On Wed, Jul 11, 2001 at 01:30:44PM -0700, Ray Dillinger wrote:
[Anonymous, everyone a mint, floating exchange rates problem...]
The problem I'm running into is that while all kinds of e-cash protocols exist that protect the anonymity of the buyer and a lot protect the anonymity of the seller, there are none that protect the anonymity of the currency issuer, which would be ideal in this circumstance. With the techniques I know of, the issuer can have only "Nym" protection.
The basic problem with anonymizing the issuers (beyond technique alone) would be how the scrip gets redeemed when you don't necessarily know whom the issuer is.
Probably people would be willing to accept other issuers currencies even if they don't know the issuer so long as they had the reputation rating for the currency / issuer. But anonymous reptuations alone aren't any use as a rational issuer would refuse to redeem if the action didn't adversely affect his reputation -- you need to be assured that the rating of the anonymous issuer will be downrated if they refuse to redeem. So then perhaps you could proceed by having unlinkably anonymous credentials for reputation with a trap-door for the rating party so that the rating party can identify the pseudonym behind the unlinkable credential and downrate it. You also want the unlinkable rating credentials to need to be refreshed by the rating credential issuer in order to re-show. Brands' credentials have this property if you reshow without collaboration with the issuer, they are linkable (and hence would be linkable to the transaction gone bad which triggered the downrating). One might desire also that the rating credential issuer not be able to link general transactions, even with collusion from all parties except the issuer. However I'm not sure if this is going to be possible; the rating issuer must be able to link to the nym in event of foul play by the currency issuer, and clearly ability to link from unlinkable payments to a nym links the payments. The only avenue I see is if the foul play were mathematically encapsulatable and could be combined with the protocol so that the rating issuer is only able to link payments to nyms in the event of foul play. Do you think you can encapsulate foul play formally generally enough to be useful in your application? Adam