| Summary: | This paper describes an extension of the Brands protocol to incorporate flexibly-divisible k-term Coins via application of Shamir polynomial parameterisation and Feldman-Pedersen zero-knowledge (ZK) verification. User anonymity is preserved for up to k sub-Coin Payments per k-term Coin, but revoked for over-Payments with (k+1) or more sub-Coins. Poly-cash construction using only discrete logarithm (DL) or elliptic curve (EC) operations enables efficient implementation in terms of the latter, which constitutes an advantage over previous divisible Coin formulations based on quadratic residue (QR) binary-trees, integer factorisation (IF) cryptography or hybrid DL/IF. Comparative analysis of Poly-cash and previous protocols illustrates the advantages of the former for operationally realistic Coin sub-denominations. The advantage of Poly-cash in terms of computational overhead is particularly significant, and facilitates implementation on lightweight User Purses and Merchant Payment-terminals. Configurable k-divisibility is also an important consideration for real-world applicability with decimal currency denominations, which is not well addressed by the binarised values of QR-tree divisible Coins.
|