Compact E-Cash discussion

doc/paper/taler.bib

@@ -99,14 +99,30 @@
 
 
 @inproceedings{Camenisch05compacte-cash,
-    author = {Jan Camenisch and Susan Hohenberger and Anna Lysyanskaya},
-    title = {Compact e-cash},
-    booktitle = {In EUROCRYPT, volume 3494 of LNCS},
-    year = {2005},
-    pages = {302--321},
-    publisher = {Springer-Verlag}
-    url = {http://cs.brown.edu/~anna/papers/chl05-full.pdf},
-    url_citeseerx = {http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.136.4640}
+  author = {Jan Camenisch and Susan Hohenberger and Anna Lysyanskaya},
+  title = {Compact e-cash},
+  booktitle = {In EUROCRYPT, volume 3494 of LNCS},
+  year = {2005},
+  pages = {302--321},
+  publisher = {Springer-Verlag},
+  url = {http://cs.brown.edu/~anna/papers/chl05-full.pdf},
+  url_citeseerx = {http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.136.4640}
+}
+
+
+@Inbook{ST99,
+  author="Sander, Tomas and Ta-Shma, Amnon",
+  editor="Wiener, Michael",
+  title="Auditable, Anonymous Electronic Cash",
+  bookTitle="Advances in Cryptology --- CRYPTO' 99: 19th Annual International Cryptology Conference Santa Barbara, California, USA, August 15--19, 1999 Proceedings",
+  year="1999",
+  publisher="Springer Berlin Heidelberg",
+  address="Berlin, Heidelberg",
+  pages="555--572",
+  isbn="978-3-540-48405-9",
+  doi="10.1007/3-540-48405-1_35",
+  doi_url="http://dx.doi.org/10.1007/3-540-48405-1_35",
+  url = {http://www.cs.tau.ac.il/~amnon/Papers/ST.crypto99.pdf"}
 }
 
 

doc/paper/taler.tex

@@ -292,15 +292,37 @@ multiple transactions can be linked to each other.
 Performing fractional payments using $k$-show signatures is also 
 rather expensive.
 
-% For longer non-conference version :
-% -Add note on Carmenisch's compact e-cash withdrawals \cite{Camenisch05compacte-cash}
-% -Add note on Merkle tree based scheme that inspired Zerocash
+In pure blind signature based schemes like Taler, withdrawal and spend
+operations require bandwidth logarithmic in the value being withdrawn
+or spent.  In \cite{Camenisch05compacte-cash}, there is a zero-knoledge
+scheme that improves upon this, requiring only constant bandwidth for
+withdrawals and spend operations, but sadly the exchanges' storage and
+search costs become lienar in the total value of all transactions. 
+In princile, one could correct this by adding multiple denominations, 
+an open problem stated already in \cite{Camenisch05compacte-cash}.
+As described, the scheme employs offline double spending protection,
+which inherently makes it fragile and create an wholey unneccasry 
+deanonymization risk.  We believe the offline protection from double
+spending could be removed, thus switching the scheme to only protection
+against online doulbe spending, like Taler. 
+Along with fixing these two issues, an interesting applied research project
+would be to add partial spending and a form of Taler's refresh protocol.
+At present, we feel these relatively new cryptographic techniques incur
+unacceptable financial risks to the exchange, due to underdeveloped
+implementation practice.
+
+In this vein, there are pure also zero-knoledge proof based schemes
+like \cite{ST99}, and subsequently Zerocash~\cite{zerocash}, and maybe
+varations on BOLT~\cite{BOLT}, that avoid using any denomination-like
+constructs, slightly reducing metadata leakage.  At present, these all
+incur excessive bandwidth or computational costs however.
 
 %Some argue that the focus on technically perfect but overwhelmingly
 %complex protocols, as well as the the lack of usable, practical
 %solutions lead to an abandonment of these ideas by
 %practitioners~\cite{selby2004analyzing}.
 
+% FIXME: Move to top of section?
 % FIXME: ask OpenCoin dev's about this! Then make statement firmer!
 To our knowledge, the only publicly available effort to implement
 Chaum's idea is Opencoin~\cite{dent2008extensions}.  However, Opencoin