On Tue, Apr 09, 2002 at 09:33:09PM +0200, Anonymous wrote:
> Ben Laurie wrote:
> > If they withdraw blinded coins, then although they were identified they
> > are not linked with the coins. Did I miss something?
> 
> Yes.  You missed the point that the lack of anonymity is not in the coins,
> but in the protocol.  An off-line system requires people to identify
> themselves to the bank at withdrawal time, so that their identities can
> be embedded in the coin.  That means no anonymous exchanges at the bank.
> 
> This is unlike an online system, which could allow someone to exchange
> coins for fresh ones who never identifies himself to the bank, who has
> no account at the bank, who in fact has never communicated with the bank
> in any way, shape or form ever before.  There are no records of this
> guy, his identity, how often he uses the bank, the amounts which he
> deposits and withdraws.
> 
> That's real anonymity.  Off-line systems can't do this because they
> need to track down double-spenders after the fact.  They accumulate
> all kinds of information about their customers.

OK so an additional feature you're arguing for is to hide the very
fact that one uses ecash, kind of like steganography, hiding one's
participation.  In this sense it is true that off-line requires one
expose one's participation in the payment system to the bank (aside
from the somewhat weak arguments about escrow accounts and is-a-person
credentials which may not be a very convincing deterrent given
difficulty of limiting double-spending).

It would be technically possible to have a more user-trusted
Registration Authority verify identity and have the bank not learn
identity until coins are double spent, but I'm not sure this is very
comforting for users and it's not clear banks would like this either
as they usually want to control their own risks.

How meaningful participation-hiding is depends on the size of the
anonymity set.  If the number of users of anonymous cash is small then
hiding one's participation may be a feature some users place value in.
If there were lots of users however the benefits of
participation-hiding are more limited, and would tend to be outweighed
by the additional privacy risk for payees to make online deposits
(payers will also likely be payees some of the time).

Another option would be for people who wanted participation-hiding to
privately contract to use someone's identity, for example a money
changer.  The penalty clause for violating the contract would be
negotiated between those parties.  In the event that the coin is double
spent and the identity-loaner is identified and approached by the
bank, the identity-loaner would show the private contract and identify
the true culprit.  Or follow some other outcome specified by the
contract.  Of course this is also inferior to simply not revealing
one's identity for the application of participation-hiding.


Anyway participation-hiding against the bank can also be offered by an
off-line transferable system.  Well more strictly I suppose you would
call this a hybrid of the two where users choose what kinds of coins
they want to get.  Off-line, off-line transferable and online coins
can all mix and be exchanged in the same payment network allowing
users individually to choose between the features they want, including
participation-hiding, payer anonymity, payee anonymity and trade-offs
between immediate fraud-prevention and options for higher latency more
anonymous connections and deferred deposit, spending and refresh.

In a hybrid system, online coins would be recognizable as online and
so payees would know the coin required online verification with the
bank to avoid risk of fraud-tracing free double-spending.

This hybrid system I think allows all features and advantages
previously discussed for payee privacy: particularly it allows both
higher latency and hence easier to anonymize communications, and also
facilitates participation hiding as an alternative for those that
value that privacy feature more.

Note that the differing possible privacy desires of the payer and
payee are not always ideally met.  For example online gives the payee
good participation-hiding anonymity as he can buy money from a
money-changer or other user (hopefully without having to trust them to
not also double-spend his coin before he can use it).  However the
online coins are less anonymous for the payee as they have to be
cashed online.  So there would be some negotiation between payer and
payee for the type of payment.

Conceivably a payer who insisted on participation-hiding online coins
and a payee who insisted on transferable off-line coins so he could
robustly hide identity and volume from the bank may have some trouble
agreeing.

> > Eric, your "fat ass moderator"
> 
> It's not you, it's Brian Minder.  Adam is on the cypherpunks-moderated
> list.  Note the almost 24 hour delay between the initial response to his
> message by Anonymous and Adam's reply.  This is almost certainly due to
> moderation-imposed delay (plus time zone issues).  We might as well try
> to converse by carrier pigeon.  Moderated lists do not support lively
> discussion.

Actually I think most of the delay is because I post in the morning
before work (I'm on EST, it's just I get up early so I can log some
hours before work) or in the evening after work.  Professionalism
dictates I don't spend much time reading personal email at work.  (I
work at ZKS, and as readers who followed recent anonymous rumors will
have noticed Brands is no longer at ZKS, so discussing ecash stuff is
no longer even tangentially relevant for me to spend work time on.)

Cc's are of course most welcome, but in addition if I'm actively
following an interesting thread (such as this one), and the flow of
posts runs dry while I have time, such as at the weekend for example,
I check the threaded posts on the web archive.

Adam
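
The trade-off argued in this thread, as an added example that is not part of the original message or of any real ecash implementation: an off-line coin in the style of Brands's representation-based cash hides the account secret until two different challenges are answered, while an online coin is only checked against a spent list. The class and function names, the toy group parameters and the omission of the bank's blind signature over the coin are assumptions made for illustration.

```python
import secrets

# Constructed toy group, far too small for real use: P = 2Q + 1, G1 and G2 have
# order Q. Names are hypothetical; the bank's blind signature on (A, B) is omitted.
P, Q, G1, G2 = 2039, 1019, 4, 9

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def withdraw_offline(u):
    """Account secret u is folded into the coin under a fresh blinding factor s."""
    s, x1, x2 = rand_exp(), rand_exp(), rand_exp()
    A = pow(G1, u * s, P) * pow(G2, s, P) % P   # (G1^u * G2)^s, unlinkable to G1^u
    B = pow(G1, x1, P) * pow(G2, x2, P) % P
    return {"A": A, "B": B, "secrets": (u, s, x1, x2)}

def spend(coin, c):
    """Answer the payee's challenge c (0 <= c < Q) with one point on each line."""
    u, s, x1, x2 = coin["secrets"]
    return {"A": coin["A"], "B": coin["B"], "c": c,
            "r1": (c * u * s + x1) % Q, "r2": (c * s + x2) % Q}

def payee_verify(t):
    lhs = pow(G1, t["r1"], P) * pow(G2, t["r2"], P) % P
    return lhs == pow(t["A"], t["c"], P) * t["B"] % P

class Bank:
    def __init__(self):
        self.accounts = {}         # G1^u -> account holder, recorded at withdrawal
        self.deposits = {}         # (A, B) -> first transcript deposited
        self.online_spent = set()  # serials of redeemed online coins

    def register(self, name, u):
        self.accounts[pow(G1, u, P)] = name

    def deposit_offline(self, t):
        """None for a first deposit or replay; the account name on a double spend."""
        first = self.deposits.setdefault((t["A"], t["B"]), t)
        if first["c"] == t["c"]:
            return None
        d2 = (first["r2"] - t["r2"]) % Q            # equals (c - c') * s
        u = (first["r1"] - t["r1"]) * pow(d2, -1, Q) % Q
        return self.accounts.get(pow(G1, u, P))

    def redeem_online(self, serial):
        """Online coin: refused at once if already spent, no identity involved."""
        fresh = serial not in self.online_spent
        self.online_spent.add(serial)
        return fresh
```

The off-line path needs the `accounts` table populated at withdrawal, which is the identification step the quoted poster objects to; the online path needs only the spent list.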
