Declan McCullagh reports in Wired Online, http://www.wired.com/news/ebiz/0,1272,44507,00.html: The more important patent for digital cash, titled "Blind signature systems," was granted in July 1988 and expires in July 2005. Chaum's method preserved anonymity through a statistical technique. It can be thought of this way: A customer of a virtual bank would create a $1 coin by sending, say, 100 coins with random serial numbers first stuffed into electronic envelopes. The bank randomly would open 99 of the 100 envelopes to verify that the denominations were in fact $1 and the customer wasn't trying to commit fraud. After the bank owner was satisfied that the last remaining envelope was likely to be a $1 denomination too, the bank would sign the envelope -- marking it as digital cash -- and return it unopened. Of course this is a completely incorrect description of Chaum's cash system as it has been fielded in DigiCash and eCashTechnologies. It is a botched attempt to describe the "cut and choose" mechanism. But that was only designed for an offline cash system. The purpose of cut and choose was to check that the customer had properly encoded *his identity* in the cash, not that the denomination was correct as is described here. The reason the customer encoded his identity was that if he then double-spent, the bank could determine after the fact which customer had done it because double-spending would reveal his identity. But of course DigiCash was always implemented as an online system, where double-spending is not possible, since coins are always verified at the time they are spent. It never used a cut and choose mechanism for withdrawals, which would have been painfully inefficient. Instead, the customer simply sent one "enveloped" version of a random serial number to the bank. The bank signed the envelope, and the type of signature determined the denomination of the coin. The customer then took the serial number out of the envelope to get his cash. It's far simpler than the description above would suggest. The article also contains a recap of the Chaum/Brands patent wars. It would have been more interesting if there were some reference to new approaches to ecash that avoid the patents, such as the Lucre software by Ben Laurie, based on David Wagner's blinding (http://anoncvs.aldigital.co.uk/lucre/), or the recent proposal at Eurocrypt for a cash/credential system based on zero knowledge proofs without blinding (http://eprint.iacr.org/2001/019.ps or .pdf).