[Copied to Adam so he doesn't have to wait for some moderator to get off his fat ass and approve it. And BTW permission is NOT granted to forward this or any part of it to the DBS list because Hettinga is an asshole who kicks people off his list for spite. He can piss in his own sandbox if he wants but we don't have to play in it.]
Adam Back wrote: > On Mon, Apr 08, 2002 at 04:15:09AM +0200, Anonymous wrote: > > First, off-line coins suck, as described above. [...] > > Off-line coins just offer an extra optional feature for the user, any > user who chooses can instead use them as online coins. So I would > argue off-line coins are better than online coins. It's not just an extra feature; an off-line system inherently requires users to identify themselves to the bank at withdrawal time. It cannot allow users to anonymously exchange coins at the bank. So it has an inherent lack of anonymity which is not present in an online system. Furthermore, off-line coins require a complex infrastructure to work. Unlike online systems, where cheating is impossible, off-line systems attempt to locate and punish cheaters after the fact. How can that possibly work in an Internet system where people may be engaging in transactions all over the world? If someone cheats you from Timbuktu do you really expect the cops over there to track him down for you? Or maybe the bank will make good by forcing each person to keep a certain amount in their account to pay off creditors they have cheated? The problem there is that there is no limit to how fast people can cheat in an off-line system, so there is no way the bank can force people to keep enough in their account to cover cheating. In short, off-line cash simply can't work in an Internet economy. It violates the fundamental nature of the net, which is distributed and anonymous. An old cypherpunk aphorism says that any internet protocol which ends with "then the cops track down the bad guy" is fundamentally flawed. Off-line cash is a non-starter by this criterion. > > Transferred coins are recognizable and linkable. Hence they suck > > even worse than off-line coins. > > Tranferable off-line coins allow all kinds of cool anonymity features > as described above, I also argued above that the linkability > deficiency can somewhat defended against. Most of the anonymity features are just as applicable in an online system where people can exchange coins without identifying themselves. This allows for fully anonymous transactions with the bank and accountless operation. You talked about moneychangers, but the discussion was confusing. What exactly is a moneychanger? You seem to have an unstated assumption that moneychangers wouldn't be allowed by the bank and this was a way around that. But if transferrable off-line cash allows moneychangers, which the bank won't allow, then such a bank probably wouldn't provide for transferrable off-line cash either. Anyway, what the hell is a moneychanger, and why wouldn't a bank allow one? As for hidden banks, there is no evidence yet that people are clamoring to trust their hard earned savings to a bank which won't even show its face and which could abscond with the entire money supply at any time without penalty. Turning to the fact that the off-line coin chains are linkable, that's such an ugly blot on the whole idea that it deserves to kill it on those grounds alone. In one stroke you've gone from mathematical anonymity to "somewhat" anonymity. It's reminiscent of Dan Simon's fully linkable "cash", where he offered the same sort of lame ideas like spending to yourself a few times. If all you want is pretend anonymity then don't bother with the fancy mathematics. Real anonymity means unlinkable coins. End of story. > And transferable off-line coins add yet more flexibility, while again > not preventing online clearing for those that prefer it. While some > of the features have the linkability artifact, those features are > optional and the user has free choice to select methods to avoid > entirely or defend against linkability by any of the available methods > respectively fetching fresh online coins, using money-changers to do > the same more off-line, and self re-spending to add confusion. Hence > transferable off-line coins are already superior to both > non-transferable off-line coins and online coins due to the selection > of choice of new features and trade-offs offered to the users. All we > need now is a way to more robustly defeat linkability. Linkability can't be defeated. The Chaum&Pedersen paper implies that anyone can collude with the bank to determine if a coin is a later instance of one they held earlier. They simulate a second spend of their earlier coin, and let the bank determine if that produces a double-spending match with the later one, which it would have to do if they were both on the same chain. Hence there is no way even in principle to avoid chain linkability. Let's face it, transferrable off-line coins have so many limitations and weaknesses that they are not worth pursuing. Going forward, everyone will be online all the time via wireless connections, as with the current Blackberry handhelds. Online systems can provide more anonymity than off-line, including accountless, transfer based payments, with no need ever to identify yourself to a bank. And you don't have to rely on the Keystone Kops to catch the guy who passed you a bad coin, because you can protect yourself from getting ripped off in the first place.
