Electronic Cash

Bahman RadjabalipourOsitadimma Maxwell EjelikeSchool of Computer Science

University of WindsorApril 2006

Contents

Introduction “What is money?” "Research on electronic payment model“ "A new electronic cash model” “PayCash: a secure efficient Internet

payment system.” Conclusion

Paper 1

WHAT IS MONEY?

Ray Byler, Ph.D.

Assistant Professor of Computer Science

Lyon College

Batesville, Arkansas 72501

Introduction

Most of the money that exists today doesn't exist as greenbacks, but as 1's and 0's in some computer.

Any monetary system, digital or otherwise, must be based on trust.

Reliability of that system The belief that others will accept the system

Areas of Concern

Convertibility and Flexibility connection to other monetary schemes Converting electronic dollars to electronic coins

Privacy Will government be able to track everything that

users earn and spend governments determine banking rules and

regulations Acceptability Cost

Background Terms

Public-key Encryption Diffie-Helman encryption Messages encrypted with the public key can only

be decrypted with the private key and vice-versa RSA Encryption

Crated by Rivest, Shamir, and Adleman less communications overhead less secure

Digital Certificates For verifying a public key

Minting Digital MoneyImportant Digital Money Schemes 1. Ecash2. Internet Keyed Payments Protocol (iKP)3. Micro Payment Transfer Protocol (MPTP)4. CyberCash5. NetCheque6. NetCash.

Ecash

Creation of Dr. David Chaum Diffie-Hellman public-private key Proprietary rather than an open system Did not have a payment limit to limit customer

loss Ecash had been used by Mark Twain Bank

Ecash: Minting Process

Ecash coin begins life as a 100-digit random number chosen by a user software package

The user transmits this number to the bank/mint along with the denomination requested.

The bank/mint verifies that the number is not already in use,

Validates the number by encoding the number with the private key

Debits the user's account Transmits the validated number back to the user,

who records the coin on his hard disk.

Ecash: Minting Process (cntd) Bank tracks the “serial number” of each coin that it

issues to ensure that a coin is not used twice Merchant must immediately check with the bank to

verify the coins for each and every transaction This is computationally expensive for buying

something like a newspaper Blind Signatures: a bank can verify that a coin is

good, but cannot identify to whom it was issued.

iKP - Internet Keyed Payments Protocol Proposed open standard by IBM Securing electronic commercial transactions Based on RSA public-key cryptography Users with no prior relationship iKP is designed to work with all Internet

communications channels (e.g. http, shttp, email) encryption is limited to sensitive data such as

account numbers and PINs The potential for credit card fraud is reduced by only

transmitting account numbers between buyers and banks, sellers never see the account numbers

iKP: weaknesses

Privacy: All payments can be traced There is no support for small real-time

payments

SET (Secure Electronic Transaction) Based on iKP developed by a consortium led by

MasterCard and Visa Primarily deals with credit card payments Uses RSA for signatures Private-key encryption: DES

Micro Payment Transfer Protocol (MPTP) Closely linked to the proposed iKP standard Is designed for payments that are too small to

justify the overhead of iKP MPTP processes can mostly be done off-line Makes no distinction between merchant and

customer MPTP is based on Lamport's S/Key

authentication mechanism (rfc1731)

CyberCash

Proprietary scheme It is designed to work with credit cards,

electronic checks, and electronic cash It is presently implemented for credit cards It is currently used by CyberCash

Corporation, Xerox, Point Scandinavia AS, and the Bank of America, and is certified by most major credit cards.

NetCheque and NetCash

invented by Clifford Neuman, Information Sciences Institute (ISI), University of Southern California (USC)

Based on the Kerberos security software system

Funded by ARPA (Advanced Research Projects Agency)

NetCheque software is free for personal, non-commercial or limited commercial use.

Paper 2

Research on Electronic Payment Model

Bo Meng

Qianxing Xiong

College of Computer Science and Technology

Wuhan University of Technology

Introduction

This paper introduces the 3e payment model.

The 3e payment model includes: electronic credit card payment model electronic cash payment model electronic check payment model

Introduction

Every electronic commerce system generally includes three parts:

1. data communication system: online procedure to establish business

2. logistics system: delivers products

3. electronic payment system.

JW (Janson and Waidner) Model In JW model the electronic payment system

is classified into: cash-like payment system cheque-like Payment System.

Both types of payment systems are direct payment systems, i.e., a payment requires an interaction between buyer and seller.

JW Model (cntd)

There are also indirect payment systems where either buyer or seller initiates the payment without having the other party (seller or buyer, respectively) involved online.

NA (N.Asokan) Model

In N.Asokan model two criterions are used to classify the electronic payment system direct or indirect communication The second criterion is the relationship between the time

the payment initiator consider the payment as finished, and the time the value is actually taken from the payer.

N. Asokan model includes four payment models: direct cash-like system direct cheque-like system indirect push system indirect pull system.

3e Payment Model

Based on the previous two models 3e model includes:

Electronic credit card payment model Electronic cash Payment model Electronic check Payment model

Electronic credit card payment model

Electronic Cash payment model

Electronic check Payment model

Comparison of 3e Payment Model

Properties Of Online Payment Protocols Security:

message integrity data confidentiality

Accountability Atomicity:

money atomicity goods atomicity Certified delivery

Anonymity Non-repudiation: provides proof of the integrity and

origin of data Fairness

Paper3

A New Electronic Cash Model

Written By Xiaosong Hou, Chik How Tan

Introduction

The paper presented a customer generated electronic cash model that offers unique trade-off between credit card and traditional off-line electronic cash systems

It addressed the problem of Online Transactions with Credit Cards as well as issues with current electronic payment systems

It applied the concept of Group Signatures, in the New Electronic Payment System.

Group Signature

Introduced by Chaum and Heijst in 1991 Type of Digital signatures that allows registered

group member to produce a digital signature on a message

Consists of four procedures Setup Sign Verify Open

Group Signature Contd

Security Requirements for secured Group Signatures Correctness Anonymity Unforgeability Unlinkability Exculpability Traceability

The New Electronic Payment Model.

Four Entities Involved Bank,Group registration manager, maintains the accounts

of all customers and registers new customers. The clearing house, Group revocation manager, clears the transactions between the shop and

the customer. The customer, group member, can make payment by

signing the transaction message using his/her private membership key.

The shop can verify the signature using the group public key published by the bank

Transactions in the New Electronic Payment Model Account Opening Transaction. Customer opens account in the bank and obtain a valid

membership certificate and a secret Payment Transaction. Shop prepares payment message that contains transaction

information, such as date, time, shop ID, currency and amount. Customer pays by signing the transaction message using his/her private membership key. The shop verifies the correctness of the customer’s payment signature, using the group public key published by the bank.

Transactions in the New Electronic Payment Model Contd. Deposit Transaction. The shop deposits the collected payment messages to the clearing

house. The clearing house, verifies the validity of the deposited payment transcripts, and sends the bank periodic summaries of settlement of funds. All transactions and settlement records are kept as evidence for audit and security purposes.

Tracing Transaction. The bank knows the linkage between the account number and the

customer identity, while the clearing house knows the linkage between the account number and the payment history, therefore, if and only if a Tracing Order (TO) is issued from the Judge, the clearing house can cooperate with the bank to achieve fair tracing.

Building Blocks

It was derived from zero-knowledge proofs of a piece of information, and are denoted as ‘ZKP’ for short.

ZKP { (a) : y1 = ga1^ y2 = ga

2}

Proposed Electronic System

Bank Parameters The bank chooses two large random prime numbers p and q of

the form p = 2p_+1 and q = 2q_+1 where p and q_ are prime numbers as well. The bank publishes n = pq and keeps p and q secret, then defines a subgroup of Z n ∗ and chooses two numbers z, h from this subgroup.

The Parameters of the Clearing House The secret key of the clearing house is x and the public key of

the clearing house is y = gx. Then a collision free hash function H is published

Proposed Electronic System Contd.

Opening AccountThe customer chooses two random prime numbers e and en, then he/she computes em = een and zm = zen. The bank computes u = zm 1/em and sends u to the customer, who checks that z = ue. The bank stores (u, em, zm) and the customer’s identity in the bank’s customer database.The customer keeps (u, e) as his/her membership key

Payment Protocols The shop first generates a transaction message of payment for the customer to

sign: m =H(ShopID,Date, Time, Amount,Currency). The customer chooses an integer w and computes a =gw, b = uyw and d = gehw. Then the customer chooses r1, r2 and r3, and computes t1 = br1(1/y)r2 , t2 =

ar1(1/g)r2, t3 =gr3 , t4 = gr1hr3 . After computation of c =H(g||h||y||z||a||b||d||t1///t2//t3//t4//m), the customer computes s1 = r1 − c(e − 2l1 ), s2 = r2 − cew, and s3 = r3 − cw.

Proposed Electronic System Contd. The signature of m is (c, s1, s2, s3, a, b, d). The shop verifies the signature using the equation c

=H(g||h||y||z||a||b||d||zcbs1−c2l1 /ys2||as1−c2l1 /gs2||acgs3||dcgs1−c2l1 hs3||m).

The shop accepts the signature on the transaction message as a valid payment signature if the above stated equation holds

Deposit Protocol The clearing house computes the identity code u = b/ax

Proposed Electronic System Contd. Deposit Protocol

The clearing house computes the identity code u = b/ax

Security Analysis

Anonymity: logga equals to logy

(b/b´ )

Unforgeability: Only registered members signs signatures Unlinkability: To find if two signed transaction messages (c, s1, s2, s3,

a, b, d) and (c´, s1´, s2´, s3´, a´, b´, d´ ) are from the same customer will be

logy(a/a´ )= logy(b/b´ )= logy(d/d´ )

Non-framing: Since it is hard to compute the discrete logarithm of z to the base u, which known by customer, bank, clearing house and some customers cannot collude to sign name of non-involved customer

Paper 4

PayCash: A Secure Efficient Internet Payment

System

Written By Jon M. Peha and Ildar M. Khamitov

Introduction

The paper describes PayCash, an Internet payment system that was designed to offer strong security and privacy protection.

This system creates verifiable records of all transactions that cannot be forged or undetectably altered by the party sending funds, the party receiving funds, or even by the operator of the payment system.

Flexible enough to accommodate privacy and security laws that differ from nation to nation.

It can be use by business-to-consumer, peer-to-peer funds transfers among consumers and among Businesses, and transfers from one agent of a licensed international funds transfer company to another.

STATUS QUO

Most Online transactions are done with Credit Cards Credit card Frauds Privacy is compromised with spam emails and

telemarketing calls Cost of transferring a payment can exceed the cost

of the product itself.

DESIGN GOALS OF EFFECTIVE PAYMENT SYSTEM Tamper-proof records: Privacy Protection: Flexible anonymity policies: Protection from password guessing Protection from outside observers:

PAYCASH DESIGN GOALS Support for disconnected users: Wide range of payments: Multiple currencies: Scalability

THE SUITABILITY OF CHAUM’SELECTRONIC COINS

THE SUITABILITY OF CHAUM’SELECTRONIC COINS Digital strings that can be transferred anonymously from person

to person just like cash. a coin with serial number X is defined by{ X, g-1(f(X)) }, where f(.)

and g(.) are functions that are easy to calculate and hard to invert.

Only payment system’s agent (which we call the Payment Authorizer) can “mint” a coin because only this agent can apply the function g-1(.)

The agent must mint the coin with serial number X without learning X or f(X).

LIMITATION OF CHAUM’S COIN.

A serious limitation of this scheme is the absence of tamper-proof transaction records.

Supporting a wide range of payments is also problematic.

List of all spent coins must be maintained, and frequently searched.

PAYCASH APPROACH

Producing Tamper-Proof Records All transaction records are digitally signed, and integrated into

the payment system itself to create tamperproof records Customer generates a pair of public and private keys, P and S

for this signature. Coin is { P, g-1(f(P)) }.P is both serial number and public key. To

transfer one coin, the user sends {record, Sign(S,record), P, g-1(f(P)) }.

Record is a description of the transaction, including recipient of the funds, timestamp, and any other information, or at least a hash of the function

CONDITION FOR VALID PAYMENT. Payment has not already been made with serial

number C. The coin has been properly minted with the g(.)

function i.e. f(C)=g(D), The digital signature is correct, i.e. Verify(C, B) = A, The recipient of the funds transfer corresponds with

the one listed in record A.

Protocol for Contract

Consumer sends information to merchant to be placed in contract Merchant composes contract, digitally signs it, sends result back to

consumer. Consumer includes a hash of the signed contract in record,

constructs payment as described above, and sends it to merchant. Merchant sends message to the Payment Authorizer to make sure

the payment is valid. Payment authorizer checks the signature, makes sure that the

serial number has not been spent already, updates records, and informs the merchant that the payment succeeded.

The merchant informs the consumer that the payment succeeded.

Making Payments of Different Amounts For each serial number P, the payment system agent keeps

track of the total amount of money m(P) that has been spent so far.

For K coins and value c, N ≥ k + m(P)/c. The same serial number can be minted multiple times with g-1(.) Define a Paybook(N,P), of N coins with serial number P as

Paybook(N,P), = {N, P, g-N(f(P)) } Where N is non-negative integer,g-0=x, and g-N(x)=g-1(g-(N-1)(x))

MULTI-COIN PAYMENT

Set:{record, Sign(S,record), PayBook(n,P) } ={record, Sign(S,record), n, P, g-n(f(P)) }

Transaction records include amount q A payment {record, sign, n, P, Y} of amount q is valid if the following

conditions are met. The Payment Authorizer verifies that the paybook is valid, i.e. f(P) =

gn(Y). If this condition is not met, or if the paybook is empty (n=0), then the payment is rejected.

The payment Authorizer verifies that the digital signature is correct, i.e. Verify(P, sign) = record. If not,the payment is rejected.

The Payment Authorizer checks its table to determine the amount of money m(P) associated with this paybook that has already been spent. If no paybook has been seen before with serial number P, then a new one is created with m(P)=0.

If there are insufficient funds, i.e. nc < q+m(P), then the payment is rejected. Otherwise, the payment is authorized, and m(P) is increased by q.

CONCLUSIONS

Security: Any successful digital money system will probably have to rely on public-key cryptography

Disadvantages of most electronic cash systems: Lack of insurance Overhead costs Database size

References

[1] Xiaosong Hou; Chik How Tan, "A new electronic cash model," Information Technology: Coding and Computing, 2005. ITCC 2005. International Conference on , vol.1, no.pp. 374- 379 Vol. 1, 4-6 April 2005

[2] Bo Meng; Qianxing Xiong, "Research on electronic payment model," Computer Supported Cooperative Work in Design, 2004. Proceedings. The 8th International Conference on , vol.1, no.pp. 597- 602 Vol.1, 26-28 May 2004

[3] Byler, R. What is money?. In Proceedings of the 2nd Annual Conference on Mid-South College Computing (Little Rock, Arkansas, April 02 - 03, 2004). ACM International Conference Proceeding Series, vol. 61. Mid-South College Computing Conference, Little Rock, Arkansas, 200-209. 2004.

[4] Peha, J. M. and Khamitov, I. M. PayCash: a secure efficient Internet payment system. In Proceedings of the 5th international Conference on Electronic Commerce (Pittsburgh, Pennsylvania, September 30 - October 03, 2003). ICEC '03, vol. 50. ACM Press, New York, NY, 125-130. 2003.