Frequently Asked Questions

Why another digital cash system?

Although there's an explosion of "crypto-currencies" these days, none of them are real digital cash systems. HashCash is one of the first true digital cash systems, and, to the best of my knowledge, the first with some critically important properties (more on that below).

Most of today's crypto-currencies are derived from Bitcoin, which is the original "blockchain" crypto-currency and the most well known. While Bitcoin provides a global and permissionless transaction platform, it has its drawbacks. One of the most significant of these is the lack of privacy, as every Bitcoin transaction is public, by definition, being published on the Bitcoin blockchain. That makes it easy to data-mine the blockchain for patterns, connections and networks, and leads to a large variety of potential risks.

Another issue with Bitcoin is that payments take some time to be confirmed, which can be quite an impediment to using it for everyday transactions. It's not really practical to wait around for possibly several hours till your payment is confirmed and you can walk out of the store with your purchases.

Bitcoin is also conceptually challenging for newcomers to understand. While introductory information (and even the name itself) refers to "coins" there really are no "coins" in Bitcoin. There are keys and addresses and a distributed transaction log where all transactions are recorded. Bitcoin is a distributed ledger-based virtual currency and transaction system, but not really a cash system. Specifically, there are no bearer tokens of convenient denominations that can be transferred directly from one person to another, which is what the terms "coin" and "cash" normally refer to. This conceptual mismatch between user expectations and the underlying technology severely limits Bitcoin's usability.

There are blockchain-based systems that are designed to offer higher privacy than Bitcoin does, but they are still ledger systems, in which every transaction must be recorded forever. Their privacy guarantees are premised on ways to obscure the specific details of recorded transactions.

A true cash system, however, does not consist of (or even include) a record of transactions, no matter how well obscured. HashCash is a true untraceable digital cash system based on blind signatures, as introduced by David Chaum in 1983. With HashCash there is no ledger of transactions at all, exactly the same as with physical coins and cash.

A HashCash coin is a bearer token, digitally signed by a HashCash vault. HashCash coins can be directly transferred from one person to another - just like physical coins and paper cash. Indeed, today's paper cash has its origins in the same concept - signed receipts by vaults for gold and silver, which could be exchanged on demand for the physical metal. Unfortunately today's cash notes are no longer vault receipts for precious metals, but just pieces of paper with fancy printing and no backing whatsoever. Which is, of course, The Big Problem, and a total impediment to anything remotely resembling real free markets.

The initial implementation of the HashCash vault is based on Bitcoin (i.e. the value stored by the vault is Bitcoin, rather than gold or silver). A HashCash vault could just as well be based on gold or silver though, and in the future hopefully some will be. Bitcoin currently works quite well as a permissionless value transfer mechanism that's globally accessible and designed to be resistant to some forms of manipulation or attack. Implementing a HashCash vault based on Bitcoin leverages these properties of Bitcoin, while adding those of true digital cash - privacy, direct transferability, conceptual simplicity, efficiency, and even the potential of offline use (between people who trust each other).

HashCash is built around the simple, minimalist HashCash Protocol, in which every interaction with a vault includes its own fees. This enables HashCash to operate without user registration or accounts, as a permissionless system, accessible to anyone anywhere.

Although blind-signature based digital cash is a nearly 35-year-old idea, as far as I'm aware HashCash is the first complete working open software implementation of a blind signature cash system, as well as the first permissionless one, requiring no user accounts, registration or personal information. Anyone can just download the HashCash distribution and immediately begin to receive and send HashCash (or even start a vault).

What are the benefits of HashCash?

One of the primary benefits of HashCash is privacy. Using HashCash to make a payment is as private as, or more private than, using physical cash. That's because HashCash coins use blind signatures to ensure the vault has no identifying information about coins that would enable it to track them. When Alice gives Bob some HashCash, and Bob goes to the vault to exchange it for Bitcoin, the vault has absolutely no way of knowing that Bob got the coins from Alice.

Another major benefit is conceptual simplicity and ease of use. Because HashCash coins are much like regular cash, they can be used in similar ways. You can directly give HashCash to someone by printing it out and handing it to them. Normally you'd just transfer it to them electronically, but the fact that it is a close analog to physical cash makes things much easier for those who aren't comfortable with (or don't have easy access to) computers.

In communities with limited Internet access, for example, HashCash printed on paper could work just fine for a lot of people, who would be able to treat it almost identically as fiat cash. People in a remote community might receive HashCash from distant relatives at a cyber-cafe and print the coins for later use. Or an employer might pay employees with printed HashCash coins. They could then take the printed HashCash to the market and spend it at a store.

The store would need to connect to the vault to verify the coins, but from the perspective of the person spending the printed HashCash very little is different from how fiat cash works. One difference is that the HashCash could optionally be encrypted with a memorable passphrase, which would also need to be communicated to the recipient. Thanks to the passphrase encryption, printed HashCash would be useless to a thief if stolen (as long as the passphrase wasn't stolen along with the printed encrypted coins). Unlike fiat currency, HashCash can also be copied and backed up in multiple locations for safekeeping.

Conceptual simplicity also leads to a simple implementation. The entire code for HashCash - vault, mint, wallet and all - is a few thousand lines of Perl, fairly straightforward for anyone with basic crypto understanding to read and review. The wallet and vault can also run just fine on very basic hardware.

Which brings up another benefit: efficiency. HashCash coins can be verified in seconds, whereas Bitcoin transaction confirmation can take tens of minutes or even up to several hours. Where the Bitcoin network struggles to handle more than 5 transactions per second, HashCash can easily scale up to hundreds of transactions per second on very modest hardware. HashCash is also designed to minimize the data transfer required to verify coins. So it could potentially be used even without an Internet connection, with all communication with the vault conducted over SMS messaging. This opens up access to hundreds of millions of people who have cellphones but not data plans.

The ability to use HashCash from a device that is completely offline also provides an unprecedented level of security for your funds. The security of most end-user devices these days is low, especially for financial applications. Keeping your HashCash wallet on a completely offline device ensures that funds can't be stolen from the device via any network-based attack. Even if there were malware on the device, it wouldn't be able to steal and send your HashCash to a third party as it would have no way of connecting to the Internet. Similarly, a vault running on offline, air-gapped machines is well protected against network-based attacks, and even to a large extent from potential malware in its own execution environment.

What's more, HashCash can also be used for transactions in an offline mode, without verifying coins with the vault to check for double-spends, by people who trust each other (to not cheat by spending the same coin multiple times). In small communities, this often covers a large proportion of use cases. The efficiency of HashCash means that verification and exchange fees can be low to begin with, but payments can also be made with absolutely no fees at all. The vault only charges fees to issue new coins and to exchange HashCash to Bitcoin and vice-versa. So if Alice, Bob, and Carol all trust each other, Alice could give some HashCash coins to Bob, who could then pay the same coins to Carol (without first verifying and exchanging them with the vault) and none of these payments attracts any fees whatsoever. Just like physical cash.

How does HashCash ensure transaction privacy?

To begin with, a HashCash vault has no involvement whatsoever with transactions. The role of a HashCash vault is limited to securely storing Bitcoin and issuing and exchanging HashCash coins. HashCash coins are bearer tokens that can be transferred directly from one person to another. A payment occurs when one person gives some coins to another. Since the vault has no involvement with this, it has no way to even know that any transaction has occurred, let alone obtain any information about it.

The vault is unable to link coins issued with coins received back for exchange, thanks to the mathematics of blind signatures. When a vault issues a coin it digitally signs a blinded version of the coin, in which the coin's unique identification number is mathematically obscured. This ensures that when the unblinded coin is later presented back to the vault for exchange, the vault has no way of linking it with the blinded coin that it originally issued.

So even if the vault had full identifying information on all its customers (which it doesn't as no personal information is required to interact with a HashCash vault) it would not be able to identify the parties in a transaction. The vault has no meaningful records susceptible to data-mining or subpoenas. Nor do the coins transferred reveal any information to the payer or the payee about the other party. This is complete transaction privacy for both parties, equivalent to the privacy offered by physical cash.
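The issue, unblind and exchange cycle described above, as an added Python example that is not HashCash's own code: it uses textbook Chaum blind RSA (HashCash also offers blind ECDSA) with a toy key, and shows that every blinded value the vault logged at issuance is mathematically consistent with every coin later redeemed. The Vault class, the function names, the hash-to-integer step and the in-memory spent set used for double-spend checks are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key from two Mersenne primes so the example runs with no dependencies.
# Constructed for illustration only; far too small and structured for real use.
P, Q = 2**89 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # vault's private signing exponent


def coin_digest(serial: bytes) -> int:
    """Simplified hash-to-integer for a coin's unique identification number."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Vault:
    """Hypothetical vault: signs blinded values, verifies and retires coins."""

    def __init__(self):
        self.issuance_log = []   # everything the vault ever sees when issuing
        self.spent = set()       # assumed double-spend store of redeemed serials

    def sign_blinded(self, blinded: int) -> int:
        self.issuance_log.append(blinded)
        return pow(blinded, D, N)

    def redeem(self, serial: bytes, sig: int) -> str:
        if pow(sig, E, N) != coin_digest(serial):
            return "invalid"
        if serial in self.spent:
            return "double-spend"
        self.spent.add(serial)
        return "ok"


def withdraw(vault: Vault):
    """Wallet side: pick a serial, blind it, get it signed, unblind."""
    while True:
        serial = secrets.token_bytes(16)
        r = secrets.randbelow(N - 2) + 2        # random blinding factor
        m = coin_digest(serial)
        if gcd(r, N) == 1 and gcd(m, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N            # the vault sees only this value
    blind_sig = vault.sign_blinded(blinded)
    sig = (blind_sig * pow(r, -1, N)) % N       # (m * r^e)^d / r = m^d
    return serial, sig


def explaining_factor(blinded: int, serial: bytes) -> int:
    """Blinding factor that would make `blinded` the issuance of this coin.

    One exists for every (issuance, coin) pair, so the issuance log cannot
    single out which withdrawal produced a redeemed coin.
    """
    ratio = (blinded * pow(coin_digest(serial), -1, N)) % N
    return pow(ratio, D, N)


def demo():
    vault = Vault()
    alice_coin = withdraw(vault)
    bob_coin = withdraw(vault)
    results = {
        "first": vault.redeem(*alice_coin),
        "replay": vault.redeem(*alice_coin),
        "tampered": vault.redeem(bob_coin[0], (bob_coin[1] + 1) % N),
        "bob": vault.redeem(*bob_coin),
    }
    # Every logged blinded value is consistent with every redeemed coin.
    results["all_pairs_consistent"] = all(
        (coin_digest(serial) * pow(explaining_factor(b, serial), E, N)) % N == b
        for b in vault.issuance_log
        for serial, _ in (alice_coin, bob_coin)
    )
    # The unblinded digest itself never appeared during issuance.
    results["digest_seen_at_issuance"] = any(
        coin_digest(s) in vault.issuance_log for s, _ in (alice_coin, bob_coin)
    )
    return results


if __name__ == "__main__":
    print(demo())
```

Because a valid blinding factor exists for every pairing, the issuance log carries no information about which withdrawal a redeemed coin came from, even for a vault that holds the private key.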

From the perspective of third parties monitoring communications between a vault and a wallet, all that's visible is messages encoded as random-seeming decimal numbers. Ephemeral keys are used in the communications between vaults and wallets, so recorded exchanges cannot later be decrypted even if the vault's secret key is compromised. Encrypted HashCash coins sent from one person to another are just random-seeming numbers as well, not identifiable as cash by third parties.

How secure is HashCash as compared to Bitcoin?

HashCash can provide an unprecedented level of security for users' funds, even for naive users with no idea about information security. This is because it is designed to be usable from a completely offline wallet, and the vault can run on offline, air-gapped computers as well. As a result, HashCash built upon Bitcoin could actually provide most users a much higher level of security than using Bitcoin directly.

A Bitcoin wallet needs to be online in order to send funds, which exposes users' funds to all manner of malware that might be present on the host device, as well as to incoming attacks over the network. There are some wallets (e.g. Electrum) that can create unsigned transactions which can then be signed by an offline wallet (and indeed this is exactly the mechanism that the HashCash vault uses to operate from offline servers) but configuring and managing this, along with the necessary secure backups to ensure that private keys (and thereby funds) aren't lost, isn't within the comfort-zone of most regular non-geek users. HashCash takes care of all this on the vault end and provides users with simple, flexible bearer tokens that are easier to secure.

With a HashCash wallet on an offline device, such as a Noodle Air, users' funds are completely safe, with zero effort on their part, other than to keep the MicroSD card containing their funds physically secure. Which is just about the same as keeping paper cash physically secure (actually it's even easier than that, given the size of a MicroSD card relative to stacks of cash). Malware can't steal funds as the device isn't connected to any network - there's no way to send any stolen coins anywhere.

So how do users send HashCash from an offline wallet on a Noodle Air? They just display the QR code for the coins on the screen, and let the payee scan them. If the payee is remote, the user can scan the coins using a mobile phone and then send them on to the payee. This is still secure even if the mobile phone used to scan the coins, the network used to send them across to the payee, and the payee's own mobile phone (used to display the coins back for scanning by the payee's offline wallet device) are all compromised. That's because the coins themselves are encrypted end-to-end from the payer's offline wallet to the payee's. The payer just needs to communicate the passphrase with which the coins are encrypted to the payee via a different communications channel, and they have an extremely secure transfer of funds between their offline wallets.

What's more, with a Noodle Air based offline wallet, many users can securely share a single device, so long as they all have their own individual MicroSD cards containing their individual wallets. A family could get by quite happily with a single device. A whole village could probably manage with a few shared devices. As the device itself has no built-in storage, there's no way for one user to steal another user's funds by persisting them across reboots, as long as each user boots up the device with their own MicroSD card. It's true that a shared device could be tampered with to introduce hardware to allow for that, but there are ways to detect this, and such an attack would require a pretty high level of technical sophistication, as well as repeated physical access to the device.

With an offline HashCash wallet, users effectively have an easy way to store their Bitcoin offline, yet securely spend them when needed. Without any worries about keys, key backups, shuttling unsigned transactions around securely for signing (and using a Bitcoin wallet that supports this), maintaining and always having accessible Bitcoin wallets on two different devices, etc.

While I was writing this FAQ answer I had an experience that's a great example of how complicated it is to use Bitcoin securely by itself. I use a Trezor in conjunction with Electrum to keep my Bitcoin keys offline. It's yet another device to carry around (and keep secure) but ok, it worked fine for many months. Then I upgraded Electrum and it stopped working. Said I should upgrade the Trezor's firmware. Of course I only discovered this when I wanted to send a time-critical payment urgently in the next 15 minutes.

OK, upgrading the Trezor firmware should be simple enough right? Turns out it is not, not by a long shot, unless you're using Trezor's own wallet. If you're using Trezor with Electrum you have to use pip install trezor from the command line on a Unix-like system to install the Trezor tools and then burn the new firmware into the device. The pip command doesn't natively exist on macOS so you need to find out how to install that first. Then when you do get it installed, the trezor package doesn't install. Nor does it install on Raspbian GNU/Linux on a Raspberry Pi.

Great, so now I can't spend my Bitcoin till I get this sorted out. I certainly wasn't able to send out the time-critical payment I needed to. And I'm a Unix and information security geek. This is a hopeless situation for most regular users.

HashCash is simpler, easier to use, private, and more secure.

Is HashCash a good long-term store of value?

Once there are a number of independent competing HashCash vaults in operation, that would depend on various factors - the reputation of the specific vault that issued it, the jurisdiction the vault is in, and the value backing for the coin being some of the most important ones. It's also important to remember that HashCash, Bitcoin and all crypto-currencies depend on the soundness and strength of the cryptographic protocols that they are based on. If ever any of these is broken, or revealed to be weaker than thought, or there's a serious exploitable bug in their implementation, the funds in these systems could be at risk.

HashCash and Bitcoin make good mediums of exchange thanks to the attack resistance and financial privacy they can provide, but holding these long-term can expose you to risks due to the possibility of weaknesses in the cryptographic protocols they are based on, as well as other risks. On the other hand, cash deposits in banks are vulnerable to attack and theft as well, most proprietary bank IT systems are probably less secure than the free code of Bitcoin and HashCash which can benefit from open review, and fiat currencies almost inevitably lose value over time.

The best long-term stores of value historically have been gold and silver. For everyday transactions, HashCash is more convenient (and more secure in many ways). Of course, one could run a HashCash vault with precious metals. This was my initial idea when I first started work on HashCash, but it will require more legwork to implement. Nevertheless, HashCash could certainly be overlaid on a precious metals value base rather than Bitcoin. HashCash backed by precious metals, from a reputable vault, would not be a bad store of value. In my opinion that would be a better long-term store of value than Bitcoin or any distributed but unbacked currency.

Given the existence of reliable, stable, precious-metal backed HashCash vaults, and given adequate testing and review of the code, for most people HashCash could be one of the most secure means of long-term wealth storage. Precious metals would provide the stable long-term store of value. The vault would provide users professional security and insurance for their physical metal. Keeping multiple copies of their HashCash coins in multiple locations would ensure access to their funds despite most cases of theft, fire, water damage and so on. Offline wallet and vault machines provide security against malware and network attacks. And all this while maintaining ease of use, privacy and simplicity rivaling - in fact exceeding - that of paper cash.

Has the code been audited?

I'm requesting all crypto geeks I know to have a look at the code and let me know if they see any issues. Other than that, there has been no review of the code. I've kept it as simple as possible and put in lots of comments. Bug reports, patches, translation assistance, etc. are all welcome and much appreciated. There are a few known issues which I hope to sort out very soon.

The blind ECDSA protocol used in HashCash is from this paper. I'm not a mathematician and I really don't know if this scheme is secure. I will wait to hear the opinions of experts on that. The HashCash code also includes support for blind RSA signatures rather than blind ECDSA, but RSA based coins are much bigger, which limits the convenience of transferring them via QR codes. However if that's not a consideration then RSA-based coins are certainly an option as well.

It would also be possible to use RSA and ECDSA blind signatures together for the security of both algorithms combined, or to use other combinations of multiple different blind signatures.

What if something goes wrong?

There are a few possibilities for things to go wrong. Some of the major ones are:

  • A vault's keys could be compromised
  • A vault could be attacked or go offline for some reason
  • There could be a weakness in the code or the HashCash protocol

In case a vault's keys are compromised, it could be tricked into verifying coins that it didn't really sign, and Bitcoin could be stolen from the vault using these fake coins. Unfortunately because of the privacy afforded by blind signatures, there is no way for the vault to tell if a coin was signed by it or by someone else who has possession of its private keys. As a result compromise of the vault's private keys would allow an attacker to steal all the Bitcoin in a vault, and the vault might only discover this has happened when its Bitcoin balance is zero and it continues to receive valid coins for exchange. There's not much the vault can do in such a situation other than cease operations. This scenario is mostly preventable by running the vault on air-gapped servers, and by ensuring good physical security.

If a vault is attacked, either legally, physically, or over the network, and forced offline, this is again a worst-case scenario for customers holding its coins, as they now have no way of using their HashCash coins. Vaults can minimize this risk by decentralizing their own operations and using multiple redundant servers in multiple jurisdictions.

Of course, one potential risk is that the vault itself might be dishonest or unreliable. To help customers assess the reliability of different vaults, automated vault reputation rating systems are quite straightforward to implement. However, it's important to realize that theft is not a viable business model for a HashCash vault, as its untrustworthiness will certainly be discovered quickly, and that will be the end of any possible loot. An honest, reliable vault on the other hand, could make steady ongoing profits from a loyal customer base for decades, which is definitely much more lucrative. Just like FedEx makes infinitely more money delivering packages reliably than it ever could by stealing them.

If there's a weakness in the code or the protocols, much depends on how severe the weakness is, the circumstances of its discovery, whether it has already been used to attack a vault, and many other factors. At the worst-case end of the spectrum, a severe weakness could again result in the theft of all Bitcoin in the vault, and be discovered only when the vault's balance was zero and valid coins kept coming in for exchange.

Of course, other than vaults, users' wallets can also be targeted by criminals intent on stealing coins. Malware on desktop and mobile devices is a serious problem that's only going to get worse. The risks on this front can be minimized with an offline wallet. HashCash lends itself really well to use on an offline device as the wallet can easily be implemented on very modest hardware.

Can a payment be reversed?

A HashCash vault has no involvement with a payment transaction. A payment is simply someone directly transferring their HashCash coins to another person. So there is no possibility of a payment reversal by a payer or by a vault.

Why Bitcoin as the underlying unit of value?

Bitcoin just happens to work well as a value base at the moment, and is easy to automate. Fundamentally, though, HashCash is a digital cash system independent of the value base, which can be anything.

Bitcoin currently has a large market share in the crypto-currency market, and is the most widely used crypto-currency. Being decentralized, attack-resistant, and deflationary, it is a superior medium of exchange when compared to fiat alternatives (although, to be honest, that's a very low bar). It is also easy to work with, thanks to all of the existing support and infrastructure that exists. It is permissionless - accessible to anyone anywhere, without any forms to fill out or hoops to jump through, which means anyone anywhere can run a HashCash vault.

Can I use HashCash in my country?

You can use HashCash anywhere the Internet is available and the HashCash vault servers can be accessed. Eventually with SMS gateways it should be accessible anywhere where there is cellphone or satellite phone coverage. Some countries may place legal restrictions on the use of crypto-currencies and that might include HashCash. You would need to be mindful of any restrictions in your country that might apply to HashCash.

How can I accept HashCash on my website, or in my app?

This is one of the areas in which the simplicity of HashCash is very useful. Accepting HashCash on your site is fast, safe and reliable. The Business::HashCash Perl module is available to provide a quick solution.

In fact, accepting HashCash is possibly the easiest way to accept Bitcoin on your site or in your app. Because HashCash can be verified instantly and simply, it's a lot easier to implement and integrate into your existing checkout flow than Bitcoin. Your customers only need to convert some Bitcoin to HashCash prior to placing their order on your site, which also provides them the benefit of strong privacy for the transaction.

What's more, it's just as easy to accept HashCash over email, instant messaging systems, and SMS, or within social networking, gaming and IoT environments, which opens up a world of commercial possibilities in these areas, which have not yet had the benefit of easy payment mechanisms to the extent that the web has.

What about fees? And micropayments?

Every HashCash vault is free to set its own fees. There are four possible fees, and each vault is free to charge any or all of them. The four fees are:

  • Fixed minting fee per coin (abbreviated as MF below)
  • Minting fee per coin that's a percentage of the coin denomination (MP)
  • Fixed verification fee per coin (VF)
  • Verification fee per coin that's a percentage of the coin denomination (VP)

When exchanging coins for new coins, only the verification fees are charged, not the minting fees.

It is highly recommended that vaults set MF and VF appropriately to cover the fixed costs of coin minting and verification. The fixed per-coin fees will limit resource exhaustion attacks.

HashCash can certainly be used for micropayments, in fact it's ideal for them. The smallest accounting unit of Bitcoin-backed HashCash is 1 Satoshi. At current exchange rates, that is about 1/400 of a US cent. So one could potentially send HashCash payments as small as 1/400 of a cent. However note that a vault's per-coin fixed fees might be quite a bit higher than 1 Satoshi. A vault may also have a minimum coin denomination that's higher than 1 Satoshi. In fact it makes no economic sense to mint coins of any denomination lower than the sum of MF and VF.

HashCash vault fees are themselves an example of micropayments with HashCash. Vault fees for small transactions might be in the low hundreds of Satoshi (as of the last update to this document 100 Satoshi is about a quarter of a US cent) and are levied at every interaction with the vault, rather than accumulated and charged together at one time. This enables the system to operate in an account-less, permissionless manner. Vault fees for an interaction will be rounded up to the nearest whole number of lowest-denomination coins.
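A worked fee calculation for the four fees above, as an added Python example that is not part of the HashCash code: it compares issuing the same value as one coin or as many small coins, showing why a fixed per-coin fee makes the vault's signing work cost something while a percentage-only schedule does not. The fee values and the lowest denomination are constructed, and the example assumes percentage fees apply per coin, that issuing new coins attracts the minting fees only, and that rounding applies to the total for one interaction.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class FeeSchedule:
    """The four per-coin fees from the FAQ, in Satoshi or as a fraction."""
    mf: int             # fixed minting fee per coin (MF)
    mp: Fraction        # minting fee as a fraction of the denomination (MP)
    vf: int             # fixed verification fee per coin (VF)
    vp: Fraction        # verification fee as a fraction of the denomination (VP)
    lowest_denom: int   # the vault's smallest coin, in Satoshi (assumed value)

    def _round_up(self, amount: Fraction) -> int:
        # Fees are rounded up to a whole number of lowest-denomination coins.
        units = -((-amount) // self.lowest_denom)
        return int(units) * self.lowest_denom

    def minting_fee(self, new_coins) -> int:
        """Fee to issue new coins (assumption: minting fees only)."""
        total = sum((self.mf + self.mp * d for d in new_coins), Fraction(0))
        return self._round_up(total)

    def exchange_fee(self, presented_coins) -> int:
        """Fee to exchange coins for new coins: verification fees only."""
        total = sum((self.vf + self.vp * d for d in presented_coins), Fraction(0))
        return self._round_up(total)

    def min_economic_denomination(self) -> int:
        """Below MF + VF a coin costs more in fixed fees than it is worth."""
        return self.mf + self.vf


def split_cost(schedule: FeeSchedule, value: int, coin_size: int):
    """Return (number of coins the vault must sign, minting fee in Satoshi)."""
    coins = [coin_size] * (value // coin_size)
    return len(coins), schedule.minting_fee(coins)


# Constructed schedules: 100 Satoshi fixed fees plus 0.1%, versus 0.1% only.
WITH_FIXED = FeeSchedule(100, Fraction(1, 1000), 100, Fraction(1, 1000), 1000)
PERCENT_ONLY = FeeSchedule(0, Fraction(1, 1000), 0, Fraction(1, 1000), 1000)

if __name__ == "__main__":
    for name, sched in (("with fixed fees", WITH_FIXED), ("percent only", PERCENT_ONLY)):
        for size in (1_000_000, 1_000):
            n, fee = split_cost(sched, 1_000_000, size)
            print(f"{name}: {n} coin(s) of {size} -> fee {fee} Satoshi")
```

With the percentage-only schedule the fee for 1,000 signatures equals the fee for one, so the requester's cost does not grow with the work imposed on the vault; with fixed fees it grows with every coin.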

A vault may decide to change its fees at any time during its operations. However, vaults should make their policies around fee changes clear up front, and customers should take particular note of a vault's policy regarding fee structure changes. To prevent customers from being caught by surprise on fee structure changes, these should be announced on the vault's website and social media channels well in advance of the date the change will come into effect, and customers should always be able to sell coins they already hold at the original fee rates. In addition, a vault must switch to new keys whenever it makes a fee structure change. With each set of vault keys tied to a specific fee structure, the vault and wallet are always in agreement on what fees to apply to which coins.

Isn't HashCash centralized, and isn't that bad?

HashCash is polycentric, rather than centralized. Each independent HashCash vault operates its own HashCash system and is in absolute and sole control of its signing keys. However, as HashCash is free software, anyone can start a vault, and in time there should be many competing vaults all over the world. A network of independent HashCash vaults would provide a federated polycentric infrastructure, similar to how email works. Every email domain runs its own centralized system, but they all interoperate seamlessly over the most successful, open and popular global distributed network ever.

In addition, I do encourage you to think of and use HashCash, and Bitcoin, at least for now, as ephemeral, experimental mediums of exchange rather than as long-term stores of value, as detailed above under "Is HashCash a good long-term store of value?" Don't keep too much cash as HashCash, and use it primarily for making and receiving payments. That way you minimize your exposure to any long-term risks in the system.

In general, HashCash's polycentric model is possibly more resilient than Bitcoin's blockchain model (although in the current implementation with HashCash being layered on top of Bitcoin, the combination is vulnerable to the weaknesses of both, of course). The Bitcoin blockchain, though distributed, is nevertheless a single point of attack and failure for Bitcoin. Any entity able to take over 51% of the mining pool (many organizations probably do have this ability) would be able to cause problems with the Bitcoin network, and possibly affect the value of Bitcoin. In the HashCash federated model (assuming a value backing other than Bitcoin, such as precious metals), there is really no single point of attack - only a multitude of independent vaults that would need to be each attacked independently.

Because Bitcoin is one monolithic system any major systemic shock - a chain split, a crackdown on Bitcoin in China, or even the emergence of a more popular competing blockchain - could have global consequences on the stability and price of Bitcoin. In contrast, with a large number of HashCash vaults operating in multiple jurisdictions, with different value bases including precious metals, customers would have a wide variety of choices of vault jurisdictions and value bases to select from, allowing them to precisely control their exposure to the risks of different ones. And the effects of any issues with vaults would be localized to specific vaults rather than global.

Further, for most low-value transactions, the distributed blockchain approach is just overkill and extremely inefficient. For low-value transactions, convenience and ease of use are usually much more important than perfectly distributed trustlessness. As is privacy - all sorts of sensitive personal information can be gleaned by monitoring someone's regular small purchases. Such transactions really don't belong on a globally distributed public ledger that's already straining to keep up with transaction volume, even though crypto-currency adoption is still in its early stages. In the case of micropayments (where a good, working solution is decades overdue and urgently needed) distributed trustlessness is basically pointless, whereas a very high level of privacy is normally required, otherwise the privacy cost of transactions exceeds their monetary cost.

HashCash vs. Fiat Currency is a very close analogy to Email vs. Snail Mail. Bitcoin vs. Fiat is not. We don't look to create a globally distributed monolithic blockchain to use for email because it would be slow, inimical to privacy, absurdly wasteful of resources, and yes, a single point of failure (despite its massive distributedness). It's much better to have many independent email systems that can all talk to each other via an open protocol and send messages around. The same really goes for cash.

A HashCash vault is a "trusted third party". Isn't that bad?

A healthy market is full of "trusted third parties". Indeed the very essence of the division of labour that leads to markets in the first place is trusting service providers to provide the services that they specialize in.

In the context of money and currencies, most of the traditional "trusted third parties" that Bitcoin is a reaction against (central banks, fractional-reserve banks, fiat currencies) should never have been trusted in the first place. They were always "untrustworthy third parties" and never "trusted third parties" because their interests did not align with the interests of the users of the currency systems that they imposed by force.

Ironically, Bitcoin's own ecosystem, even in its strong distrust of third parties and centralization, depends heavily on a small group of trusted developers (who may not even be frequent or regular users of Bitcoin as a currency, or hold much Bitcoin themselves) to set the direction for the entire system. The technical details and ramifications of Bitcoin software development decisions are not easily accessible to regular Bitcoin users. As a result Bitcoin users do have to effectively trust the "third party" developers with not only the future of the ecosystem, but also with the value of their Bitcoin holdings, which could lose value due to decisions made by this small group of developers.

"Trustlessness" is not magic fairy dust that can be sprinkled on things to make them perfect. What's important is to ensure that the self-interests of the various participants in the system are aligned, so as to produce win-win scenarios that encourage the development of strong market relationships, which naturally do center around trust and reputation. In a crippled market, you can't trust anyone and everyone is out to rip you off. In a healthy market, most people and companies care far more about their reputation and trustworthiness than any possible ill-gotten one-off gains. Reputable providers in healthy markets will in fact usually accept even substantial financial losses to maintain customer goodwill.

Unlike a government central bank, a private vault isn't financed by taxes and inflation. Its legitimate profits arise from productive business operations - from the service fees voluntarily paid by customers for the secure storage of their assets. The vault's and customers' interests are aligned in ensuring the security of assets stored in the vault. If a vault fails in ensuring this it will suffer a loss of reputation in the market which will translate to business losses or failure. The only way a vault can stay in business and stay profitable over the long term is by providing excellent and reliable service to customers.

In fact the quest for "trustless" cash systems is itself a symptom of the highly crippled market we find ourselves with today, thanks to decades of imbecilic economic interventions by governments. The concept of the market has been so distorted that most people (including, it seems, many crypto-currency enthusiasts) are now conditioned to view all "greedy capitalists" with a jaundiced eye. Naturally people so untrusting of (government-crippled) markets would look for a "completely trustless" cash system.

However there is absolutely no problem in trusting reputable service providers in the market and we do it all the time in all aspects of our lives. One reason there is an impression that cash is different is the history of attacks by governments on private cash systems, such as e-gold. Absent this threat (and while it may not be possible to entirely eliminate it, it's certainly possible to reduce exposure to it a lot better than e-gold did), a federated polycentric model is more efficient, more flexible, and simpler to understand and verify than blockchain-based approaches.

Of critical importance in choosing a digital cash system, from a user's perspective, is being able to understand, at least in broad strokes, how the system works. A system that is so complex that regular users can't readily understand it or directly assure themselves about its privacy and other guarantees is just another situation where millions of people have to ultimately trust a handful of elites.

There are certainly genuine reasons to be concerned about a single point of failure, which a vault could potentially be. A vault might be attacked and forced offline, or have its keys compromised. Its data-center could suffer damage as a result of a natural disaster. But most of these risks arise in all sorts of other businesses as well, and there are well-known ways to mitigate them. The one risk that is somewhat unique to digital cash is that of attacks by powerful governments. However such attacks can be pretty devastating against blockchain systems as well - in many scenarios more so than against a polycentric cash system.

Finally, when considering whether to trust a service provider it's important to consider what exactly you're trusting them with. With most banks and even many Bitcoin online wallets, you're trusting them not only with your funds but also with your personal information - your name, email address, phone number, home address, and most likely even a photo-ID. And all your transaction details. That requires a very high level of trust in the provider, which the majority of providers that require this kind of information really do not deserve, given their privacy policies and the privacy-hostile laws they are subject to.

On the other hand, to use a HashCash vault you need to trust it with zero information - no ID, no name, no email address, no account. Just the funds you're storing with the vault in any specific instance, only for the duration for which you're storing them (which can be minimized down to a few seconds or minutes). That's a very reasonable level of trust to place in a reputable provider. In the case of micropayments, in particular, the concern of trusting a vault is far outweighed by the benefits offered by a simple, private digital cash system.

How can I start a HashCash vault?

Starting a HashCash vault couldn't be simpler from a technical standpoint. All the software you need is in the HashCash distribution. You just need to obtain and set up the hardware (at a cost of about $700 for a basic air-gapped vault), install the vault server code, generate mint keys and your vault's Bitcoin wallet, set a few configuration parameters (including your vault's fees), and you're ready to go. To begin with you can play around with a test vault, as described on the Download page.

It's not that simple from a security, reliability and reputation point of view. Running a vault is a serious responsibility. Your vault will be trusted by customers to securely store their Bitcoin (or other units of value) corresponding to the HashCash you issue them. You need to take all possible security measures, both online and offline, to protect your vault keys and servers.

You also need to be committed both to running the vault with absolute honesty and integrity, and to keeping it available to process interactions with customers 24/7. If you fail on either of these, your "vault" isn't really one, which will lead to loss of reputation and customers, at the very minimum. If you don't think you have the resources or skills to ensure high availability of your vault, you really shouldn't start one.

That said, it is actually fairly easy to run a vault, and if you can ensure the basics - electricity, network link and security - you should be able to run one without much trouble. A HashCash vault could be a profitable little money spinner humming away quietly in the background, requiring not much everyday involvement from its owner. It's also a more individually scalable business than Bitcoin mining. As a HashCash vault operator your business is completely independent, and can be scaled up to whatever level you are able to achieve. Your profits aren't determined solely by hashing power as they are in Bitcoin mining, but are much more responsive to your vault's individual characteristics, including location, reputation, reliability, security measures, fee structure, marketing effort, and so on.

Stay tuned for more details on starting a vault, including specifics for an air-gapped vault.

Why are HashCash coins decimal numbers, rather than Base58 / Base32 strings?

I spent some time considering the different options possible here, which turned out to be surprisingly numerous.

I initially opted for Base85 representation for serialized coins and messages, as this is a fairly compact representation that should be transmissible via any channel that can handle ASCII text. However this only uses 85 characters of the potential 255 one could encode as QR codes using the QR code binary mode. It's also not easy to communicate verbally, and the punctuation characters will not permit the whole string to be selected for copy-pasting with a double click.

Another option is Base58, which is what's used for Bitcoin addresses. This has the advantage of being easily selectable as it excludes punctuation characters, but Base58 strings are longer and even less efficient in QR codes.

Base32 offers the advantages of easy conversion from/to binary, and somewhat better QR code optimization using alphanumeric mode, which can represent 45 characters. But Base32 still wastes more than a quarter of the characters available in alphanumeric mode. So maybe Base45? Or Base44 (Base45 minus the space character).

But Base45/Base44 strings can't be selected with a double-click. Maybe stick with Base32 then. However the official Base32 alphabet seems somewhat sub-optimal in that it drops the digits 0, 1 and 8 because of their potential to be confused with the letters O, I and B, but also drops 9 for no good reason, while 5, which can be confused with S, stays in the alphabet. And by the same token, can't 2 be confused with Z? So maybe drop 2 and 5 as well and go to Base31?

So - Base85, Base58, Base45, Base44, official Base32, modified Base32 dropping 5 instead of 9, modified Base32 dropping 2 instead of 9, or Base31? These were just the main options (the last 4 could also have a variant where all the numerals are used but some of the letters dropped), and none of them is quite optimal. That's when I hit upon the crazy idea of using good-ol' decimal.

Unlike with Bitcoin addresses, it's very rare that someone will need to manually copy or verbalize a HashCash coin. And losing another 22 characters from Base32 (going from 5 bits per character to around 3.3) does increase the length of strings by about 50%, but here's what decimal encoding buys:

  • Perfect representation using QR code numeric mode with no wasted capacity
  • Easy to select with a double-click
  • Still human-readable to those unfamiliar with the Latin alphabet
  • Can be manually handled (and spoken) by those unfamiliar with the Latin alphabet
  • Can be entered using only a numeric keypad, and sent using DTMF tones
  • Can easily be split into small groups of digits (think phone numbers) and hidden in plain sight
  • Possibly invokes less paranoia and harder to spin FUD about than "strange sequences of random characters"
  • Can be spoken over audio calls without having to resort to the International Radiotelephony Spelling Alphabet

Given that the only major drawback is a 50% increase in string length over Base32, it seems clear that the many benefits of decimal are worth the trade-off.
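The trade-off weighed above can be checked numerically. The following is an added example, not code from the HashCash distribution: it assumes a 32-byte payload and a plain big-endian integer conversion (both assumptions, since the page does not specify the coin format), computes the string length and QR data bits for each encoding, and round-trips a payload through grouped decimal.

```python
# Added example: the 32-byte payload size and the integer conversion are
# assumptions for illustration, not HashCash's actual coin serialization.

# QR mode each alphabet fits into: byte mode is needed once lowercase letters
# or most punctuation appear. Bit costs below are from the QR code standard.
ENCODINGS = {"decimal": (10, "numeric"), "Base32": (32, "alphanumeric"),
             "Base45": (45, "alphanumeric"), "Base58": (58, "byte"),
             "Base85": (85, "byte")}

def chars_needed(nbytes, base):
    """Smallest fixed width that can hold any nbytes-long value in this base."""
    n, power, limit = 0, 1, 1 << (8 * nbytes)
    while power < limit:
        power *= base
        n += 1
    return n

def qr_data_bits(nchars, mode):
    """Data bits a QR code spends on nchars characters (mode header excluded)."""
    if mode == "numeric":        # 3 digits -> 10 bits; remainder 1 -> 4, 2 -> 7
        return 10 * (nchars // 3) + (0, 4, 7)[nchars % 3]
    if mode == "alphanumeric":   # 2 chars -> 11 bits; remainder 1 -> 6
        return 11 * (nchars // 2) + 6 * (nchars % 2)
    return 8 * nchars            # byte mode: 8 bits per character

def compare(nbytes=32):
    """Return {name: (string length, QR data bits)} for an nbytes payload."""
    return {name: (chars_needed(nbytes, base),
                   qr_data_bits(chars_needed(nbytes, base), mode))
            for name, (base, mode) in ENCODINGS.items()}

def to_decimal(payload):
    """Fixed-width decimal string; zero padding preserves leading zero bytes."""
    width = chars_needed(len(payload), 10)
    return str(int.from_bytes(payload, "big")).zfill(width)

def from_decimal(digits, nbytes):
    """Inverse of to_decimal; ignores spaces, raises OverflowError if too large."""
    return int(digits.replace(" ", "")).to_bytes(nbytes, "big")

def grouped(digits, size=6):
    """Split into phone-number-like groups for reading aloud or keying in."""
    return " ".join(digits[i:i + size] for i in range(0, len(digits), size))

if __name__ == "__main__":
    for name, (length, bits) in compare().items():
        print(f"{name:8} {length:3} chars  {bits:3} QR data bits")
    sample = bytes(range(32))    # constructed payload, not a real coin
    print(grouped(to_decimal(sample)))
```

For 32 bytes the decimal string is exactly 1.5 times the Base32 length, matching the "about 50%" figure above, while its QR data cost stays within a few bits of the raw 256.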

There's already another Hashcash, why the same name?

Yes, there is a project named Hashcash (with a lowercase 'c'), by Adam Back. The project on this site is HashCash (uppercase 'C'). Hashcash is a "proof of work" (PoW) system, rather than what we normally think of as cash. Hashcash (with some modifications) is in fact the PoW function used in mining Bitcoin.

I'd been thinking about and working on HashCash for quite some time before I came across Adam's project. I registered the domains,, and in March 2001. Around mid-2003, Adam contacted me to check if I would sell him the domain. I decided to give him the domain gratis, and he acknowledged, and promised never to interfere with, my ownership of and, which I planned to use for this project.

I think the two projects are sufficiently different that there's little possibility of confusing one for the other. In written form there's also the clear difference in capitalization. This project has always been HashCash to me so that's how it stays.

I wrote some of the code for HashCash back in 2001, but I thought there were a number of major outstanding issues to be resolved before I could implement even an experimental version of it for real world use, not least of which was the issue of what would provide its value backing. I had no idea then, of course, that Adam's Hashcash would eventually play a key role in doing that.

Coincidentally, Hashcash was originally designed as an anti-spam solution with PoW postage 'stamps' for email, and it would be very easy to implement postage stamps for email using HashCash to achieve the same goal. The recipient of the message would get to keep the value of the HashCash postage stamp in exchange for accepting delivery of the message. So you could get paid to receive advertising messages, or set a price at which strangers could send you email. This is probably the only real solution to spam (and many other network situations where services should require payment in order to limit vulnerability to resource exhaustion and denial of service attacks).

What is the HashCash logo?

The HashCash logo is a "#" character enclosed by square brackets:


It's an ASCII pictograph of a cash note with a # on it.