There is still no perfectly anonymous currency
-----BEGIN PGP SIGNED MESSAGE----- It occurs to me that even in an on-line-cleared system, that a collusion of Ursula the Underwriter and Bob the Payer can identify Alice the Payee by traffic analysis based on time contraints. Alice has to turn in the coin that Bob gave her in order to get it on-line- cleared *before* she can close the deal with Bob assuming that she believes there is a chance Bob's coin is bad (pre-spent). So Bob and Ursula can do some simple traffic-analysis-style coin-watching over the course of several transactions between Bob and Alice. This could become infeasible for Bob and Ursula in the case that there are very many such transactions going on at the same time and Alice (and some of the other payees) prudently add a traffic-analysis- foiling delay between acceptance of Bob's coin and turning it over to the bank, and between receiving confirmation from the bank and letting Bob know that the bank said "OK". (Of course all this, and in fact all conversations on this subject, presume the existence and proper usage of identity-protecting communication protocols between Alice and Ursula and between Alice and Bob.) Now in some applications it might be a problem for Alice to add these delays. (She might need to complete a great many transactions in a limited amount of time.) In this case Alice will have to choose between efficiency and identity-protection. Her tactic will further be hampered by the fact that only Ursula knows how many similar transactions are going on at any given time. Alice will have to guess. In sum, I have still not seen a proposal for an electronic currency scheme which ensures unconditional identity-protection for both payer and payee. On the other hand, if a bank allows pseudonymous accounts, or if coin-re-paying systems can be implemented, then some lesser degree of identity-protection is still attainable. On the third hand, if a bank allows instant, cheap, anonymous accounts or, equivalently, if the bank issues coins in return (or as Tony Eng has suggested, issues "deposit-vouchers" in return) instead of accessing the payee's account, then ensuring unconditional identity-protection for both parties is easy under several protocols, including the Chaumian Ecash protocol. (That is: auto-coin-laundering via an instant, one-use anonymous account that you control or via a new coin or a deposit voucher whose blinding factors you chose.) Bryce signatures follow "To strive, to seek, to find and not to yield." <a href="http://ugrad-www.cs.colorado.edu/~wilcoxb/Niche.html"> bryce@colorado.edu </a> -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01 iQCVAwUBMJbM0vWZSllhfG25AQG1MgP/UhbGC2Afih+/hrQcjvc4lOQBAWXQ8lDL HpMRI1002odcEQ3LX/Dy2H7+LwsnMQweVtQU3Q9Q8cVWOeSXSReoKAZinbjAvvfH Hf7xKZcmgX4xBhRmOeLxH2/noGL5iRkjONuMfQUFE85Rkc3ilh7IQr+UC8sGLUY1 2p/tXgsFJbM= =RzYl -----END PGP SIGNATURE-----
participants (1)
-
Bryce