Digital Money
DAVID CHAUM
The question I'd like to address is an urgent one, in my view. It may be a design question and it's one we can all have a significant amount of influence on. Today, in the physical world, you may have only a few grocery stores, insurance agents, travel agents, banks and so forth that you visit. Each one of those goes out into a much broader community of possible sources of groceries and sales, perhaps on a national market.
You may be connected to only one cable TV system, but they have access to programming material from all over the world. The real question is: how can that be organised in cyberspace? More fundamentally, what are the restrictions? What structure can be imposed on cyberspace? And how can people protect themselves in cyberspace? These issues are really one and the same.
500 Channels vs. The Open Net Model
Let me begin very concretely by looking at two scenarios, the first of which you may have heard about this morning. According to these people's vision of cyberspace, there are intermediaries between you and the rest of the world, much like in the physical world today. They choose which services to offer you, which information to provide and so forth and send you a bill at the end of the month. This is the so-called 500 channels model.
There's a fundamentally different model that I call the open net model. Essentially, in this model, people can go out onto the whole Net and get whatever services they want. So you can choose a bank out of the whole set of the banks in the world, for example. And there's no intermediary between you and the Net. I'll return to those two models after dealing with some theoretical aspects of these issues.
Several types of information protection mechanisms are available to us. I'll start with this one, which bears some resemblance to the headend model. In this diagram, each one of these captions may be considered as a person with their own computer. They're able to exchange messages with some party they all trust. Of course, that's an unrealistic model, because it assumes that there is one person or one computer in the world that everyone trusts fully. And if everyone can communicate with that computer securely, then you can solve any information security problem. For instance, suppose we wanted to have an election here in this auditorium. If there was one party that everyone trusted completely, we could each tell him our vote. He would stand up and say who won the election. And we would trust him not to reveal who voted which way and not to mislead us about the outcome. But I never heard of an election being run that way. It's sort of the Clipper model of how to do information security. But it's a very powerful model. It's like the Turing machine of information security. Because if you have this situation, you can solve any information security problem whatsoever. Just like the Turing machine can do any computation.
But there is a fundamentally different approach to solving these information security problems, one based on new types of cryptography and coding called public key protocols. Essentially, what my group in Amsterdam and others have been able to prove mathematically is that with these coding techniques, it's possible to do everything that you could do with that mutually trusted party but without any mutually trusted party, simply by exchanging properly coded messages according to an agreed protocol. More specifically, we assume all the participants agree on what that trusted party should be doing. We write a computer program to do that and by exchanging encrypted messages, we simulate the running of that computer program without ever actually having run it on any physical machine. It's just simulated by the interaction between the parties. What we've really proven is that with modern information technology we can solve any information security problem just by letting each person have their own computer. Let them use their own computer to protect their own interests. There is no need at all to have any mutually trusted mechanism. I'll show you some examples of that later.
Let's revisit the headend and the other model briefly and see what this means. In the headend model, the implicit assumption is that you need a headend to find out how much each person uses and to bill them. How else could you securely run an accounting system or control access to information?
Change Money for Numbers
A situation like this can also occur if credit cards are used to pay on the Internet. There is no actual intermediary between you and the parties you're dealing with, but there's one central party, the credit card company, that administers all the accounting. So they know every single thing you buy, of course. And they can decide if your credit is still good and who can be a merchant on the Internet. So it's almost the same thing as having them in the middle of each transaction. This model doesn't really depend on how the messages flow, but on the trust relationships. So if we want to have the completely open net world, we will at least need a way for people to pay in cyberspace that doesn't require any mutually trusted mechanism that knows who's paying for what and when and is able to decide who can pay and who can't, revoke people's ability to pay and so forth. We need something like cash, but in bits. Essentially, we'd like to replace paper bank notes by numbers. I've been examining that problem for quite a number of years and we've found some nice solutions to it.
I'd like to briefly describe how Digital Cash works. Let's suppose you want to make an electronic cash system. The first idea that occurs to me is that when the bank wants to issue an electronic bank note, it would simply make up a number at random and sell it to me for a dollar, for example. Later, when I wanted to spend it at a shop, the shop would send the number to the bank because the shop wouldn't be able to tell if it's valid or not. The bank would look at the list of numbers it had issued, see that number, cross it off the list and send a message back to the shop that the payment was credited to the shop's account. The shop would then give me the candy bar. That's the most basic, simplest electronic cash scheme I know of. It has some problems, one of which is that it's not secure. It's secure only in the sense meant by banks and the like: it protects the bank from people. To them, security means protecting their interests. But it doesn't protect the interest of individuals because the bank could cheat people. For example, the bank could give the number to two different people. The first one trying to spend the number at a shop would succeed, but the second would be rejected because the bank would say that the number had already been spent. That person would then be falsely accused of trying to spend their money more than once. And the bank would make a one-dollar profit. Similarly, a bank could falsely claim that a number had already been spent. So the money interests of the individual are not protected in a system like that.
There is also no protection of their privacy whatsoever because the bank already knows which number it issued to which person. Therefore, when those numbers come in from the shops, it knows exactly who was there at that moment buying that stuff.
Public Key Digital Signatures
We've found some new cryptographic techniques that allow us to overcome those problems using so-called Public Key Digital Signatures. Perhaps you're familiar with this notion in the form of the RSA public key scheme, which is the most publicly hyped public key scheme. It's certainly not the best, the cheapest or the most available, but it's the most widely known.
Using a secret starting point, the bank creates a special number system. The bank does some coin flips, finds a random seed and uses that to create the number system. And because it knows how the number system was created, it is able to perform certain cube root operations in the number system that no one else can. Everyone can multiply and divide in the number system, but by virtue of the fact that it created this number system, only the bank can perform the cube root operations.
The system works as follows. Initially, the person creates their own number n. Instead of getting a number from the bank, you create your own blank piece of paper that the bank will turn into a valid bank note. But you don't want the bank to see it because they'll recognise it later when it's used to pay. So you hide it in an envelope: you multiply n by the cube of r, a second random number chosen by the payer. It's that product, n times r cubed, which is sent to the bank. The r hides n perfectly. Even if the bank had infinite computing power, they couldn't find out n, because the product contains just as much information about r as about n. To validate this bank note, the bank sends back the cube root of the number it received from you. And that's like stamping a validated mark on that blank piece of paper. For that service, the bank takes a dollar from your account.
Remember: anyone can divide in this system. The only thing they cannot do is compute cube roots. Only the bank can do that. But since the person created r, the blinding factor, the person can divide it out and cancel it. What remains is the cube root of n itself, call it f. The person now knows both n and f; f is the bank's validating mark on n.
A person can then send that pair, n and its cube root f, to the shop when they want to make a payment at a later time. The shop can then send the cube root to the bank, for example. Unlike in the previous scheme, the bank will only keep a list of the numbers it has already received in payments. It does not have to remember the numbers it issued. In fact, those won't do it any good, because the r's are gone. It just keeps a list of the numbers it has already received and gives a conditional receipt saying: we're going to accept this because it's not on our list, provided the shop will send us n shortly. And when the shop does send n, the bank is able to verify its Public Key Digital Signature. In other words, these pairs are things that you can only form if you're able to extract cube roots. It's the validating mark. So when the bank receives the pair, it's able to check the validity of its own validating mark, just as the shop did when it received the pair. So the bank knows that it must have signed this for someone, but it has no idea who, because that was hidden by the r.
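The withdrawal, payment and deposit just described, as an added example that is not code from the talk or from DigiCash. The bank's "number system" is an RSA modulus with public exponent 3, so the bank's secret is the exponent that takes cube roots. Two small fixed primes keep the script deterministic and instant; a real issuer would use a modulus of 2048 bits or more. One assumption beyond the talk: the payer's number n is a hash of a fresh serial, which stops a forger from simply presenting a perfect cube as a "note". The last function goes one step further than the text and shows why the blinding is unconditional: with the bank's own secret, any other note number is equally consistent with the envelope it saw.

```python
"""Cube-root (RSA, e = 3) blind signatures as untraceable e-cash: the bank
signs a note it cannot see, the payer unblinds it, the shop checks it, and
the bank's only record is the list of numbers already spent.

Added example, not DigiCash's code. Toy parameters: two small fixed primes
make it deterministic; the serial is hashed before signing (an assumption
the talk does not state) so a forger cannot present a perfect cube.
"""
import hashlib
import secrets
from math import gcd

E = 3  # the bank's public exponent: "cube roots"

# Constructed toy primes; p-1 and q-1 are coprime to 3, so cubing is a permutation mod N.
P = 1_000_000_007
Q = 998_244_353


class Bank:
    """Knows the secret exponent d that extracts cube roots mod N."""

    def __init__(self, p=P, q=Q):
        phi = (p - 1) * (q - 1)
        assert gcd(E, phi) == 1
        self.N = p * q
        self._d = pow(E, -1, phi)   # 3*d == 1 (mod phi): the cube-root exponent
        self.spent = set()          # numbers received in payment; issued numbers are never stored

    def sign_blinded(self, blinded):
        """Withdrawal: cube root of what the payer sent, which is n * r^3 mod N.
        The bank debits one dollar here and learns nothing about n."""
        return pow(blinded, self._d, self.N)

    def verify(self, n, f):
        """Anyone can check the validating mark: f^3 == n (mod N)."""
        return pow(f, E, self.N) == n % self.N

    def deposit(self, n, f):
        """Shop sends (n, f): accept if the mark checks and n was not seen before."""
        if not self.verify(n, f):
            return "invalid signature"
        if n in self.spent:
            return "already spent"
        self.spent.add(n)
        return "credited"

    def consistent_blinding_factor(self, blinded, candidate_n):
        """Even using its secret, the bank finds that every candidate note n'
        fits the envelope it saw: r' = (blinded / n')^(1/3) always exists."""
        assert gcd(candidate_n, self.N) == 1
        return pow(blinded * pow(candidate_n, -1, self.N), self._d, self.N)


def note_number(serial: bytes, N: int) -> int:
    """The payer's own number n: a hash of a fresh serial, reduced mod N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def withdraw(bank, serial):
    """Payer side. Returns the coin (n, f) and the envelope the bank saw."""
    N = bank.N
    n = note_number(serial, N)
    while True:                                  # blinding factor r, invertible mod N
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (n * pow(r, E, N)) % N             # the envelope: n * r^3
    signed = bank.sign_blinded(blinded)          # (n r^3)^d = n^d * r
    f = (signed * pow(r, -1, N)) % N             # divide out r: f = n^d, the cube root of n
    return n, f, blinded


def payment_demo():
    """Spend once, spend again, then try a forged mark. Returns the bank's three answers."""
    bank = Bank()
    n, f, _ = withdraw(bank, b"note-serial-0001")   # constructed serial
    assert bank.verify(n, f)                        # the shop's own check before handing over goods
    return (bank.deposit(n, f),
            bank.deposit(n, f),
            bank.deposit(n, (f + 1) % bank.N))


def unlinkability_demo():
    """The bank cannot tell which n was inside an envelope: any other note
    number is explained by some blinding factor r', so nothing singles out the real one."""
    bank = Bank()
    n, f, blinded = withdraw(bank, b"note-serial-0001")
    other = note_number(b"someone-else's-note", bank.N)
    r_other = bank.consistent_blinding_factor(blinded, other)
    return (other * pow(r_other, E, bank.N)) % bank.N == blinded


if __name__ == "__main__":
    print(payment_demo())        # ('credited', 'already spent', 'invalid signature')
    print(unlinkability_demo())  # True
```

Two things to notice when running it: the bank stores nothing at withdrawal time, only at deposit, and the double-spend check is a plain set lookup on n, so an honest payer's second presentation of the same coin is rejected with "already spent" exactly as a copied coin would be.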
The essential thing with this digital form of cash is that if persons use their own computer to withdraw this money and later to pay it, their computer is able to protect their privacy perfectly. And with the Public Key Digital Signature technique, the bank is able to protect its interests as long as people aren't able to counterfeit the money. However, there is a fine point I'd like to mention: if someone could break the Public Key Signature scheme, counterfeiting could take place and the bank could lose money. But the privacy of individuals is protected unconditionally. That means that even with infinite computing power, even if you could break every cryptosystem known, you couldn't find out who paid with which number or who withdrew which number. So this protects not only the payer, but also the shop. The merchant doesn't have to reveal its clients to the bank.
As concerns security, this creates a nice balance. A person's privacy is protected perfectly and forever. We can prove that rigorously. Whereas the system for the security of the bank is based on cryptography, like most current banking systems. The Swift network in Europe and most high-value banking systems and such use Public Key cryptography to secure large value payments, so banks are accustomed to relying on this sort of protection.
In principle, it seems impossible to protect both parties unconditionally, so I've chosen to protect the interest of the person--privacy--perfectly. Because you wouldn't want someone at some future time to learn how to break this code and invade your privacy. Privacy is something you'd like to remain in force for a long time. And people should be quite sure that there's no secret government agency actually able to break these codes. This is something else we achieve with this unconditional privacy protection.
Is it Real?
You may say that this is all well and good, rather interesting, but so what? How can I use this? Is this real or just theory? Until just a few days ago, I would have had to answer that it's just theory, but recently we launched an actual implementation of this very technology on the Internet and it's in trial now. We've issued a million cyberbucks and we promise not to issue any more than that. And we are generously giving them to people who show interest in our project. Those who sign up are receiving a hundred cyberbucks each to play with.
Now for a little computer-technical stuff. We have client software for Macs and MS-Windows and various X Windows platforms. And it's very nicely integrated with the World Wide Web and Mosaic.
This is our E-cash home page. It's just www.digicash.com. Here you see the announcement of the million cyberbucks we've issued and you can find all kinds of other information. There are about twenty places where you can spend E-cash around the world. You can buy newspaper articles from South Africa and people will send you post cards from Canada. You can look at Encyclopaedia Britannica articles, all manner of things. This is what the client software looks like. You just have a tiny window on your screen and it shows you how much cash you have at the moment.
Each client can make and receive payments. Once you have a client, you're also a shop. There are sale and show scripts on our sites that allow you to hook up to your Web server and accept payments for data automatically.
These are some of the places where you can spend your E-cash. Of course, at the Digicash cybershop. There is also a gambling casino, grocery store and other shops. So these are some of the various people who have set up their E-cash shops and have been kind enough to send us their logos and so forth.
In closing, I'd like to tell you that E-cash is real and that there is a lot happening in the E-cash world. There is tremendous interest in this product and we'll announce some banks and other institutions that will actually be issuing it. I cannot talk about everything that is happening, but suffice it to say that things are moving very rapidly. But this is just a first step, really. It's an important thing to have cash for the Internet. It will give the Internet a payment dimension. If it doesn't have that, you can't pay twenty-five cents for a chocolate cookie recipe or fifty cents for an article or wager on a poker game. Without it, the Internet won't really be able to compete with the five-hundred-channel guys, because there will be money flowing in those systems and the content there will probably be serious competition. I think it is very important and I would like to urge you to look into it and give it your support. Don't accept a payment system for the Internet that doesn't protect your privacy. It's up to everyone. We're now determining the direction things will take.
Another point is that we can generalise this notion of cash. It's just a starting point. Remember the very general theorem that I showed you. It says that people can protect all of their information on the Net using these protocols. So you could keep all of your medical records, all of your insurance and banking and educational records yourself. Using these protocols, if you received a query from an organisation that you wished to answer, you could prove that you were answering it correctly without revealing any additional information whatsoever. For example, if there were complex criteria by which you could qualify to enter a university, you could prove that you were qualified without revealing anything about how you met their criteria. You could maintain your own database with all the information about yourself and approve all the queries that are requested from it in a perfectly convincing and secure manner, while actually giving cleaner and better data to the organisations. That is a generalisation of E-cash we call the credential mechanism. I'm afraid I don't have time to go into that.
Conclusion
Let me come back to what I mentioned at the beginning. We're now at a cross-roads. Things are moving very rapidly and can only have one of two outcomes. Either you have a system in which people are identified with trusted common mechanisms, intermediaries and that sort of thing, or you have an open system where people are able to use these coding techniques to protect their own interests, in which they've realised that they have this power and consider it to be a kind of human right. This is quite a different direction for things to take. Perhaps it's really up to those of us who are at the leading edge of all of this to influence the direction in which things go. Because if we don't, the five-hundred-channel guys will.