There is still no perfectly anonymous currency

Bryce wilcoxb at nagina.cs.colorado.edu
Tue Oct 31 18:10:09 PST 1995



-----BEGIN PGP SIGNED MESSAGE-----

It occurs to me that even in an on-line-cleared system, that a 
collusion of Ursula the Underwriter and Bob the Payer can identify 
Alice the Payee by traffic analysis based on time contraints.  Alice 
has to turn in the coin that Bob gave her in order to get it on-line-
cleared *before* she can close the deal with Bob assuming that she 
believes there is a chance Bob's coin is bad (pre-spent).  So Bob 
and Ursula can do some simple traffic-analysis-style coin-watching 
over the course of several transactions between Bob and Alice.


This could become infeasible for Bob and Ursula in the case that
there are very many such transactions going on at the same time and
Alice (and some of the other payees) prudently add a traffic-analysis-
foiling delay between acceptance of Bob's coin and turning it over 
to the bank, and between receiving confirmation from the bank and 
letting Bob know that the bank said "OK".  (Of course all this, and 
in fact all conversations on this subject, presume the existence and 
proper usage of identity-protecting communication protocols between 
Alice and Ursula and between Alice and Bob.)


Now in some applications it might be a problem for Alice to add
these delays.  (She might need to complete a great many transactions
in a limited amount of time.)  In this case Alice will have to
choose between efficiency and identity-protection.  Her tactic will
further be hampered by the fact that only Ursula knows how many
similar transactions are going on at any given time.  Alice will
have to guess.


In sum, I have still not seen a proposal for an electronic currency
scheme which ensures unconditional identity-protection for both payer 
and payee.  On the other hand, if a bank allows pseudonymous accounts,
or if coin-re-paying systems can be implemented, then some lesser 
degree of identity-protection is still attainable.  On the third 
hand, if a bank allows instant, cheap, anonymous accounts or, 
equivalently, if the bank issues coins in return (or as Tony Eng has
suggested, issues "deposit-vouchers" in return) instead of accessing
the payee's account, then ensuring unconditional identity-protection 
for both parties is easy under several protocols, including the 
Chaumian Ecash protocol.  
(That is:  auto-coin-laundering via an instant, one-use anonymous 
account that you control or via a new coin or a deposit voucher
whose blinding factors you chose.)



Bryce

signatures follow

            "To strive, to seek, to find and not to yield."   
    <a href="http://ugrad-www.cs.colorado.edu/~wilcoxb/Niche.html">

                          bryce at colorado.edu                   </a>


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01

iQCVAwUBMJbM0vWZSllhfG25AQG1MgP/UhbGC2Afih+/hrQcjvc4lOQBAWXQ8lDL
HpMRI1002odcEQ3LX/Dy2H7+LwsnMQweVtQU3Q9Q8cVWOeSXSReoKAZinbjAvvfH
Hf7xKZcmgX4xBhRmOeLxH2/noGL5iRkjONuMfQUFE85Rkc3ilh7IQr+UC8sGLUY1
2p/tXgsFJbM=
=RzYl
-----END PGP SIGNATURE-----






More information about the cypherpunks-legacy mailing list