Anonymous gives some comments on some deficiencies in the properties of the transferable ecash schemes to date:
On Mon, Apr 08, 2002 at 04:15:09AM +0200, Anonymous wrote:
> [...]
> And second, because they grow, it is possible to tell exactly how
> many hands a particular coin has passed through - just count the
> transcripts of previous spends. So coins are not all that
> anonymous. And further, there is no re-blinding of the earlier
> transcripts. The Alice transcript is in the clear in all following
> uses of that same coin. Transferred coins are recognizable and
> linkable.

While it is true that the coins are unavoidably linkable, the linkability will only leak information where a user happens to see the same coin twice as it gets re-spent, as he can recognize this. As the chain length is also visible he knows how many hands it has gone through since he spent it. However he has no way to identify the intermediate payers except the last payer. The amount of identifying information the immediate payer discloses is up to that payer, though some identification may be relatively hard to avoid if there is no anonymous communication link used. So in general the shorter the intermediate chain, the more revealing the observation is about the first and last payer in the intermediate chain.

The more people who collude, the more chance there is that the colluding group can find samples of respent coins and so identify or gain information about the transactions of a target payer or payee.

The transaction information leakage from the linkability may be fairly limited in practice -- for example, by comparison, how much transaction leakage would you expect to get as an individual or small group of colluding individuals if you write down the serial number on a bank note and wait until you see it again -- or even if a bank were to perform the same experiment, and they are far more likely to see it again due to volume. The issue will tend to be worse in small payment communities.
Clearly it's not ideal, and it is useful to think about things you could do to improve the situation:

- One thing that could be done to obscure this is to add a few extra random spending hops (say 0-2) which the user can do himself by spending to himself, though this comes at some extra space overhead. The recipient won't be able to distinguish self-spends from third-party spends.

- Another defense would be to use a third party money-changer to exchange coins for different coins. Basically to shuffle coins around a bit so that receiving a coin from someone with a short enough chain length between current and recognised spend to normally leak some information will no longer gain useful information.

Ideas for more robustly fixing it:

- Perhaps there is a way to encrypt the original chain with the bank's public key with a randomizable encryption algorithm such as Elgamal and yet retain sufficient proofs that the encrypted chain contains coin transcripts which would identify the appropriate party if the coin were double spent, and such that people handling the coin are assured of its issue value.

Also here are some comments on the conclusions:

> So it works, but broadly speaking there are two problems. First, off-line
> coins suck, as described above. And second, because they grow, it is
> possible to tell exactly how many hands a particular coin has passed
> through - just count the transcripts of previous spends. So coins are
> not all that anonymous. And further, there is no re-blinding of the
> earlier transcripts. The Alice transcript is in the clear in all
> following uses of that same coin. Transferred coins are recognizable
> and linkable. Hence they suck even worse than off-line coins.

Online actions are harder to perform anonymously, therefore added flexibility to behave more off-line is good for anonymity.
Off-line and transferable off-line coins add several new features which are useful to an anonymous user:

- ability to transfer rather than deposit, so better hiding payee identity from the bank for payers that want this (there are good uses for payee privacy as well as payer privacy)

- accountless operation is better for privacy than forcing payments to be deposited and withdrawn, as it also gives a user privacy of transaction volume; however accountless operation where you have to connect to the bank in real time (online protocol) makes it more difficult to remain anonymous due to the need for interactive low-latency communication

- a money changer is much easier and more realistic to operate with off-line transferability -- it's basically impossible for the bank to detect with off-line transferability. With online coins a money changer would stand out exchanging a lot of coins through its account (with forced-account option), plus even with accountless online exchange of fresh coins at the bank it's harder for the money changer to hide its identity due to its necessarily high bandwidth, low-latency interactive communication link with the bank (precisely the kind of anonymity which is hardest to achieve).

- also you don't have to trust the money changer with off-line transferability -- he does not see blinding factors (though of course there is the double blind protocol variant with online Chaum, this double blinding is not possible with other protocols, eg Brands I think). Conveniently the money changer also has an incentive to not cheat if the bank is hostile to this kind of operation -- or he will be identified, so users can be fairly confident in the unlikelihood of the money-changer double spending.
- it becomes more plausible to have a hidden bank, as the communication links to it could be quite strongly protected with high latency, more anonymous communication links such as mixmaster and usenet message pools, while still allowing interactive payments and re-spending.

So in summary I think transferable off-line gives you a large number of advantages. The features are entirely selectable by the different users. People who want immediate clearing and to avoid all risk of being left with a double spent coin and having to go to the bank and wait for the bank to extract the funds from the double spender can still achieve that, as online clearing is a sub-protocol. People who want to trade off some of that guarantee for the kinds of applications and features discussed above can do so where they could not with a purely online payment scheme.

> First, off-line coins suck, as described above. [...]

Off-line coins just offer an extra optional feature for the user; any user who chooses can instead use them as online coins. So I would argue off-line coins are better than online coins.

> Transferred coins are recognizable and linkable. Hence they suck
> even worse than off-line coins.

Transferable off-line coins allow all kinds of cool anonymity features as described above; I also argued above that the linkability deficiency can be somewhat defended against. And transferable off-line coins add yet more flexibility, while again not preventing online clearing for those that prefer it. While some of the features have the linkability artifact, those features are optional and the user has free choice to select methods to avoid entirely or defend against linkability by any of the available methods, respectively fetching fresh online coins, using money-changers to do the same more off-line, and self re-spending to add confusion.
Hence transferable off-line coins are already superior to both non-transferable off-line coins and online coins due to the selection of choice of new features and trade-offs offered to the users. All we need now is a way to more robustly defeat linkability.

Adam
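The chain-length leak and the self-respend padding discussed in this message, as an added toy model that is not part of the original post or of any ecash implementation: transcripts are opaque random tokens (no blinding or signatures are performed), `Coin`, `Observer`, `circulate` and `simulate` are names chosen here, and the observer learns only how many transcripts were appended since it last held the coin.

```python
"""Toy model: a transferable off-line coin whose transcript chain only grows,
an observer who recognizes a coin it has handled before, and random 0..k
self-spends that hide the true number of third-party transfers.
Constructed illustration, not a cryptographic ecash scheme."""
import random
from dataclasses import dataclass, field


@dataclass
class Coin:
    """Every spend appends a transcript; all later holders can see the whole chain."""
    serial: int
    transcripts: list = field(default_factory=list)

    def spend(self, rng):
        # In a real scheme this would be the payer's challenge/response; here it is
        # an opaque token, so a holder learns chain length but not who the payers were.
        self.transcripts.append(rng.getrandbits(32))


class Observer:
    """A party who records the chain length each time it receives a coin."""
    def __init__(self):
        self.seen = {}  # serial -> chain length when last received

    def receive(self, coin):
        previous = self.seen.get(coin.serial)
        hops = None if previous is None else len(coin.transcripts) - previous
        self.seen[coin.serial] = len(coin.transcripts)
        return hops  # transcripts added since this observer last held the coin


def circulate(coin, holders, rng, max_self_hops):
    """Pass the coin through `holders` third parties; each pads the chain with 0..max_self_hops self-spends."""
    for _ in range(holders):
        coin.spend(rng)  # genuine transfer to the next holder
        for _ in range(rng.randint(0, max_self_hops)):
            coin.spend(rng)  # holder spends the coin to himself to add confusion


def simulate(holders, max_self_hops, seed=0):
    """Return (hops the observer infers, true number of third-party transfers)."""
    rng = random.Random(seed)
    coin, bob = Coin(serial=42), Observer()
    coin.spend(rng)  # withdrawal and first spend to Bob
    bob.receive(coin)
    circulate(coin, holders, rng, max_self_hops)
    coin.spend(rng)  # the last holder pays Bob again
    return bob.receive(coin), holders + 1


if __name__ == "__main__":
    print("no padding:", simulate(3, 0), "padded:", simulate(3, 2))
```

Without self-spends the inferred hop count equals the true number of transfers exactly; with padding it is only an upper bound, which is the point of the 0-2 extra hops suggested above.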
