1994-03-25 - Re: Digital Cash

Header Data

From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: faba5a340cf9fb665f0b9ab7a74356aef436239f3730d79b8439662b5f188233
Message ID: <199403251556.HAA22964@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1994-03-25 15:44:27 UTC
Raw Date: Fri, 25 Mar 94 07:44:27 PST

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Fri, 25 Mar 94 07:44:27 PST
To: cypherpunks@toad.com
Subject: Re: Digital Cash
Message-ID: <199403251556.HAA22964@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


I sent mail to Stefan Brands yesterday asking about what kind of information
is retained by the (hardware-based) observer in his digital cash system.
Brands has worked with Chaum in the past and is now seeking funding (via
Usenet, apparently) for development of his own digital cash and anonymous
transaction technology, which he claims is greatly improved over existing
systems in terms of memory and computation requirements.

Brands explained that the way his system works, the user *never* has all
the information needed to represent the "digital coin".  Instead, the
user has part of the information, and the tamper-resistant observer chip
has the other part.  To spend the coin, the user and the chip have to
cooperate in the protocol.  Then the chip can mark its own information about
that coin as having been spent, or even erase it altogether.  It is this
change in the internal state of the observer chip which lets it prevent
double-spending (and which arguably could be defeated in any software rep-
resentation of an observer).

I have always been skeptical of this observer-chip approach, because it
wasn't clear that it was feasible to make a tamper-resistant chip
economically, and because the specialized hardware that would be
required would prevent the system from being used on widely-available
PCs.  However, now we see that our military rulers apparently trust
tamper-resistant technology well enough to put it into thousands of
public hands, without fear that even one chip will be opened and read.
Breaking an observer only lets you double-spend the coins it holds,
while breaking Clipper allows you to permanently defeat the escrow
provisions of the whole system.  So this suggests that the technology
is adequate for observers.

As for the specialized hardware, probably a more realistic picture of the
digital cash user of the future is someone holding a PDA in his hand, with
possibly an infrared or cellular modem link, rather than the hacker sitting at
home in front of his PC.  In that context it may be realistic to imagine
custom PDA's which support secure offline cash as a practical product.

Hal






Thread