[fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

Daniel A. Nagy nagydani at epointsystem.org
Wed Oct 19 04:44:55 PDT 2005 

On Tue, Oct 18, 2005 at 11:27:53PM -0700, cyphrpunk wrote:
> >  Just presented at ICETE2005 by Daniel Nagy:
> >
> >  http://www.epointsystem.org/~nagydani/ICETE2005.pdf
> 
> This is a thorough and careful paper but the system has no blinding
> and so payments are traceable and linkable. The standard technique of
> inserting dummy transfers is proposed, but it is not clear that this
> adds real privacy. Worse, it appears that the database showing which
> coins were exchanged for which is supposed to be public, making this
> linkage information available to everyone, not just banking insiders.
> 
> Some aspects are similar to Dan Simon's proposed ecash system from
> Crypto 96, in particular using knowledge of a secret such as a hash
> pre-image to represent possession of the cash. Simon's system is
> covered by patent number 5768385 and the ePoint system may need to
> step carefully around that patent.  See
> http://www.mail-archive.com/cpunks@einstein.ssz.com/msg04483.html for
> further critique of Simon's approach.

At the time of writing, I was already familiar with Simon's proposal and its
above mentioned critique (I learnt about them from Stefan Brands' blog). At
that time, the design and the implementation were already complete and the
process of writing up the paper was also well advanced. Wishing to postpone
the discussion of patents for as long as possible, I decided against citing
Dan Simon's work in references, which may be regarded as an act of academic
dishonesty on my part. Mea culpa. I am reasonably confident that I can
legally defend the point that there are sufficient differences between my
proposal and Simon's, but I might not be ready to fight off a legal assault
from Microsoft (lack of time and money) right now. Leaving the patent issue
at that, let us proceed to the substance.

I will probably need to write another paper, clarifiing some of these
issues. Let me, however, re-emphasize some of the points already present in
the paper and perhaps cast them in a slightly different light.

In my paper, I am explicitly and implicitly challenging Chaum's assumptions
about the very problem of digital cash-like payment. One can, of course,
criticize my proposal under chaumian assumptions, but that would miss the
point entirely. I think, a decade of consistent failure at introducing
chaumian digital cash to the market is good enough a reason to re-think the
problem from the very basics.

Note that nowhere in my paper did I imply that the issuer is a bank (the
only mentioning of a bank in the paper is in an analogy). This is because I
am strongly convinced that banks cannot, will not and should not be the
principal issuers of digital cash-like payment vehicles. If you need
explaination, I'm willing to provide it. I do not expect payment tokens to
originate from withdrawals and end their life cycles being deposited to
users' bank accounts.

Insider fraud is a very serious risk in financial matters. A system that
provides no safeguards against a fraudulent issuer will sooner or later be
exploited that way. Financial systems (not just electronic ones) often fall
to insider attacks. They must be addressed in a successful system. All
chaumian systems are hopelessly vulnerable to insider fraud.

And now some points missing from the paper:

Having a long-term global secret, whose disclosure leads to immediate,
catastrophic failure of the whole system is to be avoided in security
engineering (using Schneier's terminology, it makes a hard system brittle).
The private key of a blinding-based system is exactly such a component. Note
that in the proposed system, the digital signature of the issuer is just a
fancy integrity protection mechanism for public records, which can be
supplemented and even temporarily substituted (while a new key is phased in
in the case of compromise) by other mechanisms of integrity protection. It
is the public audit trail that provides most of the security.

Using currency is, essentially, a credit operation, splitting barter into
the separate acts of selling and buying, thus making the promise to
reciprocate (that is the eligibility to buy something of equal value from the
buyer) a tradeable asset itself. It is the trading of this asset that needs
to be anonymous, and the proposed system does a good enough job of
protecting the anonymity of those in the middle of the transaction chains.

Hope, this helps.

-- 
Daniel

More information about the cypherpunks-legacy mailing list