From: Michael Froomkin <froomkin@law.miami.edu>
To: Lucky Green <shamrock@netcom.com>
Message Hash: bbaded53cc7241d508c6125bac4f1cf1e9fed94c8668d556b5a4f3a6bff4d680
Message ID: <Pine.SUN.3.91.951203161754.5019E-100000@viper.law.miami.edu>
Reply To: <v02120d05ace6ea8784af@[192.0.2.1]>
UTC Datetime: 1995-12-03 21:22:35 UTC
Raw Date: Sun, 3 Dec 95 13:22:35 PST
From: Michael Froomkin <froomkin@law.miami.edu>
Date: Sun, 3 Dec 95 13:22:35 PST
To: Lucky Green <shamrock@netcom.com>
Subject: Re: Questions/Comments on ecash protocol
In-Reply-To: <v02120d05ace6ea8784af@[192.0.2.1]>
Message-ID: <Pine.SUN.3.91.951203161754.5019E-100000@viper.law.miami.edu>
MIME-Version: 1.0
Content-Type: text/plain
On Sun, 3 Dec 1995, Lucky Green wrote:
[..cuts...]
> At 22:40 12/2/95, Michael Froomkin wrote:
>
> >3) Is there a way [how hard is it] for charlie to extract a coin and
> >either
> > (i) copy it and/or
> >
> > (ii) send it to David [3rd party] in such a way
> >that David could insert it into David's MTB software and then spend it to
> >Sam without Sam or the Bank noticing that anything was wrong. If Charlie
> >and David do this, David now has a coin that is from his point of view
> >both payee and payor anonymous, although Charlie has a risk that David
> >will double-spend and expose Charlie to the bank's wrath.
>
> I can't help the feeling that I am missing something whenever you bring up
> this question. Assuming it could be done. What would David gain? He as the
> payor is anonymous to Sam either way. Sam still would have to be worried
> about being identified, since if Charlie gives David access to Charlie's
> wallet, it is safe to assume that Charlie will give David (and the mint)
> access to his blinding factor. Which in turn would reveal Sam as the payee.
>
> The protocol you suggest gives the parties exactly what they would have if
> they just used Ecash "out of the box": full payor anonymity, no payee
> anonymity. So why bother?
>
These scenarios only matter if the blinded coins have payer info coded
into them. With zero payer info you are correct they are irrelevant. I
was operating under the (incorrect, it seems) assumption that the blinded
coins followed what I now understand to be the OFF-LINE ONLY version of
the protocol. In that version, where the blinded coin issued to Alice
has info about her coded on to it and/or there is information about payee
encoded onto the coin, then such exchanges are necessary to create payee
anonymity.
Even with the current protocol, you can achieve payee anonymity if you
send a coin to a coin clearinghouse that deposits for you. Alice gives
Bob a coin for value. Bob turns the coin over to Carol who, for a small
fee, deposits the coin. Now bank knows carol deposited the coin, but
knows of neither Bob nor Alice. Indeed Bob need have no account at the
bank at all. I recognize that there are issues here, esp. for Bob --
does he wait on line while Carol clears the coin before telling Alice
that payment cleared (delays?). Or does he bear the risk?
A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law |
U. Miami School of Law | froomkin@law.miami.edu
P.O. Box 248087 | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's warm here.
Return to December 1995
Return to “shamrock@netcom.com (Lucky Green)”