October 08, 2005

On Digital Cash-like Payment Systems

Just presented (slides) at ICETE2005 by Daniel Nagy: On Digital Cash-like Payment Systems:

Abstract. In present paper a novel approach to on-line payment is presented that tackles some issues of digital cash that have, in the author s opinion, contributed to the fact that despite the availability of the technology for more than a decade, it has not achieved even a fraction of the anticipated popularity. The basic assumptions and requirements for such a system are revisited, clear (economic) objectives are formulated and cryptographic techniques to achieve them are proposed.
Introduction. Chaum et al. begin their seminal paper (D. Chaum, 1988) with the observation that the use of credit cards is an act of faith on the part of all concerned, exposing all parties to fraud. Indeed, almost two decades later, the credit card business is still plagued by all these problems and credit card fraud has become a major obstacle to the normal development of electronic commerce, but digital cash-like payment systems similar to those proposed (and implemented) by D. Chaum have never become viable competitors, let alone replacements for credit cards or paper-based cash.

One of the reasons, in the author s opinion, is that payment systems based on similar schemes lack some key characteristics of paper-based cash, rendering them economically infeasible. Let us quickly enumerate the most important properties of cash:

1. "Money doesn't smell." Cash payments are -- potentially -- anonymous and untraceable by third parties (including the issuer).

2. Cash payments are final. After the fact, the paying party has no means to reverse the payment. We call this property of cash transactions irreversibility.

3. Cash payments are _peer-to-peer_. There is no distinction between merchants and customers; anyone can pay anyone. In particular, anybody can receive cash payments without contracts with third parties.

4. Cash allows for "acts of faith" or naive transactions. Those who are not familiar with all the antiforgery measures of a particular banknote or do not have the necessary equipment to verify them, can still transact with cash relying on the fact that what they do not verify is nonetheless verifiable in principle.

5. The amount of cash issued by the issuing authority is public information that can be verified through an auditing process.

The payment system proposed in (D. Chaum, 1988) focuses on the first characteristic while partially or totally lacking all the others. The same holds, to some extent, for all existing cash-like digital payment systems based on untraceable blind signatures (Brands, 1993a; Brands, 1993b; A. Lysyanskaya, 1998), rendering them unpractical.

[bulk of paper proposes a new system...]

Conclusion. The proposed digital payment system is more similar to cash than the existing digital payment solutions. It offers reasonable measures to protect the privacy of the users and to guarantee the transparency of the issuer s operations. With an appropriate business model, where the provider of the technical part of the issuing service is independent of the financial providers and serves more than one of the latter, the issuer has sufficient incentives not to exploit the vulnerability described in 4.3, even if the implementation of the cryptographic challenge allowed for it. This parallels the case of the issuing bank and the printing service responsible for printing the banknotes.

The author believes that an implementation of such a system would stand a better chance on the market than the existing alternatives, none of which has lived up to the expectations, precisely because it matches paper-based cash more closely in its most important properties.

Open-source implementations of the necessary software are being actively developed as parts of the ePoint project. For details, please see http://sf.net/projects/epoint

Posted by iang at October 8, 2005 01:25 PM | TrackBack

I have uploaded the presentation slides here:

Posted by: Daniel A. Nagy at October 8, 2005 11:29 PM

(_copied from cypherpunks_) This is a thorough and careful paper but the system has no blinding and so payments are traceable and linkable. The standard technique of inserting dummy transfers is proposed, but it is not clear that this adds real privacy. Worse, it appears that the database showing which coins were exchanged for which is supposed to be public, making this linkage information available to everyone, not just banking insiders.

Some aspects are similar to Dan Simon's proposed ecash system from Crypto 96, in particular using knowledge of a secret such as a hash pre-image to represent possession of the cash. Simon's system is covered by patent number 5768385 and the ePoint system may need to step carefully around that patent. See http://www.mail-archive.com/cpunks@einstein.ssz.com/msg04483.html for further critique of Simon's approach.

Posted by: Cyphrpunk at October 19, 2005 09:57 AM

(_copied from fc-discuss_) At the time of writing, I was already familiar with Simon's proposal and its above mentioned critique (I learnt about them from Stefan Brands' blog). At that time, the design and the implementation were already complete and the process of writing up the paper was also well advanced. Wishing to postpone the discussion of patents for as long as possible, I decided against citing Dan Simon's work in references, which may be regarded as an act of academic dishonesty on my part. Mea culpa. I am reasonably confident that I can legally defend the point that there are sufficient differences between my proposal and Simon's, but I might not be ready to fight off a legal assault from Microsoft (lack of time and money) right now. Leaving the patent issue at that, let us proceed to the substance.

I will probably need to write another paper, clarifiing some of these issues. Let me, however, re-emphasize some of the points already present in the paper and perhaps cast them in a slightly different light.

In my paper, I am explicitly and implicitly challenging Chaum's assumptions about the very problem of digital cash-like payment. One can, of course, criticize my proposal under chaumian assumptions, but that would miss the point entirely. I think, a decade of consistent failure at introducing chaumian digital cash to the market is good enough a reason to re-think the problem from the very basics.

Note that nowhere in my paper did I imply that the issuer is a bank (the only mentioning of a bank in the paper is in an analogy). This is because I am strongly convinced that banks cannot, will not and should not be the principal issuers of digital cash-like payment vehicles. If you need explanation, I'm willing to provide it. I do not expect payment tokens to originate from withdrawals and end their life cycles being deposited to users' bank accounts.

Insider fraud is a very serious risk in financial matters. A system that provides no safeguards against a fraudulent issuer will sooner or later be exploited that way. Financial systems (not just electronic ones) often fall to insider attacks. They must be addressed in a successful system. All chaumian systems are hopelessly vulnerable to insider fraud.

And now some points missing from the paper:

Having a long-term global secret, whose disclosure leads to immediate, catastrophic failure of the whole system is to be avoided in security engineering (using Schneier's terminology, it makes a hard system brittle). The private key of a blinding-based system is exactly such a component. Note that in the proposed system, the digital signature of the issuer is just a fancy integrity protection mechanism for public records, which can be supplemented and even temporarily substituted (while a new key is phased in in the case of compromise) by other mechanisms of integrity protection. It is the public audit trail that provides most of the security.

Using currency is, essentially, a credit operation, splitting barter into the separate acts of selling and buying, thus making the promise to reciprocate (that is the eligibility to buy something of equal value from the buyer) a tradeable asset itself. It is the trading of this asset that needs to be anonymous, and the proposed system does a good enough job of protecting the anonymity of those in the middle of the transaction chains.

Hope, this helps.

-- Daniel

Posted by: Daniel at October 19, 2005 10:06 AM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.