Promise her anything...

Hal hfinney at
Thu Mar 24 08:58:07 PST 1994

From: Duncan Frissell <frissell at>
> The Black Letter phrase from my Commercial Paper class in law school:
> ----------
> Negotiable Instrument:  A promise to pay to order or bearer a sum certain 
> in money on or after a date certain.
> ----------

The other night at the library I had a chance to browse through the
Uniform Commercial Code as enacted by the state of California.  It had a
large section on promissory notes and commercial paper in general.

The basic definition of a promissory note did include a variation on what
Duncan quoted.  It would appear that the legal requirements and restrictions
on the issuing and sale of such notes are pretty flexible.

However, in the digital realm, it is not clear whether a promissory note would
truly be enforceable, in the event that the debtor refused to pay.  The main
question is the digital signature.

One thing I wonder about is this.  Suppose I simply create a file saying that
I promise to pay the bearer $100 on demand.  I then sign this using my PGP
public key, and give it to someone in exchange for $100.  This would be the
electronic analogue of the issuing of a paper promissory note.

The problem is, "forgery" of such notes, in the sense of duplication, is
both trivial and undetectable.  With paper, someone could Xerox a note and
end up with two, both claiming to be worth $100.  But in practice we could
distinguish the original from the copy.  Better forgeries might be harder
to detect but in principle experts should be able to tell the difference.
But with the PGP-signed document, any copies made would be completely in-
distinguishable from the original.  How could the debtor know to honor such
a note without being able to tell whether it was the original or not?  How
could the holder of the note sell it to someone without them kmnowing whether
it is valid?

Because of this uncertainty, it seems to me that in this simplest sense
digitally-signed promissory notes do not work.  Such a note, even though
signed, cannot be considered to carry value in and of itself because it
is too easy to forge.  The digital signature is of no value in preventing
forgeries since copies of valid notes are just as useful as plain forgeries.

Now, the more elaborate technology of digital cash can actually go a long
way towards solving this problem, at least in theory.  With this approach,
each note has a unique serial number, and part of the agreement is that only
the first presentation of a note with any given serial number will be
honored.  Then if the holder of a note wants to sell it to someone else,
they go through a protocol with the borrower in which he verifies that the
note has not been spent, and a new note is issued with a new serial number
that nobody has seen before.  This way the buyer of the note is protected
against being sold an already-sold note.  Plus, the digital cash technology
allows this to be done without the debtor finding out who is selling his
old notes to whom.  There is no reason for him to have this information; the
holder of the note ought to be able to sell it privately, and this is
a good way of preserving that aspect of the transaction.

So, the digital cash technology works pretty well for this application.  The
problem is that there have to be many additional restrictions and rules in
the handling of the notes - notes have to be transferred using the special
protocol, and only previously-unseen notes will be honored.  It is not clear
to me how these additional contractual restrictions can be incorporated into
the note without violating the simplicity that Duncan quoted above.

Also, in the technical sense, the blinded signatures used in digital cash
do not allow the signing of a textual document.  Instead, what is signed is
a simple number in a specified form, and the *exponent* used in the signature
is what determines the "sum certain".  So the formal structure of a piece of
digital cash does not match the requirement for a promissory note.  There
would have to be some additional documents which, for example, map the
signing exponents to the note values.  But again, there is no place in the
note itself to put pointers to such additional documents.  It is possible
that the note could consist in effect of two documents, one part which is
a PGP-signed text document laying out the terms and conditions which are
relevant, and which states that it only has value when accompanied by a
digital-cash data item, signed with the proper exponent, not previously seen
by the debtor, etc.

Again, then, you have to worry about fraud by the debtor, in which he claims
to have seen a note before when one is presented for redemption.  In order
for note holders to protect themselves against this fraud there would have
to be some way for debtors to prove that various notes had been spent.  This
might be difficult, especially if the people presenting notes for redemption
are anonymous to the debtor.  It's going to be hard to distinguish between
the twin frauds of a holder presenting the same note for redemption twice,
possibly at almost the same time from two different addresses, and the debtor
who receives a note for redemption, then quickly sends it to himself as
though from another holder, back-dating it a few seconds so he claims that
one arrived first.

Perhaps some form of registered mail for note redemptions, plus a requirement
that when a conflict like this arises both presenters must identify themselves,
could address some of these problems.  (These problems arise for digital cash
just as much, by the way.)


More information about the cypherpunks-legacy mailing list