"Simon Spero" <ses@tipper.oit.unc.edu> wrote:
If so, there's an obvious way to get two way anonymity with an on-line system. If Alice wants to pay Bob $10, then Bob could prepare the usual squillion copies of the note, each with a serial number known only to Bob, then blind them and send them to Alice.
Alice would then reblind them and send them to Nick, the banker. Nick would then pick one of the notes, and ask Alice for the blinders for the rest. Alice would then ask Bob for his blinders for the rejected notes, and would forward both sets on to Nick, who would check them, and if they're legit, sign the remaning copy, and return it to Alice. Alice cound then remove her blinding factor, and sent the result on to Bob. Bob then removes his blinding factor, and can now spend the coin.
This is an interesting idea but it is more complicated than necessary, I think. The denomination can be carried in the exponent, in which case there is no need for cut and choose and nobody can cheat the bank. A coin suitable for deposit is a signed number of some special form. To pay Bob, Alice does not withdraw anything ahead of time. Rather, Bob gives her a blinded coin, which she reblinds and gives to the bank. The bank signs it (debiting Alice's account) and gives it back to her. She strips off her blinding and gives it to Bob. He strips off his own blinding and verfifies that he is left with a signed number of the appropriate form. This system is in some ways the inverse of regular ecash. Instead of Alice withdrawing a coin ahead of time, and Bob checking it with the bank right away, it is Alice who does the bank interaction at payment time, and Bob who waits before interacting with the bank. The computational and communications costs do not seem much worse than ecash. There is no way Alice can double-spend because she cannot anticipate Bob's blinding factor and give him a previously-spent coin which will unblind to the proper form. There could be an issue of fraud, though, where Bob insists that Alice's coin was no good even though it actually was. Since he has blinded it she will have no way of recognizing it when he eventually deposits it. In the current system this does not arise as Alice can always give him another copy of the coin and prove that it is good, and she can further determine if Bob has deposited it. So some of the trust in the bank necessary with regular ecash gets replaced by trust between payee and payor in Simon Spero's system. Still, I think this scheme has considerable merit and is worth exploring further. It seems to provide superior privacy protection over Chaum's ecash. The fraud issue can perhaps be dealt with by reputations and credentials as we have often discussed. Hal