2. What is Digital Cash?
¨ A payment message bearing a digital signature
which functions as a medium of exchange or store
of value
¨ Need to be backed by a trusted third party, usually
the government and the banking industry.
4. Digital Cash vs Credit Card
Anonymous Identified
Online or Off-line Online
Store money in
digital wallet
Money is in the
Bank
5. The Online Model
¨ Structure Overview
Link with
other banks
Deposit
Coins
Bank
Withdraw
Coins
Payment
User Merchant
6. Pros and Cons of the online scheme
¨ Pros
– Provides fully anonymous and untraceable digital cash.
– No double spending problems.
– Don't require additional secure hardware – cheaper to implement.
¨ Cons
– Communications overhead between merchant and the bank.
– Huge database of coin records.
– Difficult to scale, need synchronization between bank servers.
– Coins are not reusable
7. The Offline Model
¨ Structure Overview
Bank
Merchan
t
User
Temper-resistant
device
Others
T.R.D
.
8. Pros and Cons of the offline model
¨ Advantages
– Off-line scheme
– User is fully anonymous unless double spend
– Bank can detect double spender
– Banks don’t need to synchronize database in each transaction.
– Coins could be reusable
– Reduced the size of the coin database.
¨ Disadvantages
– Might not prevent double spending immediately
– More expensive to implement
9. Traceable Signature Protocol
Merchant Customer Bank
m
message m
= amount,
serial no
(m)d
d is secret key of the
Bank
(m)d spend
send m
(m)d send
(m)d verify
10. Blind Signatures
¨Add a blinding factor b
¨ r = (m)be
¨rd = (mbe)d
¨Bank could keep a record of r
¨Remove blinding factor
¨ (mbe)d = (m)dbed
¨ b-1 md
message
11. Untraceable Digital Cash
¨Create k items of m
m1 = (…, amount, serial number)
mk = (…, amount, serial number)
Random Serial Number
m1
Random Serial Number
, …, mk
12. Untraceable Digital Cash
¨Create blinding factors:b1
e,…, bk
e
¨Blind the units - m1b1
e, …, mk bk
e
m1b1
e mkbk
, …, e
Bank
¨Send to bank for signing
13. Untraceable Digital Cash
¨Bank chooses k –1 to check
¨Customer gives all blinding factors except
for unit i
¨Bank checks they are correct
i
14. Untraceable Digital Cash
¨Bank signs the remaining one and sends it
back – (mbe
)d = mdbiii
i
Customer
¨The customer removes the blind using
bi
Serial no
-1 mi
d
15. Problem!
¨When the merchant receives the coin, it still
has to be verified
¨The merchant has to have a connection with
the bank at the time of sale
¨This protocol is anonymous but not portable
17. Secret Splitting
¨A method that splits the user ID in to n parts
¨Each part on its own is useless but when
combined will reveal the user ID
¨Each user ID is XOR with a one time Pad,
R
18. Cont…
¨E.g. User ID = 2510, R = 1500:
¨2510 XOR 1500 = 3090
¨The user ID can now be split into 2 parts,
I.e. 1500 and 3090
¨On their own they are useless but when
XOR will reveal the user ID
¨I.e 1500 XOR 3090 = 2510
19. A Typical Coin
¨Header Information
¨Serial number
¨Transaction Item – pairs of user ID’s
¨ User ID:
1500 3090
4545 6159
5878 7992
20. A Typical Coin
¨Header Information
¨Serial number
¨Transaction Item – pairs of user ID’s
¨ User ID:
1500 XOR 3090 = 2510
4545 XOR 6159 = 2510
5878 XOR 7992 = 2510
User ID
21. Blanking
Randomly blank one side of each identity pair
¨ User ID:
0 3090
4545 6159
5878 7992
23. The coin is now
spent
You can no longer tell who owns the coin
¨ User ID:
0 3090
4545 0
5878 0
•Merchant would now deposit this coin into the
bank
24. The coin is copied and spent at
another merchant
•Before the user spent the coin the first time, the user
made a copy of it
¨ User ID:
1500 0
4545 0
0 7992
•Merchant would now deposit this coin into the
bank
25. How can we catch
the user?
¨ Original Coin
¨ User ID:
0 3090
4545 0
5878 0
¨ Duplicate Coin
¨ User ID:
1500 0
4545 0
0 7992
This is what is in the bank
26. How can we catch
the user?
¨ Original Coin
¨ User ID:
0 3090
4545 0
5878 0
¨ Duplicate Coin
¨ User ID:
1500 0
4545 0
0 7992
This is what is in the bank
3090 XOR 1500 = 2510
5878 XOR 7992 = 2510
User ID
27. Probability of catching the culprit
¨Depends on the number of the identity
strings used
¨Probability of catching a user is:
– 1 - ½n , where n is the number of identity strings
E.g. n = 5, the probability of catching a user is:
0.97
28. Reusability
¨Once the coin has been spent the merchant
has to deposit it to the bank
¨Therefore, coin can only be spent once
¨Convenience, ability to give change,
unnecessary transactions between bank and
merchant
¨Banks database size – less serial numbers
¨Solution – Add the new User ID to the coin
31. Amit spends his coin at Hirens
shop
The coin will now look like this:
Amit no longer owns
the coin, it is bounded
to Hiren
User ID:
A 0
0 IT
AMI 0
HI REN
HIR EN
H IREN
32. Hiren can now go and spend his
coin at Kevin's shop
The coin looks like this:
User ID:
A 0
0 IT
AMI 0
HI REN
HIR EN
H IREN
33. Hiren can now go and spend his
coin at Kevin's shop
The coin will now look like this:
User ID:
A 0
0 IT
AMI 0
0 REN
0 EN
H 0
KE VIN
K EVIN
KEV IN
34. Size Matters!
¨Coin m = (Serial num, denomination,
Transaction list (transactions * user ID),
Other Header info)
¨Limit size by Validity Period and/or
max Transactions
35. Other proposals
¨What if you what buy something that costs
£4.99 and you have £5 coin?
¨Would have a ‘file’ for every coin
£4
£2 £2
£1 £1 £1 £1
£2
£1 £1
£2
£1 £1
36. Fair Blind Signatures
¨Possible solution to undetectable money
laundering or ransom demands
Sender Signing protocol Signer
Message-signature pair Un-linkable View of protocol
Judge
37. Conclusion
¨Feasible from a purely technological
perspective
¨Anonymous is at the heart of the
government's attack
¨Cannot attract funding