Counting Cats in Zanzibar

Digital Cash

Following a comment at Samizdata about using cryptography to implement a system of money the governments of the world couldn’t get their hands on, I was motivated to talk a bit about digital cash. This idea has been around for a while now, and there have even been real-world implementations of it. The version I’m going to discuss is a bit non-standard.

This is a way to build your own system of money that can be transmitted over the internet and is secure against fraud but is untraceable and anonymous.

I am going to be using blind signatures again, which I’ve discussed before, and it may be useful to review what I said then. (This post is a bit technical, so those who are not into heavy crypto stuff might wish to take my word for it that it’s possible and drop out now. Talking about what you could do with it may be more interesting.)

Making basic digital payments is easy. You write what you might call a digital cheque – the text string “Cheque No 4242: Pay Mr Arthur Dent the sum of $42 from my account.” for example – and then you sign it with your digital signature, for which the bank holds a copy of the public key. (That is, you encrypt it in a way that only you, holding the secret key, can do, but that anybody can decrypt.) The bank can check it was really you that wrote it, and nobody else can forge the signature. But of course, the transaction can be traced to you, recorded, and taxed.

The distinction between digital cash and digital money is that cash is anonymous. It cannot be traced. And I mean – not ever. If you look at a bank note, you will see it has a unique serial number on it. Even coins can be identified by the pattern of scratches on their surface. But digital cash relies on cryptography for its untraceability. Nothing in this universe is certain, but so far as we know it’s much safer than $5 bills.

OK, suppose Alice wants to pay Bob $5 for some service – say, a bit of software Bob has written – but neither wants anybody to know they are conducting business, or who they are. Not even each other. They are known on the internet only by pseudonyms.

First, Bob writes for himself a bit of digital cash: “$5 belonging to Bob – acct No 123456. Random serial number: 340653405873.” This has his real details in it. But then he blinds it, using the method for blind signatures with the bank’s public key, and sends it to Alice. Alice can no more read it than the bank can, because of the blinding, so she still does not know Bob’s identity. Alice blinds it again herself and then passes it to the bank and says “sign this and take $5 out of my account”. The bank uses a special key that it only uses for $5 notes (as it can’t tell what the contents of the message are) and passes the signed note back. Alice still can’t read it. Now Alice removes her own added blind and sends the signed banknote to Bob in exchange for the goods. Note, she doesn’t have to know who Bob is, and there’s nothing in the bank note to say who Alice is.

Bob unblinds the bank note and checks that the contents are intact and the bank’s signature is valid. Now Bob has a $5 banknote signed by the bank, which he can pay in whenever he chooses. The bank of course knows it is one of its notes, because it has the bank’s signature on it, and it knows Bob hasn’t paid it in already because of the unique random serial number, which Bob made up and the bank has never seen before.
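The double-blinded exchange described above, worked through with textbook RSA blind signatures, as an added example that is not part of the original post. The bank key (built from two Mersenne primes, so trivially factorable), the SHA-256 hashing of the note and all function names are assumptions made for the demonstration.

```python
import hashlib, math, secrets

# Toy bank key for $5 notes, constructed for this demo from two Mersenne
# primes. Such a modulus is easy to factor and must never be used for real.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # bank's private exponent

def digest(note: bytes) -> int:
    """Hash the note to an integer modulo N (proper padding omitted)."""
    return int.from_bytes(hashlib.sha256(note).digest(), "big") % N

def blind(x: int):
    """Return (x * r^E mod N, r) for a fresh random blinding factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (x * pow(r, E, N)) % N, r

def unblind(x: int, r: int) -> int:
    """Strip one blinding layer by multiplying with r^-1 mod N."""
    return (x * pow(r, -1, N)) % N

def bank_sign(blinded: int) -> int:
    """Bank debits $5 from the requester and signs what it cannot read."""
    return pow(blinded, D, N)

spent = set()                          # notes the bank has already accepted

def bank_deposit(note: bytes, sig: int) -> bool:
    """Accept a note once: valid $5-key signature and not seen before."""
    if pow(sig, E, N) != digest(note) or note in spent:
        return False
    spent.add(note)
    return True

def pay():
    """Run the exchange; return Bob's note, its signature, and what the bank saw."""
    note = b"$5 belonging to Bob - acct No 123456. Random serial number: 340653405873."
    from_bob, r_bob = blind(digest(note))     # Bob -> Alice (blinded once)
    to_bank, r_alice = blind(from_bob)        # Alice -> bank (blinded twice)
    signed = bank_sign(to_bank)               # bank -> Alice
    to_bob = unblind(signed, r_alice)         # Alice removes her blind -> Bob
    sig = unblind(to_bob, r_bob)              # Bob removes his blind
    return note, sig, to_bank
```

The bank only ever handles `to_bank`, which carries both blinding factors, so it cannot link the signing request to the note that is later deposited; the deposit check rejects a second presentation of the same note.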

The disadvantage of this variant over the usual scheme is that you can’t so easily pass the money on. You have to pay it into the bank and take it out again to spend it. The advantage is that nobody has to know who anybody else is. In the usual scheme, the bank can’t trace the money, but Alice and Bob do have to know each other.

And it’s perfectly feasible for Bob to delay paying the money in to his bank account indefinitely. He can leave it sat on his hard drive, and the bank can have no idea where the money is or who owns it. For that matter, Bob could run the above process to pay himself, and delay paying the money back in. That would be an equivalent of withdrawing your cash and keeping it under the mattress. For all the bank knows, you might have spent it all. If you didn’t trust the bank, you could keep most of your money in digital form, and only pay a little of it back in when you need to pay anyone. Nobody will know how much you have got.

I said above that you couldn’t pass the money on – this isn’t quite true. Bob could write himself $5 notes and blind them, but then pass them out speculatively to any of his regular customers that he is expecting to trade with in the future. Then when they want to trade with other people, instead of writing their own banknotes, they can use Bob’s. Those other people get their banks to sign them, and then Bob’s customers have something to pay Bob with next time they do business. The people in the middle don’t have to mention any of this to the bank. The chain can be indefinitely extended.

Extending the chain does require additional degrees of trust/risk that have to be enforced or insured against somehow, but has the major advantage that it can get round the scheme’s biggest flaw. While the authorities cannot tell how much you’ve got, they could tax how much went in and out of your bank account, on the assumption that it represented your transactions. Of course it doesn’t since you could be taking it out to keep “under the mattress”, but they’re unlikely to take your word for it. However, by setting up extended chains of cash transfers only the beginning and end of the chain, where it crosses the boundary with the mainstream system, are visible. (There are other ways too, like individuals setting up as banks themselves. The only requirement for a bank is to be trusted by your customers.)

There’s a lot more could be said about it, but that’s the basic idea. A form of digital cash that the bank can’t repudiate, but where everybody can trade anonymously. The government can’t tell how much anyone has or who they are trading with, and has only a limited idea of how much trade is going on. I expect the governments would find a way to muscle in on it somehow, but it would be extremely difficult to do practically.

At the same time, such a scheme would be tricky to organise on a large scale, and so far ordinary (sane) people don’t seem very interested. They’re content with the current system. But I do like to know it’s there, though, just in case.

9 Comments

  1. Lord T says:

    I understand the technology but technology for technology’s sake isn’t right. There are so many things where this could go wrong I could never see myself getting involved in it.

    Real cash is much better with few of the disadvantages.

  2. Lord T says:

    Ooops. Forgot to mention. The reason cash is so popular is it keeps you off the radar of government and you ‘disappear’ off the grid. This will not allow that and until a scheme comes up that does, coins, paper or equivalents will always be needed despite what the government tries to do to remove it.

  3. Pa Annoyed says:

    Lord T,

    I appreciate the comment. And I like the criticism. But respectfully, I must disagree.

    Real cash is traceable. Believe me. They record the serial numbers, and if you steal large quantities, you have to be very careful about where you get rid of it. You don’t think they can’t scan serial numbers in at high speed? You don’t think there is a database of every bill issued, and where it passes in and out of banking officialdom? Haven’t you seen kidnappers in the movies asking for unmarked bills with non-consecutive serial numbers? Do you know how small they can make RFID trackers these days? For most situations it’s too much bother, but they can do it if they want to, and advancing technology will only make it easier.

    The point of this scheme is precisely to keep you off the government’s radar. We send each other encrypted emails, or blog comments, or bluetooth/wifi messages from phone to phone that the government cannot see. It might be able to find out what cash you have withdrawn, or paid in, but the same goes for cash from a hole in the wall. The point is to stay on the grid, because it’s where everything is, but to move across it like a ghost. Invisible.

    There is still a big problem with trust in this scheme - most people cannot write the software, or check the maths, and so must trust someone. Nothing’s perfect. But you potentially have more choices than just the government.

  4. Lord T says:

    I can see what you say but still think it is less secure.

    OK, Serial numbers can be scanned but not at your local shops or when you pay your local drug dealer for your tobacco. Same with RFID you can detect the tags and crush, EMP or remove them.

    Why do you think kidnappers ask for cash? It’s because it is virtually untraceable.

    I don’t see having to have a computer, and a reliable one at that, keeps you off the radar when all EMail is monitored and recorded. You will leave a trail between all the parties which can be retraced years later.

    Now for legal documents and binding agreements that you want to keep off the radar of anyone but the government then this is great and is probably already in use but as a replacement for cash I still stand by my statement and I’m confident I could write the code if I needed to from my experience and books I have.

  5. Pa Annoyed says:

    Most local shops pay their takings straight into the bank at the end of every day. It’s not unusual for some shops to keep the cash coming in and the float used to give change separate, as it makes the accountancy easier, so it’s quite likely that the bank can determine where a lot of the money you took out was spent. And if your drug dealer is daft enough to pay the money straight into the bank, same applies. Again, if you’re careful you can avoid that, but it’s something most people don’t even think about. Destroying the RFID potentially invalidates the money. If the bank refuses to take it, somebody is going to be unhappy. Better hope your drug dealer doesn’t know where you live.

    The monitoring of email is a separate issue, which requires other means to secure. You can get round the monitoring - either by relatively simple measures like using Tor to access anonymous drop-boxes or blog comments, or if you’re really serious you can run anonymous broadcast protocols on darknets. I haven’t got around to talking about all that yet. An alternative to that approach is to use steganography to hide the fact that you’re communicating at all. I intend to talk about that too, at some point. But I’m spacing out these technical posts because I suspect most people are not interested and I don’t want to put people off.

    Eventually, I’ll be able to talk about the applications and the implications of these schemes, and refer questioners to the relevant technical post. But I’ve found in the past that if you try to argue that you really can operate your own currency on the internet, people won’t believe it, because it’s too far outside the controlled, statist way they know the world works. I’ve found myself trying to argue along too many lines at once, because there’s just too much to explain.

    I don’t know whether this approach will work, but it’s worth a try.

  6. Lord T says:

    I’d like to see our local bank refusing to take a perfectly valid £50 because RFID didn’t work on some notes. There would be riots and people would refuse to accept them for anything. Personally I would just keep passing it around outside the system anyway.

    I’ll agree that digital cash is workable, with my caveats about government, so you can move on. Your posts are always interesting and these have real world applications that should be in use, but probably won’t because of our KGB style government.

    Let’s keep people informed about how they can put some sand in the machine. I try and do that at my blog but your articles are much better. Can we see more of these real world applications than quantum mechanics or at least a 1 to 1 ratio. Theoretical stuff gives me headaches despite how well written you do it.

  7. Rob Fisher says:

    Hm, doesn’t seem like there’s much stopping a scheme like this from just springing into existence. How could we bootstrap our own digital cash system? Could we avoid having to do currency exchange with national currencies? Would we need to back our cash with gold, like in Cryptonomicon, or could we create it out of nothing, like governments do?

  8. Pa Annoyed says:

    Lord T,

    Thanks. I’ll see what I can do, but I’m planning to take it slow, partly for the reasons above, partly because I’d like to have something to post on in the coming months, and in large part because I’ve got other things to do and other interests. Writing clearly about complicated stuff this way takes significant time and effort, and I want it to be enjoyable, not a chore, otherwise I’ll get fed up of it and give it up. There’s more to life than blogging; having now tried it, I don’t know how Cats and Nick keep it up. They’re amazing.

    But don’t let my slowness stop you thinking about it or discussing it. I’d be very happy if other people can contribute any ideas, too. And the more it’s discussed, the more it prods me to write the next bit.

    Rob,

    I’m also planning a long post on the economic side of creating money, but there are some aspects I still need to think through properly. Yes, we can (and do) create money like governments do, although it isn’t exactly out of nothing. Government money is, in a sense, ‘backed’ by future tax revenue - although that’s a gross simplification and I really need to take the time to explain it properly.

    As for where one might start, I was thinking of MMORPGs as an obvious possibility. That would be a way to set up the infrastructure and build public familiarity with the concept.

  9. berenike says:

    Mon chere pere uses this:

    http://webee.mobi/

    and this:

    http://www.cipherme.net/info/gb1/index.htm

    The structure and security are there - someone writes a digital cash application, and you’re off …
