Digital Cash

What is Digital Cash?

Digital cash aims to mimic the functionality of paper cash, by providing such properties of anonymity and transferability of payment. Digital cash is intended to be implemented data which can be copied, stored, or given as payment (for example, attached to an email message, or via a USB stick, bluetooth, etc).  Just like paper currency and coins, digital cash is intended to represent value because it is backed by a trusted third party (namely, the government and the banking industry).

Most money is already paid in electronic form; for example, by credit or debit card, and by direct transfer between accounts, or by on-line services such as PayPal. This kind of electronic money is not digital cash, because it doesn't have the properties of cash (namely, anonymous and off-line transferability between holders).

How does Digital Cash work?

The figure shows the basic operation. User A obtains digital cash "coins" from her bank (and the bank deducts a corresponding amount from her account).  The user is now entitled to use the coins by giving them to another user B, which might be a merchant. B receives e-cash during a transaction and see that it has been authorized by a bank. They can then pay the cash into their account at the bank.

Ideal properties of a Digital Cash system

Ideal properties:

1. Secure. Alice should be able to pass digital cash to Bob without either of them, or others, able to alter or reproduce the electronic token.

2. Anonymous. Alice should be able to pay Bob without revealing her identity, and without Bob revealing his identity. Moreover, the Bank should not know who Alice paid or who Bob was paid by. Even stronger, they should have the option to remain anonymous concerning the mere existence of a payment on their behalf.

3. Portable. The security and use of the digital cash is not dependent on any physical location. The cash should be able to be stored on disk or USB memory stick, sent by email, SMS, internet chat, or uploaded on web forms. Digital cash should not be restricted to a single, proprietary computer network.

4. Two-way. Peer-to-peer payments are possible without either party required to attain registered merchant status (in contrast with today's card-based systems). Alice, Bob, Carol, and David share an elaborate dinner together at a trendy restaurant and Alice pays the bill in full. Bob, Carol, and David each should then be able to transfer one-fourth of the total amount in digital cash to Alice.

5. Off-line capable. The protocol between the two exchanging parties is executed off-line, meaning that neither is required to be host-connected in order to proceed. Availability must be unrestricted. Alice can freely pass value to Bob at any time of day without requiring third-party authentication.

6. Wide acceptability. The digital cash is well-known and accepted in a large commercial zone. With several digital cash providers displaying wide acceptability, Alice should be able to use her preferred unit in more than just a restricted local setting.

7. User-friendly. The digital cash should be simple to use from both the spending perspective and the receiving perspective. Simplicity leads to mass use and mass use leads to wide acceptability. Alice and Bob should not require a degree in cryptography as the protocol machinations should be transparent to the immediate user.

These are ideal properties, and no known system satisfies them all.

Categorization of payment systems

Implementations of payment systems that don't satisfy all the requirements may be conveniently classified according to these criteria:

1. Anonymous or identified. Anonymous e-cash works just like real paper cash. Once anonymous e-cash is withdrawn from an account, it can be spent or given away without leaving a transaction trail. This however, can be considered contentious. Identified payment systems such as credit card payment, or payment by Paypal leave an audit trail, and the identity of the payee and the payer is known to the Bank, and (usually) to each other.

2. Online or offline. Online means you need to interact with a bank (via a network) to conduct a transaction with a third party. Offline means you can conduct a transaction without having to directly involve a bank.

3. Requiring a trusted platform. Some protocols may require a trusted platform, such as a smart card. Smart cards are small plastic cards like credit cards, bearing a chip. They are tamper-resistant and can force Alice and Bob to adhere to the protocol. This is convenient for the protocol designer, but threatens to tie users to proprietary interfaces and to remove transparency of the system. In contrast, internet protocols endorsed by the IETF are open and can be interoperably implemented by anyone.

Two big problems

How can we guarantee anonymity? If the bank can see which coins it gives to A, and later it sees the same coins coming back from B. it can infer that A has paid them to B (possibly via an intermediary).

How can we avoid double spending? Because electronic files can be duplicated, a big challenge for digital cash is how to stop users spending money twice. On-line solutions achieve this by making the payee check with the bank before acknowledging payment. Off-line solutions have to use more elaborate methods.

Cryptographic primitives

Some technical concepts are needed to understand digital cash protocols. Blind signatures. Suppose Charlie wants Dianne to sign a message m, but does not want

Dianne to know the contents of the message. This might seem like a strange thing -- why would Diane sign something without knowing what it is? But the concept has useful applications in situations involving anonymity, such as digital cash. The arrangement works like this:

o Charlie "blinds" the message m, with some random number b (the blinding factor). This results in blind(m,b).

o Dianne signs this message, resulting in sign(blind(m,b),d), where d is Dianne's private key.

o Charlie then unblinds the message using b, resulting in unblind(sign(blind(m,b),d),b). The functions are designed so that this reduces to sign(m,d), i.e. Dianne's signature on m.

Details of how blind signatures can be implemented using RSA are given in another lecture.

Secret splitting. Suppose I have a secret message string m, and I want to give part of it to Alice and part of it to Bob, in such a way that neither of them individually can tell anything about the secret, but if they get together then they can reconstruct it.

o One way might be to split the secret string into two parts, m1 and m2, such that m = m1.m2, i.e. concatening m1 and m2 yields m. This is not very satisfactory because Alice and Bob each learns the first half or the second half of the message.

o A better way is to invent a random number r, and XOR m with r. Give r to Alice, and m XOR r to Bob. Now neither of them knows anything about the secret, because each of them has what looks like a completely random string. However, if they get together, they can obtain m by calculating r XOR (m XOR r) -- that is indeed m.

o This can be generalised to any number of participants.

Online Digital Cash

Let's look at how each component works.

Withdrawing coins

The following protocol is used in order to create a single coin of a given denomination, say m.1. The customer creates k units of money m. Each unit contains some header information, the

denomination, and a unique serial number. The serial number is randomly generated and would be long enough so that collision does not take place (e.g. 64-bit serial number has a probability of collision of 1/264). So the money would have the format:

m1 = (header info, denomination, serial number), …, mk = (header info, denomination, serial number).

2. The customer blinds each of them with different binding factors bi, and sends them to the bank for signing.

3. The bank randomly chooses k-1 of them to check, and leaves one unit i.

4. The customer gives the bank all the blinding factors except the one for unit i

5. The bank can now check the content to make sure the customer has not tried to cheat (e.g. by putting an amount larger than the agreed amount m). There is still a chance that the bank would not check the unit that is fraudulent but the probability of this happening deceases as we increase the size of k

6. If all checks out, the bank signs the remaining unit with its private key d and sends it back to the customer.

7. The customer un-blinds it by using bi to obtain the coin mi  signed by the bank.

Thus, a coin consists of a signed message from the bank, asserting the value of the coin. Importantly, the bank does not know the serial number of the coins. That is how we obtain anonumity.

Spending and depositing coins

These procedures are straight forward. To spend the coins, just give them to the payee. To redeem them, just give them to the bank. The bank will check their validity and credit your account.

To tackle the double spending problem, the payee has to verify the coin with the bank at the point of sale in each of the transactions. This verification of the legitimacy of the coin requires extra bandwidth and is a potential bottleneck of the system especially when the traffic is high. The real time verification also means there is a need for the synchronization between bank servers.

Pros and Cons of the online digital cash system

Here is the summary of the pros and cons of the online system:

Pros

Provides fully anonymous and untraceable digital cash:

No double spending problems (coins are checked in real time during the transaction).

No additional secure hardware required

Cons

Communications overhead between merchant and the bank.

Huge database of coin records -- the bank server needs to maintain an ever-growing database for all the used coins’ serial numbers.

Difficult to scale, need synchronization between bank servers.

Coins are not reusable

Offline Digital Cash

In the off-line scheme, the withdrawal and disposal of the coins are very similar to the one in the on-line scheme; the main difference is in how coins are spent, in order to prevent double-spending without the need to verify with the bank. This is achieved by adding an additional component in the model: it is a trusted party, which performs a digital transformation of the coin when it is transferred between users. This trusted party may be implemented as a tamper–resistant device. In a real life example, you could think of it as a smart card reader at the point of sale, although note that it is not required to be on-line. The device is trusted by the bank and by users, and is used to verify the authenticity of the coin and to address the double-spending problem. It does not prevent users from double-spending, but it provides a means to trace them if they do double-spend. This has to be carefully designed, in order to keep anonymity. Secret splitting is used to allow the user to be anonymous as long as he/she doesn’t double spend. Details are given below.

In this system, coins are reusable. The merchant can spend the coin elsewhere with other parties through another tamper-resistant device before the coin is finally deposited back to the bank for verification.

In additional to the secret splitting method, in order to add extra security to the offline system, there could be a link between the bank and the temper-resistant device which allows the T.R.D. to download a blacklist of double spenders in a set period of time when the traffic is low. This reduces the chance of people double spending their money in the first place.

How off-line protocol works

A coin will contain the following:

Serial number – a unique number that identifies the coin Denomination – the actual value of the coin

Validity Period

Transaction list – has an arbitrary number of transaction items.

Withdrawing and depositing the coins is the same as in the on-line method, but spending the coins is different.

A transaction item is created when the coin is transferred between the customer and the merchant. Each transaction item consists of n pairs. A pair (p1,p2) is the identity of a user, split into two parts using the secret splitting idea described above. The transaction list consists of k transaction items. In all but the last one, half of each pair has been blanked out.

Thus, a transaction list might look like this:

P1 P2

ALI ---

--- ICE

--- E

BO ---

--- OB

B ---

CHA RLIE

CH ARLIE

CHARL IE

If P1 and P2 are XORed the original id of the user will be revealed. But only the last owner can be seen, "CHARLIE". Note that secret sharing is done with XOR, not concatenation. Concatenation is used for illustration just to make the picture readable. There is no way the identities of ALICE and BOB can be extracted from the transaction list.

When a user spends their money, the protocol will randomly blank some of P1 and some of the P2 for the current owner, and adds another list of P1 and P2 for the new owner.

How does this detect double spending?

If a user makes a copy of a coin before they spend it, they have the possibility to spend that coin again. However, when the coin is finally returned to the issuer, it will be possible to discover the culprit. This is achieved by combining a particular part of the identity from the original coin with its corresponding part from the copied coin. Note that the corresponding part will have been blanked out in the original coin.

The probability of catching a userThe probability of catching a user depends on the number of identity pairs used in the transaction. The more pairs used, the greater the chance of catching the culprit. The probability of catching the culprit is:

1-½n

Where n is the number of pairs used.

Example, if n=5 then the chance of catching a user is 0.97. If n=20, it is more than 0.00000095; in that case, a double-spender would have only one chance in a million of not being caught.

Memory requirements

By allowing more than one person to use the same coin, there will be extra data appended to the coin ‘file’. Thus, the size of this file will be ever growing. A possible solution to this is to have a maximum number of transactions. This would limit the number of ID’s added to the file. No more transactions can take place once the maximum has been reached, and the coin must be banked.

Also to prevent the banks database of serial numbers there maybe a validity period (or expiration date) associated with the coin, and then the coin will no longer be able to be banked. This would allow the bank to ‘clean-up’ its database of invalid serial numbers.

Pros and Cons of the offline digital cash system

Pros

Off-line, portable scheme

User is fully anonymous unless double spends

Bank can detect double spender (with high probability)

Banks don’t need to synchronize database in each transaction.

Coins are reusable

Cons

Might not prevent double spending immediately

More expensive to implement - the extra security hardware needed in the system requires an additional cost.

Policy considerations

There is a lot of concern regarding the anonymity of digital cash with respects to illegal activities. For example it can be used for money laundering and ransom demands without being able to trace the culprit. There are proposals/solutions that overcome this intractability, involving identity escrow and trusted parties.

One of these solutions is to have a trusted third party in the transaction on money. In the below diagram it is called a judge. The judge would have access to either the massage-signature pair or the signer’s view of his protocol. With this information and the information from either the sender or signer the culprit can be traced.

However, digital cash has not taken off, in contrast with other electronic payment systems such as Paypal.

Paypal

Paypal is not "digital cash", because it doesn't attempt to provide properties similar to cash (anonymity, off-line usage). Instead, it aims to replace credit cards, and is much more secure. In contrast with credit cards, Paypal payees do not have to have merchant status. Thus, it is attractive to private individuals selling at auctions.

Digital cash was invented by David Chaum in 1988. In 1990 he founded DigiCash, a pioneering firm in the area, but attracted only $160k US dollar in two years, declared bankruptcy in 1998, and was bought by eCash Technologies. Now eCash is having its own troubles and has been bought by another company called InfoSpace.

PayPal was founded in December 1998. Adopting aggressive marketing campaigns offering $10 (and later $5) for new users to sign up, the firm grew at a meteoric rate of 7–10 percent per day between January and March 2000. In October 2002 PayPal was acquired by eBay. PayPal had

previously been the payment method of choice by over fifty percent of eBay users, and the service competed with eBay's subsidiary BillPoint. eBay has phased out its BillPoint service in favor of retaining the PayPal brand. PayPal's only substantially similar competitor is now BidPay, after Citibank's c2it service closed in late 2003, and Yahoo!'s PayDirect service closed in late 2004. In 2004, the total value of transactions through the PayPal system was $18.9 billion, up 55% year over year. As of the end of Q2 2005, PayPal operates in 57 countries (including China) and it manages over 78.9 million accounts. Every second PayPal processes an average of $823 in total payment volume. (This information is extracted from Wikipedia.)

Conclusion

The elimination of physical cash from our economy is already feasible from a purely technological perspective. However, substantial additional investment in equipment and cards would be needed to permit even purchases such soft drinks to be made.

But transactional privacy is at the heart of critics' attack on digital cash. Because it’s untraceable,  there are concerns about money laundering, offshore banking and tax havens, and has been closely monitoring developments of digital cash. Investors don’t have confidence in the development of digital cash. In contrast, non-anonymous, on-line payment systems like Paypal are enjoying huge success.

Questions to consider - just to check that you understand what this is about! How does Paypal overcome the double spending problem? Categorise mobile phone top-up scratch-card vouchers in terms of the Categorization of

payment systems above.

What if Alice and Bob1 and Bob2 conspire together to achieve double spending by Bob1 and Bob2 picking the same random numbers to hide Alice's identity?

References

1. David Chaum, Amos Fiat and Moni Naor, "Untraceable Electronic Cash", in Advances in Cryptology - CRYPTO '88 ProceedingsThis paper describes an off-line system which doesn't require any trusted hardware, but coins can only be used once.

2. David Chaum, “Blind Signature System”. US Patent #4759063

3. Pater Wayner, "Digital Cash Commerce on the Net", Academic Press Inc 1996

4. Hitesh Tewari, Donal O'Mahony & Michael Peirce (1998). “Reusable Off-Line Electronic Cash Using Secret Splitting”, Technical Report TCD-CS-1998-27, Trinity College Dublin Computer Science Department, Dublin.

5. Digital Cash and Net Commerce. http://www2.pro-ns.net/~crypto/toc12.html