On Tue, Apr 09, 2002 at 08:37:05AM +0200, Anonymous wrote:
> Adam Back wrote:
> > On Mon, Apr 08, 2002 at 04:15:09AM +0200, Anonymous wrote:
> > > First, off-line coins suck, as described above. [...]
> >
> > Off-line coins just offer an extra optional feature for the user, any
> > user who chooses can instead use them as online coins. So I would
> > argue off-line coins are better than online coins.
>
> It's not just an extra feature; an off-line system inherently requires
> users to identify themselves to the bank at withdrawal time.

Not quite inherently, there are other things you could do. (This has
been discussed before I think in [1] at least from reference in the
thesis).

You could if you wished, rather than putting identity in the coin, put
an anonymous escrow account number in the coin. Users who preferred to
be anonymous at withdrawal would put a deposit which is held in escrow
like a good behavior bond. If they double spend they are not
identified but their escrow account is frozen. The account could
optionally be based on is-a-person credentials as a further
inconvenience for double-spenders to have an account frozen, though
is-a-person credentials imply strong identification to a Registration
Authority. The actual withdrawal could then be made from the anonymous
account hiding identity from the bank. However a similar effect can be
achieved with accountless operation, which brings us to your next
comment...

(btw There are some real world analogies to escrow accounts, though
this one has nothing to do with the anonymity aspect. Upon moving to
Canada, not being a Canadian citizen, I found that I could only get a
credit card by providing a deposit of 2x the value of the "credit"
limit which is held in an escrow account. Another example would be
having to give a deposit to get a mobile phone for people with poor
credit ratings. Also in Europe pay as you go, cash only mobile phone
usage is popular due to credit eligibility reasons also I think. You
can plunk down a 10 pound note and walk out with a mobile phone with
air time on it, you can buy more air time similarly.)

> It cannot allow users to anonymously exchange coins at the bank. So
> it has an inherent lack of anonymity which is not present in an
> online system.

With Brands off-line coins you _can_ anonymously exchange off-line
coins at the bank if you choose to set it up that way.

Technically how this works is using an attribute hiding refreshing
protocol which issues a new fresh coin with the same attributes
(identity, denomination) as the previous spent coin while revealing
only some negotiated sub-set of the attributes of the old coin (in
this case denomination), so the new coin is unlinkable for the bank
and yet the bank is assured that it will contain the same identity
that was certified originally so the bank will be able to recover the
identity if it is later double spent. There is a description of this
protocol in section 5 of [3].

This works for off-line coins. For transferable off-line coins you
need additionally to update the 0-value last holder coin to match the
value of the coin being exchanged, using the updating protocol (see
section 5.2.1 in [2], or probably [1] may have some discussion).

> Furthermore, off-line coins require a complex infrastructure to work.
> Unlike online systems, where cheating is impossible, off-line systems
> attempt to locate and punish cheaters after the fact. How can that
> possibly work in an Internet system where people may be engaging in
> transactions all over the world? If someone cheats you from Timbuktu
> do you really expect the cops over there to track him down for you?

The cops would not be tracking down a double-spending user for you
(the user who was left with a double-spent coin), they would be
tracking down the double-spending user for the bank of Timbuktu who
now owes the bank money. The bank would expect the local cops to track
down someone who attempted to defraud them.

> Or maybe the bank will make good by forcing each person to keep a
> certain amount in their account to pay off creditors they have cheated?
> The problem there is that there is no limit to how fast people can cheat
> in an off-line system, so there is no way the bank can force people to
> keep enough in their account to cover cheating.

Agree, this is a limitation of the anonymous escrow account approach.
Also, much of this would be better limited with a smart-card setting
as the barrier to double-spending is much higher, and security is also
much higher (against rogue software on OSes with weak security).

> You talked about moneychangers, but the discussion was confusing.
> What exactly is a moneychanger?

In the case where a bank does not anyway directly provide accountless
operation (exchanging old coins for fresh coins without requiring the
association of the exchange with an account) a money changer is simply
another user or merchant who fulfils the same function -- exchanging
old coins for fresh coins, presumably in this case for some
transaction charge.

> Linkability can't be defeated. The Chaum&Pedersen paper implies that
> anyone can collude with the bank to determine if a coin is a later
> instance of one they held earlier. They simulate a second spend of
> their earlier coin, and let the bank determine if that produces a
> double-spending match with the later one, which it would have to do
> if they were both on the same chain.

A second spend would allow the person to prove that it was their
coin. But simple text comparison already allows them to recognize it
was their coin.

However if the bank offers accountless exchange for example, it's not
clear what colluding with the bank achieves for an isolated user, they
won't by doing so be able to directly identify anyone.

If anything transferable off-line cash in this sense offers more payee
anonymity, not less than the standard online Chaum protocol as
implemented by digicash for example. (Recall it was a designed feature
of that system that a payer could collude with the bank to identify
the person they spent the money with in case they felt they were a
victim of fraud by the merchant).
In this case the person who would be somewhat identified (only in as
much as he is anyway identified by his connection to the bank with
accountless operation) is likely to be someone entirely unrelated to
your spending as the coin would most probably have changed hands a
number of times.

(There is the double blind Chaum variant, but it is even less
convenient as both the payer and payee have to be online at what
becomes a simultaneous withdrawal, spend and deposit time.)

> Hence there is no way even in principle to avoid chain linkability.

It may still be interesting to prevent chain linkability without
collusion from the bank by individuals or groups of colluding users.

> Let's face it, transferable off-line coins have so many limitations and
> weaknesses that they are not worth pursuing. Going forward, everyone
> will be online all the time via wireless connections, as with the current
> Blackberry handhelds. Online systems can provide more anonymity than
> off-line, including accountless, transfer based payments, with no need
> ever to identify yourself to a bank. And you don't have to rely on the
> Keystone Kops to catch the guy who passed you a bad coin, because you
> can protect yourself from getting ripped off in the first place.

Note as I described above accountless is possible with transferable
off-line (and with off-line) coins also (depending on the scheme -- it
is with Brands, but I don't know of any way to do that with Ferguson's
single term off-line coin variant of Chaum's off-line protocol).

This seemed to be the only feature you claimed that suggested online
only coins offered a feature with anonymity advantage not available
with off-line or off-line transferable coins.

So I still maintain off-line and off-line transferable give you
_everything_ you get from online coins as a user choice, as the user
can still use them as online coins if they choose, plus as I argued in
my previous message they give you a number of extra features and extra
flexibility.

Adam

[1] "An Efficient Off-line Electronic Cash System Based on the
Representation Problem", Stefan Brands, CWI tech report CS-R9323
http://www.cwi.nl/ftp/CWIreports/AA/CS-R9323.ps.Z

[2] "Rethinking public key infrastructures and digital certificates -
building in privacy", Stefan Brands, PhD Thesis, MIT press

[3] "A Technical Introduction to Digital Credentials", Stefan Brands,
to appear Journal of Information Security,
http://www.xs4all.nl/~brands/overview.pdf
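
An added example, not part of the original message: a simplified Python sketch of how a representation-based off-line coin in the style of [1] lets the bank recover the embedded value (an identity, or the anonymous escrow account number suggested above) only when the coin is spent twice. The group parameters, function names and the account number 777 are constructed for illustration, and the bank's blind signature on the coin is omitted.

```python
import secrets

# Toy group (constructed for this example): P = 2Q + 1, and G1, G2 are
# squares mod P, so both generate the subgroup of prime order Q.
P, Q = 2039, 1019
G1, G2 = 4, 9

def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]

def withdraw(u1):
    """Build a coin embedding u1 (identity or escrow account number).
    Assumption: the bank's blind signature on (A, B) is left out."""
    s, x1, x2 = rand_exp(), rand_exp(), rand_exp()
    A = pow(pow(G1, u1, P) * G2 % P, s, P)       # A = (g1^u1 * g2)^s
    B = pow(G1, x1, P) * pow(G2, x2, P) % P      # B = g1^x1 * g2^x2
    return (A, B), (u1, s, x1, x2)

def spend(secret, d):
    """Payer's response to the payee's challenge d."""
    u1, s, x1, x2 = secret
    return (d * u1 * s + x1) % Q, (d * s + x2) % Q

def verify(coin, d, resp):
    """Payee check: g1^r1 * g2^r2 == A^d * B (mod P)."""
    (A, B), (r1, r2) = coin, resp
    return pow(G1, r1, P) * pow(G2, r2, P) % P == pow(A, d, P) * B % P

def recover_identity(resp_a, resp_b):
    """Bank side: two responses for one coin under different challenges
    give u1 = (r1 - r1') / (r2 - r2') mod Q."""
    den = (resp_a[1] - resp_b[1]) % Q
    if den == 0:
        return None                              # same challenge: a replay, no new equation
    return (resp_a[0] - resp_b[0]) * pow(den, -1, Q) % Q

if __name__ == "__main__":
    coin, secret = withdraw(777)                 # 777: constructed account number
    first, second = spend(secret, 123), spend(secret, 456)
    print(verify(coin, 123, first), verify(coin, 456, second))
    print("recovered:", recover_identity(first, second))
```

A single response is one equation in the unknowns, so it reveals nothing about u1; only the second spend under a different challenge lets the bank solve for it.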