[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: why ecash is traceable




Hal & Tim have made some interesting comments about payee untraceability.
I suspect it will clarify things to point out the orthogonality in 
two of the major design choices:

* Clearing: Offline vs. online
* Settlement: Deposit to payee's account vs. sending new cash to payee

Because DigiCash wants their product to have payer, but not payee, privacy,
the current ecash(tm) software from DigiCash uses online clearing
and deposit to payee's account, but the three other combinations are 
also quite doable if somebody wanted to implement them.  The design that 
allows symmetric untraceability combines online clearing with sending new 
cash.  This way the bank need not ID the payee Bob in order to credit 
him with the value of the transaction; Bob and the bank can complete 
the clearing and settlement via anonymous channel.  (The bank will 
also want to receive an anonymous payment from Bob for the service,
and Chaum has described a second blinding step the payee must
perform for the symmetric case, complications which I won't go into 
here).

Offline clearing requires the potential to ID the payer in 
order to punish double-spending after the fact.
Online systems without observers (such as ecash(tm)) don't
need to worry about trying to find multiple spenders, because this is
prevented by the online clearing.  In fact, purposeful second-spending
is used to recover from some error conditions, specifically to determine 
whether the payee in fact received the "coin" or not when there has been a
network error in the middle of a transaction.   Distinguishing between
mistaken  and fraudulent double spending is a very complex, not completely 
tractable problem, so the current ecash(tm) punts it, which is reasonable
because it is online.  An offline system would need an elaborate
blacklisting system as well as active support of law enforcement in
all jurisdictions using the ecash, would need to come up with 
reasonable ways to distinguish between fraudulent and 
mistaken double-spending, and would need more elaborate and 
specialized error-recovery protocols.  If hardware "observers", based 
on "tamper-proof" hardware instead of mathematical protocol, and which
prevent double-spending at the source, can be made harder to crack than
the maximum a cracked card is allowed to spend, then such small-value 
transactions might be feasible offline.  (This is the major avenue being 
pursued commercially, because online transactions are perceived to
be too expensive, which is false in the case of the Internet IMHO).

Nick Szabo					[email protected]