nobody at rosebud.ee.uh.edu nobody at rosebud.ee.uh.edu
Wed Dec 2 09:12:11 PST 1992

Subject: Digital Cash

One point of digital cash is to allow electronic payments, so printing
it on paper would not be useful as other than a novelty.  People would
have to scan the bit patterns back in, which would be inconvenient.

How big will a piece of digital cash be?

An electronic "dollar bill" in the simple scheme of Chaum's consists
of two parts:  (x, f(x)^(1/e).  X is a random number, f(x) is a one-way
function like MD5, and e is the exponent which could be taken to represent
the denomination of the bill.  MD5 takes 64 bytes as an input "chunk"
so that would be a natural size for x.  f(x)^(1/e) is f(x) "signed" by
the bank using exponent e, so that would be about the size of the bank's
modulus n, say 1024 bits or 128 bytes.  Probably there would be some
control information as well.  So the total size of an electronic banknote
would be 128 + 64 + a few, or about 200 bytes, maybe a little more.
To print this you'd have to Ascii-encode it, which generally expands
things by 1/3, so you'd get about 270 to 300 characters per bill/coin.
This would be around four or five lines of text, comparable to a PGP
key (and looking about as interesting - totally jumbled letters and

"Forgery" is in one sense hard and in one sense easy.  It's hard because
to create new dollar bills because you have to forge a signature using
the bank's public key (n, e).  This is equivalent to breaking at least
some uses of RSA.

But it's easy to reproduce existing electronic dollars, and you don't even
need a Xerox machine.  Just "copy dollar1 dollar2" on your PC, and repeat
the process.  Presto, plenty of dollars, all exactly the same.  Send one
to the butcher, one to the baker, and you've still got plenty more
where those came from.

Keeping this kind of re-use from occurring is one of the things that
makes electronic cash tricky.  Chaum's simple scheme has the receiver
of cash calling the bank or sending the cash there right away.  The
bank has a list of "serial numbers" for all the cash that's ever been
deposited, which it compares against to see if this is a re-use.  The
first person to deposit a dollar with a given serial number gets credit
for it; the others are told that it's worthless.

Another area that people seem a little unclear about is the difference
between electronic cash and electronic checking accounts.  A checking
account could be managed by simple RSA-signed messages (e.g. created with
PGP) saying, please transfer $X.00 to account number XYZ.  If you wanted
to buy something from someone, you'd find out what his account number
is with the bank, write up a little note like this, sign it using your
public key with PGP, and email it to the person that you wanted to buy
from.  He'd send it on to the bank and his account would get credited.
Again, you'd want to put a serial number on your check so that the guy
couldn't send it again tomorrow and get another $X.00.

Or, you could just send it directly to the bank and request the bank to
notify the seller that the funds had been transferred.  This would seem
to avoid the re-use problem.

The difference between this system and electronic cash is that the bank
knows exactly what is going on.  It sees all transactions, so it knows
which accounts are making payments to which other accounts.  This is
true of ordinary paper checking accounts as well, of course.

Electronic cash is designed so that not even the bank can tell who is
paying whom.  I withdraw some cash, say, $100.00, and I pay you $35.00
by mailing you the electronic bills.  You deposit them.  The bank has
no way of determining which particular withdrawal produced those bills
which you are depositing.  This is, more or less, how real cash works.

74076.1041 at compuserve.com

More information about the cypherpunks-legacy mailing list