[fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

cyphrpunk cyphrpunk at gmail.com
Mon Nov 28 00:14:07 PST 2005

On 11/23/05, Daniel A. Nagy <nagydani at epointsystem.org> wrote:
> The basic idea with coins (which are less traceable than notes, but are less
> flexible, too, and may weigh your pocket down, if you keep large sums in
> coins) is that the blind signature key is regularly changed (e.g. annually,
> so it is possible to tell a 2005 ePoint coin from a 2006 ePoint coin, just
> like in the "real world"), and while coins are accepted indefinitely, they are
> only issued during the validity period of the key. This means that one can
> limit the damage caused by a leaked secret key or a malicious issuer. After
> the validity period of the key, it is possible to keep count of the coins in
> circulation and accept only that limited amount (and sound alarms, if
> unaccounted-for coins emerge).

These are good ideas to reduce the impact of a stolen key, and
possibly to detect if one has been stolen.

> Another important idea is that of spot-checks: from time to time (determined
> partly by the users, partly by the issuer in such a way that the issuer
> cannot control and the users cannot predict it) coins are accepted only with
> the user identifying the coin's (published) proto-coin and revealing the
> corresponding blinding factor. If it happens rarely enough, it won't
> compromise the general untraceability of coins, but it may catch a counterfeit
> coin and thus reveal the compromise of the secret key.

As a potential user of such a system, if anonymity were important to
me I would refuse to honor a request to reveal this linkage
information. I would accept that the coin was lost and pay with a
different one. Depending on the frequency of such spot checks, this
would constitute an effective transaction cost for the use of the

> In the electronic cash literature, governance issues have rarely been
> raised, let alone properly addressed. Systematic treatment of transparent
> governance in digital payments began, AFAIK, with the research of Ian Grigg.

One example is the Sander and Ta-Shma paper I mentioned earlier:

> In short, the basic idea is for the issuer to _publish_ in an undeniable
> manner the responses (with some additional info) to exchange requests
> instead of sending the information back to the requesting party using a private
> channel. I do think (in agreement with several reviewers of my work) that
> the setup proposed in the discussed paper, where the communication between
> the users and the issuer is such that the issuer's responses to users'
> requests are broadcast and archived in public records is novel.

It will be interesting to see more details of how this works. Sander
and Ta-Shma also had the server publish information for every issued
coin, and then used zero knowledge techniques for the depositor to
show that the coin was on the list. This added great complexity to the
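
The spot-check from the quoted text, sketched as an added example that is not part of the original thread or of the ePoint system. It assumes Chaum-style RSA blind signatures, a public record of issued proto-coins, and that each record entry may be claimed once; the toy key and all function names are constructed for illustration.

```python
import hashlib
from math import gcd

# Constructed toy key from two Mersenne primes; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # issuer's secret exponent

def h(serial: bytes) -> int:
    """Map a coin serial into Z_N (stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def blind(serial: bytes, r: int) -> int:
    """User: proto-coin = H(serial) * r^E mod N, r being the blinding factor."""
    if gcd(r, N) != 1:
        raise ValueError("blinding factor must be invertible mod N")
    return h(serial) * pow(r, E, N) % N

def issue(proto: int, ledger: dict) -> int:
    """Issuer: publish the proto-coin (assumed public record), then sign it."""
    ledger[proto] = False            # False = not yet claimed in a spot check
    return pow(proto, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """User: strip the blinding factor to obtain the signature on H(serial)."""
    return blind_sig * pow(r, -1, N) % N

def verify(serial: bytes, sig: int) -> bool:
    """Ordinary acceptance check: the signature opens to H(serial)."""
    return pow(sig, E, N) == h(serial)

def spot_check(serial: bytes, sig: int, r: int, ledger: dict) -> str:
    """Re-blind the coin with the revealed factor and look it up in the record."""
    if not verify(serial, sig):
        return "bad-signature"
    proto = blind(serial, r)
    if proto not in ledger:
        return "alarm: no published proto-coin"
    if ledger[proto]:
        # RSA blinding hides perfectly, so a holder of D can fit a forged coin
        # to any listed proto-coin; a second claim on one entry exposes that.
        return "alarm: proto-coin already claimed"
    ledger[proto] = True
    return "ok"
```

A coin signed directly with a leaked key passes `verify` but fails `spot_check`, which is the signal of key compromise the quoted text describes.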

