
The Protocol

 



Figure 5: Simplified digital cash protocol.

Figure 5 contains our simplified digital cash protocol. The protocol consists of three parts: withdrawal of the coin (steps 1-2), spending of the coin (steps 3-6), and coin deposit (steps 7-8). We now describe each step in turn. The consumer C starts the protocol by requesting a withdrawal from the bank. The bank B responds with an electronic coin of the requested value. Before spending it, C "blinds" the coin to prevent the bank from tracing her payments. To spend the coin, C sends the coin to merchant M, and then responds to a challenge randomly selected by M (importantly, C maintains certain secret information about the coin so that only C can correctly respond to a random challenge). M locally verifies the consistency of the challenge/response pair, and then sends the goods. Finally, M deposits the coin by sending the coin and challenge/response pair to B, who responds with a deposit slip, assuming the coin is valid.

Observe that the essential part of spending the coin is not sending the coin to M, but responding to M's challenge. A consumer must take care not to respond to two different challenges for the same coin, because this will be considered evidence of fraudulent double spending: two challenge/response pairs for one coin are (with very high probability) sufficient for the bank to recover the identity of the consumer.
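
The double-spending argument above, as an added example that is not from the paper: the page does not give the response function, so this sketch assumes a Schnorr-style linear response r = k + c*u mod Q over a toy group, with hypothetical names (`mint`, `respond`, `verify`, `Bank`) and constructed sample values. It shows the bank recovering the consumer's identity secret from two challenge/response pairs for one coin, and the equal-challenge case in which it cannot.

```python
from dataclasses import dataclass

# Toy group, far too small for real use (assumption): P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

@dataclass(frozen=True)
class Coin:
    serial: int        # public coin identifier
    id_commit: int     # G^u mod P, u = consumer identity secret
    nonce_commit: int  # G^k mod P, k = per-coin secret

def mint(serial, u, k):
    """Stand-in for withdrawal (steps 1-2); bank signature and blinding omitted."""
    return Coin(serial, pow(G, u, P), pow(G, k, P))

def respond(u, k, challenge):
    """Step 5: only the holder of (u, k) can answer a random challenge."""
    return (k + challenge * u) % Q

def verify(coin, challenge, response):
    """M's local check, repeated by B on deposit: G^r == G^k * (G^u)^c mod P."""
    rhs = coin.nonce_commit * pow(coin.id_commit, challenge, P) % P
    return pow(G, response, P) == rhs

class Bank:
    def __init__(self):
        self.deposits = {}  # serial -> (challenge, response) of the first deposit

    def deposit(self, coin, challenge, response):
        """Steps 7-8: return (status, recovered identity secret or None)."""
        challenge %= Q
        if not verify(coin, challenge, response):
            return ("rejected", None)
        if coin.serial not in self.deposits:
            self.deposits[coin.serial] = (challenge, response)
            return ("deposit-slip", None)
        c1, r1 = self.deposits[coin.serial]
        if c1 == challenge:
            # Same challenge twice: only one equation, identity stays hidden.
            return ("duplicate-transcript", None)
        # Two equations r = k + c*u (mod Q) in two unknowns: eliminate k.
        u = (r1 - response) * pow((c1 - challenge) % Q, -1, Q) % Q
        return ("double-spend", u)

if __name__ == "__main__":
    bank, u, k = Bank(), 123, 456          # constructed sample secrets
    coin = mint(serial=1, u=u, k=k)
    print(bank.deposit(coin, 17, respond(u, k, 17)))    # first merchant
    print(bank.deposit(coin, 900, respond(u, k, 900)))  # second merchant
```

With challenges drawn uniformly from a group of realistic size, two merchants picking the same challenge is the rare case behind the "very high probability" qualifier.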

The protocol is clearly not goods atomic because M can omit step 6 but still deposit the coin. Also, note that the withdrawal part of the protocol (the first two messages) actually consists of a cut-and-choose protocol that involves a large number of message exchanges. These details are irrelevant for our analysis and are omitted.



TOM Comversion
Sat Oct 5 08:55:54 EDT 1996