[fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems

[Daniel A. Nagy]

On Fri, Oct 28, 2005 at 02:18:43PM -0700, cyphrpunk wrote:

> In particular I have concerns about the finality and irreversibility
> of payments, given that the issuer keeps track of each token as it
> progresses through the system. Whenever one token is exchanged for a
> new one, the issuer records and publishes the linkage between the new
> token and the old one. This public record is what lets people know
> that the issuer is not forging tokens at will, but it does let the
> issuer, and possibly others, track payments as they flow through the
> system. This could be grounds for reversibility in some cases,
> although the details depend on how the system is implemented. It would
> be good to see a critical analysis of how epoints would maintain
> irreversibility, as part of the paper.

I agree, this discussion is missing, indeed. I will definitely include it,
should I write another paper on the subject.

Irreversibility of transactions hinges on two features of the proposed
systetm: the fundamentally irreversible nature of publishing information in
the public records and the fact that in order to invalidate a secret, one
needs to know it; the issuer does not learn the secret at all in some
implementnations and only learns it when it is spent in others.

In both cases, reversal is impossible, albeit for different reasons. Let's
say, Alice made a payment to Bob, and Ivan wishes to reverse it with the
possible cooperation of Alice, but definitely without Bob's help. Alice's
secret is Da, Bob's secret is Db, the corresponding challenges are,
respectively, Ca and Cb, and the S message containing the exchange request
Da->Cb has already been published.

In the first case, when the secret is not revealed, there is simply no way to
express reverslas. There is no S message with suitable semantics semantics,
making it impossible to invalidate Db if Bob refuses to reveal it.

In the second case, Db is revealed when Bob tries to spend it, so Ivan can,
in principle, steal (confiscate) it, instead of processing, but at that
point Da has already been revealed to the public and Alice has no means to
prove that she was in excusive possession of Da before it became public
information.

Now, one can extend the list of possible S messages to allow for reversals
in the first scenario, but even in that case Ivan cannot hide the fact of
reversal from the public after it happened and the fact that he is prepared
to reverse payments even before he actually does so, because the users and
auditors need to know the syntax and the semantics of the additional S
messages in order to be able to use Ivan's services.

-- 
Daniel