Controlled nymity

James A. Donald jamesd at echeque.com
Fri Aug 15 21:38:06 PDT 2003


    --
James A. Donald:
> > What we want of a payment system, is that Alice can prove 
> > she paid Bob, even if Bob wants to deny it, but no one else 
> > can prove that Alice paid Bob unless Alice takes special 
> > action to make it provable.

Major Variola (ret)
> Does it help if:
> Alice generates a secret key for each payment
> Alice *anonymously* deposits an *encrypted* message containing payment details into Bob's acct
> Only Alice can reveal the key for a particular transaction in Bob's account, thereby stripping anonymity but also revealing payment.  For only that transaction.

Presumably Alice prepares a bunch of unblinded tokens, marks 
them "for Bob" and encrypts them so that only the bank can read 
them.

Bob then gives that message to the bank, and the bank then 
tells Bob "yes, it's a valid payment for 25 grams of gold to 
Bob."

Since Alice knows the secrets embedded in that message, she can 
prove that she originated that message, so she can prove she 
paid Bob, but no one else can prove it.  She can prove that to 
Bob, or to anyone, assuming the bank cooperates.

Of course this means the bank knows how much money everyone is 
paying Bob, even if it does not know who is paying Bob.

Also Alice cannot prove that the money was accompanied by the 
message "OK Bob, here is the twenty five grams of gold, deliver 
the Maltese falcon tonight." and thus cannot prove that Bob, by 
accepting the tokens valid for the gold, agreed to deliver the 
Maltese Falcon.

Perhaps these two problems can be fixed.

Alice encrypts a message to the bank containing the unblinded 
tokens.  It also contains instructions 'accept this deposit 
only if accompanied by a number whose hash is X, and only if 
the message is signed with the private key corresponding to 
this public key 89798759754.'

Alice puts this encrypted message to the bank inside a 
message to Bob, which contains the instructions: "OK Bob, 
here is the twenty five grams of gold, deliver the Maltese 
falcon tonight.  Here is a cheque made out to cash, for 25 
grams of gold, valid if accompanied by the hash of this 
message, and signed with private key 1764383486*b, where b is 
whatever your private key is.   Signed Alice."

Bob delivers the cheque (an encrypted message to the bank) and 
the bank validates it as correctly formed and containing valid 
unspent unblinded tokens, and gives him blinded tokens for 25 
grams of gold.

To prove that it was Bob who did indeed deposit this money, 
Alice reveals to the bank the message corresponding to the 
hash, and thus reveals that 89798759754 = B^1764383486, where B 
is Bob's public key, and thus, if the bank keeps a record of 
the exchange, proves that it was Bob who made the exchange, and 
that the money was from Alice, and was for the Maltese falcon. 

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     t9GmbLxgymh192YQzp+e8St5v1yhN1n014TZ3Fyf
     4k6B1/EGsY+IBb0q+xTsr05v3am+86d6UlAzY51Cz
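
The hash-and-derived-key cheque described in the message above, as an added example that is not part of the original post. It assumes Schnorr signatures and SHA-256 over a constructed toy group, leaves out the tokens and the encryption to the bank, and every function name is hypothetical.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def digest(text):
    return hashlib.sha256(text.encode()).hexdigest()

def challenge(R, msg):
    return int(digest(f"{R}|{msg}"), 16) % Q

def sign(x, msg):
    """Schnorr signature with private key x (assumed scheme; the post names none)."""
    r = secrets.randbelow(Q - 1) + 1
    e = challenge(pow(G, r, P), msg)
    return e, (r + e * x) % Q

def verify(y, msg, sig):
    e, s = sig
    R = pow(G, s, P) * pow(y, Q - e, P) % P   # g^s * y^-e, since y has order Q
    return challenge(R, msg) == e

def alice_pays(B, terms):
    """Alice picks k, derives the one-time key D = B^k and commits to her note."""
    k = secrets.randbelow(Q - 1) + 1
    note = f"{terms} Sign with private key {k}*b."
    cheque = {"X": digest(digest(note)), "D": pow(B, k, P)}  # sent encrypted to the bank
    return note, k, cheque

def bob_deposits(b, note, k):
    """Bob presents the hash of the note and signs it with the derived key k*b."""
    n = digest(note)
    return n, sign(k * b % Q, n)

def bank_accepts(cheque, n, sig):
    return digest(n) == cheque["X"] and verify(cheque["D"], n, sig)

def bank_checks_proof(cheque, note, k, B):
    """Alice reveals note and k: the recorded deposit is tied to Bob's key B."""
    return digest(digest(note)) == cheque["X"] and pow(B, k, P) == cheque["D"]

if __name__ == "__main__":
    b = secrets.randbelow(Q - 1) + 1          # Bob's long-term private key
    B = pow(G, b, P)                          # Bob's public key
    note, k, cheque = alice_pays(B, "25 grams of gold for the Maltese falcon.")
    n, sig = bob_deposits(b, note, k)
    print(bank_accepts(cheque, n, sig), bank_checks_proof(cheque, note, k, B))
```

Until Alice reveals the note and k, the bank's record holds only X and D, neither of which names Bob's public key B.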




