What is cash
Cash is a bearer instrument which means it carries no record of ownership. The holder of the cash is assumed to be the owner and they may pass that to another person who then becomes the new owner. This leads to a number of properties that define the use of cash in our environment,
- The owner holds the cash (it is not held in an account managed by a third party)
- It is an anonymous transaction (or as anonymous as the participants agree)
- There is no payment intermediary (e.g. no bank is involved in the transfer of ownership), no permission is required to make a payment, it is censorship resistant
- It is irrevocable (there is no concept of charge backs or dispute resolution)
- There are no financial status requirements (you don’t have to have a bank account or credit card - financial inclusion)
- The transfer of ownership is immediate (when you pass a $ bill to somebody they have it and you don’t, as before nobody else is involved and nobody else knows about the transaction)
The security model for physical cash is relatively straightforward, the owner must provide adequate physical protection of the cash in their possession and when they receive cash from another party they must be adequately assured that it is genuine. There is an implied authenticity check.
What is digital cash?
By definition any digital cash instrument must have the same properties as physical cash, it must be a bearer instrument so all the properties described for a physical cash instrument must apply to a digital cash instrument. You might think of digital cash as physical cash just in a different form factor, Instead of notes and metal coins digital cash is digital data.
The security model for digital cash can be equally described, the holder must provide adequate digital security protection against loss and it must be possible for the holder to be assured of its authenticity. The necessary requirements for protecting physical cash are of course well understood but the digital equivalent requires further elaboration,
The properties of notes and coins include security techniques to make them difficult to counterfeit. It is this feature that enables the acceptor to detect a fake note or coin. A digital coin however can be easily duplicated and would be imperceptible to the original digital coin. Detection of duplicate coins is a necessary security requirement of a digital cash system and this is often referred to as the double spend problem. The security requirements for digital cash can be defined as,
- It should not be economically viable to create an apparently authentic digital coin
- The users of digital cash must be protected from the double spend problem
Digicash (1990 – 1998) was really the first serious attempt to provide a digital cash product. Dr David Chaum was the pioneer who actively promoted the ideas through the 1980s which culminated in the formation of Digicash in 1990. It eventually led to a product launch by the Mark Twain bank in the US in 1996 but never really caught on and quietly slipped away at the end of the 90s.
The concept was very simple, rather than have a $1 bill protected by special paper and inks etc why not have a $1 digital data block protected by a digital signature. In the case of the physical $1 bill the system relies on the users spotting fakes and declining to accept them. However you could easily copy a $1 electronic data block with its digital signature and such a copy would be perfect so you must have a way of rejecting the double spend as it is called. It is the “protection against the double spend” that is the security core of all digital cash products.
The core intellectual property of Digicash was the idea of mathematically blinding the digital $1 data message when it was created by the bank so that it could not be correlated with the user. This would make the electronic bill anonymous thereby achieving one of the core characteristics of cash. In operation users would go to their bank to get digital $1 bills to the value required in this sense just like real paper bills. Each of these $1 bills were prepared using public key cryptography and the blinding techniques mentioned earlier and sent back to the consumer. The consumer would go to the merchant and hand over the digital $1 bills to the value required. At this point the merchant doesn’t know if the $1 bills are authentic or whether they have already been given to somebody else, i.e. the double spend. So the merchant sends the digital $1 bills to the bank to get confirmation the digital cash is valid and that their account will be credited accordingly. The bank keeps a data base of the $1 bills in circulation and removes the spent $ bills as they are handed in.
Digicash is a remote asset transfer model, the issuing bank holds the fiat currency taking it from the payer’s account when the digital $ bills are issued and crediting the merchants account when the digital $ bills are presented and accepted.
Mondex (1990 – 2001) which was invented by Tim Jones and Graham Higgins and architected by Dr David Everett also used public key cryptography but was designed to operate off line. Each user of the system would have a secure store of digital cash which they would use to create a digital value message. This digital value message could be for any value as long as it was no more than the value stored in the secure store. Such value messages were protected by digital signatures. In order to make a payment the payer would instruct their secure store to create a digital value message which they would then pass to the payee. The payee would then present this message to their secure store for acceptance. The value of the payer’s store would be decremented and the payee’s store incremented for the common amount. These secure stores were implemented in smart cards each containing a special security hardened integrated circuit chip.
The double spend problem was resolved by using a protocol. In essence the payee would generate a unique request message and on receipt the payer would generate a value message based on the data in the request message. This asynchronous protocol was enforced to ensure that each value message was only accepted once. All messages in the protocol were digitally signed.
Although the Mondex protocol was well capable of operating on-line its promotion by the member banks was focussed on the physical world and of course it pre-dated the introduction of the internet as we know it today.
This was the first real asset transfer model for digital cash. The users had a representation of fiat currency in their secure stores and could move such value as required to any other system user. There was no third party involvement in the individual payments. Each currency had an originator of value which was distributed to the users through the various partner banks.
The IPR surrounding Mondex was focussed on the concept of the float representing the value in circulation and its operation as well as the value transfer protocol. The security of Mondex relied on the integrity of the cryptographic protocols and the integrity of the secure stores.
MintChip (2008 - ) was designed and architected by Dr David Everett for the Royal Canadian Mint as an updated version of Mondex. It was designed around the use of secure asset stores to provide a distributed asset model. Each user of the system would own a secure asset store which they could individually manage or assign to an agent who might manage a large set of secure asset stores. Each currency has a minter of value which is distributed to the users through MintChip brokers.
MintChip is also an asset transfer model, value is moved from one store to another using digitally signed value messages. When a value message is created the value of that store is decremented and when a value message is accepted the value of that store is incremented accordingly. As with Mondex this is a fully distributed model because each secure asset store operates independently. There is no need for a central ledger or database and in fact you couldn’t create one because only the owner of the store or their agent has that knowledge.
MintChip is a payment push model, the payer creates the value message independently of the payee’s secure asset store but they do need prior information on the identity of the payee store which is used to create the message uniqueness. The double spend is prevented by each store only accepting a value message once, they effectively keep a log of all transactions each of which is unique. It should be noted however that this log is totally associated with the particular secure asset store and has no value outside this domain. As previously all value messages are protected by digital signatures using public key cryptography.
The MintChip IPR is centred on the asset transfer protocol and the cryptographic security techniques used to protect the integrity of the system. The security of the system is dependent on the integrity of the cryptographic operations and the Secure Asset Store.
Bitcoin (2008 - ) was designed and architected by Satoshi Nakamoto which is a pseudonym for who some people now believe is Dr Craig Wright. It was designed as a peer to peer digital cash system which introduced the concept of the Blockchain. In addition to the concepts of cash discussed previously it was a core design concept to avoid a centralised regulatory entity such as central banks, it was a new virtual currency independent of the existing national payment instruments. This currency is not collateralised and its volatility cannot be predicted. This is true of all virtual uncollateralised currencies.
Bitcoin is actually a transfer of ownership model, the Blockchain which is a publicly readable distributed ledger or data base holds the current ownership of every Bitcoin. When a user wants to make a payment they (or they may use an agent) issue a digitally signed command to the Bitcoin community stating their intention to transfer ownership. The consensus team, called miners because they get paid in Bitcoins for doing the consensus operation, check the validity of the operation and if everything is correct add the change of ownership to the new block that will be added to the Blockchain. It is this consensus process and the Blockchain that is designed to prevent the double spend. The Blockchain is protected by cryptographic hash functions.
The security of Bitcoin ignoring the value of the currency is dependent on the integrity of the cryptographic operations and the integrity of the consensus process. I am not aware of any patents protecting the Bitcoin scheme.
Tibado (2014 - ) was designed by Tim Jones and David Everett as a close representation of physical cash. It only operates on-line and is based on the concept of digital coins, a true bearer instrument. A Tibado coin is a cryptographically protected message that represents a particular fiat value and currency. The digital coins have no association with the holder whether the current holder of the coin or a new holder of the coin. The users store and manage their Tibado coins as required. This digital coin model meets the characteristics of cash better than any of the other concepts described here.
Tibado provides an on-line digital cash box that allows the users to split or merge coins. So if a user wants to pay someone they use the cash box to take their existing coin and split in into one coin for the value of the payment and the other coin as effectively the value of the change. In reverse if somebody sends the user a coin they might send that coin and their existing coin to the cash box to have them merged into a single coin of the cumulative value. Tibado has the concept of a user pocket to manage these coin operations. The users can move coins amongst themselves using for example social media messaging entirely outside the Tibado space. The coins are usually represented as a PNG image of a coin containing a QR bar code to allow unimpeded network communications.
Each Tibado coin is protected by a dual cryptographic integrity function. All these cryptographic functions use symmetric cryptography. The digital cash box maintains a distributed live coin data base. This data base could be publicly accessible but Tibado has not currently enabled that operation. It is not clear why it needs to be publicly available.
Tibado is a fully distributed system and there are no payment intermediaries. For each currency there is an originator of the coins which may be directly distributed to the users or distributed by agents. The security of the Tibado system relies on the integrity of the coin cryptographic operations and the digital cash box. All cryptographic operations are undertaken in Hardware Security Modules that are stored in secure data centres.
The Tibado technology is protected by patent applications covering the core security operations.
Security Considerations one of the biggest conceptual differences between these various digital cash schemes relates to the method by which payment transactions are validated. Most of the schemes effectively have a legal entity that provides the root of trust that provides the cryptographic hierarchy. Cryptographic operations within that security domain are trusted by all the participants.
Bitcoin and the Blockchain are conceptually different in that they have a security architecture and some form of consensus operation that is operated by a community. In the permissionless case of Bitcoin that community is totally unregulated and not identifiable as any form of legal identity. In practice users of the system have to trust the core of the community (perhaps 10 people or less) who set the operation and thereby the security of the system.
In the permissioned case there is some form of agreement as to the community responsible for the consensus operation. What is not clear is why one should trust such a community more than a legally defined entity (which may include more than one organisation) that operates the root of trust. The history of banking is based on the ability to define and agree such roots of trust and the rules and regulations by which they operate. It is difficult to understand how such a trust model can be viably circumvented.
Dr David Everett