[fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

[cyphrpunk]

As far as the issue of receipts in Chaumian ecash, there have been a
couple of approaches discussed.

The simplest goes like this. If Alice will pay Bob, Bob supplies Alice
with a blinded proto-coin, along with a signed statement, "I will
perform service X if Alice supplies me with a mint signature on this
value Y". Alice pays to get the blinded proto-coin Y signed by the
mint. Now she can give it to Bob and show the signature on Y in the
future to prove that she upheld her end.

A slightly more complicated one starts again with Bob supplying Alice
with a blinded proto-coin, which Alice signs. Now she and Bob do a
simultaneous exchange of secrets protocol to exchange their two
signatures. This can be done for example using the commitment scheme
of Damgard from Eurocrypt 93. Bob gets the signature necessary to
create his coin, and Alice gets the signed receipt (or even better,
perhaps Bob's signature could even constitute the service Alice is
buying).

I would be very interested to hear about a practical application which
combines the need for non-reversibility (which requires a degree of
anonymity) with the need to be able to prove that payment was made
(which seems to imply access to a legal system to force performance,
an institution which generally will require identification).

CP