
I just read Offline anonymous electronic money systems and their cryptographical


Question

I just read Offline anonymous electronic money systems and their cryptographical base, which asks for anonymous offline systems. The OP claims eCash is such a system, and the answer claims that fairCash is such a system.

I've added security as a third requirement, since an insecure system seems useless to me. When evaluating a system, I assume that the mint/bank can be trusted, but that the persons who transfer the money don't trust each other, and have all hardware that's in their possession completely under control.

Looking at these three properties, it seems impossible to fulfill them all at the same time. In particular I don't see how you could prevent double spending.

The best offline system I can think of allows the bank to see the amount of cash flowing from/to a particular person, but only reveals the actual transaction if he double-spends, and then hopes that the double-spent money can be recovered out of protocol (for example in court). But I feel like the reduced anonymity and security are worse than requiring online transactions. Edit: It seems like eCash falls in this category.

Explanation / Answer

Depends on what you mean by secure. If you merely want the ability to detect and then presumably punish double spending, you can do that in a way that is secure and anonymous: double spending reveals enough information to provably identify the user. Since honest users don't double spend, they are still anonymous. This is used in Camenisch et al.'s Compact E-cash paper.

These systems use techniques similar to anonymous credentials, e.g. signatures over committed values and zero-knowledge proofs about those signatures, which make it impossible to link the issue of a unit of currency to its spending or to the spending of another unit of currency unless it is double spent. As a result, unlike Bitcoin, they really are completely anonymous if the cryptographic assumptions hold.

If you mean prevent double spending: no, it's impossible without trusted hardware*. You run up against, among other things, the CAP theorem. What stops me from making a clone of my data and executing the same protocol on other ends of the world (or the galaxy)?

* As others have pointed out, it might be possible in the quantum setting. Certainly you can make non-cloneable quantum "objects", but it's unclear how you would transfer them.
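The mechanism the answer describes, "double spending reveals enough information to provably identify the user", can be shown with the linear-equation trick that underlies Brands-style and compact e-cash double-spend tags. The block below is an added example, not code from the answer or from the Compact E-cash paper; it omits the blind signatures, commitments and zero-knowledge proofs that a real scheme uses to make the spender's response verifiable, and keeps only the algebra. Assumptions: the arithmetic is done modulo a prime Q; each coin carries a fresh serial and a fresh random pad r; the spender answers a merchant challenge c with T = r + c*u (mod Q) where u is the account identity. One transcript is a one-time pad over u; two transcripts for the same serial with different challenges are two linear equations in (r, u) and the bank solves for u. The names `withdraw`, `spend`, `Bank` and `consistent_pad` are invented for this example.

```python
import secrets

# Assumption: arithmetic is done in the field Z_Q for a large prime Q. A real scheme
# works in a prime-order group with commitments and ZK proofs; this is illustrative only.
Q = (1 << 127) - 1  # 2^127 - 1, a Mersenne prime


def withdraw(user_id: int) -> dict:
    """Issue one coin to user_id (constructed example; the bank's blind signature over
    the serial and the pad is omitted). The pad r is fresh and uniform per coin."""
    return {"serial": secrets.randbelow(Q), "r": secrets.randbelow(Q), "u": user_id % Q}


def spend(coin: dict, challenge: int) -> dict:
    """Spender's response to a merchant challenge c: T = r + c*u (mod Q).
    The transcript (serial, c, T) is what the merchant later deposits at the bank."""
    c = challenge % Q
    return {"serial": coin["serial"], "c": c, "T": (coin["r"] + c * coin["u"]) % Q}


def consistent_pad(tx: dict, claimed_u: int) -> int:
    """For a single transcript, any identity claimed_u is consistent with it: return the pad
    r' such that a coin (r', claimed_u) would have produced the same T. This is why one
    honest spend reveals nothing about u."""
    return (tx["T"] - tx["c"] * (claimed_u % Q)) % Q


class Bank:
    """Deposit-side logic: store the first transcript per serial; on a second transcript
    with a different challenge, recover the double-spender's identity."""

    def __init__(self, accounts: dict):
        self.accounts = accounts  # user_id -> account name (constructed)
        self.seen = {}            # serial -> first deposited transcript

    def deposit(self, tx: dict):
        s = tx["serial"]
        first = self.seen.get(s)
        if first is None:
            self.seen[s] = tx
            return None  # accepted; the bank learns nothing about who spent it
        if first["c"] == tx["c"]:
            # Same transcript deposited twice: a merchant replay, and the two equations
            # are identical, so nothing about u is learned.
            return "replay"
        # T1 = r + c1*u and T2 = r + c2*u  =>  u = (T1 - T2) * (c1 - c2)^-1  (mod Q)
        u = ((first["T"] - tx["T"]) * pow(first["c"] - tx["c"], -1, Q)) % Q
        return self.accounts.get(u, u)


def demo():
    """Walk through one honest spend, then a double spend of the same coin."""
    bank = Bank({42: "alice"})
    coin = withdraw(42)
    honest = bank.deposit(spend(coin, challenge=7))           # None: anonymous
    caught = bank.deposit(spend(coin, challenge=11))          # "alice": identity recovered
    return honest, caught


if __name__ == "__main__":
    print(demo())
```

The merchant's challenge must be unpredictable to the spender (in practice it is derived from the merchant identity and a timestamp or nonce), otherwise the spender can answer two merchants with the same c and the equations collapse, as the `replay` branch shows. Everything that makes T trustworthy without revealing u (the signed commitment to r and u, and the proof that T was formed correctly from it) is exactly the anonymous-credential machinery the answer mentions and this example leaves out.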