[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
There is still no perfectly anonymous currency
-----BEGIN PGP SIGNED MESSAGE-----
It occurs to me that even in an on-line-cleared system, that a
collusion of Ursula the Underwriter and Bob the Payer can identify
Alice the Payee by traffic analysis based on time contraints. Alice
has to turn in the coin that Bob gave her in order to get it on-line-
cleared *before* she can close the deal with Bob assuming that she
believes there is a chance Bob's coin is bad (pre-spent). So Bob
and Ursula can do some simple traffic-analysis-style coin-watching
over the course of several transactions between Bob and Alice.
This could become infeasible for Bob and Ursula in the case that
there are very many such transactions going on at the same time and
Alice (and some of the other payees) prudently add a traffic-analysis-
foiling delay between acceptance of Bob's coin and turning it over
to the bank, and between receiving confirmation from the bank and
letting Bob know that the bank said "OK". (Of course all this, and
in fact all conversations on this subject, presume the existence and
proper usage of identity-protecting communication protocols between
Alice and Ursula and between Alice and Bob.)
Now in some applications it might be a problem for Alice to add
these delays. (She might need to complete a great many transactions
in a limited amount of time.) In this case Alice will have to
choose between efficiency and identity-protection. Her tactic will
further be hampered by the fact that only Ursula knows how many
similar transactions are going on at any given time. Alice will
have to guess.
In sum, I have still not seen a proposal for an electronic currency
scheme which ensures unconditional identity-protection for both payer
and payee. On the other hand, if a bank allows pseudonymous accounts,
or if coin-re-paying systems can be implemented, then some lesser
degree of identity-protection is still attainable. On the third
hand, if a bank allows instant, cheap, anonymous accounts or,
equivalently, if the bank issues coins in return (or as Tony Eng has
suggested, issues "deposit-vouchers" in return) instead of accessing
the payee's account, then ensuring unconditional identity-protection
for both parties is easy under several protocols, including the
Chaumian Ecash protocol.
(That is: auto-coin-laundering via an instant, one-use anonymous
account that you control or via a new coin or a deposit voucher
whose blinding factors you chose.)
Bryce
signatures follow
"To strive, to seek, to find and not to yield."
<a href="http://ugrad-www.cs.colorado.edu/~wilcoxb/Niche.html">
[email protected] </a>
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.01
iQCVAwUBMJbM0vWZSllhfG25AQG1MgP/UhbGC2Afih+/hrQcjvc4lOQBAWXQ8lDL
HpMRI1002odcEQ3LX/Dy2H7+LwsnMQweVtQU3Q9Q8cVWOeSXSReoKAZinbjAvvfH
Hf7xKZcmgX4xBhRmOeLxH2/noGL5iRkjONuMfQUFE85Rkc3ilh7IQr+UC8sGLUY1
2p/tXgsFJbM=
=RzYl
-----END PGP SIGNATURE-----