[By forwarding this mail to the DBS list, Robert Hettinga agrees that he is an arrogant, obnoxious, power-hungry asshole with no moral integrity whatsoever.]
Adam Back wrote: > On Tue, Apr 09, 2002 at 06:17:06PM +0200, Anonymous wrote: > > And second, because the deposit is unlinkable to the withdrawal, there is > > no way for the bank to know when it can safely release the escrow amount > > back to the withdrawer. How long is the bank going to hold onto those > > escrowed funds? A week? A month? > > I suppose the bank would have to hold onto the funds until the coins > issued using that account as guarantee expired. Again, this escrow idea really can't work. Suppose Alice withdraws $100. Exactly how much additional would have to be withdrawn and put into an escrow account? $100? That would cover only one double-spend. But if someone is going to cheat and double-spend, knowing it will be detected later, obviously they will grab for as much as they can. Alice would have to put aside enough for hundreds or thousands of double-spends, or even more. So every time she withdraws $100, she has to set aside $100,000 in an escrow account. Does that sound realistic? Then, the money stays in the account for the expiration period of the coins, which would presumably be for weeks or months at least. You don't want coins expiring more often than that or there is too much danger of people's money going bad while they carry it. > Aside from the problem with limit you identify, I think generally the > precedent is already set by the non-electronic world: to engage in > transactions which typically require reputation and identity for > contract violation enforcement anonymously, you have to pony up cash > up-front. It's one thing to do this with pre-paid services, but quite another for a banking system which aims to be universal. Most people and businesses would find it absolutely impossible to use a payment system which had these properties. Every time they got some income, they can spend only a small fraction of it, depending on how big the escrow multiplier is. Hopefully it is clear that escrow cannot work as a way of dealing with double-spending after the fact. The only other alternative is for the bank to Know Its Customer intimately, and for there to be some kind of worldwide police which can track and arrest people anywhere. This would entail strengthening and centralizing international law enforcement, exactly the opposite of the trends we would want to encourage. > > Are you saying that if Alice pays Bob, he can anonymously exchange the > > coins and end up with new fresh coins with ALICE's identity in them? > > That's great, he can double spend all he wants and she ends up going > > to the pokey. No thanks. > > No that is prevented. > [Description of how the final payee refreshes his 0-value coin up to > the value of the transaction, without identifying himself] Okay, that sounds pretty good. But it's specific to Brands cash, right? The generic transferable off-line cash you described earlier can't do that. Of course Brands is patented up the wazoo. It's amazing the harm he and Chaum have done to the world by locking up their best ideas. And they didn't even get rich. What a waste. If either of them had the balls to put their patents into the public domain, they could make a very comfortable living just from consulting and speaking fees. > A correction on something I said earlier about Chaum double-blinding: > > | (There is the double blind Chaum variant, but it is even less > | convenient as both the payer and payee have to be online at what > | becomes a simultaneous withdrawl, spend and deposit time.) > > This is innacurate, it is actually a simultaneous withdrawal and > spend, followed by an arbitrarily later spend by the payee as the > payee knows the payer does not see the coin due to the extra blinding. Please, this is such ancient history. MTB's ecash died a long time ago, we don't need to keep rehashing how to work around its limitations. The right way to do Chaum cash with two-sided anonymity is simply to allow anonymous coin exchanges at the bank. There is no issue in recognizing the payee's deposited coins if he is fully anonymous and gets fresh coins at that time. In fact there don't need to be bank accounts at all, and in further fact there doesn't need to be a bank; just a coin exchanging mint. We talked about this a while ago. You start it up and it emits one coin, which represents all of the value of this mint's money supply. >From then on it does only one operation: you give it $X in old coins, and it gives you $X in new coins (possibly partitioned differently). When someone pays Alice, she turns it in at the bank and gets new coins, incidentally checking the old ones for validity and double-spending. Her new coins are completely untraceable and ready for whatever use she desires. She keeps all her money in her wallet. Third parties can offer secure backup services, exchange to other currencies, and even act as banks with accounts, loans and interest. None of this affects the mint. That's enough for an ecash system. It's simple, online, fully anonymous and untraceable. You might even be able to find someplace where it was legal, since the mint is not a bank. Or what the hell, put the fully automated mint onto a satellite and shoot it into orbit, with wireless data links to the net. At least it'd give the military asat people something to aim at.
