Cyphernomicon 12.5

Digital Cash and Net Commerce:
David Chaum's "DigiCash"

   12.5.1. "Why is Chaum so important to digital cash?"
           - Chaum's name appears frequently in this document, and in
              other Cypherpunk writings. He is without a doubt the
              seminal thinker in this area, having been very nearly the
              first to write about several areas: untraceable e-mail,
              digital cash, blinding, unlinkable credentials, DC-nets,
           - I spoke to him at the 1988 "Crypto" conference, telling him
              about my interests, my 'labyrinth' idea for mail-forwarding
              (which he had anticipated in 1981, unbeknownst to me at the
              time), and a few hints about "crypto anarchy." It was clear
              to me that Chaum had thought long and deeply about these
           - Chaum's articles should be read by all interested in this
              area. (No, his papers are _not_ "on-line." Please see the
              "Crypto" Proceedings and related materials.)
           - [DIGICASH PRESS RELEASE, "World's first electronic cash
              payment over computer networks," 1994-05-27]
   12.5.2. "What's his motivation?"
           - Chaum appears to be a libertarian, at least on social
              issues, and is very worried about "Big Brother" sorts of
              concerns (recall the title of his 1985 CACM article).
           - His work in Europe has mostly concentrated on unlinkable
              credentials for toll road payments, electronic voting, etc.
              His company, DigiCash, is working on various aspects of
              digital cash.
   12.5.3. "How does his system work?"
           - There have been many summaries on the Cypherpunks list. Hal
              Finney has written at least half a dozen, and others have
              been contributed by Eric Hughes, Karl Barrus, etc. I won't
              be including any of them; it just takes too many
              pages to explain how digital cash works in detail.
           - (The biggest problem people have with digital cash is in
              not taking the time to understand the basics of the math,
              of blinding, etc. They wrongly assume that "digital cash"
              can be understood by common-sense reasoning about existing
              cash, etc. This mistake has been repeated in several of the
              half-assed proposals for "net cash" and "digi dollars.")
           + Here's the opening few paragraphs from one of Hal's
              explanations, to provide a glimpse:
             - "Mike Ingle asks about digicash.  The simplest system I
                know of that is anonymous is the one by Chaum, Fiat, and
                Naor, which we have discussed here a few times.  The idea
                is that the bank chooses an RSA modulus, and a set of
                exponents e1, e2, e3, ..., where each exponent ei represents
                a denomination and possibly a date.  The exponents must
                be relatively prime to (p-1)(q-1).  PGP has a GCD routine
                which can be used to check for valid exponents.
                "As with RSA, to each public exponent ei corresponds a
                secret exponent di, calculated as the multiplicative
                inverse of ei mod (p-1)(q-1).  Again, PGP has a routine
                to calculate multiplicative inverses.
                "In this system, a piece of cash is a pair (x, f(x)^di),
                where f() is a one-way function.  MD5 would be a
                reasonable choice for f(), but notice that it produces a
                128-bit result.  f() should take this 128-bit output of
                MD5 and "reblock" it to be a multi-precision number by
                padding it; PGP has a "preblock" routine which does this,
                following the PKCS standard.
                "The way the process works, with the blinding, is like
                this.  The user chooses a random x.  This should probably
                be at least 64 or 128 bits, enough to preclude exhaustive
                search.  He calculates f(x), which is what he wants the
                bank to sign by raising to the power di.  But rather than
                sending f(x) to the bank directly, the user first blinds
                it by choosing a random number r, and calculating D=f(x)
                * r^ei.  (I should make it clear that ^ is the power
                operator, not xor.)  D is what he sends to the bank,
                along with some information about what ei is, which tells
                the denomination of the cash, and also information about
                his account number."  [Hal Finney, 1993-12-04]
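Hal's description carried through end to end, as an added example that is not from the Cyphernomicon or from Hal's post: a toy Chaum-Fiat-Naor withdrawal in Python, with a constructed bank key (two Mersenne primes standing in for the bank's RSA primes), MD5 as f(), one public exponent per denomination, blinding by r^ei and unblinding by r^-1. The primes, the exponent values, and the sample x and r are assumptions.

```python
import hashlib
import math
import secrets

# Constructed toy bank key: two Mersenne primes (known primes) stand in for the
# bank's secret RSA primes p and q; real keys would be larger and kept secret.
P, Q = (1 << 89) - 1, (1 << 127) - 1
N, PHI = P * Q, (P - 1) * (Q - 1)

# One public exponent e_i per denomination, as in Hal's post (values assumed).
DENOMINATIONS = {1: 65537, 5: 257}

def secret_exponent(e):
    """d_i = e_i^-1 mod (p-1)(q-1); the GCD check rejects invalid exponents."""
    if math.gcd(e, PHI) != 1:
        raise ValueError("exponent not relatively prime to (p-1)(q-1)")
    return pow(e, -1, PHI)

def f(x):
    """One-way function: MD5 of x, 'reblocked' into an integer below N."""
    return int.from_bytes(hashlib.md5(x).digest(), "big")

def blind(x, e, r):
    """User side: D = f(x) * r^e mod N, sent to the bank with the denomination."""
    if math.gcd(r, N) != 1:
        raise ValueError("blinding factor must be invertible mod N")
    return (f(x) * pow(r, e, N)) % N

def bank_sign(D, e):
    """Bank side: sees only the blinded D and returns D^d mod N."""
    return pow(D, secret_exponent(e), N)

def unblind(blinded_sig, r):
    """User side: D^d = f(x)^d * r mod N, so dividing by r yields f(x)^d."""
    return (blinded_sig * pow(r, -1, N)) % N

def verify(coin, e):
    """Anyone holding the public key checks a coin (x, f(x)^d) for denomination e."""
    x, sig = coin
    return pow(sig, e, N) == f(x)

def withdraw(denomination, x=None, r=None):
    """Full withdrawal; returns the coin and the blinded value the bank saw."""
    e = DENOMINATIONS[denomination]
    x = x if x is not None else secrets.token_bytes(16)   # 128-bit random x
    r = r if r is not None else secrets.randbelow(N - 2) + 2
    D = blind(x, e, r)
    coin = (x, unblind(bank_sign(D, e), r))
    return coin, D
```

A coin withdrawn with the $1 exponent verifies only under that exponent, and the D the bank recorded matches neither f(x) nor the final signature, which is what stops the bank from linking the withdrawal to a later deposit.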
   12.5.4. "What is happening with DigiCash?"
           - "Payment from any personal computer to any other
              workstation, over email or Internet, has been demonstrated
              for the first time, using electronic cash technology. "You
              can pay for access to a database, buy software or a
              newsletter by email, play a computer game over the net,
              receive $5 owed you by a friend, or just order a pizza. The
              possibilities are truly unlimited" according to David
              Chaum, Managing Director of DigiCash TM, who announced and
              demonstrated the product during his keynote address at the
              first conference on the World Wide Web, in Geneva this
              week." [DIGICASH PRESS RELEASE, "World's first electronic
              cash payment over computer networks," 1994-05-27]
           - DigiCash is David Chaum's company, set up to commercialize
              this work. Located near Amsterdam.
           + Chaum is also centrally involved in "CAFE," a European
              committee investigating ways to deploy digital cash in
             - mostly standards, issues of privacy, etc.
             - toll roads, ferries, parking meters, etc.
           - People have been reporting that their inquiries are not
              being answered; could be for several reasons.
   12.5.5. The Complexities of Digital Cash
           - There is no doubt as to the complexity: many protocols,
              semantic confusion, many parties, chances for collusion,
              spoofing, repudiation, and the like. And many derivative
              entities: agents, escrow services, banks.
           - There's no substitute for _thinking hard_ about various
              scenarios. Thinking about how to arrange off-line clearing,
              how to handle claims of people who claim their digital
              money was stolen, people who want various special kinds of
              services, such as receipts, and so on. It's an ecology
              here, not just a set of simple equations.


By Tim May, see README

HTML by Jonathan Rochkind