At 04:15 AM 04/25/2003 +0100, Adam Back wrote:
On Thu, Apr 24, 2003 at 11:10:20PM -0400, Patrick Chkoreff wrote:
All right, I can generally understand the purpose here, to make it impossible to correlate an old coin with a new one issued in its place. ...
The bank checks deposited coins and can tell which users double spent coins if any after the fact. What you do about double spending when you detect a given user has done it is a policy question for the bank -- eg fine user, prosecute user for fraud to recuperate costs etc.
As Doug Barnes put it, if your algorithm has to exercise the "then haul them off to jail" step, you've failed. The two basic models of digital cash clearing have been
- embed some identity model into the coins, which is revealed by double-spending, and then do something grouchy if you detect it
- always honor the first use of a coin and reject future uses, and let the users fight over failed spending attempts.
Depending on what you're trying to accomplish with your digital cash, one mode or the other may be useful. Hettinga would probably contend that the first-use model is much cheaper and more efficient, because it avoids the costs of creating and tracking user identities and tying it to the world in book-entry fashion. If you're trying to use it for something like remailer tokens rather than real cash, that's certainly the case. On the other hand, the identity-embedding models have tended to be more prominent around Cypherpunks, partly because it has its own technically interesting characteristics, and may have problems that it can solve, but also because it prevents some kinds of fraud, such as making it harder for the bank to claim that a coin has already been spent.
(You can also use the same protocol for online checking, so the recipient has the choice of convenience of using peer-to-peer without going via the bank, or the choice to deposit now and get a fresh coin and be sure there won't be any dispute resolution later.)
Offline is much much harder than online.
Patrick wrote:
Well hell, that wasn't so hard.
Sure it was :-) But it's stuff that's been done now, mathematically. Doing it in practice is still hard, which is why almost nobody's done it in practice, and not for very long. Back when this stuff was new and exciting, there was an attempt to form an Austin Cypherpunks Credit Union, and the proprietors found that not only was doing business with David Chaum a difficult unsolved problem (:-), but in fact finding a business model that would let them make money at it was even harder.
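The two clearing models discussed above, side by side, as an added toy illustration that is not code from any of the posters: an online bank that honors the first use of a serial and rejects the rest, and an after-the-fact bank that recovers a double spender's identity from two spends of an identity-embedding coin. The coin construction (each coin carries k pairs of random share and share XOR identity, and a spend reveals one half of each pair chosen by the merchant's challenge bits) is a simplification in the spirit of Chaum-style offline cash; the bank's blind signature and the cut-and-choose that proves the pairs are well formed are assumed and omitted here.

```python
import secrets

ID_LEN = 16  # assumption for this toy: identities are padded/truncated to 16 bytes

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mint(identity: bytes, k: int = 8) -> dict:
    """Identity-embedding coin: k pairs (a_i, a_i XOR id). Either half alone
    is random noise; both halves of one pair together reveal the identity."""
    ident = identity.ljust(ID_LEN, b"\0")[:ID_LEN]
    pairs = [(a, xor(a, ident)) for a in (secrets.token_bytes(ID_LEN) for _ in range(k))]
    return {"serial": secrets.token_bytes(8), "pairs": pairs}  # pairs stay with the payer

def spend(coin: dict, challenge: list) -> dict:
    """Payer answers the merchant's random challenge bits: bit 0 reveals a_i,
    bit 1 reveals a_i XOR id. One spend discloses one half per pair, nothing more."""
    return {"serial": coin["serial"], "challenge": list(challenge),
            "reveal": [coin["pairs"][i][bit] for i, bit in enumerate(challenge)]}

class OnlineBank:
    """First-use-wins clearing: the first deposit of a serial is honored,
    every later one is rejected and the parties sort it out between themselves."""
    def __init__(self):
        self.spent = set()

    def deposit(self, t: dict) -> bool:
        if t["serial"] in self.spent:
            return False
        self.spent.add(t["serial"])
        return True

class OfflineBank:
    """After-the-fact clearing: every deposit is recorded; a second deposit of the
    same serial whose challenge differs in any position lets the bank XOR the two
    revealed halves of that pair and recover the double spender's identity."""
    def __init__(self):
        self.seen = {}

    def deposit(self, t: dict):
        prev = self.seen.get(t["serial"])
        if prev is None:
            self.seen[t["serial"]] = t
            return None  # first deposit: accepted, identity stays hidden
        for i, (c1, c2) in enumerate(zip(prev["challenge"], t["challenge"])):
            if c1 != c2:
                return xor(prev["reveal"][i], t["reveal"][i]).rstrip(b"\0")
        return None  # identical challenges (probability 2**-k): nothing is learned
```

A merchant must pick its challenge bits at random; the fixed bit patterns below are only for a deterministic check, and an honest single spend leaves the identity unrecoverable because only one half of each pair is ever disclosed.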