Re: digital cash and identity disclosure
At 7:48 PM 10/19/95, Bryce wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Someone claiming to be the nym calling itself tcmay@got.net (Timothy C. May) wrote:
As Hal notes, there are a lot of issues and attacks to consider. I'm sorry that my brief section on Chaumian digital cash in the Cyphernomicon doesn't adequately cover the issues (and as the debates here show, confusion still reigns, and no doubt some of my points are misleading, wrong, or incomplete).
Boy, if I were you I would want to fix the inadequacy in C'nomicon in order to protect my positive rep...
To each their own. There's not enough time in my life to fix all the things that are wrong, even if I knew what they all were. My "positive rep," such as it is with certain people, does not depend on producing flawless documents. In fact, there are different kinds of people. Some favor "closely reasoned" arguments (A implies B implies C implies D....), some favor "imaginative leaps." Where I am depends on my mood.
it tends to make identity-revealing attacks possible (such as the attack I alluded to, and that Hal more completely describes),
I hesitate to pipe up in such august company, but one of us is confused. The attack that we have been discussing is possible because Chaumian Ecash allows the payer to identify the payee. This would be true whether or not there were any protocols related to double-spending. (i.e., because the payer knows the actual ID number of the bill, she can choose to relate it to the bank and then the bank can identify who turns in that bill. Has nothing to do with double-spending. If the protocol provided for re-blinding before depositing the bill then this would not be possible, I think, and would still have nothing to do with double-spending.)
Oh, but it does. Suppose Alice pays out the same piece of digital cash to Bob, Charles, Ellen, Dave, etc. Each thinks they've been paid, each gets to the bank, each finds the bank will not honor the digital cash, as Alice has double spent. (Note: Any schemes for "re-blinding" must still allow "uniqueness"...and must still point back to Alice. Else the scheme/scam above will work. Online clearing, in which only the _first_ to present a digital cash claim gets paid, does not have this problem.)
Announcement: I'm about to fade out from c'punks list for a while, so be sure and Cc: me if you want me to see your post.
I will this time, but people generally should not expect out-of-band cc:ings.
--Tim May
Views here are not the views of my Internet Service Provider or Government.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^756839 | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."
-----BEGIN PGP SIGNED MESSAGE-----
I, Bryce <bryce@colorado.edu> wrote:
(i.e., because the payer knows the actual ID number of the bill, she can choose to relate it to the bank and then the bank can identify who turns in that bill. Has nothing to do with double-spending. If the protocol provided for re-blinding before depositing the bill then this would not be possible, I think, and would still have nothing to do with double-spending.)
Someone claiming to be the nym calling itself tcmay@got.net (Timothy C. May) wrote:
Oh, but it does.
<snip>
(Note: Any schemes for "re-blinding" must still allow "uniqueness"...and must still point back to Alice. Else the scheme/scam above [double-spending -B] will work. Online clearing, in which only the _first_ to present a digital cash claim gets paid, does not have this problem.)
Whoops, you're sure right. Alice will not be revealing the bill's ID, she will be revealing her "double-spending prevention" field.

Hm. I suppose that her victim (the one who received the pre-spent bill and was "out"'ed) could have turned the bill in sans double-spending prevention field if the protocol allowed for it and if he didn't mind the risk of letting Alice get away with a bona fide double-spend.

Of course, if the bank allows anon accounts you can launder your e-coin through these first.

Also, suppose I start a payee-anonymity service? (a.k.a. e-laundering service). You send me the e-coin you received, I deposit it with the bank, check out a new coin, and send you the new coin. (Minus my percentage.) Of course, now *I* have the ability to sting you...

Regrettably, Tim C. May is right and current Chaumian Ecash can't do off-line clearing without enabling stings in which payers can prove which bank account the payee used to deposit the coin. (Not quite the same as proving the payee's identity, but...)

Marcel van der Peijl of DigiCash once bragged to me in private e-mail that they could probably do both-way anonymity in off-line clearing if they really wanted to. Does anyone else think that this is possible? Unlike Tim, I think that off-line clearing capability is a big plus.

Regards,
Bryce

Announcement: I'm not reading cpunks very much. Cc: me if you want to be sure I'll read your post.

signatures follow
"To strive, to seek, to find and not to yield."
<a href="http://ugrad-www.cs.colorado.edu/~wilcoxb/Niche.html"> bryce@colorado.edu </a>
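An added illustration, not part of either message and not DigiCash's code: a toy online-cleared coin built on textbook RSA blinding, showing the two properties argued over in the thread. The bank credits only the first presenter of a serial, and the payer, who chose the serial, can match it against the bank's deposit ledger even though the bank's own withdrawal record cannot. All names, the serial and the parameters are constructed assumptions; the off-line "double-spending prevention" field is not modelled.

```python
# Toy model only: textbook RSA, no padding, constructed parameters.
import hashlib
from math import gcd

P, Q = 2**31 - 1, 2**61 - 1            # two Mersenne primes (toy-sized modulus)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # bank's private exponent

def h(serial: bytes) -> int:
    """Map a coin serial to the value the bank's signature covers."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

class Bank:
    def __init__(self):
        self.withdrawals = []   # (account, blinded value): all the bank sees at withdrawal
        self.deposits = {}      # serial -> account credited (first presenter only)

    def sign_blinded(self, account, blinded):
        self.withdrawals.append((account, blinded))
        return pow(blinded, D, N)

    def deposit(self, account, serial, sig):
        if pow(sig, E, N) != h(serial):
            return "bad signature"
        if serial in self.deposits:        # online clearing: later presenters lose
            return "already spent"
        self.deposits[serial] = account
        return "credited"

def withdraw(bank, account, serial, r):
    """Payer blinds h(serial) with r, gets it signed, then unblinds."""
    assert gcd(r, N) == 1
    blinded = (h(serial) * pow(r, E, N)) % N
    signed = bank.sign_blinded(account, blinded)
    return (signed * pow(r, -1, N)) % N    # equals h(serial)^D mod N

def run_demo():
    bank = Bank()
    serial = b"constructed-serial-0001"    # chosen by the payer, so known to her
    sig = withdraw(bank, "alice", serial, r=123456789)
    first = bank.deposit("bob", serial, sig)        # Bob clears online first
    second = bank.deposit("charles", serial, sig)   # same coin paid out twice
    # The withdrawal log holds only the blinded value, so the bank alone
    # cannot tie this deposit back to Alice's withdrawal.
    bank_can_link = any(b == h(serial) for _, b in bank.withdrawals)
    # If the payer reports the serial, the deposit ledger names the account.
    account_named = bank.deposits.get(serial)
    return first, second, bank_can_link, account_named

if __name__ == "__main__":
    print(run_demo())
```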