[fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

Daniel A. Nagy nagydani at epointsystem.org
Thu Oct 20 13:23:55 PDT 2005

Thank you for the detailed critique!

I think we're not talking about the same Chaumian cash. The referred 1988
paper proposes an off-line system, where double spending compromises
anonymity and results in transaction reversal. I agree with you that it was
a mistake on my part to deny its peer-to-peer nature; should be more careful
in the future.

I strongly disagree that potentially anonymous systems do not deserve to be
called cash. For the past approx. 100 years, banknotes have been used as
cash and there seems to be no preference on the market for coins, even
though banknotes have unique serial numbers and are, therefore, traceable.
I maintain that anonymity and untraceability are primarily not privacy
concerns but -- to some extent -- necessary conditions for irreversibility,
which is the true reason why cash is such a mainstay in commerce and why I
would expect its electronic equivalent would be a desirable financial instrument
in the world of electronic commerce. In a low-trust environment,
irreversible payments are preferable to reversible ones.

Simple on-line Chaumian blinded tokens, where the value is determined by the
public key and the signed content is unimportant, as long as it is unique,
are more like coins. And the most serious problem with them is that of
transparent governance. Unfortunately, those hyperinflating their currency
are not caught early enough. One way to handle this problem is by expiring
tokens. For example, for each value, keys can be introduced in a brick-wall
pattern: keys are replaced in regular intervals with two keys being valid at
all times, with one expiring in the middle of the lifetime of the other.
Tokens signed by the old key are always exchanged for those signed by the
new one. This would allow a regular re-count of all tokens in circulation
(by the time a key expires, at most as many tokens would have been exchanged
for the next key as have been issued), but it raises other concerns.

With simple blinded tokens, naive transactions are possible only with the
already unblinded ones. One can accept them on faith, and pass on without
exchanging. This does not require additional equipment/software.

I know of no protocol for transferring blinded tokens with a receipt, but I
do not rule out the possibility of its existence.

Without it, however, the blinded tokens are useful for a very narrow range
of transaction values. Namely, those small enough not to be bothered about
receipts, but large enough so that the effort of making a payment does not
exceed the transaction value. This confines their usability to part of the
micropayment market.

To reiterate, the main advantage of the proposed system is that it allows
for a very large range of transaction values by providing adequate security
for high-value ones, while requiring extremely little effort for low-value
ones. And all that at the sole discretion of the users.
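
The brick-wall key schedule and re-count described in the message above, as an added sketch that is not part of the original post. It tracks token counts only (no blind signing), and the names `LIFETIME`, `STEP`, `valid_keys` and `Issuer` are assumptions made for illustration.

```python
from collections import Counter

LIFETIME = 10          # assumed key lifetime, in arbitrary time units
STEP = LIFETIME // 2   # a new key starts halfway through the previous key's life


def valid_keys(t):
    """Keys valid at time t; key k lives on [k*STEP, k*STEP + LIFETIME)."""
    newest = t // STEP
    return [k for k in (newest - 1, newest) if k >= 0]


class Issuer:
    """Hypothetical ledger of per-key token counts for one denomination."""

    def __init__(self):
        self.issued = Counter()     # tokens signed under each key
        self.exchanged = Counter()  # tokens of each key handed back in

    def issue(self, t, n=1):
        key = valid_keys(t)[-1]     # always sign with the newest valid key
        self.issued[key] += n
        return key

    def exchange(self, t, old_key, n=1):
        """Swap n tokens of old_key for n tokens under the newest key."""
        if old_key not in valid_keys(t):
            raise ValueError(f"key {old_key} is not valid at t={t}")
        self.exchanged[old_key] += n
        return self.issue(t, n)

    def recount(self, key):
        """At expiry: tokens handed back must not exceed tokens issued."""
        return self.exchanged[key] <= self.issued[key]


if __name__ == "__main__":
    bank = Issuer()
    k0 = bank.issue(t=1, n=100)                # signed under key 0
    k1 = bank.exchange(t=7, old_key=k0, n=60)  # rolled forward to key 1
    print(valid_keys(7), k1, bank.recount(k0))
    # Constructed case: 50 more key-0 tokens come back, 10 beyond what was issued.
    bank.exchange(t=9, old_key=k0, n=50)
    print(bank.recount(k0))
```

The re-count fails only when more tokens come back under a key than were recorded as issued under it, which is the condition the message says becomes checkable each time a key expires.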


