[cryptography] current digital cash / anonymous payment projects?
iang at iang.org
Thu Dec 2 17:29:07 EST 2010
On 2/12/10 6:32 PM, James A. Donald wrote:
> On 2010-12-01 11:18 PM, Ian G wrote:
>> On 1/12/10 6:12 AM, travis+ml-rbcryptography at subspacefield.org wrote:
>>> Can anyone give me a good rundown of the current anonymous payment
>>> systems, technologies and/or algorithms?
>> OK, there are some issues here. There is technology, algorithms,
>> patents, techniques, protocols, applications, services, business models
>> ... all lumped into one general term without care.
>> Anonymous payment systems are a bit of a contradiction, internally. What
>> you're probably talking about is untraceable payment systems, which
>> typically use Chaum or Brands or Wagner algorithms (there are a handful
>> of other variants). In this model, the "coin" is stripped of its
>> identifying information as it transfers from Ivan to Alice to Bob. When
>> Bob deposits the coin to Ivan (issuer) for credit to his account, or for
>> rollover to new coins, the chain of traceability is broken.
>> Then, there is another variation called nymous payment systems. This
>> model is typically done with a client-server public-private key
>> arrangement, where the client registers the public key, and signs
>> requests (including payments) which are sent to the server. The privacy
>> trick with this one is that the issuer doesn't need to know who holds
>> the private key; so while everything is traceable, it's also nymous.
> For anonymous payments to actually be anonymous, we need both nymity and
> Nymity means that anyone can have lots of different and seemingly
> unrelated communication end points, such as, for example, email addresses.
> With Pecunix, you can pay anyone who has an email address, with no
> requirement for the recipient to demonstrate a true name known to the
> state - but transfers between one email address and another are traceable.
> For anonymity, one has to be able to have cheap and disposable nyms,
> *and* be able to transfer funds between nyms without anyone being able
> to discover that one nym is getting the money from the other nym.
Yep, this is where the definitions matter, at a first order analysis.
Change those definitions around and it gets a bit confusing.
However, beyond the "privacy" aspects, there are other requirements
which interfere in strange ways, but you'll only find this at a second
order analysis. Plenty of systems have failed because they've not
understood the laws of money & business; we or they have fielded
systems that were (e.g.) private but broken in other ways.
PS: I know James knows all this. Note to travis: if you're just
interested in the crypto, you can ignore all of this, and research all
the various blinding methods. But if you are interested in running a
business, the crypto is more or less easy, the business is devilishly
complicated. To get a taste of the business aspects, have a look at the
FC7 model: http://iang.org/papers/fc7.html
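The untraceable-coin flow Ian describes (Ivan signs, Alice spends to Bob, Bob deposits, and the chain of traceability is broken) is easiest to see in code. The following is an added example, not code from anyone in this thread: a textbook Chaum RSA blind signature over a coin serial, with the issuer keeping an account ledger and a spent-serial list so that double deposits are refused. The RSA parameters (two Mersenne primes), the account names, and the `coin_digest` hash-to-integer mapping are constructed for illustration and are far too small for real use; the `withdrawals_seen` log stands in for the issuer's view and makes the contrast with the nymous model visible: Ivan learns that alice withdrew and that bob deposited, but cannot pair the two events.

```python
from __future__ import annotations

import hashlib
import math
import secrets
from dataclasses import dataclass, field

# Toy RSA modulus built from two known primes (constructed for this
# example only; ~188 bits, nowhere near a real key size).
P = 2**127 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # requires Python 3.8+


def coin_digest(serial: bytes) -> int:
    """Map a coin serial to an integer below N (a toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


@dataclass
class Issuer:
    """Ivan: signs blinded withdrawals and tracks which serials were deposited."""

    accounts: dict
    spent: set = field(default_factory=set)
    withdrawals_seen: list = field(default_factory=list)  # (account, blinded value)

    def sign_blinded(self, account: str, blinded: int) -> int:
        """Debit one unit from the account and sign whatever blinded value was presented."""
        if self.accounts.get(account, 0) < 1:
            raise ValueError("insufficient balance")
        self.accounts[account] -= 1
        self.withdrawals_seen.append((account, blinded))
        return pow(blinded, D, N)

    def deposit(self, account: str, serial: bytes, sig: int) -> bool:
        """Credit the account only for a validly signed serial seen for the first time."""
        if pow(sig, E, N) != coin_digest(serial):
            return False  # not an issuer signature on this serial
        if serial in self.spent:
            return False  # double-spend attempt: serial already redeemed
        self.spent.add(serial)
        self.accounts[account] = self.accounts.get(account, 0) + 1
        return True


def withdraw_coin(issuer: Issuer, account: str) -> tuple[bytes, int]:
    """Alice's side: blind a fresh serial, have Ivan sign it, then unblind the signature."""
    serial = secrets.token_bytes(16)
    m = coin_digest(serial)
    while True:  # blinding factor must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N
    blind_sig = issuer.sign_blinded(account, blinded)
    sig = (blind_sig * pow(r, -1, N)) % N  # (m * r^e)^d * r^-1 = m^d
    return serial, sig


def issuer_can_link(issuer: Issuer, serial: bytes) -> bool:
    """Does any value Ivan saw at withdrawal equal what he sees at deposit?"""
    m = coin_digest(serial)
    return any(blinded == m for _, blinded in issuer.withdrawals_seen)


def run_demo() -> dict:
    """Withdraw one coin as alice, deposit it as bob, then retry and forge."""
    ivan = Issuer(accounts={"alice": 2, "bob": 0})
    serial, sig = withdraw_coin(ivan, "alice")
    # Alice hands (serial, sig) to Bob out of band; Bob deposits it.
    first = ivan.deposit("bob", serial, sig)
    second = ivan.deposit("bob", serial, sig)          # replay of the same coin
    forged = ivan.deposit("bob", b"forged-serial", 12345)  # no issuer signature
    return {
        "first_deposit": first,
        "second_deposit": second,
        "forged_deposit": forged,
        "issuer_can_link": issuer_can_link(ivan, serial),
        "alice_balance": ivan.accounts["alice"],
        "bob_balance": ivan.accounts["bob"],
    }


if __name__ == "__main__":
    print(run_demo())
```

The verification step is the whole point of the "issuer" role: Ivan never sees the serial until deposit, yet can still check `sig^e == H(serial)` because the blinding factor cancels out. Untraceability here rests entirely on the unblinding; everything else (account debits, spent-list lookups, balances) is ordinary bookkeeping, which is why the business rules around it, not the crypto, tend to be the hard part.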