At 5:30 pm -0400 on 5/2/97, Hal Finney wrote:

Bob, if I understand you correctly, you've suggested that digital bearer instruments will in the long run actually be more efficient than conventional book entry based transaction models. Anonymity will be cheaper than identified transactions.

Exactly. In the same way that physical bearer certificates were cheaper to use than handwritten book entries. Before telegraphy, anyway. It was telegraphy, more than anything else, which forced the creation of book-entry settlement (using, actually, encrypted messages and prearranged authentication codes), because you could do trades at a distance, which you couldn't do with paper certificates. Database-enabled accounting was what killed large and abstract value physical bearer certificates once and for all. Especially when you could swap data sets with tape or disk packs from machine to machine. (Notice I didn't say tax law. The book entries had to be there before you could tax them. :-). Law follows reality, not the other way around. We get the government we deserve [afford], a constituency of idiots will elect one, and all that tosh.) I claim that as you get closer to completely offline digital bearer certificates, you bring back the competitive advantage of bearer certificates. Right now, we're pretty much in the on-line digital bearer certificate stage of things, but I'm claiming that even *that* makes it possible to supplant very large pieces of the book entry hierarchy we've managed to build in the industrial age. Particularly in the case of peer-to-peer transactions over great physical -- or regulatory :-) -- distances.

But, if digital bearer certificates of all kinds are, as you suggest, cheaper and more efficient than conventional ones, why can't we just use ordinary non-blinded digital instruments and ignore the identifying information?

I claim that the very futility of tracing those certificates creates the greatest saving, especially if the only thing you really care about is whether the trade will clear. The primary reason for keeping archives of transactions is so that you can hire a cop to hunt down someone and send them to jail when they stiff you. If you can't hunt them down, you don't have to pay the cop. :-). Cops cost lots, as most people on cypherpunks would agree. With a completely anonymous system like Chaum's, you *really* have to trust the reputation of entity backing the certificates, but you don't give a fig about who gives you the money itself. "Cash is King", right? Since there are many more buyers and sellers than certificate underwriters, and since the underwriter only keeps records of spent certificates and not all transactions (and is probably expiring keys and issues of certificates to keep the on-line storage load manageable), then at least two sets of transaction book entries (those of the buyer and seller) disappear, and the bookeeping load of the issuer is much less than that of a typical book-entry intermediary like a clearinghouse. Not to mention the offsetting book-entries of the clearing system linking multiple clearing entities. Actually, that's more an artifact of a geodesic network, and not of a digital bearer certifcate transaction system itself.

This makes them less attractive from the privacy perspective, but what about from the point of view of the financial markets? Can they just ignore the serial numbers and treat them as the bearer certificates you have been talking about? (Don't real bearer certificates often have serial numbers on them?)

Yup. Actually, dollar bills have serial numbers. Bearer bonds had serial numbers. That's how you controlled the amount in circulation, and could detect some kinds of fraud, because the number of certificates issued is a published figure. But the serial number's not important from a privacy perspective once a certificate changes hands several times, especially if the population of certificates is large, like it is with dollar bills. Even the coupons, the little bits you hacked off and sent in every quarter to get paid interest, had serial numbers. However, notice that you didn't need to know *who* was sending in the coupon. The coupon itself was it's own proof for redemption. You just sent back a check payable to the person who sent in the coupon, or if the person, or person's messenger, showed up physically, you paid cash. Remember $10,000, or $100K bills? That's what they were primarily for. Cash settlement of things like large bond transactions. Paper for paper. Anyway, it's when you start registering certificates, and keeping track of who owns what, that you get the cost explosion. In that case, you're right. You could do it without blinding. Dan Simon's cash system for Microsoft operates kind of like that. You can track the original purchaser at the initial purchase, but after it's gone through a few secondary trades, including ones with yourself, tracking them is pretty much impossible. Chaum's current version of ecash has this, um, feature, which Ian Goldberg has now conveniently dispatched. Frankly, the model I promote now, with a book-entry bank as a trustee, has this problem, because you need a book-entry account at your own bank to bring money on and off the net. Of course, at some point, you could do this anonymously and in person at a currency exchange, with a bag of cash. :-). Fortunately, as I said today in a reply to Adam Back, when you create other assets on the net besides cash, and can issue them in bearer form, the problem of requiring identity for authentication goes away, because the book entries are no longer there there to repudiate.

Maybe this geodesic market you're talking about (which I don't understand at all) could work with current technology?

Moore's Law makes a given public network appear increasingly "geodesic", like Bucky Fuller's geodesic structures, because nodes (switches, processors) are comparatively cheaper than lines to build. The geodesic market is a market which lives on a geodesic network, which, as Moore's law progresses, creates smaller and smaller financial entities -- eventually automated ones -- as measured by asset size or cashflow. That's because a given amount of money, invested in an increasingly larger swarm of distributed hardware "nodes", can handle more transactions, and/or smaller amounts of money, as processor prices drop. I claim that a cash-settled, digital bearer certificate market is what will function best on a geodesic network, because it costs less to run for the reasons I outlined above. I further claim that the most efficient digital bearer certificate is an anonymous one. You get anonymity because it's a waste of resources to keep track of people who pay you in cash. And, if the system is strongly anonymous from the outset (and perfect pseudonymity is functionally anonymous), you won't even try. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah@shipwright.com), Philodox e$, 44 Farquhar Street, Boston, MA 02131 USA Lesley Stahl: "You mean *anyone* can set up a web site and compete with the New York Times?" Andrew Kantor: "Yes." Stahl: "Isn't that dangerous?" The e$ Home Page: http://www.shipwright.com/