RE: Anonymous digital cash, on top of bitcoin

With smart contracts in Bitcoin, I'm not sure you'd even need to embed "excess" funds inside a token to prevent double spending -- it could be part of the contract.  This puts me far outside my knowledge domain, but, I suppose one could construct a contract such that anyone with two signed transactions from the same token to two different payees could construct a transaction requiring signatures from both payees that executes the "double spend clause" (payable in bitcoins).  There are far far smarter people than I though to flesh this idea out.

Web payments, from what I can gather, fall into two categories: those mimicking cash on some level (no identity requirements, instant transaction verification, irreversible transactions, no built-in crime fighting, etc) and those mimicking credit cards (verified identities, reversible transactions, delayed settlement, issuers must pay for crime fighting, etc).  These are very very different problems...


-----Original Message-----
From: Niels Möller [mailto:nisse@lysator.liu.se] 
Sent: Wednesday, October 30, 2013 9:33 AM
To: Goss, Brian C., M.D.
Cc: public-webpayments@w3.org
Subject: Re: Anonymous digital cash, on top of bitcoin

"Goss, Brian C., M.D." <Goss.Brian@mayo.edu> writes:

> Why have a bank at all? If somehow having two digitally signed 
> transactions using the same token (or input in bitcoin speak) can 
> reveal a private key or decrypt a token of value from the double spent 
> token itself? You wouldn't need a bank to construct such a token if it 
> were backed and redeemed in bitcoin.

Good question. Let me do some hand-waving.

In principle, the tokens are of the form (x, r), where x is the user's secret identity, and r is a random number. (In the actual system, we're likely not working with (x, r) directly, but instead with x g + r h where g and h are elements in some group).

When paying with the token, you reveal x + c r, where c is a random challenge value provided by the seller. Paying twice, with two distinct challenges c and c', clearly reveals x.

So what is the bank's role? It's involved in several ways:

1. The bank collects the transaction info, so it gets both c and c' in
   case a user double spends.

2. Its involvement in the withdrawal protocol forces the user's token to
   be of the right form. We can't let a user freely choose a token
   (r1, r2), where both elements are meaningless random numbers. I don't
   remember exactly how this works, but I think there's a protocol
   between user and bank to construct the token, and then the bank will
   sign the resulting token using the bank's private key.

3. It provides the meaning for the identifier "x", and makes knowledge
   of x valuable (knowledge of x provides ownership of the user's bank
   account)

4. And it keeps track of how many coins each user creates.

To me, it seems reasonable that (1) can be replaced with a public transaction database.

And (3) could perhaps be replaced with a general-purpose lost-and-found service for secret keys: You hand the service a public key and some bitcoins. The service pays out to the first one who provides it with a valid signature on the message "secret revealed, please pay reward to bitcoin account y", corresponding to the key in question. The service could also sign some certificate to that effect.

For (2), we'd need some clever mathematics. When posting, I was thinking that it would be easy to just take existing protocols and add some bitcoin gateway. I'd have to look deeper into the protocols to understand what it takes to eliminate the bank.

And for (4), this looks like the fundamental difficulty. Say I convert 1 bitcoin into anonymous digital cash. I pay someone with that cash. The receiver converts it back to bitcoins. How's that disappearing and reappearing bitcoin going to look in the bitcoin transaction database?
And to get any anonymity, it seems necessary that a large number of users' transactions are aggregated, right?

So I think this line of thought leads to the following answer:

   We need some private keys which will act as owners of all bitcoins
   which have been "converted" into digital cash. Let's call the holders
   of those keys "banks". And for anonymity, there must be a lot fewer
   banks than users.

Regards,
/Niels

--
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.

Received on Wednesday, 30 October 2013 18:40:52 UTC
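
Added example (not part of the original messages, and not code from any real e-cash system): the double-spend algebra described in the quoted message, where a payment reveals x + c r and two payments with distinct challenges reveal x. The prime modulus Q, the function names and the sample values are assumptions for illustration; a real scheme would work with group elements and a bank-signed token rather than bare integers.

```python
import secrets

# Assumption: a prime modulus standing in for the group order (2^127 - 1 is prime).
Q = 2**127 - 1

def new_token(x):
    """Token (x, r): x is the user's secret identity, r is fresh randomness."""
    return (x % Q, secrets.randbelow(Q - 1) + 1)

def spend(token, c):
    """Value revealed to a seller who supplied the random challenge c."""
    x, r = token
    return (x + c * r) % Q

def recover_identity(c1, s1, c2, s2):
    """Solve s1 = x + c1*r and s2 = x + c2*r (mod Q) for x.

    This is what anyone holding both payment transcripts can compute.
    """
    dc = (c1 - c2) % Q
    if dc == 0:
        raise ValueError("identical challenges give one equation, not two")
    r = ((s1 - s2) % Q) * pow(dc, -1, Q) % Q
    return (s1 - c1 * r) % Q

def consistent_r(c, s, x_guess):
    """After a single spend, every guessed x is explained by some r.

    Returning that r shows one transcript alone does not pin down x.
    """
    if c % Q == 0:
        raise ValueError("challenge 0 would reveal x directly")
    return ((s - x_guess) % Q) * pow(c % Q, -1, Q) % Q

def demo():
    x = 0x1234567890ABCDEF          # constructed secret identity
    token = new_token(x)
    c1 = secrets.randbelow(Q - 1) + 1
    c2 = (c1 % (Q - 1)) + 1         # a different non-zero challenge
    s1, s2 = spend(token, c1), spend(token, c2)
    # One spend: a wrong guess for x is still consistent with the transcript.
    fake_r = consistent_r(c1, s1, x + 1)
    hidden = spend((x + 1, fake_r), c1) == s1
    # Two spends: x is recovered exactly.
    return hidden, recover_identity(c1, s1, c2, s2) == x

if __name__ == "__main__":
    print(demo())
```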