1997-02-13 - Re: anonymity and e-cash

Header Data

From: Hal Finney <hal@rain.org>
To: tien@well.com
Message Hash: b784200af58e4373c4e22b37f76894bb2724cc3bb2f6f431b634c35684bb4b18
Message ID: <199702130157.RAA13355@toad.com>
Reply To: N/A
UTC Datetime: 1997-02-13 01:57:26 UTC
Raw Date: Wed, 12 Feb 1997 17:57:26 -0800 (PST)

Raw message

From: Hal Finney <hal@rain.org>
Date: Wed, 12 Feb 1997 17:57:26 -0800 (PST)
To: tien@well.com
Subject: Re: anonymity and e-cash
Message-ID: <199702130157.RAA13355@toad.com>
MIME-Version: 1.0
Content-Type: text/plain

From: tcmay@got.net (Tim May)
> You missed a very good talk by Ian Goldberg of UC Berkeley at the Saturday
> Cypherpunks meeting at Stanford, where Ian talked for more than an hour on
> just this issue. (He also talked for an hour on his crack of the RSA
> challenge using 250 workstations...this was also a good talk.)

I wish I could have heard that, it sounds good...

A simple idea we have discussed for full anonymity uses the idea of
exchanging coins at the bank.  You make an anonymous connection to
the bank, supply some ecash you have received along with some blinded
new ecash.  The bank verifies that the ecash is good and signs your
blinded ecash, sending it back to you.  You unblind it and have good,
fresh smelling ecash which you can keep, spend, or later deposit in
your account.

If the merchant performs this exchange operation on-line as soon as
he receives ecash, then his anonynmity is protected.  The customer is
protected too, by the blinding he used when he withdrew the ecash earlier.
So both sides remain anonymous.

It sounds like Ian may have worked out details of a system where third
parties do these exchanges.  Banks may be reluctant to allow them for
liability reasons, and the market, abhoring the vacuum, will supply
intermediaries who perform exchanges for a fee.

Resolving the various forms of cheating is the hard part.  When Lee asks
about a signed receipt, it is hard to understand what is the point if the
seller is fully anonymous!  A signed receipt from a freshly-minted key
is not of much use to anyone.

If the participants are using persistant pseudonyms then whatever
reputation capital they have can be put on the line when cheating happens,
although it still may be hard to tell who cheated whom.  Did the customer
pass bad cash and claim it was good, or did the merchant deposit good
cash and claim it was bad?

The same thing could happen every day at the supermarket, of course.
A customer insists they paid $20 but got change for a $10.  If dozens of
customers say the same thing has happened to them, we start to mistrust
the market, while if several businesses say this particular customer
has made the same claim to them, we blame the customer.