Electronic Banking
Some time back Tim May suggested that we should do some experiments with electronic cash. He offered to do some Xeroxing if people would "pay" him. There are lots of proposals for electronic cash in the literature, mostly very complex. I think one of Chaum's simpler proposals would be adequate for email "banking". This proposal, from the beginning of his paper "Untraceable Electronic Cash" in Crypto 88(?), goes like this: 1. Alice chooses a random x and r, and supplies the bank with B=r^3*f(x) mod n, where f is a one-way function (like MD5), and n is the modulus for the bank's public key. 2. The bank takes the third root of B (e.g. via an RSA decryption) and sends it back to Alice: D = r * f(x)^(1/3), and withdraws one dollar from her account. 3. Alice extracts C = f(x)^(1/3) by dividing D by r. (Note that division can be done mod n without knowing the factors of n, but it's rather complicated.) 4. To pay Bob one dollar, Alice gives him (x, C). 5. Bob can verify that C = f(x)^(1/3), but he still has to send (x, C) to the bank in order to make sure that x hasn't been used before. Otherwise Alice could spend (x, C) twice. The bank increases Bob's account by one dollar. This scheme is pretty simple and provides untraceability - the bank saw B and D but not C, so although it can verify that (x, C) is legit, it can't correlate that with Alice's withdrawal. The main disadvantage of this approach is that Bob has to send (x, C) to the bank right away (or at least before sending Alice anything in return for her cash) to verify that the cash hasn't been used before. But in email, where turnarounds of a day or more aren't unusual, this should be tolerable. Alice and Bob could be pseudonyms, using anonymous addresses to communicate with each other and with the bank. Different denominations of cash could correspond to different exponents than "3" in the example above. (That is, $1 would use C=f(x)^(1/3), $2 would use C=f(x)^(1/5), $4 would use C=f(x)^(1/7), and so on.) Technically, this would be quite easy to implement, using the code in PGP for the arithmetic, and MD5 for the one-way function. We'd need to define a few message formats. The RFC1113 ascii encoding from PGP could be used as well. The "social" problems are more challenging, it seems to me. What is the backing for this electronic money? Why do people care what their bank balances are? Is this stuff really worth anything? One possibility is to base digital cash on real money. People would open a pseudonymous account via email, then postal-mail dollars to the bank, enclosing their account number so the bank would know whom to credit with the deposit. Later, if someone wanted to withdraw "real money" from their account they would have to give a real postal address where it could be mailed. Now the electronic money is worth real dollars. Even if people didn't deposit or withdraw very often, it still has value because of the backing. Unfortunately, this approach would currently be illegal (at least, unless you actually were a real bank!). If there were some way the bank itself could be anonymous, it might survive, but I don't see how to mail it money while keeping the anonymity. Still, we could consider experimenting with this on a small scale with accounts of no more than a few dollars. As long as it was clearly an experiment I doubt that any prosecutions would result even if it attracted government attention, because the expense involved in court costs would be so disproportionate to the few dollars involved in this technically illegal act. Another approach would be not to try backing the digital cash at all, or rather backing it implicitly by the determination of various people to accept it and perform services or supply goods in return for it. Tim's offer to Xerox papers in return for digital cash would be one example. Perhaps others could provide some other services. It would be great if some shareware author would accept digital cash as a symbol of support for crypto anonymity. One problem that I see with this approach is how you determine the size of the money supply. Or, in other words, how does new digital cash get started circulating? How do people get new accounts, and how much money is in them? If these problems can be solved, a big advantage of this approach is that the banker can be anonymous. He would be known only by his anonymous address and his public key(s). This would provide some safety in the event that even a small-scale experiment like this was targetted for a crackdown. Another issue is the prospect of multiple "banks", each issuing their own (incompatible) cash. How would they compete? Perhaps in terms of rapid turnaround? Some might choose to be anonymous, others would go public. The latter would have the advantage that people might trust them more, but OTOH there is more chance of your bank account disappearing after a crackdown for a public bank than an anonymous one. Lots to think about here! Hal 74076.1041@compuserve.com
Hal Finney makes some very good points about anonymous banking and some experiments we may try in the near future. (First let me dispose of a minor item.)
Some time back Tim May suggested that we should do some experiments with electronic cash. He offered to do some Xeroxing if people would "pay" him.
(A minor note: I ended up doing the Xeroxing for free, which hasn't yet been declared illegal...though I presume you'll all carefully note this on your tax returns, as such "barter exchanges" are reportable income. In theory, which shows how hopeless tax collection is becoming, all of our "mutual consulting" on this list, and on the Net in general, is _taxable income_--just as if we were plumbers and carpenters getting together to work on each other's houses. A crazy system.) Back to the important stuff. Hal continues:
There are lots of proposals for electronic cash in the literature, mostly very complex. I think one of Chaum's simpler proposals would be adequate for email "banking". This proposal, from the beginning of his paper "Untraceable Electronic Cash" in Crypto 88(?), goes like this:
(Hal's excellent summary of Chaum's system elided)
Technically, this would be quite easy to implement, using the code in PGP for the arithmetic, and MD5 for the one-way function. We'd need to define a few message formats. The RFC1113 ascii encoding from PGP could be used as well.
This sounds great! (But I worry that the handful of you already doing the programming of PGP, new versions, MacPGP, remailers, etc., will get overloaded and/or burned out. I'd offer to help, but my programming these days is limited to fiddling with Mathematica and a little bit of Smalltalk and Scheme/LISP.)
The "social" problems are more challenging, it seems to me. What is the backing for this electronic money? Why do people care what their bank balances are? Is this stuff really worth anything?
And the lesson we learned from PGP 2.0 is that actually getting _something_ out there for people to play around with is crucial. Getting "PGDC" ("Pretty Good Digital Cash") in use will be a harder sell than PGP deployment was, because most people don't understand the ideas, see no real pressing need, and can't do much in any case without an "economy" of users. I've long thought that a "Black Market AMIX" would be one such use, but I won't get into that here.
One possibility is to base digital cash on real money. People would open a pseudonymous account via email, then postal-mail dollars to the bank, enclosing their account number so the bank would know whom to credit with the deposit. Later, if someone wanted to withdraw "real money" from their account they would have to give a real postal address where it could be mailed. Now the electronic money is worth real dollars. Even if people didn't deposit or withdraw very often, it still has value because of the backing.
Unfortunately, this approach would currently be illegal (at least, unless you actually were a real bank!). If there were some way the bank itself could be anonymous, it might survive, but I don't see how to mail it money while keeping the anonymity. Still, we could consider experimenting with this on a small scale with accounts of no more than a few dollars. As long as it was clearly an experiment I doubt that any prosecutions would result even if it attracted government attention, because the expense involved in court costs would be so disproportionate to the few dollars involved in this technically illegal act.
Warning! Recently, a bunch of bowlers (women, no less) were busted for illegal gambling because of their "pot" they were bowling for. After much public outcry and laughter at the authorities, the charges were either dropped or reduced. I mention this because casual bowlers evoke sympathy, hackers and cypherpunks do not.
One problem that I see with this approach is how you determine the size of the money supply. Or, in other words, how does new digital cash get started circulating? How do people get new accounts, and how much money is in them?
We're in new territory here. The start of a new kind of economy. Lots of experimentation and trial and error work will be needed.
If these problems can be solved, a big advantage of this approach is that the banker can be anonymous. He would be known only by his anonymous address and his public key(s). This would provide some safety in the event that even a small-scale experiment like this was targetted for a crackdown.
Yes. And also anonymous "escrow services" which are like banks but which serve other functions, such as holding the money in a transaction so that Alice cannot take the money from Bob and refuse to deliver on her side of the deal. All of these entities must be "pseudonymous" (a clumsy word), in that digital pseudonyms are supported (a la the work of Hughes, Finney, and Janek Martinson) and True Names cannot be traced.
Another issue is the prospect of multiple "banks", each issuing their own (incompatible) cash. How would they compete? Perhaps in terms of rapid turnaround? Some might choose to be anonymous, others would go public. The latter would have the advantage that people might trust them more, but OTOH there is more chance of your bank account disappearing after a crackdown for a public bank than an anonymous one.
Banks, escrow services, etc. will all have "reputations" and credit ratings (from crypto versions of Standard and Poors, themselves operating only as a pseudonym!). All of this will evolve over time.
Lots to think about here!
Hal
That's for sure. Incredibly good points being made by everyone! --Tim -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | PGP Public Key: by arrangement.
Currencies will almost certainly have to be backed by goods in order to be astablished. Would you want to keep your money in something that could collapse easily? There's been a lot of thought put into using things like mutual fund shares as the currency. dean
[Hal Finney describes Chaum's blind signature scheme.]
The "social" problems are more challenging, it seems to me.
One such social problem that Hal does not mention is that the blind signature is a patented algorithm. You'd have to get a signature from Chaum. Since any such company which wanted to deploy with blind signatures whould be competing with Chaum's own company, DigiCash, there might be a problem here.
One possibility is to base digital cash on real money.
Unfortunately, this approach would currently be illegal (at least, unless you actually were a real bank!).
If you wanted to do this as a business, you can start a bank with (roughly) a million dollars in capital or you can buy an existing one with at minimum (roughly) fifty thousand. These minimum investments are for bank regulation purposes, not operating costs. So, if you really want to _be_ a bank, it's not that hard. Your greatest startup expense will most likely be attorney's fees for a specialist in bank regulation law. Eric
participants (5)
-
Eric Hughes -
ghsvax!hal@uunet.UU.NET -
gnu@cygnus.com -
tcmay@netcom.com -
tribble@xanadu.com