Towson University
Department of Computer and Information Sciences

Digital Cash
Applied Cryptography

Nathan Bible, Brian Haar, Hui Liu
December 6, 2010
COSC 645 - Dr. Marius Zimand

Nathan Bible, Brian Haar, Hui Liu, Digital Cash Project, COSC 645: Applied Cryptography, Date: Dec 6, 2010

INTRODUCTION

People often use their credit or debit cards to make purchases throughout their daily lives. However, many of these daily transactions are sensitive (e.g. illegal or immoral) and require the anonymity of cash. Despite many advances in modern payment systems such as credit cards, PayPal, and even Obopay, none of these systems offers the anonymity of cash. Carrying around a large amount of paper money has many drawbacks too, most notably that it is subject to theft. For all of these reasons, there is a need for a digital cash protocol as developed by Schneier.[1] In this paper, we provide an overview of this protocol and describe our implementation of it.

This digital cash protocol provides a method for customer Alice to purchase an electronic money order anonymously from a bank, and then spend it anonymously with merchant Bob, who can then deposit it at the bank. Each party involved has no identity information about the others in terms of the actual flow of money. One key to this protocol is to ensure that neither Alice nor Bob tries to cheat the bank by copying their digital cash or claiming a greater value than in reality. Because anonymity is the ultimate goal of this digital cash protocol, it is important to note that there are many economic and legal concerns about possible real world implementations.[2][3]

Many additional protocols or sub-protocols are needed to implement this digital cash protocol, including secret splitting, bit commitment, blind signatures, RSA, and MD5, to name a few.
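The blind-signature step named above, worked through with textbook RSA as an added example; it is not the project's PHP code. The toy key (two Mersenne primes), the sample money order, the function names and the use of SHA-256 in place of MD5 are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Toy bank key from two Mersenne primes (assumption: far too small for real
# use; chosen so the example runs instantly and offline).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # bank's private exponent

def digest(order):
    """Map a money order to an integer mod N (SHA-256 stands in for MD5)."""
    return int.from_bytes(hashlib.sha256(order).digest(), "big") % N

def blind(m):
    """Alice: hide m behind a random factor r; returns (blinded, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r

def bank_sign(blinded):
    """Bank: sign the value it is handed; it never sees m itself."""
    return pow(blinded, D, N)

def unblind(blind_sig, r):
    """Alice: divide out r, leaving an ordinary signature on m."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(order, sig):
    """Anyone: check the signature with the bank's public key (N, E)."""
    return pow(sig, E, N) == digest(order)

def demo():
    order = b"order=17;value=100;uniq=9f3c"  # constructed sample money order
    m = digest(order)
    blinded, r = blind(m)
    sig = unblind(bank_sign(blinded), r)
    return m, blinded, sig, verify(order, sig)

if __name__ == "__main__":
    m, blinded, sig, ok = demo()
    print("bank saw:", blinded, "| message:", m, "| valid:", ok)
```

The un-blinded signature equals the signature the bank would have produced on the money order directly, which is why the bank cannot later link a deposited order to the blinded value it signed.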
The secret splitting algorithm was borrowed from Tewari et al.[4] It divides the customer identity string into two parts that alone have no meaning, but that yield the original string when the exclusive-or operation is applied to the two halves. The commitment of these halves is described by Naor[5] and involves two stages, a commit stage and a revealing stage. The commit stage produces some information about the split identity strings that can be given to another party, while the revealing stage gives the actual split identity strings to the other party. The blind signature algorithm, originally developed by Chaum,[6] requires a private signing function and a publicly known inverse, similar to RSA.

PROJECT

For our implementation of digital cash, we have broken the process down into several steps and sub-steps (some Required, some Optional), with the required protocols as follows:

1R
o Alice prepares n money orders (number, value, uniqueness string)
o Alice commits n Left and Right half ID strings on each money order
    - Secret splitting protocol implementation
    - Bit commitment protocol implementation
o Alice blinds the n money orders
    - Blind protocol implementation

2R
o Alice gives the blinded money orders to the bank
o Bank chooses a random number r between 1 and n (the number of money orders) and asks the customer to un-blind the remaining money orders [1,r-1][r+1,n]
o Alice sends the n-1 un-blinded money orders and the related n-1 blind seeds r to the bank
o Bank verifies that all n-1 un-blinded money orders are well formed
    - Verify that the un-blinded money orders and the blinded money orders match
    - Verify that the amounts of all n-1 money orders are the same
    - Verify that the uniqueness strings of all n-1 money orders are unique
    - If all are valid, ask Alice to reveal all L and R half ID strings on the un-blinded money orders
o Alice reveals all L and R half ID strings on the un-blinded money orders to the bank
o Bank signs the one remaining blinded
  money order or catches Alice cheating
    - Join all L and R half ID strings on the un-blinded money orders to form ID strings.
    - Verify that all ID strings are the same
    - If valid, sign the remaining blinded money order
    - Deduct money from Alice’s account and pass the blinded signature to Alice
o Alice receives the signed money order and her account is debited, or she goes to jail
    - Alice un-blinds the bank signature and saves it to the database

3O
o Alice chooses to copy her bank-signed money order

4R
o Alice wants to make a purchase and gives the signed money order to Bob
o Bob chooses an n-bit selector string
o Alice reveals either the L or R half of each ID string
o Bob accepts the money order as payment

4RC
o Alice wants to cheat and tries to spend the money order a second time with another merchant
o The second merchant chooses a different n-bit selector string
o Alice reveals either the L or R half of each ID string
o The second merchant accepts the money order as payment
o When the second merchant tries to deposit the money order a second time, Alice’s ID string, and so her identity, is revealed.

5O
o Bob chooses to copy the money order with the revealed ID string halves

6R
o Bob deposits the money order with the bank
o Bank verifies the money order
    - Verify the bank signature
    - Check the uniqueness string on the money order against the uniqueness strings of previously paid money orders (from the database). If the same uniqueness string is found, this money order has been used before. The bank refuses to accept the money order
    - Compare the identity strings on the money order with the ones stored in the database.
      o If they are the same, Bob goes to jail for cheating (copying his money order)
      o Otherwise, Alice is cheating. Compare the two selector strings to find a bit position where one is 0 and one is 1.
        The bank joins the two halves together to reveal Alice’s identity
o If the money order is valid, then the money order is accepted and Bob’s account is credited the value.

For the RSA implementation, a pure PHP script was first used for generating RSA keys. This script timed out on every attempt to generate new keys. Although it only needed to be run once, it would be preferable to have a faster script. A Java program utilizing the javax.security module was used for generating RSA keys, and was integrated seamlessly with the PHP script (a demo is available under rsa_demo.php). This was only used for key generation. We programmed all actual RSA functions ourselves in PHP to use these keys.

The final version of this project is implemented using Apache HTTP Server, PHP: Hypertext Preprocessor, and Oracle Express Edition, and will be available online at http://goohoo.dnsalias.com/digicash/ for several days following the completion of this project.

RESULTS

Our project fully implements the anonymous digital cash protocol as described above. It successfully maintains the anonymity of the customer while protecting the bank from the possibility that either the customer or the merchant may cheat.

REFERENCES

[1] B. Schneier. Applied Cryptography. John Wiley & Sons, 1996, New York, pp. 139-147.
[2] T. Tanaka. Possible Economic Consequences of Digital Cash. First Monday, Volume 1, Number 2.
[3] A. Froomkin. Flood Control on the Information Ocean: Living With Anonymity, Digital Cash, and Distributed Databases. 15 U. Pittsburgh Journal of Law and Commerce 395 (1996).
[4] H. Tewari, D. O’Mahony, M. Peirce. Reusable Off-Line Electronic Cash Using Secret Splitting. Technical report, Trinity College, 1998.
[5] M. Naor. Bit Commitment Using Pseudorandomness. Advances in Cryptology: Crypto 89. Lecture Notes in Computer Science, Vol. 435, Springer-Verlag, New York, 1990, pp. 128-137.
[6] D. Chaum. Blind Signatures for Untraceable Payments.
    In Advances in Cryptology – Proceedings of CRYPTO 83, 1984.

APPENDIX

Database DDLsql
PHP code
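Steps 4R, 4RC and 6R traced in Python as an added example, not the project's PHP code: Alice's identity is split into n pairs, each merchant opens one half per pair according to its selector string, and the bank recovers the identity only when the same order arrives with two different selectors. Assumptions: a SHA-256 hash commitment stands in for the bit commitment of [5], selector bit 0 opens L and bit 1 opens R, and all function names and sample values are constructed.

```python
import hashlib
import secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def commit(half, nonce):
    # Hash commitment: a simple stand-in for the bit commitment of [5].
    return hashlib.sha256(nonce + half).hexdigest()

def make_order(uniq, identity, n):
    """Alice: split her identity n times; the order carries only commitments."""
    secret, public = [], []
    for _ in range(n):
        left = secrets.token_bytes(len(identity))
        pair = [(left, secrets.token_bytes(16)),
                (xor(identity, left), secrets.token_bytes(16))]
        secret.append(pair)
        public.append([commit(h, k) for h, k in pair])
    return {"uniq": uniq, "commits": public}, secret

def spend(order, secret, selector):
    """Alice opens half selector[i] of pair i (0 = L, 1 = R); merchant checks."""
    opened = [secret[i][bit] for i, bit in enumerate(selector)]
    for i, (bit, (half, nonce)) in enumerate(zip(selector, opened)):
        if commit(half, nonce) != order["commits"][i][bit]:
            raise ValueError("revealed half does not match commitment")
    return {"uniq": order["uniq"], "selector": selector,
            "halves": [h for h, _ in opened]}

def deposit(paid, dep):
    """Bank: accept a first deposit, otherwise decide who cheated."""
    old = paid.get(dep["uniq"])
    if old is None:
        paid[dep["uniq"]] = dep
        return "accepted", None
    if old["halves"] == dep["halves"]:
        return "merchant copied the order", None
    sel = zip(old["selector"], dep["selector"])
    i = next(i for i, (a, b) in enumerate(sel) if a != b)
    return "customer double-spent", xor(old["halves"][i], dep["halves"][i])

def demo():
    order, secret = make_order("u-001", b"alice@bank#4471", n=8)  # constructed
    paid = {}
    first = deposit(paid, spend(order, secret, [0, 1, 1, 0, 1, 0, 0, 1]))
    second = deposit(paid, spend(order, secret, [0, 1, 0, 0, 1, 1, 0, 1]))
    return first, second
```

Two independently chosen n-bit selectors are identical with probability 2^-n, which is the chance that a double spend goes unattributed to Alice.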