[fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems
cyphrpunk at gmail.com
Sun Oct 30 00:17:25 EDT 2005
On 10/28/05, Daniel A. Nagy <nagydani at epointsystem.org> wrote:
> Irreversibility of transactions hinges on two features of the proposed
> systetm: the fundamentally irreversible nature of publishing information in
> the public records and the fact that in order to invalidate a secret, one
> needs to know it; the issuer does not learn the secret at all in some
> implementnations and only learns it when it is spent in others.
> In both cases, reversal is impossible, albeit for different reasons. Let's
> say, Alice made a payment to Bob, and Ivan wishes to reverse it with the
> possible cooperation of Alice, but definitely without Bob's help. Alice's
> secret is Da, Bob's secret is Db, the corresponding challenges are,
> respectively, Ca and Cb, and the S message containing the exchange request
> Da->Cb has already been published.
> In the first case, when the secret is not revealed, there is simply no way to
> express reverslas. There is no S message with suitable semantics semantics,
> making it impossible to invalidate Db if Bob refuses to reveal it.
The issuer can still invalidate it even though you have not explicitly
defined such an operation. If Alice paid Bob and then convinces the
issuer that Bob cheated her, the issuer could refuse to honor the Db
deposit or exchange operation. From the recipient's perspective, his
cash is at risk at least until he has spent it or exchanged it out of
The fact that you don't have an "issuer invalidates cash" operation in
your system doesn't mean it couldn't happen. Alice could get a court
order forcing the issuer to do this. The point is that reversal is
technically possible, and you can't define it away just by saying that
the issuer won't do that. If the issuer has the power to reverse
transactions, the system does not have full ireversibility, even
though the issuer hopes never to exercise his power.
> In the second case, Db is revealed when Bob tries to spend it, so Ivan can,
> in principle, steal (confiscate) it, instead of processing, but at that
> point Da has already been revealed to the public and Alice has no means to
> prove that she was in excusive possession of Da before it became public
That is an interesting possibility, but I can think of a way around
it. Alice could embed a secret within her secret. She could base part
of her secret on a hash of an even-more-secret value which she would
not reveal when spending/exchanging. Then if it came to where she had
to prove that she was the proper beneficiary of a reversed
transaction, she could reveal the inner secret to justify her claim.
> Now, one can extend the list of possible S messages to allow for reversals
> in the first scenario, but even in that case Ivan cannot hide the fact of
> reversal from the public after it happened and the fact that he is prepared
> to reverse payments even before he actually does so, because the users and
> auditors need to know the syntax and the semantics of the additional S
> messages in order to be able to use Ivan's services.
That's true, the public visibility of the system makes secret
reversals impossible. That's very good - one of the problems with
e-gold was that it was never clear when they were reversing and
freezing accounts. Visibility is a great feature. But it doesn't keep
reversals from happening, and it still leaves doubt about how final
transactions will be in this system.
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography