the mint received sats and sent sats, ecash didn't obviate that.
If the mint only has one user I could see your point. In my example the mint has more than one user: me and the person buying from me. Explain how privacy is not achieved here? The point is that neither the mint nor anyone watching the Bitcoin chain can be sure if the sats that came out belong to me or to the purchaser. This is privacy.
The Bitcoin transaction is where it came from and where it went, your IOU is not a Bitcoin transaction
Compare now to if you were using Wallet of Satoshi, what privacy was gained? Nothing
reply
My IOU doesn't enter into the equation, because in my example I have traded it away. The end state of the example is that I control sats that used to be controlled by someone else and there is no on chain record that can be linked to me.
In the case of WoS they have knowledge of the specific balance change to my account. Ecash mint does not have the same level of insight.
reply
because in my example I have traded it away
No, you just used a custodian to receive and spend Bitcoin
How long the buyer had an "account" on the same custodian is irrelevant
In the case of WoS they have knowledge of the specific balance change to my account
No different than if you created a new WoS account every time you received, it's all meaningless ephemeral keys and the custodian still has all in/out data.
reply
No different than if you created a new WoS account every time you received, it's all meaningless ephemeral keys and the custodian still has all in/out data.
This is a good example. However, there is nothing in WoS that is similar to the bearer-ness of an ecash token.
My understanding of ecash is that when I give a token to someone else they have to return it to the mint and get issued a new one in order to ensure that I don't double spend them.
This would be akin to taking my WoS account, giving someone else the login info and then that person logging in and sweeping it to some account they control.
With ecash my understanding is that the mint doesn't see all the various tokens that are in existence. Whereas in WoS they always see all balances.
It seems to me that it is possible to trade ecash tokens to someone else without the mint knowing such a trade has happened. More difficult with WoS.
reply
a JWT is literally a bearer token
transferring value from one JWT to another would require a DB tx, with ECash it requires a new signature
There's some added obfuscation by not using the DB, but that's only internally, and it's not particularly useful relative to other methods non-KYC custodians like WoS use... and you're left arguing the point that the use case is large custodians, like the US Treasury or Coinbase
This means nothing for Bitcoin
reply
Again we come to this: am I wrong that the ecash mint cannot single out a specific token for freezing/blocking?
A web token can trivially be singled out.
An internal difference is important. I don't see how this would only apply to large custodians.
Not being able to selectively target tokens for some action seems very useful to me.
reply
single out a specific token
If that token was uniquely minted, yes, as mint events can use key-tweaking to distinguish mint rounds. Every ECash "buy" could be uniquely tainted, clients may have mitigations for that but it's ultimately a cat-mouse game that the NSA is likely steps ahead of.
web token can trivially be singled out.
A web token is still just another anonymous random string, so your point is moot
I don't see how this would only apply to large custodians.
Small custodians have insignificant anonset that is trivially undone by any kind of multi-stage heuristic
Not being able to selectively target tokens for some action seems very useful to me
You just want to believe that, there's no empirical rationale for it outside of KYC institutions
reply
Thanks for this comment. It's helpful. The idea of tainting every issued ecash token is something I have not heard about.
As to the size of the anonset: I do wish this was something there was more discussion about. Clearly there is some minimum number of users below which it's easy to disentangle different users.
You seem to be missing the fact that the mint doesn't have any kind of sense for who has what token.
If I deposit 32 sats via lightning, the mint gives me an IOU for 32 sats. This IOU is mumble mumble some kind of random string mumble mumble that is signed by the mint but without the mint being able to see the random string. The mint signs it with its 32-sat key. Then I give this token to the merchant and the merchant presents the signed string to the mint and asks for sats to be sent via lightning in exchange (or simply for a new token to be created).
reply
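The "mumble mumble" step in the comment above, as an added example that is not part of the thread and not code from any ecash project: a textbook RSA blind signature stands in for whatever scheme a given mint runs. The toy keys, the `Mint` class and all function names are hypothetical, and the `signing_key` argument models the key-tweaking raised earlier in the thread so that the wallet-side check against the published key can be shown.

```python
import hashlib, secrets
from math import gcd

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):  # toy RSA key from constructed primes, far too small for real use
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def h(secret, n):  # map the wallet's random secret to an integer below n
    return int.from_bytes(hashlib.sha256(secret).digest(), "big") % n

def blind(secret, n):  # wallet: hide H(secret) behind a random factor r
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return (h(secret, n) * pow(r, E, n)) % n, r

def unblind(blind_sig, r, n):  # wallet: strip r, leaving a signature on H(secret)
    return (blind_sig * pow(r, -1, n)) % n

def verify(secret, sig, n):  # anyone can check a token against the published key
    return pow(sig, E, n) == h(secret, n)

class Mint:
    def __init__(self, key):
        self.key, self.seen_at_issue, self.spent = key, [], set()

    def issue(self, blinded, signing_key=None):
        """Sign a blinded value; the blinded value is all the mint can log."""
        k = signing_key or self.key
        self.seen_at_issue.append(blinded)
        return pow(blinded % k["n"], k["d"], k["n"])

    def redeem(self, secret, sig):  # accept once: valid signature, unseen secret
        if secret in self.spent or not verify(secret, sig, self.key["n"]):
            return False
        self.spent.add(secret)
        return True

def demo():
    published = make_key(2**61 - 1, 2**89 - 1)   # the mint's "32-sat key"
    tweaked = make_key(2**107 - 1, 2**127 - 1)   # per-user key, never published
    mint, n, secret = Mint(published), published["n"], secrets.token_bytes(16)
    blinded, r = blind(secret, n)
    token = unblind(mint.issue(blinded), r, n)            # honest issuance
    tagged = unblind(mint.issue(blinded, tweaked), r, n)  # issuance under the tweaked key
    return (h(secret, n) in mint.seen_at_issue, verify(secret, token, n),
            verify(secret, tagged, n), mint.redeem(secret, token),
            mint.redeem(secret, token))
```

The wallet-side check catches a tagged token only when the wallet verifies against the same published key that every other user sees.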
That's not only not true, it's pointless, why use a custodian you're worried about being targeted by?
The server can key-tweak it, use countless other 2nd-stage heuristics... or simply not issue tokens after deposit
If that's your use case it's pathetic
reply
That's not only not true, it's pointless, why use a custodian you're worried about being targeted by?
A government could force an otherwise trustworthy custodian to take action against a user.
[...] or simply not issue tokens after deposit
Fair point. Can anybody familiar with the ecash protocols say whether there's some kind of protection against this?
reply