On Thu, Oct 20, 2005 at 03:36:54PM -0700, cyphrpunk wrote: > As far as the issue of receipts in Chaumian ecash, there have been a > couple of approaches discussed. > > The simplest goes like this. If Alice will pay Bob, Bob supplies Alice > with a blinded proto-coin, along with a signed statement, "I will > perform service X if Alice supplies me with a mint signature on this > value Y". Alice pays to get the blinded proto-coin Y signed by the > mint. Now she can give it to Bob and show the signature on Y in the > future to prove that she upheld her end.
I like this one, though there might be a problem if Alice does everything, except giving Bob the signed version of Y in the end. I can imagine scenarios where this might be a problem. However, it can be relatively easily solved if the mint publishes every signed proto-coin (instead of being handed to the payer, it goes to the public records, from where the payer can retrieve it). There's no reason not to. > A slightly more complicated one starts again with Bob supplying Alice > with a blinded proto-coin, which Alice signs. Now she and Bob do a > simultaneous exchange of secrets protocol to exchange their two > signatures. This can be done for example using the commitment scheme > of Damgard from Eurocrypt 93. Bob gets the signature necessary to > create his coin, and Alice gets the signed receipt (or even better, > perhaps Bob's signature could even constitute the service Alice is > buying). This one requires additional infrastructure which needs to be rolled out, which is expensive. Simultaneous exchange of secrets is an elegant cryptographic feat, but the required tools are not available to the general public right now and the motivation to obtain them are insufficient. Thus, a system relying on this cannot be phased in cheaply. > I would be very interested to hear about a practical application which > combines the need for non-reversibility (which requires a degree of > anonymity) with the need to be able to prove that payment was made > (which seems to imply access to a legal system to force performance, > an institution which generally will require identification). I claim that a system that provides both features will be prefered by users to one that provides only one or neither. The desirability of a payment vehicle depends on the assortment of goods and services available for it. Now, the lack of non-reversibility might be either a show-stopper or a significant additional cost in the case of some goods and services, while receipts are required in the case of others. Both might be required for transactions in the $100 ... $1000 range between a power-seller and one-time buyers in a low-trust environment. From the seller's point of view, the risk of a reversal might not be acceptable (basically, he cannot assess the probability of it, while the cost is substantial), because the value is too high, so he needs irreversibility. >From the buyer's point of view, the risk of losing the money is not catastrophic, but highly undesirable; he wants to be able to name-and-shame the fraud. This would provide the seller with enough incentives to deliver and enough security to go ahead with the deal. The "legal system" in this case is just provable reputation-tracking, which in case of non-performance deprives the seller of future custom. -- Daniel