12.6.1. (this section still under construction)
12.6.2. This is one of the main points of division between systems.
12.6.3. Online Clearing
- (insert explanation)
12.6.4. Offline Clearing
- (insert explanation)
12.6.5. Double spending
- Some approaches involve constantly-growing-in-size coins at
each transfer, so who spent the money first can be deduced
(or variants of this). And N. Ferguson developed a system
allowing up to N expenditures of the same coin, where N is
a parameter. [Howard Gayle reminded me of this, 1994-08-29]
- "Why does everyone think that the law must immediately be
invoked when double spending is detected?....Double
spending is an informational property of digital cash
systems. Need we find malicious intent in a formal
property? The obvious moralism about the law and double
spenders is inappropriate. It evokes images of revenge and
retribution, which are stupid, not to mention of negative
economic value." [Eric Hughes, 1994-08-27] (This also
relates to Eric's good point that we too often frame crypto
issues in terms of loaded terms like "cheating," "spoofing,"
and "enemies," when more neutral terms would carry less
meaning-obscuring baggage and would not give our "enemies"
(:-}) the ammunition to pass laws based on such terms.)
12.6.6. Issues
+ Chaum's double-spending detection systems
- Chaum went to great lengths to develop systems which
preserve anonymity for single-spending instances, but
which break anonymity and thus reveal identity for double-
spending instances. I'm not sure what market forces
caused him to think about this as being so important, but
it creates many headaches. Besides being clumsy, it
requires physical ID, it invokes a legal system to try to
collect from "double spenders," and it admits the
extremely serious breach of privacy by enabling stings.
For example, Alice pays Bob a unit of money, then quickly
Alice spends that money before Bob can...Bob is then
revealed as a "double spender," and his identity revealed
to whomever wanted it...Alice, IRS, Gestapo, etc. A very
broken idea. Acceptable mainly for small transactions.
+ Multi-spending vs. on-line clearing
- I favor on-line clearing. Simply put: the first spending
is the only spending. The guy who gets to the train
locker where the cash is stored is the guy who gets it.
This ensures that the burden of maintaining the secret is
on the secret holder.
- When Alice and Bob transfer money, Alice makes the
transfer, Bob confirms it as valid (or verifies that his
bank has received the deposit), and the transaction is
complete.
- With network speeds increasing dramatically, on-line
clearing should be feasible for most transactions. Off-
line systems may of course be useful, especially for
small transactions, the ones now handled with coins and
small bills.
12.6.7. "How does on-line clearing of anonymous digital cash work?"
- There's a lot of math connected with blinding,
exponentiations, etc. See Schneier's book for an introduction,
or the various papers of Chaum, Brands, Bos, etc.
- On-line clearing is similar to two parties in a transaction
exchanging goods and money. The transaction is cleared
locally, and immediately. Or they could arrange transfer of
funds at a bank, and the banker could tell them over the
phone that the transaction has cleared--true "on-line
clearing." Debit cards work this way, with money
transferred effectively immediately out of one account and
into another. Credit cards have some additional wrinkles,
such as the credit aspect, but are basically still on-line
clearing.
- Conceptually, the guiding principle is simple: he who
gets to the train locker where the cash is stored *first*
gets the cash. There can never be "double spending," only
people who get to the locker and find no cash inside.
Chaumian blinding allows the "train locker" (e.g., Credit
Suisse) to give the money to the entity making the claim
without knowing how the number correlates to previous
numbers they "sold" to other entities. Anonymity is
preserved, absolutely. (Ignoring for this discussion issues
of cameras watching the cash pickup, if it ever actually
gets picked up.)
- Once the "handshaking" of on-line clearing is accepted,
based on the "first to the money gets it" principle, then
networks of such clearinghouses can thrive, as each is
confident about clearing. (There are some important things
needed to provide what I'll dub "closure" to the circuit.
People need to ping the system, depositing and withdrawing,
to establish both confidence and cover. A lot like remailer
networks. In fact, very much like them.)
- In on-line clearing, only a number is needed to make a
transfer. Conceptually, that is. Just a number. It is up to
the holder of the number to protect it carefully, which is
as it should be (for reasons of locality, or self-
responsibility, and because any other option introduces
repudiation, disavowal, and the "Twinkies made me do it"
sorts of nonsense). Once the number is transferred and
reblinded, the old number no longer has a claim on the
money stored at Credit Suisse, for example. That money is
now out of the train locker and into a new one. (People
always ask, "But where is the money, really?" I see digital
cash as *claims* on accounts in existing money-holding
places, typically banks. There are all kinds of "claims"--
Eric Hughes has regaled us with tales of his explorations
of the world of commercial paper. My use of the term
"claim" here is of the "You present the right number, you
get access" kind. Like the combination to a safe. The train
locker idea makes this clearer, and gets around the
confusion about "digimarks" or "e$" actually _being_ any
kind of money in and of itself.)
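An added sketch of the clearing described in 12.6.7 (not from the original text or from any deployed system): RSA blind signatures over a toy key, with a bank that honours each number once and reissues it as a signature on the payee's fresh blinded number. The key size, the SHA-256 hashing of the serial, and the names `Bank`, `clear`, `blind`, `unblind` and `demo` are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key for the bank: two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def h(serial: bytes) -> int:
    """Hash a coin's serial number into the RSA group."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def blind(serial: bytes):
    """Holder side: hide the serial from the bank with a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(serial) * pow(r, E, N)) % N, r

def unblind(blind_sig: int, r: int) -> int:
    """Strip r from the bank's signature, leaving a signature on h(serial)."""
    return (blind_sig * pow(r, -1, N)) % N

class Bank:
    """The 'train locker': signs blinded numbers, honours each serial once."""
    def __init__(self):
        self.spent = set()

    def sign_blinded(self, blinded: int) -> int:  # withdrawal (account debit omitted)
        return pow(blinded, D, N)

    def clear(self, serial: bytes, sig: int, new_blinded: int):
        """On-line clearing: the first valid presentation wins and is
        reissued as a signature on the payee's fresh blinded number."""
        if pow(sig, E, N) != h(serial) or serial in self.spent:
            return None                           # forged, or locker already empty
        self.spent.add(serial)
        return self.sign_blinded(new_blinded)

def demo():
    bank = Bank()
    a_serial = secrets.token_bytes(16)            # Alice's secret number
    a_blinded, a_r = blind(a_serial)
    a_sig = unblind(bank.sign_blinded(a_blinded), a_r)
    # Alice hands (a_serial, a_sig) to Bob; Bob clears it at once for a new coin.
    b_serial = secrets.token_bytes(16)
    b_blinded, b_r = blind(b_serial)
    b_sig = unblind(bank.clear(a_serial, a_sig, b_blinded), b_r)
    second = bank.clear(a_serial, a_sig, blind(secrets.token_bytes(16))[0])
    return pow(b_sig, E, N) == h(b_serial), second is None, a_blinded != h(a_serial)
```

`demo()` returns three booleans: Bob's reissued coin verifies, the second presentation of Alice's number is refused, and the value the bank signed at withdrawal differs from the number it later sees at clearing.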
By Tim May, see README
HTML by Jonathan Rochkind