ECash is a computer generated Internet based system which allows funds to be transferred and items to be purchased by credit card,

check or by money order, providing secure on-line transaction processing. Using cryptography, ecash was introduced by David Chaum as an anonymous electronic cash system. He used blind signatures to achieve unlinkability between withdrawal and spend transactions. [1] Depending on the properties of the payment transactions, one distinguishes between on-line and off-line electronic cash. The first off-line e-cash system was proposed by Chaum and Naor. [2] Like the first on-line method, it is based on RSA blind signatures. In the United States, only one bank implemented ecash, the Mark Twain bank,[3] and the system was dissolved in 1997 after the bank was purchased by Mercantile Bank, a large issuer of credit cards.[4] Similar to credit cards, the system was free to purchasers, while merchants paid a transaction fee. In Australia ecash was implemented by St.George Bank, but the transactions were not free to purchasers. In June 1998, ecash became available through Credit Suisse in Switzerland. It was also available from Deutsche Bank in Germany, Bank Austria, Finland's Merita Bank/Eunet, Sweden's Posten, and Den norske Bank of Norway. "ecash" was a trademark of DigiCash, which went bankrupt in 1998, and was sold to eCash Technologies, which was acquired by InfoSpace in 2002 How ecash Works Inside Overview Like banknotes, ecash can be withdrawn from and deposited to transaction demand deposit accounts. And like banknotes, one person can transfer possession of a given amount of ecash to another person. But unlike cash, when a customer pays another customer an electronic bank will play an unobtrusive but essential role. To show how it all works we'll explain how a withdrawal works, then follow the ecash in a payment to a merchant. Combining these two transactions, we can then understand why the customer perceives that ecash is paid from person to person without involving any bank. Finally the withdrawal is explained in greater detail to illustrate the 'blind signature' concept, which is the foundation of the privacy feature, and explain why the bank cannot trace it's own money! Simple Withdrawal of ecash Figure 10 shows the two participants in the withdrawal transaction: the bank and customer, Alice. The digital coins that have been withdrawn from Alice's account at the bank are on their way to her PC. When they arrive, they will be stored along with some coins she already has on her hard disk.

Figure 10 - Alice withdraws ecash from her bank account No physical coins are involved in the actual system of course, but the messages include strings of digits, and each string corresponds to a different digital coin. Each coin has a denomination, or value, so that a purse of digital coins is managed automatically by Alice's ecash software. It decides which denominations to withdraw and which to spend in particular payments. (The ecash software keeps plenty of 'small change', but will prompt the user to contact the bank in the rare event that more change is needed before the next payment, to restructure its purse of coin denominations.) An ecash Purchase Now that Alice has some ecash on her hard drive, she can buy things from Bob's shop (as shown below). Having received a payment request from Bob, she agrees by ticking the 'Yes' box. Her ecash software chooses coins with the desired total value from the purse on her hard disk. Then it removes these coins and sends them over the network to Bob's shop. When it receives the coins, Bob's software automatically sends them on to the bank and waits for acceptance before sending the goods to Alice along with a receipt.

Figure 11 - Alice buys something from Bob To ensure that each coin is used only once, the bank records the serial number of each coin in its spent coin database. If the coin serial number is already recorded, the bank has detected someone trying to spend the coin more than once and informs Bob that it is a worthless copy. If, as will be the usual case, no such serial number has been recorded, the bank stores it at that position and informs Bob that the coin is valid and the deposit is accepted. Person-to-Person Cash When a consumer receives a payment, the process could be the same. But some people may prefer that when they receive money, it be made available on their hard disk immediately, ready for spending; just like when someone hands them a five dollar bill. This user preference can be realized as depicted in Figure 12. The only difference between this payment from Alice to another consumer, Cindy, and the one Alice paid to Bob's shop in Figure 11, is what happens after the bank accepts the cash. In Figure 12, Cindy has configured her software to request the bank to withdraw the ecash she has just deposited and send it back to her PC as soon as the coins are accepted. (Actually Cindy's bank will check with Alice's bank to make sure that the coins deposited are good.) Now when Alice sends Cindy five dollars, new coins are immediately available to spend from Cindy's PC.

Figure 12 - person-to-person payment How Privacy Is Protected In the simple withdrawal of Figure 10, the bank created unique blank digital coins, validated them with its special digital stamp, and supplied them to Alice. This would normally allow the bank (at least in principle) to recognize the particular coins when they are later accepted in a payment. And this would tell the bank exactly which payments were made by Alice. By using 'blind signatures, a feature unique to ecash, the bank can be prevented from recognizing the coins as having come from a particular account. The idea is shown in Figure 13. Instead of the bank creating a blank coin, Alice's computer creates the coin itself at random. Then it hides the coin in a special digital envelope and sends it off to the bank. The bank withdraws one dollar from Alice's account and makes its special 'worth-one-dollar' digital validation like an embossed stamp on the envelope before returning it to Alice's computer.

Figure 13 - Alice sends her coin for signature by the bank Like an emboss, the blind signature mechanism lets the validating signature be applied through the envelope. When Alice's computer removes the envelope, it has obtained a coin of its own choice, validated by the bank's stamp. When she spends the coin, the bank must honor it and accept it as a valid payment because of the stamp. But because the bank is unable to recognize the coin, since it was hidden in the envelope when it was stamped, the bank cannot tell who made the payment. The bank which signed can verify that it made the signature, but it cannot link it back to a particular object or owner. How It All Works with Numbers When Alice's computer creates a blank coin it chooses a random number. The bank's validating stamp on the coin is a public key digital signature encoded by the bank with the random coin number serving as the message to be coded. Checking the validity of a coin involves the verification of the digital signature using the bank's corresponding public key. The blinding operation is a special kind of encryption designed so that it can only be removed by the party who placed it there. It can be reversed using the public key digital signature process, and can thus be removed without disturbing the signature. How Funds Flow Although ecash works just like cash in the hands of a consumer, for a bank its properties are somewhat different.

As can be seen in the top of Figure 14, the first step in each case occurs when value comes out of a customer's account. In an ATM transaction, the cash given to the consumer constitutes a reduction in vault cash. In an ecash withdrawal, however, the value is moved within the bank and becomes an ecash liability that will be reversed when the ecash is presented for deposit. The second step is the spending of the value, where cash and ecash are very similar. In each case the merchant (or other party receiving it) can choose to be issued with new cash coins or can make a deposit to an ecash account.

Figure 14 - ecash flow When the merchant takes the final step and deposits the traditional cash, it constitutes an increase in vault cash, whereas deposit of ecash reduces the ecash liability and increases deposit liability. The chart below shows in more detail the difference in the actual transaction path for a 'hard cash' payment (on the left) and a digital cash payment, on the right While the main difference is invisible to the consumer, it is vitally necessary to protect the integrity of ecash. When a digital coin is received as payment it must be surrendered to the bank who will exchange it for an account credit or for freshly minted ecash. The left side of the chart shows a cash payment from Customer X, who has withdrawn cash from the bank to pay Customer Y. The payment goes directly from X to Y's wallet, and at some later time Y has the option of either depositing the cash in the bank or using the same coins to pay Customer Z. This process can continue indefinitely with the cash retaining its value as it passes from hand to hand. There is no essential need to deposit it at the bank. The right side of the chart shows an ecash payment from X to Y. Before the payment is accepted, Y verifies the validity of the ecash by sending it (online) to the issuing bank (the main step which is not necessary with traditional cash). Once the coins are checked by the Mint, Customer Y chooses whether to request new ecash coins of equivalent value(which can be stored on the hard disk and sent to a third party as payment) or to have the ecash deposited as a credit to their ecash account.

Figure 15 - cash flow / ecash flow

Ecash from DigiCash

Ecash[9,10] is a fully anonymous electronic cash system, from a company called Digicash, whose managing director is David Chaum, the inventor of blind signatures and many electronic cash protocols[1,3,4,5,6]. It is an on-line software solution which implements fully anonymous electronic cash using blind signature techniques. The Ecash system consists of three main entities:

Banks who mint coins, validate existing coins and exchange real money for Ecash. Buyers who have accounts with a bank, from which they can withdraw and deposit Ecash coins. Merchants who can accept Ecash coins in payment for information, or hard goods. It is also possible for merchants to run a pay-out service where they can pay a client Ecash coins.

Ecash is implemented using RSA public-key cryptography. Every user in the system has their own public/private key pair. Special client and merchant software is required to use the Ecash system. The client software is called a "cyberwallet" and is responsible for withdrawing and depositing coins from a bank, and paying or receiving coins from a merchant.

Withdrawing Ecash Coins

To make a withdrawal from the bank, the user's cyberwallet software calculates how many digital coins of what denominations are needed to withdraw the requested amount. The software then generates random serial numbers for these coins. The serial numbers are large enough so that there is very little chance that anyone else will ever generate the same serial numbers. Using a 100-digit serial number usually guarantees this. The serial numbers are then blinded using the blind signature technique[3]. This is done by multiplying the coins by a random factor. The blinded coins are then packaged into a message, digitally signed with the user's

private key, encrypted with the bank's public key, and then sent to the bank. The message cannot be decrypted by anyone but the bank. When the bank receives the message, it checks the signature. The withdrawal amount can then be debited from the signature owner's account. The bank signs the coins with a private key. After signing the blind coins, the bank returns them to the user, encrypted with the user's public key. The user can then decrypt the message, and unblind the coins by dividing out the blinding factor. Since the bank couldn't see the serial numbers on the coins it was signing there is no way to now trace these coins back to the user who withdrew them. In this way the cash is fully anonymous.

Spending Ecash
To spend Ecash coins, the user starts up their cyberwallet software and a normal Web client and then browses the Web till they find a merchant shop selling goods. The Ecash software can be used with any existing Web client and Web server software. A merchant shop is simply a HTML document with URLs representing the items for sale. To buy an item the user selects the URL representing that item. The following steps then occur as shown in Figure 1.

Figure 1 : Making a purchase with Ecash

1. The user's Web client sends a HTTP message requesting the URL to the Merchant's normal Web server. This URL will invoke a Common Gateway Interface (CGI) program[19]. 2. The CGI program invoked will be the merchant Ecash software, and it will be passed details of the item selected encoded in the URL. The location of the buyer's host machine will also be passed in an environment variable from the server to the merchant Ecash software. 3. The merchant software, now contacts the buyer's wallet using a TCP/IP connection, asking it for payment. 4. When the cyberwallet receives this request, it will prompt the user, asking them if they wish to make the payment. If they agree, the cyberwallet will gather together the exact amount of coins and send this as payment to the merchant. The coins will be encrypted with the merchant's public key so that only the merchant can decrypt them: {Coins}K[public,Merchant] If they disagree or do not have the exact denominations necessary to make a correct payment, the merchant is sent a payment refusal message. 5. When the merchant receives the coins in payment, he must verify that they are valid coins, and have not been double spent. To do this he must contact the bank, as only the minting bank can tell whether coins have been spent before or not. Thus the merchant packages the coins, signs the message with his private key, encrypts the message with the bank's public key, and sends it to the bank. {{Coins}K[private,Merchant]}K[public,Bank] 6. The bank validates the coins by checking the serial numbers with the large on-line database of all the serial numbers ever spent and returned to the bank. If the numbers appear in the database then they are not valid, since they have been spent before. If the serial numbers don't appear in the database, and have the bank's signature on them, then they are valid. The value of the coins are credited to the merchant's account. The coins are destroyed, and the serial numbers added to the the database of spent coins. Thus coins are good for one transaction only. The bank notifies the merchant of the successful deposit. 7. Since the deposit was successful, the merchant was paid, and a signed receipt is returned to the buyer's cyberwallet. 8. The purchased item, or an indication of successful purchase of hard goods, is then sent from the merchant Ecash software to the Web Server. 9. The Web server forwards this information to the buyer's Web client. Ecash client and merchant software is available for many platforms. Currently no real money is used in the system, but an Ecash trial[11] with 10,000 participants, each being given 100 "cyberbucks" for free has been running since late 1994. There are many sample Web shops at which to spend cyberbucks.

Advantages and Failings

The strengths of Ecash are its full anonymity and security. The electronic cash used is untraceable, due to the blind signatures used when generating coins.

By employing secure protocols using RSA public key cryptography, the Ecash system is safe from eavesdropping, and message tampering. Coins cannot be stolen while they are in transit. However, the protection of coins on the local machine could be strengthened by password protection and encryption. The main problem with Ecash may be the size of the database of spent coins. If a large number of people start using the system, the size of this database could become very large and unmanageable. Keeping a database of the serial number of every coin ever spent in the system is not a scalable solution. Digicash plans to use multiple banks each minting and managing their own currency with interbank clearing to handle the problems of scalability. It seems likely that the bank host machine has an internal scalable structure so that it can be set up not only for a 10,000 user bank, but also for a 1,000,000 user bank. Under the circumstances, the task of maintaining and querying a database of spent coins is probably beyond today's state-of-the-art database systems.