1993-11-07 - Real-world digicash

Header Data

From: Mike Ingle <MIKEINGLE@delphi.com>
To: cypherpunks@toad.com
Message Hash: c58c4d91f249d5892bc4d7083a046a52e4e45c7983d9622489b7b4081d73d61f
Message ID: <01H50ID1IWXU9AN48T@delphi.com>
Reply To: N/A
UTC Datetime: 1993-11-07 06:58:05 UTC
Raw Date: Sat, 6 Nov 93 22:58:05 PST

Raw message

From: Mike Ingle <MIKEINGLE@delphi.com>
Date: Sat, 6 Nov 93 22:58:05 PST
To: cypherpunks@toad.com
Subject: Real-world digicash
Message-ID: <01H50ID1IWXU9AN48T@delphi.com>
MIME-Version: 1.0
Content-Type: text/plain

I've been reading digicash papers lately, and it appears there are three
approaches to preventing double-spending:

1) Catch the cheater after the fact, by matching up two copies of the
   same coin in such a way as to reveal his identity. This requires a
   challenge-response sequence between the user and the shop.

2) Combine (1) with an observer, a piece of secure hardware which
   signs transfers and prevents double spending.

3) Use an online server which checks off coins as they are spent.

After-the-fact detection probably won't fly, because organized multiple
spending could kill it. There are people who are dumb enough to write
their PIN numbers on their ATM cards. Such people will also be careless
with their digicash and any secret keys used to protect it. A thief could
compromise a few coins belonging to such careless people, distribute
them to a network of many thieves, and spend them hundreds of times before
being detected. This would make the shops either abandon digicash or
refuse to deliver merchandise until the coins cleared the bank, making it
effectively an online system. Using this type of digicash over the net
would be particularly troublesome. A person receiving a double-spent coin
would be in the same situation as a person receiving a bad check from
another state. Legally, he has all kinds of rights. Practically, he is
flat out of luck. It will cost him more to take action than the amount
of the coin or check.
Observer-based protocols can protect privacy. All data going to and from
the observer is blinded by the user's software so the observer cannot
learn anything about the user. The design of the observer can be public;
the only secret in the observer is a key. Observer-based protocols also
include the after-the-fact detection, so anyone who cracked his observer
(i.e. extracted the secret key) would still be caught later. To cheat,
you would have to steal someone else's observer, extract the key, and use
it. If the time required to crack an observer was longer than what it
would take a person to notice and report his stolen observer, fraud would
be uncommon. Because the observer is hard to crack, it would be much like
counterfeiting paper money: possible, but requiring a large organization
to be profitable. Such an organization would be susceptible to traditional
methods of law enforcement.

Since observers require hardware, this method cannot easily be used on a
guerrilla basis. The banking industry could do it, but since people are
willing to use credit cards, which are online, insecure, and a
dossier-builder's dream, there is no particular motive for the banks
to create such a system. Most people, if surveyed, will say that they
are concerned about their privacy. But when made to choose between
privacy and convenience, they choose convenience.

That leaves online digicash as the most practical system for use on the
net right now. Online digicash will probably be the only system
trustworthy enough for large transactions in any case. Are there any
published online systems which include strong privacy and which allow
multiple banks/servers? NetCash does not provide strong anonymity;
the user has to trust the coin issuer not to record who gets which coins.
An investigator could go to the coin issuer and demand that the issuer
track a particular user's coins.

--- MikeIngle@delphi.com