Question
The e-cash solutions use serial numbers. Money that is spent has its serial number recorded, in order to prevent double spending. Remember that when withdrawing the money, Bob, the payer, needs to create multiple copies of the money he wants to withdraw. All the copies are for the same currency level (e.g., 20 dollars) but have a different serial number. Why are the serial numbers used in the copies unique? Show what happens if Bob inadvertently creates two copies of the money with the same serial number.
Explanation / Answer
In more detail, this is how it works: The user signs up for an account at the Ecash "mint" into which he transfers money from a regular bank account. He then receives a password to download the client software from the Net. No other hardware than a networked PC is needed. After installation, the software asks the user to type in some random keystrokes. Because people's typing is not purely random, the input is "whitened," i.e. the user types in a lot more digits than are displayed. To this uniform distribution some redundancies are added for the purpose of printing it out and typing it in, so that the software can detect errors and correct them. Says Chaum: "The cryptographic pseudo-random techniques we use are powerful enough that there's an extremely high grade security, higher than the normal commercial stuff you see."
The client finally displays a string of digits, and asks the user to write them down in a safe place. This is the random seed value from which the unique "serial numbers" of the actual Ecash coins will be calculated, and which also allows the user to recover her Ecash value in case her hard disk crashes. Explains Chaum, "The seed can be expanded cryptographically to be a whole lot of, in effect, independent numbers that would be, as far as we know, impossible to link in any way. There is a pseudo-random sequence, an arbitrarily long sequence of digits that can be created from a single secret number such that knowing any sub-sequence gives you no help whatsoever in finding anything useful about any other sub-sequence."
A number created from the seed is large, say 100 digits long, which makes it extremely unlikely that the same number is created twice. The user's client then multiplies it by a random factor, i.e. "blinds" it, and sends this "envelope" to the bank in public key encryption format. The bank countersigns the blinded "serial number," sends it back, and the random number is divided out. The electronic coin residing in a "wallet" on the user's hard disk is now ready to be spent. The crypto magic sounds rather complicated, but is performed by the client software. For the user, the process has the feel of withdrawing money from a regular automatic teller machine.
When the user comes across an Internet service accepting Ecash, the wallet pops up, he confirms the product to be bought, the payee and the amount, and the exact number of coins is transferred. The merchant's software immediately clears the coins with the issuing bank to make sure they are valid. In the same way, individual users can also make over money between themselves.
The bank keeps a record of the now unblinded serial numbers and matches them against incoming coins to check for double spending. If a user made copies of a coin and tried to spend it again, only the first coin would be accepted. A coin is only used once. After it is received by the bank it is retired and its value is credited to the recipient's account. If a user wants to spend her electronic earnings again in the form of Ecash, she has to re-withdraw them as fresh coins. A large retailer would just send all their money to the bank and leave it there.
In this way, the bank knows the amounts a person receives. It also knows how much he withdraws from his account onto his wallet, just as with current ATMs. And just as with cash, the bank does not know where the money goes from there.
Because the bank does not know the blinding factor, it has no way of linking the coins issued during the user's original withdrawal to those that are finally deposited by a shop. The system is designed such that if a bank recorded everything it could possibly know, and even if the shop and the bank colluded, they would not be able to determine who spent which coins. The blinded coin numbers are "unconditionally untraceable."
The only record the bank, in fact, retains of the withdrawal transaction is a coded compression, a so-called "cryptographic hash function," of all the envelopes received. The hash value cannot be reversed to recreate the original information. It only comes into play when lost Ecash is recovered and the bank has to verify that the resubmitted coins are identical to the ones it had previously signed.
Also the retailer will not necessarily know where the information it sells is going to. Usually, proxy servers are used to buffer packet traffic, in which case the shop does not know the individual user, but only the address of the server. For absolute anonymity, "re-payers" have been set up, proxy servers that bounce the transactions just like anonymous re-mailers.
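The withdrawal and deposit steps described in the answer, as an added example that is not part of the original answer or of any Ecash software. It uses textbook RSA blinding with a constructed toy key; the names `serial_from_seed`, `withdraw` and `Bank` are hypothetical. It shows the case the question asks about: two withdrawn coins that share a serial number look like a double spend at deposit, so only the first is credited.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy bank key (two Mersenne primes); far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # bank's private exponent

def serial_from_seed(seed: bytes, index: int) -> int:
    """Expand the wallet seed into the index-th coin serial number."""
    digest = hashlib.sha256(seed + index.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") % N

def withdraw(serial: int) -> tuple[int, int]:
    """Blind the serial, have the bank sign it, then divide the factor out."""
    while True:
        r = secrets.randbelow(N - 2) + 2           # random blinding factor
        if gcd(r, N) == 1:
            break
    blinded = serial * pow(r, E, N) % N            # the "envelope" the bank sees
    signed_blinded = pow(blinded, D, N)            # bank signs without seeing serial
    signature = signed_blinded * pow(r, -1, N) % N # unblind: serial^D mod N
    return serial, signature

class Bank:
    def __init__(self):
        self.spent = set()  # unblinded serial numbers of retired coins

    def deposit(self, coin) -> str:
        serial, signature = coin
        if pow(signature, E, N) != serial:
            return "rejected: bad signature"
        if serial in self.spent:
            return "rejected: serial already spent"
        self.spent.add(serial)
        return "accepted"

def demo() -> list[str]:
    seed, bank = b"constructed wallet seed", Bank()
    coin_a = withdraw(serial_from_seed(seed, 0))
    coin_b = withdraw(serial_from_seed(seed, 1))    # distinct serial
    coin_dup = withdraw(serial_from_seed(seed, 0))  # same serial as coin_a
    return [bank.deposit(c) for c in (coin_a, coin_b, coin_dup)]

if __name__ == "__main__":
    print(demo())
```

Because the unblinded signature depends only on the serial number, `coin_dup` is bit-for-bit the same coin as `coin_a` even though a fresh blinding factor was used for the second withdrawal.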