Electronic cash (E-cash), also known as E-money or digital currency, is a very important electronic payment system, which can be regarded as an electronic or digital simulation of real money. Electronic cash exists in the form of digital information and circulates through the Internet. But it is more convenient and economical than real money. Its simplest form includes three subjects: merchants, users and banks; And four security protocol processes: initialization protocol, withdrawal protocol, payment protocol and deposit protocol. The first electronic cash scheme was put forward by Chaum [2] in 1982. He used blind signature technology to realize it, which can completely protect users' privacy. However, this completely anonymous electronic cash has also provided convenience for many lawless elements, who use its complete anonymity to carry out some illegal and criminal activities, such as corruption, illegal purchase (such as buying drugs, arms, etc.), extortion and so on. Even if the police get the stolen money, they can't catch the criminals. For this reason, a reasonable electronic cash system should be incomplete or conditionally anonymous. In 1995, Stadler et al [3] put forward the concept of fair blind signature, which can be used in conditional anonymous payment systems. In 1996, Camenisch et al. [4] and Frankel et al. [5] independently put forward the concept of fair off-line electronic cash for the first time, and gave two schemes at the same time. The anonymity of users in fair electronic cash is incomplete, and it can be revoked by a trusted third party (TTP), thus preventing criminal activities by using the complete anonymity of electronic cash.

in its life cycle, electronic cash has to go through three processes: withdrawal, payment and deposit, involving users, merchants and banks. The basic circulation mode of electronic cash is shown in Figure 1. The user and the bank execute the withdrawal agreement to withdraw electronic cash from the bank; The user and the merchant execute a payment agreement to pay electronic cash; The merchant and the bank execute the deposit agreement and deposit the electronic cash obtained from the transaction into the bank.

The basic process of designing electronic cash is as follows:

1. Withdrawal Protocol: users withdraw electronic cash from their bank accounts. In order to obtain legal electronic cash with bank signature under the premise of ensuring users' anonymity, users will interact with banks to implement blind signature protocol, and banks must be sure that electronic cash contains the necessary user identity. General withdrawal agreements are divided into the following two-step agreements:

* account opening agreement. This step is usually computationally intensive and is used to provide users with an electronic license containing their identity information.

* withdrawal agreement. This step is just a simple blind signature process, and users can withdraw electronic cash from their accounts.

2. Payment Protocal: users use electronic cash to buy goods from stores. It is usually divided into two sub-protocols:

* Verifying the signature of electronic cash, which is used to confirm whether electronic cash is legal.

* knowledge disclosure protocol. The buyer will disclose some information about his identity to the seller to prevent the buyer from abusing electronic cash.

3. Deposit Protocal: users and businesses deposit electronic cash into their bank accounts. In this step, Bank of China will check whether the deposited electronic cash is used legally. If illegal use is found, the bank will use reuse detection protocol to track the identity of illegal users and punish them.