From: Michael Froomkin <froomkin@law.miami.edu>
Date: Sun, 3 Dec 95 13:22:35 PST
To: Lucky Green <shamrock@netcom.com>
Subject: Re: Questions/Comments on ecash protocol
In-Reply-To: <v02120d05ace6ea8784af@[192.0.2.1]>
Message-ID: <Pine.SUN.3.91.951203161754.5019E-100000@viper.law.miami.edu>
MIME-Version: 1.0
Content-Type: text/plain


On Sun, 3 Dec 1995, Lucky Green wrote:

[..cuts...]

> At 22:40 12/2/95, Michael Froomkin wrote:
> 
> >3) Is there a way [how hard is it] for charlie to extract a coin and
> >either
> >   (i) copy it and/or
> >
> >   (ii) send it to David [3rd party] in such a way
> >that David could insert it into David's MTB software and then spend it to
> >Sam without Sam or the Bank noticing that anything was wrong.  If Charlie
> >and David do this, David now has a coin that is from his point of view
> >both payee and payor anonymous, although Charlie has a risk that David
> >will double-spend and expose Charlie to the bank's wrath.
> 
> I can't help the feeling that I am missing something whenever you bring up
> this question. Assuming it could be done. What would David gain? He as the
> payor is anonymous to Sam either way. Sam still would have to be worried
> about being identified, since if Charlie gives David access to Charlie's
> wallet, it is safe to assume that Charlie will give David (and the mint)
> access to his blinding factor. Which in turn would reveal Sam as the payee.
> 
> The protocol you suggest gives the parties exactly what they would have if
> they just used Ecash "out of the box": full payor anonymity, no payee
> anonymity. So why bother?
> 
These scenarios only matter if the blinded coins have payer info coded 
into them.  With zero payer info you are correct they are irrelevant.  I 
was operating under the (incorrect, it seems) assumption that the blinded 
coins followed what I now understand to be the OFF-LINE ONLY version of 
the protocol.  In that version, where the blinded coin issued to Alice 
has info about her coded on to it and/or there is information about payee 
encoded onto the coin, then such exchanges are necessary to create payee 
anonymity.

Even with the current protocol, you can achieve payee anonymity if you 
send a coin to a coin clearinghouse that deposits for you.  Alice gives 
Bob a coin for value.  Bob turns the coin over to Carol who, for a small 
fee, deposits the coin.  Now bank knows carol deposited the coin, but 
knows of neither Bob nor Alice.   Indeed Bob need have no account at the 
bank at all.  I recognize that there are issues here, esp. for Bob -- 
does he wait on line while Carol clears the coin before telling Alice 
that payment cleared (delays?).  Or does he bear the risk?

A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law | 
U. Miami School of Law     | froomkin@law.miami.edu
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's warm here.