Internet Payment and DigiCash

What is DigiCash? DigiCash is a block of bits (normally more than 100), which represent a specific amount of money Digicash is the electronic equivalent of real paper cash, which try to achieve the same functionality of the real cash over Internet DigiCash, theoretically, must be anonymous, untraceable.

Why need DigiCash? Full Privacy Security Versatility DigiCash is anonymous, unconditionally untraceable Security the security of Digicash is unmatched in scope and cost effectiveness Versatility Whatever is exchanged, between businesses, governments, customers, clients, or citizens, the electronic cash is the medium of choice. Achieve Micro-payment customers do not need open accounts in every merchant

Transaction details (Ecash) ECash is the DigiCash solution of DigiCash Inc. Ecash is real anonymous, untraceable solution. The Ecash system consists of three main entities: banks, who mint the coins buyers, who have accounts in a bank, from which they can withdraw and deposit merchants, who can accept Ecash coins in payment for goods special client and merchant software is required to use the Ecash system. The client’s software is called ‘cyberwallet’ and is responsible for withdraw, deposit coins from a bank, and paying or receiving coins from a merchant

What buyers do? Open an account in the bank withdrawing the coins calculate the amount of coins needed and denominations. generate a big digital number in cyberwallet. blind the digital number using blind signature package it and send it to bank bank sign the coins, take same amount of money from the account and send it back users unblinded the number, and ready to spend Spending User collect enough unblinded Digicash and submit to merchant

What Banks do? Withdrawing Spending bank will keep his signed blind number in database, this number can not be used as Digicash though this blind number has his signature on it Spending Bank first checks the DigiCash number is not one of his signed blind number Bank also checks the digicash has never been deposited before. This prevent double spending. Then bank will accept the Digicash, deposit and credit the amount to the merchant’s account. Then send signed indication to both merchant and buyer, transaction completed.

What merchants do? Merchant open an account in bank In spending Merchant software will validate Digicash first by checking bank signature, then send it to bank to check double spending. If merchant receive the valid indication, He will send the indication and goods to the buyers

Typical Ecash Spending (on line) 6. Send change /indication back

How Digicash works ? Blind signature denomination solution which is the key to implement the Digicash anonymity denomination solution fixed one cent solution multi-note solution one note solution Cooke-jar for change which is used to solve the change problem of the one note solution Double Spending online double spending check offline double spending check

Blind Signature (1) Bank private key: d, p, q (pq=n) Bank public key: e, n customer software create a big random number X and a random factor r, and compute Xre mod n. bank signs it as (Xre )d mod n, deposit signed number and send it back to the customer customer get Xd r mod n, divide it by r, get real signed number Xd mod n, which is valid Digicash. because the bank does not know r, there is no way the bank can trace Xd to Xd r. The customer get fully anonymous digital cash, which can be used anywhere and untraceable.

Blind Signature (2) Bank User xr e mod n (xre)d = rxd mod n User can get: xd = r xd / r mod n e, and d are bank’s public key and private key respectively. X is the real number, rxd is blind signature and xd is real signature

Denomination (1) Fixed note How to determine the denomination of a Digicash? Easiest way is to assign every note one cent Problem need more computation power and communication is slow, because every payment need to send and validate a lot of notes. Database growing too fast Example: 1 note  Bank signs it  1 note == 1 cent $31.84 ===> 3184 different notes! It is not practical for general payment! But it may be acceptable for MicroPayment

Denomination (2) Multi-Note Solution Bank prepared a series of key pairs, which are (d1,e1), (d2, e2), (d3, e3),... (di, ei)…. In specific order. Each eCash is signed by only one key, specific key signature represents specific amount of money as follows: (d1,e1) --->1 (20) cents, (d2, e2) ---> 2 (21) (d3, e3) ---> 4 (22), (d4, e4) --->8 (23) …... (di, ei) ---> 2(i-1) cents Example: $31.84 = 1 1 0 0 0 1 1 1 0 0 0 0 $31.84 = (n1)d12 + (n2)d11 + (n3)d7 + (n4)d6 + (n4)d5 n1 signed by d12, so it represent 2(12-1) = 2048 cents Only five note needed

Denomination (3) One Note Solution As multi-note solution, Bank has a series of keys and each represents specific amount of money. Every number can be signed by any combination of the keys, and denomination of the signed number is then determined by the combination of signing keys Example: $ 31.84 = 1 1 0 0 0 1 1 1 0 0 0 0 $ 31.84 = (n1)d12*d11* d7*d6*d5 $ 31.84 = (d12)2048 + (d11)1024 + (d7)64 + (d6) 32 + (d5)16 any amount of money can be signed in one note In order to avoid bank to trace your cash according to unique withdrawing, user can withdraw only specific amount of money, ex. 50¢, 100¢, 500¢ etc.

Denominations (4): One note withdraw n re mod n (n * re)d = r nd mod N Bank User e=e5*e6*e7*e11*e12 d=d5*d6*d7*d11*d12 unblind it, So user gets: nd User spends $31.84: Show n and nd , and claim it 3148¢, so merchant can use specific e=e5*e6*e7*e11*e12 to verify.

One Note Denomination Problems How is the unspent value returned to the payer? Dr. David Chaum proposed three online schemes: Cookie Jar Declared note value Hidden note value

User Bank Cookie jar (1) Withdraw H(n1) * r1e , H(n2) * r2e Assume a user withdraw two 15 cent notes 15 = 1 1 1 1 e = e1*e2*e3*e4 d = d1*d2*d3*d4 User H(n1) * r1e , H(n2) * r2e Bank H(n1) d * r1 , H(n2) d * r2

Cookie jar (2) First Payment The user want to spend 10 cents 10 = 1 0 1 0, Change: 15 - 10 = 5 = 0 1 0 1 Bank will use e = e1*e2*e3*e4 to verify n1 worth 15, then deposit n1, sign blind cookie jar j, and return it to user User n1, f(n1) , 15, 10, H(j) * s1(e1*e3) Bank H(j) d1*d3 * s1 f(n1) = H(n1)d1*d2*d3*d4 H(j) * s1(e1*e3) is blind number to hold change

Cookie jar (3) Second Payment User spend 3 cents with note n2, which worth 15 cents 3 = 0 0 1 1 ( (e1,d1), (e2,d2) ) change 15-3 = 12 = 1 1 0 0 ( (e3,d3), (e4,d4) ) n2, f(n2) ,15, 3, f(j) * s2(e3*e4) Bank User f(j) (d3*d4) * s2 f(n2) = H(n2)d1*d2*d3*d4 f(j) = H(j)d1*d3

Bank Cookie jar(4) Deposit j, H(j) (d1*d3*d3*d4) , 5, 12 User User use only one cookie jar to collect all change with DigiCash payment Later, user can deposit cookie jar during the withdraw of the next batch of notes User should present change collection history in order to deposit cookie jar j, H(j) (d1*d3*d3*d4) , 5, 12 Bank User

Double Spending (1) Since e-money is just a bunch of bits, a piece of e-money is very easy to duplicate. the copy is indistinguishable from the original, so counterfeit would be impossible to detect. Online solution Online e-money will require merchants to contact the bank’s computer with every sale. The bank computer maintains a database of all the spent pieces of e-money and can easily indicate to the merchant if a given piece of e-money is still spendable. Imagine how big the database will be after 10 years?

Double Spending(2) Offline There are three proposed offline solution Smart card. It has a tamper-proof chip which keeps a mini database of all the pieces of e-money spent by that smart card. If the owner of the smart card attempts to copy some e-money and spend it twice, the imbedded chip would detect the attempt and would not allow the transaction.

Double Spending (3) Offline For identified e-money: Identified offline e-money systems accumulate the complete path that e-money made through the market. The particulars of each transaction are appended to the piece of e-money and travel with it as it moves from person to person, merchant to vender. When the e-money is finally deposited, the bank checks its database to see if the piece of e-money was double spent.

Double Spending(4) Offline Soution Third offline solution is more complicated Before accepting an off-line payment, the payee's equipment issues an unpredictable challenge to which the user's equipment must respond with some information about the note number. By itself, this information discloses nothing about the user. But if the user spends the note a second time, the information yielded by the next challenge gives away his identity when the note is ultimately deposited. Good idea, implementation is very complicated.

Dr. David Chaum Ph.D. in Computer Science, with minor in Business Administration from the University of California at Berkeley and taught at New York University Graduate School of Business Administration and at the University of California. He built up a cryptography research group at the Center for Mathematics and Computer Science (CWI) in Amsterdam and during this time also founded DigiCash. In 1993, he left CWI to become CEO of DigiCash. He is also the inventor of Blind signature.

DigiCash, Inc. Founded at 1990 and headquartered in Amsterdam. Main product: eCash Deutsche Bank 24, the first bank, provides access to eCash payments free of charge to all banked households in Germany. Two Australian banks, St. George Bank and Advance Bank have piloted DigiCash's eCash, and Nomura Research Institute markets eCash to financial institutions in Japan. The first American Bank to test its eCash is Mark Twain Bank. DigiCash, Inc. Bankrupted at 1998

Comments on Bankruptcy It is beautiful, elegant, socially desirable technology, but it is flat on the ground because it has been particularly weak at associating its technology proposal with all the other elements that are necessary for transforming a technology from an idea into something that actually works. DigiCash was too good a technology, too precisely thought out and over-developed. It was so well constructed that nobody dared to fiddle with it The product technologically, economically, legally, politically, socially, and culturally so complex.

Problem of ECash Blind signature introduces the anonymity, also It introduce problems: First, the uncontrolled database because the bank has to keep all spent e-money Second, It put too much pressure on the key protection. Once the key is lost or the basic algorithm become not secure, the whole system is at risk. Third, because its full anonymity, It can be used to launder money. No government will like it. The implementation of the system is also too complicated. User side required software and even hardware inhibits customers to participate.

“Identified” Electronic Money Identified e-money contains information revealing the identity of the person who originally withdraw the money from the bank, so it enable the bank to track the money as it moves through the economy. Identified money note is created by the bank, so the bank can put expire date and other control information into the note. So it is more controllable. The bank only need to store current active e-money, so the database is much more scalable than anonymous e-Money Most of the MicroPayment solutions use the idea of identified e-Money.

Other Companys and their DigiCash Compaq Computer Millicent It is identified E-money, it has value and expire date field in it, It can provide anonymous buy from the merchant. Every coin can be used only once, an new coin with the change will be signed to the user. The coin database is scalable. CyberCash CyberCoin Cybercoin is service designed for MicroPayment IBM NewGenPay (was Minipay) A secure and user-friendly solution for Micropayment can be built on top of the Valuto System.