[fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

cyphrpunk cyphrpunk at gmail.com
Thu Oct 20 14:31:39 EDT 2005

Let's take a look at Daniel Nagy's list of desirable features for an
ecash system and see how simple, on-line Chaum ecash fares.

>  http://www.epointsystem.org/~nagydani/ICETE2005.pdf
>  One of the reasons, in the author's opinion, is that payment systems
>  based on similar schemes lack some key characteristics of paper-based
>  cash, rendering them economically infeasible. Let us quickly enumerate
>  the most important properties of cash:
>  1.  "Money doesn't smell."  Cash payments are -- potentially --
>  _anonymous_ and untraceable by third parties (including the issuer).

This is of course the main selling point of Chaum's system, where it
excels. I will point out that defining cash as merely "potentially"
anonymous leaves a loophole whereby fully non-anonymous systems get to
call themselves cash. This underplays the strength of Chaum's system.
It is not just "potentially" anonymous, it has a strong degree of

>  2. Cash payments are final. After the fact, the paying party has no
>  means to reverse the payment. We call this property of cash
>  transactions _irreversibility_.

Certainly Chaum ecash has this property. Because deposits are
unlinkable to withdrawals, there is no way even in principle to
reverse a transaction.

>  3. Cash payments are _peer-to-peer_. There is no distinction between
>  merchants and customers; anyone can pay anyone. In particular, anybody
>  can receive cash payments without contracts with third parties.

Again this is precisely how Chaum ecash works. Everyone can receive
ecash and everyone can spend it. There is no distinction between
buyers and vendors. Of course, transactions do need the aid of the
issuer, but that is true of all online payment systems including

>  4. Cash allows for "acts of faith" or _naive transactions_. Those who
>  are not familiar with all the antiforgery measures of a particular
>  banknote or do not have the necessary equipment to verify them, can
>  still transact with cash relying on the fact that what they do not
>  verify is nonetheless verifiable in principle.

I have to admit, I don't understand this point, so I can't say to what
extent Chaum ecash meets it. In most cases users will simply use their
software to perform transactions and no familiarity is necessary with
any antiforgery or other technical measures in the payment system. In
this sense all users are "naive" and no one is expected to be a
technical expert. Chaum ecash works just fine in this model.

>  5. The amount of cash issued by the issuing authority is public
>  information that can be verified through an auditing process.

This is the one aspect where Chaum ecash fails. It is a significant
strength of Daniel Nagy's system that it allows public audits of the
amount of cash outstanding.

However note that if the ecash issuer stands ready to buy and sell
ecash for "real money" then he has an incentive not to excessively
inflate his currency as it would create liabilities which exceed his
assets. Similarly, in a state of competition between multiple such
ecash issuers, any currency which over-inflates will be at a
disadvantage relative to others, as discussed in Dan Selgin's works on
"free banking".

Daniel Nagy also raised a related point about insider malfeasance,
which is also a potential problem with Chaum ecash, but there do exist
technologies such as hardware security modules which can protect keys
in a highly secure manner and make sure they are used only via
authorized protocols. Again, the operators of the ecash system have
strong incentives to protect their keys against insider attacks.

>  The payment system proposed in (D. Chaum, 1988) focuses on the first
>  characteristic while partially or totally lacking all the others.

In summary, I don't think this is true at all. At least the first
three characteristics are met perfectly by Chaumian ecash, and
possibly the fourth is met in practice as naive users can access the
system without excessive complications. Only the fifth point, the
ability for outsiders to monitor the amount of cash in circulation, is
not satisfied. But even then, the ecash mint software, and procedures
and controls followed by the issuer, could be designed to allow third
party audits similarly to how paper money cash issuers might be
audited today.

There do exist technical proposals for ecash systems such as that from
Sander and Ta-Shma which allow monitoring the amount of cash which has
been issued and redeemed while retaining anonymity and unlinkability,
but those are of questionable efficiency with current technology.
Perhaps improved versions of such protocols could provide a payment
system which would satisfy all of Daniel Nagy's desiderata while
retaining the important feature of strong anonymity.
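
Added example, not part of the original post or of any ecash implementation: a toy on-line Chaum-style mint using RSA blind signatures, showing why a deposit cannot be linked to a withdrawal and why each spend still needs the issuer to check for double spending. The key, the hash-to-integer step and all names (Mint, withdraw, explaining_factor) are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Constructed toy mint key: two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # mint's private exponent

def h(serial: bytes) -> int:
    """Hash a coin serial number into Z_N (stand-in for proper padding)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

class Mint:
    def __init__(self):
        self.withdrawal_log = []  # blinded values seen at withdrawal
        self.spent = set()        # serials already deposited

    def sign_blinded(self, blinded: int) -> int:
        self.withdrawal_log.append(blinded)
        return pow(blinded, D, N)

    def deposit(self, serial: bytes, sig: int) -> str:
        """On-line check: valid signature and serial not seen before."""
        if pow(sig, E, N) != h(serial):
            return "bad signature"
        if serial in self.spent:
            return "double spend"
        self.spent.add(serial)
        return "ok"

def withdraw(mint: Mint):
    """Payer blinds a fresh serial, has it signed, then unblinds."""
    serial = secrets.token_bytes(16)
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    blinded = h(serial) * pow(r, E, N) % N
    sig = mint.sign_blinded(blinded) * pow(r, -1, N) % N
    return serial, sig

def explaining_factor(blinded: int, serial: bytes) -> int:
    """Blinding factor r under which `blinded` would hide `serial`.
    One exists for every (log entry, coin) pair, so the log cannot
    tell the mint which withdrawal produced which deposited coin."""
    return pow(blinded * pow(h(serial), -1, N) % N, D, N)
```

explaining_factor uses the private exponent only to exhibit the factor; the point is that it always exists, so the mint's records are equally consistent with every pairing of withdrawals and deposits.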