What is Digital Cash?

A system that allows a person to pay for goods or services by transmitting a number from one computer to another. Like the serial numbers on real dollar bills, the digital cash numbers are unique. Each one is issued by a bank and represents a specified sum of real money. One of the key features of digital cash is that, like real cash, it is anonymous and reusable. That is, when a digital cash amount is sent from a buyer to a vendor, there is no way to obtain information about the buyer. This is one of the key differences between digital cash and credit card systems. Another key difference is that a digital cash certificate can be reused. Digital cash transactions are expected to become commonplace by the year 2000\. Most digital cash systems start with a participating bank that issues cash numbers or other unique identifiers that carry a given value, such as five dollars. To obtain such a certificate, you must have an account at the bank; when you purchase digital cash certificates, the money is withdrawn from your account. You transfer the certificate to the vendor to pay for a product or service, and the vendor deposits the cash number in any participating bank or retransmits it to another vendor. For large purchases, the vendor can check the validity of a cash number by contacting the issuing bank.

In general, there are two distinct types of digital cash:

1 identified digital cash and 2 anonymous digital cash. Identified digital cash contains information revealing the identity of the person who originally withdrew the money from the bank. Also, in much the same manner as credit cards, identified digital cash enables the bank to track the money as it moves through the economy. Anonymous digital cash works just like real paper cash. Once anonymous digital cash is withdrawn from an account, it can be spent or given away without leaving a transaction trail. You create anonymous digital cash by using numbered bank accounts and blind signatures rather than fully identified accounts and non-blind signatures. There are two varieties of each type of digital cash: online digital cash and offline digital cash . Online means you need to interact with a bank (via modem or network) to conduct a transaction with a third party. Offline means you can conduct a transaction without having to directly involve a bank. Offline anonymous digital cash is the most complex form of digital cash because of the double-spending problem.

ince digital cash is just a bunch of bits, a piece of digital cash is very easy to duplicate. Since the copy is indistinguishable from the original you might think that counterfeiting would be impossible to detect. A trivial digital cash system would allow me to copy of a piece of digital cash and spend both copies. I could become a millionaire in a matter of a few minutes. Obviously, real digital cash systems must be able to prevent or detect double spending. Online digital cash systems prevent double spending by requiring merchants to contact the bank's computer with every sale. The bank computer maintains a database of all the spent pieces of digital cash and can easily indicate to the merchant if a given piece of digital cash is still spendable. If the bank computer says the digital cash has already been spent, the merchant refuses the sale. This is very similar to the way merchants currently verify credit cards at the point of sale. Offline digital cash systems detect double spending in a couple of different ways. One way is to create a special smart card containing a tamper-proof chip called an "Observer" (in some systems). The Observer chip keeps a mini database of all the pieces of digital cash spent by that smart card. If the owner of the smart card attempts to copy some digital cash and spend it twice, the imbedded Observer chip would detect the attempt and would not allow the transaction. Since the Observer chip is tamper-proof, the owner cannot Offline anonymous digital cash (sans Observer chip) also grows with each transaction, but the information that is accumulated is of a different nature. The result is the same however. When the anonymous digital cash reaches the bank, the bank will be able to examine it's database and determine if the digital cash was double spent. The information Jim Miller (Jim_Miller@suite.com)

Digital Cash

How does Digital Cash work?

The figure shows the basic operation. User A obtains digital cash "coins" from her bank (and the bank deducts a corresponding amount from her account). The user is now entitled to use the coins by giving them to another user B, which might be a merchant. B receives e-cash during a transaction and see that it has been authorized by a bank. They can then pay the cash into their account at the bank.

Ideal properties of a Digital Cash system

Ideal properties:

1. Secure. Alice should be able to pass digital cash to Bob without either of them,
or others, able to alter or reproduce the electronic token.

2. Anonymous. Alice should be able to pay Bob without revealing her identity, and
without Bob revealing his identity. Moreover, the Bank should not know who Alice paid or who Bob was paid by. Even stronger, they should have the option to remain anonymous concerning the mere existence of a payment on their behalf.

3. Portable. The security and use of the digital cash is not dependent on any
physical location. The cash should be able to be stored on disk or USB memory stick, sent by email, SMS, internet chat, or uploaded on web forms. Digital cash should not be restricted to a single, proprietary computer network.

4. Two-way. Peer-to-peer payments are possible without either party required to

attain registered merchant status (in contrast with today's card-based systems). Alice, Bob, Carol, and David share an elaborate dinner together at a trendy restaurant and Alice pays the bill in full. Bob, Carol, and David each should then be able to transfer one-fourth of the total amount in digital cash to Alice.

5. Off-line capable. The protocol between the two exchanging parties is executed
off-line, meaning that neither is required to be host-connected in order to proceed. Availability must be unrestricted. Alice can freely pass value to Bob at any time of day without requiring third-party authentication.

6. Wide acceptability. The digital cash is well-known and accepted in a large

commercial zone. With several digital cash providers displaying wide acceptability, Alice should be able to use her preferred unit in more than just a restricted local setting.

7. User-friendly. The digital cash should be simple to use from both the spending
perspective and the receiving perspective. Simplicity leads to mass use and mass use leads to wide acceptability. Alice and Bob should not require a degree in cryptography as the protocol machinations should be transparent to the immediate user.

These are ideal properties, and no known system satisfies them all.

Two big problems How can we guarantee anonymity? If the bank can see which coins it gives to A, and later it sees the same coins coming back from B. it can infer that A has paid them to B (possibly via an intermediary). How can we avoid double spending? Because electronic files can be duplicated, a big challenge for digital cash is how to stop users spending money twice. On-line solutions achieve this by making the payee check with the bank before acknowledging payment. Off-line solutions have to use more elaborate methods.

Cryptographic primitives Some technical concepts are needed to understand digital cash protocols.

Blind signatures. Suppose Charlie wants Dianne to sign a message m, but does not want Dianne to know the contents of the message. This might seem like a strange thing -- why would Diane sign something without knowing what it is? But the concept has useful applications in situations involving anonymity, such as digital cash. The arrangement works like this:

o o o

Charlie "blinds" the message m, with some random number b (the blinding factor). This results in blind(m,b). Dianne signs this message, resulting in sign(blind(m,b),d), where d is Dianne's private key. Charlie then unblinds the message using b, resulting in unblind(sign(blind(m,b),d),b). The functions are designed so that this reduces to sign(m,d), i.e. Dianne's signature on m.

Details of how blind signatures can be implemented using RSA are given in another lecture.

Secret splitting. Suppose I have a secret message string m, and I want to give part of it to Alice and part of it to Bob, in such a way that neither of them individually can tell anything about the secret, but if they get together then they can reconstruct it. o One way might be to split the secret string into two parts, m1 and m2, such that m = m1.m2, i.e. concatening m1 and m2 yields m. This is not very satisfactory because Alice and Bob each learns the first half or the second half of the message. o A better way is to invent a random number r, and XOR m with r. Give r to Alice, and m XOR r to Bob. Now neither of them knows anything about the secret, because each of them has what looks like a completely random string. However, if they get together, they can obtain m by calculating r XOR (m XOR r) -- that is indeed m. o This can be generalised to any number of participants.

Online Digital Cash

Pros and Cons of the online digital cash system

Here is the summary of the pros and cons of the online system: Pros

Provides fully anonymous and untraceable digital cash: No double spending problems (coins are checked in real time during the transaction). No additional secure hardware required

Cons

Communications overhead between merchant and the bank. Huge database of coin records -- the bank server needs to maintain an evergrowing database for all the used coins serial numbers. Difficult to scale, need synchronization between bank servers. Coins are not reusable

Offline Digital Cash

Pros and Cons of the offline digital cash system

Pros

Off-line, portable scheme User is fully anonymous unless double spends Bank can detect double spender (with high probability) Banks dont need to synchronize database in each transaction. Coins are reusable

Cons

Might not prevent double spending immediately More expensive to implement - the extra security hardware needed in the system requires an additional cost.

Paypal

Advantages

Convenience Secure Handling costs Time saving Transaction Costs

Diff between dc and cc Anonymous Identified Online or Off-line Online Store money in digital wallet Money is in the Bank

01011010110101011101011010101101011010101101011010101101010110101011011 1101011111011010000000110101010110101 Since digital cash is represented by data, it is easily replicated. How do we prevent: Counterfeiting? Multiple spending?

Digital cash must be deposited

Diag do from ppt