Digital Cash

Present By Kevin, Hiren, Amit, Kai

What is Digital Cash?

♦ A payment message bearing a digital signature which functions as a medium of exchange or store of value

♦ Need to be backed by a trusted third party, usually the government and the banking industry.

Key Properties

♦ Secure ♦ Anonymous

♦ Portable

♦ Reusable

♦ User-friendly

Digital Cash vs Credit Card

Anonymous Identified

Online or Off-line Online

Store money in digital wallet

Money is in the Bank

The Online Model

♦ Structure Overview

Deposit Coins

Bank

User Merchant

Withdraw Coins

Payment

Link with other banks

Pros and Cons of the online scheme

♦ Pros– Provides fully anonymous and untraceable digital cash.

– No double spending problems.

– Don't require additional secure hardware – cheaper to implement.

♦ Cons– Communications overhead between merchant and the bank.

– Huge database of coin records.

– Difficult to scale, need synchronization between bank servers.

– Coins are not reusable

The Offline Model

♦ Structure Overview

Bank

Merchant

User

Temper-resistant

device

Others

T.R.D.

Pros and Cons of the offline model

♦ Advantages– Off-line scheme

– User is fully anonymous unless double spend

– Bank can detect double spender

– Banks don’t need to synchronize database in each transaction.

– Coins could be reusable

– Reduced the size of the coin database.

♦ Disadvantages– Might not prevent double spending immediately

– More expensive to implement

Traceable Signature Protocol

mmessage m = amount, serial no

(m)d

d is secret key of the Bank

spend (m)d

send m

send (m)d

verify (m)d

Customer BankMerchant

Blind Signatures

♦ Add a blinding factor b

♦ rd = (mbe)d

♦ Bank could keep a record of r

♦ Remove blinding factor

♦ (mbe)d = (m)dbed

♦ b-1 md

♦ r = (m)be

message

Untraceable Digital Cash

♦ Create k items of m

Random Serial Number

m1

Random Serial Number

, …, mk

m1 = (…, amount, serial number)mk = (…, amount, serial number)

Untraceable Digital Cash

♦ Create blinding factors:b1e,…, bk

e

♦ Blind the units - m1b1e, …, mk bk

e

m1b1e mkbk

e, …,

Bank

♦ Send to bank for signing

Untraceable Digital Cash

♦ Bank chooses k –1 to check♦ Customer gives all blinding factors except

for unit i♦ Bank checks they are correct

i

Untraceable Digital Cash

♦ Bank signs the remaining one and sends it back – (mibe

i)d = midbi

Customer

Seria

l no

♦ The customer removes the blind using bi

-1 mid

Problem!

♦ When the merchant receives the coin, it still has to be verified

♦ The merchant has to have a connection with the bank at the time of sale

♦ This protocol is anonymous but not portable

How to make it off-line

Secret Splitting

♦ A method that splits the user ID in to n parts♦ Each part on its own is useless but when

combined will reveal the user ID♦ Each user ID is XOR with a one time Pad,

R

Cont…

♦ E.g. User ID = 2510, R = 1500:♦ 2510 XOR 1500 = 3090♦ The user ID can now be split into 2 parts,

I.e. 1500 and 3090♦ On their own they are useless but when

XOR will reveal the user ID♦ I.e 1500 XOR 3090 = 2510

A Typical Coin

♦ User ID:

1500 3090

4545 6159

5878 7992

♦Header Information♦Serial number ♦Transaction Item – pairs of user ID’s

A Typical Coin

♦ User ID:

1500 XOR 3090 = 2510

4545 XOR 6159 = 2510

5878 XOR 7992 = 2510

User ID

♦Header Information♦Serial number ♦Transaction Item – pairs of user ID’s

Blanking

♦ User ID:

0 3090

4545 6159

5878 7992

Randomly blank one side of each identity pair

Blanking

♦ User ID:

0 3090

4545 0

5878 7992

Randomly blank one side of each identity pair

The coin is now spent

♦ User ID:

0 3090

4545 0

5878 0

You can no longer tell who owns the coin

•Merchant would now deposit this coin into the bank

The coin is copied and spent at another merchant

♦ User ID:

1500 0

4545 0

0 7992

•Before the user spent the coin the first time, the user made a copy of it

•Merchant would now deposit this coin into the bank

How can we catch the user?

♦ Original Coin♦ User ID:

0 3090 4545 0 5878 0

♦ Duplicate Coin♦ User ID:

1500 0

4545 0

0 7992

This is what is in the bank

How can we catch the user?

♦ Original Coin♦ User ID:

0 3090 4545 0 5878 0

♦ Duplicate Coin♦ User ID:

1500 0

4545 0

0 7992

This is what is in the bank

3090 XOR 1500 = 2510

5878 XOR 7992 = 2510User ID

Probability of catching the culprit

♦ Depends on the number of the identity strings used

♦ Probability of catching a user is:– 1 - ½n , where n is the number of identity strings

E.g. n = 5, the probability of catching a user is: 0.97

Reusability

♦ Once the coin has been spent the merchant has to deposit it to the bank

♦ Therefore, coin can only be spent once♦ Convenience, ability to give change,

unnecessary transactions between bank and merchant

♦ Banks database size – less serial numbers♦ Solution – Add the new User ID to the coin

Setup

ID=HIREN

ID=KEVIN

ID=AMIT

Coins

♦ Users Coin♦ User ID:

A MIT AM IT AMI T

Amit spends his coin at Hirens shop

The coin will now look like this:

Amit no longer owns

the coin, it is bounded

to Hiren

User ID: A 0 0 IT AMI 0HI RENHIR EN H IREN

Hiren can now go and spend his coin at Kevin's shopThe coin looks like this:

User ID: A 0 0 IT AMI 0HI RENHIR EN H IREN

Hiren can now go and spend his coin at Kevin's shopThe coin will now look like this:

User ID: A 0 0 IT AMI 00 REN0 EN H 0KE VINK EVINKEV IN

Size Matters!

♦ Coin m = (Serial num, denomination, Transaction list (transactions * user ID), Other Header info)

♦Limit size by Validity Period and/or max Transactions

Other proposals

♦ What if you what buy something that costs £4.99 and you have £5 coin?

♦ Would have a ‘file’ for every coin

£4

£2 £2

£1 £1 £1 £1

£2

£1 £1

£2

£1 £1

Fair Blind Signatures

♦ Possible solution to undetectable money laundering or ransom demands

Sender SignerSigning protocol

Judge

Un-linkableMessage-signature pair View of protocol

Conclusion

♦ Feasible from a purely technological perspective

♦ Anonymous is at the heart of the government's attack

♦ Cannot attract funding

Advantages:

♦ Convenience

♦ Secure ♦ Handling costs ♦ Time saving

♦ Transaction Costs

Global Disadvantages

♦ Safety Issue

♦ Physical Securities

♦ Users Issue

♦ Legal problems

Questions?