- From: Goss, Brian C., M.D. <Goss.Brian@mayo.edu>
- Date: Wed, 30 Oct 2013 12:36:57 +0000
- To: 'Niels Möller' <nisse@lysator.liu.se>, "public-webpayments@w3.org" <public-webpayments@w3.org>
I'm a little uncertain how this setup is different from Chaum's Digicash of 20-30 years ago, aside from using Bitcoin as the backing rather than traditional currency. I also don't understand why, in your system, banks don't need to know any "real names of their users." Banks always require knowing the names of their users (at least in the US); and even true Swiss professional banker - customer confidentiality is a thing of the past. The identity regulations come in to play at the exchange points between traditional currency and digital currency -- even for Bitcoin. What didn't work well about Chaumian digicash (specifically, his second version that disclosed identity upon a double spend) was that digicash was like toilet paper (single use only) and no better than a check (it can bounce and all you have is an identity to collect from). The root of the problem is identity. Digicash and Bitcoin are both attempts at making digital cash equivalents, but neither really function as cash. Digicash needed real world identity and a redemption model (like at a bank); Bitcoins are fungible (can be used over and over), but have a pseudonym tied to each and every transaction for ever (or at least a "long time" depending on archival strategies for "prune-able" transactions). The problem with identity is three-fold: 1) A person's true/real world identity is tough to verify 2) Even with a verified identity and irrefutable debt, it's costly to collect payment from an identity (think cops, courts, etc) 3) Pseudonymous identities, such as you describe here (If I'm reading this correctly), are easy to make by the dozens. The solution? I'm no expert, but, if instead of encoding a real world or even a pseudonymous identity (even one that cost something to produce) into a digital currency token (to be revealed if double spent), why not incorporate more of the currency that is payable upon double spending? For example, if Merchant Madeline receives 1 unit of a hypothetical currency called W3C credits from Buyer Beatrice, and Beatrice tries to also use that same 1 credit to pay back Creditor Claudia, then Beatrice loses the (variable amount of) excess W3C credits backing the 1 credit she issued twice (perhaps each recipient could deduct the up to the amount they were owed from these "excess backing credits"). This could probably be implemented over the Bitcoin block chain to permit offline/off chain transactions. I don't see any way around an/pseud-onymity that doesn't cost the Buyer something. Banks made double spending via check difficult by enforcing the Buyer to disclose their identity to the Merchant; Digicash digitized this process but made it even less useful than a check (which can be endorsed to a third party); Keyhotee (http://invictus-innovations.com/keyhotee/) attempts to make your digital identity valuable (mined)...but, at the end of the day, it needs to cost the Buyer 2x as much (or more) to perform a double spend (and scale linearly or higher order for multiple spends) and each recipient needs to recover the amount they are due (or more). -----Original Message----- From: public-webpayments-request@listhub.w3.org [mailto:public-webpayments-request@listhub.w3.org] On Behalf Of Niels Möller Sent: Tuesday, October 29, 2013 2:51 AM To: public-webpayments@w3.org Subject: Anonymous digital cash, on top of bitcoin Some years ago, for my masters thesis I wrote a prototype system for anonymous offline digital cash (a technically solved problem). But it was a bit difficult to make it useful in practice without cooperating with some established bank, and to banks, anonymity is a very unattractive feature. Today we have bitcoins. I'm not very familiar with how it works, but the main feature is that it is decentralized, with no single bank or government in control. It is pseudonymous, but *not* anonymous. There's the global public database of all transactions ever. The other day, it striked me that it's possible to create a system for anonymous digital cash, with gateways to bitcoin rather than gateways to traditional banks. To review how a digital cash system can work, the system I worked with (Stefan Brands') was based on the following three protocols: 1. Withdrawal. User withdraws coins from his/her account at the bank. The protocol forces the user's identity to be encoded in into the coins. 2. Payment. Paying with the coin involves a proof-of-knowledge, constructed. The user's identity is unconditionally hidden, as long as each coin is used only once, but the identity is leaked if the same coin is spent twice. The bank is not a party to this protocol (so it's an "offline" system). 3. Deposit. The receiver of the coin gives the bank something close to a transcript of the payment transaction. Bank checks for double spending (and can derive the identity of any double-spender), and credits the receivers account. So coins are single use (not transferable). It's anonymous in the way that any party observing only the withdrawals and deposits, e.g., the bank, cannot link which coin withdrawal corresponds to which later deposit. Traffic analysis may still be possible, depending on volume and other circumstances. Now, to make this system interoperate with bitcoins, add the following features: * Transfer bitcoins to the bank, and have them credited to your account (or if you like, to anybody else's account). * Withdraw bitcoins from your account. * Make it possible to do the deposit protocol, without any account at the bank. Instead of crediting an account, the bank gives back bitcoins. * Let the bank accept payments (i.e., play the receiver role for the payment protocol) for coins issued by other banks. And credit an account of the payer's choice. Since the other bank is untrusted, there will be some delay while our bank deposits the coins at the other bank and gets bitcoins back. These additional transaction types are no more anonymous than bitcoin is, but that's the price for interoperability, I guess. Now, anyone can set up such a bank service, without any cooperation with any traditional bank or payment processor. Users need to trust the banks they choose to deposit money with, obviously, but different banks need not trust eachother, and banks don't need to know any "real names" of their users. Some questions: * In which jurisdictions is such a service legal? I'm fairly sure it was legal an Sweden some 15 years ago (spoke to a lawyer at my university, and apparently banking regulations don't apply until you start to lend out other people's money, which makes sense). But I'm not sure it still is, with the more recent "money laundering" laws. * Any existing organization who could be trusted and willing to run a bank issuing anonymous digital coins? EFF? Mozilla? flattr? * Is this on-topic for the web-payments group? I'm not sure if you consider anonymity to be a very important feature. * Are there any other *anonymous* payment systems in the works which I should know about? I haven't been active in the area for some years. Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26. Internet email is subject to wholesale government surveillance.
Received on Wednesday, 30 October 2013 12:37:24 UTC