R.A. as A.J. (was Re: all about transferable off-line ecash (Re: Brands off-line tech))

2002-04-11 Thread R. A. Hettinga

At 8:30 AM +0200 on 4/11/02, Anonymous exfumed out of Vienna again:


> [By forwarding this mail to the DBS list,

Done...

> Robert Hettinga agrees that
>  he is an arrogant,

Check...

> obnoxious,

Check...

> power-hungry

Check...

> asshole

 Now yew wait jes' a gol'darn minute, here,
pardner. I thought we figgered out only yessidy that *yew* were th' only
tawlkin' asshole 'roun' these parts. (Okay, mebbe not th' *only* tawlkin'
asshole...) 

> with no moral
>  integrity whatsoever.]

and...check!.

Okay. 3 out of 4 isn't bad.

Thank you for playing.

I know it's only 75%, but at least this way you can say that you've passed
something besides gas...


Cheers,
RAH
(Three millidollars, payable whenever we print 'em, to whoever figures out
what the new subject header means...)

-- 
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-11 Thread Adam Back

On Thu, Apr 11, 2002 at 08:30:07AM +0200, Anonymous wrote:
> > > Are you saying that if Alice pays Bob, he can anonymously exchange the
> > > coins and end up with new fresh coins with ALICE's identity in them?
> > > That's great, he can double spend all he wants and she ends up going
> > > to the pokey.  No thanks.
> >
> > No that is prevented.
> > [Description of how the final payee refreshes his 0-value coin up to
> >  the value of the transaction, without identifying himself]
>
> Okay, that sounds pretty good.  But it's specific to Brands cash, right?
> The generic transferable off-line cash you described earlier can't
> do that.

I think the only extra requirement is: you need the owner of a coin to
be able to prove that it's his coin.  With normal Ferguson extension
"single term off-line" to Chaum's coins you can't as there is no coin
private key as with Brands.  However I don't think it would be hard to
add one.  I may have said this in an earlier message: I think you
would just for example replace what is currently a random value by the
hash of a per coin public key.  Then a signature from the
corresponding private key on the challenge (which is the hash of the
0-valued coin) would have the same effect.

Also Okamoto et al's scheme uses the same generic transferable
technique, but their scheme is in addition divisible, though has the
limitation that you can recognize the divided coins as coming from the
same original coin.

So it is somewhat generic for off-line ecash systems if they either
already have a coin private key allowing proof of ownership and
binding one coin to the next 0-value coin, or if you can introduce a
private key for that purpose.  So that would be at least Okamoto et
al, I think Ferguson's off-line-variant of Chaum's plus of course
Brands'.

Adam
--
http://www.cypherspace.org/adam/




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-11 Thread Anonymous

[By forwarding this mail to the DBS list, Robert Hettinga agrees that
 he is an arrogant, obnoxious, power-hungry asshole with no moral
 integrity whatsoever.]

Adam Back wrote:
> On Tue, Apr 09, 2002 at 06:17:06PM +0200, Anonymous wrote:
> > And second, because the deposit is unlinkable to the withdrawal, there is
> > no way for the bank to know when it can safely release the escrow amount
> > back to the withdrawer.  How long is the bank going to hold onto those
> > escrowed funds?  A week?  A month?  
>
> I suppose the bank would have to hold onto the funds until the coins
> issued using that account as guarantee expired.

Again, this escrow idea really can't work.  Suppose Alice withdraws $100.
Exactly how much additional would have to be withdrawn and put into an
escrow account?  $100?  That would cover only one double-spend.  But if
someone is going to cheat and double-spend, knowing it will be detected
later, obviously they will grab for as much as they can.  Alice would
have to put aside enough for hundreds or thousands of double-spends,
or even more.  So every time she withdraws $100, she has to set aside
$100,000 in an escrow account.  Does that sound realistic?

Then, the money stays in the account for the expiration period of the
coins, which would presumably be for weeks or months at least.  You
don't want coins expiring more often than that or there is too much
danger of people's money going bad while they carry it.

> Aside from the problem with limit you identify, I think generally the
> precedent is already set by the non-electronic world: to engage in
> transactions which typically require reputation and identity for
> contract violation enforcement anonymously, you have to pony up cash
> up-front.

It's one thing to do this with pre-paid services, but quite another for
a banking system which aims to be universal.  Most people and businesses
would find it absolutely impossible to use a payment system which had
these properties.  Every time they got some income, they can spend only
a small fraction of it, depending on how big the escrow multiplier is.

Hopefully it is clear that escrow cannot work as a way of dealing with
double-spending after the fact.  The only other alternative is for the
bank to Know Its Customer intimately, and for there to be some kind of
worldwide police which can track and arrest people anywhere.  This would
entail strengthening and centralizing international law enforcement,
exactly the opposite of the trends we would want to encourage.


> > Are you saying that if Alice pays Bob, he can anonymously exchange the
> > coins and end up with new fresh coins with ALICE's identity in them?
> > That's great, he can double spend all he wants and she ends up going
> > to the pokey.  No thanks.
>
> No that is prevented.
> [Description of how the final payee refreshes his 0-value coin up to
>  the value of the transaction, without identifying himself]

Okay, that sounds pretty good.  But it's specific to Brands cash, right?
The generic transferable off-line cash you described earlier can't
do that.

Of course Brands is patented up the wazoo.  It's amazing the harm
he and Chaum have done to the world by locking up their best ideas.
And they didn't even get rich.  What a waste.  If either of them had
the balls to put their patents into the public domain, they could make
a very comfortable living just from consulting and speaking fees.


> A correction on something I said earlier about Chaum double-blinding:
>
> | (There is the double blind Chaum variant, but it is even less
> | convenient as both the payer and payee have to be online at what
> | becomes a simultaneous withdrawal, spend and deposit time.)
>
> This is inaccurate, it is actually a simultaneous withdrawal and
> spend, followed by an arbitrarily later spend by the payee as the
> payee knows the payer does not see the coin due to the extra blinding.

Please, this is such ancient history.  MTB's ecash died a long time ago,
we don't need to keep rehashing how to work around its limitations.

The right way to do Chaum cash with two-sided anonymity is simply to allow
anonymous coin exchanges at the bank.  There is no issue in recognizing
the payee's deposited coins if he is fully anonymous and gets fresh coins
at that time.  In fact there don't need to be bank accounts at all, and in
further fact there doesn't need to be a bank; just a coin exchanging mint.

We talked about this a while ago.  You start it up and it emits one
coin, which represents all of the value of this mint's money supply.
From then on it does only one operation: you give it $X in old coins,
and it gives you $X in new coins (possibly partitioned differently).
When someone pays Alice, she turns it in at the bank and gets new coins,
incidentally checking the old ones for validity and double-spending.
Her new coins are completely untraceable and ready for whatever use she
desires.  She keeps all her money in her wallet.  Third parties can offer
secure 

Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-10 Thread Mike Rosing

On Wed, 10 Apr 2002, Adam Back wrote:

> Is there anything specific PKILAB have said about Brands certs?

No, it was early in the set up when it was discussed.  Sounds like
they want to at least listen to him :-)

> btw I did a google search for PKILAB and Brands to see if I could find
> anything along the lines you mention and look what it said:
> 
> Mar 2001 "Welcome Stefan Brands to PKILabs Advisory Board"
> 
> http://www.cs.wisc.edu/~lists/archive/pkilab/msg00179.html

Yup, that's the place!  I told them I thought the math was valid, but I've
really no idea what the high level stuff is they are trying to do.  I
avoid large organizations when possible, and most of their stuff is aimed
at problems in that realm, so I'm not paying too close attention.  

Patience, persistence, truth,
Dr. mike





Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-10 Thread Adam Back

On Tue, Apr 09, 2002 at 07:47:51PM -0700, Morlock Elloi wrote:
> > In the smart card setting with Brands protocols there is a host
> > computer (eg pda, laptop, mobile-phone main processor, desktop) and a
> > tamper-resistant smart-card which computes part of the coin transfer
> > and prevents double-spending (to the limit of its tamper-resistance).
> 
> I don't understand which problem are you trying to solve.

The issue the smart-card setting addresses is that people don't, or
anyway shouldn't place great trust in closed systems that they, or
someone with the technical background necessary can not examine.  A
smart card is such a closed system.  The framework allows the use of
smartcards to resist fraud while not making it necessary for the
users to trust the smart-card with their privacy.  Privacy is
controlled by the more auditable host computer.

Adam

> Apart for few cypherpunks, People With Real Money and mafia, all of whom
> already have all the anonymity they want, sheeple is handled by corporations
> whose income depends on non-anonymity. I don't see a market pressure for anon
> replacement for credit cards from the consumer side any more than I see
> pressure for IPSec'd traffic from Joe FivePack.




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-10 Thread Adam Back

On Wed, Apr 10, 2002 at 06:50:24AM -0700, Mike Rosing wrote:
> Not everyone agrees with Brands that these credentials work.
> There's a group called "PKILAB" that's trying to make
> access/credentials to work across large organizations, and they kind
> of dismiss it.

Is there anything specific PKILAB have said about Brands certs?

I'm not sure what their claim could be, from what I can see the Brands
credentials provide or can equally be used with all of the common PKI
models (RAs, CAs, OCSP, short-lived certs, revocation lists) plus a
bunch of other options (blind refresh, update, privacy, etc) which are
not possible with X.509 identity and attribute certificate PKIX stuff.

btw I did a google search for PKILAB and Brands to see if I could find
anything along the lines you mention and look what it said:

Mar 2001 "Welcome Stefan Brands to PKILabs Advisory Board"

http://www.cs.wisc.edu/~lists/archive/pkilab/msg00179.html

Adam

> I haven't really
> sat down with them to find out why, but in general they feel that there's
> some high level conceptual problems.  I wish I had time to read all this
> stuff!!  But thanks for the pointers, at least I've got it copied so I
> can read a page or so when I get a chance.
> 
> Patience, persistence, truth,
> Dr. mike




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-10 Thread Mike Rosing

On Wed, 10 Apr 2002, Adam Back wrote:

> You don't need the minter's secret key to identify the double-spender.
> Anyone who happens to see two coin transcripts answering different
> challenges with the same coin private key can recover all the
> attributes of the coin, including the identity attribute.
> 
> This is described on p23 of [1].
> 
> Adam
> 
> [1] "A Technical Overview of Digital Credentials", Stefan Brands, 
> to appear International Journal on Information Security
> 
> http://www.xs4all.nl/~brands/overview.pdf

Not everyone agrees with Brands that these credentials work.  There's a
group called "PKILAB" that's trying to make access/credentials to work
across large organizations, and they kind of dismiss it.  I haven't really
sat down with them to find out why, but in general they feel that there's
some high level conceptual problems.  I wish I had time to read all this
stuff!!  But thanks for the pointers, at least I've got it copied so I
can read a page or so when I get a chance.

Patience, persistence, truth,
Dr. mike





Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-10 Thread Ken Brown

[EMAIL PROTECTED] wrote:
> 
> On 9 Apr 2002 at 16:54, Ken Brown wrote:
> 
> > But paper money is such a 20th-century thing! These days we're slowly
> > drifting back to higher value metal coins (2 pounds out for a few years
> > now, 5 pounds coming soon I think). Much more fun. Feels like real
> > treasure!  Less of the floppy stuff, we want our ecash to look like real
> > cash.
> >
> > Ken
> >
> Yeah, but is that because people want it, or because the treasury
> wants it?  They've been trying to foist dollar coins on
> US for years because they're cheaper (last forever and cost
> about a dime to make vs. last about a year and cost maybe 3 cents
> to make) but people hate them and don't use them.

Over here most people seem to prefer coins these days. Low-value notes
have a cheap-and-nasty feel to them. They get all furry.




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-10 Thread Adam Back

On Tue, Apr 09, 2002 at 06:45:43AM -0700, Mike Rosing wrote:
> On Tue, 9 Apr 2002, Adam Back wrote:
> > If you use the normal approach of putting the identity in the coin,
> > you can't double-spend anonymously.
> 
> But it's not until the coin goes back online, you need the minter's secret
> key to decode the chain (maybe I have that wrong?).

You don't need the minter's secret key to identify the double-spender.
Anyone who happens to see two coin transcripts answering different
challenges with the same coin private key can recover all the
attributes of the coin, including the identity attribute.

This is described on p23 of [1].

Adam

[1] "A Technical Overview of Digital Credentials", Stefan Brands, 
to appear International Journal on Information Security

http://www.xs4all.nl/~brands/overview.pdf
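
The recovery Adam describes in the message above, as an added example (not code from the thread or from Brands' paper): a simplified two-generator representation proof in which one coin answering two different challenges reveals its attributes to anyone holding both transcripts, with no bank key involved. The toy group parameters, the function and field names, and the omission of the bank's blind signature are all assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group, constructed for illustration and far too small for real use:
# P = 2*Q + 1 with P and Q prime; G1 and G2 are squares mod P, so each has order Q.
P, Q = 2039, 1019
G1, G2 = 4, 9


def challenge(h, a, payee_info):
    """Payee-specific challenge: hash of the coin and the payee's own data."""
    digest = hashlib.sha256(b"%d|%d|" % (h, a) + payee_info).digest()
    return int.from_bytes(digest, "big") % Q


class Coin:
    """Payer-side state for one coin (hypothetical layout, no bank signature)."""

    def __init__(self, identity):
        self.x1 = identity % Q            # identity attribute
        self.x2 = secrets.randbelow(Q)    # second secret of the coin private key
        # The commitment is fixed when the coin is made, so every spend of
        # this coin has to reuse it.
        self.w1 = secrets.randbelow(Q)
        self.w2 = secrets.randbelow(Q)
        self.h = pow(G1, self.x1, P) * pow(G2, self.x2, P) % P   # coin public key
        self.a = pow(G1, self.w1, P) * pow(G2, self.w2, P) % P   # commitment

    def spend(self, payee_info):
        """Answer the payee's challenge; returns the payment transcript."""
        c = challenge(self.h, self.a, payee_info)
        r1 = (self.w1 + c * self.x1) % Q
        r2 = (self.w2 + c * self.x2) % Q
        return {"h": self.h, "a": self.a, "c": c, "r1": r1, "r2": r2}


def verify(t, payee_info):
    """Payee's off-line check: G1^r1 * G2^r2 == a * h^c for its own challenge."""
    c = challenge(t["h"], t["a"], payee_info)
    if c != t["c"]:
        return False
    lhs = pow(G1, t["r1"], P) * pow(G2, t["r2"], P) % P
    rhs = t["a"] * pow(t["h"], c, P) % P
    return lhs == rhs


def trace_double_spend(t1, t2):
    """Recover (identity, x2) from two transcripts of the same coin.

    Uses only public transcript data. Returns None when the transcripts
    belong to different coins, or carry the same challenge (one transcript
    seen twice), because then nothing about the payer is revealed.
    """
    if (t1["h"], t1["a"]) != (t2["h"], t2["a"]):
        return None
    dc = (t1["c"] - t2["c"]) % Q
    if dc == 0:
        return None
    inv = pow(dc, -1, Q)                  # Q is prime, so dc is invertible
    # r - r' = (c - c') * x  (mod Q)  for each attribute x
    x1 = (t1["r1"] - t2["r1"]) * inv % Q
    x2 = (t1["r2"] - t2["r2"]) * inv % Q
    return x1, x2


if __name__ == "__main__":
    coin = Coin(identity=777)             # constructed sample identity
    t_bob = coin.spend(b"bob|2002-04-10T12:00")
    t_carol = coin.spend(b"carol|2002-04-10T12:05")
    print("bob accepts:  ", verify(t_bob, b"bob|2002-04-10T12:00"))
    print("carol accepts:", verify(t_carol, b"carol|2002-04-10T12:05"))
    print("one transcript seen twice:", trace_double_spend(t_bob, t_bob))
    print("two spends of one coin:   ", trace_double_spend(t_bob, t_carol))
```

A single transcript is one equation in two unknowns per attribute, which is why an honest single spend stays anonymous; the second answer supplies the missing equation.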




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-10 Thread Mike Rosing

On Tue, 9 Apr 2002, Morlock Elloi wrote:

> Apart for few cypherpunks, People With Real Money and mafia, all of whom
> already have all the anonymity they want, sheeple is handled by corporations
> whose income depends on non-anonymity. I don't see a market pressure for anon
> replacement for credit cards from the consumer side any more than I see
> pressure for IPSec'd traffic from Joe FivePack.

Here's the rub.  When we can trade e-cash the same way we trade meat cash
for illegal goods, it will fly.  Until then, forget it.  The pot head has
to be able to use it, without worry, before e-cash can really be anonymous
and trusted.  Once it works for the mafia, it works for everybody :-)

Patience, persistence, truth,
Dr. mike




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Morlock Elloi

> > And how will a regular consumer, with no math degree, verify that
> > her coins are indeed partially blinded ? Trust the bank ? No shit.
> 
> The regular consumer will rely on a third party to examine the source
> to see that they securely and correctly implement the protocols to
> assure privacy.

That doesn't work in meatspace. Take a look at much (mathematically) simpler
situations of so-called consumer PCs attached to the so-called Internet.
Consumers are clueless about war that goes on on "their" hardware between corps
and governments that want the control of that piece of equipment. But it's
mostly OK since nothing really serious is done with PCs - some e-mails, some
shopping.

Yet many people are already wary of computers, and we are not talking luddites
here. Using a piece of hardware with invisible transistors and incomprehensible
firmware to store money doesn't seem likely at all.

Real cash has advantage that it does not need mediation of experts and
expert-built machinery for practical verification and use. It is itself in
human-readable form. While it is true that said experts try to insert their
products in everyday life to secure the regular income, prostituting their
professions, it is unlikely that it will be success when cash is the object.

More people that I know store gold today than ten years ago. General
disenchantment with computing machinery is obvious to all except those blinded
by their vested interests. If you want to find the real state of
computer-consumer economy just look at the parking lot in front of Fry's. No,
it's not a helidrome, it used to be for cars.

To succeed in this situation the idea, or product, that modifies some very old
concepts has to be really good and sane. The e-checks, as discussed here, fail
to impress even "experts", and don't count that sheeple will be *that* dumb.

> In the smart card setting with Brands protocols there is a host
> computer (eg pda, laptop, mobile-phone main processor, desktop) and a
> tamper-resistant smart-card which computes part of the coin transfer
> and prevents double-spending (to the limit of its tamper-resistance).

I don't understand which problem are you trying to solve.

Apart for few cypherpunks, People With Real Money and mafia, all of whom
already have all the anonymity they want, sheeple is handled by corporations
whose income depends on non-anonymity. I don't see a market pressure for anon
replacement for credit cards from the consumer side any more than I see
pressure for IPSec'd traffic from Joe FivePack.

> It may seem convoluted, but by comparison assurance of security of
> algorithms used with credit-cards over SSL, or even the authentication
> framework used by card swipe credit cards also would appear

The difference here is that large and capable entities - banks - stand to lose
if something goes wrong, and they handle the whole system. Privacy and
anonymity, on the other hand, is personal and no one is on your side. You have
to have all resources. Assuming that the bank will expend resources to protect
YOUR anonymity when you don't have any practical means of verifying it is
silly.

> For acceptance of privacy features similar issues will hold.  Do the
> privacy advocates, analysts, and experts agree that the system
> provides privacy.

I, for one, will try to avoid situations where advocates of any kind can
influence the amount and security of my cash.







Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Adam Back

On Tue, Apr 09, 2002 at 01:35:03PM -0700, Morlock Elloi wrote:
> > If you use the normal approach of putting the identity in the coin,
> > you can't double-spend anonymously.
> 
> And how will a regular consumer, with no math degree, verify that
> her coins are indeed partially blinded ? Trust the bank ? No shit.

The regular consumer will rely on a third party to examine the source
to see that they securely and correctly implement the protocols to
assure privacy.

In the smart card setting with Brands protocols there is a host
computer (eg pda, laptop, mobile-phone main processor, desktop) and a
tamper-resistant smart-card which computes part of the coin transfer
and prevents double-spending (to the limit of its tamper-resistance).

You can't verify what the smart-card is doing so easily, however the
computation by the host computer assures that the smart-card even if
it is intentionally hostile to your privacy can not help the bank
trace your payments as everything it says is blinded by the host
computer's calculations which are more verifiable.

> Dollar bills in plain white envelope with no return address beat
> the crap out of all these convoluted schemes.

It may seem convoluted, but by comparison assurance of security of
algorithms used with credit-cards over SSL, or even the authentication
framework used by card swipe credit cards also would appear
complicated to many.  All that matters at the consumer level is that
it demonstrably works, the people running the system are confident
enough in it to deploy it, fraud is low, and that consumers gain trust
in it through whatever means.

For acceptance of privacy features similar issues will hold.  Do the
privacy advocates, analysts, and experts agree that the system
provides privacy.

Adam




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Adam Back

On Tue, Apr 09, 2002 at 09:33:09PM +0200, Anonymous wrote:
> Ben Laurie wrote:
> > If they withdraw blinded coins, then although they were identified they
> > are not linked with the coins. Did I miss something?
> 
> Yes.  You missed the point that the lack of anonymity is not in the coins,
> but in the protocol.  An off-line system requires people to identify
> themselves to the bank at withdrawal time, so that their identities can
> be embedded in the coin.  That means no anonymous exchanges at the bank.
> 
> This is unlike an online system, which could allow someone to exchange
> coins for fresh ones who never identifies himself to the bank, who has
> no account at the bank, who in fact has never communicated with the bank
> in any way, shape or form ever before.  There are no records of this
> guy, his identity, how often he uses the bank, the amounts which he
> deposits and withdraws.
> 
> That's real anonymity.  Off-line systems can't do this because they
> need to track down double-spenders after the fact.  They accumulate
> all kinds of information about their customers.

OK so an additional feature you're arguing for is to hide the very
fact that one uses ecash, kind of like steganography, hiding one's
participation.  In this sense it is true that off-line requires one
expose one's participation in the payment system to the bank (aside
from the somewhat weak arguments about escrow accounts and is-a-person
credentials which may not be a very convincing deterrent given
difficulty of limiting double-spending).

It would be technically possible to have a more user-trusted
Registration Authority verify identity and have the bank not learn
identity until coins are double spent, but I'm not sure this is very
comforting for users and it's not clear banks would like this either
as they usually want to control their own risks.

How meaningful participation-hiding is depends on the size of the
anonymity set.  If the number of users of anonymous cash is small then
hiding one's participation may be a feature some users place value in.
If there were lots of users however the benefits of
participation-hiding is more limited, and would tend to be outweighed
by the additional privacy risk for payees to make online deposits
(payers will also likely be payees some of the time).

Another option would be for people who wanted participation-hiding to
privately contract to use someone's identity, for example a money
changer.  The penalty clause for violating the contract would be
negotiated between those parties.  In event that the coin is double
spent and the identity-loaner is identified and approached by the
bank, the identity-loaner would show the private contract and identify
the true culprit.  Or follow some other outcome specified by the
contract.  Of course this is also inferior to simply not revealing
one's identity for the application of participation-hiding.


Anyway participation-hiding against the bank can also be offered by an
off-line transferable system.  Well more strictly I suppose you would
call this a hybrid of the two where users chose what kinds of coins
they want to get.  Off-line, off-line transferable and online coins
can all mix and be exchanged in the same payment network allowing
users individually to choose between the features they want, including
participation-hiding, payer anonymity, payee anonymity and trade-offs
between immediate fraud-prevention and options for higher latency more
anonymous connections and deferred deposit, spending and refresh.

In a hybrid system, online coins would be recognizable as online and
so payees would know the coin required online verification with the
bank to avoid risk of fraud-tracing free double-spending.

This hybrid system I think allows all features and advantages
previously discussed for payee privacy: particularly it allows both
higher latency and hence easier to anonymize communications, and also
facilitates participation hiding as an alternative for those that
value that privacy feature more.

Note that the differing possible privacy desires of the payer and
payee are not always ideally met.  For example online gives the payee
good participation-hiding anonymity as he can buy money from a
money-changer or other user (hopefully without having to trust them to
not also double-spend his coin before he can use it).  However the
online coins are less anonymous for the payee as they have to be
cashed online.  So there would be some negotiation between payer and
payee for the type of payment.

Conceivably a payer who insisted on participation-hiding online coins
and a payee who insisted on transferable off-line coins so he could
robustly hide identity and volume from the bank may have some trouble
agreeing.

> > Eric, your "fat ass moderator"
> 
> It's not you, it's Brian Minder.  Adam is on the cypherpunks-moderated
> list.  Note the almost 24 hour delay between the initial response to his
> message by Anonymous and Adam's reply.  This is almost certain

Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Adam Back

On Tue, Apr 09, 2002 at 06:17:06PM +0200, Anonymous wrote:
> Adam Back wrote:
> > [...] You could if you wished, rather than putting identity in the
> > coin, put an anonymous escrow account number in the coin.  [...]
> > If they double spend they are not identified but their escrow
> > account is frozen.  
> 
> Two problems with this escrow idea.  First, as noted before, there is no
> limit on how much can be double-spent in a short time, hence the escrow
> account can't cover it.  

Indeed.

> And second, because the deposit is unlinkable to the withdrawal, there is
> no way for the bank to know when it can safely release the escrow amount
> back to the withdrawer.  How long is the bank going to hold onto those
> escrowed funds?  A week?  A month?  

I suppose the bank would have to hold onto the funds until the coins
issued using that account as guarantee expired.  Normally coins anyway
expire to allow the bank to put a cap on the size of its double-spend
database.  This makes ecash inconvenient for long-term off-line value
storage, even if they are denominated in for example Intel stock or
something.  Software would automate the process of exchanging old
epoch coins for current epoch coins -- for example Pr0duct Cipher's
magic money works like this.

One approach I think might be interesting for value storage is to
offer longer validity periods for high value tokens.  Small change can
expire more quickly, as you're typically spending that so it's less of
an inconvenience.

> And how many people are going to want to use a bank which makes them
> set aside an equal amount of every withdrawal for some extended
> period?  That is absolutely impossible given how most people and
> businesses manage their cash flow.

Aside from the problem with limit you identify, I think generally the
precedent is already set by the non-electronic world: to engage in
transactions which typically require reputation and identity for
contract violation enforcement anonymously, you have to pony up cash
up-front.  (eg. my secured credit card example which I can only
presume is because they worry that an untrusted foreigner will run up
the card and leave).

> > With Brands off-line coins you _can_ anonymously exchange off-line
> > coins at the bank if you choose to set it up that way.
> >
> > Technically how this works is using an attribute hiding refreshing
> > protocol which issues a new fresh coin with the same attributes
> > (identity, denomination) as the previous spent coin while revealing
> > only some negotiated sub-set of the attributes of the old coin (in
> > this case denomination), so the new coin is unlinkable for the bank
> > and yet the bank is assured that it will contain the same identity
> > that was certified originally so the bank will be able to recover the
> > identity if it is later double spent.  There is a description of this
> > protocol in section 5 of [3].  This works for off-line coins.  For
> > transferable off-line coins you need additionally to update the
> > 0-value last holder coin to match the value of the coin being
> > exchanged, using the updating protocol (see section 5.2.1 in [2], or
> > probably [1] may have some discussion).
> 
> Are you saying that if Alice pays Bob, he can anonymously exchange the
> coins and end up with new fresh coins with ALICE's identity in them?
> That's great, he can double spend all he wants and she ends up going
> to the pokey.  No thanks.

No that is prevented.  The user (the person who most recently received
the cash which now looks like [A_v-coin B_0-coin ... F_0-coin] where
v-coin is the original coin with value withdrawn unlinkably from the
bank by Alice, then Alice spends to Bob by binding to a 0-value coin
with Bob's identity in it, and Bob spends to Charlie... until Fred
gets the coin, and Fred decides to exchange it for a fresh coin from
the Bank, only Fred would prefer not to show this transaction in his
account, and doesn't want to identify himself to the bank again
either.  

So when Fred wants to exchange this coin for a fresh coin he first has
to convince the bank that he knows that coin's private key by answering
a challenge.  Then the bank uses the refreshing protocol to issue a
new coin which shares attributes with the F_0-coin it is being
exchanged for.  Fred's identity is in the new coin, however the bank
doesn't learn Fred's identity, though it is just assured that it is
the same identity as that encoded in the F_0-coin.  

But if this is all we did it would not be useful because the new coin
would also have a 0-value as its undisclosed attributes are cloned
from F_0-coin.  So in combination the bank must use the updating
protocol to change the value from 0 to the value v from the A_v-coin.


Note also the refreshing protocol could be used to get a batch of
fresh 0-value coins so the user would not need to identify himself
beyond whatever identity were leaked by his communication link to the
bank.


A correction on something I said earlier a

Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Morlock Elloi

> You can't outright counterfeit technically as the recipient of each
> coin checks that it's correctly formed, and authenticated by the bank,
> and that the chain of spends are all bound together.  By doing this
> the user is assured that either the coin will not be double-spent, or
> the bank will identify the double spender when the coin is deposited.

So now one must provide MORE information to get e-checks than for regular cash
or money orders ? I can walk in and buy the money order without providing ANY
info on myself. Credit cards work fine as it is.

Calling it a "coin" is deceptive.

What is exactly the purpose of this ? Partial anonymity ? AmEx already has that
(single-use CC numbers).


> If you use the normal approach of putting the identity in the coin,
> you can't double-spend anonymously.

And how will a regular consumer, with no math degree, verify that her coins are
indeed partially blinded ? Trust the bank ? No shit.

Dollar bills in plain white envelope with no return address beat the crap out
of all these convoluted schemes.


=
end
(of original message)





Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread A. Melon

Peter Trei writes:
> Speaking for myself and a few friends and relations, we'd
> be perfectly happy to use them, if they were available.

A good place to get Sacagawea dollars is from the stamp machine at your
local post office.  Put in a $20 bill and buy as small an amount of
stamps as you can, and many of the machines will give you golden dollars
in change.  Make sure you check the machine first; it should be labeled
about what kind of change it gives.  Otherwise you'll be hauling around
dozens of quarters.




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Faustine

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

> Mike Rosing[SMTP:[EMAIL PROTECTED]] 
> On Tue, 9 Apr 2002, Ken Brown wrote:
> > I'd rather have stiff cards than floppy paper ones. At least you can put
> > them into  the slot of a machine easily.
> 
> But with an RF tag you'd not even have to pull it out of your pocket :-)
> 
>Putting RF Tags in cash is one of those ideas with Unintended Consequences.
>Muggers would love having a way of determining which victims are carrying a
>wad, as would many salesmen (and JBTs looking to perform a 'civil 
>confiscation' on 'a sum of currency'.)

Not to mention the possibility of a surreptitious centralized database tracking
purchases of people on a watch list. Sign up if you want to, but you might do
well to remember a point Lt. Gen. Hayden (who really ought to know) once made:
all SIGINT can be defeated and destroyed simply by putting the handset in the
receiver. Something to keep in mind while you're thinking this through, anyway.
  
As for the counterfeiting problem, nobody's said much about the kind of
sophisticated countermeasures used in casino chips, for example. Seems
workable. One of many interesting topics covered in a truly frightening pub
you might not have come across:

Global ID Magazine
http://web.tiscali.it/homeglobal/issues.htm

Global ID Magazine is a publication describing the activity and the products of
the leading Identification (ID) Technology Suppliers in the world.

Its scope encompasses state-of-the-art technologies, innovative concepts and
trends within the automatic identification systems industry that will have the
most significant impact on design and use of ID systems.

The editorial focus of Global ID Magazine is on the use of identification
systems based on radio frequency, biometrics, global positioning,
multifunctional systems, data communication and similar.

Global ID Magazine speaks to decision makers, both at a management and at a
technical level, within companies that use or could leverage from using ID
systems. It suggests innovative solutions, the improvement of existing
applications, describing trends and future possibilities.


~~Faustine.


***

He that would make his own liberty secure must guard even his enemy from
oppression; for if he violates this duty he establishes a precedent that
will reach to himself.

- --Thomas Paine

-BEGIN PGP SIGNATURE-
Version: PGPsdk version 1.7.1 (C) 1997-1999 Network Associates, Inc. and its 
affiliated companies. (Diffie-Helman/DSS-only version)

iQA/AwUBPLNWGvg5Tuca7bfvEQLRzQCg2iSdcpbXf/K+FQRzVNGYa9voHToAn3Jd
35JycT/4X0aUnT7bzWycwYEe
=sSz8
-END PGP SIGNATURE-




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread georgemw

On 9 Apr 2002 at 16:54, Ken Brown wrote:

> But paper money is such a 20th-century thing! These days we're slowly
> drifting back to higher value metal coins (2 pounds out for a few years
> now, 5 pounds coming soon I think). Much more fun. Feels like real
> treasure!  Less of the floppy stuff, we want our ecash to look like real
> cash.
> 
> Ken
> 
Yeah, but is that because people want it, or because the treasury
wants it?  They've been trying to foist dollar coins on
US for years because they're cheaper (last forever and cost
about a dime to make vs. last about a year and cost maybe 3 cents
to make) but people hate them and don't use them.  

George




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Anonymous

Ben Laurie wrote:
> Anonymous wrote:
> > It's not just an extra feature; an off-line system inherently requires
> > users to identify themselves to the bank at withdrawal time.  It cannot
> > allow users to anonymously exchange coins at the bank.  So it has an
> > inherent lack of anonymity which is not present in an online system.
>
> If they withdraw blinded coins, then although they were identified they
> are not linked with the coins. Did I miss something?

Yes.  You missed the point that the lack of anonymity is not in the coins,
but in the protocol.  An off-line system requires people to identify
themselves to the bank at withdrawal time, so that their identities can
be embedded in the coin.  That means no anonymous exchanges at the bank.

This is unlike an online system, which could allow someone to exchange
coins for fresh ones who never identifies himself to the bank, who has
no account at the bank, who in fact has never communicated with the bank
in any way, shape or form ever before.  There are no records of this
guy, his identity, how often he uses the bank, the amounts which he
deposits and withdraws.

That's real anonymity.  Off-line systems can't do this because they
need to track down double-spenders after the fact.  They accumulate
all kinds of information about their customers.

Eric Murray wrote:
> > [Copied to Adam so he doesn't have to wait for some moderator to get
> > off his fat ass and approve it.
>
> The LNE CDR isn't moderated in the usual sense. 
>
> However, postings from new users[1] don't go through until I look at them
> (since about 99.5% are spam).  I do this as often as possible, but
> I do have a life.  So if you (the generic you) feel the urge
> to forge a new cute name on every post, be warned that your posts may
> take a while to go through.  I suggest forging one cute name and sticking
> with it... besides, you will want all of us to have a pseudo to attach
> the appropriate reputation capital to.

Reputation is overrated.  Here's a clue: if you want to know what people
really think of your ideas, post anonymously.

> Eric, your "fat ass moderator"

It's not you, it's Brian Minder.  Adam is on the cypherpunks-moderated
list.  Note the almost 24 hour delay between the initial response to his
message by Anonymous and Adam's reply.  This is almost certainly due to
moderation-imposed delay (plus time zone issues).  We might as well try
to converse by carrier pigeon.  Moderated lists do not support lively
discussion.




RE: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Jim Dixon

On Tue, 9 Apr 2002, Trei, Peter wrote:

> I was living in Britain (and of an allowance-receiving age) when
> decimalization occurred. While we lost the big penny, we gained the 50p
> piece. In those days, it was a large, heavy, seven-sided coin, bigger than
> a US half-dollar, and worth $1.20. It felt good in your pocket. Since then,
> the Brits have shrunk it to a much smaller size. Do they still call the
> 1 pound coins 'maggies'?

I have been living in the UK for 17 years and have never heard this term.

Younger people aren't sure who Maggie is anyway ;-)

(15-year old daughter sitting next to me:

"Who's Maggie?"

and then

"Why would a pound be called Margaret Thatcher?"

)
--
Jim Dixon  [EMAIL PROTECTED]   tel +44 117 982 0786  mobile +44 797 373 7881
-- THAT'S A CHANGE OF ADDRESS: I'm no longer [EMAIL PROTECTED] 




Burroughs' Revenge (was Re: all about transferable off-line ecash (Re: Brands off-line tech))

2002-04-09 Thread R. A. Hettinga

At 8:37 AM +0200 on 4/9/02, Some Anonymous Flatualist emitted the following
bit of flammable gas out of an Austrian remailer somewhere:


>  And BTW permission is NOT granted to
> forward this or any part of it to the DBS list because Hettinga is an
> asshole who kicks people off his list for spite.  He can piss in his
> own sandbox if he wants but we don't have to play in it.

Yup, that's me, Anonymous. Evil Bob. Violating copy protection "protocols"
like the above at the drop of the hat. The tragedy of the commons is that
no one owns the commons? It takes a village to forward an idiot's dreck?
:-).


Nonetheless, Anonymous, I'm also the guy who forwarded your comment to my lists
anyway, methagenous ejaculata and all, because, like I'm doing with this
rejoinder to same, I can. :-). Also because it seems that, at the moment,
and exclusive of your noxious spew above, you apparently have a clue about
the present impossibility of, or at least economic impracticability of,
"off-line" bearer transactions.

Proving once again, like assholes, everyone has a clue at least once in a
while, no matter who they are -- or how badly they misuse their own in
public.


[I could also note that beggars who can't muster their own resources, or at
least an audience, can't be choosers, and thus have to post on others'
lists, anonymously, but, hey, that would be, um, Evil, right? ;-).]


Granted, Anonymous, I do tend to kick various "assholes" off of lists where
I am in charge of subscriptions. Apparently, this includes yourself, now
reduced to what looks like single-hop anonymous posting, most likely
because you've now Graduated From College, or even Grad School, or at least
a way-kewl down-the-toilet dot-com, and now you have an entry-level
cubicle-job somewhere that apparently doesn't appreciate free speech.

And, certainly, I kick people off of lists I run for any reason I feel like
it, including for spite, if not by absolute whim, because, like you seem to
have been, some people who end up on my lists, *are*, in fact, "assholes",
in my opinion, and, like I said, I either own, or at least, control the
subscription list. Call it Bourgeoisie Oblige, if you want :-). No tragedy
of the commons here, out in the land of actual property and responsibility
for same.


[As a further side note, anyone can subscribe to any list I run, and I
certainly don't subscribe anyone against their will, and, most important, I
don't actually "moderate" any lists, just play list.bouncer. So, as such,
if someone pisses me off when they get there, for any reason whatsoever,
even if I'm just having a bad day, they're out of there. Off with their
heads, out the airlock, game over, whatever. Also, lots of people's mail
addresses fail for various reasons, and, since I get to see all the bounced
mail on some lists I do, I have short patience with such things.]


As always, Anonymous, your definition of "asshole", like mine, may vary,
but only on *your* lists, please, if you can ever make that happen with
your otherwise clueful reputation, though one you keep pissing on with
comments like I've quoted above.

Unfortunately, just like that William Burroughs story in _Naked_Lunch_,
about the guy who taught his asshole to talk, you keep trying to prove,
once again, that one man's asshole is indeed another man's larynx.

Cheers,
RAH
"Napalm in the morning, by any other name, smells just as sweet as a
metaphor beaten like a dead horse..."
-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Eric Murray

On Tue, Apr 09, 2002 at 08:37:05AM +0200, Anonymous wrote:
> [Copied to Adam so he doesn't have to wait for some moderator to get
> off his fat ass and approve it.

The LNE CDR isn't moderated in the usual sense. 

However, postings from new users[1] don't go through until I look at them
(since about 99.5% are spam).  I do this as often as possible, but
I do have a life.  So if you (the generic you) feel the urge
to forge a new cute name on every post, be warned that your posts may
take a while to go through.  I suggest forging one cute name and sticking
with it... besides, you will want all of us to have a pseudo to attach
the appropriate reputation capital to.



[1] a 'new' user is the name in the From: line which isn't a subscriber
to a node and which hasn't already posted.


Eric, your "fat ass moderator"




RE: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Trei, Peter

> Mike Rosing[SMTP:[EMAIL PROTECTED]]
> 
> On Tue, 9 Apr 2002, Ken Brown wrote:
> 
> > I'd rather have stiff cards than floppy paper ones. At least you can put
> > them into  the slot of a machine easily.
> 
> But with an RF tag you'd not even have to pull it out of your pocket :-)
> 
Putting RF Tags in cash is one of those ideas with Unintended Consequences.
Muggers would love having a way of determining which victims are carrying a
wad, as would many salesmen (and JBTs looking to perform a 'civil 
confiscation' on 'a sum of currency'.)

> > But paper money is such a 20th-century thing! These days we're slowly
> > drifting back to higher value metal coins (2 pounds out for a few years
> > now, 5 pounds coming soon I think). Much more fun. Feels like real
> > treasure!  Less of the floppy stuff, we want our ecash to look like real
> > cash.
> 
> 18th century actually.  And the point is the same - people don't like to
> change (pun intended!)
> 
> Patience, persistence, truth,
> Dr. mike
> 
I was living in Britain (and of an allowance-receiving age) when
decimalization occurred. While we lost the big penny, we gained the 50p
piece. In those days, it was a large, heavy, seven-sided coin, bigger than
a US half-dollar, and worth $1.20. It felt good in your pocket. Since then,
the Brits have shrunk it to a much smaller size. Do they still call the
1 pound coins 'maggies'?

Actually, the mutability of British currency is quite astonishing to
Americans. Bills and coins seem to change size and/or color every few
years. Of course, there's a good chance Britain will join the Euro soon,
which would be another change.

Re going back to coins - it's not happening everywhere. The US Mint would 
love to get rid of the $1 bill, but the proposed replacements have been 
resounding failures. In the mid-70's they started minting 'pseudo-silver' 
dollars for the Bicentennial. While fun, these were just too big, and did 
not work in vending machines. A few years later they tried the 'Susan B 
Anthony' dollar, but it was rejected as well - it was similar in size and 
color to a quarter, and the two could be easily confused. Just about a 
year ago, they tried again, with the 'Sacagawea' or 'Golden Dollar'.
This is a very handsome coin, gold in color, but it was the same size
as a SBA dollar (to fit the machines). You can still confuse it with a
quarter in your pocket or in the dark. It's been months since I've seen
one.

Peter Trei







Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Mike Rosing

On Tue, 9 Apr 2002, Anonymous wrote:

> Are you saying that if Alice pays Bob, he can anonymously exchange the
> coins and end up with new fresh coins with ALICE's identity in them?
> That's great, he can double spend all he wants and she ends up going
> to the pokey.  No thanks.

Brands' paper that Adam refers to says that you can't double spend to
begin with.  That's in the first intro paragraph, I haven't read much
else yet.  

But let's take the smart card idea one step towards "real" money.  What
makes the money real?  The fact that a government produced it ( or
better, people believe whoever produced it will keep their promise). So if
the card is produced by a trusted party, and you can't actually double
spend (especially if you don't have access to the hardware), then
anonymous cash transfer off line can work.  But the trick here is the
trusted computing device - it *is* money.  People can certainly
counterfeit it, and the technology for detecting that will be fun,
but the basic principle is similar to real cash.  Each device can
have a serial number (just like real bills do) but there's no reason to
tie a device to any particular person, and people can trade devices or
transfer amounts between them as they please.

Patience, persistence, truth,
Dr. mike




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Ken Brown

Mike Rosing wrote:

[...]
 
> It'd be cool to have electronic paper bills - flexible/cloth electronics
> where the value of the bill is variable.  At each transaction, the bill
> reduces the amount it has (plain old smart card stuff) but it'd have
> the look and feel of paper money.  

I'd rather have stiff cards than floppy paper ones. At least you can put
them into  the slot of a machine easily.

> the transaction machines that work
> with the bills would all need to be online, but you could easily trade
> bills for anonymous barter.  It might even be easy to have a reader that
> just tells how much is left in the bill.  The point here isn't technology,
> it's psychology.  The bill "looks" like money, so people will trust that
> it is :-)

But paper money is such a 20th-century thing! These days we're slowly
drifting back to higher value metal coins (2 pounds out for a few years
now, 5 pounds coming soon I think). Much more fun. Feels like real
treasure!  Less of the floppy stuff, we want our ecash to look like real
cash.

Ken




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Anonymous

Adam Back wrote:
> On Tue, Apr 09, 2002 at 08:37:05AM +0200, Anonymous wrote:
> > an off-line system inherently requires
> > users to identify themselves to the bank at withdrawal time.  
>
> Not quite inherently, there are other things you could do.  (This has
> been discussed before I think in [1] at least from reference in the
> thesis).  You could if you wished, rather than putting identity in the
> coin, put an anonymous escrow account number in the coin.  Users who
> preferred to be anonymous at withdrawal would put a deposit which is
> held in escrow like a good behavior bond.  If they double spend they
> are not identified but their escrow account is frozen.  The account
> could optionally be based on is-a-person credentials as a further
> inconvenience for double-spenders to have an account frozen, though
> is-a-person credentials implies strong identification to a Registration
> Authority.  The actual withdrawal could then be made from the
> anonymous account hiding identity from the bank.  However similar
> effect can be achieved with accountless operation, which brings us to
> your next comment...

Two problems with this escrow idea.  First, as noted before, there is no
limit on how much can be double-spent in a short time, hence the escrow
account can't cover it.  This is not just a minor flaw, it makes the whole
escrow idea unworkable, because it completely fails to achieve its goal of
forcing the user to make good his double spends.

And second, because the deposit is unlinkable to the withdrawal, there is
no way for the bank to know when it can safely release the escrow amount
back to the withdrawer.  How long is the bank going to hold onto those
escrowed funds?  A week?  A month?  The withdrawer can simply wait until
after that time interval and then double spend without losing a cent.
And how many people are going to want to use a bank which makes them
set aside an equal amount of every withdrawal for some extended period?
That is absolutely impossible given how most people and businesses manage
their cash flow.

> With Brands off-line coins you _can_ anonymously exchange off-line
> coins at the bank if you choose to set it up that way.
>
> Technically how this works is using an attribute hiding refreshing
> protocol which issues a new fresh coin with the same attributes
> (identity, denomination) as the previous spent coin while revealing
> only some negotiated sub-set of the attributes of the old coin (in
> this case denomination), so the new coin is unlinkable for the bank
> and yet the bank is assured that it will contain the same identity
> that was certified originally so the bank will be able to recover the
> identity if it is later double spent.  There is a description of this
> protocol in section 5 of [3].  This works for off-line coins.  For
> transferable off-line coins you need additionally to update the
> 0-value last holder coin to match the value of the coin being
> exchanged, using the updating protocol (see section 5.2.1 in [2], or
> probably [1] may have some discussion).

Are you saying that if Alice pays Bob, he can anonymously exchange the
coins and end up with new fresh coins with ALICE's identity in them?
That's great, he can double spend all he wants and she ends up going
to the pokey.  No thanks.




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Mike Rosing

On Tue, 9 Apr 2002, Ken Brown wrote:

> I'd rather have stiff cards than floppy paper ones. At least you can put
> them into  the slot of a machine easily.

But with an RF tag you'd not even have to pull it out of your pocket :-)

> But paper money is such a 20th-century thing! These days we're slowly
> drifting back to higher value metal coins (2 pounds out for a few years
> now, 5 pounds coming soon I think). Much more fun. Feels like real
> treasure!  Less of the floppy stuff, we want our ecash to look like real
> cash.

18th century actually.  And the point is the same - people don't like to
change (pun intended!)

Patience, persistence, truth,
Dr. mike





Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Ken Brown

Adam Back wrote:

[...snip...]

> Another example would be having to give a deposit to get a mobile phone
> for people with poor credit ratings.  Also in Europe pay as you go,
> cash only mobile phone usage is popular due to credit eligibility
> reasons also I think.  You can plunk down a 10 pound note and walk out
> with a mobile phone with air time on it, you can buy more air time
> similarly.)


Slightly off-topic, but credit eligibility isn't the main reason for
prepay. A lot of well-off people like it because it is easier to
administer. I know people with jobs and credit ratings who chose to move
to prepay, but I can't think of anyone who went the other way.   You
walk into the shop and buy airtime, which many people find easier than
having yet another "relationship" with yet another boring company.

Incidentally what they actually sell you is a card with a number printed
on it, which you then send to the phone company - there would be a lot of
money for anyone who found a way to predict the numbers - this is
cypherpunk technology - millions of people all over the world are paying
cash money for large random numbers.   

They are also popular with parents who give them to their kids & don't
want to have to bankroll a serious teenage phone habit.

And some people even like anonymity.

The airtime numbers are available more or less anywhere, supermarket
checkouts, every little corner shop, sometimes even bars. There is also
a new breed of phonecard shops, sometimes doubling up as small Internet
cafes and/or the more traditional copier shops. For some reason many of
them are run by Africans (high-tech retail in UK is usually dominated by
Indians). Their main business is in long-distance discount phonecalls.
You get a certain amount of long-distance or international phone time
through a local number. 

If you'd asked me 15 years ago I might have guessed that reselling
bandwidth would be a big business in the first decade of the 21st
century, but I wouldn't have guessed that it would mostly be
over-the-counter in corner shops. Actually selling bits of plastic with
numbers printed on them (most of them don't even bother with mag
stripes) seems very low-tech and physical!

 
Ken Brown




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Mike Rosing

On Tue, 9 Apr 2002, Adam Back wrote:

> You can't outright counterfeit technically as the recipient of each
> coin checks that it's correctly formed, and authenticated by the bank,
> and that the chain of spends are all bound together.  By doing this
> the user is assured that either the coin will not be double-spent, or
> the bank will identify the double spender when the coin is deposited.
> 
> You might reasonably expect the bank to deal with double-spending
> itself and give the depositor fresh money regardless of double spent
> status.

In this case "double spending" and "counterfeit" are the same thing -
you can spend the same coin 1000 times in a few seconds.  As anonymous
points out, it can be from half way across the planet too.  Banks aren't
going to deal nicely with double spent coins, they can't afford to.

> If you use the normal approach of putting the identity in the coin,
> you can't double-spend anonymously.

But it's not until the coin goes back online, you need the minter's secret
key to decode the chain (maybe I have that wrong?).

> Building up technology trust is harder yes.  But that I guess is
> largely marketing and reputation.  Most people probably don't
> understand the security mechanisms in place with credit-cards either
> (PIN offset on card etc.), or even more the more secure smart-card
> based credit cards used in some parts of the world.

I was thinking about this a bit while drifting off to sleep last night.
It'd be cool to have electronic paper bills - flexible/cloth electronics
where the value of the bill is variable.  At each transaction, the bill
reduces the amount it has (plain old smart card stuff) but it'd have
the look and feel of paper money.  The transaction machines that work
with the bills would all need to be online, but you could easily trade
bills for anonymous barter.  It might even be easy to have a reader that
just tells how much is left in the bill.  The point here isn't technology,
it's psychology.  The bill "looks" like money, so people will trust that
it is :-)

Patience, persistence, truth,
Dr. mike
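
How an identity falls out of a double spend, which is what the quoted claim "you can't double-spend anonymously" rests on, sketched as an added example (not code from any poster in this thread or from Brands' papers). It follows the challenge-response spend of Brands-style coins but leaves out the bank's blind signature on the coin and the transfer chain; the group parameters, the account secret 777, the account name and all function names are constructed assumptions.

```python
import secrets

# Toy group, constructed for this example and far too small for real use.
P = 2039            # safe prime, P = 2*Q + 1
Q = 1019            # prime order of the subgroup of squares mod P
G1, G2 = 4, 9       # two generators of that subgroup (assumed independent)


def _rand_exponent():
    """Uniform non-zero exponent mod Q."""
    return secrets.randbelow(Q - 1) + 1


class Coin:
    """Holder-side view of one coin with the account secret u embedded in it."""

    def __init__(self, u):
        self.u = u
        self.s = _rand_exponent()       # per-coin blinding of the identity
        self.x1 = _rand_exponent()      # one-time commitment secrets
        self.x2 = _rand_exponent()
        identity = pow(G1, u, P)        # value the bank holds for the account
        self.A = pow(identity * G2 % P, self.s, P)
        self.B = pow(G1, self.x1, P) * pow(G2, self.x2, P) % P

    def spend(self, d):
        """Answer the payee's challenge d; returns the transcript the payee keeps."""
        d %= Q
        r1 = (d * self.u * self.s + self.x1) % Q
        r2 = (d * self.s + self.x2) % Q
        return (self.A, self.B, d, r1, r2)


def verify_spend(transcript):
    """Payee-side check, done off-line: g1^r1 * g2^r2 == A^d * B (mod P)."""
    A, B, d, r1, r2 = transcript
    return pow(G1, r1, P) * pow(G2, r2, P) % P == pow(A, d, P) * B % P


def identify_double_spender(t1, t2, accounts):
    """Bank-side check at deposit time.

    One transcript is one equation in the unknowns (u*s, x1) and (s, x2), so it
    reveals nothing about u. Two transcripts for the same coin under different
    challenges give r1 - r1' = (d - d')*u*s and r2 - r2' = (d - d')*s, whose
    ratio is u. Returns the account name, or None if no double spend is shown.
    """
    A1, B1, d1, r1, r2 = t1
    A2, B2, d2, r1p, r2p = t2
    if (A1, B1) != (A2, B2):
        return None                     # two different coins
    if d1 == d2:
        return None                     # same transcript deposited twice (payee's doing)
    if not (verify_spend(t1) and verify_spend(t2)):
        return None                     # malformed transcript proves nothing
    den = (r2 - r2p) % Q
    if den == 0:
        return None
    u = (r1 - r1p) * pow(den, -1, Q) % Q    # modular inverse, Python 3.8+
    return accounts.get(pow(G1, u, P))


def demo():
    """Constructed scenario: one coin spent to two payees with different challenges."""
    accounts = {pow(G1, 777, P): "alice"}   # bank's registry: g1^u -> account
    coin = Coin(777)
    t_bob = coin.spend(123)
    t_carol = coin.spend(456)
    return accounts, t_bob, t_carol


if __name__ == "__main__":
    accounts, t_bob, t_carol = demo()
    print("each spend verifies off-line:", verify_spend(t_bob), verify_spend(t_carol))
    print("bank identifies:", identify_double_spender(t_bob, t_carol, accounts))
```

Each payee can verify a spend without contacting anyone, but the identity only becomes computable once both transcripts reach the same party at deposit.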





Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Adam Back

On Tue, Apr 09, 2002 at 08:37:05AM +0200, Anonymous wrote:
> Adam Back wrote:
> > On Mon, Apr 08, 2002 at 04:15:09AM +0200, Anonymous wrote:
> > > First, off-line coins suck, as described above.  [...]
> >
> > Off-line coins just offer an extra optional feature for the user, any
> > user who chooses can instead use them as online coins.  So I would
> > argue off-line coins are better than online coins.
> 
> It's not just an extra feature; an off-line system inherently requires
> users to identify themselves to the bank at withdrawal time.  

Not quite inherently, there are other things you could do.  (This has
been discussed before I think in [1] at least from reference in the
thesis).  You could if you wished, rather than putting identity in the
coin, put an anonymous escrow account number in the coin.  Users who
preferred to be anonymous at withdrawal would put a deposit which is
held in escrow like a good behavior bond.  If they double spend they
are not identified but their escrow account is frozen.  The account
could optionally be based on is-a-person credentials as a further
inconvenience for double-spenders to have an account frozen, though
is-a-person credentials implies strong identification to a Registration
Authority.  The actual withdrawal could then be made from the
anonymous account hiding identity from the bank.  However similar
effect can be achieved with accountless operation, which brings us to
your next comment...

(btw There are some real world analogies to escrow accounts, though this
one has nothing to do with the anonymity aspect.  Upon moving to
Canada, not being a Canadian citizen, I found that I could only get a
credit card by providing a deposit of 2x the value of the "credit"
limit which is held in an escrow account.

Another example would be having to give a deposit to get a mobile phone
for people with poor credit ratings.  Also in Europe pay as you go,
cash only mobile phone usage is popular due to credit eligibility
reasons also I think.  You can plunk down a 10 pound note and walk out
with a mobile phone with air time on it, you can buy more air time
similarly.)

> It cannot allow users to anonymously exchange coins at the bank.  So
> it has an inherent lack of anonymity which is not present in an
> online system.

With Brands off-line coins you _can_ anonymously exchange off-line
coins at the bank if you choose to set it up that way.

Technically how this works is using an attribute hiding refreshing
protocol which issues a new fresh coin with the same attributes
(identity, denomination) as the previous spent coin while revealing
only some negotiated sub-set of the attributes of the old coin (in
this case denomination), so the new coin is unlinkable for the bank
and yet the bank is assured that it will contain the same identity
that was certified originally so the bank will be able to recover the
identity if it is later double spent.  There is a description of this
protocol in section 5 of [3].  This works for off-line coins.  For
transferable off-line coins you need additionally to update the
0-value last holder coin to match the value of the coin being
exchanged, using the updating protocol (see section 5.2.1 in [2], or
probably [1] may have some discussion).

> Furthermore, off-line coins require a complex infrastructure to work.
> Unlike online systems, where cheating is impossible, off-line systems
> attempt to locate and punish cheaters after the fact.  How can that
> possibly work in an Internet system where people may be engaging in
> transactions all over the world?  If someone cheats you from Timbuktu
> do you really expect the cops over there to track him down for you?

The cops would not be tracking down a double-spending user for you
(the user who was left with a double-spent coin), they would be
tracking down the double-spending user for the bank of Timbuktu who
now owes the bank money.  The bank would expect the local cops to
track down someone who attempted to defraud them.

> Or maybe the bank will make good by forcing each person to keep a
> certain amount in their account to pay off creditors they have cheated?
> The problem there is that there is no limit to how fast people can cheat
> in an off-line system, so there is no way the bank can force people to
> keep enough in their account to cover cheating.

Agree, this is a limitation of the anonymous escrow account approach.

Also, much of this would be better limited with a smart-card setting
as the barrier to double-spending is much higher, and security is also
much higher (against rogue software on OSes with weak security).

> You talked about moneychangers, but the discussion was confusing.
> What exactly is a moneychanger?

In the case where a bank does not anyway directly provide accountless
operation (exchanging old coins for fresh coins without requiring the
association of the exchange with an account) a money changer is simply
another user or merchant who fulfils the same function -- exchanging
o

Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Anonymous

[Copied to Adam so he doesn't have to wait for some moderator to get
off his fat ass and approve it.  And BTW permission is NOT granted to
forward this or any part of it to the DBS list because Hettinga is an
asshole who kicks people off his list for spite.  He can piss in his
own sandbox if he wants but we don't have to play in it.]

Adam Back wrote:
> On Mon, Apr 08, 2002 at 04:15:09AM +0200, Anonymous wrote:
> > First, off-line coins suck, as described above.  [...]
>
> Off-line coins just offer an extra optional feature for the user, any
> user who chooses can instead use them as online coins.  So I would
> argue off-line coins are better than online coins.

It's not just an extra feature; an off-line system inherently requires
users to identify themselves to the bank at withdrawal time.  It cannot
allow users to anonymously exchange coins at the bank.  So it has an
inherent lack of anonymity which is not present in an online system.

Furthermore, off-line coins require a complex infrastructure to work.
Unlike online systems, where cheating is impossible, off-line systems
attempt to locate and punish cheaters after the fact.  How can that
possibly work in an Internet system where people may be engaging in
transactions all over the world?  If someone cheats you from Timbuktu
do you really expect the cops over there to track him down for you?

Or maybe the bank will make good by forcing each person to keep a
certain amount in their account to pay off creditors they have cheated?
The problem there is that there is no limit to how fast people can cheat
in an off-line system, so there is no way the bank can force people to
keep enough in their account to cover cheating.

In short, off-line cash simply can't work in an Internet economy.
It violates the fundamental nature of the net, which is distributed and
anonymous.  An old cypherpunk aphorism says that any internet protocol
which ends with "then the cops track down the bad guy" is fundamentally
flawed.  Off-line cash is a non-starter by this criterion.

> > Transferred coins are recognizable and linkable.  Hence they suck
> > even worse than off-line coins.
>
> Transferable off-line coins allow all kinds of cool anonymity features
> as described above, I also argued above that the linkability
> deficiency can be somewhat defended against.

Most of the anonymity features are just as applicable in an online
system where people can exchange coins without identifying themselves.
This allows for fully anonymous transactions with the bank and accountless
operation.

You talked about moneychangers, but the discussion was confusing.
What exactly is a moneychanger?  You seem to have an unstated assumption
that moneychangers wouldn't be allowed by the bank and this was a way
around that.  But if transferrable off-line cash allows moneychangers,
which the bank won't allow, then such a bank probably wouldn't provide
for transferrable off-line cash either.

Anyway, what the hell is a moneychanger, and why wouldn't a bank allow
one?

As for hidden banks, there is no evidence yet that people are clamoring
to trust their hard earned savings to a bank which won't even show its
face and which could abscond with the entire money supply at any time
without penalty.

Turning to the fact that the off-line coin chains are linkable, that's
such an ugly blot on the whole idea that it deserves to kill it on those
grounds alone.  In one stroke you've gone from mathematical anonymity to
"somewhat" anonymity.  It's reminiscent of Dan Simon's fully linkable
"cash", where he offered the same sort of lame ideas like spending to
yourself a few times.  If all you want is pretend anonymity then don't
bother with the fancy mathematics.  Real anonymity means unlinkable coins.
End of story.

> And transferable off-line coins add yet more flexibility, while again
> not preventing online clearing for those that prefer it.  While some
> of the features have the linkability artifact, those features are
> optional and the user has free choice to select methods to avoid
> entirely or defend against linkability by any of the available methods
> respectively fetching fresh online coins, using money-changers to do
> the same more off-line, and self re-spending to add confusion.  Hence
> transferable off-line coins are already superior to both
> non-transferable off-line coins and online coins due to the selection
> of choice of new features and trade-offs offered to the users.  All we
> need now is a way to more robustly defeat linkability.

Linkability can't be defeated.  The Chaum&Pedersen paper implies that
anyone can collude with the bank to determine if a coin is a later
instance of one they held earlier.  They simulate a second spend of
their earlier coin, and let the bank determine if that produces a
double-spending match with the later one, which it would have to do
if they were both on the same chain.  Hence there is no way even in
principle to avoid chain linkability.

Let's face it, transferra

Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-09 Thread Adam Back

On Mon, Apr 08, 2002 at 07:52:32PM -0700, Mike Rosing wrote:
> While I agree with goal, it's not clear to me that it's physically
> possible.  What makes "money" useful is its physical existence, people
> have been counterfeiting coins since they were invented but it's been
> getting harder to do.  With off-line coins you could easily counterfeit or

You can't outright counterfeit technically as the recipient of each
coin checks that it's correctly formed, and authenticated by the bank,
and that the chain of spends are all bound together.  By doing this
the user is assured that either the coin will not be double-spent, or
the bank will identify the double spender when the coin is deposited.

You might reasonably expect the bank to deal with double-spending
itself and give the depositor fresh money regardless of double spent
status.

> double spend and live off the float, especially if you do it all
> anonymously.  

If you use the normal approach of putting the identity in the coin,
you can't double-spend anonymously.

> And if you just do it once with some huge sum, you'd get
> away with it (like Enron guys did :-)
> 
> Money boils down to psychology - people trust that it trades their effort
> for somebody else's effort.  Who's going to trust ephemeral bits?  Crossing
> that barrier is going to be a lot harder than any technology.

Building up technology trust is harder yes.  But that I guess is
largely marketing and reputation.  Most people probably don't
understand the security mechanisms in place with credit-cards either
(PIN offset on card etc.), or even more the more secure smart-card
based credit cards used in some parts of the world.

Adam
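
An added illustration of the checks described in the message above; it is not code from any poster in this thread or from a real ecash implementation. It uses a Brands-style two-generator coin in a constructed toy group, omits the bank's signature on the coin, and binds the payee's next coin into the challenge by hashing; all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy Schnorr group, far too small for real use: P = 2Q + 1.
P, Q = 2039, 1019
G1, G2 = 4, 9          # two elements of the order-Q subgroup


def withdraw(u):
    """Build a coin hiding identity secret u. Returns (public, secret).
    Assumption: the bank's blind signature on (A, B) is left out."""
    s = 1 + secrets.randbelow(Q - 1)             # blinding factor, never 0
    x1, x2 = secrets.randbelow(Q), secrets.randbelow(Q)
    a = pow(G1, u * s, P) * pow(G2, s, P) % P    # A = (g1^u * g2)^s
    b = pow(G1, x1, P) * pow(G2, x2, P) % P      # B = g1^x1 * g2^x2
    return (a, b), (u, s, x1, x2)


def challenge(payee_coin, nonce):
    """Payee's challenge: a hash covering the coin he will spend next."""
    data = repr((payee_coin, nonce)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def spend(secret, d):
    """Payer's response to challenge d: one point on a line through the secret."""
    u, s, x1, x2 = secret
    return ((d * u * s + x1) % Q, (d * s + x2) % Q)


def verify(coin, d, resp):
    """Recipient's off-line check: g1^r1 * g2^r2 == A^d * B (mod P)."""
    a, b = coin
    r1, r2 = resp
    return pow(G1, r1, P) * pow(G2, r2, P) % P == pow(a, d, P) * b % P


def identify(t1, t2):
    """Bank at deposit: two transcripts (coin, d, resp) of one coin yield u."""
    (c1, d1, (r1, r2)), (c2, d2, (q1, q2)) = t1, t2
    if c1 != c2 or (d1 - d2) % Q == 0:
        return None      # different coins, or the same challenge seen twice
    # (r1 - q1) = (d1 - d2)*u*s and (r2 - q2) = (d1 - d2)*s, so the ratio is u.
    return (r1 - q1) * pow((r2 - q2) % Q, -1, Q) % Q


def check_link(prev_transcript, payer_coin, nonce):
    """Next payee's check: the coin the payer now spends is the one whose
    hash was bound into the challenge of the transcript being passed on."""
    _, d, _ = prev_transcript
    return d == challenge(payer_coin, nonce)
```

A single spend is one point on a line and reveals nothing about `u`; two different challenges against the same coin give two points, which is why `identify` returns `None` when the same transcript is merely deposited twice.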




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-08 Thread Mike Rosing

On Tue, 9 Apr 2002, Adam Back wrote:

> Transferable off-line coins allow all kinds of cool anonymity features
> as described above, I also argued above that the linkability
> deficiency can be somewhat defended against.
> 
> And transferable off-line coins add yet more flexibility, while again
> not preventing online clearing for those that prefer it.  While some
> of the features have the linkability artifact, those features are
> optional and the user has free choice to select methods to avoid
> entirely or defend against linkability by any of the available methods
> respectively fetching fresh online coins, using money-changers to do
> the same more off-line, and self re-spending to add confusion.  Hence
> transferable off-line coins are already superior to both
> non-transferable off-line coins and online coins due to the selection
> of choice of new features and trade-offs offered to the users.  All we
> need now is a way to more robustly defeat linkability.

While I agree with goal, it's not clear to me that it's physically
possible.  What makes "money" useful is its physical existence, people
have been counterfeiting coins since they were invented but it's been
getting harder to do.  With off-line coins you could easily counterfeit or
double spend and live off the float, especially if you do it all
anonymously.  And if you just do it once with some huge sum, you'd get
away with it (like Enron guys did :-)

Money boils down to psychology - people trust that it trades their effort
for somebody else's effort.  Who's going to trust ephemeral bits?  Crossing
that barrier is going to be a lot harder than any technology.

Patience, persistence, truth,
Dr. mike





Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-08 Thread Adam Back

Anonymous gives some comments on some deficiencies in the properties
of the transferable ecash schemes to date:

On Mon, Apr 08, 2002 at 04:15:09AM +0200, Anonymous wrote:
> [...]
> And second, because they grow, it is possible to tell exactly how
> many hands a particular coin has passed through - just count the
> transcripts of previous spends.  So coins are not all that
> anonymous.  And further, there is no re-blinding of the earlier
> transcripts.  The Alice transcript is in the clear in all following
> uses of that same coin.  Transferred coins are recognizable and
> linkable.

While it is true that the coins are unavoidably linkable, the
linkability will only leak information where a user happens to see the
same coin twice as it gets re-spent, as he can recognize this.  As the
chain length is also visible he knows how many hands it has gone
through since he spent it.  However he has no way to identify the
intermediate payers except the last payer.

The amount of identifying information the immediate payer discloses is
up to that payer, though some identification may be relatively hard to
avoid if there is no anonymous communication link used.

So in general the shorter the intermediate chain the more revealing
about the first and last payer in the intermediate chain the
observation is.  The more people who collude, the more chance there is
that the colluding group can find samples of respent coins and so
identify or gain information about the transactions of a target payer
or payee.

The transaction information leakage from the linkability may be fairly
limited in practice -- for example by comparison how much transaction
leakage would you expect to get as an individual or small group of
colluding individuals if you write down the serial number on a bank
note and wait until you see it again -- or even if a bank were to
perform the same experiment, and they are far more likely to see it
again due to volume.  The issue will tend to be worse in small payment
communities.

Clearly it's not ideal, and it is useful to think about things you
could do to improve the situation:

- One thing that could be done to obscure this is to add a few extra
random spending hops (say 0-2) which the user can do himself by
spending to himself, though this comes at some extra space overhead.
The recipient won't be able to distinguish self-spends from
third-party spends.

- Another defense would be to use third party money-changer to
exchange coins for different coins.  Basically to shuffle coins around
a bit so that receiving a coin from someone with a short enough chain
length between current and recognised spend to normally leak some
information will no longer gain useful information.

Ideas for more robustly fixing it:

- Perhaps there is a way to encrypt the original chain with the bank's
public key with a randomizable encryption algorithm such as Elgamal
and yet retain sufficient proofs that the encrypted chain contains
coin transcripts which would identify the appropriate part if the coin
were double spent, and such that people handling the coin are assured
of its issue value.


Also here are some comments on the conclusions:

> So it works, but broadly speaking there are two problems.  First, off-line
> coins suck, as described above.  And second, because they grow, it is
> possible to tell exactly how many hands a particular coin has passed
> through - just count the transcripts of previous spends.  So coins are
> not all that anonymous.  And further, there is no re-blinding of the
> earlier transcripts.  The Alice transcript is in the clear in all
> following uses of that same coin.  Transferred coins are recognizable
> and linkable.  Hence they suck even worse than off-line coins.

Online actions are harder to perform anonymously, therefore added
flexibility to behave more off-line is good for anonymity.  Off-line
and transferable off-line coins add several new features which are
useful to an anonymous user:

- ability to transfer rather than deposit, so better hiding payee
identity from bank for payers that want this (there are good uses for
payee privacy as well as payer privacy)

- accountless operation is better for privacy than forcing payments to
be deposited and withdrawn as it also gives a user privacy of
transaction volume; however accountless operation where you have to
connect to the bank in real time (online protocol) makes it more
difficult to remain anonymous due to the need for interactive
low-latency communication

- a money changer is much easier and more realistic to operate with
off-line transferability -- it's basically impossible for the bank to
detect with off-line transferability.  With online coins a money
changer would stand out exchanging a lot of coins through its account
(with forced-account option), plus even with accountless online
exchange of fresh coins at the bank it's harder for the money changer
to hide its identity due to its necessarily high bandwidth,
low-latency inter

Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-08 Thread Anonymous

The issue with off-line cash is this: has the coin being offered already
been spent?

With on-line cash, the offered coin is immediately deposited at the bank,
hence doubly-spent coins are detected instantly.  With off-line cash
this cannot be done because by definition there is no connection to the
bank.  Hence there is no way to know, off-line, if a coin has already
been spent.

The solution is to embed the identity of the withdrawer into the coin
when it is withdrawn from the bank, in such a way that this identity
will only be revealed if the coin is double-spent.  That provides a
partial solution to the off-line scenario.

A coin is offered off-line, and the recipient again has no guarantee that
it hasn't been spent already.  He accepts the coin anyway, and later when
he gets on-line he tries to deposit it at the bank.  But he learns that
he was cheated; the coin had already been spent.  Now he has a fall-back
solution: the doubly-spent coin reveals the embedded identity of the
party who withdrew it (and who doubly-spent it).  He can call the cops
and try to track down and prosecute the cheater.

All off-line spending schemes work this way.  All they can offer is
the hope of tracking down cheaters after the fact.  They can never
offer the assurance of validity that an immediate on-line check can
provide.

With off-line coins, unlike on-line coins, the spender knows more than
he's telling.  He knows secrets about those coins which would reveal his
identity; that is, his identity is embedded in some secret information
associated with the coin.  When he spends it at a shop, he responds
to a random challenge from the shop, using his secret information.
The system is set up so that the shop, and later the bank, can validate
his response as being valid, proving that he truly owned a coin.  For the
double-spending detection, the system is further arranged that if two
different shops offer two different random challenges, then from the
responses to these two challenges, the user's secret information and
therefore his identity is revealed.

To turn this into a transferrable system, we would allow a chain of
transfers before the bank gets involved.  Alice spends the coin with Bob,
who spends it with Carol, who spends it with David, who deposits it at
the bank.  There are two problems.  First, only Alice knows the secret
information associated with the coin.  She can't give all the secrets to
Bob, or else he would know her identity.  So Bob only has a limited amount
of information about the coin.  Second, after this chain of transfers,
if there was double-spending, it might have been anyone along the chain.
The system for double-spending detection has to be able to identify
which person was the cheater.

The solution which Adam describes works as follows.  Each party
pre-withdraws a zero-value coin from the bank.  This is an off-line
coin which has their identity encoded in it, if they double-spend it.
Alice first spends her coin with Bob in the normal off-line way.  Bob ends
up with a transcript sufficient to prove that he received a presumably
valid coin from Alice (but one which might have been doubly-spent).

Now Bob wants to spend with Carol.  He does two things: he gives her
the transcript of Alice's spend with him, which implicitly identifies
the value of the coin; and also he engages in the regular off-line
coin spend with her, using his zero-value coin.

If Carol then spends the coin with David, she does the same two things:
she gives David the transcript of Bob's spend with her (which itself
included the two parts above), and also spends a zero-value coin with
him.  The resulting transcript now has three parts.

So it grows at each transfer, and in the end the transcript is deposited.
If there was a double-spend, someone spent his zero-value coin twice,
and his own identity is revealed.

There is one flaw, which is that Bob could use the same Alice transaction
with more than one zero-value coin, which he after all gets for free.
Carol can't tell that the Alice transaction she sees is the same one
someone else saw, and if Bob uses a unique zero-value coin for each spend,
then Bob's identity will not be revealed as it should be.

The fix for this is that when Bob receives the coin from Alice, knowing
that he is going to pass it on, he must link the specific zero-value coin
he will later use into the transcript he will receive of Alice's spend
with him.  This is done by including a hash of the coin information into
the random challenge he sends to Alice.  Then when he tries to pass the
coin on to Carol, she checks that the zero-value coin he is spending with
her matches the value used in the Alice transcript.  That prevents Bob
from using two different zero-value coins with a single Alice transcript.

So it works, but broadly speaking there are two problems.  First, off-line
coins suck, as described above.  And second, because they grow, it is
possible to tell exactly how many hands a particular coin has