1994-03-25 - Re: Digital Cash

Header Data

From: tcmay@netcom.com (Timothy C. May)
To: cypherpunks@toad.com
Message Hash: b9bcc330ef67da0f0ac96a71799523011f06c61d54ac21b2e381a30a4143e366
Message ID: <199403250739.XAA05683@mail.netcom.com>
Reply To: <199403242359.PAA17401@mail.netcom.com>
UTC Datetime: 1994-03-25 07:25:29 UTC
Raw Date: Thu, 24 Mar 94 23:25:29 PST

Raw message

From: tcmay@netcom.com (Timothy C. May)
Date: Thu, 24 Mar 94 23:25:29 PST
To: cypherpunks@toad.com
Subject: Re: Digital Cash
In-Reply-To: <199403242359.PAA17401@mail.netcom.com>
Message-ID: <199403250739.XAA05683@mail.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain

I'm having a hard time understanding the approach to digital money
that Mike Duvos described here.

Mike writes:

> If multiple transactions involving the same instrument reveal the 
> double-spender, then appropriate action may be taken.  One could
> of course do the exact same transaction twice with the exact same person 
> using identical copies of the tamperproof module, but that would
> yield no more data than having done the transaction only one time, and 
> certainly wouldn't create any additional value.

The whole issue with digital cash has been centered around exactly
this issue: detecting double-spending or, more properly, finding ways
to give the receiver of such digital cash high confidence that the
digital cash he receives will be honored/redeemed/converted to other
forms of money.

As David Chaum puts it, "there is no digital coin." That is, there is
no representation of "digital money" that behaves like an
unforgeable coin. So far as we know, of course.

If Frank the Forger, to pick a standard sort of crypto example, takes
a set of bits (possibly made with the elaborate system Mike Duvos
described in an earlier posting) and copies that set of bits n times
and then "spends" them n times, how can any of his recipients know
that parallel transactions are happening, that the "same" money is
being spent n times and that it is very likely that n - 1 of the
recipients will be screwed?

One approach is online clearing. Essentially, Roger the Recipient
insists on "clearing" the digital money at the point of transaction,
ensuring that some form of money he trusts (may be real money, the
word of his banker, coupons, whatever) has been transferred into his
account. At that point, the transaction is completed and Roger could
care less about what happens later. (This is still a useful protocol,
especially has communications bandwidths increase, as physical
anonymity--the main feature of cash--is still possible. And the
transfers are electronic, so stealable amounts of physical cash need
not be carried, locked up, etc.)

This approach resembles wire transfers of money, checks with immediate
clearing, and lots of other financial instruments of one flavor or

The other main approach is to build in to the blinding protocols which
protect anonymity ways to detect the identity of those who spend a
unit of digital money more than the specified number of times. "Double
spenders" is the common term. This can avoid online clearing, but at
the expense of additional protocol complexity and some peculiar
wrinkles which can develop.

Hal Finney has several times posted summaries of this approach and the
issues involved.

I must be missing something in Mike Duvos's explanation of how the
system he describes can be used as a "digital coin" (my terminology,
after Chaum). I can see the use for protecting algorithms--indeed,
executable code that cannot be disassembled practically is the main
way many programs are currently "protected" (that's what we mean when
we say "source" is or is not provided). I just can't see how some set
of bits representing a piece of money, however complex the bits may
be, are protected from being copied and "spent" multiple times.

Think of this form of digital money as the combination to a train
locker containing money, or as a treasure map: whoever uses the number
_first_ to get to the money, gets it. The others are out of luck.

They may try to go after the guy who double-crossed them, but remember
that he has anonymity (else, why bother?).

Reputations do matter, of course, even digital reputations
(_especially_ digital reputations, actually), and there are some
fascinating approaches to digital money that involve third-party
anonymous escrow services, reputation capital, etc.

Lots of work to be done, and the crypto folks are generally now
working on these issues of markets, reputations, and webs of trust.

--Tim May

Timothy C. May         | Crypto Anarchy: encryption, digital money,  
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."