Skip to content

How to make a mint: the cryptography of anonymous electronic cash

Spread the love


In 1996, the US government released a white paper entitled, “How to make a mint: the cryptography of anonymous electronic cash.” Released by the National Security Agency Office of Information Security Research and Technology, this document basically explains how a government agency could create something like Bitcoin or another cryptocurrency.

I encourage those interested to read the contents of the link above. This document was released during the dawn of the bubble before the technology existed to create such a currency. The NSA quickly realized that it could weaponize this technology to create a cashless society.

As explained in the introduction:

“Among the most important uses of this technology is electronic commerce: performing financial transactions via electronic information exchanged over telecommunications lines. A key requirement for electronic commerce is the development of secure and efficient electronic payment systems. The need for security is highlighted by the rise of the Internet, which promises to be a leading medium for future electronic commerce.

Electronic payment systems come in many forms including digital checks, debit cards, credit cards, and stored value cards. The usual security features for such systems are privacy (protection from eavesdropping), authenticity (provides user identification and message integrity), and nonrepudiation (prevention of later denying having performed a transaction) .

The type of electronic payment system focused on in this paper is electronic cash. As the name implies, electronic cash is an attempt to construct an electronic payment system modelled after our paper cash system. Paper cash has such features as being: portable (easily carried), recognizable (as legal tender) hence readily acceptable, transferable (without involvement of the financial network), untraceable (no record of where money is spent), anonymous (no record of who spent the money) and has the ability to make "change." The designers of electronic cash focused on preserving the features of untraceability and anonymity. Thus, electronic cash is defined to be an electronic payment system that provides, in addition to the above security features, the properties of user anonymity and payment untraceability..

In general, electronic cash schemes achieve these security goals via digital signatures. They can be considered the digital analog to a handwritten signature. Digital signatures are based on public key cryptography. In such a cryptosystem, each user has a secret key and a public key. The secret key is used to create a digital signature and the public key is needed to verify the digital signature. To tell who has signed the information (also called the message), one must be certain one knows who owns a given public key. This is the problem of key management, and its solution requires some kind of authentication infrastructure. In addition, the system must have adequate network and physical security to safeguard the secrecy of the secret keys.”


The introduction goes on to discuss the reasons they could present to the public to switch to a cashless society, including money laundering, convenience, and security. “The term electronic commerce refers to any financial transaction involving the electronic transmission of information. The packets of information being transmitted are commonly called electronic tokens,” the paper continues.

The NSA states that it would like to use “user identification” and “message integrity” to protect privacy in “nonrepudiation” transactions. “Eavesdropping” concerns appear numerous times throughout the document, which could be prevented by “not just privacy but anonymity” in the form of “payer anonymity” and “payment untraceability.” The government clearly states that hard currency, cash, provided these luxuries but could not be traced by the banks and, therefore, the government.

Again, this was released in 1996 before basic online banking. The document outlines basic online banking but takes it a step further by explaining how they could seemingly make payments seem “untraceable” to the public using “blind signatures” that allegedly cannot be seen by the bank. “This step is called “blinding” the coin, and the random quantity is called the blinding factor. The Bank signs this random-looking text, and the user removes the blinding factor.”

PROTOCOL 3: Untraceable On-line electronic payment.


  •      Alice creates an electronic coin and blinds it.
  •      Alice sends the blinded coin to the Bank with a withdrawal request.
  •      Bank digitally signs the blinded coin.
  •      Bank sends the signed blinded coin to Alice and debits her account.
  •      Alice unblinds the signed coin.


  •      Alice gives Bob the coin.
  •      Bob contacts Bank and sends coin.
  •      Bank verifies the Bank’s digital signature.
  •      Bank verifies that coin has not already been spent.
  •      Bank enters coin in spent-coin database.
  •      Bank credits Bob’s account and informs Bob.
  •      Bob gives Alice the merchandise.

“This makes remote transactions using electronic cash totally anonymous: no one knows where Alice spends her money and who pays her.” Full “payment anonymity” would be “too much to ask”, thus, “we are forced to settle for payer anonymity.” In other words, the illusion that no one knows who is making the transaction.

PROTOCOL 5: Off-line cash.


  •      Alice creates an electronic coin, including identifying information.
  •      Alice blinds the coin.
  •      Alice sends the blinded coin to the Bank with a withdrawal request.
  •      Bank verifies that the identifying information is present.
  •      Bank digitally signs the blinded coin.
  •      Bank sends the signed blinded coin to Alice and debits her account.
  •      Alice unblinds the signed coin.


  •      Alice gives Bob the coin.
  •      Bob verifies the Bank’s digital signature.
  •      Bob sends Alice a challenge.
  •      Alice sends Bob a response (revealing one piece of identifying info).
  •      Bob verifies the response.
  •      Bob gives Alice the merchandise.


  •      Bob sends coin, challenge, and response to the Bank.
  •      Bank verifies the Bank’s digital signature.
  •      Bank verifies that coin has not already been spent.
  •      Bank enters coin, challenge, and response in spent-coin database.
  •      Bank credits Bob’s account.

Note that, in this protocol, Bob must verify the Bank’s signature before giving Alice the merchandise. In this way, Bob can be sure that either he will be paid or he will learn Alice’s identity as a multiple spender.

The government begins to explain basic blockchain concepts, or at least how they’d like them to occur.

“When Alice spends her coins with Bob, his challenge to her is a string of K random bits. For each bit, Alice sends the appropriate piece of the corresponding pair. For example, if the bit string starts 0110. . ., then Alice sends the first piece of the first pair, the second piece of the second pair, the second piece of the third pair, the first piece of the fourth pair, etc. When Bob deposits the coin at the Bank, he sends on these K pieces.

If Alice re-spends her coin, she is challenged a second time. Since each challenge is a random bit string, the new challenge is bound to disagree with the old one in at least one bit. Thus Alice will have to reveal the other piece of the corresponding pair. When the Bank receives the coin a second time, it takes the two pieces and combines them to reveal Alice's identity…

Zero-Knowledge Proofs. The term zero-knowledge proof refers to any protocol in public-key cryptography that proves knowledge of some quantity without revealing it (or making it any easier to find it). In this case, Alice creates a key pair such that the secret key points to her identity. (This is done in such a way the Bank can check via the public key that the secret key in fact reveals her identity, despite the blinding.) In the payment protocol, she gives Bob the public key as part of the electronic coin. She then proves to Bob via a zero-knowledge proof that she possesses the corresponding secret key. If she responds to two distinct challenges, the identifying information can be put together to reveal the secret key and so her identity.”

The document then discusses ways to blind the signature, so that the payee may remain anonymous. Now, why would the government allow that to occur? “Even in anonymous, untraceable payment schemes, the identity of the multiple-spender can be revealed when the abuse is detected. Detection after the fact may be enough to discourage multiple spending in most cases, but it will not solve the problem. If someone were able to obtain an account under a false identity, or were willing to disappear after re-spending a large sum of money, they could successfully cheat the system.”


The document even discusses what we now would refer to as a crypto wallet. A seemingly safe offline method to store these electronic coins. They explain that at least one party must always reveal their hand. “When a coin is spent, the spender uses his secret to create a valid response to a challenge from the payee. The payee will verify the response before accepting the payment. In Brands’ scheme with wallet observers, this user secret is shared between the user and his observer. The combined secret is a modular sum of the two shares, so one share of the secret reveals no information about the combined secret.”


Who is the “observer” in this scenario? “An observer could also be used to trace the user’s transactions at a later time, since it can keep a record of all transactions in which it participates. However, this requires that the Bank (or whoever is doing the tracing) must be able to obtain the observer and analyze it. Also, not all types of observers can be used to trace transactions.”

In the event that a transaction was compromised, the bank would have to change its secret key and “INVALIDATE ALL COINS.”

The authors explain that tax evasion, per usual, is the key concern. They mention money laundering and “old crimes such as kidnapping and blackmail” as reasons to allow backdoor entry. Restoring traceability was a proposed solution, and if they could restore traceability in the first place, one must question if the payments were ever truly anonymous. Using Alice as their example, they explain that they could simply issue a warrant and track all her payment history. “Back~ard traceability is the ability to identify a withdrawal record (and hence the payer), given a deposit record (and hence the identity of the payee). Backward tracing will reveal who Alice has been receiving payments from.”

So, while the bank only sees the deposit in encrypted form, the public key must be used for withdrawal. “The ability to trace transactions in either direction can help law enforcement officials catch tax evaders and money launderers by revealing who has paid or has been paid by the suspected criminal. Electronic blackmailers can be caught because the deposit numbers of the victim’s ill-gotten coins could be decrypted, identifying the blackmailer when the money is deposited.”

“In conclusion, the potential risks in electronic commerce are magnified when anonymity is present. Anonymity creates the potential for large sums of counterfeit money to go undetected by preventing the identification of forged coins. Anonymity also provides an avenue for laundering money and evading taxes that is difficult to combat without resorting to escrow mechanisms. Anonymity can be provided at varying levels, but increasing the level of anonymity also increases the potential damages. It is necessary to weigh the need for anonymity with these concerns. It may well be concluded that these problems are best avoided by using a secure electronic payment system that provides privacy, but not anonymity.”

The US government released this document in 1996, 27 years ago. Bitcoin was allegedly anonymously created in 2009, and numerous other blockchain-based payment coins have followed. This, paired with the push for CBDC, where the government simply does not need to pretend payments are anonymous, should make one question the security and longevity of cryptocurrencies.