TAMU
Real Time Distributed Systems Lab


E-cash system architecture

The origin of the e-cash paradigm can be traced back to the notion of an electronic equivalent of currency proposed by David Chaum and other pioneers. E-cash has been an important research topic for the crypto community, but has received little attention from the systems and networking communities. The elegant mathematical constructs interlock three properties controlled by the bank, the payer, and the payee, as illustrated by the following diagram. The payer wants to stay anonymous, the payee wants assurance that the transaction made by the payer is authentic, and the bank wants to hold double-spending payers accountable. As with real-world cash transactions, the bank only knows that a payer withdraws some E-cash (tokens); the payer can then interact with payees directly. Unlike most electronic payment systems in use today, E-cash does not require online interaction with any central authority, such as the credit card company, during the payment phase.


In the context of E-cash, the zero knowledge proof (ZKP) protocol is essentially a challenge-and-response authentication protocol. A payer (the ZKP prover) can prove to a payee (the ZKP verifier) possession of a valid token issued by the bank, which is a well-known central authority (CA). In the three-move handshake, the prover first derives a warrant from the token and presents it to the verifier, who then sends a randomly chosen challenge to the prover. The prover uses its token together with the challenge to produce a response and sends it back to the verifier. The triple (warrant, challenge, response) is collectively called the spent token, or the credential. The transaction is considered valid if the verifier can use the credential and other publicly known parameters to obtain a "YES" answer from a well-known verification function.
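The following is an added illustration, not code from the lab or from any of the cited schemes, of the three-move (warrant, challenge, response) handshake described above, using a Schnorr-style proof of knowledge of the discrete logarithm behind a token. It also shows the bank-side property from the opening paragraph: when the same warrant is answered under two different challenges, the two credentials together reveal the payer's secret, which is why reuse of a token is detectable and attributable. The group parameters, function names and the `Bank` registry are constructed assumptions for the example; the group is deliberately tiny and not suitable for real use.

```python
import secrets

# Constructed toy group: p = 2q + 1 with q prime, and G = 2^2 mod p is a
# quadratic residue, so it generates the subgroup of prime order q.
P = 1019
Q = 509
G = 4


def issue_token(secret=None):
    """Bank side (assumed): a token is the pair (x, y = g^x). The payer keeps x;
    y is the public value the payee verifies against."""
    x = secret if secret is not None else secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_warrant(nonce=None):
    """Move 1: the prover commits to a fresh nonce r and sends the warrant g^r."""
    r = nonce if nonce is not None else secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def verifier_challenge():
    """Move 2: the verifier picks a random challenge in Z_q."""
    return secrets.randbelow(Q)


def prover_response(x, r, c):
    """Move 3: the response s = r + c*x (mod q) binds the nonce to the secret."""
    return (r + c * x) % Q


def verify(y, credential):
    """Verification function: accept iff g^s == warrant * y^c (mod p)."""
    w, c, s = credential
    return pow(G, s, P) == (w * pow(y, c, P)) % P


def extract_secret(cred1, cred2):
    """Two credentials with the same warrant but different challenges leak x:
    s1 - s2 = (c1 - c2) * x (mod q). Returns None if the pair is not linkable
    this way."""
    w1, c1, s1 = cred1
    w2, c2, s2 = cred2
    if w1 != w2 or c1 == c2:
        return None
    return ((s1 - s2) * pow(c1 - c2, -1, Q)) % Q


class Bank:
    """Assumed deposit registry: credentials are keyed by warrant so that a
    second deposit of the same warrant is flagged as double spending and the
    offending secret is recovered for accountability."""

    def __init__(self):
        self.spent = {}

    def deposit(self, y, credential):
        if not verify(y, credential):
            return "invalid"
        w = credential[0]
        if w in self.spent:
            x = extract_secret(self.spent[w], credential)
            return ("double-spend", x)
        self.spent[w] = credential
        return "accepted"


def run_payment(x, y, nonce=None, challenge=None):
    """One complete payer/payee exchange; returns the resulting credential."""
    r, w = prover_warrant(nonce)
    c = verifier_challenge() if challenge is None else challenge
    s = prover_response(x, r, c)
    return (w, c, s)


if __name__ == "__main__":
    x, y = issue_token()
    cred = run_payment(x, y)
    print("valid credential:", verify(y, cred))
    bank = Bank()
    print(bank.deposit(y, cred))
```

The verifier never learns `x`, so a single honest payment is anonymous with respect to the secret; the cost of reusing a warrant is that the bank's second `deposit` call returns the recovered secret.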

The baseline E-cash architecture described above can be expanded to support transferability and divisibility using the generalized techniques proposed by Chaum-Pedersen and Eng-Okamoto, respectively. A transferable E-cash scheme allows a payee to spend a received credential without first depositing it at the bank. A divisible E-cash scheme allows a payer to spend a token multiple times, up to a quota limit. With transferability and divisibility, the baseline E-cash architecture is expanded from a 3-party system to an n-party system, and the distribution and storage of tokens and credentials become the major bottleneck in scaling the system up to a large decentralized community.

We proposed the timed ZKP (TZKP), which adds timestamps to transactions so that both the values of tokens and the spending records are timed. This drastically reduces the overhead of tracking credentials and of token withdrawal. We also proposed the notion of a multi-source reusable token, so that a token can be reused for multiple (legal) transfer operations. When traditional transferable tokens are used, the number of withdrawals grows proportionally with the number of transfers, because any reuse of a token may leak the identity of the payer. Our multi-source reusable token resists credential forgery and guarantees anonymity for legitimate payers. We also studied the linkability tradeoff in reusing a token: two credentials are linkable if we can tell whether or not they were produced by the same payer, even though we may not be able to learn the identity of that payer.