ query.

3 Intuition

The core of an e-cash system is the pair constituted by the serial number $\mathbf {y}_{S}$ and the double-spending tag $\mathbf {y}_T$ of a coin. Besides zero-knowledge proofs, they are essentially the only elements made public during a spending and therefore must comply with very strong anonymity requirements while allowing the identification of double-spenders. In addition, it should be possible to (efficiently) prove that they are well-formed, which rules out most simple constructions.

Designing such elements is thus far from trivial which partially explains why most e-cash systems have followed the elegant idea proposed by Camenisch et al. [11]. It relies on a pseudo-random function $\mathsf {PRF}$ as follows. For a wallet of $N=2^L$ coins, a first seed $ \mathbf{k} $ is used to generate N pseudo-random values $\mathsf {PRF}_\mathbf{k }(i)$, for $i\in [1,N]$, acting as the coins’ serial numbers. Meanwhile, a second seed t allows generating independent values $\mathsf {PRF}_\mathbf{t }(i)$ acting as one-time pads on the spender’s identity. The concealed identity constitutes the double-spending tag.

Any user can generate at most N fresh pairs $(\mathsf {PRF}_\mathbf{k }(i), \mathsf {PRF}_\mathbf{t }(i))$ per wallet. In case of double-spending, a pair must have been re-used, meaning that a serial number $\mathsf {PRF}_\mathbf{k }(i)$ will appear twice in the bank database, thus making frauds easy to detect. Moreover, in such a case, the spender’s identity will be masked using the same value $\mathsf {PRF}_\mathbf{t }(i)$. An appropriate combination of the corresponding double-spending tags thus allows to remove $\mathsf {PRF}_\mathbf{t }(i)$ and so to identify the defrauder. Some adjustments are necessary in the lattice setting [26], but the high-level principle remains the same.

However, Bourse et al. [9] recently showed that this approach may fail to provide a sound proof of exculpability in many cases. Indeed, the identity returned by the identification algorithm is a complex mix of PRF outputs, public keys and random values, most of them being totally controlled by the adversary. It is therefore impossible to guarantee that the returned identity corresponds to the author of these fraudulent payments nor even to guarantee that both payments have been performed by the same user.

In [9], Bourse et al. point out that this problem is partially due to a misidentification of the properties that must be satisfied by the pseudo-random function $\mathsf {PRF}$. They therefore propose to strengthen the requirements on $\mathsf {PRF}$, introducing in particular a notion of collision resistance that essentially states the difficulty of finding $(\mathbf{s} ,\mathbf{s} ',i,i')$ such that $\mathsf {PRF}_\mathbf{s }(i)= \mathsf {PRF}_\mathbf{s '}(i')$. Assuming that the PRF satisfies such suitable properties, they prove security of generic constructions that are reminiscent of the seminal scheme proposed by Camenisch et al. An interesting aspect of [9] is thus the rehabilitation of the original intuition of compact e-cash [11] that has been common to all following works.

Unfortunately, this is done by relying on unconventional security notions for PRFs that have not been considered by designers of such functions. Bourse et al. show that, under suitable assumptions, these notions are actually already satisfied by some PRFs in cyclic groups, but similar results are not known in the lattice setting. Indeed, existing lattice-based PRFs are not known to provide collision-resistance in this strong sense, which prevents instantiation of their frameworks in this setting. Concretely, this means that secure lattice-based e-cash systems are not known to exist for the time being.

In this work, we choose a very different strategy that we believe to be better suited for the lattice setting as it does not rely on collision-resistant PRFs.

Our first step is to modify the construction of the serial numbers to ensure that collisions only occur for spendings performed by the same user. In [9], this is achieved by using the same seed (but different public parameters) to generate all the pseudo-random values used during a spending. Assuming that pseudo-randomness still holds in this context and that collision resistance is achieved by some of the PRFs, they prove that a collision only occurs for spendings involving the same seed. They are then able to prove that the use of the same seed implies the involvement of the same user, and so on until proving exculpability of their construction. Here, we still use a PRF as a source of pseudo-random values but our serial numbers are not simply the outputs of such a function. We indeed want to reuse the same pseudo-random values for different parts of our serial numbers and double-spending tags to rule out the adversarial strategy pointed out in [9]. To achieve this while retaining anonymity, we use the notion of a lossy trapdoor function $F_{\mathsf {LTF}}$ introduced in [30] and more specifically, the elegant instantiation based on LWE proposed in [34] related to the original construction in [30].

The first element of $\mathbf {y}_{S}$ is now $F_{\mathsf {LTF}}(\mathsf {PRF}_\mathbf{k }(i))$, which still allows to extract random bits from $\mathsf {PRF}_\mathbf{k }(i)$ using a universal hash function $H_{\mathsf {UH}}$, as proved in [30]. We can thus incorporate $PK_{\mathcal {U}} + H_{\mathsf {UH}}(\mathsf {PRF}_\mathbf{k }(i))$ in $\mathbf {y}_{S}$ while ensuring anonymity of the user $\mathcal {U}$ that owns the public key $ PK_{\mathcal {U}} $. In the exculpability proof, we will generate $F_{\mathsf {LTF}}$ in the injective mode, thus ensuring that a collision $\mathbf {y}_{S} = \mathbf {y}_{S'}$ can only occur when the same value $\mathsf {PRF}_\mathbf{k }(i)$ is used for both transactions. Together with $PK_{\mathcal {U}} + H_{\mathsf {UH}}(\mathsf {PRF}_\mathbf{k }(i))= PK_{\mathcal {U}'} + H_{\mathsf {UH}}(\mathsf {PRF}_\mathbf{k }(i))$, this implies $PK_{\mathcal {U}} =PK_{\mathcal {U}'}$.

We then adapt this idea to double-spending tags. We similarly extract random bits from $\mathsf {PRF}_\mathbf{k }(i)$ using a different universal hash function $H'_{\mathsf {UH}}$ to define $\mathbf {y}_T = PK_{\mathcal {U}} + \mathsf {FRD} (R) \cdot H'_\mathsf {UH}(\mathsf {PRF}_\mathbf{k }(i)), $ where $ \mathsf {FRD} (R)$ is some public matrix specific to the transaction. As $\mathsf {PRF}_\mathbf{k }(i)$ and the public key $PK_{\mathcal {U}}$ are the same for both transactions, the formula $ \mathbf {y}_{T} - \mathsf {FRD} (R) \cdot [\left( \mathsf {FRD} (R) - \mathsf {FRD} (R') \right) ^{-1} \cdot (\mathbf {y}_{T} - \mathbf {y}_{T'})] $ necessarily returns such a public key whose owner is guilty of double-spendings.

As far as efficiency goes, we essentially add some matrix-vector products to the construction of [26]. Moreover, since all of these matrices are public, a NIZK proof of correct computations can be produced using the framework provided in [26] or the more efficient techniques in Sect. 5.

4 Construction

We present a new e-cash system that overcomes the aforementioned issues in the proof of exculpability. We use the PRF from [7] that allows for a simpler description of our system. We nevertheless explain in Sect. 7 how to improve efficiency by using the alternative PRF from [4]. While the $ {\textsf {Withdraw}} $ protocol is a simplification of [26], the $ {\textsf {Spend}} $ protocol is very different in the way to construct coin serial numbers and security tags. Additional details on the zero-knowledge arguments of knowledge used in our construction are given in Sect. 5.

: Given security parameter and integer $ L>0 $ such that $ 2^L $ is the desired number of coins per wallet issued, perform the following:
1. 1.
  Choose secure public parameters $\mathsf {par}_\mathsf {PRF}= \big (m,n,p,q , \mathbf {P}_0,\mathbf {P}_1 \big )$ for the BLMR PRF family [7]. Namely,
  1. a.
    For , set $ \alpha =2^{-\omega (\log ^{1+c}(n))} $ for some constant $ c>0 $; a prime $ p=2^{\log ^{1+c}(n)} $; a prime power $ q=\mathcal {O}(\sqrt{n}/\alpha ) $ such that p divides q; and $ m=n \cdot \lceil \log q \rceil $.
  2. b.
    Sample over $ \mathbb {Z}_q $-invertible matrices.
2. 2.
  Choose parameters $ \mathsf {par}_{sig} = (q_s, \ell , \sigma , (m_i)_{i=0}^3, m_s, m_f) $ for a signature scheme allowing to sign committed values [25]. Namely,
  1. a.
    Choose a prime power modulus $ q_s = \tilde{\mathcal {O}}(n^3) $ dividing q, an integer and a Gaussian parameter $ \sigma = \varOmega (\sqrt{n \log q_s} \log n) $. Set $ \delta _{q_s-1} = \lceil \log _2(q_s) \rceil $, $ \delta _{q-1} = \lceil \log _2(q) \rceil $ and $ \delta _{p-1} = \lceil \log _2(p) \rceil $. Define the message block lengths $ m_0=m_s:=2n\delta _{q_s-1} $, as well as $m_1=m$ and $ m_2=\bar{m}:=m\delta _{q-1} $.
  2. b.
    Sample and , for $ i \in \{1,2\} $, and define the commitment key to be $ CK:=\left( \mathbf {D}_0 := [\mathbf {D}_0' | \mathbf {D}_0''], \mathbf {D}_1, \mathbf {D}_2 \right) . $
  3. c.
    Sample .
3. 3.
  Choose parameters $\mathsf {par}_\mathsf {LTF}$ for the lossy trapdoor function of [30]. In terms of for constant $ c > 0 $, these consist of moduli $q_\mathsf {LTF}= \varTheta (n_{\mathsf {LTF}}^{1+1/\gamma })$ that divides q and $p_\mathsf {LTF}=\varTheta (n_{\mathsf {LTF}}^{1/\gamma })$ for some constant $ \gamma <1 $; matrix dimensions $n_\mathsf {LTF}$ and $ m_\mathsf {LTF}= \varTheta (n_{\mathsf {LTF}} \log q_{\mathsf {LTF}}) $ and $\bar{n}_\mathsf {LTF}= \bar{m}_\mathsf {LTF}/ \log p_\mathsf {LTF}$ such that $ p_{\mathsf {LTF}} < q_{\mathsf {LTF}} /4n_{\mathsf {LTF}} $; and an LWE error rate $ \alpha _\mathsf {LTF}= \varTheta (\sqrt{n}/q_{\mathsf {LTF}}) $. We additionally require that $m_\mathsf {LTF}= m \cdot \lceil \log p \rceil $. Then, select an evaluation key $ek_{\mathsf {LTF}}$ for a lossy trapdoor function in injective mode $ F_{\mathsf {LTF}}: \{0,1\}^{m_\mathsf {LTF}} \rightarrow \mathbb {Z}_{q_{\mathsf {LTF}}}^{n_\mathsf {LTF}+ \bar{n}_\mathsf {LTF}} $, meaning that $ek_{\mathsf {LTF}}= \big ( \mathbf {A}_\mathsf {LTF}, \mathbf {U}_\mathsf {LTF}\big )$ consists of a random and a matrix
  $$\mathbf {U}_\mathsf {LTF}=\mathbf {S}_{\mathsf {LTF}}^\top \cdot \mathbf {A}_{\mathsf {LTF}} + \mathbf {E}_{\mathsf {LTF}}^\top + \mathbf {G}_\mathsf {LTF}^\top \in \mathbb {Z}_{q_\mathsf {LTF}}^{\bar{n}_\mathsf {LTF}\times m_\mathsf {LTF}},$$
  for some , and $ \mathbf {G}_{\mathsf {LTF}} $ referred to in the preliminaries.
4. 4.
  Choose an integer $ \bar{p} >0 $ such that $ \bar{p} < p/2 $ which will define a challenge space $ \{-\bar{p}, \dots , \bar{p}\} $ for the argument system of [35]. Choose a hash function $ H_{\mathrm {FS}} : \{0,1\}^* \rightarrow \{-\bar{p}, \dots , \bar{p}\}^{\kappa } $, for some , which will be modelled as a random oracle in the security analysis.
5. 5.
  Choose a full-rank difference function $ \mathsf {FRD} :\mathbb {Z}_p^n \rightarrow \mathbb {Z}_p^{n \times n} $ such as the one in [1]; two universal hash functions $ H_{\mathsf {UH}}: \mathbb {Z}_p^{ m_{\mathsf {LTF}}} \rightarrow \mathbb {Z}_{p}^{n }, H'_{\mathsf {UH}}: \mathbb {Z}_p^{ m_{\mathsf {LTF}}} \rightarrow \mathbb {Z}_{p}^{n } $ keyed by two uniformly random matrices ; and a collision resistant hash function $ H_0: \{0,1\}^* \rightarrow \mathbb {Z}_p^n {\setminus } \{ \mathbf {0}^n\} $.
6. 6.
  Select a digital signature algorithm^{Footnote 2} $\varSigma $ able to sign any bitstring.
The final output is $ \mathsf {par}= ( \mathsf {par}_\mathsf {PRF}, \mathsf {par}_{sig}, \mathsf {par}_\mathsf {LTF}, \mathbf {F}, \mathsf {FRD} , \mathbf {U}_{\mathsf {UH}}, \mathbf {U}'_{\mathsf {UH}}, H_0, ek_{\mathsf {LTF}},H_{\mathrm {FS}},CK, \varSigma ). $
: The bank $ \mathcal {B}$ generates a key pair for the signature scheme by conducting the following steps.
1. 1.
  Sample (details are provided in the full version of this work [16]) so that $ \mathbf {T}_{\mathbf {A}} $ is a short basis of $ \varLambda ^{\bot }_{q_s}(\mathbf {A}) $ that allows $ \mathcal {B}$ to sample Gaussian vectors in $ \varLambda ^{\bot }_{q_s}(\mathbf {A}) $ with parameter $ \sigma $.
2. 2.
  Choose uniform .
3. 3.
  Choose and .
The key pair consists of $ PK_{\mathcal {B}} := \left( \mathbf {A}, \left\{ \mathbf {A}_j \right\} _{j=0}^{\ell },\mathbf {D},\mathbf {u} \right) $ and $ SK_{\mathcal {B}} := \mathbf {T}_{A} $.
: Choose a secret key and set the public key to be $ PK_{\mathcal {U}} := \mathbf {F} \cdot \mathbf {e}_{u} \in \mathbb {Z}_p^{n} $.
: Generate and output .
: A user $ \mathcal {U}$ withdraws a wallet with $ 2^L $ coins from a bank $ \mathcal {B}$ by engaging in the following protocol:
1. 1.
  $ \mathcal {U}$ picks a PRF key and computes its binary decomposition $ \tilde{\mathbf {k}}=\textsf {vdec}_{m,q-1}\left( \mathbf {k}\right) \in \{0,1\}^{\bar{m}} $. Then, $ \mathcal {U}$ commits to the 2-block message $ (\mathbf {e}_u, \tilde{\mathbf {k}}) \in \{0,1\}^{m} \times \{0,1\}^{\bar{m}} $ by sampling and sending
  $$ \mathbf {c}_{\mathcal {U}} = \mathbf {D}_0' \cdot \mathbf {r}_0 + \mathbf {D}_1 \cdot \mathbf {e}_u + \mathbf {D}_2 \cdot \tilde{\mathbf {k}} \in \mathbb {Z}_{q_s}^{n} $$
  to $ \mathcal {B}$. In addition, $ \mathcal {U}$ generates an interactive zero-knowledge argument of knowledge of an opening $ (\mathbf {r}_0, \mathbf {e}_u, \tilde{\mathbf {k}}) $ such that $ PK_{\mathcal {U}} = \mathbf {F} \cdot \mathbf {e}_u $ with $ \mathcal {B}$. This argument of knowledge can be instantiated using the methods of [35] by applying the technique of [14] to parallel repetitions.^{Footnote 3}
2. 2.
  If the argument of $ \mathcal {U}$ verifies, then $ \mathcal {B}$ extends the commitment $ \mathbf {c}_{\mathcal {U}} $ by sampling , and computing $ \mathbf {c}_{\mathcal {U}}' = \mathbf {c}_{\mathcal {U}} + \mathbf {D}_0'' \cdot \mathbf {r}_1 $. Next $ \mathcal {B}$ chooses , defines $ \mathbf {u}_{\mathcal {U}} = \mathbf {u} + \mathbf {D} \cdot \textsf {vdec}_{n,q_s-1}\left( \mathbf {c}_{\mathcal {U}}'\right) $, sets
  $$ \mathbf {A}_{\tau } := [ \mathbf {A} | \mathbf {A}_0 + \sum _{j=1}^{\ell } \tau [j] \cdot \mathbf {A}_{j} ] \in \mathbb {Z}_{q_s}^{n \times 2m_s} $$
  and computes a short basis $ \mathbf {T}_{\tau } $ of $ \varLambda ^{\bot }_{q_s}(\mathbf {A}_{\tau }) $ using $ \mathbf {T}_{A} $. Using $ \mathbf {T}_{\tau } $, it then samples a short vector and sends $ (\tau , \mathbf {v}, \mathbf {r}_1) $ to $ \mathcal {U}$.
3. 3.
  $ \mathcal {U}$ verifies that $ \Vert \mathbf {v}\Vert \le \sigma \sqrt{2m_s} $, $ \Vert \mathbf {r}_1\Vert \le \sigma \sqrt{m_s} $ and
  $$ \mathbf {A}_\tau \cdot \mathbf {v} = \mathbf {u} + \mathbf {D} \cdot \textsf {vdec}_{n,q_s-1}\left( \mathbf {c}_{\mathcal {U}} + \mathbf {D}_0'' \cdot \mathbf {r}_1 \right) \in \mathbb {Z}_{q_s}^n . $$
  If so, $ \mathcal {U}$ sets $ \mathbf {r} = (\mathbf {r}_0^\top \mid \mathbf {r}_1^\top )^\top \in \mathbb {Z}_{q_s}^{2m_s} $ and stores the wallet $ \mathcal {W}:= \big ( \mathbf {e}_u, \mathbf {k}, \mathsf {Sig}_{\mathcal {B}} = (\tau , \mathbf {v}, \mathbf {r}), J=0 \big ) $ whereas $ \mathcal {B}$ records a debit of $ 2^L $ for the account associated to $ PK_{\mathcal {U}} $.
: A user $ \mathcal {U}$ in possession of a wallet $ \mathcal {W}= \big ( \mathbf {e}_u,\mathbf {k},\mathsf {Sig}_{\mathcal {B}} = (\tau , \mathbf {v}, \mathbf {r}), J \big ) $ wants to spend a coin with $ \mathcal {M}$. If $ J > 2^L-1 $, $ \mathcal {U}$ outputs $ \bot $. Otherwise, they run the following protocol:
1. 1.
  $ \mathcal {U}$ generates a digital coin by first hashing the transaction information to $ R=H_0(PK_{\mathcal {M}},\mathsf {info}) \in \mathbb {Z}_p^n $ before conducting the following steps.
  1. a.
    Compute a BLMR PRF evaluation on the standard binary representation of J in $ \{0,1\}^L $ using key $ \mathbf {k} \in \mathbb {Z}_q^m $; i.e., set
    $$ \mathbf {y}_{\mathbf {k}}= \left\lfloor \prod _{i=1}^L \mathbf {P}_{J[L+1-j]} \cdot \mathbf {k} \right\rfloor _{p}$$
    and let $\tilde{\mathbf {y}}_{\mathbf {k}}=\mathsf {bin}_p(\mathbf {y}_{\mathbf {k}}) \in \{0,1\}^{m_\mathsf {LTF}} $ its standard bit-decomposition.
  2. b.
    Using $ek_\mathsf {LTF}$, compute $ \mathbf {y}_1 = F_{\mathsf {LTF}}(\tilde{\mathbf {y}}_{\mathbf {k}})$ and $\mathbf {y}_2 = PK_{\mathcal {U}} + H_{\mathsf {UH}}(\tilde{\mathbf {y}}_{\mathbf {k}}) $ to form the serial number $ \mathbf {y}_{S} := (\mathbf {y}_1, \mathbf {y}_2) \in \mathbb {Z}_{q_\mathsf {LTF}}^{n_\mathsf {LTF}+ \bar{n}_\mathsf {LTF}} \times \mathbb {Z}_p^{n}. $
  3. c.
    Compute the security tag $ \mathbf {y}_T = PK_{\mathcal {U}} + \mathsf {FRD} (R) \cdot H'_{\mathsf {UH}}(\tilde{\mathbf {y}}_{\mathbf {k}}) \in \mathbb {Z}_p^n.$
  4. d.
    Generate a non-interactive argument of knowledge $ \pi _K $ to show knowledge of $ (J, \mathbf {k}, \mathbf {e}_u, (\tau , \mathbf {v}, \mathbf {r})) $ such that:
    - The vector $ \mathbf {k}$ and secret key $ \mathbf {e}_u $ associated with $\mathcal {W}$ and $ PK_{\mathcal {U}} $ have been certified by $ \mathcal {B}$ through the signature $ (\tau , \mathbf {v},\mathbf {r}) $.
    - $ \mathbf {y}_{S} $ and $ \mathbf {y}_T $ were computed correctly using $ \mathsf {par}$, the secret key $ \mathbf {e}_u $, the PRF seed $ \mathbf {k} $ and a valid $ J\in \{0,\ldots ,2^{L-1}\} $.
    More precisely, letting $ \mathbf {y}_S= (\mathbf {y}_1, \mathbf {y}_2) $, $ \pi _K $ argues knowledge of $ (J,\mathbf {k},\mathbf {e}_u, (\tau , \mathbf {v}, \mathbf {r})) $ where $ J \in \{0,1\}^L$, $\mathbf {k} \in \mathbb {Z}_q^m$, $\mathbf {e}_u \in \{0,1\}^m,$ $\tau \in \{0,1\}^\ell $, $\mathbf {v} \in \mathbb {Z}^{2m_s}$ s.t. $\Vert \mathbf {v}\Vert _{\infty } \le \sigma \sqrt{2m_s}$ and $\mathbf {r} \in \mathbb {Z}^{m_s}$ s.t. $\Vert \mathbf {r}\Vert _\infty \le \sigma \sqrt{2 m_s} $, satisfying the relations
    
    The non-interactive argument $ \pi _K $ is produced by running the proof described in Sect. 5.2 times in parallel and using the Fiat-Shamir heuristic with random oracle $ H_{\mathrm {FS}} $. We may write
    $$ \pi _K = \left( \left\{ \textsf {Comm}_{K,j} \right\} _{j=1}^{\kappa }, \textsf {Chall}_K, \left\{ \textsf {Resp}_{K,j} \right\} _{j=1}^{\kappa } \right) $$
    where $ \textsf {Chall}_K = H_{\mathrm {FS}}(\mathsf {par}, R, \mathbf {y}_S, \mathbf {y}_{T}, \left\{ \textsf {Comm}_{K,j} \right\} _{j=1}^{\kappa }). $
  $ \mathcal {U}$ sends $ \mathsf {coin}= (\mathsf {info}', PK_{\mathcal {M}}, \mathbf {y}_S, \mathbf {y}_T, \pi _K) $ to $ \mathcal {M}$.
2. 2.
  If $ \mathsf {info}'=\mathsf {info}$ and $ {\textsf {VerifyCoin}}\left( \mathsf {par}, PK_{\mathcal {B}}, \mathsf {coin} \right) $ outputs 1, then $ \mathcal {M}$ outputs $ \mathsf {coin}$. Otherwise, $\mathcal {M}$ outputs $ \bot $. In either case, $ \mathcal {U}$ outputs an updated wallet $ \mathcal {W}' $ where J is increased by 1.
: Parse the coin as $ \mathsf {coin}= (\mathsf {info}, PK_{\mathcal {M}}, \mathbf {y}_S, \mathbf {y}_T, \pi _K) $ and output 1 if and only if $ \pi _K $ verifies.
: If ${\textsf {VerifyCoin}}\left( PK_{\mathcal {B}}, \mathsf {coin} \right) =0$, return 0. Otherwise, return 1 if and only if $\mu $ is a valid signature on $\mathsf {coin}$ with respect to $PK_{\mathcal {M}}$: i.e., $\varSigma {.}\mathsf {Verify}(PK_{\mathcal {M}},\mu ,\mathsf {coin})=1$.
: $\mathcal {M}$ and $\mathcal {B}$ interact in the following way.
1. 1.
  $\mathcal {M}$ sends $ \mathsf {coin}= (\mathsf {info},PK_{\mathcal {M}}, \mathbf {y}_S, \mathbf {y}_T, \pi _K) $ to $ \mathcal {B}$ along with a signature $\mu = \varSigma {.}\mathsf {Sign}(SK_{\mathcal {M}},\mathsf {coin})$.
2. 2.
  If ${\textsf {VerifyDeposit}}\left( PK_\mathcal {B},PK_\mathcal {M},\mathsf {coin},\mu \right) =0$ or ${\textsf {VerifyCoin}}\left( PK_{\mathcal {B}},\mathsf {coin} \right) =0$, then $ \mathcal {B}$ outputs $\perp $. If $ \mathsf {info}$ and $PK_\mathcal {M}$ are found in $ \mathsf {state}_\mathcal {B}$, then $ \mathcal {B}$ outputs the corresponding entry $(\mathsf {coin}', PK_\mathcal {M},\mu ', \mathbf {y}'_S)$. If the serial number $\mathbf {y}_{S}$ contained in $ \mathsf {coin}$ is not found in $ \mathsf {state}_\mathcal {B}$, then $ \mathcal {B}$ accepts the coin, adds the tuple $ (\mathsf {coin}, PK_\mathcal {M},\mu ,\mathbf {y}_{S}) $ to $ \mathsf {state}_\mathcal {B}$ and credits $\mathcal {M}$’s account. If there exists a tuple $(\mathsf {coin}, PK'_\mathcal {M},\mu ',\mathbf {y}_{S})$ in $ \mathsf {state}_\mathcal {B}$, then $ \mathcal {B}$ outputs such a tuple.
: Parse $ \mathsf {coin}_i = (\mathsf {info}_i,PK_{\mathcal {M}_i}, \mathbf {y}_{S,i}, \mathbf {y}_{T,i}, \pi _{K,i}) $ for each $ i \in \{1,2\} $. If any of the following conditions hold, output $ \bot $:
- $ \mathbf {y}_{S,1} \ne \mathbf {y}_{S,2} $,
- $ {\textsf {VerifyCoin}}\left( \mathsf {par}, PK_{\mathcal {B}}, \mathsf {coin}_1 \right) $ or $ {\textsf {VerifyCoin}}\left( \mathsf {par}, PK_{\mathcal {B}}, \mathsf {coin}_2 \right) \ne 1 $,
- $ (\mathsf {info}_1,PK_{\mathcal {M}_1})=(\mathsf {info}_2,PK_{\mathcal {M}_2}) $.
Otherwise, compute $ \mathbf {y}_T' = \left( \mathsf {FRD} (R_1) - \mathsf {FRD} (R_2) \right) ^{-1} \cdot (\mathbf {y}_{T,1} - \mathbf {y}_{T,2}) \in \mathbb {Z}_p^n $ with $R_i=H_0(PK_{\mathcal {M}_i},\mathsf {info}_i)$ and set $ PK_{\mathcal {U}} = \mathbf {y}_{T,1} - \mathsf {FRD} (R_1) \cdot \mathbf {y}_{T}' \in \mathbb {Z}_{p}^n $. Note that this calculation is performed using publicly known values, so the proof of guilt of a double spender is simply $ \varPi _G = (\mathsf {coin}_1, \mathsf {coin}_2) $. The output of this algorithm is then the pair $ (PK_{\mathcal {U}}, \varPi _G) $.

5 Zero-Knowledge Arguments with Soundness Error $1/\mathsf {poly}(\lambda )$ in Standard Lattices

We proceed in two steps to describe the ZKAoK used to spend a coin. We first describe an argument of knowledge of a (seed,input) pair generating a given BLMR evaluation. We then extend this to capture the whole statement proved by a user during a spending. For the ZKAoK in the withdrawal protocol, we directly rely on results of [35]. Throughout our construction, we use the argument system of Yang et al. [35] which was originally proved computationally honest-verifier ZK (HVZK) with polynomial soundness error. However, we can use known techniques to transform parallel repetitions of this protocol into a 3-round, malicious verifier ZK protocol with negligible soundness error in the CRS model [14]. This is how we instantiate the interactive ZKAoK in the withdrawal protocol. In the spend protocol, we use the standard result that the Fiat-Shamir transform [21] applied to parallel repetitions of an HVZK protocol yields a NIZK argument in the ROM. We also note that one may use a statistically hiding configuration of the commitment scheme from [5] instead of the more efficient computationally hiding configuration chosen in [35] to obtain statistical ZK arguments.

5.1 Zero-Knowledge Arguments for the BLMR PRF

We extend the protocol of Yang et al. [35] to build a ZKAoK of a (seed,input) pair producing a given BLMR evaluation. A similar result for the GGM-based PRF implied by [4] is provided in the full version [16], leading to a more efficient instantiation.

In [35], Yang et al. provide an argument of knowledge for the “instance-relation” set given by

(1)

where $ \mathbf {M}' \in \mathbb {Z}_q^{m' \times n'}, \mathbf {y}' \in \mathbb {Z}_q^{m'}$ and $\mathcal {M}\subseteq [n'] \times [n'] \times [n'] $, for some prime power q. The tuple $ (\mathbf {M}',\mathbf {y}', \mathcal {M}) $ is the instance whereas $ \mathbf {x}' \in \mathbb {Z}_q^{n'} $ is the witness. By carefully crafting each of these elements, we show that a proof of correct evaluation of the BLMR PRF is an instance of this argument of knowledge.

Indeed, recall that, for any seed $\mathbf {k}$ and input $x\in \{0,1\}^L$, the PRF output is defined as $ \mathbf {y} = \left\lfloor \prod _{i=1}^L \mathbf {P}_{x_{L+1-i}} \cdot \mathbf {k} \right\rfloor _{p} $, where $ \mathbf {P}_0, \mathbf {P}_1 \in \{0,1\}^{m \times m} $ are public parameters and p is a prime power dividing q. If we write $ \mathbf {y}_j = \prod _{i=L+1-j}^{L} \mathbf {P}_{x_{L+1-i}} \cdot \mathbf {k} $ for $ j \in [L] $, we can represent a PRF evaluation using the linear system over $ \mathbb {Z}_q $:

$$\begin{aligned} \mathbf {y}_1 - \mathbf {P}_0 \cdot (1-x_1)\mathbf {k} - \mathbf {P}_1 \cdot x_1 \mathbf {k}&=\mathbf {0} \\ \mathbf {y}_2 - \mathbf {P}_0 \cdot (1-x_2)\mathbf {y}_1 - \mathbf {P}_1 \cdot x_2 \mathbf {y}_1&= \mathbf {0} \\ \vdots&\\ \mathbf {y}_L - \mathbf {P}_0 \cdot (1-x_L)\mathbf {y}_{L-1} - \mathbf {P}_1 \cdot x_L \mathbf {y}_{L-1}&=\mathbf {0} \\ \mathbf {y}_L - \mathbf {e}&=\frac{q}{p} \cdot \mathbf {y} \end{aligned}$$

where $ \mathbf {e} \in [0,q/p]^m $. This system is a linear system in the (quadratic) unknowns $ (1-x_1)\mathbf {k}, x_1\mathbf {k}, (1-x_2)\mathbf {y}_1, x_2\mathbf {y}_1, \dots , (1-x_L)\mathbf {y}_{L-1}, x_L\mathbf {y}_{L-1}, \mathbf {y}_L, \mathbf {e} $. As a first step towards transforming our system into one captured by $ \mathcal {R}^* $, we can embed the above system in a larger system whose solution is given by

$$\begin{aligned} (\mathbf {x}')^\top = \left( (\mathbf {x}'_{1})^\top , (\mathbf {x}'_2)^\top , (\mathbf {x}'_3)^\top , \tilde{\mathbf {e}}^\top \right) \end{aligned}$$

(2)

where

$ (\mathbf {x}'_{1})^\top = \big ((1-x_1), x_1, \dots , (1-x_L), x_L \big ) \in \{0,1\}^{2L} $,
$ (\mathbf {x}'_2)^\top = \big (\mathbf {y}_0^\top , \mathbf {y}_1^\top , \dots , \mathbf {y}_L^\top \big ) \in \mathbb {Z}_q^{(L+1)\cdot m} $, with $ \mathbf {y}_0 := \mathbf {k} $,
$ \mathbf {x}'_3 \in \mathbb {Z}_q^{2L\cdot m}$ is of the form
$$ (\mathbf {x}'_3)^\top = \big ((1-x_1)\mathbf {y}_0, x_1\mathbf {y}_0, (1-x_2)\mathbf {y}_1, x_2\mathbf {y}_1, \dots , (1-x_L) \mathbf {y}_{L-1}, x_L \mathbf {y}_{L-1}\big ) , $$
$ \tilde{\mathbf {e}} = \textsf {vdec}_{m,\frac{q}{p}-1}\left( \mathbf {e}\right) \in \{0,1\}^{m \cdot \left( \lfloor \log (\frac{q}{p} - 1)\rfloor +1\right) } $, which ensures that $ \Vert \mathbf {e}\Vert _{\infty } < q/p $.

One aspect of this extended solution is that every consecutive pair of entries of $ \mathbf {x}'_1 $ is either (0, 1) or (1, 0) . In other words, each consecutive pair of entries of $ \mathbf {x}'_1 $ sums to 1 and is binary. The fact that consecutive pairs add to 1 can be captured by a linear constraint that will constitute the first block of our matrix $\mathbf {M}'$. Next, the fact that the entries of $ \mathbf {x}'_1 $ are binary may be captured by the set of equations $ \mathbf {x}'_1[i] = \mathbf {x}'_1[i] \cdot \mathbf {x}'_1[i] $. In fact, proving this relation only for even i is sufficient as $\mathbf {x}'_1[2i] \in \{0,1\}$ and $\mathbf {x}'_1[2i] + \mathbf {x}'_1[2i-1] =1$ implies $\mathbf {x}'_1[2i-1] \in \{0,1\}$.

The next part of a valid solution’s structure is that entries of $ \mathbf {x}'_3 $ are the result of multiplying entries of $ \mathbf {x}'_1 $ and $ \mathbf {x}'_2 $. This can be written as $ \mathbf {x}'_3[h'] =\mathbf {x}'_1[i'] \cdot \mathbf {x}'_2[j'] $ for appropriate choices of $ h',i',j' $. It then only remains to prove that the entries of $ \tilde{\mathbf {e}} $ are binary, which is captured by the equations $ \tilde{\mathbf {e}}[i] = \tilde{\mathbf {e}}[i] \cdot \tilde{\mathbf {e}}[i] $.

Following the details outlined above, we may represent a BLMR evaluation as the system $ \mathbf {M}' \cdot \mathbf {x}' = \mathbf {y}' \bmod q $ for

$ \mathbf {x}' \in \mathbb {Z}_q^{2L+(L+1)\cdot m + 2L \cdot m + (\lfloor \log (q/p -1 )\rfloor +1)\cdot m} $ which is subject to the following constraints, when parsed as in Eq. 2:
$\bullet $:

for $ i \in [L] $: $ \mathbf {x}'_1[2i] = \mathbf {x}'_1[2i] \cdot \mathbf {x}'_1[2i] $

$\bullet $:

for $ (i,j) \in [m] \times [L] $: $ \mathbf {x}'_{3}[2m(j-1)+i] = \mathbf {x}'_1[2j-1] \cdot \mathbf {x}'_2[m(j-1)+i] $ and $ \mathbf {x}'_3[2m(j-1)+m+i] = \mathbf {x}'_1[2j] \cdot \mathbf {x}'_2[m(j-1)+i] $

$\bullet $:

for $ i \in [(\lfloor \log (q/p-1)\rfloor +1)\cdot m] $: $ \tilde{\mathbf {e}}[i] = \tilde{\mathbf {e}}[i] \cdot \tilde{\mathbf {e}}[i] $
$ (\mathbf {y}')^\top = (\overbrace{1, \dots , 1}^{L}, \overbrace{0, \dots , \dots , 0}^{m\cdot L}, (q/p) \mathbf {y}^\top ) $
$$\begin{aligned} \mathbf {M}' = \left[ \begin{array}{c|c|c|c} \mathbf {I}_L \otimes (1,1) &{} &{} &{} \\ \hline &{} 0^{mL \times m} \Vert \mathbf {I}_{m \cdot L} &{} -\mathbf {I}_L \otimes [\mathbf {P}_0 \Vert \mathbf {P}_1] &{} \\ \hline &{} 0^{m \times L\cdot m} \Vert \mathbf {I}_m &{} &{} -H_{m,q/p - 1} \end{array} \right] \end{aligned}$$
(3)
where all blank blocks consist of 0 entries.

5.2 Zero-Knowledge Arguments for the $ \mathsf {Spend}$ Protocol

The previous protocol enables to prove correct evaluation of the BLMR PRF but is not sufficient to produce the proof $\pi _K$ expected by the merchant during the $\mathsf {Spend}$ protocol. In particular, we also need to prove

knowledge of (short) solutions to linear systems (e.g., the user’s secret key);
knowledge of solutions to an equation involving a subset sum of known-matrix and secret vector multiplications (i.e. the computation of $ \mathbf {A}_{\tau } $);
correct evaluation of the lossy trapdoor function $F_{\mathsf {LTF}}$.

All these statements can be captured by the relation $ \mathcal {R}^* $ from [35], as explained below. Together with our proof of correct PRF evaluation, this means that $\pi _K$ can be instantiated using only the Yang et al. framework. We can then achieve inverse-polynomial soundness error $ 1/\bar{p} $ in one ZKAoK protocol run. To achieve a soundness error of $ 2^{-\lambda } $, we only need $\mathcal {O}(\lambda /{\log }\,\bar{p}) $ repetitions. This clearly improves upon the Stern-type protocols used in [26], which require $ \mathcal {O}(\lambda )$ repetitions.

Remark 1

It should be noted that we have different equations over various moduli in our $ \mathsf {Spend}$ protocol. However, as long as q is a prime power and all remaining moduli divide q, we may lift all equations to use the modulus q. For example, to lift an equation over $ \mathbb {Z}_{q'} $ to an equation over $ \mathbb {Z}_{q} $ where $ q' $ divides q, we simply multiply by $ q/q' \in \mathbb {Z}$. We will use this trick in what follows.

The Explicit Linear System. Transforming the argument of knowledge produced by a user during the $\mathsf {Spend}$ protocol into an instance of the Yang et al. protocol is far from trivial as there are several details to address. Besides the moduli issue mentioned above, we indeed need to juggle with two different types of binary decomposition in order to ensure security of the whole system.

We use the notation from the $ \mathsf {Spend}$ protocol specification in Sect. 4. We further parse $ \mathbf {v}$ as $(\mathbf {v}_1, \mathbf {v}_2) $, where $ \mathbf {v}_1, \mathbf {v}_2 \in \mathbb {Z}^{m_s} $. Also, we define $ \sigma ':=\lfloor \sigma \sqrt{m_s}+1 \rfloor $ and $ \mathbf {v}_i^{+} = \mathbf {v}_i+\sigma '\cdot \mathbf {1} $ for $ i \in \{1,2\} $, where $ \mathbf {1} $ denotes the all-one vector. This implies that valid values of $ \mathbf {v}_i $ (i.e., such that $ \Vert \mathbf {v}_i\Vert _{\infty } \le \sigma ' $) give rise to $ \mathbf {v}_i^{+} \in [0, 2\sigma ']^{m_s} $. We also set $ \mathbf {r}^+ := \mathbf {r} + \sqrt{2}\sigma ' \cdot \mathbf {1} $ so that $ \mathbf {r}^+ \in [0,2\sqrt{2}\sigma ']^{2m_s} $ for valid choices of $ \mathbf {r} $ (i.e. values such that $ \Vert \mathbf {r}\Vert _{\infty }\le \sqrt{2}\sigma ' $). We can then define $ \tilde{\mathbf {v}}_i := \textsf {vdec}_{m_s,2\sigma '}\left( \mathbf {v}_i^+\right) $ for $ i \in \{1,2\} $, $ \tilde{\mathbf {r}} := \textsf {vdec}_{2 m_s, 2\sqrt{2}\sigma '}\left( \mathbf {r}^+\right) $, $ \tilde{\mathbf {k}} := \textsf {vdec}_{m,q-1}\left( \mathbf {k}\right) $ and

We begin by considering the equation associated to the signature. We can express it as the following linear system over $ \mathbb {Z}_q $

whose solution is $ \mathbf {x}_1:=\left( \tau , \tilde{\mathbf {v}}_1, \tilde{\mathbf {v}}_2, \tau [1] \cdot \tilde{\mathbf {v}}_2, \dots , \tau [\ell ] \cdot \tilde{\mathbf {v}}_2, \tilde{\mathbf {w}}, \tilde{\mathbf {r}}, \mathbf {e}_u, \mathbf {k},\tilde{\mathbf {k}}\right) $, with some quadratic constraints amongst unknowns.

We next consider the evaluation of $ \mathbf {y}_1 $, as written in the $ \mathsf {Spend}$ protocol. Here a subtlety arises as we need to use two different types of binary decomposition. So far, we have only used the $\mathsf {vdec}_{m,p-1}$ function because it allows achieving exact soundness with the proofs of Yang et al. Unfortunately, the decomposition of an integer according to the sequences $B_1,\ldots ,B_{\delta _{p-1}}$ implicitly defined by $\mathsf {vdec}_{m,p-1}$ (see Sect. 2) may not be unique, which might lead to undetected frauds in our system. We will then also use the standard binary decomposition (that is unique) to ensure that the user is not evaluating $F_{\mathsf {LTF}}$ on two different decompositions of the same PRF output. It then remains to prove consistency of both decompositions, which is explained below.

Concretely, let $ \tilde{\mathbf {y}}_{\mathbf {k}} $ denote the standard binary decomposition of the PRF output $ \mathbf {y}_{\mathbf {k}} = \left\lfloor \prod _{i=1}^L \mathbf {P}_{J[L+1-j]} \cdot \mathbf {k} \right\rfloor _{p} $. Importantly, we must ensure that $ \tilde{\mathbf {y}}_{\mathbf {k}} $ does really correspond to binary decomposition of a vector in $ [0,p-1]^m $ rather than some larger space. Alternatively, we need to ensure that $ \mathbf {y}_\mathbf {k} $ (which is unknown) has entries in $ [0,p-1] $. We achieve this by considering $ \tilde{\mathbf {y}}'_{\mathbf {k}} = \textsf {vdec}_{m,p-1}\left( \mathbf {y}_{\mathbf {k}}\right) $. By multiplying the evaluation equation of $ \mathbf {y}_1 $ by $ q/q_{\mathsf {LTF}} $ and denoting the $ \mathsf {LTF}$ key $ ek_{\mathsf {LTF}} $ as $ \mathbf {B}_{\mathsf {LTF}} \in \mathbb {Z}_{q_{\mathsf {LTF}}}^{(n_{\mathsf {LTF}} + \bar{n}_{\mathsf {LTF}}) \times m_{\mathsf {LTF}}} $, we can derive the following equations over $\mathbb {Z}_q$:

Conveniently, the restriction that the entries of $ \tilde{\mathbf {y}}_{\mathbf {k}}$ and $ \tilde{\mathbf {y}}'_{\mathbf {k}}$ are binary is easily captured using quadratic constraints. Therefore all boxed equations so far constitute a linear system whose solution is $ \mathbf {x_2} := (\mathbf {x}_1 \Vert \tilde{\mathbf {y}}_{\mathbf {k}}, \tilde{\mathbf {y}}'_{\mathbf {k}}, \mathbf {y}_{\mathbf {k}}), $ subject to some quadratic constraints that can easily be handled with the Yang et al. framework. However, we still need some equations to ensure that $ \mathbf {y}_{\mathbf {k}} $ is computed correctly as a BLMR PRF output. In order to describe these equations, we will use the observations from Sect. 5.1 and the matrix $ \mathbf {M}' $ given in Equation (3). In particular, we set the unknown vector

$$\begin{aligned} \mathbf {x}_{\mathbf {k}} =&( 1-J[1], J[1], \dots , 1-J[L], J[L],\mathbf {yk}_0, \dots , \mathbf {yk}_{L},\\&(1-J[1])\mathbf {yk}_0,J[1]\mathbf {yk}_0, \dots , (1-J[L])\mathbf {yk}_{L-1}, J[L]\mathbf {yk}_{L-1}, \mathbf {e}_{\mathbf {k}} ) \end{aligned}$$

where $ \mathbf {yk}_i \in \mathbb {Z}_q^m $ for $ i \in [0,L] $ and $ \mathbf {e}_{\mathbf {k}} \in \{0,1\}^{m\cdot \left( \lfloor \log (\frac{q}{p}-1)\rfloor + 1\right) }. $ As noted in Sect. 5.1 (and shown by the form of $ \mathbf {x}_\mathbf {k} $), the constraints on these unknown vectors are quadratic as required. To capture the PRF computation, we extend the vector of unknowns by defining $ \mathbf {x}_3 := (\mathbf {x}_2 \Vert \mathbf {x}_{\mathbf {k}} ). $ We then add the following to the boxed linear equations over $ \mathbb {Z}_q $ above (where $ \mathbf {M}' $ is defined in Equation (3)):

Finally, it remains to prove that $ \mathbf {y}_2 $ and $ \mathbf {y}_T $ are well-formed. This consists in proving the following relation over $\mathbb {Z}_q$:

where the witnesses are already included in $\mathbf {x}_3$.

We have shown that the whole statement proved during the $ \mathsf {Spend}$ protocol can be expressed as the collection of the boxed linear systems with a vector $\mathbf {x}_3 $ of unknowns subject to quadratic constraints supported by the protocol of [35].

6 Security Proofs

In this section and the full version [16], we prove Theorem 1, which states that our construction provides all the required security properties.

Theorem 1

Our construction is a secure e-cash system in the random oracle model assuming that the following conditions hold:

The $ \textsf {SIS} _{n,m_s,q_s,\beta '} $ for $ \beta '=\mathcal {O}\left( \sigma ^2 m_s^{1/2} (m_s+m\log q)\right) $ and $ \textsf {SIS} _{n,m,p,2\sqrt{m}} $ problems are hard;
Parameters are chosen so that the interactive AoK $\varPi _1$ in the withdrawal protocol is zero-knolwedge (ZK) and that the non-interactive AoK $\varPi _2$ in the spend protocol is honest-verifier zero-knowledge (HVZK);
Parameters m, n, q, p are chosen so that the BLMR PRF is pseudo-random;
The $ \textsf {LWE} _{n_{\mathsf {LTF}}, m_{\mathsf {LTF}}, q_{\mathsf {LTF}},\alpha } $ problem is hard;
$\varSigma $ is an EUF-CMA secure signature scheme.

Proof of Exculpability. Suppose the lossy trapdoor function is sampled in its injective mode. The proof of exculpability relies on the fact that an adversary producing two valid coins with the same serial number must produce at least one fresh proof of knowledge of a secret key underlying an honestly produced public key. In particular, our construction guarantees that this public key is the one that $ \mathsf {Identify}$ points to. The ability to produce fresh arguments of knowledge for an honest public key can be used to solve the $\textsf {SIS}$ problem. We first present a lemma about collision probabilities on PRFs with randomly sampled seeds and polynomial-size domain.

Lemma 4

Let $ \mathsf {PRF}= \left\{ \mathsf {PRF}_{\mathbf {k}} : \{0,1\}^L \rightarrow \{0,1\}^{M} \mid \mathbf {k} \in \mathcal {K} \right\} $ be a family of pseudo-random functions where and . Take any and sample . The probability that $ \exists (i,j,x_1,x_2) \in [N]^2 \times \{0,1\}^L \times \{0,1\}^L $ such that $ \mathsf {PRF}_{\mathbf {k}_i}(x_1) = \mathsf {PRF}_{\mathbf {k}_j}(x_2) $ is negligible.

Proof

We first describe a challenger algorithm $ \mathcal {C}$. In the first stage, $ \mathcal {C}$ samples , samples N uniform functions $ U_1,\dots , U_N : \{0,1\}^L \rightarrow \{0,1\}^M $ and samples a challenge bit . In the second phase, $ \mathcal {C}$ waits for queries $ x \in \{0,1\}^L $. If $ b=1 $, it answers with $ (\mathsf {PRF}_{\mathbf {k}_1}(x),\dots , \mathsf {PRF}_{\mathbf {k}_N}(x)) $. On the other hand, if $ b=0 $, it responds with $ (U_1(x), \dots , U_N(x)) $. By a standard hybrid argument, no PPT adversary $ \mathcal {A}$ can guess the bit b with non-negligible advantage under the assumption that $ \mathsf {PRF}$ is a PRF family and . Consider the following adversary $ \mathcal {A}^* $ that queries $ \mathcal {C}$ on the entire set $ \{0,1\}^L $. Denote the response to query x as $ (y_{1,x}, \dots , y_{N,x}) $. Now, $ \mathcal {A}^* $ outputs $ b^*=1 $ if there exists $ (i,j,x_1,x_2) $ such that $ y_{i,x_1}=y_{j,x_2} $. Otherwise, $ \mathcal {A}^* $ outputs $ b^*=0 $. Note that, if $ b=0 $, the probability that $ \mathcal {A}^* $ outputs $ b^*=1 $ is equal to

$$\begin{aligned} 1-\prod _{k=1}^{2^L N} \left( 1 - \frac{(k-1)}{2^M} \right) \end{aligned}$$

which is negligible since and . Therefore, under the assumption that $ \mathsf {PRF}$ is a PRF family, the probability that $ \mathcal {A}^* $ outputs $ b^*=1 $ when $ b=1 $ is also negligible. $\square $

Lemma 5

Our construction provides strong exculpability in the random oracle model assuming that: (i) The $ \textsf {SIS} _{n,m,p,2\sqrt{m}} $ problem is hard; (ii) Parameters (m, n, p, q) are chosen so that the BLMR PRF is pseudo-random; (iii) $\varPi _1$ and $\varPi _2$ are ZK and HVZK, respectively; (iv) The protocols underlying $\varPi _1$ and $ \varPi _2 $ are arguments of knowledge.

Recall that a successful adversary returns $\mathsf {coin}_1$ and $\mathsf {coin}_2$ such that $ PK_{\mathcal {U}^*}=\mathsf {Identify}(PK_\mathcal {B},\mathsf {coin}_1,\mathsf {coin}_2) $ for honest user $ \mathcal {U}^* $. This implies two things:

First, the two coins have been generated using the public key $PK_{\mathcal {U}^*}$. Indeed, the fact that the identification procedure succeeds implies that these coins share the same serial number $ \mathbf {y}_{S} := (\mathbf {y}_1, \mathbf {y}_2) $. Since the evaluation key of $ F_{\mathsf {LTF}} $ was sampled in injective mode, the serial number $ \mathbf {y}_{S} $ uniquely determines the value $ PK' = \mathbf {y}_2 - H_{\mathsf {UH}}(F_{\mathsf {LTF}}^{-1}(\mathbf {y}_1)) $, which underlies both $ \mathsf {coin}_1 $ and $ \mathsf {coin}_2 $. Then, the soundness of $\varPi _2$ ensures that
$$\begin{aligned} \mathbf {y}_{T,1}= & {} PK' + \mathsf {FRD} (R_1) \cdot H'_{\mathsf {UH}}(F^{-1}_{\mathsf {LTF}}(\mathbf {y}_1)) , \qquad \\ \mathbf {y}_{T,2}= & {} PK' + \mathsf {FRD} (R_2) \cdot H'_{\mathsf {UH}}(F^{-1}_{\mathsf {LTF}}(\mathbf {y}_1)) , \end{aligned}$$
which implies that $ PK'$ is the public key $ PK_{\mathcal {U}^*} $ pointed to by $ \mathsf {Identify} $.
Second, there exists $ d \in \{1,2\} $ such that $ \mathsf {coin}_d = (R_d, \mathbf {y}_{S,d}, \mathbf {y}_{T,d}, \pi _{K,d}) $ is not the result of a $\mathcal {Q}_{\textsf {Spend}}$-query w.h.p. To see why, consider the case that $ \mathsf {coin}_1 $ and $ \mathsf {coin}_2 $ are both the result of $ \mathcal {Q}_{\textsf {Spend}}$-queries, but do not appear in $ \textsf {T}_{\mathsf {ds}} $. This occurs if, when sampling polynomially many seeds, one finds $ \mathbf {k}, \mathbf {k}' $ satisfying $ \mathsf {PRF}_{\mathbf {k}}(J) = \mathsf {PRF}_{\mathbf {k}'}(J') $ for some $ (J,J') \in [0,2^{L}-1]^2 $. By Lemma 4, this occurs with negligible probability .

Proof

Using these two observations, we will prove the strong exculpability of our scheme by defining the following sequence of games. Let $\epsilon $ be the probability that $\mathcal {A}$ succeeds against the exculpability of our scheme and let $ Q_w $ (resp. $Q_s$) denote the maximal number of $ \mathcal {Q}_{\textsf {Withdraw}}$ queries (resp. $\mathcal {Q}_{\textsf {Spend}}$ queries).

: This is exactly the strong exculpability experiment, as defined in Sect. 2. The probability $\epsilon _0$ that $\mathcal {A}$ succeeds in this game is then exactly $\epsilon $.
: In this game, our reduction $\mathcal {S}$ (acting as a challenger in the strong exculpability experiment) proceeds as in except that it defines $\mathbf {F}$ as $\bar{\mathbf {A}} \in \mathbb {Z}_p^{n \times m}$, where $\bar{\mathbf {A}}$ is a uniform matrix provided in a $ \textsf {SIS} _{n,m,p,2\sqrt{m}} $ instance. We denote by $ \mathbf {e}_{u^*} \in \{0,1\}^m $ the secret key generated by $\mathcal {S}$ for the accused user $PK_{\mathcal {U}^*} = \mathbf {F}\cdot \mathbf {e}_{u^*}$. Note that $ \mathcal {A}$ is given black-box access to $ H_{\mathrm {FS}} $ and $ \mathcal {S}$ answers queries to $ H_{\mathrm {FS}} $ by returning uniformly random elements of $ \{-\bar{p},\dots ,\bar{p}\}^{\kappa } $. In addition, $ \mathcal {S}$ initialises empty lists of honest users $ \mathcal {HU} $ and double-spent coins $ \mathcal {T}_{\mathsf {ds}} $. As $\bar{\mathbf {A}}$ is distributed as $\mathbf {F}$ in the original setup, the probability that $\mathcal {A}$ succeeds in this game is $\epsilon _{1,0} = \epsilon _0$.
: For $i\in [1,Q_w]$, this game is defined as , except that $\mathcal {S}$ now answers the i-th $\mathcal {Q}_{\textsf {Withdraw}}$-query (if any) by running the simulator of $\varPi _1$ to simulate the interactive proof generated by the user at this stage. This is done for every user $PK_{\mathcal {U}}$, and not just $PK_{\mathcal {U}^*}$. Any change of behaviour of $\mathcal {A}$ can thus be straightforwardly used against the zero-knowledge property of $\varPi _1$. We therefore have $\epsilon _{1,i-1} - \mathtt {Adv}_{ZK}^{\varPi _1}(\mathcal {A}) \le \epsilon _{1,i} $ for all $i\in [1,Q_w]$.
: For $i\in [1,Q_s]$, this game is defined as , except that $\mathcal {S}$ now answers the i-th $\mathcal {Q}_{\textsf {Spend}}$-query (if any) by running the simulator of $\varPi _2$ to simulate the non-interactive argument generated by the spender at this stage. This can be done (using only the user’s public key $PK_{\mathcal {U}}$) by applying the standard technique of programming the random oracle $ H_{\mathrm {FS}} $ on new inputs, which only requires the statistical HVZK property of $\varPi _2$. The simulation fails whenever the random oracle $ H_{\mathrm {FS}} $ needs to be programmed at an input that it was previously queried on. However, this happens with negligible probability at most , where $ Q_H $ is the total number of queries made by $ \mathcal {A}$ to $ H_{\mathrm {FS}} $ and the denominator is a lower bound on the domain-size of $ H_{\mathrm {FS}} $-inputs. Therefore, we can conclude that $ \epsilon _{1,Q_w+i-1} - \mathtt {Adv}_{HVZK}^{\varPi _2}(\mathcal {A}) - \mathtt {Coll}_H \le \epsilon _{1,Q_w+i} $ for all $i\in [1,Q_s]$.

It is important to note that, in , the reduction $\mathcal {S}$ only needs $PK_{\mathcal {U}^*}$ and not $\mathbf {e}_{u^*}$ to simulate the game. This concretely means that the adversary’s view is independent of the preimage $\mathbf {e}_{u^*}$ of $PK_{\mathcal {U}^*}$ selected by $\mathcal {S}$. Thanks to [27, Lemma 8], we know that this preimage is not unique: i.e., there exists at least one vector $ \mathbf {e} \in \{0,1\}^{m} {\setminus } \{ \mathbf {e}_{u^*} \} $ such that $ \bar{\mathbf {A}}\cdot \mathbf {e}_{u^*} = \bar{\mathbf {A}} \cdot \mathbf {e} \bmod p $ with all but negligible probability. This observation will be crucial in what follows.

: Let $ Q_H $ be a polynomial bounding the number of random oracle queries made by $ \mathcal {A}$ to $ H_{\mathrm {FS}} $. Up until $ \mathcal {A}$ terminates, $ \mathcal {S}$ answers $ \mathcal {A}$’s queries as in the previous games, recording the random oracle queries as $ (q_1, q_2, \dots ) $ and the corresponding uniformly distributed responses as $ (h_1, h_2, \dots ) $. Our second observation at the beginning of the proof implies that at least one coin $\mathsf {coin}_d$ returned by $\mathcal {A}$ is not the result of a $\mathcal {Q}_{\textsf {Spend}}$-query with overwhelming probability (if none of the coins were generated as a response to $\mathcal {Q}_{\textsf {Spend}}$-query, then select a random $d\in \{1,2\}$. Define
$$\begin{aligned} \pi _{K,d} := \left( \left\{ \textsf {Comm}_{K,d,j} \right\} _{j=1}^{\kappa }, \textsf {Chall}_{K,d}, \left\{ \textsf {Resp}_{K,d,j} \right\} _{j=1}^{\kappa } \right) , \\ \textsf {Chall}_{K,d} := H_{\mathrm {FS}}\left( \mathsf {par}, R, \mathbf {y}_{S,d}, \mathbf {y}_{T,d}, \left\{ \textsf {Comm}_{K,d,j} \right\} _{j=1}^{\kappa }\right) . \end{aligned}$$
In this game, $\mathcal {S}$ aborts if the above query was not made to $ H_{\mathrm {FS}} $. We note that in such a case the proof $\pi _{K,d} $ would only have been acceptable with probability at most $ (2\bar{p}+1)^{-\kappa } $. We then have $\epsilon _{1,Q_w+Q_s} - (2\bar{p}+1)^{-\kappa } \le \epsilon _2$.

From now on, we know that there exists an index $ i^* \in [Q_H] $ such that the $ i^*$-th $ H_{\mathrm {FS}} $-query is used to produce $ \textsf {Chall}_{K,d} $ (i.e., $ \textsf {Chall}_{K,d} = h_{i^*} $) and that $\mathcal {A}$ succeeds in with probability $\epsilon _2\ge \epsilon - Q_w\cdot \mathtt {Adv}_{ZK}^{\varPi _1}(\mathcal {A}) - Q_s(\mathtt {Adv}_{HVZK}^{\varPi _2}(\mathcal {A}) +\mathtt {Coll}_H) - (2\bar{p}+1)^{-\kappa }$. We then define our last game as follows:

1.
$ \mathcal {S}$ runs $ \mathcal {A}$ by behaving as in . If $ \mathcal {A}$ fails to win the game, then $ \mathcal {S}$ aborts. Otherwise, it records $ \mathsf {coin}_d, \pi _{K,d}, \textsf {Chall}_{K,d} $, $ (q_1,q_2,\dots ),(h_1,h_2,\dots ), i^* $, sets a variable $ \textsf {fork}=1 $ and proceeds to the next step.
2.
(Search for a 3-fork). This step is repeated twice. $ \mathcal {S}$ runs $ \mathcal {A}$ with the same random tape as in the beginning of the first step. In addition, it sends $ \mathcal {A}$ the same $ \mathsf {par}$ as before, giving $ \mathcal {A}$ oracle access to $ H_{\mathrm {FS}} $. $ \mathcal {S}$ allows $ \mathcal {A}$ to run until termination, answering queries to $ H_{\mathrm {FS}} $ as follows:
- Answer queries $ q_1, \dots , q_{i^*-1} $ (which are identical to those of the first run) using the same values $ h_1, \dots , h_{i^*-1} $ as before.
- At the $ i^* $-th query $ q_{i^*} $ (which is also the same as the first time $ \mathcal {A}$ was run), pick a fresh uniform response $ h'_{i^*} $.
- For the remaining queries made by $ \mathcal {A}$ denoted $ q'_{i^*+1}, \dots , q'_{Q_H} $, pick fresh uniform random responses $ h_{i^*+1}', \dots , h_{Q_H}' $.
If this is the first repetition, $ \mathcal {S}$ sets $ h_{i^*}^{(2)} = h'_{i^*} $. At the second repetition, it sets $ h_{i^*}^{(3)} = h'_{i^*} $. If $ \mathcal {A}$ terminates without winning the strong exculpability game, then $ \mathcal {S}$ begins the next repetition of this step. If $ \mathcal {A}$ terminates and wins the game, denote its output as $ (PK'_{\mathcal {B}'}, \mathsf {coin}'_1, \mathsf {coin}'_2) $. As before, let $ d' \in \{1,2\} $ denote the index that was not the result of a $\mathcal {Q}_{\textsf {Spend}}$-query (picking $ d' \in \{1,2\} $ randomly if neither coin was the result of a spend query). Recall that both coins can be the result of $ \mathcal {Q}_{\textsf {Spend}}$-queries with at most negligible probability , but if this is the case, $ \mathcal {S}$ skips to the next repetition of this step. Denote $ \mathsf {coin}'_{d'} = (R'_{d'}, \mathbf {y}'_{S,d'}, \mathbf {y}'_{T,d'}, \pi '_{K,d'}) $. Write
$$ \pi '_{K,d'} = \left( \left\{ \textsf {Comm}'_{K,d',j} \right\} _{j=1}^{\kappa }, \textsf {Chall}'_{K,d'}, \left\{ \textsf {Resp}'_{K,d',j} \right\} _{j=1}^{\kappa } \right) . $$
$ \mathcal {S}$ skips to the next repetition of this step at this point if
$$ \left( R_{d}, \mathbf {y}_{S,d}, \mathbf {y}_{T,d}, \left\{ \textsf {Comm}_{K,d,j} \right\} _{j=1}^{\kappa } \right) \ne \left( R'_{d'}, \mathbf {y}'_{S,d'}, \mathbf {y}'_{T,d'}, \left\{ \textsf {Comm}'_{K,d',j} \right\} _{j=1}^{\kappa } \right) $$
or if $ h_{i^*} = h'_{i^*} $. Otherwise, $ \mathcal {S}$ sets $ \textsf {fork} \leftarrow \textsf {fork}+1 $ and $ \pi ^{(\textsf {fork}+1)}_{K} = \pi '_{K,d'} $.
3.
If $ \textsf {fork} < 3 $ or, $ \textsf {fork}=3 $ but there exists no $ j \in [\kappa ] $ such that $ (h_{i^*}[j], h^{(2)}_{i^*}[j], h^{(3)}_{i^*}[j] ) $ take three distinct values, then $ \mathcal {S}$ terminates outputting $ \bot $. Otherwise, $ \mathcal {S}$ has access to arguments $ \pi _{K,d}, \pi ^{(2)}_{K}, \pi ^{(3)}_{K} $ sharing the same first message which we denote as $ \left\{ \textsf {Comm}_{j}\right\} _{j=1}^\kappa $. In addition, $ \exists j^* \in [\kappa ] $ at where $ h_{i^*}[j^*], h^{(2)}_{i^*}[j^*], h^{(3)}_{i^*}[j^*] $ take three distinct values in $ \{-\bar{p},\dots ,\bar{p} \}$. Now a witness can be extracted from the transcripts $ \pi _{K,d}, \pi ^{(2)}_{K}, \pi ^{(3)}_{K} $ by considering the $ j^* $-th parallel repetition and the special-soundness/extractor of the ZKAoK protocol [35]. We denote this witness as $ (\bar{J}, \bar{\mathbf {k}}, \bar{\mathbf {e}}_{u^*}) $. If $ \bar{\mathbf {e}}_{u^*} = \mathbf {e}_{u^*} $, then $ \mathcal {S}$ aborts. Otherwise, $ \mathcal {S}$ terminates, outputting $ \mathbf {v}:= \bar{\mathbf {e}}_{u^*} - \mathbf {e}_{u^*} \in \{-1,0,1\}^m $ as a $ \textsf {SIS} $ solution.

It then remains to evaluate the probability $\epsilon _3$ that $\mathcal {A}$ succeeds in this last game. We begin by noting that the first and second steps corresponds exactly to the forking algorithm denoted as $ F^{\mathcal {A}} $ in Lemma 3. Therefore, a direct application of this forking lemma implies that the variable $ \textsf {fork} $ reaches the value $ \textsf {fork} =3$ at the beginning of Step 3 with probability at least

$$ \mathsf {frk}:= \epsilon _2 \cdot \left( \Bigl (\frac{\epsilon _2}{Q_H} \Bigr )^2 - \frac{3}{(2\bar{p}+1)^\kappa } \right) . $$

which is non-negligible if $\epsilon _2$ is non-negligible as $ 1/(2\bar{p}+1)^{\kappa } $ is negligible and $ Q_H $ is polynomial. Next, note that $ \mathcal {S}$ extracts a witness $ (\bar{J}, \bar{\mathbf {k}}, \bar{\mathbf {e}}_{u^*}) $ if and only if it does not terminate at, or before the beginning of Step 3. In order to analyse the probability that this occurs, we define three events:

$ \mathsf {GF} $ (“Good fork”): This is the event that $ \textsf {fork} = 3 $ and there exists an index $ j^* \in [\kappa ] $ such that $( h_{i^*}[j^*], h^{(2)}_{i^*}[j^*], h^{(3)}_{i^*}[j^*] )$ is a triple of 3.
$ \mathsf {F} $ (“Any fork”): This is the event that $ \mathsf {fork}=3 $ at the beginning of Step 4.
$ \mathsf {GH} $ (“Good hashes”): This is the event that there is an index $ j^* \in [\kappa ] $ such that $( h_{i^*}[j^*], h^{(2)}_{i^*}[j^*], h^{(3)}_{i^*}[j^*]) $ take 3 distinct values.

It is easy to see that $ \Pr [\overline{\mathsf {GH}}] = ((6 \bar{p}+1)/(2 \bar{p}+1)^2)^{\kappa } $ is negligible and that $ \Pr [\mathsf {F}] = \mathsf {frk}$. We also have

This implies that $ \mathcal {S}$ does not abort at the beginning of Step 3 or before with non-negligible probability

The last step is to evaluate the probability that $ \bar{\mathbf {e}}_{u^*} = \mathbf {e}_{u^*} $, leading $\mathcal {S}$ to abort. Here we rely on our previous observation, namely that the adversary’s view has been independent of $\mathbf {e}_{u^*}$ since and that there is, with overwhelming probability, at least another vector $\bar{\mathbf {e}}_{u^*}\ne \mathbf {e}_{u^*}$ that is a valid secret key for $PK_{\mathcal {U}^*}$. We therefore know that the probability of the event $ \bar{\mathbf {e}}_{u^*} \ne \mathbf {e}_{u^*} $ is at least $ \frac{1}{2} $. In summary, we get the following bound on the probability $\epsilon _3$ that $\mathcal {A}$ succeeds in :

where $\mathsf {frk}$ is defined above. Any adversary $\mathcal {A}$ succeeding with non-negligible probability $\epsilon $ against the exculpability of our scheme can thus be used to solve the SIS problem, distinguish the BLMR PRF from pseudo-random, or break the zero-knowledge property of $\varPi _1$ or $\varPi _2$, which completes the proof. $\square $

7 A More Efficient GGM-based Construction

In Sect. 4, we use the BLMR PRF because it allows for a simpler description of the argument of knowledge, as it only requires one rounding per evaluation. Unfortunately, this comes at the price of a super-polynomial modulus q. We can do better by using a PRF obtained by applying the seminal construction of Goldreich, Goldwasser and Micali [23] to the $\textsf {LWR} $-based PRG of Banerjee et al. [4] for which the $ \textsf {LWE} $-to-$ \textsf {LWR} $ reduction of [2] allows the use of a polynomial modulus. This leads to an e-cash construction with $q=\mathsf {poly}(\lambda )$ which still relies on the hardness of standard worst-case lattice problems. Explicitly, the PRF we have in mind relies on the hardness of the $ \textsf {LWR} _{m,m,q,p} $ problem (which is at least as hard as $ \textsf {LWE} _{m', m,q,\alpha '} $ for $ m' \ge \frac{\log q}{\log (2\gamma ')} m , q \ge \gamma ' m^2 \alpha ' p $ for any $ \gamma ' \ge 1 $ [2]). This PRF uses public parameters $ m,p,q, \mathbf {A}_0, \mathbf {A}_1 \in \mathbb {Z}_q^{m \times m} $ where . The evaluation on seed $ \mathbf {k} \in \mathbb {Z}_q^m $ and input $ x \in \{0,1\}^L $ is

$$\begin{aligned} F_{\mathbf {k}}(x) := \left\lfloor \mathbf {A}_{x_L} \cdot \left\lfloor \dots \dots \left\lfloor \mathbf {A}_{x_2} \cdot \left\lfloor \mathbf {A}_{x_1} \cdot \mathbf {k} \right\rfloor _{p} \right\rfloor _{p} \dots \dots \right\rfloor _{p} \right\rfloor _{p}. \end{aligned}$$

(4)

When replacing the BLMR PRF with the above in our e-cash construction, it is more convenient to keep the parameters m and n as described in Sect. 4. This allows us to reuse our security proofs without any issues. However, in contrast with the BLMR instantiation, we choose polynomially large p and q such that $ q^2 > m^{5/2} p $ in the $ {\textsf {ParGen}}($) phase. In addition, the binary public matrices $ \mathbf {P}_0, \mathbf {P}_1 $ must be replaced by uniformly sampled $ \mathbf {A}_0, \mathbf {A}_1 \in \mathbb {Z}_q^{m \times m} $. In the full version [16], we show that this alternative PRF is compatible with the ZK relation $ \mathcal {R}^* $ considered in [35], as we did for the BLMR PRF in Sect. 5.1. Combining this with the reasoning in Sect. 5.2 allows us to show that the GGM-based PRF is compatible with the ZKAoKs used in $ \mathsf {Spend}$.

7.1 Parameters

We provide in this section some details on the parameters and the complexity of an instantiation of our e-cash system using the GGM-based PRF. Firstly, Theorem 1 states that the security of our construction relies on:

$ \textsf {LWR} _{m,m,q,p} $ (which is at least as hard as $ \textsf {LWE} _{m', m,q,\alpha '} $ for $ m' \ge \frac{\log q}{\log (2\gamma ')} m , q \ge \gamma ' m^2 \alpha ' p $ for any $ \gamma ' \ge 1 $ [2])
$ \textsf {LWE} _{n_{\mathsf {LTF}},m_{\mathsf {LTF}},q_{\mathsf {LTF}},\alpha } $ with $ \alpha =\varTheta \left( \frac{\sqrt{n_{\mathsf {LTF}}}}{q_{\mathsf {LTF}}}\right) , q_{\mathsf {LTF}} = \varTheta (n_{\mathsf {LTF}}^{1+1/\gamma })$ for constant $ \gamma <1 $
$ \textsf {SIS} _{n,m,p,2\sqrt{m}} $
$ \textsf {SIS} _{n,m_s,q_s,\beta '} $ for $ \beta '=\mathcal {O}(\sigma ^2m_s^{1/2}(m_s+\bar{m})) $

and also that we use secure ZKAoKs. Since all moduli will be polynomial, we may safely assume that there is a parameter setting such that the argument system of Yang et al. is a ZKAoK. Additionally, our proof of the clearing property requires use of a signature scheme. Note that we can use the signature scheme of [22] so that the arising assumption is made redundant by the final item listed above. Recall that for our zero-knowledge proofs, we require that $ q_s, q_{\mathsf {LTF}} $ and p all divide the prime power q. In order to achieve this, we now set $ q=q_0^e $ where $ q_0 $ is prime and $ e>1 $ is a constant integer. Since all moduli are polynomial, we may take $ n_{\mathsf {LTF}} = \varTheta (m) = \varTheta (n \log q) = \tilde{\mathcal {O}}(n) $. Additionally, $ m, \bar{m}, m_s, m_{\mathsf {LTF}}, \bar{n}_{\mathsf {LTF}} $ and $ n' $ are all $ \tilde{\mathcal {O}}(n) $. Note that we will take $ \gamma '=1 $ in the $ \textsf {LWE} $-to-$ \textsf {LWR} $ reduction result stated above and $ \gamma =1/2 $. To comply with hardness results relating standard worst-case lattice problems to $ \textsf {SIS} $ [22, 29] and $ \textsf {LWE} $ [10, 31], we require:

$$\begin{aligned} q^2/p = \tilde{\varOmega }(n^{5/2}) ~~\quad q_{\mathsf {LTF}} = \tilde{\varTheta }(n^{3}) ~~\quad p=\tilde{\varOmega }(n) ~~\quad q_s=\tilde{\varOmega }(\sigma ^2n^{2})=\tilde{\varOmega }(n^{3}). \end{aligned}$$

Therefore, to base security on worst-case lattice problems, we may take $ n,m,n_{\mathsf {LTF}}, \bar{n}_{\mathsf {LTF}} ,m_{\mathsf {LTF}},m_s$ all , and . Additional details on the communication costs are provided in the full version of this work.

Notes

1.
https://avpsolutions.com/blog/payment-cards-now-set-to-surpass-cash/.
2.
Any EUF-CMA secure scheme $ \varSigma $ can be selected here.
3.
Technically, we should add a CRS to $ \mathsf {par}$ but we leave this implicit for simplicity.

References

Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
Chapter MATH Google Scholar
Alwen, J., Krenn, S., Pietrzak, K., Wichs, D.: Learning with rounding, revisited. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 57–74. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_4
Chapter Google Scholar
Banerjee, A., Peikert, C.: New and improved key-homomorphic pseudorandom functions. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 353–370. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_20
Chapter Google Scholar
Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_42
Chapter Google Scholar
Baum, C., Damgård, I., Lyubashevsky, V., Oechsner, S., Peikert, C.: More efficient commitments from structured lattice assumptions. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 368–385. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_20
Chapter Google Scholar
Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: Compact E-cash and simulatable VRFs revisited. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 114–131. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03298-1_9
Chapter Google Scholar
Boneh, D., Lewi, K., Montgomery, H., Raghunathan, A.: Key homomorphic PRFs and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 410–428. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_23
Chapter Google Scholar
Bootle, J., Lyubashevsky, V., Seiler, G.: Algebraic techniques for short(er) exact lattice-based zero-knowledge proofs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 176–202. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_7
Chapter Google Scholar
Bourse, F., Pointcheval, D., Sanders, O.: Divisible E-cash from constrained pseudo-random functions. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 679–708. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_24
Chapter Google Scholar
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: On the classical hardness of learning with errors. In: STOC (2013)
Google Scholar
Camenisch, J., Hohenberger, S., Lysyanskaya, A.: Compact E-cash. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 302–321. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_18
Chapter Google Scholar
Canard, S., Pointcheval, D., Sanders, O., Traoré, J.: Divisible E-cash made practical. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 77–100. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_4
Chapter Google Scholar
Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 199–203. Springer, Boston, MA (1983). https://doi.org/10.1007/978-1-4757-0602-4_18
Chapter Google Scholar
Damgård, I.: Efficient concurrent zero-knowledge in the auxiliary string model. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 418–430. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_30
Chapter Google Scholar
Observatoire de l’épargne réglementée. Rapport annuel (2013). https://www.banque-france.fr/sites/default/files/medias/documents/observatoire-de-l-epargne-reglementee-rapport_2013.pdf
Deo, A., Libert, B., Nguyen, K., Sanders, O.: Lattice-based E-cash, revisited (full version). IACR Cryptology ePrint Archive 2020/614 (2020)
Google Scholar
Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: SIAM (2008)
Google Scholar
El Kaafarani, A., Katsumata, S.: Attribute-based signatures for unbounded circuits in the ROM and efficient instantiations from lattices. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10770, pp. 89–119. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5_4
Chapter Google Scholar
Esgin, M.F., Zhao, R.K., Steinfeld, R., Liu, J.K., Liu, D.: MatRiCT: efficient, scalable and post-quantum blockchain confidential transactions protocol. In: ACM CCS (2019)
Google Scholar
Farshim, P., Orlandi, C., Rosie, R.: Security of symmetric primitives under incorrect usage of keys. In: ToSC (2017)
Google Scholar
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Chapter Google Scholar
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC (2008)
Google Scholar
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. In: FOCS (1984)
Google Scholar
Kim, S., Wu, D.J.: Watermarking cryptographic functionalities from standard lattice assumptions. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 503–536. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_17
Chapter Google Scholar
Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 373–403. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_13
Chapter Google Scholar
Libert, B., Ling, S., Nguyen, K., Wang, H.: Zero-knowledge arguments for lattice-based PRFs and applications to E-cash. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 304–335. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_11
Chapter Google Scholar
Lyubashevsky, V.: Lattice-based identification schemes secure under active attacks. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 162–179. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78440-1_10
Chapter Google Scholar
Mastercard: Transaction processing rules (2019). https://www.mastercard.us/content/dam/mccom/global/documents/transaction-processing-rules.pdf
Micciancio, D., Peikert, C.: Hardness of SIS and LWE with small parameters. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 21–39. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_2
Chapter Google Scholar
Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: STOC (2008)
Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC (2005)
Google Scholar
Ron, D., Shamir, A.: Quantitative analysis of the full bitcoin transaction graph. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 6–24. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_2
Chapter Google Scholar
Visa: Transaction acceptance device guide (2016). https://www.visa.com.pe/dam/VCOM/regional/na/us/partner-with-us/documents/transaction-acceptance-device-guide-tadg.pdf
Wee, H.: Dual projective hashing and its applications—lossy trapdoor functions and more. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 246–262. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_16
Chapter Google Scholar
Yang, R., Au, M.H., Zhang, Z., Xu, Q., Yu, Z., Whyte, W.: Efficient lattice-based zero-knowledge arguments with standard soundness: construction and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 147–175. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_6
Chapter Google Scholar

Download references

Acknowledgements

This work is supported by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701) and also partly funded by BPI-France in the context of the national project RISQ (P141580). Khoa Nguyen is supported in part by the Gopalakrishnan - NTU PPF 2018, by A*STAR, Singapore under research grant SERC A19E3b0099, and by Vietnam National University HoChiMinh City (VNU-HCM) under grant number NCM2019-18-01.

Author information

Authors and Affiliations

ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENSL, Inria, UCBL), Lyon, France
Amit Deo & Benoît Libert
CNRS, Laboratoire LIP, Lyon, France
Benoît Libert
Inria, Lyon, France
Amit Deo
School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, Singapore
Khoa Nguyen
Orange Labs, Applied Crypto Group, Cesson-Sévigné, France
Olivier Sanders

Authors

Amit Deo
View author publications
You can also search for this author in PubMed Google Scholar
Benoît Libert
View author publications
You can also search for this author in PubMed Google Scholar
Khoa Nguyen
View author publications
You can also search for this author in PubMed Google Scholar
Olivier Sanders
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Olivier Sanders .

Editor information

Editors and Affiliations

Network Security Research Institute (NICT), Tokyo, Japan
Shiho Moriai
Nanyang Technological University, Singapore, Singapore
Huaxiong Wang

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Deo, A., Libert, B., Nguyen, K., Sanders, O. (2020). Lattice-Based E-Cash, Revisited. In: Moriai, S., Wang, H. (eds) Advances in Cryptology – ASIACRYPT 2020. ASIACRYPT 2020. Lecture Notes in Computer Science(), vol 12492. Springer, Cham. https://doi.org/10.1007/978-3-030-64834-3_11

Download citation

DOI: https://doi.org/10.1007/978-3-030-64834-3_11
Published: 05 December 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64833-6
Online ISBN: 978-3-030-64834-3
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Abstract

1 Introduction

2 Preliminaries

2.1 Lattice Preliminaries

Definition 1

Definition 2

2.2 Lossy Trapdoor Functions

Definition 3

Lemma 1

Lemma 2

2.3 Witness Extraction and Forking Lemma

Lemma 3

2.4 E-Cash Security Definitions

Definition 4

Definition 5

Definition 6

Definition 7

3 Intuition

4 Construction

5 Zero-Knowledge Arguments with Soundness Error \(1/\mathsf {poly}(\lambda )\) in Standard Lattices

5.1 Zero-Knowledge Arguments for the BLMR PRF

5.2 Zero-Knowledge Arguments for the \( \mathsf {Spend}\) Protocol

Remark 1

6 Security Proofs

Theorem 1

Lemma 4

Proof

Lemma 5

Proof

7 A More Efficient GGM-based Construction

7.1 Parameters

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation