From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: 8ecbe57b160dd63b908382658fb3f4c5ba2e22647d0f63e12eef20a1a8d9b21e
Message ID: <199510230253.TAA08888@jobe.shell.portal.com>
Reply To: <199510222320.RAA27764@nagina.cs.colorado.edu>
UTC Datetime: 1995-10-23 02:55:36 UTC
Raw Date: Sun, 22 Oct 95 19:55:36 PDT
From: Hal <hfinney@shell.portal.com>
Date: Sun, 22 Oct 95 19:55:36 PDT
To: cypherpunks@toad.com
Subject: Re: How can e-cash, even on-line cleared, protect payee identity?
In-Reply-To: <199510222320.RAA27764@nagina.cs.colorado.edu>
Message-ID: <199510230253.TAA08888@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain
Bryce <wilcoxb@nagina.cs.colorado.edu> writes:
>In an on-line clearing e-cash scheme, Chaum's "double-spender
>identifier" fields are unnecessary, but a "serial number" type field
>to uniquely identify the e-coin is still necessary. Using blinding,
>this serial number may be unknown to the bank, but it will be known
>to the payer. If the payer and the bank are collaborating to
>identify the payee, then they can simply use this serial number to
>identify the recipient of the coin.
>
>Is there a scheme which will prevent this collusive payee
>identification, and if so where can I read about it? (On-line is
>preferable of course, but I don't expect to be that fortunate.)
One proposal I have seen here is to have a "coin changer" service which
turns the received coin in at the bank for you. Then the payer and the
bank and the coin changer all have to collude to identify you. However
you have to trust the coin changer not to steal your money. So it better
be a pretty trustworthy organization.
>Now even if it were the case that the payee is always identifiable
>by a collusion of the bank and the payer (such as is the case in
>DigiCash Ecash), all this means is that you shouldn't accept a coin
>using one nym, and deposit it in the bank using another. You need
>one bank account per nym, as well as one bank account per
>anonymous transaction, and then you have complete control over
>revelation of your identit(y/ies).
It would still be less than perfect to have all of a given nym's
transactions known. In an ideal electronic cash system no transactions
are linkable if the participants don't want it.
>I can imagine a future in which this requirement is not difficult to
>meet. Perhaps it will be the case that you can accept a coin, open
>up a new ("anonymous") account with the bank, deposit the coin,
>withdraw a new coin of the same amount, close the account, and now
>have an untraceable coin all in a fraction of a second.
In such a system you don't need an "account" as such, but rather the bank
simply allows used cash to be checked and exchanged for fresh cash via
anonymous connections. This would be the most privacy-protecting system.
Hal
Return to October 1995
Return to “Hal <hfinney@shell.portal.com>”