David Chaum's "DigiCash"

12.5.1. "Why is Chaum so important to digital cash?"
  - Chaum's name appears frequently in this document, and in other Cypherpunk writings. He is without a doubt the seminal thinker in this area, having been very nearly the first to write about several areas: untraceable e-mail, digital cash, blinding, unlinkable credentials, DC-nets, etc.
  - I spoke to him at the 1988 "Crypto" conference, telling him about my interests, my 'labyrinth' idea for mail-forwarding (which he had anticipated in 1981, unbeknownst to me at the time), and a few hints about "crypto anarchy." It was clear to me that Chaum had thought long and deeply about these issues.
  - Chaum's articles should be read by all interested in this area. (No, his papers are _not_ "on-line." Please see the "Crypto" Proceedings and related materials.)
  - [DIGICASH PRESS RELEASE, "World's first electronic cash payment over computer networks," 1994-05-27]

12.5.2. "What's his motivation?"
  - Chaum appears to be a libertarian, at least on social issues, and is very worried about "Big Brother" sorts of concerns (recall the title of his 1985 CACM article).
  - His work in Europe has mostly concentrated on unlinkable credentials for toll road payments, electronic voting, etc. His company, DigiCash, is working on various aspects of digital cash.

12.5.3. "How does his system work?"
  - There have been many summaries on the Cypherpunks list. Hal Finney has written at least half a dozen, and others have been contributed by Eric Hughes, Karl Barrus, etc. I won't be including any of them here... it just takes too many pages to explain how digital cash works in detail.
  - (The biggest problem people have with digital cash is in not taking the time to understand the basics of the math, of blinding, etc. They wrongly assume that "digital cash" can be understood by common-sense reasoning about existing cash, etc. This mistake has been repeated in several of the half-assed proposals for "net cash" and "digi dollars.")
  + Here's the opening few paragraphs from one of Hal's explanations, to provide a glimpse:
    - "Mike Ingle asks about digicash. The simplest system I know of that is anonymous is the one by Chaum, Fiat, and Naor, which we have discussed here a few times. The idea is that the bank chooses an RSA modulus, and a set of exponents e1, e2, e3, ..., where each exponent ei represents a denomination and possibly a date. The exponents must be relatively prime to (p-1)(q-1). PGP has a GCD routine which can be used to check for valid exponents.

      "As with RSA, to each public exponent ei corresponds a secret exponent di, calculated as the multiplicative inverse of ei mod (p-1)(q-1). Again, PGP has a routine to calculate multiplicative inverses.

      "In this system, a piece of cash is a pair (x, f(x)^di), where f() is a one-way function. MD5 would be a reasonable choice for f(), but notice that it produces a 128-bit result. f() should take this 128-bit output of MD5 and "reblock" it to be a multi-precision number by padding it; PGP has a "preblock" routine which does this, following the PKCS standard.

      "The way the process works, with the blinding, is like this. The user chooses a random x. This should probably be at least 64 or 128 bits, enough to preclude exhaustive search. He calculates f(x), which is what he wants the bank to sign by raising to the power di. But rather than sending f(x) to the bank directly, the user first blinds it by choosing a random number r, and calculating D=f(x) * r^ei. (I should make it clear that ^ is the power operator, not xor.) D is what he sends to the bank, along with some information about what ei is, which tells the denomination of the cash, and also information about his account number." [Hal Finney, 1993-12-04]

12.5.4. "What is happening with DigiCash?"
  - "Payment from any personal computer to any other workstation, over email or Internet, has been demonstrated for the first time, using electronic cash technology.

    "You can pay for access to a database, buy software or a newsletter by email, play a computer game over the net, receive $5 owed you by a friend, or just order a pizza. The possibilities are truly unlimited" according to David Chaum, Managing Director of DigiCash TM, who announced and demonstrated the product during his keynote address at the first conference on the World Wide Web, in Geneva this week." [DIGICASH PRESS RELEASE, "World's first electronic cash payment over computer networks," 1994-05-27]
  - DigiCash is David Chaum's company, set up to commercialize this work. Located near Amsterdam.
  + Chaum is also centrally involved in "CAFE," a European committee investigating ways to deploy digital cash in Europe
    - mostly standards, issues of privacy, etc.
    - toll roads, ferries, parking meters, etc.
  - http://digicash.support.nl/
  - info@digicash.nl
  - People have been reporting that their inquiries are not being answered; could be for several reasons.

12.5.5. The Complexities of Digital Cash
  - There is no doubt as to the complexity: many protocols, semantic confusion, many parties, chances for collusion, spoofing, repudiation, and the like. And many derivative entities: agents, escrow services, banks.
  - There's no substitute for _thinking hard_ about various scenarios. Thinking about how to arrange off-line clearing, how to handle claims of people who claim their digital money was stolen, people who want various special kinds of services, such as receipts, and so on. It's an ecology here, not just a set of simple equations.
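The withdrawal that Hal Finney's excerpt in 12.5.3 describes, as an added Python example that is not part of the original document or of any DigiCash code. It goes one step beyond the excerpt by showing the standard unblinding and verification that follow the blinding step; the toy Mersenne-prime modulus, the unpadded MD5 used for f(), and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy bank key (assumption): two Mersenne primes keep the example short.
# They are not a safe choice for a real modulus.
P, Q = 2**89 - 1, 2**127 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def make_denominations(values):
    """Give each denomination a public e_i coprime to (p-1)(q-1) and the
    matching secret d_i, the inverse of e_i mod (p-1)(q-1)."""
    valid = [e for e in SMALL_PRIMES if gcd(e, PHI) == 1]
    return {v: (e, pow(e, -1, PHI)) for v, e in zip(values, valid)}

def f(x):
    """One-way function: MD5 read as an integer (simplified: no PKCS-style
    padding; the 128-bit digest is already smaller than N)."""
    return int.from_bytes(hashlib.md5(x).digest(), "big")

def blind(x, e):
    """User: D = f(x) * r^e mod n for a random r invertible mod n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (f(x) * pow(r, e, N)) % N, r

def bank_sign(D, d):
    """Bank: sees only D, returns D^d = f(x)^d * r mod n."""
    return pow(D, d, N)

def unblind(S, r):
    """User: divide out r, leaving f(x)^d mod n."""
    return (S * pow(r, -1, N)) % N

def verify(x, sig, e):
    """Anyone holding (n, e): a coin (x, sig) is valid if sig^e == f(x)."""
    return pow(sig, e, N) == f(x)

def withdraw(keys, value):
    """Full withdrawal of one coin; also returns D, the bank's only view."""
    e, d = keys[value]
    x = secrets.token_bytes(16)  # random 128-bit x
    D, r = blind(x, e)
    return x, unblind(bank_sign(D, d), r), D

if __name__ == "__main__":
    keys = make_denominations([1, 5, 10])
    x, sig, D = withdraw(keys, 5)
    print(verify(x, sig, keys[5][0]), verify(x, sig, keys[10][0]))
```

The exponents are drawn from distinct primes so that a coin signed under one denomination's exponent does not verify under another's, and the bank's view D differs from f(x), which is what keeps the later deposit of (x, f(x)^di) unlinkable to the withdrawal.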


By Tim May, see README

HTML by Jonathan Rochkind