I just found out about the decentralized digital cash system Bitcoin, by way of an LWN article. It looks very interesting, but as I understand it, it can’t scale very far in its current form due to the requirement that a log of all transactions be sent to all clients.
One interesting point is that publishing the complete list of transactions doesn’t imply complete transparency, since accounts aren’t linked to users. An account is just a public/private key pair, and any user may create however many accounts she likes. The existence of an account isn’t announced to the world, except implicitly when the account is on the sending or receiving end of a transaction. (Since all transactions are published, however, it’s possible to data mine the flow of money, so the actual anonymity is likely to be limited.)
Karl, you are correct in pointing out the cryptographic trade-off between pure anonymity and pseudo-anonymity with traceable block chains. This is due to the double-spending issue which Chaumian e-cash solves by way of a “centralized” mint and Bitcoin solves by way of “decentralized” block chains that have to be confirmed by the nodes.
I lean towards decentralized and distributed when it comes to anonymous digital cash, because until we can utilize molecular transportation to send gold coins over the Internet, the approach by Bitcoin will be the closest we get to a fully decentralized monetary system.
Jon
http://themonetaryfuture.blogspot.com/2010/10/rally-in-bitcoin.html
Over time the log will grow, but addresses that have been used up can be forgotten, so it might grow less quickly than it seems. Nevertheless, it will eventually be cumbersome for every user to have a complete chain; already some users do not even have the client installed, but use a service like mtgox or mybitcoin. These services let you send and receive coins using regular bitcoin addresses for which they have the keys, or from account to account like an internal bank transfer. In the far future all common users will probably use a service like this. Since anyone can run a service like this, people will need to be careful who they trust, but also there will be no lack of competition.
“addresses that have been used up can be forgotten”—do you mean that all historical transactions for addresses that have a credit balance of zero can be discarded? That’s precisely what I don’t understand—how can new clients verify the block chain (that is, verify the hashes) without obtaining all historical transactions?
The other scalability problem is that as the number of users grows (presuming that it does), the number of transactions per second will eventually make it impractical to log them all at any central point, much less a large number of such points.
All historical transactions and complete chains are not required for the receiver to be reasonably satisfied as to the non-double-spending of the coin within the first minutes of receipt.
From Satoshi’s comments on the cryptography mailing list:
“Long before the network gets anywhere near as large as that, it would be safe for users to use Simplified Payment Verification (section 8) to check for double spending, which only requires having the chain of block headers, or about 12KB per day. Only people trying to create new coins would need to run network nodes. At first, most users would run network nodes, but as the network grows beyond a certain point, it would be left more and more to specialists with server farms of specialized hardware. A server farm would only need to have one node on the network and the rest of the LAN connects with that one node. The bandwidth might not be as prohibitive as you think. A typical transaction would be about 400 bytes (ECC is nicely compact).”
Yes, I figured that out while trying to sleep last night: they don’t need to verify the complete contents of the chain, just that it is the chain built with the most hashing effort. (And they need to compute the credit balance of accounts that spend money in order to catch overspending, but I guess that’s not a problem.)
Note that this still doesn’t solve the scalability problem, though; it just concentrates it at the nodes that do produce blocks. Millions of transactions per day will work fine, but I’m not sure that billions will.
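As an added illustration of what the Simplified Payment Verification discussed in the comments above actually checks (example code written for this page, not from the thread or from the Bitcoin client): a client holding only the 80-byte block headers can verify that each header links to the previous one, that each header satisfies its stated proof-of-work target, and sum the work across the chain to pick the chain built with the most hashing effort. To see that a particular transaction is in a block, it then needs only a Merkle branch (a handful of hashes), not the block's other transactions. The header layout, double-SHA-256 hashing, compact target encoding and Merkle construction follow Bitcoin's; the easy target `0x207fffff` (so the toy proof-of-work search finishes instantly), the timestamps and the transaction ids are constructed for the example.

```python
import hashlib
import struct

# Constructed easy compact target (the value Bitcoin's regtest mode uses) so
# mining a toy block takes a couple of tries; mainnet targets are far lower.
EASY_BITS = 0x207FFFFF
HEADER_SIZE = 80


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, used for block and transaction hashes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def bits_to_target(bits: int) -> int:
    """Decode the 4-byte compact 'bits' field into the 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def serialize_header(version, prev_hash, merkle_root, timestamp, bits, nonce):
    """80-byte header: version, prev hash, merkle root, time, bits, nonce (little-endian ints)."""
    return (struct.pack("<I", version) + prev_hash + merkle_root
            + struct.pack("<III", timestamp, bits, nonce))


def merkle_root_of(header: bytes) -> bytes:
    return header[36:68]


def merkle_root_and_branch(txids, index):
    """Return (root, branch): branch is the list of sibling hashes needed to
    recompute the root from txids[index]; odd levels duplicate the last hash."""
    level, branch = list(txids), []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        branch.append(level[index ^ 1])
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], branch


def verify_merkle_branch(txid, branch, index, root) -> bool:
    """SPV inclusion check: climb from the txid to the root using only the branch."""
    h = txid
    for sibling in branch:
        h = sha256d(sibling + h) if index & 1 else sha256d(h + sibling)
        index //= 2
    return h == root


def mine_block(prev_hash, merkle_root, timestamp, bits=EASY_BITS) -> bytes:
    """Search nonces until the header hash (as a little-endian int) is <= target."""
    target, nonce = bits_to_target(bits), 0
    while True:
        header = serialize_header(1, prev_hash, merkle_root, timestamp, bits, nonce)
        if int.from_bytes(sha256d(header), "little") <= target:
            return header
        nonce += 1


def verify_header_chain(headers) -> int:
    """Header-only validation: linkage, proof-of-work, and cumulative work.
    Returns the total work (sum of 2^256 / (target+1)); raises ValueError on any defect."""
    total_work, prev_hash = 0, b"\x00" * 32  # genesis links to an all-zero hash
    for i, header in enumerate(headers):
        if len(header) != HEADER_SIZE:
            raise ValueError(f"header {i} has wrong size")
        if header[4:36] != prev_hash:
            raise ValueError(f"header {i} does not link to the previous header")
        target = bits_to_target(struct.unpack("<I", header[72:76])[0])
        h = sha256d(header)
        if int.from_bytes(h, "little") > target:
            raise ValueError(f"header {i} fails its proof-of-work target")
        total_work += (1 << 256) // (target + 1)
        prev_hash = h
    return total_work


def daily_header_bytes(blocks_per_day: int = 144) -> int:
    """Header-only bandwidth at one block per ten minutes."""
    return HEADER_SIZE * blocks_per_day


def build_demo():
    """Constructed three-block toy chain; txids are hashes of labels, not real transactions.
    Also returns a Merkle proof for one transaction in the second block."""
    headers, prev, proof = [], b"\x00" * 32, None
    for height in range(3):
        txids = [sha256d(f"block{height}-tx{i}".encode()) for i in range(5)]
        root, branch = merkle_root_and_branch(txids, 3)
        header = mine_block(prev, root, 1288000000 + 600 * height)  # constructed times
        headers.append(header)
        prev = sha256d(header)
        if height == 1:
            proof = {"txid": txids[3], "branch": branch, "index": 3, "height": 1}
    return {"headers": headers, "proof": proof}


if __name__ == "__main__":
    demo = build_demo()
    print("total work:", verify_header_chain(demo["headers"]))
    p = demo["proof"]
    print("tx included:", verify_merkle_branch(
        p["txid"], p["branch"], p["index"], merkle_root_of(demo["headers"][p["height"]])))
    print("header bytes per day:", daily_header_bytes())
```

At 80 bytes per header and roughly 144 blocks a day this comes to 11,520 bytes, which is the "about 12KB per day" figure in the quoted message. The caveat a practitioner should keep in mind is that a header-only client learns that a transaction sits in the chain with the most work behind it; it does not see the other transactions, so it cannot itself detect a conflicting spend that the block producers accepted, and it is trusting that the majority of hashing power is honest. That is the same point made above: the verification burden has moved to the nodes producing blocks, not vanished.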