1. Electronic Cash

Bandar Al-Turaif
baa@cise.ufl.edu
Credit cards dominate online payment systems today, but electronic cash is the way
of the future. Electronic cash (also called e-cash or digital cash) is any value storage and
exchange system created by a private (non-governmental) entity that does not use paper
documents or coins and that can serve as a substitute for government-issued physical
currency. Since e-cash is issued by many private companies, common standards are needed
for all e-cash issuers so that they accept each other's e-cash. Until now, those common
standards have not been met. Every issuer has its own standards, and e-cash is not universally
accepted, unlike government-issued physical currency.
Concerns about electronic payment methods include privacy and security,
independence, portability, and convenience. Privacy and security issues are probably the
most important issues.
E-cash has its own security problems. E-cash must have two important
characteristics in common with physical currency: it must be spent only once, and it must
be anonymous.
E-cash is independent and portable. It is independent if it is not tied to any
network or storage device. It is portable if it can be freely transferred between any two
parties. Credit and debit cards are not portable. In a credit card transaction, the
recipient must have an account established with a bank, which is not the case with e-cash.
The most important characteristic of cash is convenience. If e-cash requires special
hardware or software, it will not be convenient for people to use.
1.1. Advantages and Disadvantages of E-Cash
Transferring e-cash on the internet costs less than processing credit card transactions
because conventional money exchange systems require banks, bank branches, clerks,
automated teller machines, and an electronic transaction system to manage, transfer, and
dispense cash. Operating this conventional money exchange system is expensive.
E-cash transfers occur on an existing infrastructure, the internet, and existing
computer systems with no additional costs. With e-cash, transferring money next door
or to the other side of the world costs the same, while cost is proportional to distance
when we move physical cash and checks.
E-cash does not require authorization of payments, unlike credit card transactions.
E-cash does have disadvantages: like real cash, it is not traceable, so it can be used for
money laundering. It can also be forged.
For e-cash to be successful, a standard must be developed for e-cash disbursement
and acceptance.
1.2. How Electronic Cash works
To establish e-cash, a consumer opens an account with an e-cash issuer and presents
proof of identity. The consumer can then withdraw e-cash by accessing the issuer’s web
site and presenting proof of identity, such as a digital certificate. After the issuer verifies
the consumer’s identity, it gives the consumer a specific amount of e-cash and deducts it
from the consumer account. In addition, the issuer might charge a small processing fee.
The consumer can store the e-cash in an electronic wallet on his or her computer. In
addition, the consumer can authorize the issuer to make payments to third parties from
the e-cash account.
2. Electronic Cash Protocols
One of the major problems of e-cash is double spending. The main deterrent to double
spending is the threat of prosecution. Cryptographic algorithms can help in this area to
create e-cash that can be traced back to its origins.
Creating anonymous e-cash requires a bank to issue e-cash with embedded serial
numbers such that the bank can sign the coins and then remove any association of the
coins with any particular customer.
Every protocol consists of at least three types of transactions:
• Withdrawal: transfers coins to the customer.
• Payment: transfers coins to the merchant.
• Deposit: transfers coins to real currency.
Some protocols have an additional opening procedure, similar to opening an
account with a bank. This procedure usually enables the bank to give the user a password
to identify himself to the bank.
There are two types of electronic cash schemes:
On-line: validity of the transaction is checked while it is occurring. The coin is sent back
to the bank or similar authority during the transaction to verify authenticity of coin and
that it was not spent before. The advantage is that the bank can check and prevent illegal
operations as they are happening unlike the case in off-line systems.
Off-line: validity of the transaction is checked after the transaction has occurred. The
merchant or bank can conduct a series of calculations to reveal the customer’s identity
when a security breach has occurred.
In general, off-line schemes are more efficient than on-line ones. The two fundamental
issues with any off-line electronic cash scheme have been the detection of double
spending and the provision of anonymity. Cut-and-choose was one of the first
techniques introduced to address the issue of double spending in an off-line
scheme. However, it is not very efficient. Subsequently, other techniques have been
proposed to address both problems without the cut-and-choose method.
2.1. Chaum-Fiat-Naor Scheme
Anonymity is provided through the use of RSA-based blind signatures and the
cut-and-choose scheme.
This protocol allows the user to create a bank certified check without allowing the bank
to know what it signed. The bank is not able to link a specific deposit with a specific
withdrawal.
Withdrawal (Cut and Choose Method)
1. Alice generates n coins. Each coin contains the amount of the coin, a uniqueness
string specific to the coin, and a series of identity string pairs which can be used
to identify Alice. She blinds the coins and sends them to the bank.
2. The bank randomly chooses n/2 of the coins.
3. Alice reveals the details of the n/2 coins chosen by the bank.
4. Bank checks that the n/2 coins contain the correct amount and that the uniqueness
strings are indeed unique. The bank also requests that the customer reveals the
identity string for all n coins.
5. The bank signs the unblinded coins and returns them to Alice.
6. Alice unblinds the coins but keeps the identity strings hidden.
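[Figure: withdrawal exchange between Alice (A) and the Bank. A sends n blinded coins (coin = amount + identity + serial number); the Bank chooses n/2 coins; A returns the details of those n/2 coins plus the serial numbers of all coins; the Bank checks the coins and signs the other n/2 coins; A unblinds the coins and keeps the identity hidden.]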
Payment
1. Alice sends the required number of coins to Bob.
2. Bob verifies that the coins are valid by checking the bank’s signature.
3. Bob challenges Alice to reveal one of the pair of identity strings for each coin. A
random binary string r is used to determine which identity string is revealed.
If $r_i = 1$, Alice responds with the left half of the coin’s identity string.
If $r_i = 0$, Alice responds with the right half of the coin’s identity string.
4. Bob verifies that the coin has the correct form and that the revealed identity
strings are correct.
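[Figure: payment exchange between Alice (A) and Bob (B). A sends k coins; B checks the bank’s signature and challenges A to reveal one of each pair of identity strings; A returns the identity strings selected by $r_i$; B verifies the coins and $r_i$.]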
Deposit
1. Bob sends the payment transcript to the bank. This includes the coin and the half
of the identity string which was revealed during the transaction.
2. The bank checks that no other coins in its database have the same uniqueness
string.
3. If another coin has been returned with the same uniqueness string then double
spending has occurred. The bank then checks the identity string with the list of
strings it received from the customer during withdrawal.
• If the identity string is the same, the bank knows that Bob has double
spent.
• If the identity string is different, the bank knows that Alice has double
spent.
• The bank selects an identity string pair where one merchant has returned
the left half and the other merchant has returned the right half. The bank
then XORs the two halves to discover the identity of the customer. If the
two merchants have used the same random string, the customer’s id cannot
be revealed.
4. If the uniqueness string is indeed unique, the bank credits Bob’s account.
[Figure: deposit exchange between Bob (B) and the Bank. B sends the payment transcript; the Bank checks the serial number.]
A possible attack against this protocol is a cooperation attack between Alice and Eve. If
Alice, after paying Bob, sends her spent coin to Eve together with the binary string chosen
by Bob and the response to this string, then Eve will have exactly the same payment history
as Bob, and the bank will not know which one of them is cheating.
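The deposit check of step 3, as an added example that is not part of the original paper: each identity string pair is modeled as (left, right) with left XOR right equal to the customer's identity, which is what lets the bank XOR two revealed halves. The pair count K, the account label, the challenge strings and the verdict texts are constructed for illustration.

```python
import secrets

K = 8  # identity string pairs per coin (constructed; real coins use more)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_identity_pairs(identity: bytes, k: int = K):
    """Withdrawal: k pairs (left, right) with left XOR right == identity."""
    pairs = []
    for _ in range(k):
        left = secrets.token_bytes(len(identity))
        pairs.append((left, xor(left, identity)))
    return pairs

def respond(pairs, challenge):
    """Payment step 3: bit 1 reveals the left half, bit 0 the right half."""
    return [left if bit == 1 else right
            for (left, right), bit in zip(pairs, challenge)]

def deposit(db, serial, challenge, revealed):
    """Bank side: returns (verdict, recovered identity or None)."""
    if serial not in db:
        db[serial] = (challenge, revealed)
        return ("credited", None)
    old_challenge, old_revealed = db[serial]
    for i, (old_bit, new_bit) in enumerate(zip(old_challenge, challenge)):
        if old_bit != new_bit:
            # One transcript holds the left half, the other the right half.
            return ("customer double spent", xor(old_revealed[i], revealed[i]))
    # Same random string in both transcripts: no pair is split across them,
    # so the identity stays hidden and the bank cannot tell who is cheating.
    return ("same challenge, identity not recoverable", None)

if __name__ == "__main__":
    alice = b"alice-acct-0042"  # constructed identity
    pairs = make_identity_pairs(alice)
    bob, carol = [1, 0, 1, 1, 0, 0, 1, 0], [1, 0, 0, 1, 0, 1, 1, 0]
    db = {}
    print(deposit(db, "serial-1", bob, respond(pairs, bob)))      # first deposit
    print(deposit(db, "serial-1", carol, respond(pairs, carol)))  # second spend
    print(deposit(db, "serial-1", bob, respond(pairs, bob)))      # copied transcript
```

The third call models the cooperation case described above: a transcript identical to Bob's gives the bank nothing to XOR.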
2.2. Ferguson Scheme
This protocol uses a secret sharing technique, which splits a secret message among m
different people so that it can be reconstructed only when n<m parts of the message are
available. The protocol also uses a randomized blind RSA-based signature. The randomized
blind signature scheme requires both multiplicative and exponential blinding factors.
Withdrawal
During this transaction the coin is created by both the bank and the customer. The coin is
represented by three numbers A, B, C.
1. Alice chooses three random numbers a1, b1, and c1. She also chooses some
random multiplicative and exponential blinding numbers. Alice blinds a1, b1, and
c1 using these blinding factors. These values are then sent to the bank.
2. The bank also chooses three random numbers a2, b2 and c2. These are to be the
bank’s components of the coin. The bank sends them to Alice.
3. Alice chooses another random number k1 and calculates ea, eb and ec whose values
contain both a1, b1, c1 and a2, b2, c2 and k1. Alice then sends ea, eb and ec to the
bank.
4. The bank calculates A’, B’, C’ the blinded values of A, B, and C using ea, eb and
ec. The bank now signs the components of the coin with its public key v and
selects a random value k2. The bank returns A’, B’, C’ along with a random
number k2 to Alice.
5. Alice unblinds the signed coin giving values for A, B, C.
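[Figure: withdrawal exchange between Alice (A) and the Bank. A chooses a1, b1, c1 and sends the blinded values a’1, b’1, c’1; the Bank chooses a2, b2, c2 and sends them to A; A chooses k1, calculates ea, eb, ec and sends them; the Bank calculates A’, B’, C’, signs with v, chooses k2 and returns A’, B’, C’, k2; A unblinds A’, B’, C’ to get the coin A, B, C.]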
Payment
1. Alice sends A, B, C to Bob.
2. Bob returns a challenge x to Alice.
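3. Alice calculates the response $r = kx + I$. She sends Bob r and the
signature $(C^r A^x B)^{1/v}$.
[Figure: payment exchange between Alice (A) and Bob (B). A sends A, B, C; B chooses a challenge x and sends it; A calculates $r = kx + I$ and returns r with the signature $(C^r A^x B)^{1/v}$.]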
Deposit
1. The payment transaction details including the challenge and response are
forwarded to the bank.
2. If Alice has double spent the coin, the bank can determine two different points on
the line $r = kx + I$. The identity of the customer is revealed through I.
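[Figure: deposit exchange between Bob (B) and the Bank. B forwards the transaction details, including the point on the line kx + I.]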
A possible attack against this protocol is a cooperation attack between Alice and Eve. By
choosing the challenge to be a hash of a random number and Bob’s identity we can
prevent this attack.
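How two payments expose I, and how a challenge derived from the merchant's identity ties a transcript to one merchant, as an added example that is not from the original paper. It assumes arithmetic modulo a constructed prime P and SHA-256 as the hash; the function names and sample values are hypothetical.

```python
import hashlib

P = 2**127 - 1  # constructed prime modulus (assumption, not from the paper)

def challenge(merchant_id: str, nonce: bytes) -> int:
    """Challenge x as a hash of a random number and the merchant's identity."""
    digest = hashlib.sha256(nonce + merchant_id.encode()).digest()
    return int.from_bytes(digest, "big") % P

def respond(k: int, identity: int, x: int) -> int:
    """Alice's response: the point r on the line r = k*x + I (mod P)."""
    return (k * x + identity) % P

def recover_identity(t1, t2):
    """Bank side: two points (x, r) on the same line give k and then I."""
    (x1, r1), (x2, r2) = t1, t2
    if x1 == x2:
        return None  # one point only: the line, and so I, stays undetermined
    k = (r1 - r2) * pow((x1 - x2) % P, -1, P) % P
    return (r1 - k * x1) % P

def transcript_belongs_to(merchant_id: str, nonce: bytes, x: int) -> bool:
    """Bank side: accept a deposit only if x was derived from the depositor's identity."""
    return challenge(merchant_id, nonce) == x

if __name__ == "__main__":
    k, identity = 123456789, 42424242          # constructed coin secret and customer I
    x_bob = challenge("bob", b"nonce-1")
    x_carol = challenge("carol", b"nonce-2")
    spend_1 = (x_bob, respond(k, identity, x_bob))
    spend_2 = (x_carol, respond(k, identity, x_carol))
    print(recover_identity(spend_1, spend_2))               # 42424242
    print(transcript_belongs_to("eve", b"nonce-1", x_bob))  # False
```

A single spend gives the bank one point, which is consistent with every possible I; only the second spend fixes the line.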
2.3. Binary Tree
In all the previous protocols, the coin cannot be passed along among several people and
cannot be divided into smaller parts. This mechanism was first used by Okamoto and Ohta.
[Figure: binary tree for a $100 coin. Root n0 = $100; second level n00 = $50 and n01 = $50; leaves n000, n001, n010 and n011 = $25 each.]
The key to the binary tree method is the way the binary tree nodes are allocated values.
If a cash scheme uses the binary tree mechanism, each coin of worth $w = 2^L$ is associated
with a binary tree of (1+L) levels and w leaves. Each node of the tree represents a certain
denomination.
When dividing the value of the coin two rules are followed:
1. Route Node Rule: when a node is used, all descendant nodes and all ancestor nodes
of this node cannot be used.
2. Same Node Rule: No node can be used more than once.
The divisibility service provided by the binary tree mechanism is implemented in the
payment transaction.
The following describes how Okamoto and Ohta employ the binary tree mechanism.
Payment
1. Alice determines randomly which nodes are required to pay the merchant the
required amount. Alice keeps a record of the nodes which have already been
spent and does not select from these nodes. Alice then sends the x value for the
nodes to Bob.
2. Bob checks that the coin is valid and calculates $e = H(I_b, T, r)$, where $I_b$ is Bob’s
identity, T is the time, r is a randomly generated number and H is a one-way
hash function. Bob sends e to Alice.
3. Alice now calculates the value of y and returns it to Bob. The value y is a history
of the transaction.
4. Bob validates y and accepts the payment.
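[Figure: payment exchange between Alice (A) and Bob (B). A chooses nodes randomly and sends x; B computes $e = H(I_b, T, r)$ and sends e; A calculates y and sends it; B validates y and accepts.]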
When the coin is deposited in the bank the coin can be checked for double spending. If
the same node value is stored twice in the bank’s database the second rule has been
violated. Alice can double spend the coin without her identity being revealed, if she
cheated in the account opening.
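The two division rules applied to the $100 tree from the figure, as an added example that is not from the original paper. Node names follow the figure (n0 is the root, each appended bit goes one level down); the largest-first node selection stands in for Alice's random choice, and the function names and the coin id are hypothetical.

```python
from itertools import product

def node_value(node: str, coin_value: int) -> int:
    """The root "n0" carries the whole coin; each level down halves the value."""
    return coin_value >> (len(node) - 2)

def conflict(spent: set, node: str):
    """Return the rule that spending `node` would break, or None."""
    if node in spent:
        return "same node rule"
    # An ancestor or descendant shares a prefix with the node's name.
    if any(node.startswith(s) or s.startswith(node) for s in spent):
        return "route node rule"
    return None

def pick_nodes(spent: set, amount: int, coin_value: int, levels: int):
    """Customer side: choose unspent nodes worth `amount`, largest first."""
    chosen, remaining = [], amount
    for depth in range(levels + 1):
        for bits in product("01", repeat=depth):
            node = "n0" + "".join(bits)
            value = node_value(node, coin_value)
            if value <= remaining and conflict(spent | set(chosen), node) is None:
                chosen.append(node)
                remaining -= value
    return chosen if remaining == 0 else None

def deposit(bank_db: dict, coin_id: str, nodes):
    """Bank side: record the nodes of a coin and list every rule violation."""
    spent = bank_db.setdefault(coin_id, set())
    violations = []
    for node in nodes:
        rule = conflict(spent, node)
        if rule:
            violations.append((node, rule))
        else:
            spent.add(node)
    return violations

if __name__ == "__main__":
    wallet_spent = {"n000"}                       # $25 already paid out
    print(pick_nodes(wallet_spent, 75, 100, 2))   # ['n01', 'n001']
    bank = {}
    print(deposit(bank, "coin-1", ["n01", "n001"]))  # []
    print(deposit(bank, "coin-1", ["n001", "n00"]))  # both rules violated
```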
3. Existing Electronic Cash Systems
Here we give examples of e-cash implementations on the internet. Some of
those systems are InternetCash, DigiCash, NetCash, CyberCash, NetBill, First Virtual,
and PayPal.
3.1. DigiCash
DigiCash was founded in Amsterdam by David Chaum in 1990. One of DigiCash’s
products is ecash, an online payment system over email or the internet based on
Chaum’s digital cash system using blind signatures.
To use ecash, every user opens an account with a digital bank on the internet which
issues the coins for them. The ecash software (cyberwallet) issues an asymmetric key for
each user based on RSA.
To withdraw cash, Alice determines how much she needs; the software generates
random serial numbers, usually 100 digits, for the coins and a blinding factor and sends
them to the bank.
The bank verifies the message to make sure that it was signed by Alice, signs it and debits
Alice’s account.
Alice unblinds the coins and stores them on her PC. When Alice wants to buy something
from Bob, she sends him the coins. Bob sends the coins to the bank to verify the
authenticity of them and that they have not been spent before.
DigiCash’s advantages are anonymity for customers and the possibility of recovering lost
coins by giving the bank their serial numbers.
DigiCash’s disadvantages are that merchants must reveal their identity to the bank to cash
the coins and that both they and their customers must open accounts at the same bank.
Also maintaining a database for spent coins is a major problem because it can become
very large and unmanageable.
Possible attacks are man in the middle attack and interception attack, since the bank
sends account numbers and passwords to users via unencrypted email messages.
3.2. NetCash
NetCash was developed at the Information Sciences Institute of the University of
Southern California. It uses identified online e-cash.
The system consists of buyers, merchants, and currency servers. The currency server
issues the coins; each coin is signed with the server’s private key and consists of:
• Currency Server Name
• Currency Server Network Address
• Expiry Date
• Serial Number
• Coin Value
The currency servers do not keep records of coin holders; coin holders can exchange
coins between different currency servers. The currency servers prevent double spending
by keeping a record of only valid and unspent coins.
When Alice wants to buy something from Bob, she sends him the coins, the identifier of the
merchandise, a new secret key, and her public key, all encrypted with Bob’s public key. Bob
verifies the coins by sending them to the issuing currency server along with a new secret
key and type of transaction encrypted by the server’s public key. The currency server
checks that the coins are valid and are in its database and exchanges them for new coins
and sends the new coins to Bob encrypted with the secret key sent by Bob. Bob then
sends a receipt to Alice signed with his private key and encrypted with their secret key.
This scheme does not protect Alice from fraud; Bob can spend the coins without sending
Alice any receipt. Extensions to the protocol solve this problem and provide extra things,
like anonymity and an offline scheme.
NetCash advantages are that it is secure and scalable, but its lack of anonymity and the
extensive use of session keys, which slows it, are its disadvantages.
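[Figure: NetCash message flow among Alice (A), Bob (B) and the Bank. A chooses merchandise and sends B {C, M, S_ab, d_a}d_b; B sends the Bank {C, S_bB, T}d_B; the Bank validates the coins, creates new coins and returns {NC}S_bB; B generates a receipt and sends A {receipt}S_ab.]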
3.3. InternetCash
InternetCash gives customers a chance to pay for their shopping on the internet with cash
instead of credit cards. It uses digital signatures and RSA.
Customers buy prepaid cards from any store and go online to activate the card by
entering a 20-digit number on the back of the card and creating a PIN for themselves. After
the customer finishes shopping, a secure browser window opens for him to enter his PIN.
The merchant sends the PIN to the InternetCash server to validate the card along with the
payment request. After the InternetCash server validates the card, it deducts the amount
from the card and credits the merchant.
InternetCash cards consist of:
• The Card ID (CID): public nine alphanumeric (base 32) digits.
• The Card Secret Code (CSC): public eleven alphanumeric (base 32) digits. The
CSC is a keyed hash function of the truncated CID based on SHA-1 and
InternetCash secret key.
• A secret PIN: used for additional security in case the CID and CSC are
compromised.
The concatenation of CID and CSC is called the “InternetCash card number” and it is
twenty alphanumeric digits long.
Issuing Protocol
1. Alice is given an InternetCash card number over an encrypted channel with only
the InternetCash server being authenticated or by buying a card from any retail
store (over SSL or TLS).
2. Alice chooses a PIN over an encrypted channel with only the InternetCash server
being authenticated.
Payment Protocol
Consists of a secret key digital signature of the payment information based on the CSC
and PIN. The generated signature, called the Payment Authentication Number
(PAN), is computed using a keyed hash function based on SHA-1. The user’s CID and the PAN are
sent to Bob over an encrypted channel to eliminate eavesdropping.
Clearing Protocol
Bob forwards the payment data (amount, time/date, etc), the CID and the PAN to
InternetCash over a secure and authenticated channel. InternetCash recreates the PAN
from the payment data and the CID and compares it with the received PAN and debits
Alice’s account and credits Bob’s account.
InternetCash is anonymous and secure, but we have to maintain a huge database for the
cards.
4. References
• G. Schneider, Electronic Commerce, Fourth Annual Edition, Thomson, 2003.
• D. Chaum, A. Fiat and M. Naor, “Untraceable Electronic Cash”, In Advances in Cryptology - Proceedings of CRYPTO ‘88 (LNCS 403), pages 319-327, Springer-Verlag, 1990.
• N. Ferguson, “Single Term Off-Line Coins”, In Advances in Cryptology - Proceedings of EUROCRYPT ‘93 (LNCS 765), pages 318-328, Springer-Verlag, 1994.
• T. Eng and T. Okamoto, “Single-Term Divisible Electronic Coins”, In Advances in Cryptology - Proceedings of EUROCRYPT ‘94 (LNCS 950), pages 306-319, Springer-Verlag, 1995.
• T. Okamoto, “An Efficient Divisible Electronic Cash Scheme”, In Advances in Cryptology - Proceedings of CRYPTO ‘95 (LNCS 950), pages 438-451, Springer-Verlag, 1995.
• T. Okamoto and K. Ohta, “Universal Electronic Cash”, In Advances in Cryptology - Proceedings of CRYPTO ‘91 (LNCS 576), pages 324-337, Springer-Verlag, 1992.
• M. Peirce and D. O’Mahony, “Scaleable-secure-cash-payment”, Proceedings of the Fourth International World Wide Web Conference, 11-14 Dec, 1995.
• Digital Cash, by M. Farsi, www.simovits.com/archive/dcash.pdf
• InternetCash, http://www.internetcash.com
• Electronic Cash, http://www.tcs.hut.fi/~helger/crypto/link/protocols/ecash.html
• Electronic Cash Papers, http://dosan.skku.ac.kr/~jykim/list_of_e-cash_paper.htm, http://www.geocities.com/holger_petersen/Cash.html
• http://sky.fit.qut.edu.au/~fooe/research/cashtax2.doc
• http://www.ex.ac.uk/~RDavies/arian/emoney.html