Question regarding common modulus on elliptic curve cryptosystems AND E-CASH

Sergio Lerner sergiolerner at
Mon Mar 22 11:09:16 EDT 2010

I've read some papers, not that much. But I don't mind reinventing the 
wheel, as long as the new protocol is simpler to explain.
Reading the literature, I couldn't find an e-cash protocol which:

- Hides the destination / source of payments.
- Hides the amount of money transferred.
- Hides the account balance of each person from the bank.
- Allows off-line payments.
- Avoids giving the same "bill" to two different people by design. This 
means that the protocol does not need to detect the use of cloned "bills".
- Gives each person a cryptographic proof of owning the money they have 
in case of dispute.

If someone points me to a protocol that manages to fulfill these 
requirements, I'd be delighted.
I think I can do it with a commutative signing primitive, and a special 
zero-proof of knowledge.

  Sergio Lerner.

On 22/03/2010 10:25 a.m., Jonathan Katz wrote:
> That paper was from 1980. A few things have changed since then. =)
> In any case, my point still stands: what you actually want is some 
> e-cash system with some special properties. Commutative encryption is 
> neither necessary nor (probably) sufficient for what you want. Have 
> you at least looked at the literature (which must be well over 100 
> papers) on e-cash?
> On Mon, 22 Mar 2010, Sergio Lerner wrote:
>> Commutativity is a beautiful and powerful property. See "On the power 
>> of Commutativity in Cryptography" by Adi Shamir.
>> Semantic security is great and has given a new provable sense of 
>> security, but commutative building blocks can be combined to build 
>> the strangest protocols without going into deep mathematics, are 
>> better suited for teaching crypto and for high-level protocol design. 
>> They are like the "Lego" blocks of cryptography!
>> Now I'm working on a new untraceable e-cash protocol which has some 
>> additional properties. And I'm searching for a secure commutable 
>> signing primitive.
>> Best regards,
>> Sergio Lerner.
>> On 22/03/2010 09:56 a.m., Jonathan Katz wrote:
>>> Sounds like a bad idea -- at a minimum, your encryption will be 
>>> deterministic.
>>> What are you actually trying to achieve? Usually once you understand 
>>> that, you can find a protocol solving your problem already in the 
>>> crypto literature.
>>> On Sun, 21 Mar 2010, Sergio Lerner wrote:
>>>> I'm looking for a public-key cryptosystem that allows commutation of 
>>>> the operations of encryption/decryption for different users' keys
>>>> ( Ek(Es(m)) = Es(Ek(m)) ).
>>>> I haven't found a simple cryptosystem in Zp or Z/nZ.
>>>> I think the solution may be something like the RSA analogs in 
>>>> elliptic curves. Maybe a scheme that allows the use of a common 
>>>> modulus for all users (RSA does not).
>>>> I've read about some factoring-based cryptosystems (like Meyer-Muller 
>>>> or Koyama-Maurer-Okamoto-Vanstone) but the cryptosystem authors say 
>>>> nothing about the possibility of using a common modulus, neither 
>>>> for good nor for bad.
>>>> Does anyone have deeper knowledge of this crypto to help me?
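
The property asked for in the oldest quoted message, Ek(Es(m)) = Es(Ek(m)), and the determinism objection raised in reply, shown with the Pohlig-Hellman/SRA exponentiation cipher over one prime modulus shared by all users. This is an added example, not code from the thread: the cipher is secret-key rather than the public-key system requested, and the modulus, function names and sample message are assumptions chosen for the illustration.

```python
import math
import secrets

# Public prime shared by every user (constructed choice: the Mersenne prime 2^127 - 1).
P = 2**127 - 1

def keygen(p=P):
    """Secret exponent pair (e, d) with e*d = 1 (mod p-1)."""
    while True:
        e = secrets.randbelow(p - 3) + 2          # 2 <= e <= p-2
        if math.gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)           # modular inverse, Python 3.8+

def encrypt(e, m, p=P):
    """c = m^e mod p. No randomness: the same (e, m) always gives the same c."""
    if not 1 < m < p - 1:
        raise ValueError("message must lie in 2..p-2")
    return pow(m, e, p)

def decrypt(d, c, p=P):
    """m = c^d mod p, undoing one layer applied with the matching e."""
    return pow(c, d, p)

def demo():
    ek, dk = keygen()                              # user k
    es, ds = keygen()                              # user s
    m = int.from_bytes(b"coin #42", "big")         # constructed sample message
    ks = encrypt(ek, encrypt(es, m))               # Ek(Es(m))
    sk = encrypt(es, encrypt(ek, m))               # Es(Ek(m))
    return {
        "commutes": ks == sk,
        # The two layers come off in either order.
        "strip_k_then_s": decrypt(ds, decrypt(dk, ks)) == m,
        "strip_s_then_k": decrypt(dk, decrypt(ds, ks)) == m,
        # Determinism: equal plaintexts show up as equal ciphertexts.
        "repeat_visible": encrypt(ek, m) == encrypt(ek, m),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
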