T-Cash: Transferable Fiat Backed Coins

05/10/2021 ∙ by Hitesh Tewari, et al. ∙ Trinity College Dublin 0

Numerous electronic cash schemes have been proposed over the years - however none have been embraced by financial institutions as an alternative to fiat currency. David Chaum's ecash scheme was the closest to something that mimicked a modern day currency system, with the important property that it provided anonymity for users when purchasing coins from a bank, and subsequently spending them at a merchant premises. However it lacked a crucial element present in current fiat-based systems - the ability to continuously spend or transfer coins. Bitcoin reignited the interest in cryptocurrencies in the last decade but is now seen as more of an asset store as opposed to a financial instrument. One interesting thing that has come out of the Bitcoin system is blockchains and the associated distributed consensus protocols. In this paper we propose a transferable electronic cash scheme using blockchain technology which allows users to continuously reuse coins within the system.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

In today’s increasingly digital world we are surrounded by electronic payment systems in everyday life. People regularly use debit and credit cards to make payments at point-of-sale terminals, and on the Internet with e-commerce retailers. More and more people are also starting to make use of electronic funds transfer mechanisms, as banks try to reduce their costs and eliminate the use of cheques. Near field communications systems combined with mobile technology promises to bring more convenient and quicker ways for users to pay and conduct peer-to-peer (P2P) funds transfer. However, for all the technological advances over the past three decades cash still remains king. According to a recent report by the San Francisco Federal Reserve Bank two-thirds of all transactions below $10, and nearly half of all transactions below $25 are in cash [1].

It is clear that what is required is an electronic version of cash that is anonymous and with the ability to transfer coins between users without the oversight of a central authority. A scheme that was proposed by David Chaum [4] more than thirty years ago fulfilled some of these requirements - however it failed to take off as a real alternative to physical cash. One of the reasons for its failure was that the scheme lacked an important property that most users associate with fiat currency - transferability of coins. Within the scheme it was possible to anonymously withdraw coins from a bank, and at a later date spend them at a merchant. In order for the coins to be accepted by the merchant they had to be deposited with the bank for verification. However, once deposited the merchant was not able to reuse the coins i.e. transfer them to another user as change, reuse them to buy more goods etc.

Since then the arrival of Bitcoin [2] has changed the cryptocurrency landscape beyond imagination. However, as we have seen in the past few years there is huge amounts of volatility with the value of Bitcoin. One of the contributing factors for this volatility is that Bitcoin and other Altcoins [3] have an upper limit on the number of coins that can be minted. This has led to the “hoarding” of coins, in the anticipation that the future value of the coins will be greater than their current purchase price.

In this paper, we introduce a fiat backed, transferable electronic cash scheme with limited identification properties. Our system uses a blind signature protocol such as the ones proposed in [4] [5] to hide the coin transaction parameters (e.g. the serial number of the coin from the bank). We make use of blockchain technology to collectively verify the authenticity of transactions to prevent double-spending and for the transfer coins within the system, without the need to employ the services of a trusted third party (TTP).

Ii Related Work

In this section we provide the reader with a brief background on the blind signature protocol, and some aspects of distributed ledger technologies that we make use of in the proposed protocol.

Ii-a Blind Signature Protocol

The first electronic cash protocol that gained widespread notice by the cryptographic community was proposed by David Chaum [6]. The scheme was essentially an on-line software solution whereby a buyer could spend ecash coins with any merchant participating in the system. By examining the coins (alone) neither the issuer nor the merchant were able to determine the identity of the customer. The protocol was designed such that the issuer was not able to detect the serial numbers of coins that it issued to users of the system (at the time of issue), even if it colluded with other participants in the system.

The scheme uses a blind signature protocol which allows a user (Alice) to mint a coin and hide the serial number of the coin using a blinding factor. Alice forwards the unsigned blinded coin to the bank. As long as the coin satisfies certain criteria, the bank signs the coin with its private coin signing key, without knowledge of the serial number. This feature allows for anonymous cash. On receiving the signed coin back from the bank, Alice removes the blinding factor, and uses the coin to pay for goods at a merchant (Bob) participating in the system. The blinding factor is a random number used to obfuscate the serial number of the electronic coin from the bank. On receipt of the coin, Bob immediately forwards it to the bank for verification. The bank maintains an ever-growing database of the serial numbers of all coins that have been spent in the system and is thus able to detect double-spending.

Mathematically the blind signature scheme comprises of the following steps:

  • A set which is the encrypted and non-encrypted message data and two functions which are an asymmetric encryption/decryption pair:

    • and for all in ;

    • is relatively easy to compute for all in ;

    • ’s effect on an in is extremely difficult to undo (invert) without knowing , i.e. if we are given an in which is the image of some in under () and where this is unknown then it is extremely difficult to compute without knowing .

  • There is a binary ‘product’ on the set of encrypted and decrypted message data which forms a group with unit 1 (identity element) over .

  • The decryption function distributes over the binary product on i.e. is a group homomorphism.

Let be the coin’s serial number, be the bank’s asymmetric encryption/decryption key pair, is a random element chosen from the group . The sender encrypts using the bank’s public key forming the blinding factor , and computes the product of the serial number with this blinding factor to form the blinded coin serial number:

The bank in turn signs the blinded serial number with its private key:

Returns the coin to the user who removes blinding factor:

The user now has a coin signed with the bank’s private key:

Ii-B Bitcoin and Blockchains

Bitcoin is a decentralized, pseudo-anonymous electronic cash scheme [2]. The Bitcoin protocol is decentralized in the sense that the participants collectively verify all of the transactions in the network. The security of Bitcoin is based around the assumptions that a majority of the nodes in the network are honest to protect against sybil attacks [7], and that the computational resources required to thwart the proof-of-work (PoW) algorithm will be greater than 50%.

All transactions on a Bitcoin network are stored in a public ledger known as the blockchain. The blockchain is an immutable, timestamped public ledger of all transactions that have ever been conducted on the Bitcoin network. A block in the blockchain consists of a block header and a number of associated individual transactions which are readable by all parties within the Bitcoin network.

The first block in the chain is known as the “genesis block”, followed by blocks that have been created by miners. Miners in the Bitcoin network are nodes that compete to try to be the first to add the next valid block into the blockchain, so that they can earn some bitcoins and or transaction fees. Valid transactions are irreversibly locked into the blockchain using the PoW [8] algorithm by the miners, who work for a reward for solving the next PoW problem.

Each new block contains one or more new transactions that have been received by the miner within a specified time interval (e.g. every ten minutes). These are repeatedly hashed in pairs to form a Merkle tree [9]. The root of the Merkle tree along with the hash of the previous block is stored in the block header thereby chaining all the blocks together. This ensures that a transaction cannot be changed without modifying the block that records it and all previous blocks. This property of the blockchain makes double spending of bitcoins difficult.

Alternative consensus mechanisms to forge the next block based on proof-of-stake (PoS) [10], directed acyclic graphs (DAGs) etc. have been gaining attention in the cryptographic community in recent years.

Iii System Overview

We combine a blind signature protocol, along with the discrete logarithm problem (DLP) and a distributed ledger to allow for the transfer of coins from one user to another, without the need for a TTP to approve the transactions. The design allows for multiple independent banks to operate and mint coins in the system, such that it mirrors current global financial networks.

Briefly a user creates a coin transaction with a number of parameters, the hash of which he blinds using a secret random quantity. He then presents this blinded hash to his bank along with his account details for the bank sign i.e. mint a coin. The bank deducts the user’s account for the value of the coin, signs the hash using its secret signing key for the specified value, and returns the signature. Each bank in the system will deposit the corresponding amount of fiat currency for the coins that it mints into a common escrow account monitored by the participating banks in the system111When a coin is deposited back into a user’s bank account, their account will be credited from the escrow account - thereby allowing users associated with different banks to accept coins from each other.

The user is able to remove the blinding factor and is left with a signed hash of the coin parameters. The user then forms the coin which includes the coin parameters in plaintext along with the bank’s signature. The coin is broadcast to the P2P network, and once its authenticity has been verified by the nodes in the network it is queued up by the mining nodes to be included in the next block.

In order for a user to transact with the coin they must reveal the secret DLP component to the payee who will locate the coin on the blockchain and verify that it belongs to the payer. The payee will then create a new coin transaction which will consist of a number of parameters including the revealed DLP secret, and a hash of the previous transaction, and will ask the payer to blindly sign a hash of the new transaction parameters in order to complete the coin transfer. The payee will then broadcast the new coin to the P2P network for verification and inclusion in the blockchain.

By including the secret DLP parameter and the hash of the previous transaction we are able to link various instances of the coin on the blockchain, and ensure that the coin is transferred correctly from one user to another. In essence our blockchain consists of a series of linked transactions associated with valid coins in the network.

In the subsequent sections we provide the reader with details of our coin structure, the coin minting process, and the steps involved in transferring a coin from a payer to a payee.

Iii-a Coin Structure

A coin in our system is a tuple which comprises of the coin transaction parameters in plaintext and the associated blind signature, where the blind signature is of the general form - where is the hash of the transaction.222In the case of first transaction the blind signature by the minting bank is of the form - where represents the fiat value of the coin. Each subsequent coin transaction entry on the blockchain reveals a secret quantity associated with the previous transaction (proving ownership of the coin to the intended recipient), and also ties in a new coin secret and public coin transfer key of the new owner - thereby transferring ownership of the coin. The first three components of the coin’s transaction parameters are used to uniquely index the coin within the global blockchain.


  • A serial number for the coin.

  • The fiat value associated with the coin.

  • The identifying financial institution that minted the coin.

  • A discrete logarithm which we denote as where:

    • is a large prime which allows the formation of the multiplicative group . must be chosen in such a way that the multiplicative group contains a large subgroup of prime cardinality (as the cardinality of is which is not prime). Doing this prevents Pholig-Hellman attack on the DLP [11].

    • Elements and from the subgroup with prime cardinality where is chosen to be a primitive element of the subgroup (which will exist because has been chosen to have prime cardinality).

    • is the secret quantity which must only be revealed when transferring the coin to another user.

  • is the DLP secret associated with the previous transaction.

  • The public key component of a RSA coin transfer key pair .

    • This is an ephemeral key pair which is generated by the current coin owner on a per transaction basis. This allows the owner of a coin to create a delegated signature when transferring the coin.

    • The public key is embedded into the coin transaction entry and is locked into the transaction by the blind signing of the previous coin’s owner or the bank when the coin is minted. During subsequent coin transfers each owner creates their own delegated signature on the transaction parameters, thereby eliminating the need to contact a TTP.

  • The hash of the previous transaction data .

The value is the DLP secret of the previous coin transaction and is only revealed when proving ownership of the coin. In the case of the value of is null as this is the first coin transaction. In addition, we chain all of the coin transactions on the blockchain together by including the hash of the previous transaction in the next transaction . Again for transaction the value of is null as it is the first coin transaction.

Iii-B Minting a Coin

Figure 1 shows the steps of how Alice gets her bank to blindly sign the first coin transaction where with its private signature key for a particular coin value .

Alice constructs the coin’s first transaction and then creates a hash of the transaction . She blinds this value with a random secret to construct , and sends this value to her bank along with her account number, and the value of the coin she requires.

Alice’s bank has a number of signature keys for different denominational values ($1, $5, $10, …), and uses the private signature key corresponding to the parameter supplied by Alice during the first message exchange333All communications between Alice and her bank are conducted over a secure channel (e.g. SSL), and the bank has no record of the coin transactions that it just signed,444It is Alice’s responsibility to ensure that she forms a correct coin transaction, as badly formed coins (e.g. where the parameter does not match the bank signature key ) will not be accepted as a valid coin by the other nodes in the system. The bank deducts the corresponding amount of fiat currency from Alice’s account, and signs the coin’s blinded first transaction with its private signature key . The bank then sends the blind signature in the second message exchange to Alice.

Fig. 1: Minting of Coins by a Bank

Alice removes her blinding factor from to reveal the hash of the coin’s first transaction signed by her bank. Alice now has the coin’s first transaction signed by her bank without having revealed the contents of the transaction parameters to the bank. Only she knows the DLP secret which must be revealed by her in order to prove ownership of the coin. In addition, she alone knows the private ephemeral coin transfer key which is used to transfer ownership of the coin to another user in the network. Alice broadcasts the newly minted coin on the P2P network to be included in the next transaction block of the global blockchain.

Iii-C Coin Transfer

A coin in our scheme is a “series of linked transactions” on the blockchain such that each subsequent coin transaction reveals the secret DLP parameter associated with the previous transaction which allows the payee to have the confidence that the payer is the owner of the coin. In addition, the transaction also consists of a signature by the previous owner assigning the coin to the new owner (i.e. payee) of the coin. This is achieved by the recipient by first downloading the latest version of the coin from the blockchain, using the coin’s public parameters as an index.

The first transaction is always signed by the bank whose public key for value 555 = $1, $5, $10 … is known to all participants in the network. A user that asked the bank to mint the coin embeds their public coin transfer key into the transaction . During subsequent coin transfers, the public key of the recipient of the coin is locked into the next transaction by the owner when they create a blind signature, using their coin transfer private key . We make use of a global ledger and the PoW algorithm to lock in valid coins into the blockchain, and prevent the double-spending of coins.

In order for Alice to transfer a coin to another user or spend coins at a merchant premises, she needs to fulfill the following two requirements:

  • Alice must be able to prove ownership of the coin that she trying to spend by revealing the DLP secret for the last transaction for the coin.

    • Once the recipient (Bob) has verified the DLP , he generates a new transaction to be signed with Alice’s private coin transfer key . He does this by applying Alice’s public coin transfer key to a random number to form a blinding factor 666Alice’s public coin transfer key can be found in the last coin instance on the blockchain.

    • Bob blinds the hash of his new coin transaction with the blinding factor to produce and sends this to Alice.

  • Alice must transfer the coin to Bob. Alice applies her private coin transfer key to to produce and returns the blindly signed value.

    • Bob removes to reveal the new coin transaction () signed with the private coin transfer key of Alice.

    • Bob broadcasts the new version of the coin to the P2P network to be included in the next transaction block on the blockchain. Only when Bob sees the new version of the coin appearing in the blockchain does he complete the transaction.

Fig. 2: Coin Transfer Protocol

Figure 2 shows in detail the coin transfer steps between Alice and Bob. In the first message exchange Alice sends the coin’s serial number , its value , the financial institution that minted the coin , and the DLP secret for the last transaction . Bob downloads the coin from the blockchain using the tuple as an index into the blockchain. He verifies that is the solution to the discrete logarithm problem of the last transaction . As Alice did previously, Bob generates a new coin transaction which consists of a new set of DLP parameters and secret such that , and a new ephemeral coin transfer key pair which are only know to him such that the next transaction is a follows:

The new transaction consists of the serial number , the value of the coin , the financial institution that minted the coin, Bob’s DLP public parameters , his public coin transfer key , the DLP secret for the previous transaction , and a hash of the previous transaction , thereby linking the two transactions together. He then blinds a hash of the new coin transaction by multiplying a blinding factor , where is a random number and is Alice’s public coin transfer key, which can be obtained from the previous transaction to produce . Alice blindly signs with her private coin transfer key and returns the blinded new transaction to Bob. Bob removes the blinding factor to reveal the new signed coin transaction and broadcasts the new coin to the P2P network.

Once the coin is locked into the blockchain Bob knows that the transaction on the coin has been accepted by the network as being valid and he can now spend the coin, as only he knows the two secret quantities that allow him to prove ownership of the coin, and to transfer the coin legitimately to another user.

Iii-D Size of Coins

We recall from section III-A, that a coin in our system has the structure whereby the first three parameters of the coin remain constant, while the transaction list grows with each coin transfer:


  • Params - 3 256 bits

  • DLP public params - 3 1024 bits

  • Public key modulus - 2048 bits

  • Public key exponent and DLP secret - 2 256 bits

  • Hash of previous transaction - 256 bits

  • Blind signature - 2048 bits

We require 1088 bytes of storage for each instance of the coin on the blockchain. A user stores the tuple for each coin that they currently own - which amounts to the No. of coins 256+1024+2048 bits or 416 bytes of storage.

Iv Conclusion

In this paper, we have presented an electronic cash scheme with unlimited transferability of coins. Our scheme prevents double-spending of coins within the system by making use of a blockchain to lock-in all valid transactions into a global ledger.


  • [1] B. Bennett, D. Conover, S. OBrien, and R. Advincula, “Cash Continues to Play a Key Role in Consumer Spending: Evidence from the Diary of Consumer Payment Choice”, San Francisco Federal Reserve Bank, April 2014.
  • [2] S. Nakamoto, “Bitcoin: A Peer-to-Peer Electronic Cash System”, http://www.bitcoin.org, 2008.
  • [3] G. Hileman and M. Rauchs, “Global Cryptocurrency Benchmarking Study”, University of Cambridge - Judge Business School, 2017.
  • [4] D. Chaum, “Blind Signatures for Untraceable Payments”, In D. Chaum, R. Rivest, and A. Sherman, editors, Advances in Cryptology - CRYPTO 82, Lecture Notes in Computer Science, pages 199-203, Springer-Verlag,1982.
  • [5] M. Abe, T. Okamoto, “Provably Secure Partially Blind Signatures”, In: Bellare M. (eds) Advances in Cryptology Ñ CRYPTO 2000, vol 1880, Lecture Notes in Computer Science, pages 271-286, Springer-Verlag, 2000.
  • [6] D. Chaum, A. Fiat and M. Naor, “Untraceable Electronic Cash”, In S. Goldwasser, editor, Advances in Cryptology - CRYPTO 88, vol 403, Lecture Notes in Computer Science, pages 319-327, Springer-Verlag,1988.
  • [7] J. Douceur, “The Sybil Attack”, Proceedings of First International Workshop, IPTPS 2002, Peer-to-Peer Systems, Springer-Verlag, pages 251-260, 2002.
  • [8] A. Black, “Hashcash Proof-of-Work System”, http://www.hashcash.org/, May 1997.
  • [9] R.C. Merkle,“Protocols for Public Key Cryptosystems”, Proceedings of the Symposium on Security and Privacy, IEEE Computer Society, pages 122-133, April 1980.
  • [10] V. Buterin, “Proof of Stake: How I Learned to Love Weak Subjectivity”, Etherum Blog, https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/.
  • [11] S. Pohlig and M. Hellman, “An Improved Algorithm for Computing Logarithms over GF(p) and its Cryptographic Significance”, IEEE Transactions on Information Theory, vol 24, pages 106-110, Jan 1978.