digital cash and identity disclosure
Hi...
In the Cyphernomicon, section 12.6.6, Tim May writes:
- Chaum went to great lengths to develop systems which preserve anonymity for single-spending instances, but which break anonymity and thus reveal identity for double-spending instances. I'm not sure what market forces caused him to think about this as being so important, but it creates many headaches. Besides being clumsy, it requires physical ID, it invokes a legal system to try to collect from "double spenders," and it admits the extremely serious breach of privacy by enabling stings. For example, Alice pays Bob a unit of money, then quickly Alice spends that money before Bob can...Bob is then revealed as a "double spender," and his identity revealed to whomever wanted it...Alice, IRS, Gestapo, etc. A very broken idea. Acceptable mainly for small transactions.
But as far as I got Chaum's idea, Alice would not reveal Bob's identity, but rather her own. Am I missing a point here?
Andreas
Andreas Bogk writes:
Hi...
In the Cyphernomicon, section 12.6.6, Tim May writes:
- Chaum went to great lengths to develop systems which preserve anonymity for single-spending instances, but which break anonymity and thus reveal identity for double-spending instances. I'm not sure what market forces caused him to think about this as being so important, but it creates many headaches. Besides being clumsy, it requires physical ID, it invokes a legal system to try to collect from "double spenders," and it admits the extremely serious breach of privacy by enabling stings. For example, Alice pays Bob a unit of money, then quickly Alice spends that money before Bob can...Bob is then revealed as a "double spender," and his identity revealed to whomever wanted it...Alice, IRS, Gestapo, etc. A very broken idea. Acceptable mainly for small transactions.
But as far as I got Chaum's idea, Alice would not reveal Bob's identity, but rather her own. Am I missing a point here?
You're right. Tim's wrong. Bob can't spend the money Alice gave him without depositing it in the bank and getting new money issued. Each coin has "This money was issued to Alice" as an invisible imprint which only shows up when two coins with the same serial number are together.
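The "invisible imprint" in the reply above, as an added sketch that is not code from the thread or from DigiCash: a simplified coin in the style of Chaum, Fiat and Naor, in which every committed pair XORs to the withdrawer's identity and each spend opens one half per pair. The bank's blind signature is omitted, and `K`, the account string and the challenge bits are constructed for illustration.

```python
import hashlib, secrets

K = 16  # identity pairs per coin (constructed parameter)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def commit(value, salt):
    return hashlib.sha256(salt + value).digest()

def withdraw(identity):
    """Withdrawer builds a coin whose K committed pairs each XOR to her identity."""
    pairs, commitments = [], []
    for _ in range(K):
        left = secrets.token_bytes(len(identity))
        halves = [(v, secrets.token_bytes(16)) for v in (left, xor(left, identity))]
        pairs.append(halves)
        commitments.append([commit(v, s) for v, s in halves])
    return {"serial": secrets.token_hex(8), "commitments": commitments}, pairs

def spend(pairs, challenge):  # payer opens one half per pair, chosen by the payee's bits
    return [pairs[i][bit] for i, bit in enumerate(challenge)]

def verify(coin, challenge, response):
    return all(commit(v, s) == coin["commitments"][i][bit]
               for i, (bit, (v, s)) in enumerate(zip(challenge, response)))

class Bank:
    def __init__(self):
        self.seen = {}  # serial -> (challenge, response) of the first deposit

    def deposit(self, coin, challenge, response):
        """None on first deposit; on a repeat, the identity embedded at withdrawal."""
        if not verify(coin, challenge, response):
            raise ValueError("opening does not match coin commitments")
        first = self.seen.get(coin["serial"])
        if first is None:
            self.seen[coin["serial"]] = (challenge, response)
            return None
        for i, (b0, b1) in enumerate(zip(first[0], challenge)):
            if b0 != b1:  # both halves of pair i are now known
                return xor(first[1][i][0], response[i][0])
        return b""  # identical challenges: repeat seen, identity stays hidden

def demo():
    alice = b"acct:alice-0001"  # constructed account identifier
    coin, pairs = withdraw(alice)
    bank, c1, c2 = Bank(), [0, 1] * (K // 2), [1, 1] * (K // 2)  # constructed challenges
    first = bank.deposit(coin, c1, spend(pairs, c1))   # first deposit of the coin
    second = bank.deposit(coin, c2, spend(pairs, c2))  # same coin deposited again
    return alice, first, second
```

The identity recovered on the second deposit is the one embedded at withdrawal; nothing about the payee is in the coin.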
Andreas Bogk <andreas@artcom.de> writes:
In the Cyphernomicon, section 12.6.6, Tim May writes:
- Chaum went to great lengths to develop systems which preserve anonymity for single-spending instances, but which break anonymity and thus reveal identity for double-spending instances. I'm not sure what market forces caused him to think about this as being so important, but it creates many headaches. Besides being clumsy, it requires physical ID, it invokes a legal system to try to collect from "double spenders," and it admits the extremely serious breach of privacy by enabling stings. For example, Alice pays Bob a unit of money, then quickly Alice spends that money before Bob can...Bob is then revealed as a "double spender," and his identity revealed to whomever wanted it...Alice, IRS, Gestapo, etc. A very broken idea. Acceptable mainly for small transactions.
But as far as I got Chaum's idea, Alice would not reveal Bob's identity, but rather her own. Am I missing a point here?
There is an attack here, but the text doesn't go into detail about it. You have to assume that (as with the current ecash implementation from Digicash) people have non-anonymous accounts with the bank. If Alice wants to know Bob's identity she can collude with the bank to find out. As Tim describes, she gives Bob some money, then quickly deposits the coins herself. In effect, she intentionally double-spends (with the bank's permission). When Bob makes his deposit, his coins are recognized as matching those which Alice double-spent. So if Alice was, say, an agent involved in a government "sting", and bought bootleg software from Bob, his identity can in fact be learned when he deposits the money.
Actually with the DigiCash system and in fact all of the ecash systems I know about, you don't have to get so fancy; Alice can simply give the bank a record of her transaction with Bob (the coins she sent him) and these will be recognized when Bob deposits them.
Lucky Green has been discussing ways in which people could exchange coins anonymously even with DigiCash's ecash in order to provide some immunity from such attacks.
Hal
participants (3): Andreas Bogk, Hal, Scott Brickner