Private eCash in Practice (Short Paper)

Most electronic payment systems for applications, such as eTicketing and eToll, involve a single entity acting as both merchant and bank. In this paper, we propose an efficient privacy-preserving post-payment eCash system suitable for this particular use case that we refer to, afterwards, as private eCash. To this end, we introduce a new partially blind signature scheme based on a recent Algebraic MAC scheme due to Chase et al. Unlike previous constructions, it allows multiple presentations of the same signature in an unlinkable way. Using it, our system is the first versatile private eCash system where users must only hold a sole reusable token (i.e. a reusable coin spendable to a unique merchant). It also enables identity and token revocations as well as flexible payments. Indeed, our payment tokens are updated in a partially blinded way to collect refunds without invading user's privacy. By implementing it on a Global Platform compliant SIM card, we show its efficiency and suitability for real-world use cases, even for delay-sensitive applications and on constrained devices as a transaction can be performed in only 205 ms.