Title: ecash and revocability Post by: adam3us on May 14, 2013, 09:46:02 PM So back in 1999, in an ecash thread on cypherpunks I claimed:
http://marc.info/?l=cypherpunks&m=95280154629900&w=2 > I wouldn't say ecash has to use blinding, but I would argue it would be a > misuse of the word "ecash", if something which was revocable were dubbed > ecash. This was in the context of a discussion of digigold (e-gold stored the physical gold, digigold offered "ecash" backed in that physical gold). Digigold ran on Systemics payment server/sox protocol. Because of inferred regulatory concerns and patent licensing issues digigold & systemics were not using blind signatures. However with systemics sox server, like bitcoin, you could create multiple accounts on demand and shuffle payments around for a degree of privacy. The bitcoin analogy would be the transaction log lived in the systemics server, so it had a central failure point, but arguably more privacy as the log was not public. Also systemics SOX protocol (Ian Grigg & Gary Howland) had some aspect of bitcoins smart contract concepts - ricardian contracts. http://iang.org/papers/ricardian_contract.html (Btw the anonymous reply itself was interesting - http://marc.info/?l=cypherpunks&m=95280154629912&w=2 that could have been Nakamoto, the only missing thing from the parts on the discussion room floor to bitcoin is mathematical inflation control.) The thread actually started here http://marc.info/?l=cypherpunks&m=95280154629912&w=2 and then continues here http://marc.info/?l=cypherpunks&m=95280154629900&w=2 because of a subject line change and then http://marc.info/?l=cypherpunks&m=95280154629916&w=2 and http://marc.info/?l=cypherpunks&m=95280154629948&w=2 more subject line change confusion. A related thread a few days later also covers Sander & Ta-Shma (which zerocoin is based on): http://marc.info/?l=cypherpunks&m=95280154630167&w=2 there were many more threads about various ecash technologies. Adam Title: bitcoin taint & unilateral revocability (Re: ecash and revocability) Post by: adam3us on May 14, 2013, 09:47:49 PM So back in 1999, in an ecash thread on cypherpunks I claimed: http://marc.info/?l=cypherpunks&m=95280154629900&w=2 > I wouldn't say ecash has to use blinding, but I would argue it would be a > misuse of the word "ecash", if something which was revocable were dubbed > ecash. So I still think that is an important point. "Ecash should not be revocable". I think bitcoin currently has a partial problem because of taint. Now blinding based unlinkability, in a distributed cryptographic payer/payee anonymous system like Sander & Ta Shma [1] and zerocoin has so far been based on ZKP of set membership. Of course that is somewhat expensive, though zerocoin improved the ZKP with an relatively efficient (but still cut-and-choose) proof. Bitcoins relative lack of privacy creates a problem with tainted coins risking becoming unspendable, or spendable only with some users, or at a discount. So while the policy coded says all coins are equally acceptable, the information exists so people can unilaterally reject them, depending on what the taint is. So far revocability hasnt reared it's head that I heard, nor taint inspection too much? However people have the choice and technical means to check the taint and send the bitcoins back. Another aspect is that bitcoin, like systemics sox/digigold, makes a different privacy tradeoff. Somewhat private, but not very much. But it creates the question: could the taint issue be fixed efficiently (eg even without blinding or ZKP of set membership?) One related concept is commitments. I think its relatively easy to commit to a payment and lock a coin without identifying yourself, until the commitment is released. You might do the commitment, wait 6-blocks for confirmation, then reveal the commitment. Then that is like a self-issued green coin with no need for trust, that can be immediately cleared. The recipient has to be committed to at the same time to prevent double spending. So just commit = H( input-pub ) H( transaction ) and put it in the block chain. Where transaction the is usual ( input signature, output-pub, script). (Fee for the commit would have to come from an unlinked coin or the input-pub reveals the coin). Wait 6 blocks, send/reveal the transaction (free because fee was already paid). Validators check input-pub hash against committed coins by hash, check the transaction hash, and the usual ransaction validations = sum inputs, otherwise reject. The user better pay change if any to a different public key, as the inputs public keys are one use - are after the reveal they are DoS lockable by other people reposting H( input-pub ). The input-pub coin is locked as normal transactions have their public key hash validate as not being locked. Adam [1] Sander & Ta Shma "Auditable, Anonymous Electronic Cash" http://www.cs.tau.ac.il/~amnon/Papers/ST.crypto99.pdf Title: Re: ecash and revocability Post by: forbun on April 21, 2014, 10:15:59 PM Quote Bitcoins relative lack of privacy creates a problem with tainted coins risking becoming unspendable, or spendable only with some users, or at a discount. So while the policy coded says all coins are equally acceptable, the information exists so people can unilaterally reject them, depending on what the taint is. So far revocability hasnt reared it's head that I heard, nor taint inspection too much? However people have the choice and technical means to check the taint and send the bitcoins back. I'm not convinced that this will become a problem, socially. The same problem exists with real-world cash, which has serial numbers. The technical means to track dollar bills exists. But in practice, nobody bothers. It's prevented by law, but even if the law didn't exist, I'm not sure that mainstream people would care. |