See also:

Auditable Anonymous Electronic Cash by Tomas Sander and Amnon Ta-Shma
in crypto 1998.

Its basically the idea of using non-interactive zero knowlede proof of
membership in a list of coins as an alternative to blinding.

The interesting thing is then the bank doesnt need a private key and doesnt
much need to be trusted.  Anyone can audit the list of coins, it is
published; same for double spend database.  The ZKP is a representation
problem (like Stefan Brands ecash/credentials).

They use Merkle trees to improve the computation efficiency (reduce the size
of the representation problems that have to be presented and verified).
Like bitcoin it provides auditability, but better than bitcoin it provides
cryptographically secure anonymity.  With bitcoin it is not anonymous, just
pseudonymous but traceable - because there is publicly auditable signature
chain showing transfers between pseudonyms.

Sander & Ta-Shma propose using it with a physical bank providing exchange,
but that could be replaced with variable cost hashcash like bitcoin.

I dont understood why bitcoin didnt use it - maybe Shatoshi wasn't aware of
it?  Or maybe he didnt want cryptographic anonymity for some reason.

(For Sander & Ta-Shma to work without a bank in the bitcoin-like setting for
the transfer of coins, we just need to give the recipient a fresh coin on
being the first to present a unspent spend transcript.  I think you could
make change and coin division work with the DLREP also).

In their setting Sander & Ta-Shma also can identify double-spenders because
their identity is included in one attribute of the DLREP that is revealed by
simultaneous equation if two different shows are made for the same coin.
Maybe would be something useful you could do with that feature in the
bitcoin setting.


On Mon, Jun 13, 2011 at 09:15:08PM -0600, Zooko O'Whielacronx wrote:
Also related, Eric Hughes posted about something he called "Encrypted
Open Books" on 1993-08-16. The idea was to allow an auditor to confirm
the correctness of the accounts without being able to see the details
of people's accounts.


cryptography mailing list
cryptography mailing list

Reply via email to