Professional Documents
Culture Documents
I n f o r m a t i o n Sciences I n s t i t u t e
U n i v e r s i t y of S o u t h e r n C a l i f o r n i a
102
Hardware independence: To prevent double spend-
ing during ofltine operation, some e-cash protocols rely on {Certif.id, CS_name, Kcs, issue_date, exp-date}K/7~c
tamper-proof hardware [4]. A drawback to this approach
is that new technology might allow the compromise of such F i g u r e 1: A c e r t i f i c a t e f o r m i n t i n g c u r r e n c y
hardware, leaving users vulnerable to double spending. {CS_name, s_addr, exp_date, serial_num, coin_val}Kc~,
3 Related work Certif_id
103
of the coin, but the fact that it has not been double spent is
not assured until the coin is exchanged for a new coin directly
with the currency server.
1. {instrument, SKx, transaction}Kos
S NetCash exchange protocols 2. {instrument} S K x
In this section, we define protocols for monetary exchanges F i g u r e 3: E x c h a n g e w i t h t h e c u r r e n c y s e r v e r
with provision of anonymity. We will concentrate on proto-
cols providing practical anonymity. In our protocol descrip- ............ l a ...........
tion, we make the assumption that clients use different cur- :."....... lb ............:
rency servers, each of which mints its own currency backed C : ) : " .................. ...................... 'U3
by account balances in the non-anonymous accounting infras-
tructure, but registered in the name of the currency server
itself, not its clients. For the sake of clarity in our proto-
cols, we refer to such non-anonymous transactions using this
accounting infrastructure as the transfer of a check. The me- la. KAN
chanics of the non-anonymous transfers will not be discussed lb. { KBN }KAN
here but can instead be found in [5]. lc. {coins, SKANI, K .... SAd }KBN, {Certif_id, Kcs,
issue_date, expiration_date} KF/aC
S.1 Notation
2. {{amount, T-id, date }RBN.- 1 }SKAN1
The participants in our protocols are: clients, merchants,
and currency servers. The first two are represented as A and F i g u r e 4: S i m p l e p a y m e n t , o p t i o n a l s t e p s : l a & l b .
B, the currency servers are denoted as CS. Banks are simply
and if a check, tile name of the party to which it should be
merchants in our protocol and are also represented by A and
payable), all sealed with the currency server's pubfic key.
B. X stands for any participant.
If the instrument provided is a coin issued by the currency
The term 'transaction' is used here to mean a monetary
server itself, the coin is checked for double spending by ver-
transaction between participants. A payment happens in one
ifying whether the record associated with the coin exists. If
direction from A to B. Encryption is represented by curly
the instrument is a coin issued by another currency server,
braces {}. A public key is represented as the letter K with a
the local currency server contacts the remote currency server
subscript naming the owner of the key. A subscript ending
to convert the coin, accepting in return a check payable to
with letter N indicates a newly generated key not advertised
the local currency server, which is then cleared through the
anywhere in association with the principal's identity. A pri-
global accounting infrastructure. If the instrument is a check,
vate key is the inverse of the public key and is represented
the local currency server clears it, depositing the proceeds in
as K key"
-1 Keys for a symmetric encryption system are repre-
its own account.
seated by the letters SK with a subscript. In the second step, the server returns the desired instru-
5.2 Basic building blocks ment, either newly issued coins, or a check made payable
In this section, we describe basic exchanges that serve as to the individual named in the transaction. Encryption with
building blocks for later protocols. As discussed in section 4,
SKx, proves the identity of the CS and prevents the contents
currency servers issue coins that may be used by their clients of the message from exposure to an attacker.
while preserving their anonymity. Currency servers provide S.2.2 Simple payor-payee exchange
the point of entry to the accounting infrastructure, accepting Figure 4 shows a simple payment protocol where A re-
coins from other currency servers as well as other financial mains anonymous. B has the option to remain anonymous
instruments (checks for example). with additional provisions described below. Upon comple-
Anonymity of a client is preserved in a pure currency ex- tion of the protocol, B is not protected against double spend-
change with the CS for several reasons: the CS exchanges ing and A is not guaranteed a valid receipt.
coins with a client by providing new coins having different Initially A is assumed to posses B's address. Messages l a
serial numbers and does not keep records pairing the coins and l b are used to obtain B's public key, either one that iden-
accepted with those issued. The exchange occurs anony- tifies B, or one generated on the fly if B is to remain anony-
mously; the CS does not know who is trading in the coins. mous. If A already knows B's public key these messages
It might be the client itself, or an anonymous merchant that may be dropped. In step lc, A sends the coins 2, the identi-
just accepted the coins and needs to exchange them to be fier of the desired service SAd along with two keys SKAN1
sure that they are not double spent. Finally, the client se- and K .... B uses Kcs to verify that a certified currency
lects the CS to be used and is likely to choose one it trusts. server minted the coins. In order to pair the coins with a
connection, B retains the session key Kse~,; at the time the
S.2.1 Exchange with the currency server
service is to be provided, B verifies that A knows the ses-
The basic exchange shown in figure 3, provides the follow- sion key. In the last step, B returns a receipt signed with its
ing services: coin verification (detection of double spend- private key and encrypted with SKAN1, thus preventing the
ing), coin exchange for untraceability, purchasing coins with contents of the message from exposure to an attacker. The
checks, and cashing in coins for checks. Only the latter two receipt includes amount paid, date and a unique identifier
operations expose the identity of X. Initially, X is assumed T_id that will be used along with the session key to obtain
to know the currency server's public key Kcs, cached from the service.
previous transactions or obtained directly from CS embed- Note if steps l a and lb are used to obtain an anonymous
ded in a certificate (see figure 1). In step 1, X sends a check public key, the protocol can withstand passive attacks in the
or a coin (collectively referred to as an instrument), SKx a
newly chosen secret key and an indication of the transaction 2The insurance certificate for the coins can be obtained in one of
to be performed (e.g., whether it wants new coins or a check, tile following ways: directly from the currency server, sent with the
coins as shown in figure 4, or retrieved from a directory service.
104
2
1. {coins, SKAN1, K .... SAd }KB 1. { coins, SKAN1, I(B, dateB, datea, amount}Kcs1
2. {coins, SKBN, transaction}Kcs 2. {< CB,CA,Cx>, <,,Cx>}SKaNa
3. {new_coins}SKBg 3. { CB, SKaN2, K .... SAd }KB
4. {{amount, W_id, date }KB 1 }SKANI 4. {{amount, TAd, date } K ~ ' }SKA2v2
F i g u r e 5: P r e v e n t i o n of d o u b l e s p e n d i n g . F i g u r e 6: P r o t e c t i o n f r o m f r a u d .
sense that the privacy of the transaction is maintained, but is can query the currency server and check whether B spent
vulnerable to an active attack where an anonymous attacker the coin. If B spent the coin, the currency server will issue
impersonates the anonymous service provider. A a receipt specifying the coin value and B's public key.
Otherwise, A can obtain a refund during the window in which
5.3 Combining the building blocks CA is valid. B should keep track of CB until it expires in case
A attempts to double spend CB with B. Cx is provided for
Below, we define protocols preserving the payee's and payor's
additional flexibility in monetary transactions when A does
anonymity using combinations of building blocks to provide
not ultimately spend the coin with B. Figure 6 shows the
guarantees against double spending, no receipt, or invalid
steps of the enhanced protocol. In step 1, A sends coins to
receipt. To avoid redundancy, we omit the detailed descrip-
its currency server to obtain a coin triplet a (dateA and dateB
tion of steps within a given block; refer to section 5.2 for this
denote expiration dates for A's and B's window of operation).
information.
The currency server creates a coin triplet and embeds the
5.3.1 Exchange with protection from double spending information in the coins as described above. CS1 returns the
triplet, along with possible change <,,Cx> if the amount
We combine the two protocol modules in figures 3 and 4 specified was less than the total value of the coins sent in
as shown in figure 5 to protect B from double spending by step 1. In step 3, A passes CB to B. B must convert the coin
an anonymous payor A. A is assumed to know B's public while it's valid, during the first interval. In the next step B
key, but the anonymity of B can be protected by adding returns a valid receipt to A. In case it doesn't, during the
message l a and l b from figure 4. After receiving coins from second time interval, A sends CA to CS1. CS1 then checks
A, B verifies the coins with the currency server. If the coins whether the coin was spent in the first window of time. If it
haven't been spent already, then B issues a receipt to A. was, CS1 returns a receipt specifying B's key and the value
The shortcoming of this protocol is that it only provides of the coin all signed with CSI's private key. In case the coin
protection from fraud by the payor. B could simply spend was not spent, CS1 will issue a new coin to A.
A's coin without providing a valid receipt. The protocol It should be noted even though B is a client of CS2, it
presented in the next section solves this problem. can still accept coins minted by other authorities because of
5.3.2 Exchange with both parties protected from fraud the accounting infrastructure on which NetCash is based.
The anonymity of the payee can be achieved by combining
We would like to extend the model presented in section 5.3.1 steps l a and l b of figure 4 with the protocol presented in this
to eliminate B's ability to cheat. The protocol presented in section. Ill the resulting protocol, the reciept provided to the
this section preserves A's anonymity, protects B from double payor is not very useful since the payee is anonymous. The
spending, and guarantees A a valid receipt or its money back. details of the protocol are left as an exercise to the reader.
To make such guarantees possible we extend the definition of
a coin. A coin can be customized for a given principal, i.e., 5.4 Off-line protocols
it can only be used by that principal for a certain window In an offline transaction, it is desirable to prevent double
of time. Thus, the payor A can use the currency server to spending while preserving the anonymity of the participating
obtain a coin triplet <CB,CA,Cx>. Each coin in the triplet parties. Transactions conducted in the offiine mode where
has the same serial number and coin value. neither party contacts the currency server during the ex-
During the first window, C~ is the only coin that can change can be supported in NetCash by several means.
be used with the currency server. In the next window, only The protocol shown in figure 6 can be used as follows: If
CA can be used, and in the last window the Cx coin is used A knows ahead of time that it is going to conduct business
exclusively. This can be implemented by embedding window with B, steps 1 & 2 can be done in advance. At a later time,
boundaries (time stamps) into each coin in the triplet. A & B go through an exchange, using steps 3 & 4, where
The first two coins, intended for B and A respectively upon completion, double spending is prevented and payor's
have keys embedded in them. If either party wants to use anonymity is maintained. A drawback of this protocol is the
its coin in a transaction with CS1, it must prove knowledge payor has to know in advance with which particular party a
of the embedded key. For example B's public key /(B is transaction will be performed.
encrypted in CB, durinlg the transaction with CS1 it must Another approach to offiine transactions is to use the pro-
prove knowledge of K B . The third coin Cx, does not have tocol shown in figure 4 in conjunction with tamper-proof
a key encrypted in it and can be used by anyone. Additional electronic wallets. Double spending is prevented by proper-
information embedded in Ca is B's public key, this is done to ties of the hardware. The problems with this approach was
reduce the amount of state information needed to be main- described in section 2.
tained by the server in order to issue A a receipt. Also, an Currently, we are looking into incorporating Chaum's
additional bit needs to be associated with a coin serial num- post-fact punishment scheme[2] into NetCash. Double spend-
ber in the CSI's database to keep track of whether A or B
spent the coin. 3In case different coin denominations are desired, A could spec-
In the transaction with B, A will keep coins Cx and CA ify several amounts, and obtain a number of triplets each h~ving a
and pass CB to B. If B does not give a receipt to A, A particular value.
105
ing makes it statistically possible to determine the identity of still providing scalability, acceptability, and interoperability
a dishonest client. T h e drawback with this approach is that across mechanisms.
post-fact punishment may be unacceptable to financial insti-
tutions due to the complications in tracking and punishing 7 Conclusion
potential violators.
This paper present s a framework for electronic transactions
6 Discussion that combines the benefits of anonymous transactions with
the scalability of non-anonymous online p a y m e n t protocols.
NetCash combines the benefits of anonymous transactions Our framework is secure, scalable, acceptable across adminis-
with the scalability of non-anonymous online payment pro- trative domains, and provides some assurance of anonymity
tocols. It is secure, scalable, valid across administrative do- for the parties a transaction. Our approach supports par-
mains, and provides some assurance of anonymity for the tially offiine operation, where the parties are otfline during
parties to a transaction. In this section, we discuss the ben- the final exchange; secure operations do require t h a t at least
efits and drawbacks of NetCash, revisiting some of the re- one party interact with a currency server at some point dur-
quirements from section 2. ing a transaction.
Where it is possible for at least one party to interact with Where unconditional anonymity or completely otltine op-
a currency server at some point during a transaction, Net- eration is required our framework can be e x t e n d e d to sup-
Cash is secure. Double spending is either detected at the port exchanges from other electronic currency mechanisms
time the recipient verifies or exchanges coins with the cur- for those transactions that require them, while still providing
rency server, or the coins can only be spent by the recipient scalability, acceptability, and interoperability across mecha-
during an initial time window, allowing the recipient to cash nisms.
them in before they can be double spent.
Because independent currency servers exist NetCash is Acknowledgments
more scalable t h a n other e-cash proposals. W h e n coins are We would like to give a special thanks to Yacov Yacobi for his
exchanged with r e m o t e currency servers, the balances of the insightful c o m m e n t s regarding e-cash. We would also like to
currency servers (the backing of the currency) are adjusted thank Celeste Anderson, Deborah Estrin, K a t i a Obraczka,
through the scalable, but non-anonymous, accounting infras- Barry Perkins, Jon Postel, Stuart Stubblebine, and Peter
tructure proposed in [5]. T h e anonymity of the client is not Will for discussion and c o m m e n t s on drafts of this paper. A
jeopardized because only the currency servers themselves are great thanks to Shai Herzog for coming up with the n a m e
identified in the non-anonymous transaction. NetCash.
T h e anonymity provided by N e t C a s h is weaker than the
unconditional anonymity provided by Chaum. In particular, References
at the point that a client purchases coins from a currency
server by check, or cashes in coins, it is possible for the cur- [1] D. C h a u m , B. Boer, E. Heyst, S. Mjolsnes, and A. Steen-
rency server to record which coins have been issued to a par- beek. Efficient off-line electronic checks. In Proceedings
ticular client. It is expected that currency servers will not of Eurocrypt '89, 1989.
do so, and it is likely t h a t the agreement with clients will
[2] D. Chaum, A. Fiat, and N. Naor. Untraceable electronic
specifically preclude it. Additionally, the client can choose
its own currency server, and will choose one t h a t it feels it cash. In Proceedings of Crypto '88, 1988.
can trust. [3] C h a u m D. Security without identification: Transaction
Once coins have been purchased, they can continue to cir- systems to make big brother obsolete. Communication of
culate without identifying the intermediaries. Although the the ACM, 28(10), O c t o b e r 1985.
currency server is involved each time a coin changes hands,
and could conceivably track which coins are exchanged for [4] S. Even, O. Goldreich, and Y. Yacobi. Electronic wallet.
others though prohibited from doing so, it will not know the In Proceedings o] Crypto '83, 1983.
identity of the intermediaries until one of the parties chooses
to identify itself when converting in coins. T h e longer the [5] B. Clifford Neuman. Proxy-based authorization and ac-
chain of intermediaries, the less information t h a t is available counting for distributed systems. In Proceedings of the
about who m a d e purchases where. 13th International Conference on Distributed Computing
Although coins may be transferred in our scheme without Systems, May 1993.
interaction with the currency server, when coins are used in
[6] T. O k a m o t o and K. Ohta. Universal electronic cash. In
this manner, no assurances exist that a coin has not been
Proceedings of Crypto '91, 1991.
double spent. Thus, among a group of individuals that trust
one another (or each others t a m p e r - p r o o f hardware), coin [7] B. Pfitzmann and M. Waidner. How to break and re-
transfer is possible. Parties to a transaction would need to pair a 'provably secure' untraceable p a y m e n t system. In
eventually verify and exchange their coins to limit their vul- Proceedings of Crypto '91, 1991.
nerability to double spending.
Our approach supports partially offline operation, where This research was supported in part by the Advanced R.esearch Projects
the parties are offiine during the final exchange; secure op- Agency under NASA Cooperative Agreement NCC-2-539. The views
erations do require that at least one party interact with a and conclusions contained in this paper are those of the authors and
currency server at some point during a transaction. should not be interpreted as representing the official policies, either
expressed or implied, of any of the funding agencies. Figures and de-
Where unconditional anonymity or completely offiine op- scriptions in this paper were provided by the authors and are used
eration is required, our framework can be extended to sup- with permission. Tile authors may be reached at USC/ISI, 4676 Ad-
port exchanges from C h a u m ' s protocol or from other elec- miralty Way, Marina del Rey, CA 90292-6695, USA. Telephone 4-1
tronic currency mechanisms. Such exchanges could be ap- (310) 822-1511, email ari@isi.edu, bcn@isi.edu.
plied to only those transactions that require them, while
106