digital cash
DESCRIPTION
A payment message bearing a digital signature which functions as a medium of exchange or store of value
TRANSCRIPT
Digital Cash
Presented by Kevin, Hiren, Amit, Kai
What is Digital Cash?
♦ A payment message bearing a digital signature which functions as a medium of exchange or store of value
♦ Needs to be backed by a trusted third party, usually the government and the banking industry.
Key Properties
♦ Secure
♦ Anonymous
♦ Portable
♦ Reusable
♦ User-friendly
Digital Cash vs Credit Card
♦ Digital cash: anonymous. Credit card: identified.
♦ Digital cash: online or off-line. Credit card: online.
♦ Digital cash: store money in digital wallet. Credit card: money is in the bank.
The Online Model
♦ Structure Overview
[Diagram: Bank, User and Merchant, with flows labelled Withdraw Coins, Payment and Deposit Coins; the Bank links with other banks]
Pros and Cons of the online scheme
♦ Pros
– Provides fully anonymous and untraceable digital cash.
– No double spending problems.
– Doesn't require additional secure hardware – cheaper to implement.
♦ Cons
– Communications overhead between merchant and the bank.
– Huge database of coin records.
– Difficult to scale, need synchronization between bank servers.
– Coins are not reusable
The Offline Model
♦ Structure Overview
[Diagram: Bank, Merchant, User and Others; tamper-resistant devices (T.R.D.)]
Pros and Cons of the offline model
♦ Advantages
– Off-line scheme
– User is fully anonymous unless they double spend
– Bank can detect double spender
– Banks don’t need to synchronize database in each transaction.
– Coins could be reusable
– Reduces the size of the coin database.
♦ Disadvantages
– Might not prevent double spending immediately
– More expensive to implement
Traceable Signature Protocol
♦ Participants: Customer, Bank, Merchant
♦ Message m = (amount, serial no)
♦ d is the secret key of the Bank
♦ send m
♦ send $m^d$
♦ spend $m^d$
♦ verify $m^d$
Blind Signatures
♦ Add a blinding factor b
♦ $r = m b^e$, where m is the message
♦ Bank could keep a record of r
♦ $r^d = (m b^e)^d$
♦ Remove blinding factor
♦ $(m b^e)^d = m^d b^{ed}$
♦ Multiplying by $b^{-1}$ leaves $m^d$
Untraceable Digital Cash
♦ Create k items of m: $m_1, \ldots, m_k$, each with a random serial number
♦ $m_1 = (\ldots, \text{amount}, \text{serial number})$, …, $m_k = (\ldots, \text{amount}, \text{serial number})$
Untraceable Digital Cash
♦ Create blinding factors: $b_1^e, \ldots, b_k^e$
♦ Blind the units: $m_1 b_1^e, \ldots, m_k b_k^e$
♦ Send to bank for signing: $m_1 b_1^e, \ldots, m_k b_k^e$
Untraceable Digital Cash
♦ Bank chooses k – 1 to check
♦ Customer gives all blinding factors except for unit i
♦ Bank checks they are correct
Untraceable Digital Cash
♦ Bank signs the remaining one and sends it back: $(m_i b_i^e)^d = m_i^d b_i$
♦ The customer removes the blind using $b_i^{-1}$, leaving $m_i^d$
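The blind-signature arithmetic and the k-unit withdrawal from the slides above, run end to end in Python. This is an added example, not part of the original presentation; the toy RSA key, the packing of (amount, serial number) into one integer, and all function names are assumptions made for illustration.

```python
import math, secrets

# Constructed toy key for the bank: two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # d, the secret key of the bank

def make_unit(amount):
    """m = (amount, random serial number), packed into one integer (assumed layout)."""
    return (amount << 64) | secrets.randbits(64)

def random_blind():
    while True:                         # b must be invertible mod N to be removable
        b = secrets.randbelow(N - 2) + 2
        if math.gcd(b, N) == 1:
            return b

def blind(m, b):
    return m * pow(b, E, N) % N         # r = m * b^e

def unblind(signed, b):
    return signed * pow(b, -1, N) % N   # (m^d * b) * b^-1 = m^d

def bank_sign_one(blinded, reveal, amount):
    """Bank side: keep unit i blind, open and check the other k-1, then sign unit i."""
    i = secrets.randbelow(len(blinded))
    opened = reveal(i)                  # customer hands over (m_j, b_j) for all j != i
    for j, r in enumerate(blinded):
        if j == i:
            continue
        m, b = opened[j]
        if blind(m, b) != r or (m >> 64) != amount:
            raise ValueError(f"unit {j} does not match the requested withdrawal")
    return i, pow(blinded[i], D, N)     # r^d = (m * b^e)^d, signed without seeing m

def withdraw(amount, k=10):
    """Customer side: returns (m, m^d, r) where r is all the bank saw of the coin."""
    units = [make_unit(amount) for _ in range(k)]
    blinds = [random_blind() for _ in range(k)]
    blinded = [blind(m, b) for m, b in zip(units, blinds)]
    def reveal(i):
        return {j: (units[j], blinds[j]) for j in range(k) if j != i}
    i, signed = bank_sign_one(blinded, reveal, amount)
    return units[i], unblind(signed, blinds[i]), blinded[i]

def verify(m, sig):
    return pow(sig, E, N) == m          # merchant or bank checks (m^d)^e == m
```

The bank's record of the withdrawal holds only r, so it cannot match the deposited pair (m, m^d) to the customer. A customer who mislabels units is caught whenever a bad unit is among the k – 1 the bank opens.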
Problem!
♦ When the merchant receives the coin, it still has to be verified
♦ The merchant has to have a connection with the bank at the time of sale
♦ This protocol is anonymous but not portable
How to make it off-line
Secret Splitting
♦ A method that splits the user ID into n parts
♦ Each part on its own is useless but when combined will reveal the user ID
♦ Each user ID is XORed with a one-time pad, R
Cont…
♦ E.g. User ID = 2510, R = 1500:
♦ 2510 XOR 1500 = 3090
♦ The user ID can now be split into 2 parts, i.e. 1500 and 3090
♦ On their own they are useless but when XORed will reveal the user ID
♦ I.e. 1500 XOR 3090 = 2510
A Typical Coin
♦ Header Information
♦ Serial number
♦ Transaction Item – pairs of user IDs
♦ User ID:
1500 3090
4545 6159
5878 7992
A Typical Coin
♦ Header Information
♦ Serial number
♦ Transaction Item – pairs of user IDs
♦ User ID:
1500 XOR 3090 = 2510
4545 XOR 6159 = 2510
5878 XOR 7992 = 2510
(2510 is the User ID)
Blanking
♦ User ID:
0 3090
4545 6159
5878 7992
Randomly blank one side of each identity pair
Blanking
♦ User ID:
0 3090
4545 0
5878 7992
Randomly blank one side of each identity pair
The coin is now spent
♦ User ID:
0 3090
4545 0
5878 0
You can no longer tell who owns the coin
♦ Merchant would now deposit this coin into the bank
The coin is copied and spent at another merchant
♦ User ID:
1500 0
4545 0
0 7992
♦ Before the user spent the coin the first time, the user made a copy of it
♦ Merchant would now deposit this coin into the bank
How can we catch the user?
♦ Original Coin
♦ User ID:
0 3090
4545 0
5878 0
♦ Duplicate Coin
♦ User ID:
1500 0
4545 0
0 7992
This is what is in the bank
3090 XOR 1500 = 2510
5878 XOR 7992 = 2510
(2510 is the User ID)
Probability of catching the culprit
♦ Depends on the number of the identity strings used
♦ Probability of catching a user is: $1 - (1/2)^n$, where n is the number of identity strings
E.g. n = 5, the probability of catching a user is: 0.97
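The secret splitting, blanking and double-spend identification from the slides above, as runnable Python using the slides' own coin (pairs that XOR to user ID 2510). This is an added example, not part of the original presentation; the function names, the use of `None` for a blanked half, and modelling the random blanking as a list of selector bits are assumptions.

```python
import secrets

def split_id(user_id, n, bits=16):
    """Secret splitting: n pairs (R, user_id XOR R), each with a fresh one-time pad R."""
    pairs = []
    for _ in range(n):
        r = secrets.randbits(bits)
        pairs.append((r, user_id ^ r))
    return pairs

def spend(pairs, selector):
    """Blank one side of every pair; selector bit 0 keeps the left half, 1 the right.
    None marks a blanked half (the slides print 0, which could also be a real half)."""
    return [(l, None) if s == 0 else (None, r) for (l, r), s in zip(pairs, selector)]

def identify_double_spender(deposit_a, deposit_b):
    """Bank side: two deposits of one serial number. Any pair revealed on opposite
    sides gives both halves, and their XOR is the user ID. None if no pair differs."""
    for (l1, r1), (l2, r2) in zip(deposit_a, deposit_b):
        if l1 is not None and r2 is not None:
            return l1 ^ r2
        if r1 is not None and l2 is not None:
            return r1 ^ l2
    return None

def catch_probability(n):
    """Two independent random selectors agree on all n pairs with probability (1/2)^n."""
    return 1 - 0.5 ** n

# The coin from the slides: three identity pairs that each XOR to user ID 2510.
SLIDE_COIN = [(1500, 3090), (4545, 6159), (5878, 7992)]
ORIGINAL = spend(SLIDE_COIN, [1, 0, 0])    # first merchant sees 3090, 4545, 5878
DUPLICATE = spend(SLIDE_COIN, [0, 0, 1])   # second merchant sees 1500, 4545, 7992

if __name__ == "__main__":
    print(identify_double_spender(ORIGINAL, DUPLICATE))
    print(catch_probability(5))
```

A single deposit reveals only one half of each pair, which is a random value on its own, so the owner stays anonymous until the same coin is deposited twice with different halves exposed.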
Reusability
♦ Once the coin has been spent the merchant has to deposit it to the bank
♦ Therefore, a coin can only be spent once
♦ Convenience, ability to give change, unnecessary transactions between bank and merchant
♦ Bank's database size – fewer serial numbers
♦ Solution – Add the new User ID to the coin
Setup
ID=HIREN
ID=KEVIN
ID=AMIT
Coins
♦ User's Coin
♦ User ID:
A MIT
AM IT
AMI T
Amit spends his coin at Hiren's shop
The coin will now look like this:
User ID:
A 0
0 IT
AMI 0
HI REN
HIR EN
H IREN
Amit no longer owns the coin; it is bound to Hiren
Hiren can now go and spend his coin at Kevin's shop
The coin looks like this:
User ID:
A 0
0 IT
AMI 0
HI REN
HIR EN
H IREN
The coin will now look like this:
User ID:
A 0
0 IT
AMI 0
0 REN
0 EN
H 0
KE VIN
K EVIN
KEV IN
Size Matters!
♦ Coin m = (Serial num, denomination, Transaction list (transactions * user ID), Other Header info)
♦ Limit size by Validity Period and/or max Transactions
Other proposals
♦ What if you want to buy something that costs £4.99 and you have a £5 coin?
♦ Would have a ‘file’ for every coin
[Diagram: tree of coin denominations with £4 at the top, two £2 below it, and four £1 at the bottom]
Fair Blind Signatures
♦ Possible solution to undetectable money laundering or ransom demands
[Diagram: Sender and Signer, Signing protocol, Judge; the Message-signature pair and the View of protocol are un-linkable]
Conclusion
♦ Feasible from a purely technological perspective
♦ Anonymity is at the heart of the government's attack
♦ Cannot attract funding
Advantages:
♦ Convenience
♦ Secure
♦ Handling costs
♦ Time saving
♦ Transaction Costs
Global Disadvantages
♦ Safety Issue
♦ Physical Securities
♦ Users Issue
♦ Legal problems
Questions?