Now let’s turn to cash. I compared cash and credit earlier and noted that a cash system needs to be bootstrapped, but the benefit is that it avoids the possibility of a buyer defaulting on her debt. Cash offers two additional advantages. The first is better anonymity. Since your credit card is issued in your name, the bank can track all your spending. But when you pay in cash, the bank doesn’t come into the picture, and the other party doesn’t need to know who you are. Second, cash can enable offline transactions where there’s no need to phone home to a third party to get the transaction approved. Maybe the seller later uses a third party like a bank to deposit the cash, but that’s much less of a hassle.
Bitcoin doesn’t quite offer these two properties, but it comes close enough to be useful. Bitcoin is not anonymous to the same level as cash is. You don’t need to use your real identity to pay in Bitcoin, but it’s possible that your transactions can be tied together using clever algorithms based on the public ledger of transactions and then further linked to your identity if you’re not careful.
The earliest ideas about applying cryptography to cash came from David Chaum in 1983. Consider this concept by means of a physical analogy. Let’s say I start giving out pieces of paper that say: “The bearer of this note may redeem it for one dollar by presenting it to me” with my signature attached. If people trust that I’ll keep my promise and consider my signature unforgeable, they can pass around these pieces of paper just like banknotes. In fact, banknotes themselves got their start as promissory notes issued by commercial banks. It’s only in fairly recent history that governments stepped in to centralize the money supply and legally require banks to redeem notes.
I can do the same thing electronically with digital signatures, but that runs into the annoying “double-spending” problem—if you receive a piece of data representing a unit of virtual cash, you can make two (or more) copies of it and pass it on to different people. To stick with this analogy, let’s stretch it a little bit and assume that people can make perfect copies and we have no way to tell copies from the original.
You write it down on the piece of paper but cover it so that I can’t see it. Then I’ll sign it, still unable to see the serial number. This is called a “blind signature” in cryptography. It’ll be in your interest to pick a long, random serial number to ensure that it will most likely be unique. I don’t have to worry that you’ll pick a serial number that’s already been picked—you only shoot yourself in the foot by doing so and end up with a note that can’t be spent.
This was the first serious digital cash proposal. It works, but it still requires a server run by a central authority, such as a bank, and for everyone to trust that entity. Moreover, every transaction needs the participation of this server to be completed. If the server goes down temporarily, payments grind to a halt.
A few years later, in 1988, Chaum in collaboration with two other cryptographers, Amos Fiat and Moni Naor, proposed offline electronic cash. At first sight, this might seem impossible: if you try to spend the same digital note or coin at two different shops, how can they possibly stop this double-spend unless they’re both connected to the same payment network or central entity?
The clever idea is to stop worrying about preventing double-spending and focus on detecting it, after the fact, when the merchant reconnects to the bank server. After all, this approach is why you’re able to use your credit card on an airplane even if there is no network connection up in the skies. The transaction processing happens later when the airline is able to reconnect to the network. If your card is denied, you’ll owe the airline (or your bank) money.
If you think about it, quite a bit of traditional finance is based on the idea of detecting an error or loss, followed by attempting to recover the money or punish the perpetrator. If you write someone a personal check, they have no guarantee that the money is actually in your account, but they can come after you if the check bounces. Conceivably, if an offline electronic cash system were widely adopted, the legal system would come to recognize double-spending as a crime.