
Digital Cash

What is Digital Cash?

Digital cash aims to mimic the functionality of paper cash by providing properties such as
anonymity and transferability of payment. Digital cash is intended to be implemented as data which
can be copied, stored, or given as payment (for example, attached to an email message, or via
a USB stick, Bluetooth, etc.). Just like paper currency and coins, digital cash is intended to
represent value because it is backed by a trusted third party (namely, the government and the
banking industry).

Most money is already paid in electronic form; for example, by credit or debit card, by direct
transfer between accounts, or by on-line services such as PayPal. This kind of electronic money
is not digital cash, because it doesn't have the properties of cash (namely, anonymous and
off-line transferability between holders).

How does Digital Cash work?

The figure shows the basic operation. User A obtains digital cash "coins" from her bank (and the
bank deducts a corresponding amount from her account). The user is now entitled to use the
coins by giving them to another user B, who might be a merchant. B receives the e-cash during a
transaction and sees that it has been authorized by a bank. B can then pay the cash into their
account at the bank.

Ideal properties of a Digital Cash system

Ideal properties:

1. Secure. Alice should be able to pass digital cash to Bob without either of them, or
anyone else, being able to alter or reproduce the electronic token.
2. Anonymous. Alice should be able to pay Bob without revealing her identity, and without
Bob revealing his identity. Moreover, the Bank should not know who Alice paid or who
Bob was paid by. Even stronger, they should have the option to remain anonymous
concerning the mere existence of a payment on their behalf.
3. Portable. The security and use of the digital cash is not dependent on any physical
location. The cash should be able to be stored on disk or USB memory stick, sent by
email, SMS, internet chat, or uploaded on web forms. Digital cash should not be
restricted to a single, proprietary computer network.
4. Two-way. Peer-to-peer payments are possible without either party being required to attain
registered merchant status (in contrast with today's card-based systems). Alice, Bob,
Carol, and David share an elaborate dinner together at a trendy restaurant and Alice
pays the bill in full. Bob, Carol, and David should each then be able to transfer
one-fourth of the total amount in digital cash to Alice.
5. Off-line capable. The protocol between the two exchanging parties is executed off-line,
meaning that neither is required to be host-connected in order to proceed. Availability
must be unrestricted. Alice can freely pass value to Bob at any time of day without
requiring third-party authentication.
6. Wide acceptability. The digital cash is well-known and accepted in a large commercial
zone. With several digital cash providers displaying wide acceptability, Alice should be
able to use her preferred unit in more than just a restricted local setting.
7. User-friendly. The digital cash should be simple to use from both the spending
perspective and the receiving perspective. Simplicity leads to mass use and mass use
leads to wide acceptability. Alice and Bob should not require a degree in cryptography
as the protocol machinations should be transparent to the immediate user.

These are ideal properties, and no known system satisfies them all.

Categorization of payment systems

Implementations of payment systems that don't satisfy all the requirements may be conveniently
classified according to these criteria:

1. Anonymous or identified. Anonymous e-cash works just like real paper cash. Once
anonymous e-cash is withdrawn from an account, it can be spent or given away without
leaving a transaction trail. This, however, can be considered contentious. Identified
payment systems such as credit card payment, or payment by PayPal, leave an audit
trail, and the identity of the payee and the payer is known to the bank, and (usually) to
each other.
2. Online or offline. Online means you need to interact with a bank (via a network) to
conduct a transaction with a third party. Offline means you can conduct a transaction
without having to directly involve a bank.
3. Requiring a trusted platform. Some protocols may require a trusted platform, such as
a smart card. Smart cards are small plastic cards like credit cards, bearing a chip. They
are tamper-resistant and can force Alice and Bob to adhere to the protocol. This is
convenient for the protocol designer, but threatens to tie users to proprietary interfaces
and to remove transparency of the system. In contrast, internet protocols endorsed by
the IETF are open and can be interoperably implemented by anyone.

Two big problems

How can we guarantee anonymity? If the bank can see which coins it gives to A, and later sees
the same coins coming back from B, it can infer that A has paid them to B (possibly via an
intermediary).

How can we avoid double spending? Because electronic files can be duplicated, a big challenge
for digital cash is how to stop users spending money twice. On-line solutions achieve this by
making the payee check with the bank before acknowledging payment. Off-line solutions have to
use more elaborate methods.

Cryptographic primitives

Some technical concepts are needed to understand digital cash protocols.

• Blind signatures. Suppose Charlie wants Dianne to sign a message m, but does not want
Dianne to know the contents of the message. This might seem like a strange thing -- why
would Dianne sign something without knowing what it is? But the concept has useful
applications in situations involving anonymity, such as digital cash. The arrangement
works like this:
o Charlie "blinds" the message m, with some random number b (the blinding
factor). This results in blind(m,b).
o Dianne signs this message, resulting in sign(blind(m,b),d), where d is Dianne's
private key.
o Charlie then unblinds the message using b, resulting in
unblind(sign(blind(m,b),d),b). The functions are designed so that this reduces to
sign(m,d), i.e. Dianne's signature on m.

Details of how blind signatures can be implemented using RSA are given in another
lecture.

• Secret splitting. Suppose I have a secret message string m, and I want to give part of it to
Alice and part of it to Bob, in such a way that neither of them individually can tell
anything about the secret, but if they get together then they can reconstruct it.
o One way might be to split the secret string into two parts, m1 and m2, such that m
= m1.m2, i.e. concatenating m1 and m2 yields m. This is not very satisfactory,
because Alice and Bob each learn the first half or the second half of the message.
o A better way is to invent a random number r, and XOR m with r. Give r to Alice,
and m XOR r to Bob. Now neither of them knows anything about the secret,
because each of them has what looks like a completely random string. However,
if they get together, they can obtain m by calculating r XOR (m XOR r) -- that is
indeed m.
o This can be generalised to any number of participants.

Online Digital Cash

Let's look at how each component works.

Withdrawing coins

The following protocol is used in order to create a single coin of a given denomination, say m.

1. The customer creates k units of money m. Each unit contains some header information, the
denomination, and a unique serial number. The serial number is randomly generated and is
long enough that collisions do not occur (e.g. a 64-bit serial number has a probability of
collision of 1/2^64). So the money has the format:

m1 = (header info, denomination, serial number), ..., mk = (header info, denomination, serial
number).

2. The customer blinds each of them with a different blinding factor bi, and sends them to the bank for
signing.
3. The bank randomly chooses k-1 of them to check, and leaves one unit i unopened.
4. The customer gives the bank all the blinding factors except the one for unit i.
5. The bank can now check the content of the k-1 opened units to make sure the customer has not
tried to cheat (e.g. by putting in an amount larger than the agreed amount m). There is still a
chance that the bank does not check the unit that is fraudulent, but the probability of this
happening decreases as we increase the size of k.
6. If all checks out, the bank signs the remaining unit with its private key d and sends it back to the
customer.
7. The customer un-blinds it using bi to obtain the coin mi signed by the bank.
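As an added example (not code from the original notes), the Python below implements the blind(m,b), sign and unblind functions from the Cryptographic primitives section with RSA, and then runs the cut-and-choose withdrawal above with a customer who may slip a wrong denomination into one unit. The toy RSA key (n = 3233, e = 17, d = 2753), the encoding of a unit as a SHA-256 hash reduced mod n, and all function names are assumptions of this example.

```python
import hashlib
import random
from math import gcd

# Toy RSA key for the bank, n = 61 * 53 (constructed values; a real bank would use a
# 2048-bit modulus). The bank signs the hash of a unit, reduced mod n.
N, E, D = 3233, 17, 2753

def digest(unit):
    """Map a unit (header, denomination, serial) to the integer message m < n."""
    return int.from_bytes(hashlib.sha256(repr(unit).encode()).digest(), "big") % N

def blind(m, b):      # blind(m, b) = m * b^e mod n, with gcd(b, n) = 1
    return (m * pow(b, E, N)) % N

def sign(x):          # sign(x, d) = x^d mod n; the bank never sees m itself
    return pow(x, D, N)

def unblind(s, b):    # unblind(s, b) = s * b^-1 mod n = m^d mod n = sign(m, d)
    return (s * pow(b, -1, N)) % N

def verify(coin):     # anyone holding the bank's public key can check a coin
    unit, sig = coin
    return pow(sig, E, N) == digest(unit)

def blinding_factor(rng):
    while True:
        b = rng.randrange(2, N)
        if gcd(b, N) == 1:
            return b

def bank_withdraw(blinded, agreed, reveal, rng):
    """Cut-and-choose: keep one blinded unit unopened, open the other k-1 and check
    that each carries the agreed denomination and re-blinds to what was submitted."""
    keep = rng.randrange(len(blinded))
    for j, unit, b in reveal(keep):
        if unit[1] != agreed or blind(digest(unit), b) != blinded[j]:
            raise ValueError(f"unit {j} does not match the agreed withdrawal")
    return keep, sign(blinded[keep])

def withdraw_coin(denom, k, rng, cheat=None):
    """Customer side. If cheat is an index, that unit claims ten times the denomination."""
    units = [("ecash-v1", denom, rng.getrandbits(64)) for _ in range(k)]
    if cheat is not None:
        units[cheat] = ("ecash-v1", denom * 10, units[cheat][2])
    factors = [blinding_factor(rng) for _ in range(k)]
    blinded = [blind(digest(u), b) for u, b in zip(units, factors)]
    reveal = lambda keep: [(j, units[j], factors[j]) for j in range(k) if j != keep]
    keep, blind_sig = bank_withdraw(blinded, denom, reveal, rng)
    return units[keep], unblind(blind_sig, factors[keep])  # the coin: (m_i, bank signature)

def cheat_detection_rate(k, trials, seed=1):
    """Fraction of cheating withdrawals the bank catches; expected (k-1)/k."""
    rng, caught = random.Random(seed), 0
    for _ in range(trials):
        try:
            withdraw_coin(1, k, rng, cheat=rng.randrange(k))
        except ValueError:
            caught += 1
    return caught / trials
```

A cheating unit is caught whenever it is among the k-1 opened ones, so the rate approaches 1 only as k grows, which is exactly the trade-off step 5 describes.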

Thus, a coin consists of a signed message from the bank, asserting the value of the coin.
Importantly, the bank does not know the serial number of the coins. That is how we obtain
anonymity.

Spending and depositing coins

These procedures are straightforward. To spend the coins, just give them to the payee. To
redeem them, just give them to the bank. The bank will check their validity and credit your
account.

To tackle the double spending problem, the payee has to verify the coin with the bank at the
point of sale in every transaction. This verification of the legitimacy of the coin requires
extra bandwidth and is a potential bottleneck of the system, especially when traffic is high.
The real-time verification also means that the bank servers need to be kept synchronized.

Pros and Cons of the online digital cash system

Here is the summary of the pros and cons of the online system:

Pros

• Provides fully anonymous and untraceable digital cash.
• No double spending problems (coins are checked in real time during the transaction).
• No additional secure hardware required.

Cons

• Communications overhead between the merchant and the bank.
• Huge database of coin records -- the bank server needs to maintain an ever-growing
database of all the used coins' serial numbers.
• Difficult to scale; needs synchronization between bank servers.
• Coins are not reusable.

Offline Digital Cash

In the off-line scheme, the withdrawal and deposit of the coins are very similar to those in the
on-line scheme; the main difference is in how coins are spent, in order to prevent
double-spending without the need to verify with the bank. This is achieved by adding an additional
component to the model: a trusted party, which performs a digital transformation of the coin
when it is transferred between users. This trusted party may be implemented as a tamper-resistant
device. In a real-life example, you could think of it as a smart card reader at the point of
sale, although note that it is not required to be on-line. The device is trusted by the bank and by
users, and is used to verify the authenticity of the coin and to address the double-spending
problem. It does not prevent users from double-spending, but it provides a means to trace them
if they do double-spend. This has to be carefully designed in order to preserve anonymity. Secret
splitting is used to allow the user to remain anonymous as long as he/she doesn't double spend.
Details are given below.

In this system, coins are reusable. The merchant can spend the coin elsewhere with other
parties through another tamper-resistant device before the coin is finally deposited back to the
bank for verification.

In addition to the secret splitting method, in order to add extra security to the offline system,
there could be a link between the bank and the tamper-resistant device which allows the T.R.D.
to download a blacklist of double spenders at set intervals when the traffic is low. This
reduces the chance of people double spending their money in the first place.

How off-line protocol works

A coin will contain the following:

• Serial number - a unique number that identifies the coin
• Denomination - the actual value of the coin
• Validity period
• Transaction list - has an arbitrary number of transaction items

Withdrawing and depositing the coins is the same as in the on-line method, but spending the
coins is different.

A transaction item is created when the coin is transferred between the customer and the
merchant. Each transaction item consists of n pairs. A pair (p1,p2) is the identity of a user, split
into two parts using the secret splitting idea described above. The transaction list consists of k
transaction items. In all but the last one, half of each pair has been blanked out.

Thus, a transaction list might look like this:

P1      P2
ALI     ---
---     ICE
---     E
BO      ---
---     OB
B       ---
CHA     RLIE
CH      ARLIE
CHARL   IE

If P1 and P2 are XORed the original id of the user will be revealed. But only the last owner can
be seen, "CHARLIE". Note that secret sharing is done with XOR, not concatenation.
Concatenation is used for illustration just to make the picture readable. There is no way the
identities of ALICE and BOB can be extracted from the transaction list.

When a user spends their money, the protocol randomly blanks one half of each pair (either P1
or P2) in the current owner's transaction item, and appends a new item of P1 and P2 pairs for
the new owner.

How does this detect double spending?

If a user makes a copy of a coin before they spend it, they can spend that coin again. However,
when the coin is finally returned to the issuer, it will be possible to discover the culprit. This is
achieved by combining a particular part of the identity from the original coin with its
corresponding part from the copied coin. Note that the corresponding part will have been
blanked out in the original coin.

The probability of catching a user

The probability of catching a user depends on the number of identity pairs used in the
transaction. The more pairs used, the greater the chance of catching the culprit. The probability
of catching the culprit is:

1 - (1/2)^n

where n is the number of pairs used.

For example, if n=5 then the chance of catching a user is 0.97. If n=20, the chance of escaping
is only about 0.00000095; in that case, a double-spender would have only one chance in a million
of not being caught.
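The following Python is added here and is not part of the original notes. It implements XOR secret splitting for any number of participants (from the Cryptographic primitives section) and uses it for the transaction items above: each owner's identity becomes n (P1, P2) pairs, spending blanks one half of each pair at random, and the bank, on receiving two deposits of the same serial number, XORs a surviving P1 from one copy with the surviving P2 from the other to name the double-spender. The identity strings, the 8-byte padding and the representation of a coin as a dict are this example's own assumptions.

```python
import random
from functools import reduce

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_secret(secret, parts, rng):
    """XOR secret splitting for any number of participants: every share but the last is
    uniformly random, the last is secret XOR all the others; all of them XOR back to secret."""
    shares = [bytes(rng.getrandbits(8) for _ in secret) for _ in range(parts - 1)]
    return shares + [reduce(xor, shares, secret)]

def combine(shares):
    return reduce(xor, shares)

def new_transaction_item(identity, n, rng):
    """The new owner's identity split into n independent (p1, p2) pairs, both halves
    present. Identities are padded to a fixed width so the XORs line up."""
    return [tuple(split_secret(identity.ljust(8, b" "), 2, rng)) for _ in range(n)]

def spend(coin, new_owner, n, rng):
    """Transfer the coin: the current owner's item keeps one randomly chosen half of
    each pair (the other becomes None), then the new owner's full item is appended.
    Returns a new coin object, because a dishonest spender may keep the old one."""
    items = list(coin["transactions"])
    items[-1] = [(p1, None) if rng.random() < 0.5 else (None, p2) for p1, p2 in items[-1]]
    items.append(new_transaction_item(new_owner, n, rng))
    return {"serial": coin["serial"], "denomination": coin["denomination"], "transactions": items}

def depositor(coin):
    """Only the last item still has both halves, so only the depositor is visible."""
    p1, p2 = coin["transactions"][-1][0]
    return xor(p1, p2).rstrip(b" ")

def find_double_spender(copy_a, copy_b):
    """Bank side, given two deposits of the same serial number. In the first item whose
    pairs were blanked differently, one copy kept p1 and the other p2: XOR them."""
    if copy_a["serial"] != copy_b["serial"]:
        return None
    for item_a, item_b in zip(copy_a["transactions"], copy_b["transactions"]):
        for (a1, a2), (b1, b2) in zip(item_a, item_b):
            if a1 is not None and a2 is None and b1 is None and b2 is not None:
                return xor(a1, b2).rstrip(b" ")
            if a2 is not None and a1 is None and b2 is None and b1 is not None:
                return xor(b1, a2).rstrip(b" ")
    return None

def catch_probability(n):
    """1 - (1/2)^n: the chance that at least one of the n pairs differs between copies."""
    return 1 - 0.5 ** n

def double_spend_demo(n, seed=7):
    """Alice withdraws a coin, keeps a copy, and pays both Bob and Carol with it."""
    rng = random.Random(seed)
    coin = {"serial": 0xC0FFEE, "denomination": 10,
            "transactions": [new_transaction_item(b"ALICE", n, rng)]}
    paid_to_bob = spend(coin, b"BOB", n, rng)
    paid_to_carol = spend(coin, b"CAROL", n, rng)  # the same coin, spent a second time
    return find_double_spender(paid_to_bob, paid_to_carol)
```

A single honest deposit never triggers find_double_spender, since one blanked copy carries only one half of every pair; two deposits escape only if all n pairs happened to be blanked the same way, which is the (1/2)^n term.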

Memory requirements

By allowing more than one person to use the same coin, extra data is appended to the coin
'file', so the size of this file is ever growing. A possible solution is to have a maximum
number of transactions, which limits the number of IDs added to the file. No more transactions
can take place once the maximum has been reached, and the coin must be banked.

Also, to stop the bank's database of serial numbers growing without bound, there may be a validity
period (or expiration date) associated with the coin, after which the coin can no longer be banked.
This allows the bank to 'clean up' its database of invalid serial numbers.

Pros and Cons of the offline digital cash system

Pros

• Off-line, portable scheme.
• User is fully anonymous unless he/she double spends.
• Bank can detect a double spender (with high probability).
• Banks don't need to synchronize databases in each transaction.
• Coins are reusable.

Cons

• Might not prevent double spending immediately.
• More expensive to implement - the extra security hardware needed in the system
requires an additional cost.

Policy considerations

There is a lot of concern regarding the anonymity of digital cash with respect to illegal
activities. For example, it can be used for money laundering and ransom demands without it being
possible to trace the culprit. There are proposals/solutions that address this concern, involving
identity escrow and trusted parties.

One of these solutions is to have a trusted third party in the money transaction. In the diagram
below it is called a judge. The judge would have access to either the message-signature pair
or the signer's view of the protocol. With this information, together with the information from
either the sender or the signer, the culprit can be traced.

However, digital cash has not taken off, in contrast with other electronic payment systems such
as Paypal.

Paypal

Paypal is not "digital cash", because it doesn't attempt to provide properties similar to cash
(anonymity, off-line usage). Instead, it aims to replace credit cards, and is much more secure. In
contrast with credit cards, Paypal payees do not have to have merchant status. Thus, it is
attractive to private individuals selling at auctions.

Digital cash was invented by David Chaum in 1988. In 1990 he founded DigiCash, a pioneering
firm in the area, but it attracted only US$160k in two years, declared bankruptcy in 1998,
and was bought by eCash Technologies. Now eCash is having its own troubles and has been
bought by another company called InfoSpace.

PayPal was founded in December 1998. Adopting aggressive marketing campaigns offering $10
(and later $5) for new users to sign up, the firm grew at a meteoric rate of 7–10 percent per day
between January and March 2000. In October 2002 PayPal was acquired by eBay. PayPal had
previously been the payment method of choice by over fifty percent of eBay users, and the
service competed with eBay's subsidiary BillPoint. eBay has phased out its BillPoint service in
favor of retaining the PayPal brand. PayPal's only substantially similar competitor is now
BidPay, after Citibank's c2it service closed in late 2003, and Yahoo!'s PayDirect service closed
in late 2004. In 2004, the total value of transactions through the PayPal system was $18.9 billion,
up 55% year over year. As of the end of Q2 2005, PayPal operates in 57 countries (including
China) and it manages over 78.9 million accounts. Every second PayPal processes an average of
$823 in total payment volume. (This information is extracted from Wikipedia.)

Conclusion

The elimination of physical cash from our economy is already feasible from a purely
technological perspective. However, substantial additional investment in equipment and cards
would be needed to permit even purchases such as soft drinks to be made.

But transactional privacy is at the heart of critics' attack on digital cash. Because it's
untraceable, there are concerns about money laundering, offshore banking and tax havens,
and developments in digital cash have been closely monitored. Investors don't have confidence
in the development of digital cash. In contrast, non-anonymous, on-line payment systems like
PayPal are enjoying huge success.

Questions to consider - just to check that you understand what this is about!

• How does PayPal overcome the double spending problem?
• Categorise mobile phone top-up scratch-card vouchers in terms of the Categorization of
payment systems above.
• What if Alice, Bob1 and Bob2 conspire together to achieve double spending by Bob1
and Bob2 picking the same random numbers to hide Alice's identity?

References

1. David Chaum, Amos Fiat and Moni Naor, "Untraceable Electronic Cash", in Advances in
Cryptology - CRYPTO '88 Proceedings.
This paper describes an off-line system which doesn't require any trusted hardware, but coins can
only be used once.
2. David Chaum, "Blind Signature System", US Patent #4759063.
3. Peter Wayner, "Digital Cash: Commerce on the Net", Academic Press Inc, 1996.
4. Hitesh Tewari, Donal O'Mahony and Michael Peirce (1998), "Reusable Off-Line Electronic Cash
Using Secret Splitting", Technical Report TCD-CS-1998-27, Trinity College Dublin Computer
Science Department, Dublin.
5. Digital Cash and Net Commerce. http://www2.pro-ns.net/~crypto/toc12.html
