Digital Cash

Adam Back adam at cypherspace.org
Wed Jul 11 22:23:14 PDT 2001 

On Wed, Jul 11, 2001 at 01:30:44PM -0700, Ray Dillinger wrote:
> [Anonymous, everyone a mint, floating exchange rates problem...]
> 
> The problem I'm running into is that while all kinds of 
> e-cash protocols exist that protect the anonymity of 
> the buyer and a lot protect the anonymity of the seller, 
> there are none that protect the anonymity of the currency 
> issuer, which would be ideal in this circumstance.  With 
> the techniques I know of, the issuer can have only "Nym" 
> protection. 
> 
> The basic problem with anonymizing the issuers (beyond 
> technique alone) would be how the scrip gets redeemed 
> when you don't necessarily know whom the issuer is.

Probably people would be willing to accept other issuers currencies even if
they don't know the issuer so long as they had the reputation rating for the
currency / issuer.

But anonymous reptuations alone aren't any use as a rational issuer would
refuse to redeem if the action didn't adversely affect his reputation -- you
need to be assured that the rating of the anonymous issuer will be downrated
if they refuse to redeem.

So then perhaps you could proceed by having unlinkably anonymous credentials
for reputation with a trap-door for the rating party so that the rating
party can identify the pseudonym behind the unlinkable credential and
downrate it.  You also want the unlinkable rating credentials to need to be
refreshed by the rating credential issuer in order to re-show.  Brands'
credentials have this property if you reshow without collaboration with the
issuer, they are linkable (and hence would be linkable to the transaction
gone bad which triggered the downrating).

One might desire also that the rating credential issuer not be able to link
general transactions, even with collusion from all parties except the
issuer.  However I'm not sure if this is going to be possible; the rating
issuer must be able to link to the nym in event of foul play by the currency
issuer, and clearly ability to link from unlinkable payments to a nym links
the payments.  

The only avenue I see is if the foul play were mathematically encapsulatable
and could be combined with the protocol so that the rating issuer is only
able to link payments to nyms in the event of foul play.

Do you think you can encapsulate foul play formally generally enough to be
useful in your application?

Adam

More information about the cypherpunks-legacy mailing list