Gee, this sounds familiar. :-) I remember talking about cash-settled routing with Vinnie Moscaritolo, while bouncing around in his bumper-sticker-festooned Toyota pickup when I did my first Apple talk in 1995 or so. It's kinda like Feynman's "patent" for the atomic powered bomber, one of the first things you bump into when you think about how small bearer transactions could go. No doubt the Agorics guys were talking about something equivalent in the "digital silk road" days; turtles all the way down, and so on. Cash-settled routing is essentially a streaming cash application, just like streaming music, or a whole lot of other things, if you hop back and forth across the particle/wave phenomenon that is the world of internet protocols. The simple way to deal with double spending of streaming coins is to assay (statistical sample) the coins in real-time, do a redeem-reissue on assay, and to do a redeem/reissue on all your coins after completion of the transaction to make sure that the coins you have aren't double spent. Or not, I suppose. The risk is entirely yours, same as it ever was with off-line or, in the case of streaming, quasi-offline, transactions. As an underwriter (I hate the word bank for various reasons), I would assay coins randomly on redemption and pay for the whole lot to save myself and my customers time and bandwidth. As for the coins themselves we were looking at Shamir/Rivest's micromint for this the first time around, but Nicko wrote a paper for FC00 showing that simple rsa-signed coins are more scalable from case zero. BTW, I think of "coins" as things requiring probabilistic settlement like this, and "notes" as things requiring individual settlement, like blind-signature instruments. Obviously, Moore's Law determines the "thermocline" ("pecunicline"? :-)) for this, the boundry layer between "coins" and "notes". I chose probabilistic settlement, because micromint, and other streaming coin applications, pretty much require a factory to produce the coins, just like it takes a whole factory to make one penny, the first being the most expensive, economies of scale, and all that. Of course, Rivest/Micali's "Peppercoin" is the exception that proves the notes/coins decision-rule, because, while a completely book-entry transaction, it's probabilistically settled, Peppercoin being a "lottery" where you write an arbitrarily large number of biometric- identity checks and pay only one of them. So Pepper*coin* is really Pepper*check*, but, obviously, that name would probably make the VCs eyes glaze over, so its just as well they didn't use it. Anyway, for TOR itself, like anonymous remailers, cash settlement, streaming or otherwise, is necessary, because the economics of the idea at the moment is entirely transfer-priced, meaning that, like open source -- or other advertisement-supported media :-) -- the product is included "free" in transactions for other things. Since anonymity is, shall we say, atomistic in its necessity, it's hard to support it with something else besides cold, hard, cash. Cheers, RAH Begin forwarded message:
From: Eugen Leitl <eugen@leitl.org> Date: September 24, 2008 4:43:14 AM GMT-04:00 To: cypherpunks@al-qaeda.net Subject: Re: (micro)payments for anonymous routing in Tor?
----- Forwarded message from Josh Albrecht <thejash@gmail.com> -----
From: Josh Albrecht <thejash@gmail.com> Date: Wed, 24 Sep 2008 03:44:39 -0400 To: or-talk@freehaven.net Subject: Re: (micro)payments for anonymous routing in Tor? Reply-To: or-talk@freehaven.net
* payments turn it into a service with an expected outcome. Assumably (among others) that is 1) your anonymity is maintained and 2) your payment is completed successfully. What happens _when_ something goes wrong? As of now, the first thing that Tor says is "This is experimental software. Do not rely on it for strong anonymity. " It would have to add, "Do not rely on this to successfully route your financial transactions" and while the first is a warning most can accept, the second may really scare us.
This came up on IRC as well. Someone pointed out that the paper's assumption of "honest but curious" banks might not be valid (ie, the bank might cheat). However, there are a few counter-arguments to that that I see.
For the S-coins, it will be immediately obvious to a relay that the bank is cheating, because the relay can validate whether the payment is good or not on its own. For the A-coins, the answer is trickier. The relays can still check the validity of the payment, but the client could be "double-spending". If the bank pays A-coins even in the case of double-spending, the bank can never cheat. The downside is that anonymous clients can then cheat to get slightly more value for A-coins than they put in. This is a serious problem because it would allow the client to pay multiple relays that they control, essentially duplicating their money for free.
Thus, the bank must decline all payment for double-spent A-coins, or at least allow only one payment for any A-coin. However, clients can still validate that the bank is not cheating by withdrawing and depositing A-coins at any time in an attempt to catch the bank cheating. This is more of an economic argument--the bank has an incentive to maintain user trust so that it can continue to do business. The value gained by cheating some users of A-coins would likely be less than the expected gain from NOT having to worry about the risk of someone demonstrating that the bank is cheating.
Also, the values at stake are: 1. very small, and 2. greater than the current profit of zero for relay operators. It's not that relay operators have to rely on Tor for their financial security--they could, with this scheme, make some modest amount to cover their costs. No single relay operator should ever have a significant amount of money in the system that could possibly be at risk.
On Wed, Sep 24, 2008 at 12:05 AM, <tor-operator@sky-haven.net> wrote: How do you pay anonymously yet have the system fairly permit "paid" traffic to have higher priority? With anonymity intact, how do you audit and enforce this policy?
I think your first question was about how to ensure that giving priority to certain traffic does not introduce any new attacks against anonymity? In that case, I'm not sure, but it is not at all clear to me that this would decrease anonymity. Does anyone see such an attack?
As for the second question, I think it was: what prevents relay operators from choking off all unpaid traffic, in order to maximize profits? As an answer to that, I'd say that not much prevents them from doing that. Perhaps there are anonymity benefits to allowing unpaid traffic as well (since there would be more ambiguity as to the original source of the traffic). There might also be ethical benefits to allowing unpaid traffic, ie, much the same motivation for the current operators of Tor relays. Finally, if this were the default behavior, novice users would be unlikely to change it, and that alone might be enough bandwidth for unpaid users.
Thanks for the thoughts! - Josh
----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE