Digital Cash

This project is based on the protocol number 4, described in [SCHN96], p. 142.  Please pick up this handout. Basically this protocol implements an electronic cash system, in which the digital cash cannot be copied or reused more than once and the privacy of the customer's identity is guaranteed.


The system allows money transaction between three parties: Customer, Merchant and Bank. The electronic cash (ecash) used during these transactions is a document which contains:




The following excerpt from [SCHN96], p. 142 describes the anonymous digital cash protocol.  It is recommended that you read the chapter for more discussion and background.

Protocol #4

  1. Alice prepares n anonymous money orders for a given amount.  Each of the money orders contains a different random uniqueness string X, one long enough to make the chance of two being identical negligible.  On each money order, there are also n pairs of identity bit strings, I1, I2, ... In. (yes, that's n different pairs on each check.)  Each of these pairs is generated as follows: Alice creates a string that gives her name, address, and any other piece of identifying information that the bank wants to see.  Then, she splits it into two pieces using the secret splitting protocol (see Section 3.6).  Then, she commits to each piece using a bit commitment protocol
  2. Alice blinds all n money order, using a blind signature protocol.  She gives them all to the bank.
  3. The bank asks Alice to unblind n-1 of the money orders at random and confirms that they are all well formed.  The bank checks the amount, the uniqueness string, and asks Alice to reveal all of the identity strings.
  4. If the bank is satisfied that Alice did not make any attempts to cheat, it signs the one remaining blinded money order.  The bank hands the blinded money order back to Alice and deducts the amount from her account.
  5. Alice unblinds the money order and spends it with a merchant.
  6. The merchant verifies the bank's signature to make sure the money order is legitimate.
  7. The merchant asks Alice to randomly reveal either the left half or the right half of each identity string on the money order.  In effect, the merchant gives Alice a random n-bit selector string b1, b2, ... bn.  Alice opens either the left half or right half of Ii, depending on whether bi is a 0 or a 1.
  8. Alice complies.
  9. The merchant takes the money order to the bank.
  10. The bank verifies its signature and checks its database to make sure a money order with the same uniquenes string has not been previously deposited.  If it hasn't, the bank credits the amount to the merchant's account.  The bank records the uniqueness string and all of the identity information in a database.
  11. If the uniqueness string is in the database, the bank refuses to accept the money order.  Then, it compares the identity string on the money order with the one stored in the database.  If it is the same, the bank knows that the merchant copied the money order.  If it is different, the bank knows that the person who bought the money order copied it.  Since the second merchant who accepted the money order handed Alice a different selector string than did the first merchant, the bank finds a bit position where one merchant had Alice open the left half and the other merchant had Alice open the right hald.  The bank XORs the two halves together to reveal Alice's identity.

The system should be implemented using your choice of C, C++, or Java.  (and maybe Microsoft .NET, we're thinking about it)  It will consist of 3 independant programs that communicate over the network using an XML based protocol.  One of these programs simulates the bank.  One program simulates a merchant.  The remaining program simulates the user, and interfaces with the user either as a traditional GUI program, or as a web server serving HTML pages.  Of course, all communications should be secured using SSL.


Please visit the resources page


[SCHN96] Applied Cryptography, Bruce Schneier, John Wiley and Sons, New-York, 1996.

An interesting article about the use of digital cash in France: