Re: Is Chaum's System Traceable or Untraceable?
At 9:10 AM 5/20/96, Ian Goldberg wrote:
In article <199605190626.BAA62897@rs5.tcs.tulane.edu>, Matthew Carpenter <mcarpent@mailhost.tcs.tulane.edu> wrote:
My PDA receives back any coins as change if needed, and logs info about the transaction for my financial records.
When I get back home I 'deposit' my change using the same ATM interface. This also removes from my home computer the copies of the coins I spent, and automatically updates the transaction records on my PC.
So are there any flaws with above procedure?
Yup; with the current protocols, there's no way to do change. For the shop to pay you change, besides suddenly losing your anonymity as a payee, you would have to go online immediately to clear the coins, which assumedly is infeasible.
However, if you use the "fully anonymous" protocol, change becomes trivial. You don't have to go online; the payer (the shop) does, which it assumedly already is. Another benefit is that coins received in this way as change are immediately spendable by you, without having to go online in between.
The "fully anonymous" protocol turns out to be _exactly_ what is needed for situations like this.
Not that full anonymity isn't a Good Thing, but couldn't this be solved by having the merchant (who presumably is on-line) provide PDA <-> mint connectivity for the purposes of getting change, exchanging coins, etc.? My assumption is that all the ecash protocols are not subject to a MITM attack, which I would just presume to be good practice.
Also, given the fully anonymous protocol as you've described it (both payor and payee blind the coins), what's to prevent the merchant from depositing your change before he gives it to you? Unless your PDA is online, you'll be home before you find out the hot dog vendor shorted you. (It's my understanding that the current digicash system does not support Chaum's method of revealing the identity of double-spenders).
- Tim
Tim Dierks -- timd@consensus.com -- www.consensus.com
Head of Thing-u-ma-jig Engineering, Consensus Development
In article <v02140b0aadc66b47f5b3@[206.170.39.104]>, Tim Dierks <tim@dierks.org> wrote:
Not that full anonymity isn't a Good Thing, but couldn't this be solved by having the merchant (who presumably is on-line) provide PDA <-> mint connectivity for the purposes of getting change, exchanging coins, etc.? My assumption is that all the ecash protocols are not subject to a MITM attack, which I would just presume to be good practice.
But if you go online, you give away your identity due to a timing coincidence.
Also, given the fully anonymous protocol as you've described it (both payor and payee blind the coins), what's to prevent the merchant from depositing your change before he gives it to you? Unless your PDA is online, you'll be home before you find out the hot dog vendor shorted you. (It's my understanding that the current digicash system does not support Chaum's method of revealing the identity of double-spenders).
That's another of the cool features of the "anon" protocol: the coin isn't complete until the protocol is finished. The hot-dog vendor doesn't have enough information to spend the coin.
- Ian
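The property claimed in the last reply, that a relaying vendor never holds a spendable coin, shown as an added sketch that is not part of the original thread and is not DigiCash's code. It assumes textbook RSA blind signatures with toy key sizes, hypothetical function names, and omits the vendor paying the mint for the signature.

```python
# Added illustration: textbook RSA blind signature, payee-side blinding.
import hashlib
import math
import secrets

# Mint key (constructed demo values: two Mersenne primes, far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # mint's private exponent

def h(serial: bytes) -> int:
    """Map a coin serial number to an integer mod N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def payee_blind(serial: bytes):
    """Payee (customer owed change) hides H(serial) behind a secret factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (h(serial) * pow(r, E, N)) % N, r

def mint_sign(blinded: int) -> int:
    """Mint signs what the vendor relays; it never sees the serial."""
    return pow(blinded, D, N)

def payee_unblind(blinded_sig: int, r: int) -> int:
    """Only the holder of r can strip the blinding and complete the coin."""
    return (blinded_sig * pow(r, -1, N)) % N

def mint_verify(serial: bytes, sig: int) -> bool:
    """Deposit-time check: sig^E must equal H(serial)."""
    return pow(sig, E, N) == h(serial)

def change_round():
    """One change payment; returns (payee_coin_valid, vendor_copy_valid)."""
    serial = secrets.token_bytes(16)            # chosen and kept by the payee
    blinded, r = payee_blind(serial)            # payee -> vendor
    blinded_sig = mint_sign(blinded)            # vendor -> mint -> vendor
    # The vendor holds (blinded, blinded_sig) only. Even if it somehow learned
    # the serial, the blinded signature fails the mint's deposit check.
    vendor_copy_valid = mint_verify(serial, blinded_sig)
    coin_sig = payee_unblind(blinded_sig, r)    # vendor -> payee, finished offline
    return mint_verify(serial, coin_sig), vendor_copy_valid

if __name__ == "__main__":
    print(change_round())
```
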