At 10:49 PM 9/15/95, Nick Szabo wrote:
Hal & Tim have made some interesting comments about payee untraceability. I suspect it will clarify things to point out the orthogonality in two of the major design choices:
* Clearing: Offline vs. online * Settlement: Deposit to payee's account vs. sending new cash to payee
Because DigiCash wants their product to have payer, but not payee, privacy, the current ecash(tm) software from DigiCash uses online clearing and deposit to payee's account, but the three other combinations are also quite doable if somebody wanted to implement them. The design that allows symmetric untraceability combines online clearing with sending new cash. This way the bank need not ID the payee Bob in order to credit
Thanks, Nick, for summarizing this clearly in terms of these two axes. This symmetric untraceability is what I was getting at with my point about Bob clearing the transaction and getting back blinded cash. It's apparent that if Alice can get untraceable cash, and she tells her bank to go ahead and give the same kind of untraceable cash to Bob, then Bob can also get untraceable cash. ....
Offline clearing requires the potential to ID the payer in order to punish double-spending after the fact.
Offline clearing has many hurdles to overcome, and this "True Name" (ID) issue is not very attractive. Fortunately, the vast increases in Net speeds are on the side of online clearing, even for relatively small transactions.
Online systems without observers (such as ecash(tm)) don't need to worry about trying to find multiple spenders, because this is prevented by the online clearing. In fact, purposeful second-spending is used to recover from some error conditions, specifically to determine whether the payee in fact received the "coin" or not when there has been a network error in the middle of a transaction. Distinguishing between mistaken and fraudulent double spending is a very complex, not completely tractable problem, so the current ecash(tm) punts it, which is reasonable because it is online. An offline system would need an elaborate
Sounds pretty compelling to me to concentrate on online clearing systems.... I can imagine limited needs for offline clearing, such as road toll systems, or parking tokens, etc. The amounts of money there can be somewhat limited, and the implications of double spending revealing identity are less serious. (Though I can imagine a worrisome scenario where a highway toll system "deliberately double spends" received tokens to track motorists...there may be precautions built into such systems that I just don't know about.) --Tim May ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway."