Appendix 1: Cryptographic Toolkit for Electronic Cash

Introduction

This appendix brings together many of the background technology issues surrounding the concept of the exchange of value using cryptographic techniques. The subject is introduced somewhat briefly and dismissively, as to do otherwise would drain the reader's patience. Hence I have ignored many of the contentious and current issues, in favour of the essential ideas.

Whilst the idea of digital money, or E-cash as it is now known, has been around for some time, it took several developments in the field of cryptography to bring the concept to a workable form. These developments can be viewed as adding tools into the cryptographer's tool-kit, the most important of which are described here. Acknowledgement: The details in this section were strongly dependent on the Schneier's epic tome [1]. Interested readers are referred to it as a first step in wider cryptographic knowledge.

Encryption

Firstly, the use of numbers-as-money transmitted over networks, or held on disks or smart-cards has obvious security flaws. The development of strong encryption in the 1970s, led by the Data Encryption Standard [2] designed by IBM, made it possible to lock away these numbers in un-openable envelopes. Whilst the DES and other algorithms can be broken using brute force (i.e., computers) the amount of computing power required is a function of the size (i.e., length in bits) of the chosen key. Current software versions generally choose keys that imply at least years of CPU power.

In technical terms, an encryption algorithm E takes a message M and converts it, with the aid of a key K, into ciphertext, C.

EK(M) = C

Conventional encryption has the property that a decryption algorithm will convert C, using K, back into the original E:

DK(EK(M)) = M

It should be clarified that we concentrate here on so-called strong crypto. Paradoxically, you can probably guess as to whether you are using strong crypto by the following test: if it was sold over-the-counter, it is probably not strong. Encryption supplied in publicly available software might, for example, frustrate a cheated spouse, but it provides fertile ground for revenue inspectors, police, and cypherpunks. In contrast, strong crypto is generally subject to various regulatory attempts, which have to date only succeeded in making it widely available for free. See cypherpunks and sci.crypt.research

Public-key Encryption

Historically, a shared weakness of any encryption method was the need to transmit the keys to the other party over possibly insecure channels. An allied development to strong encryption algorithms was the concept of public-key encryption [3], an algorithm that permits a secure channel to be set up without the risk normally associated with the physical exchange of keys. This idea postulated a function that given one key of a pair would perform encryption, and with the second key of the pair it would perform decryption. The first key, the so-called private key, should not be derivable from the second, or public key.

Hence, to create a secure method of communication, Alice produces the pair of keys, and gives the public one to Bob (the cryptographers' favourite characters). Bob, as the message sender, uses that key to encrypt a message which only Alice can decode (that is, the holder of the private key). Hence, it is unimportant who has the public key, it is only necessary that Alice keeps secure her private key. Then, in order to allow Alice to communicate with Bob, Bob must have produced a pair of keys, and given the public one to Alice.

Digital Signatures

The public key encryption idea allows Alice to receive messages that only she can read. If however, the public key is really public, then she will not know who has sent her the message - Mallory, a malicious attacker, could have sent a message with Bob's name appended to it.

The digital signature adds to the cryptographers tool-kit by allowing electronic documents to be marked in an unforgeable and undeniable manner by a signatory. Typically, this is done by reversing the above procedure. By encrypting a document with one's private key, anyone with the public key can confirm that only the private key holder could have produced that encryption.

Put together, these techniques allow Alice to send to Bob a note that cannot be denied or fraudulently reproduced.

Further, this is all possible without interference from Eve (the cryptographers' name for an eavesdropper) who would like to read the contents, change them, or undertake any number of other possible attacks on Alice and Bob's private communication.

Blinding

We can now perform secure electronic transactions. In order to produce an electronic coin, Alice could write a note with the words Alice promises to pay the bearer one dollar. Once this is signed by Alice, and given securely to Bob, the latter can use it in exchange for goods at Carol's shop. Carol can recognise the signature, having Alice's public key, and can thus accept the coin on good faith. In order to make sure that Bob does not spend his coin twice (digital coins are easily copied), Carol returns the coin immediately to Alice and the chain is completed.

The only problem remaining is that Alice and Bob share the secret of the coin, allowing Alice to fraudulently spend it first. To solve this problem, David Chaum designed a technique to allow Alice to sign a note from Bob, without being able to glance at the contents [4]. This is done with a function B that obscures a number before it is signed, but is commutative with the signature function. Therefore, the obscuration can be removed from the signed result to reveal the original number, still signed. Now, Bob can provide Alice with a blinded number. Alice can sign it, after adding that it is worth a dollar, and Bob can strip off the blinding to reveal the valid, completely secret, coin.

This final piece in the puzzle, called blinding, allowed Chaum's company, DigiCash , to design and build a scheme for anonymous and untraceable e-cash, and thus emulate one of the most important characteristics of physical cash. The blinding technique has been widely seen as the spark that prompted the current wave of interest in E-cash, although to date, progress has been slow.


1 Bruce Schneier, Applied Cryptography, second edition, John Wiley and Sons, 1996

2 See, for example, National Bureau of Standards NBS FIPS PUB 46, 1977

3 Whitfield Diffie and Martin Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, v. IT-22, n. 6 Nov 1976

4 David Chaum, "Achieving Electronic Privacy," Scientific American, v. 267, n. 2 Aug 1992. Click here for a quick look at the maths

Back to Index or Monetary Policy.