From daw@cs.berkeley.edu Fri Aug 9 20:24:00 PDT 1996
Article: 860 of isaac.lists.coderpunks
Path: news.isaac.cs.berkeley.edu!not-for-mail
From: daw@cs.berkeley.edu (David Wagner)
Newsgroups: isaac.lists.coderpunks
Subject: Payer-anonymous micropayments
Date: 29 Jul 1996 00:41:01 -0700
Organization: ISAAC Group, UC Berkeley
Lines: 104
Sender: daemon@abraham.cs.berkeley.edu
Approved: mail2news@news.isaac.cs.berkeley.edu
Distribution: isaac
Message-ID: <4thme3$kh7@joseph.cs.berkeley.edu>
NNTP-Posting-Host: abraham.cs.berkeley.edu
Precedence: bulk
I thought I'd share my thoughts on a subject I had pondered about a while ago:
how to build a cryptographically strong anonymous digital micropayment system.
There has recently been a lot of interest in micropayment protocols. Still,
all the proposed micropayment methods that I know of do not provide
cryptographic protection of your identity. The obvious approach -- simply
using Chaumian digital cash (i.e. Digicash's ecash) -- provides those
guarantees, but it requires a public-key operation for every micropayment, so
it is perhaps a bit too heavyweight for true micropayment applications.
I think it is important to consider privacy concerns even in micropayment
applications. If Bob Dole's videotape renting record (or a list of Al Gore's
purchases on the Information Superhighway, or Chelsea Clinton's GIF downloads
>from the net) were ever leaked to the public, I'd predict an outcry.
One popular micropayment technique uses chained one-way hashes to reduce the
public-key operations required. Recall that the idea is to repeatedly apply a
one-way function f to produce a stick of coins
N, f^{100}(N), sig_B(C, f^{100}(N)).
Here f^i(N) denotes i repeated applications of f to N, i.e.
f^{i+1}(x) = f^i(f(x)) f^0(x) = x,
and sig(x) denotes a public-key signature on x. The customer C buys a stick of
coins from a trusted third party broker B, who provides the signature on
f^{100}(N):
C->B: C, f^{100}(N)
B->C: sig_B(C, f^{100}(N))
Before spending at a shop S, the customer commits
C->S: f^{100}(N), sig_B(C, f^{100}(N));
the shop verifies the broker's signature offline. To spend the first coin on
the stick, the customer provides a pre-image of f
C->S: f^{99}(N)
and the shop verifies that the received bitstring is indeed a pre-image of
f^{100}(N) under f. Similarly, the i-th coin of the stick is spent by sending
f^{100-i}(N). Later during off-peak hours, the shop can provide the broker
with the signature on the stick of coins as well as all the coins spent at the
shop, and the broker will pay the shop back.
Several folks have proposed schemes based on this basic idea of coin sticks;
if the abbreviated explanation above was confusing, see Rivest and Shamir's
paper ( http://theory.lcs.mit.edu/~rivest/RivestShamir-mpay.ps ).
To stop double-spending, the client's identity is included in the signature on
the stick, and brokers are likely to require real-world proof of identification
(such as a credit card or driver's license); brokers can identify and blacklist
(or prosecute) double-spenders through this technique. This is likely to
deter most double-spending. Of course some double-spending may occur, but the
assumption is that so little money is at stake in micropayment schemes that
this should not be a serious concern to most businesses in real life.
Note that this protocol can be easily blinded with Chaumian techniques: remove
the client's identity from the signature and use a blind signature protocol in
the withdrawal phase. For instance, with RSA the withdrawal protocol becomes
C->B: C, b^e f^{100}(N) mod n
B->C: ( b^e f^{100}(N) )^d mod n
where (e,n) is the broker's public key, d is the corresponding private key, and
b is the blinding factor. Note that C obtains the signature on f^{100}(N) as
sig_B(f^{100}(N))
= ( f^{100}(N) )^d mod n
= b^{-1} ( b^e f^{100}(N) )^d mod n.
The commitment and payment phases of the protocol above can remain unchanged.
Multiple purchases at the same shop with the same stick can be linked together,
but this doesn't seem to be a huge problem in practice.
The blinding does cause some problems with double-spending; still, they are not
too hard to fix. Shops can simply verify stick commitments online with the
broker, as is done in online Chaumian ecash protocols. This doesn't seem to be
too terrible a requirement; subsequent verification of each of the 100 coins in
the stick requires just a hash calculation for each coin.
The largest remaining obstacle is how to deal with partially-spent sticks.
With the unblinded coin stick protocols, customers can simply spend the rest of
a partially-spent stick at another shops or redeem it at their broker.
However, in the blinded protocol, spending coins from the same stick at two
different places allows those two purchase locations to be linked, so the
traditional approach doesn't work. Still, this obstacle can be surmounted.
One possibility is for brokers to buy back partially-spent sticks with
payee-anonymous digital coins (even if those coins were merely a local scrip
that could be redeemed only for new full sticks from the same broker). Again,
shops could also give change (via a payee-anonymous method, of course). Chaum
has described how to do payee-anonymous digital cash for change-making.
Another possibility is for brokers to redeem partially-spent sticks immediately
for a shorter full stick; for instance, if I have 87 unspent coins remaining in
my 100 coin stick, I could anonymously redeem it at my broker (using the above
blinded protocol) for a new full 87-coin stick. (However, don't fall into the
trap of suggesting that I redeem a 60-unspent-coin stick and a 50-unspent-coin
stick for a new full 110-coin stick: that makes the shop purchases on the first
two sticks linkable.)
So I think the difficulties that payee-anonymity introduces in the above
blinded micropayment scheme can be patched up without too many contortions.
It's true-- in the final analysis, there *are* still some costs associated
with providing payer-anonymity-- but I think they are fairly minor.
One practical advantage of this micropayment scheme is that it could be
deployed quickly with some fairly small modifications to Digicash's ecash
system. Best of all, we get cryptographic guarantees of payer-anonymity.
Any comments?
P.S. Some of these ideas arose from conversations with Ian Goldberg-- thanks
to him for all the enlightening discussions!