12.5.1. "Why is Chaum so important to digital cash?"
- Chaum's name appears frequently in this document, and in
other Cypherpunk writings. He is without a doubt the
seminal thinker in this area, having been very nearly the
first to write about several areas: untraceable e-mail,
digital cash, blinding, unlinkable credentials, DC-nets,
etc.
- I spoke to him at the 1988 "Crypto" conference, telling him
about my interests, my 'labyrinth' idea for mail-forwarding
(which he had anticipated in 1981, unbeknownst to me at the
time), and a few hints about "crypto anarchy." It was clear
to me that Chaum had thought long and deeply about these
issues.
- Chaum's articles should be read by all interested in this
area. (No, his papers are _not_ "on-line." Please see the
"Crypto" Proceedings and related materials.)
- [DIGICASH PRESS RELEASE, "World's first electronic cash
payment over computer networks," 1994-05-27]
12.5.2. "What's his motivation?"
- Chaum appears to be a libertarian, at least on social
issues, and is very worried about "Big Brother" sorts of
concerns (recall the title of his 1985 CACM article).
- His work in Europe has mostly concentrated on unlinkable
credentials for toll road payments, electronic voting, etc.
His company, DigiCash, is working on various aspects of
digital cash.
12.5.3. "How does his system work?"
- There have been many summaries on the Cypherpunks list. Hal
Finney has written at least half a dozen, and others have
been contributed by Eric Hughes, Karl Barrus, etc. I won't
be including any of them here....it just takes too many
pages to explain how digital cash works in detail.
- (The biggest problem people have with digital cash is in
not taking the time to understand the basics of the math,
of blinding, etc. They wrongly assume that "digital cash"
can be understood by common-sense reasoning about existing
cash, etc. This mistake has been repeated in several of the
half-assed proposals for "net cash" and "digi dollars.")
+ Here's the opening few paragraphs from one of Hal's
explanations, to provide a glimpse:
- "Mike Ingle asks about digicash. The simplest system I
know of that is anonymous is the one by Chaum, Fiat, and
Naor, which we have discussed here a few times. The idea
is that the bank chooses an RSA modulus, and a set of
exponents e1, e2, e3, ..., where each exponent ei represents
a denomination and possibly a date. The exponents must
be relatively prime to (p-1)(q-1). PGP has a GCD routine
which can be used to check for valid exponents.
"As with RSA, to each public exponent ei corresponds a
secret exponent di, calculated as the multiplicative
inverse of ei mod (p-1)(q-1). Again, PGP has a routine
to calculate multiplicative inverses.
"In this system, a piece of cash is a pair (x, f(x)^di),
where f() is a one-way function. MD5 would be a
reasonable choice for f(), but notice that it produces a
128-bit result. f() should take this 128-bit output of
MD5 and "reblock" it to be a multi-precision number by
padding it; PGP has a "preblock" routine which does this,
following the PKCS standard.
"The way the process works, with the blinding, is like
this. The user chooses a random x. This should probably
be at least 64 or 128 bits, enough to preclude exhaustive
search. He calculates f(x), which is what he wants the
bank to sign by raising to the power di. But rather than
sending f(x) to the bank directly, the user first blinds
it by choosing a random number r, and calculating D=f(x)
* r^ei. (I should make it clear that ^ is the power
operator, not xor.) D is what he sends to the bank,
along with some information about what ei is, which tells
the denomination of the cash, and also information about
his account number." [Hal Finney, 1993-12-04]
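An added worked example of the exchange described in the excerpt above
(not part of the original document and not Hal Finney's or DigiCash's
code). The excerpt stops at sending D to the bank; the signing, unblinding
and verification steps here are the standard completion of Chaum's RSA
blind signature. The toy primes, the DENOMINATIONS table and all function
names are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy bank key: two Mersenne primes, far too small for real use.
P, Q = 2**107 - 1, 2**127 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)

def bank_keypair(e):
    """Return (e, d) for one denomination, or raise if e is not usable."""
    if gcd(e, PHI) != 1:
        raise ValueError(f"exponent {e} is not relatively prime to (p-1)(q-1)")
    return e, pow(e, -1, PHI)   # d = multiplicative inverse of e mod (p-1)(q-1)

# Hypothetical denomination table: public exponent -> value in cents.
DENOMINATIONS = {5: 100, 11: 500, 13: 1000}
SECRET = {e: bank_keypair(e)[1] for e in DENOMINATIONS}  # known to the bank only

def f(x):
    """One-way function f(): MD5 as in the quoted text; PKCS padding omitted."""
    return int.from_bytes(hashlib.md5(x).digest(), "big")

def blind(x, e):
    """User side: pick a random r and compute D = f(x) * r^e mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:          # r must be invertible to unblind later
            return (f(x) * pow(r, e, N)) % N, r

def bank_sign(D, e):
    """Bank side: sign the blinded value; the bank never sees x or f(x)."""
    return pow(D, SECRET[e], N)     # D^d = f(x)^d * r mod N

def unblind(signed, r):
    """User side: divide out r, leaving f(x)^d mod N."""
    return (signed * pow(r, -1, N)) % N

def verify(x, sig, e):
    """Anyone: the coin (x, sig) is valid for denomination e if sig^e == f(x)."""
    return pow(sig, e, N) == f(x)

def withdraw(e):
    """Full withdrawal; returns the coin and the blinded value the bank saw."""
    x = secrets.token_bytes(16)     # 128-bit random x, as the text suggests
    D, r = blind(x, e)
    return (x, unblind(bank_sign(D, e), r)), D
```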
12.5.4. "What is happening with DigiCash?"
- "Payment from any personal computer to any other
workstation, over email or Internet, has been demonstrated
for the first time, using electronic cash technology. "You
can pay for access to a database, buy software or a
newsletter by email, play a computer game over the net,
receive $5 owed you by a friend, or just order a pizza. The
possibilities are truly unlimited" according to David
Chaum, Managing Director of DigiCash TM, who announced and
demonstrated the product during his keynote address at the
first conference on the World Wide Web, in Geneva this
week." [DIGICASH PRESS RELEASE, "World's first electronic
cash payment over computer networks," 1994-05-27]
- DigiCash is David Chaum's company, set up to commercialize
this work. Located near Amsterdam.
+ Chaum is also centrally involved in "CAFE," a European
committee investigating ways to deploy digital cash in
Europe
- mostly standards, issues of privacy, etc.
- toll roads, ferries, parking meters, etc.
- http://digicash.support.nl/
- info@digicash.nl
- People have been reporting that their inquiries are not
being answered; could be for several reasons.
12.5.5. The Complexities of Digital Cash
- There is no doubt as to the complexity: many protocols,
semantic confusion, many parties, chances for collusion,
spoofing, repudiation, and the like. And many derivative
entities: agents, escrow services, banks.
- There's no substitute for _thinking hard_ about various
scenarios. Thinking about how to arrange off-line clearing,
how to handle claims of people who claim their digital
money was stolen, people who want various special kinds of
services, such as receipts, and so on. It's an ecology
here, not just a set of simple equations.
By Tim May, see README
HTML by Jonathan Rochkind