On 11/23/05, Daniel A. Nagy <nagydani@epointsystem.org> wrote:
> The basic idea with coins (which are less traceable than notes, but are less flexible, too, and may weigh your pocket down, if you keep large sums in coins) is that the blind signature key is regularly changed (e.g. annually, so it is possible to tell a 2005 ePoint coin from a 2006 ePoint coin, just like in the "real world"), and while coins are accepted indefinitely, they are only issued during the validity period of the key. This means that one can limit the damage caused by a leaked secret key or a malicious issuer. After the validity period of the key, it is possible to keep count of the coins in circulation and accept only that limited amount (and sound alarms, if unaccounted-for coins emerge).
These are good ideas to reduce the impact of a stolen key, and possibly to detect if one has been stolen.
> Another important idea is that of spot-checks: from time to time (determined partly by the users, partly by the issuer in such a way that the issuer cannot control and the users cannot predict it) coins are accepted only with the user identifying the coin's (published) proto-coin and revealing the corresponding blinding factor. If it happens rarely enough, it won't compromise the general untraceability of coins, but it may catch a counterfeit coin and thus reveal the compromise of the secret key.
As a potential user of such a system, if anonymity were important to me I would refuse to honor a request to reveal this linkage information. I would accept that the coin was lost and pay with a different one. Depending on the frequency of such spot checks, this would constitute an effective transaction cost for the use of the system.
> In the electronic cash literature, governance issues have rarely been raised, let alone properly addressed. Systematic treatment of transparent governance in digital payments began, AFAIK, with the research of Ian Grigg.
One example is the Sander and Ta-Shma paper I mentioned earlier: http://citeseer.ist.psu.edu/sander98auditable.html
> In short, the basic idea is for the issuer to _publish_ in an undeniable manner the responses (with some additional info) to exchange requests instead of sending the information back to the requesting party using a private channel. I do think (in agreement with several reviewers of my work) that the setup proposed in the discussed paper, where the communication between the users and the issuer is such that the issuer's responses to users' requests are broadcast and archived in public records is novel.
It will be interesting to see more details of how this works. Sander and Ta-Shma also had the server publish information for every issued coin, and then used zero knowledge techniques for the depositor to show that the coin was on the list. This added great complexity to the system.

CP
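As an added illustration of the two ideas quoted above (per-key issuance counting and the proto-coin spot check), not code from the thread or from ePoint: a toy RSA blind-signature issuer that publishes every blinded request it signs, a spot check that links a coin back to that public log via the blinding factor, and the post-validity count that flags unaccounted-for coins. The key, serials and blinding factors are constructed toy values.

```python
# Toy RSA key (constructed): p=61, q=53 -> n=3233, e=17, d=2753. Far too small
# for real use; chosen so the arithmetic is easy to follow.
N, E, D = 3233, 17, 2753


class Issuer:
    """Holds the signing key for one validity period and a public, append-only
    log of every proto-coin it signed (the 'published responses' idea)."""
    def __init__(self):
        self.log = []  # (proto_coin, blind_signature), broadcast and archived

    def issue(self, proto_coin):
        blind_sig = pow(proto_coin, D, N)
        self.log.append((proto_coin, blind_sig))
        return blind_sig

    def issued_count(self):
        return len(self.log)


def make_coin(issuer, serial, r):
    """User side: blind the serial with factor r, get it signed, unblind.
    The user keeps (proto_coin, r) privately for a possible spot check."""
    proto_coin = serial * pow(r, E, N) % N
    blind_sig = issuer.issue(proto_coin)
    sig = blind_sig * pow(r, -1, N) % N
    return serial, sig, proto_coin, r


def verify_coin(serial, sig):
    """Ordinary acceptance: signature check only, nothing ties coin to issuance."""
    return pow(sig, E, N) == serial


def spot_check(issuer, serial, sig, proto_coin, r):
    """Spot check: the coin must verify AND re-blind to a proto-coin that is
    actually in the public log. A coin signed with a leaked key has no entry."""
    if not verify_coin(serial, sig):
        return False
    if proto_coin not in {p for p, _ in issuer.log}:
        return False  # unaccounted-for coin: key compromise or rogue issuance
    return serial * pow(r, E, N) % N == proto_coin


def counterfeit_coin(serial):
    """Simulates the compromise scenario for the detection test: a coin signed
    with the leaked d that bypasses the issuer and therefore the log."""
    return pow(serial, D, N)


def accounting_alarm(issuer, redeemed_serials):
    """After the key's validity period: more distinct coins redeemed than the
    log says were issued means unaccounted-for coins exist."""
    return len(set(redeemed_serials)) > issuer.issued_count()
```

A coin that passes verify_coin but fails spot_check is exactly the signal the quoted text wants: a valid signature with no matching published proto-coin.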