From: Hal <hfinney@shell.portal.com>
Date: Mon, 23 Oct 95 16:51:20 PDT
To: cypherpunks@toad.com
Subject: Re: How can e-cash, even on-line cleared, protect payee identity?
In-Reply-To: <199510232023.OAA10038@nag.cs.colorado.edu>
Message-ID: <199510232350.QAA17025@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


"Simon Spero" <ses@tipper.oit.unc.edu>  wrote:
>> If so, there's 
>> an obvious way to get two way anonymity with an on-line system. If Alice 
>> wants to pay Bob $10, then Bob could prepare the usual squillion copies 
>> of the note, each with a serial number known only to Bob, then blind them 
>> and send them to Alice. 
>> 
>> Alice would then reblind them and send them to Nick, the banker. Nick
>> would then pick one of the notes, and ask Alice for the blinders for the
>> rest. Alice would then ask Bob for his blinders for the rejected notes,
>> and would forward both sets on to Nick, who would check them, and if
>> they're legit, sign the remaning copy, and return it to Alice.  
>> Alice cound then remove her blinding factor, and sent the result on to
>> Bob. Bob then removes his blinding factor, and can now spend the coin. 

This is an interesting idea but it is more complicated than necessary, I
think.  The denomination can be carried in the exponent, in which case
there is no need for cut and choose and nobody can cheat the bank.  A
coin suitable for deposit is a signed number of some special form.  To
pay Bob, Alice does not withdraw anything ahead of time.  Rather, Bob
gives her a blinded coin, which she reblinds and gives to the bank.  The
bank signs it (debiting Alice's account) and gives it back to her.  She
strips off her blinding and gives it to Bob.  He strips off his own
blinding and verfifies that he is left with a signed number of the
appropriate form.

This system is in some ways the inverse of regular ecash.  Instead of
Alice withdrawing a coin ahead of time, and Bob checking it with the bank
right away, it is Alice who does the bank interaction at payment time,
and Bob who waits before interacting with the bank.  The computational
and communications costs do not seem much worse than ecash.

There is no way Alice can double-spend because she cannot anticipate
Bob's blinding factor and give him a previously-spent coin which will
unblind to the proper form.  There could be an issue of fraud, though,
where Bob insists that Alice's coin was no good even though it actually
was.  Since he has blinded it she will have no way of recognizing it when
he eventually deposits it.  In the current system this does not arise as
Alice can always give him another copy of the coin and prove that it is
good, and she can further determine if Bob has deposited it.  So some of
the trust in the bank necessary with regular ecash gets replaced by trust
between payee and payor in Simon Spero's system.

Still, I think this scheme has considerable merit and is worth exploring
further.  It seems to provide superior privacy protection over Chaum's
ecash.  The fraud issue can perhaps be dealt with by reputations and
credentials as we have often discussed.

Hal