There is no silver bullet! Here are some comments about why there are no easy to use "digital coins," and why the digital money protocols are so complicated and involve banks, tamper-resistant modules, and other things that may not be make difficult some of our Cypherpunks goals. I agree with Hal Finney's basic point about David Chaum's current direction: it is not precisely the direction I'd like to see. However, in Chaum's defense, his is only one group and can only do so much. I don't see other groups pursuing digital cash with the same vigor and depth, save for the occasional paper about "electronic wallets" and so forth, and so Chaum is doing what he is doing. It is possible that someone here in Cypherpunks will develop some form of competing system. (Bear in mind, though, that these protocols are notoriously complicated, and involve issues of forgery, spoofing, denial (that a transaction occurred), tax laws, and so on.) One of Hal's points deserves special comment: (speaking of the observer protocol)
Now, this approach has the obvious advantage that it allows solving certain problems which can't be solved otherwise. There appears to be no way to provide for secure, off-line digital cash, for example, other than with something like an observer.
There are no digital coins. A physical piece of gold, the canonical piece of money, is essentially imposssible to counterfeit/forge, so coins can be passed from person to person, person to shop, to banks, to tax collectors, etc. It is the ultimate "bearer instrument." Importantly, the flow of such money is "conservative" in that the total amount of such money is constant...no amount of trickery or protocol complexity can increase the amount present, and only loss of the physical coins can reduce the amount. Paper currency is ostensibly a parallel to physical money (at least in countries on a gold or silver standard, which the U.S. is not any longer). Strong currencies (DM, yen, dollar, SF...though this is all debatable) still have some of the "conservative" nature, because the bills/notes are very difficult to counterfeit and are exchanged as physical items or tokens. I won't get into things like VISA transactions, promissory notes, etc., except to say they are quite a bit less "tangible" (anyone who has gotten unexpected VISA transactions, triggered by someone out there, understands that the transactions are much less straightforward and tangible). A problem with digital money has always been that there apparently is no close equivalent to a digital coin, a token which can be passed around freely, as a quarter or a dollar bill can be. The reasons are obvious: a cryptographic number can be trivially duplicated (counterfeited/forged) and presented to a second or third person. Thus, the receiver of such a piece of digital money must confirm that it has not already been spent, that some bank will redeem it for "real" money, etc. Digital coupons have this same problem. (Real coupons are made fairly counterfeit-resistant, as are such things as lottery tickets. Lottery tickets also use a clever scheme whereby the winning number, the thing that gets announced, is hashed/transformed into another number with a secret key, and this second number is also printed on the ticket, but would-be spoofers are unable to generate the second number.) The complicated Chaum protocols, which now are going in the direction of the tamper-resistant "observer" chips (in smartcards, PDAs, etc.), address these issues of spoofing, denial, counterfeiting, etc., in various ways. Later, Hal makes another good point:
A related point is that there have already been comparisons on sci.crypt between Chaum's observers and the Clipper chip, in that both rely on tamper-resistant technology to implement features which are not entirely in their owner's best interests. Assuming we do manage to successfully defeat Clipper, the taint of this association may increase resistance to observers.
I wish Chaum and his group would stop directing their efforts towards protocols which require an observer chip to be effective. Granted, there are some things that don't work as nicely without observers. But I think that a realistic appraisal of the pros and cons suggests that non-observer protocols are more likely to further our ultimate goal of personal privacy.
It seems likely to me that even now a group within the bowels of the NSA and NIST is developing a "digital money clipper" (a euphonious pun?), that is, a standard for digital money with similar sorts of backdoors, emergency doors, etc., that Clipper has. NSA/NIST surely knows of the pressures for digital money, and could plan to introduce their own standard. Instead of "LEAFs" for the FBI and other law enforcement, this one could have "IRS observers" and "money-laundering observers" (this is wild speculation, I'll grant you) which tie-in to currency exchange reporting, sales tax, and income tax law enforcement systems. It may be that Chaum, who is eager to actually get some sales to groups within Europe and elsewhere, is already responding to some pressures for "accountability" (the digital money version of "wire-tappability") by various European governments and the observer protocols are an effort to satisfy some of these concerns. (I am not accusing Chaum of anything, just speculating that some groups developing digital money--and Chaum is the clear leader here--may have market or legal constraints which are shaping their focus away from the digital money = untraceable cash = crypto anarchy direction many of us favor.) A "Cypherpunks digital money" system may be more urgent than ever. -Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. Note: I put time and money into writing this posting. I hope you enjoy it.