double-spending prevention w. spent coins

Bill Stewart bill.stewart at pobox.com
Thu Apr 24 22:10:15 PDT 2003 

At 04:15 AM 04/25/2003 +0100, Adam Back wrote:
>On Thu, Apr 24, 2003 at 11:10:20PM -0400, Patrick Chkoreff wrote:
> > All right, I can generally understand the purpose here, to make it
> > impossible to correlate an old coin with a new one issued in its place.
>...

>The bank checks deposited coins
>and can tell which users double spent coins if any after the fact.
>What you do about double spending when you detect a given user has
>done it is a policy question for the bank -- eg fine user, prosecute
>user for fraud to recuperate costs etc.

As Doug Barnes put it, if your algorithm has to exercise the
"then haul them off to jail" step, you've failed.
The two basic models of digital cash clearing have been
- embed some identity model into the coins, which is revealed by
         double-spending, and then do something grouchy if you detect it
- always honor the first use of a coin and reject future uses,
         and let the users fight over failed spending attempts.

Depending on what you're trying to accomplish with your digital cash,
one mode or the other may be useful.  Hettinga would probably contend that
the first-use model is much cheaper and more efficient,
because it avoids the costs of creating and tracking user identities
and tieing it to the world in book-entry fashion.
If you're trying to use it for something like remailer tokens
rather than real cash, that's certainly the case.

On the other hand, the identity-embedding models have tended to be
more prominent around Cypherpunks, partly because it has its own
technically interesting characteristics, and may have problems
that it can solve, but also because it prevents some kinds of fraud,
such as making it harder for the bank to claim that a coin has already been 
spent.

>(You can also use the same protocol for online checking, so the
>recipient has the choice of convenience of using peer-to-peer without
>going via the bank, or the choice to deposit now and get a fresh coin
>and be sure there won't be any dispute resolution later.)

Offline is much much harder than online.

>Patrick wrote:
> > Well hell, that wasn't so hard.

Sure it was :-)  But it's stuff that's been done now, mathematically.
Doing it in practice is still hard, which is why almost nobody's done it
in practice, and not for very long.  Back when this stuff was new and exciting,
there was an attempt to form an Austin Cypherpunks Credit Union,
and the proprietors found that not only was doing business with David Chaum
a difficult unsolved problem (:-), but in fact finding a business model
that would let them make money at it was even harder.

More information about the cypherpunks-legacy mailing list