How can e-cash, even on-line cleared, protect payee identity?

Sun Oct 22 21:35:23 PDT 1995

-----BEGIN PGP SIGNED MESSAGE-----

 I, Bryce <bryce at colorado.edu>, wrote:
>
> Is there a scheme which will prevent this collusive payee 
> identification, and if so where can I read about it? 

 The entity calling itself "Hal" <hfinney at shell.portal.com> allegedly wrote:
> 
> One proposal I have seen here is to have a "coin changer" service which
> turns the received coin in at the bank for you. Then the payer and the
> bank and the coin changer all have to collude to identify you.  However
> you have to trust the coin changer not to steal your money.  So it better
> be a pretty trustworthy organization.

Especially since you didn't want anyone to know that you had that
coin in the first place.  This makes it somewhat more difficult to
announce to the world "Hey!  He just stole my coin!".

 I, Bryce:
> Now even if it were the case that the payee is always identifiable
> by a collusion of the bank and the payer (such as is the case in
> DigiCash Ecash), all this means is that you shouldn't accept a coin
> using one nym, and deposit it in the bank using another.  You need
> one bank account per nym, as well as one bank account per
> anonymous transaction, and then you have complete control over
> revelation of your identit(y/ies).

 "'Hal'":
> 
> It would still be less than perfect to have all of a given nym's
> transactions known.  In an ideal electronic cash system no transactions
> are linkable if the participants don't want it.

Careful here.  A given nym's transactions are known only if the
person that they were dealing with chooses to collude with the bank
and reveal it.  Hopefully this would not be the status quo!  (If the
status quo is going to be non-privacy, then we will be using a
different scheme in the first place...)

I mean: it is always true that a person who gave you money can say
"yeah, that's the guy I gave it to."  The only way that this is 
different from tangible cash is that the payer can *prove* to the 
bank that you are the recipient of their money.  And probably the 
bank and the payer together can prove it to the rest of the world.  
(Hm.  Would they be able to prove it?  Perhaps the only way they 
would be able to prove that would be to time-stamp all their 
coins!...)

 "'Hal'":
> In such a system you don't need an "account" as such, but rather the bank
> simply allows used cash to be checked and exchanged for fresh cash via
> anonymous connections.  This would be the most privacy-protecting system.

Again I see an opportunity for "polymorphism".  A bank can use the
very same, or at least a very similar protocol to service both
account-holders and "check-in/check-out" customers.  (Perhaps the
only differences would be the speed with which the bank services the
requests, and the rate at which the bank charges for the service.)

I am excited about polymorphism (such as 
<a href="http://www.communities.com/paper/agnostic.html> Douglas
Barne's "identity-agnostic" idea </a>) because of
social-engineering, evolutionary reasons.  Flexible protocols will
encourage institutions to compete by offering as much privacy,
security, off-line capability, efficiency, etc. as the customers
want, rather than dictating their own terms and trying to define the
market that way.  To the degree to which each capability is
economically beneficial, that capability will become the market
standard.

Regards,

Bryce

signatures follow

            "To strive, to seek, to find and not to yield."   
    <a href="http://ugrad-www.cs.colorado.edu/~wilcoxb/Niche.html">

                          bryce at colorado.edu                   </a>

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01

iQCVAwUBMIsaU/WZSllhfG25AQE4DgP7BoRHvHCXkS70z/612TW+QFxt8ZG5pN2t
DDAlHGJrqmQarCwpOuYB9FuPFb4Nw2vNUgqWE30/q0oe0uJvkbgrFgMTvRPX9w0P
KfKoboTP7LqpPMJzbtsp4eES8Rqw8IF3j5ZQnsXxln5sdpQwztOT9HfXF62VoLsm
Ln3bmGb2vPc=
=1RxY
-----END PGP SIGNATURE-----