From: jim@bilbo.suite.com (Jim Miller)
Date: Tue, 6 Sep 94 15:00:30 PDT
To: cypherpunks@toad.com
Subject: Digital Cash mini-FAQ for the layman
Message-ID: <9409062159.AA04339@bilbo.suite.com>
MIME-Version: 1.0
Content-Type: text/plain



I recently wrote a description of digital cash for Tom Steinert-Threlkeld,  
Technology Writer for the Dallas Morning News.  I figured I might as well  
post it here in case there are any newbies that are still coming up to  
speed.  Keep in mind that my intended audience is a person who is in touch  
with the latest commercially available technology, but is not an engineer,  
mathematician, or scientist.  I've intentionally generalized and  
oversimplified the descriptions to keep from getting bogged down in the  
details.  If I've made any gross errors let me know, but I think most of  
the information is accurate.


Q: How is digital cash possible?
A: Public-key cryptography and digital signatures (both blind and  
non-blind signatures) make digital cash possible.  It would take too long  
to go into detail how public-key cryptography and digital signatures work.   
But the basic gist is that banks and customers would have public-key  
encryption keys.  Public-key encryption keys come in pairs.  A private key  
known only to the owner, and a public key, made available to everyone.   
Whatever the private key encrypts, the public key can decrypt, and vice  
verse.  Banks and customers use their keys to encrypt (for security) and  
sign (for identification) blocks of digital data that represent money  
orders.  A bank "signs" money orders using its private key and customers  
and merchants verify the signed money orders using the bank's widely  
published public key.  Customers sign deposits and withdraws using their  
private key and the bank uses the customer's public key to verify the  
signed withdraws and deposits.  


Q: Are there different kinds of digital cash?
A: Yes.  In general, there are two distinct types of digital cash:  
identified digital cash and anonymous digital cash.  Identified digital  
cash contains information revealing the identity of the person who  
originally withdrew the money from the bank.  Also, in much the same  
manner as credit cards, identified digital cash enables the bank to track  
the money as it moves through the economy.  Anonymous digital cash works  
just like real paper cash.  Once anonymous digital cash is withdrawn from  
an account, it can be spent or given away without leaving a transaction  
trail.  You create anonymous digital cash by using numbered bank accounts  
and blind signatures rather than fully identified accounts and non-blind  
signatures.

[To better understand blind signatures and their use with digital cash, I  
highly recommend skimming through chapters 1 - 6 of Bruce Schneier's book  
_Applied Cryptography_ (available at Taylor's Technical Books).  It is  
quite readable, even to the layman.  He doesn't get into the heavy-duty  
math until later in the book.  Even if you don't write a digital cash  
column in the near future, I still recommend reading through chapters 1 -  
6 of _Applied Cryptography_.  Bruce does a very good job of describing the  
wide variety of interesting things you can do when you combine computers,  
networks, and cryptography.]

There are two varieties of each type of digital cash: online digital cash  
and offline digital cash.  Online means you need to interact with a bank  
(via modem or network) to conduct a transaction with a third party.   
Offline means you can conduct a transaction without having to directly  
involve a bank.  Offline anonymous digital cash is the most complex form  
of digital cash because of the double-spending problem.

Q: What is the double-spending problem?
A: Since digital cash is just a bunch of bits, a piece of digital cash is  
very easy to duplicate.  Since the copy is indistinguishable from the  
original you might think that counterfeiting would be impossible to  
detect.  A trivial digital cash system would allow me to copy of a piece  
of digital cash and spend both copies.  I could become a millionaire in a  
matter of a few minutes.  Obviously, real digital cash systems must be  
able to prevent or detect double spending.

Online digital cash systems prevent double spending by requiring merchants  
to contact the bank's computer with every sale.  The bank computer  
maintains a database of all the spent pieces of digital cash and can  
easily indicate to the merchant if a given piece of digital cash is still  
spendable.  If the bank computer says the digital cash has already been  
spent, the merchant refuses the sale.  This is very similar to the way  
merchants currently verify credit cards at the point of sale.

Offline digital cash systems detect double spending in a couple of  
different ways.  One way is to create a special smart card containing a  
tamper-proof chip called an "Observer" (in some systems).  The Observer  
chip keeps a mini database of all the pieces of digital cash spent by that  
smart card.  If the owner of the smart card attempts to copy some digital  
cash and spend it twice, the imbedded Observer chip would detect the  
attempt and would not allow the transaction.  Since the Observer chip is  
tamper-proof, the owner cannot erase the mini-database without permanently  
damaging the smart card.

The other way offline digital cash systems handle double spending is to  
structure the digital cash and cryptographic protocols so the identity of  
the double spender is known by the time the piece of digital cash makes it  
way back to the bank.  If users of the offline digital cash know they will  
get caught, the incidents of double spending will be minimized (in  
theory).  The advantage of these kinds of offline systems is that they  
don't require special tamper-proof chips.   The entire system can be  
written in software and can run on ordinary PCs or cheap smart cards.

It is easy to construct this kind of offline system for identified digital  
cash.  Identified offline digital cash systems can accumulate the complete  
path the digital cash made through the economy.  The identified digital  
cash "grows" each time it is spent.  The particulars of each transaction  
are appended to the piece of digital cash and travel with it as it moves  
from person to person, merchant to vender.  When the cash is finally  
deposited, the bank checks its database to see if the piece of digital  
cash was double spent.  If the digital cash was copied and spent more than  
once, it will eventually appear twice in the "spent" database.  The bank  
uses the transaction trails to identify the double spender.

Offline anonymous digital cash (sans Observer chip) also grows with each  
transaction, but the information that is accumulated is of a different  
nature.  The result is the same however.  When the anonymous digital cash  
reaches the bank, the bank will be able to examine it's database and  
determine if the digital cash was double spent.  The information  
accumulated along the way will identify the double spender.

The big difference between offline anonymous digital cash and offline  
identified digital cash is that the information accumulated with anonymous  
digital cash will only reveal the identity of the spender if the cash is  
double spent.  If the anonymous digital cash is not double spent, the bank  
can not determine the identity of the original spender nor can it  
reconstruct the path the cash took through the economy. 


With identified digital cash, both offline or online, the bank can always  
reconstruct the path the cash took through the economy.  The bank will  
know what everyone bought, where they bought it, when they bought it, and  
how much they paid.  And what the bank knows, the IRS knows.

By the way, did you declare that $20 bill your Grandmother gave you for  
your birthday?  You didn't?  Well, you wont have to worry about forgetting  
those sorts of things when everybody is using fully identified digital  
cash.  As a matter of fact, you wont even have to worry about filing a tax  
return.  The IRS will just send you a bill.

Jim_Miller@suite.com