Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems
Just presented at ICETE2005 by Daniel Nagy:
http://www.epointsystem.org/~nagydani/ICETE2005.pdf
Abstract. In the present paper a novel approach to on-line payment is presented that tackles some issues of digital cash that have, in the author's opinion, contributed to the fact that despite the availability of the technology for more than a decade, it has not achieved even a fraction of the anticipated popularity. The basic assumptions and requirements for such a system are revisited, clear (economic) objectives are formulated and cryptographic techniques to achieve them are proposed.
This is a thorough and careful paper but the system has no blinding and so payments are traceable and linkable. The standard technique of inserting dummy transfers is proposed, but it is not clear that this adds real privacy. Worse, it appears that the database showing which coins were exchanged for which is supposed to be public, making this linkage information available to everyone, not just banking insiders.

Some aspects are similar to Dan Simon's proposed ecash system from Crypto 96, in particular using knowledge of a secret such as a hash pre-image to represent possession of the cash. Simon's system is covered by patent number 5768385 and the ePoint system may need to step carefully around that patent. See http://www.mail-archive.com/cpunks@einstein.ssz.com/msg04483.html for further critique of Simon's approach.

CP
On Tue, Oct 18, 2005 at 11:27:53PM -0700, cyphrpunk wrote:
Just presented at ICETE2005 by Daniel Nagy:
This is a thorough and careful paper but the system has no blinding and so payments are traceable and linkable. The standard technique of inserting dummy transfers is proposed, but it is not clear that this adds real privacy. Worse, it appears that the database showing which coins were exchanged for which is supposed to be public, making this linkage information available to everyone, not just banking insiders.
Some aspects are similar to Dan Simon's proposed ecash system from Crypto 96, in particular using knowledge of a secret such as a hash pre-image to represent possession of the cash. Simon's system is covered by patent number 5768385 and the ePoint system may need to step carefully around that patent. See http://www.mail-archive.com/cpunks@einstein.ssz.com/msg04483.html for further critique of Simon's approach.
At the time of writing, I was already familiar with Simon's proposal and its above-mentioned critique (I learnt about them from Stefan Brands' blog). At that time, the design and the implementation were already complete and the process of writing up the paper was also well advanced. Wishing to postpone the discussion of patents for as long as possible, I decided against citing Dan Simon's work in references, which may be regarded as an act of academic dishonesty on my part. Mea culpa. I am reasonably confident that I can legally defend the point that there are sufficient differences between my proposal and Simon's, but I might not be ready to fight off a legal assault from Microsoft (lack of time and money) right now.

Leaving the patent issue at that, let us proceed to the substance. I will probably need to write another paper, clarifying some of these issues. Let me, however, re-emphasize some of the points already present in the paper and perhaps cast them in a slightly different light.

In my paper, I am explicitly and implicitly challenging Chaum's assumptions about the very problem of digital cash-like payment. One can, of course, criticize my proposal under Chaumian assumptions, but that would miss the point entirely. I think a decade of consistent failure at introducing Chaumian digital cash to the market is good enough a reason to re-think the problem from the very basics.

Note that nowhere in my paper did I imply that the issuer is a bank (the only mention of a bank in the paper is in an analogy). This is because I am strongly convinced that banks cannot, will not and should not be the principal issuers of digital cash-like payment vehicles. If you need an explanation, I'm willing to provide it. I do not expect payment tokens to originate from withdrawals and end their life cycles being deposited to users' bank accounts.

Insider fraud is a very serious risk in financial matters. A system that provides no safeguards against a fraudulent issuer will sooner or later be exploited that way. Financial systems (not just electronic ones) often fall to insider attacks. They must be addressed in a successful system. All Chaumian systems are hopelessly vulnerable to insider fraud.

And now some points missing from the paper:

Having a long-term global secret, whose disclosure leads to immediate, catastrophic failure of the whole system, is to be avoided in security engineering (using Schneier's terminology, it makes a hard system brittle). The private key of a blinding-based system is exactly such a component. Note that in the proposed system, the digital signature of the issuer is just a fancy integrity protection mechanism for public records, which can be supplemented and even temporarily substituted (while a new key is phased in in the case of compromise) by other mechanisms of integrity protection. It is the public audit trail that provides most of the security.

Using currency is, essentially, a credit operation, splitting barter into the separate acts of selling and buying, thus making the promise to reciprocate (that is, the eligibility to buy something of equal value from the buyer) a tradeable asset itself. It is the trading of this asset that needs to be anonymous, and the proposed system does a good enough job of protecting the anonymity of those in the middle of the transaction chains.

Hope this helps.

-- Daniel
On 10/19/05, Daniel A. Nagy <nagydani@epointsystem.org> wrote:
Note that nowhere in my paper did I imply that the issuer is a bank (the only mention of a bank in the paper is in an analogy). This is because I am strongly convinced that banks cannot, will not and should not be the principal issuers of digital cash-like payment vehicles. If you need an explanation, I'm willing to provide it. I do not expect payment tokens to originate from withdrawals and end their life cycles being deposited to users' bank accounts.
Suppose we consider your concept of a "transaction chain", which is formed when a token is created based on some payment from outside the system, is maintained through exchanges of one token for another (we will ignore split and combine operations for now), and terminates when the token is redeemed for some outside-the-system value. Isn't it likely in practice that such transaction chains will be paid for and redeemed via existing financial systems, which are fully identified? A user will buy a token using an online check or credit card or some other non-anonymous mechanism. He passes it to someone else as a cash-like payment. Optionally it passes through more hands. Ultimately it is redeemed by someone who exchanges it for a check or deposit into a bank or credit card account. If you don't see this as the typical usage model, I'd like to hear your ideas. If this is the model, my concern is that in practice it will often be the case that there will be few intermediate exchanges. Particularly in the early stages of the system, there won't be that much to buy. Someone may accept epoints for payment but the first thing he will do is convert them to "real money". A typical transaction will start with someone buying epoints from the issuer using some identified payment system, spending them online, and then the recipient redeems them using an identified payment system. The issuer sees exactly who spent, how much they spent and where they spent it. The result is that in practice the system has no anonymity whatsoever. It is just another way of transferring value online.
Using currency is, essentially, a credit operation, splitting barter into the separate acts of selling and buying, thus making the promise to reciprocate (that is the eligibility to buy something of equal value from the buyer) a tradeable asset itself. It is the trading of this asset that needs to be anonymous, and the proposed system does a good enough job of protecting the anonymity of those in the middle of the transaction chains.
The hard part is getting into the middle of those transaction chains. Until we reach the point where people receive their salaries in epoints, they will have little choice but to buy epoints for real money. That puts them at the beginning of a transaction chain and not in the middle. Sellers will tend to be at the end. The only people who could be in the middle would be those who sell substantially online for epoints and who also find things online that they can buy for epoints. But that will be a small fraction of users. For the rest of them, anonymity is not a selling point of this system. If you take away the anonymity, is this technology still valuable? Does it have advantages over other online payment systems, like egold, credit cards or paypal?

CP
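To make the traceability question in this exchange concrete, here is an added toy model of the "transaction chain" described above. It is constructed for this thread; it is not Daniel Nagy's ePoint code and not the protocol of the paper. It assumes a minimal Simon-style design as characterized earlier in the thread: a token is identified by the hash of a secret, knowing the pre-image means holding the token, every exchange of an old token for a fresh one is appended to a public ledger, and entry into and exit from the system happen through identified instruments (a card purchase, a bank redemption). The names ToyIssuer, trace_chain, link_endpoints and demo, and the identities alice-card and carol-bank, are invented for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Toy model, constructed for this example (not the ePoint protocol itself).
# A token is known publicly by the hash of a secret; whoever knows the
# pre-image "holds" it. Each exchange of an old token for a fresh one is
# written to a PUBLIC ledger, as the thread says the ePoint database would be.


def token_id(secret: str) -> str:
    """Public identifier of a token: a truncated hash of its secret (pre-image)."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


@dataclass
class ToyIssuer:
    exchanges: list = field(default_factory=list)   # public: (old_id, new_id)
    issued: dict = field(default_factory=dict)      # token id -> identified buyer
    redeemed: dict = field(default_factory=dict)    # token id -> identified redeemer
    live: set = field(default_factory=set)          # unspent token ids

    def issue(self, buyer: str) -> str:
        """Boundary event: buyer pays with an identified instrument, receives a secret."""
        secret = secrets.token_hex(8)
        tid = token_id(secret)
        self.issued[tid] = buyer
        self.live.add(tid)
        return secret

    def exchange(self, secret: str) -> str:
        """Present a secret, get a fresh one; the (old, new) pair becomes public.
        Presenting the same secret twice is rejected (double-spend check)."""
        old = token_id(secret)
        if old not in self.live:
            raise ValueError("unknown or already spent token")
        new_secret = secrets.token_hex(8)
        new = token_id(new_secret)
        self.live.remove(old)
        self.live.add(new)
        self.exchanges.append((old, new))
        return new_secret

    def redeem(self, secret: str, redeemer: str) -> None:
        """Boundary event: the token leaves the system via an identified account."""
        tid = token_id(secret)
        if tid not in self.live:
            raise ValueError("unknown or already spent token")
        self.live.remove(tid)
        self.redeemed[tid] = redeemer


def trace_chain(issuer: ToyIssuer, start: str) -> list:
    """Follow the public ledger forward from one token id.
    Uses only the public (old, new) records, so no insider access is needed."""
    successor = dict(issuer.exchanges)
    chain = [start]
    while chain[-1] in successor:
        chain.append(successor[chain[-1]])
    return chain


def link_endpoints(issuer: ToyIssuer) -> list:
    """For each identified purchase, find the identified redemption it leads to.
    Returns (buyer, redeemer, number_of_exchanges) for every completed chain."""
    links = []
    for tid, buyer in issuer.issued.items():
        chain = trace_chain(issuer, tid)
        redeemer = issuer.redeemed.get(chain[-1])
        if redeemer is not None:
            links.append((buyer, redeemer, len(chain) - 1))
    return links


def demo() -> list:
    """Alice buys a token, refreshes it once as a 'dummy' transfer, pays Bob;
    Bob refreshes and pays Carol; Carol refreshes and cashes out. Constructed scenario."""
    issuer = ToyIssuer()
    s = issuer.issue("alice-card")   # identified entry into the system
    s = issuer.exchange(s)           # Alice's dummy self-exchange, meant as cover
    s = issuer.exchange(s)           # Bob received the secret and refreshes it
    s = issuer.exchange(s)           # Carol received it from Bob and refreshes it
    issuer.redeem(s, "carol-bank")   # identified exit from the system
    return link_endpoints(issuer)


if __name__ == "__main__":
    print(demo())
```

demo() links the identified purchase to the identified redemption across three exchanges using nothing but the public ledger: every record has exactly one successor, so the dummy self-exchange adds a row but no ambiguity. Bob, in the middle, never appears by name, which is the protection Daniel claims for intermediate holders; the endpoint linkage is the concern cyphrpunk raises. Split and combine operations, which would give a token several successors and make the walk a tree rather than a path, are left out as in the message above.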
I will provide a detailed answer a bit later, but the short answer is that anonymity and untraceability are not major selling points, as experience shows. After all, ATMs could easily record and match to the user the serial numbers of each banknote they hand out, yet there seems to be no preference for coins over banknotes. The major selling point, as noted in the paper and in the presentation, is that the security (and hence the transaction cost, manifesting itself in the effort required for each transaction) scales with transaction value. For paying pennies, you just type, say, 12-character codes. Yet, if the transaction value warrants it, you can have a full-fledged, digitally signed audit trail within the same system. And it's completely up to the users to decide what security measures to take. Another important issue is that you never risk more than the transaction value. There is no identity to be stolen. So, in short, the selling point is flexible and potentially very high security against all sorts of threats. Someone finding out who you might be is not, by far, the most serious threat in a payment system.

-- Daniel
cyphrpunk wrote:
If this is the model, my concern is that in practice it will often be the case that there will be few intermediate exchanges. Particularly in the early stages of the system, there won't be that much to buy. Someone may accept epoints for payment but the first thing he will do is convert them to "real money". A typical transaction will start with someone buying epoints from the issuer using some identified payment system, spending them online, and then the recipient redeems them using an identified payment system. The issuer sees exactly who spent, how much they spent and where they spent it. The result is that in practice the system has no anonymity whatsoever. It is just another way of transferring value online.
That's a "merchant" business model. Typically, that's not how payment systems emerge. Mostly, they emerge by a p2p model, and then migrate to a merchant model over time. How they start is generally a varied question, and somewhat a part of the inspiration of the Issuer. According to the Issuer's design, he may try and force that migration faster or slower. In a more forced system, there is typically only one or a few exchange points and that is probably the Issuer himself.

If the Issuer also pushes a merchant design, and a triangular flow evolves, the tracing of transactions is relatively easy regardless of the system because time and amount give it away. But, typically, if the Issuer has designs on merchant business, he generally doesn't care about the hyped non-tracking capabilities of the software, and also prefers the tracking to be easy for support and segmentation purposes. A game that Issuers often play is to pretend or market a system as privacy protecting, but if their intention is the merchant model then that game stops when the numbers get serious. (I gather they discuss that in the Paypal book if you want a written example.)

Either way, it is kind of tough to criticise a software system for that. It's the Issuer and the market that sets the tune there; not the software system. The ideal software system allows the Issuer to decide these parameters, but it is also kind of tough to provide all such parameters in a big dial, and keep the system small and tight. (I suppose on this note, this is a big difference between Daniel's system and mine. His is small and tight and he talks about being able to audit the 5 page long central server ... mine is relatively large and complex, but it can do bearer and it can do fully traceable, as well as be passably extended to imitate his design.)

Meanwhile, the Issuers who want to provide privacy with a bog standard double entry online accounts system still have a better record of doing that than any other Issuers that might have boasted mathematical blah blah; they just run theirs privately. e.g., your average Swiss bank.

iang
participants (3): cyphrpunk, Ian G, nagydani@epointsystem.org