About HashCash

HashCash is different from most crypto-currencies currently in vogue. Unlike Bitcoin, Ethereum and other blockchain-based systems, HashCash is a real digital cash system based on blind signatures, as introduced by David Chaum in 1983.

In HashCash's implementation, a vault provides secure storage for some unit of value (for now, that's Bitcoin, but it could just as well be precious metals or anything else) and issues signed digital coins corresponding to the stored amount. These coins can be presented back to the vault at any time and exchanged back for the Bitcoins stored by the vault, or for newly minted HashCash coins.

Being fully interchangeable with Bitcoin, HashCash coins could be used to make payments in place of Bitcoin, providing greatly enhanced privacy, speed and flexibility. The vault that issues HashCash coins cannot track them, or connect coins that it issued to coins that it receives back for exchange.

This is ensured by the mathematics of blind signatures. The full details can be found in Chaum's seminal paper (see 'References' sidebar), but the basic concept of a blind signature is readily illustrated through a physical analogy:

Imagine a sheet of paper that we want to have signed by a signer, Sam, without revealing to Sam what's written on it. This can be accomplished by placing a sheet of carbon paper on top of the paper to be signed, inserting them both into an envelope and sealing it, and then having Sam sign on the envelope. The signature will be copied onto the paper through the carbon paper above it, and we will have the signature on the paper without having revealed its contents to Sam. This is a blind signature.

Now a blind signature might not seem like such a useful thing - why would anyone sign something when they don't know what it is they're signing? But it turns out that blind signatures are a key enabling technology that makes true digital cash possible.

Here's how it works:

For simplicity let's assume all coins in our HashCash system are of the denomination 1 Bitcoin.

When you buy HashCash worth 1 Bitcoin from the vault, your HashCash wallet generates a random number, mathematically "blinds" it so the vault cannot see what it is (the equivalent of putting it in an envelope), and sends it to the vault. This is a "coin request".

The vault checks that it received your 1 Bitcoin, and then signs your blinded random number (thereby "minting" a coin) and sends it back to you.

This coin isn't yet a spendable HashCash coin, as it is still blinded. It needs to go through another step, "unblinding" (the equivalent of removing the envelope and the carbon paper so the signature and the contents are visible). Your HashCash wallet automatically unblinds the blinded coin it receives from the vault, and it is now ready for use.

So a HashCash coin is basically a random number generated by a user's wallet app, which is then signed by the vault using a blind signature protocol.

When the coin is later presented back to the vault to be exchanged back into 1 Bitcoin (or to be exchanged for another HashCash coin) the vault is able to verify that it is a valid coin by verifying its own signature on it. This enables it to detect and reject counterfeit coins.

The random number (which is what was blind signed by the vault when the coin was minted) now comes into play, as this is the way to check if this coin has already been spent before. The vault checks its list of numbers corresponding to spent coins, and if the number for this coin is already on the list that means the coin has already been spent and cannot be spent again. If this coin's number isn't in the list, it is added to the list, which now renders this coin spent. This way, the vault can ensure each coin is only spent once.

And with that, we have a private digital cash system that prevents both counterfeiting and double spending. We still need coins of various denominations. That is easy enough to add by assigning a new signing key for each denomination of coin. Coins signed with the 1 Bitcoin key are 1 Bitcoin coins, while those signed with the 1000 Satoshi key are 1000 Satoshi coins, and so on.

Notably, the vault cannot match coins that it receives for exchange with those that it issued because the random number in the coin was blinded at the time the coin was minted, and the first time the vault sees that number is when the coin is presented for exchange. So the vault cannot track coins or monitor their movements in any way.
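The coin request, minting, unblinding and redemption steps described above can be traced in code. The following is an added example, not HashCash's own code: it assumes the textbook RSA blind signature over a SHA-256 hash of the serial number (the page does not say which scheme HashCash uses), a constructed toy key, and hypothetical names such as `Vault`, `blind` and `unblind`.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy vault key from two Mersenne primes; far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private signing exponent, known only to the vault


def h(serial: bytes) -> int:
    """Map a coin's random serial number to an integer modulo N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(serial: bytes):
    """Wallet: hide the serial behind a random factor r (the 'envelope')."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(serial) * pow(r, E, N)) % N, r


def unblind(blind_sig: int, r: int) -> int:
    """Wallet: strip r, leaving the vault's signature on the serial itself."""
    return (blind_sig * pow(r, -1, N)) % N


class Vault:
    def __init__(self):
        self.spent = set()   # serials of coins already redeemed
        self.seen = []       # blinded requests observed at minting time

    def mint(self, blinded: int) -> int:
        """Sign a coin request (assumes payment was already confirmed)."""
        self.seen.append(blinded)
        return pow(blinded, D, N)

    def redeem(self, serial: bytes, sig: int) -> str:
        if pow(sig, E, N) != h(serial):
            return "counterfeit"      # signature does not verify
        if serial in self.spent:
            return "double-spend"     # serial is already on the spent list
        self.spent.add(serial)
        return "accepted"


if __name__ == "__main__":
    vault, serial = Vault(), secrets.token_bytes(16)
    blinded, r = blind(serial)
    coin_sig = unblind(vault.mint(blinded), r)
    print(vault.redeem(serial, coin_sig), vault.redeem(serial, coin_sig))
    print("serial seen at minting:", h(serial) in vault.seen)
```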

The coins in a HashCash system are much like real cash - they are objects that can be transferred directly from one person to another without the involvement of any third party. They can be represented as numbers or as QR codes, as they are by the HashCash wallet. They can be printed on paper. Being digital objects, they can be transferred over the Internet or any other communications medium.

They can also be encrypted and decrypted, copied, and deleted. HashCash coins can be copied by their owner for backup purposes, and unlike with paper fiat currency, the copies are just as valid as the original coins. A criminal could copy your coins too. In that event it's significant whether the coins are encrypted or not. Unencrypted coins copied by a criminal can be spent and stolen, whereas encrypted coins are secure from theft as long as the thief doesn't also have access to their decryption keys.

For more details on various aspects of HashCash, check out the list of Frequently Asked Questions.


Chaum, David (1983). "Blind signatures for untraceable payments" (PDF). Advances in Cryptology Proceedings of Crypto. 82 (3): 199-203.

Butun, Ismail; Demer, Mehmet (2013). "A blind digital signature scheme using elliptic curve digital signature algorithm" (PDF). Turkish Journal of Electrical Engineering and Computer Sciences. 21 (4): 945-956.