1. Electronic Cash
Credit cards today dominate the online payment systems, but electronic cash is the way
of the future. Electronic cash (also called e-cash or digital cash) is any value storage and
exchange system created by a private (non-governmental) entity that does not use paper
documents or coins and that can serve as a substitute for government-issued physical
currency. Since e-cash is issued by many private companies, we need common standards
for all e-cash issuers so that they are accepted by each other. Until now those common
standards were not met. Every issuer has its own standards and e-cash is not universally
accepted compared to government-issued physical currency.
For e-cash to be successful, a standard must be developed for e-cash disbursement
and acceptance.
Bandar Al-Turaif baa@cise.ufl.edu
The consumer can store the e-cash in an electronic wallet on his or her computer. In
addition, the consumer can authorize the issuer to make payments to third parties from
the e-cash account.
Off-line: validity of the transaction is checked after the transaction has occurred. The
merchant or bank can conduct a series of calculations to reveal the customer’s identity
when a security breach has occurred.
In general off-line schemes are more efficient than on-line ones. The two fundamental
issues with any off-line electronic cash scheme have been the detection of double
spending and provision of anonymity. Cut-and-Choose technology was one of the first
techniques that were introduced to address the issue of double spending in an off-line
scheme. However, it is not very efficient. Subsequently, other techniques have been
proposed to solve both problems without the Cut-and-Choose method.
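[Figure: withdrawal between Alice (A) and the Bank. Alice sends n blinded coins (Coin = Amount + Identity + Serial #); the Bank chooses n/2 coins; Alice sends the details of those n/2 coins and all coins' serial numbers; the Bank checks the coins and signs the other n/2 coins.]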
Payment
1. Alice sends the required number of coins to Bob.
2. Bob verifies that the coins are valid by checking the bank’s signature.
3. Bob challenges Alice to reveal one of the pair of identity strings for each coin. A
random binary string r is used to determine which identity string is revealed.
If $r_i = 1$, Alice responds with the left half of the coin’s identity string.
If $r_i = 0$, Alice responds with the right half of the coin’s identity string.
4. Bob verifies that the coin has the correct form and that the revealed identity
strings are correct.
[Figure: payment between Alice (A) and Bob (B). Alice sends k coins; Bob checks the bank’s signature and challenges Alice to reveal one of each pair of identity strings.]
Deposit
1. Bob sends the payment transcript to the bank. This includes the coin and the half
of the identity string which was revealed during the transaction.
2. The bank checks that no other coins in its database have the same uniqueness
string.
3. If another coin has been returned with the same uniqueness string then double
spending has occurred. The bank then checks the identity string with the list of
strings it received from the customer during withdrawal.
If the identity string is the same the bank knows that Bob has double
spent.
If the identity string is different the bank knows that Alice has double
spent.
The bank selects an identity string pair where one merchant has returned
the left half and the other merchant has returned the right half. The bank
then XORs the two halves to discover the identity of the customer. If the
two merchants have used the same random string the customer’s id cannot
be revealed.
4. If the uniqueness string is indeed unique the bank credits Bob’s account.
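The deposit check in step 3, as an added example that is not part of the original document: each identity pair XORs to the customer's identity, two deposits of the same coin carry different challenges, and the bank recombines one left half with one right half. The function names, the 8-pair coin and the sample identity are constructed for illustration.

```python
import secrets

def make_identity_pairs(identity: bytes, n: int):
    """Withdrawal: n (left, right) pairs, each with left XOR right == identity."""
    pairs = []
    for _ in range(n):
        left = secrets.token_bytes(len(identity))
        right = bytes(a ^ b for a, b in zip(left, identity))
        pairs.append((left, right))
    return pairs

def respond(pairs, challenge):
    """Payment step 3: challenge bit 1 reveals the left half, bit 0 the right half."""
    return [left if bit == 1 else right
            for (left, right), bit in zip(pairs, challenge)]

def bank_check(transcript_a, transcript_b):
    """Deposit step 3 for two transcripts that carry the same uniqueness string.
    A transcript is (challenge_bits, revealed_halves)."""
    (ch_a, rev_a), (ch_b, rev_b) = transcript_a, transcript_b
    if ch_a == ch_b and rev_a == rev_b:
        # Same identity strings returned twice: attributed to the merchant.
        # With identical challenges no left/right pair exists, so no identity.
        return ("merchant", None)
    for bit_a, bit_b, half_a, half_b in zip(ch_a, ch_b, rev_a, rev_b):
        if bit_a != bit_b:
            # One merchant holds the left half, the other the right half.
            return ("customer", bytes(x ^ y for x, y in zip(half_a, half_b)))
    return ("customer", None)

def demo():
    identity = b"ALICE-0042"                      # constructed sample identity
    pairs = make_identity_pairs(identity, 8)
    bob = [1, 0, 1, 1, 0, 0, 1, 0]                # Bob's random string r
    carol = [1, 0, 0, 1, 0, 0, 1, 0]              # second merchant, differs in bit 2
    t_bob, t_carol = (bob, respond(pairs, bob)), (carol, respond(pairs, carol))
    return identity, bank_check(t_bob, t_carol), bank_check(t_bob, t_bob)
```

With an n-bit challenge, two honest merchants pick the same string with probability 2^-n, which is the case where the identity stays hidden.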
[Figure: deposit. Bob (B) sends the payment transcript to the Bank, which checks the serial number.]
A possible attack against this protocol is a cooperation attack between Alice and Eve. If
Alice, after paying Bob, sends her spent coin to Eve together with the binary string chosen
by Bob and her response to it, then Eve will hold exactly the same payment transcript as
Bob, and the bank will not know which one of them is cheating.
Withdrawal
During this transaction the coin is created by both the bank and the customer. The coin is
represented by three numbers A, B, C.
1. Alice chooses three random numbers a1, b1, and c1. She also chooses some
random multiplicative and exponential blinding numbers. Alice blinds a1, b1, and
c1 using these blinding factors. These values are then sent to the bank.
2. The bank also chooses three random numbers a2, b2 and c2. These are to be the
bank’s components of the coin. The bank sends them to Alice.
3. Alice chooses another random number k1 and calculates ea, eb and ec whose values
contain both a1, b1, c1 and a2, b2, c2 and k1. Alice then sends ea, eb and ec to the
bank.
4. The bank calculates A’, B’, C’ the blinded values of A, B, and C using ea, eb and
ec. The bank now signs the components of the coin with its public key v and
selects a random value k2. The bank returns A’, B’, C’ along with a random
number k2 to Alice.
5. Alice unblinds the signed coin giving values for A, B, C.
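[Figure: withdrawal between Alice (A) and the Bank. Alice chooses a1, b1, c1 and sends the blinded values a’1, b’1, c’1; the Bank chooses a2, b2, c2 and sends them to Alice.]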
Payment
1. Alice sends A, B, C to Bob.
2. Bob returns a challenge x to Alice.
3. Alice calculates the response $r = kx + I$. She sends Bob r and the signature
$(C^r A^x B)^{1/v}$.
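[Figure: payment between Alice (A) and Bob (B). Alice sends A, B, C; Bob chooses a challenge x and sends it; Alice calculates r = kx + I and returns r and the signature.]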
Deposit
1. The payment transaction details including the challenge and response are
forwarded to the bank.
2. If Alice has double spent the coin, the bank can determine two different points on
the line $r = kx + I$. The identity of the customer is revealed through I.
[Figure: deposit. Bob (B) sends the transaction details to the Bank, which evaluates kx + I.]
A possible attack against this protocol is a cooperation attack between Alice and Eve. By
choosing the challenge to be a hash of a random number and Bob’s identity we can
prevent this attack.
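An added example (not from the original document) of the deposit step and of the hashed challenge: two responses on the line r = kx + I give the slope k and then the intercept I, and a challenge derived from a random number and the merchant's identity cannot be claimed by a different depositor. The prime modulus, SHA-256 and all sample values are assumptions made for the demonstration; the document does not specify them.

```python
import hashlib

V = 2**127 - 1   # constructed prime modulus for the arithmetic (assumption)

def challenge(merchant_id: str, nonce: bytes) -> int:
    """Challenge x = hash(random number, merchant identity), reduced mod V."""
    digest = hashlib.sha256(nonce + b"|" + merchant_id.encode()).digest()
    return int.from_bytes(digest, "big") % V

def respond(k: int, identity: int, x: int) -> int:
    """Payment step 3: r = k*x + I."""
    return (k * x + identity) % V

def recover_identity(x1: int, r1: int, x2: int, r2: int):
    """Deposit step 2: two distinct points determine the line, hence I."""
    dx = (x1 - x2) % V
    if dx == 0:
        return None                      # same point twice: line not determined
    k = (r1 - r2) * pow(dx, -1, V) % V   # slope
    return (r1 - k * x1) % V             # intercept = customer identity I

def depositor_owns_challenge(merchant_id: str, nonce: bytes, x: int) -> bool:
    """Bank-side check: x must hash from the depositor's own identity."""
    return challenge(merchant_id, nonce) == x

def demo():
    k, identity = 0x1234567890ABCDEF, 424242          # constructed coin secrets
    nonce_bob, nonce_carol = b"nonce-bob", b"nonce-carol"
    x_bob = challenge("bob", nonce_bob)
    x_carol = challenge("carol", nonce_carol)
    r_bob, r_carol = respond(k, identity, x_bob), respond(k, identity, x_carol)
    return {
        "single_spend": recover_identity(x_bob, r_bob, x_bob, r_bob),
        "double_spend": recover_identity(x_bob, r_bob, x_carol, r_carol),
        "bob_deposit": depositor_owns_challenge("bob", nonce_bob, x_bob),
        # Eve replays Bob's transcript handed over by Alice: x does not match her.
        "eve_deposit": depositor_owns_challenge("eve", nonce_bob, x_bob),
    }
```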
[Figure: binary tree for a $100 coin. Root node n0 is worth $100; its child nodes n00 and n01 are worth $50 each.]
The key to the binary tree method is the way the binary tree nodes are allocated values.
If a cash scheme uses the binary tree mechanism, each coin of worth $w = 2^L$ is associated
with a binary tree of (1+L) levels and w leaves. Each node of the tree represents a certain
denomination.
When dividing the value of the coin two rules are followed:
1. Route Node Rule: when a node is used, all descendant nodes and all ancestor nodes
of this node cannot be used.
2. Same Node Rule: No node can be used more than once.
The divisibility service provided by the binary tree mechanism is implemented in the
payment transaction.
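The two rules as a spend checker, added here as an illustration and not taken from the original document. Node labels follow the figure (n0 for the root, n00 and n01 for its children), so an ancestor's label is a prefix of its descendants' labels; the coin worth of 8 (L = 3) and the spending sequence are constructed.

```python
from typing import Optional

def node_value(node: str, worth: int) -> int:
    """'n0' is the root and holds the whole coin; each level down halves it."""
    depth = len(node) - 2
    return worth >> depth

def conflict(node: str, spent: set) -> Optional[str]:
    """Return the rule that spending `node` would break, or None if allowed."""
    for used in spent:
        if used == node:
            return "same node rule"
        if used.startswith(node) or node.startswith(used):
            return "route node rule"   # one node is an ancestor of the other
    return None

def spend(node: str, spent: set, worth: int) -> int:
    """Mark `node` as used and return its denomination, or refuse."""
    rule = conflict(node, spent)
    if rule:
        raise ValueError(f"{node}: violates {rule}")
    spent.add(node)
    return node_value(node, worth)

def demo():
    worth, spent, paid, refused = 8, set(), 0, []
    # n00 = 4, n010 = 2, then three forbidden nodes, then n011 = 2.
    for node in ["n00", "n010", "n0", "n001", "n010", "n011"]:
        try:
            paid += spend(node, spent, worth)
        except ValueError as err:
            refused.append(str(err))
    return paid, refused
```

Because no used node lies on another used node's root-to-leaf path, the accepted nodes can never add up to more than the coin's worth.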
The following describes how Okamoto and Ohta employ the binary tree mechanism.
Payment
1. Alice determines randomly which nodes are required to pay the merchant the
required amount. Alice keeps a record of the nodes which have already been
spent and does not select from these nodes. Alice then sends the x value for the
nodes to Bob.
2. Bob checks that the coin is valid and calculates $e = H(I_b, T, r)$, where $I_b$ is
Bob’s identity, T is the time, r is a randomly generated number and H is a one-way
hash function. Bob sends e to Alice.
3. Alice now calculates the value of y and returns it to Bob. The value y is a history
of the transaction.
4. Bob validates y and accepts the payment.
[Figure: payment between Alice (A) and Bob (B). Bob sends e; Alice calculates y and returns it; Bob validates y and accepts.]
When the coin is deposited in the bank the coin can be checked for double spending. If
the same node value is stored twice in the bank’s database the second rule has been
violated. Alice can double spend the coin without her identity being revealed, if she
cheated in the account opening.
3.1. DigiCash
DigiCash was founded in Amsterdam by David Chaum in 1990. One of DigiCash’s
products is ecash; it is an online payment system over email or the internet based on Chaum’s
digital cash system using blind signatures.
To use ecash, every user opens an account with a digital bank on the internet which issues
the coins for them. The ecash software (cyberwallet) issues an asymmetric key for each
user based on RSA.
For Alice to withdraw cash she determines how much she needs, the software generates
random serial numbers, usually 100 digits, for the coins and a blinding factor and sends
them to the bank.
The bank verifies the message to make sure that it was signed by Alice, signs it and debits
Alice’s account.
Alice unblinds the coins and stores them on her PC. When Alice wants to buy something
from Bob, she sends him the coins. Bob sends the coins to the bank to verify the
authenticity of them and that they have not been spent before.
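The withdrawal and online verification described above, as an added example using textbook RSA blind signatures; it is not DigiCash's code. The demo key built from two Mersenne primes, the SHA-256 digest of the serial number and the function names are assumptions chosen so the block runs offline, and the key is not secure.

```python
import hashlib, math, secrets

# Constructed demo key (two Mersenne primes): illustrative only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))       # bank's private exponent

def coin_digest(serial: str) -> int:
    return int.from_bytes(hashlib.sha256(serial.encode()).digest(), "big")

def blind(serial: str):
    """Alice: hide the coin's serial number under a random blinding factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return coin_digest(serial) * pow(r, E, N) % N, r

def bank_sign(blinded: int) -> int:
    """Bank: sign the blinded value; it never sees the serial number."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Alice: strip r to obtain the bank's signature on the real coin."""
    return blind_sig * pow(r, -1, N) % N

def bank_verify(serial: str, sig: int, spent: set) -> str:
    """Bank, when Bob submits a coin: signature first, then spent-coin database."""
    if pow(sig, E, N) != coin_digest(serial):
        return "invalid signature"
    if serial in spent:
        return "already spent"
    spent.add(serial)
    return "accepted"

def demo():
    serial = str(secrets.randbelow(10**100))     # constructed 100-digit-range serial
    blinded, r = blind(serial)
    sig = unblind(bank_sign(blinded), r)
    spent = set()
    return (blinded != coin_digest(serial),
            bank_verify(serial, sig, spent),
            bank_verify(serial, sig, spent),
            bank_verify(serial + "0", sig, spent))
```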
DigiCash advantages are anonymity for customers and the possibility of recovering lost
coins by giving the bank their serial numbers.
DigiCash disadvantages are that merchants must reveal their identity to the bank to cash
the coins and that both they and their customers must open accounts at the same bank.
Also maintaining a database for spent coins is a major problem because it can become
very large and unmanageable.
Possible attacks are man in the middle attack and interception attack, since the bank
sends account numbers and passwords to users via unencrypted email messages.
3.2. NetCash
NetCash was developed at the Information Sciences Institute of the University of
Southern California. It uses identified online e-cash.
The system consists of buyers, merchants, and currency servers. The currency server
issues the coins; each coin is signed by the server’s private key and consists of:
Currency Server Name
Currency Server Network Address
Expiry Date
Serial Number
Coin Value
The currency servers do not keep records of coin holders; coin holders can exchange
coins between different currency servers. The currency servers prevent double spending
by keeping a record of only valid and unspent coins.
When Alice wants to buy something from Bob, she sends him the coins, identifier of the
merchandise, a new secret key, and her public key, all encrypted with Bob’s public key. Bob
verifies the coins by sending them to the issuing currency server along with a new secret
key and type of transaction encrypted by the server’s public key. The currency server
checks that the coins are valid and are in its database and exchanges them for new coins
and sends the new coins to Bob encrypted with the secret key sent by Bob. Bob then
sends a receipt to Alice signed with his private key and encrypted with their secret key.
This scheme does not protect Alice from fraud; Bob can spend the coins without sending
Alice any receipt. Extensions to the protocol solve this problem and provide extra things,
like anonymity and an offline scheme.
NetCash advantages are that it is secure and scalable, but its lack of anonymity and the
extensive use of session keys, which slows it, are its disadvantages.
3.3. InternetCash
InternetCash gives customers a chance to pay for their shopping on the internet with cash
instead of credit cards. It uses digital signatures and RSA.
Customers buy prepaid cards from any store and go online to activate the card by
entering a 20 digit number on the back of the card and creating a PIN for themselves. After
the customer finishes shopping, a secure browser window opens for him to enter his PIN.
The merchant sends the PIN to the InternetCash server to validate the card along with the
payment request. After the InternetCash server validates the card, it deducts the amount
from the card and credits the merchant.
InternetCash cards consist of:
The Card ID (CID) : public nine alphanumeric (base 32) digits.
The Card Secret Code (CSC): public eleven alphanumeric (base 32) digits. The
CSC is a keyed hash function of the truncated CID based on SHA-1 and
InternetCash secret key.
A secret PIN: used for additional security in case the CID and CSC are
compromised.
The concatenation of CID and CSC is called the “InternetCash card number” and it is
twenty alphanumeric digits long.
Issuing Protocol
1. Alice is given an InternetCash card number over an encrypted channel with only
the InternetCash server being authenticated or by buying a card from any retail
store (over SSL or TLS).
2. Alice chooses a PIN over an encrypted channel with only the InternetCash server
being authenticated.
Payment Protocol
Consists of a secret key digital signature of the payment information based on CSC
and PIN. The generated signature is called the Payment Authentication Number
(PAN) using a keyed hash function based on SHA-1. The user’s CID and the PAN are
sent to Bob over an encrypted channel to eliminate eavesdropping.
Clearing Protocol
Bob forwards the payment data (amount, time/date, etc), the CID and the PAN to
InternetCash over a secure and authenticated channel. InternetCash recreates the PAN
from the payment data and the CID and compares it with the received PAN and debits
Alice’s account and credits Bob’s account.
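The payment and clearing steps above, as an added example that is not InternetCash's own code: the document only says the CSC and PAN are keyed hashes based on SHA-1, so HMAC-SHA1, the key layout, the payment-data encoding and every sample value below are assumptions.

```python
import base64, hashlib, hmac

SERVER_KEY = b"constructed-demo-secret"     # placeholder for the InternetCash secret key

def derive_csc(cid: str) -> str:
    """CSC: keyed SHA-1 hash of the CID, cut to eleven base-32 digits.
    The truncation of the CID is not specified in the text, so the whole CID is used."""
    mac = hmac.new(SERVER_KEY, cid.encode(), hashlib.sha1).digest()
    return base64.b32encode(mac).decode()[:11]

def payment_data(amount: int, when: str, merchant: str) -> str:
    return f"amount={amount};time={when};merchant={merchant}"

def make_pan(csc: str, pin: str, payment: str) -> str:
    """Payment protocol: PAN = keyed hash of the payment data under CSC and PIN."""
    key = f"{csc}:{pin}".encode()
    return hmac.new(key, payment.encode(), hashlib.sha1).hexdigest()

def clear(cid, pan, amount, when, merchant, pins, balances) -> bool:
    """Clearing protocol: recreate the PAN server-side, compare, then settle."""
    expected = make_pan(derive_csc(cid), pins[cid], payment_data(amount, when, merchant))
    if not hmac.compare_digest(expected, pan):     # constant-time comparison
        return False
    if balances[cid] < amount:
        return False
    balances[cid] -= amount
    balances[merchant] = balances.get(merchant, 0) + amount
    return True

def demo():
    cid, pin, when = "ABCDEFGH2", "4711", "2004-01-01T12:00"   # constructed card
    pins, balances = {cid: pin}, {cid: 20}
    pan = make_pan(derive_csc(cid), pin, payment_data(5, when, "bob"))
    ok = clear(cid, pan, 5, when, "bob", pins, balances)
    # Merchant alters the amount after Alice authorised 5: the PAN no longer matches.
    tampered = clear(cid, pan, 15, when, "bob", pins, balances)
    return ok, tampered, balances
```

The server never needs the CSC or PIN on the wire: it derives the CSC from the CID and looks up the PIN it stored at activation.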
InternetCash is anonymous and secure, but we have to maintain a huge database for the
cards.
4. References
G. Schneider, Electronic Commerce, Fourth Annual Edition, Thomson, 2003.
D. Chaum, A. Fiat and M. Naor, “Untraceable Electronic Cash”, In Advances in Cryptology - Proceedings of CRYPTO ‘88 (LNCS 403), pages 319-327, Springer-Verlag, 1990.
N. Ferguson, “Single Term Off-Line Coins”, In Advances in Cryptology - Proceedings of EUROCRYPT ‘93 (LNCS 765), pages 318-328, Springer-Verlag, 1994.
T. Eng and T. Okamoto, “Single-Term Divisible Electronic Coins”, In Advances in Cryptology - Proceedings of EUROCRYPT ‘94 (LNCS 950), pages 306-319, Springer-Verlag, 1995.
T. Okamoto, “An Efficient Divisible Electronic Cash Scheme”, In Advances in Cryptology - Proceedings of CRYPTO ‘95 (LNCS 950), pages 438-451, Springer-Verlag, 1995.
T. Okamoto and K. Ohta, “Universal Electronic Cash”, In Advances in Cryptology - Proceedings of CRYPTO ‘91 (LNCS 576), pages 324-337, Springer-Verlag, 1992.
M. Peirce and D. O’Mahony, “Scaleable-secure-cash-payment”, Proceedings of the Fourth International World Wide Web Conference, 11-14 Dec, 1995.
M. Farsi, Digital Cash, www.simovits.com/archive/dcash.pdf
InternetCash, http://www.internetcash.com
Electronic Cash, http://www.tcs.hut.fi/~helger/crypto/link/protocols/ecash.html
Electronic Cash Papers, http://dosan.skku.ac.kr/~jykim/list_of_e-cash_paper.htm
http://www.geocities.com/holger_petersen/Cash.html
http://sky.fit.qut.edu.au/~fooe/research/cashtax2.doc
http://www.ex.ac.uk/~RDavies/arian/emoney.html