1993-08-27 - Digital Gold, a bearer instrument?

Header Data

From: hfinney@shell.portal.com
To: cypherpunks@toad.com
Message Hash: 244b3246a193766c04ff5fc4d49f4f663ea9389d403e1b8c314f5c070eccaa17
Message ID: <9308270511.AA25625@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1993-08-27 05:23:12 UTC
Raw Date: Thu, 26 Aug 93 22:23:12 PDT

Raw message

From: hfinney@shell.portal.com
Date: Thu, 26 Aug 93 22:23:12 PDT
To: cypherpunks@toad.com
Subject: Digital Gold, a bearer instrument?
Message-ID: <9308270511.AA25625@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


][adon Nash's digital gold concept is interesting, however I think it is
harder to use than existing cash systems in the literature.

In order to know whether to accept a given piece of digital gold in payment
for a product or service, a vendor must check a central database which
records all transactions anywhere in the world.  It must trace through
the chain of possession for that piece of digital gold in order to verify
that the ownership is legitimate.

In particular, if the person passing the gold is a cheater he may be spending
it twice, perhaps very close together in time.  This means that the database
must be updated and checked in real time.

This is the same communications requirement for the simplest form of
digital cash based on Chaum blinded signatures.  We have discussed this
cash several times on this list.  It is basically just an RSA-signed
certificate from a trusted bank, but one which has had the "blinding"
technique (which Karl has been describing) applied so that the bank won't
recognize the cash when it is returned.  For a vendor to know whether
to accept a digital coin, he has to check with the bank to make sure the
coin hasn't been spent before.  This is analogous to ][adon's check of
the gold-claim database.  The bank's job seems somewhat easier, as it
just has to look up whether the coin's number is present in a list.

Also, Chaum provides "offline" variants on his system in which the vendor
just trusts the person passing the cash, because he knows that if the
customer cheats, his anonymity will be automatically broken and he can be
sued.  It's not clear how the digital gold approach could provide any
such generalization.

As for the notion of transferring assets from person to person, using
aliases to provide for privacy, this has been discussed by Barry Hayes
in Anonymous One-Time Signatures and Flexible Untraceable Electronic
Cash, in the AusCrypt proceedings.  He describes a system, in some ways
an elaboration of Chaum's ideas, which works like checks which get
endorsed from person to person.  Just the other day I got a check which
was made out to person A but endorsed over to me.  I could endorse it
over to someone else if I want.  This chain can continue until someone
cashes it.  Hayes's system, like Chaum's, retains anonymity as long as
no one cheats.  If someone tries to pass the same check twice, their
identity will be revealed.

It's too bad that these papers aren't more widely available.  The math is
not that complicated.  If you can understand RSA, you can understand
digital cash, at least the simpler systems.  But the papers are mostly
only in the crypto proceedings, and not all libraries have them.

I have to say, though, that although I don't really think the digital
gold proposal is technically feasible, the proposal to own numbers shows
tremendous chutzpah and is quite creative.

Hal Finney
hfinney@shell.portal.com





Thread