From: szabo@netcom.com (Nick Szabo)
Date: Sun, 7 Nov 93 02:03:05 PST
To: MIKEINGLE@delphi.com (Mike Ingle)
Subject: Mostly Offline Digicash
In-Reply-To: <01H50ID1IWXU9AN48T@delphi.com>
Message-ID: <199311071002.CAA13037@mail.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain



Mike Ingle:
> After-the-fact detection probably won't fly, because organized multiple
> spending could kill it. There are people who are dumb enough to write
> their PIN numbers on their ATM cards.

Nevertheless, millions use ATM cards, with substantially less loss to
fraud than with credit cards.  Improvement in privacy and reduction
of incidence of fraud over credit cards are sufficient goals for a 
digital cash system.

For Pretty Good Digicash, which would probably far exceed those
goals, how about a "mostly offline" system as follows:

* Modify offline cash to be "stochastically online", so that
1 out of every N coin transactions are checked for double spending 
online, and the remainder of the coins are kept offline.  The chances 
of getting away with K+1-spending a coin are (1-1/N)^K.  The chances of 
getting away with K+1-spending each of M different coins are (1-1/N)^MK.
In general, with a fixed upper limit on coin denominations, the chances of
getting caught at the scene of double-spending increase exponentially
with the amount double-spent.  This means penny-ante fraud will
be easy to get away with (at the scene), but large scale fraud
quickly becomes impractical.  This also means that most 
low-value transactions will be offline and most high-value
transactions online.   Note that above formulae are the odds
of getting the goods before being caught.  Even if by chance all
coins are kept offline during the fraudulent transactions, the odds
of two making it back to the bank increase exponentially
with the number of times they change hands.  Thus even penny-ante
double-spenders will soon be caught, with odds quickly approaching 
certainty, after the fact.  The double-spender's 'nym is then 
revealed, and its reputation damaged or destroyed.

* N is the credit rating of the customer. 'Nyms with good,
solid credentials and/or long-standing reputations can be trusted 
to spend large amounts of digital cash per online check.
New 'nyms, 'nyms with bad credit ratings, and anonymous spenders 
have lower N and are thus checked more often.  Attempting
to defraud via rapid turnover of penny-ante double-spending
'nyms won't pay, because the odds of a new 'nym getting caught
online can be placed as high as needed to make this strategy a loser.

At the first sign of double-spending, or if other signs of
bad credit accumulate, credit rating N is lowered for the customer.  
N should be set by credit rating agencies so that
(Max coin denomination)*MK*(1-1/N)^MK is less than the 'nym's
accumulated "reputation capital", so that it does not pay to build a 
reputation and then "cash in the reputation chips" with a spectacular 
act of digicash fraud.  Since the reputation capital of most customers
will dwarf the average size of their purchases, in practice
the vast majority of purchases will be offline, with only
a few (mostly large) purchases held up for online verification
(which need not take any longer than online verification of
credit cards today).

I envision a decentralized credit-rating system, so that the
integrity of ratings cannot be jeopardized by corrupting one or a 
related few credit rating agencies with false information.  (The IP 
paradigm: an economy should be able to route around node failures).

Nick Szabo				szabo@netcom.com
HEx symbol: N  :-)