On Thursday, April 24, 2003, at 10:10 PM, Bill Stewart wrote:
Depending on what you're trying to accomplish with your digital cash, one mode or the other may be useful. Hettinga would probably contend that the first-use model is much cheaper and more efficient, because it avoids the costs of creating and tracking user identities and tieing it to the world in book-entry fashion. If you're trying to use it for something like remailer tokens rather than real cash, that's certainly the case.
On the other hand, the identity-embedding models have tended to be more prominent around Cypherpunks, partly because it has its own technically interesting characteristics, and may have problems that it can solve, but also because it prevents some kinds of fraud, such as making it harder for the bank to claim that a coin has already been spent.
I have a _completely_ different impression of which model has been more prominent around Cypherpunks. I agree that Chaum and Brands have had more regime-friendly schemes, heavily involving identity revealing under some circumstances, but I would hardly say that they are either prominent Cypherpunks or that their approaches are prominent _around_ Cypherpunks. The earliest Chaum system, circa 1985-89, sought to preserve full 2-way untraceability via online clearing. Later Chaum systems--and Brands systems at all times, as I recall--made various compromises in what I think were ill-fated attempts to be more palatable to the various dictators in the world. I also disagree that a model where identity is embedded in digital money has more technically interesting characteristics than a pure, first-class system has. More cruft and more baroqueness, yes, as all such systems somehow requiring identity or "is-a-person" credentials, no matter how well disguised, have more cruft and baroqueness. A clean system requiring no identity would be much more interesting to see today. It's how bearer bonds and "markers" and various other forms of money (IOUs, chop marks, warehouse receipts, "pay to the holder of" forms) work. Systems based on identity, even when the identity is only findable via alleged double spending, are more like certain kinds of checks. This is also cleaner in that the security for not letting the digital money leak out (be copied) belongs where it should belong: with the holder. If the would-be double spender was merely careless with his digital money, by allowing the critical numbers to be seen by others, then he is justly punished by having another "get to the train station locker" before he did. If he _himself_ attempts to double spend...well, this is impossible in a system where the first presenter (first to the train locker) gets the money (contents of the locker). Online clearing also offers the best way to "ping" digital cash systems. (Which is the protection against a bank attempting with any regularity to make claims that money was already withdrawn, that a digital money token was already "spent.") From my 1994 Cyphernomicon (accessible via searching with Google, of course): "12.6.5. Double spending - Some approaches involve constantly-growing-in-size coins at each transfer, so who spent the money first can be deduced (or variants of this). And N. Ferguson developed a system allowing up to N expenditures of the same coin, where N is a parameter. [Howard Gayle reminded me of this, 1994-08-29] - "Why does everyone think that the law must immediately be invoked when double spending is detected?....Double spending is an informational property of digital cash systems. Need we find malicious intent in a formal property? The obvious moralism about the law and double spenders is inappropriate. It evokes images of revenge and retribution, which are stupid, not to mention of negative economic value." [Eric Hughes, 1994-08-27] (This also relates to Eric's good point that we too often frame crypto issue in terms of loaded terms like "cheating," "spoofing," and "enemies," when more neutral terms would carry less meaning-obscuring baggage and would not give our "enemies" (:-}) the ammunition to pass laws based on such terms.) 12.6.6. Issues + Chaum's double-spending detection systems - Chaum went to great lengths to develop system which preserve anonymity for single-spending instances, but which break anonymity and thus reveal identity for double- spending instances. I'm not sure what market forces caused him to think about this as being so important, but it creates many headaches. Besides being clumsy, it require physical ID, it invokes a legal system to try to collect from "double spenders," and it admits the extremely serious breach of privacy by enabling stings. For example, Alice pays Bob a unit of money, then quickly Alice spends that money before Bob can...Bob is then revealed as a "double spender," and his identity revealed to whomver wanted it...Alice, IRS, Gestapo, etc. A very broken idea. Acceptable mainly for small transactions. + Multi-spending vs. on-line clearing - I favor on-line clearing. Simply put: the first spending is the only spending. The guy who gets to the train locker where the cash is stored is the guy who gets it. This ensure that the burden of maintaining the secret is on the secret holder. --Tim May "He who fights with monsters might take care lest he thereby become a monster. And if you gaze for long into an abyss, the abyss gazes also into you." -- Nietzsche