CS 134 Winter 2016 Anonymity Application Example: Electronic Cash (E-Cash) and Bitcoin 1 Motivation For E-Cash Conventional Cash is: • Counterfeitable • Slow • Costly • Vulnerable • Bad for Remote Transactions 2 Credit Cards, Bank Cards, Checks, and Phone/Subway cards: Easy Fraud Little Privacy 3 Off-line Electronic Cash is for 2-Party (PayeràPayee) Payment Withdrawal Payment Deposit • Low Communication Requirements 4 In Contrast, On-line Payments: “ ” OK 5 E-Cash in 1970s • Stephen Wiesner‘s (graduate student at Columbia) paper “Conjugate Coding and Quantum Money” sent in 1970 to IEEE Transactions on Information Theory • Paper immediately rejected • Published in 1983 as is in ACM SIGACT • Proposed design of unforgaeble bank notes based on quantum properties • Influenced Quantum (Cryptographic) Key Distribution (QKD) E-Cash in 1980s and 1990s • Chaum’s “Blind Signatures for Untraceable Payments” paper is the first to propose (realizable) E-Cash using blind digital signatures • Based on RSA (Rivest Shamir and Adelman) signatures 1990s 1970s 2000s • RSA breaks if one can factor large composite numbers (100s of decimal digits, 1000s of bits) • DigiCash (anonymous ecash) launched by Chaum in 1990. DigiCash declared bankruptcy in 1998. Requirements for Anonymous Payments (afterwards known as E-Cash) From Chaum’s “Blind Signatures for Untraceable Payments” paper: Unlinkability: third parties can not determine payee (amount • and time of payment) Provability: individuals can provide (unforgaeble) proof of • payment, or determine identity of payee under exceptional circumstance (e.g., by courts) Revocation: revoke stolen coins or payment media • Anonymous Payments user 1 user 2 Anonymous Payments user 1 user 2