Digital Cash Present By Kevin, Hiren, Amit, Kai

What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of exchange or store of value  Need to be backed by a trusted third party, usually the government and the banking industry.

Key Properties  Secure  Anonymous  Portable  Reusable  User-friendly

Digital Cash vs Credit Card AnonymousIdentified Online or Off-lineOnline Store money in digital wallet Money is in the Bank

The Online Model  Structure Overview Deposit Coins Bank User Merchant Withdraw Coins Payment Link with other banks

Pros and Cons of the online scheme  Pros –Provides fully anonymous and untraceable digital cash. –No double spending problems. –Don't require additional secure hardware – cheaper to implement.  Cons –Communications overhead between merchant and the bank. –Huge database of coin records. –Difficult to scale, need synchronization between bank servers. –Coins are not reusable

The Offline Model  Structure Overview Bank Merchan t User Temper- resistant device Others T.R.D.

Pros and Cons of the offline model  Advantages –Off-line scheme –User is fully anonymous unless double spend –Bank can detect double spender –Banks don’t need to synchronize database in each transaction. –Coins could be reusable –Reduced the size of the coin database.  Disadvantages –Might not prevent double spending immediately –More expensive to implement

Traceable Signature Protocol m message m = amount, serial no (m) d d is secret key of the Bank spend (m) d send m (m) d verify (m) d CustomerBankMerchant

Blind Signatures  Add a blinding factor b  r d = (mb e ) d  Bank could keep a record of r  Remove blinding factor  (mb e ) d = (m) d b ed  b -1  m d  r = (m)b e message

Untraceable Digital Cash  Create k items of m Random Serial Number m1m1, …, mkmk m 1 = (…, amount, serial number) m k = (…, amount, serial number)

Untraceable Digital Cash  Create blinding factors:b 1 e,…, b k e  Blind the units - m 1 b 1 e, …, m k b k e m1b1em1b1e mkbkemkbke, …, Bank  Send to bank for signing

Untraceable Digital Cash  Bank chooses k –1 to check  Customer gives all blinding factors except for unit i  Bank checks they are correct i

Untraceable Digital Cash  Bank signs the remaining one and sends it back – ( m i b e i ) d = m i d b i Customer Serial no  The customer removes the blind using b i -1  m i d

Problem!  When the merchant receives the coin, it still has to be verified  The merchant has to have a connection with the bank at the time of sale  This protocol is anonymous but not portable

How to make it off-line

Secret Splitting  A method that splits the user ID in to n parts  Each part on its own is useless but when combined will reveal the user ID  Each user ID is XOR with a one time Pad, R

Cont…  E.g. User ID = 2510, R = 1500:  2510 XOR 1500 = 3090  The user ID can now be split into 2 parts, I.e and 3090  On their own they are useless but when XOR will reveal the user ID  I.e 1500 XOR 3090 = 2510

A Typical Coin  User ID:  Header Information  Serial number  Transaction Item – pairs of user ID’s

A Typical Coin  User ID: 1500XOR3090 = XOR6159 = XOR7992 = 2510 User ID  Header Information  Serial number  Transaction Item – pairs of user ID’s

Blanking  User ID: Randomly blank one side of each identity pair

Blanking  User ID: Randomly blank one side of each identity pair

The coin is now spent  User ID: You can no longer tell who owns the coin Merchant would now deposit this coin into the bank

The coin is copied and spent at another merchant  User ID: Before the user spent the coin the first time, the user made a copy of it Merchant would now deposit this coin into the bank

How can we catch the user?  Original Coin  User ID:  Duplicate Coin  User ID: This is what is in the bank

How can we catch the user?  Original Coin  User ID:  Duplicate Coin  User ID: This is what is in the bank 3090 XOR 1500 = XOR 7992 = 2510 User ID

Probability of catching the culprit  Depends on the number of the identity strings used  Probability of catching a user is: –1 - ½ n, where n is the number of identity strings E.g. n = 5, the probability of catching a user is: 0.97

Reusability  Once the coin has been spent the merchant has to deposit it to the bank  Therefore, coin can only be spent once  Convenience, ability to give change, unnecessary transactions between bank and merchant  Banks database size – less serial numbers  Solution – Add the new User ID to the coin

Setup ID=HIREN ID=KEVIN ID=AMIT

Coins  Users Coin  User ID: AMIT

Amit spends his coin at Hirens shop The coin will now look like this: Amit no longer owns the coin, it is bounded to Hiren User ID: A0 0IT AMI 0 HIREN

Hiren can now go and spend his coin at Kevin's shop The coin looks like this: User ID: A0 0IT AMI0 HIREN

Hiren can now go and spend his coin at Kevin's shop The coin will now look like this: User ID: A0 0IT AMI0 0REN 0EN H 0 KEVIN

Size Matters!  Coin m = (Serial num, denomination, Transaction list (transactions * user ID), Other Header info)  Limit size by Validity Period and/or max Transactions

Other proposals  What if you what buy something that costs £4.99 and you have £5 coin?  Would have a ‘file’ for every coin £4 £2 £1 £2 £1 £2 £1

Fair Blind Signatures  Possible solution to undetectable money laundering or ransom demands SenderSigner Signing protocol Judge Un-linkable Message-signature pairView of protocol

Conclusion  Feasible from a purely technological perspective  Anonymous is at the heart of the government's attack  Cannot attract funding

Advantages:  Convenience  Secure  Handling costs  Time saving  Transaction Costs

Global Disadvantages  Safety Issue  Physical Securities  Users Issue  Legal problems

Questions?