University of Virginia, Department of Computer Science
CS551: Security and Privacy on the Internet, Fall 2000

Digital Cash Protocols

Properties of Physical Cash

  1. Universally recognized as valuable
  2. Easy to transfer
  3. Anonymous
  4. Heavy
  5. Moderately difficult to counterfeit in small quantities
  6. Extremely difficult to get away with counterfeiting large quantities

Digital Cash, Protocol Attempt #1

  1. Alice prepares 100 money orders for $1000 each.
  2. Puts each one in a different sealed envelope, with a piece of carbon paper.
  3. Gives envelopes to bank.
  4. Bank opens 99 envelopes and checks that each contains a money order for $1000.
  5. Bank signs the remaining envelope without opening it (signature goes through carbon paper).
  6. Bank returns envelope to Alice and deducts $1000 from her account.
  7. Alice opens envelope, and spends the money order.
  8. Merchant checks the Bank's signature.
  9. Merchant deposits money order.
  10. Bank verifies its signature and credits Merchant's account.

Digital Cash, Protocol Attempt #2

  1. Alice prepares 100 money orders for $1000 each, adds a long, unique random ID to each note.
  2. Puts each one in a different sealed envelope, with a piece of carbon paper.
  3. Gives envelopes to bank.
  4. Bank opens 99 envelopes and checks that each contains a money order for $1000.
  5. Bank signs the remaining envelope without opening it.
  6. Bank returns envelope to Alice and deducts $1000 from her account.
  7. Alice opens envelope, and spends the money order.
  8. Merchant checks the Bank's signature.
  9. Merchant deposits money order.
  10. Bank verifies its signature, checks that the unique random ID has not already been spent, credits Merchant's account, and records the unique random ID.

Blind Signatures

  1. Alice picks random k between 1 and n.
  2. Sends Bank t = m k^e mod n. (e from the Bank's public key.)
  3. Bank signs t using private key d. Sends Alice:
    t^d = (m k^e mod n)^d mod n = (m k^e)^d mod n ≡ m^d k^(ed) mod n ≡ m^d k mod n.
  4. Alice divides by k to get s_m = m^d mod n.







Digital Cash Protocol (Final)

  1. Alice prepares n money orders each containing:
    • Amount
    • Uniqueness String: X
    • Identity Strings: I_1 = (h(I_1L), h(I_1R)), ..., I_n = (h(I_nL), h(I_nR)).
      Each (I_iL, I_iR) pair reveals Alice's identity, I = I_iL XOR I_iR.
      h is a secure, one-way hash function.
  2. Alice blinds (multiplies by random k) all n money orders and sends them to bank.
  3. Bank asks for any n - 1 of the random k_i's and all of their corresponding identity strings.
  4. Bank checks money orders. If okay, signs the remaining blinded money order, and deducts amount from Alice's account.
  5. Alice unblinds the signed note, and spends it with a Merchant.
  6. Merchant asks Alice to randomly reveal either I_iL or I_iR for each i. (Merchant chooses random n-bit selector string.)
  7. Alice sends Merchant corresponding I_iL's or I_iR's.
  8. Merchant uses h to confirm Alice didn't cheat.
  9. Merchant takes money order and identity string halves to bank.
  10. Bank verifies its signature, and checks uniqueness string. If it has not been previously deposited, bank credits Merchant and records uniqueness string and identity string halves.
  11. If it has been previously deposited, bank looks up previous identity string halves. Finds one where both L and R halves are known, and calculates I to identify Alice. Arrests Alice.
  12. If there is no i for which different halves are known, arrest Merchant.
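
The identity-string mechanism in steps 1 and 6 through 12, as an added example that is not part of the original handout. It assumes SHA-256 for h and leaves out blinding and the bank's signature check; all function and class names, the sample identity and the selector strings are constructed for illustration.

```python
import hashlib
import secrets

def h(data):
    # SHA-256 stands in for the handout's one-way hash h (assumption).
    return hashlib.sha256(data).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_identity_pairs(identity, n):
    # Step 1: n pairs (L, R) with L XOR R = I; L is fresh randomness per pair.
    lefts = [secrets.token_bytes(len(identity)) for _ in range(n)]
    return [(left, xor(left, identity)) for left in lefts]

def commit(pairs):
    # The identity strings written on the money order: (h(L), h(R)) per pair.
    return [(h(left), h(right)) for left, right in pairs]

def reveal(pairs, selector):
    # Step 7: selector bit 0 reveals the L half, bit 1 the R half.
    return [pair[bit] for pair, bit in zip(pairs, selector)]

def merchant_check(commits, selector, halves):
    # Step 8: every revealed half must hash to the committed value.
    return all(h(half) == c[bit] for c, bit, half in zip(commits, selector, halves))

class Bank:
    def __init__(self):
        self.seen = {}  # uniqueness string X -> (selector, revealed halves)

    def deposit(self, x, selector, halves):
        # Steps 10-12; the bank's signature check is omitted here.
        if x not in self.seen:
            self.seen[x] = (selector, halves)
            return "credited", None
        old_selector, old_halves = self.seen[x]
        for i, (old_bit, new_bit) in enumerate(zip(old_selector, selector)):
            if old_bit != new_bit:  # both L and R of pair i are now known
                return "customer double-spent", xor(old_halves[i], halves[i])
        return "merchant deposited twice", None

if __name__ == "__main__":
    pairs = make_identity_pairs(b"alice-0001", 8)   # constructed identity
    bank, x = Bank(), secrets.token_hex(16)
    for sel in ([0, 1, 0, 0, 1, 1, 0, 1], [0, 1, 1, 0, 1, 1, 0, 1]):
        halves = reveal(pairs, sel)
        assert merchant_check(commit(pairs), sel, halves)
        print(bank.deposit(x, sel, halves))
```

Two honest merchants pick the same n-bit selector with probability 2^-n, which is why step 12 treats an identical selector on a repeated deposit as the Merchant's doing.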

David Evans
evans@virginia.edu