Digital Cash Mini-FAQ

By Jim Miller

I recently wrote a description of digital cash for Tom Steinert-Threlkeld, Technology Writer for the Dallas Morning News. I figured I might as well post it here in case there are any newbies that are still coming up to speed. Keep in mind that my intended audience is a person who is in touch with the latest commercially available technology, but is not an engineer, mathematician, or scientist. I've intentionally generalized and oversimplified the descriptions to keep from getting bogged down in the details. If I've made any gross errors let me know, but I think most of the information is accurate.

Q: How is digital cash possible?

A: Public-key cryptography and digital signatures (both blind and non-blind signatures) make digital cash possible. It would take too long to go into detail how public-key cryptography and digital signatures work. But the basic gist is that banks and customers would have public-key encryption keys. Public-key encryption keys come in pairs. A private key known only to the owner, and a public key, made available to everyone. Whatever the private key encrypts, the public key can decrypt, and vice verse. Banks and customers use their keys to encrypt (for security) and sign (for identification) blocks of digital data that represent money orders. A bank "signs" money orders using its private key and customers and merchants verify the signed money orders using the bank's widely published public key. Customers sign deposits and withdraws using their private key and the bank uses the customer's public key to verify the signed withdraws and deposits.

Q: Are there different kinds of digital cash?

A: Yes. In general, there are two distinct types of digital cash: identified digital cash and anonymous digital cash. Identified digital cash contains information revealing the identity of the person who originally withdrew the money from the bank. Also, in much the same manner as credit cards, identified digital cash enables the bank to track the money as it moves through the economy. Anonymous digital cash works just like real paper cash. Once anonymous digital cash is withdrawn from an account, it can be spent or given away without leaving a transaction trail. You create anonymous digital cash by using numbered bank accounts and blind signatures rather than fully identified accounts and non-blind signatures.

[To better understand blind signatures and their use with digital cash, I highly recommend skimming through chapters 1 - 6 of Bruce Schneier's book _Applied Cryptography_ (available at Taylor's Technical Books). It is quite readable, even to the layman. He doesn't get into the heavy-duty math until later in the book. Even if you don't write a digital cash column in the near future, I still recommend reading through chapters 1 - 6 of _Applied Cryptography_. Bruce does a very good job of describing the wide variety of interesting things you can do when you combine computers, networks, and cryptography.]

There are two varieties of each type of digital cash: online digital cash and offline digital cash. Online means you need to interact with a bank (via modem or network) to conduct a transaction with a third party. Offline means you can conduct a transaction without having to directly involve a bank. Offline anonymous digital cash is the most complex form of digital cash because of the double-spending problem.

Q: What is the double-spending problem?

A: Since digital cash is just a bunch of bits, a piece of digital cash is very easy to duplicate. Since the copy is indistinguishable from the original you might think that counterfeiting would be impossible to detect. A trivial digital cash system would allow me to copy of a piece of digital cash and spend both copies. I could become a millionaire in a matter of a few minutes. Obviously, real digital cash systems must be able to prevent or detect double spending.

Online digital cash systems prevent double spending by requiring merchants to contact the bank's computer with every sale. The bank computer maintains a database of all the spent pieces of digital cash and can easily indicate to the merchant if a given piece of digital cash is still spendable. If the bank computer says the digital cash has already been spent, the merchant refuses the sale. This is very similar to the way merchants currently verify credit cards at the point of sale.

Offline digital cash systems detect double spending in a couple of different ways. One way is to create a special smart card containing a tamper-proof chip called an "Observer" (in some systems). The Observer chip keeps a mini database of all the pieces of digital cash spent by that smart card. If the owner of the smart card attempts to copy some digital cash and spend it twice, the imbedded Observer chip would detect the attempt and would not allow the transaction. Since the Observer chip is tamper-proof, the owner cannot erase the mini-database without permanently damaging the smart card.

The other way offline digital cash systems handle double spending is to structure the digital cash and cryptographic protocols so the identity of the double spender is known by the time the piece of digital cash makes it way back to the bank. If users of the offline digital cash know they will get caught, the incidents of double spending will be minimized (in theory). The advantage of these kinds of offline systems is that they don't require special tamper-proof chips. The entire system can be written in software and can run on ordinary PCs or cheap smart cards.

It is easy to construct this kind of offline system for identified digital cash. Identified offline digital cash systems can accumulate the complete path the digital cash made through the economy. The identified digital cash "grows" each time it is spent. The particulars of each transaction are appended to the piece of digital cash and travel with it as it moves from person to person, merchant to vender. When the cash is finally deposited, the bank checks its database to see if the piece of digital cash was double spent. If the digital cash was copied and spent more than once, it will eventually appear twice in the "spent" database. The bank uses the transaction trails to identify the double spender.

Offline anonymous digital cash (sans Observer chip) also grows with each transaction, but the information that is accumulated is of a different nature. The result is the same however. When the anonymous digital cash reaches the bank, the bank will be able to examine it's database and determine if the digital cash was double spent. The information accumulated along the way will identify the double spender.

The big difference between offline anonymous digital cash and offline identified digital cash is that the information accumulated with anonymous digital cash will only reveal the identity of the spender if the cash is double spent. If the anonymous digital cash is not double spent, the bank can not determine the identity of the original spender nor can it reconstruct the path the cash took through the economy.

With identified digital cash, both offline or online, the bank can always reconstruct the path the cash took through the economy. The bank will know what everyone bought, where they bought it, when they bought it, and how much they paid. And what the bank knows, the IRS knows.

By the way, did you declare that $20 bill your Grandmother gave you for your birthday? You didn't? Well, you wont have to worry about forgetting those sorts of things when everybody is using fully identified digital cash. As a matter of fact, you wont even have to worry about filing a tax return. The IRS will just send you a bill.

Jim Miller (