At 7:16 PM -0800 11/27/00, Ray Dillinger wrote:
> Since this time I was trying to distill a formal protocol specification, I was a lot more critical about fine points.
> Bell handwaved on the point of obtaining digital cash for paying the assassin with.

There's often "hand-waving" when reasoning about digital cash and how it is transferred, spent, redeemed, etc. Bell is not a cryptographer. Also, he didn't claim to have built a working system. (I think any of us could be called as witnesses to refute a state claim that he was deploying a real system!) However, much of your reasoning below is _also_ hand-waving. Fortunately, there's a way to cut through it. I'll cover this at the end, after your included section (which I would normally snip, but won't this time).

> Bob the broker can go to the bank and obtain it in the usual way, of course - but then has to transfer it to Alice the assassin, and there's a sticky point involved. If he just "copies" the money to Alice, she can double-spend with impunity and it's Bob's identity that will be revealed.
>
> Conversely, if she provides tokens for the bank to sign, then Bob has a major problem getting them past the cut-and-choose protocol at the bank. Even if she provides enough tokens to completely populate the cut-and-choose protocol, those tokens still have to have splits of valid identification information for somebody in them - and giving them all to Bob so that Bob could complete the protocol with the bank - would imply that Bob is privy to that information. Worse, the bank will have the information from the cuts it didn't choose, and has to make sure it all matches. Thus, Bob the Broker and Dave the Banker can identify Alice - or at the very least someone whose identification Alice has stolen.
>
> Finally, Carol the contributor has to have a way to check the digital cash that was sent Alice - to make sure Bob is not holding out her contribution. This works if Carol's original coinage is simply encrypted under the key that the successful predictor used - because Carol can perform the same computation and make sure that bit string appears in the "payment" package. But then Carol has the same problem where Alice can double-spend with impunity and it's Carol's identity that will be revealed. On the other hand, if Carol's digital cash is transferred to Bob by protocol, there's no way she can recognize it later under encryption. (And under commercial digital cash protocols now in use, no way Bob can retransfer it to Carol.) So if Bob deposits the money and obtains new digital cash, Carol needs a way to look at that digital cash and know that it does in fact carry the bank's signatures for the proper amounts - she can't recognize her own bills, but she can check that the total is correct from the last point at which she could. But Carol has to be provided this information without providing her enough information to just spend the cash herself.
>
> In short, AP as described by Bell appears to depend on digital cash having some exotic and not-otherwise-very-useful properties, including a bank with a protocol that allows issue-by-proxy, which has no readily apparent commercial use. No protocol for digital cash that I'm yet aware of has these properties. Hence, without some major engineering work, and probably the active cooperation of some bank, AP as described cannot be implemented.
It's simple: If payer-anonymity (payer is untraceable by the payee) and payee-anonymity (payee is untraceable by the payer) exists, then the buyers and sellers of some "thing" are untraceable to each other. Whether that "thing" is a piece of warez or a bet in a murder pool (cf. Jack London for a much earlier discussion than Bell's). Arguing how complicated or confusing digital cash can be by citing a specific market like AP is what I mean by hand-waving. If, for example, the Mojo Nation folks succeed in making "mojo" both payer-anonymous AND payee-anonymous, then all of the hand-waving above is beside the point.
> I think some of these problems could be solved by engineering; but A, it would be non-trivial work, and B, I don't think I care to waste any effort on figuring out secure ways to kill people outside the law.
>
> Bear

RTFM.

--Tim May

--
(This .sig file has not been significantly changed since 1992. As the election debacle unfolds, it is time to prepare a new one. Stay tuned.)
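The double-spend mechanism Ray's argument rests on ("If he just 'copies' the money to Alice, she can double-spend with impunity and it's Bob's identity that will be revealed") is the identity-split construction of Chaum-Fiat-Naor offline cash. The following is an added Python example, not code from this thread or from any cash system it mentions: a deliberately simplified version that keeps only the splits, the spend-time challenge, and the bank's double-spend recovery, and omits the bank's blind signature on the commitments and the cut-and-choose check at withdrawal. The names (Bob, Alice), the identity encoding, the split count K, and the SHA-256 commitment are all constructed for the demo.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed toy parameters: fixed-width identity and number of identity splits.
ID_BYTES = 8
K = 16  # two independent random challenges differ in some position w.p. 1 - 2**-K


def H(data: bytes) -> bytes:
    """Commitment function (hash of a secret half); a stand-in for the real scheme's."""
    return hashlib.sha256(data).digest()


def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


@dataclass
class Coin:
    """A coin as its withdrawer holds it: public commitments plus the secret halves."""
    commitments: list  # [(H(a_i), H(b_i))]: what the bank would sign and payees see
    a: list            # secret halves a_i (random)
    b: list            # secret halves b_i = a_i XOR identity


def mint_coin(identity: bytes) -> Coin:
    """Withdrawer builds K independent two-way splits of its identity. In the full
    scheme the bank opens a random subset to check the splits really encode this
    identity, then blind-signs the rest; both steps are omitted here (hypothetical)."""
    assert len(identity) == ID_BYTES
    a = [secrets.token_bytes(ID_BYTES) for _ in range(K)]
    b = [xor(ai, identity) for ai in a]
    return Coin([(H(ai), H(bi)) for ai, bi in zip(a, b)], a, b)


def random_challenge() -> list:
    """Payee picks one bit per split at spend time."""
    return [secrets.randbelow(2) for _ in range(K)]


def spend(coin: Coin, challenge: list) -> list:
    """Payer reveals a_i for challenge bit 0, b_i for bit 1. One spend exposes only
    one half of every split, which is uniformly random and says nothing about identity."""
    return [coin.a[i] if bit == 0 else coin.b[i] for i, bit in enumerate(challenge)]


def verify_spend(commitments: list, challenge: list, response: list) -> bool:
    """Payee (and later the bank, at deposit) checks each revealed half opens its commitment."""
    if len(challenge) != K or len(response) != K or len(commitments) != K:
        return False
    return all(H(r) == commitments[i][bit]
               for i, (bit, r) in enumerate(zip(challenge, response)))


def detect_double_spend(commitments: list, t1: tuple, t2: tuple):
    """Bank receives the same coin in two deposits. At any index where the two
    challenges differ, it holds both halves of that split, and their XOR is the
    withdrawer's identity. Returns None for a replayed (identical) transcript or
    for transcripts that do not verify against the coin."""
    (c1, r1), (c2, r2) = t1, t2
    if not (verify_spend(commitments, c1, r1) and verify_spend(commitments, c2, r2)):
        return None
    for i in range(K):
        if c1[i] != c2[i]:
            return xor(r1[i], r2[i])
    return None


def copied_coin_scenario() -> bytes:
    """Constructed demo of Ray's point: Bob withdraws a coin bound to his identity and
    hands Alice a copy. Alice spends it with two different payees; when both deposit,
    the bank recovers Bob's identity, not Alice's."""
    bob = b"BOB-0001"  # constructed identity string
    coin = mint_coin(bob)
    public = coin.commitments  # this is all Alice needs to pass on, plus a and b
    c1, c2 = random_challenge(), random_challenge()
    while c2 == c1:  # vanishingly rare, but keep the demo deterministic
        c2 = random_challenge()
    t1 = (c1, spend(coin, c1))
    t2 = (c2, spend(coin, c2))
    return detect_double_spend(public, t1, t2)


if __name__ == "__main__":
    print("bank recovered:", copied_coin_scenario())
```

The design point the code makes concrete is that the identity inside the coin is fixed at withdrawal, so whoever copies a coin onward is the one exposed when it is spent twice; a transfer that re-binds the coin to the new holder would need the bank's cooperation at every hop, which is the "issue-by-proxy" property Ray says no deployed scheme has. The `verify_spend` check in `detect_double_spend` matters: without it a payee could fabricate a second "transcript" and frame the withdrawer with a bogus identity.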