Someone, whose reputation is bigger than God, in the hope of sparing me public humiliation from the error of my ways (the very paradigm of a lost cause :-)), wrote to me offline on this topic. I'm posting it here, because frequently people reply to me with stuff which is extremely relevant to the argument at hand, and which should be heard in public. The main consideration I use is that none of the information in the reply can be used to identify the person who sent it, or mess up whatever plans they're laying, something you can clearly see in the following...

At 4:48 pm -0400 on 5/3/97, somebody wrote:

> you write:
>> I further claim that the most efficient digital bearer certificate is an anonymous one.
> Hal's point is this. There are two types of "anonymity": one where the bank says "I swear I won't keep any records based on the name you gave me" (the benign bank), and the other where we use Chaumian blinding so the bank never even sees the identity information (the untrusted bank).
Right. Let's call the first one the Microsoft model, because I feel especially vicious this evening, and the second one the "Real" Chaum model.
> Now, it seems to me that the "benign bank" sort of anonymity can't cost any more (and in fact will even cost less) than the "untrusted bank" Chaumian anonymity.
Not true. With Chaumian anonymity, all the underwriter does is keep a database of spent digital bearer certificates, which they keep down by expiring certificate issues and the keys which generate them periodically. When someone double-spends a certificate, the underwriter has enough information to reveal their public key, but only when someone double spends and not before. With the Microsoft model, the underwriter knows who's buying your certificates, *and* the shared secret which makes the cash valid, *and* what time the certificate was issued, *and* what your shoe sizes, and the name of your sister's first date, and, and, and,... Anyway, I claim that the very Chaumian inability to *ever* know who bought the certificates you underwrite keeps you from ever *trying* to keep track of any other data, which, of course, is inherently cheaper.
> Yet your arguments for anonymity apply equally to both situations.
No they don't. There's a qualitative difference between a system where you can't ever know who someone is, but you can still trust them, and a system where you always know who someone is and they have to trust *you*. :-). I say that one of the additional virtues of the former system is significantly reduced transaction costs, and finally, that that happy side effect will eventually result in a shift away from the latter kind of system, if it ever is useful to begin with. By the way, an additional cost of the system, which is obviously more in line with the privacy concerns of cypherpunks, and possibly less germane to the transaction cost issue we're discussing, is the cost of the risk of breaking the confidentiality of systems like the Microsoft idea. I have a hunch that all it takes is one big information leak, and such systems will be dropped as a form of digital cash underwriting, but I'm going pretty far out on a limb to make that particular assertion. Should we call this the "Clipper effect", just to rattle peoples' chains?
> Therefore, I say your arguments, taken to their logical conclusion, imply that we'll end up with "benign bank" anonymity, rather than Chaumian "untrusted bank" anonymity.
Again, I don't think so. However, what we really need is some actual estimates and analysis to prove it, barring the existence of any actual transaction cost data, of course. :-). Something I'm not qualified to do, though I bet there are people here who can get those answers.
> But "benign bank" anonymity is a very very weak form of anonymity indeed -- it's not what most cypherpunks (or cryptographers) mean when they talk about anonymous digital cash.
Amen. Only people mired in the book-entry way of looking at things think otherwise. I believe the economics of the marketplace will soon teach them the serious errors of their ways...
> "Benign bank" anonymity is the sort of thing that Cybercash or other traditional systems provide; "untrusted bank" security is what Digicash provides.
And, again, I assert that the paradox of all this is that the cheapest form of commerce is a form where you don't trust anyone, or, better, trust, but verify, everyone. That's the beauty of the blind signature algorithm, it allows you to do all that, and not keep books, which cost money.
> So, if I understand your argument correctly, you're saying that we'll inevitably end up with some weak form of anonymity, but it will be far weaker than what most cypherpunks want.
I hope you can see by now, after I've taken another shot at explaining it better, what I was getting at.
> That sounds more like a cause for a call to arms than a reason to sit around reassuring ourselves that everything will turn out fine without us!
Nah. I don't do calls to arms. It's much better to change the world by making money. An especially important focus to have when you're building transaction systems. :-). I strongly believe that you can easily knock three, maybe four, decimal places off the cost of any transaction you can care to mention just by using strong financial cryptography and anonymous digital bearer certificates on a ubiquitous geodesic network. That remains to be seen, however. I will say that I'm working as hard as someone with my limited skillset can to prove that hypothesis. :-).

Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
Lesley Stahl: "You mean *anyone* can set up a web site and compete with the New York Times?"
Andrew Kantor: "Yes."
Stahl: "Isn't that dangerous?"
The e$ Home Page: http://www.shipwright.com/
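The mechanics Hettinga leans on above (the underwriter signs blinded certificates it cannot read, keeps nothing but a spent-certificate set per issue, detects a double-spend at deposit, and expires whole issues along with their keys to bound that set) can be shown end to end with RSA blind signatures. The following is an added example for this page, not code from Hettinga, Digicash or any project named in the thread. It assumes a toy RSA key per certificate issue built from small constructed primes, a SHA-256 hash as a stand-in for a full-domain hash, and an `Underwriter` class and `withdraw` function that are hypothetical names. It detects double-spending but does not implement the identity-revealing step the post attributes to a double-spend; that needs the cut-and-choose construction, which is out of scope here.

```python
import hashlib
import os
from math import gcd


def _make_key(p: int, q: int) -> dict:
    # Constructed toy RSA key: tiny primes keep the numbers readable; real issuers use 2048-bit keys.
    n = p * q
    e = 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e, "d": d}


def fdh(serial: bytes, n: int) -> int:
    """Full-domain-hash stand-in: map a certificate serial to an integer in [0, n)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % n


class Underwriter:
    """Hypothetical issuer: signs values it cannot read, stores only spent serials per issue."""

    def __init__(self):
        self.keys = {}            # key_id -> RSA key; each certificate issue gets its own key
        self.spent = {}           # key_id -> set of spent serials (the only ledger kept)
        self.seen_at_issue = []   # what the issuer actually observes when signing (illustration)

    def new_issue(self, key_id: str, p: int, q: int) -> None:
        self.keys[key_id] = _make_key(p, q)
        self.spent[key_id] = set()

    def public_key(self, key_id: str):
        k = self.keys[key_id]
        return k["e"], k["n"]

    def sign_blinded(self, key_id: str, blinded: int) -> int:
        """Issue step: sign the blinded value. Neither the serial nor its hash is visible here."""
        k = self.keys[key_id]
        self.seen_at_issue.append(blinded)
        return pow(blinded, k["d"], k["n"])

    def redeem(self, key_id: str, serial: bytes, sig: int) -> str:
        """Deposit step: reject expired issues, verify the signature, then check the spent set."""
        if key_id not in self.keys:
            return "expired-issue"
        e, n = self.public_key(key_id)
        if pow(sig, e, n) != fdh(serial, n):
            return "invalid"
        if serial in self.spent[key_id]:
            return "double-spend"
        self.spent[key_id].add(serial)
        return "accepted"

    def retire_issue(self, key_id: str) -> int:
        """Expire an issue: drop its key and spent set together; returns entries freed."""
        freed = len(self.spent.pop(key_id))
        del self.keys[key_id]
        return freed


def withdraw(bank: Underwriter, key_id: str):
    """Customer side: blind a fresh serial, have it signed, unblind. Returns (serial, sig)."""
    e, n = bank.public_key(key_id)
    serial = os.urandom(16)
    m = fdh(serial, n)
    while True:                                   # blinding factor must be invertible mod n
        r = int.from_bytes(os.urandom(8), "big") % n
        if r > 1 and gcd(r, n) == 1:
            break
    blinded = (m * pow(r, e, n)) % n
    blinded_sig = bank.sign_blinded(key_id, blinded)
    sig = (blinded_sig * pow(r, -1, n)) % n       # (m * r^e)^d * r^-1 = m^d mod n
    return serial, sig


def demo():
    bank = Underwriter()
    bank.new_issue("1997Q2", 1000003, 1000033)    # constructed primes just above 10^6
    serial, sig = withdraw(bank, "1997Q2")
    first = bank.redeem("1997Q2", serial, sig)    # honest deposit
    second = bank.redeem("1997Q2", serial, sig)   # same certificate presented again
    _, n = bank.public_key("1997Q2")
    # The issuer's record of the issue step contains neither the serial nor its hash,
    # so it cannot link this deposit back to the withdrawal that produced it.
    unlinkable = fdh(serial, n) not in bank.seen_at_issue
    freed = bank.retire_issue("1997Q2")           # expiring the issue empties its ledger
    after_expiry = bank.redeem("1997Q2", serial, sig)
    return first, second, unlinkable, freed, after_expiry


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks one certificate through issue, deposit, attempted re-deposit and issue expiry; the point to take from it is that the issuer's only stored state is the per-issue spent set, and that retiring an issue discards both the key and the set, which is the "keep it down by expiring" mechanism the post describes.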