][adon Nash's digital gold concept is interesting, however I think it is harder to use than existing cash systems in the literature. In order to know whether to accept a given piece of digital gold in payment for a product or service, a vendor must check a central database which records all transactions anywhere in the world. It must trace through the chain of possession for that piece of digital gold in order to verify that the ownership is legitimate. In particular, if the person passing the gold is a cheater he may be spending it twice, perhaps very close together in time. This means that the database must be updated and checked in real time. This is the same communications requirement for the simplest form of digital cash based on Chaum blinded signatures. We have discussed this cash several times on this list. It is basically just an RSA-signed certificate from a trusted bank, but one which has had the "blinding" technique (which Karl has been describing) applied so that the bank won't recognize the cash when it is returned. For a vendor to know whether to accept a digital coin, he has to check with the bank to make sure the coin hasn't been spent before. This is analogous to ][adon's check of the gold-claim database. The bank's job seems somewhat easier, as it just has to look up whether the coin's number is present in a list. Also, Chaum provides "offline" variants on his system in which the vendor just trusts the person passing the cash, because he knows that if the customer cheats, his anonymity will be automatically broken and he can be sued. It's not clear how the digital gold approach could provide any such generalization. As for the notion of transferring assets from person to person, using aliases to provide for privacy, this has been discussed by Barry Hayes in Anonymous One-Time Signatures and Flexible Untraceable Electronic Cash, in the AusCrypt proceedings. He describes a system, in some ways an elaboration of Chaum's ideas, which works like checks which get endorsed from person to person. Just the other day I got a check which was made out to person A but endorsed over to me. I could endorse it over to someone else if I want. This chain can continue until someone cashes it. Hayes's system, like Chaum's, retains anonymity as long as no one cheats. If someone tries to pass the same check twice, their identity will be revealed. It's too bad that these papers aren't more widely available. The math is not that complicated. If you can understand RSA, you can understand digital cash, at least the simpler systems. But the papers are mostly only in the crypto proceedings, and not all libraries have them. I have to say, though, that although I don't really think the digital gold proposal is technically feasible, the proposal to own numbers shows tremendous chutzpah and is quite creative. Hal Finney hfinney@shell.portal.com