Re: anonymity and e-cash

[Tim May <tcmay@got.net>]

(A copy of this message has also been posted to the following newsgroups:
alt.cypherpunks, talk.politics.crypto,sci.crypt)



At 1:19 PM -0800 2/12/97, Lee Tien wrote (on the Cypherpunks@toad.com list):
>The NSA's research report on e-cash says:
>
>  "The ideal situation (from the point of view of privacy advocates)
>is that neither payer nor payee should know the identity of the other. This
>makes remote transactions using electronic cash totally anonymous:  no one
>knows where Alice spends her money and who pays her.
>
>  "It turns out that this is too much to ask: there is no way in such
>a scenario for the consumer to obtain a signed receipt.  Thus we are forced
>to settle for payer anonymity."
>
>Keeping in mind I am only a lawyer, my skim of Schneier (2d ed.) didn't
>illuminate.  The discussion of digital cash seemed to assume no payee
>anonymity.  But the immediate previous section of dining cryptographers
>involved (it seemed) recipient untraceability.
>
>Is payee anonymity technically possible?  Under what conditions?
>
>If so, is the issue social, e.g., as NSA notes, the lack of a signed receipt?

You missed a very good talk by Ian Goldberg of UC Berkeley at the Saturday
Cypherpunks meeting at Stanford, where Ian talked for more than an hour on
just this issue. (He also talked for an hour on his crack of the RSA
challenge using 250 workstations...this was also a good talk.)

It was explicitly stated in Chaum's 1985 paper that methods existed to
ensure full untraceability. Chaum has in recent years emphasized a more
"surveillance friendly" system in which some of the anonymity is lost. 

It was the intuition of some of us that "coin changers" could solve this
problem, e.g, by having intermediaries to "mix" the coins and thus break
the traceability chain. Lucky Green wrote some articles along these lines,
and maybe Hal Finney, too. This was a couple of years ago. The notion is
similar to what Ian showed, but our arguments were not formal and robust.

In August of '95, Doug Barnes released a long article on "Identity
Agnostic" systems. (His article is no longer at the www.communities.com Web
site, so I can't refer you to it. Maybe he'll post it again.)

About a year ago Ian Goldberg considered this issue and came up with a
solution which has seemingly reproduced what Chaum was thinking about (but,
apparently, did not make completely clear in his papers, for whatever
reasons). Ian deals with the issue of "making change" and comes up with a
system in which intermediaries, which we may call "e-cashiers" and
"moneychangers," can take on the role of the mint/bank. 

By making "negative deposits" (submitting signed withdrawal slips,
effectively), these intermediaries function as moneychangers. And so the
one-way anonymous features become two-way (effectively, each of the
transactions contributes a "one-way anonymous" component: one-way + one-way
= two-way).

It is much easier to understand digital cash with the usual diagram showing
the usual triangle of CUSTOMER-MERCHANT-MINT and then analyzing the flow of
information, who knows what, etc. Drawing such diagrams in e-mail is beyond
my patience.

This system used online clearing, of course.

This "disintermediates" the process, and makes for an "everyone a mint"
situation, which has some of the same nice properties that an "everyone a
remailer" ecology of remailers and users has.

And the principle can be extended further back, to where the usual
distinctions between CUSTOMER and MERCHANT vanish (as it sort of does in
the real world, where the two parties are merely exchanging one item for
another item), and where the role of the MINT is minimal.

In fact, Ian showed, the Chaum patents on blinding are NOT USED by the
Mint/Bank; only the CUSTOMER uses the blinding patents (and the MERCHANT in
some cases, not in other cases). This means that "anyone a mint" does not
violate any of the Chaum/Digicash patents, and "mint clients" are likely to
be written by third parties. (The _customer_ is presumably on the honor
system to abide by the Chaum patents...except the patents are only being
licensed to banks...go figure.)

(This is where, as I recall, Doug's "agnostic" system came in...it is
possible his thinking was similar to Ian's...I don't have Doug's paper
handy.)

Ian demonstrated this on an actual system, with real live connections to
mints in various countries, but with the blinding not used (as I recall).
Draw your own conclusions about what this means.

It was heady stuff, seeing the result many of us believed to be implicit in
Chaum's 1985 paper made real. Everyone a mint. This makes the spread of
fully anonymous digital cash harder to stop.

Issues of the mint denying one has an account are always real ones, but not
important--I think--in the real world. The untraceability of the digital
coins means that a mint never knows who is testing it for reliability and
"honesty," and the mint cannot set out to "screw" a particular customer by
declaring his account not to exist (as the mint almost certainly does not
have to know who own which accounts, as deposits can be made anonymously).

I hope this helps. I plan to use this result centrally in my talk at the
panel discussion on "Governmental and Social Implications of Digital Cash"
at the upcoming CFP.

--Tim May

-- 
Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,  
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets, 
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."