Wallet Based E-Cash System for Secured Multi-hop Cash Exchange

Heinz Kreft
Christian Albrecht University of Kiel Kiel, Germany hk@informatik.uni-kiel.de

Wael Adi
Technical University of Braunschweig Braunschweig, Germany w.adi@ieee.org Abstract the majorities of contemporary proposed digital cash techniques have many disadvantages in being directly or indirectly account based or not anonymous and offer no offline peer-to-peer transferability. This is for the majority of users - in general - not acceptable. Such an approach fails to replace the role of cash in e-commerce systems. The basic result of this research is a new prepaid multihop (transferable) cash payment system solution based on hardware technology implementing an electronic wallet (ewallet) to accommodate digital coins. Transparent cash transfer (exchange) protocol software can serve at any network device as Internet host, mobile device or any future general purpose communication link. The result is a peer to peer (P2P) electronic cash transfer equivalent to a physical cash transfer in public use. This e-cash system could be a possible alternative to the physical coins & bills. It is a multi-purpose inter-operable digital cash payment scheme for domestic usage. The system is suitable for low value (micro payments in the 1 cent range), as well as for larger payments, regardless of the communication platform or transmission medium. Keywords: P2P, Unclonable Wallet, E-Cash, secured OffLine cash transfer Introduction, X.509 certification. I. INTRODUCTION AND STATE OF THE ART Since the beginning of mankind, there has been a need of exchanging services and objects. At first, as one can imagine, valuables were exchanged in kind, later coins came up, than followed by paper money. Nowadays the defiances of time is pushing new digital payment methods. The actual methods as those with plastic money have many disadvantages (e.g. account based, no anonymity, no offline transfer, fees for every transaction) and are accordingly not a satisfying and acceptable replacement for coins and bills in the area of ecommerce. The proposed e-cash system is a prepaid solution based on tamper-protected hardware technology implementing an ewallet to accommodate digital coins. The embedded cash transfer protocol software turns every eWallet into an open network device ready to connect to any standard general purpose communication link. The result is a peer to peer (P2P) electronic cash transfer equivalent to a physical cash transfer

for public use. This e-cash system should be an alternative to physical coins & bills. It is a multi-purpose inter-operable digital cash payment scheme for domestic or international usage. The system is suitable for low and high value money exchange, regardless of the communication environment as: Cellular networks like GPRS, EDGE, UMTS for Cell/Mobile phones for remote payments, Local PAN and WLAN like Bluetooth, IEEE802.11a/b/g/h/n for face-to-face payments, Generic Ethernet based Internet IP devices and more. The particular advantage of the system is that it is a nonaccountrelated anonymous payment system. There is ondemand registration for the user; participation is possible by just getting an e-wallet to start with. The e-coins are offline transferable in an open-loop chain. The usage is simple; it works like usual cash with the ability to fly over IT highways. It has the attractive cash re-spend feature ('Multi Hop Capability') or transferability without any grow in size for the e-coin. Nearly any modern device can be enabled utilizing virtually any communication platform (network) either offline or on-line, allowing borderless and long distance transfers usable for POS (Point Of Sale) transactions [B2C (Business to Customer), B2B (Business to Business), C2C (Customer to Customer), G2B (Government to Business) and G2C (Government to Citizen)]. The system is suitable for PersontoPerson (Chip-to-Chip) transfers as a (local & personal) secure money storage solution for e-coins, completely under individual owners spending control but with autonomous integrity enforcement. The e-cash system can be seen as an application of digital cash with an e-wallet, e-coins and an Internet based back office architecture, where the bank provides an e-mint service while a X.509-like Certification Authority architecture provides wallet authentication. Fresh e-coins can only be created or minted and cleared by the e-mint authority. They are strongly encrypted e-tokens, which may be transferred between partners participating on a value exchange transaction and can be passed on in consecutive transactions. These ecoins are digitally stored in a user owned e-wallet, based on the so called castor chip, acting as a local storage and personal payment server. Due to its P2P transactions, e-coins flow directly from one ewallet to another e-wallet. The transfer protocol is a type of an optimistic fair exchange one with extreme high probability acting without any trusted third-party (TTP), so only the holders of the two e-wallets are involved. Only in rare error conditions, an e-mint-TTP needs to be off-time contacted by presenting a proof for lost e-coins recreation actions. The proposed Digital Cash can be a new electronic mobile payment technology that works just like the conventional physical cash exchange system just better prepared for the electronic commerce. It involves the exchange of digital coins (e-coins) with fixed denominations and unique serial numbers among participating users. The e-coins are stored in a hardware device called e-wallet. The functional center of this

e-wallet is the Castor unit as shown in Fig. 2. The whole ewallet can be integrated into devices such as mobile phones, vending machines, slot metering (electricity, gas, heat, and water), cash registers and legacy Auto Teller Machines (ATM). In fact each e-wallet functions such as an ATM itself. This end-point connected infrastructure based on existing networks like Internet or Mobile Communication Networks will enable everybody to use the e-coins in the daily payment. This payment can be either physical proximity or remote. A unique feature will be that the e-coins can be reused in their original form for further transactions until they have reached their expiration date or cleared by the e-mint. II. STATE OF THE ART The first notion of e-cash was conceived by David Chaum [1]. Subsequently, many different types of e-cash system had been proposed [2-32]. They came with various properties such as divisibility, online or offline, anonymity, tracing with or without trustee using different cryptographic techniques (i.e. blind signature, group signature, zero-knowledge protocol etc). A list of schemes that were actually implemented is given in table 1. All the projects listed in table 1 were not successful to cover the practical demands as a replacement for physical cash. In [33], the reasons on why they failed are discussed. The major challenging reasons rest on the fact that the proposed e-cash systems do not behave like existing physical cash, in that they cannot be transferred among the users directly in an offline mode. The reason for lacking of this basic property is due to the fact that digital information can be easily copied. Thus, to allow an e-coin to be transferred from one to another user requires not only using cryptographic techniques against copy protection, but also physical hardening techniques to make ewallets temper-protected. In [5] Chaum showed that the size of the e-coins will increase with every cash transfer, storing the hop-chain into the e-coin. This is considered as an unacceptable effect in that technology. The comprehensive reference list shows major publications dealing with such difficulties. Many other non-technical reasons like political and bank concerns have led to the limited expansion of all the proposals so far introduced and prototyped. We are only concerned with the technical issues. e-Money Scheme Invented by Introduced Killed by / Remarks e-Cash (DigiCash) Dr. David Chaum 1994 tricky, no cash, closedloop CyberCoin (CyberCash)

Carnegie Mellon Uni 1994 tricky, no cash, closedloop Brands Cash Dr. Stefan A. Brands 1993 never activated Universal Electronic Cash (UEC) T. Okamoto& K. Ohta 1991 too fungible, limited Anonymity Conditional Access for Europe (CAF) ESPRIT Project 7023 1992 limited Transferability Mondex Jones u. Higgins (NatWest UK) 1990 money Generator on Chip OPERA (Open Payments Europ. Research Ass.) CAF 1995 limited Anonymity MILLION (CAF with PDAs) ESPRIT Project 20772 1995 no e-Money relation SOS cards (implementation of CAFE on smart cards) ESPRIT III Project 9259 1994 no e-Money relation

EMS (Electronic Monetary System) Sholom S. Rosen (Citibank) 1991 not disclosed completely Table 1 Classification of the implemented and published ecash systems III. SYSTEM CONCEPT The particular advantage of the proposed system is that it is a non-account-related anonymous payment system. There is no registration for the user; participation is possible by just getting a certified trustable electronic wallet to start with. The e-coins are offline transferable in an open-loop chain. The usage is simple; it works like usual cash with the ability to fly over the IT highways. It has the attractive cash re-spend feature ('Multi Hop Capability' or transferability). Nearly any modern device can be enabled utilizing virtually any communication platform (network) allowing borderless and long distance cash transfers. The system offers a suitable secure money storage solution for e-coins, completely under individual owners control. The whole system principle is depicted in Fig. 1. The e-cash system can be seen as an application of digital cash with an ewallet (a), e-coins and an Internet based back office architecture, where the bank provides an e-mint service (b) while the CA (Certification Authority) provides the e-wallet authentication (a). Fresh e-coins can only be created or minted and cleared by the e-mint authority. They are strongly encrypted e-tokens, which may be transferred off-line between partners (c) participating on a value exchange transaction and can be passed on in consecutive transactions.
E-Wallet Manufacturer
CA Certification Authority E-Wallet

E-Mint
E-Wallet

E-Coins

(a). E-Wallets Production (b). Minting Bank: Bank issues e-coins and sells them against cash
E-Wallet E-Wallet E-Wallet
E-Wallet

E-Coins E-Coins
E-Wallet E-Wallet E-Wallet

(c). Off-line Cash circulation:

E-Wallet E-Wallet

Raw System wallets

P2P Transactions

Fig. 1 Basic e-cash system operation-graph These e-coins are digitally stored in a user owned and operated e-wallet, based on a novel device the so called CAsk for Storage and Transport Of access Restricted value data (Castor) Chip as a core part of the e-wallet, acting as local cash storage. Fig 2 illustrates the basic concept of a Castor unit within the e-wallet.

Due to its P2P transactions, e-coins flow directly from one ewallet to another e-wallet. No online trusted third-party (TTP) or intermediary clears are required. Only the holders of the two e-wallets are involved. Possible Business case: The minting bank cashes a huge amount of money which is virtually kept in circulation between users. The bank can make use of this money as the reclaim rate is usually very low. The gain of the users is a simple e-cash exchange through the modern networks. Many new applications in e-commerce would be realizable. Another business case for the mobile operator is a new traffic for digital payment service. That is users would link their ewallets to the mobile device, which means additional pay load on the mobile network.
E-Wallet unit includes Castor Chip with Communication and user Interface Infrastructure
E-Wallet Castor Unit

User Bluetooth Interface GSM UMTS IP User Open 802.xx Network

Fig. 2 Castor chip concept in an e-wallet IV. UNCLONABLE E-WALLET The key functionality of the system is based on the hard wired e-wallet which should act as an unclonable certified entity in the system. Once a wallet is activated and certified it is deemed through hardware one-way-functions to generate once and forever its own secret identity through a hardware random generator. The generated identity is only provable but it is unknown similar to the physical unclonable functions PUF concept [34]. It proposed identity differs from the PUF in that it is error-free and self-generated and is principally clonable however an electronic evolution process is incorporated to the root identity during the lifetime of the device. This gives that identity a growing strength with the progress of time depending on its interaction history similar to identifying a living person depending on the persons interaction profile with the environment. The profile starts by the birth certificate and is updated after each interaction as it happens in real life. A precise technology is under development. Fig. 3 shows a conceptual block diagram of that identity technology. In reference to Fig.3 the identity setup proceeds roughly as follows: 1. A random process (as a binary symmetric source BSS) generates at the birth (or personalization) time a random unknown binary string. The result is called a mutated secret device identity MSDI. This unknown permanent secret string of at least say 128 bits would serve as a DNA like provable identity root. The identity could also be combined with a real PUF identity. 2. A trusted authority TA certifies the identity by inserting unreadable secret device identity SDI. 3. Joining the authority certificate SDI with the device own secret MSDI results with a mutual authentication

procedure which is not easy to abuse even if the trusted authority is willing to cheat. A possible simple joint authenticated common key KCt at some time can be generated with the help of the TA as the original certifier for all devices. The principle of a possible simplified mutual authentication scenario is shown in Fig. 3 using two time stamps t1 and t2 on both sides and exchanging fresh challenges in connection with the practically unclonable identities MSDI1 and MSDI2. The transactions history can contribute to the identity using the evolution register ER. ER includes important information about the transactions history profile of the device as a living entity. The trusted authority should not be capable to break the system as the common KCts should be only possible to generate exclusively within the certified hardware environment. Having reached this security quality, a secured exclusive link tunnel can be established between any two members of the certified e-wallet group.
SDI2 F-1 Kct SDI1 SDI1 F-1 Kct SDI2
SN1

CH2, Ei2 HH
Rt t2 H

H t1 CH1 CH1, Ei1

User 1 User 2
BSS

SN2
MSDI2

TA
SMK H

[ C-SDI1 | t2 | Ei ] t2 .. Rt
C-SDI1

MSDI2 SDI1 ER2 Ei BSS MSDI1 ER1 MSDI1 Ei SN1 C-SDI1 SDI2

PUF PUF

Fig. 3 Basic possible secret key identification concept The general exchange mode of e-coins is then accomplished as indicated in the Fig 1. The first initial load of e-coins is a transfer between the wallet and the bank as the e-mint in Fig.1 (b). The peer to peer exchange is then accomplished as in Fig. 1 (c). Moving any coins from one wallet to the other should be accomplished using a trustable soft and hardware environment called as e-castor. It is a secured hard and software environment deployed to control the traffic of coins between the two parties according to a simplified transaction interface to allow the user to set up and execute a cash exchange to fulfill a transaction and assure that the moved coin from one to the other e-castor is really removed from the spending castor to the receiving castor without a possibility of multi-spending. A hardwired secured algorithm tied to the unique e-wallet and its secured mutually authenticated virtual private link should allow such off-line exchange operation. Fig. 4 shows the initial hardware components of the e-wallet incorporating the e-castor. We call the secured electronic transfer teleportation which

should be equivalent to the physical transport of coins a teleportation or Singleton within the research group. The singleton operation has a wide spectrum of applications in modern communication systems. Once a secured e-transport is achieved, a variety of very interesting applications in licensing and usage of electronic services can be assured.
DMA Ctrl Unit Scheduling Unit Context Switching Unit Inter Process Communication Unit
Task TaTbClBe 1 TCB N-1 Semaphore Table SCB 0 SCB 1 SCB N-1

Crypto Primitive Coprocessor Elements 0..N-1

Crunch Unit

Wake-up Unit CLK & PWR MGMT CLK & PLL Unit 3,3V I/O Source
IPL Trustled Unit

WDOG Unit 4 x Timers 64-Bit

Soft core CPU-3 64bit RISC/DSP architecture Soft core CPU-1 64bit RISC/DSP architecture Soft core CPU-2 64bit RISC/DSP architecture Soft core CPU-4 64bit RISC/DSP architecture

SRAM MRAM

RESET Ctrl DEBUG JTAG Nested INT Castor ID Generator Ethernet 10/100/1G PUF* Unit 2 x SDIO Bus Master GPIO [31:00] 2 x USB 2.0 OTG

free free
TCB 0

Singleton Unit

ECC-512, AES256, HMAC, True RNG,

1,2V Core Source

SHA-512, DH,

Fig. 4 Proposed e-wallet hardware architecture Incorporating the hard-wired cloning-resistant identity with the living and evolving identity together with the necessary management protocols would exhibit a self healing and securely-stable system behavior. The stability in this context is that if a part of the system is compromised, then the whole system is not compromised and would be able to exclude the abusing entities through security procedures tightly linked to the modes of service and operation. We expect to achieve a more stable, controllable and cloning resistant cash circulation compared to the physical cash. We know that the physical cash system is still operational even if it is successfully

attacked by cloning bills and coins; however the system stays operational with a loss which does not destroy the whole monetary system. The electronic cash proposed can be more efficiently controlled and purified faster and more rigid after cloning attacks as no practical cryptographic system is theoretically perfect, however electronic means in a fast network are more efficient in tracking and purifying inconsistency than doing that in the physical cash environment. V. SUMMARY AND CONCLUSION An electronic cash system with off-line capability is presented. The system should exhibit nearly the same physical cash properties regarding anonymity and multi-spending (respending) without the need for a bank account. The system needs still a trusted authority which should act as catalyses to enhance the trust and possible abuse traceability. The system is expected to be self stabilizing and self healing in the sense that if a part of the system is abused, then the system would stay stable and have a limited loss without being completely compromised. Further future research is concentrating on minimizing the trusted authority and still keep the same security level and operational stability. REFERENCES [1] D. Chaum, "Blind signature systems", In Advances in Cryptology-CRYPTO'83, pages 153. Plenum, 1983 [2] D. Chaum, A. Fiat and M. Naor, "Untraceable Electronic Cash," In Advances in Cryptology-CRYPTO'88, pp. 319327, 1988 [3] T. Okamoto and K. Ohta, "Universal electronic cash," In Advances in Cryptology-CRYPTO'91, LNCS 576, pp. 324-337, 1991 [4] David Chaum, Torben P. Pedersen, "Wallet Databases with Observers," In Advances in CryptologyCRYPTO'92, pp. 89-105 [5] David Chaum, Torben P. Pedersen, "Transferred Cash Grows in Size," In Advances in CryptologyEUROCRYPT'92, pp.390-407 [6] M. Frankel and M. Yung, "Towards probably secure efficient electronic cash," Columbia Univ. Dept. of C.S. TR CUCS-018-92, 1992 [7] Rafael Hirschfeld, "Making Electronic Refunds Safer," In Advances in Cryptology-CRYPTO'92, pp. 106-112 [8] J. C. Pailles, "New protocols for electronic money," In Advances in Cryptology-AUSCRYPT'92, LNCS 718, pp. 263-274, 1992 [9] Stefan Brands, "Untraceable Off-line Cash in Wallets with Observers (Extended Abstract)," In Advances in Cryptology-CRYPTO'93, pp.302-318 [10] Ronald Cramer and Torben P. Pedersen, "Improved Privacy in Wallets with Observers (Extended Abstract)," In Advances in Cryptology-EUROCRYPT'93, pp. 329343 [11] Niels Ferguson, "Extensions of Single-term Coins," In Advances in Cryptology-CRYPTO'93, pp. 292-301 [12] Niels Ferguson, "Single Term Off-Line Coins," In Advances in Cryptology-EUROCRYPT'93, pp. 318-328

[13] M.

Franklin and M. Yung, "Secure and efficient off-line digital money," Proceedings of ICALP'93, LNCS700, pp. 265-276, 1993 [14] Jan Camenisch, Jean-Marc Piveteau, Markus Stadler, "An Efficient Electronic Payment System Protecting Privacy," Computer Security -- ESORICS 94, Lecture Notes in Computer Science v. 875, pp. 207-215, Springer Verlag, 1994. [15] Stefano D'Amiano, Giovanni Di Crescenzo, "Methodology for Digital Money based on General Cryptographic Tools," In Advances in CryptologyEUROCRYPT'94, pp. 156-170 [16] Y. Yacobi, "Efficient electronic money," Advances in Cryptology-ASIACRYPT'94, LNCS 917, pp. 153-163, 1994 [17] Stefan Brands, "Restrictive Blinding of Secret-Key Certificates," In Advances in CryptologyEUROCRYPT'95, pp. 231-247 [18] Stefan Brands, "Electronic Cash on the Internet," Proceedings of the Internet Society 1995 Symposium on Network and Distributed System Security, San Diego, California, February 16-17, 1995. [19] Markus Jakobsson, "Ripping Coins For a Fair Exchange," In Advances in Cryptology-EUROCRYPT'95, pp. 220230 [20] Tatsuaki Okamoto, "An Efficient Divisible Electronic Cash Scheme," In Advances in Cryptology-CRYPTO'95, pp. 438-451 [21] B. Schoenmakers, "An efficient electronic payment system with standing parallel attacks," Technical report, CWI, 1995, [22] E. Fujisaki and T. Okamoto, "Practical escrow cash systems," Security Protocols, LNCS 1189, pp. 33-48, 1996 [23] M. Jakobsson and M. Yung, "Revokable and versatile electronic money," 3rd ACM Conference on Computer and Communications Security, pp. 76-87, 1996 [24] Y. Tsiounis, Y. Frankel, and M. Yung, "Indirect Discourse Proofs: Achieving Fair Off-Line Electronic Cash," Asiacrypt '96, Lecture Notes in Computer Science 1163, pages 286-300, November 3-7, South Korea. [25] L. Chen and C.J. Mitchell, "An anonymous and undeniable payment scheme," Information and Communications Security LNCS 1334, pp. 478-482, 1997 [26] Ari Juels, Michael Luby and Rafail Ostrovsky, "Security of Blind Digital Signatures (Extended Abstract)," In Advances in Cryptology-CRYPTO'97, pp. 150-164 [27] Markus Jakobsson, Moti Yung, "Distributed "Magic Ink" Signatures," In Advances in CryptologyEUROCRYPT'97, pp. 450-464 [28] M. Jakobsson and M. Yung, "Applying anti-trust policies to increase trust in a versatile e-money system," Financial Cryptography, LNCS 1318, pp. 217-238, 1997 [29] H. Moribatake, M. Abe, E. Fujisaki and Y. Nakayama, "Electronic cash scheme," Proceedings of 1997 Symposium on Cryptography and Information Security,

SCI97-3C, 1997 [30] K. Q. Nguyen, Y. Mu and V. Varadharajan, "A new digital cash scheme based on blind Nyberg-Rueppel digital signature," Information Security, LNCS 1396, pp. 313-320, 1997 [31] H. Petersen and G. Poupard, "Efficient Scalable Fair Cash with Off-line Extortion Prevention," Technischer Report, ENS, April, (1997), 33 Seiten, Kurzfassung Proc.ICICS'97, Peking, LNCS 1334, Springer Verlag, S. 463 - 477. [32] C. Radu, "Analysis and design of off-line electronic payment systems", Ph.D. thesis 1997 [33] Heinz Kreft and Wael Adi, " fairCASH - A Digital Cash Candidate for the proposed GCC Gulf Dinar," Innovations in Information Technology, 2006. [34] G. Edward Suh, Srinivas Devadas Physical Unclonable Functions for Device Authentication and Secret Key Generation, DAC 2007, June 4-8, 2007, San Diego, California, USA