The research on off-line electronic cash(e-cash) schemes has drawn much attention since Chaum $\emph{etc}$ [8]. presented the first off-line anonymous electronic cash scheme in 1988. However, anonymous electronic cash schemes also facilitate fraud and criminal activities [32], such as money laundering, blackmailing and illegal purchases. Frankel $\emph{etc}$ [13]. first introduces the concept of fair electronic cash scheme in 1996, fair off-line e-cash (FOLC) schemes extend off-line anonymous electronic cash scheme to allow a qualified trust third party(TTP) to revoke the anonymity of the user under a warrant. The research on FOLC scheme has been one of the hottest topics on electronic cash since then.
In this thesis, we propose two off-line fair E-cash schemes: a fair e-cash protocol with the limited power of TTP and a fair e-cash system without TTP.
We first present a fair e-cash scheme with the limited power of TTP, which is normally used in several fair e-cash systems in order to conduct tracing mechanism. Generally user should send his withdrawal information to TTP before he withdraws the money from bank. In our protocol, bank first gives the signature on user's coin by using the blind signature protocol. After TTP verifies the validity of the e-coin, and ensures that each dubious coin and user can be traced if required. He gives his signature in the e-coin, which means he has the traceability on each e-cash during tracing protocol. So there are two signatures on a coin: The signature of the bank ensures that no entity is able to forge a coin, and the signature of the TTP ensures that each dubious user and coin can be traced with the cooperation of bank. We make the interaction between user and TTP after the withdrawal protocol, then TTP only knows information about coin. In this protocol TTP can't trace user's identity by himself. Even if he has the coin of user, there is not linkage to user's identity. and in case of coin tracing, since coin is provided by user anonymously, without bank or user's help, TTP can't distinguish which coin will be illegal. The tracing mechanism only can be carried out under the cooperation of bank's. The misuse of tracing mechanism of TTP can be prevented.
In our second e-cash system, an ID-based distributed "magic ink" signature is introduced to build a fair e-cash system without TTP. ID-based signature simplifies the certification of public key of bank, the bilinear pairings used to construct ID-based signature also reduces the size of public keys of signers. The fairness of our e-cash system is satisfied by the distributed "magic ink" signature, which gives the user a blind signature on his coin during withdrawal protocol to protect user's privacy, and detects any prefect crimes later. The tracing mechanism can be implemented without the help of TTP, in case of the tracing information are distributed by a set of signers of the bank through a (n, n) threshold secret sharing, only under the cooperation of n signers of bank the tracing protocol can achieve. The bank's tracing ability is well controlled. The additional computation and communications of TTP are omitted, the misbehavior of tracing, which is undesired by the user and the bank are prevented.
The security analysis and comparisons of our protocols are also discussed.