Re: Is the following digicash protocol possible?

```
[email protected] (James A. Donald) writes:

>Is it possible to arrange digicash as follows:
(I have rearranged James' two paragraphs)

>If A, the original issuer, issues a unit of digicash
>to B, and B gives it to C, and C gives it to D, and D
>gives it to E, and E cashes it with A,  --  and
>C double spends it to D', who then gives it to E'
>who then attempts to cash it with A, -- then A
>will detect the double spending and rebuff the attempt,
>E' will complain to D', and D', with information
>supplied by E' and A, can then prove that C dishonorably
>double spent the money, without discovering that C gave
>the money to D, and hence without discovering that D
>gave the money to E.

There are protocols to do essentially this, although they get
rather complicated.  It is necessary for each person in the chain
to have some knowledge of the person he is passing the money to,
so that he can confirm that that person is in fact revealing something
about himself that will incriminate him if he double-spends.  If all
parties in the transactions are totally anonymous then there is no
hope of tracking down a double-spender.

>If A, the original issuer, issues a unit of digicash
>to B, and B gives it to C, and C gives it to D, and D
>gives it to E, and E cashes it with A,  --  and
>everyone colludes except C and D, it is impossible
>to prove that C got this unit from D.

My reading of Chaum's paper "Transferred Cash Grows in Size" is that
if you have a system to satisfy the 1st paragraph, it cannot also satisfy
this.  It appears that if B, E and the bank collude, and B knows he gave
the cash to C and E knows that he got it from D, then they can tell that
C gave it to D.  Basically B recognizes the money E got from D, with
the bank's help.  Although Chaum wrote as though his results applied to
any conceivable transferable double-spending-detecting cash system,
it wasn't clear to me how general his results really were.

Hal Finney

```
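The reply above says each payer must reveal "something about himself that will incriminate him if he double-spends". The sketch below is an added example, not code from the post or from Chaum's paper: a simplified model of the identity-splitting idea used in Chaum-Fiat-Naor-style offline cash, where one spend opens half of each committed pair and two spends with different challenges expose the payer. All names (`commit_identity`, `respond`, `verify`, `expose`) and the parameter `K` are hypothetical, and the model assumes the commitments are already bound to the payer; it omits blind signatures and the cut-and-choose step that proves the pairs encode a real identity.

```python
import hashlib
import secrets

K = 16  # committed pairs per holder (constructed toy parameter)

def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def commit_identity(identity: bytes):
    """Split identity into K pairs (a, a XOR identity); publish a hash of each half."""
    pairs = []
    for _ in range(K):
        a = secrets.token_bytes(len(identity))
        pairs.append((a, xor(a, identity)))
    commits = [(h(left), h(right)) for left, right in pairs]
    return pairs, commits

def respond(pairs, challenge):
    """Payer opens one half of every pair, chosen by the payee's challenge bits."""
    return [pairs[i][bit] for i, bit in enumerate(challenge)]

def verify(commits, challenge, response):
    """Payee checks each opened half against the payer's published commitment."""
    return len(response) == K and all(
        h(r) == commits[i][bit] for i, (bit, r) in enumerate(zip(challenge, response)))

def expose(chal1, resp1, chal2, resp2):
    """Two transcripts from one holder: any differing challenge bit yields the identity."""
    for i in range(K):
        if chal1[i] != chal2[i]:
            return xor(resp1[i], resp2[i])
    return None  # identical challenges reveal nothing new

if __name__ == "__main__":
    c_id = b"C".ljust(16, b"\0")                       # constructed identity for holder C
    pairs, commits = commit_identity(c_id)
    to_d = [secrets.randbelow(2) for _ in range(K)]    # D's challenge
    to_d2 = [1 - b for b in to_d]                      # D' challenge (forced to differ)
    r1, r2 = respond(pairs, to_d), respond(pairs, to_d2)
    assert verify(commits, to_d, r1) and verify(commits, to_d2, r2)
    print(expose(to_d, r1, to_d2, r2).rstrip(b"\0"))   # b'C'
```

A single transcript contains only uniformly random halves, so an honest C stays hidden; the identity falls out only when the issuer sees two openings of the same commitments.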