I thank Hal Finney for his thoughtful reply, and Tim May for his excellent essay. It looks like we can start to draw a stronger conclusion: there are serious holes in the assumptions made by offline digital cash protocols when applied to computer networks rather than manually operated smart cards. Hal's comparison of coin theft to digital signature protection and repudiation is apt, but usually Irving only has one or a few keys to protect, while he might have thousands of coins, issued by various banks.

I doubt digital signatures will ever be used alone much for signing expensive contracts. A digital signature on an expensive contract, in addition to being repudiable, will be suspicious, since if few people accept such signatures as strongly binding (the initial state), they will not be widely used on expensive contracts, and thus their existence on an expensive contract will be suspicious. I predict it will become common practice, or even law, that digitally signed contracts over a certain amount are automatically invalid unless further precautions have been taken (signatures of notary witnesses, or perhaps some better crypto protocol designed for this purpose).

The trouble with offline cash in a network environment is that the upper limit for fraud liability can be incredibly high. If there are hundreds of thousands of vendors on the net, a situation CommerceNet predicts before the end of the decade, and they are using this offline protocol, then even with small transactions the fraud could run into the millions of dollars. There's plenty of incentive for Irving to steal Jane's coins, run off to some place on the net that has no extradition treaty, and pump good change out of the vendors and into his Liechtenstein account to his heart's content.
We may yet find protocols to mitigate or limit this kind of fraud -- make change traceable if linked to double spending, do random online checks as a cypherpunks poster suggested last year, or similar precautions layered on top of the basic protocol. But so far these problems haven't been put on the front burner of digital cash design, and already we have people out there selling offline cash on the network as a superior solution!

Reliance on law enforcement flies in the face of cypherpunk goals, and indeed against the goals of good cops as well -- one of their most vocal complaints is about people setting up systems that are vulnerable to crime, putting them in unnecessary danger. It also goes against political reality to think that a startup operation can lobby governments all across the globe to protect a system that is ideal for money laundering and tax evasion. Ain't gonna happen -- they'll let those "dirty money banks and money laundering net sites" rot; they may even give Irving a helping hand.

I disagree that "there is no excuse" for double spending. If the software is implemented badly (no fault of the user), it might get mixed up with systems programs in such a way as to cause double spending. For example, if the system crashes and one must recover from a month old backup, one has to go through that old purse and determine which coins have been spent. If the software and/or user makes a mistake in this process, we get double spending. If a network burps and sends a vendor two coins where there should have been one, we get double spending. The possibilities for accident are legion and cannot all be foreseen. "Shit happens". A protocol that treats common accident the same as criminal fraud, when the stakes are so high, is pathological.

In the online system the consequences of double spending (or million spending) are far more benign. At worst one customer is out stolen coins.
In a networked offline system those same few coins are a potential loss for every vendor on the net. As Tim May noted, we may not even need to recognize fraud in online cash -- just treat all online double spending as accident. No bonding, secured accounts, investigators, ID badges or cops with guns busting down Jane's door after Irving has million-spent her coins. Here we both have a simple liability system and much less chance of fraud.

Tim May also suggested that most offline protocols are intended for manually used smart cards. This makes sense -- unlike a network environment with automated spending agents, the scope of multi spending for manually used purchases in small amounts is quite limited. On the network even fraud of a few cents per transaction can quickly add up to big $$$ across thousands of vendors.

What are the communications costs of online clearing, anyway? Don't credit card clearings cost about two cents per transaction these days? If clearing costs are less than plausible offline cash fraud and fraud prevention costs, online cash is a winner, both now and increasingly in the future as bandwidth becomes even cheaper.

sincerely,
--
An Unauthenticated Agent with no credentials: WYSIWYG
Anonymous writes
there are serious holes in the assumptions made by offline digital cash protocols when applied to computer networks rather than manually operated smart cards.
... I disagree that "there is no excuse" for double spending. If the software is implemented badly (no fault of the user),
So implement it right - the fact that a poorly programmed bank computer might credit someone with a million dollars does not prevent banks from using computers.
... if the system crashes and one must recover from a month old backup, one has to go through that old purse and determine which coins have been spent.
Return suspect coins to vendor and ask for new coins. Vendor will detect most of the already spent coins. If some coins are double spent they will eventually show up as double spent by the person who had the system crash, who will simply make them good.
If a network burps and sends a vendor two coins where there should have been one, we get double spending.
Actually we do not, because the recipient will detect the coins are non unique, assuming the protocol is implemented correctly, and will treat the duplicated message as a single message. Indeed since coin transport will probably be by datagrams duplicated and lost coins will happen continuously, and will be automatically fixed by the protocol.
The possibilities for accident are legion and cannot all be foreseen. "Shit happens".
That is what debugging and beta testing is for.
A protocol that treats common accident the same as criminal fraud, when the stakes are so high, is pathological.
If you make good on the accident, no problem. It is only a problem if the accident causes substantial money transfer, which can be prevented by adequate protocols. It is possible to construct the protocols so that any "accident" resulting in substantial money transfer must be old fashioned fraud or robbery. If someone breaks into your computer, that is no more an argument against offline digicash than if someone breaks into your safe. If Joe million spends one of Jane's coins he must interact with a million separate vendors in a rather short time. This will inevitably make waves. Offline digicash is not so much anonymous as offering controlled nomity. Again I point out that the existing grey capitalist system involving foreign bank accounts in the names of Bermuda and Hong Kong companies, is quite adequately anonymous even though checks are purely identity based money. Offline digital cash cannot be "real" digital cash, whatever that is. It has to be identity based cash with controlled limits on identification. It will resemble those Bermuda check accounts with Visa debit cards more than it resembles cash in your pocket.

--
---------------------------------------------------------------------
We have the right to defend ourselves and our property, because of the kind of animals that we are. True law derives from this right, not from the arbitrary power of the omnipotent state.
James A. Donald
jamesd@netcom.com
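The two mechanisms the replies above lean on, a vendor treating a coin datagram delivered twice as one message, and a bank that clears every deposit online so a re-spent coin is refused before anyone is out of pocket, are easy to model. The following is an added illustration, not code from any post in this thread: the names Bank, Vendor, Coin, simulate, million_spend_loss and refresh are assumptions for the example, and the coins are plain serials the bank remembers issuing rather than the blind-signed coins of a real scheme. It also models the backup-recovery step James describes (hand the stale purse back, keep only coins the bank has not yet seen), and shows why the "million spend" the anonymous poster worries about is bounded by one coin's value under online clearing.

```python
"""Toy model of online clearing for digital coins (added example; not from the thread).

Assumed names: Bank, Vendor, Coin, simulate, million_spend_loss, refresh. Real
schemes blind-sign their coins; here a coin is just a serial the bank recorded.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Coin:
    serial: str  # unique per coin; recorded by the bank at issue time
    value: int


class Bank:
    """Online clearing: every deposit is checked against the bank's own ledger."""

    def __init__(self):
        self.issued = {}    # serial -> value
        self.spent = set()  # serials already accepted once

    def issue(self, value):
        serial = secrets.token_hex(16)  # constructed unique serial for the model
        self.issued[serial] = value
        return Coin(serial, value)

    def deposit(self, coin):
        """'ok' the first time a genuine coin is seen, 'unknown' for a serial the
        bank never issued (or a tampered value), 'double_spend' for any repeat."""
        if self.issued.get(coin.serial) != coin.value:
            return "unknown"
        if coin.serial in self.spent:
            return "double_spend"
        self.spent.add(coin.serial)
        return "ok"

    def refresh(self, coins):
        """Recovery from a stale purse backup: every coin is cleared, the ones the
        bank has not seen are replaced with fresh serials, the rest are dropped."""
        return [self.issue(c.value) for c in coins if self.deposit(c) == "ok"]


class Vendor:
    """Clears each coin online and treats a duplicated datagram as one message."""

    def __init__(self, bank):
        self.bank = bank
        self.seen = set()   # serials this vendor already processed
        self.credited = 0
        self.rejected = []  # (serial, reason) for coins the bank refused

    def receive(self, coin):
        if coin.serial in self.seen:
            return "duplicate"  # network re-delivery, not a second spend
        self.seen.add(coin.serial)
        status = self.bank.deposit(coin)
        if status == "ok":
            self.credited += coin.value
        else:
            self.rejected.append((coin.serial, status))
        return status


def simulate():
    """One coin, delivered twice to the first vendor, then presented to a second."""
    bank = Bank()
    coin = bank.issue(5)
    v1, v2 = Vendor(bank), Vendor(bank)
    r1 = v1.receive(coin)  # first delivery clears
    r2 = v1.receive(coin)  # duplicated datagram, ignored locally
    r3 = v2.receive(coin)  # re-spend: the bank refuses before any credit
    return r1, r2, r3, v1.credited, v2.credited


def million_spend_loss(bank, coin, n_vendors):
    """Total credit obtained by presenting one coin to n_vendors online vendors.
    With online clearing this is the value of the single coin, whatever n is."""
    total = 0
    for _ in range(n_vendors):
        v = Vendor(bank)
        v.receive(coin)
        total += v.credited
    return total


if __name__ == "__main__":
    print(simulate())
    b = Bank()
    print(million_spend_loss(b, b.issue(7), 1000))
```

The point of the model is where the loss lands: the second vendor's `rejected` list records the refused coin, but its `credited` total stays at zero, so the most any re-spend can extract is the single coin's value, and the duplicate delivery never reaches the bank at all.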
I doubt digital signatures will ever be used alone much for signing expensive contracts.

Not every binding signature is on a contract. The signature at the bottom of a check is not signing a contract, but rather referencing a contract between the drawer of the check and the bank whereby the bank agrees to accept such checks. Expect models like this to proliferate, where one physical signature initiates the use of many digital signatures in a proper context. Such a system could be used, for example, in a new beast called a "contract proxy", which is the nominal end of some contract, but which is really standing in for some other party. Activity within a contract is not the same thing as creating a contract. This is one of the very first things I learned in this field, and I thank Mike Godwin for pointing this out to me.

I predict it will become common practice, or even law, that digitally signed contracts over a certain amount are automatically invalid unless further precautions have been taken (signatures of notary witnesses, or perhaps some better crypto protocol designed for this purpose).

This prediction is either far too premature, since the whole technical and legal situation with use of digital signatures in _any_ form is not yet well enough developed, or totally tautological, since a digital signature as such is merely a string of bits with little other than mathematical interpretation. What is certain is that the social process involved in making digital signatures useful will be far more complicated than the software needed to make the digital signatures.

We may yet find protocols to mitigate or limit this kind of fraud -- make change traceable if linked to double spending,

"Traceable to what?" is the real question. One can consider systems traceable to persons or systems traceable to security deposits, for example.
Reliance on law enforcement flies in the face of cypherpunk goals, and indeed against the goals of good cops as well

A system that requires police for its stability is externalizing part of its security costs to the governments of jurisdiction. The taxpayers of such jurisdictions are subsidizing these enterprises. And in cases where the powers of the jurisdiction are weak or non-existent, be that by accident or design, these kinds of systems just won't work economically.

A protocol that treats common accident the same as criminal fraud, when the stakes are so high, is pathological.

And not only that, it requires trafficking in identity.

[...] we may not even need to recognize fraud in online cash -- just treat all online double spending as accident. No bonding, secured accounts, investigators, ID badges or cops with guns busting down Jane's door after Irving has million-spent her coins.

The economics of charging for deposit attempts clearly prevents most double spending. There may well, however, be an economic win for a business which finds a way to save on clearing costs by eliminating the deposit charge in lieu of some other notion of assurance against abuse, like a secured account from which deposit fees are levied.

If clearing costs are less than plausible offline cash fraud and fraud prevention costs, online cash is a winner, both now and increasingly in the future as bandwidth becomes even cheaper.

I agree. It appears to the back of my envelope that communication and computation charges are dropping fast enough that by the time offline smartcards are economical enough to deploy, online systems will be cheaper.

Eric
participants (3): Anonymous, hughes@ah.com, jamesd@netcom.com