[118351] in Cypherpunks
Re: Sander & Ta-Shma's ecash is revocable
daemon@ATHENA.MIT.EDU (Anonymous)
Sat Sep 25 19:28:13 1999
Date: Sun, 26 Sep 1999 00:59:20 +0200 (CEST)
Message-Id: <199909252259.AAA16560@mail.replay.com>
From: Anonymous <nobody@replay.com>
To: cypherpunks@cyberpass.net, dbs@philodox.com
Reply-To: Anonymous <nobody@replay.com>
Adam Back writes:
> Reading Sander & Ta-Shma's ecash system "Auditable, Anonymous
> Electronic Cash." [1] there is an unusual feature as compared to other
> anonymous ecash systems, which is that its tokens are anonymously
> revocable.
There is a list of issued coins. When a new coin is created (by the
bank, in their system) it gets added to the list. To revoke a coin
it is removed from the list. To deposit or spend a coin the holder
offers a ZK proof that it is in the issued coin list.
> The payer (A) can revoke the payment, but can not identify the payee
> (B).
More exactly, whoever controls the issued coin list can revoke a payment.
Whatever policies they follow will determine who can revoke payments.
It is not necessarily the payer (A). For example a bank might allow a
government to request that they revoke certain payments.
> Even if B passes the coin on to C, A can still revoke both
> payment A->B, and payment B->C again without identifying B or C.[2]
>
> [2] This works because there is a publicly verifiable audit trail
> showing payments in the audit log A->B->C etc. but where a given coin
> can not be linked by the bank to the corresponding audit log entry.
> The "coin" is a zero knowledge proof that the owner holds a preimage
> of the audit log entry, without revealing to the bank which entry in
> the list it corresponds to.
This does not seem right. A gets a coin from the bank. It is in the
issued coin list. He gives it to B, offering a zero knowledge proof
that the coin's serial number is in the issued coin list. B deposits
it and then gets a new coin to give to C.
Now A decides to revoke his coin. He gets the bank to remove it from
the issued coin list. But that has no effect. There is no way to know
which deposited coin corresponded to A's coin. The deposit transcript
was zero knowledge so it can not be linked to the withdrawal.
> However, while perhaps it is nice to be able to diffuse the blackmail
> attack argument, it seems to me that this method of doing so means
> that you no longer have instant final settlement, because the payer
> can go demand refund from the bank, and the bank in this case does
> have recourse -- it can revoke the payment, even though it can't
> identify the payee.
No, once the coin is deposited there is no way to invalidate it after
the fact. The ZK proof was only offered in the context of the list as it
was at that moment, and there is no way to say, "the list has changed,
let's go back and see which ZK proof transcripts are now invalid".
They would all be invalid once the list changes. There is no way to
single out the particular one which was invalidated by the removal of
a coin from the list. Hence settlement is still final.
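The argument above (a proof of membership in the issued-coin list is bound to the list as it stood, so delisting a coin later invalidates every old transcript equally and singles out none) can be run through in code. This is an added illustration, not code from the Sander & Ta-Shma paper or from either poster: a coin is modelled as a Schnorr keypair, the bank's issued-coin list as the list of public keys, and a spend as a 1-of-n Schnorr OR-proof (Cramer-Damgard-Schoenmakers style) that the spender knows the secret key of some listed coin. That proof system is my stand-in for whatever membership proof the paper actually uses; the 64-bit safe prime, the seeded RNG and the five-coin scenario with holders A and D are constructed for the demo and are not secure parameters.

```python
"""Toy model of the issued-coin-list argument: a coin is a Schnorr keypair,
the bank's list is the list of public keys, and a spend is a 1-of-n Schnorr
OR-proof bound to a digest of the list as it stood. Added illustration, not
the paper's or the poster's code; the 64-bit group is far too small to be secure."""
import hashlib
import random

def is_probable_prime(n, rounds=24):
    """Miller-Rabin with seeded bases so the demo run is deterministic."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(bits, seed=7):
    """Return (p, q) with p = 2q + 1 both prime and p having `bits` bits."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = find_safe_prime(64)
G = 4                       # a square mod P, hence a generator of the order-Q subgroup
RNG = random.Random(2024)   # seeded for reproducibility; real code would use `secrets`

def issue_coin():
    """Bank issues a coin: the holder keeps x, the bank lists y = G^x."""
    x = RNG.randrange(1, Q)
    return x, pow(G, x, P)

def list_digest(issued):
    """Commitment to the issued-coin list at one moment; every proof binds to it."""
    return hashlib.sha256(",".join(map(str, issued)).encode()).hexdigest()

def challenge(issued, commitments):
    """Fiat-Shamir challenge over the list snapshot and all n commitments."""
    h = hashlib.sha256(list_digest(issued).encode())
    for t in commitments:
        h.update(t.to_bytes(8, "big"))
    return int.from_bytes(h.digest(), "big") % Q

def prove_membership(issued, x):
    """Prove knowledge of x with G^x in `issued` without revealing which entry."""
    j = issued.index(pow(G, x, P))   # ValueError if the coin is not (or no longer) listed
    n = len(issued)
    c, s, t = [0] * n, [0] * n, [0] * n
    for i in range(n):
        if i != j:                   # simulate the sub-proof for every other listed coin
            c[i], s[i] = RNG.randrange(Q), RNG.randrange(Q)
            t[i] = pow(G, s[i], P) * pow(issued[i], (Q - c[i]) % Q, P) % P
    r = RNG.randrange(1, Q)          # honest Schnorr commitment for the coin we hold
    t[j] = pow(G, r, P)
    c[j] = (challenge(issued, t) - sum(c)) % Q   # c[j] is still 0, so sum(c) is the others
    s[j] = (r + c[j] * x) % Q
    return {"list": list_digest(issued), "c": c, "s": s}

def verify_membership(issued, proof):
    """Bank-side check against the list it holds right now."""
    if proof["list"] != list_digest(issued) or len(proof["c"]) != len(issued) \
            or len(proof["s"]) != len(issued):
        return False
    t = [pow(G, s, P) * pow(y, (Q - c) % Q, P) % P
         for y, c, s in zip(issued, proof["c"], proof["s"])]
    return sum(proof["c"]) % Q == challenge(issued, t)

def run_scenario():
    """Constructed scenario: five coins issued; A holds coin 2, D holds coin 4."""
    coins = [issue_coin() for _ in range(5)]
    issued = [y for _, y in coins]
    x_a, y_a = coins[2]
    x_d, y_d = coins[4]
    # A pays B and B deposits; D deposits independently. The bank keeps only the
    # snapshot digest and the proof for each deposit, never an index into the list.
    deposits = [prove_membership(issued, x_a), prove_membership(issued, x_d)]
    accepted = [verify_membership(issued, tr) for tr in deposits]
    # Revoking an UNSPENT coin works: delist y_d and a proof over the old list is refused.
    without_d = [y for y in issued if y != y_d]
    stale_refused = not verify_membership(without_d, deposits[1])
    # Revoking AFTER deposit does not: delist y_a and every transcript is equally
    # invalid under the new list, A's and D's alike, while both still verify
    # against the snapshot they were made for. Nothing singles out A's coin.
    without_a = [y for y in issued if y != y_a]
    under_old = [verify_membership(issued, tr) for tr in deposits]
    under_new = [verify_membership(without_a, tr) for tr in deposits]
    return accepted, stale_refused, under_old, under_new

if __name__ == "__main__":
    print(run_scenario())   # ([True, True], True, [True, True], [False, False])
```

The model deliberately leaves out what the thread also glosses over: double-spend detection for a coin that is proved twice against the same snapshot, and the step in which B's deposit is turned into a fresh coin. What it does show is the settlement point: the bank's stored transcript is a proof relative to one digest, so after a removal the bank can only re-verify everything against the old digest (all pass) or the new one (all fail), which is exactly why removal after deposit cannot claw a payment back.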