6

I just read Offline anonymous electronic money systems and their cryptographical base, which asks for anonymous offline systems. The OP claims eCash is such a system, and the answer claims that fairCash is such a system.

I've added security as a third requirement, since an insecure system seems useless to me. When evaluating a system, I assume that the mint/bank can be trusted, but that the persons who transfer the money don't trust each other, and have all hardware that's in their possession completely under control.

Looking at these three properties, it seems impossible to fulfill them all at the same time. In particular I don't see how you could prevent double spending.

The best offline system I can think of allows the bank to see the amount of cash flowing from/to a particular person, but only reveals the actual transaction if he double-spends, and then hopes that the double-spent money can be recovered out of protocol (for example in court). But I feel like the reduced anonymity and security are worse than requiring online transactions. Edit: It seems like eCash falls in this category.

CodesInChaos
  • Are we ruling out schemes (such as MintChip) based on secure hardware tokens? – David Schwartz Apr 21 '12 at 01:05
  • "have all hardware that's in their possession completely under control" i.e. if the users have the MintChip, I assume that they can extract any secret keys embedded by the bank. – CodesInChaos Apr 21 '12 at 07:54

1 Answer

5

Depends on what you mean by secure. If you merely want the ability to detect and then presumably punish double spending, you can do that in a way that is secure and anonymous: double spending reveals enough information to provably identify the user. Since honest users don't double spend, they are still anonymous. This is used in Camenisch et al.'s Compact E-cash paper.

These systems use techniques related to blind signatures and similar to anonymous credentials (e.g. signatures over committed values and zero knowledge proofs about those signatures) which make it impossible to link the issue of a unit of currency to its spending or to the spending of another unit of currency unless it is double spent. As a result, unlike bitcoin, they really are completely anonymous if the cryptographic assumptions hold.

If you mean preventing double spending: no, it's impossible without trusted hardware*. You run up against, among other things, the CAP theorem. What stops me from making a clone of my data and executing the same protocol on other ends of the world (or the galaxy)?

* As others have pointed out, it might be possible in the quantum setting. Certainly you can make non-cloneable quantum "objects", but it's unclear how you would transfer them. (Update) In fact you can potentially do it with quantum knots.

imichaelmiers
  • One problem with the first kind of scheme is that it sacrifices a lot of anonymity even for honest users. The accounts are not anonymous; the amount of cash flowing in/out of an account can be observed by the bank. I was considering some escrow based systems, but couldn't make it work. Escrow can punish double-spend, but it's not enough once the multi-spend factor is large enough. – CodesInChaos Apr 21 '12 at 08:01
  • "What stops me from making a clone of my data and ..." http://en.wikipedia.org/wiki/No_cloning_theorem –  Apr 21 '12 at 20:34
  • @RickyDemer OK, yes you can use quantum physics. I should have said specialized hardware instead of trusted. – imichaelmiers Apr 22 '12 at 06:13
  • @CodesInChaos No, these really are actually anonymous, as in spending is unlinkable to issue. There isn't an account you keep with the mint/bank; they just issue you a bunch of crypto tokens that you store yourself. Once issued they are completely untraceable unless double spent. – imichaelmiers Apr 22 '12 at 06:19
  • 1) I'm not interested in quantum schemes. 2) I understand that payments are untraceable in the ideal case, thanks to blind signatures. But in order to get the name embedded into the tokens, I need to register each payment I send/receive with my bank in my name, even if the bank doesn't learn who was the partner in the transaction. 3) An honest mistake can also easily lead to deanonymization via double-spend. For example you restore from backup, or your application crashes at an unfortunate time. 4) It also leads to unbounded financial risk for the victim if somebody steals the tokens. – CodesInChaos Apr 22 '12 at 17:07
  • While I don't really like such schemes (I already described it in the question as one that falls a bit short of my expectations), it's probably the best thing you can get if you want offline spendability, so I'll accept this answer. My personal consequence is that offline spendability should be sacrificed, in favor of higher anonymity and in-protocol enforceability. – CodesInChaos Apr 22 '12 at 17:18
  • Accidental double spending breaks anonymity. Probably what would happen is you would have hardware that you trust (e.g. a TPM, an HSM, MintChip, etc.) that would not let you spend more than once and might require a PIN number to spend. Actually I think that probably should be a requirement of any e-cash (online or offline) to prevent hacking and theft. Absent the double spending error, I don't see how you get higher anonymity from an online system. The bank doesn't know how many coins you got, only that they issued them to some valid id. – imichaelmiers Apr 22 '12 at 18:39