Conditional e-payments with transferability

https://doi.org/10.1016/j.jpdc.2010.07.004

Abstract

We introduce a novel conditional e-cash protocol allowing future anonymous cashing of bank-issued e-money only upon the satisfaction of an agreed-upon public condition. Payers are able to remunerate payees for services that depend on future, yet to be determined outcomes of events. Moreover, payees are able to further transfer payments to third parties. Once the payment is complete, any double-spending attempt by the payer will reveal its identity; no double spending by any of the payees in the payee transfer chain is possible. Payers cannot be linked to payees or to ongoing or past transactions. The flow of cash within the system is thus both correct and anonymous. We discuss several applications of conditional e-cash including online trading of financial securities, prediction markets, and betting systems.

Research highlights

This paper provides the following contributions:

  • It proposes the concept of conditional e-cash, where transferred payments are conditioned on the outcome of a future event.
  • It includes a solution extension to handle an offline bank.
  • It extends the original solution to enable the transferability of conditional payments.

Introduction

Electronic cash (e-cash) instruments allow digital payment for goods and services. Desirable properties of such protocols include: the ability to effect anonymous payments, the detection and prevention of malicious behavior (e.g., double spending), as well as the transactional consistency of the participants’ financial state. A multitude of e-cash protocols have been proposed in the recent past. The main desideratum in such efforts has often been to achieve, digitally, levels of similarity and ease of use comparable to physical cash.

There are scenarios, however, where basic e-cash properties are not sufficient. Here we consider the case of payments conditional on unknown future outcomes. In such settings, payers require the ability to anonymously remunerate payees for items that depend on future, yet to be determined outcomes of events. Prominent examples include trading of financial market instruments such as futures and securities [1], [2], [29], and other online protocols involving deferred conditional payments such as betting.

Correctness assurances are essential. Payees need to be confident that payment will occur with certainty for favorable future event outcomes. Payers should be able to cash back uncashed issued conditional payments for events with unfavorable outcomes. Overall monetary consistency needs to be preserved.

We note that trivial designs for such mechanisms can be envisioned, e.g., involving the e-cash issuing institution (i.e., bank) as a trusted arbitrator. Such assumptions, however, are rarely desirable. Requiring knowledge about the semantics of each and every considered future event at the bank is not scalable for even moderate transaction throughputs, considered events, and number of parties. Moreover, an important concern in such scenarios is the privacy of participants. It is important to protect the privacy of interactions between payer and payee entities. Revealing identities should only be possible as a counter-incentive for faulty behavior (e.g., double spending) and specifically not during a correct run of the protocol.

Thus, one of the main challenges of a sound design is assuring participants’ privacy while guaranteeing the conditional nature of payments. Payers and payees will naturally know each other, either by knowing each other’s identity or at least by having access to a pre-authenticated channel through which to transfer public keys. No other party, however, should be able to associate them with each other and the conditional payments. While many existing e-cash protocols provide for participant anonymity, they cannot be directly deployed for payments of a conditional nature.

In this paper we introduce a new conditional e-cash protocol featuring the following properties. A payer can ask her bank to issue an anonymous payment token that can be cashed by any potential payee, once and if and only if a trusted publisher publishes a specific secret (which only the publisher can do) in the future. In effect, payers are now able to remunerate payees (e.g., merchants) anonymously, for services that depend on future, yet to be determined outcomes of events. Moreover, the payee can further transfer the payment to a third party with full assurances. Once the payment is complete, any double-spending attempt by the payer will reveal its identity. Moreover, no double spending by any of the payees (in the payee-to-payee transfer chain) is possible. Payers cannot be linked to payees or to ongoing or past transactions. The flow of cash within the system is thus both correct and anonymous.

We explore a series of applications for conditional payments, including the online trading of securities, prediction markets, and online betting protocols.

The paper is organized as follows. We discuss the operational and adversarial models in Section 2 and related work in Section 3. We introduce and analyze the basic payment protocol in Section 4 and discuss transferability in Section 5. We explore applications such as anonymous online betting in Section 6 and conclude in Section 7.

Section snippets

Model

A payer remunerates a payee by providing a payment token that can be activated and cashed at a specific bank, but only when a secret is published by a trusted publisher upon the completion of a certain agreed-upon event with a “favorable” outcome (e.g., stock price below given threshold, horse won race). Events with two possible outcomes will be considered (“favorable”—payment should be honored, and “unfavorable”). No other party but the publisher can generate the secret (under computational

Related work

E-cash. The use of blind signatures and of the cut-and-choose protocol for providing untraceable electronic cash payments was proposed in [13], [14], [15], [16]. The problem of transferable e-cash was analytically studied first by Chaum and Pedersen [17]. The work of Brands [6] proposes a primitive called restrictive blind signatures to replace the high cost of blind signatures that use the cut-and-choose technique. While in our work we have used the latter technique to illustrate our protocol,

Conditional anonymous payments

The solution is composed of a set of logical sub-components: the generation of conditional payments, the validated transfer of the payments from the payer to the payee, and their spending by the payee in the case of a successful event outcome, or the cashing of the un-spent payments by the payer otherwise (see Fig. 1). All the above will also be designed to prevent double spending by both the payer and the payee.
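The sub-components listed above (generation, validated transfer, spending on a favorable outcome, refund otherwise, single use) can be traced in a hash-lock sketch with an online bank. This is an added example, not the paper's protocol: it omits anonymity (blind signatures) and identity-revealing double-spend detection. The HMAC standing in for the bank's signature, the hash commitments, the `owner`/`refund` locks and all class and method names are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

def H(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()

class Publisher:
    """Commits to one secret per outcome up front; later reveals only the one that occurred."""
    def __init__(self):
        self._secrets = {o: secrets.token_bytes(32) for o in ("favorable", "unfavorable")}
        self.commitments = {o: H(s) for o, s in self._secrets.items()}

    def publish(self, outcome: str) -> bytes:
        return self._secrets[outcome]

class Bank:
    """Online bank (assumption): authenticates tokens, redeems each serial at most once."""
    def __init__(self):
        self._key = secrets.token_bytes(32)   # HMAC stands in for the bank's signature
        self._used = set()

    def _tag(self, t: dict) -> str:
        body = json.dumps([t[k] for k in ("serial", "amount", "cond", "owner", "refund")],
                          sort_keys=True)
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, amount, cond, owner_lock, refund_lock) -> dict:
        t = {"serial": secrets.token_hex(16), "amount": amount, "cond": dict(cond),
             "owner": owner_lock, "refund": refund_lock}
        t["tag"] = self._tag(t)
        return t

    def valid(self, t: dict) -> bool:
        """Check a payee runs before accepting: genuine tag and serial still unused."""
        return hmac.compare_digest(t["tag"], self._tag(t)) and t["serial"] not in self._used

    def _redeem(self, t, lock, key, cond=None, secret=None) -> bool:
        if not self.valid(t) or H(key) != lock or (cond is not None and H(secret) != cond):
            return False
        self._used.add(t["serial"])   # single use: blocks double spending by any holder
        return True

    def cash(self, t, secret, owner_key) -> int:       # payee, favorable outcome
        ok = self._redeem(t, t["owner"], owner_key, t["cond"]["favorable"], secret)
        return t["amount"] if ok else 0

    def refund(self, t, secret, refund_key) -> int:    # payer, unfavorable outcome
        ok = self._redeem(t, t["refund"], refund_key, t["cond"]["unfavorable"], secret)
        return t["amount"] if ok else 0

    def transfer(self, t, owner_key, new_owner_lock):  # hop to the next payee
        if not self._redeem(t, t["owner"], owner_key):
            return None
        return self.issue(t["amount"], t["cond"], new_owner_lock, t["refund"])
```

The bank never interprets the event itself; it only checks a preimage against the publisher's commitment, which is the property that keeps event semantics out of the bank.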

As mentioned in Section 2.1 for any party X, we denote by id(X) its identity, by NX

E-cash transferability

We discussed above a solution providing single-hop e-cash payments. We now turn to the issue of multi-hop transfers. This is important in a multitude of scenarios, e.g., in financial securities/options trading where securities and options are subject to multiple sell–buy cycles before maturation.

We introduce a mechanism that allows C to anonymously transfer the e-cash payment from A4 to a participant D, while still satisfying the properties discussed

Applications

In this section we briefly overview just a few of the application scenarios requiring conditional e-cash payments: financial securities, prediction markets, and anonymous online betting.

Conclusions

In this paper we introduce a novel conditional payment protocol that allows future anonymous cashing of bank-issued e-money only upon the satisfaction of an agreed-upon public condition. Moreover, such payments can be anonymously transferred further by any payee, before their respective condition outcome is known. Application scenarios include online trading of financial securities, prediction markets, and betting systems.

Acknowledgments

The authors would like to thank Miles Jackson and Moti Yung for insightful discussions. Radu Sion was in part supported by the NSF through awards CT CNS 0627554, CRI CNS 0708025 and CT CNS 0716608. Sion would also like to thank Motorola Labs, NOKIA, IBM Research, CEWIT and the Stony Brook VP Office for Research for their support.

Bogdan Carbunar is a principal staff researcher in the Applied Research Center of Motorola, where he is working on video on demand technologies. He received his BS in Computer Science from Politehnica University of Bucharest, Romania in 1999, and a Ph.D. Degree in Computer Science from Purdue University in 2005. His research interests include various aspects of security, such as secure data outsourcing and electronic payments. He is a member of IEEE.

References (36)

  • K.J. Arrow et al., The existence of an equilibrium for a competitive economy, Econometrica (1954)
  • Y. Balasko, Foundations of the theory of general equilibrium,...
  • I.F. Blake et al., Scalable, server-passive, user-anonymous timed release cryptography
  • M. Blanton, Improved conditional e-payments, in: ACNS’08,...
  • D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing, in: CRYPTO’01: Proceedings of the 21st Annual...
  • S. Brands, Untraceable off-line cash in wallets with observers (extended abstract) in: CRYPTO,...
  • J. Camenisch et al., Compact e-cash
  • J. Camenisch, A. Lysyanskaya, Signature schemes and anonymous credentials from bilinear maps, in: CRYPTO’04,...
  • J. Camenisch, A. Lysyanskaya, M. Meyerovich, Endorsed e-cash, in: SP’07,...
  • J. Camenisch et al., Digital payment systems with passive anonymity-revoking trustees
  • B. Carbunar, M. Tripunitara, Conditional payments for computing markets, in: CANS’08,...
  • J. Cathalo, B. Libert, J.-J. Quisquater, Efficient and non-interactive timed-release encryption, in: ICICS, 2005, pp....
  • D. Chaum, Blind signatures for untraceable payments
  • D. Chaum, Security without identification: transaction systems to make big brother obsolete, Communications of the ACM (1985)
  • D. Chaum, Privacy protected payments: unconditional payer and/or payee untraceability, in: SmartCard 2000,...
  • D. Chaum et al., Untraceable electronic cash
  • D. Chaum, T.P. Pedersen, Transferred cash grows in size, in: EUROCRYPT,...
  • G.I. Davida et al., Anonymity control in e-cash systems


Weidong (Larry) Shi received his Ph.D. in Computer Science from Georgia Institute of Technology, where he did research in computer architecture and computer systems. Mr. Shi was previously a senior research staff engineer at Motorola Research Lab, and co-founder of a technology startup. Currently, he is employed by Nokia Research Center at Palo Alto. In the past, he contributed to the design of multiple Nvidia platform products and was credited on a published Electronic Arts console game. In addition, he authored and co-authored over 30 journal/conference/workshop papers covering research problems in computer architecture, computer systems, multimedia/graphics systems, mobile computing, and computer security. He has 7 issued and pending USPTO patents.

Radu Sion is heading the Stony Brook Network Security and Applied Cryptography (NSAC) Lab. His research lies in Information Assurance and Efficient Computing. He builds systems mainly, but enjoys elegance and foundations, especially of the very rare practical variety. Sponsors and collaborators include IBM, IBM Research, NOKIA, Xerox, as well as the National Science Foundation which also awarded the CAREER Award. Radu is on the steering board and organizing committees of conferences such as NDSS, Oakland S&P, CCS, USENIX Security, SIGMOD, ICDE, and FC, among others.
