A Comparison Of Electronic Cash Schemes and Implementations

ECE 646 Presentation
13 December 2001

Wook Jung, Andrew Kirby, Rajesh Kolluri, Kenneth Shannon, Yeo-won Yoon

Source: ece.gmu.edu/coursewebpages/ECE/ECE646/F09/project/slides_2001/jkksy.pdf

Cold, Hard, Cash

• Advantages
– Highly portable
– No apparent cost
– No audit trail
– $3.4 Trillion exchanged, 300 Billion transactions, avg of $11
– By far, the preferred payment scheme for small anonymous transactions

• Disadvantages
– $1 bills have a finite lifetime (18 months) at 4c per bill
– Large quantities must be secured during transfer
– Can be counterfeited
– Cost is not negligible


[Figure: token flow among User, Merchant and BANK (issuer). Arrow labels: Withdraw Tokens; Make New Tokens; Deposit/Exchange Tokens; Valid Token Indication; Get Receipt; Spend Tokens; Request Payment.]

• User: Makes Payments, Accepts Payments
• Merchant: Sells Items, Accepts Payments, Makes Deposits
• BANK (issuer): Signs Tokens, Charges User Accounts, Keeps Serial # Database

Digital Cash: Six Ideal Properties

• Independence - no vault or geographic location required
• Security - no counterfeiting or double spending
• Privacy (untraceability) - a user’s purchases and identity cannot be linked
• Offline Payment - execution of transfer protocol needs no real-time link to bank
• Transferability - digital cash can flow to another user
• Divisibility - amounts must be easily subdivided to some smallest denomination

Finding: No existing electronic cash scheme meets all six ideals! Data requirements/performance prohibit all 6


Cheating…

• Digital money nothing but a string of bits!
– Bits can be copied more easily than cash
– Anonymity, untraceability, guarantee trouble

• Multiple ways to cheat
– Fraud, Counterfeiting
– Double spending
– HW tampering

• Complex cryptographic protocols necessary
– Blind signatures [Schnorr, Brands, et al.]
– 11 step protocol to prevent cheating by all parties!

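Representative Electronic Cash Schemes

[Figure: matrix classifying schemes by Online transaction vs. Offline transaction and by Traceable vs. Untraceable. Schemes placed in the matrix: Mondex (shown twice); Millicent, MicroMint, Payword; E-cash, Netcash; SET; CAFE.]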


Individual Systems

CAFE

CAFÉ (1)

• Status: developmental 92-95, trial 95-today, no real user base
• Online vs. Offline: offline unless $ > limit
• Protocol: withdraw -> pay -> deposit
• Security: totally open using RSA Public Key, known hashes, blind signatures [Chaum, Schnorr]
• Cheating: not possible for user or merchant
• Anonymity: for user not double spending


CAFÉ (2)

• Restrictions: none on divisibility in the payslip mode
• Fault Tolerance: yes, even if wallet lost
• Operating Systems: special HW wallet not designed for general network use
• Cost: probably under $200 to user
• Performance: slow, cryptographically complex, but not a real-time system

CAFÉ: Digital-Cash Ideals

• Independent? Not entirely – not designed for use over Internet or networks at user end
• Secure? YES, complex cryptographic tools
• Private? YES, to responsible users (not merchants)
• Offline? YES, if below threshold
• Transferable? NO, payment only to merchant
• Divisibility? 2 operational modes: pay slip completely divisible, coins discrete.
• SCORE = 4.5


Blind Signature: Basic Concept

[Figure: envelope-and-carbon-paper analogy. Panel labels: Original Message; Blinding Process (Envelope containing Message and Carbon Paper); Sent to Signer; Envelope is signed (by signer); Signature; Envelope Removed; Signed Message (Message has now been signed).]

Untraceable Cash - Blinding

• Blinded RSA signatures
– One way hash function f
– RSA key pair (PUK, PRK) chosen by bank for each denomination

• Denomination
– Amount (serial number), f(amount $)^PRK

• Withdraw and Spend
– Person to BANK: f($) * R^PUK
– BANK to Person: (f($) * R^PUK)^PRK = f($)^PRK * R
– Person unblinds: f($)^PRK * R / R = f($)^PRK
– Person to Merchant: f($)^PRK
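
The withdraw-and-spend exchange above, together with the bank's serial-number database from the token-flow slide, as an added Python example (not part of the original slides). It uses textbook RSA without padding and a constructed toy key built from two Mersenne primes; the names blind, bank_sign, unblind, verify and Bank are illustrative assumptions.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key for one denomination (constructed values, far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1              # two known Mersenne primes
N = P * Q
PUK = 65537                               # bank's public exponent
PRK = pow(PUK, -1, (P - 1) * (Q - 1))     # bank's private exponent

def f(serial: bytes) -> int:
    """One-way hash f of the coin's serial number, reduced mod N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def blind(serial: bytes):
    """Person: pick a random R and send f($) * R^PUK to the bank."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (f(serial) * pow(r, PUK, N)) % N, r

def bank_sign(blinded: int) -> int:
    """Bank: (f($) * R^PUK)^PRK = f($)^PRK * R. The bank never sees f($)."""
    return pow(blinded, PRK, N)

def unblind(signed_blinded: int, r: int) -> int:
    """Person: divide out R to obtain the coin f($)^PRK."""
    return (signed_blinded * pow(r, -1, N)) % N

def verify(serial: bytes, coin: int) -> bool:
    """Merchant or bank: coin^PUK must equal f(serial)."""
    return pow(coin, PUK, N) == f(serial)

class Bank:
    """Deposit side: the serial-number database that catches double spending."""
    def __init__(self):
        self.spent = set()

    def deposit(self, serial: bytes, coin: int) -> str:
        if not verify(serial, coin):
            return "invalid"
        if serial in self.spent:
            return "double-spend"
        self.spent.add(serial)
        return "accepted"

if __name__ == "__main__":
    serial = secrets.token_bytes(16)      # chosen by the person, unknown to the bank
    blinded, r = blind(serial)
    coin = unblind(bank_sign(blinded), r)
    bank = Bank()
    print(verify(serial, coin), bank.deposit(serial, coin), bank.deposit(serial, coin))
```

The bank signs a value it cannot link to the serial it later sees at deposit, yet the second deposit of the same serial is still rejected.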


Mondex

Mondex (1)

• Status: Production. Wholly owned subsidiary of MasterCard International. Licensed in more than 80 territories worldwide.
• Online vs. Offline: Both Online (Internet, Mondex enabled phones) and Offline (Electronic Purse) capability.
• Cheating: Relatively impossible; the technology capable of making a counterfeit chip is too expensive to be viable.
• Anonymity: Not completely anonymous; merchants can find out the identity of the users.


Mondex (2)

• Security: The security mechanism used in Mondex is not public, but it uses a combination of the following:
– DES signature generation: CBC single/triple DES
– Encryption/decryption: ECB single DES
– RSA: Up to 1024 bit using both normal and CRT modes
– SHA-1
– Asymmetric HASH functions
• Protocol: Value Transfer Protocol

Mondex (3)

• Restrictions: None. Upper limits vary for different countries.
• Fault Tolerance: Yes, even if wallet is lost
• Operating Systems: MULTOS, runs on a H8/3112 Hitachi chip. On PC, the program runs on Windows 3.x or Windows 9x operating systems equipped with SmartMouse card readers.
• Cost: Varies on what the consumer buys
• Performance: 1024 bit RSA executed in 480ms


Mondex Hardware

Mondex: Digital-Cash Ideals

• Independent? Yes – designed for use over Internet or networks at user end

• Secure? YES, complex cryptographic tools

• Private? Partly Anonymous

• Offline? YES, using smart cards

• Transferable? Yes, using smart cards

• Divisibility? Yes, to the lowest

• SCORE = 5.5


Ecash, NetCash

Ecash


Untraceable Cash - Blinding

• Blinded RSA signatures
– One way hash function f
– RSA key pair (PUK, PRK) chosen by bank for each denomination

• Denomination
– Amount (serial number), f(amount $)^PRK

• Withdraw and Spend
– Person to BANK: f($) * R^PUK
– BANK to Person: (f($) * R^PUK)^PRK = f($)^PRK * R
– Person unblinds: f($)^PRK * R / R = f($)^PRK
– Person to Merchant: f($)^PRK

NetCash

• The buyer sends the electronic coins in payment, identifier, secret key, public session key, all encrypted with merchant’s public key, to the merchant.

{Coins, SK[Buyer], K[Public, Buyer], S_id} K[Public, Merchant]

• The merchant checks the coins' validity, sending them to the currency server to be exchanged for new coins or for a cheque.

{Coins, SK[Merchant], transaction_type}K[Public, CS]

• The currency server checks that the coins are valid by checking its database. Then the server returns new coins or a cheque, encrypted with merchant’s session key.

{New_coins}SK[Merchant]

• The merchant knows that he has been properly paid by the buyer. He now returns a receipt, encrypted with his private key and buyer’s secret key.

{{Amount, transaction_id, date}K[Private, Merchant]} SK[Buyer]

[Figure: numbered message flow among Buyer (payor), Merchant (payee) and Currency Server.]


Comparison of Ecash/NetCash

• Overview
– Ecash: Anonymous, untraceable, online token payment system by DigiCash
– NetCash: Real-time payment across multiple administrative domain on an unsecured network by USC
• Online vs offline
– Ecash: Online only
– NetCash: Online but partially support offline when the parties are offline during the final exchange
• OS
– Ecash: Support any kind of platform
– NetCash: Unknown
• Restrictions
– Ecash: Size of the database of spent coins
– NetCash: Fraud by payee is possible
• User-base
– Ecash: No real user base - free trial
– NetCash: No response from the Software Agents Inc.
• Anonymity
– Ecash: Yes. Completely guaranteed by blind signature
– NetCash: Weaker than unconditional anonymity of Ecash but more scalable
• Cheating
– Ecash: No.
– NetCash: Possible
• Protocol Implementation
– Ecash: Triple DES, digital signature, RSA, SHA
– NetCash: Symmetric/asymmetric cipher, digital signature, certificate, hash
• Fault-tolerance
– Ecash: Good. Even if the network fails and coin be lost, it can be recovered
– NetCash: ?
• Cost
– Ecash: Low.
– NetCash: High

Meeting Six criteria

• Independence
– Ecash: Potentially low
– NetCash: Good. Scalable electronic currency that is accepted across multiple administrative domains
• Security
– Ecash: Fully anonymous by blind signature. Payee anonymity is guaranteed in Ecash only
– NetCash: practical level of anonymous less absolute than Ecash
• Privacy
– Ecash: Yes. Guaranteed anonymity
– NetCash: Yes
• Offline
– Ecash: No
– NetCash: Basically online base but partially
• Transferability
– No. None of them allow a note to pass from user to user without the bank's intervention.
• Divisibility
– Ecash: Yes
– NetCash: Unknown
• Score
– Ecash: 4
– NetCash: 3.5


SET

Benefits
• Provides confidentiality thru strong 1024-bit public key encryption vs. 128-bit SSL
• Provides authentication of every party to online transaction
• Provides integrity via hashing and digital signing
• Guaranteed payment to merchant can expand Internet business
• Certificates backed by CA and financial institution

Drawbacks
• Customers reluctant to shop via Internet
• Increased complexity degrades performance – delays!!!
• Expensive to implement - $$$
• Global compliance issues
• Interoperability among software vendors
• Not portable

• Use of smartcards increases customer security


SET / SSL

• AUTHENTICATION OF ALL PARTIES
– SET: All parties including consumers need digital certificates.
– SSL: Usually only the shop is authenticated. However, option for certificate based authentication of client/customer has been added later on.
• MESSAGE INTEGRITY
– SET: 1024-bit encryption
– SSL: 128-bit encryption
• OVERALL SECURITY
– SET: Inherently stronger security design.
– SSL: Less secure. However, recent attempts for adding authentication of client/customer by passwords, certificates or smart cards have added to the security level.
• EASE OF IMPLEMENTATION
– SET: More complex. Needs certification of all involved parties.
– SSL: Easier
• COST
– SET: Greater cost due to certificate process
– SSL: Less expensive

SET Participants

[Figure labels: Cardholder (digital wallet); Merchant (Storefront); Acquirer-Gateway (Payment auth.); Certificate Authority; Electronic Certification; Internet; Electronic Commerce.]


SET: Step by Step

SET: Digital-Cash Ideals

• Independent? YES – designed for use over the Internet, across multiple platforms
• Secure? YES – provided by combination of strong encryption with added integrity via hashing and digital signing
• Private? YES – separate 1024-bit public keys: merchant sees only order information; payment gateway sees only payment instruction
• On-line? YES - payment authorization provided during transaction session
• Transferable? NO - payment request made only from unique computer containing digital wallet.
• Divisibility? YES - divisible to smallest denomination
• SCORE = 5.0


Micropayment

In General

What is Micropayment?

• A type of business transaction that specializes in the sub-dollar range
• On-line services providing newspapers, magazines, or digital information (documents, music, even movies) could be inexpensive if sold separately
• For example, a monthly $20 150-hour Internet Dial-up Service costs 13 cents per hour, a $4 100-page magazine costs 4 cents per page. If you are only interested in a 5-page article, 20 cents will do it
• Pay-per-view, pay-per-login, or pay-per-download…


Micropayment Scheme

• Demands of the protocol make it practical for small payment amounts
• Computation (processing) time and storage requirements must be suitable for low-value (fractions of a cent) and fast transactions
• To reduce processing and storage requirements, minimize the use of public key algorithms and on-line verification
• Apparently, the security of a micropayment scheme is not as good as that of a macropayment scheme

Common Features

• Use token (coin) as a payment for purchasing
• Use fast one-way, collision-resistant hash function (such as MD5 or SHA1) for generating token or signature
• Decentralized validation (off-line processing)
• Provide decent level of security/privacy
• Involve three parties:
– the user (U): makes the purchase
– the vendor (V): sells the goods
– the broker (B): keeps the accounts for U and V
• Token can be generated by all the parties


Basic Flow of Micropayment

[Figure: numbered flow among User, Broker and Vendor.]
1. request coin
2. return coin
3. purchase
4. goods
5. redemption

Six Ideal Properties

• Independence: YES, physical location anywhere
• Security: YES, forgery is possible, but detectable
• Privacy (Untraceability): NO, cannot protect user’s information and payment records are traceable
• Off-line Payment: YES, no need to connect for validation with central authority (the broker)
• Transferability: No, user-specific token is used
• Divisibility: YES, token can represent any denomination
• SCORE = 3.8


Summary

Scheme Independent Secure Private Offline Transferable Divisibility SCORE

CAFÉ Partial YES YES YES NO YES 4.5

Mondex YES YES Partial YES YES YES 5.5

Ecash Partial YES YES NO NO YES 3.5

NetCash YES Partial YES Partial NO YES 4

Micropayment YES Partial Partial YES NO YES 3.8

IKP

SET

Qualitative vs. Quantitative Scoring…


General Conclusions

• All security requirements can be implemented with existing cryptographic tools!
– Authentication, Confidentiality, Integrity
– Privacy / anonymity / untraceability
• Most systems don’t implement all tools
– Complexity, performance penalties
– Not necessary, desirable for every application
• No scheme (Mondex?) with widespread base
• Anonymity may not be essential or a driver

Electronic Cash: Outlook

• Digital cash won’t likely replace cold, hard cash
– Not the vision, not a paperless society…
– Issues of trust for some
• Cheaper HW, SW – no cost barriers to users
– Card readers interfaced to PCs
– Smart-cards, electronic wallets, purses
• Increasing speed, bandwidth - more crypto w/o penalties
– “Moore’s” law valid for another decade
– Complex protocols implemented more easily


Electronic Cash: Outlook

• Schemes should achieve all six ideals
– Anonymity not a driver, nor a threat
– $ Losses comparable to credit cards (for all parties)
– Counterfeiting, fraud, double spending all manageable
• Major questions remain…
– Will US banks / financial institutions wean themselves off profitable credit cards?
– Will pay ahead systems ever compete in US with buy now pay later borrowing?

Time to Party!


Back Up Slides

Categories of Characteristics

[Table with two columns, "User-related category" and "System category". Entries in extraction order: Anonymity; Authorization type; Applicability; Divisibility; Ease of use (Usability); Scalability; Traceability; Reliability; Trust; Efficiency; Convertibility; Interoperability; Security of transactions and database.]