On Mon, 27 Nov 2000, A. Melon wrote:
Newby puzzles:
Right, I agree.
But what I'd like to consider is a recipe for "plain ordinary" folk to conspire anonymously to commit murder.
Did you even bother to read AP? RTFM, dude!
Speaking as someone who has very recently read AP, the protocol presented therein is incomplete. I'm collecting protocols, trying to write a reference work of them, and, well, I'm most of the way through the A's so the other day I looked at Assassination Politics again. Since this time I was trying to distill a formal protocol specification, I was a lot more critical about fine points. Bell handwaved on the point of obtaining digital cash for paying the assassin with. Bob the broker can go to the bank and obtain it in the usual way, of course - but then has to transfer it to Alice the assassin, and there's a sticky point involved. If he just "copies" the money to Alice, she can double-spend with impunity and it's Bob's identity that will be revealed. Conversely, if she provides tokens for the bank to sign, then Bob has a major problem getting them past the cut-and- choose protocol at the bank. Even if she provides enough tokens to completely populate the cut-and-choose protocol, those tokens still have to have splits of valid identification information for somebody in them - and giving them all to Bob so that Bob could complete the protocol with the bank - would imply that Bob is privy to that information. Worse, the bank will have the information from the cuts it didn't choose, and has to make sure it all matches. Thus, Bob the Broker and Dave the Banker can identify Alice - or at the very least someone whose identification Alice has stolen. Finally, Carol the contributor has to have a way to check the digital cash that was sent Alice - to make sure Bob is not holding out her contribution. This works if Carol's original coinage is simply encrypted under the key that the successful predictor used - because Carol can perform the same computation and make sure that bit string appears in the "payment" package. But then Carol has the same problem where Alice can double-spend with impunity and it's Carol's identity that will be revealed. On the other hand, if Carol's digital cash is transferred to Bob by protocol, there's no way she can recognize it later under encryption. (and under commercial digital cash protocols now in use, no way Bob can retransfer it to Carol). So if Bob deposits the money and obtains new digital cash, Carol needs a way to look at that digital cash and know that it does in fact carry the bank's signatures for the proper amounts - she can't recognize her own bills, but she can check that the total is correct from the last point at which she could. But Carol has to be provided this information without providing her enough information to just spend the cash herself. In short, AP as described by Bell appears to depend on digital cash having some exotic and not-otherwise-very- useful properties, including a bank with a protocol that allows issue-by-proxy, which has no readily apparent commercial use. No protocol for digital cash that I'm yet aware of has these properties. Hence, without some major engineering work, and probably the active cooperation of some bank, AP as described cannot be implemented. I think some of these problems could be solved by engineering; but A, it would be non-trivial work, and B, I don't think I care to waste any effort on figuring out secure ways to kill people outside the law. Bear