# A Digital Cash Paradigm with Valued and No-Valued e-Coins


## Abstract


## 1. Introduction

## 2. Preliminaries

#### 2.1. Public Key Encryption

#### 2.2. Digital Signatures

#### 2.3. Simulatable Digital Signatures

#### 2.4. Blind Signatures

## 3. Message Digests for Simulatable Signatures

#### 3.1. Optimal Asymmetric Encryption Padding

- Compute $X=M\oplus \mathcal{G}\left(r\right)$,
- Compute $Y=r\oplus \mathcal{H}\left(X\right)$,
- Return $(X,Y)$.

- Compute $r=Y\oplus \mathcal{H}\left(X\right)$,
- Compute $M=X\oplus \mathcal{G}\left(r\right)$,
- Return $(M,r)$.

**Lemma 1.**

**Proof.**

#### 3.2. Plaintext Awareness

#### 3.3. Proposed Construction

- Let M be the m-bit message to be signed.
- Let l be the length of the digests signed by the signature scheme.
- Generate a random l-bit bitstring r and compute $(X,Y)={\mathrm{OAEP}}_{m,l}(M,r).$
- Compute a digital signature over Y, namely $\mathrm{Sign}\left(Y\right)$.
- Send the $\{X,Y,\mathrm{Sign}(Y)\}$ tuple to the receiver.

- Validate the $\{Y,\mathrm{Sign}(Y)\}$ digest-signature tuple under the signer’s public key.
- Compute $(M,r)={\mathrm{OAEP}}_{m,l}^{-1}(X,Y)$ so as to get message M.

## 4. Novel Digital Cash Paradigm Description

#### 4.1. Overview

- Vendor. A vendor sells digital products online and participates in the issuance of valued e-coins after being paid for them.
- Customers. They manage an e-wallet containing valued e-coins. These e-coins are acquired in advance and stored until spent during a purchase procedure. Customers can generate no-valued e-coins on their own.

#### 4.2. e-Coin Composition

- ${v}_{S}$/${Q}_{S}$ is a private/public key-pair of a public key cryptosystem allowing digital signature computation. Hence, data signed with ${v}_{S}$ can be validated under ${Q}_{S}$. ${Q}_{S}$ has been ${\mathrm{OAEP}}_{\mathrm{PA}}$-encoded (with plaintext-awareness) into $({X}_{S},{Y}_{S})={\mathrm{OAEP}}_{\mathrm{PA}}({Q}_{S},{r}_{S})$ for some random ${r}_{S}$.
- ${v}_{R}$/${Q}_{R}$ is a private/public key-pair of a public key cryptosystem allowing data encryption. Hence, data encrypted under ${Q}_{R}$ can only be decrypted by providing ${v}_{R}$. ${Q}_{R}$ has been OAEP-encoded into $({X}_{R},{Y}_{R})=\mathrm{OAEP}({Q}_{R},{r}_{R})$ for some random ${r}_{R}$.
- Let $Y={Y}_{S}\oplus {Y}_{R}$. Then, $\{Y,{\mathrm{Sign}}_{P{K}_{V}}\left(Y\right)\}$ is a digest-signature tuple which can be validated under $P{K}_{V}$.

#### 4.3. Valued e-Coin Generation

- The customer pays the vendor the price of an e-coin.
- The customer generates a random private key ${v}_{S}$ and the corresponding public one ${Q}_{S}$. The customer also generates a random ${r}_{S}$ and computes $({X}_{S},{Y}_{S})={\mathrm{OAEP}}_{\mathrm{PA}}({Q}_{S},{r}_{S})$.
- The customer generates a random private key ${v}_{R}$ and the corresponding public one ${Q}_{R}$, and computes $({X}_{R},{Y}_{R})=\mathrm{OAEP}({Q}_{R},{r}_{R})$ for some random ${r}_{R}$ chosen by the customer.
- The customer computes $Y={Y}_{S}\oplus {Y}_{R}$.
- The customer requests the vendor to compute a blind signature on Y. Let ${\mathrm{Sign}}_{P{K}_{V}}\left(Y\right)$ be the resulting signature. Hence, $\{Y,{\mathrm{Sign}}_{P{K}_{V}}\left(Y\right)\}$ is a digest-signature tuple.

#### 4.4. No-Valued e-Coin Generation

- The customer generates a simulated message-signature tuple under the vendor’s public key. Let $\{Y,{\mathrm{Sign}}_{P{K}_{V}}\left(Y\right)\}$ be the simulated tuple.
- The customer generates a random private key ${v}_{S}$ and the corresponding public one ${Q}_{S}$. The customer also generates a random ${r}_{S}$ and computes $({X}_{S},{Y}_{S})={\mathrm{OAEP}}_{\mathrm{PA}}({Q}_{S},{r}_{S})$.
- The customer calculates ${Y}_{R}=Y\oplus {Y}_{S}$, generates a random ${X}_{R}$, and computes $({Q}_{R},{r}_{R})={\mathrm{OAEP}}^{-1}({X}_{R},{Y}_{R})$. If ${Q}_{R}$ is not a valid public key, this step is run again taking a different ${X}_{R}$.

#### 4.5. Spending an e-Coin

- The customer sends $\{({X}_{S},{Y}_{S}),({X}_{R},{Y}_{R}),{\mathrm{Sign}}_{P{K}_{V}}\left(Y\right)\}$ to the vendor together with a digital signature ${\mathrm{Sign}}_{{Q}_{S}}\left(\mathcal{H}(\mathit{CurrentTime}\,\|\,{Y}_{S}\,\|\,{Y}_{R})\right)$ computed with private key ${v}_{S}$ ($\mathcal{H}$ is a hash function).
- The vendor runs $({Q}_{S},{r}_{S})={{\mathrm{OAEP}}_{\mathrm{PA}}}^{-1}({X}_{S},{Y}_{S})$. If the plaintext-awareness check passes, the vendor verifies the digital signature received at the previous step under ${Q}_{S}$. In case of failure, the e-coin is rejected.
- The vendor computes $Y={Y}_{S}\oplus {Y}_{R}$ and checks that $\{Y,{\mathrm{Sign}}_{P{K}_{V}}\left(Y\right)\}$ is a valid digest-signature tuple under the vendor’s public key $P{K}_{V}$.
- The vendor checks that no e-coin with the same ${Y}_{S}$ component has been spent before. If one has, the previously stored digital signature, which includes the time it was spent for the first time, is returned as a proof of double spending and the transaction is rejected. Otherwise, all the data received at step 1 is stored by the vendor.
- The vendor computes $({Q}_{R},{r}_{R})={\mathrm{OAEP}}^{-1}({X}_{R},{Y}_{R})$.
- The vendor encrypts the product P under public key ${Q}_{R}$ (creating a digital envelope if P is large) and sends the resulting ciphertext to the customer.
- If the spent e-coin was valued, the customer decrypts the received ciphertext using private key ${v}_{R}$, getting P as a result. Otherwise, this step is skipped and the customer does not get any product.
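The following added example (not code from the paper) traces the OAEP encoding of Section 3.1 through the coin generation of Sections 4.3 and 4.4 and the vendor's signature check in Section 4.5, showing that a no-valued coin built from the vendor's public key alone passes the same check as a valued one. Assumptions: a constructed, insecure toy RSA modulus made of two Mersenne primes, SHAKE-256 standing in for $\mathcal{G}$ and $\mathcal{H}$, plain OAEP for both halves (the plaintext-awareness check and the transaction signature under ${Q}_{S}$ are left out), the blind-signature exchange collapsed into a direct signature, and `looks_valid` as a hypothetical stand-in for real public-key validation.

```python
import hashlib
import secrets

# Constructed toy vendor RSA key (Mersenne-prime factors, NOT secure); N is just below 2**216.
N, E = (2**127 - 1) * (2**89 - 1), 65537
D = pow(E, -1, (2**127 - 2) * (2**89 - 2))   # vendor's private exponent
L = 27                                       # digest length l in bytes

def mask(tag, data, n):
    # Stand-in for the mask functions G and H (assumption: SHAKE-256 with a domain tag).
    return hashlib.shake_256(tag + data).digest(n)

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def oaep(m, r):
    x = xor(m, mask(b"G", r, len(m)))        # X = M xor G(r)
    return x, xor(r, mask(b"H", x, len(r)))  # Y = r xor H(X)

def oaep_inv(x, y):
    r = xor(y, mask(b"H", x, len(y)))        # r = Y xor H(X)
    return xor(x, mask(b"G", r, len(x))), r  # M = X xor G(r)

def looks_valid(q):
    # Hypothetical stand-in for public-key validation: compressed-point prefix only.
    return q[0] in (2, 3)

def valued_coin(q_s, q_r):
    # Section 4.3, with the blind-signature exchange collapsed into one vendor signature.
    s_part, r_part = oaep(q_s, secrets.token_bytes(L)), oaep(q_r, secrets.token_bytes(L))
    y = int.from_bytes(xor(s_part[1], r_part[1]), "big")   # y < N except with prob. ~2**-89
    return s_part, r_part, pow(y, D, N)

def no_valued_coin(q_s):
    # Section 4.4: needs only the vendor's public key (N, E).
    sig = secrets.randbelow(N)
    y = pow(sig, E, N).to_bytes(L, "big")                  # simulated digest-signature tuple
    s_part = oaep(q_s, secrets.token_bytes(L))
    y_r = xor(y, s_part[1])                                # Y_R = Y xor Y_S
    while True:                                            # retry until Q_R looks like a key
        x_r = secrets.token_bytes(len(q_s))
        q_r, _ = oaep_inv(x_r, y_r)
        if looks_valid(q_r):
            return s_part, (x_r, y_r), sig

def vendor_accepts(coin):
    # Section 4.5, step 3: recompute Y = Y_S xor Y_R and verify the vendor signature.
    (_, y_s), (_, y_r), sig = coin
    return pow(sig, E, N) == int.from_bytes(xor(y_s, y_r), "big")
```

In the no-valued case the customer never learns a private key for the decoded ${Q}_{R}$, which is why the ciphertext returned in the last step of Section 4.5 cannot be opened.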

## 5. Cryptosystems Choice

#### 5.1. Cryptosystem for Vendor’s Key-Pair

- If the e-coin is valued, the customer computes Y and requires the vendor to compute a blind signature on it (Section 4.3, step 5).
- If the e-coin is no-valued, the tuple is simulated by the customer. The vendor does not take part in this process (Section 4.4, step 1).

- The computation of blind signatures.
- The generation of simulated digest-signature tuples.

#### 5.1.1. RSA Signatures

- Alice chooses a random $R\in {\mathbb{Z}}_{N}$ and computes $\overline{M}=M\cdot {R}^{e} \pmod{N}$ and sends $\overline{M}$ to Bob (operator · denotes the integer modular multiplication).
- Bob computes $\overline{S}={\overline{M}}^{d} \pmod{N}$ and sends $\overline{S}$ to Alice.
- Alice computes $S=\overline{S}\cdot {R}^{-1} \pmod{N}$ obtaining signature S on M.
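The three-step exchange above, as an added example that is not code from the paper: both sides of the RSA blind signature, with a check that the unblinded value is an ordinary signature on M and that Bob sees a different blinded message on every run. The key is a constructed, insecure toy modulus, and the function names are illustrative.

```python
import math
import secrets

# Constructed toy RSA key for Bob (Mersenne-prime factors, NOT secure).
N, E = (2**127 - 1) * (2**89 - 1), 65537
D = pow(E, -1, (2**127 - 2) * (2**89 - 2))

def blind(m):
    """Alice: pick R invertible mod N, return (M_bar, R) with M_bar = M * R^e mod N."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:   # R must have an inverse for unblinding
            return (m * pow(r, E, N)) % N, r

def sign_blinded(m_bar):
    """Bob: raw private-key operation on whatever he receives, S_bar = M_bar^d mod N."""
    return pow(m_bar, D, N)

def unblind(s_bar, r):
    """Alice: strip the blinding factor, S = S_bar * R^-1 mod N."""
    return (s_bar * pow(r, -1, N)) % N

def verify(m, s):
    """Anyone: check S^e = M mod N under Bob's public key."""
    return pow(s, E, N) == m % N

def run_protocol(m):
    """Run one exchange; return what Bob saw (M_bar) and what Alice ends up with (S)."""
    m_bar, r = blind(m)
    return m_bar, unblind(sign_blinded(m_bar), r)
```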

#### 5.1.2. Boldyreva Signatures

- Alice chooses $r\in \{0,\dots ,q-1\}$ and computes $\overline{M}=M\cdot {g}^{r}$. Then she sends $\overline{M}$ to Bob.
- Bob computes $\overline{S}={\overline{M}}^{x}$ and sends $\overline{S}$ back to Alice.
- Finally, Alice computes $S=\overline{S}\cdot {y}^{-r}$ which is a digital signature over M.

#### 5.2. Cryptosystem for e-Coin Transaction Signature

#### 5.3. Cryptosystem for Product Encryption

- If the e-coin is valued, the customer generates private key ${v}_{R}$ and then the corresponding public one ${Q}_{R}$ (Section 4.3, step 3).
- If the e-coin is no-valued, public key ${Q}_{R}$ is obtained pseudo-randomly (Section 4.4, step 3).

- It allows public key data encryption;
- It provides a relatively high probability of obtaining a valid public key by means of a pseudo-random process;
- It cannot be determined whether a given public key has been generated together with its private counterpart (Section 4.3 step 3) or through a pseudo-random process (Section 4.4, step 3).

#### 5.3.1. ECIES

#### 5.3.2. ElGamal

## 6. Security Analysis

- Valued e-coins cannot be forged by malicious customers;
- E-coins cannot be double-spent;
- Customers cannot be falsely accused of double-spending an e-coin.

**Lemma 2.**

**Proof.**

**Lemma 3.**

**Proof.**

**Lemma 4.**

**Proof.**

## 7. Experimental Results

`Java`. Cryptographic operations involving large integers use the `java.math.BigInteger` library. Hash digests have been computed using the SHA-224 [25] function. Regarding the employed cryptosystems, we have chosen the following:

- Vendor’s key-pair (Section 5.1): RSA with 2048-bit keys.
- Cryptosystem for e-coin transaction signature (Section 5.2): ECDSA [26] with 224-bit keys.
- Cryptosystem for product encryption (Section 5.3): ECIES with 224-bit keys.

## 8. Conclusions

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## References

1. Chaum, D. Blind Signatures for Untraceable Payments. In Advances in Cryptology; Chaum, D., Rivest, R.L., Sherman, A.T., Eds.; Springer: Boston, MA, USA, 1983; pp. 199–203.
2. Brands, S. Untraceable Off-line Cash in Wallet with Observers. In Advances in Cryptology—CRYPTO’93; Stinson, D.R., Ed.; Springer: Berlin/Heidelberg, Germany, 1994; pp. 302–318.
3. Eng, T.; Okamoto, T. Single-term divisible electronic coins. In Advances in Cryptology—EUROCRYPT’94; De Santis, A., Ed.; Springer: Berlin/Heidelberg, Germany, 1995; pp. 306–319.
4. Nakanishi, T.; Sugiyama, Y. Unlinkable Divisible Electronic Cash. In Information Security; Goos, G., Hartmanis, J., van Leeuwen, J., Pieprzyk, J., Seberry, J., Okamoto, E., Eds.; Springer: Berlin/Heidelberg, Germany, 2000; pp. 121–134.
5. Canard, S.; Gouget, A. Divisible E-Cash Systems Can Be Truly Anonymous. In Advances in Cryptology—EUROCRYPT 2007; Naor, M., Ed.; Springer: Berlin/Heidelberg, Germany, 2007; pp. 482–497.
6. Au, M.H.; Susilo, W.; Mu, Y. Practical Anonymous Divisible E-Cash from Bounded Accumulators. In Financial Cryptography and Data Security; Tsudik, G., Ed.; Springer: Berlin/Heidelberg, Germany, 2008; pp. 287–301.
7. Liu, J. Efficient Arbitrarily Divisible E-Cash Applicable to Secure Massive Transactions. IEEE Access **2019**, 7, 59299–59310.
8. Bourse, F.; Pointcheval, D.; Sanders, O. Divisible E-Cash from Constrained Pseudo-Random Functions. In Advances in Cryptology—ASIACRYPT 2019; Galbraith, S.D., Moriai, S., Eds.; Springer International Publishing: Cham, Switzerland, 2019; pp. 679–708.
9. Rivest, R.L.; Shamir, A. PayWord and MicroMint: Two simple micropayment schemes. In International Workshop on Security Protocols; Springer: Berlin/Heidelberg, Germany, 1996; pp. 69–87.
10. Oros, H.; Popescu, C. A Secure and Efficient Off-Line Electronic Payment System for Wireless Networks. Int. J. Comput. Commun. Control. **2010**, V, 551–557.
11. Sai Anand, R.; Madhavan, C. An Online, Transferable E-Cash Payment System. In Progress in Cryptology—INDOCRYPT 2000; Roy, B., Okamoto, E., Eds.; Springer: Berlin/Heidelberg, Germany, 2000; pp. 93–103.
12. Bauer, B.; Fuchsbauer, G.; Qian, C. Transferable E-Cash: A Cleaner Model and the First Practical Instantiation. In Public-Key Cryptography—PKC 2021; Garay, J.A., Ed.; Springer International Publishing: Cham, Switzerland, 2021; pp. 559–590.
13. Nakamoto, S. Bitcoin: A Peer-to-Peer Electronic Cash System. 2009, pp. 1–9. Available online: https://bitcoin.org/bitcoin.pdf (accessed on 22 September 2021).
14. Wood, G. Ethereum: A secure decentralised generalised transaction ledger. Ethereum Proj. Yellow Pap. **2021**, 151, 1–32.
15. Park, K.W.; Baek, S.H. OPERA: A Complete Offline and Anonymous Digital Cash Transaction System with a One-Time Readable Memory. IEICE Trans. Inf. Syst. **2017**, 100, 2348–2356.
16. European Central Bank. Report on Digital Euro; Tech. Report; Frankfurt am Main, Germany, 2020; Available online: https://www.ecb.europa.eu/pub/pdf/other/Report_on_a_digital_euro~4d7268b458.en.pdf (accessed on 22 September 2021).
17. Borges, R.; Sebé, F. An efficient privacy-preserving pay-by-phone system for regulated parking areas. Int. J. Inf. Secur. **2021**, 20, 715–727.
18. Bellare, M.; Rogaway, P. Optimal Asymmetric Encryption—How to Encrypt with RSA; Springer: Berlin/Heidelberg, Germany, 1995; pp. 92–111.
19. Schneier, B. Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd ed.; John Wiley & Sons, Inc.: Hoboken, NJ, USA, 1995.
20. Goldwasser, S.; Micali, S.; Rackoff, C. The knowledge complexity of interactive proof systems. SIAM J. Comput. **1989**, 18, 186–208.
21. Rivest, R.L.; Shamir, A.; Adleman, L. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Commun. ACM **1978**, 21, 120–126.
22. Boldyreva, A. Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme. In Public Key Cryptography—PKC 2003; Desmedt, Y.G., Ed.; Springer: Berlin/Heidelberg, Germany, 2002; pp. 31–46.
23. Gayoso, V.; Hernandez, L.; Sánchez, C. A Survey of the Elliptic Curve Integrated Encryption Scheme. J. Comput. Sci. Eng. **2010**, 2, 7–13.
24. ElGamal, T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory **1985**, 31, 469–472.
25. Handschuh, H. SHA Family (Secure Hash Algorithm). In Encyclopedia of Cryptography and Security; van Tilborg, H.C.A., Ed.; Springer: Boston, MA, USA, 2005; pp. 565–567.
26. Johnson, D.; Menezes, A.; Vanstone, S.A. The Elliptic Curve Digital Signature Algorithm (ECDSA). Int. J. Inf. Secur. **2001**, 1, 36–63.

**System Server & Client**

| Processor | Cores | Threads | GHz | Valued e-Coin (Serial) | Valued e-Coin (Parallel) | No-Valued e-Coin (Serial) | No-Valued e-Coin (Parallel) |
|---|---|---|---|---|---|---|---|
| AMD Athlon | 4 | 4 | 2.80 | 49.28 | 13.62 | 68.25 | 20.39 |
| Intel i5-8350U | 4 | 8 | 1.70–3.60 | 21.40 | 5.23 | 32.69 | 7.69 |
| Intel i7-6700 | 4 | 8 | 3.40–4.00 | 20.50 | 4.71 | 28.95 | 7.27 |
| Intel i7-8700 | 6 | 12 | 3.20–4.60 | 18.75 | 4.66 | 28.41 | 6.31 |
| AMD Ryzen 7 | 8 | 16 | 3.70–4.30 | 23.18 | 3.05 | 32.86 | 3.97 |

**System Server**

| Processor | Cores | Threads | GHz | Serial | Parallel |
|---|---|---|---|---|---|
| AMD Athlon | 4 | 4 | 2.80 | 51.24 | 13.99 |
| Intel i5-8350U | 4 | 8 | 1.70–3.60 | 26.67 | 7.37 |
| Intel i7-6700 | 4 | 8 | 3.40–4.00 | 22.68 | 5.12 |
| Intel i7-8700 | 6 | 12 | 3.20–4.60 | 20.69 | 3.59 |
| AMD Ryzen 7 | 8 | 16 | 3.70–4.30 | 25.41 | 2.69 |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Borges, R.; Sebé, F.
A Digital Cash Paradigm with Valued and No-Valued e-Coins. *Appl. Sci.* **2021**, *11*, 9892.
https://doi.org/10.3390/app11219892
