Stefan Brands writes:
> > ... By the way, to forestall Clarice unblinding the cash received 
> > from Dave and thus knowing the identity of the cash Alice gets, 
> > here's one option:
> > 
> > Alice provides the appropriate keys in an envelope Clarice 
> > encrypted to Dave, such that Dave encrypts the blinded cash 
> > he sends back to Clarice. Clarice cannot ever unblind this 
> > cash herself, as its locked in an envelope only Alice can 
> > open.

Tim describes here Ian Goldberg's double blinding scheme applied to
David Chaum's online protocol as implemented in the old DigiCash
system.

So this is the standard Chaum ecash.
======================================================================
serial-no               = (b^e).[R||h(R)] mod n
proto-coin              = serial-no^d mod n
                        = b.[R||h(R)]^d mod n
coin                    = proto-coin . b^-1 mod n  (ie divide by b)
                        = [R||h(R)]^d mod n
check-valid-coin(c)     = c^e mod n is of form [x||h(x)]
check-double-spent(c)   = bank records spent coins
trace-payee(c)          = payer gives bank b, bank records proto-coins as well

Ian's double blind protocol is that the shop chooses its own blinding
value b1, and then the user chooses his own blinding value b2, the bank
signs, the payer unblinds, the payee unblinds, and now the payee can't be
traced by the payer and bank.

======================================================================
payee-serial-no         = b1^e.[R||h(R)] mod n
payer-blinded           = b2^e.b1^e.[R||h(R)] mod n
payer-proto-coin        = b2.b1.[R||h(R)]^d mod n
proto-coin              = b1.[R||h(R)]^d mod n
coin                    = [R||h(R)]^d mod n
check-valid-coin(c)     = c^e mod n is of form [x||h(x)]
check-double-spent(c)   = bank records spent coins
trace-payee(c)          = can't do
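The two tables above, as an added Python example that is not part of the original post: Chaum's single-blind coin with the bank's trace-payee step, and Ian's double blind where the payer's b2 alone only strips back to the proto-coin. The bank key is built from two hard-coded Mersenne primes and the coin message is an 8-byte R with an 8-byte SHA-256 tag; both are assumptions made for the toy, not the DigiCash parameters.

```python
import hashlib

# Toy bank key from two Mersenne primes, hard-coded so the example runs offline
# (constructed for illustration; far too small for real use).
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def make_coin_message(r: bytes) -> int:
    """[R || h(R)] with R 8 bytes and h = first 8 bytes of SHA-256 (< N)."""
    assert len(r) == 8
    return int.from_bytes(r + hashlib.sha256(r).digest()[:8], "big")

def check_valid_coin(coin: int) -> bool:
    """Bank/shop check: coin^e mod n must have the form [x || h(x)]."""
    m = pow(coin, E, N)
    if m.bit_length() > 128:      # cannot be an 8+8 byte message
        return False
    raw = m.to_bytes(16, "big")
    return hashlib.sha256(raw[:8]).digest()[:8] == raw[8:]

def blind(msg: int, b: int) -> int:
    return (pow(b, E, N) * msg) % N      # b^e . msg mod n; b random, coprime to n

def unblind(sig: int, b: int) -> int:
    return (sig * pow(b, -1, N)) % N     # multiply by b^-1, i.e. divide by b

def bank_sign(blinded: int) -> int:
    return pow(blinded, D, N)            # bank signs without seeing msg

def single_blind_trace(proto_coin: int, b: int) -> int:
    """Chaum's trace-payee: the payer hands over b, the bank recorded the
    proto-coin it signed, so the bank recovers the coin the payee will spend."""
    return unblind(proto_coin, b)

def double_blind_withdrawal(r: bytes, b1: int, b2: int):
    """Ian's double blind: payee blinds with b1, payer re-blinds with b2,
    bank signs, each party strips only its own factor."""
    msg = make_coin_message(r)
    payee_serial = blind(msg, b1)            # payee -> payer
    payer_blinded = blind(payee_serial, b2)  # payer -> bank
    payer_proto = bank_sign(payer_blinded)   # bank -> payer  (bank records this)
    proto_coin = unblind(payer_proto, b2)    # payer -> payee (payer knows this)
    coin = unblind(proto_coin, b1)           # payee alone
    return payer_proto, proto_coin, coin
```

With the payer's b2 the bank gets only b1.[R||h(R)]^d, which is neither a valid coin nor the coin the payee spends; only b1, which never leaves the payee, completes the unblinding.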

> You cannot (a)buse my system(s) in this manner. The account that
> the payee will be able to deposit the money in is the account that
> is specified by the payer in his/her signature when making the
> payment. If payer-only untraceability is switched on in the design,
> the payee cannot prevent the payer's device(s) [user-controlled
> computer / smartcard] from learning the account to which the money
> can be deposited. That is, payer untraceable cash plus payer 
> untraceable cash in the other direction does NOT become mutually 
> untraceable cash.

While Ian's double blind protocol doesn't work with Stefan's secret
key certificate based cash, it would seem that accountless users who
use money-changers could work, as clearly parties who don't have
accounts, and just pay people who do have accounts to perform
transactions for them can't be traced.

But if the system depends upon a physical device to complete part of
the protocol, it could be arranged that one cannot participate
without one of the physical devices.  (A software only implementation
is prevented by using the device as a dongle.)

However, how could one prevent people from selling empty devices, or
swapping empty devices, or selling pre-loaded devices?  If the
blackmailer arranges to purchase a card (by paying a street person to
provide his true name for example), then he can have the extortion
proceeds paid to the street person's card, pay it into street person
A's true name account, then take the money out again, and pay his own
card.  Then the blackmailer can physically destroy the street person's
card, removing all possibility of the bank further tracing the money.

(The blackmailing scenario usually involves large amounts of money,
and so it might seem that the flow could be traced by volume alone.
However, by using a number of cards and demanding the payment in
smaller coins, the blackmailer can probably hide the transaction.  He
faces little risk even if the extorted person colludes with the bank
before some of the payments clear, as his own name is not on any of
the accounts he is using.  And he doesn't need to trust any third
party money changers because he is acting as his own money changer.)

Now clearly this is not to say that blackmailing is a nice thing, but
I think two way anonymous ecash is more interesting for users; it
encourages small value peer to peer commerce between users, and I
think is more likely to succeed in the market place, it is more user
friendly, more peer-to-peer.

I hope the above shows how it is difficult to impossible ultimately to
prevent the determined terrorist from obtaining anonymity whatever
technical means are built.  As Tim observes, terrorists can achieve
practical anonymity today, despite massive financial profiling,
tracing and logging, by shopping around.

It seems a shame to inconvenience all the legitimate users desiring
payee anonymity to protect against something which is ultimately
impossible.  Yes we can inconvenience the blackmailer, but if he is
aiming to get 1 million, he can afford to live with the inconvenience.
Making blackmail inconvenient might stop some petty unpleasantness,
but won't stop the large value blackmailer.

If instead people are encouraged to be pseudonymous, and hold assets
pseudonymously, it would appear that you can't blackmail a pseudonym,
so doing as many things as possible pseudonymously appears to reduce
the risk of being blackmailed.  If a person has a low profile in
meatspace, so that no one can have expectations that they are worth
blackmailing, their risk of being blackmailed is minimized.  So, let's
encourage a pseudonymous society, where financial privacy is taken
seriously.

I also comment that it might be possible to have users choose whether
they want to be able to make payee anonymous payments when they sign
up.  If you buy a card with your real name (as opposed to a
pseudonym) and you are worried about blackmail, you fill the form in
with "no payee anonymous payments over $50k/year" or whatever limit
you expect to spend.  Then this presents another (weak)
barrier for the blackmailer, he has to provide the user with another
card, but at least it presents the user with a choice.

Another observation is that most people don't have enough money to
make it worth attempting to blackmail them anyway -- there are
after-all risks to the blackmailer, as some physical actions have to
be taken.

So someone with some millions to protect can probably already protect
himself using some kind of legal contract arrangement where he has a
discretionary trust which will not pay blackmail demands.

For Joe Bloggs, your average citizen, I don't expect being extorted for
what's left of this week's wages is a concern.

If the barrier to entry for blackmail turns out to be lowered, and it
becomes common, the discretionary trust arrangement will become more
popular for lower net worth individuals who feel the need for it.

Adam
