
What is cash

Cash is a bearer instrument, which means it carries no record of ownership. The holder of the cash is assumed to be the owner and may pass it to another person, who then becomes the new owner. This leads to a number of properties that define the use of cash in our environment:

  • The owner holds the cash (it is not held in an account managed by a third party)
  • It is an anonymous transaction (or as anonymous as the participants agree)
  • There is no payment intermediary (e.g. no bank is involved in the transfer of ownership), no permission is required to make a payment, it is censorship resistant
  • It is irrevocable (there is no concept of charge backs or dispute resolution)
  • There are no financial status requirements (you don’t have to have a bank account or credit card - financial inclusion)
  • The transfer of ownership is immediate (when you pass a $ bill to somebody they have it and you don’t, as before nobody else is involved and nobody else knows about the transaction)

The security model for physical cash is relatively straightforward: the owner must provide adequate physical protection of the cash in their possession, and when they receive cash from another party they must be adequately assured that it is genuine. There is an implied authenticity check.

What is digital cash?

By definition any digital cash instrument must have the same properties as physical cash: it must be a bearer instrument, so all the properties described for a physical cash instrument must apply to a digital cash instrument. You might think of digital cash as physical cash in a different form factor; instead of notes and metal coins, digital cash is digital data.

The security model for digital cash can be described in the same way: the holder must provide adequate digital protection against loss, and it must be possible for the holder to be assured of its authenticity. The requirements for protecting physical cash are of course well understood, but the digital equivalent requires further elaboration.

Notes and coins incorporate security techniques that make them difficult to counterfeit, and it is this feature that enables the acceptor to detect a fake note or coin. A digital coin, however, can be copied easily, and the copy would be indistinguishable from the original. Detecting duplicate coins is therefore a necessary security requirement of a digital cash system; this is often referred to as the double spend problem. The security requirements for digital cash can be defined as:

  • It should not be economically viable to create an apparently authentic digital coin
  • The users of digital cash must be protected from the double spend problem

Digicash (1990 – 1998) was really the first serious attempt to provide a digital cash product. Dr David Chaum was the pioneer who actively promoted the ideas through the 1980s, culminating in the formation of Digicash in 1990. It eventually led to a product launch by the Mark Twain Bank in the US in 1996 but never really caught on and quietly slipped away at the end of the 90s.

The concept was very simple: rather than have a $1 bill protected by special paper and inks, why not have a $1 digital data block protected by a digital signature? In the case of the physical $1 bill the system relies on users spotting fakes and declining to accept them. However, you could easily copy a $1 electronic data block together with its digital signature, and the copy would be perfect, so you must have a way of rejecting the double spend, as it is called. It is this protection against the double spend that is the security core of all digital cash products.

The core intellectual property of Digicash was the idea of mathematically blinding the digital $1 data message when it was created by the bank so that it could not be correlated with the user. This made the electronic bill anonymous, thereby achieving one of the core characteristics of cash. In operation users would go to their bank to get digital $1 bills to the value required, in this sense just like real paper bills. Each of these $1 bills was prepared using public key cryptography and the blinding technique mentioned earlier and sent back to the consumer. The consumer would go to the merchant and hand over digital $1 bills to the value required. At this point the merchant doesn't know whether the $1 bills are authentic or whether they have already been given to somebody else, i.e. the double spend. So the merchant sends the digital $1 bills to the bank to get confirmation that the digital cash is valid and that their account will be credited accordingly. The bank keeps a database of the $1 bills in circulation and removes the spent bills as they are handed in.

Digicash is a remote asset transfer model: the issuing bank holds the fiat currency, taking it from the payer's account when the digital $ bills are issued and crediting the merchant's account when the digital $ bills are presented and accepted.
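The Digicash flow described above, as an added Python example that is not Digicash's own code: the bank signs a blinded coin without seeing its serial number, the customer unblinds it, and the bank's spent-serial database rejects the second deposit. The RSA key, coin format and names are constructed for the illustration.

```python
import hashlib
import math
import secrets

# Toy RSA key, constructed for this illustration only. The factors are the
# Mersenne primes 2^31-1 and 2^61-1 (about a 92-bit modulus): far too small
# for real use, but enough to show the blinding arithmetic working.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ pow)


def coin_digest(serial: bytes) -> int:
    """Hash the coin's serial number to an integer below N. This is what is
    signed, so a signature on one serial does not fit any other serial."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Bank:
    """Signs blinded coins and keeps the database of serials already spent."""

    def __init__(self):
        self.spent = set()

    def sign_blinded(self, blinded: int) -> int:
        # The bank signs whatever it receives; the serial inside stays hidden.
        return pow(blinded, D, N)

    def redeem(self, serial: bytes, signature: int) -> bool:
        """Merchant deposits a coin: check authenticity, then the spent list."""
        if pow(signature, E, N) != coin_digest(serial):
            return False            # not signed by the bank: counterfeit
        if serial in self.spent:
            return False            # seen before: double spend
        self.spent.add(serial)      # retire the serial from circulation
        return True


def withdraw_coin(bank: Bank):
    """Customer picks a serial, blinds it, has it signed, then unblinds."""
    serial = secrets.token_bytes(16)
    m = coin_digest(serial)
    while True:                     # blinding factor must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N             # m * r^e
    blind_sig = bank.sign_blinded(blinded)       # (m * r^e)^d = m^d * r
    signature = (blind_sig * pow(r, -1, N)) % N  # strip r, leaving m^d
    return serial, signature, blinded


def demo():
    """Returns [genuine coin accepted, same coin again, coin with altered serial]."""
    bank = Bank()
    serial, sig, blinded = withdraw_coin(bank)
    if blinded == coin_digest(serial):
        raise RuntimeError("blinding failed: bank would have seen the serial")
    return [bank.redeem(serial, sig),
            bank.redeem(serial, sig),
            bank.redeem(b"some-other-serial", sig)]


if __name__ == "__main__":
    print(demo())   # [True, False, False]
```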

Mondex (1990 – 2001), which was invented by Tim Jones and Graham Higgins and architected by Dr David Everett, also used public key cryptography but was designed to operate offline. Each user of the system would have a secure store of digital cash which they would use to create a digital value message. This digital value message could be for any value as long as it was no more than the value held in the secure store. Such value messages were protected by digital signatures. To make a payment the payer would instruct their secure store to create a digital value message, which they would then pass to the payee. The payee would then present this message to their secure store for acceptance. The value of the payer's store would be decremented and the payee's store incremented by the common amount. These secure stores were implemented in smart cards, each containing a security-hardened integrated circuit chip.

The double spend problem was resolved by using a protocol. In essence the payee would generate a unique request message and, on receipt, the payer would generate a value message based on the data in the request message. This asynchronous protocol ensured that each value message was accepted only once. All messages in the protocol were digitally signed.

Although the Mondex protocol was well capable of operating online, its promotion by the member banks focused on the physical world, and of course it pre-dated the introduction of the internet as we know it today.

This was the first real asset transfer model for digital cash. The users had a representation of fiat currency in their secure stores and could move such value as required to any other system user. There was no third party involvement in the individual payments. Each currency had an originator of value which was distributed to the users through the various partner banks.

The IPR surrounding Mondex focused on the concept of the float representing the value in circulation and its operation, as well as on the value transfer protocol. The security of Mondex relied on the integrity of the cryptographic protocols and the integrity of the secure stores.

MintChip (2008 - ) was designed and architected by Dr David Everett for the Royal Canadian Mint as an updated version of Mondex. It was designed around the use of secure asset stores to provide a distributed asset model. Each user of the system would own a secure asset store, which they could manage individually or assign to an agent who might manage a large set of secure asset stores. Each currency has a minter of value, which is distributed to the users through MintChip brokers.

MintChip is also an asset transfer model: value is moved from one store to another using digitally signed value messages. When a value message is created the value of the sending store is decremented, and when a value message is accepted the value of the receiving store is incremented accordingly. As with Mondex this is a fully distributed model because each secure asset store operates independently. There is no need for a central ledger or database, and in fact you couldn't create one, because only the owner of the store or their agent has that knowledge.

MintChip is a payment push model: the payer creates the value message independently of the payee's secure asset store, but they do need prior information on the identity of the payee store, which is used to make the message unique. The double spend is prevented by each store accepting a value message only once; the stores effectively keep a log of all transactions, each of which is unique. It should be noted, however, that this log is entirely associated with the particular secure asset store and has no value outside this domain. As before, all value messages are protected by digital signatures using public key cryptography.

The MintChip IPR is centred on the asset transfer protocol and the cryptographic security techniques used to protect the integrity of the system. The security of the system is dependent on the integrity of the cryptographic operations and the Secure Asset Store.
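The two store-to-store protocols described above (the Mondex request/value exchange and the MintChip push), as one added Python example that is not the code of either product. It uses an HMAC under a constructed scheme-wide key in place of the per-store public key signatures both systems actually used; that substitution, the message layout and the store names are assumptions, and the double spend check (each store accepting a given value message only once) is the point being shown.

```python
import hashlib
import hmac
import json

# Constructed key shared by all stores in this demo. It stands in for the
# per-store public key signatures used by Mondex and MintChip (an assumption
# made to keep the example standard-library only); the acceptance logic is
# the same whichever primitive authenticates the messages.
SCHEME_KEY = b"demo-scheme-key-not-for-real-use"


def _mac(fields: dict) -> str:
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(SCHEME_KEY, body, hashlib.sha256).hexdigest()


def _signed(fields: dict) -> dict:
    return {**fields, "mac": _mac(fields)}


def _verify(msg: dict) -> bool:
    fields = {k: v for k, v in msg.items() if k != "mac"}
    return hmac.compare_digest(_mac(fields), msg.get("mac", ""))


class SecureStore:
    """Holds a balance and decides for itself which value messages to accept."""

    def __init__(self, store_id: str, balance: int):
        self.id = store_id
        self.balance = balance
        self.counter = 0        # makes every message this store emits unique
        self.pending = {}       # Mondex: requests we issued, awaiting value
        self.paid = set()       # requests we have already answered with value
        self.accepted = set()   # log of value messages already taken in

    # --- Mondex style: payee issues a request, payer answers with value ---
    def make_request(self, amount: int) -> dict:
        self.counter += 1
        self.pending[(self.id, self.counter)] = amount
        return _signed({"kind": "request", "payee": self.id,
                        "n": self.counter, "amount": amount})

    def pay_request(self, req: dict):
        if not _verify(req) or req.get("kind") != "request":
            return None
        key = (req["payee"], req["n"])
        if key in self.paid:                  # same request replayed to us
            return None
        msg = self._emit(req["payee"], req["amount"], ref=req["n"])
        if msg is not None:
            self.paid.add(key)
        return msg

    # --- MintChip style: payer pushes value knowing only the payee's id ---
    def pay_push(self, payee_id: str, amount: int):
        return self._emit(payee_id, amount, ref=None)

    def _emit(self, payee_id, amount, ref):
        if amount <= 0 or amount > self.balance:
            return None
        self.counter += 1
        self.balance -= amount                # debited as the message is created
        return _signed({"kind": "value", "payer": self.id, "payee": payee_id,
                        "n": self.counter, "ref": ref, "amount": amount})

    def accept(self, msg: dict) -> bool:
        if not _verify(msg) or msg.get("kind") != "value" or msg.get("payee") != self.id:
            return False                      # forged, altered or misdirected
        uid = (msg["payer"], msg["n"])
        if uid in self.accepted:
            return False                      # already credited: double spend
        if msg["ref"] is not None:            # Mondex: must answer our request
            if self.pending.pop((self.id, msg["ref"]), None) != msg["amount"]:
                return False
        self.accepted.add(uid)
        self.balance += msg["amount"]
        return True


def demo():
    """Pay 30 by request/value and 10 by push, then replay both messages.
    Returns (payer balance, payee balance, any replay accepted?)."""
    a, b = SecureStore("A", 100), SecureStore("B", 0)
    value = a.pay_request(b.make_request(30))
    b.accept(value)
    push = a.pay_push("B", 10)
    b.accept(push)
    replay = b.accept(value) or b.accept(push)
    return a.balance, b.balance, replay   # (60, 40, False)
```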

Bitcoin (2008 - ) was designed and architected by Satoshi Nakamoto, a pseudonym that some people now believe belongs to Dr Craig Wright. It was designed as a peer to peer digital cash system and introduced the concept of the Blockchain. In addition to the concepts of cash discussed previously, it was a core design concept to avoid a centralised regulatory entity such as a central bank: it was a new virtual currency independent of the existing national payment instruments. This currency is not collateralised and its volatility cannot be predicted. This is true of all virtual uncollateralised currencies.

Bitcoin is actually a transfer of ownership model: the Blockchain, a publicly readable distributed ledger or database, holds the current ownership of every Bitcoin. When users want to make a payment they (or an agent acting for them) issue a digitally signed command to the Bitcoin community stating their intention to transfer ownership. The consensus team, called miners because they are paid in Bitcoins for doing the consensus operation, check the validity of the operation and, if everything is correct, add the change of ownership to the new block that will be appended to the Blockchain. It is this consensus process and the Blockchain that are designed to prevent the double spend. The Blockchain is protected by cryptographic hash functions.

The security of Bitcoin, ignoring the value of the currency, is dependent on the integrity of the cryptographic operations and the integrity of the consensus process. I am not aware of any patents protecting the Bitcoin scheme.

Tibado (2014 - ) was designed by Tim Jones and David Everett as a close representation of physical cash. It operates only online and is based on the concept of digital coins, a true bearer instrument. A Tibado coin is a cryptographically protected message that represents a particular fiat value and currency. The digital coins have no association with the holder, whether the current holder of the coin or a new holder. The users store and manage their Tibado coins as required. This digital coin model meets the characteristics of cash better than any of the other concepts described here.

Tibado provides an online digital cash box that allows users to split or merge coins. So if a user wants to pay someone, they use the cash box to take their existing coin and split it into one coin for the value of the payment and another coin for, effectively, the change. Conversely, if somebody sends the user a coin, they might send that coin and their existing coin to the cash box to have them merged into a single coin of the cumulative value. Tibado has the concept of a user pocket to manage these coin operations. The users can move coins amongst themselves using, for example, social media messaging entirely outside the Tibado space. The coins are usually represented as a PNG image of a coin containing a QR code to allow unimpeded network communications.

Each Tibado coin is protected by a dual cryptographic integrity function. All these cryptographic functions use symmetric cryptography. The digital cash box maintains a distributed live coin database. This database could be made publicly accessible, but Tibado has not currently enabled that operation; it is not clear why it would need to be publicly available.

Tibado is a fully distributed system and there are no payment intermediaries. For each currency there is an originator of the coins, which may be distributed directly to the users or distributed by agents. The security of the Tibado system relies on the integrity of the coin cryptographic operations and the digital cash box. All cryptographic operations are undertaken in Hardware Security Modules housed in secure data centres.

The Tibado technology is protected by patent applications covering the core security operations.

Security Considerations

One of the biggest conceptual differences between these various digital cash schemes relates to the method by which payment transactions are validated. Most of the schemes effectively have a legal entity that provides the root of trust for the cryptographic hierarchy. Cryptographic operations within that security domain are trusted by all the participants.

Bitcoin and the Blockchain are conceptually different in that they have a security architecture and some form of consensus operation that is operated by a community. In the permissionless case of Bitcoin that community is totally unregulated and not identifiable as any form of legal entity. In practice users of the system have to trust the core of the community (perhaps 10 people or fewer) who set the operation and thereby the security of the system.

In the permissioned case there is some form of agreement as to the community responsible for the consensus operation. What is not clear is why one should trust such a community more than a legally defined entity (which may include more than one organisation) that operates the root of trust. The history of banking is based on the ability to define and agree such roots of trust and the rules and regulations by which they operate. It is difficult to understand how such a trust model can be viably circumvented.

Dr David Everett


1. The Blockchain is a register or database containing statements (e.g. ownership, rights or a smart contract) provided by the participants to form a complete history. The history cannot be modified or deleted; you can only add new statements.

  • The Bitcoin Blockchain contains statements of change of ownership - the first statement of a bitcoin's ownership is the coinbase transaction inherent in each new Block (currently 25 new bitcoins per Block, awarded to the validator)

2. There are rules defined for a particular Blockchain that determine what statements can be added to a Block and in what form

  • The Bitcoin rules require the current ownership to be checked and the correctness of the digital signature (elliptic curve cryptography) provided by the owner to transfer ownership

3. The Block validator for each new statement checks the rules have been obeyed

  • In Bitcoin the validator is the community of miners, themselves constructed as pools or farms to get maximum processing capability

4. The Validator validates the Block and links it to the chain using hash functions in exchange for a reward

  • The Bitcoin reward to the validator or miner is currently 25 bitcoins per block validated but this will halve every 210,000 blocks (about 4 years) until 21m (arbitrary limit) bitcoins have been issued in about 2140. A bitcoin is currently worth $580

5. The Blockchain may be public (accessible to all) or private (accessible to the membership)

  • The Bitcoin Blockchain is public

6. The Blockchain may be centralised (validated by an entity) or decentralised (validated by a community)

  • The Bitcoin Blockchain is decentralised

7. A validation community has to reach consensus to validate a Block; an entity has intrinsic consensus

  • Bitcoin consensus is reached by miners calculating a hash function (SHA-256 applied twice) of the new block, including a link to the existing blockchain, such that the result has certain properties; it currently takes on average 10 minutes, and this Proof Of Work (POW) is adjusted every 2016 blocks (about 2 weeks) so that it always takes about 10 minutes on average. The cost of mining (currently about $350m per year) is barely covered by the reward of bitcoins (currently about 1.3m X current value = $754m per year), but with high volatility. Transaction fees are currently optional.
  • Management of the Bitcoin Blockchain by the validators doesn't require secret cryptographic keys, which is a very smart part of the security design. In most designs it is quite difficult to avoid the use of secret keys.

8. The Blockchain may be permissioned (validators have identity and have to be authenticated to participate in the consensus process) or permissionless (validators are anonymous or pseudo-anonymous with no prior relationship)

  • Bitcoin is permissionless; the miners are pseudo-anonymous - they are associated with the digital address representing the bitcoin ownership earned as a reward for validating a block, which could allow some forms of tracking depending on how the coins are subsequently used.
  • A permissioned Blockchain is by default a private Blockchain because the validators are pre-established and have organisational community rules for validating the blocks. is a decentralised payment system using a permissioned Blockchain.


Bitcoin is a digital currency system that enables participants to create and transfer bitcoins using a blockchain, which is the rails upon which the bitcoins are created and transferred. A bitcoin is a digital descriptor of a unit of value and its ownership; one bitcoin is currently worth about $255, and this represents the market forces of supply, demand and speculation. Unlike other currencies such as gold or platinum, bitcoins have no other utility value: they are an entry in a blockchain ledger. New transactions can be created to change the ownership of bitcoins by forming new entries in the ledger or blockchain. A bitcoin can be subdivided by 8 orders of magnitude; the smallest unit is called a Satoshi (1 Satoshi = 0.00000001 bitcoin), named after the Bitcoin inventor, or more likely his pseudonym: most people really don't know who he/she/they are.


Bitcoin and Blockchain

The Bitcoin rails are a decentralised ledger called the blockchain, which is freely available in the cloud, but what you can't do is easily change it. A new block (think of it as a page in a ledger) is created every 10 minutes or so and contains all the transactions submitted by users since the last block was created. Each block has to be agreed by the community before it is added to the previous blocks, i.e. the block chain. So approximately every 10 minutes the block chain increases in size by one block. There are currently about 351,200 blocks in the chain and each block today has about 700 transactions. The blockchain effectively contains a record of every transaction from the start, which is called the genesis block (of 50 bitcoins).

So how does a community manage the public decentralised blockchain? You can see from the previous comments that each page of the ledger, or block of the blockchain, needs to be verifiably signed in some shape or form, in a way that the community will accept and that will not provide any viable vulnerability to hackers. With a centralised system this would probably just be a digital signature, where everybody accepts the authority of the central source. However, you cannot trust the individuals of a community even if all the members trust the club. So what is required is some form of consensus within the community about the correctness of a particular block.

The Bitcoin approach is core to the way the blockchain is constructed. Each block is hashed by members of the community called miners, because their reward for hashing a block is to receive bitcoins, at least until the limit of 21 million bitcoins has been reached.

You will remember that a hash is a one way function that reduces an input message to a digest: it is easy to take a message and create a hash digest, but the reverse is by design very difficult, or in other words not economically viable. The Bitcoin approach to consensus is to make the hash calculation a proof of work by adding constraints. For more on hash functions and collisions go to Choosing a Cryptographic Hash Function.

The design requires the hash digest to have a leading number of zeros, and since the output of the digest is practically random there is no short cut. The person creating the hash using the SHA-256 algorithm needs to add a nonce to the input of the hash function, where the nonce is repeatedly changed until the minimum desired number of leading zeros is achieved. The Bitcoin miners are effectively competing with each other to be the first to achieve a hash with the minimum number of leading zeros. Part of the input to the hash, apart from the current transactions in the block, is the hash of the last block of the chain, by which means the blocks are all linked together to form the new blockchain, which is now one block longer. The successful miner publishes the new blockchain to the community as soon as possible and, if agreed by his peers, everybody moves on to validating the next block. The Bitcoin design deliberately alters the number of zeros required, increasing the work function to stabilise the time taken to validate a block at about 10 minutes on average. You can see that it is not practically viable for a hacker to go back and alter transactions because, as the length of the chain increases, the work function is too high. The Bitcoin community always accepts the longest validated chain as the true blockchain.

There is just a little loose end: how is a transaction created and validated? Each bitcoin owner has a public key/secret key pair. When creating a bitcoin transfer the current owner includes the address of the new owner, i.e. the one to which bitcoin value is being transferred. The current owner protects this transaction message by digitally signing the transaction (using elliptic curve cryptography) with their secret key. Anyone with access to the owner's public key (a bitcoin address is a hash of the public key) can check that the signature is correct. You can effectively track back through the blockchain to follow the complete life cycle of a bitcoin. When the miner sets out to create the hash for the new block they do of course first check that the transaction signatures are valid and that the source of the transfer has title to that bitcoin from a previous transaction.

So far we have talked about an individual bitcoin, but in practice transactions will be for some multiple of a bitcoin, more or less than one. An individual transaction can have one or more inputs and one or more outputs. A particular participant might have 3 bitcoins attached to their address from a previous transaction. Let's say they want to transfer 2.5 bitcoins to the address of a new owner. The input would be the reference to the 3 bitcoins belonging to the source owner and there would be two outputs: 2.5 bitcoins to the address of the new owner and 0.5 bitcoins to the address of the current owner. In other words this is also a way of getting change.

We haven't mentioned it, but eventually the limit of 21 million bitcoins is reached; yet it was the creation of new bitcoins that rewarded the miners for their efforts, which are not insignificant in terms of cost: the time averages 10 minutes but the computing power required increases significantly. If you include the cost of the capital equipment and the electricity, there are arguments that the average cost to mine a bitcoin is greater than $100, and many think much higher. Anyway, eventually the mining reward vanishes and the block validators need to collect transaction fees. The difference between the total input value and the total output value, which of course must be zero or positive, is taken by the Bitcoin miners as a transaction fee. For validating a block today a miner earns 25 bitcoins (this reduces over time) with a current street value of $6,375 ($255 X 25), or about $9 per transaction validated assuming 700 transactions in a block. The current size of the blockchain is 27 GBytes.
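The mining and chaining described in this article, and in item 7 of the Blockchain notes above, as an added Python example that is not Bitcoin's code: a block header hashed with SHA-256 applied twice, a nonce search for leading zeros, the link to the previous block's hash, the validation every node repeats, and what it costs to rewrite an old transaction. The sample transactions and the 3-hex-digit difficulty are constructed for the demo.

```python
import copy
import hashlib
import json


def double_sha256(data: bytes) -> str:
    """Bitcoin hashes block headers with SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def block_hash(block: dict) -> str:
    # Everything except the stored hash goes into the header hash, so
    # changing a transaction, the link or the nonce changes the result.
    header = {k: block[k] for k in ("index", "prev_hash", "transactions", "nonce")}
    return double_sha256(json.dumps(header, sort_keys=True).encode())


def mine(block: dict, difficulty: int) -> dict:
    """Try nonces until the hash starts with `difficulty` hex zeros."""
    target = "0" * difficulty
    block["nonce"] = 0
    while True:
        h = block_hash(block)
        if h.startswith(target):
            block["hash"] = h
            return block
        block["nonce"] += 1


def append_block(chain: list, transactions: list, difficulty: int) -> dict:
    prev_hash = chain[-1]["hash"] if chain else "0" * 64   # genesis has no parent
    block = {"index": len(chain), "prev_hash": prev_hash,
             "transactions": transactions, "nonce": 0}
    chain.append(mine(block, difficulty))
    return block


def validate_chain(chain: list, difficulty: int) -> bool:
    """What every node re-checks: stored hash, proof of work, and the links."""
    for i, block in enumerate(chain):
        if block_hash(block) != block["hash"]:
            return False
        if not block["hash"].startswith("0" * difficulty):
            return False
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return False
    return True


def build_demo_chain(difficulty: int = 3) -> list:
    # Constructed transactions: a coinbase, then spends with change outputs.
    # 3 hex zeros (12 bits) keeps each block to a few thousand hashes.
    chain = []
    append_block(chain, [{"coinbase": "miner-1", "amount": 50}], difficulty)
    append_block(chain, [{"from": "miner-1", "to": "alice", "amount": 2.5},
                         {"from": "miner-1", "to": "miner-1", "amount": 47.5}], difficulty)
    append_block(chain, [{"from": "alice", "to": "bob", "amount": 1.0},
                         {"from": "alice", "to": "alice", "amount": 1.5}], difficulty)
    return chain


def rewrite_history(chain: list, difficulty: int) -> dict:
    """Alter an old transaction on a copy and see how much work makes it valid."""
    forged = copy.deepcopy(chain)
    forged[1]["transactions"][0]["amount"] = 250          # edit block 1
    after_edit = validate_chain(forged, difficulty)        # stored hash no longer matches
    mine(forged[1], difficulty)                            # redo block 1's proof of work
    after_one = validate_chain(forged, difficulty)         # block 2 still links to the old hash
    for b in forged[2:]:                                   # every later block must be redone
        b["prev_hash"] = forged[b["index"] - 1]["hash"]
        mine(b, difficulty)
    after_all = validate_chain(forged, difficulty)
    return {"after_edit": after_edit, "after_one": after_one,
            "after_all": after_all, "blocks_redone": len(forged) - 1}


if __name__ == "__main__":
    demo_chain = build_demo_chain()
    print(validate_chain(demo_chain, 3), rewrite_history(demo_chain, 3))
```

The attacker only ends up with a valid chain after redoing the proof of work for the edited block and every block after it, which is why the honest community's longest chain stays ahead.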

Dr David Everett



Hash functions are widely used for a number of reasons, but in the world of cryptography they are the core of message authentication and data integrity functions, reducing a message to a relatively short digest or checksum to which some cryptographic operation involving a secret key is applied. Cryptographic algorithms such as DES and AES can be used to generate a hash and cryptographic checksum at the same time by using a secret key, but here we are going to consider algorithms specifically designed as hash functions, as widely used in the creation of digital signatures. We will look at HMAC (Hash Message Authentication Code) and CMAC (Cipher Message Authentication Code) in another article.

In the era of modern cryptography, usually considered to run from the day NIST first published the DES algorithm in 1975, a number of hash algorithms have appeared and many have quickly fallen by the wayside. People generally assume that designing an algorithm for confidentiality is the most difficult task, followed by the design of hash functions and last of all random numbers, which anybody can create. Reality has it back to front: creating good random numbers is extremely difficult, collision free hash functions are very difficult, and encipherment algorithms, whilst difficult, are the easiest of the set.

Professor Ron Rivest, the 'R' in RSA, is one of the core pioneers in modern cryptography and introduced a number of hash functions (MD2, MD4, MD5) from 1989 onwards, in addition to his RCx (Ron's Code) set of crypto algorithms. But as fast as he produced new hash algorithms, other cryptographers, and in particular Don Coppersmith, seemed to be very good at taking them apart. Although these MD hash algorithms are still widely used today, they would be deprecated for any new system design.

Things really changed when NIST introduced SHA (Secure Hash Algorithm; the original form is sometimes referred to as SHA-0) in 1993, followed soon afterwards in 1995 by SHA-1 due to the discovery of an undisclosed weakness in SHA-0. Between 1998 and 2008 a number of analysts were able to show collisions with much lower than the expected complexity of 2^80, to as little as 2^33.6. SHA-1 is widely used in many commercial cryptographic systems and is probably the most widely used hash function in current cryptographic systems. So how much do these collisions matter? Do you need to panic and change your system tomorrow?

Hash functions need to conform with a number of properties, such as uniformity and non-determinism, to ensure there is no short cut for manipulating the hash function, but the core properties of a hash function with an n-bit output are normally defined as:

1) Collision resistant, which means that the computational complexity of finding two messages M1 and M2 with the same hash value H0 should not be less than 2^(n/2), which for SHA-1 would be 2^80

2) Pre-image resistant, which means that the computational complexity of finding a message M2 given the hash value H1 of a message M1 should not be less than 2^n

3) Second pre-image resistant, which means that the computational complexity of finding a message M2 given M1 such that hash(M2) = hash(M1) should not be less than 2^n

When you hear that a hash function has been broken it generally refers to the fact that somebody has found a lower computational complexity for the basic collision resistance (as per (1) above), defined as 2^(n/2), and indeed this is what has happened to SHA-1.
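The bounds in properties (1) and (2), made concrete with an added Python example that is not part of the original article. SHA-256 is truncated to n = 24 bits so that the searches finish in seconds; the function names, seed and sample messages are mine. The same code with n = 160 would be the SHA-1 case, where the expected effort is about 2^80 hashes for a collision and 2^160 for a pre-image.

```python
import hashlib
import math
import random


def truncated_hash(msg: bytes, n_bits: int) -> int:
    """SHA-256 cut to its top n_bits, standing in for an n-bit hash function
    so that the 2^(n/2) and 2^n bounds can actually be reached in a demo."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - n_bits)


def _random_message(rng: random.Random) -> bytes:
    return rng.getrandbits(64).to_bytes(8, "big")


def find_collision(n_bits: int, rng: random.Random):
    """Property (1): hash random messages, remembering every digest, until
    one repeats. Returns (M1, M2, trials); trials lands near sqrt(pi/2 * 2^n),
    the birthday bound, not near 2^n."""
    seen = {}
    trials = 0
    while True:
        m = _random_message(rng)
        trials += 1
        h = truncated_hash(m, n_bits)
        if h in seen and seen[h] != m:
            return seen[h], m, trials
        seen[h] = m


def find_preimage(target: int, n_bits: int, rng: random.Random, budget: int):
    """Property (2): look for any message hashing to one given digest. Each
    trial succeeds with probability 2^-n, so about 2^n trials are needed;
    returns (message, trials) or None if the budget runs out."""
    for trials in range(1, budget + 1):
        m = _random_message(rng)
        if truncated_hash(m, n_bits) == target:
            return m, trials
    return None


def expected_collision_trials(n_bits: int) -> float:
    return math.sqrt(math.pi / 2 * 2 ** n_bits)   # birthday bound, about 2^(n/2)


def expected_preimage_trials(n_bits: int) -> int:
    return 2 ** n_bits


def demo(n_bits: int = 24, seed: int = 1) -> dict:
    rng = random.Random(seed)   # seeded so the run is reproducible
    m1, m2, trials = find_collision(n_bits, rng)
    target = truncated_hash(b"the digest the attacker wants to match", n_bits)
    # Give the pre-image search exactly the effort the collision took.
    pre = find_preimage(target, n_bits, rng, budget=trials)
    return {
        "collision_found": m1 != m2 and truncated_hash(m1, n_bits) == truncated_hash(m2, n_bits),
        "collision_trials": trials,
        "collision_bound": round(expected_collision_trials(n_bits)),
        "preimage_found_with_same_effort": pre is not None,
        "preimage_bound": expected_preimage_trials(n_bits),
    }


if __name__ == "__main__":
    print(demo())
```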

What this means is that it would be possible for an attacker with SHA-1 in hand to find two effectively random messages that result in the same hash digest with a computational complexity lower than that deemed acceptable.


However, in a commercial environment this is not normally the case when protecting, say, financial messages with digital signatures; in fact you might argue that the attacker's task is even harder than the second pre-image attack referred to above, because in general the messages are structured. What this means is that before a hash digest is even checked the message must pass the tests for structure. You cannot expect the receiver of a message to just accept any old random message; it has to look right. I am not aware of any attacks on SHA-1 that would expose any practical computational complexity less than 2^n, which for SHA-1 would be 2^160 and significantly in excess of the normal requirements.

There is a second 'however', and that is the fact that NIST has deprecated the use of SHA-1 in favour of SHA-2, actually a set of algorithms with output sizes of 224, 256, 384 and 512 bits. There is also a SHA-3 family, but that is relatively new and, as any seasoned cryptographer will tell you, give it a little time to be poked and prodded before adoption. It gets a little worse because many have argued that derivative attacks applied to SHA-1 may succeed against the SHA-2 family.

But to you and me, what does all this mean? If we understand how the hash function is being used and it isn't a straight collision problem (i.e. a security vulnerability exists if somebody is able to find two constructed messages with the same hash digest), then continuing to use SHA-1 really isn't an immediate problem, although you should be planning to change, because determining the type of collision vulnerability is not always straightforward: digital certificates, for example, are vulnerable to a straight collision attack, as has been demonstrated with the MD5 hash function. When it comes to security, planning for change is the fundamental requirement, and if you were designing a new system or upgrading an existing system then you would plan to use SHA-2 with 256 bits.

As we have said before, the important thing with any security design is being able to make changes to algorithms and keys that are transparent to the users.

Dr David Everett
