V-cash

A Study in Electronic Commerce: Specification

Cornell University
Computer Science Department
Masters of Engineering Project
Spring 1998

Han-Yang Lo
Sanjeev Topiwala
Joyce Wang
with assistance from Keith Sollers

Under the supervision of: Professor Fred B. Schneider
last modified: Monday, 4/27/98

Introduction
Overview of System
Properties of System
Assumptions
High Level Functional Specification

Setup
Bank
Merchant
Client
Communication Protocols
Client -- Bank
Client -- Merchant
Merchant -- Bank
Features
Bank Server
Merchant Server
Consumer Client
Algorithms
Coins

Programming Languages and Platform Support
Demonstration of System
Notes
References

Introduction

The growth of the Internet has created a whole new marketing and sales paradigm. Merchants can sell practically anything over the Internet at any time. They can reach audiences far beyond their physical locations and can sell at cheaper prices. On the flip side consumers appreciate the convenience and ease of shopping from home. They also like the varied product selection and discount prices. The Internet brings together these advantages for both merchants and consumers. For this reason, the Internet is believed to be where the future of commerce lies.

However, at the current time, consumers must generally use credit cards or checking accounts to make purchases. Although these methods are safe and secure, they do not provide the anonymity and untraceability of cash. As the number of financial transactions over the network grows, consumers will demand a form of secure electronic cash to protect their privacy. This is where V-óa$h steps in. V-óa$h is a secure, anonymous, and untraceable system that allows consumers to make purchases over the Internet. They can be confident that their purchases occur as if they were spending cash at the mall.

Overview of System

The system consists of three main components: a bank server, a merchant server, and a consumer client. Each of these components communicates with each other over secure channels.

Anonymity means that the merchant does not know who the consumer is. Untraceability means that the bank cannot find out where the money came from. To this end, when the client (Alice) wants to withdraw some cash, she generates coins, blinds them and sends them to the bank for authentication. The bank signs these coins with its key, and sends them back to Alice. Then Alice unblinds the coins. Thus Alice withdraws money from her account at the bank, which is authenticated by the bank and usable, but the bank does not know the serial number of the coin.

Now when Alice is shopping online at Bob’s, she can spend the money by sending the coins to Bob, the merchant. Bob, in turn sends the coins to the bank for on-line validation, to confirm that the coins are valid and have not been spent already. After getting the confirmation, Bob completes the transaction with Alice by giving her the merchandise she has purchased.

At the high-level, this scheme is motivated from the implementation described in David Chaum's Scientific American paper (see references), along with several discussions obtained on the internet by other groups attempting to explain/implement an electronic cash system. Many low-level details were obtained by group consensus during the design process.

Properties of System

  1. Anonymous and untraceable purchases.
  2. Detection of double spending.
  3. Authentication of all parties.
  4. Audit through logs. (see above "logging functionality")
  5. Authorization of transactions through bank.

Assumptions

  1. Client and Merchant have accounts at the same bank
  2. Average transaction is around $201
  3. Communication channels are secure using standard encryption algorithms
  4. Software binary executable is secure

High Level Functional Specification

Setup

Setup functionality is limited:

Bank

  1. Bank creates a database of client/merchant V-óa$h accounts
  2. Bank creates a database for storing serial numbers of spent coins.

Merchant

Assumption 1

  1. Merchant requests software
  2. Merchant installs the software
  3. Bank receives and decrypts the information (see above "electronic registration")
  4. Bank sends a set of "challenge" questions (see above "electronic registration")
  5. Merchant answers the challenges (see above "electronic registration")
  6. Bank verifies merchant responses (see above "electronic registration")
  7. Merchant designs web page

Client

Assumption 1

  1. Client requests software
  2. Client installs the software
  3. Bank receives and decrypts the information (see above "electronic registration")
  4. Bank sends a set of "challenge" questions (see above "electronic registration")
  5. Client answers the challenges (see above "electronic registration")
  6. Bank verifies client responses (see above "electronic registration")

Communication Protocols

Logging functionality has now been integrated and testing. There will be no automatic recovery of data (manual recovery from logs). 4/26/98

All communication protocols have Assumption 3

Client -- Bank

  1. Client initiates connection with the bank
    1. Client sends a symmetric key
      • encrypted with the bank’s public key
    2. Bank decrypts the message with its private key
    3. Bank acknowledges the session key by returning the session key
      • signed by the bank’s private key
      • encrypted using the session key
  2. Client sends:
    1. account number encrypted with symmetric key and
    2. symmetric key signed with the client private key
    3. this entire packet encrypted with the symmetric key
  3. All messages from this point are encrypted using the session key
  4. To withdraw money:
    1. Client sends a message requesting withdrawal amount
    2. Bank checks the account
      • If there is enough money in the account
      • If the client hasn’t gone over the maximum daily withdrawal limit
    3. If the request is invalid:
      • the bank sends an ERROR message and disconnects
    4. Otherwise, the request is valid, and the bank sends an acknowledgement
    5. The client software generates and blinds the serial numbers for the appropriate number of coins and sends them to the bank
    6. The bank signs these coins with a specific private key for each coin denomination, and sends the signed, blinded coins back to the client
    7. The bank keeps a copy of these signed blinded coins until it receives a confirmation of receipt from the consumer(not implemented)
    8. The client software receives the coins:
      • unblinds the coins
      • verifies the bank signature (makes sure it returns the original serial number)
      • acknowledges receipt of coins, and sends receipt to bank
    9. Bank debits the client’s account upon receipt of acknowledgment
    10. If the bank does not receive an acknowledgment, bank resends coins upon client request (assumption that this will not happen. Resend implementation partially coded, but not integrated or tested. ... does not exist in the current applications. 4/23/98)
  5. To deposit coins:
    1. The client sends the bank the serial numbers of the coins to be deposited
    2. The bank validates the coins:
      • verifies that the coins were signed by the bank
      • checks the coins against the spent coin database to prevent "double spending"
    3. If the coins are valid, the bank credits the client’s account
      • Clients should not have any invalid coins
      • To correct a mistake, clients must contact the bank -- verification using logfiles. (see above "logging functionality")
    4. Bank sends a receipt to the client
    5. Client stores the receipt
  6. To get change:
    1. The client deposits the largest denomination coin
    2. The client withdraws an amount equal to that denomination
      • The client software automatically creates the necessary number of serial numbers
      • This withdrawal does not count toward the maximum daily withdrawal

Client -- Merchant

  1. Merchant sets up a web page for the merchandise
    1. Purchase page includes a button that will spawn an external application at the client site
    2. Sends the external application:
      • merchant’s public key
      • IP address of the merchant’s server
      • Port number of the merchant’s server
      • Total amount of purchase
  2. Client sends a symmetric key to the merchant
    1. Encrypted using the merchant’s public key
    2. Merchant acknowledges
  3. Everything from this point is encrypted using the symmetric key
  4. Merchant sends a bill for the goods
    1. If the client decides not to accept the charges, the client terminates the connection
  5. The client sends the coins
  6. The merchant validates the coins with the bank
  7. If the coins are valid:
    1. The merchant sends a signed receipt to the client. (not yet implemented 4/23)
    2. The merchant makes the goods available to the client (downloading, mail order, etc.)
    3. The client logs the charges. (see above "logging functionality")
  8. If the validation fails:
    1. The merchant tells the client
    2. Both parties log the failure. (see above "logging functionality")
    3. The client puts the coins in the "BadCoins" purse
    4. The client must contact the bank to correct an invalid mistake – verification using files. (see above "logging functionality")
    5. The client may attempt to purchase the item with other coins in the purse

Merchant -- Bank

  1. Merchant initiates connection with the bank
    1. Merchant sends a symmetric key and the account number
      • encrypted with the bank’s public key
    2. Bank decrypts the message with its private key
    3. Bank acknowledges the session key by returning the session key
      • signed by the bank’s private key
      • encrypted using the session key
  2. Merchant sends:
    1. account number encrypted with symmetric key and
    2. symmetric key signed with the merchant private key
    3. this entire packet encrypted with the symmetric key
  3. All messages from this point are encrypted using the session key
  4. The merchant sends:
    1. the coins received from the client
    2. total amount of payment
  5. The bank makes sure that the coins are valid
    1. The coins were signed by the bank
    2. The coins have not been used before ("double spending")
  6. If the coins are valid:
    • The bank credits the merchant's account
    • The bank sends a signed receipt to the merchant
    • Both parties log the transaction. (see above "logging functionality")
  7. If the validation fails, the bank logs the serial numbers of the coins and the merchant's account number. (see above "logging functionality")

Features

Bank Server

Merchant Server

Consumer Client

Table 1 Log Files
 

  Log kept by Bank  Log kept by Merchant  Log kept by Client 
Bank    1. Transaction date 
2. Amount deposited 
3. Success / failure 
1. Transaction date 
2. Amount withdrawn / deposited 
3. Serial numbers / denominations 
4. Signed coins 
Merchant  1. Transaction date 
2. Account number 
3. Amount deposited 
  1. Transaction date 
2. Coins used in payment 
3. Merchant ID 
Client  1. Transaction date 
2. Account number 
3. Amount withdrawn / deposited 
4. Breakdown of coins issued per denomination 
1. Transaction date 
2. Amount of purchase 
 

Algorithms

Coins

Programming Languages and Platform Support

Demonstration of System

The system will be demonstrated by creating a simple user interface with the above functionality. A single merchant web site will be created with a few purchaseable items. The client will indicate that he/she wishes to purchase this product, after acquiring the funds from the bank. The interface will spawn the software that initiates the payment transaction. A test validation suite was used to test the cryptographic algorithms.

Notes

1Amount was chosen to be between the amount of most micropayments and most credit card payments. Additionally, a lower amount is preferable given the security level of the system. Coin size and denomination considerations also played a role.

References

Digital Cash Home Page:
http://www.digicash.com

RSA Data Security Home Page:
http://www.rsa.com

Certicom white papers on ECC:
http://www.certicom.com/ecc/wpaper.htm

IEEE Internet Computing - Interview with David Chaum:
http://www.computer.org/internet/ic1997/w6toc.htm

Scientific American Article by David Chaum:
http://ganges.cs.tcd.ie/mepeirce/Project/Chaum/sciam.html