About HashCash

HashCash is a digital cash system. It is fundamentally different from blockchain-based "crypto-currencies" such as Bitcoin. Unlike these systems which rely on public ledgers, HashCash is a digital cash system based on blind signatures.

In a HashCash system, a vault provides secure storage for some store of value (Bitcoin, precious metals, or anything else) and issues signed digital coins corresponding to the stored value.

These coins are similar to the gold and silver certificates that were used in the USA from 1865 till 1933. They are a form of representative money — they represent a claim on the item of value deposited with the vault, and may be presented back to the vault and exchanged for the item of value they represent, or for newly minted coins.

A gold certificate from 1926

A gold certificate from 1926. The text reads "This certifies that there have been deposited in the treasury of the United States of America Ten Dollars in Gold coin payable to the bearer on demand."

The vault that issues HashCash coins cannot track them, or connect coins that it issued to coins that it receives back for exchange. This high level of privacy is achievable thanks to the mathematics of blind signatures.

Blind Signatures

The full details about blind signatures can be found in Chaum's seminal paper (see 'References' sidebar), but the basic concept of a blind signature is readily illustrated through a physical analogy:

Imagine a sheet of paper that we want to have signed by a signer, Sam, without revealing to Sam what's written on it. This can be accomplished by placing a sheet of carbon paper on top of the paper to be signed, inserting them both into an envelope and sealing it, and then having Sam sign on the envelope. The signature will be copied onto the paper through the carbon paper above it, and we will have the signature on the paper without having revealed its contents to Sam.

This is a blind signature.

Now a blind signature might not seem like such a useful thing - why would anyone sign something when they don't know what it is they're signing? Well, it just so happens that the blind signature is the key concept that makes possible real digital cash systems such as HashCash.

How HashCash Works

Let's consider a simplified Bitcoin-backed HashCash system in which all coins are of the denomination 1 Bitcoin.

When you buy HashCash worth 1 Bitcoin from the vault, your HashCash wallet generates a random number, mathematically blinds it so the vault cannot see what it is (the equivalent of putting it in an envelope), and sends it to the vault. This is a coin request.

The vault checks that it received your 1 Bitcoin, and then cryptographically signs your blinded random number using a blind signature protocol. The result is a newly minted HashCash coin, which the vault sends back to you.

This coin isn't yet a spendable HashCash coin, as it is still blinded. It needs to go through another step, unblinding (the equivalent of discarding the envelope so the signature and the contents are visible). Your HashCash wallet automatically unblinds the blinded coin it receives from the vault, and it is now ready for use.

So a HashCash coin is simply a random number generated by a user's HashCash wallet, which is then signed by a HashCash vault using a blind signature protocol.

Verifying Coins

When the coin is later presented back to the vault to be exchanged back into 1 Bitcoin (or to be exchanged for another HashCash coin) the vault is able to verify that it is a valid coin by verifying its own signature on it. This enables it to detect and reject counterfeit coins.

The random number that was blind signed by the vault when the coin was minted provides a mechanism to prevent a coin from being spent twice, or double spent.

The vault keeps a list of numbers corresponding to spent coins. It checks to see if the number for this coin is already on the list. If so, that means the coin has already been spent and cannot be spent again. If this coin's number isn't in the list, it is added to the list, which now renders this coin spent. This way, the vault can ensure each coin is only spent once.

And with that, we have a private digital cash system that prevents both counterfeiting and double spending.

Coin Denominations

We still need coins of various denominations. That is easy enough to add by assigning a new signing key for each denomination of coin. Coins signed with the 1 Bitcoin key are 1 Bitcoin coins, while those signed with the 1000 Satoshi key are 1000 Satoshi coins, and so on.


The vault cannot match coins that it receives for exchange with those that it issued because the random number in the coin was blinded at the time the coin was minted, and the first time the vault sees that number is when the coin is presented for exchange. So the vault cannot track coins or monitor their movements in any way.

Digital Beats Paper

The coins in a HashCash system are much like real cash - they are objects that can be transferred directly from one person to another without the involvement of any third party. They can be represented as numbers or as QR codes, as they are by the HashCash wallet.

Being digital objects, however, they can also be transferred over the Internet or any other communications medium.

HashCash is to paper cash what email is to snail mail.

Protection Against Loss and Theft

HashCash coins can also be copied, and encrypted. They can be copied by their owner for backup purposes. If you lose one copy of your coins, you still have a backup. And unlike with paper cash, the copies are just as valid as the original coins.

A criminal could copy your coins too. In that case it's significant wether the coins are encrypted or not. Unencrypted coins copied by a criminal can be stolen and spent, whereas encrypted coins are secure from theft as long as the thief doesn't also have access to their decryption keys.


For more details on various aspects of HashCash, check out the Frequently Asked Questions, or email info at hashcash.com.


Chaum, David (1983). "Blind signatures for untraceable payments" (PDF). Advances in Cryptology Proceedings of Crypto. 82 (3): 199-203.

Butun, Ismail; Demer, Mehmet (2013). "A blind digital signature scheme using elliptic curve digital signature algorithm" (PDF). Turkish Journal of Electrical Engineering and Computer Sciences. 21 (4): 945-956.