Here's a long response. But it's my only post of today, as the list was going on and on about atom bombs, uranium sabots, and alpha particles, and with debate about why some of us are ignoring these posts and the posts of ranters and baiters. This topic is more in line with my reasons for being on this list. Sorry for the length. Hal Finney writes:
> One question is the ease of theft in a digital cash environment, and the consequences of claiming that secrets have been stolen. This problem was recognized very early on in discussions of digital signatures. The whole point of a signature is so that someone can be held to a commitment. But an easy "out" would be to "accidentally on purpose" let the secret keys be stolen, then to claim that the signature was actually forged. Contrariwise, a business might be victimized by actually having its secrets stolen and a forged signature created that committed it to an unfavorable action.
Hal is right that the problem of *repudiation* or *disavowal* was recognized early on. Alice is confronted with a digital signature, or whatever. She says: "But I didn't sign that" or "Oh, that's my old key--it's obsolete" or "My sysadmin must have snooped through my files," or "I guess those key escrow guys are at it again."

APPROACHES TO REPUDIATION

** The purist approach: you *are* your key. If another biological unit obtains your key, he or she is effectively you. Guard your key carefully.

** The modern American "excuse" approach: Hey, if you want to disavow a contract, like, just claim your key was stolen or, like, you lost it.

I understand the reasoning behind adopting a more intermediate stance, but I think that only the purist stance will hold water in the long run. (A hint of this: untraceable cash means, for most transactions of interest with digital cash, that once the crypto stuff has been handled, whether the sig was stolen or not is moot, because the money is gone...no court can rule that the sig was invalid and then retrieve the cash!)

[It is true that Chaum went to great lengths to develop systems which preserve anonymity for single-spending instances, but which break anonymity and thus reveal identity for double-spending instances. I'm not sure what market forces caused him to think about this as being so important, but it creates many headaches. Besides being clumsy, it requires physical ID, it invokes a legal system to try to collect from "double spenders," and it admits the extremely serious breach of privacy by enabling stings. For example, Alice pays Bob a unit of money, then quickly Alice spends that money before Bob can...Bob is then revealed as a "double spender," and his identity revealed to whomever wanted it...Alice, IRS, Gestapo, etc. A very broken idea. Acceptable mainly for small transactions. More on this later.]
NEGOTIATED PROTOCOLS TO REDUCE RISKS

However, just as most folks make arrangements with their bank/ATM machines (semantic meaning #2 of "ATM") to limit cash withdrawals to, say, $200 a day (it varies), so too can digital cash arrangements make similar contractual deals to limit losses. Some possible plans:

* Plan A: The protocol insists on retinal scan or other biometric authentication between the "smartcard" used as the cryptographic keying device and the putative owner. The "Thunderball" plan. (Issues: preserving anonymity with biometric authentication, spoofing of the channel between card and physical apparatus, theft of smartcard, etc.)

* Plan B: The protocol only allows, say, $1000 per transaction. And no more than 3 transactions per day. Each transaction that is cleared sends a demon message to the account owner through a separate communications channel. (This sounds complex...the idea is to provide a signal that an account is being accessed, allowing the account owner to put a hold on the account. Even if he can't stop the transactions underway, or recently completed, because of the lags that may exist in this feedback, he can limit losses. Kind of a mix between off-line and on-line transactions....such mixes are to be expected, with the choice up to parties, depending on costs, risks, speed of communications, etc.)

* Plan C: Use off-line cash only for "small" transactions, such as those now handled with physical coins and small bills. Use on-line clearing for larger amounts, with various forms of biometric security. This echoes how things are done today: off-line cash is what you can carry, in bills, coin specie, etc. Larger amounts (hundreds of dollars and up) are almost always handled on-line, via either credit cards (on-line clearing, albeit not anonymous/untraceable) or checks, cashier's checks, etc.
(Coins and cash bills are really "on-line clearing" though, in that their existential properties make them acceptable immediately; they are not replicable, at least not easily, and hence can be conserved in transactions. All the usual stuff about the nature of cash money.)

Which will be used? (And there are many variants...) As usual, markets will allow choice. Many people will choose to limit exposure with Plan B-type transactions. Others will contract with insurance agents who cover risks by insisting on their own protocols for added security. (I don't mean conventional insurance agents, naturally.)

MISCELLANEOUS STUFF
> On the other hand, I would hope that people actually can learn to use care in safeguarding their secrets. The pass words and PINs we use today may be complemented by physical checks for voice patterns, thumb prints, perhaps (ironically) handwriting. Another approach would be suggestions (one here a couple of days ago) to use various kinds of information exchange between the authenticating device and the human user in order to prove authorization in such a way that even a thief who has snooped on past exchanges will not be able to use the device. This approach is sometimes called the use of "pass algorithms".

Most smartcards in use today support some form of local PIN entering, some way to provide a truly memorizable extra piece of identity. Other biometric measures remain a hot area of research. Stroke recognition, thumbprints, etc. In about 5 years, when I think digital cash will be ready for prime time (pun intended), these additional mechanisms should be deployable, for a price. (Market-driven again: those who want to pay less in insurance will take better steps. Companies may adopt standards. Banks may enforce them.)

"Zero knowledge interactive proof systems" have been used for password systems; no amount of past snooping or eavesdropping helps. (Of course, the user still has to have physical security over his local computer, or PDA, dongle, or secret decoder ring.) This seems like a readily-solvable problem (and one we already accept with existing ATM machines).

THE INCREDIBLE IMPORTANCE AND ELEGANCE OF ON-LINE CLEARING
> Applying this to the double-spending case, I suspect that Bob Hettinga is more on the right track in seeing the solution in the legal system rather than a simple "shucks, you caught me" forfeiting of a bond worth triple damages. There really should be no excuse for double spending, even of a penny, and the penalties could be made strong enough to deter most people. If a bank does not think they will be able to find and prosecute a person who is withdrawing off-line digital cash, they will probably not give any to him. Then if the money is double-spent, the person who withdrew it would be prima facie responsible, with a reasonable presumption that they did it unless there is significant evidence otherwise. I don't know that this is how it will work out but it is one possibility (unless the uncertainty just scares everybody away - but I think the digital signature experience will get people used to the concepts and problems).

*On-line clearing* for larger amounts is, in my opinion, the Right Thing. Networks are getting deployed widely and are speedy. ATM, SONET, ISDN, and all the rest. I want to elaborate on this, even though I think most of Hal's points are made with off-line clearing in mind. I want to make the case for why on-line clearing is the One True Digital Cash.

Conceptually, the guiding principle is simple: he who gets to the train locker where the cash is stored *first* gets the cash. There can never be "double spending," only people who get to the locker and find no cash inside. Chaumian blinding allows the "train locker" (e.g., Credit Suisse) to give the money to the entity making the claim without knowing how the number correlates to previous numbers they "sold" to other entities. Anonymity is preserved, absolutely. (Ignoring for this discussion issues of cameras watching the cash pickup, if it ever actually gets picked up.)

Once the "handshaking" of on-line clearing is accepted, based on the "first to the money gets it" principle, then networks of such clearinghouses can thrive, as each is confident about clearing. (There are some important things needed to provide what I'll dub "closure" to the circuit. People need to ping the system, depositing and withdrawing, to establish both confidence and cover. A lot like remailer networks. In fact, very much like them.)

In on-line clearing, only a number is needed to make a transfer. Conceptually, that is. Just a number. It is up to the holder of the number to protect it carefully, which is as it should be (for reasons of locality, for self-responsibility, and because any other option introduces repudiation, disavowal, and the "Twinkies made me do it" sorts of nonsense). Once the number is transferred and reblinded, the old number no longer has a claim on the money stored at Credit Suisse, for example. That money is now out of the train locker and into a new one.

(People always ask, "But where is the money, really?" I see digital cash as *claims* on accounts in existing money-holding places, typically banks. There are all kinds of "claims"--Eric Hughes has regaled us with tales of his explorations of the world of commercial paper. My use of the term "claim" here is of the "You present the right number, you get access" kind. Like the combination to a safe. The train locker idea makes this clearer, and gets around the confusion about "digimarks" or "e$" actually _being_ any kind of money in and of itself.)

Off-line systems may be useful for paying for movies, toll roads, etc., but there the protocols can be set up to limit exposure to fraud. (Ontological constraints, such as number of movie theater attendees, etc., will limit the losses. Scams will likely still exist, but the problem seems manageable with some work.) And as networks get much faster, expect even off-line cash to fade. Depends on costs, insurance rates, benefits, and of course on regulations.

The "first to the locker" approach causes the bank not to particularly care about this, just as a Swiss bank will allow access to a numbered account (or used to...please let's not have a dozen posts arguing about this, as is so often the case on this list!) by presentation of the number, and perhaps a key. Identity proof *may* be needed, depending on the "protocol" they and the customer established, but it need not be. And the last thing the bank is worried about is being able to "find and prosecute" anyone, as there is no way they can be liable for a double spending incident. The beauties of local clearing! (Which is what gold coins do, and paper money if we really think we can pass it on to others.)

I recall some analyses of these situations a while back. I looked in my "Crypto" Proceedings but didn't find it. The danger of making the "person who withdrew it" a culprit if the money has already been "spent" is clear: he is just as likely to be an innocent victim of a setup as the guilty party. With off-line clearing, and not the "handshaked" beauty of immediate clearing, one has to rely on "trust"--tough with an anonymous person.

On-line clearing has the possible danger implicit in all trades that Alice will hand over the money, Bob will verify that it has cleared into his account (in older terms, Bob would await word that his Swiss bank account has just been credited), and then Bob will fail to complete his end of the bargain. If the transaction is truly anonymous, over computer lines, then of course Bob just hangs up his modem and the connection is broken. This situation is as old as time, and has always involved protocols in which trust, repeat business, etc., are factors. Or escrow agents.

REAL ESCROW AND TRUE NYMS

Long before the "key escrow" of Clipper, true escrow was planned. Escrow as in escrow agents. Or bonding agents. Alice and Bob want to conduct a transaction. Neither trusts the other; indeed, they are unknown to each other. In steps "Esther's Escrow Service." She is _also untraceable_, but has established a digitally-signed presence and a good reputation for fairness. Her business is in being an escrow agent, like a bonding agency, not in "burning" either party. (The math of this is interesting: as long as the profits to be gained from any small set of transactions are less than her "reputation capital," it is in her interest to forego the profits from burning and be honest. It is also possible to arrange that Esther cannot profit from burning either Alice or Bob or both of them, e.g., by suitably encrypting the escrowed stuff.)

Alice can put her part of the transaction into escrow with Esther, Bob can do the same, and then Esther can release the items to the parties when conditions are met, when both parties agree, when adjudication of some sort occurs, etc. (There are a dozen issues here, of course, about how disputes are settled, about how parties satisfy themselves that Esther has the items she says she has, etc.)

UNTRACEABLE MARKETS FOR ASSASSINATIONS

To make this brutally concrete, here's how escrow makes murder contracts much safer than they are today to negotiate. Instead of one party being caught in an FBI sting, as is so often the case when amateurs try to arrange hits, they can use an escrow service to insulate themselves:

1. From being traced, because the exchanges are handled via pseudonyms.

2. From the killer taking the money and then not performing the hit, because the escrow agent holds the money until the murder is verified (according to some protocol, such as a newspaper report...again, an area for more work, thankfully).

3. From being arrested when the money is picked up, as this is all done via digital cash.

There are some ways to reduce the popularity of this Murder, Incorporated system. (Things I've been thinking about for about 6 years, and which we discussed on the list and on the Extropians list. I'll save this for another time.) My point here is to show how on-line clearing works in conjunction with an escrow agent function. (Esther clears the cash, and can issue new cash to Bob, who "trusts" her that if he does the job, the cash will clear, as she's the escrow agent he's dealt with many times before.)

IS PROOF OF PHYSICAL IDENTITY NEEDED?

> The other point I wanted to discuss was this issue of the bank authenticating the people who receive the cash. This does raise the spectre of a big brother system where there is some way to identify people with 100% certainty. Obviously this could be abused.

THE DANGER OF EVER USING PHYSICAL IDENTITY VERIFICATION

Danger! Danger! Danger! Any such system that relies on physical IDs is substantially less private than banks today in many countries, and is not at all what I would call "digital cash." On-line clearing makes this unnecessary.
> Without the authentication, you're not going to have off-line cash, IMO. You will be stuck with on-line systems in which everyone has to verify everything before accepting it. This means you pay a cost in communications overhead and possibly other foregone opportunities.
Agreed. But acceptable with a two-tiered system:

- off-line cash for small transactions, with smartcards, "observer" protocols, and with built-in limits

- on-line, immediately-cleared cash for larger transactions, also with various agreed-upon limits or requirements

RISKS

Is there a danger that people will lose the numbers that they need to redeem money? That someone could steal the number and thus steal their money? Sure. There's the danger that I'll lose my bearer bonds, or forget my Swiss bank account number, or lose my treasure map to where I buried my money (as Alan Turing supposedly did in WW II). People can take steps to limit risk. More secure computers. Dongles worn around their necks. Protocols that involve biometric authentication to their local computer or key storage PDA, etc. Limits on withdrawals per day, etc. People can store key numbers with people they trust, perhaps encrypted with other keys, can leave them with their lawyers, etc. All sorts of arrangements can be made.

Where I'm not sure I agree with what Hal is saying is that _personal identification_ is but one of these arrangements. Often used, but not essential to the underlying protocol. Again, the Swiss banks (maybe now the Liechtenstein anstalts are a better example) don't require physical ID for all accounts. (More generally, if Charles wants to create a bank in which deposits are made and then given out to the first person who sings the right tune, why should we care? This extreme example is useful in pointing out that _contractual arrangements_ need not involve governmental or societal norms about what constitutes proof of identity.)

PAPIEREN, BITTE

Hal goes on to talk about blinded credentials. A very important idea in our permission slip-happy society, and an idea that is not getting nearly enough attention. (Chaum's seminal "Transaction Systems to Make Big Brother Obsolete," from Oct or Nov of 1985, in "Communications of the ACM," remains required reading here.)
But I also take a more radical view. Ask yourself why credentials are _ever_ needed. Maybe for driving a car, and the like, but in those cases anonymity is not needed, as the person is in the car, etc. Credentials for drinking age? Why? Let the parents enforce this, as the argument goes about watching sex and violence on t.v. (If one accepts the logic of requiring bars to enforce children's behavior, then one is on a slippery slope toward requiring television set makers to check smartcards of viewers, or of requiring a license to access the Internet, etc.) In almost no cases do I see the need to carry "papers" with me. Maybe a driver's license, like I said. In other areas, why?

This gets to a core issue: the incredible benefits of locally clearing a transaction. Caveat emptor, buyer beware, etc. Cash on the barrelhead. In transactions where "future performance" is needed, as in a contract to have a house built, or to do some similar job, then of course the idea of on-line or immediate clearing is bogus...like paying a stranger a sum of money on his promise that he'll be back the next day to start building you a house. Parties to such long-term, non-locally-cleared cases may contract with an escrow agent, as I described above. This is like the "privately-produced law" we've discussed so many times. The essence: voluntary arrangements. Maybe proofs of identity will be needed, or asked for, maybe not. But these are not the essence of the deal.

An interesting area. I apologize if this essay, while long, is not quite long enough to capture the ideas I wanted to express. To me, these are core ideas. Maybe not as core to those of you who favor talking about depleted uranium sabots (but what about Chobham armor and explosive armor?) or about "PGP rulz, d00d!," but core issues to me. Your smileage may vary.

--Tim May

..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."
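A worked illustration of the "first to the locker" on-line clearing argued for in the post above, added here as an example and not part of Tim May's or Hal Finney's messages. A toy mint issues RSA blind signatures on coin serial numbers (Chaumian blinding, so the mint's withdrawal record cannot be matched to the coin later redeemed) and clears deposits on-line against a set of already-spent serials, so the second presentation of the same number finds the locker empty and a number with no valid signature is refused outright. The Mint/withdraw/deposit names, the two-step payer routine, and the small fixed key are my own assumptions. Textbook RSA with a tiny modulus and no padding is used for readability only; it is not secure (raw RSA signatures are multiplicatively malleable, among other problems) and should not be reused as-is.

```python
"""Toy on-line clearing with Chaumian blind signatures.

Added illustration, not code from the original post. Textbook RSA with a
small modulus and no padding: readable, NOT secure. The Mint class and
its method names are assumptions made for this example.
"""
import hashlib
import secrets
from math import gcd

# Toy RSA key for the mint (the "train locker", e.g. Credit Suisse in the
# essay). Small primes chosen so the numbers stay readable; a real mint
# would use a 2048-bit-plus modulus and a hash-then-pad signature scheme.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def coin_hash(serial: bytes) -> int:
    """Map a coin serial to the RSA message the mint signs (the 'number')."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Mint:
    """The bank: signs blinded withdrawals and clears deposits on-line."""

    def __init__(self) -> None:
        self.spent = set()        # serials already redeemed: emptied lockers
        self.seen_blinded = []    # everything the mint saw at withdrawal time
        self.balances = {}

    def withdraw(self, account: str, blinded: int) -> int:
        # Debit the account and sign the blinded message. The mint only ever
        # sees blinded = coin_hash(serial) * r^E mod N, never coin_hash(serial).
        self.balances[account] = self.balances.get(account, 0) - 1
        self.seen_blinded.append(blinded)
        return pow(blinded, D, N)

    def deposit(self, account: str, serial: bytes, sig: int) -> str:
        """'First to the locker gets the cash.' Returns the clearing outcome."""
        if pow(sig, E, N) != coin_hash(serial):
            return "rejected: bad signature"          # forged or corrupted coin
        if serial in self.spent:
            return "rejected: locker already empty"   # double spend attempt
        self.spent.add(serial)
        self.balances[account] = self.balances.get(account, 0) + 1
        return "cleared"


def make_coin(mint: Mint, account: str) -> tuple:
    """Payer side: choose a serial, blind it, have it signed, unblind it."""
    serial = secrets.token_bytes(16)
    m = coin_hash(serial)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded_sig = mint.withdraw(account, (m * pow(r, E, N)) % N)
    sig = (blinded_sig * pow(r, -1, N)) % N   # = m^D mod N, the unblinded signature
    return serial, sig


def demo() -> dict:
    """Alice withdraws one coin and pays Bob; Bob clears it first; Alice
    then tries to spend the same number again; Mallory presents a forgery."""
    mint = Mint()
    serial, sig = make_coin(mint, "alice")
    return {
        # The redeemed number never appears in the mint's withdrawal log.
        "unlinkable": coin_hash(serial) not in mint.seen_blinded,
        "bob_first": mint.deposit("bob", serial, sig),
        "alice_respend": mint.deposit("alice", serial, sig),
        "forged": mint.deposit("mallory", b"forged", 12345),
        "alice_balance": mint.balances["alice"],
        "bob_balance": mint.balances["bob"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks in deposit() are the whole of double-spend handling under on-line clearing: the signature check keeps the mint from paying on numbers it never issued, and the spent-serial set means the second presenter simply finds nothing in the locker. Neither check needs to know who is depositing, which is the point the post makes about not requiring physical identity. A production design would replace the raw RSA with a padded blind-signature scheme, use a denomination per key, and make the spent set a durable, replicated store, since losing it would reopen every locker.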