I've been attempting to design a decentralized auction/ exchange system that permits pseudonymous participants. By 'decentralized', I mean that NO central server, or subset of individual servers, controls access to any resource the system cannot work without; that there is no single point of failure. A consequence of this is that every ability that exists in any node, must exist in every node. So the whole problem of currency issue gets the slightly weird solution of "everybody has to be able to print their own money." The sticking point is that this basically means the system will be without any single universal "currency". A lot of E-cash techniques are usable, but what you wind up trading is certificates that represent goods or services offered by individuals in the system -- Alice the Farmer might issue certificates for bushels of wheat, while Bob the Carpenter might issue a bunch of certificates that say "collect a thousand of these and I'll redeem them for a new 10x10 meter deck on your house" and Carol the moneychanger might promise to redeem hers for one US dollar each, just for the amusement value of "redeeming" something in a system where hard currencies are the norm with a fiat currency. So these would be effectively a sort of digital merchants scrip, reducing back down to barter. Exchange rates between the currencies issued by different participants would fluctuate according to trust and commodity values, and I'm okay with that. Given the nature of the trust/reputation thing, I'd expect only a very small percentage of the participants to *actually* issue their own currency, as they wouldn't get good acceptance/exchange values until widely known, but everybody would have the ability. The problem I'm running into is that while all kinds of e-cash protocols exist that protect the anonymity of the buyer and a lot protect the anonymity of the seller, there are none that protect the anonymity of the currency issuer, which would be ideal in this circumstance. With the techniques I know of, the issuer can have only "Nym" protection. The basic problem with anonymizing the issuers (beyond technique alone) would be how the scrip gets redeemed when you don't necessarily know whom the issuer is. Can anybody recommend appropriate reading? Bear
,----[ On Wed, Jul 11, at 01:30PM, Ray Dillinger wrote: ]-------------- | Can anybody recommend appropriate reading? | | | Bear `----[ End Quote ]--------------------------- its not too much, in fact, it is not precisely what you are looking for. but check this paper out: http://freehaven.net/doc/mix-acc/mix-acc.pdf (also check out other papers on the freehaven project, they are working on prjects which, in theory are similar to what you just described.) http://freehaven.net/papers.html it is about reliabilty in mix net networks, describes a reliabilty system and (this is the part that might be of interest to you) it describes potential failures and weak points in a system that is theoretically similar to yours. hope that helps... --gabe -- "It's not brave, if you're not scared."
Have you looked at Plan 9? It would allow you to run the 'mint' as a independent distributed service for all users that actually runs as no user. It would require a 'virtual filespace' so the requisite binaries and such don't reside on any one machine, not native but that's doable as well. Once started, as long as there were any Plan 9 process/file spaces available the service would 'live'. On Wed, 11 Jul 2001, Ray Dillinger wrote:
I've been attempting to design a decentralized auction/ exchange system that permits pseudonymous participants. By 'decentralized', I mean that NO central server, or subset of individual servers, controls access to any resource the system cannot work without; that there is no single point of failure.
A consequence of this is that every ability that exists in any node, must exist in every node. So the whole problem of currency issue gets the slightly weird solution of "everybody has to be able to print their own money."
The sticking point is that this basically means the system will be without any single universal "currency". A lot of E-cash techniques are usable, but what you wind up trading is certificates that represent goods or services offered by individuals in the system -- Alice the Farmer might issue certificates for bushels of wheat, while Bob the Carpenter might issue a bunch of certificates that say "collect a thousand of these and I'll redeem them for a new 10x10 meter deck on your house" and Carol the moneychanger might promise to redeem hers for one US dollar each, just for the amusement value of "redeeming" something in a system where hard currencies are the norm with a fiat currency. So these would be effectively a sort of digital merchants scrip, reducing back down to barter.
Exchange rates between the currencies issued by different participants would fluctuate according to trust and commodity values, and I'm okay with that. Given the nature of the trust/reputation thing, I'd expect only a very small percentage of the participants to *actually* issue their own currency, as they wouldn't get good acceptance/exchange values until widely known, but everybody would have the ability.
The problem I'm running into is that while all kinds of e-cash protocols exist that protect the anonymity of the buyer and a lot protect the anonymity of the seller, there are none that protect the anonymity of the currency issuer, which would be ideal in this circumstance. With the techniques I know of, the issuer can have only "Nym" protection.
The basic problem with anonymizing the issuers (beyond technique alone) would be how the scrip gets redeemed when you don't necessarily know whom the issuer is.
Can anybody recommend appropriate reading?
Bear
On Wed, Jul 11, 2001 at 01:30:44PM -0700, Ray Dillinger wrote:
[Anonymous, everyone a mint, floating exchange rates problem...]
The problem I'm running into is that while all kinds of e-cash protocols exist that protect the anonymity of the buyer and a lot protect the anonymity of the seller, there are none that protect the anonymity of the currency issuer, which would be ideal in this circumstance. With the techniques I know of, the issuer can have only "Nym" protection.
The basic problem with anonymizing the issuers (beyond technique alone) would be how the scrip gets redeemed when you don't necessarily know whom the issuer is.
Probably people would be willing to accept other issuers currencies even if they don't know the issuer so long as they had the reputation rating for the currency / issuer. But anonymous reptuations alone aren't any use as a rational issuer would refuse to redeem if the action didn't adversely affect his reputation -- you need to be assured that the rating of the anonymous issuer will be downrated if they refuse to redeem. So then perhaps you could proceed by having unlinkably anonymous credentials for reputation with a trap-door for the rating party so that the rating party can identify the pseudonym behind the unlinkable credential and downrate it. You also want the unlinkable rating credentials to need to be refreshed by the rating credential issuer in order to re-show. Brands' credentials have this property if you reshow without collaboration with the issuer, they are linkable (and hence would be linkable to the transaction gone bad which triggered the downrating). One might desire also that the rating credential issuer not be able to link general transactions, even with collusion from all parties except the issuer. However I'm not sure if this is going to be possible; the rating issuer must be able to link to the nym in event of foul play by the currency issuer, and clearly ability to link from unlinkable payments to a nym links the payments. The only avenue I see is if the foul play were mathematically encapsulatable and could be combined with the protocol so that the rating issuer is only able to link payments to nyms in the event of foul play. Do you think you can encapsulate foul play formally generally enough to be useful in your application? Adam
Probably people would be willing to accept other issuers currencies even if they don't know the issuer so long as they had the reputation rating for the currency / issuer.
But anonymous reptuations alone aren't any use as a rational issuer would refuse to redeem if the action didn't adversely affect his reputation -- you need to be assured that the rating of the anonymous issuer will be downrated if they refuse to redeem.
So then perhaps you could proceed by having unlinkably anonymous credentials for reputation with a trap-door for the rating party so that the rating party can identify the pseudonym behind the unlinkable credential and downrate it. You also want the unlinkable rating credentials to need to be refreshed by the rating credential issuer in order to re-show. Brands'
This just shifting the issue without actually solving it - instead of mint visibility now we have credential issuer visibility. There goes credential issuer. The basic point here is that: a) most "public" (including me and the few that I talked with) will not "trust" money that is pure math, without actual *people* (who can be pulped if something goes wrong) behind it. Pulpability (in this special meaning) is a key ingredient in trust - you trust someone that agrees to be hurt if she misuses the trust. Fuck the math, new advances happen and most do not understand it any way. b) The competition (government) will pulp the pulpable mint. So, n-way blind e-cash will never happen. It may be a nice thing to bullshit about and to do PhD thesis and patents on and thus attract chicks, but it will never happen. __________________________________________________ Do You Yahoo!? Get personalized email addresses from Yahoo! Mail http://personal.mail.yahoo.com/
On Thu, 12 Jul 2001, Morlock Elloi wrote:
b) The competition (government) will pulp the pulpable mint.
Not if they can't find it.
So, n-way blind e-cash will never happen. It may be a nice thing to bullshit about and to do PhD thesis and patents on and thus attract chicks, but it will never happen.
As long as we use the current OS and network models - yes. With other inherently distributed and anonymous models - maybe. http://plan9.bell-labs.com -- ____________________________________________________________________ Nature and Nature's laws lay hid in night: God said, "Let Tesla be", and all was light. B.A. Behrend The Armadillo Group ,::////;::-. James Choate Austin, Tx /:'///// ``::>/|/ ravage@ssz.com www.ssz.com .', |||| `/( e\ 512-451-7087 -====~~mm-'`-```-mm --'- --------------------------------------------------------------------
On Thu, Jul 12, 2001 at 03:41:57PM -0700, Morlock Elloi wrote:
Probably people would be willing to accept other issuers currencies even if they don't know the issuer so long as they had the reputation rating for the currency / issuer.
But anonymous reptuations alone aren't any use as a rational issuer would refuse to redeem if the action didn't adversely affect his reputation -- you need to be assured that the rating of the anonymous issuer will be downrated if they refuse to redeem.
So then perhaps you could proceed by having unlinkably anonymous credentials for reputation with a trap-door for the rating party so that the rating party can identify the pseudonym behind the unlinkable credential and downrate it. You also want the unlinkable rating credentials to need to be refreshed by the rating credential issuer in order to re-show. Brands'
This just shifting the issue without actually solving it - instead of mint visibility now we have credential issuer visibility. There goes credential issuer.
So I have two types of issuer. The currency issuer (let's call them mints to avoid confusion). Ray has every one a mint (potentially, some users may choose to use other peoples mints to avoid having to manage the reputation of their own). Floating exchange rates based on reptuation of the mint. Then we have an issuer of one use (and hence unlinkable) credentials representing the reputation of the mint. So these are reputation credential issuers. My thought was that there would similarly be reputation credential issuers -- (potentially) everyone a reputation credential issuer. Also Stubblebine et al have a paper about abuse control with unlinkable anonymous credentials. They way they do this is to have one unlinkable credential which you can show only once. Then you can trade it for a fresh unlinkable credential if there have been no complaints against the current credential. Because the fresh credential is freshly blinded it's not linkable. And yet you retain some scope for abuse control, if the proof of misconduct arrives before you've handed over the new credential. (The Stubblebine paper doesn't say much more than that. Do a web search if you want the paper. It was in the context of unlinkable subscriptions to services, where you want to renew, but the service operator wants the ability to cancel abusers of their AUP's subscriptions.) Seems like this might be usable here.
The basic point here is that:
a) most "public" (including me and the few that I talked with) will not "trust" money that is pure math, without actual *people* (who can be pulped if something goes wrong) behind it. Pulpability (in this special meaning) is a key ingredient in trust - you trust someone that agrees to be hurt if she misuses the trust. Fuck the math, new advances happen and most do not understand it any way.
This seems like a technology trust issue. It seems just to do with branding, advertising and common acceptance. A mag-swipe card could fail, a bank could empty your acount, their security could fail and someone else empty your account via ATM. People trust the systems because their friends trust them and seem to use them without incident and they want to use the system because of convenience or some other useful attribute.
b) The competition (government) will pulp the pulpable mint.
So, n-way blind e-cash will never happen. It may be a nice thing to bullshit about and to do PhD thesis and patents on and thus attract chicks, but it will never happen.
Ray's scheme sounds interesting because it's a computer mediated Letts scheme. Letts schemes seem to exist with manual book-keeping. Also trust levels needed to trust in something as a value store are much higher than purely as a immediately cleared payment mechanism. With the reputation system you could even have insurance. Adam
Then we have an issuer of one use (and hence unlinkable) credentials representing the reputation of the mint. So these are reputation credential issuers. My thought was that there would similarly be reputation credential issuers -- (potentially) everyone a reputation credential issuer.
*WHO* do you beat up if they lie ? If you *can* beat up someone, so can the government. We are back to the basic fallacy of cyberspace, that somehow crypto and networks will switch the address space under Men with Guns, so that they will be left in their own empty pages while we roam the virtual memory. This is an excellent example why some things need to be addressable in gov-pages (meatspace) and therefore pulpable.
This seems like a technology trust issue. It seems just to do with branding, advertising and common acceptance. A mag-swipe card could fail, a bank could empty your acount, their security could fail and someone else empty your account via ATM. People trust the systems because their friends trust them and seem to use them without incident and they want to use the
This is patently false. If something goes wrong with my account I deal with meat in the bank. In US of A you are not liable for stolen card use. In US of A you can say "no, I did not withraw this cash" - EVEN IF YOU DID - and bank does not have much choice - some hoofed cpunks may know the exact case name. Technology in banking is just a tool, a helper. You can dispute any and all charges. Cards and ATMs are just tokens and machines with no property or ownership. Companies behind them, with very well known coordinates, are the ones you do the business with.
higher than purely as a immediately cleared payment mechanism. With the reputation system you could even have insurance.
Any e-cash system that has shared address space with Men with Guns will be run by Men with Guns. Take, for example, the Anon Mint Insurance Company. How would it assess the risk in order to determine the premium ? There are *no* established anon mints and there can be no insurance for anon startup mints(1). Unless you disclose some meatspace addresses, and then we have MwG, and so on. It's easy to bring life to moon by providing all support from Earth. But we have *no* "Earth" in anon e-cash, and MwG will take care that it remains so. Which is exactly why there is no anon e-cash today. (1) if there is, I'll become rich in no time. __________________________________________________ Do You Yahoo!? Get personalized email addresses from Yahoo! Mail http://personal.mail.yahoo.com/
On Thu, 12 Jul 2001, Adam Back wrote:
Also trust levels needed to trust in something as a value store are much higher than purely as a immediately cleared payment mechanism. With the reputation system you could even have insurance.
Uh, to clarify, at least in the current version of the design, the reputation system *is* insurance. Basically in a pseudonymous situation, the only kind of reputation system that could possibly matter is where the person providing the reputation certificates does so by offering to bet real money on someone's good behavior at easy odds. Otherwise you can just spoof the system with tentacle reputation agents that all recommend you (and each other). So, when alice-the-buyer wants some assurances that bob-the-seller won't rip her off, she goes to Carol-the-reputation-agent and says "What are the odds on Bob reneging in a five-hundred-buck deal?" And Carol's response is something like "I'll bet Bob does you a straight deal, five-hundred-to-one." Alice considers the rate and decides she wants insurance, pays Carol a buck for a "marker" to use in the contract, does a five-hundred-buck deal with bob (man, that's a lot of venison) and if Bob reneges, Alice gets to cash in Carol's five-hundred-buck marker - thus getting her money back. Carol instantly warns every other reputation agent in the system about Bob and how he reneged for five hundred bucks -- so that Nym is effectively trashed. If Bob doesn't renege, Carol makes a buck. Anyway; whether you call Carol a bookie or an insurance dealer is entirely negotiable. But in this scheme your "reputation" means neither more nor less than the cheapest insurance rates someone can get if they try to insure themselves against you reneging. Bear
On 12 Jul 2001, at 15:41, Morlock Elloi wrote:
The basic point here is that:
a) most "public" (including me and the few that I talked with) will not "trust" money that is pure math, without actual *people* (who can be pulped if something goes wrong) behind it.
You say that now, but what if the day comes when digital currency schemes have been in successful operation for years, and there are goods or services you desire that can be had far cheaper (or only) if you use digital currency? YOU won't dive in with the stuff, but assuming it can be made to work at all, there may be enough brave/foolhardy people to bootstrap the system to the point where it has been demonstrated "safe". BTW, the usual term for what you call "pupability" is "accountability". Usually one speaks of people being "held accountable" rather than "pulped". I'm not criticizing your choice of terminology, but I think communication is facilitated if people stick tostandard terminology rather than making up their own. Also, bank officers caught defrauding their customers in the real world are more likely to be sent to minimum security prison rather than bludgeoned to death.
b) The competition (government) will pulp the pulpable mint.
Possibly. Or there's another possibility, that maybe the government officials who have "pulping" authority will become clients of digital cash systems themselves.
So, n-way blind e-cash will never happen. It may be a nice thing to bullshit about and to do PhD thesis and patents on and thus attract chicks, but it will never happen.
Seldom say never. BTW, a PhD helps you get chicks? Where? George
__________________________________________________ Do You Yahoo!? Get personalized email addresses from Yahoo! Mail http://personal.mail.yahoo.com/
You say that now, but what if the day comes when digital currency schemes have been in successful operation for years, and there are goods or services you desire that can be had far cheaper (or only) if you use digital currency?
Hmmm ... this sounds like a dot-com business plan :-))
if people stick tostandard terminology rather than making up their own. Also, bank officers caught defrauding their customers in the real world are more likely to be sent to minimum security prison rather than bludgeoned to death.
I am talking about ideal world. Pulpability is exactly what I meant to say, it deals away with euphemisms.
Seldom say never. BTW, a PhD helps you get chicks? Where?
Berkeley. __________________________________________________ Do You Yahoo!? Get personalized email addresses from Yahoo! Mail http://personal.mail.yahoo.com/
participants (6)
-
Adam Back -
Gabriel Rocha -
georgemw@speakeasy.net -
Jim Choate -
Morlock Elloi -
Ray Dillinger