- From: Niels Möller <nisse@lysator.liu.se>
- Date: Wed, 30 Oct 2013 15:32:40 +0100
- To: "Goss, Brian C., M.D." <Goss.Brian@mayo.edu>
- Cc: "public-webpayments@w3.org" <public-webpayments@w3.org>
"Goss, Brian C., M.D." <Goss.Brian@mayo.edu> writes:

> Why have a bank at all? If somehow having two digitally signed
> transactions using the same token (or input in bitcoin speak) can
> reveal a private key or decrypt a token of value from the double spent
> token itself? You wouldn't need a bank to construct such a token if it
> were backed and redeemed in bitcoin.

Good question. Let me do some hand-waving.

In principle, the tokens are of the form (x, r), where x is the user's secret identity, and r is a random number. (In the actual system, we're likely not working with (x, r) directly, but instead with x g + r h where g and h are elements in some group).

When paying with the token, you reveal x + c r, where c is a random challenge value provided by the seller. Paying twice, with two distinct challenges c and c', clearly reveals x.

So what is the bank's role? It's involved in several ways:

1. The bank collects the transaction info, so it gets both c and c' in case a user double spends.

2. Its involvement in the withdrawal protocol forces the user's token to be of the right form. We can't let a user freely choose a token (r1, r2), where both elements are meaningless random numbers. I don't remember exactly how this works, but I think there's a protocol between user and bank to construct the token, and then the bank will sign the resulting token using the bank's private key.

3. It provides the meaning for the identifier "x", and makes knowledge of x valuable (knowledge of x provides ownership of the user's bank account).

4. And it keeps track of how many coins each user creates.

To me, it seems reasonable that (1) can be replaced with a public transaction database. And (3) could perhaps be replaced with a general-purpose lost-and-found service for secret keys: You hand the service a public key and some bitcoins. The service pays out to the first one who provides it with a valid signature on the message "secret revealed, please pay reward to bitcoin account y", corresponding to the key in question. The service could also sign some certificate to that effect.

For (2), we'd need some clever mathematics. When posting, I was thinking that it would be easy to just take existing protocols and add some bitcoin gateway. I'd have to look deeper into the protocols to understand what it takes to eliminate the bank.

And for (4), this looks like the fundamental difficulty. Say I convert 1 bitcoin into anonymous digital cash. I pay someone with that cash. The receiver converts it back to bitcoins. How's that disappearing and reappearing bitcoin going to look in the bitcoin transaction database? And to get any anonymity, it seems necessary that a large number of users' transactions are aggregated, right?

So I think this line of thought leads to the following answer: We need some private keys which will act as owners of all bitcoins which have been "converted" into digital cash. Let's call the holders of those keys "banks". And for anonymity, there must be a lot fewer banks than users.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
Received on Wednesday, 30 October 2013 14:33:08 UTC
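The double-spend identification sketched in the mail above (token (x, r), response x + c r, two distinct challenges pin down x) as an added worked example; this is not code from the thread or from any deployed e-cash system. It models the arithmetic directly modulo a constructed prime P instead of the group commitment x g + r h the mail mentions, and the token_id serial and the Ledger standing in for the bank's role (1) are assumptions of the example.

```python
"""Toy model of the double-spend argument from the mail (added example).
Tokens are (x, r) modulo a constructed prime P; x g + r h is not modelled."""
import secrets
from dataclasses import dataclass, field

P = 2**127 - 1  # constructed prime modulus (Mersenne prime M127)


@dataclass
class Token:
    x: int         # user's secret identity
    r: int         # per-token random blinding value
    token_id: int  # assumed public serial, so a ledger can match two spends


def pay(token: Token, c: int) -> int:
    """Payer's response to the seller's random challenge c: s = x + c*r mod P."""
    return (token.x + c * token.r) % P


def explain_single_spend(s: int, c: int, x_guess: int) -> int:
    """One spend hides x: for ANY guessed identity there is an r giving the same s."""
    return ((s - x_guess) * pow(c % P, -1, P)) % P


def recover_identity(c1: int, s1: int, c2: int, s2: int) -> int:
    """Two spends with distinct challenges: eliminate r, then solve for x."""
    if (c1 - c2) % P == 0:
        raise ValueError("challenges must differ, or x stays hidden")
    r = ((s1 - s2) * pow((c1 - c2) % P, -1, P)) % P
    return (s1 - c1 * r) % P


@dataclass
class Ledger:
    """Bank role (1) from the mail: collect every (challenge, response) per token."""
    seen: dict = field(default_factory=dict)

    def deposit(self, token_id: int, c: int, s: int):
        """None on a first spend; the exposed identity x on a double spend."""
        if token_id not in self.seen:
            self.seen[token_id] = (c, s)
            return None
        c1, s1 = self.seen[token_id]
        return recover_identity(c1, s1, c, s)


def demo() -> tuple:
    """Random identity, an honest first spend, then a double spend of the same token."""
    tok = Token(secrets.randbelow(P), secrets.randbelow(P), secrets.randbits(64))
    ledger, c1, c2 = Ledger(), secrets.randbelow(P), secrets.randbelow(P)
    first = ledger.deposit(tok.token_id, c1, pay(tok, c1))
    second = ledger.deposit(tok.token_id, c2, pay(tok, c2))
    return first is None, second == tok.x
```

Without a shared ledger (or the public transaction database the mail proposes in its place) the two responses never meet, which is exactly why role (1) matters even when the arithmetic alone suffices to expose x.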