Digital Cash 
Presented by Kevin, Hiren, Amit, Kai
What is Digital Cash? 
¨ A payment message bearing a digital signature 
which functions as a medium of exchange or store 
of value 
¨ Need to be backed by a trusted third party, usually 
the government and the banking industry.
Key Properties 
¨ Secure 
¨ Anonymous 
¨ Portable 
¨ Reusable 
¨ User-friendly
Digital Cash vs Credit Card 
Digital Cash                     Credit Card
Anonymous                        Identified
Online or Off-line               Online
Store money in digital wallet    Money is in the Bank
The Online Model 
¨ Structure Overview 
[Diagram: Bank (Link with other banks), User, Merchant; arrows labelled Withdraw Coins, Payment, Deposit Coins]
Pros and Cons of the online scheme 
¨ Pros 
– Provides fully anonymous and untraceable digital cash. 
– No double spending problems. 
– Don't require additional secure hardware – cheaper to implement. 
¨ Cons 
– Communications overhead between merchant and the bank. 
– Huge database of coin records. 
– Difficult to scale, need synchronization between bank servers. 
– Coins are not reusable
The Offline Model 
¨ Structure Overview 
[Diagram: Bank, Merchant, User, Tamper-resistant device, Others, T.R.D.]
Pros and Cons of the offline model 
¨ Advantages 
– Off-line scheme 
– User is fully anonymous unless double spend 
– Bank can detect double spender 
– Banks don’t need to synchronize database in each transaction. 
– Coins could be reusable 
– Reduced the size of the coin database. 
¨ Disadvantages 
– Might not prevent double spending immediately 
– More expensive to implement
Traceable Signature Protocol 
[Diagram: Merchant, Customer, Bank; message m = amount, serial no; send m; $(m)^d$, where d is secret key of the Bank; send $(m)^d$; spend $(m)^d$; verify $(m)^d$]
Blind Signatures 
¨ Add a blinding factor b
¨ $r = m b^e$
¨ $r^d = (m b^e)^d$
¨ Bank could keep a record of r
¨ Remove blinding factor
¨ $(m b^e)^d = m^d b^{ed}$
¨ $b^{-1} \rightarrow m^d$
message
Untraceable Digital Cash 
¨ Create k items of m
$m_1$ = (…, amount, serial number)
$m_k$ = (…, amount, serial number)
[Diagram: $m_1, \ldots, m_k$, each with a Random Serial Number]
Untraceable Digital Cash 
¨ Create blinding factors: $b_1^e, \ldots, b_k^e$
¨ Blind the units: $m_1 b_1^e, \ldots, m_k b_k^e$
¨ Send to bank for signing
[Diagram: $m_1 b_1^e, \ldots, m_k b_k^e$, Bank]
Untraceable Digital Cash 
¨ Bank chooses k - 1 to check
¨ Customer gives all blinding factors except for unit i
¨ Bank checks they are correct
Untraceable Digital Cash 
¨ Bank signs the remaining one and sends it back – $(m_i b_i^e)^d = m_i^d b_i$
¨ The customer removes the blind using $b_i^{-1} \rightarrow m_i^d$
[Diagram: Customer, Serial no]
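The withdrawal described on the Blind Signatures and Untraceable Digital Cash slides, as an added Python example (not code from the presentation). It assumes a constructed toy RSA key for the bank, a SHA-256 encoding of (amount, serial number) into m, and hypothetical function names.

```python
import hashlib, secrets
from math import gcd

# Constructed toy RSA key for the bank (two Mersenne primes; far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))            # d, the bank's secret exponent

def encode(amount, serial):
    """Map m = (amount, serial number) to an integer below N (assumed encoding)."""
    digest = hashlib.sha256(f"{amount}|{serial}".encode()).digest()
    return int.from_bytes(digest, "big") % N

def make_unit(amount):
    """Customer: one unit with a random serial, blinded as m * b^e mod N."""
    while True:
        b = secrets.randbelow(N - 2) + 2
        if gcd(b, N) == 1:                   # b must be invertible mod N
            break
    serial = secrets.token_hex(8)
    return {"amount": amount, "serial": serial, "b": b,
            "blinded": encode(amount, serial) * pow(b, E, N) % N}

def bank_sign(blinded, opened, keep, amount):
    """Bank: check the k-1 opened units, then sign the one left blinded."""
    for j, u in opened.items():
        m = encode(u["amount"], u["serial"])
        if u["amount"] != amount or blinded[j] != m * pow(u["b"], E, N) % N:
            raise ValueError(f"unit {j} is not a valid {amount} unit")
    return pow(blinded[keep], D, N)          # (m_i * b_i^e)^d = m_i^d * b_i

def withdraw(amount, k=5, keep=0, forged=None):
    """Full withdrawal. `keep` is the unit the bank leaves unopened;
    `forged` is the index of a unit secretly made for 100x the amount."""
    units = [make_unit(amount * 100 if j == forged else amount) for j in range(k)]
    opened = {j: u for j, u in enumerate(units) if j != keep}
    signed = bank_sign([u["blinded"] for u in units], opened, keep, amount)
    u = units[keep]
    sig = signed * pow(u["b"], -1, N) % N    # remove the blind: b_i^-1 leaves m_i^d
    return u["amount"], u["serial"], sig

def verify(amount, serial, sig):
    """Merchant or bank: with the public key, sig^e mod N must equal m."""
    return pow(sig, E, N) == encode(amount, serial)
```

The bank never sees the serial number of the unit it signs, and it only catches a forged unit when that unit is among the k - 1 it opens, so the check succeeds with probability (k - 1)/k.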
Problem! 
¨When the merchant receives the coin, it still 
has to be verified 
¨The merchant has to have a connection with 
the bank at the time of sale 
¨This protocol is anonymous but not portable
How to make it off-line
Secret Splitting 
¨ A method that splits the user ID into n parts
¨ Each part on its own is useless but when
combined will reveal the user ID
¨ Each user ID is XORed with a one-time pad, R
Cont… 
¨ E.g. User ID = 2510, R = 1500:
¨ 2510 XOR 1500 = 3090
¨ The user ID can now be split into 2 parts,
i.e. 1500 and 3090
¨ On their own they are useless but when
XORed together they reveal the user ID
¨ i.e. 1500 XOR 3090 = 2510
A Typical Coin 
¨Header Information 
¨Serial number 
¨Transaction Item – pairs of user ID’s 
¨ User ID: 
1500 3090 
4545 6159 
5878 7992
A Typical Coin 
¨Header Information 
¨Serial number 
¨Transaction Item – pairs of user ID’s 
¨ User ID: 
1500 XOR 3090 = 2510 
4545 XOR 6159 = 2510 
5878 XOR 7992 = 2510 
User ID
Blanking 
Randomly blank one side of each identity pair 
¨ User ID: 
0 3090 
4545 6159 
5878 7992
Blanking 
Randomly blank one side of each identity pair 
¨ User ID: 
0 3090 
4545 0 
5878 7992
The coin is now 
spent 
You can no longer tell who owns the coin 
¨ User ID: 
0 3090 
4545 0 
5878 0 
•Merchant would now deposit this coin into the 
bank
The coin is copied and spent at 
another merchant 
•Before the user spent the coin the first time, the user 
made a copy of it 
¨ User ID: 
1500 0 
4545 0 
0 7992 
•Merchant would now deposit this coin into the 
bank
How can we catch 
the user? 
¨ Original Coin 
¨ User ID: 
0 3090 
4545 0 
5878 0 
¨ Duplicate Coin 
¨ User ID: 
1500 0 
4545 0 
0 7992 
This is what is in the bank
How can we catch 
the user? 
¨ Original Coin 
¨ User ID: 
0 3090 
4545 0 
5878 0 
¨ Duplicate Coin 
¨ User ID: 
1500 0 
4545 0 
0 7992 
This is what is in the bank 
3090 XOR 1500 = 2510 
5878 XOR 7992 = 2510 
User ID
Probability of catching the culprit 
¨Depends on the number of the identity 
strings used 
¨Probability of catching a user is: 
– $1 - (1/2)^n$, where n is the number of identity strings
E.g. n = 5, the probability of catching a user is: 0.97
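The secret splitting, blanking and double-spend detection from the preceding slides, as an added Python example (not code from the presentation). Function names are hypothetical, and a blanked half is stored as None rather than the 0 shown on the slides.

```python
import secrets

def split_id(user_id, n, bits=16):
    """Split user_id into n identity pairs (R, user_id XOR R), fresh pad R per pair."""
    pairs = []
    for _ in range(n):
        r = secrets.randbits(bits)
        pairs.append((r, user_id ^ r))
    return pairs

def spend(pairs, challenge=None):
    """Blank one side of each pair: bit 0 blanks the left half, bit 1 the right half.
    The slides write a blanked half as 0; None is used here so a real 0 stays distinct."""
    if challenge is None:
        challenge = [secrets.randbelow(2) for _ in pairs]
    return [(None, right) if bit == 0 else (left, None)
            for (left, right), bit in zip(pairs, challenge)]

def recover_id(deposit_a, deposit_b):
    """Bank: two deposits of the same coin. Any pair blanked on opposite sides
    gives both halves, and XORing them reveals the user ID. None if no such pair."""
    found = set()
    for (l1, r1), (l2, r2) in zip(deposit_a, deposit_b):
        if l1 is None and r2 is None:
            found.add(r1 ^ l2)
        elif r1 is None and l2 is None:
            found.add(l1 ^ r2)
    if len(found) > 1:
        raise ValueError("identity pairs disagree: malformed coin")
    return found.pop() if found else None

def catch_rate(user_id, n, trials=20000):
    """Fraction of simulated double spends where the bank recovers the ID."""
    pairs = split_id(user_id, n)
    hits = sum(recover_id(spend(pairs), spend(pairs)) == user_id for _ in range(trials))
    return hits / trials

# The coin from the slides: three identity pairs, all hiding user ID 2510.
SLIDE_COIN = [(1500, 3090), (4545, 6159), (5878, 7992)]
ORIGINAL = spend(SLIDE_COIN, [0, 1, 1])    # 0 3090 / 4545 0 / 5878 0
DUPLICATE = spend(SLIDE_COIN, [1, 1, 0])   # 1500 0 / 4545 0 / 0 7992
```

A double spend goes unattributed only when both merchants happen to blank every pair on the same side, which is the $(1/2)^n$ term in the formula above.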
Reusability 
¨Once the coin has been spent the merchant 
has to deposit it to the bank 
¨Therefore, coin can only be spent once 
¨Convenience, ability to give change, 
unnecessary transactions between bank and 
merchant 
¨ Bank's database size – fewer serial numbers
¨Solution – Add the new User ID to the coin
Setup 
ID=HIREN 
ID=KEVIN 
ID=AMIT
Coins 
¨ Users Coin 
¨ User ID: 
A MIT 
AM IT 
AMI T
Amit spends his coin at Hiren's shop
The coin will now look like this:
Amit no longer owns the coin, it is bound to Hiren
User ID: 
A 0 
0 IT 
AMI 0 
HI REN 
HIR EN 
H IREN
Hiren can now go and spend his 
coin at Kevin's shop 
The coin looks like this: 
User ID: 
A 0 
0 IT 
AMI 0 
HI REN 
HIR EN 
H IREN
Hiren can now go and spend his 
coin at Kevin's shop 
The coin will now look like this: 
User ID: 
A 0 
0 IT 
AMI 0 
0 REN 
0 EN 
H 0 
KE VIN 
K EVIN 
KEV IN
Size Matters! 
¨Coin m = (Serial num, denomination, 
Transaction list (transactions * user ID), 
Other Header info) 
¨Limit size by Validity Period and/or 
max Transactions
Other proposals 
¨ What if you want to buy something that costs
£4.99 and you have a £5 coin?
¨Would have a ‘file’ for every coin 
[Diagram: tree of coin values: £4 at the top, £2 £2 below it, £1 £1 £1 £1 at the bottom]
Fair Blind Signatures 
¨Possible solution to undetectable money 
laundering or ransom demands 
[Diagram: Sender, Signing protocol, Signer; Message-signature pair, Un-linkable, View of protocol; Judge]
Conclusion 
¨Feasible from a purely technological 
perspective 
¨ Anonymity is at the heart of the
government's attack
¨Cannot attract funding
Advantages: 
¨ Convenience 
¨ Secure 
¨ Handling costs 
¨ Time saving 
¨ Transaction Costs
Global Disadvantages 
¨ Safety Issue 
¨ Physical Securities 
¨ Users Issue 
¨ Legal problems
Questions?
