What is Digital Cash?
Digital cash aims to mimic the functionality of paper cash by providing properties such as anonymity and transferability of payment. Digital cash is intended to be implemented as data which can be copied, stored, or given as payment (for example, attached to an email message, or via a USB stick, Bluetooth, etc.). Just like paper currency and coins, digital cash is intended to represent value because it is backed by a trusted third party (namely, the government and the banking industry).
Most money is already paid in electronic form; for example, by credit or debit card, by direct transfer between accounts, or by on-line services such as PayPal. This kind of electronic money is not digital cash, because it doesn't have the properties of cash (namely, anonymous and off-line transferability).
How does Digital Cash work?
The figure shows the basic operation. User A obtains digital cash "coins" from her bank (and the bank deducts a corresponding amount from her account). The user is now entitled to use the coins by giving them to another user B, who might be a merchant. B receives the e-cash during a transaction and sees that it has been authorized by a bank. B can then pay the cash into their account at the bank.
Ideal properties of a Digital Cash system
Secure. Alice should be able to pass digital cash to Bob without either of them, or others, able to alter or reproduce the electronic token.
Anonymous. Alice should be able to pay Bob without revealing her identity, and without Bob revealing his identity. Moreover, the bank should not know whom Alice paid or by whom Bob was paid. Even stronger, they should have the option to remain anonymous concerning the mere existence of a payment on their behalf.
Portable. The security and use of the digital cash is not dependent on any physical location. The cash should be able to be stored on disk or USB memory stick, sent by email, SMS, internet chat, or uploaded on web forms. Digital cash should not be restricted to a single, proprietary computer network.
Two-way. Peer-to-peer payments are possible without either party required to attain registered merchant status (in contrast with today's card-based systems). Alice, Bob, Carol, and David share an elaborate dinner together at a trendy restaurant and Alice pays the bill in full. Bob, Carol, and David each should then be able to transfer one-fourth of the total amount in digital cash to Alice.
Off-line capable. The protocol between the two exchanging parties is executed off-line, meaning that neither is required to be host-connected in order to proceed. Availability must be unrestricted. Alice can freely pass value to Bob at any time of day without requiring third-party authentication.
Wide acceptability. The digital cash is well-known and accepted in a large commercial zone. With several digital cash providers displaying wide acceptability, Alice should be able to use her preferred unit in more than just a restricted local setting.
User-friendly. The digital cash should be simple to use from both the spending perspective and the receiving perspective. Simplicity leads to mass use and mass use leads to wide acceptability. Alice and Bob should not require a degree in cryptography as the protocol machinations should be transparent to the immediate user.
Categorization of payment systems
Implementations of payment systems that don't satisfy all the requirements may be conveniently classified according to these criteria:
Anonymous or identified. Anonymous e-cash works just like real paper cash. Once anonymous e-cash is withdrawn from an account, it can be spent or given away without leaving a transaction trail. This, however, can be considered contentious. Identified payment systems, such as credit card payment or payment by PayPal, leave an audit trail, and the identities of the payee and the payer are known to the bank and (usually) to each other.
Online or offline. Online means you need to interact with a bank (via a network) to conduct a transaction with a third party. Offline means you can conduct a transaction without having to directly involve a bank.
Requiring a trusted platform. Some protocols may require a trusted platform, such as a smart card. Smart cards are small plastic cards like credit cards, bearing a chip. They are tamper-resistant and can force Alice and Bob to adhere to the protocol. This is convenient for the protocol designer, but threatens to tie users to proprietary interfaces and to remove transparency of the system. In contrast, internet protocols endorsed by the IETF are open and can be interoperably implemented by anyone.
Two big problems
How can we guarantee anonymity? If the bank can see which coins it gives to A, and later it sees the same coins coming back from B, it can infer that A has paid them to B (possibly via an intermediary).
How can we avoid double spending? Because electronic files can be duplicated, a big challenge for digital cash is how to stop users spending the same money twice. On-line solutions achieve this by making the payee check with the bank before acknowledging payment. Off-line solutions have to use more elaborate methods.
Some technical concepts are needed to understand digital cash protocols.
Online Digital Cash
Let's look at how each
The customer creates k units of money m. Each unit contains some header information, the denomination, and a unique serial number. The serial number is randomly generated and must be long enough that collisions do not occur (e.g. a 64-bit serial number has a probability of collision of 1/2^64). So the money has the format:
m1 = (header info, denomination, serial number), …, mk = (header info, denomination, serial number).
The customer blinds each of them with a different blinding factor bi, and sends them to the bank for signing.
The bank randomly chooses k-1 of them to check, and leaves one unit i unopened.
The customer gives the bank all the blinding factors except the one for unit i.
The bank can now check the content of the k-1 opened units to make sure the customer has not tried to cheat (e.g. by putting in an amount larger than the agreed amount). There is still a chance that the bank does not check the one unit that is fraudulent, but the probability of this happening decreases as we increase k.
If everything checks out, the bank signs the remaining unit with its private key d and sends it back to the customer.
The customer un-blinds it using bi to obtain the coin mi signed by the bank.
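The cut-and-choose withdrawal above, as an added example that is not code from the page: the customer blinds k units with RSA blinding factors, the bank opens k-1 of them, checks each against the agreed denomination, and blind-signs the one it never sees. The key, the "ecash-v1" header and the hash-to-integer encoding are constructed for the demo; textbook RSA with a tiny key is used only so the example runs instantly.

```python
import hashlib
import secrets

# Constructed demo RSA key for the bank: tiny primes so the example runs instantly (NOT secure).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # bank's private signing exponent d

def make_units(k, denomination):
    """Customer builds k candidate units m_i = (header, denomination, 64-bit serial)."""
    return [("ecash-v1", denomination, secrets.randbits(64)) for _ in range(k)]

def encode(unit):
    """Hash a unit to an integer below N so textbook RSA can sign it."""
    return int.from_bytes(hashlib.sha256(repr(unit).encode()).digest(), "big") % N

def blind(m, b):
    """Customer hides m behind b^e; the bank sees only m * b^e mod N."""
    return (m * pow(b, E, N)) % N

def bank_check(unit, blinded, b, agreed):
    """Bank opens a revealed unit: it must match its blinding factor and the agreed value."""
    return (blinded * pow(b, -E, N)) % N == encode(unit) and unit[1] == agreed

def verify(unit, sig):
    """Anyone (e.g. the payee) checks the bank's signature with the public key (e, N)."""
    return pow(sig, E, N) == encode(unit)

def withdraw(k, agreed):
    """Cut-and-choose withdrawal; returns the one signed coin as (unit, signature)."""
    units = make_units(k, agreed)
    blinds = [secrets.randbelow(N - 2) + 2 for _ in range(k)]
    blinded = [blind(encode(u), b) for u, b in zip(units, blinds)]
    i = secrets.randbelow(k)                       # bank keeps unit i unopened
    for j in range(k):                             # customer reveals the other k-1 factors
        if j != i and not bank_check(units[j], blinded[j], blinds[j], agreed):
            raise ValueError("customer cheated in unit %d" % j)
    s_blinded = pow(blinded[i], D, N)              # bank signs what it cannot read
    sig = (s_blinded * pow(blinds[i], -1, N)) % N  # customer unblinds with b_i
    return units[i], sig
```

A customer who inflates one unit is caught whenever that unit is among the k-1 opened, i.e. with probability (k-1)/k.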
To tackle the double spending problem, the payee has to verify the coin with the bank at the point of sale in each of the transactions. This verification of the legitimacy of the coin requires extra bandwidth and is a potential bottleneck of the system especially when the traffic is high. The real time verification also means there is a need for the synchronization between bank servers.
Pros and Cons of the online digital cash system
Here is a summary of the pros and cons of the online system:
Pros:
Provides fully anonymous and untraceable digital cash.
No double spending problems (coins are checked in real time during the transaction).
No additional secure hardware required.
Cons:
Communications overhead between the merchant and the bank.
Huge database of coin records -- the bank server needs to maintain an ever-growing database of all the used coins' serial numbers.
Difficult to scale; needs synchronization between bank servers.
Coins are not reusable.
Offline Digital Cash
In the off-line scheme, the withdrawal and disposal of the coins are very similar to the on-line scheme; the main difference is in how coins are spent, in order to prevent double-spending without the need to verify with the bank. This is achieved by adding an additional component to the model: a trusted party, which performs a digital transformation of the coin when it is transferred between users. This trusted party may be implemented as a tamper-resistant device.
In a real example, you could think of it as a smart card reader at the point of sale, although note that it is not required to be on-line. The device is trusted by the bank and by users, and is used to verify the authenticity of the coin and to address the double-spending problem. It does not prevent users from double-spending, but it provides a means to trace them if they do double-spend. This has to be carefully designed in order to keep anonymity. Secret splitting is used to allow the user to be anonymous as long as he/she doesn't double spend. Details are given
In this system, coins are reusable. The merchant can spend the coin elsewhere with other parties through another tamper-resistant device before the coin is finally deposited back to the bank for verification.
In addition to the secret splitting method, to add extra security to the offline system there could be a link between the bank and the tamper-resistant device which allows the T.R.D. to download a blacklist of double spenders at a set period of time when traffic is low. This reduces the chance of people double spending their money in the first place.
How the off-line protocol works
A coin will contain the following:
Serial number – a unique number that identifies the coin
Denomination – the actual value of the coin
Transaction list – has an arbitrary number of transaction items. A transaction item is created when the coin is transferred between the customer and the merchant. Each transaction item consists of n pairs. A pair (p1, p2) is the identity of a user, split into two parts using the secret splitting idea described above. The transaction list consists of k transaction items. In all but the last one, half of each pair has been blanked out.
Thus, a transaction list might look like this:
If p1 and p2 are XORed, the original id of the user is revealed. But only the last owner can be seen, "CHARLIE". Note that secret sharing is done with XOR, not concatenation; concatenation is used in the picture just to make it readable. There is no way the identities of ALICE and BOB can be extracted from the transaction list.
When a user spends the coin, the protocol randomly blanks one half (p1 or p2) of each pair belonging to the current owner, and adds another list of p1 and p2 pairs for the new owner.
How does this detect double spending?
If a user makes a copy of a coin before they spend it, they have the possibility to spend that coin again. However, when the coin is finally returned to the issuer, it will be possible to discover the culprit. This is achieved by combining a particular part of the identity from the original coin with its corresponding part from the copied coin. Note that the corresponding part will have been blanked out in the original coin.
The probability of catching a user depends on the number of identity pairs used in the transaction. The more pairs used, the greater the chance of catching the culprit. The probability of catching the culprit is:
Where n is the number of pairs used.
If n = 5 then the chance of catching a user is 0.97. If n = 20, the chance of escaping detection is only about 0.00000095; in that case, a double-spender would have only one chance in a million of not being caught.
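The XOR-split transaction list and the bank's double-spender check described above, as an added example that is not code from the page or from Tewari et al.: earlier owners stay hidden because one half of each of their pairs is blanked, while two copies of the same coin that were blanked differently reveal the cheater. The coin layout, the spend() step standing in for the trusted device, and the identities are constructed for the demo; catch_probability is derived from the page's own figures (n = 5 gives 0.97, n = 20 leaves about one chance in a million).

```python
import copy
import secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_identity(identity, n):
    """Secret splitting: n independent pairs [p1, p2] with p1 XOR p2 == identity."""
    halves = [secrets.token_bytes(len(identity)) for _ in range(n)]
    return [[p1, xor(identity, p1)] for p1 in halves]

def new_coin(serial, denomination, owner, n=5):
    """Coin as withdrawn: serial, denomination and one complete transaction item."""
    return {"serial": serial, "denomination": denomination, "n": n,
            "transactions": [split_identity(owner, n)]}

def duplicate(coin):
    return copy.deepcopy(coin)   # what a double-spender does before spending

def spend(coin, new_owner):
    """Transfer via the trusted device: blank one random half of every pair of the
    current owner, then append a complete item identifying the new owner."""
    for pair in coin["transactions"][-1]:
        pair[secrets.randbelow(2)] = None
    coin["transactions"].append(split_identity(new_owner, coin["n"]))

def last_owner(coin):
    """Only the current owner is recoverable: both halves of its pairs survive."""
    p1, p2 = coin["transactions"][-1][0]
    return xor(p1, p2)

def find_double_spender(coin_a, coin_b):
    """Bank side: two coins with the same serial came back. Any pair whose surviving
    halves are complementary across the copies XORs to the cheater's identity."""
    if coin_a["serial"] != coin_b["serial"]:
        return None
    for item_a, item_b in zip(coin_a["transactions"], coin_b["transactions"]):
        for (a1, a2), (b1, b2) in zip(item_a, item_b):
            if a1 is not None and a2 is None and b1 is None and b2 is not None:
                return xor(a1, b2)
            if a2 is not None and a1 is None and b2 is None and b1 is not None:
                return xor(a2, b1)
    return None   # same half blanked in every pair: the 2^-n escape case

def catch_probability(n):
    """1 - 2^-n: at least one of n pairs blanked differently (n=5 -> 0.97, n=20 -> ~1e-6 escape)."""
    return 1 - 2.0 ** -n
```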
By allowing more than one person to use the same coin, extra data is appended to the coin 'file', so the size of this file is ever growing. A possible solution is to have a maximum number of transactions, which would limit the number of IDs added to the file. No more transactions can take place once the maximum has been reached, and the coin must be banked.
Also, to keep the bank's database of serial numbers from growing indefinitely, there may be a validity period (or expiration date) associated with the coin, after which the coin can no longer be banked. This would allow the bank to 'clean up' its database of invalid serial numbers.
Pros and Cons of the offline digital cash system
Pros:
Off-line, portable scheme.
User is fully anonymous unless they double spend.
Bank can detect a double spender (with high probability).
Banks don't need to synchronize databases in each transaction.
Coins are reusable.
Cons:
Might not prevent double spending immediately.
More expensive to implement: the extra security hardware needed in the system requires an additional cost.
There is a lot of concern regarding the anonymity of digital cash with respect to illegal activities. For example, it can be used for money laundering and ransom demands without it being possible to trace the culprit. There are proposals/solutions that overcome this untraceability, involving identity escrow and trusted parties.
One of these solutions is to have a trusted third party in the transaction. In the diagram below it is called a judge. The judge would have access to either the message-signature pair or the signer's view of the protocol. With this information and the information from either the sender or the signer, the culprit can be traced.
However, digital cash has not taken off, in contrast with other electronic payment systems such as PayPal.
The elimination of physical cash from our economy is already feasible from a purely technological perspective. However, substantial additional investment in equipment and cards would be needed to permit even purchases such as soft drinks to be made.
transactional privacy is at the heart of critics' attack
on digital cash. Because it’s untraceable,
there are concerns about money laundering, offshore banking and tax
has been closely monitoring developments of digital cash. Investors
have confidence in the development of digital cash. In contrast,
non-anonymous, on-line payment systems like Paypal are enjoying huge
David Chaum, Amos Fiat and Moni Naor, "Untraceable Electronic Cash", in Advances in Cryptology - CRYPTO '88 Proceedings.
This paper describes an off-line system which doesn't require any trusted hardware, but coins can only be used once.
David Chaum, "Blind Signature System", US Patent #4759063.
Peter Wayner, "Digital Cash: Commerce on the Net", Academic Press Inc, 1996.
Hitesh Tewari, Donal O'Mahony and Michael Peirce (1998), "Reusable Off-Line Electronic Cash Using Secret Splitting", Technical Report TCD-CS-1998-27, Trinity College Dublin Computer Science Department, Dublin.