Re: anonymity and e-cash
(A copy of this message has also been posted to the following newsgroups: alt.cypherpunks, talk.politics.crypto, sci.crypt)
At 1:19 PM -0800 2/12/97, Lee Tien wrote (on the Cypherpunks@toad.com list):
The NSA's research report on e-cash says:
"The ideal situation (from the point of view of privacy advocates) is that neither payer nor payee should know the identity of the other. This makes remote transactions using electronic cash totally anonymous: no one knows where Alice spends her money and who pays her.
"It turns out that this is too much to ask: there is no way in such a scenario for the consumer to obtain a signed receipt. Thus we are forced to settle for payer anonymity."
Keeping in mind I am only a lawyer, my skim of Schneier (2d ed.) didn't illuminate. The discussion of digital cash seemed to assume no payee anonymity. But the immediate previous section of dining cryptographers involved (it seemed) recipient untraceability.
Is payee anonymity technically possible? Under what conditions?
If so, is the issue social, e.g., as NSA notes, the lack of a signed receipt?
You missed a very good talk by Ian Goldberg of UC Berkeley at the Saturday Cypherpunks meeting at Stanford, where Ian talked for more than an hour on just this issue. (He also talked for an hour on his crack of the RSA challenge using 250 workstations...this was also a good talk.)
It was explicitly stated in Chaum's 1985 paper that methods existed to ensure full untraceability. Chaum has in recent years emphasized a more "surveillance friendly" system in which some of the anonymity is lost.
It was the intuition of some of us that "coin changers" could solve this problem, e.g., by having intermediaries to "mix" the coins and thus break the traceability chain. Lucky Green wrote some articles along these lines, and maybe Hal Finney, too. This was a couple of years ago. The notion is similar to what Ian showed, but our arguments were not formal and robust.
In August of '95, Doug Barnes released a long article on "Identity Agnostic" systems. (His article is no longer at the www.communities.com Web site, so I can't refer you to it. Maybe he'll post it again.)
About a year ago Ian Goldberg considered this issue and came up with a solution which has seemingly reproduced what Chaum was thinking about (but, apparently, did not make completely clear in his papers, for whatever reasons). Ian deals with the issue of "making change" and comes up with a system in which intermediaries, which we may call "e-cashiers" and "moneychangers," can take on the role of the mint/bank. By making "negative deposits" (submitting signed withdrawal slips, effectively), these intermediaries function as moneychangers. And so the one-way anonymous features become two-way (effectively, each of the transactions contributes a "one-way anonymous" component: one-way + one-way = two-way).
It is much easier to understand digital cash with the usual diagram showing the usual triangle of CUSTOMER-MERCHANT-MINT and then analyzing the flow of information, who knows what, etc. Drawing such diagrams in e-mail is beyond my patience. This system used online clearing, of course.
This "disintermediates" the process, and makes for an "everyone a mint" situation, which has some of the same nice properties that an "everyone a remailer" ecology of remailers and users has. And the principle can be extended further back, to where the usual distinctions between CUSTOMER and MERCHANT vanish (as it sort of does in the real world, where the two parties are merely exchanging one item for another item), and where the role of the MINT is minimal.
In fact, Ian showed, the Chaum patents on blinding are NOT USED by the Mint/Bank; only the CUSTOMER uses the blinding patents (and the MERCHANT in some cases, not in other cases). This means that "anyone a mint" does not violate any of the Chaum/Digicash patents, and "mint clients" are likely to be written by third parties. (The _customer_ is presumably on the honor system to abide by the Chaum patents...except the patents are only being licensed to banks...go figure.) (This is where, as I recall, Doug's "agnostic" system came in...it is possible his thinking was similar to Ian's...I don't have Doug's paper handy.)
Ian demonstrated this on an actual system, with real live connections to mints in various countries, but with the blinding not used (as I recall). Draw your own conclusions about what this means. It was heady stuff, seeing the result many of us believed to be implicit in Chaum's 1985 paper made real. Everyone a mint.
This makes the spread of fully anonymous digital cash harder to stop. Issues of the mint denying one has an account are always real ones, but not important--I think--in the real world. The untraceability of the digital coins means that a mint never knows who is testing it for reliability and "honesty," and the mint cannot set out to "screw" a particular customer by declaring his account not to exist (as the mint almost certainly does not have to know who owns which accounts, as deposits can be made anonymously).
I hope this helps. I plan to use this result centrally in my talk at the panel discussion on "Governmental and Social Implications of Digital Cash" at the upcoming CFP.
--Tim May
--
Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
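
An added sketch, not part of the original thread and not Goldberg's or DigiCash's code, of the point in the message above that the mint only signs while blinding happens on the client side: a toy textbook-RSA blind signature in which the payee blinds the new coin and the payer spends a coin at the mint to get it signed. The key, serials and every function name are constructed for illustration, and the exchange flow is an assumption about how such a moneychanging step could work.

```python
import hashlib, secrets
from math import gcd

# Constructed toy key built from two Mersenne primes; far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E, D = P * Q, 65537, pow(65537, -1, (P - 1) * (Q - 1))

def h(serial):  # toy full-domain hash of a coin serial into Z_N
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

class Mint:
    """Online-clearing mint: raw RSA signing and a spent list, no blinding code."""
    def __init__(self):
        self.spent, self.seen = set(), []
    def sign_raw(self, x):
        self.seen.append(x)          # all the mint ever learns about new coins
        return pow(x, D, N)
    def verify(self, serial, sig):
        return pow(sig, E, N) == h(serial)
    def exchange(self, serial, sig, blinded):
        """Accept one valid unspent coin, sign one opaque value in return."""
        if serial in self.spent or not self.verify(serial, sig):
            raise ValueError("coin rejected")
        self.spent.add(serial)
        return self.sign_raw(blinded)

def blind(serial):
    """Client side: hide h(serial) under a random factor r coprime to N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(serial) * pow(r, E, N)) % N, r

def unblind(blind_sig, r):
    """Client side: strip r to leave an ordinary signature on h(serial)."""
    return (blind_sig * pow(r, -1, N)) % N

def payee_anonymous_payment():
    mint = Mint()
    # Bootstrap: the payer already holds one coin (stand-in for a funded withdrawal).
    b0, r0 = blind(b"payer-coin")
    payer_sig = unblind(mint.sign_raw(b0), r0)
    # Payee chooses and blinds the new serial; payer and mint never see it.
    payee_serial = secrets.token_bytes(16)
    blinded, r = blind(payee_serial)
    # Payer spends its own coin and hands the mint only the payee's blinded value.
    blind_sig = mint.exchange(b"payer-coin", payer_sig, blinded)
    return mint, payee_serial, unblind(blind_sig, r)
```

When the payee later presents the unblinded coin, the mint can verify its own signature but finds nothing in `seen` that matches the coin, which is the unlinkability the thread is discussing.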
At 7:08 pm -0500 2/12/97, Tim May wrote:
This "disintermediates" the process, and makes for an "everyone a mint" situation, which has some of the same nice properties that an "everyone a remailer" ecology of remailers and users has.
And, of course, Ian's going to teach all this fun stuff in Anguilla next week. ;-). E-mail me, and I'll refresh your memory with a workshop program, or just click on the FC97 URL in my .sig, below. We have lots of room. Just don't take American, though American Eagle's okay...
Shamelessly yours,
P. T. Hettinga
Promotional Chairman, FC97 Workshop, Conference, and Exhibition
-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"Never attribute to conspiracy what can be explained by stupidity." -- Jerry Pournelle
The e$ Home Page: http://www.shipwright.com/rah/
FC97: Anguilla, anyone? http://www.ai/fc97/