Re: [cryptography] sander ta-shma + bitcoin, b-money, hashcash (Re: Is BitCoin a triple entry system?)
James A. Donald jam...@echeque.com writes:

> On 2011-06-15 1:29 AM, Ian G wrote:
>> Which, to my mind was the same sin as the alternate: obsession with privacy, including to the extent of eliminating the core requirements of money.
>>
>> The first law of money is that it has to be safe:
>>
>> http://forum.bitcoin.org/index.php?topic=16457.0
>
> Reversible (soft) money has to have at its foundation irreversible and final hard money.

I think the owner of the lost BTC is about to find this out the hard way if he tries to follow one suggestion for recovering the bits:

  go to the police! 25k BTC are about $500.000, thats crazy! they can investigate and find out who it was.

at which point the police will either (a) laugh him out of the station or (b) ask him to take a urine/blood test to figure out what he's on.

Peter.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] sander ta-shma + bitcoin, b-money, hashcash (Re: Is BitCoin a triple entry system?)
Efficiency is relative. Vs a central bank and Brands credentials it's inefficient - a handful of modexps vs say one hundred or a thousand.

Vs bitcoin with longest hash chain wins, and minimum hash being 10 minutes work for the entire network, I think straight DLREP on all the coins in a time interval is OK. And having to wait for a few intervals to have confidence your transferred coin is in a non-orphan chain to have confidence vs pretty much instant deposit.

Note you can tune the time interval size, and so the size of the DLREP problem. DLREP is linear in the number of coins.

Adam

On Tue, Jun 14, 2011 at 07:40:10PM +1000, James A. Donald wrote:
> It is not a design, but an idea for a design. There is no efficient zero knowledge proof that has the required properties.
>
> On 2011-06-14 6:13 PM, Adam Back wrote:
>> [...] They use Merkle trees to improve the computation efficiency (reduce the size of the representation problems that have to be presented and verified).
>>
>> I don't understand why bitcoin didn't use it

Re: [cryptography] sander ta-shma + bitcoin, b-money, hashcash (Re: Is BitCoin a triple entry system?)
On 2011-06-14 6:13 PM, Adam Back wrote:
> See also:
>
> Auditable Anonymous Electronic Cash by Tomas Sander and Amnon Ta-Shma in crypto 1998.
>
> http://www.math.tau.ac.il/~amnon/Papers/ST.crypto99.pdf
>
> It's basically the idea of using non-interactive zero knowledge proof of membership in a list of coins as an alternative to blinding. The interesting thing is then the bank doesn't need a private key and doesn't much need to be trusted. Anyone can audit the list of coins, it is published; same for double spend database.
>
> The ZKP is a representation problem (like Stefan Brands ecash/credentials). They use Merkle trees to improve the computation efficiency (reduce the size of the representation problems that have to be presented and verified).
>
> Like bitcoin it provides auditability, but better than bitcoin it provides cryptographically secure anonymity. With bitcoin it is not anonymous, just pseudonymous but traceable - because there is publicly auditable signature chain showing transfers between pseudonyms.
>
> Sander Ta-Shma propose using it with a physical bank providing exchange, but that could be replaced with variable cost hashcash like bitcoin.
>
> I don't understand why bitcoin didn't use it

It is not a design, but an idea for a design. There is no efficient zero knowledge proof that has the required properties.

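An added example, not code from the thread or from the Sander and Ta-Shma paper: a non-interactive (Fiat-Shamir) proof of knowledge of a discrete-log representation, the building block behind the "representation problem" and "DLREP" discussed in the messages above. It shows why prover and verifier cost grow linearly with the number of generators; it does not implement the paper's coin-membership proof. The 11-bit group, the one-generator-per-coin mapping and all function names are assumptions constructed for the demonstration.

```python
import hashlib
import secrets

# Toy group constructed for this example only: P = 2*Q + 1 with Q prime.
# 11 bits is far too small to be secure; real parameters are thousands of bits.
P, Q = 2039, 1019


def generators(n):
    """n hash-derived elements of the order-Q subgroup (assumed: one per coin)."""
    gs, i = [], 0
    while len(gs) < n:
        x = int.from_bytes(hashlib.sha256(b"gen%d" % i).digest(), "big") % P
        g = pow(x, 2, P)      # squaring maps into the order-Q subgroup
        if g > 1:             # skip 0 and the identity
            gs.append(g)
        i += 1
    return gs


def commit(gs, exps):
    """prod g_i^e_i mod P: one modular exponentiation per generator."""
    acc = 1
    for g, e in zip(gs, exps):
        acc = acc * pow(g, e, P) % P
    return acc


def challenge(gs, h, t):
    """Fiat-Shamir: hash the statement and commitment instead of asking a verifier."""
    data = ",".join(map(str, gs + [h, t])).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(gs, h, secret):
    """Show knowledge of a_i with h = prod g_i^a_i without revealing the a_i."""
    w = [secrets.randbelow(Q) for _ in gs]          # fresh blinding exponents
    t = commit(gs, w)
    c = challenge(gs, h, t)
    return t, [(wi + c * ai) % Q for wi, ai in zip(w, secret)]


def verify(gs, h, proof):
    """Accept iff prod g_i^r_i == t * h^c; cost is len(gs) + 1 exponentiations."""
    t, r = proof
    if len(r) != len(gs):
        return False
    return commit(gs, r) == t * pow(h, challenge(gs, h, t), P) % P
```
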
Re: [cryptography] sander ta-shma + bitcoin, b-money, hashcash (Re: Is BitCoin a triple entry system?)
On 2011-06-15 1:29 AM, Ian G wrote:
> Which, to my mind was the same sin as the alternate: obsession with privacy, including to the extent of eliminating the core requirements of money.
>
> The first law of money is that it has to be safe:
>
> http://forum.bitcoin.org/index.php?topic=16457.0
>
> This is the fundamental reason why we have reversible transactions in systems to account for money ... (whatever we think of the result, there is a reason why we have that feature). This is also why nymous (public-key identified) transaction systems will always beat out coin-based (blinded) systems in the long run.

This seems inconsistent with the May scale of monetary hardness, and the ancient appeal of gold money.

Reversible (soft) money has to have at its foundation irreversible and final hard money. Thus, in the days of the gold standard, all the banks would do final settlement in gold, and people tended to pay in banknotes.