Re: Questions/Comments on ecash protocol
At 22:40 12/2/95, Michael Froomkin wrote:
thank you for the sterling analysis. I for one am following this with enormous interest, even though some of the details are lost on me right now.
[Well done, Ian!] [...]
1) What information about Charlie/customer is encoded onto the coin?
None.
(There must be some, right, since the serial number is blinded?) Since the bank doesn't know what serial number it is signing, it needs to put info about Charlie onto the coin so that it can track him down if he double spends. Lacking such info, the bank can refuse to honor a double-spent coin, but has no way to know who the double-spender is.
Since an online clearing protocol is being used, the bank has no need to identify double spenders. The bank will simply refuse to honor a double spent coin. In fact, cancelling a payment in this protocol is done by just depositing the coin yourself.
3) Is there a way [how hard is it] for Charlie to extract a coin and either (i) copy it and/or
(ii) send it to David [3rd party] in such a way that David could insert it into David's MTB software and then spend it to Sam without Sam or the Bank noticing that anything was wrong. If Charlie and David do this, David now has a coin that is from his point of view both payee and payor anonymous, although Charlie has a risk that David will double-spend and expose Charlie to the bank's wrath.
I can't help the feeling that I am missing something whenever you bring up this question. Assuming it could be done. What would David gain? He as the payor is anonymous to Sam either way. Sam still would have to be worried about being identified, since if Charlie gives David access to Charlie's wallet, it is safe to assume that Charlie will give David (and the mint) access to his blinding factor. Which in turn would reveal Sam as the payee.
The protocol you suggest gives the parties exactly what they would have if they just used Ecash "out of the box": full payor anonymity, no payee anonymity. So why bother?
<insert standard disclaimer here>
-- Lucky Green <mailto:shamrock@netcom.com>
PGP encrypted mail preferred.
On Sun, 3 Dec 1995, Lucky Green wrote: [..cuts...]
At 22:40 12/2/95, Michael Froomkin wrote:
3) Is there a way [how hard is it] for Charlie to extract a coin and either (i) copy it and/or
(ii) send it to David [3rd party] in such a way that David could insert it into David's MTB software and then spend it to Sam without Sam or the Bank noticing that anything was wrong. If Charlie and David do this, David now has a coin that is from his point of view both payee and payor anonymous, although Charlie has a risk that David will double-spend and expose Charlie to the bank's wrath.
I can't help the feeling that I am missing something whenever you bring up this question. Assuming it could be done. What would David gain? He as the payor is anonymous to Sam either way. Sam still would have to be worried about being identified, since if Charlie gives David access to Charlie's wallet, it is safe to assume that Charlie will give David (and the mint) access to his blinding factor. Which in turn would reveal Sam as the payee.
The protocol you suggest gives the parties exactly what they would have if they just used Ecash "out of the box": full payor anonymity, no payee anonymity. So why bother?
These scenarios only matter if the blinded coins have payer info coded into them. With zero payer info you are correct they are irrelevant. I was operating under the (incorrect, it seems) assumption that the blinded coins followed what I now understand to be the OFF-LINE ONLY version of the protocol. In that version, where the blinded coin issued to Alice has info about her coded on to it and/or there is information about payee encoded onto the coin, then such exchanges are necessary to create payee anonymity.
Even with the current protocol, you can achieve payee anonymity if you send a coin to a coin clearinghouse that deposits for you. Alice gives Bob a coin for value. Bob turns the coin over to Carol who, for a small fee, deposits the coin. Now bank knows Carol deposited the coin, but knows of neither Bob nor Alice. Indeed Bob need have no account at the bank at all.
I recognize that there are issues here, esp. for Bob -- does he wait on line while Carol clears the coin before telling Alice that payment cleared (delays?). Or does he bear the risk?
A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law |
U. Miami School of Law | froomkin@law.miami.edu
P.O. Box 248087 | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's warm here.
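The online clearing discussed in this thread (the bank signs a blinded serial, refuses any coin it has already cleared, and a third party such as Carol can deposit for the payee), as an added example that is not part of the original messages or of the Ecash software. It assumes textbook RSA blinding with a toy key; the class and function names are hypothetical.

```python
import hashlib, math, secrets

# Toy bank RSA key built from two Mersenne primes (constructed; not a secure size).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def h(serial):
    """Hash a coin serial number into Z_N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

class Bank:
    def __init__(self):
        self.seen_at_withdrawal = []   # blinded values only, never serials
        self.spent = {}                # serial -> depositor: the online clearing database

    def sign_blinded(self, blinded):
        self.seen_at_withdrawal.append(blinded)
        return pow(blinded, D, N)

    def deposit(self, depositor, serial, sig):
        if pow(sig, E, N) != h(serial):
            return "invalid"
        if serial in self.spent:
            return "refused"           # double spend: rejected without identifying anyone
        self.spent[serial] = depositor
        return "accepted"

def withdraw(bank):
    """Customer side: blind a fresh serial, have it signed, then unblind."""
    serial = secrets.token_bytes(16)
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    blinded = h(serial) * pow(r, E, N) % N
    sig = bank.sign_blinded(blinded) * pow(r, -1, N) % N
    return serial, sig

def demo():
    bank = Bank()
    coin = withdraw(bank)                        # Alice withdraws a coin
    # Alice pays Bob; Bob hands the coin to Carol, who deposits it for him.
    first = bank.deposit("Carol", *coin)
    second = bank.deposit("Bob", *coin)          # any later deposit of the same coin
    linkable = h(coin[0]) in bank.seen_at_withdrawal
    return first, second, linkable, bank.spent[coin[0]]

if __name__ == "__main__":
    print(demo())
```

The bank's records end up holding the blinded value from the withdrawal and Carol's name against the serial, with nothing tying the two together.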