[cryptography] current digital cash / anonymous payment projects?

Ian G iang at iang.org
Thu Dec 2 17:29:07 EST 2010

On 2/12/10 6:32 PM, James A. Donald wrote:
> On 2010-12-01 11:18 PM, Ian G wrote:
>> On 1/12/10 6:12 AM, travis+ml-rbcryptography at subspacefield.org wrote:
>>> Can anyone give me a good rundown of the current anonymous payment
>>> systems, technologies and/or algorithms?
>> OK, there are some issues here. There is technology, algorithms,
>> patents, techniques, protocols, applications, services, business models
>> ... all lumped into one general term without care.
>> Anonymous payment systems are a bit of a contradiction, internally. What
>> you're probably talking about is untraceable payment systems, which
>> typically use Chaum or Brands or Wagner algorithms (there are a handful
>> of other variants). In this model, the "coin" is stripped of its
>> identifying information as it transfers from Ivan to Alice to Bob. When
>> Bob deposits the coin to Ivan (issuer) for credit to his account, or for
>> rollover to new coins, the chain of traceability is broken.
>> Then, there is another variation called nymous payment systems. This
>> model is typically done with a client-server public-private key
>> arrangement, where the client registers the public key, and signs
>> requests (including payments) which are sent to the server. The privacy
>> trick with this one is that the issuer doesn't need to know who holds
>> the private key; so while everything is traceable, it's also nymous.
> For anonymous payments to actually be anonymous, we need both nymity and
> untraceability.
> Nymity means that anyone can have lots of different and seemingly
> unrelated communication end points, such as, for example, email addresses.
> With Pecunix, you can pay anyone who has an email address, with no
> requirement for the recipient to demonstrate a true name known to the
> state - but transfers between one email address and another are traceable.
> For anonymity, one has to be able to have cheap and disposable nyms,
> *and* be able to transfer funds between nyms without anyone being able
> to discover that one nym is getting the money from the other nym.

Yep, this is where the definitions matter, at a first-order analysis.
Change those definitions around and it gets a bit confusing.

However, beyond the "privacy" aspects, there are other requirements
which interfere in strange ways, but you'll only find this at a second-order
analysis.  Plenty of systems have failed because they've not
understood the laws of money & business;  we or they have fielded
systems that were (e.g.) private but broken in other ways.


PS:  I know James knows all this.  Note to travis:  if you're just
interested in the crypto, you can ignore all of this, and research all
the various blinding methods.  But if you are interested in running a
business, the crypto is more or less easy, the business is devilishly
complicated.  To get a taste of the business aspects, have a look at the
FC7 model:  http://iang.org/papers/fc7.html
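The untraceable-coin flow Ian sketches above (Ivan signs a coin for Alice without seeing it, Alice pays Bob, Bob deposits, and the chain back to the withdrawal is broken), as an added worked example that is not code from the thread or from any of the systems named in it: a pure-Python RSA blind signature in the Chaum style. Assumptions of mine: demo-sized 512-bit keys, SHA-256 of the coin serial standing in for a full-domain hash, the names Issuer, blind, unblind, verify and run_demo, and a double-spend check on deposit, which the thread does not discuss but which any issuer that redeems coins for account credit needs.

```python
"""Chaum-style blind-signature coin: withdraw, pay, deposit.
Added illustration, not code from the thread.  Key size and the bare
SHA-256 coin hash are demo-only assumptions; real deployments use far
larger keys and a proper full-domain hash."""
import hashlib
import secrets
from math import gcd

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with a trial-division prefilter (n is a large odd int)."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
        if is_probable_prime(cand):
            return cand

def keygen(bits=512):
    """Issuer's RSA key (n, e, d)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

def coin_hash(serial, n):
    """Hash the coin serial to an integer mod n (full-domain-hash stand-in)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % n

def blind(n, e, serial):
    """Alice: multiply the coin hash by r^e so Ivan signs without seeing it."""
    m = coin_hash(serial, n)
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return (m * pow(r, e, n)) % n, r

def unblind(n, r, blinded_sig):
    """Alice: divide out r; (m r^e)^d r^-1 == m^d, Ivan's signature on H(serial)."""
    return (blinded_sig * pow(r, -1, n)) % n

def verify(n, e, serial, sig):
    """Anyone (Bob, Ivan): check sig^e == H(serial) mod n."""
    return pow(sig, e, n) == coin_hash(serial, n)

class Issuer:
    """Ivan: signs blinded withdrawals, credits deposits, refuses replays."""
    def __init__(self, bits=512):
        self.n, self.e, self.d = keygen(bits)
        self.withdrawals = []   # (account, blinded value): all Ivan sees at issue time
        self.spent = set()      # serials already deposited (double-spend check)

    def withdraw(self, account, blinded):
        self.withdrawals.append((account, blinded))   # debit the account, keep the log
        return pow(blinded, self.d, self.n)

    def deposit(self, serial, sig):
        if not verify(self.n, self.e, serial, sig):
            return "forged"
        if serial in self.spent:
            return "double-spend"
        self.spent.add(serial)
        return "credited"

    def linkable(self, serial, sig):
        """Does any withdrawal record match the deposited coin?  Because r is
        uniform, m*r^e is independent of m, so the log never holds the coin
        hash or its signature: that is the untraceability property."""
        m = coin_hash(serial, self.n)
        return any(b in (m, sig) for _, b in self.withdrawals)

def run_demo(bits=512):
    """Ivan -> Alice -> Bob -> Ivan round trip; returns the deposit outcomes."""
    ivan = Issuer(bits)
    serial = secrets.token_bytes(16)                  # Alice picks the serial
    blinded, r = blind(ivan.n, ivan.e, serial)
    sig = unblind(ivan.n, r, ivan.withdraw("alice", blinded))
    assert verify(ivan.n, ivan.e, serial, sig)        # Bob checks before accepting
    first = ivan.deposit(serial, sig)                 # Bob deposits: "credited"
    second = ivan.deposit(serial, sig)                # replayed coin: "double-spend"
    return first, second, ivan.linkable(serial, sig)  # linkable is False

if __name__ == "__main__":
    print(run_demo())
```

The point the quoted paragraph makes is visible in Ivan's two data structures: `withdrawals` records who was debited and the blinded value they presented, `spent` records which coins came back, and nothing in the first list can be matched against the second. This is the online (deposit-time) double-spend check; the offline Chaum/Brands variants, where a double-spender's identity is revealed from two spends of the same coin, need a different signature construction than the plain RSA blinding shown here.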
