I sent mail to Stefan Brands yesterday asking about what kind of information is retained by the (hardware-based) observer in his digital cash system. Brands has worked with Chaum in the past and is now seeking funding (via Usenet, apparently) for development of his own digital cash and anonymous transaction technology, which he claims is greatly improved over existing systems in terms of memory and computation requirements.

Brands explained that the way his system works, the user *never* has all the information needed to represent the "digital coin". Instead, the user has part of the information, and the tamper-resistant observer chip has the other part. To spend the coin, the user and the chip have to cooperate in the protocol. Then the chip can mark its own information about that coin as having been spent, or even erase it altogether. It is this change in the internal state of the observer chip which lets it prevent double-spending (and which arguably could be defeated in any software representation of an observer).

I have always been skeptical of this observer-chip approach, because it wasn't clear that it was feasible to make a tamper-resistant chip economically, and because the specialized hardware that would be required would prevent the system from being used on widely-available PCs. However, now we see that our military rulers apparently trust tamper-resistant technology well enough to put it into thousands of public hands, without fear that even one chip will be opened and read. Breaking an observer only lets you double-spend the coins it holds, while breaking Clipper allows you to permanently defeat the escrow provisions of the whole system. So this suggests that the technology is adequate for observers.

As for the specialized hardware, probably a more realistic picture of the digital cash user of the future is someone holding a PDA in his hand, with possibly an infrared or cellular modem link, rather than the hacker sitting at home in front of his PC. In that context it may be realistic to imagine custom PDA's which support secure offline cash as a practical product.

Hal
hfinney@shell.portal.com
.