ghsvax!hal at uunet.UU.NET
Wed Nov 25 13:04:57 PST 1992
Some time back Tim May suggested that we should do some experiments
with electronic cash. He offered to do some Xeroxing if people would
There are lots of proposals for electronic cash in the literature,
mostly very complex. I think one of Chaum's simpler proposals would be
adequate for email "banking". This proposal, from the beginning of
his paper "Untraceable Electronic Cash" in Crypto 88(?), goes like
1. Alice chooses a random x and r, and supplies the bank with
B=r^3*f(x) mod n, where f is a one-way function (like MD5), and n is
the modulus for the bank's public key.
2. The bank takes the third root of B (e.g. via an RSA decryption) and
sends it back to Alice: D = r * f(x)^(1/3), and withdraws one dollar from
3. Alice extracts C = f(x)^(1/3) by dividing D by r. (Note that
division can be done mod n without knowing the factors of n, but it's
4. To pay Bob one dollar, Alice gives him (x, C).
5. Bob can verify that C = f(x)^(1/3), but he still has to send (x, C)
to the bank in order to make sure that x hasn't been used before.
Otherwise Alice could spend (x, C) twice. The bank increases Bob's
account by one dollar.
This scheme is pretty simple and provides untraceability - the bank
saw B and D but not C, so although it can verify that (x, C) is legit,
it can't correlate that with Alice's withdrawal.
The main disadvantage of this approach is that Bob has to send (x, C)
to the bank right away (or at least before sending Alice anything in
return for her cash) to verify that the cash hasn't been used before.
But in email, where turnarounds of a day or more aren't unusual, this
should be tolerable.
Alice and Bob could be pseudonyms, using anonymous addresses to
communicate with each other and with the bank.
Different denominations of cash could correspond to different
exponents than "3" in the example above. (That is, $1 would use
C=f(x)^(1/3), $2 would use C=f(x)^(1/5), $4 would use C=f(x)^(1/7),
and so on.)
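The five steps above, with the denomination exponents 3, 5 and 7, as an added example (not code from the post or from PGP). The RSA primes are well-known toy values constructed for this demo, f uses SHA-256 reduced mod n instead of the MD5 the post suggests, and the bank's double-spending check is a plain set of spent x values.

```python
import hashlib
import math

# Toy bank key (constructed for this example, not a real key): p and q are
# well-known primes; a real bank would use primes of 1024 bits or more.
P, Q = 1000000007, 18446744073709551557
N, PHI = P * Q, (P - 1) * (Q - 1)
# Denomination -> public exponent, as in the post ($1 -> 3, $2 -> 5, $4 -> 7).
DENOMINATIONS = {1: 3, 2: 5, 4: 7}
assert all(math.gcd(e, PHI) == 1 for e in DENOMINATIONS.values())
# The bank's private exponents: d_e = e^-1 mod phi(n), one per denomination.
PRIVATE = {e: pow(e, -1, PHI) for e in DENOMINATIONS.values()}

def f(x):
    """One-way function f; SHA-256 reduced mod n stands in for the post's MD5."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") % N

def blind(x, r, value):
    """Step 1 (Alice): B = r^e * f(x) mod n. The bank never learns x or f(x)."""
    return pow(r, DENOMINATIONS[value], N) * f(x) % N

def unblind(D, r):
    """Step 3 (Alice): C = D / r mod n, needing only r's inverse, not n's factors."""
    return D * pow(r, -1, N) % N

def verify_coin(x, C, value):
    """Step 5 (Bob): C^e == f(x) mod n, checkable with the bank's public key alone."""
    return pow(C, DENOMINATIONS[value], N) == f(x)

class Bank:
    def __init__(self):
        self.spent = set()      # every x that has already been deposited
        self.balances = {}      # account -> dollars

    def withdraw(self, account, value, B):
        """Step 2: take the e-th root of the blinded value and debit the account."""
        self.balances[account] = self.balances.get(account, 0) - value
        return pow(B, PRIVATE[DENOMINATIONS[value]], N)

    def deposit(self, account, value, x, C):
        """Step 5 (bank): credit a valid coin once; a replayed x is rejected."""
        if x in self.spent or not verify_coin(x, C, value):
            return False
        self.spent.add(x)
        self.balances[account] = self.balances.get(account, 0) + value
        return True
```

The bank's view of a withdrawal is (B, D) and of a deposit is (x, C); since C = D / r for an r only Alice knows, the two records cannot be linked by the bank.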
Technically, this would be quite easy to implement, using the code in
PGP for the arithmetic, and MD5 for the one-way function. We'd need
to define a few message formats. The RFC1113 ascii encoding from PGP
could be used as well.
The "social" problems are more challenging, it seems to me. What is
the backing for this electronic money? Why do people care what their
bank balances are? Is this stuff really worth anything?
One possibility is to base digital cash on real money. People would
open a pseudonymous account via email, then postal-mail dollars to the
bank, enclosing their account number so the bank would know whom to
credit with the deposit. Later, if someone wanted to withdraw "real
money" from their account they would have to give a real postal
address where it could be mailed. Now the electronic money is worth
real dollars. Even if people didn't deposit or withdraw very often,
it still has value because of the backing.
Unfortunately, this approach would currently be illegal (at least,
unless you actually were a real bank!). If there were some way the
bank itself could be anonymous, it might survive, but I don't see how
to mail it money while keeping the anonymity. Still, we could
consider experimenting with this on a small scale with accounts of no
more than a few dollars. As long as it was clearly an experiment I
doubt that any prosecutions would result even if it attracted
government attention, because the expense involved in court costs
would be so disproportionate to the few dollars involved in this
technically illegal act.
Another approach would be not to try backing the digital cash at all,
or rather backing it implicitly by the determination of various people
to accept it and perform services or supply goods in return for it.
Tim's offer to Xerox papers in return for digital cash would be one
example. Perhaps others could provide some other services. It would
be great if some shareware author would accept digital cash as a
symbol of support for crypto anonymity.
One problem that I see with this approach is how you determine the
size of the money supply. Or, in other words, how does new digital
cash get started circulating? How do people get new accounts, and how
much money is in them?
If these problems can be solved, a big advantage of this approach is
that the banker can be anonymous. He would be known only by his
anonymous address and his public key(s). This would provide some
safety in the event that even a small-scale experiment like this
was targeted for a crackdown.
Another issue is the prospect of multiple "banks", each issuing their
own (incompatible) cash. How would they compete? Perhaps in terms of
rapid turnaround? Some might choose to be anonymous, others would go
public. The latter would have the advantage that people might trust
them more, but OTOH there is more chance of your bank account
disappearing after a crackdown for a public bank than an anonymous
Lots to think about here!
74076.1041 at compuserve.com