Adam Back wrote:
> On Tue, Apr 09, 2002 at 08:37:05AM +0200, Anonymous wrote:
> > an off-line system inherently requires
> > users to identify themselves to the bank at withdrawal time.  
>
> Not quite inherently, there are other things you could do.  (This has
> been discussed before I think in [1] at least from reference in the
> thesis).  You could if you wished, rather than putting identity in the
> coin, put an anonymous escrow account number in the coin.  Users who
> preferred to be anonymous at withdrawal would put a deposit which is
> held in escrow like a good behavior bond.  If they double spend they
> are not identified but their escrow account is frozen.  The account
> could optionally be based on is-a-person credentials as a further
> inconvenience for double-spenders to have an account frozen, though
> is-a-person-credentials implies strong identification to a Registration
> Authority.  The actual withdrawal could then be made from the
> anonymous account hiding identity from the bank.  However similar
> effect can be achieved with accountless operation, which brings us to
> your next comment...

Two problems with this escrow idea.  First, as noted before, there is no
limit on how much can be double-spent in a short time, hence the escrow
account can't cover it.  This is not just a minor flaw, it makes the whole
escrow idea unworkable, because it completely fails to achieve its goal of
forcing the user to make good his double spends.

And second, because the deposit is unlinkable to the withdrawal, there is
no way for the bank to know when it can safely release the escrow amount
back to the withdrawer.  How long is the bank going to hold onto those
escrowed funds?  A week?  A month?  The withdrawer can simply wait until
after that time interval and then double spend without losing a cent.
And how many people are going to want to use a bank which makes them
set aside an equal amount of every withdrawal for some extended period?
That is absolutely impossible given how most people and businesses manage
their cash flow.

> With Brands off-line coins you _can_ anonymously exchange off-line
> coins at the bank if you choose to set it up that way.
>
> Technically how this works is using an attribute hiding refreshing
> protocol which issues a new fresh coin with the same attributes
> (identity, denomination) as the previous spent coin while revealing
> only some negotiated sub-set of the attributes of the old coin (in
> this case denomination), so the new coin is unlinkable for the bank
> and yet the bank is assured that it will contain the same identity
> that was certified originally so the bank will be able to recover the
> identity if it is later double spent.  There is a description of this
> protocol in section 5 of [3].  This works for off-line coins.  For
> transferable off-line coins you need additionally to update the
> 0-value last holder coin to match the value of the coin being
> exchanged, using the updating protocol (see section 5.2.1 in [2], or
> probably [1] may have some discussion).

Are you saying that if Alice pays Bob, he can anonymously exchange the
coins and end up with new fresh coins with ALICE's identity in them?
That's great, he can double spend all he wants and she ends up going
to the pokey.  No thanks.
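
For readers following the thread, an added example (not part of either message, and not code from Brands or the cited papers) of how an identity embedded in an off-line coin stays hidden after one spend but is recoverable from two. It is a simplified sketch in the style of Brands' representation-based coins: the bank's blind signature is omitted, the group parameters are toy-sized constructed values, and all function names are hypothetical.

```python
import secrets

# Toy parameters (constructed for illustration): P = 2Q + 1, both prime;
# G1 and G2 are quadratic residues, so each has order Q.
P, Q = 2039, 1019
G1, G2 = 4, 9

def make_coin(u):
    """Withdrawal: bind identity u into the coin (bank signature omitted)."""
    s = secrets.randbelow(Q - 1) + 1               # blinding factor, non-zero
    x1, x2 = secrets.randbelow(Q), secrets.randbelow(Q)
    A = pow(G1, u * s, P) * pow(G2, s, P) % P      # A = (G1^u * G2)^s
    B = pow(G1, x1, P) * pow(G2, x2, P) % P        # one-time commitment
    return (A, B), (u, s, x1, x2)

def spend(secret, d):
    """Payment: answer the payee's challenge d."""
    u, s, x1, x2 = secret
    return ((d * u * s + x1) % Q, (d * s + x2) % Q)

def verify(coin, d, resp):
    """Payee check: G1^r1 * G2^r2 == A^d * B."""
    A, B = coin
    r1, r2 = resp
    return pow(G1, r1, P) * pow(G2, r2, P) % P == pow(A, d, P) * B % P

def recover_identity(d_a, resp_a, d_b, resp_b):
    """Bank: two transcripts of one coin under different challenges give u."""
    if (d_a - d_b) % Q == 0:
        return None                                # same challenge: nothing leaks
    num = (resp_a[0] - resp_b[0]) % Q              # (d_a - d_b) * u * s
    den = (resp_a[1] - resp_b[1]) % Q              # (d_a - d_b) * s
    return num * pow(den, -1, Q) % Q               # s cancels, leaving u

if __name__ == "__main__":
    coin, secret = make_coin(u=123)                # 123 is a constructed identity
    first, second = spend(secret, 17), spend(secret, 400)
    print(verify(coin, 17, first), verify(coin, 400, second))
    print(recover_identity(17, first, 400, second))
```

The recovered value is whatever identity was bound at withdrawal, regardless of who performed the second spend.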
