Recently, there has been an interest in making electronic cash protocols more practical for electronic commerce by developing e-cash which is divisible (e.g., a coin which can be spent incrementally but total purchases are limited to the monetary value of the coin) [DC94, EO94, OO92, Pai93, Oka95]. In Crypto'95, T. Okamoto presented the first practical divisible, untraceable, off-line e-cash scheme, which requires only O(log N) computations for each of the withdrawal, payment and deposit procedures, where N = (total coin value)/(smallest divisible unit). However, Okamoto's set-up procedure is quite inefficient (on the order of 4000 "multi-exponentiations" and depending on the size of the RSA modulus). We formalize the notion of "range-bounded commitment," originally used in Okamoto's account establishment protocol, and present a very efficient instantiation which allows us to construct the first truly efficient divisible e-cash system. Our scheme only requires the equivalent of one (1) exponentiation for set-up, less than two (2) exponentiations for withdrawal and around 20 for payment, while the size of our coin remains about 300 Bytes. Hence, our withdrawal protocol is 3 orders of magnitude faster than Okamoto's, while the rest of our system remains equally efficient, allowing for implementation in smart-cards. Similar to Okamoto's, our scheme is based on proofs whose cryptographic security assumptions are theoretically clarified.
Abstract: Recent research results on tree-based Oblivious RAM by Shi et al. [15] obtain communication complexity of O(l · log^3(N)) in the worst case for an N-capacity storage with block size l. The individual nodes in the tree, however, are constructed using traditional ORAMs which have worst-case communication complexity linear in their capacity and block size. PIR protocols are able to provide better worst-case bounds (decoupling capacity from block size), but have traditionally been less practical than ORAM due to the fact that they require O(N) computational complexity on the server. This paper presents Path-PIR, a hybrid ORAM construction, using techniques from PIR, that overcomes the individual weaknesses of each. Path-PIR significantly reduces communication complexity when the block size of the ORAM is large. Compared to existing work, this leads to smaller data transfer costs by orders of magnitude for practical-sized databases and achieves worst-case communication complexity of O(l · log^2(N)) for large block sizes. Additionally, the typically high computational cost of PIR is negated by the tree structure of the ORAM, which requires only a small fraction of the database to be operated on for each query. We also investigate the concept of an ORAM's latency, which is the amount of communication required before users receive the result of their query. We show that Path-PIR achieves lower latency than any existing scheme, only about four times the block size. Using Amazon EC2 as an example, we demonstrate that even with the additional cost of PIR computation, Path-PIR provides a significant monetary saving compared to related work.