NSA: On The Costs of Anonymity

A paper titled "How to Make a Mint: The Cryptography of Anonymous Electronic Cash" has been making the rounds of the electronic money community in recent months. Prepared by cryptology experts at the National Security Agency, it raises security and law enforcement concerns about anonymous systems designed like Digicash Inc.'s Ecash.

Here are excerpts from the paper's conclusion:

*

Because it is simple to make an exact copy of an electronic coin, a secure electronic cash system must have a way to protect against multiple spending. If the system is implemented on-line, then multiple spending can be prevented by maintaining a data base of spent coins and checking this list with each payment. If the system is implemented off-line, then there is no way to prevent multiple spending cryptographically, but it can be detected when the coins are deposited.

Detection of multiple spending after the fact is only useful if the identity of the offender is revealed. Cryptographic solutions have been proposed that will reveal the identity of the multiple spender while preserving user anonymity otherwise.

Token forgery can be prevented in an electronic cash system as long as the cryptography is sound and securely implemented, the secret keys used to sign coins are not compromised, and integrity is maintained on the public keys. However, if there is a security flaw or a key compromise, the anonymity of electronic cash will delay detection of the problem . . . .

The untraceability of electronic cash creates problems in detecting money laundering and tax evasion because there is no way to link the payer and payee. To counter this problem, it is possible to design a system that has an option to restore traceability using an escrow mechanism. If certain conditions are met (such as a court order), a deposit or withdrawal record can be turned over to a commonly trusted entity who holds a key that can decrypt information connecting the deposit to a withdrawal, or vice versa. However, this is not a solution to the token forgery problem because there may be no way to know which deposits are suspect.

We have also looked at two optional features of off-line electronic cash: transferability and divisibility. Because the size of an electronic coin must grow with each transfer, the number of transfers allowed per coin must be limited. Also, allowing transfers magnifies the problems of detecting counterfeit coins, money laundering, and tax evasion. Coins can be made divisible without losing any security or anonymity features but at the expense of additional memory requirements and transaction time.

In conclusion, the potential risks in electronic commerce are magnified when anonymity is present. Anonymity creates the potential for large sums of counterfeit money to go undetected by preventing identification of forged coins. Anonymity also provides an avenue for laundering money and evading taxes that is difficult to combat without resorting to escrow mechanisms.

Anonymity can be provided at varying levels, but increasing the level of anonymity also increases potential damages. It is necessary to weigh the need for anonymity with these concerns. It may well be concluded that these problems are best avoided using a secure electronic payment system that provides privacy but not anonymity.
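The excerpts contrast on-line prevention of multiple spending with off-line detection that reveals the offender's identity. The following sketch is an added illustration, not code or a scheme taken from the NSA paper or from Ecash. It assumes a simplified secret-line construction (identity as the intercept of a per-coin line modulo a prime) and omits coin signing and blinding; all class names, the modulus and the sample values are constructed for the example.

```python
import secrets

P = 2**127 - 1  # prime modulus chosen for this sketch (assumption)

class OnlineBank:
    """On-line mode: each payment is checked against a spent-coin database."""
    def __init__(self):
        self.spent = set()
    def accept(self, serial):
        if serial in self.spent:
            return False              # multiple spend prevented at payment time
        self.spent.add(serial)
        return True

class Coin:
    """Off-line coin: identity u is the intercept of a secret line r = a*c + u."""
    def __init__(self, identity):
        self.serial = secrets.token_hex(8)
        self._a = secrets.randbelow(P - 1) + 1   # per-coin secret slope, nonzero
        self._u = identity % P
    def respond(self, challenge):
        # A single (challenge, response) point is consistent with every possible u.
        return (self._a * challenge + self._u) % P

class OfflineBank:
    """Off-line mode: multiple spending is detected at deposit, not prevented."""
    def __init__(self):
        self.deposits = {}            # serial -> (challenge, response)
    def deposit(self, serial, challenge, response):
        """Return None for a first deposit, or the spender's identity on a repeat."""
        if serial not in self.deposits:
            self.deposits[serial] = (challenge, response)
            return None
        c1, r1 = self.deposits[serial]
        if c1 == challenge:
            return None               # same transcript again: no second point (simplified)
        # Two distinct points on the line: solve for the slope, then the intercept.
        a = (r1 - response) * pow((c1 - challenge) % P, -1, P) % P
        return (r1 - a * c1) % P

def demo():
    coin = Coin(424242)               # constructed account identifier
    bank = OfflineBank()
    c1, c2 = 1001, 2002               # constructed challenges from two merchants
    first = bank.deposit(coin.serial, c1, coin.respond(c1))
    second = bank.deposit(coin.serial, c2, coin.respond(c2))
    return first, second
```

A coin spent once leaves the bank with one point and no identity; the second spend supplies the second point, which is what makes after-the-fact detection useful.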
