[Cryptography] [ANNOUNCE] HashCash Digital Cash

Ashish Gulhati crypto at ashish.neomailbox.com
Thu Jun 22 00:03:38 EDT 2017


> Tumblebit isn't /just/ a mixer - it's also a payment channel based hub for sending off-chain transactions. Including microtransactions.

OK, I didn’t notice that the first time I read about it. However on a quick scan of the
paper it does seem that there's a time / privacy tradeoff even in the payment channel 
mode. The more thoroughly you want your transactions anonymized, the longer you’d 
need to keep the payment channel open.

It also seems that both payer and payee need to commit funds to escrow for this 
mode to work, and keep those funds committed as long as they’d like the payment
channel open. So if you have 20 payment hubs you use, you have to have funds 
on escrow with all of them. I don’t think that would work for most users.

HashCash needs none of that. You could exchange Bitcoin to HashCash and
then exchange back to Bitcoin seconds later, and the Bitcoin you receive will
come from the set of ALL UTXOs belonging to the vault, not just the ones linked to
a particular payment channel, or limited by a specific timeframe. (And in a HashCash
system based on precious metals the backing value is itself completely private and 
fungible).

However, my main point was that since HashCash is a full cash system, not a payment 
channel or a tumbler, and more convenient to use than Bitcoin, you would probably just 
sling HashCash around all day long rather than converting to Bitcoin. Bitcoin might just 
be a thin interface between HashCash and fiat for most people. Once exchangers
started doing fiat <-> HashCash directly, most end users wouldn’t even need to know
that there was Bitcoin in there in the middle too.

And once you have HashCash backed by precious metals, you can just dispense with
both fiat and Bitcoin.

HashCash is a real *cash* system. It has real coins. Bitcoin isn’t a real cash
system. A real cash system has all sorts of versatility that ledger-based systems 
don’t.

It’s also super easy to understand (and use securely). I can explain it to a total non-techie
in under 10 minutes. If users can’t directly understand how a system works, you’re 
asking them to trust the developers and crypto-geeks. So you haven’t taken
trust out of the equation at all. You’ve also lost 90% of your potential users because it’s 
all just too complicated. 

If users can’t easily use a system securely, that system is just putting their funds up for 
grabs by the next criminal to come along. I don’t believe most regular users can use
Bitcoin securely.

Also, when you cut through the hype, blockchain currencies themselves are speculative 
bubbles (probably short-lived) premised on artificial (and unreal) scarcity. As such, I find 
most attempts to bolt privacy onto them somewhat pointless (although it’s true of course 
that they may result in interesting ideas that could have applicability elsewhere).

HashCash is not an attempt to bolt privacy onto Bitcoin. It’s a totally distinct, true digital 
cash system that can be layered on top of Bitcoin (and maybe Litecoin and others as 
well in the future) as a way to help vaults bootstrap themselves.

> When using a mixer it is better to use one with a large user base to increase your anonymity set.

Yes, and as mentioned above, with HashCash the anonymity set is all transactions,
ever, in a HashCash vault, vs. transactions within a payment channel or within a specific
timeframe, as I understand the case to be with TumbleBit.

As TumbleBit requires payees and payers to both escrow funds, whereas HashCash 
doesn’t, that would also seem to make it more likely that HashCash vaults will have more 
users.

And really, once all this matures a bit, with HashCash you’d never think of Bitcoin at all,
whereas with TumbleBit you need to think and know about both Bitcoin and TumbleBit.

> One added bonus is that unlike HashCash there is no counterparty risk because the mixer itself does not take custody of your funds.

This is the only benefit, if you’re comparing the two solely as Bitcoin anonymization
methods. But HashCash is a cash system, and looking at it only as a Bitcoin anonymization
solution is missing most of the point.

I also totally disagree with the notion that trusted third parties are the worst thing ever. 
E-gold was a trusted third party based system that worked for longer than Bitcoin has so far (with
instant transactions, low fees, and a real value backing). In the end it didn’t go down because 
E-Gold was untrustworthy, it went down because it was ridiculously vulnerable to regulatory 
takedown. That’s a separate risk from the risk of trusting a third party, and that risk exists 
with Bitcoin and blockchains as well. It still remains to be seen if Bitcoin survives even as
long as E-gold did.

E-gold was also a proprietary system that couldn’t easily be cloned by hundreds or thousands
of free-market competitors (though it did still have some competitors). HashCash is free 
software and a vault can be set up by anyone.

The market has been in the business of decentralizing and keeping providers honest a lot
longer than blockchains, and it does a mighty fine job of it when it’s free to operate.

> Assuming that you can convince your counterparty to trust whatever vault you're using, right?

Not really. If they don’t want to trust the vault you can just send them a HashCash
-> Bitcoin payment. It will just cost more and be slower than sending HashCash.

Interestingly, you could even do that right now using your own vault (no 3rd party trust 
needed). You run a vault at home just for your own use, put some Bitcoin in it, it issues 
you some HashCash coins. Now you can spend those HashCash coins as Bitcoin from your 
offline HashCash wallet any time, and the Bitcoin will be sent by your vault. That’s already a 
much more secure and convenient way to use your Bitcoin than to have a Bitcoin wallet 
on any normal connected device.

However that’s a degenerate case where you can achieve the same result in a simpler way. 
But extending it a bit further, you could also run a home vault for your family. Your kids’ 
allowance, cash for chores, etc, gets paid to them in HashCash and they can spend it as 
Bitcoin any time. You might provide HashCash coins to friends and family members who don’t 
have the best infosec habits to use Bitcoin securely, and they'd be able to use them securely 
from an offline HashCash wallet. If your vault’s users make transactions between each other 
using HashCash from your vault, you can’t track those transactions.

Extend it a bit further, and a respected and generally trusted person or group within a 
small community might run a vault for that community, which permits them to have a truly 
local cash system that depends on no external parties in any way, and could even run 
independent of the Internet. This could be pretty useful in large parts of the third world, 
including places where the local fiat currency is literally worth less than toilet paper.

You see where this is going? You can have HashCash vaults running at various different 
scales, providing many independent cash systems that can all interoperate. Much like
email and the ‘net.

Also if someone doesn’t want to trust a vault long-term but they’re ok to do so on a shorter
timescale, they can minimize the amount of time they trust the vault for by immediately 
converting received HashCash to Bitcoin.

> Seems like a bit of a bootstrapping problem in order to gain much network effect.

Same bootstrapping problem TumbleBit would have, but less, because being a full cash
system that’s more versatile, easier to understand and use (and even more secure, for 
most users, see FAQ) than Bitcoin, HashCash has many more use cases other than just 
privacy, so it should gain traction faster.

> In order to maximize utility, wouldn't HashCash likely consolidate into a smaller number of
> highly trafficked vaults?

How would that happen, when anyone who runs a vault stands to profit?

The profits to be gained from running a vault, and the low barrier to entry, should help
ensure a large number of vaults and lots of competition between them. Vaults targeting different 
countries, local communities, specific requirements of certain user groups, with different fees, 
different value bases… We see such a proliferation of blockchain currencies, the same should
happen with HashCash vaults (possibly in higher numbers, as a HashCash vault is much easier 
to start).

However, with blockchain currencies this is a problem, as every new blockchain currency
brings closer the day of reckoning when it becomes generally understood that each individual 
currency’s coin minting limit (if it even has one) is meaningless, and that all of them are minted 
by fiat and have zero scarcity or reason to have any value. On the other hand the proliferation 
of HashCash vaults would only strengthen and diversify the HashCash ecosystem.

Nor would it be a problem to have hundreds of vaults, as long as there are also good automated
systems to test and rate them, which are pretty easy to set up. Most people might accept
HashCash from (let’s say) the Top 100 vaults so you’d just be able to use coins from any of
those vaults. But if you had specific requirements (use a vault in a specific jurisdiction, or
with a specific value base, or with especially low fees for micropayments) you could 
use a specifically selected vault.

> Why would TumbleBit nodes be any easier or harder to take down than HashCash vaults? Either can presumably be operated anonymously.

Yes, my point was that with a system that has more use-cases other than just privacy,
those other use-cases could embed in the ‘net in a way that makes takedown
difficult. If HashCash micropayments become a common way of paying for network
resources to prevent resource exhaustion attacks (which, IMO, is an excellent application
for HashCash) that will make it more difficult to take down HashCash vaults without messing 
up a lot of network infrastructure that depends on them.

> Some people see Bitcoin "losing market share" while others see a vibrant cryptoeconomy blooming. :-)

The bubble is still inflating but Bitcoin’s share of it is reducing. That’s just proof (if any was ever
needed) that Bitcoin’s 21 million limit is meaningless, because the real limit on cryptocurrency 
volume is the total of the limits of all cryptocurrencies, which is infinity.

There is no limit on cryptocurrency issuance. Blockchain cryptocurrencies are fiat, whereby anyone
can issue funny money, not just nation states. The only truly scarce goods on the planet that are 
suitable for use as money are precious metals. (Well, it’s possible there are others we’ve missed 
for centuries, or which HashCash itself will make usable, and innovative HashCash vaults might 
reveal them).

> Hm, an interesting thought. Though the nice thing about a Bitcoin-backed vault is that it could easily publish cryptographic proof of reserves, while a precious metals vault would have to publish audits by some other trusted entity.

I thought about this, but realized that proof of reserves is meaningless in a HashCash
system. Nobody other than the vault knows the total value of its coins in circulation, 
so what would you compare the reserves against?

The really nice thing about a Bitcoin-based vault is that it’s easy to buy and sell HashCash
for Bitcoin. With precious metals the question is how to get the metals into and out of the vault.
You could use Bitcoin for the buy and sell parts, and the vault converts to metal for storage on
the back-end. That would work as long as Bitcoin holds value. Eventually exchangers and
ATMs could fill the role of providing the interface.

The other really great thing about a Bitcoin-backed vault is that it could switch jurisdictions
with the click of a button, if needed. With a metal-backed vault, the metal wouldn’t be easy 
to move quickly, although a vault could keep it geographically dispersed to begin with.

Cheers

#!


