Re: Polymorphic e-cash schemes was: digital cash and identity disclosure

[Hal <hfinney@shell.portal.com>]

Bryce <wilcoxb@nag.cs.colorado.edu> writes:

>Perhaps a similar "polymorphism" could be implemented with regard to
>on-line/off-line clearing.  When you as a payee receive a Chaumian
>Ecash coin, you can choose based on several factors (including
>reputation of the payer if he chooses to make his nym known to you,
>size of the transaction, time of day, or whatever) to either accept it
>immediately and credit the payer with whatever it is you are selling,
>or to delay completion of the transaction while you attempt to deposit
>the coin with your e-bank.  (If you are wary of "payee-ID proof
>stings" like Lucky Green is, then you can go ahead and launder your
>coin through an anon account during this interval...)  If your payer
>has already spent this coin, then the bank will inform you immediately
>and you can cancel the transaction.  (And take whatever other actions
>you consider appropriate...)

Unfortunately, in order for a coin to be POTENTIALLY spent in an off-line
way, the protocols require that the identity of the withdrawer be
embedded, in blinded form, within the coin data.  It is this step that
Tim and others object to, because among other things it requires
participants to securely identify themselves to the bank, hence does not
work well in a fully anonymous society.  The reason for this requirement
is that if the coin is double-spent, this is not found out until
afterwards, and so the identity of the cheater has to be available so the
bank can go after him.

So letting the payee choose whether to deposit the coin right away or
wait until later will not address this basic privacy problem with offline
cash.

Hal