Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems
Let's take a look at Daniel Nagy's list of desirable features for an ecash system and see how simple, on-line Chaum ecash fares.
http://www.epointsystem.org/~nagydani/ICETE2005.pdf
One of the reasons, in the author's opinion, is that payment systems based on similar schemes lack some key characteristics of paper-based cash, rendering them economically infeasible. Let us quickly enumerate the most important properties of cash:
1. "Money doesn't smell." Cash payments are -- potentially -- _anonymous_ and untraceable by third parties (including the issuer).
This is of course the main selling point of Chaum's system, where it excels. I will point out that defining cash as merely "potentially" anonymous leaves a loophole whereby fully non-anonymous systems get to call themselves cash. This underplays the strength of Chaum's system. It is not just "potentially" anonymous, it has a strong degree of anonymity.
2. Cash payments are final. After the fact, the paying party has no means to reverse the payment. We call this property of cash transactions _irreversibility_.
Certainly Chaum ecash has this property. Because deposits are unlinkable to withdrawals, there is no way even in principle to reverse a transaction.
3. Cash payments are _peer-to-peer_. There is no distinction between merchants and customers; anyone can pay anyone. In particular, anybody can receive cash payments without contracts with third parties.
Again this is precisely how Chaum ecash works. Everyone can receive ecash and everyone can spend it. There is no distinction between buyers and vendors. Of course, transactions do need the aid of the issuer, but that is true of all online payment systems including Daniel's.
4. Cash allows for "acts of faith" or _naive transactions_. Those who are not familiar with all the antiforgery measures of a particular banknote or do not have the necessary equipment to verify them, can still transact with cash relying on the fact that what they do not verify is nonetheless verifiable in principle.
I have to admit, I don't understand this point, so I can't say to what extent Chaum ecash meets it. In most cases users will simply use their software to perform transactions and no familiarity is necessary with any antiforgery or other technical measures in the payment system. In this sense all users are "naive" and no one is expected to be a technical expert. Chaum ecash works just fine in this model.
5. The amount of cash issued by the issuing authority is public information that can be verified through an auditing process.
This is the one aspect where Chaum ecash fails. It is a significant strength of Daniel Nagy's system that it allows public audits of the amount of cash outstanding. However note that if the ecash issuer stands ready to buy and sell ecash for "real money" then he has an incentive not to excessively inflate his currency as it would create liabilities which exceed his assets. Similarly, in a state of competition between multiple such ecash issuers, any currency which over-inflates will be at a disadvantage relative to others, as discussed in Dan Selgin's works on "free banking". Daniel Nagy also raised a related point about insider malfeasance, which is also a potential problem with Chaum ecash, but there do exist technologies such as hardware security modules which can protect keys in a highly secure manner and make sure they are used only via authorized protocols. Again, the operators of the ecash system have strong incentives to protect their keys against insider attacks.
The payment system proposed in (D. Chaum, 1988) focuses on the first characteristic while partially or totally lacking all the others.
In summary, I don't think this is true at all. At least the first three characteristics are met perfectly by Chaumian ecash, and possibly the fourth is met in practice as naive users can access the system without excessive complications. Only the fifth point, the ability for outsiders to monitor the amount of cash in circulation, is not satisfied. But even then, the ecash mint software, and procedures and controls followed by the issuer, could be designed to allow third party audits similarly to how paper money cash issuers might be audited today. There do exist technical proposals for ecash systems such as that from Sander and Ta-Shma which allow monitoring the amount of cash which has been issued and redeemed while retaining anonymity and unlinkability, but those are of questionable efficiency with current technology. Perhaps improved versions of such protocols could provide a payment system which would satisfy all of Daniel Nagy's desiderata while retaining the important feature of strong anonymity. CP
Thank you for the detailed critique! I think we're not talking about the same Chaumian cash. The referred 1988 paper proposes an off-line system, where double spending compromises anonymity and results in transaction reversal. I agree with you that it was a mistake on my part to deny its peer-to-peer nature; I should be more careful in the future. I strongly disagree that potentially anonymous systems do not deserve to be called cash. For the past approx. 100 years, banknotes have been used as cash and there seems to be no preference on the market for coins, even though banknotes have unique serial numbers and are, therefore, traceable. I maintain that anonymity and untraceability are primarily not privacy concerns but -- to some extent -- necessary conditions for irreversibility, which is the true reason why cash is such a mainstay in commerce and why I would expect its electronic equivalent would be a desirable financial instrument in the world of electronic commerce. In a low-trust environment, irreversible payments are preferable to reversible ones. Simple on-line Chaumian blinded tokens, where the value is determined by the public key and the signed content is unimportant, as long as it is unique, are more like coins. And the most serious problem with them is that of transparent governance. Unfortunately, those hyperinflating their currency are not caught early enough. One way to handle this problem is by expiring tokens. For example, for each value, keys can be introduced in a brick-wall pattern: keys are replaced in regular intervals with two keys being valid at all times, with one expiring in the middle of the lifetime of the other. Tokens signed by the old key are always exchanged for those signed by the new one. This would allow a regular re-count of all tokens in circulation (by the time a key expires, at most as many tokens would have been exchanged for the next key as have been issued), but it raises other concerns.
With simple blinded tokens, naive transactions are possible only with the already unblinded ones. One can accept them on faith, and pass on without exchanging. This does not require additional equipment/software. I know of no protocol for transferring blinded tokens with a receipt, but I do not rule out the possibility of its existence. Without it, however, the blinded tokens are useful for a very narrow range of transaction values. Namely, those small enough not to be bothered about receipts, but large enough so that the effort of making a payment does not exceed the transaction value. This confines their usability to part of the micropayment market. To reiterate, the main advantage of the proposed system is that it allows for a very large range of transaction values by providing adequate security for high-value ones, while requiring extremely little effort for low-value ones. And all that at the sole discretion of the users. Regards, -- Daniel
At 10:23 PM +0200 10/20/05, Daniel A. Nagy wrote:
The referred 1988 paper proposes an off-line system
Please. You can just as easily do an on-line system, and still have blind signatures, including m=m=2 shared secret signature hiding to prevent double spending. In fact, the *only* viable way to do blind signatures with any security is to have an *on-line* system, with redemption and reissue of certificates on every step, and the underwriter not honoring any double spent transaction. So, you still get the benefits of non-repudiation, you get functional anonymity (because audit trails become a completely superfluous cost -- all you need to keep is a single-field database of spent notes against a possible second spend, deletable on an agreed-upon date), and (I claim :-)) you get the resulting transaction cost benefit versus book-entry transactions as well. Sigh. I really wish people would actually read what people have written about these things for the last, what, 20 years now... BTW, you can exchange cash for goods, or other chaumian bearer certificates -- or receipts, for that matter, with a simple exchange protocol. Micali did one for email ten years ago, for instance. Cheers, RAH -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
On Thu, Oct 20, 2005 at 05:19:49PM -0400, R.A. Hettinga wrote:
BTW, you can exchange cash for goods, or other chaumian bearer certificates -- or receipts, for that matter, with a simple exchange protocol. Micali did one for email ten years ago, for instance.
Could you give us a reference to this one, please? Thank you in advance! -- Daniel
At 12:32 AM +0200 10/21/05, Daniel A. Nagy wrote:
Could you give us a reference to this one, please?
Google is your friend, dude. Before making unitary global claims like you just did, you might consider consulting the literature. It's out there. Cheers, RAH -- R. A. Hettinga <mailto: rah@ibuc.com>
On Thu, Oct 20, 2005 at 07:34:34PM -0400, R.A. Hettinga wrote:
At 12:32 AM +0200 10/21/05, Daniel A. Nagy wrote:
Could you give us a reference to this one, please?
Google is your friend, dude.
Before making unitary global claims like you just did, you might consider consulting the literature. It's out there.
With all due respect, this was unnecessarily rude, unfair and unwarranted. Silvio Micali is a very prolific author and he published more than one paper on more than one exchange protocol. I am actually familiar with some of his work on the subject. I was, however, specifically interested in which particular one you had in mind. I can think of several exchange protocols that would do the job, though I don't particularly like them, because the infrastructure for carrying them out is not in place and they require more communication than is strictly necessary for obtaining a receipt. In general, I think that one should be very careful with piling up cryptographic operations and additional back-and-forth communication steps in a payment protocol, because it may easily render it impractical. There are reasons why there are no cash-like digital payment systems, and it's not for the lack of trying (you know that better than anybody else in the world, I guess) or the lack of demand. Making it sufficiently simple is one of the most difficult challenges. -- Daniel
At 2:36 AM +0200 10/21/05, Daniel A. Nagy wrote:
With all due respect, this was unnecessarily rude, unfair and unwarranted.
This is the *cypherpunks* list, guy... :-)
Silvio Micali is a very prolific author and he published more than one paper on more than one exchange protocol
And I just got through saying that there are *lots* of exchange protocols. You're the guy who said he couldn't figure out how to do receipts. I toss one, out of probably hundreds out there in the last 30 years, off the top of my head, and *you* go all canonical on me here. Again. Repeat. Google is your friend. Thank you for playing. Cheers, RAH -- R. A. Hettinga <mailto: rah@ibuc.com>
On Thu, 20 Oct 2005, cyphrpunk wrote:
system without excessive complications. Only the fifth point, the ability for outsiders to monitor the amount of cash in circulation, is not satisfied. But even then, the ecash mint software, and procedures and controls followed by the issuer, could be designed to allow third party audits similarly to how paper money cash issuers might be audited today.
One approach, investigated by Hal Finney, is to run the mint on a platform that allows remote attestation. Check out rpow.net - he has a working implementation of a proof of work payment system hosted on an IBM 4758. -David Molnar
Date: Thu, 20 Oct 2005 11:31:39 -0700 From: cyphrpunk <cyphrpunk@gmail.com>
2. Cash payments are final. After the fact, the paying party has no means to reverse the payment. We call this property of cash transactions _irreversibility_.
Certainly Chaum ecash has this property. Because deposits are unlinkable to withdrawals, there is no way even in principle to reverse a transaction.
This is not strictly correct. The payer can reveal the blinding factor, making the payment traceable. I believe Chaum deliberately chose one-way untraceability (untraceable by the payee but not by the payer) in order to address concerns such as blackmailing, extortion, etc. The protocol can be modified to make it fully untraceable, but that's not how it is designed.
3. Cash payments are _peer-to-peer_. There is no distinction between merchants and customers; anyone can pay anyone. In particular, anybody can receive cash payments without contracts with third parties.
Again this is precisely how Chaum ecash works. Everyone can receive ecash and everyone can spend it. There is no distinction between buyers and vendors. Of course, transactions do need the aid of the issuer, but that is true of all online payment systems including Daniel's.
Apart from the transferability issue, I think there are some systems that do not rely on an issuer at all (in effect any payee is an issuer). Manasse's Millicent comes to mind, but I confess that I don't fully remember the details. Ray
R. Hirschfeld wrote:
Date: Thu, 20 Oct 2005 11:31:39 -0700 From: cyphrpunk <cyphrpunk@gmail.com>
2. Cash payments are final. After the fact, the paying party has no means to reverse the payment. We call this property of cash transactions _irreversibility_.
Certainly Chaum ecash has this property. Because deposits are unlinkable to withdrawals, there is no way even in principle to reverse a transaction.
This is not strictly correct. The payer can reveal the blinding factor, making the payment traceable. I believe Chaum deliberately chose one-way untraceability (untraceable by the payee but not by the payer) in order to address concerns such as blackmailing, extortion, etc. The protocol can be modified to make it fully untraceable, but that's not how it is designed.
Huh - first I've heard of that, would be encouraging if that worked. How does it handle an intermediary fall guy? Say Bad Guy Bob extorts Alice, and organises the payoff to Freddy Fall Guy. This would mean that Alice can strip her blinding factors and reveal that she paid to Freddy, but as Freddy is not to be found, he can't be encouraged to reveal his blinding factors so as to reveal that Bob bolted with the dosh. iang
On 10/22/05, Ian G <iang@systemics.com> wrote:
R. Hirschfeld wrote:
This is not strictly correct. The payer can reveal the blinding factor, making the payment traceable. I believe Chaum deliberately chose one-way untraceability (untraceable by the payee but not by the payer) in order to address concerns such as blackmailing, extortion, etc. The protocol can be modified to make it fully untraceable, but that's not how it is designed.
Huh - first I've heard of that, would be encouraging if that worked. How does it handle an intermediary fall guy? Say Bad Guy Bob extorts Alice, and organises the payoff to Freddy Fall Guy. This would mean that Alice can strip her blinding factors and reveal that she paid to Freddy, but as Freddy is not to be found, he can't be encouraged to reveal his blinding factors so as to reveal that Bob bolted with the dosh.
Right, that is one of the kinds of modifications that Ray referred to. If the mint allows (de-facto) anonymous exchanges then a blackmailer can simply do an exchange of his ecash before spending it and he will be home free. Another mod is for the blackmailer to supply the proto-coin to be signed, in blinded form. One property of Daniel Nagy's epoint system is that it creates chains where each token that gets created is linked to the one it came from. This could be sold as an anti-abuse feature, that blackmailers and extortionists would have a harder time avoiding being caught. In general it is an anti-laundering feature since you can't wash your money clean, it always links back to when it was dirty. U.S. law generally requires that stolen goods be returned to the original owner without compensation to the current holder, even if they had been purchased legitimately (from the thief or his agent) by an innocent third party. Likewise a payment system with traceable money might find itself subject to legal orders to reverse subsequent transactions, confiscate value held by third parties and return the ill-gotten gains to the victim of theft or fraud. Depending on the full operational details of the system, Daniel Nagy's epoints might be vulnerable to such legal actions. Note that e-gold, which originally sold non-reversibility as a key benefit of the system, found that this feature attracted Ponzi schemes and fraudsters of all stripes, and eventually it was forced to reverse transactions and freeze accounts. It's not clear that any payment system which keeps information around to allow for potential reversibility can avoid eventually succumbing to pressure to reverse transactions. Only a Chaumian type system, whose technology makes reversibility fundamentally impossible, is guaranteed to allow for final clearing. 
And even then, it might just be that the operators themselves will be targeted for liability since they have engineered a system that makes it impossible to go after the fruits of criminal actions. CP
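Hirschfeld's point above (the payer can reveal the blinding factor and make a payment traceable) and CP's reply (an exchange before spending cuts that link), worked as an added Python example that is not part of this thread: a toy RSA blind-signature mint with the single-field spent-serial database RAH describes. The key, the serials and the Alice/Bob scenario are constructed for illustration; the modulus is deliberately tiny and not any real mint's key.

```python
import hashlib
import math
import secrets

# Constructed toy mint key (far too small for real use); one key per denomination.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def serial_to_int(serial: bytes) -> int:
    # Signed content only needs to be unique: hash the serial into Z_N.
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N
def blind(serial: bytes):
    # Payer: pick a random blinding factor r invertible mod N and hide the serial.
    while math.gcd(r := secrets.randbelow(N - 2) + 2, N) != 1: pass
    return (serial_to_int(serial) * pow(r, E, N)) % N, r
def unblind(blinded_sig: int, r: int) -> int:
    # Payer: strip r, since (m * r^E)^D * r^-1 = m^D mod N.
    return (blinded_sig * pow(r, -1, N)) % N
def verify(serial: bytes, sig: int) -> bool:
    return pow(sig, E, N) == serial_to_int(serial)

class Mint:
    def __init__(self):
        self.spent = set()      # single-field database of spent serials
        self.withdrawals = []   # blinded values the mint signed, in order
    def withdraw(self, blinded: int) -> int:
        # Mint signs what it sees; it learns neither the serial nor r.
        self.withdrawals.append(blinded)
        return pow(blinded, D, N)
    def deposit(self, serial: bytes, sig: int) -> bool:
        if not verify(serial, sig) or serial in self.spent:
            return False        # forged, or a second spend of the same serial
        self.spent.add(serial)
        return True
def links(blinded: int, serial: bytes, r: int) -> bool:
    # Payer reveals (serial, r): anyone can check which withdrawal produced the coin.
    return (serial_to_int(serial) * pow(r, E, N)) % N == blinded

def demo():
    mint = Mint()
    s1 = secrets.token_bytes(16)            # Alice's coin serial
    b1, r1 = blind(s1)
    sig1 = unblind(mint.withdraw(b1), r1)
    traced = links(mint.withdrawals[0], s1, r1)   # Alice can expose her payment
    # Bob exchanges before spending: redeem s1, withdraw fresh s2 under his own r2.
    assert mint.deposit(s1, sig1)
    s2 = secrets.token_bytes(16)
    b2, r2 = blind(s2)
    sig2 = unblind(mint.withdraw(b2), r2)
    # Alice's r1 matches no withdrawal record for s2: the link is cut at the exchange.
    unlinked = not any(links(b, s2, r1) for b in mint.withdrawals)
    return traced, unlinked, not mint.deposit(s1, sig1), verify(s2, sig2)
```

The mint never sees a serial until deposit, so the only party able to produce the (serial, r) pair that links a coin to a withdrawal is the payer, and a fresh blinding factor at an exchange leaves that pair pointing at a coin that is already redeemed.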