Thursday, December 14, 2017

That Time The National Security Agency Invented Bitcoin

One of the commenters in the post immediately below, "The FT's Izabella Kaminska Explores the Numéraire and Why It Matters" mentions the fairly widely known fact that the NSA is the home of the SHA-2 (Secure Hash Algorithm 2) and includes the link.

There is another link that I think is even more interesting, this one hosted at:
The link goes to:

Anonymous: Fried, Frank got NSA's permission to make this report available. They have offered to make copies available by contacting them at <21stcen""> or (202) 639-7200. See:

Received October 31, 1996

With the Compliments of Thomas P. Vartanian
Fried, Frank, Harris, Schriver & Jacobson
1001 Pennsylvania Avenue, N.W.
Washington, D.C. 20004-2505
Telephone: (202) 639-7200


Laurie Law, Susan Sabett, Jerry Solinas
National Security Agency Office of Information Security Research and Technology
Cryptology Division
18 June 1996

1.1 Electronic Payment
1.2 Security of Electronic Payments
1.3 Electronic Cash
1.4 Multiple Spending
2.1 Public-Key Cryptographic Tools
2.2 A Simplified Electronic Cash Protocol
2.3 Untraceable Electronic Payments
2.4 A Basic Electronic Cash Protocol
3.1 Including Identifying Information
3.2 Authentication and Signature Techniques
3.3 Summary of Proposed Implementations
4. 1 Transferability
4.2 Divisibility
5.1 Multiple Spending Prevention
5.2 Wallet Observers
5.3 Security Failures
5.4 Restoring Traceability


With the onset of the Information Age, our nation is becoming increasingly dependent upon network communications. Computer-based technology is significantly impacting our ability to access, store, and distribute information. Among the most important uses of this technology is electronic commerce: performing financial transactions via electronic information exchanged over telecommunications lines. A key requirement for electronic commerce is the development of secure and efficient electronic payment systems. The need for security is highlighted by the rise of the Internet, which promises to be a leading medium for future electronic commerce.

Electronic payment systems come in many forms including digital checks, debit cards, credit cards, and stored value cards. The usual security features for such systems are privacy (protection from eavesdropping), authenticity (provides user identification and message integrity), and nonrepudiation (prevention of later denying having performed a transaction) .

The type of electronic payment system focused on in this paper is electronic cash. As the name implies, electronic cash is an attempt to construct an electronic payment system modelled after our paper cash system. Paper cash has such features as being: portable (easily carried), recognizable (as legal tender) hence readily acceptable, transferable (without involvement of the financial network), untraceable (no record of where money is spent), anonymous (no record of who spent the money) and has the ability to make "change." The designers of electronic cash focused on preserving the features of untraceability and anonymity. Thus, electronic cash is defined to be an electronic payment system that provides, in addition to the above security features, the properties of user anonymity and payment untraceability..

In general, electronic cash schemes achieve these security goals via digital signatures. They can be considered the digital analog to a handwritten signature. Digital signatures are based on public key cryptography. In such a cryptosystem, each user has a secret key and a public key. The secret key is used to create a digital signature and the public key is needed to verify the digital signature. To tell who has signed the information (also called the message), one must be certain one knows who owns a given public key. This is the problem of key management, and its solution requires some kind of authentication infrastructure. In addition, the system must have adequate network and physical security to safeguard the secrecy of the secret keys.

This report has surveyed the academic literature for cryptographic techniques for implementing secure electronic cash systems. Several innovative payment schemes providing user anonymity and payment untraceability have been found. Although no particular payment system has been thoroughly analyzed, the cryptography itself appears to be sound and to deliver the promised anonymity.
These schemes are far less satisfactory, however, from a law enforcement point of view. In particular, the dangers of money laundering and counterfeiting are potentially far more serious than with paper cash. These problems exist in any electronic payment system, but they are made much worse by the presence of anonymity. Indeed, the widespread use of electronic cash would increase the vulnerability of the national financial system to Information Warfare attacks. We discuss measures to manage these risks; these steps, however, would have the effect of limiting the users' anonymity.

This report is organized in the following manner. Chapter 1 defines the basic concepts surrounding electronic payment systems and electronic cash. Chapter 2 provides the reader with a high level cryptographic description of electronic cash protocols in terms of basic authentication mechanisms. Chapter 3 technically describes specific implementations that have been proposed in the academic literature. In Chapter 4, the optional features of transferability and divisibility for off-line electronic cash are presented. Finally, in Chapter 5 the security issues associated with electronic cash are discussed.

The authors of this paper wish to acknowledge the following people for their contribution to this research effort through numerous discussions and review of this paper: Kevin Igoe, John Petro, Steve Neal, and Mel Currie.


We begin by carefully defining "electronic cash." This term is often applied to any electronic payment scheme that superficially resembles cash to the user. In fact, however, electronic cash is a specific kind of electronic payment scheme, defined by certain cryptographic properties. We now focus on these properties....