A faster single-term divisible electronic cash: ZCash

摘要

This paper presented a new unlinkable, single-term divisible electronic cash scheme, whose name is ZCash. This scheme overcomes the problems of previous schemes through its greater efficiency and the unlinkability of every cash it generates. Compared with Okamoto’s scheme [Advances in Cryptology—Crypto ’95, Springer, New York, 1995: 438–451] and Chan’s scheme [Advances in Cryptology—Eurocrypt ’98, Springer, New York, 1998: 561–575] (the two best known E-cash schemes), ZCash achieve higher efficiency by not using range-bounded commitment schemes. In addition, to prove the correctness of the blind candidate, we use some simple zero-knowledge protocols instead of the Account Opening protocol and Electronic License. By using the indirect disclosure proof in the payment protocol, ZCash realizes revocable anonymity, which allows a trustee to trace the owner of the E-cash according to its payment transcript. ZCash is the first E-cash scheme which realizes both divisibility and revocable anonymity.