Cyphernomicon 12.6

Digital Cash and Net Commerce:
Online and Offline Clearing, Double Spending

   12.6.1. (this section still under construction)
   12.6.2. This is one of the main points of division between systems.
   12.6.3. Online Clearing
           - (insert explanation)
   12.6.4. Offline Clearing
           - (insert explanation)
   12.6.5. Double spending
           - Some approaches involve constantly-growing-in-size coins at
              each transfer, so who spent the money first can be deduced
              (or variants of this). And N. Ferguson developed a system
              allowing up to N expenditures of the same coin, where N is
              a parameter. [Howard Gayle reminded me of this, 1994-08-29]
           - "Why does everyone think that the law must immediately be
              invoked when double spending is detected?....Double
              spending is an informational property of digital cash
              systems. Need we find malicious intent in a formal
              property?  The obvious moralism about the law and double
              spenders is inappropriate.  It evokes images of revenge and
              retribution, which are stupid, not to mention of negative
              economic value." [Eric Hughes, 1994-08-27]  (This also
              relates to Eric's good point that we too often frame crypto
              issues in terms of loaded terms like "cheating," "spoofing,"
              and "enemies," when more neutral terms would carry less
              meaning-obscuring baggage and would not give our "enemies"
              (:-}) the ammunition to pass laws based on such terms.)
   12.6.6. Issues
           + Chaum's double-spending detection systems
             - Chaum went to great lengths to develop systems which
                preserve anonymity for single-spending instances, but
                which break anonymity and thus reveal identity for double-
                spending instances. I'm not sure what market forces
                caused him to think about this as being so important, but
                it creates many headaches. Besides being clumsy, it
                requires physical ID, it invokes a legal system to try to
                collect from "double spenders," and it admits the
                extremely serious breach of privacy by enabling stings.
                For example, Alice pays Bob a unit of money, then quickly
                Alice spends that money before Bob can...Bob is then
                revealed as a "double spender," and his identity revealed
                to whomever wanted it...Alice, IRS, Gestapo, etc. A very
                broken idea. Acceptable mainly for small transactions.
           +  Multi-spending vs. on-line clearing
             - I favor on-line clearing. Simply put: the first spending
                is the only spending. The guy who gets to the train
                locker where the cash is stored is the guy who gets it.
                This ensures that the burden of maintaining the secret is
                on the secret holder.
             - When Alice and Bob transfer money, Alice makes the
                transfer, Bob confirms it as valid (or verifies that his
                bank has received the deposit), and the transaction is
             - With network speeds increasing dramatically, on-line
                clearing should be feasible for most transactions. Off-
                line systems may of course be useful, especially for
                small transactions, the ones now handled with coins and
                small bills.
   12.6.7. "How does on-line clearing of anonymous digital cash work?"
           - There's a lot of math connected with blinding,
              exponentiations, etc. See Schneier's book for an introduction,
              or the various papers of Chaum, Brands, Bos, etc.
           - On-line clearing is similar to two parties in a transaction
              exchanging goods and money. The transaction is cleared
              locally, and immediately. Or they could arrange transfer of
              funds at a bank, and the banker could tell them over the
              phone that the transaction has cleared--true "on-line
              clearing." Debit cards work this way, with money
              transferred effectively immediately out of one account and
              into another. Credit cards have some additional wrinkles,
              such as the credit aspect, but are basically still on-line
           - Conceptually, the guiding principle is simple: he who
              gets to the train locker where the cash is stored *first*
              gets the cash. There can never be "double spending," only
              people who get to the locker and find no cash inside.
              Chaumian blinding allows the "train locker" (e.g., Credit
              Suisse) to give the money to the entity making the claim
              without knowing how the number correlates to previous
              numbers they "sold" to other entities. Anonymity is
              preserved, absolutely. (Ignoring for this discussion issues
              of cameras watching the cash pickup, if it ever actually
              gets picked up.)
           - Once the "handshaking" of on-line clearing is accepted,
              based on the "first to the money gets it" principle, then
              networks of such clearinghouses can thrive, as each is
              confident about clearing. (There are some important things
              needed to provide what I'll dub "closure" to the circuit.
              People need to ping the system, depositing and withdrawing,
              to establish both confidence and cover. A lot like remailer
              networks. In fact, very much like them.)
           - In on-line clearing, only a number is needed to make a
              transfer. Conceptually, that is. Just a number. It is up to
              the holder of the number to protect it carefully, which is
              as it should be (for reasons of locality, or self-
              responsibility, and because any other option introduces
              repudiation, disavowal, and the "Twinkies made me do it"
              sorts of nonsense). Once the number is transferred and
              reblinded, the old number no longer has a claim on the
              money stored at Credit Suisse, for example. That money is
              now out of the train locker and into a new one. (People
              always ask, "But where is the money, really?" I see digital
              cash as *claims* on accounts in existing money-holding
              places, typically banks. There are all kinds of "claims"--
              Eric Hughes has regaled us with tales of his explorations
              of the world of commercial paper. My use of the term
              "claim" here is of the "You present the right number, you
              get access" kind. Like the combination to a safe. The train
              locker idea makes this clearer, and gets around the
              confusion about "digimarks" or "e$" actually _being_ any
              kind of money in and of itself.)


By Tim May, see README

HTML by Jonathan Rochkind