[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Why ecash is traceable



I first reacted to Hal's posting about the way Tim did.
I got confused by the "Charlie" issue, but I think I see it.

>Why not "online clearing" as the preferred model, then?

It's probably still possible to do _some_ tracing in an online system.
As in the previous example, Alice is going to conspire with the
bank to catch Bob, _before_ she pays Bob the money; afterwards is 
too late.  Alice creates an account Alice2 and spends the cash.
Then she pays Bob the same cash.  When Bob tries to deposit it,
the bank notices it's already been spent, and does one of
1) rejects the payment using the normal double-spending prevention
   (not very useful for kidnapping/ransom cases, since Bob
    may kill the victim or whatever)
2) detects the double-spending but uses special-case software to
   tell Bob they're accepting the payment, and trace his account
   or trace the place he's depositing it from, or not actually credit
   it the money they're sending him a receipt for, or whatever.

If Bob wants to prevent the bank from tracing his deposit back to him,
he'll need an anonymous on-line connection; this would probably need
to be some sort of packet laundry, which is easy enough to implement,
or at least a fancy firewall.  If Bob is a real Bad Guy (as opposed
to Alice being the Bad Guy), Bob will probably set up some kind
of temporary account at the bank to deposit the money in,
followed rapidly by withdrawing the money and abandoning/closing
the account.  If Bob is a kidnapper, he probably kills the kid;
if he's just an undocumented retailer, he may not ship the pharmaceuticals,
or may start announcing that Alice is a probable narc.

>[online clearing vs. double-spender detection]
>I'm persuaded that the second approach, involving protocols for revealing
>double spending, is much messier than the "he who gets there first"
>protocol. The online clearing model largely emulates how real physical cash

There are difficulties, with online clearing, though - with physi-cash,
Bob can look at it and say "it looks good/bad" without actually
possessing it; with online clearing, he can lie about "it was pre-spent",
and there's no way to let him check the cash except by either giving it
to him or using messy all-or-nothing-disclosure-of-secrets techniques
(e.g. Alice and Bob flip a coin to decide whether Bob gets to spend
a pre-committed digibuck or Alice gets to demonstrate that it's ok
and spend it first) though an online system could reduce this problem
substantially by recording the time that a given digicash was spent
and reporting that time in double-spending rejections (a first-spending
at approximately the same that Alice gives Bob the money and he deposits it
is obviously suspicious; it doesn't actually identify which one
of them cheated, though they'll both know (unless it was the bank cheating). 
A first-spending time substantially before that implicates Alice.)

>Well, since Alice knows her own blinding factors, she will always be able
>to say to the bank: "My cash will look like this. Watch for it."

Unfortunately, it's probably a lot harder to design a blinding system
that lets the payee blind the cash without allowing him to create
forged bills (at least forged bills based on a hard-to-identify
original bill.)

>My hunch, just a hunch, is that Chaum has been concentrating on the
>particular protocols which avoid online clearing and which avoid avoid the
>payer/payee untraceability for pragmatic reasons.  Pragmatic as in
>"politically wise."
maybe so...
#---
# Bill Stewart, Freelance Information Architect, [email protected]
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---