[118345] in Cypherpunks


Sander & Ta-Shma's ecash is revocable

daemon@ATHENA.MIT.EDU (Adam Back)
Sat Sep 25 17:05:33 1999

Date: Sat, 25 Sep 1999 21:47:06 +0100
Message-Id: <199909252047.VAA06778@server.cypherspace.org>
From: Adam Back <adam@cypherspace.org>
To: cypherpunks@cyberpass.net
Cc: dbs@philodox.com
Reply-To: Adam Back <adam@cypherspace.org>


Reading Sander & Ta-Shma's ecash system "Auditable, Anonymous
Electronic Cash" [1], there is an unusual feature as compared to other
anonymous ecash systems, which is that its tokens are anonymously
revocable.

With Chaum's cash or other online anonymous cash systems, settlement
is argued to be instant and final, because the cash is irrevocable --
the payer can't demand the money back because he doesn't know who has
it, and the bank can't help him find out, as it won't recognise the
coin when it is presented because of the blind signature process.

(Actually ecash systems fielded by digicash are only payer anonymous
-- the bank and payer can collude to identify the payee).

Sander & Ta-Shma's ecash system uses a different approach with the
following properties:

- there effectively is no mint (coin validity is based on a publicly
  auditable database).

- The payer (A) can revoke the payment, but can not identify the payee
  (B).

- Even if the coin is passed on by B giving it to C, A can still revoke
  both the payment A->B and the payment B->C, again without identifying
  B or C.[2]

Sander & Ta-Shma claim this anonymous revocability function is good
because it prevents the "blackmail attack" [3].

However, while perhaps it is nice to be able to defuse the blackmail
attack argument, it seems to me that this method of doing so means
that you no longer have instant final settlement, because the payer
can go and demand a refund from the bank, and the bank in this case
does have recourse -- it can revoke the payment, even though it can't
identify the payee.

Adam

[1] www.icsi.berkeley.edu/~sander/publications/audit.ps

[2] This works because there is a publicly verifiable audit trail
showing payments in the audit log A->B->C etc., but where a given coin
can not be linked by the bank to the corresponding audit log entry.
The "coin" is a zero knowledge proof that the owner holds a preimage
of the audit log entry, without revealing to the bank which entry in
the list it corresponds to.

[3] The "blackmail attack" is a scenario presented by critics of
untraceable cash to argue that perfect payee anonymity is dangerous --
the blackmailer is perfectly protected from being traced through the
payment.

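Added example, not code from the post or from the Sander & Ta-Shma paper: a toy model of the mechanism sketched in footnote [2], with a public list of group elements standing in for the audit log and a one-of-n Schnorr OR-proof (Cramer-Damgard-Schoenmakers style) standing in for the paper's zero-knowledge proof. B spends by proving knowledge of a preimage of *some* valid entry without revealing which; A, who knows its own entry, revokes by striking it from the valid set, after which B's coin no longer verifies, yet the verifier never learns which entry B held. The group parameters are constructed and far too small for real use.

```python
import hashlib, secrets

# Toy group parameters, constructed for illustration only (far too small for
# real use): p is a safe prime, q = (p-1)/2, g generates the order-q subgroup.
P, Q, G = 2039, 1019, 4

def challenge(log, commitments):
    """Fiat-Shamir: hash the statement (the public log) plus all commitments."""
    data = ",".join(map(str, list(log) + list(commitments))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def make_entry(secret):
    """Public audit-log entry y = g^x; holding the coin means knowing x."""
    return pow(G, secret, P)

def prove_membership(log, j, secret):
    """One-of-n Schnorr OR-proof (CDS-style): knowledge of the preimage of
    *some* log entry, without revealing that it is log[j].  Assumed stand-in
    for the paper's zero-knowledge proof, not its actual construction."""
    n = len(log)
    a, c, s = [0] * n, [0] * n, [0] * n
    for i in range(n):
        if i != j:  # simulate accepting transcripts for entries we do not own
            c[i], s[i] = secrets.randbelow(Q), secrets.randbelow(Q)
            a[i] = pow(G, s[i], P) * pow(log[i], -c[i], P) % P
    r = secrets.randbelow(Q)
    a[j] = pow(G, r, P)
    c[j] = (challenge(log, a) - sum(c)) % Q  # real share forced by the hash
    s[j] = (r + c[j] * secret) % Q
    return a, c, s

def verify_membership(log, proof):
    """Accept only proofs over the current set of valid (unrevoked) entries."""
    a, c, s = proof
    if len(a) != len(log) or sum(c) % Q != challenge(log, a):
        return False
    return all(pow(G, s[i], P) == a[i] * pow(log[i], c[i], P) % P
               for i in range(len(log)))

def demo(payer_secrets, coin_index):
    """A created log[coin_index] (coin_index > 0) and gave its secret to B.
    Returns (B spends before revocation, B spends after, payer 0 still spends)."""
    log = [make_entry(x) for x in payer_secrets]
    proof = prove_membership(log, coin_index, payer_secrets[coin_index])
    before = verify_membership(log, proof)
    # Revocation: A strikes its own entry from the valid set.  The bank never
    # learns which entry B's proof was about, only that the set has shrunk.
    valid = log[:coin_index] + log[coin_index + 1:]
    other_ok = verify_membership(valid, prove_membership(valid, 0, payer_secrets[0]))
    return before, verify_membership(valid, proof), other_ok
```

Run `demo([5, 17, 123, 999], 2)` to see B's coin accepted, then rejected after A's revocation, while an unrelated payee still spends.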
