pith. sign in

arxiv: 2604.10380 · v1 · submitted 2026-04-11 · 💻 cs.CR

Automatic Teller Machines for Offline E-cash

Anrin Chakraborti , Qingzhao Zhang , Jingjia Peng , Morley Mao , Michael K. Reiter This is my paper

Pith reviewed 2026-05-10 15:11 UTC · model grok-4.3

classification 💻 cs.CR
keywords e-cashoffline paymentsbearer tokensanonymityunforgeabilityATMsmulti-issuer schemescryptographic vouchers
0
0 comments X

The pith

A new cryptographic bearer token lets ATMs dispense coins in fully offline e-cash schemes.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper designs a bearer token that ATMs can issue without a live connection to the central bank for withdrawals. This token is meant to keep the anonymity, unforgeability, and untraceability properties of standard e-cash even when the bank is unreachable. Users would be able to withdraw digital coins at any ATM and spend them later without their activities or withdrawal locations being linked back to them. The approach formalizes requirements for e-cash with multiple issuers and builds an efficient construction on an existing compact protocol. If the design works, it removes the bank from the critical path during withdrawals while still preventing forgery and tracking.

Core claim

We propose the design of a new cryptographic bearer token that can be dispensed by automatic teller machines (ATM) in a fully offline e-cash scheme. Such bearer tokens provide anonymity, unforgeability and untraceability, i.e., users cannot be tracked by their spending activities or the locations of withdrawal. We formalize the requirements of an e-cash scheme with multiple issuers and propose an efficient design building on top of the compact e-cash protocol of Camenisch et al. Our construction leverages an unforgeable and doubly-anonymous voucher that allows a one-time transfer of coins between an ATM and a user, while hiding their identities from parties not involved in the transaction.

What carries the argument

The unforgeable and doubly-anonymous voucher, which performs a one-time transfer of coins from ATM to user while concealing both parties' identities from outsiders.

If this is right

  • Withdrawals become possible during temporary loss of bank connectivity.
  • Multiple independent ATMs can act as coin issuers without compromising the scheme's security.
  • Spending remains unlinkable to withdrawal events or locations.
  • The overall e-cash system gains a decentralized withdrawal layer while inheriting the base protocol's protections.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The multi-issuer model could support hybrid networks mixing bank and ATM dispensers for broader coverage.
  • Untraceability across withdrawal points would require careful handling of any shared metadata between ATMs.
  • Real deployment would need to verify that the one-time voucher transfer resists network-level observation.

Load-bearing premise

The new voucher construction correctly extends the compact e-cash protocol while preserving its security properties and achieving unforgeability plus the stated anonymity and untraceability guarantees.

What would settle it

An adversary who forges a valid voucher that passes verification, or a successful trace linking a spent coin back to a specific ATM withdrawal location and user.

Figures

Figures reproduced from arXiv: 2604.10380 by Anrin Chakraborti, Jingjia Peng, Michael K. Reiter, Morley Mao, Qingzhao Zhang.

Figure 1
Figure 1. Figure 1: A description of the parties and operations in a multi-issuer e-cash scheme. [PITH_FULL_IMAGE:figures/full_fig_p003_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Formal interfaces in a multi-issuer e-cash scheme. Each withdrawal from [PITH_FULL_IMAGE:figures/full_fig_p012_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: πnc: Coin requests by ATM requested by the ATM before using the ReqCoin interface, where the user acts as the merchant. The transaction record becomes the voucher. In more details, the user commits to its identity private key in P, and proves in zero-knowledge that is has previously obtained a signature from the bank on the key (Steps 1–2). After verifying the signature and ensuring that the user has enoug… view at source ↗
Figure 4
Figure 4. Figure 4: πnc: Withdrawing a coin user’s identity. This is violated only if the user can open the commitment to multiple value, or modify the tokens in the voucher and forge a NIZK proof 20 [PITH_FULL_IMAGE:figures/full_fig_p020_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: πnc: Spending a coin without the witnesses, i.e., the PRF keys committed to in A, B by the ATM. Both these cases should happen with only negligible probability. Fair exchange of coins The ISSUERECEIPT interface is invoked by the user when receiving a coin from ATM j to produce a receipt. However, to ensure an optimistic fair exchange, we follow a three-step process. First, the ATM commits to the coin by co… view at source ↗
Figure 6
Figure 6. Figure 6: πnc: Verifying transactions 4 Description of Protocol with Compactness [PITH_FULL_IMAGE:figures/full_fig_p023_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: πcomp: Withdrawing a coin private key for a verifiable random function family (VRF) [29], for which the bank (and its ATMs) holds the corresponding public key, then an ATM can permit coin withdrawal by this user only if the user’s VRF, applied to the current beacon value, designates this ATM as the one at which the user is currently eligible to withdraw. In this way, the user will be rate-limited to withdr… view at source ↗
Figure 8
Figure 8. Figure 8: πcomp: Spending a coin 6 Microbenchmark We implemented our e-cash scheme with blind signatures on a 2048-bit RSA group, blind signature with proofs of knowledge on the elliptic curve BLS12_381 (CL signature [13]), and non-interactive zero-knowledge proofs of knowledge on a 2048-bit RSA groups. BLS12_381 is a pairing-friendly elliptic curve providing 128-bit security, widely adopted in blockchain applicatio… view at source ↗
Figure 9
Figure 9. Figure 9: Computation overhead of cryptographic functions. bit RSA public key system. All cryptographic functions utilized are standardized and recognized for their security. In terms of implementation details, the scheme is implemented in 1,694 lines of C++. The CL signature [13] and pseudorandom functions (PRFs) [20] are implemented using the MIRACL library [40], the NIZK is implemented on ZKPDL [28], while the ot… view at source ↗
read the original abstract

Electronic cash (e-cash) is a digital alternative to physical currency that allows anonymous transactions between users and merchants. Typically, coins in an e-cash scheme are only dispensed through a central bank. A drawback of this approach is that the bank is always on the critical path during withdrawals, and if a reliable connection to the bank is temporarily unavailable, users may be unable to withdraw coins in a timely fashion. As with physical currency, there are benefits to supporting a decentralized infrastructure where withdrawals can be performed without involving the bank in the critical path. We propose the design of a new cryptographic bearer token that can be dispensed by automatic teller machines (ATM) in a fully offline e-cash scheme. Such bearer tokens provide anonymity, unforgeability and untraceability, i.e., users cannot be tracked by their spending activities or the locations of withdrawal. We formalize the requirements of an e-cash scheme with multiple issuers and propose an efficient design building on top of the compact e-cash protocol of Camenisch et al. (EUROCRYPT 2005). Our construction leverages an unforgeable and doubly-anonymous voucher that allows a one-time transfer of coins between an ATM and a user, while hiding their identities from parties not involved in the transaction.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 0 minor

Summary. The paper proposes a cryptographic bearer token for fully offline e-cash schemes that can be dispensed by ATMs without involving the central bank in the critical path. It formalizes requirements for e-cash with multiple issuers and presents an efficient construction extending the compact e-cash protocol of Camenisch et al. (EUROCRYPT 2005) via an unforgeable, doubly-anonymous voucher that enables one-time coin transfers while hiding identities and providing anonymity, unforgeability, and untraceability.

Significance. If the construction correctly extends the base protocol while preserving its security properties, the result would enable decentralized withdrawals in e-cash systems, improving availability when bank connectivity is unavailable. This addresses a practical limitation of centralized e-cash and could support more resilient digital currency infrastructures with strong privacy guarantees.

major comments (1)
  1. [Abstract] Abstract: The manuscript asserts an efficient design that meets the listed security properties and correctly extends Camenisch et al. (EUROCRYPT 2005) while preserving anonymity, unforgeability, and untraceability, but supplies no formal security definitions, proof sketches, security reductions, or performance analysis to support the central claim.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for their constructive feedback and positive evaluation of the work's significance. We address the major comment below and will revise the manuscript accordingly to strengthen its rigor.

read point-by-point responses

  1. Referee: [Abstract] Abstract: The manuscript asserts an efficient design that meets the listed security properties and correctly extends Camenisch et al. (EUROCRYPT 2005) while preserving anonymity, unforgeability, and untraceability, but supplies no formal security definitions, proof sketches, security reductions, or performance analysis to support the central claim.

    Authors: We acknowledge that the current version presents the construction at a high level with informal security arguments and does not include formal definitions, proof sketches, reductions, or performance analysis. In the revised manuscript we will add a formal security model section defining anonymity, unforgeability, and untraceability for the multi-issuer setting; a proof sketch reducing the security of the voucher-based extension to the underlying Camenisch et al. (EUROCRYPT 2005) assumptions; and a performance section with asymptotic complexity and concrete operation counts relative to the base protocol. These additions will directly support the abstract claims. revision: yes

Circularity Check

0 steps flagged

No significant circularity

full rationale

The paper's central contribution is a high-level design extending the independently published Camenisch et al. (EUROCRYPT 2005) compact e-cash protocol to support multiple offline issuers via a doubly-anonymous voucher. No equations, definitions, or claims in the provided abstract and description reduce any derived property to a fitted parameter, self-citation chain, or ansatz internal to the present work. The security preservation argument is stated as an extension of an external result rather than a self-referential construction. The derivation chain therefore remains self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 2 invented entities

The central claim rests on the security of a prior protocol plus the correctness of two new cryptographic objects whose details are not supplied in the abstract.

axioms (1)
  • domain assumption The compact e-cash protocol of Camenisch et al. (EUROCRYPT 2005) is secure and can be safely extended to support offline ATM dispensing while preserving anonymity, unforgeability, and untraceability.
    The abstract states that the new design builds directly on top of this protocol.
invented entities (2)
  • Cryptographic bearer token no independent evidence
    purpose: Token that ATMs can dispense offline to enable e-cash withdrawals
    New primitive introduced to achieve the offline property.
  • Doubly-anonymous voucher no independent evidence
    purpose: One-time transfer mechanism that hides identities of both ATM and user
    Invented to realize the anonymous coin transfer step.

pith-pipeline@v0.9.0 · 5524 in / 1568 out tokens · 95014 ms · 2026-05-10T15:11:13.771647+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

40 extracted references · 40 canonical work pages

  1. [1]

    Atm malware,

    “Atm malware,” https://www .cyber.nj.gov/threat-landscape/malware/atm- malware

    work page

  2. [2]

    Optimistic protocols for fair exchange,

    N. Asokan, M. Schunter, and M. Waidner, “Optimistic protocols for fair exchange,” in ACM Conference on Computer and Communications Security, 1997, pp. 7–17

    work page 1997

  3. [3]

    Optimistic fair exchange of digital signa- tures,

    N. Asokan, V. Shoup, and M. Waidner, “Optimistic fair exchange of digital signa- tures,” inAdvances in Cryptology – EUROCRYPT. Springer, 1998, pp. 591–606

    work page 1998

  4. [4]

    Anonymous transfer- able e-cash,

    F. Baldimtsi, M. Chase, G. Fuchsbauer, and M. Kohlweiss, “Anonymous transfer- able e-cash,” inPublic Key Cryptography — PKC. Springer, 2015, pp. 101–124

    work page 2015

  5. [5]

    Pairing-friendly elliptic curves of prime order,

    P. S. Barreto and M. Naehrig, “Pairing-friendly elliptic curves of prime order,” in Workshop on Selected Areas in Cryptography. Springer, 2005, pp. 319–331

    work page 2005

  6. [6]

    Transferable e-cash: A cleaner model and the first practical instantiation,

    B. Bauer, G. Fuchsbauer, and C. Qian, “Transferable e-cash: A cleaner model and the first practical instantiation,” inPublic Key Cryptography — PKC. Springer, 2021, pp. 559–590

    work page 2021

  7. [7]

    Random oracles are practical: A paradigm for design- ing efficient protocols,

    M. Bellare and P. Rogaway, “Random oracles are practical: A paradigm for design- ing efficient protocols,” in1st ACM Conference on Computer and Communications Security, Nov. 1993

    work page 1993

  8. [8]

    Relations among notions of securityforpublic-keyencryptionschemes,

    M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, “Relations among notions of securityforpublic-keyencryptionschemes,” inAdvances in Cryptology – CRYPTO 1998, ser. Lecture Notes in Computer Science, vol. 1462, Aug. 1998

    work page 1998

  9. [9]

    Code-based game-playing proofs and the security of triple encryption,

    M. Bellare and P. Rogaway, “Code-based game-playing proofs and the security of triple encryption,” 2004

    work page 2004

  10. [10]

    Untraceable off-line cash in wallet with observers,

    S. Brands, “Untraceable off-line cash in wallet with observers,” inAdvances in Cryptology – CRYPTO. Springer, 1994, pp. 302–318

    work page 1994

  11. [11]

    Value exchange systems enabling security and unob- servability,

    H. Bürk and A. Pfitzmann, “Value exchange systems enabling security and unob- servability,”Computers & Security, vol. 9, no. 8, pp. 715–721, 1990

    work page 1990

  12. [12]

    A signature scheme with efficient protocols,

    J. Camenisch and A. Lysyanskaya, “A signature scheme with efficient protocols,” in International Conference on Security in Communication Networks. Springer, 2003, pp. 268–289

    work page 2003

  13. [13]

    Signature schemes and anonymous credentials from bilinear maps,

    ——, “Signature schemes and anonymous credentials from bilinear maps,” inAn- nual international cryptology conference. Springer, 2004, pp. 56–72

    work page 2004

  14. [14]

    Compact e-cash,

    J. Camenisch, S. Hohenberger, and A. Lysyanskaya, “Compact e-cash,” inAn- nual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 2005, pp. 302–321

    work page 2005

  15. [15]

    Endorsed e-cash,

    J. Camenisch, A. Lysyanskaya, and M. Meyerovich, “Endorsed e-cash,” inIEEE Security and Privacy. IEEE, 2007, pp. 101–115

    work page 2007

  16. [16]

    Anonymity in transferable e-cash,

    S. Canard and A. Gouget, “Anonymity in transferable e-cash,” inInternational Conference on Applied Cryptography and Network Security. Springer, 2008, pp. 207–223

    work page 2008

  17. [17]

    Divisible e-cash made practical,

    S. Canard, D. Pointcheval, O. Sanders, and J. Traoré, “Divisible e-cash made practical,” inPublic Key Cryptography — PKC. Springer, 2015, pp. 77–100

    work page 2015

  18. [18]

    Blindsignaturesforuntraceablepayments,

    D.Chaum,“Blindsignaturesforuntraceablepayments,” inAdvances in Cryptology – CRYPTO ’82. Springer, 1983

    work page 1983

  19. [19]

    Untraceable electronic cash,

    D. Chaum, A. Fiat, and M. Naor, “Untraceable electronic cash,” inAdvances in Cryptology – CRYPTO ’88, ser. Lecture Notes in Computer Science, vol. 403. Springer-Verlag, 1990

    work page 1990

  20. [20]

    A verifiable random function with short proofs and keys,

    Y. Dodis and A. Yampolskiy, “A verifiable random function with short proofs and keys,” inInternational Workshop on Public Key Cryptography. Springer, 2005, pp. 416–431

    work page 2005

  21. [21]

    Ethereum official website,

    Ethereum, “Ethereum official website,” https://ethereum.org/en/, 2024, accessed: 2024-06-02

    work page 2024

  22. [22]

    OpenSSL: The open source toolkit for SSL/TLS,

    O. S. Foundation, “OpenSSL: The open source toolkit for SSL/TLS,” 2024. [Online]. Available: https://www.openssl.org/

    work page 2024

  23. [23]

    Efficientnon-interactiveproofsystemsforbilineargroups,

    J.GrothandA.Sahai,“Efficientnon-interactiveproofsystemsforbilineargroups,” in Advances in Cryptology – EUROCRYPT. Springer, 2008, pp. 415–432

    work page 2008

  24. [24]

    A reference for randomness beacons: Format and protocol version 2,

    J. Kelsey, L. T. Brandão, R. Peralta, and H. Booth, “A reference for randomness beacons: Format and protocol version 2,” National Institute of Standards and Technology, Tech. Rep., 2019

    work page 2019

  25. [25]

    Crlite: A scalable system for pushing all tls revocations to all browsers,

    J. Larisch, D. Choffnes, D. Levin, B. M. Maggs, A. Mislove, and C. Wilson, “Crlite: A scalable system for pushing all tls revocations to all browsers,” inIEEE Security and Privacy. IEEE, 2017, pp. 539–556

    work page 2017

  26. [26]

    A new off-line electronic cash scheme for bank delegation,

    J. Liu and Y. Hu, “A new off-line electronic cash scheme for bank delegation,” in International Conference on Information Science and Technology (ICIST), 2015

    work page 2015

  27. [27]

    A proxy blind signature scheme and an off-line elec- tronic cash scheme,

    J. Liu, J. Liu, and X. Qiu, “A proxy blind signature scheme and an off-line elec- tronic cash scheme,”Wuhan University Journal of Natural Sciences, 2013

    work page 2013

  28. [28]

    Zkpdl: A language-based system for efficient zero-knowledge proofs and electronic cash

    S. Meiklejohn, C. C. Erway, A. Küpçü, T. Hinkle, and A. Lysyanskaya, “Zkpdl: A language-based system for efficient zero-knowledge proofs and electronic cash.” in USENIX Security Symposium, vol. 10, 2010, pp. 193–206

    work page 2010

  29. [29]

    Verifiable random functions,

    S. Micali, M. Rabin, and S. Vadhan, “Verifiable random functions,” inIEEE Sym- posium on Foundations of Computer Science. IEEE, 1999, pp. 120–130

    work page 1999

  30. [30]

    Disposable zero-knowledge authentications and their applications to untraceable electronic cash,

    T. Okamoto and K. Ohta, “Disposable zero-knowledge authentications and their applications to untraceable electronic cash,” inAdvances in Cryptology – CRYPTO. Springer, 1989, pp. 481–496

    work page 1989

  31. [31]

    On the impossibility of fair exchange without a trusted third party,

    H. Pagnia, F. C. Gärtneret al., “On the impossibility of fair exchange without a trusted third party,” Technical Report TUD-BS-1999-02, Darmstadt University of Technology ..., Tech. Rep., 1999

    work page 1999

  32. [32]

    Non-interactive and information-theoretic secure verifiable secret sharing,

    T. P. Pedersen, “Non-interactive and information-theoretic secure verifiable secret sharing,” inAdvances in Cryptology – CRYPTO. Springer, 1991, pp. 129–140

    work page 1991

  33. [33]

    Provably secure blind signature schemes,

    D. Pointcheval and J. Stern, “Provably secure blind signature schemes,” inAd- vances in Cryptology – ASIACRYPT. Springer, 1996, pp. 252–265

    work page 1996

  34. [34]

    Auditable, anonymous electronic cash,

    T. Sander and A. Ta-Shma, “Auditable, anonymous electronic cash,” inAdvances in Cryptology – CRYPTO. Springer, 1999, pp. 555–572

    work page 1999

  35. [35]

    (im) possibility of safe exchange mechanism design,

    T. Sandholm and X. Wang, “(im) possibility of safe exchange mechanism design,” in Eighteenth national conference on Artificial intelligence, 2002, pp. 338–344

    work page 2002

  36. [36]

    Conditionale-cash,

    L.Shi,B.Carbunar,andR.Sion,“Conditionale-cash,” in International Conference on Financial Cryptography and Data Security. Springer, 2007, pp. 15–28

    work page 2007

  37. [37]

    An off-line electronic cash scheme based on proxy blind signature,

    Z. Tan, “An off-line electronic cash scheme based on proxy blind signature,”The computer journal

    work page

  38. [38]

    Zcash official website,

    Zcash, “Zcash official website,” https://z.cash/, 2024, accessed: 2024-06-02

    work page 2024

  39. [39]

    Efficient verifiably encrypted signature and partially blind signature from bilinear pairings,

    F. Zhang, R. Safavi-Naini, and W. Susilo, “Efficient verifiably encrypted signature and partially blind signature from bilinear pairings,” inInternational Conference on Cryptology in India (INDOCRYPT), 2003

    work page 2003

  40. [40]

    Making a miracl: Multilingual information retrieval across a continuum of languages,

    X. Zhang, N. Thakur, O. Ogundepo, E. Kamalloo, D. Alfonso-Hermelo, X. Li, Q. Liu, M. Rezagholizadeh, and J. Lin, “Making a miracl: Multilingual information retrieval across a continuum of languages,”arXiv preprint arXiv:2210.09984, 2022. 31 A Cryptographic definitions A.1 Discrete log problem Given a multiplicative groupG of order p and group generator g,...

    work page arXiv 2022