on the viability of digital cash in offline payments - diva portal


Master of Science in Software Engineering: Computer Security
May 2022

On the Viability of Digital Cash in Offline Payments

John Enarsson
Joakim Holgersson

Faculty of Computing, Blekinge Institute of Technology, 371 79 Karlskrona, Sweden

This thesis is submitted to the Faculty of Computing at Blekinge Institute of Technology in partial fulfillment of the requirements for the degree of Master of Science in Software Engineering: Computer Security. The thesis is equivalent to 20 weeks of full-time studies.

The authors declare that they are the sole authors of this thesis and that they have not used any sources other than those listed in the bibliography and identified as references. They further declare that they have not submitted this thesis to any other institution to obtain a degree.

Contact Information:
Author(s):
John Enarsson
E-mail: [email protected]

Joakim Holgersson
E-mail: [email protected]

University advisors:
Docent Siril Yella, Department of Computer Science and Engineering
Doctor Robert Nyqvist, Department of Mathematics and Natural Sciences

Faculty of Computing
Blekinge Institute of Technology
SE-371 79 Karlskrona, Sweden
Internet: www.bth.se
Phone: +46 455 38 50 00
Fax: +46 455 38 50 57

Abstract

Background. As the financial systems around the world become more digitized with the use of card and mobile payments - we see a decrease in willingness to accept cash payments in many countries. These digital payments require a stable network connection to be processed in real time. In rural areas or during times of crisis where these network connections may be unavailable there is a need to resort to some payment method that works offline. Paper cash is preferred by some because of its anonymous nature, and with the realization of blind signatures the concept of digital cash was constructed. Digital cash is a digitized version of the traditional paper cash that values payer privacy and can be spent while both parties are offline with the use of smart cards or other mobile devices. Unlike physical paper cash, digital cash is without additional mitigations easily copied and forged as it only consists of information.

Objectives. The objective of this work is to determine the viability of digital cash as a replacement or complement to today's paper cash. The results will describe our findings on what technologies are necessary to securely exchange digital cash offline, as well as our findings on whether arbitrary payment amounts can be exchanged efficiently and between users of different banks.

Methods. This work consists of threat modeling to identify the technologies necessary to securely exchange digital cash and what they accomplish. An extensive literature study and theoretical evaluations of state-of-the-art digital cash schemes are also part of the work.

Results. The results show that digital cash can be constructed and exchanged securely with various optional features that make it more or less resemble its physical counterpart. With payer anonymity in the center and the inevitable risk of fraudulent users double spending coins - the identified technologies do their best to reduce the cost-effectiveness of double spending. Cryptographic solutions as well as hard-to-tamper-with hardware are the two key technologies for this. Advancements in cryptography have enabled more efficient storage and spending of digital cash with compact wallets and divisible digital cash.

Conclusions. Digital cash has been a theoretical concept for almost four decades and is becoming more secure and efficient by being reconstructed using more modern cryptographic solutions. Depending on the requirements of the payment system, some schemes support arbitrary amount payment exchanges in constant time, between users of different banks, transferability, and some can run efficiently on privacy-assuring hard-to-tamper-with hardware. No scheme can do it all, but this work shines a light on some important considerations useful for future practical implementation of digital cash.

Keywords: Digital cash, offline payments, anonymous payments, digital coin, electronic coin


Summary

Background. As payments are increasingly made digitally with the help of payment cards and mobile phones, we see fewer merchants accepting cash as a means of payment. These digital payments require a stable network connection to be carried out, and in remote places and during crisis situations this connection can become unavailable - which leads to a need for offline payments. Cash is used by some because of its anonymous nature, and with the realization of blind signatures the concept of digital cash emerged. Digital cash is what it sounds like: a digital variant of cash that tries to achieve the same anonymity and to be transferable while both parties are offline, with the help of payment cards or other mobile devices. Unlike physical cash, these digital coins can, without special measures, easily be copied and forged since they consist solely of information.

Objectives. The purpose of this work is to find out whether digital cash can replace or function as a complement to today's cash, and to find out what possibilities exist for an implementation of such a system today. The results will describe our findings on which techniques are needed to securely transfer digital cash offline, as well as our findings on whether arbitrary amounts can be transferred efficiently and between customers of different banks.

Methods. The method we use consists of constructing a threat model to identify the techniques necessary to securely transfer digital cash and to be able to describe what functions they fulfil. The work also includes an extensive literature study and theoretical evaluations of state-of-the-art digital cash systems.

Results. The results show that digital cash can be constructed to be transferred securely with several optional features that make the transfers more or less resemble their physical counterpart. By protecting the anonymity of honest payers, and with an unavoidable risk of double spending, the identified techniques do their best to reduce payment times and the incentive to double spend, with the help of cryptography and special hard-to-tamper-with hardware.

Conclusions. Digital cash has existed as a theoretical concept for almost four decades and is quickly becoming more secure and efficient as it is rebuilt and based on new cryptographic solutions. Depending on the requirements placed on the payment system, it can be built to transfer arbitrary amounts in constant time complexity, between users of different banks, be transferred multiple times like ordinary cash, or with the help of hard-to-tamper-with hardware. No system can do everything today, and this work can help those who want to build a production system with the trade-offs that can be made.

Keywords: Digital cash, offline payments, anonymous payments, digital coins, electronic coins


Acknowledgments

We give thanks to Siril Yella for his assistance, counsel, and proofreading throughout the thesis work. We also want to thank Robert Nyqvist for the provided assistance with proofreading and mathematical discussions throughout the work. Another special thanks go to Henrik Karlsson for helping us with his expertise on mobile payments and giving discussions, guidance and encouragement. Lastly, we are grateful to Ericsson for their provided expertise and for lending us equipment.


Contents

Abstract
Summary
Acknowledgments

1 Introduction
  1.1 Motivation
  1.2 Problem Formulation
    1.2.1 Research Questions
    1.2.2 Scope
  1.3 Thesis Outline

2 Background
  2.1 Digital Cash
  2.2 Counterfeiting of Digital Cash
    2.2.1 Double Spending Prevention
    2.2.2 Double Spending Detection
  2.3 Payer Anonymity
  2.4 Optional Features
    2.4.1 Divisible Coins
    2.4.2 Transferable Coins
    2.4.3 Fair Digital Cash
    2.4.4 Central Bank Digital Currencies

3 Related Work
  3.1 Offline Digital Payments
  3.2 Compact Wallets
  3.3 Coin Divisibility
  3.4 Coin Transferability
  3.5 Fairness
  3.6 Distributed Digital Banking

4 Method
  4.1 State of the Art - Digital Cash
  4.2 Proof of Concept
    4.2.1 Test environment
  4.3 Threat Model
    4.3.1 LINDDUN Methodology
  4.4 Finding Secure and Efficient Schemes

5 Results and Analysis
  5.1 Digital Cash Threat Models
    5.1.1 Threat Model 1: Initial Threats
    5.1.2 Threat Model 2: Adding Blind Signatures
    5.1.3 Threat Model 3: Adding Double Spending Detection
    5.1.4 Threat Mitigation Summary
    5.1.5 Identified Solutions
    5.1.6 Summary
  5.2 Digital Cash for Arbitrary Payments
    5.2.1 Compact Wallets
    5.2.2 Divisible Digital Cash
    5.2.3 Transferable Digital Cash
    5.2.4 Comparison
  5.3 Multiple Banks
    5.3.1 Group Digital Signatures for Digital Cash
    5.3.2 Multiple Bank Digital Cash and Fairness
    5.3.3 State of the Art - Multiple Bank Digital Cash

6 Discussion
  6.1 Aspects Regarding Security of Digital Cash
  6.2 Aspects Regarding Digital Cash Performance and Scalability
  6.3 Aspects Regarding Digital Cash and Law Enforcement
  6.4 Aspects Regarding Viability of Digital Cash
  6.5 Aspects Regarding the Validity of the Study
  6.6 Answers to the Research Questions

7 Conclusions and Future Work
  7.1 Conclusions
  7.2 Future Work
  7.3 Closing Remarks

References

Chapter 1

Introduction

Today's financial systems are to a great extent digitized to enable the use of mobile and credit/debit card payments. This has increased the financial freedom of the general public by enabling services such as online banking and online shopping from anywhere where there is network connectivity. In rural areas where telecommunications may be scarce, or even during temporary disruptions that can occur anywhere - the availability of these services is compromised. When there is no network connectivity we need to resort to offline payment methods such as paper cash payments again. For a long time, there has been a decreasing trend of cash payments as more banks and shops are transitioning towards becoming cashless [4]. As paper cash is being phased out by the market, central banks and service providers around the world have taken an interest in finding a safe and efficient digital replacement for paper cash.

The idea of a digital counterpart that simulates paper cash has been around for some time in the literature. In the simplest form, these schemes include three parties - a bank, a payer (customer), and a payee (merchant) [14]. These parties then participate in four different protocols to complete the scheme. A user first completes the account establishment protocol to open an account with the bank. With an account, the user can then withdraw funds from the online account into its offline electronic wallet linked to that account. Funds from this wallet can then be transferred to complete a payment to the merchant using the spend protocol. Finally, the merchant can deposit the received funds into its account using the deposit protocol. The scheme is considered to be offline if the spending protocol is restricted to interactions between the customer and merchant, i.e. the bank or any other online third party is not involved. A digital cash scheme is untraceable if the probability that the bank in collaboration with the merchant can trace the payment back to the customer is negligible [14].

1.1 Motivation

As paper cash is being phased out, a secure replacement for offline payments is necessary in remote areas and times of crisis. Central banks and service providers around the world are currently evaluating the feasibility of digital cash systems. One of them is the Swedish Central Bank, which is running a pilot project in developing a digital complement to the national currency [37].


The World Cash Report 2018 from G4S summarized studies of how large a share of the population within a country pays with paper cash [4]. Table 1.1 presents the countries included in the study.

Country                    Continent       % Cash   Source
South Korea                Asia            14%      BOK study
Finland                    Europe          54%      ECB Diary Study
Estonia                    Europe          48%      ECB Diary Study
Latvia                     Europe          71%      ECB Diary Study
Lithuania                  Europe          75%      ECB Diary Study
Slovakia                   Europe          78%      ECB Diary Study
Austria                    Europe          85%      ECB Diary Study
Slovenia                   Europe          80%      ECB Diary Study
Greece                     Europe          88%      ECB Diary Study
Cyprus                     Europe          88%      ECB Diary Study
Malta                      Europe          92%      ECB Diary Study
Italy                      Europe          86%      ECB Diary Study
Germany                    Europe          80%      ECB Diary Study
The Netherlands            Europe          45%      ECB Diary Study
Belgium                    Europe          63%      ECB Diary Study
Luxembourg                 Europe          64%      ECB Diary Study
France                     Europe          68%      ECB Diary Study
Spain                      Europe          87%      ECB Diary Study
Portugal                   Europe          81%      ECB Diary Study
Ireland                    Europe          79%      ECB Diary Study
Sweden                     Europe          20%      ECB Diary Study
United Kingdom             Europe          42%      Payments UK Diary Study
Australia                  Oceania         37%      RBA Diary Study
United States of America   North America   32%      FedResSys Diary Study

Table 1.1: Statistics on the usage of paper cash within different countries.

Looking at the statistics provided in Table 1.1 we can see that 17 of the 24 countries listed are above 50% when it comes to paying with paper cash. According to G4S, the percentage of cash transactions is declining in various countries over the world [4]. Since the majority of the countries of the world are still using paper cash, this motivates the work to find a safe and efficient digital replacement for cash. If a correct implementation that is secure enough could be found, it would likely decrease these values even more. Because digital cash could provide the same convenience as online digital payments - the population would likely accept this as a replacement for paper cash [4].

1.2 Problem Formulation

Paper cash is an untraceable payment method that has worked for centuries. With the digitization of the financial system, we have now seen a rapid shift toward the use of online digital payments as they in many ways provide a higher degree of convenience for both payers and payees. Digital cash is an idea of simulating paper cash in the sense that digital payments can be exchanged anonymously while both the payer and payee are offline. Because digital cash only consists of a series of bits in memory it is easily duplicated, and because the transactions are offline, the copied coin will look just as valid as the original and can thus be spent twice, which introduces problems. We approach this work with an interest in finding the necessary techniques used to construct a secure digital cash scheme and finding how viable digital cash is as a replacement for paper cash. For the general public to accept digital cash as a replacement, we see that digital cash should be exchangeable offline while providing strong payer anonymity as well as high security, scalability, and fast transaction times. To find these answers three research questions were formulated. These are presented in Section 1.2.1.

1.2.1 Research Questions

RQ1: How can digital cash be exchanged securely between users of the same bank?

RQ2: How can digital cash payments of arbitrary amounts be exchanged in a secure and high-performance manner?

RQ3: How can digital cash be exchanged between users of different banks in a secure and high-performance manner?

1.2.2 Scope

The scope of this thesis work is limited to critical reviews and theoretical evaluations of existing digital cash systems to answer the research questions. No empirical evidence will be gathered, due to time constraints but also due to limitations in gathering data and setting up a test. When analyzing digital cash systems some assumptions are made, as listed in Section 4.3.1.3. This is done to remove risks common to most computer systems, such as weak authentication and packet sniffing. The scope is therefore limited to the risks introduced by digital cash and digital cash technologies.

1.3 Thesis Outline

This thesis work follows the structure below:

• Chapter 2 presents the background on digital offline payments, theoretical problems, and optional features.

• Chapter 3 presents the history of digital cash and other work on which this research is based and by which it is inspired.

• Chapter 4 presents the execution and implementation of the thesis work.

• Chapter 5 presents the results of the analysis.

• Chapter 6 further discusses the results and answers the research questions.

• Chapter 7 presents the conclusions drawn from this thesis work and also discusses interesting future work.

Chapter 2

Background

2.1 Digital Cash

A digital cash scheme is a type of scheme that allows digital funds/cash to be transferred without network connectivity in a peer-to-peer fashion. Figure 2.1 shows a flow diagram of how digital cash systems are meant to function.

Figure 2.1: Flow diagram of a digital cash scheme.

Unlike online payments, the bank is released from participating in payments with offline payments. After the customer has established an account with the bank, it can make a withdrawal from the bank while being online into its offline balance. The customer can then pay the merchant funds from this offline balance while both parties are offline. Finally, when the merchant is online again, it can deposit the funds into its online balance.

2.2 Counterfeiting of Digital Cash

Transitioning from paper to digital cash is not straightforward as digital cash only consists of information. This means that digital cash is more easily constructed, replicated and manipulated than its physical counterpart. Analogous to paper cash, digital coins can be counterfeited by adversaries constructing valid-looking coins without interacting with the bank. This can be made practically impossible with the use of public-key cryptography and digital signatures. However, if the bank can learn any linkable or otherwise identifiable information about the coin - then payer anonymity is no longer guaranteed. A rogue user obtaining an actual valid coin might also be able to tamper with its wallet device. The coin could then be duplicated and spent more than once. This will result in financial loss to the merchants as the bank cannot accept the same coin more than once.

2.2.1 Double Spending Prevention

One way to attack the counterfeiting problem is to secure the execution environment of the wallet application from tampering [9]. If this were possible then the offline balance could be stored as a continuous value in memory that only the secure wallet software can write to. This would act like an online balance and allow arbitrary payment amounts to be transferred. Unfortunately no such environment has been proven to exist, and if an adversary were able to tamper with the device, a significant financial loss could be expected. Even though not completely tamper-proof, the device could be constructed such that manipulating it is difficult and costly, to reduce the cost-effectiveness of attempting it. Without insight into the device, the user might be discouraged from using it - as there is no guarantee that the device will not leak private data about the user, such as its purchase history.

2.2.2 Double Spending Detection

Another way of attacking the counterfeiting problem is with the use of cryptography and double spending detection. Double spending detection would allow the bank to, with a significant probability, identify a user who maliciously copies and spends the same coin more than once [15]. With a predominant risk of being identified upon double spending, the incentive to double-spend will decrease. For such a solution to be practical and provide payer anonymity, the bank must be able to identify double spenders while not being able to track the financial history of honest customers.
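To make the detection principle concrete, the following Python toy (an added example, not a scheme from the thesis or from [15]) strips the idea down to a linear secret sharing of the payer's identity, which is the mechanism that Chaum-Fiat-Naor-style and Brands-style schemes realize with commitments and blind signatures. The coin holds the identity u and a random secret s; each spend answers a merchant challenge c with r = s*c + u mod p. One transcript is consistent with every possible identity, while two transcripts with different challenges pin u down. The modulus, identities and challenges are constructed values, and the toy omits the commitment that lets a merchant verify the response against the coin, so it illustrates only the bank's identification step and the honest customer's privacy.

```python
"""Toy double-spending detection by linear secret sharing of the payer identity.

Added example (not the thesis' or any cited scheme's code). The coin carries the
payer identity u and a random secret s. Each spend reveals one point (c, r) on
the line r = s*c + u (mod P): a single point hides u perfectly, two points with
different challenges determine u. Parameters below are constructed toy values.
"""
import secrets

P = 2**127 - 1  # prime field modulus (toy parameter, constructed)


def withdraw(identity: int) -> dict:
    """Customer-side coin creation: fresh serial, identity u, random secret s.
    A real scheme also binds (u, s) into a commitment signed blindly by the bank;
    that part is omitted here."""
    return {"serial": secrets.randbits(64), "u": identity % P, "s": secrets.randbelow(P)}


def spend(coin: dict, challenge: int) -> dict:
    """Payer's answer to a merchant challenge: one point on the identity line."""
    c = challenge % P
    r = (coin["s"] * c + coin["u"]) % P
    return {"serial": coin["serial"], "c": c, "r": r}


def secret_consistent_with(transcript: dict, candidate_identity: int) -> int:
    """Given ONE transcript, return the secret s that would make candidate_identity
    the payer. Every candidate has such an s, so one spend reveals nothing about u."""
    if transcript["c"] == 0:
        raise ValueError("challenge 0 would reveal u directly; merchants must not use it")
    return ((transcript["r"] - candidate_identity) * pow(transcript["c"], -1, P)) % P


class Bank:
    """Deposit side: keeps the first transcript per serial and identifies double spenders."""

    def __init__(self) -> None:
        self.seen = {}  # serial -> first deposited transcript

    def deposit(self, transcript: dict):
        """None on the first deposit of a serial. On a repeated serial: the recovered
        identity, or 'unresolved' if both merchants happened to use the same challenge
        (probability 1/P per pair, hence detection 'with significant probability')."""
        serial = transcript["serial"]
        first = self.seen.get(serial)
        if first is None:
            self.seen[serial] = transcript
            return None
        if first["c"] == transcript["c"]:
            return "unresolved"
        # two points (c1, r1), (c2, r2) on r = s*c + u  =>  s = (r1 - r2) / (c1 - c2)
        s = ((first["r"] - transcript["r"]) * pow((first["c"] - transcript["c"]) % P, -1, P)) % P
        return (first["r"] - s * first["c"]) % P


def honest_and_cheating_run() -> tuple:
    """Run one honest coin and one double-spent coin through the bank."""
    bank = Bank()
    honest = withdraw(1001)   # constructed identities
    cheat = withdraw(2002)
    return (
        bank.deposit(spend(honest, secrets.randbelow(P))),  # first deposit: None
        bank.deposit(spend(cheat, 5)),                      # first deposit: None
        bank.deposit(spend(cheat, 6)),                      # second deposit: 2002
    )


if __name__ == "__main__":
    print(honest_and_cheating_run())
```

The honest customer's single transcript is consistent with every identity in the field, which is the information-theoretic privacy the text asks for; the bank only learns something once the same serial arrives twice, and even then only when the two challenges differ, which is why detection is probabilistic rather than certain.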

2.3 Payer Anonymity

Paper cash transactions are untraceable and anonymous. These are vital features digital cash must have to replace paper cash. Completely anonymous payments do however come with some serious difficulties for law enforcement. Anonymous untraceable payments can be abused by criminals to conduct illegal activities such as money laundering, tax evasion, and blackmailing. Digital cash could open a door to make these activities easier to carry out by being easier to carry, exchangeable over long distances, and not necessarily issued by the state. Another form of anonymous digital payment with these possibilities is cryptocurrencies such as Bitcoin [32]. Cryptocurrency payments are commonly used by cybercriminals to safely and unidentifiably get paid after carrying out cyberattacks such as ransomware attacks. Unlike cryptocurrencies like Bitcoin, digital cash is centralized, which gives it other possibilities to handle payer anonymity.

2.4 Optional Features

The required features of digital cash are that it should be infeasible to construct new coins without doing a withdrawal, multiple spending detection/prevention, and payer anonymity while being exchangeable offline. This section presents optional features of offline digital cash schemes that make them more practical.

2.4.1 Divisible Coins

Suppose that a user wants to purchase an item that costs $9.99. It is unlikely that the user has electronic coins whose values add up to exactly that amount. This is for the same reasons that one does not carry around a large amount of cash: loss of interest and fear of the cash being stolen or lost. Coin divisibility is a feature of digital cash that allows the payer to divide a coin into many pieces such that each piece is worth any desired value less than that of the original coin, while the total value of all pieces adds up to the initial amount. With this, exact-amount offline payments can be transferred without having to carry a supply of coins of different denominations. This decreases the traffic on the network during withdrawals as a single coin is transmitted while the user still has the freedom to spend it however they want. It also decreases the traffic during payments as a single coin with the exact amount is transferred and the merchant does not need to return any change.

2.4.2 Transferable Coins

To detect double spending of a coin, it can only be spent a limited number of times before being deposited in the bank. This is because it needs to keep the blinded identifying information of all transfers, resulting in it growing in size each time it is spent. Coin transferability is a property of digital cash which allows the same coin to change hands multiple times without contacting the bank in between. Like physical cash, this enables the merchant to return change and continue replacing change in the register.

2.4.3 Fair Digital Cash

The anonymity in offline digital payments makes it inherit many negative features of physical cash abused by criminals. In the case of criminal actions such as money laundering, robberies, blackmailing, and purchasing of illegal goods, neither the merchant nor the payer can be identified without the fairness property. Fairness is another optional property of digital offline cash that enables a trusted third party (TTP) such as the police authority or central bank to trace coins that were acquired illegally. This feature does not exist with physical cash and might motivate the transition to nationwide adoption of the technology.

2.4.4 Central Bank Digital Currencies

Fiat currency is a government-issued currency that is not backed by a commodity such as gold. Central bank digital currencies are a digital form of a country's fiat currency. Implementing digital cash to function on a nationwide scale is not easy as the number of withdrawals and deposits to process will require extensive computing resources. Today the processing of central bank digital currency transactions is delegated to local banks and is thus scalable. Research on whether digital cash can be implemented as a complement or replacement to paper cash on a nationwide scale is being conducted by the Swedish Central Bank [37]. Today's digital transactions can be completed between users of different local banks because the payments are online and the banks can contact each other and confirm the transfer during the payment. Digital cash, on the other hand, being offline, does not have this possibility. Therefore, the scalability of digital cash would be increased if it could be exchanged between users of different banks in a secure way despite being offline.

Chapter 3

Related Work

3.1 Offline Digital Payments

The idea of a digital currency that simulates paper cash was first proposed by Chaum with the realization of blind signatures [14]. Blind signatures can be used to withdraw a coin and have it signed by the bank without the possibility to trace the coin back to the customer. Since then multiple digital cash schemes have been proposed with various features such as coin divisibility, coin transferability, and fairness. Paper cash is thought to be virtually infeasible to copy, while the digital counterpart is not. This requires the latter to at least have the functionality to detect double spending of a copied coin and be able to identify the cheater, as the risk of it happening is significantly higher. With paper cash, the history of one's purchases is not available for inspection by third parties, such as banks and credit card companies. This should be true for digital cash also. Chaum, Fiat, and Naor introduced the first digital cash scheme with untraceable payments and double spending detection [15]. If Alice spends a coin only once in this scheme, her privacy is protected unconditionally, but if the same coin is spent twice, the bank can trace it to her account and prove it. Another concept was proposed by Brands that uses wallet-observers to prevent double spending from happening [9]. The workload for the wallet-observer was so small that it could be performed by a tamper-resistant smart card capable of performing the Schnorr identification scheme [9].
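The withdraw-spend-deposit flow described in Chapter 1 and the blind-signature withdrawal introduced by Chaum [14] can be exercised end to end with textbook RSA blinding. The Python below is an added example, not code from the thesis or from any cited scheme; the RSA primes are toy values (far too small for real use, and raw RSA on a hash is the textbook construction rather than a production signature), and the coin serial and deposit status strings are constructed. It shows the property the text relies on: the bank signs a blinded value it cannot link to the coin later deposited, while the deposit side still rejects forged signatures and repeated serials.

```python
"""Chaum-style RSA blind signature withdrawal, spend and deposit (added toy example).

Bank key: RSA (N, E, D). Customer picks a coin serial m and blinding factor r,
sends m' = H(m) * r^E mod N. Bank returns s' = m'^D mod N. Customer unblinds
s = s' * r^-1 mod N, which satisfies s^E == H(m) mod N: a bank signature on H(m)
that the bank never saw in the clear. Parameters and serials are constructed.
"""
import hashlib
import math
import secrets

# Toy RSA key (constructed; primes this small offer no security).
_P, _Q = 1000003, 1000033
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))


def hash_to_int(serial: bytes) -> int:
    """Full-domain-style hash of the coin serial into Z_N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(serial: bytes) -> tuple:
    """Customer: blind H(serial) with a random r coprime to N. Returns (blinded, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = (hash_to_int(serial) * pow(r, E, N)) % N
    return blinded, r


def bank_sign(blinded: int) -> int:
    """Bank: signs the blinded value (and would debit the customer's account here).
    From its view `blinded` is a uniformly random element, unlinkable to the coin."""
    return pow(blinded, D, N)


def unblind(signed_blinded: int, r: int) -> int:
    """Customer: strip the blinding factor to obtain the signature on H(serial)."""
    return (signed_blinded * pow(r, -1, N)) % N


def verify(serial: bytes, signature: int) -> bool:
    """Merchant or bank: check s^E == H(serial) mod N. Needs only (N, E), so it
    works offline at the point of sale."""
    return pow(signature, E, N) == hash_to_int(serial)


class Bank:
    """Deposit side: accepts each valid serial once."""

    def __init__(self) -> None:
        self.spent = set()

    def deposit(self, serial: bytes, signature: int) -> str:
        if not verify(serial, signature):
            return "invalid"
        if serial in self.spent:
            return "double-spent"  # same coin presented twice: detected, payer unknown
        self.spent.add(serial)
        return "accepted"


def withdraw(serial: bytes) -> tuple:
    """Full withdrawal: returns (coin signature, the blinded value the bank saw)."""
    blinded, r = blind(serial)
    signed_blinded = bank_sign(blinded)
    return unblind(signed_blinded, r), blinded


def full_flow() -> tuple:
    """Withdraw one coin, deposit it twice, then try a tampered signature."""
    serial = b"coin-serial-0001"  # constructed coin serial
    signature, bank_view = withdraw(serial)
    bank = Bank()
    return (
        verify(serial, signature),
        bank_view != hash_to_int(serial),            # bank's record is not the coin's hash
        bank.deposit(serial, signature),             # "accepted"
        bank.deposit(serial, signature),             # "double-spent"
        bank.deposit(serial, (signature + 1) % N),   # "invalid"
    )


if __name__ == "__main__":
    print(full_flow())
```

Note what this toy does and does not give: the repeated serial is caught at deposit, but nothing in the coin identifies who spent it twice, which is exactly the gap that the double-spending detection of Chaum, Fiat, and Naor [15] closes by embedding identity information that is only revealed on a second spend.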

3.2 Compact Wallets

Designing a digital cash scheme that can handle any amount of payment is not easy, but several solutions exist in the literature. One solution is to have each coin represent the smallest possible denomination. This is equivalent to physical cash only coming in pennies or cents. This would be both inconvenient to carry and impractical to pay with, as thousands of coins would need to be transferred in many transactions. Camenisch et al. partially address this problem by proposing a solution to compact a wallet containing many coins into an acceptable size [10]. In their scheme, a user can withdraw wallets of 2^N coins such that the space required to store them and the complexity of the withdrawal is proportional to N rather than 2^N. Unfortunately, coin tracing is very inefficient in the scheme and each coin must be spent one by one, which still makes it unsuitable for practical use. Au et al. improve upon this by introducing two new spending protocols named compact spending and batch spending, which allow the spending of all or any number of coins in a wallet, respectively, using a single execution [7]. Lian et al. address the coin tracing inefficiency when there are no trusted third parties by leaking coin information in a statistical zero-knowledge way during spending [28].

3.3 Coin Divisibility

Coin divisibility is another solution to handle any amount of payments. The first such scheme was proposed by Okamoto and Ohta and utilized a cut-and-choose method with binary trees [35]. Okamoto presented the first digital cash scheme in which every procedure is executed in the logarithmic order of the precision of divisibility (i.e. N = total coin value / minimum divisible unit value) [34]. What remained the biggest problem after this scheme was realizing the unlinkability among coins divided from the same withdrawal. Without the unlinkability, any party might be able to trace the payer by other means such as correlating locality, date, and frequency - something that is insufficient for strong payer anonymity. Nakanishi et al. presented a scheme that addresses the linkability problem at the cost of all procedures increasing in complexity to order (log N)^2 [33]. Unfortunately, which part of the coin has been spent can still be revealed in this scheme, which could damage anonymity as coins can still be linked this way. Canard et al., still using binary trees, presented a scheme with stronger anonymity that only leaks the level of the spent coin, something that can always be deduced by knowing its value [13]. Their scheme was also the first in which spending and withdrawals could be computed in constant time and proven secure in the standard model. Pointcheval et al. managed to get rid of the tree structure, which further improved efficiency while lowering complexity [36].
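Both the divisible coin of Section 2.4.1 and the binary-tree schemes above rest on one bookkeeping rule: a coin of value 2^L is a complete binary tree whose root is worth 2^L, whose children are each worth half of their parent, and once a node has been used for a payment neither its ancestors nor its descendants may be used again. The Python below is an added example, not code from the thesis or from [35], [34] or [13]; it omits the cryptographic part (the signatures and zero-knowledge proofs attached to the nodes) and shows only the tree arithmetic: how a payer selects nodes for an arbitrary amount, and how a verifier that sees nothing but revealed nodes detects overspending of a coin. Serials and amounts are constructed. It also makes the linkage caveat from the paragraph above visible: a node's level alone gives away how much was paid.

```python
"""Binary-tree divisible coin: node selection and overspend detection (added toy).

A coin with `levels` L is a complete binary tree; a node (level, index) is worth
2^(L - level), so the root (0, 0) is worth 2^L and leaves are worth 1. Rule: a used
node excludes all of its ancestors and descendants. The payer keeps the maximal
unspent subtrees; the verifier keeps every node revealed for a serial.
"""


class DivisibleCoin:
    """Payer-side bookkeeping for one coin of value 2^levels."""

    def __init__(self, levels: int) -> None:
        self.levels = levels
        self.free = [(0, 0)]  # maximal unspent subtrees; at most one per level

    def value(self, level: int) -> int:
        return 1 << (self.levels - level)

    def remaining(self) -> int:
        return sum(self.value(level) for level, _ in self.free)

    def _take(self, block: tuple, target_level: int) -> tuple:
        """Use the leftmost descendant of `block` at target_level; each right
        sibling along the path becomes a new free subtree (buddy split)."""
        level, index = block
        self.free.remove(block)
        while level < target_level:
            level += 1
            index <<= 1
            self.free.append((level, index + 1))
        return (level, index)

    def pay(self, amount: int) -> list:
        """Reveal nodes whose values sum to `amount`, highest power of two first."""
        if amount <= 0 or amount > self.remaining():
            raise ValueError("amount not covered by the coin's remaining value")
        revealed = []
        while amount > 0:
            k = amount.bit_length() - 1  # need a node worth 2^k
            target = self.levels - k
            # Free subtrees have distinct levels, so when amount <= remaining there is
            # always one worth at least 2^k; take the tightest-fitting one.
            block = max((b for b in self.free if b[0] <= target), key=lambda b: b[0])
            node = self._take(block, target)
            revealed.append(node)
            amount -= self.value(node[0])
        return revealed


def is_related(a: tuple, b: tuple) -> bool:
    """True if a equals b or one is an ancestor of the other."""
    (la, ia), (lb, ib) = a, b
    if la <= lb:
        return (ib >> (lb - la)) == ia
    return (ia >> (la - lb)) == ib


def payment_value(nodes: list, levels: int) -> int:
    """The amount a payment is worth is readable from node levels alone."""
    return sum(1 << (levels - level) for level, _ in nodes)


class Verifier:
    """Bank-side check: a node may be revealed at most once per serial, and never
    together with one of its ancestors or descendants."""

    def __init__(self) -> None:
        self.revealed = {}  # serial -> nodes revealed so far

    def accept(self, serial: str, nodes: list) -> bool:
        seen = self.revealed.setdefault(serial, [])
        for i, node in enumerate(nodes):
            if any(is_related(node, other) for other in seen + nodes[:i]):
                return False  # overspend or double spend detected
        seen.extend(nodes)
        return True


def demo() -> tuple:
    """A 16-unit coin pays 9 then 7; a replay of a used node and a payment that
    overlaps its own ancestor are rejected. Serials are constructed."""
    coin = DivisibleCoin(4)
    verifier = Verifier()
    first = coin.pay(9)
    second = coin.pay(7)
    return (
        first,                                        # [(1, 0), (4, 8)]
        payment_value(first, 4),                      # 9
        coin.remaining(),                             # 0
        verifier.accept("coin-A", first),             # True
        verifier.accept("coin-A", second),            # True
        verifier.accept("coin-A", [(1, 0)]),          # False: node replayed
        verifier.accept("coin-B", [(2, 0), (3, 1)]),  # False: (3, 1) lies under (2, 0)
    )


if __name__ == "__main__":
    print(demo())
```

The verifier never needs the payer's identity to reject an overspend, which is the detection side of divisibility; the linkability problem the paragraph describes is also visible here, since every payment from the same serial lands in the same `revealed` entry and the levels of the nodes reveal the amounts paid.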

3.4 Coin Transferability

Coin transferability - another solution that more closely simulates paper cash - was analyzed by Chaum and Pedersen [16]. They looked at how the same coin can change hands multiple times during its life cycle until it is finally deposited, while still allowing the bank to discover the identity of a double-spender with significant probability. To allow this, it is shown that extra bits need to be associated with the coin. Fuchsbauer et al. proposed a scheme that separates these extra bits from the actual coin, thus allowing the coin to stay constant in size [22]. The extra bits are instead kept as a receipt on the side that can be used later to prove innocence in a double spending dispute. Because the coins remain constant in size, the amount of data a user has to deal with is now proportional to the number of coins he has received - rather than the path the coins took until reaching him. These schemes have some drawbacks in terms of privacy as all users that have held a double-spent coin will be identified on the road to tracing the actual double-spender. In the latter, a lost receipt could also make an innocent user unable to prove his innocence.


3.5 Fairness

The anonymity provided by blind signatures can be abused by criminals in ways that physical cash cannot, enabling new "perfect crimes" from which criminals can easily get away without leaving any trace. Von Solms and Naccache present a scenario that demonstrates how blind signatures can be abused in blackmailing to safely obtain a ransom [39]. Stadler et al. proposed a new type of blind signature called fair blind signatures [38]. When these signatures are used in electronic cash schemes, a trusted entity can deliver information that allows the signer to link its view of the protocol to the message-signature pair. Essentially, this allows a trusted third party such as the police to unconditionally revoke the anonymity of a payment transaction. Unconditional tracing paired with payer anonymity is inherently contradictory, but likely required for some digital cash systems, such as central bank digital currencies. Using group signatures, Hou and Tan constructed a scheme that requires the cooperation of both the bank and a trusted third party to trace the transaction owner [24]. This scheme assumes that all customers have the same bank, which limits its usability. Li et al. constructed a fair scheme with support for multiple banks and a single tracing authority [27].

3.6 Distributed Digital Banking

Distributed digital banking allows a large group of banks to co-exist, monitored by a central bank, where each bank can dispense electronic cash. By combining blind signatures with group signatures, Lysyanskaya and Ramzan constructed a group digital signature scheme for digital cash that supports multiple banks [29]. With a digital cash implementation like this, the merchant should only need to invoke a single universal verification procedure based on a group public key to ensure the validity of any digital coin received. No bank should be able to trace the digital coins it issues, allowing customers to spend anonymously. A group public key should exist whose size is independent of the number of participating banks and which does not change when additional banks join the group. The central bank should be the only entity that can tell which bank in the group issued a digital coin, which adds an extra layer of anonymity since the customer's bank is concealed during spending. Lastly, no entity, including the central bank, should be able to issue digital cash on behalf of another bank in order to frame it. For Lysyanskaya and Ramzan's scheme to work offline with double spending detection, all customers need to join a group separate from the banks, in which the group manager is referred to as a "passive trustee". This passive trustee acts as the anonymity-revoking party in schemes with the fairness property and can unconditionally extract the identity of the customer from a withdrawal.

Chapter 4

Method

4.1 State of the Art - Digital Cash

A systematic literature review was conducted to develop the research idea, scope, and questions and to find appropriate theoretical frameworks to analyze and interpret the findings. The main sources of literature were found via three search engines: BTH Summon [1], Google Scholar [2], and IEEE Xplore [3]. Initial articles were identified with the following keyword searches: digital cash, anonymous digital payments, double spending, and offline digital payments. Relevance and validity were determined by the title, summary, method, number of citations, and venue of publication. To find more relevant articles and decide which ones to include in our work, we then employed the snowballing method as described by Wohlin [42]. Snowballing is a systematic and iterative method for identifying relevant articles from a start set of diverse articles. This start set included publications from different years, authors, and publishers, including Springer Publishing, IEEE and ICT Express, for diversity purposes. The method was used to examine and extract as much information as possible from each article in the start set before moving on to a new paper. Before deciding whether an article was to be included, the full paper was examined to decrease the number of rollbacks. We then employed backward snowballing to identify new possibly relevant articles based on the reference list of the iteration's article. To decide whether a new article was to be excluded or included, we began by looking at basic criteria such as language, publication year, and type of publication. Then the abstract was read, followed by further parts of the paper until a definitive decision could be taken. Following this, we employed forward snowballing, which is the process of identifying articles citing the article of the iteration. The decision to exclude or include a paper was taken based on the same criteria as for backward snowballing. 
A diagram of the process we followed isillustrated in Figure 4.1.

Figure 4.1: Snowball method for literature review.



4.2 Proof of Concept

Entering this project, the initial idea was to develop a proof of concept wallet application to answer the research questions using primary experimental data. As the literature study progressed, we realized that there exist fundamentally different solutions for handling both arbitrary payment amounts and double spending detection/prevention that are worth covering to answer the questions more thoroughly. We decided to formulate our research questions with security and performance in mind, as many works already include theoretical proofs of concept that we can use to answer the questions instead. Theoretical performance is presented for many of the schemes included in the literature study, and these figures will be used to answer the performance parts of the research questions. Lack of resources such as a test environment, necessary equipment and data was another factor that stopped us from creating a proof of concept. As performance will vary heavily with factors such as the number of users, parameter size, execution environment, and whether double spending detection or prevention is employed, we leave experimental evaluation as future work. To follow a systematic approach to possible security threats, we decided to construct one or more threat models and find solutions based on the proofs of concept of three basic digital cash schemes. See Section 4.3 for how the threat model(s) are constructed.

4.2.1 Test environment

Setting up a test environment to fully complete the proof of concept was estimated to take far more time than expected. As mentioned above, the current proofs of concept are purely theoretical. Had we conducted full-scale proofs of concept in a test environment based on the data collected during the literature review, multiple proofs of concept would have been required, because some of the modules or optional features are not compatible with each other and each needs a stand-alone scheme.

4.3 Threat Model

Our literature study led us to realize that an experimental approach to evaluating security and performance would not be feasible for us, as the outcome depends on which features a scheme includes, meaning much would be left out of the answers to the research questions. Some features are outright incompatible with each other, and some become redundant together, which led us to search for an alternative process to systematically evaluate security threats to the identified schemes. This led us to evaluate security via threat modeling. Threat modeling is a systematic process of identifying threats that can cause harm to an application or computer system, thus improving the security understanding of the system. The initial idea was to follow Microsoft's STRIDE methodology. As we realized that the proofs of concept we will evaluate are theoretical and do not specify how communication between entities is carried out, how the bank handles customer registrations, or what happens if the bank is non-compliant, we began searching for other threat modeling methodologies that better address the threats to digital cash schemes. After consideration, we found the LINDDUN threat modeling framework, which is designed as a privacy threat modeling methodology.

4.3.1 LINDDUN Methodology

LINDDUN is a privacy threat modeling framework proposed by Deng et al. [19].Each letter in "LINDDUN" represents a privacy threat type obtained by negating aprivacy property. These are as follows:

1. Linkability - Being able to sufficiently distinguish whether two IOIs (items of interest) are linked or not, even without knowing the actual identity of the subject of the linkable IOIs.

2. Identifiability - Being able to sufficiently identify the subject within a set ofsubjects (i.e. the anonymity set).

3. Non-repudiation - Having irrefutable evidence concerning the occurrence ornon-occurrence of an event or action.

4. Detectability - An attacker can sufficiently distinguish whether an item of in-terest (IOI) exists or not.

5. Disclosure of Information - Exposing information to someone not authorizedto see it.

6. Unawareness - Not understanding the consequences of sharing personal infor-mation in the past, present, or future.

7. Non-compliance - Not following the (data protection) legislation, the advertisedpolicies, or the existing user consents.

As payer anonymity is fundamental in digital cash schemes, the threats that LINDDUN helps analyze are more interesting to us than those of STRIDE. For instance, if coins from the same user are linkable, other parties might be able to trace the user by correlating locality, date, and frequency. Privacy assessment is done via a systematic, step-by-step method that guides the analysis. The LINDDUN threat modeling process consists of the following six high-level steps:

1. Draw data-flow diagram - Mapping out the personal data flow between actorsand components of the system.

2. Privacy mapping - Mapping the LINDDUN threat categories onto the elements of the data flow diagram to identify where in the data flow each threat type can occur.

3. Identify threat scenarios - All the threat scenarios within the systems are spec-ified and written down.

4. Prioritize threats - Compile a list of which threat is to be most prioritized asdefined from the identified threats.


5. Selection of mitigation strategies - Within this step, the mitigation strategiesand techniques are chosen.

6. Selection of corresponding PETs - The final step determines which countermeasures are most effective by mapping the selected mitigation strategies to the list of PETs (Privacy Enhancing Technologies).

4.3.1.1 Data Flow Diagram

The first step in the LINDDUN methodology is to draw a data flow diagram (DFD) of the system and map out the data flow between the external entities and the processes of the system. To present the DFD graphically, the traditional LINDDUN shapes will be used to represent data flows, data stores, processes, trust boundaries, and external entities, as suggested by Deng [19].

4.3.1.2 Mapping DFD Elements to Threats

After drawing the DFD we identify the privacy threat categories for each elementusing the LINDDUN mapping template. Potential threats that are considered to beof low importance to the security of the system will be marked with the X symbol.The threats that actually will be considered will instead be marked with a numberthat represents a threat scenario ID, and this number will be used later in the analysisfor ease of reference.

4.3.1.3 Threat Model Assumptions

Seeing as the schemes that will be evaluated are theoretical and do not specifycommunication channels or how the authentication between bank and customer isdone, we decided to add the following assumptions to the threat models:

• A01: A customer ID is mappable to an accountable citizen - that is if a customeris identified in a double spending dispute he or she can be held accountable tothe law.

• A02: A customer is authenticated with the bank before all transactions - thatis the customer need to show proof of account ownership before accessing theaccount.

• A03: All communications with the bank will be sent via encrypted channels.

• A04: The bank complies with all protocols.

• A05: Risks from loss or theft of wallet are ignored.

• A06: All customers are registered with the same bank.

This should keep the threats closer to what we want to answer with the help of the threat models. Assumption A01 can be realized by using strong identification when registering with the bank; what type of identification we leave open, as it is not specified in the analyzed schemes. The reasoning behind A02 and A03 is to exclude risks that are common to most computer systems. Regarding A04, we will assume that the bank issues valid coins when debiting customers' accounts and increments the balance upon deposits. Assumption A05 is there because the risks involved with a lost wallet depend on the implementation. Access to the application can be protected with biometrics, for instance, but this is nothing the schemes specify. Some schemes identified in the literature study support the recovery of lost coins, and this could still be interesting for practical implementations, but it will be ignored in this work as it is not a feature of paper cash.

4.4 Finding Secure and Efficient Schemes

After we have determined what is necessary for digital cash to be exchanged securely, the focus shifts to the second and third research questions. For digital cash schemes to be accepted by the public as a replacement for cash, the scheme needs to handle payments of arbitrary amounts in a secure and high-performance manner. Compact wallets, divisible digital cash and transferable digital cash are the three different variable payment solutions that were identified. An attempt was made to select one scheme of each kind that fulfills the criteria below:

1. The article is peer-reviewed and from a credible source.

2. The article includes a security model of the scheme that fulfills the privacy-preserving criteria of our threat model.

3. The article includes performance analysis and has the lowest spending time-complexity of similar identified schemes.

To find these articles, the same process as described in the Section 4.1 will be con-ducted again with a focus on performance. Finally, similar steps will be taken toanswer the third research question regarding multiple banks.

Chapter 5

Results and Analysis

5.1 Digital Cash Threat Models

This threat modeling process aims to identify privacy and security threats to digitalcash schemes. We will begin by examining the system when naively implementedwithout blind signatures and double spending detection to determine which threatsthese technologies mitigate under our assumptions. In our threat models Alice is acustomer, Bob and Carol are merchants and Eve is a malicious customer. Figure 5.1presents a data flow diagram of the system analyzed throughout this section.

Figure 5.1: Data flow diagram.

5.1.1 Threat Model 1: Initial Threats

This first threat model will begin with the assumption that digital cash can functionthe same way as paper cash without any additional mitigations. We assume the bankuses a private key to digitally sign coins upon withdrawals to make them verifiableby the merchants. This is equivalent to adding the security features used to detectcounterfeits of paper cash. The intended use of this scheme is as follows:

Withdrawal (Online)

1. Alice requests to withdraw a coin from the Bank.

2. The bank generates a coin and cryptographically signs it.



3. The bank sends the coin to Alice and debits her account.

Spending (Offline)

1. Alice gives a coin to Bob.

2. Bob verifies the Bank’s signature.

3. Bob gives Alice the merchandise.

Deposit (Online)

1. Bob sends a coin to the Bank.

2. Bank verifies that the coin is signed.

3. Bank verifies the coin is not already spent.

4. Bank registers the coin as spent in the financial database.

5. Bank credits Bob’s account.

5.1.1.1 Identified Threats

Threat 1.1: Predictable Coin IDs

Summary: The bank generates sequential or otherwise predictable coin IDs, allowing the bank and merchants to link consecutively withdrawn coins. It is likely that a customer will withdraw more than one coin at a time and that these will therefore be linkable.

Assets, stakeholders, and threats: the financial history of the customer.

• Financial history of customer:

– A merchant visited more than once may be able to determine what mer-chandise the unidentifiable customer has purchased from him in the past.

– The bank may be able to determine the amount spent between the cus-tomer and merchant, which may lead to identifiability.

– Cooperating merchants may be able to link coins to build a picture of theunidentifiable customer’s spending habit.

Primary misactor: the malicious merchant(s).

Basic flow:

1. Alice requested to withdraw a pool of N coins from the bank.

2. The bank issues the sequential coin IDs $(c_0, c_1, \dots, c_{N-1}) = (c_0, c_0 + 1, \dots, c_0 + N - 1)$ to Alice.

3. Alice purchases an item worth $N - K$ coins from Bob and, at a later time, an item worth $N - K - L$ coins, using coins from the same pool.


4. By examining the coin IDs, Bob can guess what item Alice bought from himin the past without any knowledge of her identity.

Alternative flow:

1. Alice purchases item B from Bob and item C from Carol using coins from the same pool.

2. By cooperating, Bob and Carol can determine with high probability that items B and C were purchased by the same individual.

3. After Bob and Carol deposit the coins received from Alice, the bank can determine with the same probability that the items were purchased by the same individual.

Trigger: a customer withdraws multiple coins in a short time period.

Preconditions:

• the bank generates predictable coin IDs.

• bank not complying with data protection regulations.

• unaware customer.

Threat 1.2: Identifiable Payments

Summary: The bank stores a link between the generated coin ID and the customer's identity in the financial database, thus creating a mapping between the two IDs.

Assets, stakeholders, and threats: the financial history of the customer.

• Financial history of customer:

– The bank can determine who has withdrawn a specific coin.

– Upon deposit the bank can use this knowledge to determine to whom itwas spent.

Primary misactor: the bank.

Basic flow:

1. After the bank generates a coin, the coin ID is linked to the withdrawingcustomer’s identity in the financial database.

2. Upon deposit, the bank can map the merchant's identity to the customer's identity via the coin ID.

3. The bank knows who spent the coin.

Alternative flow:

1. The bank stores its records of withdrawals and deposits over a long time period.

2. A misactor at the bank can determine arbitrary customers’ spending habits.


Trigger: a misactor at the bank.

Preconditions:

• the bank can read coin IDs during withdrawal.

• no or insufficient protection of the financial database.

• bank not complying with data protection regulations.

Threat 1.3: Financial Database Information Disclosure

Summary: An attacker gains access to the financial database. The associated risk depends on how much data the bank stores about its customers.

Assets, stakeholders, and threats: financial history and identities of customers, financial loss.

• Financial history and identities of customers:

– The attacker can read all financial records of a customer, and also deter-mine their identities.

• Financial loss:

– The attacker can steal all withdrawn coins not yet spent.

Primary misactor: a bank employee or an external attacker.

Preconditions:

• the bank stores sensitive data in the financial database.

• no or insufficient protection of the financial database.

• bank not complying with data protection regulations.

Threat 1.4: Withdrawal Unawareness

Summary: The customer is unaware that the bank can store a link between the withdrawn coin and the customer's identity.

Assets, stakeholders, and threats: the financial history of the customer.

• The customer thinks he is unconditionally anonymous - while bank non-compliancecan allow the bank to read all of the customer’s financial history.

Basic flow:

1. Alice requests to withdraw N coins from the bank.

2. The bank creates a link between the withdrawn coins and Alice’s identity.

3. Alice is unaware that the coins are linked to her identity.

Preconditions:

• the bank not respecting customer privacy.

• customers not informed about privacy policies.


Threat 1.5: Double Spending Unawareness

Summary: The merchant is unaware that a customer can make copies of valid coins and thus trusts that all received coins are uncredited. Copying coins is a type of non-compliance by the customer; see Threat 1.6 for details on the non-compliance threat.

Threat 1.6: Double Spending

Summary: The customer creates a copy of a valid coin and spends it more than once. A malicious merchant can also copy received coins and spend them at other merchants, with no risk of being identified.

Assets, stakeholders, and threats: financial loss.

• A malicious customer can copy a valid coin and spend it multiple times.

• Only the first deposit of the coin will be credited, resulting in financial loss for all later depositors.

Basic flow:

1. Eve has withdrawn a coin c0 from the bank.

2. Eve spends c0 to purchase merchandise from both Bob and Carol while offline.

3. Bob and Carol both deposit c0 at a later time and only the first request willresult in a credit.

4. Upon the deposit the bank cannot prove who copied the coin resulting in noone being provably accountable and financial loss to the second merchant.

Alternative flow:

1. Alice spends coin c0 to purchase merchandise from Eve.

2. Eve extracts c0 from her merchant wallet and copies it into a customer wallet.

3. Eve spends c0 to purchase merchandise from both Bob and Carol while offline.

4. Upon the deposit the bank cannot prove who copied the coin resulting in noone being provably accountable for the financial loss.

Trigger: a malicious customer or merchant.

Preconditions:

• Coins being copy-able.

• Merchant unawareness is likely involved, given the high risk of accepting copyable coins.

• For alternative flow: Coins being transferable.


5.1.1.2 Prioritizing threats

Threats 1.1 through 1.4 are related to privacy and are enabled by inappropriate anonymization techniques in the bank's protocols and data storage. The coin needs to be cryptographically signed by the bank for a merchant to verify and accept it. As soon as the bank can read the coin, it can store a mapping between the coin and the customer in the financial database. To assure the customer's anonymity, the bank should not be able to do this, even if it wanted to. Seeing as the scheme in this model is transferable and there is no possibility of proving who has double-spent a coin, this information is unnecessary for the bank to know in the first place. When the generated coin IDs are predictable, we found that the coins become linkable. All these threats need to be addressed.

5.1.1.3 Mitigation strategies

By using blind signatures as suggested by Chaum [14], coins can be signed by the bank without the bank being able to read the coin. This in turn mitigates Threat 1.1, as the bank is no longer responsible for generating coin IDs; that work is instead delegated to the customer. As the bank is unable to extract the coin ID upon withdrawal, Threat 1.2 is also mitigated by blind signatures, since the bank can no longer map the customer's identity to the coin. The risk of information disclosure from the financial database is also no longer as serious with the introduction of blind signatures: because the bank does not know which coins it has issued, unspent coins cannot be stolen from its database, and without the identity mapping the financial history is protected. Threat 1.4 also becomes negligible with blind signatures, as payments are no longer identifiable. Before addressing Threats 1.5 and 1.6, we construct a new threat model that uses blind signatures.

5.1.2 Threat Model 2: Adding Blind Signatures

From the previous threat model, we identified privacy threats related to the fact thatthe bank can store mappings between coin IDs and customer identities, or otherwisegenerate predictable coin IDs. Using blind signatures, the customer becomes respon-sible for choosing his coin IDs and the bank is no longer able to store this mappingor maliciously construct predictable coin IDs. When a coin is blinded, the bank isunable to retrieve the customer-generated coin ID from the coin and is thereforeunable to extract information from it. We assume that with the addition of blindsignatures the scheme will function as follows:

Withdrawal (Online)

1. Alice creates a coin and blinds it.

2. Alice sends the blinded coin to the bank to sign it.

3. The bank signs the blinded coin.

4. The bank send the signed blinded coin to Alice and debits her account.


5. Alice unblinds the signed coin.

Spending (Offline)

1. Alice gives a coin to Bob.

2. Bob verifies the Bank’s signature.

3. Bob gives Alice the merchandise.

Deposit (Online)

1. Bob sends coin to the Bank.

2. Bank verifies the signature.

3. Bank verifies that the coin is not already spent.

4. Bank registers the coin as spent in the financial database.

5. Bank credits Bob’s account.

Threat 2.1: Weak blinding parameter

Summary: The coin is blinded using a weak parameter, allowing the bank to unblind the coin, resulting in identifiability when the coin is deposited.

Assets, stakeholders, and threats: the financial history of the customer.

• Financial history of customer

– The bank can unblind the coin and can therefore determine to whom thecoin was spent upon deposit.

Primary misactor: a misactor at the bank.

Basic flow:

1. Alice generates coin c and blinds it using a blinding factor b.

2. Alice sends the blinded coin to the bank for signing.

3. The bank finds b through trial and error and stores a mapping between Alice’sidentity and c in the financial database.

4. Alice spends c to Bob and Bob deposits c to the bank.

5. The bank maps c back to Alice, and thus learns that she paid Bob.

Trigger: a withdrawal request with a weak blinding parameter.

Preconditions:

• Wallet application not verifying the strength of blinding parameter.


5.1.2.1 Threat 2.2: Blind signing attacks

Summary: For RSA-style blind signatures, signing is the same private-key exponentiation as decrypting, so a bank that uses one key pair for both lets an attacker decrypt messages encrypted with the bank's public key by submitting them to the withdrawal protocol.

Assets, stakeholders, and threats: bank message confidentiality.

• Bank message confidentiality

– Messages encrypted by the bank’s public key might be decryptable by anattacker using the withdrawal protocol.

Primary misactor: an external attacker.

Basic flow:

1. Eve sniffs an encryption c of message m sent from Alice to the bank.

2. Eve blinds c and requests the bank to sign it.

3. Eve unblinds the signed c and receives m.

Trigger: an external attacker.

Preconditions:

• The bank uses the same key for encryption and signing.

• An attacker has access to an encrypted message sent to the bank.

• The encryption of the sniffed message resembles a coin or the bank blindlysigns anything.
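The following is an added example, not code from the thesis or from any of the cited schemes. It runs the withdrawal and deposit procedures of Threat Model 1 (Section 5.1.1) and Threat Model 2 (Section 5.1.2) side by side with textbook RSA blind signatures, so that the identifiability of Threat 1.2 and its removal by blinding can be observed in the bank's own log, and then carries out the key-reuse attack of Threat 2.2 against the same bank. Everything in it is constructed: the bank, the coin identifiers, the account names and the "encrypted" message are assumptions for illustration, and the RSA modulus is built from two Mersenne primes so that the arithmetic is checkable by hand rather than at a deployable key size.

```python
"""Added example (not from the thesis): the naive scheme of Threat Model 1 next
to the RSA blind-signature scheme of Threat Model 2, and the key-reuse attack of
Threat 2.2. Standard library only. The RSA key is toy-sized (Mersenne primes
2^61-1 and 2^89-1) so the arithmetic is verifiable, not a deployable key size."""
from __future__ import annotations

import hashlib
import secrets
from math import gcd

P, Q = (1 << 61) - 1, (1 << 89) - 1   # both are Mersenne primes (M61, M89)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # invertible: 65537 divides no 2^k-1 with 32 not dividing k


def H(msg: bytes) -> int:
    """Hash-to-integer message representative for the textbook RSA signature."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def fresh_blinding_factor() -> int:
    """Large, uniformly random, invertible mod N and new for every coin
    (a small or reused factor is exactly Threat 2.1)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r


class Bank:
    def __init__(self) -> None:
        self.log: dict[int, str] = {}    # value seen at withdrawal -> customer
        self.spent: set[bytes] = set()

    def naive_withdraw(self, customer: str, coin_id: bytes) -> int:
        """Threat Model 1: the bank reads the coin id and can log it (Threat 1.2)."""
        self.log[H(coin_id)] = customer
        return pow(H(coin_id), D, N)

    def blind_sign(self, customer: str, blinded: int) -> int:
        """Threat Model 2: the bank signs a blinded value it cannot relate to a coin."""
        self.log[blinded] = customer
        return pow(blinded, D, N)

    def deposit(self, coin_id: bytes, sig: int) -> tuple[bool, str | None]:
        """Returns (credited, payer if the bank's log can name one)."""
        if pow(sig, E, N) != H(coin_id) or coin_id in self.spent:
            return False, None
        self.spent.add(coin_id)
        return True, self.log.get(H(coin_id))


def blind_withdraw(bank: Bank, customer: str, coin_id: bytes) -> int:
    """Customer side of Section 5.1.2: blind, have it signed, unblind, verify."""
    r = fresh_blinding_factor()
    blinded = (H(coin_id) * pow(r, E, N)) % N
    sig = (bank.blind_sign(customer, blinded) * pow(r, -1, N)) % N
    # (H * r^E)^D * r^-1 == H^D mod N, so the unblinded value verifies as a signature
    if pow(sig, E, N) != H(coin_id):
        raise ValueError("bank returned an invalid blind signature")
    return sig


def key_reuse_attack(bank: Bank, ciphertext: int) -> int:
    """Threat 2.2: if the bank also decrypts with (N, D), an eavesdropper turns a
    captured ciphertext m^E into m by blinding it and asking for a 'coin' signature."""
    r = fresh_blinding_factor()
    blinded = (ciphertext * pow(r, E, N)) % N
    return (bank.blind_sign("Eve", blinded) * pow(r, -1, N)) % N


def demo() -> dict:
    bank = Bank()
    # Threat Model 1: at deposit the bank learns that Alice paid the depositing merchant.
    coin1 = b"coin:" + secrets.token_bytes(16)               # constructed coin id
    credited1, payer1 = bank.deposit(coin1, bank.naive_withdraw("Alice", coin1))
    # Threat Model 2: same flow with blinding; the bank's log holds only blinded values.
    coin2 = b"coin:" + secrets.token_bytes(16)
    sig2 = blind_withdraw(bank, "Alice", coin2)
    credited2, payer2 = bank.deposit(coin2, sig2)
    replayed, _ = bank.deposit(coin2, sig2)                  # second deposit of the same coin
    # Threat 2.2: a constructed message "encrypted" to the bank, recovered via withdrawal.
    m = H(b"confidential instruction to the bank")
    recovered = key_reuse_attack(bank, pow(m, E, N))
    return {"naive_credited": credited1, "naive_payer": payer1,
            "blind_credited": credited2, "blind_payer": payer2,
            "replay_credited": replayed, "key_reuse_recovered": recovered == m}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the naive deposit naming "Alice" as payer, the blinded deposit naming nobody, the second deposit of the same coin being refused (the double spend of Threat 1.6 is detected but, as in the model, not attributed to anyone), and Eve recovering m. The attack needs nothing but a bank that applies its signing exponent to whatever it is handed, which is why the mitigation is a signing key that is used for coins only.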

Threat 2.3: Coin Collision

Summary: The bank is unaware of what it signs, i.e. it cannot verify whether a coin with that ID has already been issued. If customers can freely pick their coin IDs, there is a risk that two identical coins are issued, and neither the bank nor the merchant can detect this until the second one is finally deposited.

Assets, stakeholders, and threats: financial loss.

• Financial loss

– When a coin collision occurs one of the coins will be forever lost.

Trigger: two customers pick the same coin ID.

Basic flow:

1. Alice generates coin ID c and blinds it using blinding factor a.

2. Bob independently generates coin ID c and blinds it using blinding factor b.

3. The bank blindly signs both Alice's and Bob's coins without detecting a collision, since a ≠ b makes the two blinded values differ.

4. Alice and Bob both spend their respective coins honestly.

5. Upon deposit of the second coin the bank will detect a collision and not creditthe merchant.


Threat 2.4: Anonymous Withdrawals

Summary: Assuming the blind signatures work as intended, there is no way for the bank or law enforcement to determine who has withdrawn and spent a particular coin. This can be abused by criminals to safely conduct illegal activities such as money laundering and blackmailing.

Basic flow:

1. Eve withdraws a coin c. The bank signed c blindly and cannot associate c with Eve.

2. Eve uses the coin in illegal activities.

3. Eve’s anonymity is unconditionally protected and she cannot be held account-able for her actions.

Threat 2.5: Double Spending

Refer to Threat 1.6 for details.

5.1.2.2 Threat prioritization

With this model, four new threats related to blind signatures were identified. Threat 2.1 is deemed to be of low risk, as the customer picks the blinding parameter and is therefore responsible for protecting their own anonymity. Threat 2.2 is present only if the bank uses its cryptographic keys both to sign and to encrypt messages; this is easily mitigated by using the signing key only to sign coins. Coin collision is more serious in this model, as it might lead to financial loss even when all parties comply with the protocols. Whether Threat 2.4, related to anonymous withdrawals, is an actual threat is arguable and depends on the requirements and scale of the banking system. If the bank or some other third party can unconditionally extract the identity from a coin, the scheme is no longer anonymous. We therefore accept this threat for now and discuss it later. Finally, as non-accountable double spending is still possible in this scheme, it will likely not have any practical use.

5.1.2.3 Mitigation strategies

Threat 2.1 can be mitigated by using large, randomly generated blinding factors that are changed for every withdrawal. To mitigate Threat 2.2, the bank simply should not use the same key for signing coins and for encrypted communication. Threat 2.3 can be mitigated by using partially blind signatures, which let the bank see a part of the coin that can be used to determine whether the requested ID is already in use. In practice the risk also shrinks with the ID length: if every wallet draws coin IDs uniformly from a space of 2^128 or more values, the birthday bound puts the probability of any collision among n issued coins at roughly n^2 / 2^129, which is negligible for any realistic number of coins, so the collision check mainly protects against wallets with broken random number generators. Seeing as digital cash is supposed to be anonymous, we argue that Threat 2.4 is acceptable in this scheme, because mitigating it would require unconditional anonymity revocation. As double spending is still possible with no way of proving who double spent the coin, this scheme is still not practical. In the next threat model, we introduce double spending detection.


5.1.3 Threat Model 3: Adding Double Spending Detection

Starting from Threat Model 2, the remaining threats are related to bad implementations of blind signatures and double spending non-compliance. In this model, we assume the bank signs coins using a partially blind signature scheme, such that it can verify that the coin is not constructed maliciously. The coin is spent in such a way that the customer reveals enough information for the bank to identify the customer if the coin is double spent. It is assumed that this is done with a challenge provided by the merchant in combination with the cut-and-choose or two-points-on-a-line techniques described in Sections 5.1.5.4 and 5.1.5.5, respectively.

Withdrawal (Online)

1. Alice creates a coin including identifying information and blinds it.

2. Alice sends the blinded coin to the bank to sign it.

3. The bank verifies that Alice can be identified if the coin is double spent, without learning any linkable or otherwise identifiable information, and signs the blinded coin.

4. The bank sends the signed blinded coin to Alice and debits her account.

5. Alice unblinds the signed coin.

Spending (Offline)

1. Alice gives a coin to Bob.

2. Bob verifies the Bank’s signature.

3. Bob sends Alice a challenge.

4. Alice responds with a challenge-response revealing one piece of identifying information.

5. Bob verifies and stores the challenge-response and gives Alice the merchandise.

Deposit (Online)

1. Bob sends coin, challenge, and challenge-response to the Bank.

2. Bank verifies the signature.

3. Bank verifies the coin is not already spent.

4. Bank registers the coin, challenge, and challenge-response in the financial database.

5. Bank credits Bob’s account.


5.1.3.1 Threat 3.1: Same spending challenge

Summary: Two merchants pick the same challenge while receiving the same coin, resulting in no additional information being leaked during the second transaction and the coin staying untraceable.

Assets, stakeholders and threats: financial loss.

• The identity of the double spending customer cannot be determined, resulting in no proof of double spending happening and financial loss.

Primary misactor: the double spending customer.

Basic flow:

1. Eve spends coin c to Alice and proves that she withdrew the coin by responding correctly to challenge C with a challenge-response.

2. Eve spends the same coin c to Bob and proves that she withdrew the coin by responding correctly to the same challenge C with the same challenge-response.

3. Eve’s identity cannot be determined since not enough information was leaked.

Trigger: two merchants pick the same spending challenge.

Preconditions:

• The customer can copy a coin.

• Two merchants can pick the same spending challenge.

Threat 3.2: Double Spending

Refer to Threat 1.6 for details.

5.1.3.2 Threat prioritization

Assuming the threats related to blind signatures are solved and there are no cryptographic failures in the double spending tracing algorithm, this model describes a practical offline payment system. The risk of Threat 3.1 happening is very low as it requires the malicious customer to be incredibly lucky (i.e. both merchants pick the same random number) to receive the same spending challenge while double spending. Double spending is still possible with relative ease, resulting in financial loss for a merchant. In most schemes examined in this work, the risk is accepted as the probability that the malicious customer will be unidentifiable is virtually zero. It would be a desirable feature to make double spending more difficult by using some kind of protection of the wallet application's memory to decrease the cost-effectiveness of double spending, addressing Threat 3.2.


5.1.3.3 Mitigation strategies

Threat 3.1 can be mitigated by making sure that each merchant uses a unique spending challenge. This would in turn introduce new risks, as a malicious customer could now cooperate with a malicious merchant to increase the odds of succeeding to 100% by knowing the legitimate merchant's spending challenge. By spending a coin to the malicious merchant, who presents the legitimate merchant's spending challenge and shortly thereafter deposits it, the malicious customer could then spend the same coin on the legitimate merchant without risk of being identified. This in turn could be mitigated by the bank mapping each merchant to a spending challenge, and not crediting the coin if another one was used. Now that we have a feasible way to detect double spending after the fact, it is interesting to find solutions that make double spending more difficult. This will come with impacts on performance as additional integrity checks will happen, but it will nevertheless increase the security of the scheme.

5.1.4 Threat Mitigation Summary

To mitigate the threats identified through this threat modeling process, a partially blind signature scheme is required, as well as some way to conditionally identify a double spending customer. The blind signature scheme should be partial to detect coin collisions, and precautions should be taken to mitigate the risks of using weak blinding parameters or of the bank using its public-private key pair for purposes other than signing coins. Another reason the blind signatures should be partial is for the bank to be able to verify that the customer can, with high probability, be traced in a double spending dispute, i.e. being able to verify that the customer has constructed the coin honestly. Precautions should be taken to make sure that the risk of two separate merchants using the same spending challenge is negligible. Lastly, with all this in place, it is desirable to protect the physical memory region of the wallet application containing the coins to make it hard to tamper with.

5.1.5 Identified Solutions

This section will present identified solutions that mitigate the identified risks in this model. Three different schemes are identified that can be implemented to fulfill the third threat model's requirements. As can be seen in Table 5.1, each scheme uses a different solution for blind signatures, and two different solutions for double spending detection are used. The scheme presented by Brands also supports double spending prevention through a wallet observer.

Scheme | Blind signature | DSD | DSP
Chaum-Fiat-Naor [15] | RSA | Cut-and-choose | -
Ferguson [21] | Randomized RSA | Two-Points-on-a-Line | -
Brands [9] | Schnorr | Two-Points-on-a-Line | Wallet Observer

Table 5.1: Identified schemes (DSD = Double Spending Detection, DSP = Double Spending Prevention)


The solutions used in each respective scheme are described in the following subsections.

5.1.5.1 Blind RSA Signatures

The Rivest–Shamir–Adleman (RSA) cryptosystem is well-known and is based on the computational difficulty of prime factorization and solving discrete logarithms. A message is signed by encrypting the message using the private key, and it can be verified by anyone decrypting the result using the corresponding public key. Suppose the bank knows the factorization of an integer n = pq where p and q are large prime numbers. Let s denote the private key used for signing messages and v the public key used to verify signatures. The RSA cryptosystem describes how the two keys can be generated from knowing the factorization of n such that the following property always holds for a message m: m^(sv) ≡ m mod n. In order to sign a message, the bank computes Sign(m, s, n) ≡ m^s mod n. Any entity knowing the public key can then verify the signature by computing Verify(m^s, v, n) ≡ (m^s)^v ≡ m^(sv) ≡ m mod n. The scheme can be blinded by having the customer introduce a blinding factor r ∈ Z_n to the message. Assume the customer has generated the coin c, which is to be kept secret from the bank. The customer blinds the coin by generating a random r, computes c_r ≡ r^v c mod n and sends it to the bank for a signature. The bank does so and returns c_r^s ≡ r c^s mod n. Finally, the customer divides c_r^s by r to acquire the bank's signature c^s, even though the bank never saw c. This technique is problematic as the bank does not know what it is signing. In the Chaum-Fiat-Naor scheme, this is mitigated by also including the cut-and-choose technique described in Section 5.1.5.4.
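The blind RSA round trip described above, written out as an added example (it is not code from the thesis or from any of the cited schemes). The primes, the coin serial and all function names are this example's own constructions; the key size is far too small for real use and only serves to make the arithmetic readable.

```python
# Added example (not from the thesis): Chaum-style blind RSA signature round trip.
# Toy parameters: two small constructed primes give a 60-bit n, and the coin is a
# SHA-256 digest reduced mod n. A real bank would use 2048-bit or larger keys.
import hashlib
import math
import secrets
from typing import Tuple

# Bank key generation: n = p*q, public verification exponent v, private signing exponent s.
P = 1000000007      # constructed demo prime
Q = 998244353       # constructed demo prime
N = P * Q
V = 65537           # public exponent, coprime to (P-1)(Q-1)
S = pow(V, -1, (P - 1) * (Q - 1))   # private exponent: s*v ≡ 1 mod phi(n)


def coin_value(serial: bytes) -> int:
    """Customer side: map an opaque coin serial to a number c in Z_n."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def pick_blinding_factor() -> int:
    """Fresh, large r invertible mod n. A weak or reused r is Threat 2.1:
    it lets the bank link the blinded request to the later deposit."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r


def blind(c: int, r: int) -> int:
    """Customer: c_r = r^v * c mod n. For random r this is uniform in Z_n*, so it reveals nothing about c."""
    return (pow(r, V, N) * c) % N


def bank_sign(blinded: int) -> int:
    """Bank: (c_r)^s = r^(vs) * c^s = r * c^s mod n. The bank signs without ever seeing c."""
    return pow(blinded, S, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Customer: divide by r, i.e. multiply by r^-1 mod n, leaving the plain signature c^s."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(c: int, sig: int) -> bool:
    """Anyone holding the public key: (c^s)^v ≡ c mod n."""
    return pow(sig, V, N) == c


def withdraw(serial: bytes) -> Tuple[int, int, int]:
    """Full withdrawal. Returns (c, signature on c, the value the bank actually saw)."""
    c = coin_value(serial)
    r = pick_blinding_factor()
    seen_by_bank = blind(c, r)
    sig = unblind(bank_sign(seen_by_bank), r)
    return c, sig, seen_by_bank


if __name__ == "__main__":
    c, sig, seen = withdraw(b"coin-0001 (constructed serial)")
    print("signature valid:", verify(c, sig))       # True
    print("bank saw the coin itself:", seen == c)   # False: only the blinded value
```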

5.1.5.2 Randomized RSA Signatures

With regular blind RSA signatures, the bank cannot determine what it is signing. By using randomized blind signatures the bank can get just enough insight into the coin structure to determine that it contains enough information to identify a double spending customer. This type of signature provides more freedom in how double spending detection is implemented and does not require the use of the inefficient cut-and-choose technique described in Section 5.1.5.4. Generating these types of signatures is rather complex, and it requires that both the customer and the bank contribute random data to the message, such that the bank does not know what it is signing while knowing that the data was not chosen maliciously. In short, the idea of randomized signatures is that the customer receives a signature on a number in a special format that he cannot create himself, while the bank receives no information regarding which signature it gave away other than that it was not maliciously chosen.

5.1.5.3 Chaum-Pedersen Signatures

The Chaum-Pedersen signature is a type of Schnorr signature used in digital cash protocols that provides both the signature and the double spending detection requirements of the protocol. Schnorr signatures are a digital signature scheme whose security is based on the intractability of certain discrete logarithm problems. The signatures are simple to compute while being shorter in length and more efficient to generate than the RSA-based ones. Schnorr signatures also have the advantage that they can be applied to any setting where the discrete logarithm problem is difficult, such as over elliptic curves. Elliptic curve-based protocols tend to be much faster, and require far less transmission of data than non-elliptic protocols while giving the same level of security [25].

Assume the bank has picked two large prime numbers p and q such that q divides p − 1. The bank then picks a generator g such that g^q = 1 over the field of integers modulo p. The function Blind(x) ≡ g^x mod p can now act as a one-way function because finding x is equivalent to solving the discrete logarithm problem. In Brands' scheme, this one-way function is used to commit lines of the form y = mx + b to a coin and acquire blind signatures on them, where the slope m represents a message and the intercept b a blinding factor. Knowing any two points on the line allows one to find m as m = (y0 − y1)/(x0 − x1) mod q, thus revealing the customer's identity.

5.1.5.4 Cut-and-Choose

Cut-and-choose protocols can be used between two parties where one party wants to convince the other that some data he sent was honestly constructed as agreed upon. In the Chaum-Fiat-Naor scheme, the customer generates k honestly constructed blinded candidates to represent the coin. These honest candidates are represented as a pair of quantities such that if both pieces of a pair are revealed, the customer's identity can be extracted. The number of candidates should be selected such that an event with a probability of 2^(−k) should never happen in practice. The bank picks k/2 of them at random and transmits them back to the customer to prove that they were honestly constructed despite the blinding. If all candidates are valid, the bank signs the coin and debits the customer's account. When the customer spends the coin, the merchant will send a bitstring of length k as the challenge. If the bit at position i is 0 then the customer will share the first piece of the pair at that position, and if the bit instead is 1 then the second piece is shared. These revealed pieces, as well as the used bitstring, are then sent together with the coin upon deposit. If the bank detects that the coin is already spent, then the bank will have access to both pieces of a pair, and therefore the customer's identity, as long as at least one bit value differs between the two spending challenges.
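The cut-and-choose check and the bitstring spend and deposit just described, as an added example that is not code from the thesis or from the Chaum-Fiat-Naor paper. It simplifies the scheme in ways that are this example's own: candidate pairs are SHA-256 commitments rather than blinded RSA candidates, the bank's signature on the coin is left out, the identity is a constructed 64-bit value, and K is kept small so the flow is readable.

```python
# Added example (not from the thesis or the Chaum-Fiat-Naor paper): simplified cut-and-choose
# withdrawal check, bitstring spending challenge, and identity recovery on double deposit.
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

K = 16            # constructed demo value: the bank opens K//2 candidates, the other K//2 form the coin
PIECE_BYTES = 8   # identity and pieces are 64-bit values in this demo

Pair = Tuple[int, int]        # (a_i, b_i) with a_i XOR b_i == identity
Commit = Tuple[bytes, bytes]  # (H(a_i), H(b_i)): all the bank and merchants ever see unopened
Ledger = Dict[bytes, Tuple[List[int], List[int]]]   # coin id -> (challenge, response) of first deposit


def commit(piece: int) -> bytes:
    return hashlib.sha256(piece.to_bytes(PIECE_BYTES, "big")).digest()


def make_candidates(identity: int, k: int = K) -> Tuple[List[Pair], List[Commit]]:
    """Customer: k pairs whose XOR is the identity; either half alone is a uniformly random value."""
    pairs, commits = [], []
    for _ in range(k):
        a = secrets.randbits(8 * PIECE_BYTES)
        pairs.append((a, a ^ identity))
        commits.append((commit(a), commit(a ^ identity)))
    return pairs, commits


def bank_cut_and_choose(identity: int, commits: List[Commit], opened: Dict[int, Pair]) -> List[int]:
    """Bank: each opened pair must match its commitment and XOR to the account holder's identity.
    A dishonest customer survives only if every bad candidate stayed unopened (probability ~2^-k).
    Returns the indices of the unopened candidates, which become the coin."""
    for i, (a, b) in opened.items():
        if (commit(a), commit(b)) != commits[i] or a ^ b != identity:
            raise ValueError(f"candidate {i} was not honestly constructed")
    return [i for i in range(len(commits)) if i not in opened]


def spend(pairs: List[Pair], commits: List[Commit], coin: List[int], challenge: List[int]) -> List[int]:
    """Customer answers the merchant's bitstring (bit 0 reveals a_i, bit 1 reveals b_i);
    the merchant checks every revealed piece against the coin's commitments before accepting."""
    response = [pairs[i][bit] for i, bit in zip(coin, challenge)]
    for i, bit, piece in zip(coin, challenge, response):
        if commit(piece) != commits[i][bit]:
            raise ValueError("revealed piece does not match the coin")
    return response


def deposit(ledger: Ledger, coin_id: bytes, challenge: List[int], response: List[int]) -> Optional[int]:
    """Bank: register a first deposit; on a repeat, recover the identity from any position where
    the two challenges differ. None means the coin is new, or both merchants used the same
    bitstring (Threat 3.1) so no pair is complete."""
    if coin_id not in ledger:
        ledger[coin_id] = (challenge, response)
        return None
    prev_challenge, prev_response = ledger[coin_id]
    for c1, r1, c2, r2 in zip(prev_challenge, prev_response, challenge, response):
        if c1 != c2:
            return r1 ^ r2    # a_i XOR b_i == identity
    return None


def coin_identifier(commits: List[Commit], coin: List[int]) -> bytes:
    """The coin's public identity: a hash over the unopened commitments."""
    h = hashlib.sha256()
    for i in coin:
        h.update(commits[i][0] + commits[i][1])
    return h.digest()


def double_spend_trace(identity: int, challenge_1: List[int], challenge_2: List[int]) -> Optional[int]:
    """End to end: withdraw one coin, spend it to two merchants with the given challenges,
    deposit both, and return what the bank learns about the spender."""
    pairs, commits = make_candidates(identity)
    bank_choice = secrets.SystemRandom().sample(range(K), K // 2)
    coin = bank_cut_and_choose(identity, commits, {i: pairs[i] for i in bank_choice})
    coin_id = coin_identifier(commits, coin)
    ledger: Ledger = {}
    deposit(ledger, coin_id, challenge_1, spend(pairs, commits, coin, challenge_1))
    return deposit(ledger, coin_id, challenge_2, spend(pairs, commits, coin, challenge_2))


if __name__ == "__main__":
    alice = int.from_bytes(b"Alice-ID", "big")          # constructed 64-bit identity
    print(double_spend_trace(alice, [0] * 8, [1] * 8) == alice)   # True: challenges differ
    print(double_spend_trace(alice, [0] * 8, [0] * 8))            # None: Threat 3.1
```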

5.1.5.5 Two-Points-on-a-Line

The two-points-on-a-line technique is an efficient proof-of-possession technique that can be applied to the spending portion of digital cash schemes to provide double spending detection. It works by the customer committing a line of the form y(x) = mx + b to the coin without revealing m or b to the bank. To generate points on the line, both m and b must be known, so the customer can prove ownership of the withdrawal by revealing a point on the line. This line representation of coins provides the neat functionality that revealing one point on the line leaks nothing about the secret quantities, while revealing two distinct points always will. Using partially blind signatures such as randomized RSA or Chaum-Pedersen signatures, the bank can verify that, by knowing the secret quantities m and b, the customer's identity can be extracted, and everyone should be able to verify whether a particular (x, y) pair is on the line.
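The spending and deposit steps of the Threat Model 3 flow, realised with the two-points-on-a-line technique of this section in the discrete-logarithm setting of Section 5.1.5.3, as an added example (not code from the thesis or from Brands' paper). The withdrawal signature and blinding are omitted, so the "coin" here is only the pair of commitments (g^m, g^b); the group parameters are toy values chosen for this example, and the identity is encoded directly as the slope m.

```python
# Added example (not from the thesis or Brands' scheme): two-points-on-a-line spending and
# deposit. Toy group: P = 2039 = 2*Q + 1, Q = 1019, G = 4 of order Q; real deployments use
# 256-bit or larger groups or elliptic curves. All names are this example's own.
import secrets
from typing import Dict, Optional, Tuple

P = 2039    # constructed demo prime, P = 2*Q + 1
Q = 1019    # prime order of the subgroup generated by G
G = 4       # 4 = 2^2 is a quadratic residue mod P, so it generates the order-Q subgroup
assert pow(G, Q, P) == 1 and G != 1

Coin = Tuple[int, int]   # (A, B) = (g^m mod p, g^b mod p): commits the line y = m*x + b mod q


def commit_line(m: int, b: int) -> Coin:
    """Customer at withdrawal: commit the line whose slope m encodes her identity;
    b is a fresh blinding intercept. Neither m nor b is recoverable from (A, B)."""
    return pow(G, m % Q, P), pow(G, b % Q, P)


def merchant_challenge() -> int:
    """Merchant: a random nonzero x in Z_q. Threat 3.1 is two merchants picking the same x."""
    return secrets.randbelow(Q - 1) + 1


def respond(m: int, b: int, x: int) -> int:
    """Customer: the point (x, y) on her line; only someone knowing both m and b can produce it."""
    return (m * x + b) % Q


def point_on_line(coin: Coin, x: int, y: int) -> bool:
    """Merchant at spending, bank at deposit: g^y == (g^m)^x * g^b mod p,
    checkable by anyone without learning m or b."""
    a, bb = coin
    return pow(G, y, P) == (pow(a, x, P) * bb) % P


def recover_slope(x0: int, y0: int, x1: int, y1: int) -> Optional[int]:
    """Bank at a second deposit: m = (y0 - y1) / (x0 - x1) mod q from two distinct points.
    Returns None when x0 == x1 (the same challenge twice, Threat 3.1): one point says nothing."""
    if (x0 - x1) % Q == 0:
        return None
    return ((y0 - y1) * pow(x0 - x1, -1, Q)) % Q


class Bank:
    """Deposit side of Threat Model 3: verify, register, and trace on a repeat deposit."""

    def __init__(self) -> None:
        self.spent: Dict[Coin, Tuple[int, int]] = {}   # coin -> (x, y) of the first deposit

    def deposit(self, coin: Coin, x: int, y: int) -> Optional[int]:
        """Returns None for a first, valid deposit; the recovered identity m for a double spend;
        raises if the merchant accepted a response that is not on the committed line."""
        if not point_on_line(coin, x, y):
            raise ValueError("response is not on the committed line")
        if coin not in self.spent:
            self.spent[coin] = (x, y)
            return None
        x0, y0 = self.spent[coin]
        return recover_slope(x0, y0, x, y)


if __name__ == "__main__":
    m, b = 777, secrets.randbelow(Q)     # constructed identity slope and fresh blinding
    coin, bank = commit_line(m, b), Bank()
    x1, x2 = merchant_challenge(), merchant_challenge()
    print(bank.deposit(coin, x1, respond(m, b, x1)))   # None: first deposit is fine
    print(bank.deposit(coin, x2, respond(m, b, x2)))   # 777 unless x1 == x2 (Threat 3.1)
```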

5.1.5.6 Wallet Observer

Wallet observers are a concept introduced by [17] whose goal is to make it harder to manipulate the wallet application data while giving the customer privacy assurance. The suggested wallet observer is placed on a hard-to-tamper-with device and acts as a middle hand in writing to and reading from a database containing private information, in this case the coins. With the introduction of this observer, the customer can see all information entering and leaving the device, while not being able to easily manipulate the database content. Seeing as the bank or a trusted subcontractor issues the wallet device, the bank is certain that the coins will be stored and spent in a compliant way by the device. The wallet database can only be read from or written to with the consent of the customer and under the supervision of the observer. With the database being hard to tamper with, the bank has effectively reduced the cost-effectiveness of copying and double spending coins. At the same time, the customer does not need to trust the device, as the observer gives the customer assurance that the device does not leak any private information. The digital cash scheme presented by Brands has been shown feasible to run on such a device with no significant impact on performance [9]. While it is shown that Ferguson's scheme also works with wallet observers, the performance impact is more significant [20].

5.1.6 Summary

This threat model resulted in a list of threats and a list of solutions that mitigate them. All three schemes examined in Section 5.1.5 can work in practice as long as the schemes are correctly implemented according to their description. Customer anonymity is protected with the use of blind signatures. Double spending will lead to revocation of anonymity in all the schemes. The best solution of the three according to our results would be Brands' scheme, as it can be applied to elliptic curves, which will be more efficient than the other two schemes. Brands' scheme is also the only scheme of the three that provides a form of double spending prevention without any significant impact on performance. It is shown that the workload of Brands' scheme is so small that it can be performed on a smart card capable of performing Schnorr identification [9]. These schemes can all be implemented to handle multiple denominations, which would significantly improve the efficiency of medium to large payments.

5.2 Digital Cash for Arbitrary Payments

The results of the threat model presented in Section 5.1 are used to construct a new model that checks integral criteria of secure digital cash systems. Each arbitrary payment solution will be deemed secure if security models are presented that cover the four problems presented below:

1. Unforgeability of Coins - Only the bank should be able to issue coins.


2. Anonymous Coins - Customers should be able to withdraw coins that are unlinkable and unidentifiable.

3. Unlinkable Withdrawal and Spending - Customers should be able to spend coins however they like without the risk of linkability.

4. Double Spending Detection - The bank should be able to prove who has double-spent coins.

The selection is based on peer-reviewed articles, and schemes with the fairness property, i.e. those that support unconditional anonymity revocation, are left out until Section 5.3.

5.2.1 Compact Wallets

With compact wallets, the customer can withdraw pools of N coins through a single withdrawal and the storage requirement should be proportional to log N. Any portion of the coins should be spendable across multiple purchases until the wallet is depleted, thus this can be considered an arbitrary payment amount method. In these schemes, each coin always represents the smallest supported denomination, and double spending of any single coin should give the bank enough information to identify the double spender. We refer to the work of Lian et al., who present an extensive performance comparison of compact wallet schemes, to identify schemes that fulfill the requirements [28]. In their scheme, coins are unpacked from a wallet of size 2^n using a pseudo-random function where the seed to the function is jointly agreed upon in a zero-knowledge way with the bank. When double spending occurs, enough information to determine this seed will be returned to the bank. Introducing batch spending to the scheme makes it outperform similar schemes in the spending part of the protocol [28]. Without introducing a trusted third party that can unconditionally revoke customer anonymity, the scheme presented by Lian et al. is shown to be the most performant in spending. It is also as performant as similar schemes in the other protocols. For an extensive security model and performance comparison, we refer to [28].

Unforgeability of Coins

Lian et al. show that under the S-RSA assumption an adversary cannot, in probabilistic polynomial time, output a valid wallet that is different from all the wallets obtained in the withdrawal protocol without the help of the bank. Doing this requires knowledge of the factors of n = pq where p, q are large primes.

Anonymous Coins

The wallet parameters are jointly generated with the bank such that the bank only gets a partial insight into the wallet structure to verify that it was generated honestly. Using the factor knowledge of n = pq, the bank can compute A^e = a0 · a^x · a1^e1 · a2^e2 · a3^e3 · h^x mod n as the signature, where a, a0, a1, a2, a3, h are public parameters, in a way such that the bank has zero knowledge of the parameters e1, e2, e3 and x.


Unlinkable Withdrawal and Spending

Coin unlinkability is achieved by concealing the withdrawal and payments using random parameters, and its security is proven under standard assumptions. In the withdrawal step, the customer receives a seed under the bank's blind signature that has to be used to unpack valid coins from the withdrawn wallet.

Double Spending Detection

During spending, the customer will leak information about the seed passed to the random function used to unpack the wallet. Upon double spending, the bank can combine the information to reconstruct the seed and identify the customer. With proof of repeated spending of the same coin and a successful identification, the customer can be held accountable for double spending.

5.2.1.1 Performance

In Table 5.2 the storage size and computations required by the customer to withdraw and spend coins are presented. Withdrawals are presented in the table because the storage size required by the merchant can become significantly lower than that of the customer. For instance, a customer wallet containing 2^10 coins will require roughly 6 MB of storage while the merchant wallet will only require 270 KB, roughly 4.5% of the initial size. The values in Table 5.2 come from [28].

Scheme | Computations | Storage Size [bit]
Withdraw 1 coin | 10 ME | 5828
Withdraw 2^n coins | 10 ME | 5828n
Spend 1 coin | 12 ME | 5190
Spend k coins | 6k ME | n + 1050k + 9958
Spend 2^n coins | 2^n ME | n + 260·2^n + 4010

Table 5.2: ME = multi-based exponentiations, k = an arbitrary integer in the range 1 < k < 2^n

5.2.2 Divisible Digital Cash

Divisible digital cash allows the same coin to be divided into many pieces such that each piece is worth any desired value less than that of the original coin, while the total value of all pieces adds up to the initial amount. Similar to compact wallets, distinct funds from the same withdrawal can honestly be spent on multiple occasions. Weighing performance early on, we decided to analyze the scheme by Pointcheval et al. [36] as it is the only identified scheme that achieves constant-time spending of arbitrary amounts. It also does not rely on binary trees, which makes it simpler at no cost to performance. Their scheme also keeps state-of-the-art features, such as both the efficiency of withdrawals [13] and scalability [11]. In the same paper, the authors also propose a scheme with similar spending efficiency built on more classical assumptions at the cost of larger parameter sizes. Here again, we refer to the referenced article for the security model of the scheme [36].


Unforgeability of Coins

Unforgeability is achieved with two different signatures. The first signature is used by the bank to verify that the necessary secret values are associated with the coin, and the second to prove that the coin is well-structured. The authors of [36] refer to the work of Masayuki et al. as a functioning solution to both these signature schemes [6].

Anonymous Coins

Anonymous coins are achieved with the customer proving knowledge of his secret key in a zero-knowledge way using an interactive Schnorr protocol. The bank will only be able to verify that the identity will be revealed upon double spending.

Unlinkable Withdrawal and Spending

Coin unlinkability is achieved with the use of a non-interactive zero-knowledge proof as well as a non-interactive witness indistinguishability proof during spending, as described in the well-established Groth-Sahai proof system [23]. This achieves the two purposes of proving that the customer is an honest receiver of the coin and the validity of the coin structure, without linking the coin to other coins after they are withdrawn.

Double Spending Detection

Upon deposit, the bank will check for a collision of serial numbers and, if one is detected, the bank can extract a parameter that can be used to reconstruct the identity of the double spender. Only the bank will be able to do this as it requires trial-and-error over the public keys stored in the financial database. This can be computationally costly if there are many users, but it is not time-critical.

5.2.2.1 Performance

Again, performance and required storage size are presented in Table 5.3 for both the withdrawal and spending protocol, as the required storage size differs between the customer and merchant. In Table 5.3, we see that both the withdrawal and spending protocol are achieved in constant-time complexity, independent of the coin value. The public parameter (ppU) of the withdrawal grows linearly in size depending on the withdrawal amount N. For reference, with N = 1024, which could represent a coin of value $10.24, ppU would only be of size 230 KB. The values in Table 5.3 come from [36].

Scheme | Computations | Storage Size [bit]
Withdraw | 2EG1 + Sign | 2Zp + |Sign| + ppU
Spend | 8EG1 + Sign + NIZK{7EG1 + 2P + 2 Sign} | 2Zp + 4G1 + |Sign| + |NIZK|

Table 5.3: EG1 = exponentiation in G, P = pairing computation, Sign = cost of signing protocol, NIZK{*} = computations under non-interactive zero-knowledge proof, ppU = public parameter of the customer's withdrawal


5.2.3 Transferable Digital Cash

Transferable digital cash can handle arbitrary payments via issuing coins of multiple fixed denominations, with the merchant being able to return change in the same way as with physical cash. Unfortunately, unlike the other arbitrary payment amount solutions, this requires additional information to be associated with the coin after it is spent, in order to allow the receiver to spend it further with double spending detection. As change will have to be returned in most practical scenarios, this adds additional data transmission costs and change-of-ownership calculations, which make the spending protocol of these schemes magnitudes slower than for compact wallet and divisible schemes in practice. Performance considerations with these schemes are more related to minimizing the size growth of the coins and less to the actual transaction costs. Bauer et al. revisit the formal security model of transferable digital cash and refine it with stronger assumptions [8]. Unlike the other two technologies, which both support transfers of exact amounts in single transactions, it is hard to assign a number to the transferable schemes as it depends on both the payment amount and which denominations the customer has available.

Unforgeability of Coins

The scheme by Bauer et al. achieves unforgeability with the use of digital signatures and achieves anonymity with the use of Groth-Sahai randomizable non-interactive zero-knowledge proofs. The customer is required to commit some parameters into the coin that the bank verifies in a zero-knowledge way before applying its signature. Forging coins is equivalent to applying the bank's signature, which requires access to the bank's private key.

Anonymous Coins

When withdrawing a coin, the customer selects the initial serial number of the coin and, after performing a zero-knowledge proof of knowledge of the customer's secret key, a tag is attached to the coin that will be used to identify the customer in case of double spending. The bank signs this message blindly and thus cannot determine who has withdrawn it if it is spent honestly.

Unlinkable Withdrawal and Spending

When the scheme is transferable, a new threat to coin linkability emerges, named coin transparency. If the same customer receives a coin it has held previously, the coin will be recognizable if the previous serial numbers are readable. The analyzed scheme addresses this by hiding the serial numbers and the associated tags using a randomizable proof system [8]. These tags are pieces of information appended to the coin to continue detecting double spenders. By intelligently including encryptions under the bank's public key in the coin, its appearance will change after every transfer such that the coin will not be recognizable anymore. This is combined with a Groth-Sahai proof system to prove that one is an honest receiver of the coin and that the coin structure is valid.


Double Spending Detection

Double spending detection is achieved by combining the attached tags. If a customer has spent the same coin twice, then the bank has access to two different tags by the same user spent on the same level. The scheme is constructed such that this information is enough to extract the non-compliant user's identity as well as prove that a customer with access to his private key has double spent the coin in question.

5.2.4 Comparison

After analyzing state-of-the-art schemes for arbitrary digital cash payments, various trade-offs have been identified. One state-of-the-art solution was identified for each of the arbitrary payment amount solutions, and they all include extensive security models. All solutions can be implemented without unconditional tracing, i.e. the only way the customer's identity will be revealed is upon double spending. The identified compact wallet solution is, based on its performance, fit for small to medium amount payments, seeing as the transaction time of spending grows linearly with the spending amount. In the common case, each coin will require 6 multi-based exponentiation calculations to be spent, but if the customer owns a wallet containing the exact amount this will be reduced to only 1 calculation per coin. Normally these calculations take only 10% more time compared with single-based exponentiation, which is fast to compute [28]. State-of-the-art divisible digital cash can, on the other hand, handle spending of arbitrary amounts in constant time. If the system should be able to handle larger amounts of time-critical payments, then divisible digital cash might be the better choice. The divisible cash solution based on the classical assumptions will, however, put a significantly larger burden on the bank both in terms of storage and computations to provide double spending detection [36]. This should be considered in a practical implementation but is outside of the scope of this analysis. The analyzed transferable scheme requires the least communication with the bank as the coin can be transferred multiple times. In times of crisis or in rural areas where network connectivity may be unavailable for a long time, this might be preferable for the customers. For transferable schemes, the customer and merchant roles become indistinguishable as merchants can spend the received coin without contacting the online bank in between.

Scheme | Storage Complexity | Spending Complexity | Transferable
Compact | log N | N | No
Divisible | N | 0 | No
Transferable | s0 + kT | N* | Yes

Table 5.4: N) withdrawal/payment amount, s0) constant initial coin size, k) number of times the coin has been paid with, T) constant tag length, N*) number of available coins needed to pay amount N


5.3 Multiple Banks

In real life, paper cash is issued by central banks and these funds can be transferred between people independent of what local bank they are a customer of. This works fine since the physical bills and coins are transferable, constant in size as well as hard to forge. Unfortunately, the transferability property cannot be achieved in combination with constant-size coins using digital cash due to the possibility of double spending. Without the transferability property, digital cash is short-lived and can only be spent once, thus frequent withdrawals and deposits can be expected. Without support for multiple local banks, a single entity would have to process all withdrawals, deposits as well as double spending tracing of the system, which is not scalable. All schemes analyzed in Sections 5.1 and 5.2 require that all participating users have the same bank for the funds to be securely exchangeable offline. This section will analyze what technologies could enable the exchange of digital cash between users of different banks, as well as their implications.

5.3.1 Group Digital Signatures for Digital Cash

Group digital signatures work the same way as traditional digital signatures with the exception that multiple parties enter a group in which any member can produce a signature on behalf of the group. In group digital signature schemes there exists a group manager who is the only party that can identify who in the group applied the signature. For these signatures to apply to digital cash, we know that they must support blind signing as well as a method of verifying that the coin can be traced if double-spent. Lysyanskaya and Ramzan constructed a group blind signature scheme for digital cash that can be used to relieve a single bank from distributing, accepting, and tracing all the digital coins [29]. For the scheme to work offline, all spenders need to join a separate group of spenders where a trusted third party acts as the group manager. The merchant can verify that the coin is issued by a trusted bank by verifying that it is signed by someone in the bank group, without knowing which bank the customer uses. As there is a risk of double spending, the merchant will also verify that the customer group manager can identify the customer if the coin is double spent, via a signature from the customer group.

5.3.2 Multiple Bank Digital Cash and Fairness

The presence of a trusted third party that can unconditionally extract the customer's identifying information from a withdrawal is contradictory to the requested anonymity properties of simulating paper cash. Solutions to remove the trusted third party from multiple bank digital cash systems have been proposed based on group signatures [12] [40], but their security is questionable [27]. Another idea is to use identity-based encryption to accomplish this [18], but the proposed scheme does not provide double spending detection and will therefore not be secure to use offline.


5.3.3 State of the Art - Multiple Bank Digital Cash

Using group signatures in combination with the tools of the Groth-Sahai non-interactive zero-knowledge proof scheme, Li et al. present a state-of-the-art digital cash scheme with support for multiple banks and a single tracing authority [27]. In their scheme, the bank is replaced by two separate entities: a single central bank and a dynamically joinable pool of local banks. The role of the central bank is to establish the scheme, issue certificates, and manage users, while the local banks have the responsibility of issuing digital coins, verifying user accounts as well as verifying the correctness of digital coins. In the case of double spending, the local banks can extract the double-spender's identity by combining two spent coins without having to burden the central bank. The central bank only needs to participate in the special case where unconditional tracing is required. Li et al. present a security model, security proof, and performance comparison of the scheme to show that their scheme has advantages in both security and efficiency compared with similar schemes [27]. The scheme is built with unconditional anonymity revocation via the central bank, but it also supports conditional anonymity revocation by local banks on double spending. It does not fulfill any of the arbitrary payment properties, but we found no other scheme supporting multiple banks that does.

Chapter 6

Discussion

6.1 Aspects Regarding Security of Digital Cash

Using a threat modeling approach with the LINDDUN framework, the necessary components for a secure digital cash system were systematically pieced together as answers to the identified privacy and non-compliance threats. With paper cash, the customer's anonymity is unconditionally protected when spending, and digital cash simulates this with the use of blind signatures. Blind signatures allow one party to sign a message without learning its content. In digital cash schemes this type of signature is used to certify that a customer's account has been debited upon a withdrawal, without revealing linkable or otherwise identifiable information to the bank. Blind signatures provide the necessary payer anonymity, but without a way for the bank to detect double spending of a coin, they are too risky in practice. Most schemes solve the latter with partially blind signatures, which let the bank learn just enough about the coin it is signing to know that the customer can be identified if the coin is later double-spent.

During the threat modeling, blind signature implementation errors were identified that can damage both the bank and honest customers. When withdrawing coins, the customer is responsible for constructing the identifiable part of the coin and for proving to the bank that it is honestly constructed, without revealing more information than necessary. This puts the customer in charge of their own anonymity, and the customer is free to choose the blinding factor and its strength. When this is implemented correctly, bank non-compliance with respect to storing customers' financial histories is prevented. In textbook RSA, signing a message and decrypting a ciphertext are the same operation: exponentiation with the private key. If the bank uses the same key pair for both signing and encrypted communication, a customer could blind a ciphertext that another user sent to the bank, submit it for signing, and receive its decryption in the coin. This is easily mitigated by restricting the key to generating signatures only. Unless the bank can validate that coins are honestly constructed, there is also a risk that two different customers construct two identical coins through a coin collision.

To provide payer anonymity, these blind signatures should be implemented such that the bank is unable to retrieve identifiable or otherwise linkable information about the withdrawals, while still being able to verify that the coins are not maliciously constructed by the customer. This is achieved with partially blind signatures. With the bank able to read parts of the coin, an honestly constructed coin can be defined such that coin collisions are impossible. The bank can do this by having the customer embed an obfuscation of its identity into the coin under a zero-knowledge proof. As customer anonymity is unconditionally protected with these blind signatures, the risk of customers non-compliantly double spending coins needs to be addressed to make the system practical. Double spending is a risk specific to digital payments because digital data, unlike paper cash, can typically be copied with little effort.
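The withdrawal protocol and the key-reuse pitfall described above, as an added example that is not part of the thesis: a toy RSA blind signature in Python. The parameters (two Mersenne primes as the bank's modulus, SHA-256 as the coin hash, and all function names) are assumptions for illustration. The bank's signing step is plain RSA private-key exponentiation, which is exactly why reusing the signing key for encryption turns the withdrawal protocol into a decryption oracle.

```python
import hashlib
import math

# Toy RSA key pair belonging to the bank. The primes are the Mersenne primes
# 2^61-1 and 2^31-1 (an assumption for a fast, self-contained example; these
# sizes are far too small for anything but illustration).
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # bank's private exponent


def coin_hash(message: bytes) -> int:
    """Map a coin message into Z_N (a real scheme uses full-domain hashing)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def blind(message: bytes, r: int) -> int:
    """Customer: multiply H(m) by r^E so the bank sees a uniformly random
    element instead of the coin. The blinding factor r never leaves the customer."""
    if not (1 < r < N and math.gcd(r, N) == 1):
        raise ValueError("blinding factor must be invertible mod N")
    return (coin_hash(message) * pow(r, E, N)) % N


def bank_sign(blinded: int) -> int:
    """Bank: a plain RSA private-key operation on whatever it is handed."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Customer: (H(m) * r^E)^D = H(m)^D * r, so dividing by r leaves H(m)^D."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify_coin(message: bytes, sig: int) -> bool:
    """Merchant or bank: ordinary RSA signature check with the public key."""
    return pow(sig, E, N) == coin_hash(message)


def withdraw(message: bytes, r: int) -> int:
    """Full withdrawal round trip; the bank learns neither `message` nor r."""
    return unblind(bank_sign(blind(message, r)), r)


def encrypt_to_bank(plaintext: int) -> int:
    """Some other customer encrypts to the bank with the SAME public key."""
    if not 0 <= plaintext < N:
        raise ValueError("plaintext must be smaller than N")
    return pow(plaintext, E, N)


def decryption_oracle(captured_ciphertext: int, r: int) -> int:
    """Key-reuse pitfall: an attacker who captured c = m^E blinds it as c * r^E.
    The bank 'signs' it, returning (c * r^E)^D = m * r, and unblinding
    yields m. The withdrawal protocol has become a decryption oracle."""
    blinded_ct = (captured_ciphertext * pow(r, E, N)) % N
    return unblind(bank_sign(blinded_ct), r)


if __name__ == "__main__":
    sig = withdraw(b"coin serial 0001", 123456789)
    print("coin verifies:", verify_coin(b"coin serial 0001", sig))
    secret = int.from_bytes(b"pin 4242", "big")   # constructed sample plaintext
    print("oracle recovered plaintext:",
          decryption_oracle(encrypt_to_bank(secret), 987654321) == secret)
```

Running the file withdraws one coin and then shows the oracle recovering a plaintext that was encrypted under the same key. The mitigation from the text is the simplest possible one: a separate key pair for encryption, so that nothing the bank would ever decrypt can pass through `bank_sign`. The example also shows why the blinding factor must be secret and invertible modulo N, since `unblind` divides by it.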

In online digital payment solutions, double spending is prevented because the coin can be checked against the bank's database of spent coins before the transaction completes. This is not possible with offline digital payments: a copied coin looks identical to both merchants, and without the possibility of asking the bank whether the coin has already been deposited, both copies look equally valid to both of them. Offline digital cash schemes can instead use cryptographic solutions to detect double spenders after the fact, which may be enough to discourage double spending, but it does not eliminate the problem. If, for instance, a customer was able to register an account under a false identity, or is willing to disappear after double spending, then the system is cheated. Banks could decrease the risk by setting an upper bound on how many coins a customer is allowed to pay in a single purchase, thus limiting the merchant's financial loss in case of double spending. Another way to decrease the risk is to add physical security to the payment device to make it more resistant to tampering. All of these, in combination with an upper limit on the purchase amount, would reduce the cost-effectiveness of tampering with the payment device.

The major difference between paper and digital cash is that the former is a physical object that requires proprietary hardware to reproduce, while the latter is just a series of bits in memory that is easily duplicated and spent again. Some digital cash scheme implementations rely on physical security, in the form of smart cards or trusted execution environments, to protect the memory regions containing the digital coins from tampering. Introducing such a device requires the customer to place a great deal of trust in it if the customer loses the ability to monitor its communication. A maliciously constructed device could also leak private information about the customer without the customer's knowledge. These devices do raise the bar for double spending, but since no environment is truly tamper-proof, this protection is not sufficient on its own either. Most schemes therefore rely on double spending detection, which allows the bank to identify and hold double spenders accountable after the fact using cryptography.

One solution was identified that addresses the identified threats, detects double spenders, and can run in a hard-to-tamper environment without any significant performance or privacy impact. This scheme by Brands uses Chaum-Pedersen signatures in combination with the two-points-on-a-line proof of possession technique, described in Sections 5.1.5.3 and 5.1.5.5 respectively. In short, the customer commits to a line, with a slope and an intercept, in the withdrawn coins such that the customer can prove that a point lies on the line, and such that knowledge of how to generate two such points identifies the customer. The bank can verify this and sign the coin without learning how to generate points. When the customer later spends the coin, the customer proves ownership of the withdrawal by revealing one point on the line to the merchant. Upon double spending, two distinct points on the line are revealed, which allow the bank to reconstruct the line and extract the identifying information from the coin.
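The spent-coin check at deposit and the two-points-on-a-line identification described in the two passages above, as an added example that is not part of the thesis. It reduces the construction to its algebra over a prime field: the group commitments that the bank signs, the Chaum-Pedersen proof, and the merchant's verification of the response against those commitments are omitted, and the modulus, the challenge derivation and all function names are assumptions for illustration.

```python
import hashlib
import secrets

# Prime field for the line arithmetic (assumption: the Mersenne prime 2^61-1,
# a toy size; a real scheme works in a cryptographic group of that order).
Q = (1 << 61) - 1


def withdraw_coin(identity: int) -> dict:
    """Customer side of withdrawal, reduced to its algebra: every coin commits
    to a fresh line y = identity * x + u2 with a one-time random intercept u2.
    (The signed commitments to slope and intercept and the proof that they are
    well formed are omitted in this example.)"""
    return {
        "serial": secrets.token_hex(8),
        "slope": identity % Q,
        "intercept": secrets.randbelow(Q),
    }


def merchant_challenge(merchant_id: str, serial: str, timestamp: int) -> int:
    """Challenge derived from merchant identity, coin serial and time, so two
    different merchants (or two purchases) practically never reuse a challenge."""
    data = f"{merchant_id}|{serial}|{timestamp}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def spend(coin: dict, challenge: int) -> dict:
    """Customer answers the challenge with one point (x, y) on the coin's line.
    The transcript is what the merchant stores offline and later deposits."""
    response = (coin["slope"] * challenge + coin["intercept"]) % Q
    return {"serial": coin["serial"], "challenge": challenge, "response": response}


def explains_transcript(transcript: dict, candidate_identity: int) -> bool:
    """Why a single spend leaks nothing: for ANY candidate identity there is an
    intercept that produces exactly the same transcript, so one point does not
    let the bank distinguish between candidates."""
    u2 = (transcript["response"] - candidate_identity * transcript["challenge"]) % Q
    fake = {"serial": transcript["serial"], "slope": candidate_identity % Q, "intercept": u2}
    return spend(fake, transcript["challenge"])["response"] == transcript["response"]


class Bank:
    """Deposit side: keeps a table of spent serials and solves the line when a
    serial shows up a second time with a different challenge."""

    def __init__(self) -> None:
        self.spent: dict = {}

    def deposit(self, transcript: dict):
        serial = transcript["serial"]
        first = self.spent.get(serial)
        if first is None:
            self.spent[serial] = transcript
            return ("accepted", None)
        if first["challenge"] == transcript["challenge"]:
            # Same point twice: a merchant re-submitted its own transcript.
            # The line cannot be solved and the customer is not to blame.
            return ("duplicate-deposit", None)
        # Two distinct points (x1, y1), (x2, y2): slope = (y1 - y2) / (x1 - x2).
        dx = (first["challenge"] - transcript["challenge"]) % Q
        dy = (first["response"] - transcript["response"]) % Q
        identity = (dy * pow(dx, -1, Q)) % Q
        return ("double-spend", identity)


if __name__ == "__main__":
    bank = Bank()
    coin = withdraw_coin(424242)                       # constructed customer id
    t1 = spend(coin, merchant_challenge("shop-A", coin["serial"], 1000))
    t2 = spend(coin, merchant_challenge("shop-B", coin["serial"], 1001))
    print(bank.deposit(t1), bank.deposit(t1), bank.deposit(t2))
```

The `duplicate-deposit` branch is the edge case a deposit routine must handle: a merchant replaying its own transcript yields the same point twice, which neither proves double spending nor lets the bank solve for the slope. Binding the challenge to the merchant and the purchase is what makes two genuine spends produce two distinct points.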

Since double spending detection leaves a residual risk, some schemes combine it with double spending prevention. By using wallet databases in combination with an observer, as suggested by [17], the customer can still monitor all communication and verify that no unwanted information leaks from the device. This provides both the security and the correctness of the wallet database, and gives the customer a basis for trusting the device. The scheme presented in [9] has been shown to run efficiently on such a device and requires cooperation between the customer and the device to create a valid response to a challenge during the spending protocol. The authors also claim that if the bank were to obtain and analyze one of these payment devices, the customer's personal information would not be extractable.

All digital cash schemes rely on digital signatures of some kind to determine whether a coin was issued by a trusted bank. If the master key the bank uses to sign coins were compromised, someone else would gain the ability to forge coins. In that case the bank would not be able to distinguish the coins it issued from forged ones, because customer anonymity prevents the bank from keeping withdrawal records that link to coins. After learning of the compromise, the bank is required to replace its master key and invalidate all issued coins, which could result in a catastrophic financial loss for its customers. This was left out of the threat model as it is a scenario that applies to any computer system that uses public-key cryptography to establish trust. To limit the number of coins that would have to be invalidated upon a compromise, the bank could rotate the master key frequently, but this also reduces customer anonymity, as fewer withdrawals correspond to each master key.

6.2 Aspects Regarding Digital Cash Performance and Scalability

Physical cash is versatile in the sense that it is constant in size, never requires interaction with a bank after being issued, and can be used to pay exact amounts thanks to the ability to return change. During this work, three different state-of-the-art arbitrary payment amount solutions were examined and compared based on performance and functionality. First, we examined a compact wallet solution that allows one to spend coins in linear time, where each coin requires either 6 or 1 multi-base exponentiations to be spent, depending on whether part of or the entire wallet is spent respectively. Next, a divisible digital cash scheme was examined that allows spending of arbitrary amounts less than the original coin's value in constant time. This scheme does, however, put significantly higher requirements on the bank in terms of storage and computation for double spending detection. Since it uses double spending detection, tracing of double spenders is done after the fact. This tracing is not time-critical, and the necessary information can thus be saved on cheap storage and processed later, which makes the requirement reasonable.

Both compact wallets and divisible schemes provide the functionality to efficiently spend parts of a withdrawal and are therefore easily comparable, unlike the third arbitrary payment amount method, transferable digital cash. Transferable digital cash schemes are the closest relatives of physical cash and allow the same coin to change hands multiple times without contacting the bank in between. These schemes cannot be optimized for spending arbitrary amounts in the same way as the other two, as the result depends on which denominations the customer holds, and because the coins grow in size after each transaction to maintain the double spending detection chain. All three solutions securely transfer arbitrary amounts of digital cash while offline, with various trade-offs in spending time, communication cost, and storage requirements.

Physical cash can be exchanged without being a customer of any bank, as its value resides in something you have rather than something you know. It would be desirable, both for convenience and for scalability, to allow exchanges of digital cash between users of different banks. By combining group signatures and blind signatures, digital cash schemes can be implemented to allow this with the use of a central bank or trusted third party. These types of schemes are implemented with the fairness property, but the examined state-of-the-art scheme also allows local banks to conditionally trace double spenders, which reduces the workload on the central bank. Constructing a scheme that supports multiple banks together with any of the arbitrary payment amount solutions is still an open problem, and these schemes are therefore not yet suitable for general usage.

6.3 Aspects Regarding Digital Cash and Law Enforcement

Paper cash is untraceable and is therefore suitable for carrying out criminal activities such as blackmail, money laundering, and tax evasion. As a consequence of reserving anonymity revocation for double spending only, digital cash can provide new and safer ways to carry out said crimes. It has been demonstrated, for instance, how the blind signatures used by digital cash can be abused to safely collect a ransom as a perfect crime [39]. Unlike paper cash, digital cash can instead be constructed to use so-called fair blind signatures, which give one or more cooperating trusted third parties the ability to unconditionally revoke the anonymity of a payment and prove whose wallet sent or received funds in the illegal activity.

By allowing unconditional anonymity revocation in the scheme, payer anonymity is no longer guaranteed under cryptographic assumptions, which may discourage users from adopting the technology. However, digital cash schemes that do not rely on fair blind signatures still allow the bank to monitor the number of coins flowing in and out of wallets, which can be used as a flag for criminal activities carried out on a large scale. It is also possible to limit the number of coins that can be withdrawn by a single wallet per day to make such activities harder. Additionally, if the digital cash scheme is executed on a tamper-resistant device, another mitigation is to limit the amount that can be spent within a specified time period, an additional benefit that does not require unconditional anonymity revocation. The mitigations mentioned above will not stop criminals from abusing their anonymity to conduct illegal activities, but they will require more effort to go undetected.

With other digital payment solutions offering payer anonymity or pseudonymity co-existing with digital cash, such as cryptocurrencies like Bitcoin, criminals can still find ways to conduct these illegal activities untraceably. It can therefore be argued that adding unconditional traceability is not necessary for these reasons. The more important reason to add unconditional traceability to digital cash schemes is to make it possible to prove whether a coin is forged in case the bank's master key has been compromised. By adding backward tracing as suggested by Stadler et al. [38], the bank and the trusted third party can cooperate to test whether a given coin is forged by linking each withdrawal to a deposit number, such that the bank cannot unconditionally trace the payment without help from the trusted third party. If the bank for some reason suspects that a coin is forged, there at least exists a method to test this using the unconditional anonymity revocation technique. The scheme relies on the computationally expensive cut-and-choose method, but the idea of backward tracing may be applicable as an addition to more efficient schemes.

Digital cash systems could be deployed such that the anonymity revocation key is split between multiple parties that all need to cooperate to trace a coin. With laws and regulations, this could be controlled such that it is illegal to trace coins unless a certain condition is met, such as first receiving a court order. Realistically, given the presence of other anonymous digital payment solutions, digital cash will likely not provide criminals with a better platform for conducting illegal activities on any large scale, even without unconditional anonymity revocation. If paper cash were ever to be fully replaced by digital cash on a large scale, it would still likely be acceptable for most payments by most people, because the general public in many countries already share their financial history with their banks when paying with debit and credit cards.
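Splitting the anonymity revocation key between several parties, as mentioned above, as an added example that is not part of the thesis (the thesis names no particular construction for the split). It uses Shamir's threshold secret sharing over a prime field, with the modulus and the function names assumed for illustration; setting the threshold equal to the number of parties gives the case where all of them must cooperate, and a lower threshold tolerates unavailable parties.

```python
import secrets

# Prime field for the shares (assumption: the Mersenne prime 2^61-1, a toy size
# chosen so the example runs instantly). The tracing key is modelled as an
# integer below the modulus.
P = (1 << 61) - 1


def split_tracing_key(key: int, threshold: int, parties: int) -> list:
    """Shamir t-of-n sharing: the key is the constant term of a random
    polynomial of degree t-1, and party i receives the point (i, f(i)).
    With threshold == parties every party must cooperate to trace a coin."""
    if not (1 <= threshold <= parties < P and 0 <= key < P):
        raise ValueError("bad sharing parameters")
    coeffs = [key] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, parties + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def reconstruct_tracing_key(shares: list) -> int:
    """Lagrange interpolation at x = 0 over the presented shares. Any set of at
    least `threshold` distinct shares returns the key; for fewer shares every
    candidate key is consistent with them, so they reveal nothing."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    key = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        key = (key + yi * num * pow(den, -1, P)) % P
    return key


if __name__ == "__main__":
    tracing_key = int.from_bytes(b"tracekey", "big") % P   # constructed sample
    # 5 parties (e.g. central bank, regulator, court, two auditors), any 3 suffice.
    shares = split_tracing_key(tracing_key, 3, 5)
    print(reconstruct_tracing_key(shares[:3]) == tracing_key)
    # 4-of-4: the 'all must cooperate' deployment described in the text.
    shares = split_tracing_key(tracing_key, 4, 4)
    print(reconstruct_tracing_key(shares) == tracing_key)
```

The reconstruction step is where a court-order requirement from the text would be enforced procedurally: each party releases its share only once the condition is met, and no single party, including the central bank, holds enough to trace a coin alone.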

6.4 Aspects Regarding Viability of Digital Cash

Since no truly tamper-proof device exists, double spending detection is required to safely accept digital cash payments. With double spending detection, digital cash inevitably has limited transferability, which we argue is the biggest drawback of digital cash compared to paper cash. Because of this limited coin transferability, the bank is required to participate more often, both to detect double spenders and to refresh coins, i.e. to shrink transferable coins back down or to turn spent coins back into spendable ones. Transferable digital cash requires the least interaction with the bank, as the same coin can be spent multiple times, but transferable coins cannot be spent as efficiently as divisible coins or coins in compact wallets. Which one is better depends on which types of payments matter most to the users and merchants. Nothing prevents the same bank from offering both divisible and transferable coins as a service, nor a merchant from accepting both. We thus see digital cash as a versatile and viable payment method.

We argue that those who legally use paper cash extensively today will not necessarily have anything to lose from this transition, as long as the secret cryptographic keys are not compromised. Users' financial histories will be cryptographically protected from everyone on a per-coin basis, and the bank will not be able to learn more than their withdrawal and deposit amounts. Those who today prefer the convenience of digital payments at the cost of sharing their financial history with the bank will gain, in the sense that the payments they are already used to will not only work offline but also come with stronger privacy. In a world where other anonymous payment methods exist without the possibility of unconditionally tracing users, any perfect crimes enabled by not adding unconditional tracing to digital cash will still be possible.

6.5 Aspects Regarding the Validity of the Study

The aim of this work was to determine how viable digital cash is for offline payments. From this we formulated an objective to determine whether digital cash can be exchanged securely while offline. We decided to do this via systematic threat modeling using the LINDDUN threat modeling framework. The decision to use threat modeling was taken because we wanted to analyze a theoretical high-level scheme. If we were to analyze a specific scheme, constructing a security proof in the standard or random oracle model would make the results stronger. In order not to make the work overwhelming, we made six assumptions for the theoretical system, as presented in Section 4.3.1.3. Without these assumptions we cannot say that digital cash can be exchanged securely offline. Neither can we be sure that the presented threat model covers all threats to digital cash in offline payments under these assumptions, as there is no way to objectively know this. It is possible that higher-performing state-of-the-art arbitrary payment amount schemes were missed in the second literature study. We did, however, find pros and cons for all three when comparing them to each other.

6.6 Answers to the Research Questions

Below we restate and answer the research questions based on our findings.

RQ1: How can digital cash be exchanged securely between users of the same bank?

Digital cash can be securely exchanged offline between users of the same bank with a combination of blind signatures and double spending detection. Ideally, the payment device should be protected against tampering using a wallet database with an observer, to provide the security and correctness of the device while still allowing the customer to monitor all information entering and leaving it. The digital cash protocols should be implemented such that the customer can be certain that withdrawals are both unlinkable and unidentifiable under strong cryptographic assumptions. This is achieved by letting the customer blind the coin and, without revealing any identifiable data, prove to the bank that the coin is honestly constructed so that double spending detection will work. Digital cash solves this with partially blind signatures and zero-knowledge proofs, which together serve as an incentive not to cheat. By using hard-to-tamper devices in combination with daily withdrawal and spending limits, the cost-effectiveness of tampering with the device can be further reduced.

RQ2: How can arbitrary amounts of digital cash payments be exchanged in a secure and highly performant manner?

Three different types of arbitrary payment amount digital cash schemes with extensive security models were identified and compared based on performance and functionality in this work. If the payment system is required to perform time-critical small- to medium-amount payments, then the compact wallet solution presented in [28] can be used. The storage complexity of the wallet is O(log N), where N is the number of coins in the wallet, and the computational cost of spending is proportional to the number of coins spent. An alternative is divisible digital cash. This type of scheme can handle spending of any amount less than the original coin's value in constant time and therefore also works efficiently for large-amount transactions. Both of these solutions allow a coin to be spent exclusively by the customer who withdrew it, and a coin can thus be spent honestly only once. If coins are required to be transferable multiple times, transferable digital cash can be implemented. Spending arbitrary amounts is then achieved in the same way as with paper cash, i.e. by the merchant returning change. Transferable digital cash is the most costly in terms of both spending time and coin storage, but requires the least interaction with the bank.

RQ3: How can digital cash be exchanged between users of different banks in a secure and highly performant manner?

For digital cash to be securely exchangeable between different banks, the blind signatures are replaced with blind group signatures. With blind group signatures, multiple keys can be used to sign messages on behalf of the entire group, which allows one bank to sign a coin such that when the coin is deposited at another bank in the group, the signature is indistinguishable from one the depositing bank made itself. With this type of digital signature, one entity acts as the group manager and is the only one able to determine which group member produced a signature. Without the cooperation of the group manager, neither the merchant nor the merchant's bank can determine which bank the payer is a customer of, which adds another layer of payer anonymity. Digital cash schemes supporting multiple banks use blind group signatures and state-of-the-art cryptographic solutions to allow the local banks to efficiently trace double spenders without having to interact with the group manager.

Chapter 7

Conclusions and Future Work

7.1 Conclusions

Digital cash has, since the realization of blind signatures, been a hot topic of research. This, in combination with advancements in cryptology, processing power, storage capacity, and the rapid digitization of financial systems, has led to the implementation of various digital cash schemes with different features such as divisibility, transferability, and fairness. The primary goal of these schemes is to allow honest users to spend anonymously offline, while still being able to hold double spenders accountable and reduce the cost-effectiveness of double spending.

We followed a threat model-based approach with the LINDDUN privacy threat modeling framework to identify the technologies necessary to securely construct a digital cash scheme and to detect vulnerabilities that might be introduced while implementing production-grade systems. The LINDDUN privacy threat modeling framework was a good choice, as we managed to map all identified threats into relevant categories with ease, and as most identified threats were privacy related. The threat model was constructed in three steps and made it apparent that digital cash systems are critical and that security failures can become expensive quickly.

The first technology introduced into the threat model was blind signatures, which provide complete customer anonymity. Blind signatures allow the customer to receive a valid signature on a message that is blinded from the bank. As the customer is responsible for blinding the message, the customer can be certain that the bank is unable to extract any linkable or otherwise identifiable information from it. However, with this anonymity alone, customers would be able to double spend coins as many times as they like without consequences, resulting in financial loss for all but the first merchant who deposits the coin. This is impractical, as no merchant would trust such a system while offline because of the significant risk of untraceable double spending.

We analysed three different solutions addressing the double spending threat in the final threat model. One way is to use RSA blind signatures in combination with a cut-and-choose methodology; these technologies are described in Sections 5.1.5.1 and 5.1.5.4 respectively. By implementing these technologies correctly, the risk that a user successfully evades identification after double spending can be made negligible. The cut-and-choose method is computationally inefficient but helps the bank assert that the coin is honestly constructed without revealing any identifiable information about the coin. Another solution is to use randomized RSA signatures in combination with the two-points-on-a-line principle. Randomized RSA signatures are a type of partially blind signature, described in Section 5.1.5.2, that by itself allows the bank to assert that the coin is not maliciously constructed. This allows more freedom in how the identifying information is embedded in the coin and removes the need for the cut-and-choose method. Combining this signature scheme with a zero-knowledge proof, such as the two-points-on-a-line principle described in Section 5.1.5.5, helps the bank assert that the customer will be identified upon double spending the coin. The last solution is to use Chaum-Pedersen signatures in combination with the two-points-on-a-line principle to identify double spenders; these technologies are described in Sections 5.1.5.3 and 5.1.5.5 respectively. This solution is the most efficient in terms of computation and requires the smallest parameter sizes of the three, as it can utilize elliptic curves. It has also been shown to be executable on hard-to-tamper smart cards with an observer without any significant performance impact. With this, the cost-effectiveness of tampering with the device is reduced compared with the previous two solutions, without sacrificing performance.

Paper cash can effectively be used to pay arbitrary amounts, with the payee returning change in case the payer does not have the exact denominations at hand. This is not true for the digital cash solutions described above, as the customer has to prove ownership of the withdrawal for the merchant to accept the payment and to know that the customer can be identified in case of double spending. From this work, three different state-of-the-art solutions to the arbitrary payment amount problem were identified. One of the solutions, compact wallets, allows withdrawals of 2^n coins such that the required storage space is proportional to n, and the complexity of spending an arbitrary number of coins is linear in the spending amount. This state-of-the-art compact wallet solution requires at most 6 multi-base exponentiations per coin to spend, which is efficient for small- to medium-amount payments. State-of-the-art divisible digital cash works similarly to compact wallets in the sense that one withdrawal can be used for multiple purchases, as long as distinct parts of the withdrawal are revealed each time. Although it has a higher initial overhead than the compact wallet solution, the identified divisible digital cash solution can handle spending in constant time. This makes the divisible digital cash solution viable for time-critical larger-amount payments as well. Worth noting, though, is that by allowing larger payments, the cost-effectiveness of double spending increases. Transferable digital cash was the final identified solution. It allows arbitrary payment amounts by constructing the coin such that it can change hands multiple times without contacting the bank in between. In essence, this allows merchants to return change, solving the arbitrary payment amount problem similarly to paper cash. The storage requirement for these coins depends on how many times the coin has been paid, and the spending time depends on how many coins need to be exchanged between the customer and merchant for the payment. This makes transferable digital cash harder to compare in terms of efficiency with the other two.

Blind group signatures can be used to transfer digital cash between different banks. A group manager, commonly referred to as the central bank, initiates the scheme by constructing a group of local banks. All members of the group can produce signatures on behalf of the entire group such that only the central bank can identify which bank signed the message. Merchants then verify the group signature to prevent coin forgeries. As the group manager is the only entity that can identify the signer, neither the merchant nor the merchant's bank can on its own determine which bank the payer is a customer of. This adds an additional layer of payer anonymity. These schemes can be constructed such that the customer is unconditionally anonymous to all local banks, or anonymous only until double spending. With multiple local banks, the payment system becomes more scalable, as each local bank only needs to handle withdrawals and deposits for its own customers. The central bank can either act as an unconditional anonymity revocation party that cooperates with law enforcement to trace illegally transferred funds, or its revocation capability can be split between multiple parties that must cooperate to unconditionally trace coins. With the latter construction, the system could be regulated by national law such that a coin may only be unconditionally traced after a court order is issued by a judge.

Double spending is an inevitable risk for all offline digital payments. To increase the security of digital cash, the cost-effectiveness of double spending should be minimized. The most effective way to do this is with double spending detection. This makes the probability that a malicious customer double spends without being identified after the fact negligible, and thus reduces the incentive to double spend in the first place. By running the customer wallet application on hard-to-tamper hardware, the cost-effectiveness of double spending decreases even more, as it will likely require high technical expertise in combination with specialized, expensive equipment. Banks can also introduce daily withdrawal limits and enforce maximum payment amounts for single purchases to further reduce the cost-effectiveness.

In places where online payments already dominate and network connections are stable, double spending is no longer a risk to merchants. When the merchant is online, the coin can be deposited as part of the purchase and confirmed as not double-spent in real time. Customers already using online payments will not notice any difference in convenience, except perhaps slightly increased transaction times, depending on the digital cash implementation. At the same time these customers gain significantly in privacy, as their financial history is then accessible only to themselves. Digital cash is therefore a payment method free of double spending risk that enforces payer anonymity where network connections are already stable, and, in combination with reductions in the cost-effectiveness of double spending, a low-risk payment method for offline payments.


7.2 Future Work

Piecing together cryptographic protocols into a complete application is notoriously error-prone, and innocent implementation choices can have significant effects on both security and performance. The threat model methodology applied in this thesis was conducted at a high level and did not examine many specifics of the cryptographic protocols. We thus leave constructing a more extensive LINDDUN threat model for specific schemes and their respective cryptographic protocols as future work. Our threat model was also constructed under six assumptions, and future work could include loosening these to possibly identify additional threats and threat actors. These assumptions are listed in Section 4.3.1.3 for reference. Once the specifics of a scheme are fixed, the necessary parameter sizes could also be determined to achieve the required security and scalability based on use-case requirements.

Part of this thesis work was to construct a proof of concept based on theoretical digital cash models, but due to a lack of functionality requirements and benchmarking data, this was excluded. With the various digital cash functionalities that exist being incompatible or redundant with each other, it can be hard to narrow down and motivate which scheme to implement and benchmark. More on this is described in Section 4.2. This thesis identified and listed state-of-the-art schemes solving different problems together with their strengths and weaknesses, which could serve as motivation for future work to implement and benchmark a specific scheme. Establishing a standardized benchmarking environment for digital cash scheme implementations is also an interesting idea for future work.

Lately, digital cash solutions based on chaotic cryptography and signcryption have been introduced [31] [30]. After discussing them and achieving a better understanding of how they work, we found that there are long-standing concerns about the security of chaotic cryptography [41] [26]. We therefore excluded these schemes from the snowballing process described in Section 4.1, even though they seem promising and might further improve on both security and performance in practice. We leave it as future work to compare these schemes further with those built on more standard assumptions.

Payment services are regulated nationally and internationally to guarantee the same rules for all, clear information on payments, fast payments, and consumer protection for a wide choice of payment services. In the EU, these rules today apply to credit transfers, direct debits, card payments, as well as mobile and online payments [5]. By jointly constructing a regulation specific to digital cash, its usage will become safer for the users. No such regulation exists as of yet for digital cash, and one would be helpful for its adoption.


7.3 Closing Remarks

Digital cash is a promising technology that promotes payer privacy and provides the convenience of digital payments to all. Nations, unions, private companies, and researchers are in the process of evaluating how the technology is best used safely on various scales and with various user requirements. This thesis presents findings on how digital cash can be exchanged securely offline as well as other possibilities of the technology. Digital cash can bring benefits to both the offline and online payment markets, with convenience and privacy enhancements respectively. Offline digital payments face the inevitable risk of double spending, but with the appropriate mechanisms in place, the cost-effectiveness of double spending and of benefiting from it can be minimized using digital cash.

References

[1] BTH Summon, Mar. 2022. Accessed on: Jan. 2, 2022. [Online]. Available: https://bth.summon.serialssolutions.com/#!/

[2] Google Scholar, Mar. 2022. Accessed on: Jan. 2, 2022. [Online]. Available: https://scholar.google.com/

[3] IEEE Xplore, Mar. 2022. Accessed on: Jan. 2, 2022. [Online]. Available: https://ieeexplore.ieee.org/Xplore/home.jsp

[4] World Cash Report 2018, Aug. 2018. Accessed on: Apr. 11, 2022. [Online]. Available: https://cashessentials.org/app/uploads/2018/07/2018-world-cash-report.pdf

[5] “Payment services,” 2022. [Online]. Available: https://ec.europa.eu/info/business-economy-euro/banking-and-finance/consumer-finance-and-payments/payment-services/payment-services_en

[6] M. Abe, J. Groth, K. Haralambiev, and M. Ohkubo, “Optimal structure-preserving signatures in asymmetric bilinear groups,” in Advances in Cryptology – CRYPTO 2011, P. Rogaway, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2011, pp. 649–666.

[7] M. H. A. Au, W. Susilo, and Y. Mu, “Practical compact e-cash,” IACR Cryptol. ePrint Arch., vol. 2007, p. 148, 2007.

[8] B. Bauer, G. Fuchsbauer, and C. Qian, Transferable E-Cash: A Cleaner Model and the First Practical Instantiation, ser. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Cham: Springer International Publishing, 2021, vol. 12711, pp. 559–590.

[9] S. Brands, “Untraceable off-line cash in wallet with observers,” in Advances in Cryptology — CRYPTO ’93, D. R. Stinson, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1994, pp. 302–318.

[10] J. Camenisch, S. Hohenberger, and A. Lysyanskaya, “Compact e-cash,” in Advances in Cryptology – EUROCRYPT 2005, R. Cramer, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2005, pp. 302–321.

[11] S. Canard, D. Pointcheval, O. Sanders, and J. Traoré, “Scalable divisible e-cash,” in Applied Cryptography and Network Security, T. Malkin, V. Kolesnikov, A. B. Lewko, and M. Polychronakis, Eds. Cham: Springer International Publishing, 2015, pp. 287–306.


[12] S. Canard and J. Traoré, “On fair e-cash systems based on group signature schemes,” in Information Security and Privacy, R. Safavi-Naini and J. Seberry, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2003, pp. 237–248.

[13] S. Canard, D. Pointcheval, O. Sanders, and J. Traoré, “Divisible e-cash made practical,” IET Information Security, vol. 10, no. 6, pp. 332–347, 2016. [Online]. Available: https://ietresearch.onlinelibrary.wiley.com/doi/abs/10.1049/iet-ifs.2015.0485

[14] D. Chaum, “Blind signatures for untraceable payments,” in Advances in Cryptology, D. Chaum, R. L. Rivest, and A. T. Sherman, Eds. Boston, MA: Springer US, 1983, pp. 199–203.

[15] D. Chaum, A. Fiat, and M. Naor, “Untraceable electronic cash,” in Advances in Cryptology — CRYPTO ’88, S. Goldwasser, Ed. New York, NY: Springer New York, 1990, pp. 319–327.

[16] D. Chaum and T. P. Pedersen, “Transferred cash grows in size,” in Advances in Cryptology — EUROCRYPT ’92, R. A. Rueppel, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1993, pp. 390–407.

[17] ——, “Wallet databases with observers,” in Advances in Cryptology — CRYPTO ’92, E. F. Brickell, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1993, pp. 89–105.

[18] W. Chen, B. Qin, Q. Wu, L. Zhang, and H. Zhang, “ID-based partially blind signatures: A scalable solution to multi-bank e-cash,” in 2009 International Conference on Signal Processing Systems, 2009, pp. 433–437.

[19] M. Deng, K. Wuyts, R. Scandariato, B. Preneel, and W. Joosen, “A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements,” Requirements Engineering, vol. 16, no. 1, pp. 3–32, Mar. 2011. [Online]. Available: https://doi.org/10.1007/s00766-010-0115-7

[20] N. Ferguson, “Extensions of single-term coins,” in Advances in Cryptology — CRYPTO ’93, D. R. Stinson, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1994, pp. 292–301.

[21] ——, Single Term Off-Line Coins, ser. Advances in Cryptology — EUROCRYPT ’93. Berlin, Heidelberg: Springer Berlin Heidelberg, 2001, pp. 318–328.

[22] G. Fuchsbauer, D. Pointcheval, and D. Vergnaud, “Transferable constant-size fair e-cash,” in Cryptology and Network Security, J. A. Garay, A. Miyaji, and A. Otsuka, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2009, pp. 226–247.

[23] E. Ghadafi, N. P. Smart, and B. Warinschi, “Groth–Sahai proofs revisited,” in Proceedings of the 13th International Conference on Practice and Theory in Public Key Cryptography, ser. PKC’10. Berlin, Heidelberg: Springer-Verlag, 2010, pp. 177–192. [Online]. Available: https://doi.org/10.1007/978-3-642-13013-7_11


[24] X. Hou and C. Tan, “On fair traceable electronic cash,” in 3rd Annual Communication Networks and Services Research Conference (CNSR’05), 2005, pp. 39–44.

[25] L. Law, S. Sabett, and J. A. Solinas, “How to make a mint: The cryptography of anonymous electronic cash,” The American University Law Review, vol. 46, p. 6, 1997.

[26] C. Li, “Cracking a hierarchical chaotic image encryption algorithm based on permutation,” Signal Processing, vol. 118, pp. 203–210, 2016. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0165168415002431

[27] Y. Li, F. Zhou, and Z. Xu, “A fair offline electronic cash scheme with multiple-bank in standard model,” Journal of the Chinese Institute of Engineers, vol. 42, no. 1, pp. 87–96, 2019. [Online]. Available: https://doi.org/10.1080/02533839.2018.1547664

[28] B. Lian, G. Chen, J. Cui, and M. Ma, “Compact e-cash with efficient coin-tracing,” IEEE Transactions on Dependable and Secure Computing, vol. 18, no. 1, pp. 220–234, 2021.

[29] A. Lysyanskaya and Z. Ramzan, “Group blind digital signatures: A scalable solution to electronic cash,” in Financial Cryptography, R. Hirschfeld, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1998, pp. 184–197.

[30] C. Meshram, A. L. Imoize, A. Aljaedi, A. R. Alharbi, S. S. Jamal, and S. K. Barve, “An efficient electronic cash system based on certificateless group signcryption scheme using conformable chaotic maps,” Sensors (Basel, Switzerland), vol. 21, no. 21, Oct. 2021. [Online]. Available: https://europepmc.org/articles/PMC8587120

[31] C. Meshram, M. S. Obaidat, K.-F. Hsiao, A. L. Imoize, and A. Meshram, “An effective fair off-line electronic cash protocol using extended chaotic maps with anonymity revoking trustee,” in 2021 International Conference on Communications, Computing, Cybersecurity, and Informatics (CCCI), 2021, pp. 1–5.

[32] M. Milutinovic, “Cryptocurrency,” Ekonomika, Journal for Economic Theory and Practice and Social Issues, vol. 64, no. 1, p. 290219, 2018. [Online]. Available: https://econpapers.repec.org/RePEc:ags:sereko:290219%7D

[33] T. Nakanishi and Y. Sugiyama, “Unlinkable divisible electronic cash,” in Information Security, G. Goos, J. Hartmanis, J. van Leeuwen, J. Pieprzyk, J. Seberry, and E. Okamoto, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2000, pp. 121–134.

[34] T. Okamoto, “An efficient divisible electronic cash scheme,” in Advances in Cryptology — CRYPTO ’95, D. Coppersmith, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1995, pp. 438–451.

[35] T. Okamoto and K. Ohta, “Universal electronic cash,” in Advances in Cryptology — CRYPTO ’91, J. Feigenbaum, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1992, pp. 324–337.


[36] D. Pointcheval, O. Sanders, and J. Traoré, “Cut down the tree to achieve constant complexity in divisible e-cash,” in Public-Key Cryptography – PKC 2017, S. Fehr, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2017, pp. 61–90.

[37] Riksbanken, “E-kronapiloten etapp 1.” [Online]. Available: https://www.riksbank.se/globalassets/media/rapporter/e-krona/2021/e-kronapiloten-etapp-1.pdf

[38] M. Stadler, J.-M. Piveteau, and J. Camenisch, “Fair blind signatures,” in Advances in Cryptology — EUROCRYPT ’95, L. C. Guillou and J.-J. Quisquater, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 1995, pp. 209–219.

[39] S. H. von Solms and D. Naccache, “On blind signatures and perfect crimes,” Comput. Secur., vol. 11, pp. 581–583, 1992.

[40] S. Wang, Z. Chen, and X. Wang, “A new certificateless electronic cash scheme with multiple banks based on group signatures,” in 2008 International Symposium on Electronic Commerce and Security, 2008, pp. 362–366.

[41] D. D. Wheeler and R. A. J. Matthews, “Supercomputer investigations of a chaotic encryption algorithm,” Cryptologia, vol. 15, no. 2, pp. 140–152, 1991. [Online]. Available: https://doi.org/10.1080/0161-119191865821

[42] C. Wohlin, “Guidelines for snowballing in systematic literature studies and a replication in software engineering.” ACM, 2014, pp. 1–10.
