Tim writes:
If Frank the Forger, to pick a standard sort of crypto example, takes a set of bits (possibly made with the elaborate system Mike Duvos described in an earlier posting) and copies that set of bits n times and then "spends" them n times, how can any of his recipients know that parallel transactions are happening, that the "same" money is being spent n times and that it is very likely that n - 1 of the recipients will be screwed?
I didn't mean to oversell the degree to which the scheme deters multiple spending. It doesn't prevent multiple spending. It merely breaks the anonymity of the perpetrator if two or more people he has transacted the same note with break their own anonymity and voluntarily cooperate with the bank. There is nothing to prevent you from making N copies of your floppy, spending each one, and hopping the next plane to Argentina. Sad but true. In the real world, there would have to be some sort of limit on the number of times such a spoofed transaction could propagate before being cleared with the central bank, much like restrictions on multiple-party checks today. Merchant cooperation would also be necessary. Probably easier to get from the corner store than from the local cocaine dealer.
The other main approach is to build into the blinding protocols which protect anonymity ways to detect the identity of those who spend a unit of digital money more than the specified number of times. "Double spenders" is the common term. This can avoid online clearing, but at the expense of additional protocol complexity and some peculiar wrinkles which can develop.
This is really all I had in mind. Again, double spending is discouraged but not prevented. If you are leaving town and never returning, you can go on a shopping spree.

--
Mike Duvos         $    PGP 2.3a Public Key available     $
mpd@netcom.com     $    via Finger.                       $
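As an added illustration (not code from this thread, and not the scheme Mike refers to): a toy model of the property described above, in which a note spent once leaks nothing about the payer, while two recipients who bring transcripts of the same note to the bank let it recover the payer's identity, and recipients who never deposit contribute nothing. The "line through the identity" construction, the modulus P and the sample identities are all assumptions; the bank's blind signature on the note is omitted.

```python
import secrets
from dataclasses import dataclass

# Toy prime modulus (constructed; a real scheme works in a much larger group).
P = 2**61 - 1

@dataclass(frozen=True)
class Note:
    serial: int  # picked by the payer; the bank only learns it at deposit time
    slope: int   # per-note random secret, fixed when the note is withdrawn

@dataclass(frozen=True)
class Transcript:
    serial: int
    challenge: int  # chosen by the recipient at spend time
    response: int   # identity + slope*challenge mod P

def withdraw() -> Note:
    """Payer prepares a note. In a real scheme the bank would blind-sign a
    commitment to (identity, slope) so recipients can check responses; that
    signature is omitted here because it is not what the thread is about."""
    return Note(serial=secrets.randbelow(P), slope=secrets.randbelow(P - 1) + 1)

def spend(note: Note, identity: int, challenge: int) -> Transcript:
    """One spend leaks exactly one point on the line y = identity + slope*x.
    A single point is consistent with every identity, so the payer stays
    anonymous as long as the note is spent once."""
    return Transcript(note.serial, challenge, (identity + note.slope * challenge) % P)

def bank_clear(deposits: list[Transcript]) -> dict[int, int]:
    """Bank groups deposits by serial. Two transcripts of the same serial
    with different challenges fix the line, and its intercept is the
    identity. Returns {serial: identity} for every double-spent note.
    Recipients who never deposit contribute nothing, so a payer who spends
    N copies and leaves town is only caught if at least two of them clear."""
    by_serial: dict[int, list[Transcript]] = {}
    for t in deposits:
        by_serial.setdefault(t.serial, []).append(t)
    caught: dict[int, int] = {}
    for serial, ts in by_serial.items():
        pairs = [(a, b) for a in ts for b in ts if a.challenge != b.challenge]
        if not pairs:
            continue  # one spend, or the same challenge twice: nothing learned
        a, b = pairs[0]
        slope = (a.response - b.response) * pow(a.challenge - b.challenge, -1, P) % P
        caught[serial] = (a.response - slope * a.challenge) % P
    return caught
```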
Just a thought on ways to deter all of this multiple spending gunk - when you start off, have a centralized bank server. While traffic is low, you can have each individual certificate cleared with the bank server upon creation and execution. After that, things start getting tricky. Maybe a network of bank servers linked by high priority internet links (I don't suppose there really is such a thing, but this is dreamland, after all). This would mean that to cash a certificate more than once would require very fast and accurate timing, and if you combine this with a fairly low upper limit for certificate value, it becomes a waste of time to try. Oh well. Just my A$0.02.

MJH
*                                          *
Mikolaj J. Habryn  dichro@tartarus.uwa.edu.au  *  "Life begins at '040."
PGP Public key available by finger             *  "Spaghetti code means job security!"
We've recently had a flurry of postings about digital money, and the apparently new realization by some that "double spending" is a serious issue. Folks, this is not a new issue---this is the core issue of all serious efforts on digital money (and, indeed, is the core issue of money, period).

I urge everyone interested in digital money to dig up and read the various articles that have appeared, including one of David Chaum's in the July or August of 1992 "Scientific American." The usual places apply, as always:

- the usual books: Schneier, Brassard, Denning, etc.
- Proceedings of the Crypto Conferences, aka "Advances in Cryptology," part of the Springer-Verlag series "Lecture Notes in Computer Science." (A series of silver-grey paperbacks, available in many technical bookstores, and in many university bookstores and libraries).
- ditto for Eurocrypt and other crypto conferences.

I urge this because there is little to be gained by slowly reinventing the wheel. The recent realization here by some that "double spending" is a Big Issue is indicative of this. Double spending, and related issues, is obviously just the _start_ of the really interesting problems with any digital money scheme. This is the _starting point_ of most discussions, not a belated realization.

As I often say, I don't want to sound snippy or holier-than-thou here. It's just that there's a basic corpus of papers on the highly-technical areas of crypto that everyone working in these areas has to be assumed to be familiar with. Rocket scientists have to know that rockets don't work by pushing on air, and cryptologists have to know what's already been written about.

With more than 700 people on the Cypherpunks list---though a far smaller group appears to be actively posting---it is natural that a range of backgrounds, interest levels, and dedication to the issues will exist.
I'm not saying that only "experts" in digital money should speak on these issues, only that the basic papers ought to at least be skimmed.

Best wishes for all,

--Tim May

--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."