Declan misses the mark on ecash

lcs Mixmaster Remailer mix at anon.lcs.mit.edu
Thu Jun 14 12:00:21 PDT 2001


Declan McCullagh reports in Wired Online,
http://www.wired.com/news/ebiz/0,1272,44507,00.html:

   The more important patent for digital cash, titled "Blind signature
   systems," was granted in July 1988 and expires in July 2005.

   Chaum's method preserved anonymity through a statistical technique. It
   can be thought of this way: A customer of a virtual bank would create
   a $1 coin by sending, say, 100 coins with random serial numbers first
   stuffed into electronic envelopes.

   The bank randomly would open 99 of the 100 envelopes to verify that the
   denominations were in fact $1 and the customer wasn't trying to commit
   fraud. After the bank owner was satisfied that the last remaining
   envelope was likely to be a $1 denomination too, the bank would sign
   the envelope -- marking it as digital cash -- and return it unopened.

Of course this is a completely incorrect description of Chaum's cash
system as it has been fielded in DigiCash and eCashTechnologies.

It is a botched attempt to describe the "cut and choose" mechanism.
But that was only designed for an offline cash system.  The purpose
of cut and choose was to check that the customer had properly encoded
*his identity* in the cash, not that the denomination was correct as is
described here.  The reason the customer encoded his identity was that
if he then double-spent, the bank could determine after the fact which
customer had done it because double-spending would reveal his identity.

But of course DigiCash was always implemented as an online system,
where double-spending is not possible, since coins are always verified
at the time they are spent.  It never used a cut and choose mechanism
for withdrawals, which would have been painfully inefficient.

Instead, the customer simply sent one "enveloped" version of a random
serial number to the bank.  The bank signed the envelope, and the type
of signature determined the denomination of the coin.  The customer then
took the serial number out of the envelope to get his cash.  It's far
simpler than the description above would suggest.

The article also contains a recap of the Chaum/Brands patent wars.
It would have been more interesting if there were some reference
to new approaches to ecash that avoid the patents, such as the
Lucre software by Ben Laurie, based on David Wagner's blinding
(http://anoncvs.aldigital.co.uk/lucre/), or the recent proposal at
Eurocrypt for a cash/credential system based on zero knowledge proofs
without blinding (http://eprint.iacr.org/2001/019.ps or .pdf).
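
The one-envelope withdrawal and the online spend-time check described in the post above, as an added example that is not part of the original message and not DigiCash code. It assumes textbook RSA blinding with toy keys built from small Mersenne primes and SHA-256 over the serial number; all function names and the key table are hypothetical.

```python
import hashlib
import secrets
from math import gcd

E = 65537  # public exponent shared by the toy keys below

def make_key(p, q):
    """Toy RSA key from two known Mersenne primes (far too small for real use)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

# Constructed bank keys: one signing key per denomination ($1 and $5).
BANK_KEYS = {1: make_key(2**61 - 1, 2**89 - 1), 5: make_key(2**107 - 1, 2**127 - 1)}
SPENT = set()  # bank's online record of serial numbers already deposited

def digest(serial, n):
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % n

def blind(serial, n):
    """Customer: put the serial number 'in the envelope' using a random factor r."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return (digest(serial, n) * pow(r, E, n)) % n, r

def bank_sign(blinded, denomination):
    """Bank: sign without seeing the serial; the key used fixes the coin's value."""
    key = BANK_KEYS[denomination]
    return pow(blinded, key["d"], key["n"])

def unblind(blind_sig, r, n):
    """Customer: remove the envelope, leaving a signature on the serial itself."""
    return (blind_sig * pow(r, -1, n)) % n

def withdraw(denomination):
    """One blinded serial per coin: no cut and choose, no identity encoded."""
    n = BANK_KEYS[denomination]["n"]
    serial = secrets.token_bytes(16)
    blinded, r = blind(serial, n)
    return serial, unblind(bank_sign(blinded, denomination), r, n)

def deposit(serial, sig, denomination):
    """Bank, at spend time: verify the signature, then refuse a repeated serial."""
    n = BANK_KEYS[denomination]["n"]
    if pow(sig, E, n) != digest(serial, n):
        return "bad signature"
    if serial in SPENT:
        return "double spend"
    SPENT.add(serial)
    return "ok"
```

The bank never sees the serial number at withdrawal, only at deposit, and the coin is worth whatever the verifying key says it is.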




