Re: Anonymous digital cash, on top of bitcoin

"Goss, Brian C., M.D." <Goss.Brian@mayo.edu> writes:

> Why have a bank at all? If somehow having two digitally signed
> transactions using the same token (or input in bitcoin speak) can
> reveal a private key or decrypt a token of value from the double spent
> token itself? You wouldn't need a bank to construct such a token if it
> were backed and redeemed in bitcoin.

Good question. Let me do some hand-waving.

In principle, the tokens are of the form (x, r), where x is the user's
secret identity, and r is a random number. (In the actual system, we're
likely not working with (x, r) directly, but instead with x g + r h
where g and h are elements in some group).

When paying with the token, you reveal x + c r, where c is a random
challenge value provided by the seller. Paying twice, with two distinct
challenges c and c', clearly reveals x.

So what is the bank's role? It's involved in several ways:

1. The bank collects the transaction info, so it gets both c and c' in
   case a user double spends.

2. Its involvement in the withdrawal protocol forces the user's token to
   be of the right form. We can't let a user freely choose a token
   (r1, r2), where both elements are meaningless random numbers. I don't
   remember exactly how this works, but I think there's a protocol
   between user and bank to construct the token, and then the bank will
   sign the resulting token using the bank's private key.

3. It provides the meaning for the identifier "x", and makes knowledge
   of x valuable (knowledge of x provides ownership of the user's bank
   account)

4. And it keeps track of how many coins each user creates.

To me, it seems reasonable that (1) can be replaced with a public
transaction database.

And (3) could perhaps be replaced with a general-purpose lost-and-found
service for secret keys: You hand the service a public key and some
bitcoins. The service pays out to the first one who provides it with a
valid signature on the message "secret revealed, please pay reward to
bitcoin account y", corresponding to the key in question. The service
could also sign some certificate to that effect.

For (2), we'd need some clever mathematics. When posting, I was thinking
that it would be easy to just take existing protocols and add some
bitcoin gateway. I'd have to look deeper into the protocols to
understand what it takes to eliminate the bank.

And for (4), this looks like the fundamental difficulty. Say I convert 1
bitcoin into anonymous digital cash. I pay someone with that cash. The
receiver converts it back to bitcoins. How's that disappearing and
reappearing bitcoin going to look in the bitcoin transaction database?
And to get any anonymity, it seems necessary that a large number of
users' transactions are aggregated, right?

So I think this line of thought leads to the following answer:

   We need some private keys which will act as owners of all bitcoins
   which have been "converted" into digital cash. Let's call the holders
   of those keys "banks". And for anonymity, there must be a lot fewer
   banks than users.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.

Received on Wednesday, 30 October 2013 14:33:08 UTC
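
The double-spend algebra sketched in the message above, as an added example that is not part of the original post: a spend log standing in for the transaction database of point (1) recovers x once one token has been spent under two distinct challenges. Assumptions: the code works directly on the scalars (x, r) rather than on x g + r h, and the modulus `Q`, the class `SpendLog` and the `token_id` label are hypothetical names chosen here.

```python
import secrets

Q = 2**127 - 1  # prime modulus for the toy scalar field (assumption)

def new_token(x):
    """Token (x, r): x is the user's secret identity, r is fresh randomness."""
    return (x % Q, secrets.randbelow(Q - 1) + 1)

def spend(token, c):
    """Value x + c*r revealed to a seller who issued challenge c."""
    x, r = token
    return (x + c * r) % Q

def recover_identity(c1, s1, c2, s2):
    """Solve s1 = x + c1*r and s2 = x + c2*r for x.

    Returns None when the challenges coincide: that leaves one equation
    in two unknowns, so x cannot be solved for.
    """
    d = (c1 - c2) % Q
    if d == 0:
        return None
    r = (s1 - s2) * pow(d, -1, Q) % Q
    return (s1 - c1 * r) % Q

class SpendLog:
    """Hypothetical stand-in for the transaction database of point (1)."""
    def __init__(self):
        self.seen = {}  # token_id -> (c, s) of the first recorded spend

    def record(self, token_id, c, s):
        """Return the spender's x on a double spend, otherwise None."""
        first = self.seen.setdefault(token_id, (c, s))
        if first == (c, s):
            return None  # first spend, or a replay of the same transcript
        return recover_identity(first[0], first[1], c, s)

def demo():
    """Spend one token twice with constructed challenges 1111 and 2222."""
    log = SpendLog()
    token = new_token(123456789)  # constructed identity value
    first = log.record("coin-1", 1111, spend(token, 1111))
    second = log.record("coin-1", 2222, spend(token, 2222))
    return first, second

if __name__ == "__main__":
    print(demo())
```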