double-spending prevention w. spent coins

Tim May timcmay at got.net
Fri Apr 25 15:32:42 PDT 2003


On Thursday, April 24, 2003, at 10:10  PM, Bill Stewart wrote:
> Depending on what you're trying to accomplish with your digital cash,
> one mode or the other may be useful.  Hettinga would probably contend that
> the first-use model is much cheaper and more efficient,
> because it avoids the costs of creating and tracking user identities
> and tying it to the world in book-entry fashion.
> If you're trying to use it for something like remailer tokens
> rather than real cash, that's certainly the case.
>
> On the other hand, the identity-embedding models have tended to be
> more prominent around Cypherpunks, partly because it has its own
> technically interesting characteristics, and may have problems
> that it can solve, but also because it prevents some kinds of fraud,
> such as making it harder for the bank to claim that a coin has already 
> been spent.

I have a _completely_ different impression of which model has been more 
prominent around Cypherpunks.

I agree that Chaum and Brands have had more regime-friendly schemes, 
heavily involving identity revealing under some circumstances, but I 
would hardly say that they are either prominent Cypherpunks or that 
their approaches are prominent _around_ Cypherpunks. The earliest Chaum 
system, circa 1985-89, sought to preserve full 2-way untraceability via 
online clearing. Later Chaum systems--and Brands systems at all times, 
as I recall--made various compromises in what I think were ill-fated 
attempts to be more palatable to the various dictators in the world.

I also disagree that a model where identity is embedded in digital 
money has more technically interesting characteristics than a pure, 
first-class system has. More cruft and more baroqueness, yes, as all 
such systems somehow requiring identity or "is-a-person" credentials, 
no matter how well disguised, have more cruft and baroqueness.

A clean system requiring no identity would be much more interesting to 
see today. It's how bearer bonds and "markers" and various other forms 
of money (IOUs, chop marks, warehouse receipts, "pay to the holder of" 
forms) work. Systems based on identity, even when the identity is only 
findable via alleged double spending, are more like certain kinds of 
checks.

This is also cleaner in that the security for not letting the digital 
money leak out (be copied) belongs where it should belong: with the 
holder.  If the would-be double spender was merely careless with his 
digital money, by allowing the critical numbers to be seen by others, 
then he is justly punished by having another "get to the train station 
locker" before he did.

If he _himself_ attempts to double spend...well, this is impossible in 
a system where the first presenter (first to the train locker) gets the 
money (contents of the locker).

Online clearing also offers the best way to "ping" digital cash 
systems. (Which is the protection against a bank attempting with any 
regularity to make claims that money was already withdrawn, that a 
digital money token was already "spent.")

From my 1994 Cyphernomicon (accessible via searching with Google, of 
course):

"12.6.5. Double spending
            - Some approaches involve constantly-growing-in-size coins at
               each transfer, so who spent the money first can be deduced
               (or variants of this). And N. Ferguson developed a system
               allowing up to N expenditures of the same coin, where N is
               a parameter. [Howard Gayle reminded me of this, 1994-08-29]
            - "Why does everyone think that the law must immediately be
               invoked when double spending is detected?....Double
               spending is an informational property of digital cash
               systems. Need we find malicious intent in a formal
               property?  The obvious moralism about the law and double
               spenders is inappropriate.  It evokes images of revenge and
               retribution, which are stupid, not to mention of negative
               economic value." [Eric Hughes, 1994-08-27]  (This also
               relates to Eric's good point that we too often frame crypto
               issues in terms of loaded terms like "cheating," "spoofing,"
               and "enemies," when more neutral terms would carry less
               meaning-obscuring baggage and would not give our "enemies"
               (:-}) the ammunition to pass laws based on such terms.)
    12.6.6. Issues
            + Chaum's double-spending detection systems
              - Chaum went to great lengths to develop systems which
                 preserve anonymity for single-spending instances, but
                 which break anonymity and thus reveal identity for
                 double-spending instances. I'm not sure what market forces
                 caused him to think about this as being so important, but
                 it creates many headaches. Besides being clumsy, it
                 requires physical ID, it invokes a legal system to try to
                 collect from "double spenders," and it admits the
                 extremely serious breach of privacy by enabling stings.
                 For example, Alice pays Bob a unit of money, then quickly
                 Alice spends that money before Bob can...Bob is then
                 revealed as a "double spender," and his identity revealed
                 to whomever wanted it...Alice, IRS, Gestapo, etc. A very
                 broken idea. Acceptable mainly for small transactions.
            +  Multi-spending vs. on-line clearing
              - I favor on-line clearing. Simply put: the first spending
                 is the only spending. The guy who gets to the train
                 locker where the cash is stored is the guy who gets it.
                 This ensures that the burden of maintaining the secret is
                 on the secret holder."





--Tim May
"He who fights with monsters might take care lest he thereby become a 
monster. And if you gaze for long into an abyss, the abyss gazes also 
into you." -- Nietzsche
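
Added example, not part of the original post: a minimal sketch of the online-clearing ("first to the train locker") model discussed above, where the bank keeps only a spent-serial set and no holder identity. All names (ClearingBank, race) are hypothetical, and an HMAC stands in for the bank's signature; a real untraceable system would use blind signatures so the bank cannot link issue to redemption.

```python
import hashlib
import hmac
import secrets
import threading


class ClearingBank:
    """Online-clearing mint: a coin is a random serial plus the bank's MAC."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # assumption: MAC key, not a blind-signature key
        self._spent = set()                  # serials already presented; no identities stored
        self._lock = threading.Lock()        # makes check-and-mark a single atomic step

    def _tag(self, serial):
        return hmac.new(self._key, serial, hashlib.sha256).digest()

    def issue(self):
        serial = secrets.token_bytes(16)
        return serial, self._tag(serial)

    def redeem(self, coin):
        """Return a fresh coin to the first presenter, None to forgers and latecomers."""
        serial, tag = coin
        if not hmac.compare_digest(tag, self._tag(serial)):
            return None                      # not a coin this bank issued
        with self._lock:
            if serial in self._spent:
                return None                  # someone reached the locker first
            self._spent.add(serial)
        return self.issue()                  # value moves to a new secret only the presenter holds


def race(bank, coin, presenters=8):
    """Present one coin from several threads at the same moment; return every outcome."""
    results = []
    barrier = threading.Barrier(presenters)

    def present():
        barrier.wait()                       # release all presenters together
        results.append(bank.redeem(coin))

    threads = [threading.Thread(target=present) for _ in range(presenters)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    bank = ClearingBank()
    outcomes = race(bank, bank.issue())
    print("successful redemptions:", sum(r is not None for r in outcomes))
```

Without the lock around the membership test and the insert, two simultaneous presenters could both pass the check, which is exactly the double spend that online clearing is meant to rule out.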




